Intruders: Detect Possible Intrusions
Intruders
An intruder is a person who enters a territory that does not belong to that person; in a computer system, someone who gains or misuses access without authorization. Three classes of intruder are distinguished:
Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
Components of IDS
Traffic collector: collects activity or events (packets, log records, audit records) and forwards them to the analysis engine.
Analysis engine: receives the collected activities from the traffic collector and compares them with the suspicious patterns stored in the signature database.
Signature database: the collection of all known samples or patterns of malicious and suspicious activity.
User interface: the framework through which the operator runs the IDS. It acts as the mediator between the user and the IDS, and the IDS forwards its alerts to the user through it.
Fig. Components of IDS
There are two mainstream options when implementing an IDS: a host-based IDS (HIDS) and a network-based IDS (NIDS).
Host Based IDS
A host-based IDS analyzes several areas to determine misuse (malicious or abusive activity inside the
network) or intrusion (breaches from the outside). Host-based IDSes consult several types of log files
(kernel, system, server, network, firewall, and more), and compare the logs against an internal
database of common signatures for known attacks.
Fig. Components of HIDS
A HIDS checks log files and audit records, which hold a record of all activities performed on a particular host. So in a HIDS the traffic collector takes its input from the host's log files and audit records rather than from the network.
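The four components above, wired together as a minimal HIDS, as an added example (this is not code from the original page or from any IDS product). The log lines are constructed for the example, the signature IDs (HIDS-001, HIDS-002, HIDS-100) are this example's own, and the failed-login threshold is an assumption; a real signature database would hold far more patterns.

```python
import re
from collections import Counter

# Constructed sample of a host's auth log (not a real capture). In a HIDS the traffic
# collector reads records like these from log files and audit records on the host.
SAMPLE_AUTH_LOG = """\
Jan 10 09:12:01 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Jan 10 09:13:44 web01 sshd[2230]: Failed password for root from 203.0.113.7 port 40110 ssh2
Jan 10 09:13:46 web01 sshd[2230]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 10 09:13:49 web01 sshd[2230]: Failed password for root from 203.0.113.7 port 40115 ssh2
Jan 10 09:13:52 web01 sshd[2230]: Failed password for admin from 203.0.113.7 port 40118 ssh2
Jan 10 09:15:03 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jan 10 09:16:10 web01 useradd[2301]: new user: name=backdoor, UID=0, GID=0, home=/root, shell=/bin/bash
Jan 10 09:17:30 web01 sshd[2410]: Accepted password for alice from 10.0.0.8 port 52000 ssh2
"""

# Signature database: (id, description, compiled pattern). IDs and patterns are this
# example's own assumptions, not from any shipped rule set.
SIGNATURES = [
    ("HIDS-001", "interactive root shell via sudo",
     re.compile(r"sudo: .* USER=root ; COMMAND=/bin/(ba)?sh\b")),
    ("HIDS-002", "new account created with UID 0",
     re.compile(r"useradd.*: new user: name=(?P<name>\S+), UID=0,")),
]

# The analysis engine also applies a threshold rule that no single-line signature can express.
FAILED_LOGIN_THRESHOLD = 3  # assumed value for the example
FAILED_LOGIN_RE = re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")


def traffic_collector(log_text):
    """Collect events: one event per non-empty log line, tagged with its line number."""
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        if line:
            yield lineno, line


def analysis_engine(events):
    """Compare each event with the signature database, then apply the failed-login threshold."""
    alerts = []
    failures = Counter()
    for lineno, line in events:
        for sig_id, description, pattern in SIGNATURES:
            if pattern.search(line):
                alerts.append({"id": sig_id, "line": lineno, "detail": description})
        m = FAILED_LOGIN_RE.search(line)
        if m:
            failures[m.group("src")] += 1
    for src, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append({"id": "HIDS-100", "line": None,
                           "detail": f"{count} failed SSH logins from {src} (possible password guessing)"})
    return alerts


def user_interface(alerts):
    """Present alerts to the operator; returns the rendered lines so a caller can capture them."""
    rendered = [f"[{a['id']}] line {a['line']}: {a['detail']}" for a in alerts]
    for r in rendered:
        print(r)
    return rendered


def run_hids(log_text=SAMPLE_AUTH_LOG):
    """Collector -> analysis engine; returns the list of alert dicts."""
    return analysis_engine(traffic_collector(log_text))


if __name__ == "__main__":
    user_interface(run_hids())
```

Run as a script it prints three alerts: the sudo root shell, the UID 0 account, and the four failed logins from one source. The threshold rule is the point a pure signature database misses: no single line is suspicious, only the count across lines is.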
Fig. Components of NIDS
A NIDS takes its input from network traffic, collecting the activities performed on the network rather than on one host. Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
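To show what "content searching/matching" means in practice, here is an added example (not Snort's own code, and not its shipped rule set) that parses a small subset of Snort's rule syntax and runs three rules, a CGI probe, an SMB probe and a FIN stealth scan, over constructed packets. The $HOME_NET prefix, the rule IDs and the packets are this example's assumptions; real Snort handles variables, CIDR ranges, many more options and reassembled streams.

```python
import re
from dataclasses import dataclass
from typing import Optional

HOME_NET_PREFIX = "10.0.0."  # assumption: $HOME_NET is 10.0.0.0/24, matched here by prefix

# Rules in Snort syntax written for this example (sids 1000001-1000003 are local-use IDs).
RULES_TEXT = """
alert tcp any any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"SMB probe"; content:"|FF|SMB"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SCAN FIN stealth scan"; flags:F; sid:1000003; rev:1;)
"""

# Constructed packets, not a real capture: one hit per rule plus one benign request.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.9", "sport": 40231, "dst": "10.0.0.20", "dport": 80,
     "flags": "PA", "payload": b"GET /CGI-BIN/PHF?Qalias=x%0Acat%20/etc/passwd HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "198.51.100.9", "sport": 40232, "dst": "10.0.0.20", "dport": 445,
     "flags": "PA", "payload": b"\x00\x00\x00\x2f\xffSMB\x72\x00\x00\x00\x00"},
    {"proto": "tcp", "src": "198.51.100.9", "sport": 40233, "dst": "10.0.0.20", "dport": 22,
     "flags": "F", "payload": b""},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "10.0.0.20", "dport": 80,
     "flags": "PA", "payload": b"GET /index.html HTTP/1.1\r\n"},
]


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    content: Optional[bytes] = None  # decoded bytes to search for in the payload
    nocase: bool = False
    flags: Optional[str] = None      # exact TCP flag set, e.g. "F" for a FIN scan
    sid: int = 0


HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')
HEX_RE = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def decode_content(text):
    """Snort content syntax to bytes: |FF 53| segments are hex, everything else is literal."""
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode() + bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    return bytes(out + text[pos:].encode())


def parse_rule(line):
    """Parse one rule: header (action proto src sport -> dst dport) plus the option list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = Rule(*m.groups()[:6])
    for name, value in OPTION_RE.findall(m.group(7)):
        value = value.strip().strip('"')
        if name == "msg":
            rule.msg = value
        elif name == "content":
            rule.content = decode_content(value)
        elif name == "nocase":
            rule.nocase = True
        elif name == "flags":
            rule.flags = value
        elif name == "sid":
            rule.sid = int(value)
    return rule


def load_rules(text=RULES_TEXT):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr.startswith(HOME_NET_PREFIX)
    return spec == addr


def rule_matches(rule, pkt):
    """Cheap header checks first, then TCP flags, then the payload content search."""
    if rule.proto != pkt["proto"]:
        return False
    if not (addr_matches(rule.src, pkt["src"]) and addr_matches(rule.dst, pkt["dst"])):
        return False
    if rule.sport != "any" and int(rule.sport) != pkt["sport"]:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt["dport"]:
        return False
    if rule.flags is not None and set(rule.flags) != set(pkt["flags"]):
        return False
    if rule.content is not None:
        payload, needle = pkt["payload"], rule.content
        if rule.nocase:
            payload, needle = payload.lower(), needle.lower()
        if needle not in payload:
            return False
    return True


def inspect(packets, rules):
    """Return (sid, msg, src) for every rule each packet triggers."""
    return [(r.sid, r.msg, p["src"]) for p in packets for r in rules if rule_matches(r, p)]


if __name__ == "__main__":
    for sid, msg, src in inspect(PACKETS, load_rules()):
        print(f"[1:{sid}] {msg} from {src}")
```

The benign request to port 80 passes all three rules, which is the other half of what a signature does: the header narrows the rule to the right protocol, hosts and ports before the comparatively expensive byte search runs.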
PASSWORD MANAGEMENT
Vulnerability to passwords
There are two threats to the UNIX password scheme. First, a user can gain access on a
machine using a guest account or by some other means and then run a password guessing
program, called a password cracker, on that machine. The attacker should be able to check
hundreds and perhaps thousands of possible passwords with little resource consumption. In
addition, if an opponent is able to obtain a copy of the password file, then a cracker program
can be run on another machine at leisure. This enables the opponent to run through many
thousands of possible passwords in a reasonable period.
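The second threat, the offline attack on a stolen password file, is cheap precisely when every guess serves every account. The added example below (written for this page, not from any real system or library) runs the same dictionary attack against three ways of storing the same four constructed passwords: an unsalted hash, a salted hash, and a salted, iterated hash (PBKDF2). The wordlist, accounts and iteration count are assumptions; the iteration count is set deliberately low so the example runs in a moment.

```python
import hashlib
import os

# Constructed data, not from any real system: a tiny guessing wordlist and four accounts.
# dave's password is not in the list, so it survives every variant of the attack.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2005", "dragon", "monkey"]
PLAINTEXTS = {"alice": "letmein", "bob": "letmein", "carol": "dragon", "dave": "correct-horse-battery"}
ITERATIONS = 20_000  # deliberately low for a quick demo; real deployments use far more


def unsalted(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


def salted(pw, salt):
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def stretched(pw, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def build_password_file(scheme):
    """Return {user: (salt, stored_hash)} as the attacker would copy it; salt is b"" when unsalted."""
    entries = {}
    for user, pw in PLAINTEXTS.items():
        if scheme == "unsalted":
            salt, h = b"", unsalted(pw)
        elif scheme == "salted":
            salt = os.urandom(16)
            h = salted(pw, salt)
        elif scheme == "stretched":
            salt = os.urandom(16)
            h = stretched(pw, salt)
        else:
            raise ValueError(scheme)
        entries[user] = (salt, h)
    return entries


def crack(entries, scheme, wordlist=WORDLIST):
    """Offline dictionary attack on a copied password file.
    Returns (recovered {user: password}, number of hash computations spent)."""
    recovered, work = {}, 0
    if scheme == "unsalted":
        # One hash per candidate serves every account: a lookup table built once.
        table = {}
        for w in wordlist:
            table[unsalted(w)] = w
            work += 1
        for user, (_, h) in entries.items():
            if h in table:
                recovered[user] = table[h]
        return recovered, work
    # Salted: each candidate must be re-hashed under every user's own salt, and with
    # stretching each of those guesses costs ITERATIONS hash computations.
    for user, (salt, h) in entries.items():
        for w in wordlist:
            if scheme == "salted":
                guess, cost = salted(w, salt), 1
            else:
                guess, cost = stretched(w, salt), ITERATIONS
            work += cost
            if guess == h:
                recovered[user] = w
                break
    return recovered, work


def compare(schemes=("unsalted", "salted", "stretched")):
    """Run the attack against each scheme; returns {scheme: (accounts cracked, hash work)}."""
    result = {}
    for s in schemes:
        recovered, work = crack(build_password_file(s), s)
        result[s] = (len(recovered), work)
    return result


if __name__ == "__main__":
    for scheme, (cracked, work) in compare().items():
        print(f"{scheme:10s} cracked {cracked}/{len(PLAINTEXTS)} accounts with {work:,} hash computations")
```

All three schemes give up the three weak passwords; what changes is the price. Unsalted, seven hashes crack the whole file and the same table would crack the next file too. Salting forces the attacker to start over per account, and stretching multiplies every guess by the iteration count, which is what makes running "many thousands of possible passwords in a reasonable period" expensive.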
Windows 8 was the first Microsoft operating system to support alternative non-biometric authentication mechanisms such as the picture password and the PIN. The password-security vendor Passcape reported a vulnerability in Windows 8: the logon password is saved in plain text, and any user with administrator rights can read it.
For example:
Password = ~Ti4556M~12005
Step 4. Always surround your root password with your favorite special character.
Step 5. Always insert your special number after the second character of your root password.
Step 6. Always capitalize the first character after your secret code (now you have the unchanging part of your password, the Static Password).
Step 7. (Now for the part of your password that changes every 90 days, when you are forced to create a new password.) Always add the creation date to the end of your new static password, written as the calendar quarter followed by the calendar year (Quarter 1, or Q1, of 2005 would be 1 and 2005 written together as 12005). Now you have your Full Password.
Note that only the date suffix changes between rotations, so once one password in the series is recovered the next ones are predictable.
Hot Fixes
A hotfix is a single, cumulative package that includes one or more files used to address a problem in a software product (i.e. a software bug). Typically, hotfixes are made to address a specific customer situation and may not be distributed outside the customer organization.
Patches
Patches are released to address vulnerabilities and defects in an application. Patches are made available to everyone, through the vendor's website or other channels, whereas a hotfix is released to a particular customer.
Service Packs
Service pack is an orderable or downloadable update to a customer's software that fixes existing
problems and, in some cases, delivers product enhancements. IBM and Microsoft are examples of
companies that use this term to describe their periodic product updates.
When a new product version comes out, it usually incorporates the fixes from the service packs that
have been shipped to update the previous product version.
The central analysis server is really the heart and soul of the operation. This server would ideally
consist of a database and Web server. This allows the interactive querying of attack data for analysis
as well as a useful Web interface to allow the corporate guys upstairs to see the current attack status
of your network. It also allows analysts to perform pre-programmed queries, such as attack
aggregation, statistics gathering, to identify attack patterns and to perform rudimentary incident
analysis, all from a Web interface.
The co-operative agent network is one of the most important components of the distributed IDS (dIDS). An agent is a piece of software that reports attack information to the central analysis server. The use of multiple agents across a network gives the incident analysis team a broader view of the network than can be achieved with a single IDS.
Ideally these agents will be located on separate network segments, and geographical locations (See
diagram below.) The agents can also be distributed across multiple physical locations, allowing for a
single incident analysis team to view attack data across multiple corporate locations.
Attack Aggregation
Attack aggregation is another core part of the dIDS system. This part of the system is programming logic that runs on the central analysis server. Aggregation simply refers to the way users group or order the information gathered from the agent network. One example would be to aggregate information by attacker IP, putting all attacks from an attacking IP together with the other attacks from the same IP. Another example is the aggregation of attack data by destination (attacked) port, or even by date and time. Uses for aggregation will be explained later in this paper.
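The aggregations just described, run on the central analysis server over reports from several agents, as an added example (this is not code from the paper or from any dIDS product). The agent names, the JSON record layout and the alerts themselves are constructed for the example. It also adds the query that a single IDS cannot answer: which sources have been seen by more than one agent.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed agent reports, not real data: each agent posts one JSON line per alert to
# the central analysis server. The field names are this example's own assumption.
AGENT_REPORTS = """\
{"agent": "nyc-dmz", "ts": "2024-03-01T02:14:05Z", "src": "203.0.113.7", "dst": "10.1.0.10", "dport": 22, "sig": "SSH brute force"}
{"agent": "nyc-dmz", "ts": "2024-03-01T02:15:40Z", "src": "203.0.113.7", "dst": "10.1.0.11", "dport": 22, "sig": "SSH brute force"}
{"agent": "lon-dmz", "ts": "2024-03-01T02:20:12Z", "src": "203.0.113.7", "dst": "10.2.0.10", "dport": 22, "sig": "SSH brute force"}
{"agent": "sfo-dmz", "ts": "2024-03-01T02:31:55Z", "src": "203.0.113.7", "dst": "10.3.0.10", "dport": 22, "sig": "SSH brute force"}
{"agent": "lon-dmz", "ts": "2024-03-01T03:02:00Z", "src": "198.51.100.23", "dst": "10.2.0.20", "dport": 80, "sig": "WEB-CGI phf access"}
{"agent": "lon-dmz", "ts": "2024-03-01T03:02:01Z", "src": "198.51.100.23", "dst": "10.2.0.20", "dport": 443, "sig": "SSL probe"}
{"agent": "nyc-dmz", "ts": "2024-03-01T03:45:10Z", "src": "192.0.2.99", "dst": "10.1.0.10", "dport": 445, "sig": "SMB probe"}
"""


def load_reports(text):
    """Parse the agents' JSON lines into dicts; timestamps become datetime objects."""
    reports = []
    for line in text.splitlines():
        if line.strip():
            r = json.loads(line)
            r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
            reports.append(r)
    return reports


def aggregate(reports, key):
    """Group reports under key(report); returns {group: [reports]} in first-seen order."""
    groups = {}
    for r in reports:
        groups.setdefault(key(r), []).append(r)
    return groups


def by_attacker(reports):
    return aggregate(reports, lambda r: r["src"])


def by_port(reports):
    return aggregate(reports, lambda r: r["dport"])


def by_hour(reports):
    return aggregate(reports, lambda r: r["ts"].strftime("%Y-%m-%d %H:00"))


def cross_site_attackers(reports, min_agents=2):
    """Sources reported by at least min_agents distinct agents: the pattern one sensor cannot see."""
    seen = defaultdict(set)
    for r in reports:
        seen[r["src"]].add(r["agent"])
    return {src: agents for src, agents in seen.items() if len(agents) >= min_agents}


def counts(groups):
    """Collapse an aggregation to {group: number of alerts}, the figure a dashboard would show."""
    return {k: len(v) for k, v in groups.items()}


if __name__ == "__main__":
    reports = load_reports(AGENT_REPORTS)
    print("by attacker:", counts(by_attacker(reports)))
    print("by port:    ", counts(by_port(reports)))
    print("by hour:    ", counts(by_hour(reports)))
    for src, agents in cross_site_attackers(reports).items():
        print(f"{src} seen by {len(agents)} agents: {sorted(agents)}")
```

Each agent on its own sees one or two SSH alerts from 203.0.113.7, easily dismissed as background noise; only the aggregated view on the central server shows the same source working through three sites in the same hour.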