Intrusion Detection
–Primary purpose is to identify and report an intrusion
–Can quickly contain the attack and prevent/mitigate loss or damage
–Detect and deal with preambles to attacks
Data Collection
allows the organization to examine what happened after an intrusion and why.
IDPS
operate as network-based or host-based systems.
Network Based IDPS
is focused on protecting network information assets.
resides on a computer or an appliance connected to a segment of an organization’s network; looks for indications of attacks
Wireless IDPS
focuses on wireless networks
Network Behavior Analysis IDPS
examines traffic flow on a network in an attempt to recognize abnormal patterns
Host Based IDPS
–Resides on a particular computer or server (host) and monitors activity only on that system
–Benchmarks and monitors the status of key system files and detects when intruder creates, modifies, or deletes files
Signature Based Detection
–Examines network traffic in search of patterns that match known signatures
–Widely used because many attacks have clear and distinct signatures
Anomaly Based Detection
Also called behavior-based detection; collects statistical summaries by observing traffic known to be normal.
–When a measured activity is outside baseline parameters or clipping level, IDPS sends an alert to the administrator.
Stateful Protocol Analysis
the process of comparing known normal/benign protocol profiles against observed traffic
Stores and uses relevant data detected in a session to identify intrusions involving multiple requests/responses; allows IDPS to better detect specialized, multisession attacks (also called deep packet inspection)
Logfile Monitors
–Similar to NIDPS
–Reviews log files generated by servers, network devices, and even other IDPSs for patterns and signatures
–Patterns that signify attack may be much easier to identify when the entire network and its systems are viewed as a whole
–Requires considerable resources since it involves the collection, movement, storage, and analysis of large quantities of log data
Active or Passive
IDPS responses can be classified as either of these
Active Response
collecting additional information about the intrusion, modifying the network environment, taking action against the intrusion
Passive Response
setting off alarms or notifications, collecting passive data through SNMP traps
Failsafe
features protect IDPS from being circumvented.
Centralized, Fully Distributed, Partially Distributed
An IDPS can be implemented via one of three basic control strategies
Centralized
All IDPS control functions are implemented and managed in a central location.
Fully Distributed
All control functions are applied at the physical location of each IDPS component.
Partially Distributed
Combines the two control functions; while individual agents can still analyze and respond to local threats, they report to a hierarchical central facility to enable organizations to detect widespread attacks.
Location 1
NIST recommended location NIDPS sensors behind each external firewall, in the network DMZ
Location 2
NIST recommended location NIDPS sensors outside an external firewall
Location 3
NIST recommended location NIDPS sensors on major network backbones
Location 4
NIST recommended location NIDPS sensors on critical subnets
Thresholds, Blacklists and Whitelists, Alert Settings, and Code Editing and Viewing
IDPSs are evaluated using these four dominant metrics
Honeypots
decoy systems designed to lure potential attackers away from critical systems
Honeynets
several honeypots connected together on a network segment
Trap and Trace Systems
Use a combination of techniques to detect an intrusion and trace it back to its source
Usually consists of a honeypot or a padded cell and an alarm.
Enticement
an act of attracting attention to the system by placing tantalizing information in key locations
Entrapment
an act of luring an individual into committing a crime to get a conviction
LaBrea
A tool that takes up unused IP address space to pretend to be a computer; it allows attackers to complete a connection request but then holds the connection open.
Fingerprinting
a systematic survey of the target organization’s Internet addresses collected during the footprinting phase to identify network services offered by hosts in that range
Port Scanners
Tools used by both attackers and defenders to identify/fingerprint computers active on a network and other useful information
Can either perform generic scans or those for specific types of computers, protocols, or resources
Plaintext
can be encrypted through bitstream or block cipher method.
Bitstream
Each plaintext bit is transformed into a cipher bit one bit at a time.
Block Cipher
Message is divided into blocks (e.g., sets of 8- or 16-bit blocks), and each is transformed into an encrypted block of cipher bits using the algorithm and key.
Substitution Cipher
Exchanges one value for another
Monoalphabetic Substitution
uses only one alphabet during the encryption process
Polyalphabetic Substitution
more advanced; uses two or more alphabets
Vigenère Substitution
Advanced substitution cipher that uses a simple polyalphabetic code; made up of 26 distinct cipher alphabets
Transposition Cipher
Simple to understand, but if properly used, produces ciphertext that is difficult to decipher
Rearranges values within a block to create ciphertext
Can be done at the bit level or at the byte (character) level
To make the encryption even stronger, the keys and block sizes can be increased to 128 bits or more.
Uses a block padding method to facilitate the algorithm
Exclusive OR (XOR)
Function of Boolean algebra; two bits are compared and a binary result is generated.
–If two bits are identical, the result is binary 0.
–If two bits are not identical, the result is binary 1.
Very simple to implement and simple to break; should not be used by itself when an organization is transmitting/storing sensitive data
Vernam Cipher
Developed at AT&T Bell Labs
Uses a set of characters once per encryption process
To perform:
–The pad values are added to numeric values that represent the plaintext that needs to be encrypted.
–Each character of the plaintext is turned into a number and a pad value for that position is added.
–The resulting sum for that character is then converted back to a ciphertext letter for transmission.
Book Based Cipher
Uses text in a book as a key to decrypt a message; ciphertext consists of a list of codes representing page, line, and word numbers of plaintext words.
Running Key Cipher
uses a book for passing the key to a cipher similar to Vigenère cipher; the sender provides an encrypted message with a sequence of numbers from a predetermined book to be used as an indicator block.
Template Cipher
Involves the use of a hidden message in a book, letter, or other message; requires a page with a specific number of holes cut into it
Hash Functions
Mathematical algorithms used to confirm specific message identity and that no content has changed
Symmetric Encryption
Requires same “secret key” to encipher and decipher message; also known as private-key encryption
Data Encryption Standard
one of the most popular symmetric encryption cryptosystems
Public Key Infrastructure
Integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services enabling users to communicate securely
Digital Signatures
Created in response to the rising need to verify information transferred via electronic systems