Unit 5. System Security

Transcription

1 Unit 5 System Security

2 Intrusion Techniques The password file can be protected in one of two ways: One-way function: The system stores only the value of a function based on the user's password. When the user presents a password, the system transforms that password and compares it with the stored value. Access control: Access to the password file is limited to one or a very few accounts.

3 Intrusion Techniques Number of password crackers, reports the following techniques for learning passwords: Try default passwords used. Try all short passwords (those of one to three characters). Try words in the system's online dictionary or a list of likely passwords.

4 Intrusion detection approaches Statistical anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.

5 Intrusion detection approaches Rule-based detection: Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.

6 Audit Records a fundamental tool for intrusion detection two variants: native audit records - provided by O/S always available but may not be optimum detection-specific audit records - IDS specific additional overhead but specific to IDS task often log individual elementary actions e.g. may contain fields for: subject, action, object, exception-condition, resource-usage,

7 Example of Audit Consider copy.exe game.exe <system>/game.exe Several records may be generated for a single command 1. Execute copy.exe 2. Read game.exe 3. Write <system>/game.exe

8 Anomaly Detection threshold detection checks excessive event occurrences over time alone a crude and ineffective intruder detector must determine both thresholds and time intervals profile based characterize past behavior of users / groups then detect significant deviations based on analysis of audit records gather metrics: counter, guage, interval timer, resource utilization analyze: mean and standard deviation, multivariate, markov process, time series, operational model

9 Examples of Anomaly

10 Examples of Anomaly

11 Distributed Host-Based IDS

12 Distributed Host-Based IDS

13 Network-Based IDS network-based IDS (NIDS) monitor traffic at selected points on a network in (near) real time to detect intrusion patterns may examine network, transport and/or application level protocol activity directed toward systems comprises a number of sensors inline (possibly as part of other net device) passive (monitors copy of traffic)

14 Honeypots are decoy systems filled with fabricated info instrumented with monitors / event loggers divert and hold attacker to collect activity info without exposing production systems initially were single systems more recently are/emulate entire networks

15 Password Management Password Protection: The front line of defense against intruders is the password system. Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password. The password serves to authenticate the ID of the individual logging on to the system. In turn, the ID provides security in the following ways:

16 Password Management The Vulnerability of Passwords: let us consider a scheme that is widely used on UNIX: Each user selects a password up to eight characters. This is converted into a 56-bit value (key input to an encryption routine). The encryption routine is based on DES. The DES algorithm is modified using a 12-bit. This value is related to the time at which the

17 Password Management The modified DES algorithm is exercised with a data input consisting of a 64-bit block of zeros. The output of the algorithm then serves as input for a second encryption. This process is repeated for a total of 25 encryptions. The resulting 64-bit output is then translated into an 11-character sequence. The hashed password is then stored, together with a plaintext copy of the salt, in the password file

18 Password Management

19 Password Management

20 Password Management The salt serves three purposes: It prevents duplicate passwords from being visible in the password file. It effectively increases the length of the password without requiring the user to remember additional characters.

21 Password Management User education Users can be told the importance of using hard-toguess passwords and can be provided with guidelines for selecting strong passwords. Computer-generated passwords passwords are quite random in nature Reactive password checking the system periodically runs its own password cracker to find guessable passwords. The system cancels any passwords that are guessed

22 Password Management Proactive password checking user is allowed to select his or her own password. However, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it. The trick with a proactive password checker is to strike a balance between user acceptability and strength.

23 Password Management Proactive password checking approaches: Rule enforcement: All passwords must be at least eight characters long. The passwords must include at least one each of uppercase, lowercase, numeric digits, and punctuation marks. Another possible procedure is simply to compile a large dictionary of possible "bad" passwords.

24 Password Management Proactive password checker techniques Markov model: generation of guessable passwords, this model shows a language consisting of an alphabet of three characters. The state of the system at any time is the identity of the most recent letter. The value on the transition from one state to another represents the probability that one letter follows another. Thus, the probability that the next letter is b, given that the current letter is a, is 0.5.

25 Password Management

26 Viruses and Other Malicious Content computer viruses have got a lot of publicity one of a family of malicious software effects usually obvious have figured in news reports, fiction, movies (often exaggerated) getting more attention than deserve are a concern though 26

27 Malicious Software/ Digital Pests Trojan horse A program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect Virus A set of instructions that inserts copies of itself into other programs Worm A program that replicates itself on other machines across a network Bacteria/rabbit A free-standing program that absorbs all of some class of resource Trapdoor An undocumented entry point in a program Logic bomb A program that performs an action when some external event occurs Zombie Malicious instructions on comprised machines used to launch attacks 27

28 How do they spread from machine to machine? Floppy or CD-R, CD-RW Resource sharing Log into the other machine Mobile programs Program bugs Buffer overflow 28 28

29 Malicious Software 29

30 Multiple-Threat Malware malware may operate in multiple ways multipartite virus infects in multiple ways eg. multiple file types blended attack uses multiple methods of infection or transmission to maximize speed of contagion and severity may include multiple types of malware 30

31 Viruses What are computer viruses? How viruses spread? Viruses phases? piece of software that infects programs modifying them to include a copy of the virus so it executes secretly when host program is run specific to operating system and hardware taking advantage of their details and weaknesses a typical virus goes through phases of: dormant propagation triggering execution 31

32 Virus Structure A virus is a piece of software that can "infect" other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs. Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage. Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase. Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself. Execution phase: The function is performed, which may be harmless, e.g. a message on the screen, or damaging, e.g. the destruction of programs and data files 32

33 Virus Structure 33

34 Compression Virus 34

35 Virus Classification boot sector file infector macro virus encrypted virus stealth virus polymorphic virus metamorphic virus 35

36 Macro Virus became very common in mid-1990s since platform independent infect documents easily spread exploit macro capability of office apps executable program embedded in office doc often a form of Basic more recent releases include 36

37 Viruses more recent development e.g. Melissa exploits MS Word macro in attached doc if attachment opened, macro activates sends to all on users address list and does local damage then saw versions triggered reading hence much faster propagation 37

38 Virus Countermeasures prevention - ideal solution but difficult realistically need: detection identification removal if detect but can t identify or remove, must discard and replace infected program 38

39 Anti-Virus Evolution virus & antivirus tech have both evolved early viruses simple code, easily removed as become more complex, so must the countermeasures generations first - signature scanners second - heuristics third - identify actions fourth - combination packages 39

40 Generic Decryption runs executable files through GD scanner: CPU emulator to interpret instructions virus scanner to check known virus signatures emulation control module to manage process lets virus decrypt itself in interpreter 40

41 Digital Immune System 41

42 Behavior-Blocking Software 42

43 Firewall Capabilities & Limits capabilities: defines a single choke point provides a location for monitoring security events convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs limitations: cannot protect against attacks bypassing firewall may not protect fully against internal threats improperly secure wireless LAN laptop, PDA, portable storage device infected outside then used inside

44 Types of Firewalls

45 Packet Filtering Firewall applies rules to packets in/out of firewall based on information in packet header src/dest IP addr & port, IP protocol, interface typically a list of rules of matches on fields if match rule says if forward or discard packet two default policies: discard - prohibit unless expressly permitted more conservative, controlled, visible to users forward - permit unless expressly prohibited easier to manage/use but less secure

46 Packet Filter Rules

47 Packet Filter Weaknesses weaknesses cannot prevent attack on application bugs limited logging functionality do no support advanced user authentication vulnerable to attacks on TCP/IP protocol bugs improper configuration can lead to breaches

48 Stateful Inspection Firewall reviews packet header information but also keeps info on TCP connections typically have low, known port no for server and high, dynamically assigned client port no simple packet filter must allow all return high port numbered packets back in stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections only allow incoming traffic to high-numbered ports for packets matching an entry in this directory may also track TCP seq numbers as well

49 Application-Level Gateway acts as a relay of application-level traffic user contacts gateway with remote host name authenticates themselves gateway contacts application on remote host and relays TCP segments between server and user must have proxy code for each application may restrict application features supported more secure than packet filters but have higher overheads

50 Circuit-Level Gateway sets up two TCP connections, to an inside user and to an outside host relays TCP segments from one connection to the other without examining contents hence independent of application logic just determines whether relay is permitted typically used when inside users trusted may use application-level gateway inbound and circuit-level gateway outbound hence lower overheads

51 Examples of Firewalls Windows Defender (Application level) IP Tables (Packet level) SOCKS (circuit-level) MAC OS X personal firewall SNORT?

52 Example Connection State Common to have along with Network Address Translation and Port Address Translation (NAT and PAT) SrcAddr SrcPort DestAddr DestPort Status Status may be established, expired, ended, etc.

53 Distributed Firewalls

54 Intrusion Prevention Systems (IPS) recent addition to security products which inline net/host-based IDS that can block traffic functional addition to firewall that adds IDS capabilities can block traffic like a firewall using IDS algorithms may be network or host based

55 Host-Based IPS identifies attacks using both: signature techniques malicious application packets anomaly detection techniques behavior patterns that indicate malware can be tailored to the specific platform e.g. general purpose, web/database server specific can also sandbox applets to monitor behavior may give desktop file, registry, I/O protection

56 Network-Based IPS inline NIDS that can discard packets or terminate TCP connections uses signature and anomaly detection may provide flow data protection monitoring full application flow content can identify malicious packets using: pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly