Transcription

1 IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS and honeypots can serve in this role by monitoring the traffic traversing the network. Second layer is responsible for monitoring computer systems for malicious activity. HIDS and honeypots have this duty. HIDS are implemented as software on productionsystems to continually monitor actions on these systems. Honeypots can also help organisations to understand what system attacks are being directed against them. Third layer is the analysis of the data collected by the intrusion detection devices over time. By understanding the trends and types of attacks that are occurring, organizations divert security resources to the most vulnerable area. Fourth layer is current news such as traditional media, websites and newsgroups that offer information about current attacks or increases in malicious activity. Using all of these layers, security professionals can proactively monitor a network and block attacks before they occur. FOUR (4) detective controls that could be utilised to maintain system security. Antivirus Antivirus software is detective in that it catches malicious software code when it appears on the computer system. Updating antivirus software has become easier in the last few years. Antivirus companies have come up with innovative ways to help organizations automatically update and track antivirus signature and software. Auditing and logging The basic operation of a system logging facility is to collect information from the operating system or application whenever specific actions occur. There are similar items usually audited; namely logs cleared, logon failures and successes, system restarts and shutdowns, right changes or group membership changes and object accesses. Firewall Protection which can be implemented as software applications or hardware devices and is designed to restrict access between networks. For remote or mobile workers who may use a personal ISP to connect to the corporate network, system firewalls can help to ensure that malicious traffic cannot originate from these remote computers. Host Intrusion Detection Systems Sensors that are installed directly on production computer systems to monitor a wide range of activities which occur on the system. Among the functions are to monitor incoming network connections for malicious activity and to act as log analysis tools to monitor log files created by the operating system and installed applications. Policy Verification The activity of ensuring that systems meet the established security policy. Examine all user accounts to make sure that passwords have been changed according to guidelines. Check password policies to ensure that the system requires password changes at regular intervals. Check that auditing Techniques utilised by honeypots to trap an attacker. Delaying network responses is a popular method. By configuring the network drivers to respond more slowly as more requests are made, the attacker is forced to wait for responses to his actions.

2 Some honeypots can also respond with errors or deceptive messages to tease the abuser into continuing. The honeypot allows inbound connections to connect only for a short period of time. After the time period is up, the honeypot drops the network connection and forces the attacker to reconnect. The trapping system lets an inbound connection make only a finite number of requests before dropping the connection. The honeypot denies all inbound connections. As the abuser tries to find open network ports, the victim system records and reports all activity. The victim system runs services and applications as a non privileged user. This gives limited access to the system reducing the ability to cause harm. The use of filtering and summation techniques to efficiently reduce false positives. 8 Filtering: Filtering is a common mechanism used for reducing false positives. Filtering is achieved by configuring a sensor so that instead of reporting every event, it reports only those that could be successful. For example, one company has only web servers running the Linux operating system. In order to monitor Internet traffic, the company deploys NIDS sensors in the network. However, the NIDS sensors report malicious activity that matches known attacks for Web servers running the windows operating system. These attacks, however, are not valid because there are no Web servers running Windows. Although filtering out these events is commonsense, it does present some danger. This malicious activity, although not successful, may still warrant careful monitoring. This trade-off between false positive suppression and detecting all malicious activity is a larger challenge for all intrusion detection systems. Summation: Summation is another technique commonly used to reduce false positives. IDS sensors have signatures to detect packets that may be part of a DOS attack. If the instruction detection system reports an event for every malicious packet received, the effect can cause an indirect denial of service on the intrusion detection system itself. These events are not harmful if seen a few at a time, but hundreds or thousands at a time spell trouble. By summarising events, the sensor can be configured so that it only generates events when it detects 10 packets or 100 packets that match a signature. The risk of summation is slightly less than the risk in filtering, because events are not removed. False positives such a problem in intrusion detection The single largest problem in intrusion detection sensors is their tendency to generate a large number of false positives. In a general sense, a false positive is an event that incorrectly reports malicious activity. False positives can overwhelm the IDS to the extent that real attacks go undetected. The constant influx of false positives can cause the people monitoring the IDS to ignore much of the incoming activity - including valid malicious activity.

3 Popular examples of a honeypot. A computer system that is built to be secure and generates an event for any computer that attempts to bypass its security controls. A computer that was formerly a company s Web server. A Linux server that is configured to respond like a Windows machine to record malicious attacks against Windows hosts. A server that that has a tool installed to decrease response times to incoming requests. Briefly describe the Division B requirements defined by the Trusted Computer System Evaluation Criteria (TCSEC) standard to meet the security requirements of the United States Department of Defense (DoD). Division B Mandatory Access Controls Systems and applications classified in this division have mandatory access controls in place. Within these types of systems, each subject (e.g., user, application or process) must be assigned a level that signifies what level of information the subject can access and each object (e.g. file, directory or network connection) must also be labelled signifying the level of security necessary to access this information. Mandatory access controls then ensure that each subject is authorised to access each object. With mandatory access controls the access policy is objectively based on user identity and access level. ETHICAL HACKING: Ethical hacking is a type of security testing that enables IT organisations to objectively view the strengths and weaknesses of their security policies and procedures. With this type of testing, trusted employees pose as abusers to uncover possible avenues of attack. Benefits of security testing. Audits that measure an IT environment against security best practices help to determine if existing security policies and controls are sufficient. Security testing is more accurate than audits in determining whether current security controls are sufficient because ethical hackers actually try to breach security defences. By acting as an abuser, the ethical hacker can use all possible methods to uncover exposures and vulnerabilities. An unfortunate side effect of sitting inside fortified castle walls is that the defending organisation does not have the same view as attackers. The friendly forces that simulate an attack can report weakness in defences. The analogy applies to testing. A variety of tools compliance checking, security advisory service and IDS can identify the exposures that must be fixed. Organisations must then direct a significant work effort to close the exposures. Security testing can help to determine whether the vulnerabilities were actually fixed and verify or refute the success of security remediation.

4 SIX (6) items required by the Trusted Computer System Evaluation Criteria (TCSEC) security standard. Security policy: There must be an explicit and well-defined security policy enforced by the computer system. Marking: Access control labels must be associated with the information stored on a computer system. Identification: Access to sensitive information must be regulated by the proven identity of a user and based on the access level granted to the user. Accountability: Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party. Assurances: The computer system must contain hardware and software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the first four requirements in this list. Continuous protection: The trusted mechanisms that enforce these basic requirements must be continuously protected against tampering and unauthorized changes. Purpose of using the ping utility in an operating system. The ping utility is often used to check whether a computer is connected to the network. Ping can also quickly test the responsiveness of a target server and ensure that the server is operational. In additional, by running ping against a list of servers also referred to as ping sweeps, testers can quickly determine which IP addresses are active on the target network. The purpose of having the Kerberos function in the UNIX system. Kerberos is an authentication technology to ensure that passwords could not be intercepted while in transit over the network Using secret-key technology, Kerberos encrypts passwords before sending them over the network thereby greatly reducing the chances that passwords can be intercepted by abusers using packet sniffers Kerberos implements symmetric encryption to hide the authentication communication between the user requesting access to a network resource (e.g. files on a server, remote printer, remote application) and the system controlling access. The term principle of least privilege in the context of access control. To ensure the highest level of security, administrators should use the principle of least privilege, which states that each user should be granted no more privileges than those necessary for him to do his job. Administrators should start by granting everyone no rights to data and when business needs dictate, grant access to data in accordance with established security policies. This approach ensures that access is denied to any files that do not have explicit access granted. The use of TWO (2) probing tools available in most operating systems. Ping The Ping utility is often used to check whether a computer is connected to the network. In relation to security testing, ping can quickly test the responsiveness of a target server and

5 ensure that the server is operational. In addition, by running ping against a list of servers, also referred to as ping sweeps, testers can quickly determine which IP addresses are active on the target network. Traceroute The traceroute utility allows a tester to view the route an IP packet follows in travelling from one host to another. Using traceroute the tester can not only determine how many devices exist between him and the target server, but also list the server name and IP address of each intermediary device, listing the paths by which network traffic reaches the destination, a tester can successfully sketch out the network architecture of the target organization. The purpose of security testing and THREE (3) of its benefits. Security testing is used to view the strength and weaknesses of an organizations security policies and procedures. The benefit of security testing is that it identifies the problems before the abusers can. Benefits: To help to determine if existing policies and controls are sufficient. To help to report the weakness in defences. To help to determine whether the vulnerability were actually fixed or not. The purpose of security auditing. The purpose of security auditing is to periodically compare the environment against established standards and to verify that the proper controls are in place. Audits can be applied to any area of controls whether they are financial, business, governmental, operational, or security. Example: Accounting may have financial auditors review current accounting practices, or the IT Department may have a technology review to ensure that system architecture and capacity is adequate to meet user needs. Audits usually carry a good deal of weight because the results come from a trusted, objective third-party and are normally presented to senior management. FOUR (4) major components of public-key infrastructure (PKI). PKI is designed to manage the keys necessary to perform public-key encryption. PKI consists of: 1. digital certificates, 2. a certificate authority (CA), 3. a registration authority (RA), 4. certificate directory and a key backup and recovery server. How boot loaders and consoles are used to implement physical security in UNIXsystems. Boot loaders: A boot loader is a program that accepts a hand-off from BIOS and initiates the boot sequence for the operating system. With Red Hat Linux, the default boot loaders LILO and GRUB can both be configured to require passwords. Console: Access to a system s console can be restricted in a number of ways that also limit or totally eliminate user privileges to access system devices, shutdown commands, or other privileged resources.

6 The operations of auditing and logging. Auditing refers to the tracking of specific events on the system and recording them in a system log. Auditing can also refer to the action of reviewing system settings to ensure that they match the security policy. As a detective control, logging is perhaps one of the best ways to get a picture of what is happening or what happened on a system. The basic operation of a system logging facility is to collect information from the operating system or application whenever specific actions occur. The standard guidelines for restoring Windows systems. Keep any and all original software media from which to restore the system. Because abusers can replace the default system commands and utilities, never trust that system integrity on an attacked system is intact. Have a good backup methodology in place to back up data. Backup or use a commercial product like ArcServeIT, NetBackup, or NetWorker. Once a system has been rebuilt using original media and backup can be verified, a backup will allow an organization to restore critical data. Periodically test backups to ensure data is being archived properly. It may be necessary to keep a spare computer system handy to perform a full backup and test the integrity of the data. Briefly describe the following probing tools available in most operating systems: i) Ping ii) Traceroute iii) Telnet and FTP iv) Nbtstat i. The ping utility is often used to check whether a computer is connected to the network. Ping can also quickly test the responsiveness of a target server and ensure that the server is operational. In addition, by running ping against a list of servers, also referred to as ping sweeps, testers can quickly determine which IP addresses are active on the target network. ii. The traceroute utility allows a tester to view the route an IP packet follows in travelling from one host to another. Using traceroute the tester can not only determine how many devices exist between him and the target server, but also list the server name and IP address of each intermediary device. By listing the paths by which network traffic reaches the destination, a tester can successfully sketch out the network architecture of the target organization. iii. Although both Telnet and FTP can be used innocuously for remote system management and file transfers, both can also be used to probe the target network. The Telnet client can also be used to grab information from Web servers. iv. The utility nbtstat is included with most versions of Windows to display the Windows, logged on users, MAC address, and other information used in NetBT communications. Like ping, the nbtstat command can only query one system at a time and display its output.