USDA Cyber Security Awareness IDS Briefing
Gregory Tepe, Director, Federal Security Solutions
Topics
The need for Intrusion Detection
IDS Definitions
IDS Components
Q&A
Why do Federal Agencies need IDS?
The threat is real
— Insider (contractors, co-location facilities, malicious employees)
— Outsider (external hackers, mistaken network security tests, foreign governments)
When an attack occurs (and it will) companies will limit exposure, perform accurate damage assessment and have evidence for potential legal action
Not a question of whether to install but which IDS to install
Why do Federal Agencies need IDS?
Prevent problems by increasing the perceived risk of discovery, i.e. deterrence
Detect problems that are not prevented by other security measures
— uncorrected known vulnerabilities
— open paths through firewalls
— DMZ locations
Detect preliminary attacks
— probes
— sweeps
— scans
Why do Federal Agencies need IDS?
Data Collection
— monitor and document the threats
— itemize and characterize internal and external threats
— incident handling
— recovery efforts
— investigation
Regulatory Measures Affecting Information Security
HIPAA—Healthcare Information Portability Accountability Act in the U.S.
Gramm-Leach-Bliley—Established standards for financial institutions to protect customer information.
British Standard BS7799—Divides the security policy into a five-step, cyclical process.
The EU Data Protection Act – Establishes a high level of protection for the free movement of personal data within the European Union.
More Susceptibility to Hackers
Growing complexity of threats
— More sophisticated attackers looking to cause more damage
— Blended threats
Insider attacks still predominant
Vulnerabilities are proliferating – configuration deficiencies & published lists
Hacker tools make attacks easier
Security perceived as a need, like insurance
Threats are increasing
Internal Threats
— Clueless users
— Disgruntled employees
— Downsized trusted users
— Embezzlers
External Threats
— Corporate Spies
— Criminals
— “kiddie scripts”
— Terrorists
Because locks are not enough . . .
In 2001, U.S. businesses lost over $375 million to computer crime, but only 37% of the respondents could quantify the loss.
FBI estimates that well over half of the computer crime actually comes from inside the organization.
One of the biggest problems facing managers today is not having enough trained system administrators on-hand to properly configure and maintain their information resources.
CSI/FBI 2001 U.S. Security Survey - Dollar Loss by Type of Attack
Theft of Information: $151,230,100
Financial Fraud: $92,935,500
Virus: $45,288,150
Insider Net Abuse: $35,001,650
System Penetration: $19,066,600
Telecom Fraud: $9,041,000
Laptop Theft: $8,849,000
Unauthorized Insider Access: $6,064,000
Sabotage: $5,183,100
Denial of Service: $4,283,600
Telecom Eavesdropping: $886,000
Economic Impact of High-Tech Crimes in the U.S.
Average computer crime: $500,000
Average bank fraud: $25,000
Average bank robbery: $2,500
Managing Your Risk
Security is about managing risk – risk of:
— Loss of operational capability
— Loss of trust
— Financial loss and fraud
Risk is a function of:
— ASSET VALUE
< The value of the assets you are trying to protect
— THREATS
< Forces and entities which could bring harm to your assets
< Direct (e.g., hackers, employees) and indirect (e.g., flood, war)
— VULNERABILITIES
< Areas of weakness in processes, people and technology that would allow a threat to materialize.
IDS Asset Value
How much is your brand worth?
How much is your credibility worth?
How much is your network worth?
How much are your systems worth?
How much is your intellectual property worth?
Why do Federal Agencies need IDS?
A balanced defense for an in-depth security architecture
Firewalls and VPNs are not enough - a balanced and effective information security program requires both preventive and detective controls.
— Preventive Controls
< Systems put in place to prevent misuse and attack from occurring and/or succeeding, for example:
– Two-factor authentication (thumbprint scanner and password)
– Firewalls
– Virtual Private Networks
— Detective Controls
< Systems put in place to detect misuse/attack when preventive controls cannot be put in place or fail, for example:
– Reviewing system audit logs
– Intrusion detection systems
Intrusion Detection Systems
Intrusion DETECTION, not Intrusion CORRECTION
— “Sniffs” packets and detects potential threats
— Can store packets for later session re-creation
— MUST be monitored for proper security implementation
Searches IP packets
— Patterns in packets; “/cgi-bin/phf”
— Patterns of packets; port scans & sweeps
— Patterns that should not be there; illegal web servers
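The three pattern types on this slide, worked through as an added example (not code from the briefing): a toy sensor that runs a byte signature ("/cgi-bin/phf"), a port-scan heuristic and a rogue-web-server check over a constructed packet capture. The threshold, the approved-server list and all addresses are assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Constructed sample capture: (src_ip, src_port, dst_ip, dst_port, payload)
PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    ("10.0.0.5", 40002, "192.0.2.10", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
    # one source touching six different ports on one host: a port scan
    ("10.0.0.9", 50001, "192.0.2.10", 21, b""),
    ("10.0.0.9", 50002, "192.0.2.10", 22, b""),
    ("10.0.0.9", 50003, "192.0.2.10", 23, b""),
    ("10.0.0.9", 50004, "192.0.2.10", 25, b""),
    ("10.0.0.9", 50005, "192.0.2.10", 80, b""),
    ("10.0.0.9", 50006, "192.0.2.10", 443, b""),
    # an HTTP response from a host:port that is not an approved web server
    ("192.0.2.44", 8080, "10.0.0.7", 40003, b"HTTP/1.0 200 OK\r\n"),
]

# Pattern IN a packet: byte signatures (the slide's "/cgi-bin/phf")
SIGNATURES = {b"/cgi-bin/phf": "phf CGI probe"}
# Pattern OF packets: distinct destination ports from one source to one host
SCAN_PORT_THRESHOLD = 5  # assumed tuning value
# Pattern that should not be there: the only web servers allowed to answer
AUTHORIZED_WEB_SERVERS = {("192.0.2.10", 80)}  # assumed inventory


def analyze(packets):
    """Return a list of (alert_type, host, detail) tuples."""
    alerts = []
    ports_seen = defaultdict(set)  # (src_ip, dst_ip) -> set of dst ports
    for src, sport, dst, dport, payload in packets:
        for sig, name in SIGNATURES.items():
            if sig in payload:
                alerts.append(("signature", src, name))
        ports_seen[(src, dst)].add(dport)
        # a server reply from an unapproved host:port reveals an illegal web server
        if payload.startswith(b"HTTP/") and (src, sport) not in AUTHORIZED_WEB_SERVERS:
            alerts.append(("rogue-server", src, f"web service on port {sport}"))
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("portscan", src, f"{len(ports)} ports on {dst}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(PACKETS):
        print(alert)
```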
What are Network Intrusion Detection Systems (NIDS)?
Burglar alarms of the network
— Can identify someone “casing” the environment
< port scan
— Will detect unauthorized access
< remote password attacks
< Breaches of the firewall
— Will detect system disruptions
< application buffer overflow
< Denial of Service
— Will sound the alarm
< 24x7 monitoring
— Will monitor and log forensic evidence to support the legal case
What are Host Based IDS (HIDS)?
HIDS - Burglar alarms for the Server
— Resides on a customer’s key servers
— Operating System Support< Linux
< Windows
< UNIX
— HIDS Alarms are correlated along with NIDS, Firewalls, and Routers
< System logs
< Kernel calls
< File monitoring
Network Sensor Key Features
High-bandwidth support
Multi-method attack detection
— Detection using a combination of signature, protocol and system anomaly based techniques to ensure no attack goes undetected
Open and customizable signatures
— Signatures available to the user. This is critical in tuning signatures and in developing signatures unique to the operating environment.
DOS Detection
— Network Sensor employs multiple methods, including signature and protocol analysis techniques, in identifying known and unknown DOS techniques, including distributed attacks.
Backdoor and rogue server detection
— NIDS ought to detect backdoors and rogue servers via many techniques including but not limited to protocol analysis, session analysis, and ICMP traffic profiling.
Network Sensor Ideal Features
Intrusion Prevention
— Event Sniping
< Terminate sessions via a TCP reset or ICMP unreachable message
— Shunning
< Configure ACLs on third-party firewalls and routers
Advanced buffer overflow detection
— Recognize unique patterns sent during an attack.
IDS evasion (protect the IDS from being a victim of DOS)
— IP de-fragmentation and TCP/UDP stream reassembly
— Protocol decoding
< HTTP, FTP, Telnet, RPC, SNMP
DOS countermeasures
— Techniques for defeating tools such as “stick” and “snot” that attempt to DOS an intrusion detection system.
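Why the stream reassembly listed above matters, as an added example (not code from the briefing): the constructed TCP segments below carry the slide's "/cgi-bin/phf" signature split across three segments, delivered out of order with a duplicate. Per-segment matching misses it; matching on the reassembled stream catches it. Sequence numbers and the gap-handling policy are assumptions.

```python
SIGNATURE = b"/cgi-bin/phf"

# Constructed segments of one TCP connection: (sequence_number, payload),
# delivered out of order and with one retransmitted duplicate.
SEGMENTS = [
    (1013, b"phf HTTP/1.0\r\n"),
    (1000, b"GET /cgi-"),
    (1009, b"bin/"),
    (1009, b"bin/"),  # duplicate retransmission
]


def per_segment_match(segments, signature):
    """Naive matching: inspect each segment on its own, as a sensor that
    does not reassemble streams would."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments, initial_seq):
    """Rebuild the byte stream in sequence order, dropping bytes already
    seen (duplicates/overlaps) and stopping at the first gap so that data
    after missing bytes is not matched prematurely."""
    stream = bytearray()
    expected = initial_seq
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > expected:
            break  # gap: wait for the missing segment
        fresh = payload[expected - seq:]  # skip the part already in the stream
        stream += fresh
        expected += len(fresh)
    return bytes(stream)


def stream_match(segments, signature, initial_seq):
    """Signature matching on the reassembled stream."""
    return signature in reassemble(segments, initial_seq)


if __name__ == "__main__":
    print("per-segment:", per_segment_match(SEGMENTS, SIGNATURE))
    print("reassembled:", stream_match(SEGMENTS, SIGNATURE, 1000))
```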
IDS Detection Techniques
Greater Visibility/Granularity
Greater Number of events
Superior Forensics
Greater Performance
Increased ease of use
[Packet diagram: bit stream 101010... with header fields P, SA, DA, L/T, SIP, DIP]
IDS vs. IPS
Performance
Latency
Accuracy
Host Sensor Key Features
Multi-method detection
— Log file analysis
< Host Sensor can analyze any file against a signature policy, whether it’s the system log, the security log, or the log for a custom built application.
— File attribute monitoring
< Monitoring of specific file attributes such as owner, group, permissions and file size for changes.
— File integrity checking (MD5)
< Monitoring files to determine if their content has been changed via MD5. This provides assurance that sensitive files that should not be modified have not been modified.
— Backdoor service monitoring
< Host Sensor can monitor a system for new TCP and UDP ports. This provides critical protection against backdoor services which can be used to allow unauthorized access through the firewall and/or be a staging point for a distributed denial of service or outright attack.
— Registry monitoring
< Host Sensor will analyze the Windows registry for attributes that should not be accessed and/or modified. This is essential in identifying attacks against often-targeted Microsoft servers.
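The file attribute monitoring and MD5 integrity checking described above, as an added example (not Host Sensor's code): a baseline of owner, group, permissions, size and content digest is taken, then compared after a constructed change. MD5 is used because the slide names it; a current deployment would use hashlib.sha256 in the same place. The file name and contents are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

WATCHED = ("owner", "group", "mode", "size", "md5")


def snapshot(path):
    """Record owner, group, permissions, size and an MD5 digest of the content."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.md5(f.read()).hexdigest()
    return {"owner": st.st_uid, "group": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode), "size": st.st_size, "md5": digest}


def compare(baseline, current):
    """Return (attribute, old, new) for every watched attribute that differs."""
    return [(k, baseline[k], current[k]) for k in WATCHED if baseline[k] != current[k]]


def demo():
    """Constructed scenario: baseline a config file, then change its content and
    permissions, and return the names of the attributes that changed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.conf")
        with open(path, "w") as f:
            f.write("listen=443\n")
        os.chmod(path, 0o644)
        baseline = snapshot(path)
        with open(path, "a") as f:  # content change -> size and md5 differ
            f.write("debug=true\n")
        os.chmod(path, 0o666)       # permission change -> mode differs
        return [attr for attr, _, _ in compare(baseline, snapshot(path))]


if __name__ == "__main__":
    print("changed:", demo())
```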
Host Sensor Key Features
Open and customizable signatures
— Signatures are available to the user. This is critical in tuning signatures and in developing signatures unique to the operating environment.
Off-host analysis
— Host Sensor can analyze events sent via SNMP or syslog to a log analysis server. This is critical in monitoring the security of systems where Host Sensor cannot be installed such as routers and legacy systems. It can also be used to extend security monitoring to custom applications.
Windows event log analysis
— Host Sensor will monitor the various Windows event logs for signs of misuse or attack.
Host Sensor Key Features
Enterprise Monitoring
— Web Server support
< Apache web server
< IIS web server
< Netscape web server
— FTP servers support
< IIS FTP server
< WU-FTP (FTP server)
— Application support
— Commercial Firewall Support
— Open Source Firewall Support
Q & A