Intruders

Topics
  Intruders
  Intrusion detection
  Password management

Intruders
Also known as hackers or crackers
One of the most publicized threats to security
Three classes:
  Masquerader: Someone not authorized to use a computer; penetrates access controls to exploit a legitimate account
  Misfeasor: A legitimate user who accesses unauthorized resources or misuses privileges
  Clandestine user: Someone who gains supervisory control and evades or suppresses auditing and access controls

Intruders
Attacks range from harmless to devastating
  Some just want to explore
  Some read or modify sensitive data or cause disruptions
No way to tell in advance how harmful an intruder will be
Any intruder must be considered a threat

Example: Texas A&M University in 1992
Received notification that one of their computers was attacking computers at a different location
Several outside intruders involved
The machines were disconnected by the university and security holes were patched
A few days later, attacks resumed
Found hundreds of captured passwords in files
Found a bulletin board (on one of their machines) used by hackers for discussion of techniques and progress

Intrusion techniques
Objective:
  Gain access to a system
  Or, gain more privileges on a system
Generally requires the intruder to access protected information
  Most likely, a password to a user’s account
Password file
  Passwords may be hashed (one-way function)
  Or, may only be accessible by certain accounts

Intrusion techniques
Learning a password
  Try default passwords for the system
  Guess
    Brute force it
    Dictionary words
    Commonly used passwords (e.g., “password”, “admin”)
    Personal information about user (e.g., name, address, phone number)
  Trojan horse to bypass security
  Tap line between user and system

Intrusion techniques
Exploit security holes
  Buffer overflows in a program running with privileges
    Run unauthorized instructions
  System does not check for invalid user input
    Disrupts data integrity
    Also run unauthorized instructions
  Software bugs

Intrusion detection
Motivated by:
  If the intruder can be detected and ejected quickly, damage to the system is minimized
  If effective, acts as a deterrent
  Collecting information about intrusion techniques
Based on assumption that an intruder behaves differently than a legitimate user
  Behaviour overlaps
  Potential for false positives or negatives

Intrusion detection
Balancing act
  Strong detection… many false alarms; system managers will ignore them
  Weak detection… false sense of security
Two approaches:
  Statistical anomaly detection
  Rule-based detection

Audit records
A record of user activity that is used as input to an intrusion detection system
Two types:
  Native
    Information collected by operating system
    May not contain relevant information or may not be in convenient form
  Detection-specific
    Facility implemented that collects information only needed by detection system
    Extra overhead due to having multiple collection systems in place
Example fields: subject, action, object (recipient), exception condition, resource usage, timestamp

Statistical anomaly detection
Over a period of time, data about the behaviour of legitimate users is collected
Statistical tests applied to determine whether the behaviour is legitimate or intrusive

Statistical anomaly detection
Two categories:
  Threshold detection
    The number of times an event occurs is counted over a period of time
    If the count is not a reasonable number, assume an intrusion
    Not very effective; may generate lots of false positives or negatives
  Profile-based
    Characterizes past behaviour of users and detects significant deviations
    Based on a set of parameters: counters, gauges, interval timers, resource utilization
    Tests are performed on this data to determine if behaviour is acceptable or not
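Both categories run over the audit-record fields listed earlier. The following is an added example (not part of the lecture) that applies threshold detection to repeated failed logins and profile-based detection to resource usage; the audit records, the per-user profiles, the limit of 5 attempts per 60 seconds and the 3-standard-deviation cutoff are all constructed values.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed audit records using the example fields from the slides:
# (subject, action, object, exception condition, resource usage, timestamp)
AUDIT = [
    ("bob", "login", "host1", "bad-password", 0, 101),
    ("bob", "login", "host1", "bad-password", 0, 102),
    ("bob", "login", "host1", "bad-password", 0, 103),
    ("bob", "login", "host1", "bad-password", 0, 104),
    ("bob", "login", "host1", "bad-password", 0, 105),
    ("alice", "login", "host1", "", 0, 106),
    ("alice", "read", "/home/alice/notes", "", 12, 110),
    ("bob", "read", "/srv/db/customers", "", 900, 111),
]
# Constructed per-user profiles: past resource usage of "read" actions
PROFILES = {"alice": [10, 12, 9, 11, 13], "bob": [40, 55, 45, 50, 60]}


def threshold_detect(records, action, exception, limit, window):
    """Threshold detection: flag subjects for whom the event (action plus
    exception condition) occurs at least `limit` times within `window` seconds."""
    times = defaultdict(list)
    for subj, act, _obj, exc, _usage, ts in records:
        if act == action and exc == exception:
            times[subj].append(ts)
    flagged = set()
    for subj, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i  # count events in the window starting at stamps[i]
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= limit:
                flagged.add(subj)
                break
    return flagged


def profile_detect(records, profiles, action, k=3.0):
    """Profile-based detection: flag a record whose resource usage lies more
    than k standard deviations from the subject's historical mean."""
    flagged = []
    for subj, act, obj, _exc, usage, ts in records:
        if act != action or subj not in profiles:
            continue
        hist = profiles[subj]
        mu, sigma = mean(hist), pstdev(hist)
        sigma = sigma or 1.0  # constant history: avoid dividing by zero
        if abs(usage - mu) / sigma > k:
            flagged.append((subj, obj, ts))
    return flagged
```

The threshold test is blind to the 900-unit read, and the profile test is blind to the five failed logins; each category catches what the other misses, which is why the slides treat them as complementary.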

Rule-based detection
Attempts to define a set of rules with regards to what is legitimate or intrusive behaviour

Rule-based detection
Two categories:
  Anomaly detection
    Similar to statistical anomaly detection
    Usage patterns are identified and rules are generated to describe such patterns in behaviour
    Current behaviour is observed and compared to past behaviour
  Penetration identification
    Rules are defined with regards to known penetrations, ways to exploit system weaknesses, and suspicious behaviour
    Rules are generated by experts; interviews are conducted with administrators, security analysts, or hackers themselves

Distributed intrusion detection
A detection system that monitors behaviour across a network of systems
Major issues to consider:
  May need to deal with multiple formats of audit records
  Audit records will need to be transferred through the network to a node with the detection system
    Data integrity and confidentiality
  Centralization
    One node… single point of failure
    Many nodes… must coordinate

Honeypots
Decoy systems used to distract an intruder
Designed to:
  Divert intruder from gaining access to critical systems
  Collect information about their activities
  Delay them long enough so that administrators can respond
Appear valuable, but cannot be accessed by a legitimate user
  Intruder touches a honeypot… immediately suspected
Could be a single computer or alternate network where the real network is emulated

Password management
A password system is almost always the front line of defense
Each user has a username (or ID) and password
  Username determines what privileges that user has
  A guest or anonymous account may also exist with very limited privileges
  Password is used for authentication when logging in

Password vulnerabilities
A password file typically does not store passwords as plaintext
  A unique salt (e.g., username) is attached to a user’s password, encrypted using some algorithm, then stored
  Having obtained the password file, an intruder would need to decrypt the passwords contained in it… not necessarily an easy task
This is fine, but… if someone’s password is “password”, it doesn’t matter how secure your password file is
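An added example (not from the lecture) of the salted password file described above, using the one-way function approach from the earlier slide (PBKDF2-SHA256 here) rather than a reversible cipher. It assumes a random 16-byte salt per user instead of the username the slide mentions, and an iteration count of 100,000; the password file and the list of commonly used passwords are constructed. The last function is the reactive checker from the password-selection slides: the system itself checks its stored entries against the short list, which is exactly why a password of “password” is weak regardless of how the file is protected.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed; tune to the hardware)


def make_entry(username, password, salt=None):
    """Build a password-file entry. The password itself is never stored:
    a per-user salt is attached and the pair goes through a one-way function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex()}


def verify(entry, password):
    """Authenticate by recomputing the hash with the stored salt and comparing
    in constant time. Nothing is decrypted; the stored value is only re-derived."""
    salt = bytes.fromhex(entry["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), entry["hash"])


def reactive_check(entries, weak_list):
    """Reactive password checker: report users whose stored entry matches any
    password on a short list of commonly used ones, so they can be notified."""
    return [e["user"] for e in entries if any(verify(e, w) for w in weak_list)]


# Constructed password file and constructed list of commonly used passwords
PASSWORD_FILE = [
    make_entry("alice", "correct horse battery staple"),
    make_entry("bob", "password"),
]
COMMON_PASSWORDS = ["password", "admin", "123456"]
```

Because each user has a distinct salt, two users with the same password get different stored hashes, so a match found for one entry says nothing about the others.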

Password vulnerabilities
Some people choose passwords that are easy to guess
  Dictionary words
  Personal information
  Or, too short in length
    System may enforce a minimum length
Strategy to obtain a password
  Try personal information
  Try dictionary words
  Try exchanging letters with lookalike symbols (e.g., letter O with number zero)
  Try varying capitalization
This allows for a password to be obtained without having to actually decrypt the password file

Password vulnerabilities
Password file is most likely only accessible by certain accounts
Some users may use the same password for a variety of systems
  Intruder may obtain their password from one system and try it on another

Password selection
Users may choose a password that is easy to remember… insecure because easily guessable
System may assign a randomly generated password… secure, but not easy to remember
Goal: generate a password that is not easy to guess, but is easy to remember

Password selection
Four techniques:
  User education: Provide user with guidelines on how to select a strong password
  Computer-generated passwords: Use an algorithm (e.g., produce a password with pronounceable syllables) to generate a user’s password
  Reactive password checking: The system runs its own password checker and informs users who have weak passwords
  Proactive password checking: A user selects a password and the system will reject any that are weak based on some guidelines
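An added example (not part of the lecture) of a proactive password checker that rejects exactly the choices the earlier “strategy to obtain a password” slide lists: it enforces a minimum length, and it undoes capitalization and lookalike substitutions (letter O for zero and similar) before comparing against dictionary words and the user’s personal information, so that a substituted spelling of a weak password is caught. The dictionary, the lookalike table and the 12-character minimum are constructed policy values.

```python
# Constructed inputs: a tiny dictionary of common words/passwords and the
# lookalike substitutions a guesser would try (letter O vs. zero, etc.)
DICTIONARY = {"password", "admin", "dragon", "welcome", "letmein", "monkey"}
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
MIN_LENGTH = 12  # assumed policy value


def normalize(text):
    """Undo what a guesser would vary: ignore capitalization and map lookalike
    symbols back to the letters they imitate."""
    return text.translate(LOOKALIKES).lower()


def check_password(password, personal_info=(), dictionary=DICTIONARY,
                   min_length=MIN_LENGTH):
    """Proactive password check: return the list of reasons the password is
    rejected (an empty list means it is accepted)."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    core = normalize(password)
    # Compare against the dictionary after normalization, so that
    # "P@ssw0rd" is treated the same as "password".
    hits = sorted(w for w in dictionary if w in core)
    if hits:
        reasons.append("contains dictionary word(s): " + ", ".join(hits))
    # Personal information (name, phone, ...) is normalized the same way,
    # so digits written as lookalike letters still match.
    for item in personal_info:
        norm_item = normalize(item)
        if len(norm_item) >= 3 and norm_item in core:
            reasons.append("contains personal information: " + item)
    return reasons


def is_acceptable(password, personal_info=()):
    """Convenience wrapper: True when the proactive check finds no problems."""
    return not check_password(password, personal_info)
```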