intrusion detection presentation

IT AUDIT: INTRUSION DETECTION SYSTEMS, MUSTAFA SHAH

Upload: mustafash79

Post on 15-Jan-2015


DESCRIPTION

Audit issues and points in auditing Intrusion Detection Systems.

TRANSCRIPT

Page 1: Intrusion Detection Presentation

IT AUDIT

INTRUSION DETECTION

SYSTEMS

MUSTAFA SHAH

Page 2: Intrusion Detection Presentation

INTRODUCTION

INTRUSION DETECTION: the process of monitoring events occurring in a computer system or network and analyzing them for signs of intrusions

Intrusions are attempts to compromise the Confidentiality, Integrity, Availability, and Control of a computer network

Page 3: Intrusion Detection Presentation

OVERVIEW

Intrusion detection allows organizations to protect their systems from threats that come from increasing network connectivity and information systems

ID is an important part of the Security Infrastructure:
- Firewalls
- Password Authentication
- Encryption
- Anti-virus software
- Incident response plan

Page 4: Intrusion Detection Presentation

TYPES

Network-Based Intrusion Detection:
- Monitors traffic on the network
- Examines packets as they pass by a sensor
- Packets are examined to see if they match a signature: String signature, Port signature, Header signature

Port     State   Service
104/tcp  open    acr-nema
655/tcp  open    unknown
658/tcp  open    unknown
670/tcp  open    unknown
723/tcp  open    unknown
725/tcp  open    unknown
727/tcp  open    unknown
728/tcp  open    unknown

Page 5: Intrusion Detection Presentation

TYPES

Host-Based IDS:
- Works by intercepting operating system and application calls on an individual host
- Checks the integrity of system files
- Watches for suspicious processes

Page 6: Intrusion Detection Presentation

METHODS

Knowledge-Based:
- Applies knowledge about specific attacks and system vulnerabilities
- Contains information about these vulnerabilities
- An alarm is triggered when an attempt is detected
- Completeness depends on regular update of knowledge about attack methods

Page 7: Intrusion Detection Presentation

METHODS

Behavior-Based:
- Intrusion can be detected by observing a deviation from normal behavior
- Maintain a model of expected behavior and compare activities against this model
- An alarm is generated when a deviation is observed
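To make the network-based signature types (page 4) and the knowledge-based versus behavior-based methods (pages 6 and 7) concrete, here is an added example that is not part of the slides: a toy IDS that runs string, port and header signature checks and a learned port-usage baseline over constructed packet records. All IP addresses, ports and payloads are made up for the example.

```python
# Added example (not from the slides). Records are (src_ip, dst_port, tcp_flags, payload); none are real captures.
NORMAL_TRAFFIC = [  # constructed "training" period used to build the behavior baseline
    ("10.0.0.5", 80, "S", b"GET / HTTP/1.1"),
    ("10.0.0.5", 443, "S", b""),
    ("10.0.0.7", 22, "S", b""),
    ("10.0.0.7", 25, "S", b""),
    ("10.0.0.7", 80, "S", b""),
]

SUSPECT_TRAFFIC = [  # constructed packets containing one case for each detection method
    ("10.0.0.5", 80, "S", b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, "S", b"GET /cgi-bin/../../etc/passwd HTTP/1.0"),  # string signature
    ("10.0.0.7", 31337, "S", b""),                                    # port signature
    ("10.0.0.9", 22, "SF", b""),                                      # header signature
] + [("10.0.0.8", port, "S", b"") for port in range(655, 800)]        # port sweep, no signature

# Knowledge-based method: the IDS holds a fixed set of known-bad patterns that must be kept current.
STRING_SIGNATURES = [b"/etc/passwd", b"../.."]   # byte strings looked for in the payload
PORT_SIGNATURES = {31337}                         # destination ports associated with known tools
HEADER_SIGNATURES = {"SF"}                        # illegal TCP flag combinations (SYN+FIN)

def signature_alerts(packets):
    """Return (src_ip, signature_type) for every packet matching a known signature."""
    alerts = []
    for src, port, flags, payload in packets:
        if any(sig in payload for sig in STRING_SIGNATURES):
            alerts.append((src, "string signature"))
        if port in PORT_SIGNATURES:
            alerts.append((src, "port signature"))
        if flags in HEADER_SIGNATURES:
            alerts.append((src, "header signature"))
    return alerts

# Behavior-based method: learn a model of normal activity, then alert on deviation from it.
def distinct_ports_per_host(packets):
    seen = {}
    for src, port, _, _ in packets:
        seen.setdefault(src, set()).add(port)
    return {src: len(ports) for src, ports in seen.items()}

def build_baseline(training):
    """The model: the most distinct ports any single host touched while behaving normally."""
    return max(distinct_ports_per_host(training).values())

def behavior_alerts(packets, baseline):
    """Return (src_ip, reason) for hosts whose port usage exceeds the learned baseline."""
    return [(src, f"{n} distinct ports > baseline {baseline}")
            for src, n in distinct_ports_per_host(packets).items() if n > baseline]
```

The port sweep from 10.0.0.8 matches no signature and is caught only by the behavior model, while the three signature hits are invisible to the baseline check; this is why the slides treat the two methods as complementary.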

Page 8: Intrusion Detection Presentation

DEPLOYMENT

- Behind each external Firewall in the network DMZ
- Outside an external Firewall
- On major backbones
- On critical subnets

Page 9: Intrusion Detection Presentation

RISK

Network Security is a crucial component of every company
- Loss of business
- Loss of intellectual property
- Loss of Reputation
- Stock price
- Loss of third-party confidence
- Legal implications: HIPAA 1996, Gramm-Leach-Bliley Act 1999, Homeland Security Act 2002, State Laws

Page 10: Intrusion Detection Presentation

Homeland Security Secretary Michael Chertoff speaks about computer security at the RSA Conference on information security in San Francisco, Tuesday, April 8, 2008. AP Photo/Paul Sakuma

Zombie Computers Decried As Imminent National Threat

Page 11: Intrusion Detection Presentation

ATTACK TYPES

- Scanning attacks
- Denial of Service
- Penetration attacks: User to Root, Remote to User

Authorized User, Public User

Page 12: Intrusion Detection Presentation

MALWARE

Infectious: Viruses, Worms

For Profit: Spyware, Adware, Botnets, Keystroke loggers

Page 13: Intrusion Detection Presentation

AUDIT CHECKLIST

Proactive Auditing and monitoring are essential

Page 14: Intrusion Detection Presentation

STEPS

- Examine Log Files
- Look for Unauthorized User Rights
- Look for Unusual or Hidden Files
- Check for Changes in Computer or User Policies
- Check for Odd User Accounts
- Check for Altered Permissions on Files or Registry Keys
- Audit for Intrusion Detection

Page 15: Intrusion Detection Presentation

AREAS

- Security policies, guidelines, and procedures
- Security awareness programs
- Software-based (Logical) Access controls, including: Change control, Data and program access, Audit trails, Access control software, Authentication procedures
- Hiring Policy for Network Administrators

Page 16: Intrusion Detection Presentation

SURVEY

Page 17: Intrusion Detection Presentation
Page 18: Intrusion Detection Presentation
Page 19: Intrusion Detection Presentation
Page 20: Intrusion Detection Presentation

CONCLUSION

- IDS is an important tool in the Security Hierarchy
- It is mostly outsourced to third-parties
- IDS will be replaced with Intrusion Prevention Systems in the future
- Intrusion Prevention systems prevent attacks in real-time
- Able to decode layer 7 protocols like HTTP, FTP, and SMTP
- An Incident Response Plan is a must

Page 21: Intrusion Detection Presentation

SOURCES

http://en.wikipedia.org/wiki/Intrusion-prevention_system

http://en.wikipedia.org/wiki/Zombie_computer

http://en.wikipedia.org/wiki/Botnet

http://en.wikipedia.org/wiki/Cyber-security_regulation

http://blog.wired.com/27bstroke6/2008/04/zombie-computer.html?nup=1&mbid=yhp

http://en.wikipedia.org/wiki/Intrusion_detection_system

http://en.wikipedia.org/wiki/Malware

Page 22: Intrusion Detection Presentation

SOURCES

http://www.cert.org/tech_tips/WIDC.html#C16

http://www.sans.org/top20/#z1

http://www.nist.org/news.php

http://www.snort.org/

http://www.sans.org/resources/idfaq/

http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf

http://www.pwc.com/extweb/pwcpublications.nsf/docid/114E0DE67DE6965385257341005AED7B/$FILE/PwC_GISS2007.pdf