Intrusion Detection Presentation
DESCRIPTION
Audit issues and points in auditing Intrusion Detection Systems.
TRANSCRIPT
IT AUDIT
INTRUSION DETECTION SYSTEMS
MUSTAFA SHAH
INTRODUCTION
INTRUSION DETECTION
Process of monitoring events occurring in a computer system or network and analyzing them for signs of intrusions
Intrusions are attempts to compromise the Confidentiality, Integrity, Availability, and Control of a computer network
OVERVIEW
Intrusion detection allows organizations to protect their systems from threats that come from increasing network connectivity and information systems
ID is an important part of the Security Infrastructure:
Firewalls
Password Authentication
Encryption
Anti-virus software
Incident response plan
TYPES
Network-Based Intrusion Detection:
Monitors traffic on the network
Examines packets as they pass by a sensor
Packets are examined if they match a signature
String signature
Port signature
Header signature

Port     State  Service
104/tcp  open   acr-nema
655/tcp  open   unknown
658/tcp  open   unknown
670/tcp  open   unknown
723/tcp  open   unknown
725/tcp  open   unknown
727/tcp  open   unknown
728/tcp  open   unknown
TYPES
Host-Based IDS:
Works by intercepting operating system and application calls on an individual host
Checks the integrity of system files
Watches for suspicious processes
METHODS
Knowledge-Based:
Applies knowledge about specific attacks and system vulnerabilities
Contains information about these vulnerabilities
An alarm is triggered when an attempt is detected
Completeness depends on regular update of knowledge about attack methods
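The network-based TYPES slide and the Knowledge-Based METHODS slide describe the same mechanism: a sensor holds a list of signatures (string, port, header) and raises an alarm when a packet matches one. The following is an added example, not code from the presentation or from Snort, showing the three signature kinds against a handful of constructed packets. The packet structure, the rule list and the traffic are all assumptions made for illustration; a real sensor would decode captured frames and carry a far larger, regularly updated rule set, which is the "completeness" point the slide makes.

```python
"""Toy knowledge-based (signature) detector covering the three signature
kinds on the TYPES slide: string, port and header signatures.
Added example: packets, rules and traffic are constructed, not Snort's."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"SYN"}
    payload: bytes = b""


# Knowledge base: each entry names the attack pattern it encodes and how to
# match it. Detection is only as complete as this list is up to date.
SIGNATURES = [
    {"name": "directory traversal in request", "kind": "string", "match": b"../"},
    {"name": "shell metacharacter in request", "kind": "string", "match": b"|"},
    {"name": "connection to Telnet service", "kind": "port", "match": 23},
    {"name": "connection to TFTP", "kind": "port", "match": 69},
    # Header signature: SYN and FIN never legitimately appear together.
    {"name": "SYN/FIN scan probe", "kind": "header", "match": {"SYN", "FIN"}},
    # Header signature: a segment carrying no flags at all ("null" probe).
    {"name": "null-flag probe", "kind": "header", "match": set()},
]


def match_signature(pkt, sig):
    """String signatures look inside the payload, port signatures at the
    destination port, header signatures at the exact TCP flag set."""
    if sig["kind"] == "string":
        return sig["match"] in pkt.payload
    if sig["kind"] == "port":
        return pkt.dport == sig["match"]
    if sig["kind"] == "header":
        return pkt.flags == sig["match"]
    raise ValueError(f"unknown signature kind {sig['kind']!r}")


def inspect(packets, signatures=SIGNATURES):
    """Return one alarm tuple (src, dst, dport, signature name) per hit."""
    alarms = []
    for pkt in packets:
        for sig in signatures:
            if match_signature(pkt, sig):
                alarms.append((pkt.src, pkt.dst, pkt.dport, sig["name"]))
    return alarms


# Constructed sample traffic: one benign request, then four hits.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", 80, {"ACK", "PSH"}, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.80", 80, {"ACK", "PSH"}, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.80", 23, {"SYN"}),
    Packet("10.0.0.9", "10.0.0.80", 655, {"SYN", "FIN"}),
    Packet("10.0.0.9", "10.0.0.80", 658, set()),
]

if __name__ == "__main__":
    for alarm in inspect(SAMPLE_TRAFFIC):
        print(alarm)
```

The benign request produces no alarm; the other four packets each trip exactly one rule. Note that a string signature matches on bytes it can see, so encoded or encrypted payloads slip past it, which is one reason the CONCLUSION slide values products that decode application-layer protocols.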
METHODS
Behavior-Based:
Intrusion can be detected by observing a deviation from normal behavior
Maintain a model of expected behavior and compare activities against this model
An alarm is generated when a deviation is observed
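To make the behavior-based method concrete, here is an added example (not from the presentation) that learns a model of expected behavior per host, the number of distinct destination ports it contacts per observation window, from a few constructed training windows, and then raises an alarm when a host deviates from that model or was never seen at all. The traffic records, the three-sigma threshold and the per-host metric are assumptions chosen for illustration; the port sweep in the current window reuses the ports listed on the TYPES slide.

```python
"""Toy behaviour-based detector: build a model of normal per-host activity
(distinct destination ports per window), then flag deviations from it.
Added example; all traffic records are constructed, not real captures."""
from collections import defaultdict
from statistics import mean, stdev


def distinct_ports_per_host(records):
    """records: (src, dport) pairs from one observation window."""
    ports = defaultdict(set)
    for src, dport in records:
        ports[src].add(dport)
    return {src: len(p) for src, p in ports.items()}


def build_model(training_windows):
    """Expected behaviour per host: mean and stddev of distinct ports per
    window. A host absent from a window counts as 0 for that window."""
    hosts = {src for w in training_windows for src, _ in w}
    history = defaultdict(list)
    for w in training_windows:
        counts = distinct_ports_per_host(w)
        for h in hosts:
            history[h].append(counts.get(h, 0))
    model = {}
    for h, xs in history.items():
        sd = stdev(xs) if len(xs) > 1 else 0.0
        model[h] = (mean(xs), sd)
    return model


def detect_deviations(model, window, threshold=3.0, min_sigma=1.0):
    """Alarm when a host's count exceeds mean + threshold * sigma.
    min_sigma keeps a perfectly flat baseline from alarming on any change;
    hosts never seen in training are alarmed as unknown."""
    alarms = []
    for src, count in distinct_ports_per_host(window).items():
        if src not in model:
            alarms.append((src, count, "unknown host"))
            continue
        mu, sd = model[src]
        limit = mu + threshold * max(sd, min_sigma)
        if count > limit:
            alarms.append((src, count, f"expected about {mu:.1f}"))
    return alarms


# Constructed training data: each window is one minute of (src, dport) pairs.
TRAINING = [
    [("10.0.0.5", 80), ("10.0.0.5", 443), ("10.0.0.9", 25)],
    [("10.0.0.5", 80), ("10.0.0.5", 443), ("10.0.0.5", 53), ("10.0.0.9", 25)],
    [("10.0.0.5", 80), ("10.0.0.9", 25), ("10.0.0.9", 53)],
    [("10.0.0.5", 443), ("10.0.0.5", 80), ("10.0.0.9", 25)],
]

# Constructed current window: 10.0.0.9 sweeps the ports from the TYPES slide
# and a host never seen before appears.
CURRENT = (
    [("10.0.0.5", 80), ("10.0.0.5", 443)]
    + [("10.0.0.9", p) for p in (104, 655, 658, 670, 723, 725, 727, 728)]
    + [("10.0.0.77", 22)]
)

if __name__ == "__main__":
    model = build_model(TRAINING)
    for alarm in detect_deviations(model, CURRENT):
        print(alarm)
```

In the sample, 10.0.0.5 stays within its baseline, 10.0.0.9 jumps from about one port per window to eight and is flagged, and 10.0.0.77 is flagged simply because the model has no expectation for it. The weakness the slide implies is visible here too: the model is only as good as the training windows, so activity that was already present during training is learned as "normal".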
DEPLOYMENT
Behind each external Firewall in the network DMZ
Outside an external Firewall
On major backbones
On critical subnets
RISK
Network Security is a crucial component of every company
Loss of business
Loss of intellectual property
Loss of Reputation
Stock price
Loss of third-party confidence
Legal implications
HIPAA 1996
Gramm-Leach-Bliley Act 1999
Homeland Security Act 2002
State Laws
Homeland Security Secretary Michael Chertoff speaks about computer security at the RSA Conference on information security in San Francisco, Tuesday, April 8, 2008. AP Photo/Paul Sakuma
Zombie Computers Decried As Imminent National Threat
ATTACK TYPES
Scanning attacks
Denial of Service
Penetration attacks
User to Root
Remote to User
Authorized User
Public User
MALWARE
Infectious:
Viruses
Worms
For Profit:
Spyware
Adware
Botnets
Keystroke loggers
AUDIT CHECKLIST
Proactive Auditing and monitoring are essential
STEPS
Examine Log Files
Look for Unauthorized User Rights
Look for Unusual or Hidden Files
Check for Changes in Computer or User Policies
Check for Odd User Accounts
Check for Altered Permissions on Files or Registry Keys
Audit for Intrusion Detection
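Several of the STEPS above can be turned into repeatable checks rather than a manual walk-through. The following is an added example, not part of the presentation, that implements four of them over constructed input: examining an authentication log for repeated failed logins, looking for odd user accounts in passwd-style records, looking for hidden files in locations where they do not belong, and checking for altered permissions (world-writable files and setuid binaries not on an approved baseline). The approved-account and approved-setuid lists, the log format, the file listing and the thresholds are all assumptions; an auditor would substitute the organization's own baselines.

```python
"""Worked checks for four AUDIT CHECKLIST steps: examine log files, check
for odd user accounts, look for hidden files, check for altered permissions.
Added example with constructed inputs; the approved lists are assumptions."""
import re
from collections import Counter

APPROVED_UID0 = {"root"}                                 # assumed baseline
APPROVED_SETUID = {"/usr/bin/passwd", "/usr/bin/sudo"}   # assumed baseline


def odd_accounts(passwd_lines, approved_uid0=APPROVED_UID0):
    """Flag UID 0 accounts outside the approved set, and accounts with an
    interactive shell whose home is not under /home or /root."""
    findings = []
    for line in passwd_lines:
        name, _, uid, _, _, home, shell = line.split(":")
        if uid == "0" and name not in approved_uid0:
            findings.append((name, "extra UID 0 account"))
        elif shell.endswith("sh") and not home.startswith(("/home/", "/root")):
            findings.append((name, f"interactive shell with home {home}"))
    return findings


def suspicious_files(listing, approved_setuid=APPROVED_SETUID):
    """listing: (path, octal mode string) pairs. Flags hidden entries under
    temp/device directories, world-writable files outside /tmp, and setuid
    binaries missing from the approved baseline."""
    findings = []
    for path, mode in listing:
        bits = int(mode, 8)
        base = path.rsplit("/", 1)[-1]
        if base.startswith(".") and path.startswith(("/tmp/", "/var/tmp/", "/dev/")):
            findings.append((path, "hidden file in unusual location"))
        if bits & 0o002 and not path.startswith("/tmp/"):
            findings.append((path, "world-writable"))
        if bits & 0o4000 and path not in approved_setuid:
            findings.append((path, "unexpected setuid"))
    return findings


FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def failed_logins_by_source(log_lines, threshold=3):
    """Sources with at least `threshold` failed logins in the examined log."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(2)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# --- constructed sample input, not taken from any real system ------------
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "toor:x:0:0::/tmp:/bin/sh",
    "svc:x:1001:1001::/var/lib/svc:/bin/bash",
]
FILES = [
    ("/usr/bin/passwd", "4755"),
    ("/usr/bin/sudo", "4755"),
    ("/usr/local/bin/helper", "4755"),
    ("/etc/hosts", "0666"),
    ("/tmp/.hidden", "0755"),
    ("/dev/.cache", "0644"),
    ("/home/alice/.bashrc", "0644"),
]
AUTHLOG = [
    "Apr  8 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2",
    "Apr  8 10:01:05 host sshd[1234]: Failed password for root from 203.0.113.7 port 4023 ssh2",
    "Apr  8 10:01:09 host sshd[1234]: Failed password for root from 203.0.113.7 port 4024 ssh2",
    "Apr  8 10:02:00 host sshd[1240]: Accepted password for alice from 192.0.2.5 port 50122 ssh2",
    "Apr  8 10:03:11 host sshd[1241]: Failed password for alice from 192.0.2.5 port 50123 ssh2",
]

if __name__ == "__main__":
    print("accounts:", odd_accounts(PASSWD))
    print("files:", suspicious_files(FILES))
    print("failed logins:", failed_logins_by_source(AUTHLOG))
```

Each function returns findings rather than printing them, so the same checks can feed a report or a ticketing workflow. The point for the auditor is that every finding is compared against an explicit, version-controlled baseline (approved UID 0 accounts, approved setuid binaries); a check without a recorded baseline cannot tell "altered" from "always been that way".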
AREAS
Security policies, guidelines, and procedures
Security awareness programs
Software-based (Logical) Access controls including:
Change control
Data and program access
Audit trails
Access control software
Authentication procedures
Hiring Policy for Network Administrators
SURVEY
CONCLUSION
IDS is an important tool in the Security Hierarchy
It is mostly outsourced to third-parties
IDS will be replaced with Intrusion Prevention Systems in the future
IP systems prevent attacks in real-time
Able to decode layer 7 protocols like HTTP, FTP, and SMTP
An Incident Response Plan is a must
SOURCES
http://en.wikipedia.org/wiki/Intrusion-prevention_system
http://en.wikipedia.org/wiki/Zombie_computer
http://en.wikipedia.org/wiki/Botnet
http://en.wikipedia.org/wiki/Cyber-security_regulation
http://blog.wired.com/27bstroke6/2008/04/zombie-computer.html?nup=1&mbid=yhp
http://en.wikipedia.org/wiki/Intrusion_detection_system
http://en.wikipedia.org/wiki/Malware
http://www.cert.org/tech_tips/WIDC.html#C16
http://www.sans.org/top20/#z1
http://www.nist.org/news.php
http://www.snort.org/
http://www.sans.org/resources/idfaq/
http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf
http://www.pwc.com/extweb/pwcpublications.nsf/docid/114E0DE67DE6965385257341005AED7B/$FILE/PwC_GISS2007.pdf