exam ● on may 15, at 10:30am in this room ● two hour exam ● open notes ● will mostly cover...
Post on 20-Dec-2015
![Page 1: Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early](https://reader034.vdocument.in/reader034/viewer/2022052701/56649d4e5503460f94a2cefb/html5/thumbnails/1.jpg)
Exam
● On May 15, at 10:30am in this room
● Two hour exam
● Open notes
● Will mostly cover material since Exam 2
● No, you may not take it early.
Intrusion Detection
● We have discussed the security "life cycle"
  ● Maintain: keep your system secure and up to date
  ● Detect: detect an attack
  ● Recover: repair damage from the attack and restore the system to working order
Intrusion Detection
● We have spent a lot of time dealing with
  ● Types of attacks
  ● How to help secure systems against attack
● We have spent some time on the issue of backups
  ● The simplest and most cost-effective solution to restoration at your level
● We need to talk about the issue of detecting attacks
Intrusion Detection -- Baselining
● The most important concept in ID is baselining
  ● We need to know what our system looks like ordinarily, so we can notice when something extraordinary has happened
● We do this by making a record of the normal state of our system
  ● Configuration files
  ● Network traffic
  ● Data files
  ● . . .
Defenses
● Last week we divided our defenses into three groups
  ● Network defenses (perimeter defenses)
  ● Host defenses
  ● Data defenses
Defenses
● We will continue our discussion by talking about ways to detect breaches at each of these levels
Network Defenses
● Network defenses protect our LAN from attacks outside our LAN
● Defenses are usually implemented by a boundary router or a personal router providing the following services
  ● Firewall
  ● NAT (hides internal addresses; on its own it is an addressing convenience, not a filtering control, so it does not replace the firewall)
  ● Possibly DHCP
Traffic Analysis
● We typically detect that an intruder has gotten into our local net by doing traffic analysis
  ● We look at the kinds of packets on our net
    ● What protocols or applications generate them
    ● How heavy the traffic on the network is
    ● How much traffic each host generates
    ● Anything else we can grab
  ● We make a record of normal behavior (baselining) and look for unusual activity
Traffic Analysis
● Port scanning
  ● Easy to detect, if carelessly done
  ● Look for someone looking at a lot of ports on the same host
  ● A scan spread out over hours, or across many source addresses, stays under a simple per-source threshold and is much harder to spot
● Increased traffic
  ● Hosts that have been taken over as zombies can generate greater than normal traffic
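Both detections on this and the previous slide, as an added example that is not part of the lecture slides. The flow records and the per-host baseline are constructed; a real deployment would feed them from a firewall log or a NetFlow collector. The scan detector counts distinct destination ports per source/destination pair inside a sliding time window, which is exactly the "carelessly done" case, and the constructed slow scan shows what that rule misses. The volume check compares today's per-host total against a baseline mean and standard deviation, which is the baselining step the previous slide describes.

```python
"""Traffic-analysis detections over summarised flow records.

Added example for this lecture, not the slide author's code. It assumes flows
already summarised as (timestamp, src, dst, dst_port, bytes) tuples, as a
firewall log or NetFlow collector would give you; the records and the per-host
baseline are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: 10.0.0.7 touches 30 ports on 10.0.0.20 within one minute
# (a careless scan); 10.0.0.9 touches 3 ports over 3 hours (a slow scan the
# simple rule will not catch); 10.0.0.5 does ordinary DNS and web traffic.
FLOWS = (
    [(1000 + i, "10.0.0.7", "10.0.0.20", 1 + i, 60) for i in range(30)]
    + [(2000, "10.0.0.5", "10.0.0.1", 53, 120), (2001, "10.0.0.5", "10.0.0.1", 80, 1500)]
    + [(3000 + 3600 * i, "10.0.0.9", "10.0.0.20", 22 + i, 60) for i in range(3)]
)

# Constructed baseline: daily bytes sent per host over five normal days.
BASELINE_DAYS = {
    "10.0.0.5": [1.0e8, 1.2e8, 0.9e8, 1.1e8, 1.0e8],
    "10.0.0.7": [2.0e7, 2.2e7, 1.8e7, 2.1e7, 1.9e7],
}
# Constructed totals for today: 10.0.0.7 is now pushing 20x its usual volume.
TODAY = {"10.0.0.5": 1.05e8, "10.0.0.7": 4.0e8}


def detect_port_scans(flows, min_ports=20, window=60):
    """Return (src, dst, n_ports) for every source that touches at least
    min_ports distinct ports on one destination inside any window of
    `window` seconds. Spreading the probes over hours, or over many source
    addresses, drops below this threshold: that is the 'careless' caveat."""
    per_pair = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for ts, src, dst, port, _ in flows:
        per_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), events in per_pair.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({p for _, p in events[start:end + 1]}))
        if peak >= min_ports:
            alerts.append((src, dst, peak))
    return alerts


def flag_traffic_spikes(today, baseline_days, z=3.0, min_ratio=2.0):
    """Flag hosts whose volume today is more than z standard deviations above
    their baseline mean and at least min_ratio times it; the ratio guard keeps
    a host with a near-constant baseline from alerting on trivial changes.
    A host with no baseline at all is flagged too: a new talker is itself news."""
    alerts = []
    for host, total in today.items():
        history = baseline_days.get(host)
        if not history:
            alerts.append((host, total, "no baseline"))
            continue
        mu, sigma = mean(history), pstdev(history)
        if total > mu + z * sigma and total >= min_ratio * mu:
            alerts.append((host, total, f"{total / mu:.1f}x baseline"))
    return alerts


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FLOWS))  # [('10.0.0.7', '10.0.0.20', 30)]
    print("volume spikes:", flag_traffic_spikes(TODAY, BASELINE_DAYS))  # [('10.0.0.7', 400000000.0, '20.0x baseline')]
```

The thresholds (20 ports in 60 seconds, 3 standard deviations and at least double the mean) are starting points, not constants: tune them against your own baseline, and expect the slow scan in the sample to need a longer window or a per-destination view across all sources before it shows up.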
Traffic Analysis
● Looking for specific kinds of packets
  ● Packets that carry worms can have a signature, similar to the signature of a file that has a virus; this signature can be detected
  ● Sometimes attack packets have header information that can be looked for
● Any unusual activity
  ● Could indicate an attack
  ● Could simply indicate a hardware or software problem
Host Defense
● Host defenses can include
  ● Anti-virus and anti-spam software
  ● Personal firewall
  ● Secure configurations or add-ons to network software
  ● Human factors (to be discussed later)
Host Defenses
● Again, we use baselining
  ● Contents of configuration files
  ● Normal levels of CPU activity (hard to do)
  ● Normally running tasks and processes
Anti-Virus Software
● Looks for "signatures" of viruses in executable files
  ● Alerts the user if signatures are found
  ● This gives evidence of intrusion . . . at some point
● Anti-virus software can also help in recovery
  ● Cleans infected files
Anti-Spyware Software
● Looks for a couple of things
  ● Files associated with known threats
  ● Tasks running that look like threats, or are out of the ordinary
  ● Suspicious changes in configuration information
    ● In Windows, the registry
    ● In OS X, NetInfo (removed in Mac OS X 10.5; later releases keep the same data in Directory Services and in property-list files under /Library/Preferences)
    ● In Linux, the state of configuration files
Anti-Spyware Software
● Anti-spyware software can contribute to recovery
  ● Remove suspicious tasks (stop them from executing)
  ● Quarantine files
  ● Remove or repair configuration changes
    ● Fix the registry
Other Approaches
● Alert on
  ● Attempts to write to the BIOS
    ● Often a parameter that can be set in the BIOS
  ● Root logins
    ● Fair or foul, a root login is an important event
  ● Attempts to write to system areas
    ● Areas where system programs are stored are usually only written to during upgrades or software installations. Writes at other times are suspicious.
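A root-login alert over syslog-style authentication records, as an added example that is not the slide author's code. The log lines are constructed in the format that sshd, su and sudo write to /var/log/auth.log through pam_unix on Debian-style systems; the host name and addresses are made up. It reports the three usual ways root is obtained: a direct ssh login as root, an su or console session opened for root, and a sudo command run as root.

```python
"""Flag root logins in syslog-style auth records.

Added example for this lecture, not the slide author's code. The log lines
are constructed in the format Debian/Ubuntu sshd, su and sudo write to
/var/log/auth.log via pam_unix; the host name and addresses are made up.
"""
import re

# Constructed sample lines: a remote ssh root login, an su to root, an
# ordinary user login, and a sudo command executed as root.
AUTH_LOG = """\
Mar  3 09:12:01 web1 sshd[1234]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Mar  3 09:12:01 web1 sshd[1234]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 09:40:12 web1 su[2345]: (to root) alice on pts/0
Mar  3 09:40:12 web1 su[2345]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar  3 10:02:33 web1 sshd[3456]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:02:33 web1 sshd[3456]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:05:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt upgrade
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
SSH_ACCEPTED = re.compile(
    SYSLOG_PREFIX + r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)"
)
# pam_unix writes "session opened for user root by alice(uid=1000)"; newer
# versions write "for user root(uid=0) by alice(uid=1000)". Both are matched.
PAM_SESSION = re.compile(
    SYSLOG_PREFIX
    + r"(?P<service>\w+)\[\d+\]: pam_unix\(\w+:session\): session opened for user "
    + r"(?P<user>\w+)(?:\(uid=\d+\))? by (?P<by>\S*?)\(uid=(?P<by_uid>\d+)\)"
)
SUDO_CMD = re.compile(
    SYSLOG_PREFIX + r"sudo:\s+(?P<actor>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def find_root_events(log_text):
    """Return (timestamp, kind, who, detail) for every event that yields root:
    an ssh login as root (who = remote address), an su/login session opened
    for root (who = the local user who became root), or a sudo command run
    as root (who = the invoking user, detail = the command)."""
    events = []
    for line in log_text.splitlines():
        m = SSH_ACCEPTED.match(line)
        if m and m["user"] == "root":
            events.append((m["ts"], "ssh-root-login", m["src"], m["method"]))
            continue
        m = PAM_SESSION.match(line)
        if m and m["user"] == "root" and m["service"] != "sshd":
            # sshd root sessions were already reported from the Accepted line.
            events.append((m["ts"], "session-as-root", m["by"] or f"uid={m['by_uid']}", m["service"]))
            continue
        m = SUDO_CMD.match(line)
        if m and m["target"] == "root":
            events.append((m["ts"], "sudo-as-root", m["actor"], m["cmd"]))
    return events


if __name__ == "__main__":
    for event in find_root_events(AUTH_LOG):
        print(*event, sep="\t")
```

The "fair or foul" point on the slide is why the function does not try to decide which events are legitimate: it records all of them, and the operator (or a rule that knows which users and source addresses are expected) judges. A remote password login as root is the one a practitioner would escalate immediately, since most hardening guides disable it outright.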
Other Approaches
● Alert on port scans
  ● Again, easy to detect
ID Host -- Tools
● Most anti-virus vendors provide total security packages that implement most of what I have discussed
● There are freeware packages
  ● Snort – Linux and Windows (a network intrusion detection system: it watches traffic rather than the host's files)
  ● Tripwire – used to be free, now nominal (an open-source version is still maintained, and AIDE is a free alternative that does the same job)
    ● Most Unix systems, including all Linuxes
    ● Not much available for OS X
      ● Ports of some Unix packages
Data Defense
● The principal tool for defending data is encryption
  ● Encryption alone does not detect modification: with a stream or counter-mode cipher, flipping a bit of the ciphertext flips the same bit of the plaintext, and decryption "succeeds" without complaint. Only authenticated encryption (AES-GCM, ChaCha20-Poly1305) or an encrypt-then-MAC construction rejects a modified file.
● We can also use baselining
  ● Only on files that are relatively static
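A worked demonstration of the point above, added here and not taken from the slides. The cipher is a toy XOR stream cipher whose keystream comes from HMAC-SHA256 in counter mode; it stands in for any stream or CTR-mode cipher (AES-CTR is malleable in exactly the same way) and is for illustration only. Keys, nonce and message are constructed. The first half flips one ciphertext byte and decrypts, with no error, to a different but perfectly well-formed plaintext; the second half adds an encrypt-then-MAC tag and rejects the same edit.

```python
"""Why plain encryption does not detect modification, and what does.

Added example for this lecture, not the slide author's code. The cipher is a
toy XOR stream cipher keyed by HMAC-SHA256 in counter mode; it behaves like
any stream/CTR-mode cipher and must not be used for real data. Keys, nonce
and message are constructed.
"""
import hashlib
import hmac


def keystream(key, nonce, length):
    """Deterministic keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def stream_encrypt(key, nonce, data):
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


stream_decrypt = stream_encrypt


def flip_bytes(ciphertext, offset, mask):
    """Attacker's edit: XOR ciphertext bytes without knowing the key. Under a
    stream cipher this XORs the same bytes of the recovered plaintext."""
    edited = bytearray(ciphertext)
    for i, m in enumerate(mask):
        edited[offset + i] ^= m
    return bytes(edited)


def seal(enc_key, mac_key, nonce, data):
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    ct = stream_encrypt(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key, mac_key, nonce, sealed):
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext was modified")
    return stream_decrypt(enc_key, nonce, ct)


def demo():
    """Tamper with the same byte under both schemes; return what each does."""
    enc_key, mac_key, nonce = b"k" * 32, b"m" * 32, b"n" * 12  # constructed
    message = b"PAY 0100 TO BOB"
    # Turn the "0" of 0100 into "9": XOR the byte with ord("0") ^ ord("9").
    mask = bytes([ord("0") ^ ord("9")])

    ct = stream_encrypt(enc_key, nonce, message)
    forged = stream_decrypt(enc_key, nonce, flip_bytes(ct, 4, mask))

    sealed = seal(enc_key, mac_key, nonce, message)
    try:
        open_sealed(enc_key, mac_key, nonce, flip_bytes(sealed, 4, mask))
        detected = False
    except ValueError:
        detected = True
    return forged, detected


if __name__ == "__main__":
    forged, detected = demo()
    print("unauthenticated cipher decrypted to:", forged)  # b'PAY 9100 TO BOB', no error
    print("encrypt-then-MAC rejected the edit:", detected)  # True
```

Two details matter in practice: the tag is checked with `hmac.compare_digest` before any decryption happens, so a forger learns nothing from timing; and the nonce is included under the tag, so an attacker cannot pair a valid ciphertext with a different nonce. Real systems should use a vetted AEAD mode rather than assemble this by hand.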
Baselining Data
● We can store, for static files
  ● Last modification date
  ● Last access date
  ● File size
  ● A digital digest (a cryptographic hash such as SHA-256) or signature of the file
● If any of these change, we know the file has been modified
  ● The dates and size are weak on their own: the access date changes on every read (and many systems no longer record it), and an attacker who can edit the file can also reset its timestamps. The digest is the check that counts, and the stored baseline must itself be kept where the attacker cannot rewrite it.
Candidate Files for Baselining
● Configuration files
  ● Including the hosts file (redirecting to false websites)
  ● Other network configuration files
  ● Files related to the configuration of security software
● Executable files
  ● Parts of the operating system
  ● Frequently used executables
File Baselining
● It's tough to baseline files that are frequently changing
  ● New baselines have to be computed for each modification
  ● The modifier must authenticate himself/herself to the baselining software for each modification
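A minimal file-integrity baseline serving the three slides above (Baselining Data, Candidate Files for Baselining, File Baselining), added here and not the slides' or Tripwire's code. It records size, mtime and a SHA-256 digest for every regular file under a directory, reports files that are new, missing or changed, and accepts a new baseline only for paths the operator explicitly approves. The sample tree (an etc/hosts and an etc/ssh_config) is constructed in a temporary directory; the "attacker" edit puts the file's old mtime back the way `touch -r` would, to show why the digest and not the timestamp is the real check.

```python
"""File-integrity baselining: snapshot, compare, re-baseline.

Added example for this lecture, not the slide author's or Tripwire's code.
The sample tree is constructed in a temporary directory; in practice the
baseline would be stored signed, off the monitored host.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> {size, mtime_ns, sha256} for every regular file.
    Symlinks and special files are skipped rather than followed."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            entries[os.path.relpath(full, root)] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": sha256_file(full),
            }
    return entries


def compare(baseline, current):
    """Return added, missing and changed paths. The digest is authoritative:
    mtime can be reset with touch, so a content change with an unchanged
    mtime is still reported, and called out as a likely attempt to hide it."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = []
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        if old["sha256"] != new["sha256"]:
            reason = "content changed"
            if old["mtime_ns"] == new["mtime_ns"]:
                reason += " (mtime unchanged: possible anti-forensics)"
            changed.append((path, reason))
        elif old["size"] != new["size"] or old["mtime_ns"] != new["mtime_ns"]:
            changed.append((path, "metadata changed, content identical"))
    return {"added": added, "missing": missing, "changed": changed}


def rebaseline(baseline, current, approved):
    """Accept the current state only for paths the operator approves (the
    authentication step on the slide); everything else keeps its old entry,
    so an unapproved change keeps alerting on the next comparison."""
    updated = dict(baseline)
    for path in approved:
        if path in current:
            updated[path] = current[path]
        else:
            updated.pop(path, None)  # approved deletion
    return updated


def demo():
    """Constructed scenario: one hidden edit by an attacker, one approved edit."""
    root = tempfile.mkdtemp(prefix="baseline-")
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        hosts, ssh_config = os.path.join(etc, "hosts"), os.path.join(etc, "ssh_config")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(ssh_config, "w") as f:
            f.write("Port 22\n")
        baseline = snapshot(root)

        # Attacker appends a fake bank entry, then restores the old mtime
        # (the touch -r trick) so a timestamp-only check sees nothing.
        st = os.lstat(hosts)
        with open(hosts, "a") as f:
            f.write("203.0.113.9 bank.example\n")
        os.utime(hosts, ns=(st.st_atime_ns, st.st_mtime_ns))

        # Operator legitimately changes ssh_config and approves that path only.
        with open(ssh_config, "w") as f:
            f.write("Port 2222\n")

        first = compare(baseline, snapshot(root))
        approved = rebaseline(baseline, snapshot(root), approved=["etc/ssh_config"])
        second = compare(approved, snapshot(root))
        return first, second
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    first, second = demo()
    print("first check:", first)                   # hosts and ssh_config changed
    print("after approving ssh_config:", second)   # only hosts still alerts
```

The snapshot itself is what Tripwire and AIDE store in their database; the part these tools add that the example leaves to you is protecting that database (sign it, or keep it on read-only media or another host), because a baseline the attacker can regenerate detects nothing.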
Tools – File Monitoring
● Again, about the same
  ● Security packages from major vendors implement much of this
  ● Tripwire and its replacements and descendants provide these services
  ● Again, Mac OS X uses Unix tools
Recovery
● The critical element of recovery is a plan
  ● Reduces recovery time
  ● Ensures that needed materials are at hand
    ● Backups
    ● Replacement hardware
  ● The process of planning exposes weaknesses
Backups
● As we have discussed, at your level recovery generally means restoring from backups
  ● Unlikely to maintain duplicate equipment or file systems
  ● Unlikely to employ a data warehouse
Recovery
● To restore usefulness to your system you must restore
  ● Operating system
    ● OS CD/DVD and/or system restore disks
  ● Application programs
    ● Original installation disks
    ● Original installation files on removable media
    ● Web site addresses for downloading the programs
Recovery
● Critical data
  ● Documents
    ● Don't forget email folders if stored locally
  ● Bookmarks
    ● Often forgotten in backups
    ● Use Export Bookmarks in your favorite browser
  ● Program configuration information
  ● Personal digital certificates, together with their private keys
    ● Else you will get encrypted emails you can't read
Recovery
● With a simple recovery plan like this you must budget hours or days to get back to full function
● However, it is cheap
● If your needs do not permit that much downtime, you need to look for backup software and hardware that allows you to make complete disk or system images
  ● Whichever you choose, test the restore before you need it: an image you have never restored from is not yet a backup