
1 Exam
● On May 15, at 10:30am in this room
● Two hour exam
● Open notes
● Will mostly cover material since Exam 2
● No, you may not take it early.

2 Intrusion Detection
● We have discussed the security “Life Cycle”
  ○ Maintain
    ▪ Keep your system secure and up to date
  ○ Detect
    ▪ Detect an attack
  ○ Recover
    ▪ Repair damage from the attack and restore the system to working order

3 Intrusion Detection
● We have spent a lot of time dealing with
  ○ Types of attacks
  ○ How to help secure systems against attack
● We have spent some time on the issue of backups
  ○ The simplest and most cost-effective solution to restoration at your level
● We need to talk about the issue of detecting attacks

4 Intrusion Detection -- Baselining
● The most important concept in ID is baselining
  ○ We need to know what our system looks like ordinarily, so we can notice when something extraordinary has happened
● We do this by making a record of the normal state of our system
  ○ Configuration files
  ○ Network traffic
  ○ Data files...

5 Defenses
● Last week we divided our defenses into three groups
  ○ Network defenses – perimeter defenses
  ○ Host defenses
  ○ Data defenses

6 Defenses
● We will continue our discussion by talking about ways to detect breaches on these various levels

7 Network Defenses
● Network defenses
  ○ Protect our LAN from attacks outside our LAN
  ○ Defenses are usually implemented by a boundary router or a personal router providing the following services
    ▪ Firewall
    ▪ NAT
    ▪ Possibly DHCP

8 Traffic Analysis
● We typically detect that an intruder has gotten into our local net by doing traffic analysis
  ○ We look at the kinds of packets on our net
    ▪ What protocols or applications generate them
    ▪ How heavy the traffic on the network is
    ▪ How much traffic each host generates
    ▪ Anything else we can grab
  ○ We make a record of normal behavior (baselining) and we look for unusual activity

9 Traffic Analysis
● Port scanning
  ○ Easy to detect, if carelessly done
  ○ Look for someone looking at a lot of ports on the same host
● Increased traffic
  ○ Hosts that have been taken over as zombies can generate greater than normal traffic
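The two checks on slides 8 and 9 (many distinct ports from one source against one host, and a host sending far more than its baselined volume) as an added example; this is not code from the slides. The connection-log format, the addresses, the per-host byte baseline and the thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed connection-log lines (not real captures): time src dst dport bytes
LOG = """\
09:00:01 10.0.0.5 10.0.0.20 80 1200
09:00:02 10.0.0.5 10.0.0.20 443 5400
09:00:03 10.0.0.7 10.0.0.20 22 300
09:00:03 10.0.0.7 10.0.0.20 23 60
09:00:03 10.0.0.7 10.0.0.20 25 60
09:00:04 10.0.0.7 10.0.0.20 80 60
09:00:04 10.0.0.7 10.0.0.20 110 60
09:00:04 10.0.0.7 10.0.0.20 143 60
09:00:05 10.0.0.7 10.0.0.20 445 60
09:00:05 10.0.0.7 10.0.0.20 3389 60
09:00:06 10.0.0.9 10.0.0.20 80 900000
09:00:07 10.0.0.9 10.0.0.21 80 850000
"""

# Baseline (constructed): bytes each host normally sends during this interval.
BASELINE_BYTES = {"10.0.0.5": 8000, "10.0.0.7": 2000, "10.0.0.9": 50000}

def parse(text):
    """Turn the log lines into records with typed fields."""
    recs = []
    for line in text.splitlines():
        t, src, dst, dport, nbytes = line.split()
        recs.append({"time": t, "src": src, "dst": dst,
                     "dport": int(dport), "bytes": int(nbytes)})
    return recs

def port_scan_sources(recs, min_ports=6):
    """Slide 9: one source touching many distinct ports on the same host.
    Returns (src, dst, distinct_port_count) for each pair over the threshold."""
    ports = defaultdict(set)
    for r in recs:
        ports[(r["src"], r["dst"])].add(r["dport"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= min_ports)

def traffic_anomalies(recs, baseline, factor=5.0):
    """Slides 8-9: hosts sending more than `factor` times their baselined volume.
    A host absent from the baseline has baseline 0, so any traffic from it is flagged."""
    sent = defaultdict(int)
    for r in recs:
        sent[r["src"]] += r["bytes"]
    return sorted((h, b, baseline.get(h, 0)) for h, b in sent.items()
                  if b > factor * baseline.get(h, 0))
```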

10 Traffic Analysis
● Looking for specific kinds of packets
  ○ Packets that carry worms can have a signature
    ▪ Similar to the signature of a file that has a virus
  ○ This signature can be detected
  ○ Sometimes attack packets have header information that can be looked for
● Any unusual activity
  ○ Could indicate an attack
  ○ Could simply indicate a hardware or software problem

11 Host Defense
● Host defenses can include
  ○ Anti-virus and anti-spam software
  ○ Personal firewall
  ○ Secure configurations or add-ons to network software
  ○ Human factors (to be discussed later)

12 Host Defenses
● Again, we use baselining
  ○ Contents of configuration files
  ○ Normal levels of CPU activity
    ▪ Hard to do
  ○ Normally running tasks and processes

13 Anti-Virus Software
● Looks for “signatures” of viruses in executable files
  ○ Alerts the user if signatures are found
  ○ This gives evidence of intrusion... at some point
● Anti-virus software can also help in recovery
  ○ Cleans infected files

14 Anti-Spyware Software
● Looks for a couple of things
  ○ Files associated with known threats
  ○ Tasks running that look like threats
    ▪ Out of the ordinary
  ○ Suspicious changes in configuration information
    ▪ In Windows, the registry
    ▪ In OS X, NetInfo
    ▪ In Linux, the state of configuration files

15 Anti-Spyware Software
● Anti-spyware software can contribute to recovery
  ○ Remove suspicious tasks (stop them from executing)
  ○ Quarantine files
  ○ Remove or repair configuration changes
    ▪ Fix the registry

16 Other Approaches
● Alert on
  ○ Attempts to write to the BIOS
    ▪ Often a parameter that can be set in the BIOS
  ○ Root logins
    ▪ Fair or foul, a root login is an important event
  ○ Attempts to write to system areas
    ▪ Areas where system programs are stored are usually only written to during upgrades or software installations. Writes at other times are suspicious.

17 Other Approaches
● Alert on
  ○ Port scans
    ▪ Again, easy to detect

18 ID Host -- Tools
● Most anti-virus vendors provide total security packages that implement most of what I have discussed
● There are freeware packages
  ○ Snort – Linux and Windows
  ○ Tripwire – used to be free, now nominal
    ▪ Most Unix systems, including all Linuxes
  ○ Not much available for OS X
    ▪ Ports of some Unix packages

19 Data Defense
● The principal tool for defending data is encryption
  ○ Also detects modification of data
  ○ An encrypted file that is modified cannot be completely decrypted
● We can also use baselining
  ○ Only on files that are relatively static

20 Baselining Data
● We can store, for static files:
  ○ Last modification date
  ○ Last access date
  ○ File size
  ○ A digital digest, or signature, of the file
● If any of these change, we know the file has been modified

21 Candidate Files for Baselining
● Configuration files
  ○ Including the hosts file (redirecting to false websites)
  ○ Other network configuration files
  ○ Files related to the configuration of security software
● Executable files
  ○ Parts of the operating system
  ○ Frequently used executables

22 File Baselining
● It's tough to baseline files that are frequently changing
  ○ New baselines have to be computed for each modification
  ○ The modifier must authenticate himself/herself to the baselining software for each modification
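File baselining as slides 20 to 22 describe it, written as an added example rather than code from the slides or from Tripwire: record size, modification time and a digest for each static file, then compare. The temp directory, file names and contents are constructed; SHA-256 is the digest chosen here. Last access time is left out of the fingerprint because reading a file to digest it updates that time.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Attributes slide 20 lists for a static file: size, last modification
    time (nanoseconds) and a digest of the contents (SHA-256 chosen here)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}

def baseline(paths):
    """Record the normal state of the listed (static) files."""
    return {p: fingerprint(p) for p in paths}

def check(base):
    """Return {path: [changed attributes]}; deleted files are reported as 'missing'."""
    findings = {}
    for path, expected in base.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        current = fingerprint(path)
        changed = [k for k in expected if current[k] != expected[k]]
        if changed:
            findings[path] = changed
    return findings

def demo():
    """Constructed scenario in a temp dir: the hosts file is rewritten to the
    same length with its timestamp put back, and a config file is deleted."""
    d = tempfile.mkdtemp()
    hosts, conf = os.path.join(d, "hosts"), os.path.join(d, "app.conf")
    with open(hosts, "w") as f:
        f.write("127.0.0.1 localhost\n")
    with open(conf, "w") as f:
        f.write("debug=0\n")
    base = baseline([hosts, conf])
    st = os.stat(hosts)
    with open(hosts, "w") as f:
        f.write("10.0.0.99 localhost\n")        # same size as the original
    os.utime(hosts, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp restored
    os.remove(conf)
    # Size and mtime of the hosts file look normal; only the digest catches it.
    return {os.path.basename(k): v for k, v in check(base).items()}

if __name__ == "__main__":
    print(demo())
```

The digest is the attribute that matters: size and timestamps can be preserved by whoever changes the file, so a baseline that stores only those two would report nothing here.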

23 Tools – File Monitoring
● Again, about the same
  ○ Security packages from major vendors implement much of this
  ○ Tripwire and its replacements and descendants provide these services
  ○ Again, Mac OS X uses Unix tools

24 Recovery
● The critical element of recovery is a plan
  ○ Reduces recovery time
  ○ Ensures that needed materials are at hand
    ▪ Backups
    ▪ Replacement hardware
  ○ The process of planning exposes weaknesses

25 Backups
● As we have discussed, at your level recovery generally means restoring from backups
  ○ Unlikely to maintain duplicate equipment or file systems
  ○ Unlikely to employ a data warehouse

26 Recovery
● To restore usefulness to your system you must restore
  ○ Operating system
    ▪ OS CD/DVD and/or system restore disks
  ○ Application programs
    ▪ Original installation disks
    ▪ Original installation files on removable media
    ▪ Web site addresses for downloading the programs

27 Recovery
● Critical data
  ○ Documents
    ▪ Don't forget email folders if stored locally
  ○ Bookmarks
    ▪ Often forgotten in backups
    ▪ Use Export Bookmarks in your favorite browser
  ○ Program configuration information
  ○ Personal digital certificates
    ▪ Else you will get encrypted emails you can't read

28 Recovery
● With a simple recovery plan like this you must budget hours or days to get back to full function
● However, it is cheap.
● If your needs do not permit that much downtime, you need to look for backup software and hardware that allows you to make complete disk or system images.

