Network Intrusion - PowerPoint PPT Presentation

1 / 29
About This Presentation
Title:

Network Intrusion

Description:

www.whitehouse.gov was owned by global hell, 5/10/99 ... Thirdly, the intrusion records also provide evidence for legal action against intruders. ... – PowerPoint PPT presentation

Number of Views:95
Avg rating:3.0/5.0
Slides: 30
Provided by: geme6
Category:

less

Transcript and Presenter's Notes

Title: Network Intrusion


1
Network Intrusion And Its Countermeasures Tao
Chen April 2,2002
2
Agenda
  • Danger of Intrusion
  • Intrusion Technique Analysis
  • Network Intrusion Countermeasures
  • Intrusion Detection and Response Technology
  • Proactive Prevention Technology
  • People and Organization Issues
  • Conclusion
  • Q A

3
The Danger of Intrusion
Here are some example of Hacked Web Sites. Lets
guess their correct site names.
4
The Danger of Intrusion
www.whitehouse.gov was owned by global hell,
5/10/99 Source http//www.paybackproductions.com/
hackedsites/whitehouse/
5
The Danger of Intrusion
ABC receives the wrath of ulg united loan gunmen,
8/20/99 Source http//www.paybackproductions.com/
hackedsites/abc/
6
The Danger of Intrusion
International Association for Counterterrorism
and Security Professionals 9/9/99 Source
http//www.paybackproductions.com/hackedsites/iacs
p/
7
The Danger of Intrusion
(Source http//www.nwfusion.com/news/2000/0209att
ack.html)
8
Intrusion Technique Analysis
  • Concepts of Intrusion
  • Intrusion Sources
  • Analysis of Some Intrusion Methodologies

9
Intrusion Technique Analysis
  • Concepts of Intrusion
  • According to Techdictionary.com, intrusion is
    any set of actions that attempt to compromise
    the integrity, confidentiality or availability of
    a resource1 .
  • Computer Security Intrusion is any event of
    unauthorized access or penetration to an
    automated information system 2.

10
Intrusion Technique Analysis
  • Intrusion Sources
  • Outside Intruders
  • They are from outside our network. They may
    attack the external systems, such as web servers
    and e-mail servers. They may also attempt to go
    through firewalls to attack systems inside the
    internal network. Outside intruders may attack
    from the Internet or from business partners
    network that is linked to the businesss private
    network.
  • Inside Intruders
  • They are authorized to use our internal network.
    They can be employees, contractors, part time
    workers, even vendors and consultants. The inside
    intruders may abuse their privileges or use the
    privileges of the other peoples.

11
Intrusion Technique Analysis
  • Analysis of Some Intrusion Techniques
  • Physical Intrusion
  • The most effective and dangerous intrusion method
    is to get the physical access to the system. Once
    intruders can access to a system physically, they
    could be able to use the keyboard of the machine.
    They can even remove data storage subsystem, like
    tape drive or hard disk drive. Or the intruders
    can put some device to collect information from
    the system, such as network sniffers.
  • Network Intrusion
  • Network Intrusion is the most common intrusion
    method on the Internet. Intruders attempt to
    compromise the security mechanism of a system and
    access the information in the system over the
    network.

12
Intrusion Technique Analysis
  • Analysis of Some Intrusion Techniques
  • Network Intrusion
  • Port Scan
  • A port scan is a series of messages sent by
    someone attempting to break into a computer to
    learn which computer network services, each
    associated with a "well-known" port number, the
    computer provides3. Network intruders often
    use port scans to know targets and find out the
    opening ports and related services to the ports.
    It is one of the most common techniques used by
    intruders to exploit potential problems and
    weaknesses of the target system.
  • Special Codes
  • The intruder can create some malicious programs
    to invade a system without compromise the
    security mechanism of the system.
  • Examples are Logical Bomb, Worm,
    Backdoor,Virus,Trojan Horse

13
Intrusion Technique Analysis
  • Analysis of Some Intrusion Techniques
  • Network Intrusion
  • Software bugs
  • A software bug is an error or defect in software
    that causes a program to malfunction4. Network
    intruders can use these bugs to invade a computer
    system.
  • Improper System Configuration
  • Most systems have configuration setup defined by
    vendors. These default configurations may have
    many unnecessary services and features installed
    on the system. If system administrators do not
    change these default configurations to remove the
    unnecessary accounts and services, intruders may
    use these default configurations and service to
    invade the system.

14
Intrusion Technique Analysis
  • Analysis of Some Intrusion Techniques
  • Network Intrusion
  • Crack Password
  • Intruders may look for default password, weak
    password and unencrypted password. If intruders
    cannot find these passwords in a system, they may
    use password-cracking utilities to decrypt the
    encrypted passwords.
  • Sniff unsecured traffic
  • Packet sniffing is a technology to intercept and
    copy data packets sent through a shared network
    medium, like Ethernet and Internet. If intruders
    could install sniffers on a network, they can see
    the network traffic from everyone. If the network
    traffic is not encrypted, the intruders would be
    see everyones information.

15
Intrusion Technique Analysis
  • Analysis of Some Intrusion Techniques
  • Network Intrusion
  • Attack Server Side Script
  • CGI scripts can be another security hole.
    Scanning a website for CGI programs is almost as
    popular as port scanning. A broad-spectrum
    scanner is used to enumerate through hundreds of
    CGI programs that have known vulnerabilities in
    them. If a vulnerable CGI program is found, then
    it will be exploited in order to break into a
    server5
  • IP Spoofing
  • Spoofing is the creation of TCP/IP packets using
    somebody else's IP address6. By using other
    computers IP address or making an non-existing
    IP address as source IP address, an intruder may
    make the IP package look like sent from another
    location than its real original location. In this
    way, intruders may make themselves invisible
    because the false source IP address make it
    difficult to trace back intruders.

16
Intrusion Technique Analysis
  • What do hackers do after intrusion?
  • Remove log
  • Intruders will remove all the system logs that
    recorded their actions on the system so that the
    system administrator can not detect the
    intrusion.
  • Install Sniffer
  • They will install the sniffer on servers or
    networking devices to collect network traffic to
    get further data and information.
  • Install Trojan horse
  • They will also install Trojan horse software so
    that they can easily access and remote control
    the system later.
  • Do other harmful things
  • They also may do other harmful things to the
    system, like removing data, modifying data,
    install computer viruses or stealing information.

17
Network Intrusion Countermeasures
Intrusion Detection And Response Technology
Proactive Prevention Technology
Integrated Network Intrusion Countermeasure
Solution
People and Organization Issues
There are three main components that are involved
in intrusion countermeasures. First, intrusion
detection technology is used to detect intrusion
attempts and existing intrusion. Second,
proactive prevention technology can be implement
to reduce the chance of being intruded. Third,
people and organization are critical in
successful intrusion response. Any advanced
technology will be useless if people and
organization do not pay attention to information
system security issues. Therefore, an Integrated
Network Intrusion Countermeasure Solution is
proposed in order to increase the chance of
successful intrusion response.
18
Network Intrusion Countermeasures
  • Intrusion Detection and Response Technology
  • Signature recognition
  • The idea of signature recognition is as
    following Misuse intrusions are attacks on
    known weak points of a system. An IDS looks for
    this type of attack by comparing network traffic
    with signatures of known attacks.7 In order
    to detect intrusion, the signature recognition
    technology needs to develop a variety of patterns
    of different attacks. It just likes antivirus
    software that detects certain patterns or
    signatures in files to discover computer virus.
  • Anomaly detection
  • Anomaly detection techniques assume that all
    intrusive activities are necessarily anomalous.
    This means that if we could establish a normal
    activity profile for a system, we could, in
    theory, flag all system states varying from the
    established profile by statistically significant
    amounts as intrusion attempts.8
  • The anomaly detection technology tracks network
    activity to make difference between normal
    activities and abnormal activities.

19
Network Intrusion Countermeasures
  • Detection and Response Technology
  • Securing system logs
  • After breaking into a system, an intruder usually
    changes system log to remove the intrusion
    attempts and intrusion activities. One of the
    methods to protect system log is to use a remote
    dedicate log server which is protected by
    firewall and only has logging function with all
    other services closed9. Thus, a secure and
    clean system log can be used to analyze intrusion
    activities
  • Regular System Check
  • Regular system check is an effective way to find
    out intrusion attempts and intrusion activities.
    Some examples are
  • Check system log files
  • Check System Binaries
  • Check for packet sniffers
  • Check for unauthorized services
  • Check for unusual hidden files

20
Network Intrusion Countermeasures
  • Detection and Response Technology
  • File Integrity Check
  • It checks whether important system files have
    been modified, removed or deleted.
  • Example GFI Software LANguard File Integrity
    Checker

21
Network Intrusion Countermeasures
  • Detection and Response Technology
  • Common methods used to response to network
    intrusions
  • Isolate the intruded system and service
  • Install latest patches to the system
  • Keep Record of Intrusion
  • Records indicate the vulnerabilities in the
    system and help system administrators to correct
    these errors and holes. They also provide hint to
    response to new intrusions because system
    administrators can learn from previous solutions.
    Thirdly, the intrusion records also provide
    evidence for legal action against intruders.
  • Trace to the source of the attack
  • Example SHARP Technologys Hack Tracer 1.2
  • Demo http//www.sharptechnology.com/bh-cons.htm

22
Network Intrusion Countermeasures
  • Proactive Prevention Technology
  • The main idea is to fix system errors and holes
    proactively and implement technologies to improve
    the security level of the system.
  • Port scanning
  • System administrator can use port scanning to
    find out security holes and weaknesses in the
    system and then fix them.
  • Example GFI Software LANGuard Network Scanner

23
Network Intrusion Countermeasures
Example GFI Software LANGuard Network Scanner
24
Network Intrusion Countermeasures
  • Proactive Prevention Technology
  • Firewall
  • Honeypots10
  • Honeypots are programs that simulate one or more
    network services on your computer's ports. An
    attacker assumes you're running vulnerable
    services that can be used to break into the
    machine.
  • Log access attempts to those ports including the
    attacker's keystrokes.
  • Provide warning of a future attack.
  • Run on well-know servers, such as Web, mail, or
    DNS servers.

25
Network Intrusion Countermeasures
  • Proactive Prevention Technology
  • Authentication
  • Authorization
  • Encryption
  • VPN

26
Network Intrusion Countermeasures
  • People and Organization Issues
  • Management Support
  • Management Team should understand how important
    system security is to a successful business and
    how much it would cost if the system is broken in
    and important business data are lost. Their
    support could help allocate more resources to
    system security and intrusion responses.
  • Policies and Procedures 11
  • Policies and supporting procedures help people
    better prepare for the intrusions and give them
    the ability to response to the intrusion
    effectively. With predefined policies and
    procedures, people can know what they should do
    before, during and after the intrusion.
  • Technical Training
  • IT department and end users neec to get enough
    knowledge of intrusion detection and intrusion
    responses technology.

27
Conclusion
  • Network Intrusion is a threaten to online
    business.
  • A integrated solution is proposed.

Intrusion Detection And Response Technology
Proactive Prevention Technology
Integrated Network Intrusion Countermeasure
Solution
People and Organization Issues
28
Thank you!
29
Reference 1 Techdictionary.com, Search By
Term Intrusion 2 Techdictionary.com, Search
By Term Intrusion 3 URL http//whatis.techtar
get.com/definition/0,289893,sid9_gci214054,00.html
4 http//www.pcwebopedia.com/TERM/b/bug.html 5
http//www.networkice.com/Advice/Underground/Hac
king/Methods/Technical/CGI/default.htm 6
http//www.networkice.com/Advice/Underground/Hacki
ng/Methods/Technical/Spoofing/default.htm 7
http//www.messageq.com/security/meinel_2.html
8 http//www.acm.org/crossroads/xrds2-4/intrus.
html 9 http//project.honeynet.org/papers/enemy2
/ 10 http//www.sans.org/newlook/resources/IDFA
Q/honeypot.htm 11 http//www.cert.org/security-
improvement/practices/p044.html
Write a Comment
User Comments (0)
About PowerShow.com