Intrusion Detection Systems


Methods of Attack
NJ-CISSP
Attack
An assault on system security that
derives from an intelligent threat, i.e.,
an intelligent act that is a deliberate
attempt (especially in the sense of a
method or technique) to evade security
services and violate the security policy
of a system.
RFC 2828, May 2000
Attacks Target Secure Computing Properties
Confidentiality
The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Integrity
The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.
Availability
The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them.
Attack Phases
PHASE 1 - INFORMATION GATHERING
First phase tools (ping sweeps, port scans, social engineering)
PHASE 2 - GAINING ACCESS
Second phase techniques (exploit of software bugs, buffer overflow exploit, FTP bugs)
PHASE 3 - DENYING SERVICES
Third phase attacks (SYN flood, Ping of Death, Teardrop attack)
PHASE 4 - EVADE DETECTION
Brute Force
A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one by one. For example, for ciphertext where the analyst already knows the decryption algorithm, a brute force technique for finding the original plaintext is to decrypt the message with every possible key.
Brute Force
Passwords
- More successful against weak passwords
Encryption - DES
- Obtain a sample plaintext-ciphertext pair
- Test each possible key in turn
- Would take thousands of years, unless done in parallel (20 hours by 1990)
POP service (port 110) success
- Did not have their login failures logged
The key to a successful brute force attack is to select a target that has a high degree of success and a small chance of being logged.
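The slide's lesson is that unlogged login failures make a brute force attempt invisible; the detector below, added here as an illustration and not part of the original presentation, shows what a monitor can do once the failures are logged. It runs over a constructed POP3 login log in a hypothetical syslog-like format (no real mail server emits exactly these lines), flags any source with a burst of failures inside a sliding window, and escalates the alert when the same source then logs in successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed POP3 login log in a hypothetical syslog-like format (no real server emits this).
SAMPLE_LOG = """\
2024-03-01T10:00:01 pop3d: LOGIN FAILED user=alice ip=203.0.113.5
2024-03-01T10:00:02 pop3d: LOGIN FAILED user=bob ip=203.0.113.5
2024-03-01T10:00:03 pop3d: LOGIN FAILED user=carol ip=203.0.113.5
2024-03-01T10:00:04 pop3d: LOGIN FAILED user=dave ip=203.0.113.5
2024-03-01T10:00:05 pop3d: LOGIN FAILED user=erin ip=203.0.113.5
2024-03-01T10:00:06 pop3d: LOGIN OK user=erin ip=203.0.113.5
2024-03-01T10:00:30 pop3d: LOGIN FAILED user=frank ip=198.51.100.7
2024-03-01T10:15:00 pop3d: LOGIN FAILED user=frank ip=198.51.100.7
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) pop3d: LOGIN (?P<result>FAILED|OK) "
                     r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, ip) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: alert} for every source with >= threshold failures inside one sliding
    window; a success from that ip after the burst is escalated to 'possible compromise'."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in parse(log_text):
        (failures if result == "FAILED" else successes)[ip].append((ts, user))
    alerts = {}
    for ip, events in failures.items():
        times = [ts for ts, _ in events]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                alerts[ip] = {
                    "failures": end - start + 1,
                    "distinct_users": len({u for _, u in events[start:end + 1]}),
                    "status": "possible compromise"
                    if any(ts >= burst_end for ts, _ in successes[ip])
                    else "brute force in progress",
                }
                break
    return alerts
```

With the defaults, only 203.0.113.5 is flagged (five failures against five different accounts in five seconds, followed by a success); the slow attempts from 198.51.100.7 only surface if the window is widened, which is the trade-off a monitoring threshold always makes.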
Dictionary
An attack that uses a brute-force technique of
successively trying all the words in some large,
exhaustive list. For example, an attack on an
authentication service by trying all possible
passwords; or an attack on encryption by
encrypting some known plaintext phrase with
all possible keys so that the key for any given
encrypted message containing that phrase may
be obtained by lookup.
RFC 2828, May 2000
Denial of Service
Denial Of Service (DOS) attacks attempt
to slow or shut down targeted network
systems or services.
There are two main types of DOS
attacks: flaw exploitation and flooding.
Denial of Service
Flaw exploitation DOS Attacks
- Flaw exploitation attacks exploit a flaw in the target system's software in order to cause a processing failure or to cause it to exhaust system resources.
Flooding DOS Attacks
- Flooding attacks simply send a system or system component more information than it can handle. In cases where the attacker cannot send a system sufficient information to overwhelm its processing capacity, the attacker may nonetheless be able to monopolize the network connection to the target, thereby denying anyone else use of the resource.
Distributed Denial of Service
- DDOS attacks are a subset of DOS
DDOS attacks are simply flooding DOS attacks where the hacker uses multiple computers to launch the attack. These attacking computers are centrally controlled by the hacker's computer and thus act as a single immense attack system.
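The distinction the last two slides draw (a flood from one machine versus the same flood spread over many centrally controlled machines) is exactly what a network monitor has to recover from traffic counts. The classifier below is an added example, not part of the original presentation; it works on a constructed one-second sample of flow tuples using documentation address ranges, counts new-connection SYNs per destination, and separates a single-source flood from a distributed one by the number of distinct sources behind the same SYN rate.

```python
from collections import defaultdict

def constructed_flows():
    """Constructed one-second sample of (src, dst, tcp_flags) tuples. Addresses come from
    the documentation ranges (RFC 5737); this is not captured traffic."""
    flows = []
    # one host hammering one target with 400 SYNs: a plain flooding DOS
    flows += [("203.0.113.9", "192.0.2.10", "S")] * 400
    # 80 hosts sending 5 SYNs each to another target: the distributed variant
    flows += [(f"198.51.100.{i}", "192.0.2.20", "S") for i in range(1, 81) for _ in range(5)]
    # ten ordinary completed handshakes (SYN, SYN-ACK, ACK) as background
    flows += [("192.0.2.50", "192.0.2.30", "S"), ("192.0.2.30", "192.0.2.50", "SA"),
              ("192.0.2.50", "192.0.2.30", "A")] * 10
    return flows

def classify_floods(flows, syn_threshold=200, distributed_min_sources=20):
    """Per destination, count pure SYNs (new connection attempts) and the distinct sources
    sending them, then label: 'normal', 'single-source flood' or 'distributed flood'.
    The thresholds are assumed tuning values for the constructed sample, not standards."""
    syns = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, flags in flows:
        if flags == "S":                  # SYN without ACK = new connection attempt
            syns[dst] += 1
            sources[dst].add(src)
    verdicts = {}
    for dst, count in syns.items():
        if count < syn_threshold:
            verdicts[dst] = "normal"
        elif len(sources[dst]) >= distributed_min_sources:
            # many sources share the load: blocking one address does not help,
            # so the response has to be per-destination rate limiting or upstream filtering
            verdicts[dst] = "distributed flood"
        else:
            # one (or a handful of) sources: a source-address block is still effective
            verdicts[dst] = "single-source flood"
    return verdicts

def source_count(flows, dst):
    """Number of distinct hosts that sent a pure SYN to dst in the sample."""
    return len({src for src, d, flags in flows if d == dst and flags == "S"})
```

The verdict drives the response: the single-source case can be cut off at the source address, while the distributed case needs a per-destination control, which is why the slide stresses that the zombies act as one immense attack system.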
Spamming
Spamming attacks are a subset of DOS
A spammer uses your email system as a spam relay: your system becomes the host and then tries to deliver all the messages. While your email server is spending time processing the spam, it is prevented from handling legitimate mail for your domain.
Spoofing
In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system. To be successful, the intruder must first determine the IP address of a trusted system, and then modify the packet headers so that it appears that the packets are coming from the trusted system.
http://www.sans.org/infosecFAQ/threats/intro_spoofing.htm
Spoofing
IP spoofing - IP spoofing involves forging one's source IP address. It is the act of using one machine to impersonate another. Many applications and tools in UNIX systems rely on source IP address authentication.
ARP spoofing - ARP spoofing involves forging the packet source hardware address (MAC address) to the address of the host you pretend to be.
Man-in-the-middle
The "Man In The Middle" or "TCP Hijacking" attack is a well known attack where an attacker sniffs packets from the network, modifies them and inserts them back into the network. There are a few programs/source codes available for doing a TCP hijack. Juggernaut, T-Sight and Hunt are some of these programs.
http://www.sans.org/infosecFAQ/threats/middle.htm
Sniffers
Packet sniffers
A software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
- Captures plain text user account names, passwords, etc.
- Can also inject new information or change existing information.
Crackers
Someone who tries to break the security of, and gain access to, someone else's system without being invited to do so.
Countermeasures
Adequate Security Controls
Documentation
- Policy, standards, processes
Equipment
- IDS, firewall, network map
Personnel
- Auditing, monitoring, configuring, etc.
Education
- CISSP certified staff
Questions?
Ask Jeanette!