-
What are the Security Layers?
- Network Security
- Physical Security
- Personal Security
- Operational Security
- Communication
-
What is Computer Security?
Keeping anyone from doing things you do not want them to do with, on, or from your data, computer, or any peripheral device.
-
What are the costs of not having security?
- stolen business
- loss of business through bad publicity
- network grinds to a halt
- you may fall foul of the data protection legislation
-
Why aren't computers secure?
- Security is an annoyance
- Vendors need to get product out
- Hardware and software evolve quickly
- Programmers can’t predict flaws
- Little OS diversity
- Vendors are not motivated to declare flaws
- Patches if available may actually cause more problems
-
What must security be balanced against?
Accessibility
-
What data characteristics are worth preserving?
- Availability of information
- Accuracy of information
- Authenticity of the information
- Confidentiality of the information
- Integrity of the information
-
Who are the attackers?
- Hackers: Script kiddies/Ideological
- Bodies with criminal intent
- Government / Corporate raiders
- Own employees
- Short term contractors
-
What are the vectors that hackers exploit?
- Over the Internet
- Using a computer connected to the network
- Remote Access: Dial-up, VPN, Telnet
- Wireless
- Line-of-sight
-
What are Administrators' Security Expectations?
- Users can perform only authorized tasks.
- Users can obtain only authorized information.
- Users cannot cause damage to the data, applications, or operating environment of a system.
-
What are the concerns affecting security?
- Increase of network attacks
- Increased sophistication of attacks
- Increased dependence on the network
- Lack of trained personnel
- Lack of awareness
- Lack of security policies
- Wireless access
- Legislation
- Litigation
-
What are the categories of threat?
- Human error or failure: Accidents, mistakes
- Compromise of IP: Piracy, copyright infringement
- Espionage or trespass: Unauthorised access
- Software attacks: Virus, worms, macros
- Deviation in quality of service: Service providers, DOS
- Hardware/software failures: Equipment failures, bugs
-
What are the Network Vulnerabilities?
- Technology: Transport Protocols, Routing Protocols, Operating System
- Configuration: Servers and workstations, Firewalls and Routers, IDS
- Policy: Ineffective security policy
-
What are the classes of attack?
- Reconnaissance attacks
- Access attacks
- Denial of service attacks
- Worms, viruses, and Trojan horses
-
What are the types of attack?
- Packet sniffers
- Trust exploitation
- Password attacks
- Trojan horse
- Man-in-the-middle attacks
- Worms
- VLAN
- IP weaknesses
- Port redirection
- Virus
- DoS or DDoS
- Operator error
- Application layer attacks
-
What are the targets of attacks?
- System Hacking: Windows/Unix/Apple
- Network Hacking: Network devices, OSI Layer, Protocols
- Software Hacking: Web Server Hacking, Web Applications, Malware, Spyware, viruses
-
Name some useful Security Websites
- http://nvd.nist.gov/nvd.cfm
- http://www.securityfocus.com
- http://www.insecure.org
- http://www.cve.mitre.org/
- http://www.epic.org/
- http://www.ftc.gov/privacy/
- http://www.cert.org/
- http://www.sans.org/
- https://www.icsalabs.com/icsa/icsahome.php
- http://niap.nist.gov/
-
Name the three entities in a hacker's methodology
- Footprinting
- Scanning
- Enumeration
-
What information is acquired through footprinting?
- Company web sites - public and private
- Related Organisations
- Location details
- Phone number, contact names, email addresses, and personal details
- Current events (mergers, acquisitions, layoffs, charity events etc.)
- Privacy or security policies and the technical details indicating the types of security and how they are implemented.
- Archived information
- Disgruntled employees
- Search engines, Usenet and resumes
- Other information of Interest
-
Name some hacking tools and what they do
- Google groups: Search for useful emails addresses in newsgroups
- Whois: Gather IP and domain information
- SamSpade: Gather IP and domain information
- Namedroppers: Run a domain name search
- Google: Search for web sites and company information
- Dig: Performs DNS zone transfers
- Netcat: Read and write data to ports over the network
- Wget: Retrieves files over HTTP, HTTPS and FTP from the Internet
-
In the process of Whois and DNS enumeration, what does ICANN provide?
- Internet Domain names
- IP addresses
- Protocol parameter and port numbers
- Internet’s root DNS servers.
-
Name two network reconnaissance tools
-
What is the purpose of scanning?
- If you have an IP address range - to find out which IP addresses are alive
- If you have found a target - to find out which ports are open
-
What are Ping Sweeps used for?
- Identify which IP addresses belong to active hosts
- Ping a range of IP addresses
-
What are the potential problems of ping sweeps?
- Computers that are shut down cannot respond
- Networks may be configured to block ICMP Echo Requests
- Firewalls may filter out ICMP traffic
-
From RFC 792; what are the primary ICMP type messages?
- 0: Echo Reply
- 3: Destination Unreachable
- 4: Source Quench
- 5: Redirect
- 8: Echo Request
- 11: Time Exceeded
- 12: Parameter problem
- 13: Timestamp
- 14: Timestamp Reply
- 15: Information Request
- 16: Information Reply
-
What does Port Scanning find out?
What is the problem with services?
What ports do you scan?
What do port scanners report about ports?
- Port Scanning: Finds out which services are offered by a host and identifies vulnerabilities
- Open services can be used in attacks: Identify a vulnerable port, Launch an exploit
- Scan all ports when testing: Not just well-known ports
- Port scanning programs report: Open ports, Closed ports, Filtered ports, Best-guess assessment of which OS is running
-
What are the types of port scans?
- SYN scan: Stealthy scan
- Connect scan: Completes the three-way handshake
- NULL scan: Packet flags are turned off
- XMAS scan: FIN, PSH and URG flags are set
- ACK scan: Used to get past a firewall
- FIN scan: Closed port responds with an RST packet
- UDP scan: Closed port responds with ICMP “Port Unreachable” message
-
Name some popular port scanning tools for Unix and Windows
- UNIX
- scope
- udp-scan
- netscan
- nmap
- Windows
- netcat
- SuperScan
- ipEye
-
What are the countermeasures to port scanning?
- Options limited
- Shut the port
- Leave it open
- Try to disguise it
- Use IDS/IPS
-
Name two operating system failures to deal with Active Stack Fingerprinting (Port) scans
- FIN probe: RFC 793 states that the correct response to this flag is not to respond. Windows NT/2000/2003 respond with a FIN/ACK
- Bogus flag probe: An unidentified TCP flag is set in the TCP header of a SYN packet. Some OSs, such as Linux, will respond with that flag set in the response packet.
-
How to try and detect Active Stack Fingerprinting?
Look for these flags by using some network monitoring software to capture network traffic.
-
What information does Enumeration hope to extract?
- Resources or shares on the network
- User names or groups assigned on the network
- Last time user logged on
- User’s password
-
Name some examples of enumeration tools
- Port scanning and footprinting: Determine OS being used
- NBT (NetBIOS over TCP/IP): Tool for enumerating Microsoft OSs
- Using NBTscan: Use nbtscan command to scan a range of IP addresses
- Example: nbtscan 192.168.0.0/24
- Telnet to probe services: banner grabbing, ftp, DNS zone transfers, SMTP and NetBIOS
-
What type of process is enumeration?
Intrusive process
-
What is the Application Layer?
- Front end to the lower-layer protocols
- What you can see and touch
-
What is the Transport Layer?
What common Protocols run on this layer?
On what basis do these protocols work?
What is a three way handshake?
- Encapsulates data into segments
- Segments can use TCP or UDP to reach a destination host
- UDP is a minimal message-oriented protocol
- TCP is a connection-oriented protocol
- TCP three-way handshake
- Computer A sends a SYN packet
- Computer B replies with a SYN-ACK packet
- Computer A replies with an ACK packet
-
What are the critical components of TCP Segment Headers and why are they important?
- Critical components:
- TCP flags
- Initial Sequence Number (ISN)
- Source and destination port
Important because they are abused by hackers finding vulnerabilities
-
What are the TCP Flags and what do they do?
- URG: indicates that the Urgent pointer is valid.
- ACK: indicates that the Acknowledgement number is valid.
- PSH: indicates that this segment requests a push (i.e. pass this data to the application as soon as possible).
- RST: indicates that the connection should be reset.
- SYN: indicates that Initial Sequence Numbers (ISNs) should be synchronised.
- FIN: indicates that the sender has finished sending data
-
What is the initial sequence number (ISN) in TCP?
- 32-bit number
- Tracks packets received
- Enables reassembly of large packets
- Sent on steps 1 and 2 of the TCP three-way handshake
-
Describe TCP Ports
What do TCP packets contain?
What are the common ports and where can you find information about them?
- Port: Logical, not physical, component of a TCP connection
- Identifies the service that is running
- Example: HTTP uses port 80
- A 16-bit number
- TCP packets have source and destination port fields
- Helps you stop or disable services that are not needed: Open ports are an invitation for an attack
- Only the first 1023 ports are considered well-known
- List of well-known ports: Available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)
-
Describe TCP ports 20 and 21
- Ports 20 and 21: File Transfer Protocol (FTP)
- Used for sharing files over the Internet
- Requires a logon name and password
- More secure than Trivial File Transfer Protocol (TFTP)
-
Describe TCP ports 25, 53 and 69
- Port 25:
- Simple Mail Transfer Protocol (SMTP)
- E-mail servers listen on this port
- Port 53:
- Domain Name Service (DNS)
- Helps users connect to Web sites using URLs instead of IP addresses
- Port 69:
- Trivial File Transfer Protocol
- Used for transferring router configurations
-
Describe TCP ports 80, 110 and 119
- Port 80:
- Hypertext Transfer Protocol (HTTP)
- Used when connecting to a Web server
- Port 110:
- Post Office Protocol 3 (POP3)
- Used for retrieving e-mail
- Port 119:
- Network News Transfer Protocol
- For use with newsgroups
-
Describe TCP ports 135, 139 and 143
- Port 135:
- Remote Procedure Call (RPC)
- Critical for the operation of Microsoft Exchange Server and Active Directory
- Port 139:
- NetBIOS
- Used by Microsoft’s NetBIOS Session Service
- Port 143:
- Internet Message Access Protocol 4 (IMAP4)
- Used for retrieving e-mail
- Better than POP3
-
Describe the User Datagram Protocol (UDP)
- Fast but unreliable protocol
- Operates on transport layer
- Does not need to verify whether the receiver is listening
- Higher layers of the TCP/IP stack handle reliability problems
- Connectionless protocol
-
What is the internet layer used for and what protocol does it use?
What is ICMP, what is it used for, and what are common commands?
- Responsible for routing packets to their destination address
- Uses a logical address, called an IP address
- IP addressing packet delivery is connectionless
- Internet Control Message Protocol (ICMP):
- Used to send messages related to network operations
- Helps in troubleshooting a network
- Some commands include:
- Ping
- Traceroute
-
Name some popular security models
- Asset and Risk Based Infosec Lifecycle (ARBIL)
- Confidentiality, Integrity and Availability (CIA)
- McCumber Cube
- Cisco Security Wheel
-
Describe Network Security as a Continuous Process
- Network security is a continuous process built around a security policy:
- Step 1: Secure
- Step 2: Monitor
- Step 3: Test
- Step 4: Improve
-
With reference to the Cisco security model; describe the secure step.
- Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:
- Authentication
- Encryption
- Firewalls
- Vulnerability patching
-
With reference to the Cisco security model; describe the monitor step
- Detects violations to the security policy
- Involves system auditing and real-time intrusion detection
- Validates the security implementation in Step 1 (secure)
-
With reference to the Cisco security model; describe the test step
Validates effectiveness of the security policy through system auditing and vulnerability scanning
-
With reference to the Cisco security model; describe the improve step
- Use information from the monitor and test phases to make improvements to the security implementation.
- Adjust the security policy as security vulnerabilities and risks are identified
-
What is a security policy?
- “A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
- (RFC 2196, Site Security Handbook)
-
What factors should be taken into consideration when preparing a security policy?
- Count the Cost
- Identify your assumptions
- Control your secrets
- Remember human factors
- Know your weaknesses
- Limit the scope of access
- Understand your environment
- Limit your trust
- Remember physical security
- Make security pervasive
- Know your enemy
-
Why should you create a security policy?
- To create a baseline of your current security posture
- To set the framework for security implementation
- To define allowed and not allowed behaviors
- To help determine necessary tools and procedures
- To communicate consensus and define roles
- To define how to handle security incidents
-
Describe the two sets of security policy elements
Network Design Factors upon which security policy is based:
- Data Assessment
- Host Addressing
- Application Definition
- Usage Guidelines
- Topology/Trust Model
Basic Internet threat vectors that security policies are written to mitigate:
- Vulnerabilities
- Denial of Service
- Misuse
- Reconnaissance
-
What are the threats to security and what are the counters that should be documented in a security policy?
- Threats -> Counters
- Masquerade -> Authenticity
- Interception -> Privacy
- Modification -> Integrity
- Interruption -> Availability
-
What are the main Personal threats to Authenticity?
- Same login routine
- Username readily available
- Thus password becomes the gateway: Or session tickets for inter-resource communication
- Often limited in some way: lower & upper case, more than 8 char.
-
What are the Authenticity Attacks?
- Guessing the password
- “Cracking” passwords
- Reuse of old passwords
- Capture via Trojan Horses
-
What are the threats to internal Authenticity?
- Main threat is from “spoofing”
- Identification of host is by address
- The usual assumption is if you say you are a particular address then it must be so.
-
Structure of internal networks regarding Authenticity
How is the network arranged, what identifies what, and how are they able to communicate?
- Address conveys information about your setup
- IP addresses must be unique
- Must reside on correct network unless using “source routing”
- Most IP traffic within an organisation is carried over LANs
- Media Access Control (MAC) address
- Address Resolution Protocol (ARP) uses LAN broadcast to ask for MAC address of a particular IP address.
-
What are the countermeasures to an internal Authenticity Attack?
- Spoof detection
- Static address mapping
- Using an ARP server
- Authentication protocols e.g. MD5, Kerberos
-
What is the problem of exploiting Authenticity from the exterior using a permanent network and what countermeasures can be utilised?
- Spoofing of an internal address from outside is harder as the traffic which passes through a router will be directed to the appropriate network via the router's internal tables
- Main Counter: IP source routing: source host specifies the list of routers the packet must pass through.
- Secondary Counters:
- Password encryption
- One-time passwords
- Secure address mapping
- Strong authentication
- Proper router configuration
- Firewall gateways
-
How does exploiting a network's authenticity from the exterior using a temporary network work? What are the countermeasures to this attack?
- Find the dial-in line and then use a brute force attack
- Main Counter: dial back or strong authentication
- Secondary Counters:
- Password encryption
- One-time passwords
- Secure address mapping
- Strong authentication
- Proper router configuration
- Firewall gateways
-
What are the countermeasures to a masquerade/exterior attack?
- Masquerade -> Authenticity
- Password encryption
- One-time passwords
- Secure address mapping
- Strong authentication
- Proper router configuration
- Firewall gateways
-
What are the three different areas of Interception attacks?
-
What is the structure of interception on a personal level. What different user technologies are employed?
What is the structure in a multi-user system?
- The technology:
- single user
- single user with optional authentication
- multiple user
- Multiuser system:
- file permission scheme: rwx|rwx|rwx
- VMS, Netware more permissions and/or user categories
- Users may belong to more than one grouping
- ACLs
-
What are the methods employed to secure data at a personal level to protect against interception attacks?
- Your job to ensure that documents are secure:
- File encryption: password protection
- Key encryption: DES, IDEA, PGP, RSA
- Compression
-
What is the structure of interception on an interior level? What would allow a hacker to obtain information? What is a common interception weakness in interior networks?
Where are attacks possible from?
- Most LANs are broadcast:
- Can turn a PC into a protocol analyser
- Many login/password sequences are sent in clear text
- Attacks are possible from:
- Legally connected host
- Illegally connected host
- Invisible hosts
-
How do you set up interception on an exterior level, what do you use and what do you want to access?
- External connections via say friendly ISP.
- Gain access to your monitoring device.
-
What is the main method utilised for interception attacks?
Eavesdropping, which is the main threat to privacy.
-
What are the countermeasures to interception attacks?
- Interception -> Privacy
- Strong authentication techniques
- Data encryption
- Correct file permissions
- Secure address mapping techniques
- Good firewall topology.
-
What are the three levels of Integrity? What are the common components of these areas?
- Personal:
- Import of data via removable media: floppy, zip, hard drive, USB
- Electronic mail: especially via MIME attachments, Message transfer agents
- WWW or similar
- Internal:
- Network Technologies
- File checksum
- Immutable Files
- External:
- Router
- DNS server
-
What is the main goal and countermeasures to a modification attack?
- Modification -> Integrity
- The main goal is prevention:
- Checksums
- Digital Signatures
- Firewall
- Immutable files
- Static routing
-
What are the three levels of Availability and what are the components of these areas?
- Personal:
- Viruses
- Bombs
- Trojan horses
- Interior:
- Disc quotas
- Broadcast Storms
- Duplicate IP address
- Exterior:
- Disruption of normal routing
- Flooding of resources
-
What are the countermeasures to an Interruption Attack?
- Interruption -> Availability
- Frequent virus checks
- Limit resources assigned to a process
- Control IP address allocation
- Use static routing on external connects
- Use packet-filtering gateways
- Good firewall topology.
- IDS/IPS
-
What are the Security Risk Areas (areas of concern)?
- Theft of data, files, or software
- Unauthorised use of computer resources
- Denial-of-service attacks
- Deletion and/or replacement of content.
- Installation of unauthorised resources
-
What areas of an organisation's security are most at risk?
- Passwords: Gaining access to lists of usernames and passwords, which then give intruder free access for further attacks.
- Organisational data: Sensitive organisational data such as planning data, test data, payroll etc.
- Customer data: Commerce Web sites should realise that access to customer data, such as credit card numbers could prove useful to the hacker.
- Application software: Downloading licenses, sensitive software
-
What are the three areas which can be addressed to improve OS security? What are the good practices to improving security in these areas?
- Logon Security:
- Display legal notice
- Remove last user’s name from logon dialog
- Remove shut down button
- User Rights:
- Sufficient for task
- Create several for a user to match requirements
- Don’t give “Back up files and directory” rights
- Machine itself:
- Keep up to date with patches and service packs.
- Close off ports that are not being used.
- Shut down/uninstall services not required.
- Restrict access to the registry
- Domain security
-
What are the methods to improve Application Security?
- Correct user privileges: anonymous, others for specific directories/applications
- Appropriate use of directory browsing.
- Correct access permissions on directories: usually read only, scripting, execute for cgi directory
-
What are good security practices?
- Integrated Threat Management: Firewalls, Virus scanners, IDS/IPS, DMZ
- Limiting Server services: Remove needless services, lock down others
- Perform regular Server Maintenance and Administration
- Protect the log file:
- Encrypt the files, store on a different machine. Use a different file system
- Logfiles should not be visible via the web.
- Logfiles should be analysed frequently
- Ample disc space should be allocated to prevent “denial of service”
- Secure Programs and Scripts:
- Adopt a general policy regarding the authoring and testing of scripts.
- Remove all unnecessary scripts or programs
- Consider server configuration which requires the “CGI” process to run in isolation.
- Carefully examine any application which requires the installation of the server's API.
-
What type of security tools should be utilised to improve security?
- Macros or scripts that periodically check the integrity of critical files. (check sums)
- Programs that periodically make HTTP requests to check server availability.
- Scanning programs which check for known server vulnerabilities.
- Network Monitors
-
How can you make services more secure?
- Remove/replace the “default” configuration
- Isolate the document root from the real file system.
- Regular backup of configuration files
- Disable:
- Automatic directory listings
- Home directory that may contain “exploitable” scripts
- Server-side includes especially with #EXEC option
- CGI script execution from arbitrary directories.
- See http://www.cert.org
-
What should you do in the event of an intrusion?
- Shut down the server
- Explain to reader/user community
- Back up all server configuration to obtain accurate information about the system.
- Report intrusion to the appropriate authorities.
- Minimise any public announcement(?)
-
What is AAA?
A framework for intelligently controlling access to computer network resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.
-
What are the individual areas of AAA(A) and what do they do?
- Authentication: Validating the claimed identity of the user or device.
- Authorisation: Granting access rights to system resources. (Time-of-day, QoS, Bandwidth, tunnelling)
- Accounting: Tracking users' usage of system resources. (billing, management)
- Auditing: Ascertain the validity and reliability of information
-
Name some technologies used in AAA(A)
- CHAP: Challenge Handshake Authentication Protocol
- DIAMETER Protocol: This protocol is designed to replace RADIUS.
- EAP: Extensible Authentication Protocol
- Kerberos
- MS-CHAP (MD4)
- PAP: Password Authentication Protocol
- PEAP: Protected Extensible Authentication Protocol
- RADIUS: Remote Authentication Dial-In User Service
- TACACS/TACACS+: Terminal Access Controller Access Control System
-
What are the benefits of using AAA?
- Increased flexibility and control of access configuration
- Scalability
- Standardized authentication methods, such as RADIUS, TACACS+, Diameter and Kerberos
- Multiple backup systems
-
What is an identity?
- An assertion of who we are
- Allows us to differentiate between one another
-
What forms do identities take?
- Username and password
- Email address: jhacker@stuff.com
- MAC address: 00-01-12-ab-3d-33
- IP address: 172.16.48.199
- Digital certificates
- Biometrics
-
What are identities used for?
Used to grant appropriate authorisations: rights to services within a given domain
-
What are some popular identity mechanisms
- Terminal Access Controller Access Control System (TACACS):
- TACACS
- XTACACS
- TACACS+
- Remote Authentication Dial-In User Service (RADIUS)
- Diameter
-
Draw an overview of what identity mechanisms provide
-
What are static passwords? What attacks are they susceptible to? Why are they used?
- Remains the same until changed
- Susceptible to playback, theft, brute force, eavesdropping
- For convenience distributed systems need to have one password to access all resources.
- If it is possible to capture the password for off-line guessing then a much larger name space is required
-
What is a password storage site? What are the components?
- Individually stored on all the services required.
- Authentication Storage node: Central server
- Authentication Facilitator node: An intermediary that passes on authentication requests of a central server.
-
Describe the process for One-Time Passwords, for example S/Key
- 1. The client provides a pass phrase
- 2. The server provides the seed phrase and hash algorithm - MD4, MD5 or SHA-1
- 3. These are concatenated and passed through the algorithm a number of times. Output folded/reduced to 64 bits each time.
- 4. On login the client is challenged by the server, which provides the seed, sequence number - 1 and the hash used.
- 5. Client performs the same as 3 and sends the (sequence number - 1)th password to the server.
- 6. Server passes this through the hash one more time and then compares.
- 7. Server updates its database with new sequence number and new password.
-
What are Token Passwords?
How do they work?
- A One-Time-Password (OTP) with added security
- Time-based: Password loosely synchronised in time to the server.
- Challenge-response: Token server sends a random string to remote client. Remote client uses this with stored cryptographic key to produce the “password” which is sent to the server for authentication
-
What are Digital Signatures?
- An encrypted hash appended to a document to confirm identity of the sender and the integrity of the document.
- Based on public key encryption and secure one-way hash functions
-
What are the different technologies utilised by Biometrics?
- Fingerprint Scanning
- Voice Recognition
- Face Recognition
- Signature Recognition
- Retinal scanner
- Iris scanner
- Handprint readers
- Keystroke timing
-
What is EAP?
Name some of the different varieties of EAP.
- Extension of PPP to provide additional authentication features
- A flexible protocol used to carry arbitrary authentication information.
- Typically rides on top of another protocol such as 802.1x or RADIUS. EAP can also be used with TACACS+
- Specified in RFC 2284
- Support multiple authentication types:
- EAP-MD5: Plain Password Hash (CHAP over EAP). It has little use in a wireless authentication environment.
- EAP-TLS: based on X.509 certificates [RFC2716].
- EAP-TTLS: Sets up an encrypted TLS tunnel for safe transport of authentication data.
- LEAP (EAP-Cisco Wireless): proprietary protocol developed by Cisco, and is not considered secure
- PEAP (Protected EAP): currently an IETF draft
- EAP-MSCHAPv2: Requires username/password, and is basically an EAP encapsulation of MS-CHAP-v2
-
What is a basic login only? What are its weaknesses?
- Username and Password sent in clear.
- Recipient verifies username and password and communication occurs: No encryption, no integrity checks
-
What is a Nonce?
- A quantity that a protocol only uses once:
- Random number
- Timestamp
- Sequence number
-
Describe the Authentication Protocol Checklist (things an attacker, Trudy, must not be able to do)
- Learn the contents of the messages between Alice and Bob.
- Learn information that would enable Trudy to impersonate either Alice or Bob in subsequent exchanges.
- Learn information that would enable Trudy to impersonate Alice to another replica of Bob.
- Learn information that would allow Trudy to do an off-line password guessing attack against either Alice or Bob
- Pick up a conversation to Bob and convince him that it is Alice.
- Trick either into signing or decrypting something.
- Use one protocol to mount an attack on another.
-
Describe the four factors that motivate administrators to install IDS
- Most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse; finding and fixing all these deficiencies is not feasible for technical and economic reasons
- Existing systems with known flaws are not easily replaced by systems that are more secure-mainly because the systems have attractive features that are missing in the more-secure systems, or else they cannot be replaced for economic reasons
- Developing systems that are absolutely secure is extremely difficult, if not generally impossible
- Even the most secure systems are vulnerable to abuses by insiders who misuse their privileges.
-
What are the different IDS Hypothesis detection models?
- Attempted Break-in: Recognised by the abnormal number of password failures
- Masquerading or successful break-in: Logged in at an unusual time for the legitimate user. Resource usage may be that of browsing directories and executing system status commands.
- Penetration by legitimate user: Triggers excessive protection violations. Accessing material not usually used by them.
- Leakage by legitimate user: Leaking sensitive documents by routeing data to remote printers not normally used.
- Similarly for Trojan horses, viruses and DoS
-
Explain how an IDS works and what its architecture is.
- Collects, organizes, and analyzes information from any number of network based and host based IDS sensors;
- Shows overall status at a glance;
- Generates a report hierarchy that allows humans to start their investigation at any level and work up, down, and across as the trail leads;
- Enables humans to interact with the system to test their intuitions;
- Allows humans to direct further analysis and redirect how data is analyzed;
- Is invisible to hackers and is secure, because it is physically isolated from the production network.
-
Describe some of an IDS's characteristics and components.
- Network taps: Invisible to hackers. The whole IDS network is physically separate from the production network
- One or more IDS sensors to prevent overload
- The IDS sensors perform preliminary analysis.
- Central analysis server on the isolated IDS network to collect and allow analysis of the sensors' data.
- Capability of sensors and central analysis tools to react in real time.
-
Outline what an IDS is
Outline what an IPS is and what mechanisms it provides.
- IDS:
- Similar to generic packet sniffer.
- Compares packets with known attack patterns
- IPS:
- Provides the following active defence mechanisms:
- Detection: identify attacks
- Prevention: stop detected attacks from happening
- Reaction: immunise the system from further attacks from a malicious source.
-
What are the different things which can happen when an IDS/IPS makes a signature match?
- Alarm: sends an alarm to a log/email and then forwards the packet.
- Reset: sends packet with a reset flag to session participants.
- Drop: immediately drop packet
- Block: denies traffic from source attack address
-
Name the two types of IDS
- Host-Based IDS (HIDS)
- Network IDS (NIDS)
-
Explain the process of Kerberos Authentication
- 1. Once per Kerberos session a client connects to the Authentication Server (AS) to obtain a Ticket-Granting Server (TGS) session key and ticket granting ticket (TGT)
- 2. Once per application session, client connects to TGS to obtain application session key (ASK) and application server's secret key
- 3. The authenticated client sends its ticket, ASK and encrypted application server's secret key to application server and initiates a connection.