Network Intrusion

1
Network Intrusion And Its Countermeasures Tao
Chen April 2,2002
2
Agenda

• Danger of Intrusion
• Intrusion Technique Analysis
• Network Intrusion Countermeasures
• Intrusion Detection and Response Technology
• Proactive Prevention Technology
• People and Organization Issues
• Conclusion
• Q A

3
The Danger of Intrusion
Here are some example of Hacked Web Sites. Lets
guess their correct site names.
4
The Danger of Intrusion
www.whitehouse.gov was owned by global hell,
5/10/99 Source http//www.paybackproductions.com/
hackedsites/whitehouse/
5
The Danger of Intrusion
ABC receives the wrath of ulg united loan gunmen,
8/20/99 Source http//www.paybackproductions.com/
hackedsites/abc/
6
The Danger of Intrusion
International Association for Counterterrorism
and Security Professionals 9/9/99 Source
http//www.paybackproductions.com/hackedsites/iacs
p/
7
The Danger of Intrusion
(Source http//www.nwfusion.com/news/2000/0209att
ack.html)
8
Intrusion Technique Analysis

• Concepts of Intrusion
• Intrusion Sources
• Analysis of Some Intrusion Methodologies

9
Intrusion Technique Analysis

• Concepts of Intrusion
• According to Techdictionary.com, intrusion is
  any set of actions that attempt to compromise
  the integrity, confidentiality or availability of
  a resource1 .
• Computer Security Intrusion is any event of
  unauthorized access or penetration to an
  automated information system 2.

10
Intrusion Technique Analysis

• Intrusion Sources
• Outside Intruders
• They are from outside our network. They may
  attack the external systems, such as web servers
  and e-mail servers. They may also attempt to go
  through firewalls to attack systems inside the
  internal network. Outside intruders may attack
  from the Internet or from business partners
  network that is linked to the businesss private
  network.
• Inside Intruders
• They are authorized to use our internal network.
  They can be employees, contractors, part time
  workers, even vendors and consultants. The inside
  intruders may abuse their privileges or use the
  privileges of the other peoples.

11
Intrusion Technique Analysis

• Analysis of Some Intrusion Techniques
• Physical Intrusion
• The most effective and dangerous intrusion method
  is to get the physical access to the system. Once
  intruders can access to a system physically, they
  could be able to use the keyboard of the machine.
  They can even remove data storage subsystem, like
  tape drive or hard disk drive. Or the intruders
  can put some device to collect information from
  the system, such as network sniffers.
• Network Intrusion
• Network Intrusion is the most common intrusion
  method on the Internet. Intruders attempt to
  compromise the security mechanism of a system and
  access the information in the system over the
  network.

12
Intrusion Technique Analysis

• Analysis of Some Intrusion Techniques
• Network Intrusion
• Port Scan
• A port scan is a series of messages sent by
  someone attempting to break into a computer to
  learn which computer network services, each
  associated with a "well-known" port number, the
  computer provides3. Network intruders often
  use port scans to know targets and find out the
  opening ports and related services to the ports.
  It is one of the most common techniques used by
  intruders to exploit potential problems and
  weaknesses of the target system.
• Special Codes
• The intruder can create some malicious programs
  to invade a system without compromise the
  security mechanism of the system.
• Examples are Logical Bomb, Worm,
  Backdoor,Virus,Trojan Horse

13
Intrusion Technique Analysis

• Analysis of Some Intrusion Techniques
• Network Intrusion
• Software bugs
• A software bug is an error or defect in software
  that causes a program to malfunction4. Network
  intruders can use these bugs to invade a computer
  system.
• Improper System Configuration
• Most systems have configuration setup defined by
  vendors. These default configurations may have
  many unnecessary services and features installed
  on the system. If system administrators do not
  change these default configurations to remove the
  unnecessary accounts and services, intruders may
  use these default configurations and service to
  invade the system.

14
Intrusion Technique Analysis

• Analysis of Some Intrusion Techniques
• Network Intrusion
• Crack Password
• Intruders may look for default password, weak
  password and unencrypted password. If intruders
  cannot find these passwords in a system, they may
  use password-cracking utilities to decrypt the
  encrypted passwords.
• Sniff unsecured traffic
• Packet sniffing is a technology to intercept and
  copy data packets sent through a shared network
  medium, like Ethernet and Internet. If intruders
  could install sniffers on a network, they can see
  the network traffic from everyone. If the network
  traffic is not encrypted, the intruders would be
  see everyones information.

15
Intrusion Technique Analysis

• Analysis of Some Intrusion Techniques
• Network Intrusion
• Attack Server Side Script
• CGI scripts can be another security hole.
  Scanning a website for CGI programs is almost as
  popular as port scanning. A broad-spectrum
  scanner is used to enumerate through hundreds of
  CGI programs that have known vulnerabilities in
  them. If a vulnerable CGI program is found, then
  it will be exploited in order to break into a
  server5
• IP Spoofing
• Spoofing is the creation of TCP/IP packets using
  somebody else's IP address6. By using other
  computers IP address or making an non-existing
  IP address as source IP address, an intruder may
  make the IP package look like sent from another
  location than its real original location. In this
  way, intruders may make themselves invisible
  because the false source IP address make it
  difficult to trace back intruders.

16
Intrusion Technique Analysis

• What do hackers do after intrusion?
• Remove log
• Intruders will remove all the system logs that
  recorded their actions on the system so that the
  system administrator can not detect the
  intrusion.
• Install Sniffer
• They will install the sniffer on servers or
  networking devices to collect network traffic to
  get further data and information.
• Install Trojan horse
• They will also install Trojan horse software so
  that they can easily access and remote control
  the system later.
• Do other harmful things
• They also may do other harmful things to the
  system, like removing data, modifying data,
  install computer viruses or stealing information.

17
Network Intrusion Countermeasures
Intrusion Detection And Response Technology
Proactive Prevention Technology
Integrated Network Intrusion Countermeasure
Solution
People and Organization Issues
There are three main components that are involved
in intrusion countermeasures. First, intrusion
detection technology is used to detect intrusion
attempts and existing intrusion. Second,
proactive prevention technology can be implement
to reduce the chance of being intruded. Third,
people and organization are critical in
successful intrusion response. Any advanced
technology will be useless if people and
organization do not pay attention to information
system security issues. Therefore, an Integrated
Network Intrusion Countermeasure Solution is
proposed in order to increase the chance of
successful intrusion response.
18
Network Intrusion Countermeasures

• Intrusion Detection and Response Technology
• Signature recognition
• The idea of signature recognition is as
  following Misuse intrusions are attacks on
  known weak points of a system. An IDS looks for
  this type of attack by comparing network traffic
  with signatures of known attacks.7 In order
  to detect intrusion, the signature recognition
  technology needs to develop a variety of patterns
  of different attacks. It just likes antivirus
  software that detects certain patterns or
  signatures in files to discover computer virus.
• Anomaly detection
• Anomaly detection techniques assume that all
  intrusive activities are necessarily anomalous.
  This means that if we could establish a normal
  activity profile for a system, we could, in
  theory, flag all system states varying from the
  established profile by statistically significant
  amounts as intrusion attempts.8
• The anomaly detection technology tracks network
  activity to make difference between normal
  activities and abnormal activities.

19
Network Intrusion Countermeasures

• Detection and Response Technology
• Securing system logs
• After breaking into a system, an intruder usually
  changes system log to remove the intrusion
  attempts and intrusion activities. One of the
  methods to protect system log is to use a remote
  dedicate log server which is protected by
  firewall and only has logging function with all
  other services closed9. Thus, a secure and
  clean system log can be used to analyze intrusion
  activities
• Regular System Check
• Regular system check is an effective way to find
  out intrusion attempts and intrusion activities.
  Some examples are
• Check system log files
• Check System Binaries
• Check for packet sniffers
• Check for unauthorized services
• Check for unusual hidden files

20
Network Intrusion Countermeasures

• Detection and Response Technology
• File Integrity Check
• It checks whether important system files have
  been modified, removed or deleted.
• Example GFI Software LANguard File Integrity
  Checker

21
Network Intrusion Countermeasures

• Detection and Response Technology
• Common methods used to response to network
  intrusions
• Isolate the intruded system and service
• Install latest patches to the system
• Keep Record of Intrusion
• Records indicate the vulnerabilities in the
  system and help system administrators to correct
  these errors and holes. They also provide hint to
  response to new intrusions because system
  administrators can learn from previous solutions.
  Thirdly, the intrusion records also provide
  evidence for legal action against intruders.
• Trace to the source of the attack
• Example SHARP Technologys Hack Tracer 1.2
• Demo http//www.sharptechnology.com/bh-cons.htm

22
Network Intrusion Countermeasures

• Proactive Prevention Technology
• The main idea is to fix system errors and holes
  proactively and implement technologies to improve
  the security level of the system.
• Port scanning
• System administrator can use port scanning to
  find out security holes and weaknesses in the
  system and then fix them.
• Example GFI Software LANGuard Network Scanner

23
Network Intrusion Countermeasures
Example GFI Software LANGuard Network Scanner
24
Network Intrusion Countermeasures

• Proactive Prevention Technology
• Firewall
• Honeypots10
• Honeypots are programs that simulate one or more
  network services on your computer's ports. An
  attacker assumes you're running vulnerable
  services that can be used to break into the
  machine.
• Log access attempts to those ports including the
  attacker's keystrokes.
• Provide warning of a future attack.
• Run on well-know servers, such as Web, mail, or
  DNS servers.

25
Network Intrusion Countermeasures

• Proactive Prevention Technology
• Authentication
• Authorization
• Encryption
• VPN

26
Network Intrusion Countermeasures

• People and Organization Issues
• Management Support
• Management Team should understand how important
  system security is to a successful business and
  how much it would cost if the system is broken in
  and important business data are lost. Their
  support could help allocate more resources to
  system security and intrusion responses.
• Policies and Procedures 11
• Policies and supporting procedures help people
  better prepare for the intrusions and give them
  the ability to response to the intrusion
  effectively. With predefined policies and
  procedures, people can know what they should do
  before, during and after the intrusion.
• Technical Training
• IT department and end users neec to get enough
  knowledge of intrusion detection and intrusion
  responses technology.

27
Conclusion

• Network Intrusion is a threaten to online
  business.
• A integrated solution is proposed.

Intrusion Detection And Response Technology
Proactive Prevention Technology
Integrated Network Intrusion Countermeasure
Solution
People and Organization Issues
28
Thank you!
29
Reference 1 Techdictionary.com, Search By
Term Intrusion 2 Techdictionary.com, Search
By Term Intrusion 3 URL http//whatis.techtar
get.com/definition/0,289893,sid9_gci214054,00.html
4 http//www.pcwebopedia.com/TERM/b/bug.html 5
http//www.networkice.com/Advice/Underground/Hac
king/Methods/Technical/CGI/default.htm 6
http//www.networkice.com/Advice/Underground/Hacki
ng/Methods/Technical/Spoofing/default.htm 7
http//www.messageq.com/security/meinel_2.html
8 http//www.acm.org/crossroads/xrds2-4/intrus.
html 9 http//project.honeynet.org/papers/enemy2
/ 10 http//www.sans.org/newlook/resources/IDFA
Q/honeypot.htm 11 http//www.cert.org/security-
improvement/practices/p044.html