USDA Cyber Security Awareness IDS Briefing Gregory Tepe Director, Federal Security Solutions

Page 1: USDA Cyber Security Awareness IDS Briefing Gregory Tepe Director, Federal Security Solutions

USDA Cyber Security Awareness: IDS Briefing

Gregory Tepe, Director, Federal Security Solutions

Page 2

Topics

The need for Intrusion Detection

IDS Definitions

IDS Components

Q&A

Page 3

Why do Federal Agencies need IDS?

The threat is real
— Insider (contractors, co-location facilities, malicious employees)
— Outsider (external hackers, mistaken network security tests, foreign governments)

When an attack occurs (and it will), companies will limit exposure, perform accurate damage assessment and have evidence for potential legal action

Not a question of whether to install but which IDS to install

Page 4

Why do Federal Agencies need IDS?

Prevent problems by increasing the perceived risk of discovery, i.e. deterrence

Detect problems that are not prevented by other security measures
— uncorrected known vulnerabilities
— open paths through firewalls
— DMZ locations

Detect preliminary attacks
— probes
— sweeps
— scans

Page 5

Why do Federal Agencies need IDS?

Data Collection: monitor and document the threats
— itemize and characterize internal and external threats
— incident handling
— recovery efforts
— investigation

Page 6

Regulatory Measures Affecting Information Security

HIPAA – Healthcare Information Portability Accountability Act in the U.S.

Gramm-Leach-Bliley – Established standards for financial institutions to protect customer information.

British Standard BS7799 – Divides the security policy into a five-step, cyclical process.

The EU Data Protection Act – Establishes a high level of protection for the free movement of personal data within the European Union.

Page 7

More Susceptibility to Hackers

Growing complexity of threats

— More sophisticated attackers looking to cause more damage

— Blended threats

Insider attacks still predominant

Vulnerabilities are proliferating – configuration deficiencies & published lists

Hacker tools make attacks easier

Security perceived as a need, like insurance

Page 8

Threats are increasing

Internal Threats

— Clueless users

— Disgruntled employees

— Downsized trusted users

— Embezzlers

External Threats

— Corporate Spies

— Criminals

— “kiddie scripts”

— Terrorists

Page 9

Because locks are not enough . . .

In 2001, U.S. businesses lost over $375 million to computer crime, but only 37% of the respondents could quantify the loss.

FBI estimates that well over half of the computer crime actually comes from inside the organization.

One of the biggest problems facing managers today is not having enough trained system administrators on-hand to properly configure and maintain their information resources.

Page 10

CSI/FBI 2001 U.S. Security Survey - Dollar Loss by Type of Attack

Theft of Information: $151,230,100
Financial Fraud: $92,935,500
Virus: $45,288,150
Insider Net Abuse: $35,001,650
System Penetration: $19,066,600
Telecom Fraud: $9,041,000
Laptop Theft: $8,849,000
Unauthorized Insider Access: $6,064,000
Sabotage: $5,183,100
Denial of Service: $4,283,600
Telecom Eavesdropping: $886,000

Page 11

Economic Impact of High-Tech Crimes in the U.S.

Average computer crime: $500,000

Average bank fraud: $25,000

Average bank robbery: $2,500

Page 12

Managing Your Risk

Security is about managing risk – risk of:
— Loss of operational capability
— Loss of trust
— Financial loss and fraud

Risk is a function of:
— ASSET VALUE
  < The value of the assets you are trying to protect
— THREATS
  < Forces and entities which could bring harm to your assets
  < Direct (e.g., hackers, employees) and indirect (e.g., flood, war)
— VULNERABILITIES
  < Areas of weakness in processes, people and technology that would allow a threat to materialize.

Page 13

IDS Asset Value

How much is your brand worth?

How much is your credibility worth?

How much is your network worth?

How much are your systems worth?

How much is your intellectual property worth?

Page 14

Why do Federal Agencies need IDS?

A balanced defense for an in-depth security architecture

Firewalls and VPNs are not enough: a balanced and effective information security program requires both preventive and detective controls.
— Preventive Controls
  < Systems put in place to prevent misuse and attack from occurring and/or succeeding, for example:
    – Two-factor authentication (thumbprint scanner and password)
    – Firewalls
    – Virtual Private Networks
— Detective Controls
  < Systems put in place to detect misuse/attack when preventive controls cannot be put in place or fail, for example:
    – Reviewing system audit logs
    – Intrusion detection systems

Page 15

Intrusion Detection Systems

Intrusion DETECTION, not Intrusion CORRECTION

— “Sniffs” packets and detects potential threats

— Can store packets for later session re-creation

— MUST be monitored for proper security implementation

Searches IP packets

— Patterns in packets; “/cgi-bin/phf”

— Patterns of packets; port scans & sweeps

— Patterns that should not be there; illegal web servers
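As an added example (not part of the briefing), the two detection styles on this slide in Python: a payload signature check for the “/cgi-bin/phf” pattern named above (a pattern in a packet) and port-scan/sweep detection by counting distinct ports and hosts per source (a pattern of packets). The packet records, addresses and thresholds are constructed for the demo.

```python
# Added example: toy network sensor applying the slide's two detection styles
# to a constructed list of packet records (src, dst, dst_port, payload).
from collections import defaultdict

# Constructed sample traffic, not a real capture.
PACKETS = (
    [("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.0"),
     ("10.0.0.5", "192.0.2.10", 80, b"GET /cgi-bin/phf HTTP/1.0")]
    + [("10.0.0.9", "192.0.2.10", port, b"") for port in range(20, 40)]    # 20 ports, one host
    + [("10.0.0.7", "192.0.2.%d" % host, 22, b"") for host in range(1, 13)]  # 12 hosts, one port
)

# Payload signatures: name -> byte pattern (the slide's "/cgi-bin/phf" example).
SIGNATURES = {"phf-cgi": b"/cgi-bin/phf"}

SCAN_THRESHOLD = 15   # distinct ports on one host from one source (assumed value)
SWEEP_THRESHOLD = 10  # distinct hosts on one port from one source (assumed value)


def match_signatures(packets, signatures=SIGNATURES):
    """Patterns in packets: return (src, dst, signature name) for every hit."""
    return [(src, dst, name)
            for src, dst, _port, payload in packets
            for name, pattern in signatures.items() if pattern in payload]


def detect_scans_and_sweeps(packets, scan_thr=SCAN_THRESHOLD, sweep_thr=SWEEP_THRESHOLD):
    """Patterns of packets: count distinct ports per (src, dst) and distinct
    hosts per (src, port); raise an alert when a count crosses its threshold."""
    ports_per_target = defaultdict(set)   # (src, dst)  -> {dst ports seen}
    hosts_per_port = defaultdict(set)     # (src, port) -> {dst hosts seen}
    for src, dst, port, _payload in packets:
        ports_per_target[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)
    alerts = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= scan_thr:
            alerts.append(("port-scan", src, dst, len(ports)))
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= sweep_thr:
            alerts.append(("sweep", src, port, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in match_signatures(PACKETS) + detect_scans_and_sweeps(PACKETS):
        print(alert)
```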

Page 16

What are Network Intrusion Detection Systems (NIDS)?

Burglar alarms of the network
— Can identify someone “casing” the environment
  < port scan
— Will detect unauthorized access
  < remote password attacks
  < Breaches of the firewall
— Will detect system disruptions
  < application buffer overflow
  < Denial of Service
— Will sound the alarm
  < 24x7 monitoring
— Will monitor and log forensic evidence to support the legal case

Page 17

What are Host Based IDS (HIDS)?

HIDS - Burglar alarms for the Server
— Resides on a customer’s key servers
— Operating System Support
  < Linux
  < Windows
  < UNIX
— HIDS Alarms are correlated along with NIDS, Firewalls, and Routers
  < System logs
  < Kernel calls
  < File monitoring

Page 18

Network Sensor Key Features

High-bandwidth support

Multi-method attack detection

— Detection using a combination of signature, protocol and system anomaly based techniques to ensure no attack goes undetected

Open and customizable signatures

— Signatures available to the user. This is critical in tuning signatures and in developing signatures unique to the operating environment.

DOS Detection

— Network Sensor employs multiple methods, including signature and protocol analysis techniques, in identifying known and unknown DOS techniques, including distributed attacks.

Backdoor and rogue server detection

— NIDS ought to detect backdoors and rogue servers via many techniques including but not limited to protocol analysis, session analysis, and ICMP traffic profiling.

Page 19

Network Sensor Ideal Features

Intrusion Prevention
— Event Sniping
  < Terminate sessions via a TCP reset or ICMP unreachable message
— Shunning
  < Configure ACLs on third-party firewalls and routers

Advanced buffer overflow detection
— Recognize unique patterns sent during an attack.

IDS evasion (protect the IDS from being a victim of DOS)
— IP de-fragmentation and TCP/UDP stream reassembly
— Protocol decoding
  < HTTP, FTP, Telnet, RPC, SNMP

DOS countermeasures
— Techniques for defeating tools such as “stick” and “snot” that attempt to DOS an intrusion detection system.
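As an added example (not from the briefing), the TCP stream reassembly bullet in Python: the “/cgi-bin/phf” pattern from an earlier slide is split across two TCP segments that arrive out of order, with one retransmitted; a matcher that inspects each segment on its own misses it, while a matcher run on the stream reassembled by sequence number finds it. The segments and relative sequence numbers are constructed for the demo.

```python
# Added example: why a network sensor must reassemble TCP streams before
# signature matching. Segments are (relative sequence number, payload).
SIGNATURE = b"/cgi-bin/phf"

# Constructed segments: delivered out of order, with the second one retransmitted.
SEGMENTS = [
    (13, b"phf HTTP/1.0\r\n"),   # arrives first (out of order)
    (0, b"GET /cgi-bin/"),       # the start of the request arrives second
    (13, b"phf HTTP/1.0\r\n"),   # duplicate retransmission of the first segment
]


def per_segment_match(segments, signature=SIGNATURE):
    """Naive sensor: inspect each segment's payload on its own."""
    return any(signature in payload for _seq, payload in segments)


def reassemble(segments):
    """Order segments by sequence number, drop already-seen bytes, trim partial
    overlaps, and stop at the first gap. Returns the contiguous stream."""
    stream = bytearray()
    expected = None                      # next sequence number we need
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq               # stream starts at the lowest seq seen
        if seq + len(payload) <= expected:
            continue                     # entirely retransmitted data, skip it
        if seq < expected:
            payload = payload[expected - seq:]   # keep only the new tail
        elif seq > expected:
            break                        # hole in the stream: wait for more data
        stream += payload
        expected += len(payload)
    return bytes(stream)


def stream_match(segments, signature=SIGNATURE):
    """Sensor with reassembly: match against the rebuilt byte stream."""
    return signature in reassemble(segments)


if __name__ == "__main__":
    print("per-segment match:", per_segment_match(SEGMENTS))  # False
    print("stream match:     ", stream_match(SEGMENTS))       # True
```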

Page 20

IDS Detection Techniques

Greater Visibility/Granularity

Greater Number of events

Superior Forensics

Greater Performance

Increased ease of use

[Figure: packet header fields inspected by the sensor – P, SA, DA, L/T, SIP, DIP]

Page 21

IDS vs. IPS

Performance

Latency

Accuracy

Page 22

Host Sensor Key Features

Multi-method detection
— Log file analysis
  < Host Sensor can analyze any file against a signature policy whether it’s the system log, the security log, or the log for a custom built application.
— File attribute monitoring
  < Monitoring of specific file attributes such as owner, group, permissions and file size for changes.
— File integrity checking (MD5)
  < Monitoring files to determine if their content has been changed via MD5. This provides assurance that sensitive files that should not be modified have not been modified.
— Backdoor service monitoring
  < Host Sensor can monitor a system for new TCP and UDP ports. This provides critical protection against backdoor services which can be used to allow unauthorized access through the firewall and/or be a staging point for a distributed denial of service or outright attack.
— Registry monitoring
  < Host Sensor will analyze the Windows registry for attributes that should not be accessed and/or modified. This is essential in identifying attacks against often-targeted Microsoft servers.
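As an added example (not the product's code), three of the host sensor checks above in Python: file attribute monitoring (owner, group, permissions, size), MD5 file integrity checking against a baseline, and new-listening-port detection by diffing a baseline port set. The watched file is created in a temporary directory and the port sets are constructed; a real sensor would read listening ports from the operating system.

```python
# Added example: minimal host sensor checks on a constructed watched file
# (attribute + MD5 baseline/diff) and a constructed listening-port baseline.
import hashlib
import os
import tempfile

WATCHED_ATTRS = ("st_uid", "st_gid", "st_mode", "st_size")  # owner, group, perms, size


def snapshot(paths):
    """Baseline: per file, its watched stat attributes plus an MD5 of its content."""
    snap = {}
    for path in paths:
        st = os.stat(path)
        with open(path, "rb") as f:
            digest = hashlib.md5(f.read()).hexdigest()
        snap[path] = {**{a: getattr(st, a) for a in WATCHED_ATTRS}, "md5": digest}
    return snap


def diff_snapshots(baseline, current):
    """Return (path, attribute) pairs whose value changed since the baseline."""
    changes = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            changes.append((path, "missing"))    # watched file was deleted
            continue
        changes.extend((path, key) for key in old if old[key] != new[key])
    return changes


def new_listeners(baseline_ports, current_ports):
    """Backdoor service check: ports listening now that were not in the baseline."""
    return sorted(set(current_ports) - set(baseline_ports))


def demo():
    """Create a watched file, take a baseline, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "app.conf")        # constructed watched file
        with open(target, "w") as f:
            f.write("admin=1\n")
        os.chmod(target, 0o644)
        baseline = snapshot([target])
        with open(target, "a") as f:                # content and size change
            f.write("extra=1\n")
        os.chmod(target, 0o444)                     # permissions change
        file_changes = diff_snapshots(baseline, snapshot([target]))
        os.chmod(target, 0o644)                     # restore so cleanup succeeds
    port_changes = new_listeners({22, 80, 443}, {22, 80, 443, 31337})  # constructed sets
    return file_changes, port_changes
```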

Page 23

Host Sensor Key Features

Open and customizable signatures

— Signatures are available to the user. This is critical in tuning signatures and in developing signatures unique to the operating environment.

Off-host analysis

— Host Sensor can analyze events sent via SNMP or syslog to a log analysis server. This is critical in monitoring the security of systems where Host Sensor cannot be installed such as routers and legacy systems. It can also be used to extend security monitoring to custom applications.

Windows event log analysis

— Host Sensor will monitor the various Windows event logs for signs of misuse or attack.

Page 24

Host Sensor Key Features

Enterprise Monitoring

— Web Server support

< Apache web server

< IIS web server

< Netscape web server

— FTP servers support

< IIS FTP server

< WU-FTP (FTP server)

— Application support

— Commercial Firewall Support

— Open Source Firewall Support

Page 25

Q & A