White Paper:
Intrusion Detection: Reducing Network Security Risk

How do you know you're under attack? Once you know there's a problem, how do you find the source of the problem? The answer is intrusion detection systems (IDS).

by Recourse Technologies
[December 24, 2001]

Recourse Technologies™ is a provider of threat management solutions that contain, control, and respond to both known and novel threats, including intrusions, internal attacks, and denial of service attacks. ManHunt™ is a comprehensive threat management system that goes beyond traditional intrusion detection to provide a scalable and effective solution for detecting, analyzing, and responding to attacks. ManTrap® is a secure deception system (based on advanced honeypot technology) that provides a realistic and flexible way to identify internal and external security threats. To learn more about managing network threats, visit the website at www.recourse.com or call 1-877-786-9633.

Recourse Technologies, Inc., headquartered in Redwood City, California, is privately held and is funded by Canaan Partners, Doll Capital Management (DCM), Intel Capital, and Menlo Ventures.

Introduction
Numerous websites and internal networks are hacked because they do not take the precautions necessary to protect against attacks. The failure to secure their websites and customer data puts companies at a much greater risk of loss. A single attack can cost millions of dollars in potential revenue, but that's just the beginning. The damage from an attack can also include customer inconvenience and loss of customer confidence, loss of intellectual property and market advantage, liability for compromised customer data, and the time and money spent recovering from the attack.

The best defense against attacks is a combination of tools and policies that increases the amount of "correct" information you have about an attack and delivers that information in a timely manner, so that you can respond to the attack effectively.

The Security Requirement
A network is made up of many types of hardware and software, and the many different requirements of the users accessing that hardware and software. To be effective, a security model must take into consideration these various network components and the security issues related to each. The following is a basic security model outline.

  1. User policy
  2. Firewalls
  3. Intrusion detection systems
  4. Router security
  5. Host system security
  6. Auditing
  7. Incident response plan

In this document, we will address some of the issues organizations face, specifically those issues that can be addressed by the deployment of intrusion detection systems within an organization's infrastructure.

The Five Basic Stages of Attack
To understand how easily an attacker can compromise a network, the five basic stages of an attack are described below.

Initial reconnaissance: A potential intruder will find out as much as they possibly can about their target by seemingly legitimate means. Finding public information about their target on the Internet is usually the first step. The intruder will browse public websites and even search news articles and press releases about the company. The next step is to uncover as much information as possible on the company's internal network, Internet domain, machine names, and the company's IP address ranges. At this stage, it is really not possible to detect the intruder—they have done nothing illegal and their information requests are considered legitimate.

Network probe: At the network probe stage, the intruder uses more invasive techniques to scan for information. Usually, a 'ping sweep' of the network IP addresses is performed in order to seek out potential targets, then a 'port scanning' tool is used to discover exactly which services are running on the target system. Again, at this point the intruder has still not done anything that would be considered abnormal activity on the network, and they have not done anything that can be classified as an intrusion.
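The probe stage is the first point at which the traffic itself carries a signal an IDS can use: one source reaching many hosts with ICMP in a short time, or one source touching many ports on one host. The following is an added example, not code from the white paper or from Recourse Technologies, of that detection logic run over a constructed flow log. The record format (timestamp, source, destination, protocol, destination port), the thresholds and the 60-second window are all assumptions chosen for the example; a real sensor would tune them to the network.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_log():
    """Build a small, constructed flow log (not a real capture).

    Record format (assumed for this example):
        "<ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port or ->"
    """
    lines = []
    # Ping sweep: 10.0.0.5 sends ICMP echo to ten different hosts in ten seconds.
    for i in range(1, 11):
        lines.append(f"2001-12-24T10:00:{i - 1:02d} 10.0.0.5 192.168.1.{i} icmp -")
    # Port scan: the same source then touches twelve ports on one host.
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443]):
        lines.append(f"2001-12-24T10:01:{i:02d} 10.0.0.5 192.168.1.20 tcp {port}")
    # Benign traffic: a workstation repeatedly using two ordinary services.
    for i in range(6):
        lines.append(f"2001-12-24T10:02:{i:02d} 10.0.0.7 192.168.1.20 tcp 80")
        lines.append(f"2001-12-24T10:02:{i:02d} 10.0.0.7 192.168.1.30 tcp 443")
    # Slow probe: 10.0.0.9 pings five hosts, then five more an hour later.
    for i in range(1, 6):
        lines.append(f"2001-12-24T09:00:{i:02d} 10.0.0.9 192.168.1.{i} icmp -")
        lines.append(f"2001-12-24T10:30:{i:02d} 10.0.0.9 192.168.1.{i + 5} icmp -")
    return lines


def parse_line(line):
    """Split one record into (timestamp, src, dst, proto, port-or-None)."""
    ts, src, dst, proto, port = line.split()
    return (datetime.fromisoformat(ts), src, dst, proto,
            None if port == "-" else int(port))


def detect_probes(lines, window=timedelta(seconds=60),
                  host_threshold=8, port_threshold=10):
    """Return alerts as (kind, src, dst_or_None, distinct_count, alert_time).

    ping_sweep: one source reaches >= host_threshold distinct hosts by ICMP
                within `window`.
    port_scan:  one source touches >= port_threshold distinct ports on one
                host within `window`.
    Each (kind, source[, destination]) pair is reported once.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    icmp_hist = defaultdict(deque)  # src -> deque of (ts, dst)
    tcp_hist = defaultdict(deque)   # (src, dst) -> deque of (ts, port)
    alerted, alerts = set(), []
    for ts, src, dst, proto, port in events:
        if proto == "icmp":
            key, hist, item, thresh, kind = src, icmp_hist[src], dst, host_threshold, "ping_sweep"
        else:
            key, hist, item, thresh, kind = (src, dst), tcp_hist[(src, dst)], port, port_threshold, "port_scan"
        hist.append((ts, item))
        # Sliding window: forget observations older than `window`, so a slow,
        # spread-out probe does not accumulate into a false alert.
        while hist and ts - hist[0][0] > window:
            hist.popleft()
        distinct = {x for _, x in hist}
        if len(distinct) >= thresh and (kind, key) not in alerted:
            alerted.add((kind, key))
            alerts.append((kind, src, None if kind == "ping_sweep" else dst, len(distinct), ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_probes(constructed_log()):
        print(alert)
```

With the default 60-second window the detector reports the ping sweep and the port scan from 10.0.0.5 and nothing for the workstation or for the slow prober 10.0.0.9; widening the window to two hours makes the slow sweep visible as well, which is the trade-off every threshold-based probe detector has to make between sensitivity and noise.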

Crossing the line: The intruder now commits what is technically a "computer crime" by exploiting possible holes on the target machine. The hacker usually goes through several stages of exploits to gain access to the system. Certain programming errors can be used by attackers to compromise a system and are quite common. Exploits usually include vulnerabilities in CGI scripts or well-known buffer-overflow holes, but the easiest way to gain entry is by checking for default login accounts with easily guessable (or empty) passwords. Once the intruder is able to access a user account without very many privileges, they will attempt further exploits in order to get administrator or 'root' access. "Root" is a UNIX term for the account that carries the system privileges required to run all services and access all files on the system; it is the equivalent of Administrator or Super User access and grants the intruder the ability to do anything on the system.

Owning the network: An attacker can quickly and easily gain a foothold in the internal network by compromising low priority target systems. The next step is to remove any evidence of the attack. The intruder will usually install a set of tools (known as 'RootKits') that replace existing files and services with Trojan files and services that have a backdoor password. There are a number of hacker tools that clean up log files and remove any trace of an intrusion. They are sometimes part of a RootKit, but most of the time they are individual programs written by hackers. RootKits provide copies of system files that look and act like the real thing, but in fact they give the hacker a backdoor into the system and hide processes he might be running on that system and his user information. This allows the attacker to return to the system at will. Once the attacker has gained access to one system, he will then repeat the process by using the system as a stepping-stone to access other systems deeper within the network, since most networks have fewer defenses against attacks from internal sources.
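Because a rootkit replaces system files with copies that look and act like the real thing, a host-side check cannot rely on file names, sizes or timestamps; it has to compare the content of each file against a baseline recorded before the compromise. The following is an added example, not code from the white paper or from Recourse Technologies, of such a hash-based integrity check. The directory layout, the file contents and the "trojaned" replacement are all constructed for the example; in practice the baseline would be taken from a known-good install and kept off the host, since a rootkit with root access can also edit a baseline stored locally.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_baseline(baseline: dict, root: Path) -> dict:
    """Re-hash the tree and report files whose content changed, appeared or vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict:
    """Constructed scenario (assumed for this example): baseline a fake bin/
    directory, then swap one binary for a same-size replacement with its
    original timestamps restored and drop in a hidden file, the way a rootkit
    install would. Returns the comparison plus two flags showing why size and
    mtime checks alone are not enough."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        ls, ps = root / "bin" / "ls", root / "bin" / "ps"
        ls.write_bytes(b"original ls binary (constructed)")
        ps.write_bytes(b"original ps binary (constructed)")
        baseline = build_baseline(root)

        original_stat = ps.stat()
        # The replacement has exactly the same length as the original.
        ps.write_bytes(b"trojaned ps binary (constructed)")
        # Restore access and modification times so a timestamp check is fooled too.
        os.utime(ps, ns=(original_stat.st_atime_ns, original_stat.st_mtime_ns))
        (root / "bin" / ".hidden").write_bytes(b"attacker tooling (constructed)")

        result = compare_baseline(baseline, root)
        result["size_unchanged"] = ps.stat().st_size == original_stat.st_size
        result["mtime_unchanged"] = ps.stat().st_mtime_ns == original_stat.st_mtime_ns
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The comparison flags bin/ps as modified and bin/.hidden as added even though the replaced file's size and modification time match the baseline; only the content hash exposes the swap. A check like this is one of the inputs an incident response plan relies on when the network sensors have already raised an alert and the question becomes which hosts the intruder actually touched.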

Game over: The intruder takes advantage of his position to steal confidential data, customer credit card information, deface Web pages, and even launch attacks at other sites from your network, causing a potentially expensive and embarrassing situation for your company.
