Security Technologies (6).pdf
Information Assurance and Security 2

SECURITY TECHNOLOGIES

A BRIEF OUTLINE COVERED TODAY
- Intrusion, Detection and Response
- Deploying Honeynets
- Steganography and Steganalysis
- Digital Forensics

INTRUSION, DETECTION & RESPONSE

In securing one's systems, actions must be taken in three areas: prevention, detection, and response. All three are important and necessary.

PREVENTION involves all those actions one must take to attempt to prevent unauthorized access to a system.

DETECTION involves those actions taken to discover failures in prevention (realizing that 100% prevention is never possible).

RESPONSE is generally considered to include recovery measures, but might also include efforts to uncover what has been done to the system in the attack and how it was done.

INTRUSION DETECTION & RESPONSE: TYPES OF INTRUSION

PHYSICAL INTRUSION occurs when an intruder has physical access to a machine (i.e., use of a keyboard or access to the physical system).

TARGET INTRUSION occurs on a particular system (or host machine) and can be initiated by an authorized user with an account, or by an unauthorized user masquerading as an authorized user (e.g., with a stolen password).

RANDOM INTRUSION: a system is attacked simply because a door was left open for access into the system, and that door was discovered by happenstance over the network when intruders were looking for a way into randomly selected potential systems.

DEPLOYING HONEYNETS

HONEYPOT: In computer security terms, a cyber honeypot works like a baited trap for hackers. It's a sacrificial computer system that's intended to attract cyberattacks, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cybercriminals and the way they are operating, or to distract them from other targets.
HONEYPOT: For example, a honeypot could mimic a company's customer billing system, a frequent target of attack for criminals who want to find credit card numbers. Once the hackers are in, they can be tracked, and their behavior assessed for clues on how to make the real network more secure. A honeypot isn't set up to address a specific problem, like a firewall or anti-virus. Instead, it's an information tool that can help you understand existing threats to your business and spot the emergence of new threats. With the intelligence obtained from a honeypot, security efforts can be prioritized and focused.

HONEY TRAP: In the field of cybersecurity, a "honey trap" is a technique that hackers use to entice victims into risky circumstances. Although honey traps can take many forms, they usually entail developing a false identity or online presence to win over an unsuspecting victim.

HONEY FARM: A honey farm is a centralized collection of honeypots and analysis tools.

HOW A HONEYPOT WORKS: DIFFERENT TYPES OF HONEYPOT AND HOW THEY WORK

MALWARE HONEYPOT: mimics software apps and APIs to invite malware attacks. The characteristics of the malware can then be analyzed to develop anti-malware software or to close vulnerabilities in the API.

SPIDER HONEYPOT: is intended to trap web crawlers ('spiders') by creating web pages and links only accessible to crawlers. Detecting crawlers can help you learn how to block malicious bots, as well as ad-network crawlers.

EMAIL TRAPS OR SPAM TRAPS: place a fake email address in a hidden location where only an automated address harvester will be able to find it.

DECOY DATABASE: can be set up to monitor software vulnerabilities and spot attacks exploiting insecure system architecture or using SQL injection, SQL services exploitation, or privilege abuse.

WHAT IS THE DIFFERENCE BETWEEN A HONEYPOT AND A HONEYNET?

HONEYPOT: A honeypot is a single service or computer on a network that is configured to act as a decoy, attracting and trapping would-be attackers.
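As an added example (not code from the slides or from any honeypot project), here is a minimal single-service decoy of the kind just defined, in Python. It presents an emulated SMTP banner, never acts on anything a peer sends, and records every connection as a structured event, because on a decoy every connection is by definition suspect. The banner text, the mx1.example.invalid host name, the fingerprint rules and the probe used in the self-test are all constructed for the demonstration.

```python
import json
import socket
import socketserver
import threading
import time

# Constructed decoy banner; the host name uses a reserved example domain.
FAKE_BANNER = b"220 mx1.example.invalid ESMTP ready\r\n"
MAX_CAPTURE = 512   # bytes of peer input kept per event (a data-capture budget)


def fingerprint(payload: bytes) -> str:
    """Cheap protocol guess so analysts can triage captured probes at a glance."""
    if not payload:
        return "connect-only"
    head = payload[:8].upper()
    if head.startswith(b"SSH-"):
        return "ssh-client-banner"
    if head.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http-request"
    if head.startswith((b"EHLO", b"HELO")):
        return "smtp-greeting"
    return "unknown"


def make_event(peer: tuple, payload: bytes, ts: float) -> dict:
    """Structured record of one interaction. The payload is hex-encoded so the
    log stays safe to view and parse whatever the peer sent."""
    return {
        "ts": ts,
        "peer": "%s:%d" % peer,
        "fingerprint": fingerprint(payload),
        "payload_hex": payload.hex(),
    }


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(FAKE_BANNER)      # look like a real service...
        try:
            data = self.request.recv(MAX_CAPTURE)
        except socket.timeout:
            data = b""
        # ...but act on nothing: record what arrived, then hang up.
        self.server.events.append(make_event(self.client_address, data, time.time()))


class DecoyServer(socketserver.ThreadingTCPServer):
    def __init__(self, addr):
        super().__init__(addr, DecoyHandler)
        self.events = []


def probe_decoy(probe: bytes):
    """Self-test helper: run a decoy on an ephemeral localhost port, send one
    probe to it, and return (banner_seen, captured_events)."""
    server = DecoyServer(("127.0.0.1", 0))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address, timeout=2.0) as c:
            banner = c.recv(1024)
            c.sendall(probe)
            time.sleep(0.2)            # let the handler read before we hang up
    finally:
        server.shutdown()
        server.server_close()          # joins handler threads, so events are final
    return banner, list(server.events)


def to_jsonl(events) -> str:
    """One JSON object per line, the usual shape for shipping to a SIEM."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


if __name__ == "__main__":
    banner, events = probe_decoy(b"GET / HTTP/1.0\r\n\r\n")  # constructed probe
    print(banner.decode().strip())
    print(to_jsonl(events), end="")
```

The decoy deliberately answers with a fixed banner and then only reads: a low-interaction design trades realism for the guarantee that the service itself can never be driven to do anything, which is why the captured bytes are stored hex-encoded rather than interpreted.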
HONEYNET: A honeynet, on the other hand, is a network of honeypots that are used to lure in attackers and study their activities across multiple honeypots.

HONEYPOT: The design of a honeypot depends greatly on the objectives and resources of the implementer. In function, a honeypot can be characterized as either low-interaction or high-interaction. The primary difference between a low-interaction and a high-interaction honeypot is the level (or depth) of interaction that a hacker can have with the target system.

HIGH INTERACTION: High-interaction honeypots provide real operating systems and services with real content with which the attacker can interact. High-interaction honeypots have significantly higher resource, management, and risk factors.

LOW INTERACTION: A low-interaction honeypot is one that uses emulated services and signatures to respond to an attacker's probes. A common low-interaction honeypot is Honeyd.

HONEYNET: A NETWORK OF HONEYPOTS. A honeynet is a collection of high-interaction honeypots designed to capture extensive information on threats. It is a combination of several honeypots to represent a network subnet.

THE DANGER OF HONEYPOTS: A good, properly configured honeypot will deceive attackers into believing that they've gained access to the real system. It will have the same login warning messages, the same data fields, even the same look and feel and logos as your real systems. However, if an attacker manages to identify it as a honeypot, they can then proceed to attack your other systems while leaving the honeypot untouched.

DEPLOYING HONEYNETS: Deploying honeynets is not necessarily a simple proposition. The deployment requires careful consideration of the risks associated with honeynets; after all, you are putting a computer in your network that is designed to be hacked. In a honeynet, all captured activity is assumed to be unauthorized or malicious. When honeynets started to receive attention in 2000, many users raised concerns about the legality of honeynets.
Illegal data capture and entrapment were the concerns of many people.

LEGAL RISK OF DEPLOYMENT

ENTRAPMENT: Entrapment is defined as enticing the other party to commit an act that he/she was not already predisposed to do: the action of tricking someone into committing a crime in order to secure their prosecution ("his style of investigation constitutes entrapment").

WIRETAPPING: The Wiretap Act was enacted to limit the ability of any individual to intercept communications. There are exceptions to the Wiretap Act that current legal opinions are using to support the deployment of honeynets. The exceptions that most directly apply are the "provider protection," the "consent," and the "computer trespasser" exceptions. RA No. 4200 is the wiretap act of the Philippines.

THE PATRIOT ACT allows the government to monitor electronic communication when in conjunction with an ongoing investigation.

PEN TRAP ACT: This statute prohibits the capture of non-content related data like the information contained in the IP-packet headers.

TECHNICAL DETAILS OF DEPLOYMENT

The design and deployment strategy must be planned once the legal and procedural issues have been settled; we stress that this should be the very first step in implementing a honeynet. The strategy must include the technical means to protect your internal network from the honeynet and the means to prevent it from being used as a launching point for network intrusions against others. It must address how you will record, exfiltrate, and analyze the data associated with the activity on your honeynet. The architecture of your honeynet should be designed with a specific and well-articulated purpose.

TWO ISSUES THAT MUST BE ADDRESSED WHEN DEVELOPING AND DEPLOYING A HONEYNET: data control and data capture.

DATA CONTROL is crucially important to the implementation of a honeynet. The key to protecting the rest of your network is to provide a mechanism for catching and mitigating all outbound packets.
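Data control can be illustrated with a small egress gate in Python (an added example, not code from the slides or from any honeynet tool). It replays connection attempts, counts outbound connections per honeypot host and protocol inside a sliding window, drops everything over a configurable limit, and raises an alert on the first outbound attempt in a window, since a decoy that starts calling out is by assumption already under someone else's control. The 10.10.0.0/24 honeynet range, the limit values, and the sample events are constructed; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed defaults: allowed outbound connections per honeypot, per
# protocol, inside one window. Tune these per deployment.
DEFAULT_LIMITS = {"tcp": 20, "udp": 20, "icmp": 50, "other": 10}
DEFAULT_WINDOW = 3600  # seconds


class EgressGate:
    def __init__(self, honeynet_cidr, limits=None, window=DEFAULT_WINDOW):
        self.net = ipaddress.ip_network(honeynet_cidr)
        self.limits = dict(DEFAULT_LIMITS, **(limits or {}))
        self.window = window
        self.seen = defaultdict(deque)   # (src, proto) -> timestamps of allowed conns
        self.alerts = []

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.net

    def decide(self, ts, src, dst, proto):
        """One connection attempt -> 'ignore', 'allow' or 'drop'."""
        if not self._inside(src):
            return "ignore"              # inbound traffic is what a honeynet is for
        if self._inside(dst):
            return "allow"               # honeypot-to-honeypot traffic stays contained
        proto = proto if proto in self.limits else "other"
        q = self.seen[(src, proto)]
        while q and ts - q[0] >= self.window:
            q.popleft()                  # slide the window forward
        if not q:
            # Any outbound attempt means the decoy is no longer ours.
            self.alerts.append(f"t={ts}: outbound {proto} from {src} to {dst}")
        if len(q) >= self.limits[proto]:
            self.alerts.append(f"t={ts}: {proto} limit hit for {src}, dropping {dst}")
            return "drop"
        q.append(ts)
        return "allow"


def run_gate(events, honeynet_cidr="10.10.0.0/24", limits=None, window=DEFAULT_WINDOW):
    """Replay (ts, src, dst, proto) events and return (decisions, alerts)."""
    gate = EgressGate(honeynet_cidr, limits, window)
    return [gate.decide(*e) for e in events], gate.alerts


SAMPLE_EVENTS = [  # constructed
    (0,    "203.0.113.5", "10.10.0.7",    "tcp"),   # outside host reaches the decoy
    (10,   "10.10.0.7",   "198.51.100.9", "tcp"),   # decoy starts calling out
    (20,   "10.10.0.7",   "198.51.100.9", "tcp"),
    (30,   "10.10.0.7",   "198.51.100.9", "tcp"),
    (40,   "10.10.0.7",   "198.51.100.9", "tcp"),   # over a limit of 3
    (50,   "10.10.0.7",   "10.10.0.8",    "tcp"),   # lateral, inside the honeynet
    (4000, "10.10.0.7",   "198.51.100.9", "tcp"),   # window has expired
]

if __name__ == "__main__":
    decisions, alerts = run_gate(SAMPLE_EVENTS, limits={"tcp": 3})
    for e, d in zip(SAMPLE_EVENTS, decisions):
        print(d.ljust(6), e)
    print("\n".join(alerts))
```

Letting a few outbound connections through rather than none is a deliberate trade: the intruder keeps believing the box is real long enough to be observed, while the cap keeps it from becoming a useful launch point. Whether the gate sits on a bridging host or a router, it must see every packet leaving the honeynet, not just the ones it expects.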
DATA CAPTURE: The honeynet won't help you if you don't record the data and set alerts. In addition to capturing traffic for event notification, the data can also be utilized for forensic investigation to understand more about the attack. Any system on the honeynet may serve as a point of entry for attackers. The honeynet gathers intelligence on the attackers and diverts them from the real network. The advantage of a honeynet over a simple honeypot is that it feels more like a real network and has a larger catchment area.

STEGANOGRAPHY & STEGANALYSIS

HISTORY OF STEGANOGRAPHY: The word steganography is derived from the Greek words steganos (meaning hidden or covered) and the Greek root graph (meaning to write). The term was first used in the 14th century by the German mathematician Johannes Trithemius (1606) as the title for his book Steganographia.

EARLIER: The actual hiding of information is much older. In ancient Greece, messages might be tattooed on slaves' shaved heads, and their hair would be allowed to grow back before they were sent out as messengers. A more benign form of information hiding was inscribing messages on the wooden base of wax tablets, rather than on the surface of the wax itself.

TODAY: Modern steganography is almost entirely digitized and computerized. Modern technology and connectivity have put steganographic capabilities within the reach of the average person with a computer and an Internet connection. In today's fast-paced, high-tech society, people who want to send hidden messages have very efficient methods of getting a message to its destination, using computerized tools that encode a message in a graphic, sound, or other type of file.

EXAMPLE: One modern technique to hide data using steganography is called least significant bit (LSB) insertion. The LSB approach alters the last bit in each byte. While one might think that this would significantly alter the colors in an image file, it does not.
In fact, the change is indiscernible to the human eye.

RELATIONSHIP TO CRYPTOGRAPHY: Cryptography is concerned with creating electronic artifacts (typically data files) that are encoded and cannot be interpreted by an intercepting party. As such, an encrypted message often appears to be random or unintelligible. However, the goal of sending steganographically hidden messages is to appear normal: the artifact might appear to be "normal."

DIFFERENCE BETWEEN CRYPTOGRAPHY AND STEGANOGRAPHY: One difference between the two is their goals. The ultimate goal of cryptography is hiding and protecting the content of information, whereas steganography hides the presence of information itself. Another difference is the mode of transmission. Cryptographic messages can be transported by themselves. In steganography, to hide information, the secret content has to be hidden in a cover message.

STEGANOGRAPHY VS STEGANALYSIS (EXAMPLE): Steganography refers to the technique of hiding secret messages in media such as text, audio, image, and video without arousing any suspicion, while steganalysis is the art and science of detecting the presence of steganography.

STEGANOGRAPHY TOOLS: There are several steganography tools that are publicly available, many of which are available over the Web at no cost. An easy-to-use but effective steganography tool is SpamMimic. SpamMimic can be used by anyone with access to the Web without even downloading any software. To disguise a message, one can visit http://spammimic.com/ and type a message. The website will then create a message that looks like spam but actually contains the covert message.

COMPUTER FORENSICS: the scientific bridge between law and computer science that allows digital evidence to be collected in a legally sound manner.

DIGITAL FORENSICS: Digital forensics is a branch of forensic science that focuses on identifying, acquiring, processing, analysing, and reporting on data stored electronically.
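The LSB insertion example and the steganography-versus-steganalysis slide above can be tied together in one piece of code (an added example, not from the deck or any steganography tool). It embeds a message one bit per pixel with a 32-bit length header, extracts it again, confirms no pixel moved by more than one level, and then runs the pairs-of-values chi-square check a steganalyst would use: LSB embedding pushes the counts of each (2k, 2k+1) value pair toward equality, so windows that carry a payload score lower than untouched ones, with no knowledge of the message. The cover is a constructed 8-bit grayscale ramp held as a bytes object so the demo needs no imaging library; raw pixel bytes from a real image would be fed in the same way, and the message text is also constructed.

```python
import struct


def lsb_embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the least significant bits of `cover`, one bit per
    pixel, prefixed by a 32-bit big-endian length so extraction knows where
    to stop."""
    payload = struct.pack(">I", len(message)) + message
    if len(payload) * 8 > len(cover):
        raise ValueError("message too long for this cover")
    out = bytearray(cover)
    for i, byte in enumerate(payload):
        for b in range(8):
            bit = (byte >> (7 - b)) & 1
            idx = i * 8 + b
            out[idx] = (out[idx] & 0xFE) | bit   # only the last bit changes
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    """Reverse of lsb_embed: read the length header, then that many bytes."""
    def read_bytes(start_pixel, n):
        buf = bytearray()
        for i in range(n):
            value = 0
            for b in range(8):
                value = (value << 1) | (stego[start_pixel + i * 8 + b] & 1)
            buf.append(value)
        return bytes(buf)
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    return read_bytes(32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    return max(abs(a - b) for a, b in zip(cover, stego))


def pov_chi_square(pixels: bytes, window: int = 256):
    """Pairs-of-values statistic per window of pixels. In an untouched image
    the two values of a pair (2k, 2k+1) usually have quite different counts;
    sequential LSB embedding equalises them, so a low score marks a window
    that probably carries hidden bits."""
    stats = []
    for start in range(0, len(pixels) - window + 1, window):
        counts = [0] * 256
        for p in pixels[start:start + window]:
            counts[p] += 1
        chi = 0.0
        for k in range(128):
            even, odd = counts[2 * k], counts[2 * k + 1]
            expected = (even + odd) / 2
            if expected:
                chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        stats.append(chi)
    return stats


def make_cover(n: int = 4096) -> bytes:
    # Constructed smooth ramp using only even values: an extreme version of
    # the pair imbalance that real photographs show.
    return bytes(((i // 4) % 128) * 2 for i in range(n))


def demo():
    cover = make_cover()
    message = b"The cover file looks untouched to the eye."  # constructed
    stego = lsb_embed(cover, message)
    return {
        "recovered": lsb_extract(stego),
        "max_change": max_pixel_change(cover, stego),
        "chi_cover": pov_chi_square(cover),
        "chi_stego": pov_chi_square(stego),
    }


if __name__ == "__main__":
    r = demo()
    print(r["recovered"], "max pixel change:", r["max_change"])
    print("chi per window, cover:", r["chi_cover"])
    print("chi per window, stego:", r["chi_stego"])
```

The payload occupies only the first few windows of pixels, so the statistic for those windows drops while the later ones keep the cover's value; that boundary is how the sequential-embedding attack also estimates how much was hidden. Encrypting the message before embedding makes the hidden bits look random, which hides the content but makes the pair-equalising effect, and therefore this detector's signal, stronger rather than weaker.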
DIGITAL FORENSICS: Digital forensics is dependent on the integrity, dependability, and admissibility of digital evidence in judicial proceedings. Cybercrimes involve any unauthorized and unlawful cyber activities. They may range from a simple denial-of-service (DoS) attack to unauthorized use or access of systems. The installation of intrusion detection systems, firewalls, or proxy services may be insufficient to prevent these activities. To successfully discover and prosecute cybercrimes, computer forensic knowledge and skills are essential.

PREREQUISITES OF A COMPUTER FORENSIC EXAMINER

FORENSIC SKILLS: The foremost common forensic skill is the scientific method, which ensures that the examiner is merely a finder of facts.

FORENSIC TECHNIQUES AND TOOLS: The expert must be supported by forensically sound skills, tools, and methods.

MEDIA AND FILE SYSTEM FORENSICS: Successful forensic analysis requires a thorough knowledge of file types and digital media used to store data, and of the file structures used on those devices.

BE INSPIRED
"Imagination is more important than knowledge." ALBERT EINSTEIN
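To close with a worked illustration of the integrity and admissibility requirement from the digital forensics slides, here is an added Python example (not from the deck or any forensic suite) of the acquire-hash-verify cycle together with a tamper-evident chain-of-custody log. Admissibility rests on showing that the data examined is exactly the data collected: the image is hashed at acquisition, re-verified before analysis, and every handling step is logged in an entry that commits to the previous entry's hash, so an altered or deleted log line is detectable. The case number, examiner names and the tiny "disk image" bytes are constructed; in real work the copy step is a write-blocked bit-for-bit acquisition.

```python
import hashlib
import json
import time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody log; each entry's hash covers the previous hash."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, detail, ts=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "ts": ts if ts is not None else time.time(),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def is_intact(self) -> bool:
        """Recompute every link; any edited, reordered or removed entry fails."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(source: bytes, case_id: str, examiner: str, log: CustodyLog):
    """Image the source, hash the image, log the acquisition."""
    image = bytes(source)  # stands in for a write-blocked bit-for-bit copy
    digest = sha256_hex(image)
    log.record(examiner, "acquire",
               {"case": case_id, "sha256": digest, "size": len(image)})
    return image, digest


def verify(image: bytes, expected_digest: str, examiner: str, log: CustodyLog) -> bool:
    """Re-hash before any analysis step and log the outcome either way."""
    ok = sha256_hex(image) == expected_digest
    log.record(examiner, "verify", {"result": "match" if ok else "MISMATCH"})
    return ok


def demo():
    # Constructed "disk image": a boot-sector-like header plus filler.
    source = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 1000 + b"evidence.txt"
    log = CustodyLog()
    image, digest = acquire(source, "CASE-0001", "examiner-a", log)
    first_check = verify(image, digest, "examiner-b", log)
    tampered = bytearray(image)
    tampered[500] ^= 0x01                       # a single flipped bit
    second_check = verify(bytes(tampered), digest, "examiner-b", log)
    return first_check, second_check, log


if __name__ == "__main__":
    first, second, log = demo()
    print("original verifies:", first, "| tampered verifies:", second)
    print("custody log intact:", log.is_intact())
    for e in log.entries:
        print(e["action"], e["detail"])
```

Recording the failed verification is as important as recording the successful one: a log that only ever shows matches tells a court nothing about what the examiner would have done when the hashes disagreed.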