Security Technologies (6).pdf

Full Transcript

Information Assurnce and Security2
TECHNOLOGIES
SECURITY
 A BRIEF OUTLINE

Intrusion,Dectection and
COVERED Response
TODAY Deploying Honeynets
Steganography and
Steganalysis
Digital Forensics
INTRUSION,
DETECTION &
RESPONSE
In securing one’s systems,
actions must be taken in three
areas — prevention, detection,
and response. All three are
important and necessary.
DETECTION

detection
PREVENTION
involves those RESPONSE
actions taken to
prevention
discover failures Response is generally
involves all those
in prevention considered to include recovery
(realizing that actions one must
measures, but might also
100% prevention take to attempt to include efforts to uncover what
is never prevent has been done to the system in
possible); unauthorized the attack and how it was done.
access to a system
INTRUSION
DETECTION
&
RESPONSE
Types of Intrusion

PHYSICAL TARGET RANDOM
INTRUSION INTRUSION INTRUSION
PHYSICAL

occurs when an
TARGET RANDOM
intruder has
occurs on a a system is attacked simply due
physical access
particular system (or to the fact that a door was left
to a machine
host machine) and can open for access into the system
(i.e., use of a
and that door was discovered by
keyboard or be initiated by an
access to the happenstance over the network
authorized user with
physical system) when intruders were looking for
an account, an
access into randomly selected
unauthorized user
potential systems.
masquerading as an
authorized user
(e.g., with a stolen
password)
DEPLOYING
HONEYNETS
HONEYPOT

In computer security terms, a cyber
honeypot works in a similar way, baiting
a trap for hackers. It's a sacrificial
computer system that’s intended to
attract cyberattacks, like a decoy. It
mimics a target for hackers, and uses
their intrusion attempts to gain
information about cybercriminals and the
way they are operating or to distract
them from other targets.
HONEYPOT
For example, a honeypot could mimic a company's customer
billing system - a frequent target of attack for criminals
who want to find credit card numbers. Once the hackers are
in, they can be tracked, and their behavior assessed for
clues on how to make the real network more secure.

A honeypot isn't set up to address a specific problem, like
a firewall or anti-virus. Instead, it's an information tool
that can help you understand existing threats to your
business and spot the emergence of new threats. With the
intelligence obtained from a honeypot, security efforts can
be prioritized and focused.
HONEY TRAP
In the field of cybersecurity, a "honey trap" is a
technique that hackers use to entice victims into risky
circumstances. Although honey traps can take many forms,
they usually entail developing a false identity or online
presence to win over an unsuspecting victim.

HONEY FARM
honey farm is a centralized collection of honeypots and
analysis tools
HOW
HONEYPOT
WORKS
 DIFFERENT TYPES OF HONEYPOT AND
HOW THEY WORK
MALWARE
EMAIL TRAPS HONEYPOT
OR SPAM DECOY
mimics software
SPIDER
TRAPS DATABASE
apps and APIs to HONEYPOT
place a fake can be set up to invite malware
is intended to trap
email address in monitor software attacks. The
webcrawlers
a hidden location vulnerabilities characteristics
('spiders') by
where only an and spot attacks of the malware
creating web pages
automated address exploiting can then be
and links only
harvester will be insecure system analyzed to
accessible to
able to find it. architecture or develop anti-
crawlers. Detecting
using SQL malware software
crawlers can help you
injection, SQL or to close
learn how to block
services vulnerabilities
malicious bots, as
exploitation, or in the API
well as ad-network
privilege abuse. crawlers.
WHAT IS THE DIFFERENCE BETWEEN A HONEYPOT
AND A HONEYNET?

HONEYPOT
A honeypot is a single service or computer on a network,
that is configured to act as a decoy, attracting and
trapping would-be attackers.

HONEYNET
A honeynet on the other hand is a network of honeypots that
are used to lure in attackers and study their activities
across multiple honeypots.
HONEYPOT

Honeypot depends greatly on the
objectives and resources of the
implementer.
In function, a honeypot can be
characterized as either low-interaction
or
high-interaction

The primary difference between a low-
interaction and high-interaction
honeypot is the level (or depth) of
interaction that a hacker can have with
the target system.
HIGH
INTERACTION

high-interaction
honeypots provide
real
operating systems and
services with real
content with which
attacker can
interact.
high-interaction
honeypots have
significantly higher
resource, management,
and risk factors.
LOW INTERACTION

A common low-
interaction honeypot
is Honeyd.
A lowinteraction
honeypot is one that
uses emulated services
and signatures to
respond to an
attacker’s probes.
Honeynet: A Network of
Honeypots
Honeynet is a collection of high-interaction honeypots
designed to capture extensive information on threats.
It is a combination of several honeypots to represent a
network subnet.
THE DANGER OF HONEYPOTS

A good, properly configured honeypot
will deceive attackers into believing
that they've gained access to the real
system. It will have the same login
warning messages, the same data fields,
even the same look and feel and logos as
your real systems. However, if an
attacker manages to identify it as a
honeypot, they can then proceed to
attack your other systems while leaving
the honeypot untouched.
DEPLOYING HONEYNETS

Deploying honeynets is not necessarily a
simple proposition. The deployment
requires careful consideration of the
risks associated with honeynets — after
all, you are putting a computer in your
network that is designed to be hacked.

In a honeynet, all captured activity is assumed to be
unauthorized or malicious. uWhen Honeynets starts to
receive attention in 2000, many users raised concerns
about their legality of the honeynets. Illegal data
capture and entrapment were the concerns of many people.
 ENTRAPMENT

Entrapment is defined as enticing the other party to commit
an act that he/she was not already predisposed to do.
-the action of tricking someone into committing a crime
in order to secure their prosecution.
LEGAL RISK OF
"his style of investigation constitutes entrapment"
DEPLOYMENT

WIRETAPPING

The Wiretap Act was enacted to limit the ability for any
individual to intercept communications. There are exceptions
to the Wiretap Act that current legal opinions are using to
support the deployment of honeynets. The exceptions that
most directly apply are the “provider protection,” the
“consent,” and the “computer trespasser” exceptions.
RA No. 4200 is the wiretap act of the Philippines.
 THE PATRIOT ACT

allows the government to monitor electronic
communication when in conjunction with an ongoing
LEGAL RISK OF
investigation

PEN TRAP ACT
DEPLOYMENT

This statute prohibits the capture of non-content related
data like the information contained in the IP-packet
headers.
TECHNICAL DETAILS OF DEPLOYMENT

The design and deployment strategy must be
planned once the legal and procedural issues
have been settled—we stress that this should be
the very first step in implementing a honey
net.

include the technical means to protect your internal
network from the honey net and the means to prevent it
from being used as a launching point for network
intrusions against others.
must address how you will record, exfiltrate, and
analyze the data associated with the activity on your
honey net.
the architecture of your honey net should be designed
with a specific and well-articulated purpose.
TWO ISSUES THAT MUST BE ADDRESSED WHEN
DEVELOPING AND DEPLOYING A HONEY NET

data control
data capture
Data control - is crucially important to the
implementation of a honey net. The key to protecting the
rest of your network is to provide a mechanism for
catching and mitigating all outbound packets.

Data Capture - The honey net won't help you if you don't
record the data and set alerts. The data can also be
utilized for forensic investigation to understand more
about the attack in addition to capturing traffic for
event notification.
Any system on the
honeynet may serve
as a point of entry
for attackers. The
honeynet gathers
intelligence on the
attackers and
diverts them from
the real network.
The advantage of a
honeynet over a
simple honeypot is
that it feels more
like a real network,
and has a larger
catchment area.
STEGANOGRAPHY & STEGANALYSIS
HISTORY OF STEGANOGRAPHY

The word steganography is derived from
the Greek words steganos (meaning hidden
or covered) and the Greek root graph
(meaning to write).

The term was first used in the 14th
century by the German mathematician
Johannes Trithemius (1606) as the title
for his book Steganographia.
EARLIER

The actual hiding of information is much
older. In ancient Greece, messages might
be tattooed on slaves’ shaved heads and
then their hair would be allowed to grow
back before they were sent out as
messengers

A more benign form of information hiding
was inscribing messages on the wooden
base of wax tablets, rather than on the
surface of the wax itself
TODAY

Modern steganography are almost all
digitized and computerized. With this,
modern technology and connectivity have
put steganographic capabilities within
the reach of the average person with a
computer and an Internet connection.

In today’s fast-paced, high-tech
society, people who want to send hidden
messages have very efficient methods of
getting a message to its destination
with the use of computerized tools that
encode a message in a graphic, sound, or
other type of file.
 EXAMPLE

One modern technique to hide
data using steganography is
called least significant bit
(LSB) insertion. The LSB
approach allows the last bit in
a byte to be altered. While one
might think that this would
significantly alter the colors
in an image file, it does not.
In fact, the change is
indiscernible to the human eye.
 Cryptography is concerned with
RELATIONSHIP creating electronic artifacts
TO (typically data files) that are
encoded and cannot be
CRYPTOGRAPHY interpreted by an intercepting
party. As such, an encrypted
message often appears to be
random or unintelligible.
However, the goal of sending
steganographically hidden
messages is to appear normal —
the artifact might appear to be
“normal.”
 One difference between the two is
their goals. The ultimate goal of
cryptography is hiding and
DIFFERENCE OF protecting the content of
information, whereas steganography
CRYPTOGRAPHY AND
hides the presence of information
STEGANOGRAPHY itself.

Another difference is the mode of
transmission. Cryptographic messages
can be transported by themselves. In
steganography, to hide information,
the secret content has to be hidden
in a cover message
 EXAMPLE

Steganography refers to the
STEGANOGRAPHY VS technique of hiding secret
STEGANALYSIS messages into media such as text,
audio, image and video without
any suspicion.

While steganalysis is the art and
science of detection of the
presence of steganography.
STEGANOGRAPHY TOOLS

There are several steganography tools that are publicly available,
many of which are available over the Web at no cost.

An easy-to-use but effective steganography tool is SpamMimic.
SpamMimic can be used by anyone with access to the Web without
even downloading any software. To disguise a message, one can
visit http://spammimic.com/ and type a message. The website will
then create a message that looks like spam, but actually contains
the covert message.
COMPUTER FORENSICS

the scientific bridge between law and
computer science that
allows digital evidence to be collected in a
legally sound manner.
DIGITAL
FORENSIC
Digital forensics is
a branch of forensic
science that focuses
on identifying,
acquiring,
processing,
analysing, and
reporting on data
stored
electronically.
DIGITAL
FORENSIC
Digital forensics is
dependent on the
integrity,
dependability, and
admissibility of
digital evidence in
judicial
proceedings.
Cybercrimes involve any unauthorized and unlawful
cyber activities. They may range from
a simple denial-of-service (DOS) attack to
unauthorized use or access of systems.

The installation of intrusion detection systems,
firewalls, or proxy services may be insufficient to
prevent these activities. To successfully discover and
prosecute cybercrimes, computer
forensic knowledge and skills are essential.
 FORENSIC SKILLS

PREREQUISITES OF A The foremost common forensic
skill is the scientific method in which it
COMPUTER
ensures that the examiner is merely a finder of
FORENSIC EXAMINER
facts.

FORENSIC TECHNIQUES AND TOOLS
the expert must by supported by
forensically sound skills, tools, and methods.

MEDIA AND FILE SYSTEM FORENSICS
Successful forensic analysis requires a thorough
knowledge of file types and digital media
used to store data and the file structures
used on those devices.
BE INSPIRED

Imagination is more
important than
knowledge.

ALBERT EINSTEIN