Practical Intrusion Analysis

Academic year: 2021


Practical Intrusion Analysis

Prevention and Detection for the Twenty-First Century

Ryan Trost

Addison-Wesley

Upper Saddle River, NJ • Boston • Indianapolis • San Francisco • New York • Toronto • Montreal • London • Munich • Paris • Madrid


Contents

Preface xv

Chapter 1 Network Overview
  Key Terms and Concepts
  Brief History of the Internet
  Layered Protocols
  TCP/IP Protocol Suite
  Internet Protocol Addressing
  IP Addresses
  IPv6
  Summary

Chapter 2 Infrastructure Monitoring
  Network-Analysis Tools
  Packet Sniffing
  Accessing Packets on the Network
  SPANs (Port Mirroring)
  Network Taps
  To Tap or to SPAN
  Defense-in-Depth
  Summary

Page numbers for the Chapter 1 and Chapter 2 entries, in order as extracted: 1 2 2 3 10 14 21 22 27 29 31 32 35 40 40 43 48 50 51


Chapter 3 Intrusion Detection Systems 53
  IDS Groundwork 54
  From the Wire Up 55
  DoS Attacks 55
  IP Fragmentation 57
  TCP Stream Issues 58
  Target-Based Reassembly 59
  Two Detection Philosophies: Signature and Anomaly Based 60
  Snort: Signature-Based IDS 61
  Two Signature Writing Techniques 67
  Bro: An Anomaly-Based IDS 74
  Similarities Between the Systems 82
  Summary 85

Chapter 4 Lifecycle of a Vulnerability 87
  A Vulnerability Is Born 87
  FlashGet Vulnerability 88
  Collecting a Sample Packet Capture 90
  Packet Analysis and Signature-Writing 95
  Signature Tuning 100
  Detection Tuning 100
  Performance Tuning 101
  Advanced Examples 104
  CitectSCADA ODBC Server Buffer Overflow: Metasploit 104
  FastStone Image Viewer Bitmap Parsing 109
  Libspf2 DNS TXT Record Size Mismatch 114
  Summary 117

Chapter 5 Proactive Intrusion Prevention and Response via Attack Graphs 119
  Topological Vulnerability Analysis (TVA) 121
  Overview of Approach 121
  Illustrative Example 122
  Limitations 125
  Attack Modeling and Simulation 126
  Network Attack Modeling 126
  Attack Simulation 130
  Optimal Network Protection 134
  Vulnerability Mitigation 135
  Attack Graph Visualization 137
  Security Metrics 139


  Intrusion Detection and Response 141
  Intrusion Detection Guidance 141
  Attack Prediction and Response 144
  Summary 147
  Acknowledgments 147
  Endnotes 148

Chapter 6 Network Flows and Anomaly Detection 151
  IP Data Flows 152
  NetFlow Operational Theory 153
  A Matter of Duplex 155
  Cisco IOS NetFlow and Flexible NetFlow 156
  sFlow: More Data, But Less Frequency 159
  Internet Protocol Flow Information Export (IPFIX) 161
  It's a Virtual World 162
  Endless Streams of Data 164
  Behavioral Analysis and Anomaly Detection 167
  Compare and Contrast 172
  IDS and NetFlow 172
  Signature Updates 173
  IDS System Resources 174
  Syslog and NetFlow 178
  Technology Matrix 180
  Summary 182
  Endnotes 183

Chapter 7 Web Application Firewalls 185
  Web Threat Overview 186
  Why a WAF? 189
  WAF Protection Models 191
  Positive Security Model 191
  Negative Security Model 192
  Virtual Patching Model 193
  Output Detection Model/Content Scrubbing 194
  WAF Policy Models 195
  Learning 195
  Vulnerability Assessment Feedback 195
  Manual Entry 195


  ModSecurity 196
  ModSecurity Rule Sets 196
  VA+WAF 201
  VA+WAF Example: WhiteHat Security and F5 Networks 201
  WAFs and PCI Compliance 203
  WAF Realities 203
  IDS/IPS != WAF 204
  False Positives 205
  Misconfigured WAFs 205
  WAFs Do Not Fix Bad Logic 205
  WAFs != Bad Code Patch 206
  Summary 206
  References 207

Chapter 8 Wireless IDS/IPS 209
  Why a Wireless IDS? 209
  Wireless Intrusion Detection/Prevention Realities 212
  Types of Wireless IDSs/IPSs 213
  Overlay 213
  Combined AP/WIDS 214
  Combined AP/WIDS/Access Controller 215
  Wireless IDS Events 215
  Unauthorized Activity 216
  Active Recon/Cracking 217
  DoS Attacks 221
  Intrusion Prevention Techniques 224
  Limitations 224
  Isolation 225
  WEP Cloaking (WEP Chaffing) 228
  Location Detection 229
  Honeypot 231
  Other Wireless Threats 233
  Legacy Wireless Technology 233
  Bluetooth 233
  Sniffers 233
  Summary 234
  Endnote 234


Chapter 9 Physical Intrusion Detection for IT 235
  Origins of Physical Security 236
  Assumed, Yet Overlooked 236
  A Parallel Universe to IT Security 239
  Physical Security Background 241
  Common Physical Access Control Components 243
  This Is Not Your Father's CCTV 255
  Old Habits Die Hard 259
  Convergence of Physical and Logical Security 260
  How Convergence Works 261
  HSPD-12: Convergence Trial by Fire 265
  A Look at Some Vendor Offerings 266
  Intrusion Detection Examples in a Converged Environment 270
  Summary 274
  Endnotes 274

Chapter 10 Geospatial Intrusion Detection 275
  Current Uses of Geocoding 278
  Introduction to Geographic Information Systems 279
  GIS Basic Functions 282
  Framework for Cooperation 282
  Map Projection 283
  Raster Versus Vector 285
  Vector Data Model 287
  Spatial Point Pattern Analysis 288
  Classes of Spatial Analysis 289
  Point Intensity 290
  Point Process Statistics 290
  Dynamics of a Professional Attack 293
  Cornerstone Theory 295
  Example of Attack Steps and Methods 296
  Geocoding Techniques 299
  Geocoding Limitations 315
  Accuracy 316
  GeoLocation Intelligence Vendors 317


  Case Study of Geographic Intrusion Detection 320
  Case Outline 322
  Breakdown of the Steps 322
  Summary 344
  Endnotes 345
  References 346

Chapter 11 Visual Data Communications 347
  Introduction to Visualization 348
  Developing a Visualization Strategy 355
  User Audiences 356
  Statistical Graphing Techniques 361
  Technological Considerations 365
  Scalability 365
  Installation and Support 366
  Data Management 368
  Security Event Visualization 370
  Example Graphs 371
  Starlight Visual Information System 378
  ETRI: VisNet and VisMon 381
  Use-Case: Security Audit 385
  Summary 387
  Terminology 388
  Endnotes 390
  Reference 390

Chapter 12 Return on Investment: Business Justification 391
  Not If, But When 393
  Compliance Plays a Role 394
  CoBIT Framework 394
  ISO 27001/27002 Frameworks 395
  ITIL Framework 396
  Health Insurance Portability and Accountability Act of 1996 (HIPAA) 397
  Payment Card Industry Data Security Standard (PCI-DSS) 398
  Federal Information Security Management Act of 2002 (FISMA)/National Institute of Standards and Technology 399
  Security Breaches 400
  Breach Costs 401
  Security Investment Within the Organization 402


  Data Breaches and the Law
  ROI as a Unifying Benchmark
  Cost Breakdown
  Cost-Benefit Analysis: Building an Economic Model
  Gain from Investment
  Cost of Investment
  Return on Investment
  Net Present Value
  Internal Rate of Return
  ROI Versus NPV Versus IRR
  Security Investment: Should Security Operations Be Outsourced?
  Benefits of MSSPs
  Downfalls of MSSPs
  The Financial Aspect of an MSSP
  Cyber Liability Insurance (CLI)
  CLI Coverage Types
  Privacy Liability Insurance
  Network Security Liability Insurance
  Property Loss Insurance
  Loss of Revenue Insurance
  Cyber Extortion Insurance
  Notification Costs Insurance
  Regulatory Defense Insurance
  Media Liability Insurance
  CLI Underwriting Process
  Summary
  Endnotes

Appendix Bro Installation Guide
  Compiling and Building
  Options
  Operations
  Use
  References

Page numbers for the entries from "Data Breaches and the Law" through the Appendix, in order as extracted: 402 404 405 408 409 413 414 414 416 417 418 418 419 422 426 428 429 429 429 429 430 430 430 430 431 432 434 435 437 438 440

Index 441
