Monitoring
Monitoring covers much wider ground than just periodic or constant inspection of audit logs. Monitoring includes the following activities:
Penetration testing
Intrusion detection
Violation processing
Keystroke monitoring
Traffic and trend analysis
Facilities monitoring
The following sections give the skinny on each monitoring activity.
Penetration testing
Penetration testing techniques include
Port scanning: A port scanner is a tool that communicates over the network with one or more target systems on various Transmission Control Protocol/Internet Protocol (TCP/IP) ports. A port scan can discover the presence of ports that you should probably deactivate (because they serve no useful or necessary purpose on a particular system) or upgrade/patch (because of a software vulnerability that could lead to a break-in). Some examples of port-scanning tools include Nessus, SATAN, and Nmap.
Vulnerability scanning: Similar to port scanning, vulnerability scanning is a means of identifying exploitable vulnerabilities in a system. You most often use such vulnerability-scanning tools to ensure that web-based applications, operating systems, and databases don’t have any vulnerabilities that might permit an attacker to compromise a system or database.
Packet sniffing: A packet sniffer is a tool that captures all TCP/IP packets on a network, not just those being sent to the system or device doing the sniffing. An Ethernet network is a shared-media network (see Chapter 5), which means that any or all devices on the local area network (LAN) can (theoretically) view all packets. However, switched-media LANs are more prevalent today and sniffers on switched-media LANs generally pick up only packets intended for the device running the sniffer.
A network adapter that operates in promiscuous mode accepts all packets, not just the packets destined for the system, and sends them to the operating system.
War dialing: Hackers use war dialing to sequentially dial all phone numbers in a range to discover any active modems. The hacker then attempts to compromise any connected systems or networks via the modem connection.
War driving: War driving is the 21st-century version of war dialing: Someone uses a laptop computer equipped with a wireless LAN card and literally drives around a densely populated area, looking to discover unprotected (or poorly protected) wireless LANs.
Radiation monitoring: Radio frequency (RF) emanations describe the electromagnetic radiation emitted by computers and network devices. Radiation monitoring is similar to packet sniffing and war driving in that someone uses sophisticated equipment to try to determine what data is being displayed on monitors, transmitted on LANs, or processed in computers.
Dumpster diving: Dumpster diving is low-tech penetration testing at its best (or worst), and is exactly what it sounds like. Dumpster diving can sometimes be an extraordinarily fruitful way to obtain information about an organization. Organizations in highly competitive environments also need to be concerned about where their recycled paper goes.
Eavesdropping: Eavesdropping is as low-tech as dumpster diving, but a little less (physically) dirty. Basically an eavesdropper takes advantage of one or more persons who are talking or using a computer — and paying little attention to whether someone else is listening to their conversations or watching them work with discreet over-the-shoulder glances. (The technical term for the latter is shoulder surfing.)
Social engineering: If eavesdropping is passive, then social engineering is the active way of getting information from workers. It involves such low-tech tactics as an attacker pretending to be a support technician, then calling an employee and asking for their password. You’d think most people would be smart enough not to fall for this, but people are people (and Soylent Green is people)! We cover this topic in more detail in Chapter 7.
Intrusion detection and prevention
Intrusion detection is the technique used to detect unauthorized activity on a network. An intrusion detection system is frequently called an IDS. The two types of IDSs used today are
Network-based intrusion detection (NIDS): Consists of a separate device attached to a LAN that listens to all network traffic by using various methods (which we describe later in this section) to detect anomalous activity.
Host-based intrusion detection (HIDS): This is really a subset of network-based IDS, in which only the network traffic destined for a particular host is monitored.
Both network- and host-based IDSs use a couple of methods:
Signature-based: A signature-based IDS compares network traffic that is observed with a list of patterns in a signature file. A signature-based IDS detects any of a known set of attacks, but if an intruder is able to change the patterns that he uses in his attack, then his attack may be able to slip by the IDS without being detected. The other downside of signature-based IDS is that the signature file must be periodically updated.
Anomaly-based: An anomaly-based IDS monitors all the traffic over the network and builds traffic profiles. Over time, the IDS will report deviations from the profiles that it has built. The upside of anomaly-based IDSs is that there are no signature files to periodically update. The downside is that you may have a high volume of false-positives. Behavior-based and heuristics-based IDSs are similar to anomaly-based IDSs and share many of the same advantages. Rather than detecting anomalies to normal traffic patterns, behavior-based and heuristics-based systems attempt to recognize and learn potential attack patterns.
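To make the difference between the two methods concrete, here is an added example (not from the book) that runs a tiny signature-based check and a tiny anomaly-based check over the same constructed flow records. The flow records, the signature list, and the baseline traffic profile are all made up for the illustration.

```python
import statistics

# Constructed flow records: (source IP, destination port, bytes, payload excerpt).
FLOWS = [
    ("10.0.0.5", 80, 1200, "GET /index.html"),
    ("10.0.0.5", 80, 1350, "GET /about.html"),
    ("10.0.0.7", 443, 900, ""),
    ("10.0.0.9", 80, 1100, "GET /admin/../../etc/passwd"),  # known bad pattern, normal size
    ("10.0.0.5", 80, 1250, "GET /news.html"),
    ("10.0.0.12", 80, 48000, "GET /index.html"),             # legitimate but unusually large
]

# Constructed signature file: name -> pattern that must appear in the payload.
SIGNATURES = {
    "directory-traversal": "../",
    "sqli-probe": "' OR 1=1",
}

# Constructed byte counts from earlier, trusted traffic; this is the "profile"
# an anomaly-based IDS builds over time.
BASELINE = [1100, 1200, 1250, 1300, 1350, 900, 1000, 1150]


def signature_alerts(flows, signatures=SIGNATURES):
    """Signature-based: flag every flow whose payload contains a known pattern.
    Catches only what is in the signature file; misses anything not listed."""
    alerts = []
    for src, _port, _size, payload in flows:
        for name, pattern in signatures.items():
            if pattern in payload:
                alerts.append((src, name))
    return alerts


def anomaly_alerts(flows, baseline=BASELINE, k=3.0):
    """Anomaly-based: flag flows whose byte count lies more than k standard
    deviations above the baseline mean. No signature file to update, but a
    large legitimate download is reported too (a false positive)."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline)
    threshold = mean + k * stdev
    return [(src, size) for src, _port, size, _payload in flows if size > threshold]


if __name__ == "__main__":
    print("signature:", signature_alerts(FLOWS))
    print("anomaly:  ", anomaly_alerts(FLOWS))
```

Each method catches exactly one of the two suspicious flows: the traversal attempt is normal in size and is invisible to the anomaly check, while the oversized download matches no signature and is reported only by the anomaly check.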
Intrusion detection doesn’t stop intruders, but intrusion prevention does . . . or, at least, it slows them down. Intrusion prevention systems (IPSs) are newer and more common systems than IDSs, and IPSs are designed to detect and block intrusions. An intrusion prevention system is simply an IDS that can take action, such as dropping a connection or blocking a port, when an intrusion is detected.
Violation analysis
Violation analysis is the science of examining activity and audit logs to discover inappropriate activities. Violation analysis uses clipping levels, which are the thresholds that differentiate violations from non-events.
For example, users on a particular system sometimes type in their passwords incorrectly, so a few errors are allowed. But wisely, you set a clipping level of four failed login attempts per hour. Whenever a user has fewer than four failed attempts, everything’s cool. But when the clipping level is exceeded, then a violation has occurred. In this example, the violation may indicate that someone is trying to break into the system by guessing passwords.
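The clipping-level check from the example above, written out as an added script that is not from the book. It reads constructed syslog-style login lines, counts failed attempts per user in a sliding one-hour window, and reports a violation when the count reaches the clipping level of four (the reading that matches "fewer than four is cool").

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a syslog-like format; not taken from any real system.
LOG_LINES = """\
2024-03-01T09:00:05 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:02:10 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T09:05:00 sshd: Failed password for bob from 10.0.0.9
2024-03-01T09:06:00 sshd: Failed password for bob from 10.0.0.9
2024-03-01T09:07:00 sshd: Failed password for bob from 10.0.0.9
2024-03-01T09:08:00 sshd: Failed password for bob from 10.0.0.9
2024-03-01T11:30:00 sshd: Failed password for carol from 10.0.0.3
2024-03-01T12:45:00 sshd: Failed password for carol from 10.0.0.3
2024-03-01T13:20:00 sshd: Failed password for carol from 10.0.0.3
2024-03-01T14:10:00 sshd: Failed password for carol from 10.0.0.3
""".splitlines()

FAILED = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")

CLIPPING_LEVEL = 4          # failed attempts that turn noise into a violation
WINDOW = timedelta(hours=1)  # the "per hour" part of the clipping level


def parse_failures(lines):
    """Map each user to the sorted timestamps of their failed logins."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            failures[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    for times in failures.values():
        times.sort()
    return failures


def violations(lines, level=CLIPPING_LEVEL, window=WINDOW):
    """Return (user, count, window_start) for each user whose failed attempts
    in some sliding window reach the clipping level. Carol's four failures are
    spread over several hours, so they stay below the level; Bob's do not."""
    found = []
    for user, times in parse_failures(lines).items():
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start < window]
            if len(in_window) >= level:
                found.append((user, len(in_window), start))
                break  # one violation per user is enough to raise the flag
    return found


if __name__ == "__main__":
    for user, count, start in violations(LOG_LINES):
        print(f"VIOLATION {user}: {count} failed logins starting {start}")
```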
Keystroke monitoring
Keystroke monitoring records all input activities on a terminal or workstation. Keystroke monitoring writes large volumes of data to log files; you may find it difficult to hide, and ethical issues exist regarding the privacy rights of the person or people whose activities you monitor at this level of scrutiny.
Use keystroke monitoring with care — perhaps only as an aid for an active investigation.
Traffic and trend analysis
Traffic analysis and trend analysis are the techniques used to make inferences about the activities of an individual or an organization, based on the type and volume of traffic on a network. For instance, a dramatic rise in network traffic at 2:00 a.m. might be an indication of backups or batch processing.
Hackers use traffic and trend analysis, too. You can read more about this topic in Chapter 7.
Facilities monitoring
No monitoring plan is complete without some physical monitoring capabilities. A few methods are
Watching the logs of buildings with card-key access control to see whether doors are being propped open or if people are attempting to enter restricted areas
Monitoring unmanned entrances and other locations with closed-circuit television (CCTV) monitoring systems
Staffing key locations with security guards
Installing and monitoring security alarm sensors on doors and windows, and motion sensors in areas not normally manned
Responding to events
So, through your foresight and leadership (and the excellent book that you’re reading right now), your organization has full security monitoring capabilities. What do you do when one of the monitoring systems indicates that a security event is unfolding? How can you recognize that something’s up and respond appropriately?
Monitoring personnel: Who’s monitoring which events, audit logs, and other facilities?
Initial response: What are the first steps to be performed when a suspicious event is noticed? Written procedures would be a good idea here.
Confirmation: Who performs this task, and how does he or she do it? Someone needs to determine whether the event is a false alarm.
Notification: How will the appropriate persons or the affected community be notified? Who bears this responsibility? Presuming that someone is using the system generating the alarm, key personnel and/or the user community may need to be notified in the event that the event will continue to unfold and interrupt service.
Escalation: Who defines which senior managers need to be notified and when? If the event crosses predetermined thresholds, you may need to notify higher levels of management.
Resolution: How do you plan a resolution? Most of the time, someone needs to do something to manage the event, such as shutting down and rebooting a server, locking a user account, suspending a service, or any number of other actions.
Event reporting: Will there be standard reporting formats, and by what means will reports be delivered? How various events will be reported needs to be worked out in advance, too.
Event review: How do you plan to review the event in terms of action and prevention? At the conclusion of the event, stakeholders need to discuss the event to determine whether the response was appropriate and whether the organization can avoid the event (or ones like it) in the future.
Security violations: All known security violations should be documented, and a root-cause analysis should be performed in order to determine whether any changes in processes or technology are needed.
Security incident response is no longer a nice-to-have luxury. Security regulations often require a formal incident response capability. This entails setting up a response and communication plan, and training key individuals who will know what to do should a security incident occur.
We discuss this topic further in Chapter 12.
Prep Test
1 The two types of intrusion detection are
A Attack-based systems and response-based systems
B Signature-based systems and anomaly-based systems
C Knowledge-based systems and scripture-based systems
D Passive monitoring systems and active monitoring systems
2 Recording data traveling on a network is known as
A Promiscuous mode
B Packet sniffing
C Packet snoring
D Packing sneaking
3 Which of the following is NOT an example of penetration testing?
A Radiation monitoring
B War driving
C Port scanning
D War diving
4 Trusted recovery is concerned with
A The ability of a system to be rebuilt
B The vulnerability of a system while it’s being rebuilt
C The ability of a system to rebuild itself
D The willingness of a system to rebuild itself
5 The third-party inspection of a system is known as a(n)
A Confidence check
B Integrity trail
C Audit trail
D Audit
6 One of the primary concerns with long-term audit log retention is
A Whether anyone will be around who can find them
B Whether any violations of privacy laws have occurred
C Whether anyone will be around who understands them
D Whether any tape/disk drives will be available to read them
7 The required operating state of a network interface on a system running a sniffer is
A Open mode
B Promiscuous mode
C Licentious mode
D Pretentious mode
8 Filling a system’s hard drive so that it can no longer record audit records is known as a(n)
A Audit lock-out
B Audit exception
C Denial of Facilities attack
D Denial of Service attack
9 An investigator who needs to have access to detailed employee event information may need to use
A Keystroke monitoring
B Intrusion detection
C Keystroke analysis
D Trend analysis
10 Which of the following is NOT true about a signature-based IDS?
A It reports a low number of false-positives.
B It requires periodic updating of its signature files.
C It reports a high number of false-positives.
D It can’t detect anomalies based on trends.
Answers
1 B. Signature-based systems and anomaly-based systems. The two types of IDS systems are signature-based and anomaly-based. Review “Intrusion detection and prevention.”
2 B. Packet sniffing. Packet sniffing is the technique used to record network traffic. Review “Penetration testing.”
3 D. War diving. War diving isn’t a testing technique, but radiation monitoring, war driving, and port scanning are. Review “Penetration testing.”
4 B. The vulnerability of a system while it’s being rebuilt. Most operating systems in single-user mode lack the security controls present in a system that’s fully operational. Review “Security Controls.”
5 D. Audit. An audit is an inspection of a system or process. Review “Security Auditing and Due Care.”
6 D. Whether any tape/disk drives will be available to read them. The challenge with audit log retention is choosing a medium that will be readable many years in the future. Review “Retaining audit logs.”
7 B. Promiscuous mode. Promiscuous mode is the term that describes the state of a system that’s accepting all packets on the network, not just those packets destined for the system. Review “Penetration testing.”
8 D. Denial of Service attack. Filling a system’s hard drive is one way to launch a Denial of Service attack on an audit log mechanism. Filling the hard drive prevents the mechanism from being able to write additional entries to the log. Review “Protection of audit logs.”
9 A. Keystroke monitoring. Keystroke monitoring records every key press and mouse movement. Review “Keystroke monitoring.”
10 C. It reports a high number of false-positives. Signature-based IDSs generally have a low number of false-positives. Review “Intrusion detection and prevention.”