1. Audit Records: A basic tool for detecting intruders is some form of audit
record. There may be a native audit record that automatically collects data
on all user activity. However, it is difficult to be precise about something
you are looking to discover, so for that you require detection-specific audit
records. Audit records may be used quite effectively in conjunction with
statistical anomaly detection, which analyzes such data over a period of
time to determine the profile of the average user. Then an intrusion-
detection model may be assembled from this data.
2. Disable: One security measure you can take is to disable inactive accounts
since these are weak points that hackers love to attack. Also, a sysadmin
should not run any servers or daemons that are not needed. Moreover,
if such are needed infrequently, then disallow anonymous access, such as
anonymous ftp.
3. Firewalls/Gateways: We discussed gateways and their associated firewall
security at length in Section 8.4. Such measures go a long way toward
thwarting hacker attacks.
4. Intruder-Detection System (IDS): There is some overlap with the
discussion above since we looked at one form of IDS, namely, statistical
anomaly detection used in conjunction with audit records. There are other
types as well. If you have a network-based IDS, it eavesdrops on network
traffic, seeking evidence of an intrusion. A host-based IDS might scan for
incoming viruses, or altered files, for instance. However, certain IDSs have
false negatives (intrusions missed by the IDS), and false positives (false
alarms, when an IDS incorrectly concludes there is an intrusion). Anomaly
detection, such as the one described in the audit record section, is an IDS
that will usually get both false signals. See [119] for instance, which looks
in detail at the problems involved with getting an IDS to function in a
desired manner. Host- and network-based IDSs work in concert. A
network-based IDS is a unit unto itself, which makes it attack resistant; a host-
based IDS is aware of the state of its computer, so its data flow is simplified.
A recent innovation in the IDS arena is the honeypot, which is a decoy
system whose function it is to lure the hacker away from sensitive areas in
the system. A recent example may be found in [269], which is a honeypot
that imitates a complete network. Honeypots work best as a dedicated
network-based IDS. Honeypots will not only redirect a hacker from sensitive
system areas, but also collect data about the hacker's activities and
possibly keep them online long enough to have a sysadmin take action.
This type of IDS is perhaps one of the most effective in existence today,
since it not only protects, but also sets a trap for the hacker.
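The statistical anomaly detection described under Audit Records, and the false positives and false negatives that item 4 warns such a detector produces, can be made concrete with a small worked example. The code below is an added illustration, not part of the original text or of any cited system; the audit summaries, user names, the five-day training window, the standard-deviation floor and the z-score threshold of 3 are all constructed assumptions chosen so that the four outcomes (true negative, true positive, false positive, false negative) each appear once.

```python
"""Statistical anomaly detection over daily audit-record summaries.

Added illustrative example. Each user's profile is the mean and standard
deviation of their daily event counts over a training window; a later day
is scored with a z-score against that profile and reported when it exceeds
a threshold. The data below is constructed for the demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily audit summaries: (day, user, event, count).
# Days 1-5 are the training window used to build each user's profile;
# day 6 is the day under examination.
AUDIT = [
    # alice: steady behaviour, day 6 looks like every other day (true negative)
    *[(d, "alice", "login", n) for d, n in zip(range(1, 7), [3, 4, 3, 4, 3, 3])],
    *[(d, "alice", "file_read", n) for d, n in zip(range(1, 7), [20, 22, 19, 21, 20, 21])],
    # bob: his credentials are used on day 6 to read far more files than usual (true positive)
    *[(d, "bob", "login", n) for d, n in zip(range(1, 7), [2, 2, 2, 2, 2, 2])],
    *[(d, "bob", "file_read", n) for d, n in zip(range(1, 7), [10, 12, 11, 10, 9, 300])],
    # carol: a legitimate burst of logins on day 6, e.g. a deadline (false positive)
    *[(d, "carol", "login", n) for d, n in zip(range(1, 7), [1, 1, 2, 1, 1, 5])],
    # dave: a noisy baseline; a slow intruder's extra reads stay inside it (false negative)
    *[(d, "dave", "file_read", n) for d, n in zip(range(1, 7), [50, 55, 45, 60, 40, 62])],
]

TRAINING_DAYS = range(1, 6)  # days 1..5
STD_FLOOR = 1.0   # assumed floor: avoids dividing by a zero or tiny deviation
THRESHOLD = 3.0   # assumed z-score above which a count is reported


def build_profiles(audit, training_days):
    """Return {(user, event): (mean, stddev)} of daily counts over the window."""
    daily = defaultdict(dict)
    for day, user, event, count in audit:
        if day in training_days:
            daily[(user, event)][day] = count
    profiles = {}
    for key, by_day in daily.items():
        # A training day with no record means zero events of that kind.
        series = [by_day.get(d, 0) for d in training_days]
        profiles[key] = (mean(series), pstdev(series))
    return profiles


def score_day(audit, profiles, day):
    """z-score of each (user, event) count on `day` against its profile."""
    scores = {}
    for d, user, event, count in audit:
        if d != day:
            continue
        mu, sigma = profiles.get((user, event), (0.0, 0.0))
        scores[(user, event)] = (count - mu) / max(sigma, STD_FLOOR)
    return scores


def detect(audit, training_days, day, threshold=THRESHOLD):
    """Sorted list of (user, event) pairs whose day count exceeds the threshold."""
    profiles = build_profiles(audit, training_days)
    scores = score_day(audit, profiles, day)
    return sorted(k for k, z in scores.items() if z > threshold)


if __name__ == "__main__":
    profiles = build_profiles(AUDIT, TRAINING_DAYS)
    for key, z in sorted(score_day(AUDIT, profiles, 6).items()):
        print(f"{key[0]:6s} {key[1]:10s} z={z:7.2f}")
    print("flagged:", detect(AUDIT, TRAINING_DAYS, 6))
    # → flagged: [('bob', 'file_read'), ('carol', 'login')]
```

Running it flags bob's file reads (z of several hundred) and carol's logins (z = 3.8), while dave's extra reads score only about 1.7 because his baseline is noisy. Carol is the false positive and dave the false negative from item 4: raising the threshold removes carol but not dave's miss, and lowering it catches dave at the cost of more alarms, which is exactly the tuning problem the text attributes to anomaly-based IDSs.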
5. Password Protection: Your first line of defence should be proper password
protection. We have discussed proper choices for passwords on page
330. Moreover, we discussed protocols in Section 5.2 for securely establish-
ing passwords along with authentication, such as SRP-6 (see page 200).