Intrusion Detection System (IDS)

Network intrusion prevention (IP)
• It includes the process of detecting network intrusion events, but also the process of preventing and blocking detected or potential network incidents.

Network intrusion detection and prevention systems (IDP)
• They are based on identifying potential incidents, logging information about them, attempting to prevent them and alerting the administrators responsible for security.
• In addition to this basic function, IDP systems can also be used to identify problems concerning the adopted security policies, to document existing security threats and to discourage individuals from violating security rules.
• IDP systems use various incident detection methods.
• IDP (intrusion detection and prevention) network intrusion detection (ID) is based on monitoring the operation of computer systems or networks and analysing the processes they perform, which can point to certain incidents.
• Incidents are events posing a threat to or violating defined security policies, violating AUP (acceptable use policy) rules, or generally accepted security norms.
• They appear as a result of the operation of various malware programmes (e.g., worms, spyware, viruses and trojans), as a result of attempts at unauthorised access to a system through public infrastructure (the internet), or as a result of the operation of authorised system users who abuse their privileges.
• There are three primary classes of detection methodology:
  – 1. Signature-based detection
  – 2. Anomaly-based detection
  – 3. Detection based on stateful protocol analysis

1. Signature-based detection
– Certain security threats can be detected based on the characteristic manner in which they appear.
– The behaviour of an already detected security threat, described in a form that can be used for the detection of any subsequent appearance of the same threat, is called an attack signature.
– This detection method, based on the characteristic signature of an attack, is a process of comparing the known forms in which the threat has appeared with the specific network traffic in order to identify certain incidents.
– Although it can be very efficient in detecting the subsequent appearance of known threats, this detection method is extremely inefficient in the detection of completely unknown threats, of threats hidden by using various techniques, and of already known threats that have somehow been modified in the meantime.
– It is considered the simplest detection method and it cannot be used for monitoring and analysing the state of certain, more complex forms of communication.

2. Anomaly-based detection
– This method of IDP is based on detecting anomalies in a specific traffic flow in the network.
– Anomaly detection is performed based on the defined profile of acceptable traffic and its comparison with the specific traffic in the network.
– Acceptable traffic profiles are formed by tracking the typical characteristics of the traffic in the network during a certain period of time (e.g., the number of email messages sent by a user, the number of attempts to log in to a host, or the level of utilisation of the processor in a given time interval).
– These characteristics of the behaviour of users, hosts, connections or applications in the same time interval are then
– However, acceptable-behaviour profiles can unintentionally contain certain security threats, which leads to problems in their application.
– Likewise, imprecisely defined profiles of acceptable behaviour can cause numerous alarms, generated by the system itself as a reaction to certain (acceptable) activities on the network.
– The greatest advantage of this detection method is its exceptional efficiency in detecting previously unknown security threats.

3. Detection based on stateful protocol analysis
– Stateful protocol analysis is a process of comparing predefined operation profiles with the specific data flow of that protocol on the network.
– Predefined profiles of operation of a protocol are defined by the manufacturers of IDP devices and they identify everything that is acceptable or not acceptable in the exchange of messages in a protocol.
– Unlike anomaly-based detection, where profiles are created based on the hosts or specific activities on the network, stateful protocol analysis uses general profiles generated by the equipment manufacturers.
– Most IDP systems use several detection methods simultaneously, thus enabling a more comprehensive and precise method of
– Testing tools are used for testing the detection, recognition and response capabilities of devices that perform packet filtering (including those that use network address translation), such as firewalls, IDSes/IPSes, routers and switches.
– These test the traffic filtering devices' ability to detect and/or block DoS attacks, spyware, backdoors, and attacks against applications such as IIS, SQL Server and WINS.
– Standard traffic sessions can be used to test how packet filtering devices handle a variety of protocols including

• Intrusion detection systems can be grouped into the following categories:
  – Host-based IDS
  – Network-based IDS
  – Intrusion prevention system (IPS)

Host-based intrusion detection systems
• Host-based IDSs are designed to monitor, detect and respond to activity and attacks on a given host. In most cases, attackers target specific systems on corporate networks that hold confidential information.
• They will often try to install scanning programs and exploit other vulnerabilities that can record user activity on a particular host.
• Some host-based IDS tools provide policy management, statistical analytics and data forensics at the host level.
• Host-based IDSs are best used when an intruder tries to access particular files or other services that reside on the host computer.
• Because attackers mainly focus on operating system vulnerabilities to break into hosts, in most cases the host-based IDS is integrated into the operating system that the host is running.

Network-based intrusion detection systems
• Network traffic based IDSs capture network traffic to detect intruders.
• Most often, these systems work as packet sniffers that read through incoming traffic and use specific metrics to assess whether a network has been compromised.
• Various internet and other proprietary protocols that handle messages between external and internal networks, such as TCP/IP, NetBEUI and XNS, are vulnerable to attack and require additional ways to detect malicious events.
• Frequently, intrusion detection systems have difficulty working with encrypted information and traffic from virtual private networks. Speed over 1 Gbps is also a constraining factor, although modern and costly network-based IDSs have
• Cooperative agents are one of the most important components of a distributed intrusion detection architecture.
• An agent is an autonomous or semi-autonomous piece of software that runs in the background and performs useful tasks for another.
• Relative to IDSs, an agent is generally a piece of software that senses intrusions locally and reports attack information to central analysis servers.
• The cooperative agents can form a network among themselves for data transmission and processing.
• The use of multiple agents across a network allows a broader view of the network than might be possible with a single IDS or centralized IDSs.

Intrusion prevention system (IPS)
• An IPS is a network security tool that can not only detect intruders, but also prevent them from successfully launching any known attack.
• Intrusion prevention systems combine the abilities of firewalls and intrusion detection systems.
• However, implementing an IPS on an effective scale can be costly, so businesses should carefully assess their IT risks before making the investment.
• Moreover, some intrusion prevention systems are not as fast and robust as some firewalls and intrusion detection systems, so an IPS might not be an appropriate solution when speed is an absolute requirement.
• One important distinction to make is the difference between intrusion prevention and active response.
• An active response device dynamically reconfigures or alters network or system access controls, session streams or individual packets based on triggers from packet inspection and other detection devices.
• Active response happens after the event has occurred; thus, a single-packet attack will be successful on the first attempt but will be blocked in future attempts. For example, a DDoS attack will be successful on the first packets but will be blocked afterwards.
• While active response devices are beneficial, this one aspect makes them unsuitable as an overall solution.
• Network intrusion prevention devices, on the other hand, are typically inline devices on the network that inspect packets and make decisions before forwarding them on to the destination.
• Most important, an IPS must perform packet inspection and analysis at wire speed. Intrusion prevention systems should perform detailed packet inspection to detect intrusions, including application-layer and zero-day attacks.
• System or host intrusion prevention devices are also inline, at the operating system level. They have the ability to intercept system calls, file access, memory access, processes and other system functions to prevent attacks.
• There are several intrusion prevention technologies, including the following:
  – System memory and process protection
  – Inline network devices
  – Session sniping
  – Gateway interaction devices

• System memory and process protection
  – This type of intrusion prevention strategy resides at the system level.
  – Memory protection consists of a mechanism to prevent a process from corrupting the memory of another process running on the same system.
  – Process protection consists of a mechanism for monitoring process execution, with the ability to kill processes that are suspected of being attacks.
  – Internet technology, with its open architecture, inherently provides access to all resources that are connected to the world wide web. Hence, users can connect themselves to all legitimate and illegitimate web sources.
  – This may expose organizations to serious security threats. The outward and inward connections thus have the potential to jeopardize the security posture of an organization. These connections also create possibilities of data leakage from an organization to the outside world. Security threats have been increasingly exploiting these connections, channels, protocols and traffic to perpetrate attacks.

• Inline network devices
  – This type of intrusion prevention strategy places a network device directly in the path of network communications with the capability to modify and block attack packets as they traverse the device’s interfaces.
  – It acts much like a router or firewall combined with the signature-matching capabilities of an IDS. The detection and response happen in real time, before the packet is passed on to the destination network.

• Session sniping
  – This type of intrusion prevention strategy terminates a TCP session by sending a TCP RST packet to both ends of the connection. When an attempted attack is detected, the TCP RST is sent and the attempted exploit is flushed from the buffers and thus prevented. Note that the TCP RST packets must have the correct sequence and acknowledgement numbers to be effective.

• Gateway interaction devices
  – This type of intrusion prevention strategy allows a detection device to dynamically interact with network gateway devices such as routers or firewalls. When an attempted attack is detected, the detection device can direct the router or firewall to block the attack.

• Session sniping: system identification is another concern when deploying active response IPSs.
  – When systems terminate sessions with RST packets, an attacker might be able to discover not only that an IPS is involved but also the type of underlying system.
  – Readily available passive operating system identification tools analyze packets to determine the underlying operating system.
  – This type of information might enable an attacker to evade the IPS or direct an attack at the IPS.

• There are several risks when deploying intrusion prevention technologies.
  – Most notable is the recurring issue of false positives in today’s intrusion detection systems. On some occasions, legitimate traffic will display characteristics similar to malicious traffic. This could be anything from inadvertently matching signatures to uncharacteristically high traffic volume.
  – Even a finely tuned IDS can present false positives when this occurs. When intrusion prevention is involved, false positives can create a denial-of-service (DoS) condition for legitimate traffic.
  – In addition, attackers who discover or suspect the use of intrusion prevention methods can purposely create a DoS attack against legitimate networks and sources by sending attacks with spoofed source IP addresses.
  – A simple mitigation to some DoS conditions is to use a whitelisting policy.
• Another risk with active response IPSs involves gateway interaction timing and race conditions.
  – In this scenario, a detection device directs a router or firewall to block the attempted attack. However, because of network latency, the attack has already passed the gateway device before it receives this direction from the detection device.
  – A similar situation could occur with a scenario that creates a race condition on the gateway device itself between the attack and the response.
  – In either case, the attack has a high chance of succeeding.
• When deploying an IPS, you should carefully monitor and tune your systems and be aware of the risks involved.
• You should also have an in-depth understanding of your network, its traffic, and both its normal and abnormal characteristics.
• It is always recommended to run IPS and active response technologies in test mode for a while to thoroughly understand their behavior.
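To make the three detection methodologies described above concrete, together with the whitelisting policy given as a mitigation for false-positive DoS, here is an added toy IDP engine in Python; it is not part of the original notes or of any product, and every host, event, signature string and threshold in it is constructed.

```python
"""Toy IDP engine for the three detection methodologies in the notes above
(signature-based, anomaly-based, stateful protocol analysis) plus the
whitelisting policy given as a mitigation for false-positive DoS.
Added example: every host, event, signature and threshold is constructed."""
from collections import Counter, namedtuple

# One observed network event; conn is a connection id used for stateful analysis.
Event = namedtuple("Event", "src dst proto payload conn", defaults=[""])

# 1. Signature-based: the characteristic form of an already known threat
#    (constructed signature, not taken from any real ruleset).
SIGNATURES = {"sqli-tautology": "' OR '1'='1"}

def signature_hits(ev):
    return [name for name, pat in SIGNATURES.items() if pat in ev.payload]

# 2. Anomaly-based: learn a profile of acceptable behaviour (failed SSH logins
#    per source, one of the metrics named in the notes) from a training window.
def failed_logins(events):
    return Counter(e.src for e in events
                   if e.proto == "ssh" and e.payload == "AUTH_FAIL")

def build_profile(training, margin=2.0):
    # Threshold = busiest source seen in training, with headroom. If the training
    # window already contained an attack the profile silently absorbs it, which
    # is the weakness the notes point out.
    peak = max(failed_logins(training).values(), default=0)
    return {"max_ssh_fails": peak * margin}

def anomaly_hits(events, profile):
    return {s: n for s, n in failed_logins(events).items()
            if n > profile["max_ssh_fails"]}

# 3. Stateful protocol analysis: a manufacturer-style profile of which SMTP
#    command is acceptable in which session state, tracked per connection.
SMTP_PROFILE = {"start": {"EHLO", "HELO", "QUIT"},
                "greeted": {"MAIL", "RSET", "QUIT"},
                "mail": {"RCPT", "RSET", "QUIT"},
                "rcpt": {"RCPT", "DATA", "RSET", "QUIT"}}
NEXT_STATE = {"EHLO": "greeted", "HELO": "greeted", "MAIL": "mail", "RCPT": "rcpt",
              "DATA": "greeted", "RSET": "greeted", "QUIT": "start"}

def protocol_hits(events):
    state, hits = {}, []
    for ev in (e for e in events if e.proto == "smtp"):
        cmd = ev.payload.split(" ", 1)[0].upper()
        cur = state.get(ev.conn, "start")
        if cmd not in SMTP_PROFILE[cur]:
            hits.append((ev.conn, cur, cmd))  # command violates the profile
            continue
        state[ev.conn] = NEXT_STATE[cmd]
    return hits

def run_idp(training, events, allowlist=frozenset()):
    """Return alerts as (method, source, detail, action). Whitelisted sources
    are still alerted on but never blocked, so a false positive cannot turn
    into a denial of service against legitimate traffic."""
    profile, alerts = build_profile(training), []

    def emit(method, src, detail):
        alerts.append((method, src, detail,
                       "log-only" if src in allowlist else "block"))

    for ev in events:
        for sig in signature_hits(ev):
            emit("signature", ev.src, sig)
    for src, n in anomaly_hits(events, profile).items():
        emit("anomaly", src, f"{n} ssh failures")
    src_of_conn = {e.conn: e.src for e in events if e.conn}
    for conn, cur, cmd in protocol_hits(events):
        emit("stateful", src_of_conn[conn], f"{cmd} in state {cur}")
    return alerts

# Constructed sample traffic: a quiet training window, then a window with one
# SQL-injection-shaped request, two noisy SSH sources (one being the whitelisted
# helpdesk host) and an SMTP client that skips the handshake.
TRAINING = ([Event("10.0.0.5", "srv", "ssh", "AUTH_FAIL")] * 3
            + [Event("10.0.0.6", "srv", "ssh", "AUTH_FAIL")] * 2)
EVENTS = (
    [Event("10.0.0.5", "web", "http", "GET /items?id=1 HTTP/1.1"),
     Event("198.51.100.9", "web", "http", "GET /items?id=1' OR '1'='1 HTTP/1.1")]
    + [Event("198.51.100.9", "srv", "ssh", "AUTH_FAIL")] * 9
    + [Event("10.0.0.7", "srv", "ssh", "AUTH_FAIL")] * 7
    + [Event("10.0.0.8", "mail", "smtp", "EHLO lan", "c1"),
       Event("10.0.0.8", "mail", "smtp", "MAIL FROM:<a@lan>", "c1"),
       Event("10.0.0.8", "mail", "smtp", "RCPT TO:<b@lan>", "c1"),
       Event("203.0.113.4", "mail", "smtp", "DATA", "c2")])
ALLOWLIST = frozenset({"10.0.0.7"})  # constructed: the helpdesk jump host
```

Calling `run_idp(TRAINING, EVENTS, ALLOWLIST)` yields one signature alert, two anomaly alerts (the helpdesk host is logged but not blocked) and one stateful alert for the SMTP client that sent DATA before any greeting.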
Secure Content Management - Overview
• Organizations are increasingly moving toward collaboration – encouraging usage of the internet for knowledge access and productivity enhancement, advocating widespread adoption of email as a communication means and promoting instant messaging for better coordination.
• The global nature of business transactions — involving service providers and third party solutions — relies on communication protocols such as SMTP, HTTP, HTTPS, FTP, IPsec VPN, etc., for the exchange of information and execution of a transaction. This has been contributing to increased dependencies of an organization on the inbound and outbound traffic flowing across its boundaries.

The Importance of Secure Content Management

Unrestricted Access
The use of the internet is on the rise, as are the risks of uncontrolled access. When employees and staff inadvertently or deliberately access sites containing inappropriate, illegal or dangerous content, businesses suffer losses of productivity, expose themselves to legal liabilities and can experience degraded network performance that negatively affects mission-critical tasks. There are also a growing number of security risks—including trojans and worms—that can seriously impact operations.

The risks include:
• Impacted employee productivity
• Liability exposure
• Hacker attacks and privacy violations

Impacted employee productivity
Restricting access to inappropriate web sites helps companies prevent excessive non-productive web surfing and preserves network bandwidth.

Liability exposure
Employees who visit pornographic or racist/hate sites represent a major legal liability concern. Businesses need to shield themselves from potential legal liability that can arise if an employee is repeatedly exposed to offensive material on a co-worker’s computer or anywhere in the workplace. Other sources of liability exposure include peer-to-peer networking and file sharing, which have opened the door to charges of copyright violations and high-profile litigation. Corporations can be held liable for breaking copyright laws if employees use company networks to download music or movies illegally.

Hacker attacks and privacy violations
• Instant messaging, peer-to-peer file sharing and multimedia downloads make businesses vulnerable to backdoor attacks.

How Secure Content Management Works
Securing content starts with controlling access to certain web sites based on predetermined criteria. At a basic level, user access to internet content is controlled using the URL address or the URL content category (such as nudity or gambling). Basic content management solutions can also examine the way the content is delivered, such as through Java applets or ActiveX scripts, and determine access permissions accordingly. More advanced content management solutions also provide the ability to block applications such as instant messaging and peer-to-peer services.

Site Blocking Versus Content Monitoring
Secure content management solutions employ one of two basic approaches: site blocking or content monitoring. While there are considerable differences between these two approaches, both are based on pass-through filtering technology. That is, all requests for web pages pass through an internet control point such as a firewall, proxy server or caching device. The device then evaluates each request to determine whether it should be allowed or denied based on company policy.

Site blocking
The site blocking approach for content management typically uses list-based or URL-based filters to identify and block certain web sites. Some solutions rely on white lists that allow access to only those sites that appear on the list. For example, a retail store might create a white list containing only the company’s web site, shipping web sites and supplier web sites. Other solutions use black lists, which permit access to all sites except those on the black list. The black list approach is preferable for businesses whose employees need less restrictive internet access. With a black list approach, the database of web sites is organized into categories, such as “violence” or “drugs,” and network administrators can selectively block categories.

• The effectiveness and manageability of site blocking depends on a number of factors:
  – Database size: a larger database allows more sites to be added to the restricted list.
  – Update frequency: new sites continually emerge, and many existing sites are relocated. Most site blocking solutions update their databases on a daily basis, often automatically downloading new URLs every night.
  – Category organization: the definition of categories must be carefully considered and established with enough granularity to accomplish effective restrictions while allowing access when appropriate.

A general limitation of site blocking is that it focuses exclusively on HTTP-based web traffic. It does not block instant messaging, e-mail attachments, peer-to-peer applications and other applications that could contain security threats.

Content monitoring
The most basic level of content monitoring uses a keyword-blocking approach. Instead of blocking URLs, it compares the keyboard data to a user-defined library of words and phrases. When a match to one of the blocked words or phrases is detected, the solution filters or blocks the data, or in some cases even closes the application. The problem with this approach is that it can inadvertently block legitimate pages based on the fact that they contain one or more targeted keywords. For example, a web site about cancer research could be blocked because it contains the word “breast.” More advanced content monitoring solutions not only examine the individual words on the page, but also evaluate context and other data such as HTML tags.
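The two approaches described in this section, as an added Python example that is not part of the original notes or of any vendor product: a pass-through control point applies site blocking first (white list, or black list by category) and then content monitoring, first as plain keyword blocking and then with the context and HTML-tag evaluation that avoids the cancer-research false positive. The URL database, word lists and sample pages are constructed.

```python
"""Toy pass-through content filter for the two approaches described above:
site blocking (white list, or black list by URL category) and content
monitoring (plain keyword blocking, then a context-aware refinement that also
looks at HTML tags). Added example: the URL database, word lists and pages
below are constructed, not taken from any product."""
import re
from urllib.parse import urlsplit

# Site-blocking database: host -> category (constructed sample entries).
URL_DB = {"shop.example.com": "company",
          "carrier.example.net": "shipping",
          "bets.example.org": "gambling",
          "cancer-research.example.edu": "health"}


def site_blocking(url, mode, policy):
    """mode 'whitelist': policy is the set of hosts allowed; everything else
    is denied. mode 'blacklist': policy is the set of blocked categories;
    unlisted or unknown hosts are allowed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "not-inspected"  # site blocking only sees web traffic
    host = parts.hostname or ""
    if mode == "whitelist":
        return "allow" if host in policy else "deny"
    return "deny" if URL_DB.get(host) in policy else "allow"


BLOCKED_WORDS = {"breast", "jackpot"}       # constructed keyword library
CONTEXT_TERMS = {"cancer", "research", "oncology", "clinical", "screening", "trial"}


def words(text):
    return re.findall(r"[a-z]+", text.lower())


def keyword_block(html):
    """Basic content monitoring: any blocked word anywhere on the page denies it."""
    return "deny" if set(words(html)) & BLOCKED_WORDS else "allow"


def context_block(html):
    """Advanced content monitoring: weigh blocked words against medical context
    found in the body, the <title> and the keywords <meta> tag."""
    low = html.lower()
    title = " ".join(re.findall(r"<title>(.*?)</title>", low, re.S))
    meta = " ".join(re.findall(r'<meta name="keywords" content="(.*?)"', low))
    body = re.sub(r"<[^>]+>", " ", low)
    hits = sum(w in BLOCKED_WORDS for w in words(body))
    # Title and meta tags count on top of the body, so tagged context weighs more.
    context = sum(w in CONTEXT_TERMS for w in words(body + " " + title + " " + meta))
    return "allow" if hits == 0 or context >= 2 * hits else "deny"


def pass_through_filter(url, html, mode, policy, monitor=context_block):
    """The control point (proxy/firewall) decides on the request first, then on
    the returned page."""
    decision = site_blocking(url, mode, policy)
    if decision != "allow":
        return decision
    return monitor(html)


# Constructed pages: a legitimate research page that a keyword filter blocks on
# the word "breast", and a gambling page that both filters deny.
CANCER_PAGE = """<html><head><title>Breast cancer research update</title>
<meta name="keywords" content="oncology, clinical trial, screening"></head>
<body>New screening results from the clinical oncology trial on breast cancer
were published this week.</body></html>"""
GAMBLING_PAGE = """<html><head><title>Spin to win</title></head>
<body>Hit the jackpot tonight! Jackpot, jackpot.</body></html>"""
```

With a gambling-category black list, `pass_through_filter(...)` lets the research page through under `context_block` but denies it under `keyword_block`, while the gambling page is denied by both.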
Solution Architectures
• Content management software can be embedded on a networked device such as a proxy server, caching appliance or firewall, or it can reside on a dedicated server running the Microsoft Windows, Linux or UNIX operating system. The three common deployment methods vary in terms of effectiveness, cost and manageability:
  – Client solutions
  – Standalone solutions
  – Integrated solutions
  – Integrated content management and firewalls
  – Standalone appliances

• Client solutions
  – Installed on the desktop, client solutions are most suited for home environments where parental control is the primary application.
  – Client software solutions include a management interface and a database of blocked web sites; the parent downloads database updates via the internet.
  – Leading providers of client solutions include Zone Labs, Net Nanny® and internet service providers (ISPs) such as Microsoft® MSN and AOL®.

• Standalone solutions
  – Standalone solutions consist of a dedicated database server for defining policies and a separate gateway or firewall that enforces the content management policies.
  – These solutions are more manageable than client-based solutions because an administrator can create a policy once on the gateway and then apply it across all desktops.
  – However, most standalone solutions require organizations to purchase and manage two separate hardware devices in addition to content management software. They also require additional storage to be purchased as needed, when the policy database grows to exceed the storage available.
  – Key vendors of standalone solutions include SonicWALL®, Websense and SurfControl®.

• Integrated solutions
  – Integrated solutions consolidate management and processing in a single gateway or firewall, thereby reducing capital and operational expenses.
  – However, when the gateway or firewall is also used for services like anti-virus and intrusion prevention, performance can suffer.
  – Key vendors of integrated content filtering solutions include SonicWALL®, Symantec™ and WatchGuard®.

• Integrated content management and firewalls
  – Content filtering integrated on a firewall is a cost-effective content management solution that is ideal for businesses with small to mid-sized networks. This alternative integrates with the existing firewall technology, or is installed simultaneously with a new firewall solution.
  – A typical service will make available a continuously updated, comprehensive database of millions of web sites, domains and IP addresses. Minimal administrative overhead means that businesses can either manage the solution themselves or outsource the task to their IT service provider.

• Standalone appliances
  – Beyond these advantages and basic web site access controls, other advantages of a standalone appliance include:
    1. Seamless integration
    2. Dynamic rating engine
    3. Protection from attacks
    4. Advanced security for bandwidth protection and reduced legal liabilities
  – For larger businesses and enterprise environments requiring more comprehensive content control abilities, a standalone content filtering appliance maximizes the protection of any network from today’s sophisticated internet threats.
  – Although it requires the purchase of additional hardware, ease of installation and use make this an attractive solution. The appliance can be dropped into the existing network without any reconfiguration of existing hardware or software.
  – Appliances are also an affordable way to upgrade existing firewalls by introducing new functionality without an actual upgrade on the firewall itself.
  – A standalone appliance can affordably combine internet content management with real-time gateway anti-virus and anti-spyware capabilities, and the best appliances are rich in features and

Solution Architectures: Standalone Appliances
1. Seamless integration
Appliances can be easily installed in virtually any network and combined with any existing firewall. Plug-and-play designs speed installation, making them drop-in solutions that eliminate the need for additional servers or hardware.

2. Dynamic rating engine
Built-in capabilities can dynamically evaluate new URLs. Real-time analysis of page content, context for flagged words, HTML tags and other data can produce a rating and category for immediate access or blocking based on the organization’s predetermined policies. New ratings can be automatically added to a master ratings database for subsequent requests.

3. Protection from attacks
Deep packet inspection technology can block viruses, worms, trojans, spyware, phishing, malicious code and other attacks before they are able to infect a network. Appliances can scan and clean network traffic over a multitude of ports and protocols including HTTP, SMTP, POP3, FTP and NetBIOS.

4. Advanced security for bandwidth protection and reduced legal liabilities
Appliances can provide controls for managing instant messaging, peer-to-peer and multimedia applications. Management and reporting capabilities: integrated support enables network administrators to manage all users through a single interface, while the option to create custom categories and URL rating lists provides more granular control over filtering policies. Advanced reporting and analysis tools provide granular insight into network usage through custom reports.

Why are CMS platforms so vulnerable?
When you consider the different issues in play, it becomes obvious why hackers deem CMSes to be appealing targets. It is easy for some to assume that since WordPress, Joomla and Drupal are such recognizable names, they must be providing some form of protection. However, the opposite is true. The fact is, CMSes are vulnerable by nature because they are built on open source frameworks. Such shared development environments offer several benefits, but they also have their share of flaws, many of which arise from a lack of accountability. With no price tag, and with no one to take direct responsibility for potential problems, it’s no surprise when the final product has some security issues. Since the top CMSes are so popular, these security vulnerabilities are actively sought after — both by security researchers and members of the hacker community.

Once identified, these flaws can turn into a virtual gold mine for hackers, creating a much more efficient way for them to execute automated mass-scale attacks. Adding to the issue are website operators who use weak passwords, leaving their admin accounts vulnerable to automated brute force attacks. In the past we’ve shown how such weak passwords were used to inject websites with malware, turning them into DDoS zombies. Obviously, with administrative access hackers can also deal other kinds of damage: anything from defacing the site (for fun) to using it for malware distribution, which eventually gets it blacklisted in Google and in other search engines.

• Finally, there is also the issue of various CMS plugins and themes, which are also exposed to attacks. Each of these is created by a different developer and may introduce an additional set of vulnerabilities.
• A recent study found that over 20% of the fifty most popular WordPress plugins were vulnerable to hacking, while a staggering eight million susceptible plugins had been downloaded from WordPress alone.
• Considering that most users have at least 3-4 plugins running on their CMS platform, it’s apparent how they can further expose their sites to new security risks.

What users can do to protect themselves from CMS vulnerabilities
There are a number of things users can do to protect themselves:
• Create a regular schedule to update or patch the CMS and all installed plugins and themes. This will ensure that all components are up to date. CMS platforms usually display a dashboard message whenever a new update is available; users should install it promptly even if it’s outside their update schedule.
• Regularly back up the CMS and its underlying database. This should be performed weekly at a minimum.
• Subscribe to a regularly updated list of vulnerabilities for the specific CMS being used (e.g., WordPress).
• Delete default admin usernames (e.g., ‘Admin’) and use strong passwords (at least eight characters long, with a combination of upper and lower case, as well as both letters and numerical characters).
• Use a plugin for strong authentication, or two-factor authentication (2FA), for an additional layer of protection.