© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems. Beyond Intrusion Detection - Prevention & Protection.


Problem Domain
- Viruses, Worms, Trojans, and Bad Code…
- Hybrid Threats designed to improve chances for propagation
  – MS_Blaster
  – NIMDA
  – CodeRed
  – SQL Slammer
- Hackers, Script Kiddies, Malicious Insiders
- Theft of Intellectual Property, Confidentiality, and associated Legal Liability
  – HIPAA, Sarbanes/Oxley, California Senate Bill no. 1386, Buckley Amendment

State of Security Today
- Firewalls and anti-virus were not capable of stopping any of the last 5 major Internet attacks
- Add MS Blaster!

Example - HTTP-based Attack
[Diagram slide]

Remote User = Unsecured
- Outside firewall
  – Connections are not monitored
  – Visit unsuitable websites
  – Download unsuitable software
- Broadband
  – Faster connections encourage ‘other uses’
  – Peer to peer software
  – Instant Messenger tools
- Software vulnerabilities
  – Targeted by hybrid worms

Accidental Internal Attack
[Diagram; labels: INTRUDER, Company Confidential]

Problem: Firewalls are Not Enough
- Firewalls can’t block malicious traffic
- Many ports must be kept open for healthy applications to run
- Users unwittingly download dangerous applications or other forms of malicious code
- “Always on” connection = Always vulnerable
- Peer-to-peer and instant messaging have introduced new infection vectors

Problem: AV is Not Enough
- AV signature scanning is a reactive model
- Several must suffer infection before samples can be obtained, signatures developed, updates released, and protection deployed to your vulnerable endpoints
- MS_Blaster recently spread quickly and undetected, wreaking havoc throughout the world

Problem: Network IPS is Not Enough
- Although Network IPS has its place, many threats originate at the Desktop
- To protect at the Source, Host based Intrusion Detection and Prevention is necessary
- Detecting only at the Network may be too late

Multi-layered Compromise
[Diagram; labels: INTRUDER, “You have Mail!”, Company Confidential]

“All I Have To Do Is Patch My Systems”
- “It takes days to install a single patch at every one of our 110 bases” - US Air Force
- “It is a never-ending cycle, trying to keep up with this stuff” - Toyota
- Source: Forbes, May 26, 2003

Vulnerability and Threat Time-Line
Timeline: Vulnerability Disclosure -> Exploit Disclosure -> Worm
- No Patch.
- Security Patch available. Typically, apply patch to perimeter network
- Apply patches everywhere after business is disrupted

Exploit Signature Based Time-Line
Timeline: Vulnerability Disclosure -> Exploit Disclosure -> Worm
- No exploit patterns
- Reactive. Add exploit pattern and variants.
- Reactive. Add worm exploit pattern. Similar to anti-virus, add new variants

Virtual Patch Based Time-Line
Timeline: Vulnerability Disclosure -> Exploit Disclosure -> Worm
- Protocol Validation. Virtual Patch
- Proactive. Protected.

Case Study: Microsoft SQL Server Resolution Protocol Stack-based Overflow (MS SQL Slammer Worm)

What was the bug?
- Vulnerability
  – Microsoft SQL Server 2000 and MSDE
  – Buffer-overflow in “SQL Server Resolution”
  – Vuln = ssrp.name.length > 97
  – Disclosed July, 2002
- Exploit
  – Several noted well before January 25th
  – Worm on January 25, 2003

What do sigs look like?
- All sigs
  – UDP port 1434
  – First byte equal to 4
- Pattern-match sigs
  – Slammer pattern
- Protocol-analysis sigs
  – Check length of field for overflow

Snort

    alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( \
        msg:"MS-SQL Worm propagation attempt"; \
        content:"|04|"; depth:1; \
        content:"|81 F1 03 01 04 9B 81 F1 01|"; \
        content:"sock"; content:"send"; \
        reference:bugtraq,5310; reference:bugtraq,5311; \
        reference:url,vil.nai.com/vil/content/v_99992.htm; \
        classtype:misc-attack; sid:2003; rev:2;)

Vulnerability Signature

    SQL_SSRP_StackBo is (
        udp.dst == 1434
        ssrp.type == 4
        ssrp.name.length > ssrp.threshold
    )
    where ssrp.type is the first byte of the packet
    where ssrp.name is the nul-terminated string starting at the second byte
    where ssrp.threshold defaults to 97

    SQL_SSRP_SlammerWorm is (
        SQL_SSRP_StackBo
        pattern-search[offset=97] = DCC9B042EB0E
    )
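The two signature styles from the slides above (the Snort content rule and the SQL_SSRP_StackBo / SQL_SSRP_SlammerWorm definitions), implemented as an added example in C. This is not ISS or Snort code. It assumes the caller has already removed the UDP header and hands over the destination port plus the payload, and every packet it classifies is constructed inline rather than captured. It demonstrates the slides' point: a name longer than 97 bytes trips the vulnerability signature whether or not the worm's bytes are present, while the pattern signature only matches the one known payload. Function names, the helper build_ssrp and the demo_* scenarios are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants taken from the slide's signature definitions. */
#define SSRP_PORT            1434
#define SSRP_TYPE_OVERFLOW   0x04
#define SSRP_NAME_THRESHOLD  97

/* Worm-specific bytes at offset 97 (the slide's pattern-search value DCC9B042EB0E). */
static const uint8_t SLAMMER_MARKER[] = { 0xDC, 0xC9, 0xB0, 0x42, 0xEB, 0x0E };

/* SQL_SSRP_StackBo: dst port 1434, first byte 4, and the nul-terminated name
   starting at the second byte longer than the threshold. The scan never reads
   past len, so a datagram with no NUL at all simply counts every byte. */
int ssrp_stack_bo(uint16_t dst_port, const uint8_t *pkt, size_t len)
{
    if (dst_port != SSRP_PORT || len < 1 || pkt[0] != SSRP_TYPE_OVERFLOW)
        return 0;
    size_t name_len = 0;
    while (1 + name_len < len && pkt[1 + name_len] != 0)
        name_len++;
    return name_len > SSRP_NAME_THRESHOLD;
}

/* SQL_SSRP_SlammerWorm: the vulnerability signature plus the worm's bytes at offset 97. */
int ssrp_slammer_worm(uint16_t dst_port, const uint8_t *pkt, size_t len)
{
    if (!ssrp_stack_bo(dst_port, pkt, len))
        return 0;
    if (len < SSRP_NAME_THRESHOLD + sizeof SLAMMER_MARKER)
        return 0;
    return memcmp(pkt + SSRP_NAME_THRESHOLD, SLAMMER_MARKER, sizeof SLAMMER_MARKER) == 0;
}

/* 0 = no match, 1 = vulnerability signature only, 2 = vulnerability + worm pattern. */
int classify(uint16_t dst_port, const uint8_t *pkt, size_t len)
{
    if (ssrp_slammer_worm(dst_port, pkt, len)) return 2;
    if (ssrp_stack_bo(dst_port, pkt, len))    return 1;
    return 0;
}

/* Constructed packet (not a capture): type byte, name_len bytes of fill, then a NUL.
   Returns the number of bytes written into out, or 0 if it does not fit. */
size_t build_ssrp(uint8_t type, size_t name_len, uint8_t fill, uint8_t *out, size_t cap)
{
    if (name_len + 2 > cap) return 0;
    out[0] = type;
    memset(out + 1, fill, name_len);
    out[1 + name_len] = 0;
    return name_len + 2;
}

/* Scenarios: each returns classify()'s verdict for one constructed packet. */
int demo_benign(void)            /* ordinary lookup with a short instance name */
{
    uint8_t p[160]; size_t n = build_ssrp(0x04, 12, 'A', p, sizeof p);
    return classify(SSRP_PORT, p, n);
}
int demo_boundary(void)          /* name of exactly 97 bytes: not greater than the threshold */
{
    uint8_t p[160]; size_t n = build_ssrp(0x04, 97, 'A', p, sizeof p);
    return classify(SSRP_PORT, p, n);
}
int demo_overflow_variant(void)  /* over-long name without the worm's bytes: a "variant" */
{
    uint8_t p[160]; size_t n = build_ssrp(0x04, 120, 'A', p, sizeof p);
    return classify(SSRP_PORT, p, n);
}
int demo_slammer_like(void)      /* over-long name carrying the marker at offset 97 */
{
    uint8_t p[160]; size_t n = build_ssrp(0x04, 120, 'A', p, sizeof p);
    memcpy(p + SSRP_NAME_THRESHOLD, SLAMMER_MARKER, sizeof SLAMMER_MARKER);
    return classify(SSRP_PORT, p, n);
}
int demo_other_type(void)        /* long name but a different message type: not this bug */
{
    uint8_t p[160]; size_t n = build_ssrp(0x02, 120, 'A', p, sizeof p);
    return classify(SSRP_PORT, p, n);
}

int main(void)
{
    printf("benign           -> %d\n", demo_benign());
    printf("boundary (97)    -> %d\n", demo_boundary());
    printf("overflow variant -> %d\n", demo_overflow_variant());
    printf("slammer-like     -> %d\n", demo_slammer_like());
    printf("other type       -> %d\n", demo_other_type());
    return 0;
}
```

The "overflow variant" packet is the case an exploit-pattern signature misses until a new pattern is shipped, and the case the protocol-length check catches from the day the vulnerability is disclosed. A production parser would also bound the whole datagram length and handle the other SSRP message types before applying the check.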

Security Technology Evolution
[Diagram; label: Integrated Application]

Layered Technologies
[Diagram of host protection layers. Labels on the slide:]
- Technologies: PFW, IDS/IPS, IBE, AppCtrl, BuffOP, AV, Behavioral
- Ports: Port 80, Port 135, Port 445, Port 1025, Port xyz
- Vectors: Network Based Attack Vector, File Based Attack Vector
- Phases: Pre-Execution, Execution Space, Reactive

Buffer Overflow
[Stack diagram; labels: Local Variables, Return Address]

    #include <stdio.h>
    #include <string.h>

    /* Deliberately vulnerable, as on the slide: strcpy copies s into a
       10-byte stack buffer with no length check, so a longer argument
       overwrites whatever follows buf on the stack, including the saved
       return address. */
    void funcA(char *s) {
        char buf[10];
        strcpy(buf, s);
        printf("buffer is %s\n", s);
    }

    int main(void) {
        funcA("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");   /* far more than 10 bytes */
        /* … */
        return 0;
    }

Buffer Overflow (continued)
[Stack diagram; labels: Local Variables, Return Address]
- Overflow buffer with shellcode and overwrite original return address
- Attacker then jumps to new user-controlled return address
- Arbitrary code can then be executed by the attacker. This code could directly or indirectly access system calls such as CreateProcess(….)

Payload bytes shown on the slide:

    \x90\x90\x90\x90\x90\x90\xeb
    \xff\x81\x36\x80\xbf\x32\x94
    \x05\xe8\xe2\xff\xff\xff\x03\
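A bounds-checked counterpart to the slide's funcA, added here as an example and not code from the slides. It assumes the same 10-byte buffer, refuses any input that does not fit together with its terminating NUL, and reports how many bytes the slide's unchecked strcpy would have written past the buffer. The names funcA_safe and overflow_bytes are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10   /* same size as the slide's char buf[10] */

/* Hardened counterpart to funcA: measure the input with a bound first and
   reject anything that cannot fit with its NUL, instead of letting strcpy
   run past the end of buf into the saved return address.
   Returns true if the copy was made, false if the input was rejected. */
bool funcA_safe(const char *s)
{
    char buf[BUF_SIZE];
    size_t n = 0;
    /* Bounded scan: never looks beyond BUF_SIZE bytes of s, so even an
       unterminated input cannot make this read past the caller's data. */
    while (n < BUF_SIZE && s[n] != '\0')
        n++;
    if (n >= BUF_SIZE)
        return false;          /* no room for the NUL: reject rather than overflow */
    memcpy(buf, s, n + 1);     /* bounded copy, NUL included */
    printf("buffer is %s\n", buf);
    return true;
}

/* How many bytes the slide's strcpy would write beyond buf for input s:
   length plus the NUL, minus the buffer capacity (0 when it fits). */
size_t overflow_bytes(const char *s)
{
    size_t need = strlen(s) + 1;
    return need > BUF_SIZE ? need - BUF_SIZE : 0;
}

int main(void)
{
    const char *slide_input = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; /* the over-long argument from the slide */
    printf("vulnerable funcA would write %zu bytes past buf\n", overflow_bytes(slide_input));
    printf("funcA_safe accepted slide input: %s\n", funcA_safe(slide_input) ? "yes" : "no");
    printf("funcA_safe accepted \"short\":    %s\n", funcA_safe("short") ? "yes" : "no");
    return 0;
}
```

Rejecting over-long input is the conservative choice for a fixed-size stack buffer; silently truncating with strncpy avoids the overflow but can leave buf unterminated and hides the fact that the caller sent something the function was never designed to hold.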

Case: Network: MS Blaster: Day ZERO
[Same layered-technologies diagram; added labels: 0-day, RPC (Network Based Attack Vector)]

Case: Network: MS Blaster: Day ZERO (continued)
[Same layered-technologies diagram; added labels: RPC (Network Based Attack Vector), “RPC Service has been DOS’d”, “Must Reboot”]

What’s the difference?
- Protecting against exploits is reactive
  – Too late for many
  – Variants undo previous updates
  – Typical of AV and most IDS/IPS vendors
- Protecting against vulnerabilities is proactive
  – Stops threat at source
  – Requires advanced R&D

Thanks! Questions?