ICSA, Inc.
For more information, call 888-396-8348
An Introduction to Intrusion Detection and Assessment
attackers can use them. Intrusion-detection systems are by nature reactive: they monitor for attackers targeting systems in hopes of interrupting the attacks before the system is damaged.
Assessment approach
Application-based Assessment
Application-based assessment uses passive, non-invasive techniques to check settings and configurations within application packages for errors known to have security ramifications.
Host-based Assessment
Host-based assessment uses passive, non-invasive techniques to check system settings and configurations for errors known to cause security problems. These checks typically encompass system internals and include things such as file permissions and ownership settings and whether operating-system bug patches have been applied.
Most vulnerability-assessment products perform password analysis as part of their assessment. Password analysis consists of running password crackers against password files, utilizing a well-known attack in order to quickly locate weak, non-existent, or otherwise flawed passwords.
Advantages:
It yields a very accurate, host-specific picture of security holes;
It catches security holes that aren't exposed during a network-based assessment.
Disadvantages:
The assessment methods are platform-specific and thus require precise configuration for each type of host used by the organization;
Deployment and update often require much more effort than in network-based assessment.
Target-based Assessment
Target-based assessment (also known as file integrity assessment) uses passive, non-invasive techniques to check the integrity of system and data files as well as system objects and their attributes (e.g., hidden data streams, databases, and registry keys).
Target-based assessment products use cryptographic checksums (message-digest algorithms) to make tampering evident for critical system objects and files. Message-digest algorithms are based on hash functions, which possess the property that extremely subtle changes in the input to the function produce large differences in the result. This means that a change in a data stream fed to a message-digest algorithm produces a huge change in the checksum generated by the algorithm. These algorithms are cryptographically strong; i.e., given a particular output value, it is practically impossible to come up with another input to the algorithm that will produce an identical output. This eliminates a common attack against relatively simple CRC (cyclic redundancy code) checksums, in which hackers mask alterations to files by altering the content of the file so that the same checksum is generated for both the original and the tampered file.
Target-based assessment products run in a closed loop, processing files, system objects, and system object attributes to generate checksums; they then compare them to previous checksums, looking for changes. When a change is detected, the product sends a message to the intrusion-detection system, which records the problem with a time stamp corresponding to the probable time of alteration. This process can provide a one-record trigger for an intruder alert, or it can serve as a milestone for an investigator performing a trace of the events leading to the alteration.
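A minimal version of the closed loop described above, as an added example rather than code from ICSA or any assessment product: it baselines a SHA-256 digest plus size, mode bits and mtime for each monitored file, re-scans, and reports each change with the probable time of alteration. The file names and contents in demo() are constructed for the illustration.

```python
import hashlib
import tempfile
import time
from pathlib import Path

def digest_file(path, algorithm="sha256"):
    """Hex digest of a file's contents, read in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the digest and attributes (size, mode bits, mtime) of each object."""
    baseline = {}
    for p in paths:
        st = Path(p).stat()
        baseline[p] = {"digest": digest_file(p), "size": st.st_size,
                       "mode": st.st_mode, "mtime": st.st_mtime}
    return baseline

def check_integrity(baseline, paths):
    """One pass of the closed loop: recompute digests and attributes, then diff
    against the baseline. 'when' is the probable time of alteration."""
    current = build_baseline([p for p in paths if Path(p).exists()])
    changes = []
    for p, old in baseline.items():
        new = current.get(p)
        if new is None:                     # object vanished since the baseline
            changes.append({"path": p, "kind": "missing", "when": time.time()})
            continue
        fields = [k for k in ("digest", "size", "mode") if old[k] != new[k]]
        if fields:
            changes.append({"path": p, "kind": "modified", "fields": fields,
                            "when": new["mtime"]})
    changes += [{"path": p, "kind": "added", "when": current[p]["mtime"]}
                for p in current if p not in baseline]
    return changes

def demo():
    """Constructed scenario: two monitored files; one is later altered, one removed."""
    d = Path(tempfile.mkdtemp())
    a, b = str(d / "passwd"), str(d / "hosts")
    for p in (a, b):
        Path(p).write_text("original contents\n")
    baseline = build_baseline([a, b])
    Path(a).write_text("original contents\nx")   # one extra byte changes the digest
    Path(b).unlink()
    return baseline, check_integrity(baseline, [a, b])
```

Each change record is what the product would hand to the intrusion-detection system; a real deployment keeps the baseline somewhere the monitored host cannot rewrite it.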