
ICSA, Inc. For more information, call 888-396-8348

32 An Introduction to Intrusion Detection and Assessment

attackers can use them. Intrusion-detection systems are by nature reactive: they monitor for attackers targeting systems in hopes of interrupting the attacks before the system is damaged.

Assessment approach

Application-based Assessment

Application-based assessment uses passive, non-invasive techniques to check settings and configurations within application packages for errors known to have security ramifications.

Host-based Assessment

Host-based assessment uses passive, non-invasive techniques to check system settings and configurations for errors known to cause security problems. These checks typically encompass system internals and include things such as file permissions and ownership settings and whether operating-system bug patches have been applied.

Most vulnerability-assessment products perform password analysis as part of their assessment. Password analysis consists of running password crackers against password files, utilizing a well-known attack in order to quickly locate weak, non-existent, or otherwise flawed passwords.

Advantages:

• It yields a very accurate, host-specific picture of security holes;
• It catches security holes that aren't exposed during a network-based assessment.

Disadvantages:

• The assessment methods are platform-specific and thus require precise configuration for each type of host used by the organization;
• Deployment and update often require much more effort than in network-based assessment.

Target-based Assessment

Target-based assessment (also known as file integrity assessment) uses passive, non-invasive techniques to check the integrity of system and data files as well as system objects and their attributes (e.g., hidden data streams, databases, and registry keys).
Target-based assessment products use cryptographic checksums (message-digest algorithms) to make tampering evident for critical system objects and files. Message-digest algorithms are based on hash functions, which possess the property that extremely subtle changes in the input to the function produce large differences in the result. This means that a change in a data stream fed to a message-digest algorithm produces a huge change in the checksum generated by the algorithm. These algorithms are cryptographically strong; i.e., given a particular output value, it is practically impossible to come up with another input to the algorithm that will produce an identical output. This eliminates a common attack against relatively simple CRC (cyclic redundancy code) checksums in which hackers mask alterations to files by altering the content of the file so that the same checksum is generated for both the original and the tampered file. [8]

Target-based assessment products run in a closed loop, processing files, system objects, and system object attributes to generate checksums; they then compare them to previous checksums, looking for changes. When a change is detected, the product sends a message to the intrusion-detection system that records the problem with a time stamp corresponding to the probable time of alteration. This process can provide a one-record trigger for an intruder alert or it can serve as a milestone for an investigator performing a trace of the events leading to the alteration.
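The closed loop described above, as an added Python example that is not code from the ICSA paper or any product it describes: a baseline of digests and attributes is taken, the tree is rescanned, and altered, added or removed objects are reported with a time stamp. It assumes SHA-256 as the message-digest algorithm, tracks mode, owner and size as the object attributes, and builds its own small sample directory; avalanche_bits shows the hash property the text relies on (a one-byte edit changes roughly half of the 256 digest bits).

```python
import hashlib, os, stat, tempfile, time
from pathlib import Path

def digest_file(path):
    """Stream the file through SHA-256 so large objects need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Baseline: digest plus the attributes tracked here (mode, owner, size; an assumed set)."""
    records = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            st = p.lstat()
            records[p.relative_to(root).as_posix()] = {
                "sha256": digest_file(p), "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid, "size": st.st_size}
    return records

def compare(baseline, current):
    """Closed loop: list added, removed and altered objects, each with a detection time stamp."""
    seen = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    changes = []
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline or name not in current:
            changes.append((seen, name, "added" if name in current else "removed", []))
        elif baseline[name] != current[name]:
            fields = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
            changes.append((seen, name, "altered", fields))
    return changes

def avalanche_bits(a, b):
    """Differing bits between SHA-256 digests of two inputs (of 256); about 128 even for a one-byte edit."""
    x = int.from_bytes(hashlib.sha256(a).digest(), "big")
    return bin(x ^ int.from_bytes(hashlib.sha256(b).digest(), "big")).count("1")

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, rescan and report."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "motd").write_text("welcome\n")
        os.chmod(etc / "motd", 0o444)
        baseline = snapshot(root)
        # Tampering: edit one account's shell and make the banner world-writable
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/zsh\n")
        os.chmod(etc / "motd", 0o666)
        return compare(baseline, snapshot(root))
```

A product would persist the baseline somewhere the monitored host cannot alter and forward each change record to the intrusion-detection system rather than returning it.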