Tuesday, September 02, 2008
It's been a long time...
Too long. And it's not like I haven't done anything since my last post. The main reason why it's been so long is because I upgraded my hard drive AND went from using Vista to Fedora. It's taken me this long to install Thingamablog on the new hard drive and then go back to the old one and copy the database files.
So what have I done since my last post? Well, not that much. Well, I've done lots of things, I just haven't accomplished much. I did install OSSEC, but I have no idea how it works yet. Last night while I was trying to figure out for the umpteenth time how to get Infrarecorder to work under Vista (you have to format the DVDs first), I went ahead and installed the new hard drive on my test machine, set up the partitions and installed Zenwalk. I was having trouble with Xorg at first, and when it came up, I was surprised to see that it was in 1024x768, seeing that the Intel graphics chipset seems to max out at 800x600. Then whenever I tried to start a terminal it would crash and go back to the display manager. I thought that was because of the graphics card limitation, but apparently it's just a problem with the terminal. I downloaded the gnome terminal and that apparently fixed it.
Thursday, August 07, 2008
Bace Ch 7: Technical Issues
I just couldn't get into this chapter at all. The gist of it is that there are issues that degrade the performance of intrusion detection systems. The issues discussed are scalability, management, reliability, analysis, interoperability, integration, and user interfaces.
Wednesday, August 06, 2008
Bace Ch 6: Vulnerability Analysis: A Special Case
Bace talks about Vulnerability analysis because it relates to intrusion detection as being a static analysis scheme. Basically vulnerability analysis is taking a snapshot of the system looking for security problems, checking against some predetermined configuration and reporting to the user. COPS is discussed up front. Bace makes a distinction between credentialed and noncredentialed approaches, acknowledging that others prefer to call them passive and active. Basically the difference is that credentialed approaches work inside the system, and noncredentialed approaches work outside the system. The latter basically is attacking the system itself--testing by exploit.
SATAN is discussed near the end. Just what I read about SATAN reminds me of Nessus. Password cracking is also discussed.
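The credentialed, snapshot-and-compare approach described in this entry (the COPS style, working from inside the host) as an added example; this is not code from the post or from COPS. The baseline table, the miniature filesystem it builds under a temporary directory and the file names in it are all constructed for the example.

```python
import os
import stat
import tempfile

# Constructed baseline: relative path -> the most permissive mode the site policy
# allows. A real baseline would be derived from the predetermined configuration
# the entry mentions, not hard-coded here.
BASELINE = {
    "etc/passwd": 0o644,
    "etc/shadow": 0o600,
    "bin/login": 0o755,
}


def snapshot(root):
    """Credentialed pass: walk the filesystem from inside the host and record the
    permission bits of every regular file. Returns {relative path: mode}."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            result[rel] = stat.S_IMODE(os.lstat(full).st_mode)
    return result


def check(snap, baseline):
    """Compare the snapshot against the baseline and report deviations: files
    the baseline does not know about, files whose mode grants more than the
    baseline allows, setuid/setgid bits, and baseline files that have vanished."""
    findings = []
    for rel, mode in sorted(snap.items()):
        allowed = baseline.get(rel)
        if allowed is None:
            findings.append((rel, "not in baseline"))
            continue
        if mode & ~allowed:
            findings.append((rel, "mode %o exceeds baseline %o" % (mode, allowed)))
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((rel, "setuid/setgid bit set"))
    for rel in baseline:
        if rel not in snap:
            findings.append((rel, "missing"))
    return findings


def demo():
    """Build a constructed miniature filesystem with two deliberate deviations
    (shadow readable by everyone, an unexpected script in tmp) and check it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in [("etc/passwd", 0o644), ("etc/shadow", 0o644),
                          ("bin/login", 0o755), ("tmp/stray.sh", 0o777)]:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("placeholder\n")
            os.chmod(full, mode)
        return check(snapshot(root), BASELINE)


if __name__ == "__main__":
    for path, problem in demo():
        print("%-16s %s" % (path, problem))
```

Because the checker runs with the host's own credentials it sees real permission bits rather than guessing from the outside, which is the whole point of the credentialed approach; the trade-off is that it can only report what the baseline anticipates, so the "not in baseline" finding matters as much as the mode mismatches.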
Bace Ch 5: Responses
Somehow I never got around to talking about chapter 5 yesterday despite the fact I finished it and started on chapter 6. Chapter 5 is a very small chapter, which is somewhat disappointing considering the fact that the focus of my thesis is the response part of intrusion detection.
The note on page 122 talks about the people who are the standard users of intrusion detection systems: network security specialists, who are generally experts in security, but maybe not in the underlying systems that are being protected; system administrators, who out of necessity have to be conversant in both security and underlying systems; and security investigators, who may not be conversant in either, but are experts in conducting investigations in general.
There's some general talk up front about how design comes into play. The environment, the purpose of the system and regulatory requirements all come into consideration when considering exactly what the response of the system will be and how the information is communicated to the user, if at all. Active responses fall into three categories: take action against the intruder, amend the environment and collect more information. Bace points out that the first is the one that captures people's imagination nowadays. Passive responses are: alarms and notification, and SNMP traps and plug-ins.
The point is made that while the intrusion detection system should be generating alerts, the alerts should not be visible to the intruder, and that the intruder will be looking to intercept and do away with the responses. Lastly the chapter talks about the actions a user should take after receiving a response, ordered by "time and criticality of the activities."
Monday, August 04, 2008
Bace: Ch 4--Analysis Schemes
Eh, I read it all, and I got a basic understanding of what the schemes are, but there was a lot that went over my head. And I'm wondering if it even matters. Another problem of mine is that when I'm reading this stuff I'm always asking myself, how do you code something like this. I gotta stop asking that.
Basically everything is broken down into the categories of misuse detection and anomaly detection. Honestly, I may have to read this chapter again, but the only thing that's really sticking out now is the conclusion of the chapter, namely that "analysis involves isolating patterns of behavior known to represent problems (misuse analysis) and using mathematical approaches to characterize user behaviors that are abnormal (anomaly detection)." (pg. 117)
There was some talk about agent based systems that did get my attention, though. For some reason, I hadn't considered that others may have done research very similar to COL Carver's, and that I could base my thesis off that research. Definitely worth looking into.
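The two analysis schemes from chapter 4 (misuse analysis against known patterns, anomaly detection by statistical characterization) and the passive/active response categories from chapter 5, as one added example that is not from the post or from the book. The audit records, the baseline of failed logins per hour and the signature list are all constructed for the example.

```python
import re
import statistics
from collections import Counter

# Constructed audit records, not from any real system:
# (hour of day, user, event, detail). Hour 3 carries a burst of failed logins
# followed by a command that matches a known-bad pattern.
RECORDS = (
    [(9, "alice", "login_ok", "10.0.0.5"), (9, "bob", "login_fail", "10.0.0.7"),
     (9, "bob", "login_ok", "10.0.0.7"), (10, "alice", "cmd", "ls -l /var/log")]
    + [(3, "mallory", "login_fail", "198.51.100.9")] * 6
    + [(3, "mallory", "login_ok", "198.51.100.9"), (3, "mallory", "cmd", "cat /etc/shadow")]
)

# Constructed history: failed logins per hour over a normal period, used to
# characterize what "abnormal" means for the anomaly detector.
BASELINE_FAILURES_PER_HOUR = [1, 0, 2, 1, 0, 1, 1, 2, 0, 1]

# Misuse analysis: patterns known to represent problems.
SIGNATURES = [
    ("read of password hash file", re.compile(r"\bcat\s+/etc/shadow\b")),
    ("directory traversal in command", re.compile(r"\.\./")),
]


def misuse_detect(records):
    """Match every command against the signature list; each hit is a misuse alert."""
    alerts = []
    for hour, user, event, detail in records:
        if event != "cmd":
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(detail):
                alerts.append({"kind": "misuse", "hour": hour, "user": user, "what": name})
    return alerts


def anomaly_detect(records, baseline, threshold=3.0):
    """Flag hours whose failed-login count lies more than `threshold` standard
    deviations above the baseline mean: a simple mathematical characterization
    of abnormal behaviour, with no knowledge of any specific attack."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0  # guard against a perfectly flat baseline
    per_hour = Counter(h for h, _u, ev, _d in records if ev == "login_fail")
    alerts = []
    for hour, count in sorted(per_hour.items()):
        z = (count - mean) / sd
        if z > threshold:
            alerts.append({"kind": "anomaly", "hour": hour, "count": count, "z": round(z, 1)})
    return alerts


def respond(alert):
    """Map an alert to responses in Bace's categories. Every alert gets a passive
    response (notification); the active response depends on the alert kind:
    amend the environment for a confirmed pattern, collect more information for
    a statistical anomaly. The notification channel is assumed to be one the
    intruder cannot read, which the code does not enforce."""
    actions = [("passive", f"notify operator: {alert}")]
    if alert["kind"] == "misuse":
        actions.append(("active", "amend environment: suspend account %s pending review" % alert["user"]))
    else:
        actions.append(("active", "collect more information: raise audit level for hour %02d" % alert["hour"]))
    return actions


def analyze(records=RECORDS, baseline=BASELINE_FAILURES_PER_HOUR):
    """Run both schemes and return (alerts, responses), responses paired by alert kind."""
    alerts = misuse_detect(records) + anomaly_detect(records, baseline)
    responses = [(a["kind"], respond(a)) for a in alerts]
    return alerts, responses


if __name__ == "__main__":
    for alert, (_kind, actions) in zip(*analyze()):
        print(alert)
        for category, action in actions:
            print("   ", category, "->", action)
```

The misuse detector finds only what its signatures describe; the anomaly detector finds the unusual hour without knowing what happened in it but would also flag a legitimate burst of typos. Running both, as the chapter's conclusion suggests, gives the responder both a named problem and a statistical hint to investigate.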
Edited on: Monday, August 04, 2008 9:11 AM
Categories: intrusion detection
Friday, August 01, 2008
Bace: Ch 3--Information Sources
Bace is taking it one chunk at a time, which is good for somebody like me. Intrusion detection systems determine whether an intrusion has been made based on information. This chapter discusses where the information on which the decision is made comes from. She also talks about the different levels of abstraction of information, and how they can affect the intrusion determination.
She talks about operating system audit trails and system logs. The audit trails are lower level and more secure. She gave real world examples, with Solaris Basic Security Module and Windows NT event logger. Now the thing is, I guess I thought of BSM as being an audit trail and event logger as system logs. Actually, I'd never heard of BSM before, and I'm wondering if anything similar is present in Linux. Maybe that's what the commercial versions provide.
The need for audit reduction is described. The gears shift from host-based information sources to application based. On page 60, she says the intrusion detection community thinks that all the important ID information will be at the application level. I wasn't understanding why until I read her examples about database systems. Some computer systems exist only to run extremely large scale applications like databases or web servers, so yeah, that's where all the information would be. Network based sources were discussed, but most of it was either stuff I knew or had at least heard of.
And she said that there are other sources--including human sources. Of course we set configurations and such, but we can also feed the machine outside information that it doesn't have access to but is relevant. She also pointed out that data within the sphere of computer security but outside of intrusion detection can be useful. Her example was physical security logs to corroborate whether a masquerader is at large.
Thursday, July 31, 2008
Bace: Ch 2--Concepts and Definitions
No surprises here. Pretty short chapter. Starts off with an introduction to intrusion detection where the components and goals are stated. A lot of the chapter actually deals with security in general rather than intrusion detection. Formal definition of computer is given with the security triad of confidentiality, integrity and availability. Threat, vulnerability and the relationship between the two are mentioned. Security policy is covered. Other parts of security infrastructure are touched upon: access control, identification and authentication, encryption and firewalls. Intrusion detection systems are classified and the components are listed. Page 41 deals with response, and I learned a few things. I guess I should have known, but response is a lot broader than what we hear about the most, which is going on the attack. Using Bace's definition of response, all intrusion detection systems are response systems, which I guess I've kinda thought all along was correct.
Wednesday, July 30, 2008
Bace: Ch 1 continued
These were thoughts that came to me as I was reading, not actually material from the book itself...
Can an IDS backtrack password guessers? If you have an IP, can the system check to see who is behind the IP? Can the IDS investigate, play detective? If it's an internal threat, it should be easy, but if it's an external threat, it could be hard. But could a person somehow monitor that remote IP to see what else that person is doing? Maybe they logon to some system that shows their name or username. Maybe you can get a general idea of who they are by the websites they look at. If they look at tamu.edu there is a strong chance that they are a prospective or current student (with a smaller chance of being a former student). But I guess before I go too far down that rabbit trail, ethical considerations need to come into play. Is that legal? Invasion of privacy? I'm thinking not, especially if the person was clearly trying to guess passwords on your system. Don't you have a right to try to figure out who that person is?
Better yet, can I get a person's MAC address if I know their IP? That would be more useful than an IP in this day of DHCP. But I'm guessing the IP address would be more helpful in trying to track the person. Should this program be named after a tracking dog (Malamute??) or a detective (Ollie, Bacon?)
...
I'm so ignorant. Bace tells me on page 22 that my tracking system idea was done 18 years ago, in a system called DIDS.
...
So overall, chapter 1 pretty much lived up to its name. I got a short history of intrusion detection. What's nice is it not only tells the systems, but it also tells the players, including the principal architect of each system. What's disturbing is that this book's history stops at 1990. The book was published in 1999, and I was content to have a book that is almost a decade old if it was pretty definitive. But if the information is actually decades old...I don't know. Well, I guess I'm not reading this book for the systems, but to gain an understanding of the concepts, so this book still should be okay, I hope...
Bace: Ch 1--History of Intrusion Detection
I understand that just as the basis of intrusion response is intrusion detection, the basis of intrusion detection is audit. She defines audit as the process of generating, recording, and reviewing a chronological record of system events (page 7). The Tan Book states that one of the goals of an audit mechanism is to provide assurance that attempts to bypass the system will be recorded and discovered. This made me think again of my idea to have duplicate logs on multiple systems, as many systems as the security administrator can get his hands on. I'm thinking that it wouldn't be too much trouble to send logs to about half a dozen systems, and an intruder would be hard pressed to delete logs from all of them. At the very least it would take a lot of time. But could the mechanism that facilitates sending the logs itself make the recipients vulnerable to attack?
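The replicated-log idea in this entry, as an added example that is not from the post: each record is hash-chained to the one before it and every record is copied to several collectors, so a deleted or altered record on any one copy is detectable by verifying that copy's chain and comparing its newest hash with the other copies. The log lines are constructed, and the collectors are simulated as in-memory lists standing in for separate hosts.

```python
import copy
import hashlib
from collections import Counter

GENESIS = "0" * 64  # fixed previous-hash for the first record


def chain_entries(lines):
    """Turn raw log lines into hash-chained records. Each record's hash covers
    the previous hash, so removing or editing a record breaks every later link."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        digest = hashlib.sha256((prev + "|" + line).encode()).hexdigest()
        records.append({"seq": seq, "line": line, "prev": prev, "hash": digest})
        prev = digest
    return records


def send_to_collectors(records, collectors):
    """Replicate every record to every collector. Collectors are simulated as
    lists here; a real deployment would forward to separate hosts that only
    accept and store records, never execute anything in them."""
    for store in collectors.values():
        store.extend(copy.deepcopy(records))


def verify_chain(records):
    """Return the index of the first broken link (gap, reordering or altered
    content), or None when the chain is intact."""
    prev = GENESIS
    for expected_seq, record in enumerate(records):
        if record["seq"] != expected_seq or record["prev"] != prev:
            return expected_seq
        recomputed = hashlib.sha256((prev + "|" + record["line"]).encode()).hexdigest()
        if recomputed != record["hash"]:
            return expected_seq
        prev = record["hash"]
    return None


def reconcile(collectors):
    """Cross-check the copies. A broken chain means a record was removed or
    changed in the middle; an intact chain whose newest hash disagrees with
    the majority means the newest records were cut off. Returns {name: status}."""
    heads = {name: (store[-1]["hash"] if store else None) for name, store in collectors.items()}
    majority = Counter(heads.values()).most_common(1)[0][0]
    status = {}
    for name, store in collectors.items():
        broken = verify_chain(store)
        if broken is not None:
            status[name] = "chain broken at seq %d" % broken
        elif heads[name] != majority:
            status[name] = "head differs from majority (truncated copy?)"
        else:
            status[name] = "ok"
    return status


def demo():
    """Constructed scenario: five log lines sent to three collectors, then one
    record deleted from the middle of copy b and the newest record cut from copy c."""
    lines = ["sshd: accepted publickey for alice",
             "sudo: alice : COMMAND=/usr/bin/less /var/log/auth.log",
             "sshd: failed password for invalid user admin",
             "sshd: failed password for invalid user admin",
             "cron: (root) CMD (run-parts /etc/cron.hourly)"]
    collectors = {"collector-a": [], "collector-b": [], "collector-c": []}
    send_to_collectors(chain_entries(lines), collectors)
    del collectors["collector-b"][2]
    collectors["collector-c"].pop()
    return reconcile(collectors)


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

The majority vote is what makes the half-dozen-copies idea pay off: an intruder has to alter enough copies consistently to outvote the rest, and even then each copy's chain must be recomputed from the altered point forward. The entry's closing question about the forwarding mechanism itself is not answered by this code; it only assumes the collectors accept and store.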
Bace: Introduction
I decided a long time ago that I would use Rebecca Gurley Bace's book Intrusion Detection to get me up to speed on intrusion detection. Now I'm finally actually reading the book. I like how in her introduction she describes the cycle of how new technology is adopted and eventually abused, bringing about the need for regulation (page 1).
On page 2 she defines intrusion detection as the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems. I actually told someone a few minutes ago that my thesis was on intrusion detection. I guess I'd forgotten that my thesis is actually on intrusion response. Intrusion detection is part of intrusion response, so I figured I'd get that base. Plus I haven't found any definitive books on intrusion response. Perhaps I can write one someday.
Edited on: Wednesday, July 30, 2008 11:13 AM
Categories: intrusion detection
Tuesday, July 29, 2008
Last Week
I didn't accomplish much last week. I'd been on 'vacation' since my dad came to town, which was around June 14th. The previous week we went to Florida. I don't even think I made it to the library until at least Tuesday, maybe Wednesday. I pulled the Intrusion Detection book off the shelf several times, but I didn't do any actual work. I remember now, that first day I spent time trying to create a sample C++ program to create a Windows (Vista) Contacts object. The goal was to familiarize myself with Windows Contacts to create a Thunderbird plugin. I failed miserably. A Windows Contact is a COM+ object, and creating one isn't as cut and dried as I thought.
I honestly don't remember doing anything of value on Thursday. No, wait, I emailed Willis Marti telling what little I actually had done and asking him if Patrick had actually gone to CCDC. He said he'd been as a participant and as a coach. On Friday, I started working on getting Thingamablog to the place where I could use it for all my blogging needs. I finished that today. My goal is to merge entries from both previous blogs into Thingamablog. It would be a cut and paste job if it weren't for the fact that the dates have to be entered using the form field. That's going to take time for each entry.