Session-13 - Database Security Intrusion Detection&...

Database Security: Intrusion Detection & Protection (Session 13)

Where is the threat?
- Most computer-security money is spent on prevention, a bastion mentality.
- Most of the loss is from insider activity (82%).

Intrusion Detection (ID)
- Intrusion detection is the art of detecting and responding to computer misuse.
- Deterrence: we will find out what you did and catch you.
- Detection:
  - Misuse detection, based on known patterns of attack (signatures).
  - Anomaly detection, based on a profile of expected behavior:
    - patterns of acceptable behavior
    - patterns of known misbehavior

Intrusion Detection (continued)
- Response.
- Damage assessment: needs to be assessed in dollar terms.
- Attack anticipation: when (time of year/day; significant dates) and type.
- Prosecution support (forensics).

Comparison of Network- and Host-Based Intrusion Detection
- Host based: patterns of file access; patterns of application execution.
- Network based: analysis of packets and other network activity.

Sensor Placement & Firewalls
- Sensors placed outside the firewall (sometimes called the DMZ, or demilitarized zone) are useful for detecting the source addresses attempting to attack and for attack anticipation.
- Sensors placed inside the firewall are useful for detecting attacks that get through the firewall and for unauthorized traffic going out.

Attacker Skills (skill level / ability / evidence)

Clueless
  Ability: Virtually no skills.
  Evidence: All activities are readily apparent.

Script Kiddie
  Ability: Able to find ready-made exploit scripts on the Internet and run them following rote instructions. This code may give them root access, activity-hiding capabilities, and back doors for return visits. Unable to deal with non-standard UNIX configurations.
  Evidence: May attempt to cover tracks, but with limited success. Activities can be detected with minimal effort.

Guru
  Ability: Equivalent to an experienced systems administrator. Able to manipulate UNIX systems that are not configured in the standard way. Able to program in C, Perl, and shell script. Checks for the existence of security programs and for logging performed off-system.
  Evidence: Carefully clears out log files to remove evidence of the original compromise. Leaves no obvious traces associated with the account used to access the system. May leave Trojan horses behind for future access.

Wizard
  Ability: Intimate knowledge of UNIX internals. Capable of programming in assembly language. Can manipulate hardware and software. Very rare!
  Evidence: Leaves virtually no useful evidence on the attacked host.

Hierarchy of Attacker Skills (diagram)

Attacker Chain of Attack (diagram: Target, Attacker, Dial-In Source, Proxy, Attack)
- No attack code running on the original workstation.
- Dial-up to a stolen ISP account.
- Might use a hacked phone switch to confuse the trail....
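The slides contrast misuse detection (signatures of known attacks) with anomaly detection (a profile of expected behavior). The Python below is an added example, not part of the lecture material: it runs both approaches over a handful of constructed database audit-log lines. The audit-line format, the two signature rules, the per-user profile (tables touched and hours of day active) and the user names are all assumptions made for the demonstration. The output shows why the two approaches are complementary: the tautology predicate is caught only by a signature, while the read of a table the user has never touched is caught only by the profile.

```python
"""Misuse (signature) detection beside anomaly (profile) detection over
database audit-log lines.

Added example, not part of the lecture slides. The audit-line format, the two
signatures and the per-user profile (tables touched, hours active) are
assumptions made for this demonstration; the log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: "<ISO timestamp> <user> <SQL statement>".
BASELINE_LOG = [  # a quiet period used to learn each user's normal behaviour
    "2009-03-02T09:01:10 alice SELECT name FROM customers WHERE id = 17",
    "2009-03-02T09:02:41 alice SELECT total FROM orders WHERE id = 900",
    "2009-03-02T09:05:03 alice UPDATE orders SET status = 'shipped' WHERE id = 900",
    "2009-03-02T09:07:55 bob SELECT balance FROM accounts WHERE id = 3",
    "2009-03-02T09:09:12 bob SELECT balance FROM accounts WHERE id = 4",
]
LIVE_LOG = [  # the period being monitored
    "2009-03-03T09:03:10 alice SELECT name FROM customers WHERE id = 18",
    "2009-03-03T09:04:00 bob SELECT balance FROM accounts WHERE id = 3 OR 1=1",
    "2009-03-03T09:04:30 alice SELECT salary FROM payroll WHERE id = 2",
    "2009-03-03T09:05:00 carol SELECT name FROM customers WHERE id = 1",
    "2009-03-03T23:15:00 bob DROP TABLE audit_log",
    "2009-03-03T23:16:00 bob SELECT balance FROM accounts WHERE id = 3",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (.+)$")
# Table names follow FROM / UPDATE / INTO / TABLE in the statements above.
TABLE_RE = re.compile(r"\b(?:FROM|UPDATE|INTO|TABLE)\s+([A-Za-z_]\w*)", re.IGNORECASE)

# Misuse detection: signatures of known misbehaviour (rule names are assumed).
SIGNATURES = {
    "destructive-ddl": re.compile(r"\b(?:DROP|TRUNCATE)\s+TABLE\b", re.IGNORECASE),
    "tautology-predicate": re.compile(r"\bOR\s+(\d+)\s*=\s*\1\b", re.IGNORECASE),
}


def parse(line):
    """Split one audit line into timestamp, user, SQL text and referenced tables."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts, user, sql = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "sql": sql,
            "tables": {t.lower() for t in TABLE_RE.findall(sql)}}


def misuse_alerts(events):
    """Flag every statement matching a signature of known misbehaviour."""
    return [(ev["user"], name, ev["sql"])
            for ev in events for name, pat in SIGNATURES.items() if pat.search(ev["sql"])]


def build_profiles(events):
    """Learn, per user, the tables touched and the hours of day active."""
    profiles = defaultdict(lambda: {"tables": set(), "hours": set()})
    for ev in events:
        profiles[ev["user"]]["tables"] |= ev["tables"]
        profiles[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(profiles)


def _off_hours(hour, hours):
    # More than one hour away from every profiled hour (circular over 24h).
    return all(min(abs(hour - h), 24 - abs(hour - h)) > 1 for h in hours)


def anomaly_alerts(events, profiles):
    """Flag deviations from each user's profile of acceptable behaviour."""
    alerts = []
    for ev in events:
        p = profiles.get(ev["user"])
        if p is None:
            alerts.append((ev["user"], "unknown-user", ev["sql"]))
            continue
        new_tables = ev["tables"] - p["tables"]
        if new_tables:
            alerts.append((ev["user"], "new-table:" + ",".join(sorted(new_tables)), ev["sql"]))
        if _off_hours(ev["ts"].hour, p["hours"]):
            alerts.append((ev["user"], f"off-hours:{ev['ts'].hour:02d}", ev["sql"]))
    return alerts


def run_detection(baseline_lines, live_lines):
    """Return both alert lists for a baseline window and a monitored window."""
    profiles = build_profiles(parse(l) for l in baseline_lines)
    events = [parse(l) for l in live_lines]
    return {"misuse": misuse_alerts(events), "anomaly": anomaly_alerts(events, profiles)}


if __name__ == "__main__":
    for kind, alerts in run_detection(BASELINE_LOG, LIVE_LOG).items():
        for user, reason, sql in alerts:
            print(f"{kind:7} {user:6} {reason:22} {sql}")
```

The signature list only ever catches what someone already wrote a rule for, and the profile only ever flags what differs from the learned window, so a baseline recorded while an insider was already active would silently teach the detector that the misuse is normal; in practice the two lists are reviewed together and the profile is relearned from a vetted period.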
This note was uploaded on 12/23/2009 for the course DBST dbst 668 taught by Professor Yelena - ta during the Spring '09 term at MD University College.