Incident Handling Steps
The response to systems security incidents is as important as detection, if not more so. The actions you take after identifying an incident will not only affect your organization's operations, but may also shape future response procedures, your security posture, and the outcome of the situation.
This article covers the topic of response, including matters of scale, operational constraints, appropriate countermeasures, legal concerns, and hints for proper implementation. While not technical in nature, this study of response procedures might give you some insight on how to handle the more ambiguous elements of systems security: human factors, policy, and time.
Friday, August 16, 2002
Bait and Switch Honeynet
The idea of a "Bait and Switch" honeynet is to use an otherwise passive security mechanism as a defensive security layer.
A would-be attacker sends an exploit to your production server. Snort picks this up and sends an alert. A series of bash scripts -- probably using swatch -- picks up this alert, recognizes that it is a serious alert, and takes action. The action taken is to redirect the iptables port-forwarding rules from your production machine to a honeynet machine on another network or subnet (isolated from production at any rate). (Note: only traffic from the hostile IP should be diverted. Everything else still goes to production.) This honeynet machine has the following characteristics: it is not normally accessible from the outside world -- only when the Bait and Switch system kicks in. Secondly, it should look -- on the surface -- as much like your production machine as possible. It should not contain any sensitive data, database access, etc. You don't want the attacker to realize that he's been switched before he gives up attacking, but if it held compromisable information, it wouldn't be a honeynet, eh? There are some timing issues with this, but they are acceptable for these purposes. For example, a single-packet FTP root-level exploit may succeed, but if traffic is diverted to the honeynet immediately afterwards, the attacker will never realize it succeeded and would not have access to the machine to take advantage of the exploit anyway.
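The trigger half of that design, as an added example that is not code from the original post or from any project: it parses Snort "fast"-format alert lines, keeps only serious alerts aimed at the production host, and emits the iptables commands that divert just that source IP to the honeynet. The interface name, host addresses and sample alert lines are assumed and constructed.

```python
# Bait-and-switch trigger for the setup described above: a serious Snort alert
# becomes iptables commands that divert ONLY the alerting source IP (constructed).
import re
from typing import Dict, List, Optional

EXT_IF = "eth0"               # assumed external interface of the gateway
PRODUCTION_IP = "192.0.2.10"  # assumed production server behind the port-forward
HONEYNET_IP = "10.99.0.10"    # assumed honeynet host on an isolated subnet
SERIOUS_PRIORITY = 1          # only Snort priority-1 alerts flip the switch

# Tail of a Snort "fast" alert: [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{\w+\} "
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)? -> (?P<dst>\d+(?:\.\d+){3})(?::\d+)?"
)

# Constructed sample alert lines (not captured from any real system).
SAMPLE_ALERTS = [
    "08/16-10:01:02.000001 [**] [1:1000001:1] EXPLOIT ftp format string attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 203.0.113.7:40213 -> 192.0.2.10:21",
    "08/16-10:01:05.000002 [**] [1:1000002:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] "
    "{ICMP} 203.0.113.8 -> 192.0.2.10",
]

def hostile_source(alert: str) -> Optional[str]:
    """Source IP of a serious alert aimed at production, else None."""
    m = ALERT_RE.search(alert)
    if not m or int(m.group("prio")) > SERIOUS_PRIORITY:
        return None
    return m.group("src") if m.group("dst") == PRODUCTION_IP else None

def divert_rules(src: str) -> List[str]:
    """iptables commands that send one source IP to the honeynet."""
    return [
        # Position 1 so this beats the general port-forward to production;
        # the -s match is what keeps every other client on production.
        f"iptables -t nat -I PREROUTING 1 -i {EXT_IF} -s {src} "
        f"-j DNAT --to-destination {HONEYNET_IP}",
        f"iptables -I FORWARD 1 -s {src} -d {HONEYNET_IP} -j ACCEPT",
    ]

def process_alerts(lines: List[str]) -> Dict[str, List[str]]:
    """Map each newly hostile source IP to its rules; repeats are ignored."""
    diverted: Dict[str, List[str]] = {}
    for line in lines:
        src = hostile_source(line)
        if src and src not in diverted:
            diverted[src] = divert_rules(src)
    return diverted
```

The commands are returned rather than executed so the decision logic can be tested offline; a swatch action would run them on the gateway, and a matching cleanup that deletes the rules after a timeout is needed in practice.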
Network Sniffers explained
Sniffers, also known as network analyzers, are tools used for monitoring network traffic. As such, when used by authorized personnel, they can prove to be of great value. On the other hand, sniffers represent a significant threat to your network and are very hard to detect.
Why a threat, one might wonder? Sniffers do not pose a direct threat to your data in the common sense of the word, as viruses or malicious code do. No, the threat lies in the fact that sniffers are network analyzers designed to monitor network traffic. A high level of risk lies in the abuse of sniffers: an attacker or a hostile user can gather information that travels through the network, sensitive information like passwords and other confidential data, stored in plain text or other formats. Usually, the presence of a sniffer on the network can indicate future, more serious attacks against the network. Information gathered through sniffers can be used for upcoming attacks and further network compromises, and can lead to complete data disclosure and network compromise. So, it is of great value to recognise the risks posed by network sniffers.
If you want to test your network and try out some sniffers and their features, I'd advise you to try the following: Ethereal, available for both Unix/Linux and Windows, or Sniffit, a Unix/Linux-only tool. Of course, there are others, all flavours included, GUI or promp
Thursday, August 15, 2002
Speak Freely for Windows and UNIX
Speak Freely is a program for 80x86 Windows machines and a variety of Unix workstations which lets you talk to other people across a local network or (with a fast enough link or enough compute power to compress and decompress audio in real time) the Internet. Optional party-line support and data compression are available, using the algorithm employed by GSM digital cellular telephones to reduce bandwidth requirements to 1700 characters per second. Sound packets can be encrypted with IDEA, DES, a binary key supplied in a file, or any combination. Speak Freely cooperates with a copy of PGP installed on your computer to automatically exchange session keys with users on your public keyring. Windows and Unix machines can intercommunicate, and Speak Freely can communicate with other Internet voice programs which support RTP or VAT protocol.
Pseudorandom Number Sequence Test Program
This page describes a program, ent, which applies various tests to sequences of bytes stored in files and reports the results of those tests. The program is useful for those evaluating pseudorandom number generators for encryption and statistical sampling applications, compression algorithms, and other applications where the information density of a file is of interest.
MAC Addressing and ARP Functionality
The following paper covers the usefulness of the MAC address and the inner workings of the Address Resolution Protocol on an Ethernet network.
Wednesday, August 14, 2002
TRACING AN IP (Internet Protocol)
Here I have figured out some very easy but cool ways to trace the geographical location and other information, such as ISP details, of a remote computer using its IP.
Tuesday, August 13, 2002
Introduction to Denial of Service
In this paper I have tried to answer the following questions:
- What is a denial of service attack?
- Why would someone crash a system?
- How can someone crash a system?
- How do I protect a system against denial of service attacks?