Thursday, February 28, 2008

Other IDS Features to Consider continue...

Monitoring and Privacy

Keystroke monitoring has not been a fruitful approach to intrusion detection. As with many other computer science endeavors, context-sensitive analysis of data is one of the most difficult reasoning challenges for a program. Therefore, no commercial IDSs rely on keystrokes for determining misuses or intrusions. If such a tool were to exist, how would you handle privacy issues?

Most companies own the intellectual property of employees and also legally restrict computer activities to only those approved by management. A common practice is to present this warning to all computer users as part of the normal login message. This does not mean that all managers in a company own all of the correspondence of all of the employees. Especially unclear is how to handle the conflict that arises between privacy and monitoring. For example, if your IDS does monitor keystrokes, then someone is capable of reading the e-mail of employees. Sure, the company owns the content of these messages anyway. But what if the message is from an employee to a superior complaining about harassment on the job? Is this something from which an IDS might generate alerts or message excerpts?

Unfortunately, you should be worried about privacy and IDSs even though they do not perform keystroke analysis. What if someone is filling out a medical form online and enters words such as "attack," "weakness," and "confidential?" Many network sniffers would look for these as part of a standard set of watch words. Ideally, you could configure the sniffer to ignore these words when the user was in the context of a medical application online, but it's unlikely the tool supports this because it is a difficult algorithm to generalize.

System monitoring tools also require caution. Audit trail reports contain the full command and its parameters in most cases. Knowing that an employee is suddenly sending several mail messages to someone in personnel could be confidential. This situation particularly becomes a problem if the manager is receiving IDS usage reports (to look for misuse problems), and the employee is documenting improper behavior by that manager. In this particular case, the best advice is to document the problem on a home computer rather than risk discovery by unauthorized sniffers being used at your site.

By the way, these privacy problems are not limited to intrusion detection. In plenty of cases, developers use network sniffers to capture packets that are needed to debug a problem. Separating confidential information from test environments is the right approach for solving this dilemma. An interesting legend has gone around about how some user IDs and passwords from a reputable company found their way into one distribution of Crack when the software was tested in a production environment.

If you run a scanner and configure it to mail reports, verify your configuration so that you are not mailing the list of easily guessed passwords to everyone at your site, or even worse to your favorite newsgroup on the Internet. In some instances, someone mailed the output of a scan to a personal account outside the company, and the mail message flowed in the clear across the Internet. Remember, without encryption the Internet is like one big party line that many people share.

Finding New Attacks

Companies that build IDSs know the importance of keeping up with new attacks. Companies do this in several ways.

ISS recently has put together a talented team called the X-Force. This group spends a great deal of time uncovering their own exploits, as well as maintaining contacts in the hacker community. Secure Networks, Inc., also has a dedicated team of researchers that look for exploits, as did the WheelGroup (now folded into Cisco). These folks spend a good portion of their day looking for weaknesses in systems and networks. If you subscribe to BUGTRAQ, Best of Security, NT Security, and other security mailing lists, you'll see the names of some of these folks appear regularly. They also are frequent panel members at conferences such as DEFCON and Usenix Security.

Another group of ethical hackers operates as LOpht Heavy Industries. Once described as "rock stars of computer security," the LOpht is responsible for discovering well-announced weaknesses in products such as Kerberos V4 and Microsoft NT. The most famous output from the lab is the NT password cracker developed by two of the team's members. Hacking in a private laboratory because it's fun and interesting is perhaps the best motivation for finding security holes in products. That's really why these exploit-hunting teams exist.

Early hackers broke into systems because they were curious and wanted to learn more. Many remote attacks occur for the same reason today. Not everyone is out to damage your systems, although plenty of people enjoy doing so. Staying in touch with hackers is one way that companies know the latest exploits. Don't be surprised if you find a consultant who has a history of attempted break-ins or even a conviction.

Security newsgroups and mailing lists are other avenues for keeping abreast of holes in systems. Most of these groups are moderated. A common rule of thumb is to notify the vendor before posting the flaw. Moderators are generally good about ensuring this happens. Unresponsive software vendors have sometimes been caught in the awkward situation of not knowing about an exploit because the mail from the discoverer was somehow lost in the corporate maze.

Other IDS Features to Consider

So far you've seen that Stalker and CMDS are complementary system-level IDSs that catch a number of attacks which scanners and network sniffers cannot. The next few sections summarize some other important issues to consider about system intrusion detection.

Ease of Set Up

Both Stalker and CMDS are distributed, client-server products. Depending on your network configuration, the installation and setup can be simple or complex. The usual rule of "your mileage may vary" is a good one to keep in mind.

Agent code must be installed on each CMDS target or Stalker agent. Although some autodiscovery is provided, the Server or Manager will need to be made aware of which nodes to monitor. The time it takes to configure nodes is a small constant value in most cases, but you need to multiply this value by the number of nodes you have.

As with most systems that rely on host names and IP addresses for identification, the use of dynamic host configuration protocol (DHCP) or regular changes to host identifiers will require additional administration. If you treat all monitored nodes uniformly, administration is simpler. However, if you want to analyze different statistics or attack patterns on each node, your administrative workload also will increase. Any variability in your monitoring requirements per node naturally will drive configuration changes on either agents or servers/managers.

Distributed Intrusion Detection

Neither Stalker nor CMDS tracks the activities of a given user across multiple systems unless the assumption is that a person will have the same UID across all systems in the enterprise. Because this assumption is highly unlikely—even though the login name might be the same, the UIDs across systems may not be equivalent—tracking the activities of a single user throughout the enterprise is not straightforward.

One solution would be to tag each audit record, when consolidated on the server, with the originating host's IP address. Unfortunately, this solution does not work for systems with multiple network adapters because the node will have several IP addresses. Also, in sites where IP addresses are assigned dynamically with DHCP, relying on an IP address to be meaningful would be a mistake because it could be reassigned at a future time. The host's name would probably be more reliable. When consolidating activities across systems, CMDS relies on the host's name and UID paired together to uniquely identify a user.
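
The three consolidation keys discussed above (UID alone, source IP plus UID, host name plus UID) can be compared on a handful of records. The following is an added example written for this post, not code from CMDS, Stalker or the book; the record layout, host names, addresses, UIDs and the enterprise identity map are all constructed for illustration.

```python
"""Consolidating per-host audit records so one user can be tracked across
systems.  Added example; the record format, hosts, UIDs and identity map are
constructed and do not reproduce any product's data format."""
from collections import defaultdict

# Constructed audit records as agents might forward them to a server.
# 'src_ip' is the address the record arrived from, 'host' is the node name the
# agent reports, 'uid' is the numeric user ID on that node.  db1 is
# multi-homed, so its records arrive from two different addresses.
RECORDS = [
    {"host": "db1",  "src_ip": "10.0.0.5", "uid": 1001, "login": "alice", "cmd": "lp payroll.txt"},
    {"host": "db1",  "src_ip": "10.0.1.5", "uid": 1001, "login": "alice", "cmd": "cp payroll.txt /tmp"},
    {"host": "web1", "src_ip": "10.0.0.9", "uid": 1001, "login": "bob",   "cmd": "ls"},
    {"host": "web1", "src_ip": "10.0.0.9", "uid": 1002, "login": "alice", "cmd": "vi /etc/hosts"},
]

def group_by_uid(records):
    """Naive consolidation keyed on UID alone: only valid if every host shares
    one UID space, which the text says is rarely true."""
    groups = defaultdict(list)
    for r in records:
        groups[r["uid"]].append(r["cmd"])
    return dict(groups)

def group_by_ip_uid(records):
    """Keyed on (source IP, UID): a multi-homed host is split into several
    apparent users, and DHCP reassignment would mix users over time."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src_ip"], r["uid"])].append(r["cmd"])
    return dict(groups)

def group_by_host_uid(records):
    """Keyed on (host name, UID), the pairing the text attributes to CMDS."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["host"], r["uid"])].append(r["cmd"])
    return dict(groups)

def user_activity(records, identity_map):
    """Resolve each (host, UID) pair to an enterprise-wide user name through a
    directory-style map (constructed here) and merge that user's activity."""
    groups = defaultdict(list)
    for r in records:
        who = identity_map.get((r["host"], r["uid"]), f"unknown@{r['host']}:{r['uid']}")
        groups[who].append(f"{r['host']}: {r['cmd']}")
    return dict(groups)

# Constructed mapping; in practice it would come from a central account registry.
IDENTITY_MAP = {("db1", 1001): "alice", ("web1", 1002): "alice", ("web1", 1001): "bob"}

if __name__ == "__main__":
    print(group_by_uid(RECORDS))       # UID 1001 mixes alice's and bob's commands
    print(group_by_ip_uid(RECORDS))    # db1's two addresses split alice's session
    print(group_by_host_uid(RECORDS))  # one key per (host, UID)
    print(user_activity(RECORDS, IDENTITY_MAP))
```

Keying on (host, UID) gives a stable per-node identity; the last step, mapping those pairs to one enterprise user, is exactly the piece the text says requires a system-independent user name.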

Distributed systems management framework vendors, such as Tivoli, are all too aware of this identity problem in networked environments. The favored approach is to assign a framework-specific host identifier that is persistent across changes in IP addresses or other system parameters, such as the planar ROM ID. Assigning a network user name that is independent of the system on which a user operates also would be useful. However, such an extension would require changes in core parts of the OS, such as the login process and the generation of audit records, in order to track user activities across multiple systems. One research project prototyped this approach for intrusion detection across systems (Snapp et al., 1991).

Wednesday, February 27, 2008

Outline marketing plan for Asuk Creative Limited a B2B provider of Internet services continue...

Objectives

The objectives are each built around the SMART criteria (specific, measurable, actionable, realistic and timed).

  • Increase market share. ASUK Creative Limited currently holds 2 per cent (200 servers) of the UK dedicated server market (approximately 10,000 dedicated servers). ASUK should plan to increase this steadily to 16.7 per cent after four years. Since the market share has risen from 0 to 2 per cent in one year without increased marketing, this is a realistic target.
  • Streamline ordering processes. The new web site called DediPower.com should incorporate online facilities for order processing, upgrades and support. The development of these features can continue over time but a fully featured site should be ready for launch.
  • Increase brand awareness/brand building. By launching a new site, ASUK can take advantage of a fresh start but still use all the advantages of an established company. A brand image of power and quality, yet competitive prices should be established through intensive marketing and excellent CRM. The company plans to have a powerful brand name within six months of launching the site.
  • Create self-contained entity for possible initial public offering (IPO) or trade sale. ASUK can aim for an IPO within three years, being sold either to a competitor or to a diversifying larger company. The sell value is currently £300,000. A target should be set to have this at £1 5 million within three years.
  • Expansion into international markets. The launch of DediPower means that foreign clients will become more accessible. The improved site will have support for international sales.
  • Improve CRM and customer support. By improving these fundamentals, ASUK aims to sell additional products to its current clients. Currently, 25 per cent of clients have bought additional services, and the aim is to increase this to 55 per cent within a year.

Strategies by target markets

  • Current customers. By rebranding, enforce customer loyalty and improve service level. Also provide an easier product upgrade path. Better support and customer self-service should also be provided.
  • Domestic. Build brand as a high-quality service with lower-value pricing. Offer three core incentives to show confidence in the product: thirty-day money back guarantee, UK price matching initiative, no minimum contract. ASUK will be the first company in the UK industry to offer all these incentives together in a genuine fashion.
  • International. Key strengths to marketing include sustainability and experience. The product will be positioned in the market as a high-end service, offering good performance for companies that have interests across Europe.

The marketing mix

  • Price. Although prices should be offered on a price match guarantee within the UK, they should be based around a product-line pricing strategy; that is, each customer can start with a basic product and build layers on top to create their custom product.
  • Product. The product is to be sold individually, but a discount should be offered for multiple sales and/or prepayment packages. Customer loyalty could be rewarded with additional free services.
  • Promotion. ASUK should base the promotion around an online marketing strategy, using online targeted banners and search engines, complemented by increased exposure on the major Web hosting guides. Publication to online and offline trade magazines of press releases and adverts will reinforce the respectability of the brand.

Evaluation and control

  • Monitor market share and company growth rate. Frequently obtain market share statistics. An estimate can be made by obtaining the total number of dedicated servers in the market segment and calculating the percentage of them that ASUK holds.
  • Occasional customer surveys to ensure support satisfaction is increasing. ASUK already has the facility to conduct customer surveys online. These should be conducted half-yearly to ensure that satisfaction objectives are met.
  • Demographic analysis of buyers and potential buyers. To determine whether ASUK is penetrating all potential markets sufficiently, customer account details should be collated and analysed to produce maps of customer distribution.

Outline marketing plan for Asuk Creative Limited a B2B provider of Internet services

This subsection was kindly supplied by Craig Martin and Spencer Tarring, ASUK Creative and Brunel University respectively.

Background

ASUK Creative Limited (www.asuk.com) was formed in 1998 to provide a complete set of services, from consultancy to hosting, in the business-to-business Internet industry. After introducing a small range of low-cost dedicated servers in 1999, this small Internet design company began to make an impact on the market. Its servers were the cheapest in the UK, and potential clients flocked to find the catch. At first, progress was slow, but Web-hosting guides and directories quickly picked up on the low prices, and market penetration began. Although ASUK Creative manages to compete successfully on price, it struggles to compete with the big players and the more established brand names such as Fasthosts (www.fasthosts.co.uk) and Dellhost (www.dellhost.co.uk) in the field of support and reliability. Growth over the first two years was steady, but at the end of 2001, ASUK faced a declining growth rate. ASUK's corporate Web site focuses on other parts of the business, such as Web integration consultancy and database programming, that are in decline. This is stunting the growth of the dedicated server product, while the market is growing rapidly. ASUK Creative Limited needs to take advantage of this growth by improving its marketing output.

Audit

Initially, an analysis of where ASUK stands can be achieved through a SWOT and PEST analysis as shown below:

SWOT

Strengths

  • competitive pricing on products;
  • no minimum contracts, whereas other competitors demand 12 months minimum;
  • quality and performance;
  • flexibility in product variations;
  • friendly service;
  • offers twenty-four hours, seven-day support;
  • existing loyal customer base;
  • recognized brand.
Weaknesses

  • small company in comparison to competitors;
  • low capital;
  • lack of product resilience;
  • poor support response times;
  • budget network operations centre;
  • only the English language supported by the sales and support teams;
  • online documentation thin and outdated;
  • under-staffed.

Opportunities

  • fast-growing international markets;
  • partnership opportunities with automated administration developers, opening the market to less experienced users.

Threats

  • competition increasingly dropping prices;
  • market saturation: many companies are trying to take advantage of the increase in market worth;
  • technological advances cause hardware to devalue quickly;
  • failure of suppliers to deliver mission-critical services;
  • decrease in bandwidth costs means more companies can afford in-house operations, eliminating the need for hosting companies.

PEST

Political

  • law in regard to copyright: since dedicated servers are not controlled by ASUK, it must ensure all users understand the law;
  • government actively encouraging use of Internet.

Economic

  • worldwide recession looms;
  • introduction of the euro;
  • fraud: the increase of credit card fraud has had two effects. First, ASUK receive more fraudulent orders; and second, real customers are less willing to give out card details.

Social and cultural

  • Language barriers: ASUK supports only English.

Technological

  • bandwidth usage; that is, easier access by users means that bandwidth levels are increasing;
  • speed of hardware redundancy (depreciation).

After carefully assessing ASUK's position and its strengths and weaknesses within its existing market, the owners came to the conclusion that it would be in ASUK's best interest to differentiate the dedicated server market from the other services it provides. This would entail establishing a separate entity, which in effect would require the building of a new brand. After they had conducted a survey of existing clients, it became apparent that the following features were needed:

  • the ability to manage services online;
  • the ability to upgrade services online;
  • more reliable technical and telephone support;
  • easier server management software for inexperienced users.

In order to build this brand, ASUK must eliminate these weaknesses identified by the survey, and add additional value to the service under the new brand. To encourage consumption and recognition of the new brand, the company needs to offer some value-added incentives. After assessing the existing market, ASUK identified three fundamentals employed by the industry that could also help obtain a competitive advantage:

  1. thirty-day 100 per cent money back guarantee (risk reversal program);
  2. UK price match;
  3. no minimum contract.

With the newly developed brand, ASUK will have the mechanism to penetrate fresh high-growth market areas such as Asia. For example, in India, dedicated server sales will hit $43.1 million by 2004; together with an annual growth rate of 146 per cent for the Application Service Provider (ASP) market, this gives opportunity and potential for ASUK to diversify into new market sectors.

Saturday, February 23, 2008

NT Security continue...

A final choice for directory objects is whether to audit only the current directory or to enable auditing for all of its subdirectories. This simplifies the administrator's task when auditing is being configured. Caution is necessary, though. If you turn auditing on for the NT system directories and subdirectories, your event-logging activities will slow down the computer. Because all major executables are in these directories, this is unfortunate. Watching for Trojan Horses in system directories is a reasonable goal for an IDS. Your only alternative is to be more granular in configuring auditing. For example, you could monitor everything except for read and execute events. This should catch most Trojan Horse attempts. However, if there is a file that only administrators should access, you might want to monitor any activity against that file. Be selective, or you quickly will notice sluggishness in your system's performance.

When you enable auditing for an object, the appropriate bits are set in that object's SACL. This activity itself generates an event that shows up in the log. Therefore, if you have turned auditing on for an object, and later you see an event that turns auditing off for that object, something unpleasant might be going on in your system.

Although not all NT IDS vendors choose to do so, a program can attach to the security event log and monitor events in real time. Today, Kane's Security Monitor and Centrax's eNTrax tools both periodically read the event log rather than process events in real time. An option to read the logs on an interval basis or to capture events in real time probably will be seen in future versions.

Not all events in the NT log contain sufficient data for IDSs to work. For example, remote logins do not identify the originating IP address or node name in the event record. An IDS vendor needs to gather this information from elsewhere in the system and correlate the information with the appropriate events—no trivial task. If the IDS is loaded as a service when the system boots, then process trees for login users can be constructed by monitoring the event log. Process and thread identifiers are associated with kernel data structures for sockets, pipes, and other communications data. Therefore, coalescing this information is possible and the IDS can use it to disconnect a remote user who is hacking the system.
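
The correlation step described above, reconstructing each logon session's process tree from the log and then tying those processes to socket ownership gathered outside the log, is shown here as an added example for this post; it is not code from the book or from any NT IDS vendor. The record layout, logon IDs, PIDs and addresses are constructed and do not reproduce the real NT event format.

```python
"""Reconstructing per-logon process trees from event-log style records and
correlating them with socket ownership.  Added example; the record layout,
logon IDs, PIDs and peer addresses are constructed."""
from collections import defaultdict

# Constructed events in arrival order.  A logon record carries only a logon ID
# (no originating address, as the text notes); process records carry the
# parent PID; 'socket' records stand in for kernel data gathered outside the log.
EVENTS = [
    {"type": "logon",   "logon_id": "0x3e7a", "user": "alice"},
    {"type": "process", "logon_id": "0x3e7a", "pid": 500, "ppid": 4,   "image": "cmd.exe"},
    {"type": "process", "logon_id": "0x3e7a", "pid": 510, "ppid": 500, "image": "net.exe"},
    {"type": "logon",   "logon_id": "0x4101", "user": "bob"},
    {"type": "process", "logon_id": "0x4101", "pid": 600, "ppid": 4,   "image": "explorer.exe"},
    {"type": "process", "logon_id": "0x3e7a", "pid": 520, "ppid": 510, "image": "regedit.exe"},
    {"type": "socket",  "pid": 500, "remote": "192.0.2.77:1037"},
    {"type": "socket",  "pid": 600, "remote": None},   # console session, no network peer
]

def build_session_trees(events):
    """Return {logon_id: {"user", "children": {ppid: [pid, ...]}, "pids": set}}.
    Only processes seen after their logon record can be attributed, which is
    why the text says the IDS must be running from boot."""
    sessions = {}
    for ev in events:
        if ev["type"] == "logon":
            sessions[ev["logon_id"]] = {"user": ev["user"], "children": defaultdict(list), "pids": set()}
        elif ev["type"] == "process":
            s = sessions.get(ev["logon_id"])
            if s is None:
                continue   # process for a logon we never observed; cannot attribute
            s["pids"].add(ev["pid"])
            s["children"][ev["ppid"]].append(ev["pid"])
    return sessions

def descendants(session, root_pid):
    """All PIDs under root_pid within one session, depth-first."""
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for child in session["children"].get(pid, []):
            out.append(child)
            stack.append(child)
    return out

def remote_peer(events, session):
    """Recover the peer address the logon record lacks by matching the
    session's PIDs against socket ownership records."""
    for ev in events:
        if ev["type"] == "socket" and ev["pid"] in session["pids"] and ev["remote"]:
            return ev["remote"]
    return None

if __name__ == "__main__":
    sessions = build_session_trees(EVENTS)
    for logon_id, s in sessions.items():
        print(logon_id, s["user"], sorted(s["pids"]), remote_peer(EVENTS, s))
```

With the tree in hand, the set returned by descendants() is the list of processes that belong to one remote session, which is the information an IDS needs before it can terminate that session cleanly rather than guessing from PIDs alone.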

There also have been cases in which events that an IDS depended upon were no longer emitted after service packs were installed. Ripple effects of bug fixes are the leading suspects for this problem. You undoubtedly have been hit by this same type of problem when vendors of other products choose to deprecate an interface that you were relying upon for an in-house application.

Event Records

Information provided in the NT event log record includes header fields followed by an event-specific description. Header fields are listed in Table 10.1. Table 10.2 shows the fields usually found in an event description.

Not all fields are always filled in for the record. For example, if a user's privileges are modified, in the Privileges field of the event record, you will find information describing what changed. Any time you see that someone has gained an administrator privilege, it's time to investigate and determine whether the change was legitimate. Object accesses are reported in the Accesses field of the description. Both fields can contain multiple lines of information when inspected through the Event Viewer on NT or through your IDS's browser.

Table 10.1 Header Fields for an Event Record

  • date
  • time
  • event ID
  • source of the record (security, application, system)
  • type of event
  • category (object access, system event, user event, and so on)
  • computer node name
  • user name

Table 10.2 Event Description Fields

  • object server name
  • object type (file or user, for example)
  • object name
  • a handle ID
  • operation ID
  • process ID
  • primary user name
  • primary domain
  • client user name
  • client domain
  • client login ID
  • information about any object accesses
  • information about any privileges changed

Luckily, if you have an IDS for NT, you do not need to sit and watch events as they appear in the event log. Instead the IDS will summarize the information and display alerts when necessary. If you have the option of deciding which attacks to watch for, or if your IDS will notify you about select individual events, then you might want to think about what you should monitor to catch NT attacks. The next few sections give recommendations and describe well-known attacks against NT. The topics covered are not meant to be exhaustive. New NT hacks are posted regularly. See the NTbugtraq archives maintained by Russ Cooper at www.ntbugtraq.com. He also moderates the NTbugtraq mailing list.

NT Security

Subjects in NT are processes and threads. Each process and thread is associated with an access token that is a complex data structure defining characteristics of the subject. One of the most important attribute lists in the access token is its privileges. Any time a process or thread is able to increase its privileges, that subject is able to access other resources that might normally be off limits.

Access control lists are associated with objects. There are two different kinds of ACL: object ACLs and system ACLs. Object ACLs control access requests by subjects. System ACLs control activities, such as auditing, for that object. Depending on the type of object, the ACL entries vary. For example, access control entries (ACEs) for files are different than they are for registry keys.

Based on this simple review, you probably see some of the important events to monitor on NT systems. Any time a change is made to a user's privilege list in the user database you want to be notified. Changes to ACLs for important system files and directories also are potential preludes to an attack. As in UNIX systems, you should watch for attempts to install Trojan Horses. Especially serious is any attempt—successful or not—to increase the privileges associated with a thread or process.

Sources of Data for NT IDSs

By now, it should be apparent to you that intrusion detection is a special case of monitoring. Performance monitoring tools track network traffic, system resource utilization, and application behavior. IDSs also need data from various sources to operate effectively.

Vulnerability scanners that assess the state of your machines operate in one of two modes. Remote assessments are carried out from a central console and targeted at individual nodes in your network. With a remote scan, no special software is needed on the target machines. Local assessments are undertaken by software specifically installed on the node. When a scan is activated by a remote manager station or by a scheduled job, the local scanning software runs on the target node itself.

NT local vulnerability assessment tools operate much the same way as UNIX scanners. They look at configuration information on the system, inspect the contents of files, scour through registry entries, and attempt to crack passwords in the SAM. Other features, such as file-integrity checkers, are supported as well. Recall that a local scanner has the advantage of operating on the system as a login user. This means that the local scanner can read files and access other resources that a remote scanner cannot. Of course, you must install the local scanning code on each target.

Remote scanners against NT systems probe for known network configuration problems, check for back-level programs with holes, and attempt to gain access to the system by breaking in as normal users or as the administrator. The source of data for these IDSs is primarily feedback that comes from interacting with NT network services or applications, such as the Internet Information Server (IIS). Remote scanners benefit from the fact that they do not run client code directly on the target. For this reason, vendors can combine both NT and UNIX probing into the same product. As in the case of UNIX remote scanners, it is possible to peer into some of the internals of an NT system even though you are not running a process on that system. For example, if the trust relationship is configured to permit remote access, some NT registry entries can be inspected. Microsoft's Server Message Block protocol also divulges information to remote scanners, including the list of currently logged in users.

Network sniffers for UNIX and NT often are combined into one product, too. The source of data is the same for UNIX and NT network sniffers. Only the attacks monitored vary between the two operating system types. Many attacks are equally applicable to the IP stacks on both, such as SYN Flood.

System-level IDSs in UNIX and NT rely on different datastreams. NT provides an event log (or audit log) that tracks many important activities on the system. Vendors who write system-level IDSs for NT, such as Centrax and Kane, depend on the event log for the data that drives their engines.

NT Event Log

There are really three different event logs in NT: system, application, and security. The security log is the one IDS vendors are most interested in watching. Records are stored in a log file as events occur. NT Administrators can control the behavior of the logging subsystem in a number of ways. Space is controlled by defining a limit on the size of the log file. When the threshold is hit, options include the following:

  • Overwriting events that are only N days old
  • Pushing out the oldest records as new ones come in
  • Halting the system to prevent loss of an audit trail

To configure auditing, you first decide which event categories you want to monitor:

When you know which categories of events to monitor, you must enable auditing for individual users and objects. Auditing is turned on for a user through the user and group manager application. To enable auditing for an object, such as a file or directory, you use the File Manager. For a file, you can select whether to monitor success or failures for the following access types: