![Page 1: USDA Cyber Security Awareness IDS Briefing Gregory Tepe Director, Federal Security Solutions](https://reader035.vdocuments.net/reader035/viewer/2022062314/56649e615503460f94b5be6b/html5/thumbnails/1.jpg)
USDA Cyber Security Awareness IDS Briefing
Gregory Tepe, Director, Federal Security Solutions
Topics
The need for Intrusion Detection
IDS Definitions
IDS Components
Q&A
Why do Federal Agencies need IDS?
The threat is real
— Insider (contractors, co-location facilities, malicious employees)
— Outsider (external hackers, mistaken network security tests, foreign governments)
When an attack occurs (and it will), organizations need to limit exposure, perform an accurate damage assessment and have evidence for potential legal action
Not a question of whether to install but which IDS to install
Why do Federal Agencies need IDS?
Prevent problems by increasing the perceived risk of discovery, i.e. deterrence
Detect problems that are not prevented by other security measures
— uncorrected known vulnerabilities
— open paths through firewalls
— DMZ locations
Detect preliminary attacks
— probes
— sweeps
— scans
Why do Federal Agencies need IDS?
Data Collection
— monitor and document the threats
— itemize and characterize internal and external threats
— incident handling
— recovery efforts
— investigation
Regulatory Measures Affecting Information Security
HIPAA—Health Insurance Portability and Accountability Act in the U.S.
Gramm-Leach-Bliley—Established standards for financial institutions to protect customer information.
British Standard BS7799—Divides the security policy into a five-step, cyclical process.
The EU Data Protection Directive (95/46/EC) – Establishes a high level of protection for personal data while permitting its free movement within the European Union.
More Susceptibility to Hackers
Growing complexity of threats
— More sophisticated attackers looking to cause more damage
— Blended threats
Insider attacks still predominant
Vulnerabilities are proliferating – configuration deficiencies & published lists
Hacker tools make attacks easier
Security perceived as a need, like insurance
Threats are increasing
Internal Threats
— Clueless users
— Disgruntled employees
— Downsized trusted users
— Embezzlers
External Threats
— Corporate Spies
— Criminals
— “Script kiddies”
— Terrorists
Because locks are not enough . . .
In 2001, U.S. businesses lost over $375 million to computer crime, but only 37% of the respondents could quantify the loss.
FBI estimates that well over half of the computer crime actually comes from inside the organization.
One of the biggest problems facing managers today is not having enough trained system administrators on-hand to properly configure and maintain their information resources.
CSI/FBI 2001 U.S. Security Survey - Dollar Loss by Type of Attack
Theft of Information: $151,230,100
Financial Fraud: $92,935,500
Virus: $45,288,150
Insider Net Abuse: $35,001,650
System Penetration: $19,066,600
Telecom Fraud: $9,041,000
Laptop Theft: $8,849,000
Unauthorized Insider Access: $6,064,000
Sabotage: $5,183,100
Denial of Service: $4,283,600
Telecom Eavesdropping: $886,000
Economic Impact of High-Tech Crimes in the U.S.
Average computer crime: $500,000
Average bank fraud: $25,000
Average bank robbery: $2,500
Managing Your Risk
Security is about managing risk – risk of:
— Loss of operational capability
— Loss of trust
— Financial loss and fraud
Risk is a function of:
— ASSET VALUE
< The value of the assets you are trying to protect
— THREATS
< Forces and entities which could bring harm to your assets
< Direct (e.g., hackers, employees) and indirect (e.g., flood, war)
— VULNERABILITIES
< Areas of weakness in processes, people and technology that would allow a threat to materialize.
IDS Asset Value
How much is your brand worth?
How much is your credibility worth?
How much is your network worth?
How much are your systems worth?
How much is your intellectual property worth?
Why do Federal Agencies need IDS?
A balanced defense for an in-depth security architecture
Firewalls and VPNs are not enough: a balanced and effective information security program requires both preventive and detective controls.
— Preventive Controls
< Systems put in place to prevent misuse and attack from occurring and/or succeeding, for example:
– Two-factor authentication (thumbprint scanner and password)
– Firewalls
– Virtual Private Networks
— Detective Controls
< Systems put in place to detect misuse/attack when preventive controls cannot be put in place or fail, for example:
– Reviewing system audit logs
– Intrusion detection systems
Intrusion Detection Systems
Intrusion DETECTION, not Intrusion CORRECTION
— “Sniffs” packets and detects potential threats
— Can store packets for later session re-creation
— MUST be monitored for proper security implementation
Searches IP packets
— Patterns in packets; “/cgi-bin/phf”
— Patterns of packets; port scans & sweeps
— Patterns that should not be there; illegal web servers
What are Network Intrusion Detection Systems (NIDS)?
Burglar alarms of the network
— Can identify someone “casing” the environment
< port scan
— Will detect unauthorized access
< remote password attacks
< breaches of the firewall
— Will detect system disruptions
< application buffer overflow
< Denial of Service
— Will sound the alarm
< 24x7 monitoring
— Will monitor and log forensic evidence to support the legal case
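The two detection classes the preceding slides describe, a pattern in a packet (the "/cgi-bin/phf" request string) and a pattern of packets (one source probing many ports on a host, or one port across many hosts), as an added Python example. This is not code from the briefing or from any product it mentions; the Packet record, the signature list, the two thresholds and the sample traffic are all constructed for illustration.

```python
"""Toy network-IDS pass over constructed packet records.

Two detection classes: a content signature inside a single packet
("/cgi-bin/phf") and a pattern across many packets (port scan: one
source hitting many ports on one host; sweep: one source hitting one
port on many hosts). Packets are constructed dicts, not a capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:            # minimal record; a real sensor decodes this from the wire
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Content signatures (name, byte pattern); constructed for the example.
SIGNATURES = [
    ("WEB-CGI phf access", b"/cgi-bin/phf"),
    ("WEB-CGI test-cgi access", b"/cgi-bin/test-cgi"),
]

SCAN_PORT_THRESHOLD = 10   # distinct ports on one host from one source (assumed value)
SWEEP_HOST_THRESHOLD = 5   # distinct hosts on one port from one source (assumed value)


def match_content(pkt):
    """Pattern *in* a packet: signature names found in this one payload."""
    return [name for name, pat in SIGNATURES if pat in pkt.payload]


def detect(packets):
    """Return (alert, source) tuples for content hits, port scans and sweeps."""
    alerts = []
    ports_per_host = defaultdict(set)   # (src, dst)   -> {dport}
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst}
    scan_reported, sweep_reported = set(), set()
    for pkt in packets:
        for name in match_content(pkt):
            alerts.append((name, pkt.src))
        # Pattern *of* packets: fan-out per source, reported once per key.
        scan_key = (pkt.src, pkt.dst)
        ports_per_host[scan_key].add(pkt.dport)
        if len(ports_per_host[scan_key]) >= SCAN_PORT_THRESHOLD and scan_key not in scan_reported:
            scan_reported.add(scan_key)
            alerts.append((f"PORT SCAN of {pkt.dst}", pkt.src))
        sweep_key = (pkt.src, pkt.dport)
        hosts_per_port[sweep_key].add(pkt.dst)
        if len(hosts_per_port[sweep_key]) >= SWEEP_HOST_THRESHOLD and sweep_key not in sweep_reported:
            sweep_reported.add(sweep_key)
            alerts.append((f"SWEEP of port {pkt.dport}", pkt.src))
    return alerts


def sample_traffic():
    """Constructed traffic: one phf probe, one port scan, one sweep, one benign flow."""
    pkts = [Packet("10.0.0.5", "192.0.2.10", 80,
                   b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n")]
    pkts += [Packet("10.0.0.7", "192.0.2.10", p) for p in range(20, 35)]      # scan: 15 ports
    pkts += [Packet("10.0.0.9", f"192.0.2.{h}", 445) for h in range(1, 9)]   # sweep: 8 hosts
    pkts += [Packet("10.0.0.11", "192.0.2.10", 443, b"\x16\x03\x01")]        # benign TLS hello
    return pkts


if __name__ == "__main__":
    for alert, src in detect(sample_traffic()):
        print(f"{src:12} {alert}")
```

The counters here never age out; a real sensor keeps them per time window, otherwise a slow scan spread over days either goes unreported or eventually trips the threshold from accumulated benign traffic.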
What are Host Based IDS (HIDS)
HIDS - Burglar alarms for the Server
— Resides on a customer’s key servers
— Operating System Support
< Linux
< Windows
< UNIX
— HIDS alarms are correlated along with NIDS, firewall and router events
< System logs
< Kernel calls
< File monitoring
Network Sensor Key Features
High-bandwidth support
Multi-method attack detection
— Detection using a combination of signature, protocol and system anomaly based techniques, so that an attack missed by one method can still be caught by another
Open and customizable signatures
— Signatures available to the user. This is critical in tuning signatures and in developing signatures unique to the operating environment.
DoS Detection
— Network Sensor employs multiple methods, including signature and protocol analysis techniques, to identify known and unknown DoS techniques, including distributed attacks.
Backdoor and rogue server detection
— NIDS ought to detect backdoors and rogue servers via many techniques including but not limited to protocol analysis, session analysis, and ICMP traffic profiling.
Network Sensor Ideal Features
Intrusion Prevention
— Event Sniping
< Terminate sessions via a TCP reset or ICMP unreachable message
— Shunning
< Configure ACLs on third-party firewalls and routers
Advanced buffer overflow detection
— Recognize unique patterns sent during an attack.
IDS evasion resistance (the sensor must see the same byte stream the target host sees, or fragmented and split traffic slips past the signatures)
— IP de-fragmentation and TCP/UDP stream reassembly
— Protocol decoding
< HTTP, FTP, Telnet, RPC, SNMP
DoS countermeasures
— Techniques for defeating tools such as “stick” and “snot” that attempt to DoS an intrusion detection system by flooding it with signature-matching decoy traffic.
IDS Detection Techniques
Greater Visibility/Granularity
Greater Number of events
Superior Forensics
Greater Performance
Increased ease of use
[Figure: packet header field layout (P, SA, DA, L/T, SIP, DIP)]
IDS vs. IPS
Performance
Latency
Accuracy
Host Sensor Key Features
Multi-method detection
— Log file analysis
< Host Sensor can analyze any file against a signature policy, whether it is the system log, the security log, or the log of a custom-built application.
— File attribute monitoring
< Monitoring of specific file attributes such as owner, group, permissions and file size for changes.
— File integrity checking (MD5)
< Monitoring files to determine whether their content has changed, via MD5 hashes. This provides assurance that sensitive files that should not be modified have not been modified.
— Backdoor service monitoring
< Host Sensor can monitor a system for new TCP and UDP ports. This provides critical protection against backdoor services, which can be used to allow unauthorized access through the firewall and/or be a staging point for a distributed denial of service or outright attack.
— Registry monitoring
< Host Sensor will analyze the Windows registry for attributes that should not be accessed and/or modified. This is essential in identifying attacks against often-targeted Microsoft servers.
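The file attribute monitoring, file integrity checking and backdoor service monitoring items above, as one added Python example (not code from the briefing or from the Host Sensor product): take a baseline of owner, group, mode, size and a content hash for every file under a directory, take a second snapshot after the files are tampered with, and report what changed; a second helper diffs two listening-port lists in the same baseline-and-compare style. The slide's product used MD5; the example hashes with SHA-256 because MD5 collisions are practical today, so a substituted file can be made to keep its MD5. The directory tree, the tampering and the port listings are constructed in a temporary directory for the example.

```python
"""Host-sensor style baseline/compare for file attributes, content and ports.

Records uid, gid, permission bits, size and a SHA-256 digest per file.
MD5, used by the product on the slide, is avoided: collisions are
practical, so a tampered file can be crafted to keep its MD5.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def file_record(path: Path, algo: str = "sha256") -> dict:
    st = path.lstat()
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
            "hash": h.hexdigest()}


def snapshot(root: Path, algo: str = "sha256") -> dict:
    """Relative path -> record for every regular (non-symlink) file under root."""
    return {p.relative_to(root).as_posix(): file_record(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(baseline: dict, current: dict) -> list:
    """(path, change) tuples; change is 'added', 'removed' or the changed attribute names."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed"))
        elif path not in baseline:
            findings.append((path, "added"))
        else:
            diff = sorted(k for k in baseline[path] if baseline[path][k] != current[path][k])
            if diff:
                findings.append((path, ",".join(diff)))
    return findings


def new_listeners(baseline_lines, current_lines) -> list:
    """Diff two constructed 'proto local_addr:port' listings; returns new (proto, port) pairs."""
    def parse(lines):
        return {(ln.split()[0], int(ln.split()[1].rsplit(":", 1)[1])) for ln in lines}
    return sorted(parse(current_lines) - parse(baseline_lines))


# Constructed listener snapshots (shape of `ss -lntu` output, simplified).
BASE_LISTENERS = ["tcp 0.0.0.0:22", "tcp 0.0.0.0:80", "udp 0.0.0.0:123"]
CUR_LISTENERS = BASE_LISTENERS + ["tcp 0.0.0.0:31337"]


def demo() -> list:
    """Constructed scenario: baseline a small tree, tamper with it, report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "etc" / "hosts").chmod(0o644)
        base = snapshot(root)
        # Tampering: extra UID 0 account (size and hash change), hosts made
        # world-writable (mode only), and a dropped preload file (added).
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\nbd:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").chmod(0o666)
        (root / "etc" / "ld.so.preload").write_bytes(b"/tmp/.x.so\n")
        return compare(base, snapshot(root))


if __name__ == "__main__":
    for path, change in demo():
        print(f"{change:12} {path}")
    print("new listeners:", new_listeners(BASE_LISTENERS, CUR_LISTENERS))
```

The baseline is only as trustworthy as its storage: a checker whose snapshot sits on the monitored host can have the snapshot rewritten by the same intruder who changed the files, which is why the off-host analysis on the next slide matters for integrity data too.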
Host Sensor Key Features
Open and customizable signatures
— Signatures are available to the user. This is critical in tuning signatures and in developing signatures unique to the operating environment.
Off-host analysis
— Host Sensor can analyze events sent via SNMP or syslog to a log analysis server. This is critical in monitoring the security of systems where Host Sensor cannot be installed such as routers and legacy systems. It can also be used to extend security monitoring to custom applications.
Windows event log analysis
— Host Sensor will monitor the various Windows event logs for signs of misuse or attack.
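The log file analysis "against a signature policy" from the previous slide and the off-host syslog analysis above, as one added Python example that is not code from the briefing or from Host Sensor: a small policy of regex signatures, each with a threshold keyed on a field of the match, run over syslog lines as they would arrive at a log analysis server. One extra rule correlates across lines (a successful login after repeated failures from the same source), which a single-line signature cannot express. The signature set, the thresholds and the log lines are constructed for the example.

```python
"""Signature-policy analysis over syslog lines shipped off-host (constructed).

A signature is (name, regex, threshold); the regex's 'key' group is the
field the threshold counts on, here the client address or account name.
A second, stateful rule fires when an accepted login follows repeated
failures from the same source.
"""
import re
from collections import Counter

FAIL_RX = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<key>\S+)")
SUCCESS_RX = re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for \S+ from (?P<key>\S+)")

SIGNATURES = [
    # name, regex, threshold (constructed policy)
    ("SSH brute force", FAIL_RX, 5),
    ("New UID 0 account", re.compile(r"useradd\[\d+\]: new user: name=(?P<key>[^,]+), UID=0\b"), 1),
    ("Sudo to root shell", re.compile(r"sudo:\s+(?P<key>\S+) : .*COMMAND=/bin/(?:ba)?sh\b"), 1),
]
FAILURES_BEFORE_SUCCESS = 3   # assumed correlation threshold


def analyze(lines) -> list:
    """Return (alert name, key) tuples in the order they fire."""
    alerts, fired = [], set()
    counts, failures = Counter(), Counter()
    for ln in lines:
        for name, rx, threshold in SIGNATURES:
            m = rx.search(ln)
            if not m:
                continue
            key = m.group("key")
            counts[(name, key)] += 1
            if counts[(name, key)] >= threshold and (name, key) not in fired:
                fired.add((name, key))
                alerts.append((name, key))
        if FAIL_RX.search(ln):
            failures[FAIL_RX.search(ln).group("key")] += 1
        m = SUCCESS_RX.search(ln)
        if m and failures[m.group("key")] >= FAILURES_BEFORE_SUCCESS:
            alerts.append(("Login after repeated failures", m.group("key")))
    return alerts


# Constructed syslog excerpt: a brute force that succeeds, a root-equivalent
# account being created, a benign sudo, and one mistyped password from bob.
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:04 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar  3 10:01:05 web1 sshd[2205]: Failed password for root from 198.51.100.7 port 51026 ssh2
Mar  3 10:01:07 web1 sshd[2207]: Failed password for root from 198.51.100.7 port 51028 ssh2
Mar  3 10:01:09 web1 sshd[2209]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:12 web1 sshd[2211]: Accepted password for root from 198.51.100.7 port 51032 ssh2
Mar  3 10:02:30 web1 useradd[2250]: new user: name=bd, UID=0, GID=0, home=/, shell=/bin/sh
Mar  3 10:03:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:05:00 web1 sshd[2301]: Failed password for bob from 10.0.0.23 port 40010 ssh2
Mar  3 10:05:03 web1 sshd[2303]: Accepted publickey for bob from 10.0.0.23 port 40012 ssh2
"""

if __name__ == "__main__":
    for name, key in analyze(SAMPLE_LOG.splitlines()):
        print(f"{name:32} {key}")
```

Shipping the lines off-host before analysis is what makes the second rule worth anything: an intruder who has just become root on web1 can edit or stop the local log, but not the copy that already left over syslog.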
Host Sensor Key Features
Enterprise Monitoring
— Web Server support
< Apache web server
< IIS web server
< Netscape web server
— FTP servers support
< IIS FTP server
< WU-FTP (FTP server)
— Application support
— Commercial Firewall Support
— Open Source Firewall Support
Q & A