Computer attacks and data breaches are inevitable. It seems like every day a data breach occurs and the victims of the data breach suffer. Their information is stolen or posted online. The company’s or businesses who had the breach go on, learn a little from the attack, and just give credit monitoring out as if nothing happened. What if you could help prevent a data breach in your organization? This is the third course in the Practical Computer Security specialization. This course looks at detection and mitigation of threats and attack vectors and discusses how to use tools and principles to protect information. By the end of the course you should be able to make suggestions on what type of detection and mitigation strategy is right for your systems or business given the known threats and attack vectors. You should be able to discuss what features you want in a firewall, or how cash registers or sensitive data systems should be secured. The project at the end of the course will allow you to apply what you have learned to argue what type of detection and mitigation strategies should have been employed by companies and businesses that have suffered a data breach.
HIDs and HIPs
Loading...
Del curso dictado por University of Colorado System
Detecting and Mitigating Cyber Threats and Attacks
58 calificaciones
University of Colorado System
58 calificaciones
Curso 3 de 4 en SpecializationCybersecurity for Business
De la lección
Detection and Prevention tools
This module covers intrusion detection and prevention tools used for both networks and systems. There will be demos of the tools so that you can understand how they might protect your network or systems better.
Conoce a los instructores
Greg WilliamsLecturer
Department of Computer Science
In this lesson, I will talk about Host Intrusion Detection Systems and
Host Intrusion Prevention Systems.
Host Intrusion Detection Systems should be used to
monitor your overall system architecture.
The reason that we're going to do this is because we can't look
at the entire network all the time.
And the entire network does not show us everything that is going on.
For example, if somebody logs in to a computer and
tries to use a local password five different times and
gets locked out of the computer.
Well, that is something that the network
intrusion prevention system is not going to tell us.
That is only going to be a function of a Host Intrusion Detection or
a Host Intrusion Prevention system.
So, Host Intrusion Detection or HIDs monitors hosts.
So we have a problem if we're just, if we start jumping from system to system.
Network Intrusion Prevention Systems are great at what they do, but
they can't look internally.
Host Intrusion Detection systems serve several different purposes.
They monitor files or directories,
they monitor system activity, they monitor system logs and
also report on patterns that they may see as malicious.
Now, not all software is going to do that, so
let's talk about two of these specifically.
The first one is going to be AIDE.
AIDE stands for Advanced Intrusion Detection Engine which is used for
integrity checking.
It's only used for integrity checking, so when a help desk or
when a lab is built, and we have what we called a Gold Image,
it means the standard image that we're going to deploy out.
What it'll do is make a hash database of all the files and
all the processes on that system.
In order to see if any of the main system files have
been compromised, we may run manually AIDE and
check the gold image versus the image that's running.
The problem with that is that's a very manual process,
it's not a scheduled tasks.
I guess you can make it a scheduled task but it would be more trouble than
it's worth because there's other tools out there such as OSSEC.
OSSEC stands stands for Open-Source Intrusion Detection System.
Actually it doesn't stand for that.
The second one is OSSEC.
OSSEC is used for many different systems and
not just Linux with AIDE is designed for.
OSSEC can be put on Windows,
it could be put on MAC and it could be put on Linux.
It's a very powerful Host Intrusion Detection System runs on Linux but like
I said you can use it on other systems and that's what we do here at the university.
Logs from OSSEC are hashed so they cannot be tampered with.
This is important because attackers generally
modify log files to make sure that they cover their tracks.
OSSEC has four basic components.
File Integrity Checking, AIDE only runs on a manual basis,
OSSEC does it every few hours.
Log Monitoring, OSSEC can report the logs to a central server,
which we'll look at here in a second.
A Rootkit Detection, OSSEC agents check for rootkits on a system every two hours.
That's something that AIDE cannot do.
And then Active Response, so responses are configurable.
Let's say that you logged in with or tried to login with local
password five different times, it could lock you out even though
you may not have a policy on your windows domain to do that.
There are some advantages and
some disadvantages of using Host Intrusion Detection.
The first one is going to be, Host Intrusion Detection
is a simple way of ensuring integrity remains in tact and
it's going to look at the system as a whole, a system entirely.
It's relatively easy administration and it meets compliance standards for
some industries, such as payment card industry systems.
We use this extensively in our PCI network here at the University.
Some disadvantages of using Host Intrusion Detection.
Well, installation and setup can be very cumbersome in the beginning,
but once it's done it just runs.
Files are changed frequently, so you get a huge amount of alerts.
Let's say that System32 in Windows is changed,
because of an update that Microsoft puts out.
That will alert OSSEC that something is happening.
Now, you can configure OSSEC and
some of the other ones like Tripwire, it's another,
but that's a commercial version HIDS piece of software.
But you can configure them to only look at certain directories if you want to.
But it is very chatty, so I get probably,
we may only have OSSEC on 30 different systems.
However I get several hundred emails a day from the system
about what's going on with the overall PCI network,
which is a good thing if we're looking at security.
Let's go to Splunk here, and let's look at,
Let's look at OSSEC.
So I just happened to type in OSSEC NOT host=potemkin
because that's one of our other servers that has OSSEC on it.
And I'm looking for anything that has the word password in it.
So what it's doing is it's going through, let's pick on one here, okay?
Let's pick on this one right here.
So on July 21st, which was two days ago on Friday,
says Alert Level 2: Rule: 1002 fired
Unknown problem somewhere in the system, okay?
Looks at var/log/secure, and it said,
looks like there was a pam module error, wrong password,
which is a good thing to understand, okay?
Here's another one.
This is one of our older systems for our book store, and
it's actually being decommissioned.
So there was an alert level five,
the higher the rule level the worst of the damage could be.
Here's the rule number and
it says Windows error event, location,
no domain, user password change required.
So it's going to give you a lot more information from the system than
just looking at certain logs.
In conclusion, Host Intrusion Detection Systems should
be used to ensure that your hosts are in good security status.
OSSEC is a great piece of software because it is open source and it's easy to manage.
Explora nuestro catálogo
Inscríbete de manera gratuita y obtén recomendaciones personalizadas, actualizaciones y ofertas.
Coursera brinda acceso universal a la mejor educación del mundo, al asociarse con las mejores universidades y organizaciones, para ofrecer cursos en línea.
© 2018 Coursera Inc. Todos los derechos reservados.
