HIDs and HIPs

Loading...

Del curso dictado por University of Colorado System

Detecting and Mitigating Cyber Threats and Attacks

105 calificaciones

Explore Related Videos

At Coursera, you will find the best lectures in the world. Here are some of our personalized recommendations for you

University of Colorado System

Detecting and Mitigating Cyber Threats and Attacks

105 calificaciones

Curso 3 de 4 en SpecializationCybersecurity for Business

Computer attacks and data breaches are inevitable. It seems like every day a data breach occurs and the victims of the data breach suffer. Their information is stolen or posted online. The company’s or businesses who had the breach go on, learn a little from the attack, and just give credit monitoring out as if nothing happened. What if you could help prevent a data breach in your organization? This is the third course in the Practical Computer Security specialization. This course looks at detection and mitigation of threats and attack vectors and discusses how to use tools and principles to protect information. By the end of the course you should be able to make suggestions on what type of detection and mitigation strategy is right for your systems or business given the known threats and attack vectors. You should be able to discuss what features you want in a firewall, or how cash registers or sensitive data systems should be secured. The project at the end of the course will allow you to apply what you have learned to argue what type of detection and mitigation strategies should have been employed by companies and businesses that have suffered a data breach.

De la lección

Detection and Prevention tools

This module covers intrusion detection and prevention tools used for both networks and systems. There will be demos of the tools so that you can understand how they might protect your network or systems better.

Anti-Virus/Anti-Malware11:22

HIDs and HIPs8:30

Conoce a los instructores

Greg Williams
Lecturer
Department of Computer Science

In this lesson, I will talk about Host Intrusion Detection Systems and

Host Intrusion Prevention Systems.

Host Intrusion Detection Systems should be used to

monitor your overall system architecture.

The reason that we're going to do this is because we can't look

at the entire network all the time.

And the entire network does not show us everything that is going on.

For example, if somebody logs in to a computer and

tries to use a local password five different times and

gets locked out of the computer.

Well, that is something that the network

intrusion prevention system is not going to tell us.

That is only going to be a function of a Host Intrusion Detection or

a Host Intrusion Prevention system.

So, Host Intrusion Detection or HIDs monitors hosts.

So we have a problem if we're just, if we start jumping from system to system.

Network Intrusion Prevention Systems are great at what they do, but

they can't look internally.

Host Intrusion Detection systems serve several different purposes.

They monitor files or directories,

they monitor system activity, they monitor system logs and

also report on patterns that they may see as malicious.

Now, not all software is going to do that, so

let's talk about two of these specifically.

The first one is going to be AIDE.

AIDE stands for Advanced Intrusion Detection Engine which is used for

integrity checking.

It's only used for integrity checking, so when a help desk or

when a lab is built, and we have what we called a Gold Image,

it means the standard image that we're going to deploy out.

What it'll do is make a hash database of all the files and

all the processes on that system.

In order to see if any of the main system files have

been compromised, we may run manually AIDE and

check the gold image versus the image that's running.

The problem with that is that's a very manual process,

it's not a scheduled tasks.

I guess you can make it a scheduled task but it would be more trouble than

it's worth because there's other tools out there such as OSSEC.

OSSEC stands stands for Open-Source Intrusion Detection System.

Actually it doesn't stand for that.

The second one is OSSEC.

OSSEC is used for many different systems and

not just Linux with AIDE is designed for.

OSSEC can be put on Windows,

it could be put on MAC and it could be put on Linux.

It's a very powerful Host Intrusion Detection System runs on Linux but like

I said you can use it on other systems and that's what we do here at the university.

Logs from OSSEC are hashed so they cannot be tampered with.

This is important because attackers generally

modify log files to make sure that they cover their tracks.

OSSEC has four basic components.

File Integrity Checking, AIDE only runs on a manual basis,

OSSEC does it every few hours.

Log Monitoring, OSSEC can report the logs to a central server,

which we'll look at here in a second.

A Rootkit Detection, OSSEC agents check for rootkits on a system every two hours.

That's something that AIDE cannot do.

And then Active Response, so responses are configurable.

Let's say that you logged in with or tried to login with local

password five different times, it could lock you out even though

you may not have a policy on your windows domain to do that.

There are some advantages and

some disadvantages of using Host Intrusion Detection.

The first one is going to be, Host Intrusion Detection

is a simple way of ensuring integrity remains in tact and

it's going to look at the system as a whole, a system entirely.

It's relatively easy administration and it meets compliance standards for

some industries, such as payment card industry systems.

We use this extensively in our PCI network here at the University.

Some disadvantages of using Host Intrusion Detection.

Well, installation and setup can be very cumbersome in the beginning,

but once it's done it just runs.

Files are changed frequently, so you get a huge amount of alerts.

Let's say that System32 in Windows is changed,

because of an update that Microsoft puts out.

That will alert OSSEC that something is happening.

Now, you can configure OSSEC and

some of the other ones like Tripwire, it's another,

but that's a commercial version HIDS piece of software.

But you can configure them to only look at certain directories if you want to.

But it is very chatty, so I get probably,

we may only have OSSEC on 30 different systems.

However I get several hundred emails a day from the system

about what's going on with the overall PCI network,

which is a good thing if we're looking at security.

Let's go to Splunk here, and let's look at,

Let's look at OSSEC.

So I just happened to type in OSSEC NOT host=potemkin

because that's one of our other servers that has OSSEC on it.

And I'm looking for anything that has the word password in it.

So what it's doing is it's going through, let's pick on one here, okay?

Let's pick on this one right here.

So on July 21st, which was two days ago on Friday,

says Alert Level 2: Rule: 1002 fired

Unknown problem somewhere in the system, okay?

Looks at var/log/secure, and it said,

looks like there was a pam module error, wrong password,

which is a good thing to understand, okay?

Here's another one.

This is one of our older systems for our book store, and

it's actually being decommissioned.

So there was an alert level five,

the higher the rule level the worst of the damage could be.

Here's the rule number and

it says Windows error event, location,

no domain, user password change required.

So it's going to give you a lot more information from the system than

just looking at certain logs.

In conclusion, Host Intrusion Detection Systems should

be used to ensure that your hosts are in good security status.

OSSEC is a great piece of software because it is open source and it's easy to manage.

Explora nuestro catálogo

Inscríbete de manera gratuita y obtén recomendaciones personalizadas, actualizaciones y ofertas.

Coursera brinda acceso universal a la mejor educación del mundo, al asociarse con las mejores universidades y organizaciones, para ofrecer cursos en línea.

© 2019 Coursera Inc. Todos los derechos reservados.

Descargar en la App Store

Consíguelo en Google Play