
INFORMATION SECURITY

QUESTIONS AND ANSWERS


BY
Prof.R.G.HIREGOUDAR
Dept of CSE
TKIET Warananaar

CHAPTER 4: SYSTEM SECURITY
Q1. What are the different classes of intruders? Explain with examples.
Ans:
Three classes of intruders:
Masquerader: An individual who is not authorized to use the computer and who
penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor: A legitimate user who accesses data, programs, or resources for which such
access is not authorized, or who is authorized for such access but misuses his or her
privileges.
Clandestine user: An individual who seizes supervisory control of the system and uses
this control to evade auditing and access controls or to suppress audit collection.
The masquerader is likely to be an outsider;
the misfeasor generally is an insider;
the clandestine user can be either an outsider or an insider.
Intruder attacks range from the benign to the serious. At the benign end of the scale, there
are many people who simply wish to explore the Internet and see what is out there. At the
serious end are individuals who are attempting to read privileged data, perform
unauthorized modifications to data, or disrupt the system.
Examples of intruder attacks:
Performing a remote root compromise of an e-mail server
Defacing a Web server
Guessing and cracking passwords
Copying a database containing credit card numbers
Viewing sensitive data, including payroll records and medical information, without
authorization
Running a packet sniffer on a workstation to capture usernames and passwords.
Q2. Explain the different approaches used for intrusion detection.
Ans:
There are two approaches to intrusion detection:
1. Statistical anomaly detection:
Involves the collection of data relating to the behavior of legitimate users over a
period of time. Statistical tests are then applied to observed behavior to determine
with a high level of confidence whether that behavior is not legitimate user behavior.
a. Threshold detection:
This approach involves defining thresholds, independent of user, for the frequency of
occurrence of various events. Threshold detection involves counting the number of
occurrences of a specific event type over an interval of time. If the count surpasses what
is considered a reasonable number that one might expect to occur, then intrusion is
assumed.
b. Profile based: A profile of the activity of each user is developed and used
to detect changes in the behavior of individual accounts.
Examples of metrics that are useful for profile-based intrusion detection are
the following:
Counter: A nonnegative integer that may be incremented but not decremented until it is
reset by management action. Typically, a count of certain event types is kept over a
particular period of time. Examples include the number of logins by a single user during
an hour.
Gauge: A nonnegative integer that may be incremented or decremented. Typically, a
gauge is used to measure the current value of some entity. Examples include the number
of logical connections assigned to a user application and the number of outgoing
messages queued for a user process.
Interval timer: The length of time between two related events. An example is the
length of time between successive logins to an account.
Resource utilization: Quantity of resources consumed during a specified
period. Examples include the number of pages printed during a user session
and the total time consumed by a program execution.
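Worked example of the two statistical detectors described above (threshold detection and a profile built from a counter metric), added here as illustration; it is not part of the original notes. The audit records, user names and the 10-minute window and 3-sigma limits are constructed for the example.

```python
"""Statistical anomaly detection over constructed audit records.

Two detectors from the text:
  * threshold detection: count occurrences of an event type per fixed
    interval; the limit is the same for every user and exceeding it
    is treated as an intrusion.
  * profile-based detection: a per-user profile (mean and standard deviation
    of the "successful logins per day" counter) is learned from history;
    a current value far from that profile is an anomaly.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample records (timestamp, user, event type). Invented for this
# example; not the output of any real system.
RECORDS = [
    ("2024-03-01 09:00:12", "alice", "login_ok"),
    ("2024-03-01 09:01:40", "bob", "login_ok"),
    ("2024-03-01 13:10:05", "alice", "login_ok"),
    ("2024-03-02 09:02:33", "alice", "login_ok"),
    ("2024-03-02 09:03:10", "bob", "login_ok"),
    ("2024-03-02 14:05:00", "alice", "login_ok"),
    ("2024-03-03 09:01:01", "alice", "login_ok"),
    ("2024-03-03 09:04:50", "bob", "login_ok"),
    # Day under examination: a burst of failures on bob's account at 02:00,
    # followed by far more logins than bob's history shows.
    ("2024-03-04 02:00:01", "bob", "login_fail"),
    ("2024-03-04 02:00:03", "bob", "login_fail"),
    ("2024-03-04 02:00:05", "bob", "login_fail"),
    ("2024-03-04 02:00:07", "bob", "login_fail"),
    ("2024-03-04 02:00:09", "bob", "login_fail"),
    ("2024-03-04 02:00:11", "bob", "login_fail"),
    ("2024-03-04 02:00:20", "bob", "login_ok"),
    ("2024-03-04 02:05:00", "bob", "login_ok"),
    ("2024-03-04 02:09:00", "bob", "login_ok"),
    ("2024-03-04 02:15:00", "bob", "login_ok"),
    ("2024-03-04 02:30:00", "bob", "login_ok"),
    ("2024-03-04 02:45:00", "bob", "login_ok"),
    ("2024-03-04 09:00:30", "alice", "login_ok"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def threshold_alerts(records, event="login_fail", limit=5, window_minutes=10):
    """Threshold detection: count `event` per user in fixed windows of
    `window_minutes`; a count above `limit` (user-independent) is an alert."""
    counts = defaultdict(int)
    for ts, user, ev in records:
        if ev != event:
            continue
        t = parse(ts)
        window = t.replace(minute=(t.minute // window_minutes) * window_minutes,
                           second=0)
        counts[(user, window)] += 1
    return sorted((user, window.isoformat(), n)
                  for (user, window), n in counts.items() if n > limit)


def daily_login_counts(records):
    """Counter metric: successful logins per (user, day)."""
    counts = defaultdict(int)
    for ts, user, ev in records:
        if ev == "login_ok":
            counts[(user, parse(ts).date())] += 1
    return counts


def build_profiles(records, cutoff):
    """Per-user profile (mean, standard deviation) of the daily login counter
    over every day before `cutoff`; a user with no logins on a day counts 0."""
    counts = daily_login_counts(records)
    days = sorted({d for _, d in counts if d < cutoff})
    users = {u for u, _ in counts}
    profiles = {}
    for u in users:
        series = [counts.get((u, d), 0) for d in days]
        profiles[u] = (mean(series), pstdev(series))
    return profiles


def profile_alerts(records, current_day, k=3.0):
    """Flag users whose login count on `current_day` (ISO date string) lies
    more than `k` standard deviations from their profile. Sigma is floored at 1
    so a perfectly regular history does not turn every change into an alert."""
    day = date.fromisoformat(current_day)
    profiles = build_profiles(records, day)
    counts = daily_login_counts(records)
    alerts = []
    for user, (mu, sigma) in sorted(profiles.items()):
        x = counts.get((user, day), 0)
        z = (x - mu) / max(sigma, 1.0)
        if abs(z) > k:
            alerts.append((user, x, round(mu, 2), round(z, 2)))
    return alerts


if __name__ == "__main__":
    print("threshold:", threshold_alerts(RECORDS))
    print("profile:", profile_alerts(RECORDS, "2024-03-04"))
```

Run on the sample, the threshold detector reports bob's six failures in the 02:00 window (limit 5, the same for every user), and the profile detector reports bob's six successful logins against a history of exactly one per day; alice's single login is within her profile and is not reported.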
2. Rule-based detection: Involves an attempt to define a set of rules that can be
used to decide that a given behavior is that of an intruder.
a. Anomaly detection:
Rules are developed to detect deviation from previous usage patterns.
With the rule-based approach, historical audit records are analyzed to identify usage
patterns and to generate automatically rules that describe those patterns. Rules may
represent past behavior patterns of users, programs, privileges, time slots, terminals, and
so on. Current behavior is then observed, and each transaction is matched against the set
of rules to determine if it conforms to any historically observed pattern of behavior.
b. Penetration identification:
An expert system approach that searches for suspicious behavior, using rules that
describe known penetrations or penetrations that would exploit known weaknesses.
Q3. What are audit records? Which fields are present in detection-specific audit
records?
Ans:
A fundamental tool for intrusion detection is the audit record.
Two plans of audit records are:
Native audit records: Virtually all multiuser operating systems include accounting
software that collects information on user activity. The advantage of using this
information is that no additional collection software is needed. The disadvantage is that
the native audit records may not contain the needed information or may not contain it in a
convenient form.
Detection-specific audit records: A collection facility can be implemented that
generates audit records containing only that information required by the intrusion
detection system. One advantage of such an approach is that it could be made vendor
independent and ported to a variety of systems. The disadvantage is the extra overhead
involved in having, in effect, two accounting packages running on a machine.
Detection-specific audit record fields are:
Subject: Initiators of actions. A subject is typically a terminal user but might also be a
process acting on behalf of users or groups of users. All activity arises through commands
issued by subjects. Subjects may be grouped into different access classes, and these
classes may overlap.
Action: Operation performed by the subject on or with an object; for example, login,
read, perform I/O, execute.
Object: Receptors of actions. Examples include files, programs, messages, records,
terminals, printers, and user- or program-created structures. When a subject is the
recipient of an action, such as electronic mail, then that subject is considered an object.
Objects may be grouped by type. Object granularity may vary by object type and by
environment. For example, database actions may be audited for the database as a whole
or at the record level.
Exception-Condition: Denotes which, if any, exception condition is raised on return.
Resource-Usage: A list of quantitative elements in which each element gives the
amount used of some resource (e.g., number of lines printed or displayed, number of
records read or written, processor time, I/O units used, session elapsed time).
Time-Stamp: Unique time-and-date stamp identifying when the action took place.
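Worked example serving both the rule-based anomaly detection of Q2 and the detection-specific audit record of Q3, added here as illustration and not part of the original notes. Each record carries the six fields listed above; rules of the form (subject, action, object class, time slot) are generated from historical records and current records that match no rule are reported. The pipe-separated native log format, the directory-based object classes, the time-slot boundaries and the sample lines are all constructed for the example.

```python
"""Detection-specific audit records and rule-based anomaly detection.

Each native-style log line (a constructed, hypothetical format) is turned into
an AuditRecord with the six fields from the text. Rules of the form
(subject, action, object class, time slot) are derived automatically from
historical records; a current record matching no rule is reported.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class AuditRecord:
    subject: str                 # initiator: user or process acting for a user
    action: str                  # login, read, write, execute, ...
    obj: str                     # receptor: file, program, terminal, ...
    exception_condition: str     # "" when the action succeeded
    resource_usage: dict         # e.g. {"records_read": 120, "cpu_ms": 8}
    timestamp: datetime


def parse_line(line):
    """Hypothetical native format: ts|subject|action|object|exception|k=v,k=v."""
    ts, subject, action, obj, exc, usage = line.split("|")
    usage_dict = {}
    for kv in filter(None, usage.split(",")):
        k, v = kv.split("=")
        usage_dict[k] = int(v)
    return AuditRecord(subject, action, obj, exc, usage_dict,
                       datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))


def time_slot(t):
    if 8 <= t.hour < 18:
        return "business"
    if 18 <= t.hour < 22:
        return "evening"
    return "night"


def object_class(obj):
    """Object granularity: group files by their top-level directory."""
    return obj.split("/")[1] if obj.startswith("/") else obj


def pattern(rec):
    return (rec.subject, rec.action, object_class(rec.obj), time_slot(rec.timestamp))


def learn_rules(history):
    """Generate rules from historical audit records: the set of patterns seen."""
    return {pattern(r) for r in history}


def anomalies(rules, current):
    """Each current record must conform to some historically observed pattern."""
    return [r for r in current if pattern(r) not in rules]


# Constructed sample data.
HISTORY = [
    "2024-03-01 09:15:00|alice|read|/payroll/march.csv||records_read=120,cpu_ms=8",
    "2024-03-01 10:02:00|alice|write|/payroll/march.csv||records_written=3,cpu_ms=5",
    "2024-03-01 11:30:00|bob|read|/code/app.py||records_read=400,cpu_ms=20",
    "2024-03-02 09:40:00|alice|read|/payroll/april.csv||records_read=90,cpu_ms=6",
    "2024-03-02 14:00:00|bob|execute|/code/build.sh||cpu_ms=950",
]
CURRENT = [
    "2024-03-04 09:05:00|alice|read|/payroll/april.csv||records_read=95,cpu_ms=7",
    "2024-03-04 02:10:00|bob|read|/payroll/april.csv|EACCES|cpu_ms=1",
    "2024-03-04 15:00:00|bob|execute|/code/build.sh||cpu_ms=900",
    "2024-03-04 16:00:00|alice|execute|/code/build.sh||cpu_ms=900",
]


def detect(history_lines, current_lines):
    rules = learn_rules(map(parse_line, history_lines))
    return anomalies(rules, map(parse_line, current_lines))


if __name__ == "__main__":
    for r in detect(HISTORY, CURRENT):
        print(f"{r.timestamp} {r.subject} {r.action} {r.obj} "
              f"exc={r.exception_condition!r} usage={r.resource_usage}")
```

The two reported records are bob reading payroll data at night (an access class, object class and time slot never seen together for bob; the EACCES exception condition is preserved for the analyst) and alice executing code, an action that does not appear in her history. The matching is deliberately coarse: a finer object granularity (per file rather than per directory) gives fewer false negatives at the cost of more rules.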
Q4. Describe the architecture for a distributed intrusion detection system.
Ans:

The architecture for a distributed intrusion detection system described here is one developed
at the University of California at Davis, which consists of three main components:
Host agent module: An audit collection module operating as a background process on
a monitored system. Its purpose is to collect data on security-related events on the host
and transmit these to the central manager.
LAN monitor agent module: Operates in the same fashion as a host agent module
except that it analyzes LAN traffic and reports the results to the central manager.
Central manager module: Receives reports from LAN monitor and host agents and
processes and correlates these reports to detect intrusion.
The scheme is designed to be independent of any operating system or system auditing
implementation.
Fig. Agent Architecture.

Q5. Explain the UNIX password scheme.
Ans:
When a user attempts to log on to a UNIX system, the user provides an
ID and a password. The operating system uses the ID to index into the password file and
retrieve the plaintext salt and the encrypted password. The salt and user-supplied
password are used as input to the encryption routine. If the result matches the stored
value, the password is accepted.
The encryption routine (the crypt(3) function, based on 25 iterations of a DES variant
modified by the 12-bit salt) is designed to discourage guessing attacks.
Software implementations of DES are slow compared to hardware versions, and the use
of 25 iterations multiplies the time required by 25. However, since the original design of
this algorithm, two changes have occurred. First, newer implementations of the algorithm
itself have resulted in speedups. Second, hardware performance continues to increase, so
that any software algorithm executes more quickly.
Thus, there are two threats to the UNIX password scheme. First, a user can gain access
on a machine using a guest account or by some other means and then run a password
guessing program, called a password cracker, on that machine. The attacker should be
able to check hundreds and perhaps thousands of possible passwords with little resource
consumption. In addition, if an opponent is able to obtain a copy of the password file,
then a cracker program can be run on another machine.
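Worked example of the scheme and of the second threat above (an offline cracker run against a copied password file), added as illustration and not part of the original notes or of any UNIX implementation. Because DES-based crypt(3) is not in the Python standard library, pbkdf2_hmac with a fixed iteration count stands in for the 25 DES rounds; the structure (a clear-text salt stored beside the hash, a deliberately slow one-way function, comparison at login) is the one the text describes. The password-file entries, salts and wordlist are constructed.

```python
"""Salted, slow password hashing in the style of the UNIX scheme, plus the
offline cracker the text warns about.

crypt(3) is not in the Python standard library, so pbkdf2_hmac with a fixed
iteration count stands in for "25 iterations of modified DES"; the structure
(salt stored in the clear next to the hash, slow one-way function, compare
on login) is what the text describes.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000          # stand-in for crypt(3)'s 25 DES rounds


def slow_hash(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_entry(user, password, salt=None):
    """Password-file line: user:salt:hash. Classic crypt(3) used a 12-bit salt;
    two random bytes are used here."""
    salt = os.urandom(2) if salt is None else salt
    return f"{user}:{salt.hex()}:{slow_hash(password, salt)}"


def verify(entry, password):
    """Login check: hash the supplied password with the stored salt."""
    _user, salt_hex, stored = entry.split(":")
    return hmac.compare_digest(slow_hash(password, bytes.fromhex(salt_hex)), stored)


def crack(entries, wordlist):
    """Offline dictionary attack on a copied password file.

    Returns the recovered passwords and how many hash computations were
    needed. A candidate word hashed under one salt says nothing about the
    same word under another salt, so the salt multiplies the attacker's work
    by the number of distinct salts instead of letting one pass over the
    wordlist cover every account."""
    found, work, cache = {}, 0, {}
    for entry in entries:
        user, salt_hex, stored = entry.split(":")
        for word in wordlist:
            if (salt_hex, word) not in cache:
                cache[(salt_hex, word)] = slow_hash(word, bytes.fromhex(salt_hex))
                work += 1
            if hmac.compare_digest(cache[(salt_hex, word)], stored):
                found[user] = word
                break
    return found, work


# Constructed password file and wordlist.
PASSWD = [
    make_entry("alice", "password123", bytes.fromhex("1a2b")),
    make_entry("bob", "correcthorse", bytes.fromhex("1a2b")),   # salt collision: 12-bit salts repeat
    make_entry("carol", "Zx!9qT#vL", bytes.fromhex("c3d4")),
]
WORDLIST = ["123456", "password", "password123", "letmein", "correcthorse"]

if __name__ == "__main__":
    print(verify(PASSWD[0], "password123"), verify(PASSWD[0], "password124"))
    print(crack(PASSWD, WORDLIST))
```

With three accounts and a five-word list the cracker needs ten hash computations rather than fifteen only because alice and bob happen to share a salt; with a salt per user every word must be recomputed per account, which is the point of the salt. Carol's password is not in the list and survives, which is what the proactive checking strategies of the next question are trying to guarantee.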
Q6. Explain the different password selection strategies.
Ans:
Four basic techniques are in use:
• User education
• Computer-generated passwords
• Reactive password checking
• Proactive password checking
The user education strategy is unlikely to succeed at most installations, particularly where
there is a large user population or a lot of turnover. Many users will simply ignore the
guidelines. Others may not be good judges of what is a strong password. For example,
many users (mistakenly) believe that reversing a word or capitalizing the last letter makes
a password unguessable.
Computer-generated passwords also have problems. If the passwords are quite random
in nature, users will not be able to remember them. Even if the password is
pronounceable, the user may have difficulty remembering it and so be tempted to write it
down. In general, computer-generated password schemes have a history of poor
acceptance by users. FIPS PUB 181 defines one of the best-designed automated password
generators. The standard includes not only a description of the approach but also a
complete listing of the C source code of the algorithm. The algorithm generates words by
forming pronounceable syllables and concatenating them to form a word. A random
number generator produces a random stream of characters used to construct the syllables
and words.
A reactive password checking strategy is one in which the system periodically runs its
own password cracker to find guessable passwords. The system cancels any passwords
that are guessed and notifies the user. This tactic has a number of drawbacks.
First, it is resource intensive if the job is done right. Because a determined opponent who
is able to steal a password file can devote full CPU time to the task for hours or even
days, an effective reactive password checker is at a distinct disadvantage.
Furthermore, any existing passwords remain vulnerable until the reactive password
checker finds them.
Proactive password checker: In this scheme, a user is allowed to select his or her own
password.
However, at the time of selection, the system checks to see if the password is allowable
and, if not, rejects it. Such checkers are based on the philosophy that, with sufficient
guidance from the system, users can select memorable passwords from a fairly large
password space that are not likely to be guessed in a dictionary attack.
The trick with a proactive password checker is to strike a balance between user
acceptability and strength. If the system rejects too many passwords, users will complain
that it is too hard to select a password. If the system uses some simple algorithm to define
what is acceptable, this provides guidance to password crackers to refine their guessing
technique.
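A small proactive password checker, added as illustration and not part of the original notes. Besides length and character-class rules it applies the same mangling a cracker would undo (lower-casing, leet substitutions, reversal, stripping trailing digits and punctuation) before consulting a dictionary, so the reversed and capitalised words that the text says users wrongly trust are rejected. The dictionary, the leet table and the limits are constructed for the example.

```python
"""Proactive password checker: reject a candidate password at selection time.

Rules: minimum length, at least three character classes, and no match in a
small dictionary after the same "mangling" a cracker would undo (lower-case,
leet substitutions, reversal, trailing digits or punctuation stripped). The
last rule is what catches the reversed or capitalised words that users
wrongly believe are unguessable.
"""
import string

# Constructed toy dictionary; a real checker uses a large wordlist.
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "secret",
              "admin", "monkey", "dragon", "football"}
LEET = str.maketrans("0134@$", "oleaas")
MIN_LEN = 8
STRIP = string.digits + string.punctuation


def normalized_forms(pw):
    """Forms a cracker would try; if any is a dictionary word, so is pw."""
    base = pw.lower()
    forms = {base, base.translate(LEET), base[::-1], base[::-1].translate(LEET)}
    out = set()
    for f in forms:
        out.update({f, f.rstrip(STRIP), f.strip(STRIP)})
    return out


def char_classes(pw):
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def check(pw):
    """Return the list of reasons the password is rejected; [] means accepted."""
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"too short (min {MIN_LEN})")
    if char_classes(pw) < 3:
        reasons.append("needs at least 3 of: lower, upper, digit, symbol")
    if normalized_forms(pw) & DICTIONARY:
        reasons.append("based on a dictionary word")
    return reasons


if __name__ == "__main__":
    for candidate in ["Password1", "drowssaP", "P@ssw0rd", "Tr0ub4dor&3", "short"]:
        print(candidate, "->", check(candidate) or "accepted")
```

Note the balance the text asks for: "P@ssw0rd" satisfies every simple rule (length, four character classes) and is still rejected, because a cracker's substitution rules map it straight back to "password"; publishing only the simple rules would tell an attacker exactly which mangled forms to try.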
Q7. Explain the overall taxonomy of malicious programs.
Ans:
Q8. Explain the types of viruses.
A virus classification by target includes the following categories:
Boot sector infector: Infects a master boot record or boot record and spreads when a
system is booted from the disk containing the virus.
File infector: Infects files that the operating system or shell consider to be executable.
Macro virus: Infects files with macro code that is interpreted by an application.
A virus classification by concealment strategy includes the following categories:
Encrypted virus: A typical approach is as follows. A portion of the virus creates a
random encryption key and encrypts the remainder of the virus. The key is stored with
the virus. When an infected program is invoked, the virus uses the stored random key to
decrypt the virus. When the virus replicates, a different random key is selected. Because
the bulk of the virus is encrypted with a different key for each instance, there is no
constant bit pattern to observe.
Stealth virus: A form of virus explicitly designed to hide itself from detection by
antivirus software. Thus, the entire virus, not just a payload, is hidden.
Polymorphic virus: A virus that mutates with every infection, making detection by the
"signature" of the virus impossible.
Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with
every infection. The difference is that a metamorphic virus rewrites itself completely at
each iteration, increasing the difficulty of detection. Metamorphic viruses may change
their behavior as well as their appearance.
Q9. Explain virus countermeasures.
OR
Explain antivirus approaches.
Ans:
First generation: simple scanners
Second generation: heuristic scanners
Third generation: activity traps
Fourth generation: full-featured protection
A first-generation scanner requires a virus signature to identify a virus. The virus may
contain "wildcards" but has essentially the same structure and bit pattern in all copies.
Such signature-specific scanners are limited to the detection of known viruses. Another
type of first-generation scanner maintains a record of the length of programs and looks
for changes in length.
A second-generation scanner does not rely on a specific signature. Rather, the scanner
uses heuristic rules to search for probable virus infection. One class of such scanners
looks for fragments of code that are often associated with viruses. For example, a scanner
may look for the beginning of an encryption loop used in a polymorphic virus and
discover the encryption key. Once the key is discovered, the scanner can decrypt the virus
to identify it, then remove the infection and return the program to service.
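Simulation serving both the encrypted virus of Q8 and the second-generation heuristic scanner described just above, added as illustration; it is not part of the original notes and contains no real malicious code. The "virus body" is inert text, the "decryptor" is a constant marker followed by the stored key, and the cipher is a repeating XOR, all constructed for the example. It shows why a first-generation signature scan fails on each encrypted copy, and how a scanner that recognises the constant decryptor prologue can read the key, decrypt the body, match the signature and remove the infection. (A truly polymorphic virus also mutates the decryptor, which is why generic decryption, below, runs the code in an emulator instead of pattern-matching the stub.)

```python
"""Why an encrypted virus defeats a signature scanner, and how a
second-generation scanner recovers the key and decrypts it.

Everything here is a simulation on ordinary byte strings: the "virus body"
is inert text, the "decryptor" is a fixed marker followed by the stored key,
and the cipher is a repeating XOR. The constant decryptor prologue is exactly
what a heuristic scanner looks for, because the per-instance key changes
everything after it.
"""
import os

VIRUS_BODY = b"replicate(); payload(); return_to_host();"   # inert stand-in
SIGNATURE = b"replicate(); payload()"       # first-generation scanner pattern
STUB = b"\x90\x90DECR"                      # constant decryptor prologue (hypothetical)
KEY_LEN = 4


def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def infect(host, key=None):
    """Append decryptor stub + key + body length + encrypted body to `host`.
    A fresh random key per copy means no two copies share the encrypted bytes."""
    key = os.urandom(KEY_LEN) if key is None else key
    return host + STUB + key + len(VIRUS_BODY).to_bytes(2, "big") + xor(VIRUS_BODY, key)


def signature_scan(data):
    """First generation: look for the plaintext signature. Fails on encrypted copies."""
    return SIGNATURE in data


def heuristic_scan(data):
    """Second generation: find the decryptor prologue, read the key it stores,
    decrypt the body that follows and then apply the signature."""
    i = data.find(STUB)
    if i < 0:
        return False
    k = i + len(STUB)
    key = data[k:k + KEY_LEN]
    n = int.from_bytes(data[k + KEY_LEN:k + KEY_LEN + 2], "big")
    body = xor(data[k + KEY_LEN + 2:k + KEY_LEN + 2 + n], key)
    return SIGNATURE in body


def disinfect(data):
    """Remove the infection and return the host program to service."""
    i = data.find(STUB)
    return data if i < 0 else data[:i]


HOST = b"HOST PROGRAM CODE"   # constructed clean program

if __name__ == "__main__":
    a, b = infect(HOST), infect(HOST)
    print("copies identical:", a == b)
    print("signature scan:", signature_scan(a), "heuristic scan:", heuristic_scan(a))
    print("disinfected ok:", disinfect(a) == HOST)
```

Two infections of the same host differ in every byte after the stub, so a scanner keyed on the body finds nothing; the only constant material is the decryptor itself, which is the fragment "often associated with viruses" that the heuristic scanner keys on.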
Another second-generation approach is integrity checking. A checksum can be appended
to each program. If a virus infects the program without changing the checksum, then an
integrity check will catch the change. To counter a virus that is sophisticated enough to
change the checksum when it infects a program, an encrypted hash function can be used.
The encryption key is stored separately from the program so that the virus cannot
generate a new hash code and encrypt that. By using a hash function rather than a simpler
checksum, the virus is prevented from adjusting the program to produce the same hash
code as before.
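Worked example of the integrity-checking argument above, added as illustration and not part of the original notes: a 16-bit additive checksum that an infector can restore by padding, beside a keyed hash (HMAC-SHA256, the standard keyed-hash construction, used here in place of the text's "encrypted hash function") that the infector cannot recompute without the key held off the host. The program bytes, key and payload are constructed.

```python
"""Integrity checking against a virus: a plain checksum can be fixed up by
the infector, a keyed hash with the key held off the host cannot.

The text's "encrypted hash function" is realised here as HMAC-SHA256, the
standard keyed-hash construction; the key is supplied by the checker and
never stored next to the program.
"""
import hashlib
import hmac

MOD = 1 << 16   # 16-bit additive checksum (constructed weak example)
TAG_LEN = 32    # HMAC-SHA256 output size


def checksum(data):
    return sum(data) % MOD


def protect_with_checksum(program):
    return program + checksum(program).to_bytes(2, "big")


def checksum_ok(blob):
    return checksum(blob[:-2]) == int.from_bytes(blob[-2:], "big")


def infect_keep_checksum(blob, payload):
    """Infector that appends `payload` and then pads so the additive checksum
    is unchanged: the pad bytes sum to (-sum(payload)) mod 2^16."""
    program, tag = blob[:-2], blob[-2:]
    delta = (-sum(payload)) % MOD
    pad = b"\xff" * (delta // 255) + bytes([delta % 255])
    return program + payload + pad + tag


def protect_with_mac(program, key):
    return program + hmac.new(key, program, hashlib.sha256).digest()


def mac_ok(blob, key):
    expected = hmac.new(key, blob[:-TAG_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob[-TAG_LEN:])


def infect_keep_tag(blob, payload):
    """Infector without the key: all it can do is carry the old tag over."""
    return blob[:-TAG_LEN] + payload + blob[-TAG_LEN:]


PROGRAM = b"\x7fELF-like constructed program bytes: mov eax, 1; ret"   # not a real binary
KEY = b"checker-key-held-off-host-0123456789"                          # constructed
PAYLOAD = b"VIRUS"

if __name__ == "__main__":
    c = protect_with_checksum(PROGRAM)
    print("checksum still passes after infection:",
          checksum_ok(infect_keep_checksum(c, PAYLOAD)))
    m = protect_with_mac(PROGRAM, KEY)
    print("MAC passes after infection:", mac_ok(infect_keep_tag(m, PAYLOAD), KEY))
```

The padding trick works against any linear checksum (additive, XOR, CRC with a little more algebra); a cryptographic hash removes the ability to steer the output, and the key removes the ability to simply recompute it. Note that the key must really be held off the host: a key readable by the infected program gives the virus exactly what the text says it must not have.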
Third-generation programs are memory-resident programs that identify a virus by its
actions rather than its structure in an infected program. Such programs have the advantage
that it is not necessary to develop signatures and heuristics for a wide array of viruses.
Rather, it is necessary only to identify the small set of actions that indicate an infection is
being attempted and then to intervene.
Fourth-generation products are packages consisting of a variety of antivirus techniques
used in conjunction. These include scanning and activity trap components.
In addition, such a package includes access control capability, which limits the ability of
viruses to penetrate a system and then limits the ability of a virus to update files in order
to pass on the infection.
Advanced Antivirus Techniques:
Generic Decryption: Generic decryption (GD) technology enables the antivirus program
to easily detect even the most complex polymorphic viruses while maintaining fast
scanning speeds. A GD scanner contains the following elements:
CPU emulator: A software-based virtual computer. Instructions in an executable file are
interpreted by the emulator rather than executed on the underlying processor. The
emulator includes software versions of all registers and other processor hardware, so that
the underlying processor is unaffected by programs interpreted on the emulator.
Virus signature scanner: A module that scans the target code looking for known virus
signatures.
Emulation control module: Controls the execution of the target code.
Q10. Explain the different types of firewalls.
Ans:
1. Packet-filtering router:
Applies a set of rules to each incoming IP packet and then forwards or discards
the packet.
Filters packets going in both directions.
The packet filter is typically set up as a list of rules based on matches to fields in
the IP or TCP header.
Two default policies (discard or forward).
Advantages:
• Simplicity
• Transparency to users
• High speed
Disadvantages:
• Difficulty of setting up packet filter rules
• Lack of authentication
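Worked example of a packet-filtering router as described above, added as illustration and not part of the original notes: a first-match rule list over IP and TCP header fields with a selectable default policy. The addresses, the rule set (anti-spoofing, inbound SMTP to one host, outbound TCP, ACK-flagged replies) and the probe packets are constructed; nothing here is a real firewall configuration syntax.

```python
"""A packet-filtering router as a first-match rule list with a default policy.

Rules match on IP and TCP header fields only (addresses, protocol, ports, the
ACK flag); the filter keeps no connection state, which is where its
"lack of authentication" shows: any packet whose headers fit a rule passes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    direction: str          # "in" = arriving from the Internet, "out" = leaving
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False       # TCP ACK flag; set on every segment after a connection's first


@dataclass
class Rule:
    action: str                     # "forward" or "discard"
    direction: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    sport: Optional[range] = None
    dport: Optional[range] = None
    ack: Optional[bool] = None      # None = don't care


def matches(rule, pkt):
    return (rule.direction in ("*", pkt.direction)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("*", pkt.proto)
            and (rule.sport is None or pkt.sport in rule.sport)
            and (rule.dport is None or pkt.dport in rule.dport)
            and (rule.ack is None or rule.ack == pkt.ack))


def decide(rules, pkt, default="discard"):
    """Apply rules in order; the first match decides. `default` is the policy
    for packets matching no rule: "discard" (conservative) or "forward"."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed addresses for the example.
INSIDE = "192.168.1.0/24"
MAIL_SERVER = "192.168.1.25"
RULES = [
    # Our own address block can never legitimately arrive from outside: spoofed.
    Rule("discard", direction="in", src=INSIDE),
    # Inbound SMTP only to the mail server.
    Rule("forward", direction="in", dst=MAIL_SERVER + "/32", proto="tcp", dport=range(25, 26)),
    # Inside hosts may open TCP connections outward.
    Rule("forward", direction="out", proto="tcp"),
    # Replies to those connections come back to high ports with ACK set.
    Rule("forward", direction="in", proto="tcp", dport=range(1024, 65536), ack=True),
]

if __name__ == "__main__":
    probes = [
        Packet("in", "203.0.113.5", MAIL_SERVER, "tcp", 40000, 25),
        Packet("in", "203.0.113.5", MAIL_SERVER, "tcp", 40000, 23),
        Packet("in", "192.168.1.7", MAIL_SERVER, "tcp", 40000, 25),
        Packet("in", "203.0.113.5", "192.168.1.50", "tcp", 443, 50000, ack=True),
        Packet("in", "203.0.113.5", "192.168.1.50", "tcp", 443, 50000),
    ]
    for p in probes:
        print(p, "->", decide(RULES, p))
```

Rule order matters: the anti-spoofing discard must come before the SMTP rule, or a packet claiming an inside source address would be forwarded to the mail server. The last rule also shows the "lack of authentication" weakness: the filter cannot tell a genuine reply from an outsider's probe that merely has the ACK bit set, because nothing in the headers is authenticated and no connection state is kept.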
2. Application-level gateway
a. Also called a proxy server
b. Acts as a relay of application-level traffic
Advantages:
c. Higher security than packet filters
d. Only need to scrutinize a few allowable applications
e. Easy to log and audit all incoming traffic
Disadvantages:
f. Additional processing overhead on each connection (gateway as splice
point).
3. Circuit-level gateway
a. Stand-alone system, or
b. Specialized function performed by an application-level gateway
c. Sets up two TCP connections
d. The gateway typically relays TCP segments from one connection to
the other without examining the contents
4. Screened host firewall, dual-homed bastion configuration
a. Even if the packet-filtering router is completely compromised, traffic cannot
bypass the bastion host (unlike the single-homed configuration)
b. Traffic between the Internet and other hosts on the private network has to
flow through the bastion host.
Fig. Types of firewalls
