15.3 Alternative approaches and technologies


Given the difficulties of performing formal risk analyses, IT security professionals are looking into alternative approaches and technologies to manage the relevant risks. The two most promising approaches and technologies are security scanning to perform vulnerability analyses, and intrusion detection to identify and respond to potentially malicious activities. One major difference between security scanning and intrusion detection is related to their temporal use. A security scanner runs only when it is started (i.e., it is rarely run all of the time). Contrary to that, intrusion detection tools and products are designed to run in real time and to constantly monitor systems and networks for possible attacks [5]. Security scanning and intrusion detection are hot topics today. They are overviewed and briefly discussed next.

15.3.1    Security scanning

The term security scanning refers to the process of performing vulnerability analyses, and the term security scanner refers to a tool that can be used to automatically perform such analyses. In essence, a security scanner holds a database that includes known vulnerabilities [5] of operating systems and corresponding configurations. Each system can be probed and tested to detect and identify the vulnerabilities that are relevant.

Security scanning tools and security scanners can be partitioned into host-based scanners and network-based scanners:

  • A host-based scanner runs on a system and looks into the configuration of the system from the inside. For example, a host-based scanner can check whether files that contain user authentication information (e.g., user passwords) can be read by nonprivileged processes.

  • Contrary to that, a network-based scanner runs on a system and looks into the configurations of other systems from the outside. For example, a network-based scanner can check which systems are accessible and which services are running on the ports of these systems.
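To make the host-based case concrete, here is an added example (not code from the book or from any product it names) of the kind of check a host-based scanner performs from the inside: it walks a directory tree, looks for files that typically hold authentication data, and reports those whose mode bits grant read access to processes other than the owner. The file names in SENSITIVE_FILES and the directory layout built by build_sample_tree are constructed for the example; a real scanner's database holds many such entries per operating system.

```python
import os
import stat
import tempfile

# Hypothetical list of files that typically hold authentication data.
# A real host-based scanner keeps a much larger, per-OS database.
SENSITIVE_FILES = ["shadow", "master.passwd", "htpasswd"]


def readable_by_others(path):
    """True if the file's mode grants read access to group or world.

    Mode bits are inspected directly (rather than os.access), so the result
    does not depend on the privileges of the process running the scan."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_directory(root, sensitive=SENSITIVE_FILES):
    """Walk root and return a sorted list of (relative path, octal mode)
    for sensitive files that nonprivileged processes could read."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name not in sensitive:
                continue
            full = os.path.join(dirpath, name)
            if readable_by_others(full):
                rel = os.path.relpath(full, root)
                findings.append((rel, oct(stat.S_IMODE(os.stat(full).st_mode))))
    return sorted(findings)


def build_sample_tree():
    """Create a throwaway directory tree (constructed sample data) holding
    one correctly protected credential file, two over-permissive ones and
    one file that is not sensitive at all."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    layout = {
        "etc/shadow": 0o600,         # owner-only: correct
        "etc/master.passwd": 0o644,  # world-readable: finding
        "www/htpasswd": 0o640,       # group-readable: finding
        "www/index.html": 0o644,     # public content: ignored
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel_path, mode_str in scan_directory(demo_root):
        print(f"FINDING: {rel_path} is readable by non-owner (mode {mode_str})")
```

Run against the sample tree, the scan reports etc/master.passwd and www/htpasswd and stays silent about etc/shadow, which is the behaviour a scanner database entry for "credential files readable by nonprivileged processes" encodes.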

Ideally, a scanner is both host-based and network-based, meaning that it can investigate and take into account information that is available on either side. As of this writing, there are many security scanners commercially or freely available on the Internet. The most widely used and deployed security scanners on the Internet are developed and marketed by Internet Security Systems, Inc. [6] In addition, there are many security scanners publicly and freely available on the Internet. Examples include the Computer Oracle and Password System (COPS [7]) and the Security Administrator Tool for Analyzing Networks (SATAN [8]). Also, the Nessus security scanner was developed in an open source project of the same name [9].

More recently, Microsoft Corporation has launched the Strategic Technology Protection Program (STPP). As part of the STPP, the Microsoft Baseline Security Analyzer (MBSA) has been designed and developed as a tool to assess one or more Windows-based computer systems for known vulnerabilities and to determine whether or not they are up-to-date with the latest security-related patches and hotfixes. The tool is publicly and freely available. Having software providers provide tools like the MBSA is certainly the right way to go. The disadvantage is that attackers can use the same tools to discover breakable computer systems.

15.3.2    Intrusion detection

According to [6], an intrusion refers to "a sequence of related actions by a malicious adversary that results in the occurrence of unauthorized security threats to a target computing or networking domain," and the term intrusion detection refers to the process of identifying and responding to intrusions.

There are many tools that can be used to automate intrusion detection. These tools are commonly referred to as intrusion detection systems (IDSs). Although the research community has been actively designing, developing, and testing IDSs for more than a decade, corresponding products have only recently received wider market interest. Furthermore, the IETF has chartered an Intrusion Detection Exchange Format Working Group (IDWG) "to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to management systems which may need to interact with them." Refer to the IDWG's home page [10] to get more information about the relevant Internet-Drafts and RFC documents.

There are basically two technologies that can be used to implement an IDS: attack signature recognition and anomaly detection.

  1. Using attack signature recognition, an IDS uses a database with known attack patterns (also known as attack signatures) and an engine that uses this database to detect and recognize attacks. The database can either be local or remote, and the engine can either work in real time or not. In either case, the quality of the IDS is only as good as the database and its attack patterns, as well as the engine that makes use of this database. The situation is comparable to that of antivirus software (i.e., the database must be updated on a regular basis).

  2. Using anomaly detection, an IDS uses a database with a formal representation of "normal" (or "normal looking") user activities and an engine that makes use of this database to detect and recognize attacks. For example, if a user almost always starts up his or her e-mail user agent after having successfully logged onto a system, the IDS's engine may get suspicious if he or she starts a Telnet session to a trusted host first. The reason for this activity may be an attacker misusing the account to gain illegitimate access to a remote system. Again, the database can be either local or remote, and the quality of the IDS is only as good as the database and its statistical material.
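The two technologies side by side, as an added example that is not code from the book or from any IDS product: a signature engine that matches a small pattern database against raw web-server log lines, and an anomaly engine that learns, per user, which action normally comes first after login and flags sessions whose first action is rare for that user (the e-mail-agent versus Telnet case above). The signature names, the log lines, the user names and the session records are all constructed for the example; a real signature database is far larger and, as the text notes, must be kept up to date.

```python
import re
from collections import Counter, defaultdict

# --- 1. Attack signature recognition ----------------------------------------
# Tiny signature database (constructed): signature name -> compiled pattern.
# The engine is only as good as this table, so a real IDS refreshes it often.
SIGNATURE_DB = {
    "path-traversal": re.compile(r"\.\./"),
    "shell-metachar-in-cgi": re.compile(r"/cgi-bin/[^ ]*[;|`]"),
    "known-scanner-user-agent": re.compile(r"User-Agent: .*evil-scanner", re.I),
}


def match_signatures(lines, db=SIGNATURE_DB):
    """Return a list of (line number, signature name) hits over raw log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in db.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits


# --- 2. Anomaly detection ---------------------------------------------------
def build_profiles(sessions):
    """Learn, per user, how often each action was the first one after login.

    sessions is an iterable of (user, [action, action, ...]) records."""
    profiles = defaultdict(Counter)
    for user, actions in sessions:
        if actions:
            profiles[user][actions[0]] += 1
    return profiles


def first_action_anomalies(profiles, sessions, min_fraction=0.1):
    """Flag sessions whose first action is rare (< min_fraction of the user's
    history) or whose user has no profile at all. Returns (user, action, why)."""
    flagged = []
    for user, actions in sessions:
        if not actions:
            continue
        counts = profiles.get(user)
        if not counts:
            flagged.append((user, actions[0], "no profile for user"))
            continue
        fraction = counts[actions[0]] / sum(counts.values())
        if fraction < min_fraction:
            flagged.append((user, actions[0], f"seen first in {fraction:.0%} of sessions"))
    return flagged


# --- Constructed sample data ------------------------------------------------
WEB_LOG = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/../../etc/passwd HTTP/1.0",
    "GET /cgi-bin/search.cgi?q=a;id HTTP/1.0",
    "GET /about.html HTTP/1.0 User-Agent: evil-scanner/1.0",
]
# alice almost always opens her mail agent first; once she opened an editor.
TRAINING_SESSIONS = [("alice", ["mail", "browser"])] * 9 + [("alice", ["editor"])]
NEW_SESSIONS = [
    ("alice", ["mail", "telnet"]),   # usual start: not suspicious
    ("alice", ["telnet", "mail"]),   # Telnet first: suspicious
    ("bob", ["mail"]),               # unknown user: cannot judge, flag it
]

if __name__ == "__main__":
    for number, name in match_signatures(WEB_LOG):
        print(f"signature hit: line {number} matches {name}")
    learned = build_profiles(TRAINING_SESSIONS)
    for user, action, why in first_action_anomalies(learned, NEW_SESSIONS):
        print(f"anomaly: {user} started with {action} ({why})")
```

The two engines fail in different ways: the signature engine misses anything absent from SIGNATURE_DB, while the anomaly engine flags legitimate but unusual behaviour (a user who simply changes habits), which is why a combined IDS reports both kinds of evidence rather than relying on one.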

Again, it is possible to combine both technologies in an IDS. More information about intrusion detection technologies and IDSs that employ these technologies and are commercially available can be found in many books (e.g., [5–10]).

[5] Note that known vulnerabilities are vulnerabilities that have been found by experience on other systems, and that there is no list of known vulnerabilities that is guaranteed to be complete.

[6] http://www.iss.net

[7] http://www.sh.com/cops

[8] http://www.sh.com/satan

[9] http://www.nessus.org

[10] http://www.ietf.org/html.charters/idwg-charter.html


Source: Security Technologies for the World Wide Web, Second Edition
Author: Rolf Oppliger
ISBN: 1580533485
Year: 2003