Standards and practices necessary to implement a successful security review program for intrusion management systems

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2002Includes bibliographical references (leaves: 84-85)Text in English; Abstract: Turkish and Englishviii, 91 leavesIntrusion Management Systems are being used to prevent the information systems from successful intrusions and their consequences. They also have detection features. They try to detect intrusions, which have passed the implemented measures. Also the recovery of the system after a successful intrusion is made by the Intrusion Management Systems. The investigation of the intrusion is made by Intrusion Management Systems also. These functions can be existent in an intrusion management system model, which has a four layers architecture. The layers of the model are avoidance, assurance, detection and recovery. At the avoidance layer necessary policies, standards and practices are implemented to prevent the information system from successful intrusions. At the avoidance layer, the effectiveness of implemented measures are measured by some test and reviews. At the detection layer the identification of an intrusion or intrusion attempt is made in the real time. The recovery layer is responsible from restoring the information system after a successful intrusion. It has also functions to investigate the intrusion. Intrusion Management Systems are used to protect information and computer assets from intrusions. An organization aiming to protect its assets must use such a system. After the implementation of the system, continuous reviews must be conducted in order to ensure the effectiveness of the measures taken. Such a review can achieve its goal by using principles and standards. In this thesis, the principles necessary to implement a successful review program for Intrusion Management Systems have been developed in the guidance of Generally Accepted System Security Principles (GASSP). These example principles are developed for tools of each Intrusion Management System layer. These tools are firewalls for avoidance layer, vulnerability scanners for assurance layer, intrusion detection systems for detection layer and integrity checkers for recovery layer of Intrusion Management Systems

Evaluation of Traditional Security Solutions in the SCADA Environment

Supervisory Control and Data Acquisition (SCADA) systems control and monitor the electric power grid, water treatment facilities, oil and gas pipelines, railways, and other Critical Infrastructure (CI). In recent years, organizations that own and operate these systems have increasingly interconnected them with their enterprise network to take advantage of cost savings and operational benefits. This trend, however, has introduced myriad vulnerabilities associated with the networking environment. As a result, the once isolated systems are now susceptible to a wide range of threats that previously did not exist. To help address the associated risks, security professionals seek to incorporate mitigation solutions designed for traditional networking and Information Technology (IT) systems. Unfortunately, the operating parameters and security principles associated with traditional IT systems do not readily translate to the SCADA environment. Security solutions for IT systems focus primarily on protecting the confidentiality of system and user data. Alternatively, SCADA systems must adhere to strict safety and reliability requirements and rely extensively on system availability. Mitigation strategies designed for traditional IT systems must first be evaluated prior to deployment on a SCADA system or risk adverse operational impacts such as a catastrophic oil spill, poisoning a water supply, or the shutdown of an electrical grid. This research evaluates the suitability of deploying a Host-Based Intrusion Detection System (IDS) to the Department of Defense SCADA fuels system. The impacts of the Host Intrusion Prevention System (HIPS) installed on the SCADA network\u27s Human Machine Interface (HMI) is evaluated. Testing revealed that the HIPS agent interferes with the HMI\u27s system services during startup. Once corrected, the HMI and connected SCADA network inherit the protections of the HIPS security agent and defenses associated with the Host-Based Security System

Discovering New Vulnerabilities in Computer Systems

Vulnerability research plays a key role in preventing and defending against malicious computer system exploitations. Driven by a multi-billion dollar underground economy, cyber criminals today tirelessly launch malicious exploitations, threatening every aspect of daily computing. to effectively protect computer systems from devastation, it is imperative to discover and mitigate vulnerabilities before they fall into the offensive parties\u27 hands. This dissertation is dedicated to the research and discovery of new design and deployment vulnerabilities in three very different types of computer systems.;The first vulnerability is found in the automatic malicious binary (malware) detection system. Binary analysis, a central piece of technology for malware detection, are divided into two classes, static analysis and dynamic analysis. State-of-the-art detection systems employ both classes of analyses to complement each other\u27s strengths and weaknesses for improved detection results. However, we found that the commonly seen design patterns may suffer from evasion attacks. We demonstrate attacks on the vulnerabilities by designing and implementing a novel binary obfuscation technique.;The second vulnerability is located in the design of server system power management. Technological advancements have improved server system power efficiency and facilitated energy proportional computing. However, the change of power profile makes the power consumption subjected to unaudited influences of remote parties, leaving the server systems vulnerable to energy-targeted malicious exploit. We demonstrate an energy abusing attack on a standalone open Web server, measure the extent of the damage, and present a preliminary defense strategy.;The third vulnerability is discovered in the application of server virtualization technologies. Server virtualization greatly benefits today\u27s data centers and brings pervasive cloud computing a step closer to the general public. However, the practice of physical co-hosting virtual machines with different security privileges risks introducing covert channels that seriously threaten the information security in the cloud. We study the construction of high-bandwidth covert channels via the memory sub-system, and show a practical exploit of cross-virtual-machine covert channels on virtualized x86 platforms

Network Traffic Measurements, Applications to Internet Services and Security

The Internet has become along the years a pervasive network interconnecting billions of users and is now playing the role of collector for a multitude of tasks, ranging from professional activities to personal interactions. From a technical standpoint, novel architectures, e.g., cloud-based services and content delivery networks, innovative devices, e.g., smartphones and connected wearables, and security threats, e.g., DDoS attacks, are posing new challenges in understanding network dynamics. In such complex scenario, network measurements play a central role to guide traffic management, improve network design, and evaluate application requirements. In addition, increasing importance is devoted to the quality of experience provided to final users, which requires thorough investigations on both the transport network and the design of Internet services. In this thesis, we stress the importance of users’ centrality by focusing on the traffic they exchange with the network. To do so, we design methodologies complementing passive and active measurements, as well as post-processing techniques belonging to the machine learning and statistics domains. Traffic exchanged by Internet users can be classified in three macro-groups: (i) Outbound, produced by users’ devices and pushed to the network; (ii) unsolicited, part of malicious attacks threatening users’ security; and (iii) inbound, directed to users’ devices and retrieved from remote servers. For each of the above categories, we address specific research topics consisting in the benchmarking of personal cloud storage services, the automatic identification of Internet threats, and the assessment of quality of experience in the Web domain, respectively. Results comprise several contributions in the scope of each research topic. In short, they shed light on (i) the interplay among design choices of cloud storage services, which severely impact the performance provided to end users; (ii) the feasibility of designing a general purpose classifier to detect malicious attacks, without chasing threat specificities; and (iii) the relevance of appropriate means to evaluate the perceived quality of Web pages delivery, strengthening the need of users’ feedbacks for a factual assessment

Gotham Testbed: a Reproducible IoT Testbed for Security Experiments and Dataset Generation

The scarcity of available Internet of Things (IoT) datasets remains a limiting factor in developing machine learning based security systems. Static datasets get outdated due to evolving IoT threat landscape. Meanwhile, the testbeds used to generate them are rarely published. This paper presents the Gotham testbed, a reproducible and flexible network security testbed, implemented as a middleware over the GNS3 emulator, that is extendable to accommodate new emulated devices, services or attackers. The testbed is used to build an IoT scenario composed of 100 emulated devices communicating via MQTT, CoAP and RTSP protocols in a topology composed of 30 switches and 10 routers. The scenario presents three threat actors, including the entire Mirai botnet lifecycle and additional red-teaming tools performing DoS, scanning and various attacks targeting the MQTT and CoAP protocols. The generated network traffic and application logs can be used to capture datasets containing legitimate and attacking traces. We hope that researchers can leverage the testbed and adapt it to include other types of devices and state-of-the-art attacks to generate new datasets that reflect the current threat landscape and IoT protocols. The source code to reproduce the scenario is publicly accessible

Teollisen ohjausjärjestelmän koventaminen ja arkkitehtuuri virtualisoidussa ympäristössä

Virtualization is widely used in traditional ICT in order to share hardware resources between separate software applications while also creating isolation. This makes it possible to more efficiently utilize hardware resources as isolation doesn't require running software on separate hardware servers. Virtualization offers features like fault tolerance and the ability to create easily managed test environments. Such features are also desirable in designing and maintaining automation systems. Industrial control systems and their requirements differ significantly from traditional ICT, however. Security and reliability are of critical concern in ICS, and the effects of introducing new technology need to be thoroughly considered. Many practices that may be well-established and trusted in ICT can't be used directly in ICS, if at all. Industrial automation uses highly specialized solutions, and security measures can hinder or prevent system performance. This thesis presents the main challenges and solutions related to using virtualization in industrial automation, with a focus on security and hardening. The virtualization platform used is VMware's vSphere 6.5, and thus the practical recommendations are aimed at VMware products. Much of the general design and security principles are also applicable in environments using different virtualization software. Automation systems are complex, and maintaining virtualization adds its own operational workload. Available scripting languages and programming interfaces are researched to find ways to decrease this workload by automating some of the maintenance tasks. Automation systems are very heterogeneous and the integration of virtualization needs a lot of additional case specific consideration and practical work. Still, many of the established ICT solutions addressing virtualization security and hardening problems are found suitable for use in the ICS domain with some special considerations. Using the available VMware APIs and scripting solutions, practical tools automating security checks and hardening of virtual environments was developed