Cybersecurity in Manufacturing - 4.4

admin, 2023-08-21 00:40:26

This course is taught by Professor Shambhu J. Upadhyaya of the University at Buffalo, State University of New York.

4 Protecting Operational Technology and Intellectual Property

4.4 Monitoring, Intrusion Detection and Network Hardening

0:00

[MUSIC] Welcome to lesson four. In lesson three, we looked at intrusion prevention and data leak prevention topics and also reviewed some commercial and open source tools.

0:19

These tools require continuous monitoring of user operations to perform correctly. Oftentimes, they monitor audit logs and perform their analysis. In this lesson, the deployment of signature-based and anomaly-based intrusion detection tools will be described. The lesson will conclude with vulnerability analysis and network hardening against security breaches.

0:48

Before talking about network monitoring, let us first try to understand who these intruders are and what their typical behavior is. Intruders are the people or organizations which cause significant issues for networked systems by hostile or unwanted access to intellectual property. There are three classes of intruders. Masquerader: these are intruders who hide their identity by impersonating someone else. Misfeasor: these are users with authenticated access to the system who misuse their privilege for unethical activities. Clandestine user: these are attackers who access the system privileges and remove audit logs after the attack to clear their footprints or any other traces of their actions.

1:51

There are numerous examples of intrusive activities on the Internet, but they can be categorized into a few distinct classes. These are: remote root compromise of an email server, web server defacement, guessing or cracking passwords, copying or viewing sensitive data or databases, running a packet sniffer, distributing pirated software, using an unsecured modem to access the Internet, impersonating a user to reset a password, and using an unattended workstation. It is interesting to know how a typical intruder behaves. Just as it is possible to profile a thief or a burglar, we can characterize an intruder by their distinct behavior. They typically do one or more of the following activities: act quickly and precisely to make their activities harder to detect; exploit the perimeter via vulnerable ports.

3:08

Use Trojan horses, that is, hidden software, to leave backdoors for re-entry. Use sniffers to capture passwords. Do not stick around until noticed. And make few or no mistakes. Intruders aim to gain access and/or increase their privileges on a system. For this, they often use system or software vulnerabilities. The key goal often is to acquire passwords so that they can then exercise the access rights of the owner. Their basic attack methodologies consist of target acquisition and information gathering, to gain control over a system using system vulnerabilities.

4:05

Initial access, to acquire basic user controls over a system. Privilege escalation, to hack into a system with administrative privilege and perform any action without restriction. Covering tracks, to clear the history of any of their actions. Let us see why intrusion detection and monitoring are so important.

4:35

No system can be 100% secure, and security breaches cannot be prevented completely. The next best thing is to monitor and detect. With appropriate monitoring, a user can get alerts for any suspicious activity on the system, and therefore can take quick remedial actions to safeguard any sensitive information. Monitoring also helps in collecting information about attack signatures and system vulnerabilities. Such information is highly useful in improving system security and detecting new kinds of attacks.

5:21

A monitoring system for anomalies generates alerts if it detects any actions which are different from the normal user behavior. For creating such alerts, the monitoring system generates a profile of a regular user from system audit logs and keeps track of each activity that might lead to a security breach. Once it has the user profile generated, it then looks for any deviation from the normal user activity. If user actions vary too much from the normal, and if those activities are suspicious in terms of system security, then it generates an alert. This is called an anomaly-based intrusion detection system. This is in sharp contrast with the other type of intrusion detection system, called misuse detection, where the monitoring system looks for previously seen attack signatures. A combination of misuse detection and anomaly detection works well in detecting attacks in a network or a host of computers.

6:36

The final topic of this lesson is network hardening. Let us take a look at how intrusion prevention or detection systems can be used to harden the network and computer systems against security breaches. There are tools that help identify weak points in the network so that appropriate security appliances can be deployed to circumvent the weaknesses. One such tool is the network vulnerability scanning tool called Nessus.

7:13

Nessus is a free tool for personal use but can be purchased by organizations to determine their network's security posture, and it is maintained through a licensing fee. It does a port scan on the target device to discover which ports are open and then performs a thorough investigation to determine weaknesses such as weak password usage, misconfigurations, and unpatched vulnerabilities.

7:47

Based on the recommendations, the organization's system administrator can then harden the networks and devices by employing corrective actions, including placement of security tools at strategic locations. One can also take advantage of vulnerability repositories such as the National Vulnerability Database, or NVD, maintained by the US government, and mailing lists such as Bugtraq for vulnerability management and security measurement.

Source:
https://www.coursera.org/learn/cyber-security-manufacturing


Originally published on the WeChat official account 网络安全经济学: 制造业中的网络安全-4.4

Reposted on CN-SEC中文网: https://cn-sec.com/archives/1957071.html
