System Threats
Worms – use spawn mechanism; standalone program
Internet worm
1. Exploited UNIX networking features (remote access) and bugs in finger and sendmail programs.
2. Grappling hook program uploaded main worm program.
Viruses – fragment of code embedded in a legitimate program.
1. Mainly affect microcomputer systems.
2. Downloading viral programs from public bulletin boards or exchanging floppy disks containing an infection.
3. Safe computing.
Denial of Service
1. Overload the targeted computer, preventing it from doing any useful work.
The Morris Internet Worm
Threat Monitoring
Check for suspicious patterns of activity – i.e., several incorrect password attempts may signal password guessing.
Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and developing better security measures.
Scan the system periodically for security holes; done when the computer is relatively unused. Check for:
1. Short or easy-to-guess passwords
2. Unauthorized set-uid programs
3. Unauthorized programs in system directories
4. Unexpected long-running processes
5. Improper directory protections
6. Improper protections on system data files
7. Dangerous entries in the program search path (Trojan horse)
8. Changes to system programs: monitor checksum values
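The following Python example is added here and is not part of the original notes. It implements checks 2 and 8 from the list above (unauthorized set-uid programs, checksum changes to system programs); the function names, the use of SHA-256 and the allowlist parameter are assumptions of this example.

```python
import hashlib
import os
import stat


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root to (checksum, is_setuid)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(info.st_mode):
                continue
            rel = os.path.relpath(path, root)
            state[rel] = (sha256_of(path), bool(info.st_mode & stat.S_ISUID))
    return state


def audit(baseline, current, setuid_allowlist=frozenset()):
    """Compare two snapshots; return a sorted list of (finding, path)."""
    findings = []
    for path, (checksum, is_setuid) in current.items():
        if path not in baseline:
            findings.append(("new-file", path))        # check 3 in the list
        elif baseline[path][0] != checksum:
            findings.append(("checksum-changed", path))  # check 8
        if is_setuid and path not in setuid_allowlist:
            findings.append(("unauthorized-setuid", path))  # check 2
    for path in baseline.keys() - current.keys():
        findings.append(("missing-file", path))
    return sorted(findings)
```

Take the baseline snapshot on a known-good system and store it where the monitored host cannot modify it; otherwise an intruder can rewrite the baseline along with the files.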
Firewall
A firewall is placed between trusted and untrusted hosts. The firewall limits network access between these two security domains.
Network Security Through Domain Separation Via Firewall
Intrusion Detection
Detect attempts to intrude into computer systems.
Detection methods:
1. Auditing and logging.
2. Tripwire (UNIX software that checks if certain files and directories have been altered – i.e. password files)
System call monitoring
Data Structure Derived From System-Call Sequence