Types of Cyber Security Tools
Question:
Analysis of Cybersecurity Capabilities?
Cyber security consists of the technologies, policies and procedures designed to protect public and private networks and their data from external attacks and unauthorized access (Wang and Lu 2013). Cyber security is, in essence, security for computers: it protects a computer from theft and damage, covering both its hardware and its software components. It also provides protection against unwanted network access and malicious code injection, and it controls physical access to the machines. Cyber security issues grow day by day with the growing number of computer systems and our heavy dependence on them.
The report consists of a description of different types of cyber security tools and a brief analysis of them.
The report contains an analysis of two of these tools, drawn from categories such as Network Intrusion Detection System (Liao et al. 2013), Host Intrusion Detection System, Web Application Firewall (Razzaq et al. 2013), Honeypot (Holczer et al. 2015), Security Information and Event Management, and Network Vulnerability Scanner. In addition, the report contains a brief analysis of existing threat models.
Existing Threat Models
A threat model is essential for website development and for any other application development. There are various models:
STRIDE is a scheme that classifies threats according to the kind of damage they do to the system. STRIDE stands for:
Spoofing Identity: an attacker pretends to be another user, which is a very serious risk for applications. Identifying spoofing ensures that no one can take on the identity or attributes of another user.
Tampering with Data: user data can be manipulated or changed according to the wishes of a malicious party. It should be ensured that user data is not altered, lost or stolen.
Repudiation: disputes about whether a transaction took place should be resolvable by this kind of control.
Information Disclosure: users knowingly submit their details to the company or organization. Exposure of these details might lead to their wrongful use, and the system must prevent this kind of disclosure.
Denial of Service: legitimate users are prevented from using the services they are entitled to. The system must guard against such denial of service.
Elevation of Privilege: access privileges are also a very serious issue. Controls against elevation of privilege prevent a user from obtaining more access than intended.
DREAD is a scheme that classifies risks by quantifying them and setting priorities according to the amount of risk. DREAD stands for:
Risk_DREAD
Damage Potential
Reproducibility
Exploitability
Affected Users
Discoverability
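As an added example (not part of the report), the following Python helper rates threats on the five DREAD components, computes Risk_DREAD as their mean, and ranks the threats into priority bands. The report does not give the formula, so the averaging rule (the commonly used DREAD definition), the 0 to 10 rating scale, the band thresholds and the sample threats are all assumptions of this example.

```python
"""Rate, score and rank threats with DREAD (added example, not from the report)."""
from dataclasses import dataclass

# The five DREAD components, in the order the report lists them.
COMPONENTS = ("damage_potential", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str               # threat description, e.g. an instance of a STRIDE category
    damage_potential: int   # how bad is it if the threat is realised?
    reproducibility: int    # how reliably can the attack be repeated?
    exploitability: int     # how little effort or skill does it take?
    affected_users: int     # how many users are affected?
    discoverability: int    # how easy is the weakness to find?

    def __post_init__(self):
        # Assumed scale: every component is rated from 0 (none) to 10 (worst).
        for name in COMPONENTS:
            value = getattr(self, name)
            if not 0 <= value <= 10:
                raise ValueError(f"{name} must be between 0 and 10, got {value}")


def dread_score(threat):
    """Risk_DREAD as the mean of the five ratings (the usual DREAD formula; assumed here)."""
    ratings = [getattr(threat, name) for name in COMPONENTS]
    return sum(ratings) / len(ratings)


def risk_band(score):
    """Map a score to a priority band; the thresholds are this example's assumption."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(threats):
    """Highest risk first; ties are broken by damage potential, then by name."""
    return sorted(threats,
                  key=lambda t: (-dread_score(t), -t.damage_potential, t.name))


# Constructed sample: one threat per STRIDE category for a hypothetical web shop.
SAMPLE_THREATS = [
    Threat("Spoofing: predictable session token", 8, 9, 6, 9, 5),
    Threat("Tampering: order total editable on the client", 7, 10, 9, 6, 8),
    Threat("Repudiation: no audit log for refunds", 5, 10, 7, 3, 4),
    Threat("Information disclosure: verbose stack traces", 4, 10, 9, 10, 9),
    Threat("Denial of service: unbounded upload size", 6, 8, 7, 10, 6),
    Threat("Elevation of privilege: admin flag kept in a cookie", 10, 10, 8, 10, 7),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE_THREATS):
        s = dread_score(t)
        print(f"{s:4.1f}  {risk_band(s):6}  {t.name}")
```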
Alternative Threat Models
In addition to these, various alternative threat models exist:
Trike
AS/NZS 4360:2004 Risk Management
CVSS
OCTAVE
Analysis of Two Types of Tools
Host Intrusion Detection System
A host intrusion detection system (HIDS) monitors and analyzes the internals of a computer system. In addition, it also covers the network packets and the network interface of the system. It monitors the dynamic behavior of the computer system. Computers have long had tools that monitor dynamic processes, in the form of anti-virus programs; these programs also monitor the state of the system, so the line between the two kinds of tool is blurred and their functions overlap. A HIDS generally uses a database of the system objects it watches. During communication, the client exchanges a passphrase for verification of identity. A HIDS takes great care to prevent tampering with its data objects and adopts cryptographic techniques for this purpose. A HIDS also gives administrators the option of storing the data in physical memory. Among the HIDS tools, OSSEC is the most important one.
OSSEC is a multi-component tool (Mehta et al. 2015). It consists of a central manager that receives and monitors information from syslog, agents, databases and agentless devices.
OSSEC can be installed on Microsoft Windows platforms as an agent. To install the system on Linux, an OSSEC server has to be present. Agentless systems need some integrity checks to be performed. It can be used for scanning firewalls, routers and even the operating system.
Input / Output and configuration procedure of the tool:
The process contains several steps:
Step 1: Downloading and verifying OSSEC on the server and on the agent.
In this step the user downloads the OSSEC tool together with its checksum file. The user logs in to the server and updates the package database:
sudo apt-get update
The user installs the available updates:
sudo apt-get upgrade
The user installs the required packages; on the server:
sudo apt-get install inotify-tools build-essential
On the agent, the following is installed:
sudo apt-get install build-essential
After this the user downloads OSSEC and its checksum file on both Droplets (the server and the agent):
wget -U ossec https://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
wget -U ossec https://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt
After this the user verifies the md5sum of the compressed tarball:
md5sum -c ossec-hids-2.8.1-checksum.txt
The output would be:
ossec-hids-2.8.1.tar.gz: OK
md5sum: WARNING: 1 line is improperly formatted
This should be followed by verifying the SHA1 checksum.
Step 2: Install the OSSEC Server
In this step the user installs the OSSEC server. The following commands should be executed on one Droplet only. The user then starts the installation:
sudo ./install.sh
After this the user selects the mode in which the tool is to be installed:
What kind of installation do you want (server, agent, local, hybrid or help)?
After successful installation the following output is produced:
- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
More information can be found at https://www.ossec.net
Press ENTER to finish (maybe more information below).
Then the user presses ENTER.
Step 3: Configuring the OSSEC Server
The user configures the OSSEC server settings and makes sure that it can send alerts to the specified email addresses. At first the user changes to the root user. Then the user changes into the directory holding the OSSEC configuration file and makes a backup copy of it. The original file is then opened with the nano text editor for configuration:
nano ossec.conf
The following configuration settings need to be made:
<global>
<email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<smtp_server>mail.example.com.</smtp_server>
<email_from>[email protected]</email_from>
</global>
After modifying the settings the user saves the file and starts OSSEC.
Step 4: Installing the agent
The user runs the installer on the agent:
sudo ./install.sh
What is the IP Address of the OSSEC HIDS server?: your_server_ip
The user provides the server IP address noted earlier. For the other settings the user accepts the default values by pressing ENTER.
Step 5: Add Agent to the Server and Extract its Key.
The user starts the process of adding the agent:
/var/ossec/bin/manage_agents
For adding the agent the user is prompted for a name, the IP address and an ID for the agent. After entering all the fields the user confirms by pressing y.
Step 6: Importing the key from the server to the agent.
The key has to be imported from the server to the agent: the user copies the key from the server and enters it on the agent.
Step 7: Allow UDP port 1514 traffic through the firewalls
First, the user removes the drop rule:
sudo iptables -D INPUT -j DROP
For the OSSEC server, the IP address of the OSSEC agent needs to be entered in the rule that allows this traffic. Next, all outbound traffic is allowed:
sudo iptables -A OUTPUT -j ACCEPT
Finally, the drop rule is added again on both machines:
sudo iptables -A INPUT -j DROP
Step 8: Restart the OSSEC agent and server
The user restarts the server and activates the agent by typing:
/var/ossec/bin/ossec-control restart
If the connection is successful, output like the following is produced:
agentUbuntu-111.111.111.111 is active.
After successfully completing all the steps the user receives the outputs. An alert line from the agent looks like:
OSSEC Notification - (agentUbuntu) 111.111.111.111 - Alert level 3
OSSEC has many methods of sending alerts to other systems or applications. The main methods are syslog, email, and sending alerts to an SQL database. These output methods carry only the alerts, not the full data.
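Step 1 above verifies only the MD5 digest with md5sum and leaves the SHA1 digest to be checked separately. As an added example (not part of the tutorial steps or of OSSEC itself), the following Python script verifies every digest listed in a checksum file, whether the lines are in the OpenSSL/BSD "ALG(file)= hex" style or the GNU "hex  file" style, and fails closed when a line is unrecognised or any listed digest does not match; the archive contents and digests it checks are constructed in a temporary directory for the example.

```python
"""Verify every digest listed in a release checksum file (added example)."""
import hashlib
import os
import re
import tempfile

# OpenSSL/BSD style line, e.g. "MD5(ossec-hids-2.8.1.tar.gz)= <hex>"
BSD_RE = re.compile(r"^\s*(\w+)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")
# GNU coreutils style line, e.g. "<hex>  ossec-hids-2.8.1.tar.gz"
GNU_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+\*?(\S.*?)\s*$")
# GNU lines do not name the algorithm; infer it from the digest length.
ALG_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_file(text):
    """Return a list of (algorithm, file name, expected hex digest)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = BSD_RE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
            continue
        m = GNU_RE.match(line)
        if m and len(m.group(1)) in ALG_BY_HEX_LEN:
            entries.append((ALG_BY_HEX_LEN[len(m.group(1))], m.group(2), m.group(1).lower()))
            continue
        raise ValueError(f"unrecognised checksum line: {line!r}")  # fail closed
    return entries


def file_digest(path, algorithm):
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(checksum_path, directory):
    """Check every listed digest: {file name: {algorithm: matched?}}."""
    with open(checksum_path, encoding="ascii") as f:
        entries = parse_checksum_file(f.read())
    results = {}
    for algorithm, name, expected in entries:
        actual = file_digest(os.path.join(directory, os.path.basename(name)), algorithm)
        results.setdefault(name, {})[algorithm] = (actual == expected)
    return results


def all_ok(results):
    """True only if at least one digest was listed and every one matched."""
    return bool(results) and all(all(r.values()) for r in results.values())


def make_demo(tamper=False):
    """Build a constructed archive plus a two-line MD5/SHA1 checksum file in a
    temporary directory; with tamper=True the archive is altered afterwards."""
    directory = tempfile.mkdtemp()
    name = "ossec-hids-2.8.1.tar.gz"  # file name taken from the tutorial step
    data = b"constructed archive bytes, not a real OSSEC release\n"
    with open(os.path.join(directory, name), "wb") as f:
        f.write(data)
    checksum_path = os.path.join(directory, "ossec-hids-2.8.1-checksum.txt")
    with open(checksum_path, "w", encoding="ascii") as f:
        f.write(f"MD5({name})= {hashlib.md5(data).hexdigest()}\n")
        f.write(f"SHA1({name})= {hashlib.sha1(data).hexdigest()}\n")
    if tamper:
        with open(os.path.join(directory, name), "ab") as f:
            f.write(b"X")
    return checksum_path, directory


if __name__ == "__main__":
    print(verify(*make_demo()))              # both digests match
    print(verify(*make_demo(tamper=True)))   # both digests fail
```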
A honeypot is a security mechanism that detects, deflects or counters the effects of unauthorized access. It consists of data that appears to be a legitimate part of the site. The actual function of the tool is monitoring and controlling the processes of the website and preventing attackers from blocking or disrupting them; the approach is to induce the offender to commit the offence and catch the offender in the act. These tools come in several forms that keep attacks from affecting websites. These are:
deception technologies, malware honeypots and spam honeypots.
Kippo is a medium-interaction SSH honeypot used to record brute-force attacks and the shell interaction performed by an attacker (Sochor and Zuzcak 2014). Python 2.5+, Twisted 8.0, PyCrypto or Zope interface is required to run this software (Rivers and Koedinger 2015). It should be run as a dedicated non-root user. Basic Kippo configuration consists of switching to that dedicated user and obtaining Kippo; the necessary logging tables are then created, after which the setup is adapted to the environment. Once everything is configured, Kippo is run with ./start.sh. It has the option of accepting more than one password for a user name, although this may look suspicious to an attacker. It also has an annoying "sticky" feature: the attacker cannot leave the shell simply by typing the exit command, so it acts like a honeytrap that holds the attacker in a shell which executes commands and shows meaningless results. Kippo-Graph is another feature, which allows a user to view the honeypot data statistically. Kippo-Graph uses the Libchart PHP library. It collects all the attacks recorded in a given period and presents them as statistics, which increases the usefulness of Kippo's logging into an SQL database. The graphs are generated in Python. Each graph is generated twice, once at a larger scale and once at one tenth of that size.
Input / Output and configuration procedure of the tool:
For the installation of Kippo the following files are required:
kippo – directory with Kippo source files (python);
kippo.tac – configuration file for twistd (twistd is required to run Kippo);
start.sh – shell script for starting Kippo;
For configuring the tool, the configuration file has to be edited. A template of the configuration file can be found at:
https://kippo.googlecode.com/svn/trunk/kippo.cfg.dist. The main configuration file for the tool is saved under the name kippo.cfg. There are three sections in the configuration file:
[honeypot] – mandatory section including the core honeypot configuration;
[database_mysql] – optional section including the configuration of the MySQL logging module;
[database_xmpp] – optional section including the configuration of the XMPP logging module;
In the [honeypot] section the following parameters are defined:
ssh_addr – IP address on which Kippo listens for new connections (default is 0.0.0.0, meaning any IP address);
ssh_port – TCP port on which Kippo listens for new connections (default is 2222);
hostname – hostname displayed by shell prompt;
log_path – directory for saving log files
download_path – directory for saving files downloaded by the emulated wget command;
download_limit_size – maximum size of a downloaded file
filesystem_file – path to the file containing the emulated filesystem
contents_path
txtcmds_path
data_path
public_key
private_key
out_addr – IP address used by the emulated wget for opening outgoing connections
sensor_name
fake_addr
banner_file
interact_enabled
interact_port
In the [database_mysql] section the following are configured:
host – name of the server running the database
database – database name
username – name of the database user
password – password of the database user
port – port on which the database listens for new connections;
In the [database_xmpp] section the following fields are configured:
server – name of the XMPP server
user – name of the XMPP user
password – password of the XMPP user
muc – name of the MUC service
signal_createsession
signal_connectionlost
signal_loginfailed
signal_loginsucceeded
signal_command
signal_clientversion
debug – flag (true or false)
In addition, some options for twistd are also to be set:
Option -l: default is log/kippo.log
Option --pidfile: default is kippo.pid
The tool also requires some additional configuration data:
userdb.txt – text file containing in each row a triple login:uid:password
last.log – text file containing information about the last logins to the system emulated by Kippo
After the configuration is complete, the start-up procedure follows:
the start.sh file has to be executed to start the process.
The output characteristics of Kippo:
Establishment of a TCP connection:
- source IP address: L, B, X;
- source TCP port: L, X;
- target IP address: L, X;
- target TCP port: L, X;
- time of establishment of TCP connection: L, B;
Termination of a TCP connection/SSH session:
- reason of termination of TCP connection/SSH session: L;
- time of termination of TCP connection/SSH session: L, B*, X*;
- in the case of termination of an SSH session:
  * content of the file with the SSH session history: B*;
Receiving information about the version of the SSH client:
- client version: L, B*, X*;
- time of receiving the information about the client version: L;
Establishing an encrypted connection:
- encryption algorithm: L;
- time of establishment of the encrypted connection: L;
Authentication attempt of the client:
- login: L, B, X;
- password: L, B, X;
- information whether the attempt was successful: L, B, X;
- time of performing the client's authentication attempt: L, B;
- in the case of successful authentication (i.e. creation of an SSH session):
  * size of terminal: L, B;
  * name of the file created to record the SSH session history: L;
  * values of environment variables (e.g. XMODIFIERS, LANG): L;
Execution of shell commands:
- command name: L, B, X;
- information whether the command was recognized by Kippo: L, B, X;
- time of command execution: L, B;
- in the case of the wget command:
  * URL of the downloaded file: L, B;
  * name of the file where the downloaded file was saved on the host machine: L, B;
  * time of starting the file download: L, B;
  * time of finishing the file download: L;
Data input for a shell command:
- command name: L, B;
- input data: L, B;
- time of data input: L, B;
The output format:
Main log:
Each entry of the main log consists of three parts:
timestamp – log entry creation time
context – log entry context
message – log entry message
The establishment of a TCP connection is recorded in the main log as a single entry:
context := [kippo.core.honeypot.HoneyPotSSHFactory]
message := New connection: IP source:port source (IP dest:port dest) [session: session id], where:
- IP source: source IP address;
- port source: source TCP port;
- IP dest: target IP address;
- port dest: target TCP port;
- session id: a number uniquely identifying the TCP connection/SSH session in the main log (session identifier);
The output generated for this connection:
2013-01-08 14:18:25+0100 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.168.122.1:35533 (192.168.122.82:2222) [session: 0]
Information logged about the encryption negotiation:
2013-01-08 14:18:26+0100 [HoneyPotTransport,0,192.168.122.1] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2013-01-08 14:18:26+0100 [HoneyPotTransport,0,192.168.122.1] outgoing: aes128-ctr hmac-md5 none
2013-01-08 14:18:26+0100 [HoneyPotTransport,0,192.168.122.1] incoming: aes128-ctr hmac-md5 none
2013-01-08 14:18:26+0100 [HoneyPotTransport,0,192.168.122.1] NEW KEYS
2013-01-08 14:18:26+0100 [HoneyPotTransport,0,192.168.122.1] starting service ssh-userauth
Authentication attempt of the client:
2013-01-08 14:33:27+0100 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.122.1] login attempt [root/123456] succeeded
2013-01-08 14:33:27+0100 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.122.1] root authenticated with keyboard-interactive
2013-01-08 14:33:27+0100 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.122.1] starting service ssh-connection
2013-01-08 14:33:27+0100 [SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] got channel session request
2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] channel open
2013-01-08 14:33:27+0100 [SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] got global no-more-[email protected] request
2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] pty request: xterm (33, 129, 0, 0)
2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] Terminal size: 33 129
2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] request env: 'x00 [email protected]=none'
2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] request env: 'x00 x00x00x04LANGx00x00x00npl PL.utf8'
2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] getting shell
2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] Opening TTY log: /var/log/kippo/log/tty/20130108-143327-9152.log
2013-01-08 14:33:33+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] /etc/motd resolved into /etc/motd
Execution of a shell command:
2013-01-08 14:51:47+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] CMD: wget www.dna.caltech.edu/Papers/DNAorigami-nature.pdf
2013-01-08 14:51:47+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] Command found: wget www.dna.caltech.edu/Papers/DNAorigami-nature.pdf
2013-01-08 14:51:47+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] Starting factory <HTTPProgressDownloader: https://www.dna.caltech.edu/Papers/DNAorigami-nature.pdf>
2013-01-08 14:51:50+0100 [HTTPPageDownloader,client] Updating realfile to /var/log/kippo/dl/20130108145147 http www dna caltech edu Papers DNAorigami nature pdf
2013-01-08 14:51:50+0100 [HTTPPageDownloader,client] Stopping factory
2013-01-08 14:51:47+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] INPUT (passwd): pp
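The following Python script is an added example, not part of the report or of Kippo itself: it parses main-log entries of the form shown above ("timestamp [context] message") into per-session records, using the HoneyPotSSHFactory entry for the source and target addresses and the session id carried in the HoneyPotTransport context for everything that follows. The log lines it runs on are constructed to follow that format; a defender would use the summary to see which credentials succeeded and which commands the emulated shell did not recognise.

```python
"""Parse Kippo main-log entries into per-session records (added example)."""
import re
from collections import defaultdict

# Every main-log entry is "<timestamp> [<context>] <message>".
ENTRY_RE = re.compile(r"^(\S+ \S+) \[(.+?)\] (.*)$")
# First entry of a session, logged by HoneyPotSSHFactory.
NEW_CONN_RE = re.compile(
    r"New connection: (\S+):(\d+) \((\S+):(\d+)\) \[session: (\d+)\]")
# Later entries name the session in their context: "...HoneyPotTransport,<id>,<src ip>".
TRANSPORT_RE = re.compile(r"HoneyPotTransport,(\d+),([\d.]+)")
LOGIN_RE = re.compile(r"login attempt \[(.*?)/(.*?)\] (succeeded|failed)")
COMMAND_RE = re.compile(r"^Command (found|not found): (.*)$")


def new_session():
    return {"src": None, "src_port": None, "dst": None, "dst_port": None,
            "start": None, "logins": [], "commands": []}


def parse_kippo_log(text):
    """Return {session_id: record} built from the main-log text."""
    sessions = defaultdict(new_session)
    for line in text.splitlines():
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # not a well-formed entry; skip it
        timestamp, context, message = entry.groups()
        conn = NEW_CONN_RE.search(message)
        if conn:
            src, sport, dst, dport, sid = conn.groups()
            sessions[sid].update(src=src, src_port=int(sport), dst=dst,
                                 dst_port=int(dport), start=timestamp)
            continue
        transport = TRANSPORT_RE.search(context)
        if not transport:
            continue  # entry not tied to a session
        record = sessions[transport.group(1)]
        login = LOGIN_RE.search(message)
        if login:
            user, password, outcome = login.groups()
            record["logins"].append((user, password, outcome == "succeeded"))
            continue
        command = COMMAND_RE.match(message)
        if command:
            record["commands"].append((command.group(2), command.group(1) == "found"))
    return dict(sessions)


def summarize(sessions):
    """One row per session: source, login attempts, credentials that worked,
    and the commands Kippo could not emulate (gaps in the fake shell)."""
    rows = []
    for sid, rec in sorted(sessions.items(), key=lambda kv: int(kv[0])):
        rows.append({
            "session": sid, "src": rec["src"], "attempts": len(rec["logins"]),
            "successful_creds": [(u, p) for u, p, ok in rec["logins"] if ok],
            "commands": len(rec["commands"]),
            "unrecognized": [c for c, found in rec["commands"] if not found],
        })
    return rows


# Constructed log lines following the main-log format shown above.
SAMPLE_LOG = """\
2013-01-08 14:18:25+0100 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.168.122.1:35533 (192.168.122.82:2222) [session: 0]
2013-01-08 14:18:26+0100 [HoneyPotTransport,0,192.168.122.1] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2013-01-08 14:33:20+0100 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.122.1] login attempt [root/123] failed
2013-01-08 14:33:27+0100 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.122.1] login attempt [root/123456] succeeded
2013-01-08 14:51:47+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] CMD: pwd
2013-01-08 14:51:47+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] Command found: pwd
2013-01-08 14:52:01+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] CMD: top
2013-01-08 14:52:01+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] Command not found: top
2013-01-08 15:02:10+0100 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 10.0.0.5:40001 (192.168.122.82:2222) [session: 1]
2013-01-08 15:02:12+0100 [SSHService ssh-userauth on HoneyPotTransport,1,10.0.0.5] login attempt [admin/admin] failed
"""

if __name__ == "__main__":
    for row in summarize(parse_kippo_log(SAMPLE_LOG)):
        print(row)
```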
Establishment of the connection:
insert into sensors (id, ip) values ('3', 'kippo hp');
insert into sessions (id, starttime, endtime, sensor, ip, termsize, client) values ('e28678b4599511e2bab10800277e980c', '2013-01-08 13:18:26', NULL, '3', '192.168.122.1', NULL, NULL);
Termination of the TCP connection:
update sessions set endtime = '2013-01-08 14:03:22' where id = 'e28678b4599511e2bab10800277e980c';
insert into ttylog (id, session, ttylog) values ('4', 'e28678b4599511e2bab10800277e980c', BLOB);
The XMPP output:
The TCP connection information:
<message from="[email protected]/kippo-XDJQcVxo" type="groupchat" to="[email protected]/localhost">
<body>
<kippo xmlns="https://code.google.com/p/kippo/" type="createsession">
<session local_host="127.0.0.1" session="136371692cdb4d91b3eec6ff04618232" local_port="2222" remote_port="35533" remote_host="192.168.122.1"/>
</kippo>
</body>
</message>
<message from="[email protected]/kippo-XDJQcVxo" type="groupchat" to="[email protected]/localhost">
<body>
<kippo xmlns="https://code.google.com/p/kippo/" type="connectionlost">
<session session="136371692cdb4d91b3eec6ff04618232"/>
</kippo>
</body>
</message>
<message from="[email protected]/kippo-XDJQcVxo" type="groupchat" to="[email protected]/localhost">
<body>
<kippo xmlns="https://code.google.com/p/kippo/" type="clientversion">
<version session="136371692cdb4d91b3eec6ff04618232" version="SSH-2.0-OpenSSH_5.3"/>
</kippo>
</body>
</message>
<message from="[email protected]/kippo-XDJQcVxo" type="groupchat" to="[email protected]/localhost">
<body>
<kippo xmlns="https://code.google.com/p/kippo/" type="loginfailed">
<credentials session="136371692cdb4d91b3eec6ff04618232" password="123" username="root"/>
</kippo>
</body>
</message>
<message from="[email protected]/kippo-XDJQcVxo" type="groupchat" to="[email protected]/localhost">
<body>
<kippo xmlns="https://code.google.com/p/kippo/" type="loginsucceeded">
<credentials session="136371692cdb4d91b3eec6ff04618232" password="123456" username="root"/>
</kippo>
</body>
</message>
<message from="[email protected]/kippo-XDJQcVxo" type="groupchat" to="[email protected]/localhost">
<body>
<kippo xmlns="https://code.google.com/p/kippo/" type="command">
<command session="136371692cdb4d91b3eec6ff04618232" command="known">pwd</command>
</kippo>
</body>
</message>
Conclusion
In conclusion, there are various types of security tools that are open source, so they can be obtained for free and their services used for free. The report consists of a brief analysis of various kinds of security tools. Each tool has different features and is efficient in its own way. Hence, different tools must be used for different functions in different situations, although most of the tools are suitable for almost all types of jobs and all types of open source platforms.
References
Arambatzis, T., Lazaridis, I. and Pouros, S., 2016, May. Modern Windows Server Operating Systems Vulnerabilities. In The Third International Conference on Computer Science, Computer Engineering, and Social Media (CSCESM2016) (p. 29).
Arney, C.A. and Wang, X., 2016, September. Active Snort Rules and the Needs for Computing Resources: Computing Resources Needed to Activate Different Numbers of Snort Rules. In Proceedings of the 5th Annual Conference on Research in Information Technology (pp. 54-54). ACM.
Bacs, A., Giuffrida, C., Grill, B. and Bos, H., 2016, April. Slick: an intrusion detection system for virtualized storage devices. In Proceedings of the 31st Annual ACM Symposium on Applied Computing (pp. 2033-2040). ACM.
Blas, G., Javier, F., Wyrzykowski, R., Jeannot, E. and Carretero Pérez, J., 2015. Proceedings of the Second International Workshop on Sustainable Ultrascale Computing Systems (NESUS 2015) Krakow, Poland.
Choug, J., Kayal, E.S., Ben-Nissanh, B. and Oktari, F.N., 2015. Nano-Bioceramic Synthesis from Tropical Sea Snail Shells (Tiger Cowrie-Cypraea Tigris) with Simple Chemical Treatment. methods, 23, p.24.
Di Rita, M., Nascetti, A. and Crespi, M., 2017. Open source tool for DSMs generation from high resolution optical satellite imagery: development and testing of an OSSIM plug-in. International Journal of Remote Sensing, 38(7), pp.1788-1808.
Holczer, T., Félegyházi, M. and Buttyán, L., 2015. The design and implementation of a PLC honeypot for detecting cyber attacks against industrial control systems.
Keller, N., 2015. Cybersecurity Framework-Industry Resources.
Liao, H.J., Lin, C.H.R., Lin, Y.C. and Tung, K.Y., 2013. Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications, 36(1), pp.16-24.
Lin, H., Slagell, A., Kalbarczyk, Z. and Iyer, R.K., 2014, September. Semantic security analysis of scada networks to detect malicious control commands in power grids (poster). In Proceedings of the 7th International Conference on Security of Information and Networks (p. 492). ACM.
Mehta, V., Bahadur, P., Kapoor, M., Singh, P. and Rajpoot, S., 2015, February. Threat prediction using honeypot and machine learning. In Futuristic Trends on Computational Analysis and Knowledge Management (ABLAZE), 2015 International Conference on (pp. 278-282). IEEE.
O’Leary, M., 2015. IIS and ModSecurity. In Cyber Operations (pp. 457-483). Apress.
Razzaq, A., Hur, A., Shahbaz, S., Masood, M. and Ahmad, H.F., 2013, March. Critical analysis on web application firewall solutions. In Autonomous Decentralized Systems (ISADS), 2013 IEEE Eleventh International Symposium on (pp. 1-6). IEEE.
Rivers, K. and Koedinger, K.R., 2015. Data-driven hint generation in vast solution spaces: a self-improving python programming tutor. International Journal of Artificial Intelligence in Education, pp.1-28.
Rizal, M., 2015, July. RANCANG BANGUN SISTEM PENCEGAHAN PENYUSUPAN PADA JARINGAN KOMPUTER BERBASIS CYBEROAM. In Seminar Nasional Informatika (SEMNASIF) (Vol. 1, No. 3).
Sochor, T. and Zuzcak, M., 2014, June. Study of internet threats and attack methods using honeypots and honeynets. In International Conference on Computer Networks (pp. 118-127). Springer International Publishing.
Wang, W. and Lu, Z., 2013. Cyber security in the Smart Grid: Survey and challenges. Computer Networks, 57(5), pp.1344-1371.
Xu, Z., Malmer, D., Langille, M.G., Way, S.F. and Knight, R., 2014. Which is more important for classifying microbial communities: who’s there or what they can do?. The ISME journal, 8(12), p.2357.