Next: 3.1.3 Security management service Up: 3.1 Interactions in adaptive Previous: 3.1.1 Interactions within the

3.1.2 Security engine interactions

Not only does a security engine have to provide protection at various layers; several engines may also need to work together to successfully detect an attack scenario. Consider an employee who has access to a networked computer system. He logs on to a certain computer. This event is detected, and the system now knows that this person is connected at that particular machine. By some means he succeeds in forcing the network interface of the machine into promiscuous mode and installs a network sniffer that collects all data sent over the network. In doing so he is able to retrieve passwords that other people use to log on remotely to other systems. He now logs on to another machine impersonating someone with more privileges than himself on that system, thereby breaching the access control policies.

The computer security engine notices a login; the network security system knows who logs on from where. Neither event gives any clue to an attack by itself; combining the two, however, gives us enough information to conclude that an impersonation attack is taking place.

An attack like this cannot be spotted by a network security system alone: forcing the network interface into promiscuous mode may indicate a potential danger, but it is not an attack in itself. Logging on remotely -- which is detected by the computer security system -- is not an attack either. The combination of both events, however, does result in a threat scenario: someone sitting behind a computer system, authenticated to that system, who logs on to a remote system as someone else constitutes a masquerading attack [3.1]. Moreover, additional information from a physical security system could be used to check whether the person logging on from a console is also physically present where the computer is located.



Footnotes

[3.1] ... masquerading attack
The attacker could of course log off and then log on using the other person's credentials. As soon as the victim logs on himself (at another machine), this would be spotted by the computer security engine: it is quite hard to clone yourself and use several distant terminals at the same time. Additional information from the operating system, like keyboard activity for instance, could be used to prevent false alarms from the same person simultaneously logging in at various machines.
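The following is an added example, not part of the thesis, showing in Python how the correlation described in this section and in footnote 3.1 could be implemented. It assumes a hypothetical computer security engine reporting console and remote logins and a hypothetical network security engine reporting promiscuous-mode interfaces; the event records, host names and user names are constructed sample data.

```python
# Constructed sample events (not from the thesis). The computer security
# engine reports logins; the network security engine reports interfaces
# that were switched into promiscuous mode.
EVENTS = [
    {"type": "console_login", "host": "ws1", "user": "alice"},
    {"type": "promisc_mode", "host": "ws1"},
    {"type": "remote_login", "src": "ws1", "dst": "srv1", "user": "bob"},
    {"type": "console_login", "host": "ws2", "user": "bob"},
]


class Correlator:
    """Joins host-level and network-level events that are harmless alone."""

    def __init__(self):
        self.console_user = {}       # host -> user authenticated at its console
        self.sniffing_hosts = set()  # hosts whose interface is promiscuous
        self.locations = {}          # user -> hosts the person is seated at
        self.alerts = []

    def _track(self, user, host):
        # Footnote 3.1: one person cannot sit at several distant terminals
        # at once, so a second physical location for the same user is suspect.
        seen = self.locations.setdefault(user, set())
        if seen and host not in seen:
            self.alerts.append(("concurrent_sessions", user, sorted(seen | {host})))
        seen.add(host)

    def feed(self, ev):
        if ev["type"] == "console_login":
            self.console_user[ev["host"]] = ev["user"]
            self._track(ev["user"], ev["host"])
        elif ev["type"] == "promisc_mode":
            self.sniffing_hosts.add(ev["host"])
        elif ev["type"] == "remote_login":
            at_console = self.console_user.get(ev["src"])
            if at_console and at_console != ev["user"]:
                # Authenticated at the console as one person, logging on
                # remotely as another: the masquerade scenario. The sniffer
                # indicator is attached as supporting evidence.
                self.alerts.append(("masquerade", at_console, ev["user"],
                                    ev["src"], ev["src"] in self.sniffing_hosts))
            # The person issuing a remote login is physically at the source host.
            self._track(ev["user"], ev["src"])
        return self.alerts


def run(events=EVENTS):
    """Feed all events in order and return the alerts raised."""
    c = Correlator()
    for ev in events:
        c.feed(ev)
    return c.alerts
```

A user who is at a console and logs on remotely under the same name raises no alert, which is the false alarm the footnote warns about.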

(c) 1998, Filip Schepers