CH 3

Chapter 3 discusses workstation security, emphasizing the importance of securing both client workstations and servers to protect the entire network. It covers aspects such as workstation access controls, monitoring through audit trails, and intrusion detection systems, as well as the classification of malicious software like viruses and worms. The chapter highlights the need for password protection, screen locks, and regular audits to ensure security and prevent unauthorized access.

Uploaded by

ayman mossad

Chapter 3

Workstation Security

3-1 Introduction

Network security relies on the assumption that the underlying software on the client workstations and the servers is secure. For example, data encryption over the network is of little value when the data can be easily copied or stolen as plaintext from the client or the server. So securing each workstation and server is critical for the protection of the entire network.

We begin by presenting two basic aspects of workstation security: workstation access and workstation monitoring. Workstation security also requires protection from viruses. After reviewing the topic of viruses, we describe approaches to classifying computer systems based on their security levels.
3-2 Workstation Access

3-2-1 Power-On Password

Workstations should be protected from unauthorized user access. At power-on time, the workstation software should prompt the user to enter a password. In the absence of such a requirement, an intruder can walk to the workstation, power it on, and attempt to steal or damage the workstation resources as well as other network resources accessible through the workstation.

3-2-2 Screen Lock

Screen lock is perhaps the single most valuable feature for protecting the workstation. After a certain inactivity time-out, this feature automatically locks the workstation screen. The screen can be unlocked by entering a password that is known only to the user. This is clearly of significant value, since it protects the workstation when the user has stepped away for a long time.

Additionally, the workstation may present a locked screen at the time of power on. In this way, even if an intruder walks to a workstation and powers it on, he still cannot unlock the screen.
3-2-3 Old Accounts

A large system may contain many user accounts whose owners have since left the organization. Such accounts may be broken into by an intruder if the power-on logon password is easy to guess. Furthermore, breaking into these accounts may go unnoticed because the legitimate user is not around any more.

A simple precaution is to identify and delete all the idle accounts at frequent time intervals. To implement this function, each user account is assigned an expiration date. For example, for a student account in a university system, the expiration date may be the end of the academic year. At the beginning of every month, the system (administrator) can check the accounts that are due to expire that month and delete accounts that are not required anymore.
3-2-4 Single-User and Multiuser Modes

A UNIX system can operate in single-user mode or multiuser mode. In multiuser mode, most of the system services are running. Users can access these services through a terminal, a modem, or a network connection. A UNIX system is changed to single-user mode in order to repair the system after a crash, back the system up to tape, or install new hardware or software.

When the UNIX system is booted in single-user mode, a shell (command interpreter) is started. In many systems, the root password is not required before this shell is started. So if the intruder has access to the system console and can place the system in single-user mode, the intruder can gain access to the system without providing the root password.

Moreover, this shell has the privileges of the superuser. With superuser access, an intruder can modify critical data such as user passwords. This security hole has been recognized by various vendors, and many systems have been changed to require the user to enter the root password before starting this shell.
3-3 Workstation Monitoring

Workstation monitoring consists of tracking and investigating the history of significant events. We divide this discussion into two parts, audit trail and intrusion analysis.

3-3-1 Audit Trail

There are several significant events that should be recorded for potential review at a later time. For example, consider a system where an intruder is persistently attempting to log on by trying different words as the password. The intruder tries a few times every few hours, bypassing the system's checks for a persistent user.

Assume the worst case, that the intruder has ultimately succeeded in logging on to the system. Then for the purposes of investigation, it is desirable to maintain a record of all logon activities. This record should include the network addresses of the workstations from which each user (including the intruder) has tried to log on to the system. In addition, the record should indicate the time at which the logon was attempted.

The example above relates to user activity, but it is also important to record administrative activities. In case of a break-in, a record of all the user and administrative actions may be required to investigate the break-in. A break-in can occur as a result of an inadvertent action by the administrator, such as erroneously giving root access to another user.

Audit trail pertains to the automatic recording and saving of significant system events. Auditing requires the use of procedures that automatically create a record for every security-sensitive workstation event and store the record in a secure log.

The creation and recording of audit records for logon attempts are shown in the next figure. It is common practice for logon products to offer an option for recording all logon attempts. At a minimum, they should record all the unsuccessful logon attempts.

[Figure: Audit log of logon attempts. Logons from the client workstation, and by the administrator, go to the authentication program on the security server, which formats the logon attempts as audit records and writes them to the audit log.]
3-3-2 Audit Requirements

Some of the important requirements for an audit system follow:

- Automatically collects information on all the security-sensitive activities. These activities are often selected by the administrator at installation time.
- Stores the information using a standard record format.
- Creates and saves the audit records automatically without requiring any action by the administrator.
- Protects the audit records log under some security scheme. For example, encrypt the audit log using the root password as the encryption key, or require entry of the root password to access the audit log.
- Minimally affects the normal computer system operation and performance.
Audit System Design

Implementation of an audit system can be achieved in several steps. In short, it consists of determining what events must be audited, creating the software to record those events, and then saving these records in a protected log.

To begin with, there must be some audit mechanism that is monitoring the system activities. This mechanism also logs details of each activity in the form of an audit record. Such activities may include logon attempts (successful and unsuccessful), reads or writes of sensitive files such as changes to the password database, deletion or creation of files by the administrator, and delegation of access rights by the administrator. The system administrator selects these activities at the time the audit system is installed or configured.

The audit records are saved in a secure log. Most systems work with two log files. When one of the log files is full, the audit mechanism informs the administrator to dump or print the current log file and starts writing to the other log file. This gives the administrator time to copy the audit records from the current log file to a tape or other backup medium. Alternatively, this backup process can be automated so that when a log file is full, it is copied to the backup storage medium without requiring any administrator actions.
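As an added illustration of the two-log-file scheme described above (this is not code from the chapter), the following Python class writes standard-format audit records, swaps to the other file when the active one is full, and hands the full file to a backup callback. The record fields, file names and the records written by demo() are constructed for this example.

```python
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Callable, List, Optional, Tuple

class DualFileAuditLog:
    """Audit mechanism that writes standard-format records (one JSON object
    per line) and alternates between two log files.  When the active file
    holds max_records entries it is handed to the backup callback (the
    automated 'copy to tape' step) and writing moves to the other file."""

    def __init__(self, directory: str, max_records: int,
                 backup: Optional[Callable[[Path], None]] = None) -> None:
        base = Path(directory)
        self.files = [base / "audit.0.log", base / "audit.1.log"]
        self.max_records = max_records
        self.backup = backup
        self.active = 0    # index of the file currently being written
        self.count = 0     # records in the active file
        self.switches = 0  # how many times the files were swapped
        for f in self.files:
            f.touch()
            os.chmod(f, 0o600)  # readable only by the owner (root)

    def record(self, subject: str, action: str, obj: str, success: bool = True,
               resource_usage: int = 0, source: Optional[str] = None) -> dict:
        """Create one audit record automatically; no administrator action."""
        entry = {
            "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "subject": subject,          # initiator of the action
            "action": action,            # logon, read, write, ...
            "object": obj,               # file, database, terminal, ...
            "exception": None if success else "denied",
            "resource_usage": resource_usage,
            "source": source,            # network address of the client
        }
        with self.files[self.active].open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        self.count += 1
        if self.count >= self.max_records:
            self._switch()
        return entry

    def _switch(self) -> None:
        """The active file is full: back it up and start on the other one."""
        full = self.files[self.active]
        if self.backup is not None:
            self.backup(full)
        else:  # no automation: tell the administrator to dump the file
            print(f"audit: {full} is full, copy it to backup storage")
        self.active ^= 1
        self.count = 0
        self.files[self.active].write_text("", encoding="utf-8")  # fresh start
        self.switches += 1

    def records_in(self, index: int) -> List[dict]:
        text = self.files[index].read_text(encoding="utf-8")
        return [json.loads(line) for line in text.splitlines()]

def demo() -> Tuple[DualFileAuditLog, List[Path]]:
    """Constructed run: a 3-record file size forces one swap and one backup."""
    backups: List[Path] = []
    log = DualFileAuditLog(tempfile.mkdtemp(), 3, backup=backups.append)
    log.record("aly", "logon", "tty1", source="10.0.0.5")
    log.record("aly", "logon", "tty1", success=False, source="10.0.0.5")
    log.record("root", "write", "/etc/passwd", resource_usage=1)
    log.record("aly", "read", "payroll.dat")
    return log, backups
```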
3-3-3 Intrusion Detection

Concepts

Intrusion detection is the process of detecting and identifying unauthorized or unusual activity on the system. By using the audit records, the intrusion detection system should identify any undesirable activity. Such a scheme requires a specification of what constitutes an undesirable activity and a means of automatically detecting such activity as it occurs.

For example, consider a real estate agent who works 9 AM to 5 PM every weekday. The agent logs on to the real estate database at about 9 AM and logs off around 5 PM. Let us assume that an agent lists or sells no more than one or two properties in a day. Then we also know that the agent would write to the database at most two times a day. These characteristics, put together, constitute a user profile that can be used to identify any unusual behavior. If it is found that the agent logs on late in the night and writes several records to the real estate database, then this activity may be considered suspicious. But in order to automate the system, some thresholds should be specified.

For example, the threshold may specify that, based on the profile for the agent, more than two logons per week outside 9 AM to 5 PM or more than 20 updates to the real estate database per week should be identified as unusual activity.

Design

Intrusion detection design consists of two basic steps. The first step is the creation of audit records. The second step is checking the audit log against the intrusion thresholds. This design is depicted in the figure and is outlined below.

[Figure: Intrusion detection design. Step 1, creation of audit records: monitor system activity on the system being monitored, format the event information, and back it up. Step 2, checking the audit log against intrusion thresholds: identify intrusions using the thresholds and produce the intrusion report.]

The creation of audit records was described under the topic of audit trail. In the second step, the audit records are checked at frequent intervals for any activity that has exceeded the specified thresholds. Finally, an intrusion detection report is generated for review by the system administrator or investigators for potential break-ins under way.
Intrusion Detection Model

Dorothy Denning (1987) has published an Intrusion Detection Model that provides a comprehensive approach for intrusion detection. Denning's model consists of subjects, objects, audit records, profiles, anomaly records, and activity rules, as described below.

Subjects, Objects, and Audit Records

Each audit record consists of six fields: subject, action, object, exception condition, resource usage, and time stamp, as shown in the figure.

Field                 Example
Subject               Aly
Action                File write
Object                Employee record file
Exception condition   No
Resource usage        10
Time stamp            0600 11272009

Example: Aly wrote 10 records to the employee record file at 6 AM on November 27, 2009.
The subject field identifies the initiator of actions on the system. A subject can be a terminal user or a process acting on behalf of a user. The action field describes the action taken by the subject. Examples include log on, log off, read or write on a file, or execute a program. The object field identifies the receptors of the action by the subject. Examples include files, databases, messages, terminals, printers, and user- or program-created data structures.

The exception field indicates which, if any, exception condition was detected as a result of this action. The resource usage field gives the amount of resource used by this action. For example, it may be the number of lines printed on a printer, the number of records read or written on a file, or the amount of CPU time used by a program. The time stamp field identifies when this action took place.
Profiles

Profiles characterize the behavior of a subject (or a group of subjects) on an object (or a group of objects). Profiles include the description of the normal behavior of subjects with respect to the objects. So profiles can be used to detect and report any abnormal activity as recorded in the audit records.

Three candidate profiles are described, one each for measuring logon and session activity, command or program usage, and file access activity:

A-Logon and Session Activity

Logon and session activity is represented in the audit records as follows: the subject is the user, the object is the user's logon location, and the action is log on or log off.

B-Command or Program Execution

For these profiles, the audit records show the subject as a user, the object as the name of the program, and the action as execute. Measures for these profiles include execution frequency, resource usage, and execution denied.

C-File Access Activity

File access activity is reflected in audit records where the subject is a user, the object is the name of a file, and the action is read, write, create, delete, or append.

Anomaly Records

An anomaly record is created when the audit records show some abnormal behavior compared to that in the profiles. An anomaly record consists of three fields: event, time, and profile. The event indicates the system action, the time field shows the time when the event took place, and the profile field identifies the profile that was not matched.

For example, all users in an office log on between 7:45 AM and 8:20 AM. One audit record, however, indicates a user who logged on at 1 AM. So the anomaly record would consist of the event (logon), the time (1 AM), and the profile field would hold the logon profile.
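To tie the threshold example of 3-3-3 to Denning's audit and anomaly records, here is an added Python example (not from the chapter) that checks a constructed audit log for the real estate agent against the profile thresholds of two off-hours logons and 20 database updates per week and emits one anomaly record per exceeded threshold. The record format, the profile keys and the sample log are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

@dataclass
class AuditRecord:        # Denning's six audit record fields
    subject: str
    action: str
    obj: str
    exception: Optional[str]
    resource_usage: int
    timestamp: datetime

@dataclass
class AnomalyRecord:      # event, time, and the profile that was not matched
    event: str
    time: datetime
    profile: str

# Constructed profile for the real estate agent of 3-3-3: weekdays 9 AM to
# 5 PM, at most 2 off-hours logons and 20 database updates per week.
AGENT_PROFILE = {
    "subject": "agent", "database": "real_estate_db",
    "work_start": time(9, 0), "work_end": time(17, 0),
    "max_offhours_logons_per_week": 2, "max_updates_per_week": 20,
}
# Constructed audit log: subject|action|object|exception|resource usage|time
SAMPLE_LOG = [
    "agent|logon|terminal_3|-|0|2009-11-23 09:02",
    "agent|logon|terminal_3|-|0|2009-11-24 23:40",
    "agent|write|real_estate_db|-|15|2009-11-24 23:55",
    "agent|logon|terminal_3|-|0|2009-11-25 01:15",
    "agent|logon|terminal_3|-|0|2009-11-26 02:05",
    "agent|write|real_estate_db|-|8|2009-11-26 02:30",
    "clerk|logon|terminal_1|-|0|2009-11-26 03:00",
]

def parse_record(line: str) -> AuditRecord:
    s, a, o, e, u, t = line.split("|")
    return AuditRecord(s, a, o, None if e == "-" else e, int(u),
                       datetime.strptime(t, "%Y-%m-%d %H:%M"))

def off_hours(rec: AuditRecord, profile: dict) -> bool:
    t = rec.timestamp.time()
    return (rec.timestamp.weekday() >= 5 or t < profile["work_start"]
            or t >= profile["work_end"])

def detect(records: List[AuditRecord], profile: dict) -> List[AnomalyRecord]:
    # Step 2 of the design: group the subject's records by ISO week and
    # emit one anomaly record for every threshold that is exceeded.
    logons, updates = defaultdict(list), defaultdict(list)
    for r in records:
        if r.subject != profile["subject"]:
            continue                       # other subjects have own profiles
        week = r.timestamp.isocalendar()[:2]
        if r.action == "logon" and off_hours(r, profile):
            logons[week].append(r)
        elif r.action == "write" and r.obj == profile["database"]:
            updates[week].append(r)
    anomalies = []
    for recs in logons.values():
        if len(recs) > profile["max_offhours_logons_per_week"]:
            anomalies.append(AnomalyRecord(f"{len(recs)} off-hours logons",
                             recs[-1].timestamp, "logon and session activity"))
    for recs in updates.values():
        n = sum(r.resource_usage for r in recs)   # records written that week
        if n > profile["max_updates_per_week"]:
            anomalies.append(AnomalyRecord(f"{n} database updates",
                             recs[-1].timestamp, "file access activity"))
    return anomalies
```

On the sample log, the three night-time logons and the 23 records written in the same week each produce an anomaly record, while the clerk's record is ignored because it belongs to a different subject.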
3-4 Viruses

3-4-1 Background

The scientifically correct definition of a computer virus is a self-reproducing automaton. Viruses often have the capability to gain control of the computer. When it is executed, a virus makes one or more copies of itself, and when these copies are executed, more copies are made, ad infinitum. A virus is not an independent program. A virus executes when its home program executes, as explained later.

3-4-2 Taxonomy of Malicious Programs

There is a variety of malicious software that can attack computer systems. Almost everyone has heard about viruses, but many people are not aware of other kinds of vandal programs and how they differ from each other. In the following, we present the different types of malicious software.
Malicious programs can be divided into two types: programs that require a host program and programs that can exist independently. Programs of the first type are really fragments of software. These programs cannot exist by themselves; they need some application, utility, or system program. Viruses, for example, need a host program and can also replicate themselves, as described earlier. The second type of program is self-contained and can be scheduled and run independently.

Another approach to classifying the malicious programs is based on whether they can replicate themselves. Both classifications are shown in the table.

                  Can Replicate Itself   Host Program Required
Viruses           Yes                    Yes
Bacteria          Yes                    No
Worms             Yes                    No
Trapdoors         No                     Yes
Logic bombs       No                     Yes
Trojan horses     No                     Yes

Classes of Malicious Programs
Bacteria

Bacteria are programs that duplicate themselves. While these programs do not directly attack any software, they consume resources simply by replicating themselves. For example, a bacteria program may create two new files by copying its own source file. These source files execute again to replicate themselves, and so on. So bacteria grow exponentially, eventually consuming all the processor capacity, system memory, or disk space.

Worms

A worm is an independent program that can replicate itself and often spreads to different sites over a network. Since it is an independent program, it does not need another program to spread itself. A worm usually does not attack other programs or files. At the same time, it is not benign: it consumes network resources and can bring the network to a near shutdown.

Trapdoors

A trapdoor is an undocumented entry point into software that circumvents the normal system protection. Trapdoors have been used legitimately by programmers to test, monitor, trace, debug, and sometimes even fix programs. Mostly, trapdoors are used during software development. But sometimes the trapdoors are left in the programs by design or oversight.

When a programmer inserts a trapdoor, usually the programmer does not expect others to find out the method of access to the trapdoor. It may be a special keystroke or a special command. If another programmer finds out the trapdoor, then that programmer has instantly gained special privileges to change or modify the program.
Logic Bombs

A software logic bomb or time bomb is a fragment of software that is set to inflict damage when a certain set of conditions exists. A logic bomb needs a host software program to carry the bomb. The conditions that would trigger the bomb may include the presence or absence of a file, a particular user accessing a file or logging on, or a particular day of the week or a date. Once triggered, a bomb may modify or delete data, delete an entire file, cause the machine to halt, or inflict some other damage.

Trojan Horses

In classical mythology, a Trojan horse was a large hollow horse made of wood in which the Greeks hid their soldiers and left it at the gates of Troy. When the Trojans brought the horse inside Troy, the hidden soldiers came out and opened the gates for the rest of the Greek army, which led to the Greeks winning the war.

For computer systems, a Trojan horse is a piece of code that hides inside a program and performs a disguised function. This piece of code does not exist independently and needs to be planted in another program for disguise.
3-4-3 Types of Viruses

There are three types of viruses that run on PCs. The first type of virus attaches itself to EXE, COM, or SYS files and is executed whenever that particular file is executed. The second type of virus attaches to a specific file, rather than attacking any file of a given type. For this type of virus, the creator must gain extensive knowledge of the particular file. A virus of this type can then hide inside the file, such as in the data area. The third type of virus is called a boot sector virus. Here the virus resides in the boot sector of the disk drive. When the computer is powered on, it loads the boot sector before executing any other program. In this way, the virus is executed before any other program can execute and detect the existence of the virus. Viruses can infect several kinds of computer systems, although many viruses are designed to attack PCs.
3-4-4 Designing a Virus

Consider a virus that is designed to infect an assembly language program. It must execute a sequence of steps to effectively plant the virus code for execution. These steps are listed below:

1- Locate the first executable instruction in the target program.
2- Replace that instruction with an instruction to jump to the memory location next to the last instruction of the target program.
3- Insert the virus code for execution at the end of the target program.
4- Insert an instruction at the end of the virus program to simulate the original first instruction of the target program that the virus replaced in step 2.
5- Add another instruction at the end of the virus code to jump back to the second instruction of the target program.
3-4-5 Elements of a Virus

Any virus must consist of some basic functions. It must be able to locate new target areas, must be able to copy itself to those new areas, must have executable code to inflict the damage, and must have a set of anti-detection routines to protect all of the virus code from being detected.

To begin with, the virus needs a search routine. The search routine finds new areas for the virus to extend to, such as disk space or programs. These are the areas that would be the next targets in which the virus places its copies. The search routine finds safe areas where the virus can hide its copies. There is a tradeoff here between the size of the routine and how well it searches for target areas. A good search program will quickly find new target areas. However, this may lead to a large search routine, which leads to a larger size for the virus code, thereby increasing the chances of the virus being detected.
Next, the virus must include a copy routine to copy the virus to new target areas. The size of the copy routine depends on the complexity of the virus code and the target area. The copy routine must also be as small as possible to avoid detection.

Additionally, the virus must include a viral routine that executes the unauthorized actions, such as deletion of records from a particular file or preventing the user from accessing computer resources.

Finally, the anti-detection routine is embedded all through the virus code and protects the virus from detection. This routine, as well as the rest of the virus code, should add up to a small piece of code. A smaller code size makes it easier to hide and reduces the chances of being detected. Anti-detection routines may also control the timing of the execution of the virus code. For example, it may not let the virus code access a file continuously over a short period of time, in order to avoid arousing the user's suspicion through noticeable unauthorized file accesses. On the other hand, the anti-detection routine may let the virus access a particular file when the user is accessing some other file, so that the file access by the virus code may go undetected.
3-4-6 Virus Precautions

There are several precautions that can help private companies protect against viruses. These steps include scanning all disks for viruses, especially those coming from employees' homes or in the mail. Many viruses are brought in when employees take work home on disks. Companies may provide employees with virus protection software for their home workstations. Finally, once a PC is determined to be free from viruses, reconfigure the PC so that it will not boot from a disk.
