Intrusion in Information Security

Exploring Intruders, Techniques and Detections


TYBSC DEPARTMENT OF COMPUTER SCIENCE
TEAM MEMBERS
1) Muskan Asif Bandri
2) Afsha Arif Khan
3) Isra Rafiuddin Lambe
4) Umaima Nisar Hamdare
5) Aisha Ajaz Mulla
6) Juveriya Ajmal Bhatkar
7) Aisha Ashfaque Mukadam
8) Riya Manorath Parshetye
DEFINITION
Intrusion in Information Security refers to unauthorized
access or an attempt to gain access to a system, network,
or data, often with malicious intent. It involves exploiting
vulnerabilities or weaknesses in the system to gain
control or extract sensitive information. Intruders can be
individuals or automated scripts that breach security
defenses for various purposes, such as theft, disruption,
or espionage.

OR
“Intrusion is any act that compromises the security of a
system by unauthorized entities”
IMPORTANCE
Understanding intrusion in the context of information
security is crucial as it directly impacts the confidentiality,
integrity, and availability of critical data and resources.
With the rise of digital transformation, businesses and
individuals are more vulnerable to these attacks.
Effective measures against intrusion protect sensitive
data, maintain trust, and ensure uninterrupted
operations.
2013 TARGET DATA BREACH

In the 2013 Target breach, intruders used network credentials stolen from a
third-party HVAC vendor to get a foothold in Target's network, then installed
memory-scraping malware on point-of-sale systems and stole data from about
40 million credit and debit cards, demonstrating how a single weak link in a
supplier relationship can compromise an entire network.
TYPES OF INTRUDERS

MALICIOUS INSIDERS
These are individuals who have legitimate access to a system, such as
employees, contractors, or partners, but use their access for malicious
purposes. They may steal sensitive data, disrupt operations, or help external
attackers gain access. Insider threats can be particularly dangerous because
these individuals already have access to systems and networks, so perimeter
controls alone do not stop them.

HACKERS
Hackers are individuals or groups that attempt to gain unauthorized access to
systems or networks from the outside. They typically exploit vulnerabilities
in software or network configurations to bypass security controls. Hackers may
be motivated by financial gain, intellectual challenge, or political/social
causes (hacktivism).

SCRIPT KIDDIES
Script kiddies are inexperienced intruders who lack advanced technical skills.
They typically use pre-written scripts or tools created by other hackers to
carry out attacks. Though less skilled, script kiddies can still cause damage,
especially if they exploit known vulnerabilities in outdated systems.

CYBER TERRORISTS
Cyber terrorists are intruders motivated by political or ideological goals.
They use cyberattacks to create fear, cause damage to critical infrastructure,
or disrupt services. Cyber terrorism can target governments, utilities,
financial institutions, or other entities that are vital to society's
functioning.
INTRUSION TECHNIQUES
Brute Force, Phishing, SQL Injection, XSS, DoS/DDoS

BRUTE FORCE
In a brute force attack, an attacker attempts to gain unauthorized access to a
system by systematically trying every possible combination of passwords or
encryption keys until the correct one is found. Although time-consuming, brute
force attacks can be effective if passwords are weak or if multi-factor
authentication is not in place. Rate limiting and lockout after repeated
failures make them impractical against online logins.

PHISHING
Phishing is a form of social engineering where attackers trick individuals
into revealing sensitive information, such as usernames, passwords, or credit
card numbers, by pretending to be a trustworthy entity in electronic
communication, often through email or fake websites. Phishing attacks are one
of the most common methods of intrusion.

SQL INJECTION
SQL injection is an attack technique where an attacker inserts malicious SQL
code into an input field of a web application. If the input is concatenated
into the query text instead of being passed as a bound parameter, this code is
executed by the database, allowing the attacker to read or manipulate the
database and in some cases bypass authentication. SQL injection attacks are
commonly used to steal sensitive information from databases; the reliable
defence is parameterized (prepared) queries rather than input filtering alone.

XSS
Cross-site scripting (XSS) is a type of attack where an attacker injects
malicious scripts into a trusted website, which are then executed in the
victim's browser with the trust of that site. These scripts can hijack user
sessions, steal cookies, or redirect users to malicious websites. XSS exploits
web applications that place untrusted input into a page without
context-appropriate output encoding.

DoS/DDoS
A Denial of Service (DoS) attack aims to make a system, network, or service
unavailable to its intended users by overwhelming it with a flood of
illegitimate requests. The goal is to exhaust the system's resources, making
it unable to respond to legitimate requests. Distributed Denial of Service
(DDoS) attacks use multiple compromised systems, often a botnet, to launch the
attack, which makes the traffic much harder to filter by source.
INTRUSION DETECTION SYSTEM

An Intrusion Detection System (IDS) is a security solution designed to monitor
network traffic or system activities for suspicious behavior or policy
violations. An IDS identifies potential intrusions or unauthorized activity in
real time and raises alerts, enabling security teams to take immediate action
to mitigate risks.

OR
“Intrusion Detection Systems (IDS) monitor network or
system activities for malicious actions or security policy
violations, providing alerts for potential intrusions”
TYPES OF IDS

NETWORK-BASED IDS (NIDS)
• Monitors traffic across entire network segments
• Analyzes network packets in real time
• Detects threats from external sources targeting the network
• Has broader coverage but cannot inspect the contents of encrypted traffic
unless that traffic is decrypted for it first
• Is placed at key network points such as routers, switch mirror ports, or
network taps

HOST-BASED IDS (HIDS)
• Focuses on the activities of an individual system or host
• Inspects files, logs, and system calls on a specific device
• Identifies threats that are visible only on a single host, including
activity by already-authenticated insiders
• Provides deeper insight into host behavior but lacks overall network
visibility
• Is installed on individual devices such as servers or PCs, and can itself
be tampered with if the host is fully compromised
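One of the host-side checks listed above, file inspection, as an added example that is not part of the original slides: a minimal file-integrity monitor of the kind a HIDS runs. It takes a SHA-256 baseline of every file under a directory, re-scans later, and reports what was added, removed or modified. The directory contents (a tiny fake /etc and an "attacker's" dropped script) are constructed inside a temporary directory so the demo runs anywhere.

```python
"""Added example (not from the original slides): the file-integrity check that
a host-based IDS performs. Hash every file under a root into a baseline,
re-hash later, and report what changed. The files are constructed for the demo."""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file under root (path relative to root, '/' separated)
    to its SHA-256 hex digest."""
    state = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = hash_file(full)
    return state


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; each value is a sorted list of relative paths."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Baseline a constructed mini file system, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed content
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")                # constructed content
        baseline = snapshot(root)

        # Simulated tampering: a second UID-0 account appended, a script dropped.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/bash\n")
        with open(os.path.join(root, "payload.sh"), "w") as fh:
            fh.write("#!/bin/sh\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a real deployment has to handle: the baseline must be stored off the host or signed, because an intruder with root can rewrite it along with the files, and anything changed and restored between two scans is invisible to a periodic check, which is why production HIDS also hook file-change events or system calls.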
METHODS OF DETECTION

Signature-based Detection: matches traffic or host activity against patterns
of attacks that are already known.
Anomaly-based Detection: builds a baseline of normal behavior and flags
significant deviations from it.
IDS ALERTS AND ERRORS
When an IDS detects suspicious activity, it generates an alert, allowing the
security team to investigate and respond. This could involve blocking
malicious traffic, isolating affected systems, or escalating the incident for
further analysis. In some cases, advanced IDS deployments may automatically
respond to threats by taking predefined actions such as blocking IP addresses
or shutting down compromised systems; at that point the system is acting as an
intrusion prevention system, and a false positive no longer costs an analyst's
time but blocks legitimate traffic.
INTRUSION PREVENTION SYSTEM

An Intrusion Prevention System (IPS) is a network security solution that not
only detects potential threats but also actively prevents them by blocking
malicious traffic in real time. It takes proactive actions such as blocking IP
addresses, terminating sessions, and preventing harmful data from entering or
exiting the network.
HOW IPS WORKS
Incoming traffic -> IPS analyzes traffic -> legitimate traffic is allowed
through; malicious traffic is blocked.
METHODS OF PREVENTION

SIGNATURE-BASED PREVENTION
• Detects known threats using predefined patterns
• Is effective against previously documented attacks
• Requires regular updates to its signature database
• Has lower false positives but can miss zero-day attacks and known attacks
that have been re-encoded to evade the signature
• Is faster and less resource-intensive

ANOMALY-BASED PREVENTION
• Identifies unusual or suspicious behavior
• Can detect novel or unknown threats
• Relies on baselines of normal behavior for detection, so the baseline must
be learned from traffic known to be clean
• Is more prone to false positives but excels at identifying unknown threats
• Requires more computation to analyze deviations from normal behavior
Limitations and Challenges of IPS:
• False Positives:
An IPS can block legitimate traffic if it incorrectly identifies it as
malicious. These false positives can disrupt normal operations, so an IPS
must be finely tuned to avoid overblocking; a common practice is to run new
rules in detect-only mode and review the alerts before enabling blocking.

• Performance Impact:
Since an IPS is deployed inline, it may introduce latency, especially in
high-traffic environments. Its performance must be managed so that it scales
with the network without introducing unacceptable delays, and its behavior
when it fails or is overloaded (fail-open, which drops protection, or
fail-closed, which drops traffic) has to be chosen deliberately.
Intrusion Detection and Prevention Systems
(IDPS)
Intrusion Detection and Prevention Systems
(IDPS) combine the functionality of both IDS and
IPS into one unified security solution. They
identify and prevent malicious activity, providing
real-time protection against cyber threats. IDPS
solutions actively monitor traffic and take action
to stop attacks while alerting security teams for
further investigation.
FEATURES OF IDPS:
• Behavioral and Signature-Based Detection:
IDPS uses a combination of signature-based and behavioral detection
techniques to identify threats. This ensures protection against known
vulnerabilities while also catching new, previously unseen attacks through
anomaly detection.

• Granular Control and Configurability:
IDPS solutions allow for detailed configuration of rules and policies,
ensuring that the system can be adapted to the organization's specific needs.
This level of customization allows for targeted protection.
ADVANTAGES OF IDPS:
• Unified Approach:
IDPS combines the detection capabilities of IDS with the prevention
capabilities of IPS. This unified approach provides more thorough security
coverage, ensuring both immediate action and long-term protection.
• Reduced Manual Intervention:
By automating many threat responses, IDPS systems reduce the amount
of manual intervention required by security teams. This allows teams to
focus on strategic decision-making rather than reacting to every potential
incident.
Intrusion Prevention: Best Practices
1. Strong Authentication:
Use of multi-factor authentication

2. Regular Patching:
Keeping systems and software updated

3. Employee Training:
Educating about social engineering and phishing attacks

4. Monitoring & Logging:
Continuous monitoring of network activity, with logs retained long enough to
investigate an intrusion that is discovered only later
CASE STUDY
Equifax Data Breach (2017)

DETAILS OF THE ATTACK
• Attack Vector: The breach was caused by an unpatched vulnerability in the
Apache Struts web application framework (CVE-2017-5638); a fix had been
available for about two months before the intrusion began.
• Stolen Data: Social Security numbers, birth dates, addresses, and, in some
cases, driver's license numbers and credit card details.
• Duration: Attackers had access to the data for over two months before
detection.

CONSEQUENCES
• Impact on Consumers: Approximately 147 million consumers were affected, with
stolen personal and financial data potentially leading to identity theft and
fraud.
• Financial Cost: The breach cost Equifax over $700 million in settlement
claims, fines, and legal fees.
• Reputation Damage: Equifax's reputation was severely damaged, leading to
loss of consumer trust and significant scrutiny from regulators.

RESPONSE AND MITIGATION
• Post-Breach Actions: Equifax implemented stricter security controls,
improved patch management, and enhanced monitoring systems to prevent future
incidents.
• Public Response: The company offered free credit monitoring services and
identity theft protection to those affected.
• Regulatory Scrutiny: The breach led to increased regulatory focus on data
protection and breach notification laws.

LESSONS LEARNED
• Importance of Patch Management: The breach highlighted the critical
importance of timely patching of known vulnerabilities, above all in
internet-facing components.
• Continuous Monitoring: Organizations need to implement continuous security
monitoring to detect unauthorized access early. At Equifax, the device that
inspected encrypted traffic had an expired certificate, so the data leaving
the network went unobserved until the certificate was renewed.
• Regulatory Compliance: This case underscored the need for companies to
comply with data protection laws and implement stronger security controls.
THANK YOU SO MUCH