Page 5 - Cyber Warnings
ACTIVE INTRUSION DETECTION
Protecting against data leaks from authorized network users
By Fiach Reid, Director, Infinite Loop Development Ltd
The weakest point of security on a network can often be its users. If a disgruntled employee
emails your server passwords to a competitor, there is no firewall or antivirus that can detect
this. Systems like firewalls and antivirus software stop unauthorized users from accessing your
network, but authorized users being either careless or malicious with your sensitive data is not
something that would be detected or prevented by standard network security. A recently
released software package, named “Active Intrusion Detection”, or “AID” for short, has been
developed by an Irish software development company named Infinite Loop, and it aims at
addressing this significant security hole in modern data networks.
What this software does is allow the network administrator to define a set of “Red Flags”, which
can be either password fragments or other sensitive data, and then set the software to listen
silently to network traffic until such time as a user tries to send this sensitive data insecurely
over the network. If an insecure transmission of sensitive data is detected, an email is
immediately sent to the network administrator, who can take action by resetting the passwords on
any compromised systems and tracking down the perpetrator of the leak via the user’s computer
name and IP address.
Although this system does not prevent the transmission of sensitive data over the network, it
does detect when such transmission has occurred, and allows prompt action to limit the damage
caused by such a leak. The concept behind the Active Intrusion Detection system is the idea of
“Red Flags”. These are network-administrator defined pieces of text that indicate a data breach
has occurred.
A sample “Red Flag” could be a password fragment to your production servers. It would be a
network admin’s worst nightmare to think that a junior developer in a company decided to post
the production server’s administrator password onto a public forum. Even if there was no
malicious intent, the security risk would be considerable.
The “Red Flag” itself should be long enough that it would not randomly occur in a stream of
completely unrelated network traffic, such as video or audio data, but at the same time it
should not be identifiable enough to become an attack vector in and of itself. So a long
fragment would be ideal. Other possible triggers could include the password for a “dummy”
user in a database. This particular user would not normally be accessible to regular users of the
system, but if its password were detected in network traffic, it would be an indication
that a hacker or careless employee was creating an insecure dump of the user database.
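The red-flag idea above can be sketched in a few lines of Python. This is an added illustration, not the AID product's code: the flag values, host names and IP addresses are constructed, the monitor enforces a minimum fragment length so a flag cannot fire on random bytes in media traffic, and it keeps a short tail per source so a fragment split across two packets is still caught.

```python
from dataclasses import dataclass

# Constructed red flags (assumed example values, not real credentials); each is a long
# fragment so it is unlikely to occur by chance in unrelated traffic such as media data.
RED_FLAGS = {
    "prod-admin-password": "Xq7!vB2#mN9$pL4zR8wT",
    "dummy-db-user-password": "hntk-aud1t-7Yq3kP2wS6",
}

@dataclass(frozen=True)
class Alert:
    flag_name: str
    src_host: str
    src_ip: str

class RedFlagMonitor:
    """Scans plaintext payloads per source host, so a fragment split across two packets still fires."""
    def __init__(self, flags, min_len=16):
        for name, frag in flags.items():
            if len(frag) < min_len:  # short flags would fire on random bytes
                raise ValueError(f"red flag {name!r} is too short ({len(frag)} < {min_len})")
        self.flags = flags
        self.max_len = max(len(f) for f in flags.values())
        self.tail = {}  # (host, ip) -> unmatched trailing text from that source

    def inspect(self, src_host, src_ip, payload: bytes):
        key = (src_host, src_ip)
        # latin-1 maps every byte to one character, so binary noise never raises
        window = self.tail.get(key, "") + payload.decode("latin-1")
        alerts = []
        for name, frag in self.flags.items():
            if frag in window:
                alerts.append(Alert(name, src_host, src_ip))
                window = window.replace(frag, "")  # do not report the same hit twice
        # keep only what could still be the start of a boundary-split fragment
        self.tail[key] = window[-(self.max_len - 1):]
        return alerts

def alert_email(alert: Alert) -> str:
    """Text of the administrator notification (actually sending mail is out of scope here)."""
    return (f"Red flag {alert.flag_name!r} seen in plaintext traffic from "
            f"{alert.src_host} ({alert.src_ip}): rotate the credential and investigate.")

def demo():
    """Constructed traffic: a forum post split over two packets, then video-like noise."""
    mon = RedFlagMonitor(RED_FLAGS)
    alerts = mon.inspect("DEV-PC-07", "10.0.0.23", b"body=here is the admin pw: Xq7!vB2#mN9")
    alerts += mon.inspect("DEV-PC-07", "10.0.0.23", b"$pL4zR8wT thanks&submit=Post")
    alerts += mon.inspect("MEDIA-01", "10.0.0.40", bytes(range(256)) * 4)
    return alerts
```

Running `demo()` yields exactly one alert, for the split production password, and none for the noise stream; a real deployment would feed `inspect` from a packet capture and hand `alert_email` to a mail sender.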
At present, the software is available for 64-bit Windows, but Linux and Mac OS versions are in
the pipeline. It can be downloaded from https://www.activeintrusiondetection.com/ for free, and it
installs as a Windows Service on the local machine. Once installed, the website will detect a
5 Cyber Warnings E-Magazine – July 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide