Ch. 7 - Security Technology: Intrusion Detection and Prevention Systems Flashcards
Story or vignette
The story is about Miller Harrison, a contractor whose contract with SLS gets terminated. He is resentful and angry, blames Kelvin and Laverne Nguyen for his firing, and decides he is going to try to hack the company's network.
In violation of company policy, he had taken home a copy of the network diagram in previous weeks and had stashed files and access codes in preparation.
First, he attacked from an internet cafe using a VPN.
He found himself locked out of both the front door (the remote access VPN no longer worked because his crypto-token had been confiscated) and the back door (his attempt at a dial-up connection failed). His final attempt was a zombie program he had installed on the company's extranet quality assurance server. With that having failed, he went back to the first step, launching a port scanner from his laptop.
Footprinting
Footprinting - getting a fully annotated diagram of the network
Learning Objectives
- Identify and describe the different categories and operating models of intrusion detection and prevention systems.
- Define and understand honeypots, honeynets, and padded cell systems.
- Understand the major categories of scanning and analysis tools, and describe the specific tools used within each of these categories.
- Explain the various methods of access control, including biometrics.
Intrusion
An intrusion occurs when an attacker attempts to gain entry into or disrupt the normal operations of an information system, almost always with the intent to do harm.
intrusion prevention
Intrusion prevention consists of activities that deter an intrusion.
intrusion detection
Intrusion detection consists of procedures and systems that identify system intrusions.
intrusion reaction
Intrusion reaction encompasses the actions an organization takes when an intrusion is detected.
Goals: limit losses and return to a normal state.
intrusion correction
Intrusion correction activities finalize the restoration of operations to a normal state and seek to identify the source and method of the intrusion in order to ensure that the same type of attack cannot occur again—thus reinitiating intrusion prevention.
IDS
Intrusion detection systems
IPS
Intrusion prevention system
An IPS can detect an intrusion and, via an active response, prevent it from successfully attacking.
IDPS
Intrusion detection and prevention systems
False negative
False negative: The failure of an IDPS to react to an actual attack event. This is the most grievous failure, since the purpose of an IDPS is to detect and respond to attacks.
False positive
False positive: An alert or alarm that occurs in the absence of an actual attack. A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack. False positives tend to make users insensitive to alarms and thus reduce their reactivity to actual intrusion events.
boy who cried wolf
6 Reasons why you should use an IDPS?
- To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system
- To detect attacks and other security violations that are not prevented by other security measures
- To detect and deal with the preambles to attacks (commonly experienced as network probes and other “doorknob rattling” activities)
- To document the existing threat to an organization
- To act as quality control for security design and administration, especially in large and complex enterprises
- To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors
FOOTPRINTING
Footprinting: activities that gather information about the organization and its network activities and assets.
Fingerprinting
Fingerprinting: activities that scan network locales for active systems and then identify the network services offered by the host systems.
IPS vs. IDS
IPS can respond to try and stop a detected threat by:
- Terminate the network connection or user session that is being used for the attack
- Block access to the target (or possibly other likely targets) from the offending user account, IP address, or other attacker attribute
- Block all access to the targeted host, service, application, or other resource.
- The IPS changes the security environment. For example, it changes the configuration of a firewall, router, or switch to block the attacker out.
- The IPS changes the attack's content. Some IPS technologies can remove or replace malicious portions of an attack to make it benign. A simple example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned e-mail to reach its recipient.
Types of IDPS
- Network-based systems - protect network info. assets
- Wireless IDPS
- Network Behavior Analysis (NBA) IDPS
- Host-based systems - protects the server or host’s info. assets
IDPS Detection Methods
- Signature-based approach
- The statistical-anomaly approach
- The stateful packet inspection approach
Log File Monitors (LFMs)
Using LFM, the system reviews the log files generated by servers, network devices, and even other IDPSs, looking for patterns and signatures that may indicate that an attack or intrusion is in process or has already occurred.
IDPS Response Options
- Audible/visual alarm
- SNMP traps and plug-ins
- Email message
- page or text
- Log entry
- Evidentiary packet dump
- Take action against the intruder
- Launch program
- Reconfigure firewall
- Terminate session
- Terminate connection
Strengths of IDPSs
Intrusion detection and prevention systems perform the following functions well:
- Monitoring and analysis of system events and user behaviors
- Testing the security states of system configurations
- Baselining the security state of a system, then tracking any changes to that baseline
- Recognizing patterns of system events that correspond to known attacks
- Recognizing patterns of activity that statistically vary from normal activity
- Managing operating system audit and logging mechanisms and the data they generate
- Alerting appropriate staff by appropriate means when attacks are detected
- Measuring enforcement of security policies encoded in the analysis engine
- Providing default information security policies
- Allowing non-security experts to perform important security monitoring functions
Limitations of IDPS
Intrusion detection systems cannot perform the following functions:
- Compensating for weak or missing security mechanisms in the protection infrastructure, such as firewalls, identification and authentication systems, link encryption systems, access control mechanisms, and virus detection and eradication software
- Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load
- Detecting newly published attacks or variants of existing attacks
- Effectively responding to attacks launched by sophisticated attackers
- Automatically investigating attacks without human intervention
- Resisting all attacks that are intended to defeat or circumvent them
- Compensating for problems with the fidelity of information sources
- Dealing effectively with switched networks
IDPS terrorists
Attacks that are designed to trip the organization's IDPS, essentially causing the organization to conduct its own DoS attack by overreacting to an actual, but insignificant, attack.
Honeypots
Honeypots are decoy systems designed to lure potential attackers away from critical systems. In the industry, they are also known as decoys, lures, and fly-traps.
Honeynet
When a collection of honeypots connects several honeypot systems on a subnet, it may be called a honeynet.
Padded cell
A padded cell is a honeypot that has been protected so that it cannot be easily compromised—in other words, a hardened honeypot.
Trap and trace applications
Trap-and-trace applications, which are an extension of the attractant technologies discussed in the previous section, are growing in popularity. These systems use a combination of techniques to detect an intrusion and then trace it back to its source. The trap usually consists of a honeypot or padded cell and an alarm. While the intruders are distracted, or trapped, by what they perceive to be successful intrusions, the system notifies the administrator of their presence. The trace feature is an extension to the honeypot or padded cell approach. The trace—which is similar to caller ID—is a process by which the organization attempts to identify an entity discovered in unauthorized areas of the network or systems.
Enticement vs. Entrapment
When using honeypots and honeynets, administrators should be careful not to cross the line between enticement and entrapment. Enticement is the act of attracting attention to a system by placing tantalizing information in key locations. Entrapment is the act of luring an individual into committing a crime to get a conviction. Enticement is legal and ethical, whereas entrapment is not.
wasp trap syndrome
In this syndrome, a concerned homeowner installs a wasp trap in his back yard to trap the few insects he sees flying about. Because these traps use scented bait, however, they wind up attracting far more wasps than were originally present.
Attack protocol
The attack protocol is a series of steps or processes used by an attacker, in a logical sequence, to launch an attack against a target system or network. One of the preparatory parts of the attack protocol is the collection of publicly available information about a potential target, a process known as footprinting.
Footprinting
Footprinting is the organized research of the Internet addresses owned or controlled by a target organization. The attacker uses public Internet data sources to perform keyword searches to identify the network addresses of the organization. This research is augmented by browsing the organization's Web pages. Web pages usually contain quantities of information about internal systems, individuals developing Web pages, and other tidbits, which can be used for social engineering attacks.
view source option
The view source option on most popular Web browsers allows the user to see the source code behind the graphics. A number of details in the source code of the Web page can provide clues to potential attackers and give them insight into the configuration of an internal network, such as the locations and directories for Common Gateway Interface (CGI) script bins and the names or possibly addresses of computers and servers.
Port Scanners
Port scanning utilities, or port scanners, are tools used by both attackers and defenders to identify (or fingerprint) the computers that are active on a network, as well as the ports and services active on those computers, the functions and roles the machines are fulfilling, and other useful information. These tools can scan for specific types of computers, protocols, or resources, or their scans can be generic.
What is a port?
A port is a network channel or connection point in a data communications system. Within the TCP/IP networking protocol, TCP and User Datagram Protocol (UDP) port numbers differentiate the multiple communication channels that are used to connect to the network services being offered on the same network device. Each application within TCP/IP has a unique port number.
Vulnerability Scanners
Active vulnerability scanners scan networks for highly detailed information. An active scanner is one that initiates traffic on the network in order to determine security holes. As a class, this type of scanner identifies exposed usernames and groups, shows open network shares, and exposes configuration problems and other vulnerabilities in servers.
Passive vulnerability scanner
A passive vulnerability scanner is one that listens in on the network and determines vulnerable versions of both server and client software. At the time of this writing, there are two primary vendors offering this type of scanning solution: Tenable Network Security with its Passive Vulnerability Scanner (PVS) and Sourcefire with its RNA product.
Packet Sniffers
A packet sniffer (sometimes called a network protocol analyzer) is a network tool that collects copies of packets from the network and analyzes them. It can provide a network administrator with valuable information for diagnosing and resolving networking issues. In the wrong hands, however, a sniffer can be used to eavesdrop on network traffic.
Biometric access control
Biometric access control is based on the use of some measurable human characteristic or trait to authenticate the identity of a proposed systems user (a supplicant). It relies upon recognition—the same thing you rely upon to identify friends, family, and other people you know.
Biometric authentication technologies include:
- Fingerprint comparison
- Palm print comparison
- Hand geometry comparison
- Facial recognition using a photographic ID
- Facial recognition using a digital camera
- Retinal print comparison
- Iris pattern comparison
Truly unique human characteristics (3):
Fingerprints, retina (blood vessel pattern), and iris.
False Reject Rate
The false reject rate is the percentage of identification instances in which authorized users are denied access as a result of a failure in the biometric device. This failure is known as a Type I error.
False Accept Rate
The false accept rate is the percentage of identification instances in which unauthorized users are allowed access to systems or areas as a result of a failure in the biometric device. This failure is known as a Type II error, and is unacceptable to security professionals.
Crossover Error Rate (CER)
The crossover error rate (CER) is the level at which the number of false rejections equals the false acceptances, and is also known as the equal error rate. This is possibly the most common and important overall measure of the accuracy of a biometric system.
Network-based IDPS (NIDPS)
A network-based IDPS (NIDPS) resides on a computer or appliance connected to a segment of an organization's network and monitors network traffic on that network segment, looking for indications of ongoing or successful attacks. When the NIDPS identifies activity that it is programmed to recognize as an attack, it responds by sending notifications to administrators.
application protocol verification
The process of examining and verifying higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.
Advantages and disadvantages of network-based vs. host-based IDPS (final exam)