Ch. 7 - Security Technology: Intrusion Detection and Prevention Systems Flashcards
Story or vignette
The story is about Miller Harrison, a contractor whose contract with SLS is terminated. Resentful and angry, he blames Kelvin and Laverne Nguyen for his firing and decides to try to hack the company's network.
In violation of company policy, he had taken home a copy of the network diagram in previous weeks and had stashed files and access codes in preparation.
First, he attacked from an internet cafe using a VPN.
He found himself locked out of both the front door (the remote-access VPN no longer worked because his crypto-token had been confiscated) and the back door (his attempt at a dial-up connection also failed). His final attempt was a zombie program he had installed on the company's extranet quality assurance server. When that failed too, he went back to the first step and launched a port scanner from his laptop.
Footprinting
Footprinting: getting a fully annotated diagram of the network
Learning Objectives
- Identify and describe the different categories and operating models of intrusion detection and prevention systems.
- Define and understand honeypots, honeynets, and padded cell systems.
- Understand the major categories of scanning and analysis tools, and describe the specific tools used within each of these categories.
- Explain the various methods of access control, including biometrics.
Intrusion
Occurs when an attacker attempts to gain entry into or disrupt the normal operations of an information system, almost always with the intent to do harm.
intrusion prevention
Intrusion prevention consists of activities that deter an intrusion.
intrusion detection
Intrusion detection consists of procedures and systems that identify system intrusions.
intrusion reaction
Intrusion reaction encompasses the actions an organization takes when an intrusion is detected.
Goals: limit losses and return to a normal state.
intrusion correction
Intrusion correction activities finalize the restoration of operations to a normal state and seek to identify the source and method of the intrusion in order to ensure that the same type of attack cannot occur again—thus reinitiating intrusion prevention.
IDS
Intrusion detection systems
IPS
Intrusion prevention system
Can detect an intrusion and, via an active response, prevent the attack from succeeding.
IDPS
Intrusion detection and prevention systems
False negative
False negative: The failure of an IDPS to react to an actual attack event. This is the most grievous failure, since the purpose of an IDPS is to detect and respond to attacks.
False positive
False positive: An alert or alarm that occurs in the absence of an actual attack. A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack. False positives tend to make users insensitive to alarms and thus reduce their reactivity to actual intrusion events.
"Boy who cried wolf"
Six reasons to use an IDPS
- To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system
- To detect attacks and other security violations that are not prevented by other security measures
- To detect and deal with the preambles to attacks (commonly experienced as network probes and other “doorknob rattling” activities)
- To document the existing threat to an organization
- To act as quality control for security design and administration, especially in large and complex enterprises
- To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors
Footprinting
Footprinting: activities that gather information about the organization and its network activities and assets.
Fingerprinting
Fingerprinting: activities that scan network locales for active systems and then identify the network services offered by the host systems.
IPS vs. IDS
An IPS can respond to a detected threat, in an attempt to stop it, by:
- Terminating the network connection or user session that is being used for the attack.
- Blocking access to the target (or possibly other likely targets) from the offending user account, IP address, or other attacker attribute.
- Blocking all access to the targeted host, service, application, or other resource.
- Changing the security environment. For example, changing the configuration of a firewall, router, or switch to block the attacker.
- Changing the attack's content. Some IPS technologies can remove or replace malicious portions of an attack to make it benign. A simple example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned e-mail to reach its recipient.
Types of IDPS
- Network-based systems: protect network information assets
- Wireless IDPS
- Network Behavior Analysis (NBA) IDPS
- Host-based systems: protect the server's or host's information assets