Ch. 7 - Security Technology: Intrusion Detection and Prevention Systems Flashcards

1
Q

Story or vignette

A

The story is about Miller Harrison, a contractor whose contract with SLS is terminated. Resentful and angry, he blames Kelvin and Laverne Nguyen for his firing and decides to try to hack the company's network.

In violation of company policy, he had taken home a copy of the network diagram in previous weeks and had stashed files and access codes in preparation.

First, he attacked from an internet cafe, attempting to use the VPN.

He found himself locked out at both the front door (the remote-access VPN no longer worked because his crypto-token had been confiscated) and the back door (his attempt at a dial-up connection failed). His final attempt was a zombie program he had installed on the company's extranet quality assurance server. With that having failed, he went back to the first step and launched a port scanner from his laptop.

Footprinting - getting a fully annotated diagram of the network

2
Q

Footprinting

A

Footprinting - getting a fully annotated diagram of the network

3
Q

Learning Objectives

A
  1. Identify and describe the different categories and operating models of intrusion detection and prevention systems.
  2. Define and understand honeypots, honeynets, and padded cell systems
  3. Understand the major categories of scanning and analysis tools, and describe the specific tools used within each of these categories
  4. Explain the various methods of access control, including biometrics
4
Q

Intrusion

A

occurs when an attacker attempts to gain entry into or disrupt the normal operations of an information system, almost always with the intent to do harm

5
Q

intrusion prevention

A

Intrusion prevention consists of activities that deter an intrusion.

6
Q

intrusion detection

A

Intrusion detection consists of procedures and systems that identify system intrusions

7
Q

intrusion reaction

A

Intrusion reaction encompasses the actions an organization takes when an intrusion is detected.

goals- limit losses and return to a normal state

8
Q

intrusion correction

A

Intrusion correction activities finalize the restoration of operations to a normal state and seek to identify the source and method of the intrusion in order to ensure that the same type of attack cannot occur again—thus reinitiating intrusion prevention.

9
Q

IDS

A

Intrusion detection systems

10
Q

IPS

A

Intrusion prevention system

Can detect an intrusion and, through an active response, prevent it from successfully attacking the protected system.

11
Q

IDPS

A

Intrusion detection and prevention systems

12
Q

False negative

A

False negative: The failure of an IDPS to react to an actual attack event. This is the most grievous failure, since the purpose of an IDPS is to detect and respond to attacks.

13
Q

False positive

A

False positive: An alert or alarm that occurs in the absence of an actual attack. A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack. False positives tend to make users insensitive to alarms and thus reduce their reactivity to actual intrusion events

boy who cried wolf

14
Q

6 Reasons why you should use an IDPS?

A
  1. To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system
  2. To detect attacks and other security violations that are not prevented by other security measures
  3. To detect and deal with the preambles to attacks (commonly experienced as network probes and other “doorknob rattling” activities)
  4. To document the existing threat to an organization
  5. To act as quality control for security design and administration, especially in large and complex enterprises
  6. To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors
15
Q

FOOTPRINTING

A

Footprinting: activities that gather information about the organization and its network activities and assets.

16
Q

Fingerprinting

A

Fingerprinting: activities that scan network locales for active systems and then identify the network services offered by the host systems.

17
Q

IPS vs. IDS

A

IPS can respond to try and stop a detected threat by:

  • Terminate the network connection or user session that is being used for the attack
  • Block access to the target (or possibly other likely targets) from the offending user account, IP address, or other attacker attribute
  • Block all access to the targeted host, service, application, or other resource.
  • The IPS changes the security environment, for example by changing the configuration of a firewall, router, or switch to block the attacker out.
  • The IPS changes the attack's content. Some IPS technologies can remove or replace malicious portions of an attack to make it benign. A simple example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned e-mail to reach its recipient.
18
Q

Types of IDPS

A
  1. Network-based systems - protect network info. assets
    1. Wireless IDPS
    2. Network Behavior Analysis (NBA) IDPS
  2. Host-based systems - protects the server or host’s info. assets
19
Q

IDPS Detection Methods

A
  1. Signature-based approach
  2. The statistical-anomaly approach
  3. The stateful packet inspection approach
20
Q

Log File Monitors (LFMs)

A

Using LFM, the system reviews the log files generated by servers, network devices, and even other IDPSs, looking for patterns and signatures that may indicate that an attack or intrusion is in process or has already occurred.
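The two detection methods from the previous card (signature-based and statistical-anomaly) applied to the log-file-monitor idea, as an added example that is not from the textbook or this deck. The log lines, host names, user names, addresses and the "normal" baseline are all constructed for the example. The signature pass fires on known-bad patterns only; the anomaly pass builds a threshold from the baseline (mean plus three standard deviations of failed logins per source per minute) and so catches the brute-force burst regardless of which user names were tried, while a single failed login by a legitimate user stays below it:

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample sshd log (hypothetical host, users and addresses).
SAMPLE_LOG = """\
Mar 10 08:00:01 web01 sshd[2210]: Accepted password for alice from 10.0.5.12 port 51022 ssh2
Mar 10 08:00:14 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.45 port 40110 ssh2
Mar 10 08:00:15 web01 sshd[2216]: Failed password for invalid user admin from 203.0.113.45 port 40111 ssh2
Mar 10 08:00:16 web01 sshd[2217]: Failed password for root from 203.0.113.45 port 40112 ssh2
Mar 10 08:00:17 web01 sshd[2218]: Failed password for root from 203.0.113.45 port 40113 ssh2
Mar 10 08:00:18 web01 sshd[2219]: Failed password for root from 203.0.113.45 port 40114 ssh2
Mar 10 08:00:19 web01 sshd[2220]: Failed password for root from 203.0.113.45 port 40115 ssh2
Mar 10 08:01:02 web01 sshd[2230]: Failed password for bob from 10.0.5.30 port 51090 ssh2
Mar 10 08:01:09 web01 sshd[2231]: Accepted password for bob from 10.0.5.30 port 51091 ssh2
Mar 10 08:02:00 web01 sshd[2240]: Accepted publickey for alice from 10.0.5.12 port 51100 ssh2
"""

# Constructed baseline: failed logins per source address per minute seen during
# "normal" operation of this hypothetical environment.
BASELINE_FAILS_PER_MINUTE = [0, 1, 0, 0, 1, 0, 0, 2, 0, 1]

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

# Signature-based approach: fixed patterns for known-bad events.
SIGNATURES = {
    "invalid-user-login": re.compile(r"Failed password for invalid user \S+ from \S+"),
    "root-login-attempt": re.compile(r"Failed password for root from \S+"),
}


def parse_line(line, year=2024):
    """Split a syslog line into (timestamp, host, message); syslog omits the year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def signature_alerts(log_text):
    """Signature matching: one alert per line per signature it matches."""
    alerts = []
    for line in log_text.splitlines():
        for name, rx in SIGNATURES.items():
            if rx.search(line):
                alerts.append((name, line))
    return alerts


def anomaly_alerts(log_text, baseline=BASELINE_FAILS_PER_MINUTE, k=3.0):
    """Statistical anomaly: flag a source whose failed-login count in one minute
    exceeds baseline mean + k standard deviations. Returns (source, minute, count)."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _host, msg = parsed
        m = FAIL_RE.search(msg)
        if m:
            counts[(m.group(2), ts.replace(second=0))] += 1
    return [(src, minute, n) for (src, minute), n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    for name, line in signature_alerts(SAMPLE_LOG):
        print("SIG ", name, "|", line)
    for src, minute, n in anomaly_alerts(SAMPLE_LOG):
        print("ANOM", src, minute, n, "failed logins")
```

Run as a script it prints the six signature hits and the one anomalous source. Note what each method misses: the signatures say nothing about bob's single failure (correctly) but would also stay silent if the attacker guessed only valid, non-root user names, which is exactly the case the anomaly threshold catches; conversely the anomaly pass is tuned by the baseline, and a baseline collected while an attack was already under way would raise the threshold and produce false negatives.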

21
Q

IDPS Response Options

A
  1. Audible/visual alarm
  2. SNMP traps and plug-ins
  3. Email message
  4. page or text
  5. Log entry
  6. Evidentiary packet dump
  7. Take action against the intruder
  8. Launch program
  9. Reconfigure firewall
  10. Terminate session
  11. Terminate connection
22
Q

Strengths of IDPSs

A

Intrusion detection and prevention systems perform the following functions well:

  • Monitoring and analysis of system events and user behaviors
  • Testing the security states of system configurations
  • Baselining the security state of a system, then tracking any changes to that baseline
  • Recognizing patterns of system events that correspond to known attacks
  • Recognizing patterns of activity that statistically vary from normal activity
  • Managing operating system audit and logging mechanisms and the data they generate
  • Alerting appropriate staff by appropriate means when attacks are detected
  • Measuring enforcement of security policies encoded in the analysis engine
  • Providing default information security policies
  • Allowing non-security experts to perform important security monitoring functions
23
Q

Limitations of IDPS

A

Intrusion detection systems cannot perform the following functions:

  • Compensating for weak or missing security mechanisms in the protection infrastructure, such as firewalls, identification and authentication systems, link encryption systems, access control mechanisms, and virus detection and eradication software
  • Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load
  • Detecting newly published attacks or variants of existing attacks
  • Effectively responding to attacks launched by sophisticated attackers
  • Automatically investigating attacks without human intervention
  • Resisting all attacks that are intended to defeat or circumvent them
  • Compensating for problems with the fidelity of information sources
  • Dealing effectively with switched networks
24
Q

IDPS terrorists

A

Attacks (or attackers) designed to trip the organization's IDPS, essentially causing the organization to conduct its own DoS attack by overreacting to an actual, but insignificant, attack.

25
Q

Honeypots

A

Honeypots are decoy systems designed to lure potential attackers away from critical systems. In the industry, they are also known as decoys, lures, and fly-traps.

26
Q

Honeynet

A

When a collection of honeypots connects several honeypot systems on a subnet, it may be called a honeynet

27
Q

Padded cell

A

A padded cell is a honeypot that has been protected so that it cannot be easily compromised—in other words, a hardened honeypot.

28
Q

Trap and trace applications

A

Trap-and-trace applications, which are an extension of the attractant technologies discussed in the previous section, are growing in popularity. These systems use a combination of techniques to detect an intrusion and then trace it back to its source. The trap usually consists of a honeypot or padded cell and an alarm. While the intruders are distracted, or trapped, by what they perceive to be successful intrusions, the system notifies the administrator of their presence. The trace feature is an extension to the honeypot or padded cell approach. The trace—which is similar to caller ID—is a process by which the organization attempts to identify an entity discovered in unauthorized areas of the network or systems.

29
Q

Enticement vs. Entrapment

A

When using honeypots and honeynets, administrators should be careful not to cross the line between enticement and entrapment. Enticement is the act of attracting attention to a system by placing tantalizing information in key locations. Entrapment is the act of luring an individual into committing a crime to get a conviction. Enticement is legal and ethical, whereas entrapment is not

30
Q

wasp trap syndrome

A

In this syndrome, a concerned homeowner installs a wasp trap in his back yard to trap the few insects he sees flying about. Because these traps use scented bait, however, they wind up attracting far more wasps than were originally present

31
Q

Attack protocol

A

The attack protocol is a series of steps or processes used by an attacker, in a logical sequence, to launch an attack against a target system or network. One of the preparatory parts of the attack protocol is the collection of publicly available information about a potential target, a process known as footprinting

32
Q

Footprinting

A

Footprinting is the organized research of the Internet addresses owned or controlled by a target organization. The attacker uses public Internet data sources to perform keyword searches to identify the network addresses of the organization. This research is augmented by browsing the organization's Web pages. Web pages usually contain quantities of information about internal systems, individuals developing Web pages, and other tidbits, which can be used for social engineering attacks.

33
Q

view source option

A

The view source option on most popular Web browsers allows the user to see the source code behind the graphics. A number of details in the source code of the Web page can provide clues to potential attackers and give them insight into the configuration of an internal network, such as the locations and directories for Common Gateway Interface (CGI) script bins and the names or possibly addresses of computers and servers.

34
Q

Port Scanners

A

Port scanning utilities, or port scanners, are tools used by both attackers and defenders to identify (or fingerprint) the computers that are active on a network, as well as the ports and services active on those computers, the functions and roles the machines are fulfilling, and other useful information. These tools can scan for specific types of computers, protocols, or resources, or their scans can be generic.

35
Q

What is a port?

A

A port is a network channel or connection point in a data communications system. Within the TCP/IP protocol suite, TCP and User Datagram Protocol (UDP) port numbers differentiate the multiple communication channels that are used to connect to the network services being offered on the same network device. Each service listening on a host is bound to a port number (for example, TCP port 80 for HTTP), so an open port tells a scanner which service is likely exposed.
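A worked example tying the port-scanner cards (34 and 35) to the honeypot and trap-and-trace cards (25 and 28). It is an added example, not code from the textbook or this deck. The honeypot is a decoy TCP listener bound to a port the OS picks; it offers no real service and only records who connected and what they sent (the "alarm" half of trap-and-trace). The scanner is a plain TCP connect scan: a port counts as open when the three-way handshake completes. The demo scans the decoy alongside a port known to be closed, so the attacker's view (one open port) and the defender's view (a logged probe with an empty banner, i.e. "doorknob rattling") can be compared. Everything runs on 127.0.0.1; the port numbers are whatever the OS assigns.

```python
import socket
import threading
import time


class Honeypot:
    """Minimal decoy listener: accepts any connection, logs the peer and the
    first bytes it sends, then drops it. Nothing real is served."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, 0))            # port 0: let the OS choose a free port
        self.sock.listen(16)
        self.sock.settimeout(0.2)            # so the accept loop can notice a stop request
        self.port = self.sock.getsockname()[1]
        self.events = []                     # (time, peer ip, peer port, first bytes)
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.2)
                try:
                    banner = conn.recv(64)   # b"" if the scanner just closed the socket
                except (socket.timeout, OSError):
                    banner = b""
            with self._lock:
                self.events.append((time.time(), peer[0], peer[1], banner))

    def wait_for_events(self, n, timeout=2.0):
        """Block until at least n probes were logged (or the timeout passes)."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return list(self.events)
            time.sleep(0.02)
        with self._lock:
            return list(self.events)

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def scan_ports(host, ports, timeout=0.2):
    """TCP connect scan: a port is open if connect() succeeds (handshake completed)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def closed_port(host="127.0.0.1"):
    """Find a port that is currently closed: bind to 0, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Stand up the honeypot, scan it next to a closed port, return both views."""
    hp = Honeypot()
    targets = sorted([closed_port(), hp.port])
    found = scan_ports("127.0.0.1", targets)
    events = hp.wait_for_events(1)
    hp.close()
    return hp.port, found, events


if __name__ == "__main__":
    port, found, events = demo()
    print("honeypot listening on", port, "| scanner found open:", found)
    for ts, ip, sport, banner in events:
        print(f"probe from {ip}:{sport} at {ts:.3f}, first bytes: {banner!r}")
```

A real connect scan leaves exactly this trace on the target, which is why a honeypot needs no signature database: any connection at all is suspicious by definition. The "trace" half of trap-and-trace starts from the logged peer address, and the enticement/entrapment caution on the later cards applies to what the decoy advertises, not to the logging.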

36
Q

Vulnerability Scanners

A

Active vulnerability scanners scan networks for highly detailed information. An active scanner is one that initiates traffic on the network in order to determine security holes. As a class, this type of scanner identifies exposed usernames and groups, shows open network shares, and exposes configuration problems and other vulnerabilities in servers

37
Q

Passive vulnerability scanner

A

A passive vulnerability scanner is one that listens in on the network and determines vulnerable versions of both server and client software. At the time of this writing, there are two primary vendors offering this type of scanning solution: Tenable Network Security with its Passive Vulnerability Scanner (PVS) and Sourcefire with its RNA product.

38
Q

Packet Sniffers

A

A packet sniffer (sometimes called a network protocol analyzer) is a network tool that collects copies of packets from the network and analyzes them. It can provide a network administrator with valuable information for diagnosing and resolving networking issues. In the wrong hands, however, a sniffer can be used to eavesdrop on network traffic.

39
Q

Biometric access control

A

Biometric access control is based on the use of some measurable human characteristic or trait to authenticate the identity of a proposed systems user (a supplicant). It relies upon recognition—the same thing you rely upon to identify friends, family, and other people you know

40
Q

Biometric authentication technologies include:

A
  1. Fingerprint comparison
  2. Palm print comparison
  3. Hand geometry comparison
  4. Facial recognition using a photographic ID
  5. Facial recognition using a digital camera
  6. Retinal print comparison
  7. Iris pattern comparison

Truly unique human characteristics (3):

fingerprints, retina (blood vessel pattern), and iris

41
Q

False Reject Rate

A

The false reject rate is the percentage of identification instances in which authorized users are denied access as a result of a failure in the biometric device. This failure is known as a Type I error.

42
Q

False Accept Rate

A

The false accept rate is the percentage of identification instances in which unauthorized users are allowed access to systems or areas as a result of a failure in the biometric device. This failure is known as a Type II error, and is unacceptable to security professionals.

43
Q

Crossover Error Rate (CER)

A

The crossover error rate (CER) is the point at which the false reject rate equals the false accept rate, and is also known as the equal error rate. This is possibly the most common and important overall measure of the accuracy of a biometric system.
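The three biometric error measures from cards 41 to 43 computed on constructed data, as an added example that is not from the textbook or this deck. The matcher scores are hypothetical (0 to 100, higher means the presented trait looks more like the enrolled template); the "genuine" list is enrolled users presenting their own trait and the "impostor" list is other people presented against the same template. Sweeping the decision threshold shows the trade-off the cards describe: raising it drives the false accept rate (Type II) to zero at the cost of rejecting legitimate users (Type I), and the CER is the threshold where the two rates meet. The same trade-off is the one behind the IDPS false-positive and false-negative cards: a false accept is a missed attacker, a false reject is a legitimate user treated as one.

```python
# Constructed matcher scores (0-100, higher = closer to the enrolled template); hypothetical data.
GENUINE_SCORES = [95, 90, 88, 84, 80, 76, 72, 65, 58, 50]    # enrolled users, own trait
IMPOSTOR_SCORES = [70, 62, 57, 54, 49, 45, 41, 38, 33, 27]   # other people vs. that template


def false_reject_rate(genuine, threshold):
    """FRR (Type I error): share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor, threshold):
    """FAR (Type II error): share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_rate_table(genuine, impostor):
    """Use every score present in the data as a candidate threshold: (threshold, FRR, FAR)."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in sorted(set(genuine) | set(impostor))]


def crossover_error_rate(genuine, impostor):
    """CER / equal error rate: the threshold where FRR and FAR are equal (or closest).
    Returns (threshold, FRR, FAR)."""
    return min(error_rate_table(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    print(" thr   FRR   FAR")
    for t, frr, far in error_rate_table(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"{t:4d}  {frr:.2f}  {far:.2f}")
    t, frr, far = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER at threshold {t}: FRR = FAR = {frr:.2f}")
```

On this data the CER sits at threshold 62 with both rates at 20%. A deployment that cannot tolerate any false accepts would run at 72 or above, where FAR is 0 but three in ten genuine users are turned away; with real systems the threshold is chosen per site from exactly this kind of table, and the CER is what lets two devices be compared independent of that choice.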

44
Q

Network-based IDPS

(NIDPS)

A

A network-based IDPS (NIDPS) resides on a computer or appliance connected to a segment of an organization’s network and monitors network traffic on that network segment, looking for indications of ongoing or successful attacks. When the NIDPS identifies activity that it is programmed to recognize as an attack, it responds by sending notifications to administrators

45
Q

application protocol verification

A

the process of examining and verifying higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use
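A combined example for the packet-sniffer card (38) and this card on application protocol verification, added here and not taken from the textbook or this deck. The first half decodes raw IPv4 and TCP headers the way a protocol analyzer does; the second half is the kind of check a NIDPS makes on traffic to port 80: does the payload actually begin like an HTTP/1.x request, and is the request line of sane length? The three packets are constructed in the block (hypothetical addresses, zero checksums): a normal GET, a TLS ClientHello sent to port 80 (a protocol that does not belong there), and a request line of several kilobytes (unexpected packet behavior). The method list and the 2048-byte line limit are assumptions chosen for the example, not a standard.

```python
import re
import socket
import struct

# TCP flag bits (low byte of the TCP flags field).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def build_ipv4_tcp(src, dst, sport, dport, flags, payload):
    """Construct a raw IPv4 + TCP packet (no link-layer header) for the demo.
    Checksums are left at zero; on the wire a sniffer would see real ones."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Decode the IPv4 and (if present) TCP headers like a protocol analyzer."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto}
    if proto != 6:                       # only TCP is decoded further in this example
        return pkt
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, _win, _csum2, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4
    pkt.update(sport=sport, dport=dport, seq=seq, ack=ack,
               flags=[name for bit, name in TCP_FLAGS.items() if flags & bit],
               payload=tcp[data_off:])
    return pkt


def verify_http_request(payload, max_line=2048):
    """Application protocol verification for HTTP/1.x. Returns None when the
    payload starts like a well-formed request, otherwise names the violation."""
    if not payload:
        return None                                   # empty segment (e.g. bare ACK): nothing to judge
    line_end = payload.find(b"\r\n")
    head = payload[:line_end] if line_end != -1 else payload
    if not re.match(rb"^[A-Z]+ ", head):
        return "not an HTTP request line"             # binary or some other protocol on this port
    if line_end == -1 or line_end > max_line:
        return "request line too long or unterminated"
    m = REQUEST_LINE.match(payload)
    if not m:
        return "malformed request line"
    method, target = m.group(1).decode(), m.group(2)
    if method not in HTTP_METHODS:
        return f"unknown method {method}"
    if any(b < 0x21 or b > 0x7E for b in target):
        return "non-printable bytes in request target"
    if not (target.startswith((b"/", b"http://", b"https://")) or target == b"*" or method == "CONNECT"):
        return "malformed request target"
    return None


def inspect(raw):
    """Sniffer plus verifier: decode the packet and, for traffic to port 80,
    check that the payload really speaks HTTP."""
    pkt = parse_packet(raw)
    if pkt.get("dport") != 80:
        return pkt, "not inspected (not the HTTP port)"
    return pkt, verify_http_request(pkt["payload"])


# Constructed sample traffic (hypothetical addresses), all client -> server on port 80.
SAMPLES = {
    "normal": build_ipv4_tcp("10.0.5.12", "192.0.2.10", 51022, 80, 0x18,
                             b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "tls_on_80": build_ipv4_tcp("203.0.113.45", "192.0.2.10", 40110, 80, 0x18,
                                b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03"),  # TLS ClientHello start
    "overlong": build_ipv4_tcp("203.0.113.45", "192.0.2.10", 40111, 80, 0x18,
                               b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        pkt, verdict = inspect(raw)
        print(f"{name:10} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} "
              f"{'|'.join(pkt['flags'])} verdict={verdict}")
```

Two caveats a practitioner would add. The verifier looks at one segment; a real NIDPS must reassemble the TCP stream first, otherwise an attacker splits the request line across packets and each fragment looks harmless (that is the "stateful" part of stateful inspection). And a verdict of "not an HTTP request line" on port 80 is a policy question as much as a detection: TLS on 80 is misuse in most environments, but some proxies are configured to accept it.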

46
Q

ADVANTAGES AND DISADVANTAGES OF

NETWORK VS HOST-BASED IDPS (FINAL EXAM)

A