CIA Triad/SNORT/Defensive Measures Flashcards
assurance that sensitive information can only be read/interpreted by people/processes that are authorized to do so
Confidentiality
assurance that authorized users can access/work with information assets, resources when needed with sufficient response and performance.
Availability
assurance that information remains correct and authentic, protected by means of preventing/detecting unauthorized creation, modification and destruction of information.
Integrity
What are some examples of a threat-source?
Natural (Hurricane), human (internal/external).
flaw that can present a security breach
vulnerability
safeguards/countermeasures to reduce risk
management controls
What is the goal of risk management? How can it be accomplished?
To reach zero risk; it can be accomplished by eliminating the threat or the vulnerability.
What are the four approaches when planning additional defensive measures?
Uniform Protection, Protected Enclaves, Information Centric, Vector-Oriented
Information Centric and Vector are typically used when creating new networks. True or False?
False
Uniform Protection and Protected Enclaves are typically used when creating new enterprise networks.
True
defensive approach when all internal hosts receive same level of protection
Uniform Protection
defensive approach when you subdivide the internal network (subdivide and separate networks) so it isn’t one large zone with no internal protections
Protected Enclaves
where the client (supplicant) must pass muster with the network's policy server before getting to the resources on the network
Network Admissions Control
Why do we use firewalls?
to isolate or split up groups and sensitive data from everyone else
In order to travel from one VLAN to another, what do you have to pass through?
Access Control List (ACL)
VPNs can give you two things. What are they?
confidentiality and the assurance that only hosts authorized to connect to other hosts can do so
defensive measure that prioritizes protection of information over systems
Information Centric
The goal of information centric is to protect the information regardless of where the information is. True or False?
True
fast, flexible, open-source Network Intrusion Detection System developed in 1998
SNORT
Snort is not rule-based. (T or F)
F
Snort looks at all traffic over IP and sniffs traffic in both directions. (T or F)
T
What are the three main operational modes when using Snort? How are they configured?
Sniffer, Packet Logger, Network Intrusion Detection System (NIDS).
They are configured via command line switches.
Snort operational mode that logs all data for post-processing to look for anomalous activity
Packet Logger
Snort operational mode that can perform portscan detection, IP defragmentation, and application-layer analysis
NIDS mode
This is used to set the operational configuration of Snort (what to log, what to alert on, which rules to include and their location, and substitution variables)
snort.conf file
Default path of snort.conf
/etc/snort/snort/snort.conf
The three types of variables in snort.conf
var, portvar, ipvar
Why is setting correct values in variables important?
reduce “false-positive” alerts
plug-in tools that allow Snort to look for certain criteria in a packet after it has been decoded but before it is put through the detection engine
Snort Preprocessors
set of instructions designed to pick out network traffic that matches a specified pattern, then take the chosen action when traffic matches (Snort)
Rule
Most Snort rules are written in a single line. (T or F)
T
the two sections of Rules
rule header and rule options
alert messages and the parts of the packet inspected to determine whether further rule action is taken (a Snort Rules section)
Rule Options
action, protocol, source and destination ports and IP addresses (a Snort Rules section)
Rule Header
alert tcp any any -> 192.168.1.0/24 80. Would this be the rule options or the rule header?
Rule Header, because it contains the action, protocol, source/destination IP addresses and ports
alert, log, pass, activate and dynamic. Which mode is this? (Snort rule actions)
detection mode
ignore the packet (detection mode)
pass
alert and then turn on another dynamic rule (detection mode)
activate
drop, reject and sdrop. Which mode is this? (Snort rule actions)
inline mode
make iptables drop the packet but do not log it (inline mode)
sdrop
make iptables drop the packet, log it, and send a TCP reset if the protocol is TCP (an ICMP port unreachable message if the protocol is UDP) - inline mode
reject
four major categories of rule options
general, payload, non-payload, post-detection
provide information about the rule but have no effect during detection (Snort rule options)
general options
look for data inside the packet payload; can be inter-related (Snort rule options)
payload
rule-specific triggers that happen after a rule has "fired" (Snort rule options)
post-detection
tells the logging and alerting engine the message to print with a packet dump or an alert (Snort rule options)
msg rule option
allows rules to include references to external identification systems (could reference Bugtraq, CVE, or URLs). (Snort rule options)
reference keyword
external attack ID systems
BID and CVE
<100 means what? (Snort Rule Options Keywords)
reserved for future use
100-1,000,000 means what? (Snort Rule Options Keywords)
rules included with the Snort distribution
> 1,000,000 means what? (Snort Rule Options Keywords)
used for local rules
what keyword would you use to uniquely identify Snort rules? (hint: three letter word)
sid
PHP-based analysis engine to search and process a database of security events (from various IDSs, firewalls, and network monitoring tools)
Basic Analysis and Security Engine (BASE)
In order for BASE to work, you must periodically do what?
refresh the screen