Lecture 7 Flashcards
1
Q
?
is a type of attack on information assets in which the instigator attempts to gain entry into a system or disrupt the normal operation of system with, almost always, the intent to do malicious harm.
Identify
A
Intrusion
2
Q
?
activities that deter an intrusion
Identify
A
Intrusion prevention
3
Q
?
procedures and systems that identify sys intrusions
Identify
A
Intrusion detection
4
Q
?
Activities finalize the restoration of operations to a normal state
Identify
1/2 ?
A
Intrusion correction
5
Q
?
Activities seek to identify the source & method of attack for prevention
Identify
2/2 ?
A
Intrusion correction
6
Q
?
Intrusion prevention systems
Identify
Intrusion Detection Systems
A
Extension
7
Q
?
: indication that attack is happening
Identify
IDPS Terminology
A
Alarm or alert
8
Q
?
: attacker change the format and/or timing of activities to avoid being detected
Identify
IDPS Terminology
A
Evasion
9
Q
?
: event triggers alarm – no real attack
Identify
IDPS Terminology
A
False attack stimulus
10
Q
?
: failure of IDPS to react to attack
Identify
IDPS Terminology
A
False negative
11
Q
?
: alarm activates in the absence of an actual attack
Identify
IDPS Terminology
A
False positive
12
Q
?
: alarms events that are accurate but do not pose threats
Identify
IDPS Terminology
A
Noise
13
Q
?
: rules & configuration guidelines governing the implementation & operation of IDPS
Identify
IDPS Terminology
A
Site policy
14
Q
?
: ability to dynamically modify config in response to environmental activity
Identify
IDPS Terminology
A
Site policy awareness
15
Q
?
: event that triggers alarms in event of real attack
Identify
IDPS Terminology
A
True attack stimulus
16
Q
?
: adjusting an IDPS
Identify
IDPS Terminology
A
Tuning
17
Q
?
: measure IDPS ability correctly detect & identify type of attacks
Identify
IDPS Terminology
A
Confidence value
18
Q
?
: Classification of IDPS alerts
Identify
IDPS Terminology
A
Alarm filtering
19
Q
?
: grouping almost identical alarms happening at close to the same time
Identify
IDPS Terminology
A
Alarm clustering and compaction
20
Q
?
Prevent problem behaviors by increasing the perceived risk of discovery and punishment
Identify
1/6 ?
A
IDS (Intrusion Detection Systems)
21
Q
?
Detect attacks and other security violations
Identify
2/6 ?
A
IDS (Intrusion Detection Systems)
22
Q
?
Detect and deal with preambles to attacks
Identify
3/6 ?
A
IDS (Intrusion Detection Systems)
23
Q
?
Document existing threat to an organization
Identify
4/6 ?
A
IDS (Intrusion Detection Systems)
24
Q
?
Act as quality control for security design & administration
Identify
5/6 ?
A
IDS (Intrusion Detection Systems)
25
# **?**
**Provide useful information about intrusions** that take place
| Identify
## Footnote
6/6 ?
IDS (Intrusion Detection Systems)
26
# **?** **??**
(2) Types of IDS
| Enumerate
* Network based
* Hot-based
27
# **?**
* Focused on protection **network information assets**
* **Wireless**
* **Network behavior analysis**
| Identify
## Footnote
1/2 Types of IDS
Network based
28
# **?**
Focused on protection server of **host’s information assets**
| Identify
## Footnote
2/2 Types of IDS
Host-based
29
# **?**
Resides on computer or appliance **connected to an a segment of orgs. network**
| Identify
## Footnote
Types of IDS - 1/6 ?
Network-Based
30
# **?**
**Monitors network traffic** on the segment
| Identify
## Footnote
Types of IDS - 2/6 ?
Network-Based
31
# **?**
**Monitors packets**
| Identify
## Footnote
Types of IDS - 3/6 ?
Network-Based
32
# **?**
**Monitoring port** (switched port analysis)
| Identify
## Footnote
Types of IDS - 4/6 ?
Network-Based
33
# **?**
**Looks for attack patterns**
| Identify
## Footnote
Types of IDS - 5/6 ?
Network-Based
34
# **?**
**Compares measured activity** to known signatures
| Identify
## Footnote
Types of IDS - 6/6 ?
Network-Based
35
# **?**
packet structure
| Identify
## Footnote
Types of IDS - Compares measured activity to known signatures - 1/2 ?
Protocol verification
36
# **?**
packet use
| Identify
## Footnote
Types of IDS - Compares measured activity to known signatures - 1/2 ?
Application verification
37
# **?** **??**
(2) Forms of attack that are not easily discerned
| Enumerate
* Fragmented packets
* Malformed packets
38
# **?**
Monitors and analyzes **wireless network traffic**
| Identify
## Footnote
1/3 ?
Wireless NIDPS
39
# **?**
Looks for potential problems with the **wireless protocols**
| Identify
## Footnote
2/3 ?
Wireless NIDPS
40
# **?**
**Cannot evaluate & diagnose** issue with **higher level layers**
| Identify
## Footnote
3/3 ?
Wireless NIDPS
41
# **?** **??** **???** **????** **?????**
(5) Issues associated with implementation
| Enumerate
## Footnote
Wireless NIDPS
* Physical security
* Sensor range
* Access point and wireless switch locations
* Wired network connections
* Cost
42
# **?**
**Resides on a particular computer** or server & **monitors traffic only on that system**
| Identify
## Footnote
Types of IDS - 1/6 ?
Host-Based
43
# **?**
**Resides on a particular computer** or server & **monitors traffic only on that system**
| Identify
## Footnote
Types of IDS - 1/6 ?
Host-Based
44
# **?**
Also known as **system integrity verifiers**
| Identify
## Footnote
Types of IDS - 2/6 ?
Host-Based
45
# **?**
Works on **principle of configuration** and change management
| Identify
## Footnote
Types of IDS - 3/6 ?
Host-Based
46
# **?**
**Classifies files in categories** & applies various notification actions **based on rules**
| Identify
## Footnote
Types of IDS - 4/6 ?
Host-Based
47
# **?**
**Maintains own** log file
| Identify
## Footnote
Types of IDS - 5/6 ?
Host-Based
48
# **?**
Can **monitor multiple computers simultaneously**
| Identify
## Footnote
Types of IDS - 6/6 ?
Host-Based
49
# **?**
**Examines application** for abnormal events
| Identify
## Footnote
1/5 ?
Application Based
50
# **?**
Tracks interaction between users and **applications**
| Identify
## Footnote
2/5 ?
Application Based
51
# **?**
Able to **tract specific activity back to individual user**
| Identify
## Footnote
3/5 ?
Application Based
52
# **?**
Able to **view encrypted data**
| Identify
## Footnote
4/5 ?
Application Based
53
# **?**
Can **examine encryption/decryption process**
| Identify
## Footnote
5/5 ?
Application Based
54
# **?**
Two dominate methodologies
| Identify
## Footnote
IDS Methodologies
* Signature-based (knowledge-based)
* Statistical-anomaly approach
55
# **?**
* Examines data traffic in search of patterns that match **known signature**
* Widely used
* **Signature database** must be continually updated
* Attack time-frame **sometimes problematic**
| Identify
## Footnote
1/2 IDS Methodologies
Signature Based
56
# **?**
Based on **frequency** on which network activities take place
| Identify
## Footnote
2/2 IDS Methodologies 1/7 ?
Statistical Anomaly Based
57
# **?**
Collect **statistical summaries** of “normal” traffic to form baseline
| Identify
## Footnote
2/2 IDS Methodologies 2/7 ?
Statistical Anomaly Based
58
# **?**
**Measure** current traffic against baseline
| Identify
## Footnote
2/2 IDS Methodologies 3/7 ?
Statistical Anomaly Based
59
# **?**
**Traffic outside** baseline will **generate alert**
| Identify
## Footnote
2/2 IDS Methodologies 4/7 ?
Statistical Anomaly Based
60
# **?**
Can **detect new type of attacks**
| Identify
## Footnote
2/2 IDS Methodologies 5/7 ?
Statistical Anomaly Based
61
# **?**
**Requires much more overhead** and processing capacity
| Identify
## Footnote
2/2 IDS Methodologies 6/7 ?
Statistical Anomaly Based
62
# **?**
**May not detect minor changes** to baseline
| Identify
## Footnote
2/2 IDS Methodologies 7/7 ?
Statistical Anomaly Based
63
# **?**
Similar to NIDS
| Identify
## Footnote
1/5 ?
Log file Monitors
64
# **?**
Reviews **logs**
| Identify
## Footnote
2/5 ?
Log file Monitors
65
# **?**
Looks for patterns & signatures in **log files**
| Identify
## Footnote
3/5 ?
Log file Monitors
66
# **?**
Able to look at **multiple log files** from different systems
| Identify
## Footnote
4/5 ?
Log file Monitors
67
# **?**
**Large storage requirement**
| Identify
## Footnote
5/5 ?
Log file Monitors
68
# **?**
**Vary according to organization policy**, objectives, and system capabilities
| Identify
## Footnote
1/3 ?
Responses to IDS
69
# **?**
**Administrator must be careful** not to increase the problem
| Identify
## Footnote
2/3 ?
Responses to IDS
70
# **?**
**Responses** active or passive
| Identify
## Footnote
3/3 ?
Responses to IDS
71
# **?** **??** **???**
(3) Control Strategies
| Enumerate
* Centralized
* Partially distributed
* Fully distributed
72
# **?**
* All IDS control functions are implemented and managed in a **centralized location**
* **1 management system**
| Identify
## Footnote
1/3 Control Strategies
Centralized
73
# **?**
**Opposite of centralized**
| Identify
## Footnote
2/3 Control Strategies 1/3 ?
Fully Distributed
74
# **?**
All control functions applied at the **physical location of each IDS component**
| Identify
## Footnote
2/3 Control Strategies 2/3 ?
Fully Distributed
75
# **?**
* **Each sensor/agent** is best configured to **deal with its own environment**
* Reaction to attacks sped up
| Identify
## Footnote
2/3 Control Strategies 3/3 ?
Fully Distributed
76
# **?**
Individual agents **respond to local threats**
| Identify
## Footnote
3/3 Control Strategies 1/3 ?
Partially Distributed Control
77
# **?**
Report to a **hierarchical central facility**
| Identify
## Footnote
3/3 Control Strategies 2/3 ?
Partially Distributed Control
78
# **?**
One of the **more effective methods**
| Identify
## Footnote
3/3 Control Strategies 3/3 ?
Partially Distributed Control
79
# **?**
**Decoy** systems
| Identify
## Footnote
1/3 ?
Honey Pots
80
# **?**
**Lure potential attackers away** from critical systems
| Identify
## Footnote
2/3 ?
Honey Pots
81
# **?**
**Encourages attacks against themselves**
| Identify
## Footnote
3/3 ?
Honey Pots
82
# **?**
**Collection of honey pots**
| Identify
## Footnote
1/4 ?
Honey Net
83
# **?**
**Connects honey pots** on a **subnet**
| Identify
## Footnote
2/4 ?
Honey Net
84
# **?**
Contains **pseudo-services** the **emulated well-known services**
| Identify
## Footnote
3/4 ?
Honey Net
85
# **?**
**Filled with factious information**
| Identify
## Footnote
4/4 ?
Honey Net
86
# **?**
Protected honey pot
| Identify
## Footnote
1/3 ?
Padded Cell
87
# **?**
**IDS detects attacks** and **transfers to simulated environment**
| Identify
## Footnote
2/3 ?
Padded Cell
88
# **?**
**Monitors action of attacker**
| Identify
## Footnote
3/3 ?
Padded Cell
89
# **?**
Detect intrusion and **trace incident back**
| Identify
## Footnote
1/3 ?
Trap and Trace Systems
90
# **?**
**Consist of honey pot** or **padded cell** & alarm
| Identify
## Footnote
2/3 ?
Trap and Trace Systems
91
# **?**
Similar to concept of **caller ID**
| Identify
## Footnote
3/3 ?
Trap and Trace Systems
92
# **?**
Considered unethical
| Identify
## Footnote
Trap and Trace Systems
Back-hack
93
# **?**
Legal drawbacks to trap and trace
| Identify
## Footnote
Trap and Trace Systems
Enticement and entrapment
94
# **?**
**Help find vulnerabilities in system**, holes in security components, and unsecure aspects of the network
| Identify
## Footnote
1/3 ?
Scanning and Analysis Tools
95
# **?**
Allow system admin to **see what the attacker sees**
| Identify
## Footnote
2/3 ?
Scanning and Analysis Tools
96
# **?**
May **run into problems with ISP**
| Identify
## Footnote
3/3 ?
Scanning and Analysis Tools
97
# **?** **??** **???** **????** **?????**
(5) Scanning and Analysis Tools
| Enumerate
## Footnote
Scanning and Analysis Tools
* Port scanners
* Firewall analysis tools
* Operating system detection tools
* Vulnerability scanners
* Packet sniffers
98
# **?**
– validation of users identity
| Identify
## Footnote
Access Control Tools
Authentication
99
# **?** **??** **???** **????**
4 general ways carried out
| Enumerate
## Footnote
Access Control Tools
* What he knows
* What he has
* Who he is
* What he produces
