Lesson 6

Question 1

Attempts to gain entry to a system.

Answer 1

Intrusion

Question 2

Activities that deter intrusion.

Answer 2

Intrusion Prevention

Question 3

Procedures, detect system intrusions.

Answer 3

Intrusion Detection

Question 4

Actions when an intrusion occurs.

Answer 4

Intrusion Reaction

Question 5

Restoration of operations.

Answer 5

Intrusion Correction Activities

Question 6

– detect violations and activate the alarm.
– notify administrators of trouble.
– notify external security services.

Answer 6

Intrusion Detection & Prevention Systems

Question 7

IDPS Terminologies (12)

Answer 7

Site Policy Awareness
Tuning
True Attack Stimulus
Confidence Value
Alarm Filtering
Alarm Clustering & Compaction
Alert/Alarm
Evasion
False Attack Stimulus
False Negative & False Positive
Noise
Site Policy

Question 8

– protecting network information assets.
– connected to a segment of a network.
– looks for attack patterns in packets.
– installed where it can watch traffic.
– done through special TCP/IP stacks (where data packets are invalid or used improperly).

Answer 8

Network-based IDPS

Question 9

For wireless networks.
Ex. physical security, sensor range, switch

Answer 9

Wireless IDPS

Question 10

Examines traffic flow, abnormal patterns.
Ex. DoS, scanning, worms, violations

Answer 10

Network Behavior Analysis IDPS

Question 11

Advantages of NIDPS (3)

Answer 11

Can use devices to monitor larger networks, passive and can be deployed into existing networks, not susceptible and detectable by attacks.

Question 12

Disadvantages of NIDPS (5)

Answer 12

Can be overwhelmed by network volume, require access to all traffic, cannot analyze encrypted packets, cannot ascertain if an attack is successful, bad for fragmented packets.

Question 13

Disadvantages of NIDPS (4)

Answer 13

Can be overwhelmed by network volume, require access to all traffic, cannot analyze encrypted packets, cannot ascertain if an attack is successful, bad for fragmented packets.

Question 14

– resides on a server.
– benchmark and monitor key files.
– detects intruders modifying files.
– principle of configuration.
– change management.

Answer 14

Host-based IDPS

Question 15

– resides on a server.
– benchmark and monitor key files.
– detects intruders modifying files.
– principle of configuration.
– change management.

Answer 15

Host-based IDPS

Question 16

Advantages of HIDPS (6)

Answer 16

installed, access encrypted network, detect local events, functions on host systems where traffic is decrypted, not affected by switch networks, detect inconsistencies through audit logs.

Question 17

Disadvantages of HIDPS (5)

Answer 17

Management issues, vulnerable to direct and host-targeted attacks, susceptible to DoS, large disk space, performance overhead.

Question 18

– examine patterns that match signatures.
– attacks have distinct signatures.
– must be continuously updated.

Answer 18

Signature-based IDPS

Question 19

– AKA stat IDPS or behavior-based IDPS.
– compare traffic known to be normal.
– baseline parameters/clipping level.
– can detect new attacks.
– requires more overhead.
– may generate false positives.

Answer 19

Statistical Anomaly-based IDPS

Question 20

– stores relevant data involving multiple attack requests (detect multi-session attacks).
– analytical complexity, may fail to detect unless a protocol is violated.

Answer 20

Stateful Protocol Analysis IDPS

Question 21

Comparing predetermined profiles.

Answer 21

Stateful Protocol Analysis

Question 22

– similar to NIDPS.
– reviews log files for patterns or signs.
– allocation of resources for log data.

Answer 22

Log File Monitor

Question 23

– systems environment?
– security goals and objectives?
– existing security policy?

Answer 23

Technical Policy Considerations

Question 24

– required levied from the organization?
– resource constraints?

Answer 24

Organizational Requirements

Question 25

– sufficiently scalable?
– tested?
– user level of expertise?
– designed to evolve?
– support provisions?

Answer 25

IDPS Product Features & Quality

Question 26

Strengths of IDPS (10)

Answer 26

Analysis of system events, testing and baselining security states, tracking changes, recognizing attack patterns, recognizing activity patterns, managing OS audit, alerting staff, measuring enforcement of security policies, providing default info, allows non-security experts to perform functions.

Question 27

Limitations of IDPS (8)

Answer 27

cannot compensate for missing security mechanisms, detect attacks in heavy network load, detect new attacks, respond to sophisticated attacks, investigate without human intervention, resist attacks, compensate fidelity issues, deal with switched networks.

Question 28

Managed at a central location

Answer 28

Centralized

Question 29

Applied at the physical location.

Answer 29

Fully Distributed

Question 30

Combines the two, reports to a hierarchical central facility.

Answer 30

Partially Distributed

Question 31

Deploying NIDPS Locations (4)

Answer 31

Location 1: Behind each external firewall, in the network DMZ.
Location 2: Outside an external firewall.
Location 3: On major network backbones.
Location 4: On critical subnets.

Question 32

Deploying HIDPS (2)

Answer 32

– implementing most critical systems first.
– continues until all systems are installed.

Question 33

IDPS are measured using… (4)

Answer 33

…threshold, blacklists and whitelists, alert settings, and code viewing and editing.

Question 34

Decoy systems to lure attackers.

Answer 34

Honeypots

Question 35

Collection of honeypots on a subnet.

Answer 35

Honeynets

Question 36

– a protected honeypot.
– operates in tandem with an IDS.
– a simulated environment.

Answer 36

Padded Cell

Question 37

– detect intrusion and trace the source.
– consists of a honeypot and alarm.

Answer 37

Trap & Trace Systems

Question 38

Attracting attention by placing tantalizing bits of information.

Answer 38

Enticement

Question 39

luring someone to commit a crime.
– enticement = legal, _______ = illegal

Answer 39

Entrapment

Question 40

– active countermeasures to stop attacks.
Ex. LaBrea

Answer 40

Active Intrusion Prevention

Question 41

Collect information that an attacker would need to launch successful attacks.

Answer 41

Scanning & Analysis Tools

Question 42

Series of steps used by an attacker.

Answer 42

Attack Protocol

Question 43

Research of internet addresses

Answer 43

Footprinting

Question 44

Survey of internet addresses from footprinting, reveals internal structure.

Answer 44

Fingerprinting

Question 45

– tool used to identify active computers.
– can scan generic and specific types of computers or protocols.

Answer 45

Port Scanners

Question 46

– remote discovery of firewall rules.
– close an open firewall.

Answer 46

Firewall Analysis Tools

Question 47

– detecting a target’s operating system.
– networking protocols to determine OS.

Answer 47

Operating System Detection Tools

Question 48

Scan networks for highly-detailed information, initiate traffic.

Answer 48

Active Vulnerability Scanner

Question 49

Listen-in on networks, find client-side vulnerabilities.

Answer 49

Passive Vulnerability Scanner

Question 50

– collects copies of packets.
– diagnosing network issues.
– can be used to eavesdrop on traffic.

Answer 50

Packet Sniffers

Question 51

Sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network.

Answer 51

Wireless Security Tools

Question 52

To use packet sniffers legally, an administrator must… (3)

Answer 52

Be on a network that organization owns, be under direct authorization of the owner of the network, and have knowledge and consent of the content creators.

Question 53

– measurable human characteristics to authenticate identity of a prospective user (supplicant).
– recognition.
Ex. fingerprint comparison, palm print comparison, hand geometry, facial recognition, retinal print, iris pattern

Answer 53

Biometric Access Control

Question 54

The unique traits of humans include… (3)

Answer 54

fingerprints, retina, iris

Question 55

Rejection of legit users.

Answer 55

False Reject Rate

Question 56

Rejection of legit users.

Answer 56

False Reject Rate

Question 57

Acceptance of unknown users.

Answer 57

False Accept Rate

Question 58

Where false accept and false reject crosses when graphed.

Answer 58

Crossover Error Rate

Question 59

Validation of user (supplicant)’s identity.

Answer 59

Authentication