Writing Assignment: Module 07 Flashcards
What is an intrusion?
An adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intent to do harm.
What is an IDPS?
The general term for a system that can both detect and modify its configuration and environment to prevent intrusions. An IDPS encompasses the functions of both intrusion detection systems and intrusion prevention technology.
What is an intrusion detection system and how does it differ from an IDPS?
An intrusion detection system (IDS) is defined as a solution that monitors network events and analyzes them to detect security incidents and imminent threats. An intrusion prevention system (IPS) is defined as a solution that performs intrusion detection and then goes one step ahead and prevents any detected threats.
Describe alarm clustering and alarm compaction. Why are these actions performed?
Alarm clustering and alarm compaction are techniques used in alarm management systems.
Alarm clustering involves grouping similar alarms. For example, if multiple alarms are triggered by a single cause, such as a power outage, they can be clustered together to show that there is a single root cause.
Alarm compaction involves reducing the number of alarms presented to the operator by combining multiple alarms into a single notification. Compacting alarms can help operators to focus on important alarms and reduce the risk of alarm overload.
These actions are performed to improve the efficiency and effectiveness of alarm management systems.
What is a confidence value in the context of an IDPS?
A confidence value represents the level of certainty that the system has in its determination that a detected event is indeed an attack or malicious activity, rather than a benign or normal event.
What are the compelling reasons to acquire and use an IDPS?
1. Detect and prevent cyber attacks
2. Compliance with regulations
3. Reduce risk
4. Provide real-time monitoring
5. Increase network visibility
What is defense in depth?
Defense in depth is a security strategy that involves deploying multiple layers of security controls and countermeasures to protect a network or system.
What are the three dominant placements for IDPSs? Give one advantage and one disadvantage to each approach.
Network-based
Advantage: Network-based IDPSs can detect threats that originate from both external and internal sources.
Disadvantage: Network-based IDPSs can be resource-intensive.
Host-based
Advantage: Host-based IDPSs can detect threats that originate from within the network.
Disadvantage: Host-based IDPSs can be more difficult to manage and maintain.
Hybrid IDPS
Advantage: Hybrid IDPSs can provide a more complete picture of the network environment, and can detect and prevent a wider range of security threats.
Disadvantage: Hybrid IDPSs can be complex and difficult to manage, and may require more resources than other types.
What is the relationship between an IDPS’s total cost of ownership and its acquisition cost?
The total cost of ownership of an IDPS well exceeds its acquisition cost.
What is a rootkit and why is the presence of a rootkit concerning?
Rootkits are typically inserted into a system through a social engineering attack on an unsuspecting user or during an intrusion by an external attacker.
Rootkits allow access and possibly privilege escalation by subverting standard operating system functionality, common utility programs, or other applications.
What are the dominant approaches used to detect intrusions in IDPSs? Give one advantage and one disadvantage to each approach.
Signature-based detection
Advantage: Signature-based detection is effective at detecting known attacks and can be easy to implement and manage.
Disadvantage: Signature-based detection is not effective at detecting new or unknown attacks.
Anomaly-based detection
Advantage: Anomaly-based detection can detect previously unknown or zero-day attacks and can be effective at detecting insider threats.
Disadvantage: Anomaly-based detection can generate false positives if the baseline is not properly established.
Behavioral-based detection
Advantage: Behavioral-based detection can detect previously unknown or zero-day attacks, and is effective at detecting insider threats.
Disadvantage: Behavioral-based detection can be complex and resource-intensive, and may require significant processing power and data storage to be effective.
What is a SPAN port and how is it different from a tap?
The difference between a SPAN (Switched Port Analyzer) port and a tap is that a SPAN port is a feature of a network switch, while a tap is a separate physical device that is inserted into the network.
What is the clipping level?
The measured activity level at which an IDPS triggers an alert.
What is a log file monitor? What is it used to accomplish?
A log file monitor is a software tool or system component that tracks changes to log files.
Log monitoring is used to accomplish:
- Troubleshooting
- Performance analysis
- Security monitoring
- Compliance auditing
What does the term trap and trace mean?
A system that combines resources to detect an intrusion and then trace its network traffic back to the source.