Information security chapter 7

Sensors

A hardware and/or software component deployed on a remote computer or network segment and is designed to monitor system traffic for suspicious activities and report back to the host application. For example, IDPS sensors report to an IDPS application.

blacklist

A list of system, files, users, or addresses

Whitelist

A list of systems, users, files, or addresses that are known to be benign; it is commonly used to expedite those entities access to systems or networks.

attack protocol

A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.

Honeynet

A monitored network or network segment that contains multiple honeypot systems.

Alarm clustering and compaction

A process of grouping almost identical alarms that occur nearly at the same time into a single higher-level alarm. This consolidation reduces the number of alarms, which reduces administrative overhead and identifies a relationship among multiple alarms. Clustering may be based on combination of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by system administrators.

Padded cell system

A protected honeypot that cannot be easily compromised.

known vulnerability

A published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.

positive vulnerability scanner

A scanner that listens in on a network and identifies vulnerable versions of both client and server software.

SIEM (Security Information and Event Management)

A software-enabled approach to aggregating, filtering, and managing the reaction to events, many of which are collected by logging activities of IDPSs and network management devices.

IDS (Intrusion Detection System)

A system capable of automatically detecting an intrusion into an organization's networks or host systems and notifying a designated authority.

threshold

A value that sets the limit between normal and abnormal behavior. see also clipping level.

monitoring port

Also known as a switched port analysis (SPAN) port or mirror port, a specially configured connection on a network device that can view all the traffic that moves through the device.

Anomaly-based detection

Also known as behavior-based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy.

Signature-based detection

Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures.

Inline sensor

An IDPS sensor intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall.

Host-based IDPSs (HIDPS)

An IDPS that reside on a particular computer or server, known as the host, and monitors activity only on that system. Also known as a system integrity verifier.

network based IDPS (NIDPS)

An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.

Site Policy Awareness

An IDPS's ability to dynamically modify its configuration in response to environmental activity. A so-called dynamic IDPS can adapt its reaction in response to administrators guidance over time and the local environment. A dynamic IDPS logs events that fits a specific profile instead of minor events, such as file modifications or failed user logins. A smart IDPS knows when it does not need to alert the administrator- for example, when an attack is using a known and documented exploit from which the system is protected.

False positive

An alert or alarm that occurs in the absence of the actual attack.A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack. False positives tend to make users insensitive to alarms and thus reduce their reactions to actual intrusion events.

Honeypots

An application that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while the software notifies the administrator of the intrusion.

pen registers

An application that records information about outbound communications.

Active vulnerability scanners

An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerability in servers.

log file monitor (LFM)

An attack detection method that reviews the log files generated by computer systems, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred.

True Attack Stimulus

An event that triggers alarms and causes an IDS to react as if a real attack is in progress. The event may be an actual attack, in which an attacker is attempting a system compromise, or it may be a drill, in which security personnel are using hacking tools to test a network segment.

False Attack Stimulus

An event that triggers an alarm when no actual attack is in progress. Scenarios that test the configuration of the IDPSs may use false attack stimuli to determine if the IDPSs can distinguish between these stimuli and real attacks.

Alert or alarm

An indication or notification that a system has just been attacked and/or is under attack. IDPS alerts and alarms take the form of audible signals, e-mail messages, pager notifications, or pop-up windows.

zero-day vulnerabilities

An unknown or undisclosed vulnerability in an information asset or its protection systems that may be exploited and result in loss. This vulnerability is also referred to as zero day (or zero hour) because once it is discovered, the technology owners have zero days to identify, mitigate, and resolve the vulnerability.

signatures

Patterns that correspond to a known attack.

behavior-based detection

See anomaly-based detection no.33

knowledge-based detection

See signature-based detection. 31

Misuse detection

See signature-based detection. no 31.

entrapment

The act of luring a person into committing a crime in order to get a conviction.

Stateful protocol analysis (SPA)

The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns in an effort to detect misuse and attacks.

False negative

The failure of an IDPS to react to an actual attack event. That is the most grievous IDPS failure, given that its purpose is to detect and respond to attack.

attack surface

The function and features that a system exposes to unauthenticated users.

IDPS- Intrusion detection and prevention system

The general term for a system that can both detect and modify its configuration and environment to prevent intrusions. An IDPS encompasses the functions of both IDS and Intrusion prevention technology.

Confidence Value

The measure of an IDPS's ability to correctly detect and identify certain types of attacks. The confidence value an organization places in an IDPS is based on experience and past performance measurements. The confidence value, which is based on confidence logic, helps an administrator determine the likelihood that an IDPS alarm or alert indicates an actual attack in progress For example, if a system deemed 90% capable of accurately reporting a denial-of-service (DoS) attack, sends a DoS alert, there is a high probability that an actual attack is occuring.

footprinting

The organized research and investigation of Internet addresses owned or controlled by a target organization.

Noise

The presence of additional and disruptive signals in network communications or electrical power delivery. Also, noise can be alarm events that are accurate and noteworthy but do not pose significant threats to information security. Unsuccessful attacks are the most common source of IDPS noise , although some noise might be triggered by scanning and enumeration tools run by network users without harmful intent.

Evasion

The process by which attackers change the format and/or timing of their activities to avoid being detected by an IDPS.

Tuning

The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives.

Alarm filtering

The process of classifying IDPS alerts so that they can be more effectively managed. An IDPS administrator can set up alarm filtering by running the system for a while to track the types of false positives it generates and then adjusting the alarm classifications. for example the administrator may set the IDPS to discard the alarm produced by false attack stimuli or normal network operations. Alarm filters are similar to packet filters in hat they can filter items by their source or destination IP addresses, but they can also filter by operating systems, confidence values, alarm type, or alarm severity.

protocol stack verification

The process of examining ad verifying network traffic for invalid data packets , that is, packets that are malformed under the rules of TCP/IP protocol.

application protocol verification

The process of examining and verifying the higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.

back hack

The process of illegally attempting to determine the source of an intrusion by tracing it and trying to gain access to the originating system.

Site Policy

The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.

Fingerprinting

The systematic survey of a targeted organization's Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range.

port scanners

Tools used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information.

clipping level

a predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to write the event to a log file and/or notify an administrator.

Fully distributed IDPS control strategy

an IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component

Centralized IDPS control strategy

an IDPS implementation approach in which all control functions are implemented and managed in a central location.

partially distributed IDPS control strategy

an IDPS implementation approach that combines the best aspects of the centralized and fully distributed strategies

Passive Mode

an IDPS sensor setting in which the device simply monitors and analyzes observed network or system traffic

intrusion

an adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intend to do harm.

Trap-and-trace

an application that combines the function of honeypots or honeynets with the capability to track the attacker back through the network.

switched port analysis (SPAN) port

see monitoring port 22.

agents

see no 19. sensors.

mirror port

see no 22.

enticement

the act of attracting attention to a system by placing tantalizing information in key locations.