Information Security Chapter 7
SPAN
A __________ port, also known as a monitoring port, is a specially configured connection on a network device that is capable of viewing all of the traffic that moves through the entire device.
false
A false positive is the failure of an IDPS system to react to an actual attack event.
whitelist
A list of systems, users, files, or addresses that are known to be benign; it is commonly used to expedite those entities' access to systems or networks.
attack protocol
A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.
honeynet
A monitored network or network segment that contains multiple honeypot systems.
Alarm clustering and compaction
A process of grouping almost identical alarms that happen at close to the same time into a single higher-level alarm.
padded cell system
A protected honeypot that cannot be easily compromised.
Passive vulnerability scanner
A scanner that listens in on a network and identifies vulnerable versions of both server and client software.
security information and event management (SIEM)
A software-enabled approach to aggregating, filtering, and managing the reaction to events, many of which are collected by logging activities of IDPSs and network management devices.
true
A(n) known vulnerability is a published weakness or fault in an information asset or its protective systems that may be exploited and result in loss
fingerprinting
Activities that scan network locales for active systems and then identify the network services offered by the host systems is known as __________.
false
Alarm filtering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by the system administrators. _________________________
monitoring port
Also known as a switched port analysis (SPAN) port or mirror port, a specially configured connection on a network device that can view all the traffic that moves through the device.
anomaly-based detection
Also known as behavior-based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy.
signature-based detection
Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures.
network-based IDPS
An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.
host-based IDPS
An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system. Also known as a system integrity verifier.
site policy awareness
An IDPS's ability to dynamically modify its configuration in response to environmental activity.
log file monitor
An attack detection method that reviews the log files generated by computer systems, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred.
false attack stimulus
An event that triggers an alarm when no actual attack is in progress.
alert or alarm
An indication that a system has just been attacked and/or continues to be under attack.
true
In DNS cache poisoning, valid packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on the network.
correction
Intrusion __________ activities finalize the restoration of operations to a normal state and seek to identify the source and method of the intrusion in order to ensure that the same type of attack cannot occur again.
signatures
Patterns that correspond to a known attack.
entrapment
The act of luring a person into committing a crime in order to get a conviction.
stateful protocol analysis (SPA)
The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns in an effort to detect misuse and attacks.
false negative
The failure of an IDPS to react to an actual attack event.
attack surface
The functions and features that a system exposes to unauthenticated users.
confidence value
The measure of an IDPS's ability to correctly detect and identify certain types of attacks.
footprinting
The organized research and investigation of Internet addresses owned or controlled by a target organization.
tuning
The process of adjusting an IDPS to maximize its efficiency in detecting true positives, while minimizing both false positives and false negatives.
alarm filtering
The process of classifying IDPS alerts so that they can be more effectively managed.
protocol stack verification
The process of examining and verifying network traffic for invalid data packets—that is, packets that are malformed under the rules of the TCP/IP protocol.
application protocol verification
The process of examining and verifying the higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.
back hack
The process of illegally attempting to determine the source of an intrusion by tracing it and trying to gain access to the originating system.
site policy
The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
fingerprinting
The systematic survey of a targeted organization's Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range.
port scanners
Tools used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information.
LFM
Using __________, the system reviews the log files generated by servers, network devices, and even other IDPSs.
trap and trace
__________ applications use a combination of techniques to detect an intrusion and then trace it back to its source.
HIDPS's
_______________ benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files.
sensors
a hardware and/or software component deployed on a remote computer or network segment and designed to monitor network or system traffic for suspicious activities and report back to the host application
blacklist
a list of systems, users, files, or addresses that have been associated with malicious activity; it is commonly used to block those entities from systems or network access
clipping level
a predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to notify an administrator.
known vulnerabilities
a published weakness or fault in an information asset or its protective systems that may be exploited and result in loss
intrusion detection systems (IDS)
a system capable of automatically detecting an intrusion into an organization's networks or host systems and notifying a designated authority
threshold
a value that sets the limit between normal and abnormal behavior
Fully distributed IDPS control strategy
an IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component
Centralized IDPS control strategy
an IDPS implementation approach in which all control functions are implemented and managed in a central location
partially distributed IDPS control strategy
an IDPS implementation approach that combines the best aspects of the centralized and fully distributed strategies
inline sensors
an IDPS sensor intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall
passive mode
an IDPS sensor setting in which the device simply monitors and analyzes observed network traffic
intrusion
an adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intent to do harm
false positive
an alert or alarm that occurs in the absence of an actual attack
trap-and-trace
an application that combines the function of honeypots or honeynets with the capability to track the attacker back through the network
honeypots
an application that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while the software notifies the administrator of the intrusion
pen registers
an application that records information about outbound communications
active vulnerability scanners
an application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers
true attack stimulus
an event that triggers an alarm and causes an IDPS to react as if a real attack is in progress
zero day vulnerabilities
an unknown or undisclosed vulnerability in an information asset or its protection systems that may be exploited and result in loss
enticement
the act of attracting attention to a system by placing tantalizing information in key locations.
intrusion detection and prevention system (IDPS)
the general term for a system that can both detect and modify its configuration and environment to prevent intrusions
noise
the presence of additional and disruptive signals in network communications or electrical power delivery
evasion
the process by which attackers change the format and/or timing of their activities to avoid being detected by an IDPS
