PoIS Chapter 7 (Discussion)
What is a honeypot? How is it different from a honeynet?
Essentially a honeypot is a sort of trapping method that uses enticing material to lure hackers away from critical systems. In the industry these can be referred to as flytraps or decoys. A honeynet is a string of several honeypots connected together. Another thing that is noteworthy is the use of the padded cell system, which in essence is a hardened honeypot. These however work with the traditional IDPS system and transfer the attacker to an environment where no harm can be done.
What kind of data and information can be found using a packet sniffer?
Even though we mostly hear about a packet sniffer in the negative sense, both good and bad information can be found from them. On the beneficial side, a network admin could use one to help diagnose and resolve networking issues in a system. From a negative standpoint, a packet sniffer can be used to eavesdrop on the various packets of information moving through a system.
What capabilities should a wireless security toolkit include?
"a wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and access the level of privacy or confidentiality afforded on the wireless network" (Whitman, p.442). Due to the convenience of wireless networks, security holes can be potentially more common than on a wired network (especially if an organization focuses only on wired connections). Utilizing the security toolkit, one will be prepared for the attack protocol, listed as: attack, compromise, and exploit (Whitman, p.422). The textbook even goes further into listing some helpful tools, utilized from Sectools.org: Aircrack, Kismet, NetStumbler, inSSIDer, KisMac, and AirSnare (p.422); some of which are freeware and are a great starting ground for beginners or administrators looking to gain an edge on attackers. Utilizing the tools can prevent organizations from losing information due to unsecured wireless networks, and help round out all aspects of security in terms of both wired and wireless.
How does a false positive alarm differ from a false negative alarm? From a security perspective, which is less desirable?
A false negative alarm is a failure to detect and react to an actual attack. This can be detrimental to a system or network, as one would want to know of any attacks happening at all. A false positive, on the other hand, is when an alert occurs when there is no attack, typically during normal activity. The downside of a false positive is that administrators can become numb to the alarms, potentially ignoring an alert that actually is an attack. The downside of a false negative, on the other hand, is an attack occurring without any warning or alerts. The less desirable is a false negative alarm. A false negative alarm will allow an intruder to continue their attack without any response from the security team or network administrators.
How does a padded cell system differ from a honeypot?
A honeypot is a system that presents seemingly attractive data to an attacker in an attempt to lure them away from the actual valuable computer system. A padded cell system works alongside an IDPS in that after the IDPS detects an attack, the padded cell system then transfers the hacker to a simulated environment where they can do no harm. Therefore, the difference is that the honeypot works individually to draw in the attacker to itself, and the padded cell system works with a traditional IDPS and sends the attacker to a simulated environment after an attack has been detected.
What is a monitoring (or SPAN) port? What is it used for?
A monitoring port falls under the Network-Based IDPS, which consists of a specialized hardware appliance and/or software designed to monitor the network traffic. The monitoring port, or Switch Port Analysis Port, is used to view all traffic that moves through the entire device. Before monitoring ports, there were hubs. Hubs received traffic from one node and re-transmitted it to all other nodes. This became a security risk because anyone connected to the hub could monitor all the traffic moved through the network segment. The reliability of monitoring ports made them required and necessary for the use of IDPS.
How does a network-based IDPS differ from a host-based IDPS?
A network-based IDPS resides on a computer or an appliance connected to a segment of an organization's network, while a host-based IDPS resides on individual computers and monitors those systems only. Unlike an NIDPS, an HIDPS can access encrypted information and make decisions about potential attacks. However, while an NIDPS is hard to detect by attackers, an HIDPS is vulnerable to both direct attacks and attacks to the system.
How does a signature-based IDPS differ from a behavior-based IDPS?
A signature-based IDPS examines data traffic for patterns that match signatures (preconfigured, predetermined attack patterns). New patterns must be continually added to the database of signatures or any new attacks wouldn't be recognized and could succeed. Behavior-based IDPSs collect data from normal traffic and establish a baseline. Once the baseline is established, the IDPS periodically samples network activity and uses statistical methods to compare sampled activity to the baseline. When the activity measured is outside the baseline, an alert is sent out to an admin.
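To make the signature-versus-behavior distinction (and the false positive / false negative question above) concrete, here is an added example that is not from the textbook or from any of the posts. It runs a small signature matcher and a baseline-deviation detector over constructed log data; the signatures, log lines and traffic counts are invented for the demonstration.

```python
import re
import statistics

# Constructed sample HTTP request log lines (not from the textbook or the forum).
SAMPLE_LOG = [
    "GET /index.html HTTP/1.1",
    "GET /login?user=admin' OR '1'='1 HTTP/1.1",          # matches the SQLi signature
    "GET /../../etc/passwd HTTP/1.1",                     # matches the traversal signature
    "GET /search?q=<script>alert(1)</script> HTTP/1.1",   # no signature on file: a false negative
]

# Signature-based IDPS: preconfigured attack patterns; anything unlisted passes.
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*OR\s*'", re.IGNORECASE),
    "dir_traversal": re.compile(r"\.\./"),
}

def signature_alerts(lines):
    """Return (line, signature_name) for every line that matches a known signature."""
    return [(line, name) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]

def signature_misses(lines):
    """Lines no signature matched; an attack in this list is a false negative."""
    flagged = {line for line, _ in signature_alerts(lines)}
    return [line for line in lines if line not in flagged]

# Behavior-based IDPS: learn a baseline of requests per minute from normal
# traffic, then flag samples more than k standard deviations from the mean.
def build_baseline(counts_per_minute):
    return statistics.mean(counts_per_minute), statistics.pstdev(counts_per_minute)

def behavior_alerts(baseline, samples, k=3.0):
    mean, stdev = baseline
    return [c for c in samples if abs(c - mean) > k * stdev]

# Constructed requests-per-minute counts. The 900 could be a flood or a
# legitimate campaign spike the baseline never saw: the behavior-based
# detector cannot tell the two apart, which is how false positives arise.
BASELINE_TRAFFIC = [100, 110, 95, 105, 100, 90, 108, 102]
NEW_SAMPLES = [104, 98, 900, 101]

if __name__ == "__main__":
    print("signature hits:", signature_alerts(SAMPLE_LOG))
    print("unflagged:", signature_misses(SAMPLE_LOG))
    print("anomalous:", behavior_alerts(build_baseline(BASELINE_TRAFFIC), NEW_SAMPLES))
```

The XSS request slips past the signature set until a pattern for it is added, while the behavior detector flags the 900-request minute whether or not it was an attack.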
What is a system's attack surface? Why should it be minimized when possible?
A system's attack surface is the attack vectors of a software environment through which an unauthenticated user can enter or extract data. Attack vectors are paths that a malicious attacker can take in order to gain access to a computer or network. For example, some attack vectors would be interfaces or protocols. To minimize overall risk, these attack vectors should be minimized. For example, there is a common vulnerability found in Windows, BlueKeep (CVE-2019-0708), that can be exploited. To minimize risk, organizations can patch the affected systems since a patch was released by Microsoft in May of 2019 or they can disable the RDP port if the port is not needed for business needs. Reducing the overall attack vectors can lessen the system's attack surface.
What is a vulnerability scanner? How is it used to improve security?
A vulnerability scanner, in the simplest terms, is a tool used to scan a system and identify vulnerable elements that could be potential targets for attack. An active vulnerability scanner searches through a system by initiating traffic throughout the network system and recording any potential security holes it may find. A passive vulnerability scanner listens to the traffic on a network and identifies what vulnerabilities may exist in the traffic itself or the way the traffic is handled on the system. It should go without saying that using these tools in a controlled setting is an excellent method to identify any security flaws that may exist within a given system. It is certainly better to identify a potential vulnerability on your own than to have it exploited by an outside hacker with ill-intent.
What common security system is an IDPS most like? In what ways are these systems most similar?
An intrusion detection and prevention system (IDPS)--the latest form of intrusion detection systems (IDSs)--is like a traditional burglar alarm: it detects trespass into a system and sounds an alarm (or alerts the user in some other way, like via email). It can also alert external security.
Why do many organizations ban port scanning activities on their internal networks?
Many organizations ban port scanning on their internal networks because this could be an easy way for a hacker to footprint a large number of computers quickly. Also, port scanning takes up unnecessary system and network resources. This slowdown can cause an unproductive office if it is done often or on a large scale. ISPs may ban outbound port scanning because this can be considered a DoS, which could lead to lawsuits, and on large ISPs with broadband users, their customer computers could be used as drone computers to DoS a large network or system.
What is Metasploit Framework? Why is it considered riskier to use than other vulnerability scanning tools?
Metasploit is one of a class of scanners that exploit the remote machine and allow the vulnerability analyst to create an account, modify a Web page (437). This tool is considered risky and should only be used when necessary. Metasploit Framework is considered dangerous because the tool can allow you to exploit a server and run a single command and customize the overflow.
What is network fingerprinting?
Network fingerprinting is a collection of information that would consist of different items such as software, network protocols, hardware devices and possibly operating systems that would aid in planning a strategy to exploit a weakness either from a penetration tester or an actual attacker.
What are networking footprinting and network fingerprinting and how are they related?
Networking footprinting is when a hacker researches information on a target with publicly available data. Network fingerprinting is a more focused form of research to acquire the forms or tools to attack a target. These tools are used to find vulnerabilities. Both footprinting and fingerprinting are used as an attack protocol to penetrate a system.
What is the difference between active and passive vulnerability scanners?
Passive scanners emphasize monitoring network activity, while active scanners are capable of simulating attacks and repairing weak spots. Both types of scanner can co-exist within a network, complementing each other's capabilities.
Why would ISPs ban outbound port scanning by their customers?
Port scanning reveals potential access points to the system's ports, being that information gets transferred from port to computer and then out of the computer. Therefore, Internet service providers (ISPs) are obligated to prohibit customers from outbound port scanning for reasons such as revoking the user's access to their network if they discover a user is using hacking tools to footprint computers and perform malicious activities.
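The two port-scanning answers above say organizations and ISPs ban scanning; from the defender's side, the question is how a scan shows up in the logs. Here is an added example that is not from the textbook or from any of the posts: it flags a source that touches many distinct ports on one host inside a short window, using constructed connection records, and shows why a slow scan spread over minutes evades a fixed window.

```python
from collections import defaultdict, deque

# Constructed connection records (not from the textbook): (time_s, src_ip, dst_ip, dst_port).
# 10.0.0.5 browses normally, 10.0.0.7 sweeps seven ports in seven seconds,
# and 10.0.0.9 probes one port every 30 seconds (a slow scan).
CONNECTIONS = [
    (0, "10.0.0.5", "10.0.0.20", 80),
    (3, "10.0.0.5", "10.0.0.20", 443),
    (9, "10.0.0.5", "10.0.0.20", 80),
] + [
    (2 + i, "10.0.0.7", "10.0.0.20", p)
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 443])
] + [
    (30 * i, "10.0.0.9", "10.0.0.20", p)
    for i, p in enumerate([21, 22, 23, 25, 80, 110])
]

def detect_port_scans(records, window_s=10, port_threshold=5):
    """Return the (src, dst) pairs where one source touched more than
    port_threshold distinct ports on one host within any window_s seconds."""
    flagged = set()
    windows = defaultdict(deque)   # (src, dst) -> (time, port) entries still inside the window
    for t, src, dst, port in sorted(records):
        win = windows[(src, dst)]
        win.append((t, port))
        while t - win[0][0] > window_s:   # drop entries that have aged out of the window
            win.popleft()
        if len({p for _, p in win}) > port_threshold:
            flagged.add((src, dst))
    return flagged

if __name__ == "__main__":
    print("fast scans:", detect_port_scans(CONNECTIONS))
    # A wider window is needed to catch the slow scanner, at the cost of more false positives.
    print("with 200 s window:", detect_port_scans(CONNECTIONS, window_s=200))
```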
List and describe the three control strategies proposed for IDPSs.
The three control strategies are centralized, fully distributed, and partially distributed. Centralized IDPS control strategy means that all control functions are implemented and controlled from a centralized location. This is common because it only needs one management system, one place for reports, one staff evaluating it, etc. Fully distributed IDPS control strategy is when all control functions are implemented at the specific physical location of each component. They will have a set of paired sensors at each location to manage its own control functions and work through detection, reaction, and response as necessary. The benefit to this control system is that it is fast; it does not have to wait on the centralized system to respond. The main benefits are cost and control or it being all together. Partially distributed IDPS control strategy is truly just a mesh of the first two. It will take the best aspects of each of them and apply it as necessary. This one tends to be one of the more effective systems since you get the speed/details of the fully distributed, but it is also economically effective like the centralized system. It is very effective at detecting intelligent attackers like those that try to enter from multiple locations.
What is an open port? Why is it important to limit the number of open ports to those that are absolutely essential?
There are two types of ports, TCP and UDP. These two types are numbered differently but both have 65,536 ports each. To have a port open means that the port can be used to communicate between two things. One of the issues with having all ports open is that you make yourself more vulnerable to a lot more attacks because you have basically left your computer door wide open. The fewer ports you have open, the fewer attacks will succeed in compromising your system.
What is network footprinting?
When a hacker is preparing for an attack, he often researches a target by perusing its publicly available information. This is known as (network) footprinting. A common source of information for hackers can be found on a target's web page (good for learning personnel names, for example) as well as in the page's source code (which may reveal details about an internal network).