Chapter 07
sensor
A hardware and/or software component deployed on a remote computer or network segment and designed to monitor network or system traffic for suspicious activities and report back to the host application. For example, IDPS sensors report to an IDPS application.
whitelist
A list of systems, users, files, or addresses that are known to be benign; it is commonly used to expedite those entities' access to systems or networks.
attack protocol
A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.
honeynet
A monitored network or network segment that contains multiple honeypot systems.
padded cell system
A protected honeypot that cannot be easily compromised.
known vulnerability
A published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.
Passive vulnerability scanner
A scanner that listens in on a network and identifies vulnerable versions of both server and client software.
packet sniffer
A software program or hardware appliance that can intercept, copy, and interpret network traffic.
Security Information and Event Management (SIEM)
A software-enabled approach to aggregating, filtering, and managing the reaction to events, many of which are collected by logging activities of IDPSs and network management devices.
intrusion detection system (IDS)
A system capable of automatically detecting an intrusion into an organization's networks or host systems and notifying a designated authority.
monitoring port
Also known as a switched port analysis (SPAN) port or mirror port, a specially configured connection on a network device that can view all the traffic that moves through the device.
anomaly-based detection
Also known as behavior-based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy.
Signature-based detection
Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures.
inline sensor
An IDPS sensor intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall.
network-based IDPS (NIDPS)
An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.
host-based IDPS (HIDPS)
An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system. Also known as a system integrity verifier.
trap-and-trace application
An application that combines the function of honeypots or honeynets with the capability to track the attacker back through the network.
honeypot
An application that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while the software notifies the administrator of the intrusion.
pen register
An application that records information about outbound communications.
active vulnerability scanner
An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers.
log file monitor (LFM)
An attack detection method that reviews the log files generated by computer systems, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred.
zero day vulnerability
An unknown or undisclosed vulnerability in an information asset or its protection systems that may be exploited and result in loss. This vulnerability is also referred to as zero day (or zero hour) because once it is discovered, the technology owners have zero days to identify, mitigate, and resolve the vulnerability
signatures
Patterns that correspond to a known attack.
behavior-based detection
See anomaly-based detection
knowledge-based detection
See signature-based detection.
misuse detection
See signature-based detection.
entrapment
The act of luring a person into committing a crime in order to get a conviction.
Stateful protocol analysis (SPA)
The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns in an effort to detect misuse and attacks.
attack surface
The functions and features that a system exposes to unauthenticated users.
intrusion detection and prevention system (IDPS)
The general term for a system that can both detect and modify its configuration and environment to prevent intrusions. An IDPS encompasses the functions of both intrusion detection systems and intrusion prevention technology.
protocol stack verification
The process of examining and verifying network traffic for invalid data packets—that is, packets that are malformed under the rules of the TCP/IP protocol.
application protocol verification
The process of examining and verifying the higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.
fingerprinting
The systematic survey of a targeted organization's Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range.
port scanners
Tools used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information.
blacklist
a list of systems, users, files, or addresses that have been associated with malicious activity; it is commonly used to block those entities from systems or network access.
clipping level
a predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to write the event to a log file and/or notify an administrator.
threshold
a value that sets the limit between normal and abnormal behavior. See also clipping level
Fully distributed IDPS control strategy
an IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component
Centralized IDPS control strategy
an IDPS implementation approach in which all control functions are implemented and managed in a central location
partially distributed IDPS control strategy
an IDPS implementation approach that combines the best aspects of the centralized and fully distributed strategies
passive mode
an IDPS sensor setting in which the device simply monitors and analyzes observed network traffic
intrusion
an adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intent to do harm.
Switched Port Analysis (SPAN) port
see monitoring port
mirror port
see monitoring port.
agent
see sensor
enticement
the act of attracting attention to a system by placing tantalizing information in key locations.
footprinting
the organized research and investigation of internet addresses owned or controlled by a target organization
back hack
the process of illegally attempting to determine the source of an intrusion by tracing it and trying to gain access to the originating system.