Security in Computing, Chapter 6


MAC Address

Media Access Control

Routing

Supports efficient resource use and quality of service. Misused, it can cause denial of service.

Port 80

The port dedicated to HTTP (web page) traffic

A firewall system

typically does not have compilers, linkers, loaders, general text editors, debuggers, programming libraries, or other tools an attacker might use to extend an attack from the firewall computer.

MAC (media access control) address

unique 48- or 64-bit hardware address

Interception

Communication goes on normally, except that a hidden third party has listened in, too.

Tunnel Mode

the recipient's address is concealed by encryption, and IPsec substitutes the address of a remote device, such as a firewall, that will receive the transmission and remove the IPsec encryption.

substitution attack

the replacement of one piece of a data stream with another

Encryption

the strongest and most commonly used countermeasure against interception

two sides of network security

threats and countermeasures

data-link level

a data-link (frame) header is added carrying two more addresses: your computer's NIC address (the source MAC) and your router's NIC address (the destination MAC for the first hop)

WEP

uses short, infrequently changed encryption keys, it requires no authentication, and its integrity is easily compromised

WPA fixes shortcomings of WEP by

using stronger encryption; longer, changing keys; and secure integrity checks.

Denial-of-service attack

usually tries to flood a victim with excessive demand.

Wired equivalent privacy

was intended as a way for wireless communication to provide privacy equivalent to conventional wire communications

destination unreachable

which indicates that a destination address cannot be accessed

Source Quench

which means that the destination is becoming saturated and the source should suspend sending packets for a while (deprecated by RFC 6633 and ignored by modern hosts, not least because a forged source quench is itself an easy way to throttle a victim)

PING

which requests a destination to return a reply, intended to show that the destination system is reachable and functioning

ECHO

which requests a destination to return the data sent to it, intended to show that the connection link is reliable (ping is actually a version of echo)

Wireless communication

will never be as secure as wired, because the exposed signal is more vulnerable.

Frame types

• Beacon • Authentication • Association request and response

IANA

Internet Assigned Numbers Authority

ICMP

Internet Control Message Protocol

IETF

Internet Engineering Task Force

ISAKMP

Internet Security Association and Key Management Protocol

Closed or stealth mode, also known as SSID cloaking

The client must first send a signal seeking an access point with a particular SSID before the access point responds to that one query with an invitation to connect

Network Threats

interception, modification, fabrication or insertion, and interruption

IDS

intrusion detection system

misuse intrusion detection.

the real activity is compared against a known suspicious area

command-and-control center.

The bot headquarters - instructs specific machines to target a particular victim at a given time and duration.

transport mode

(normal operation), the IP address header is unencrypted.

Stateful inspection firewalls

- judge according to information from multiple packets.

802.11n Range

1000ft/350m

Bots belong to a class of code known more generally as

malicious autonomous mobile agents.

DNS

Domain Name System

The Onion Router

Tor

TLS

transport layer security

POP

typically bound to port 110

Protocol

a language or set of conventions for how two computers will interact.

Default Deny

that which is not expressly permitted is forbidden

Camellia and Aria

block ciphers with the same 128-bit block size and 128/192/256-bit key sizes as AES, offered as alternatives to AES in some TLS cipher suites

Intrusion detection devices

can be network based or host based.

EAP

extensible authentication protocol

DNS cache poisoning attack

is a way to subvert the addressing to cause a DNS server to redirect clients to a specified address

issues to consider when choosing a SIEM

• Cost. • Data portability. • Log-source compatibility. • Deployment complexity. • Customization. • Data storage. • Segregation and access control. • Full-time maintenance. • User training.

IDS Design Approaches

• Filter on packet headers. • Filter on packet content. • Maintain connection state. • Use complex, multipacket signatures. • Use a minimal number of signatures with maximum effect. • Filter in real time, online. • Hide its presence. • Use optimal sliding-time window size to match signatures.

BIND

- Berkeley Internet Name Domain - or named (shorthand for "name daemon")

Denial of Service by Addressing Failures

- DNS Spoofing - Rerouting Routing - Router Takes Over a Network - Source Routing and Address Spoofing

Routing Attacks

- Excessive Demand - Component Failure

Denial of Service Types

- Flooding - Network Flooding - Denial of Service by addressing failures - Traffic Redirection - DNS Attacks - Physical Disconnection

WPA2

- IEEE standard 802.11i - adds AES as a possible encryption algorithm

Network Flooding by Resource Exhaustion Attacks

- IP Fragmentation: Teardrop

Attacks on WPA

- Man-in-the-Middle - Incomplete Authentication

DNS Attacks

- Name Server Application Software Flaws - Top-Level Domain Attacks - Session Hijack

Port Scanning Tools

- Nmap scanner, originally written by Fyodor - Netcat, written by Hobbit - Nessus (Nessus Corp.) - CyberCop Scanner (Network Associates) - Secure Scanner (Cisco) - Internet Scanner (Internet Security Systems)

Strengths of WPA over WEP

- Non-Static Encryption Key - Authentication - Strong Encryption - Integrity Protection - Session Initiation

Flood Attacks

- Ping of Death - Smurf - Echo-Chargen - SYN Flood

Browser Encryption types

- SSH Encryption - SSL and TLS Encryption - Cipher Suite

Commercial implementations of personal firewalls

- SaaS Endpoint Protection from McAfee, - F-Secure Internet Security, - Microsoft Windows Firewall, - Zone Alarm from CheckPoint.

circuit-level gateway

- is a firewall that essentially allows one network to be an extension of another. - connects two separate subnetworks as if they were one contiguous unit. - It operates at OSI level 5, the session level - it functions as a virtual gateway between two networks.

802.11b Range

300ft/100m

Physical Disconnection

- Transmission Failure - Component Failure

Data Corruption Sources

- Typing Error - Software Flaw - Malicious Code - Hardware Failure - Transmission Problem - Hacker Activity - Noise Accident - Human Mistake - Program Error

Wireless Attacks

- Unauthorized WiFi Access - WiFi Protocol Weaknesses - Picking Up the Beacon - SSID in All Frames - Changeable MAC Addresses (MAC Spoofing) - Stealing the Association

WEP Security Weaknesses

- Weak Encryption Key - Static Key - Weak Encryption Process - Weak Encryption Algorithm - Initialization Vector Collisions - Faulty Integrity Check - No Authentication

application proxy gateway (bastion host)

- is a firewall that simulates the (proper) effects of an application at level 7 so that the application receives only requests to act properly. - runs pseudoapplications - behaves like a man in the middle

802.11g Range

300ft/100m

Personal Firewall

- is a program that runs on a single host to monitor and control traffic to that host. It can only work in conjunction with support from the operating system.

A guard firewall

- is a sophisticated firewall. - Like a proxy firewall, it receives protocol data units, interprets them, and emits the same or different protocol data units that achieve either the same result or a modified result. - determines what services to perform on the user's behalf in accordance with its available information, such as whatever it can reliably ascertain of the (outside) user's identity, previous interactions, and so forth. - the degree of control it can provide is limited only by what is computable. - can implement any programmable set of conditions, even if the program conditions become highly sophisticated.

network-based IDS (NIDS)

- is generally a separate network appliance that monitors traffic on an entire network. - It receives data from firewalls, operating systems of the connected computers, other sensors such as traffic volume monitors and load balancers, and administrator actions on the network. - Another advantage is that it can send alarms on a separate network from the one being monitored. That way an attacker will not know the attack has been recognized

WPA

- WiFi Protected Access

Wireless Availability problems.

- a component of a wireless communication stops working because hardware fails, power is lost, or some other catastrophe strikes - loss of some but not all access, typically manifested as slow or degraded service - Service can be slow because of interference - Service can also be slow if the demand for service exceeds the capacity of the receiving end, so either some service requests are dropped or the receiver handles all requests slowly - rogue network connection

WPA protocol steps

- authentication - four-way handshake (to ensure that the client can generate cryptographic keys and to generate and install keys for both encryption and integrity on both ends) - an optional group key handshake (for multicast communication)

Network Encryption

- between two hosts (called link encryption) - between two applications (called end-to-end encryption).

IPsec

- can enforce either or both of confidentiality and authenticity. - Confidentiality is achieved with symmetric encryption - per-packet authenticity and integrity are provided by a keyed hash (HMAC) under a shared key negotiated by IKE; IKE itself can authenticate the two peers with an asymmetric algorithm, each signing with its private key

Rate Limiting

- countermeasure that reduces the impact of an attack. - the volume of traffic allowed to a particular address is reduced.

Link Encryption

- data are encrypted just before the system places them on the physical communications link. - In this case, encryption occurs at layer 1 or 2 in the OSI model.

insertion attack

- data values are inserted into a stream. - An attacker does not even need to break an encryption scheme in order to insert authentic-seeming data - as long as the attacker knows precisely where to slip in the data, the new piece is encrypted under the same key as the rest of the communication.
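
The substitution and insertion cards above both rest on one property: under a stream cipher (or a block cipher in counter mode) the ciphertext is plaintext XOR keystream, so an attacker who knows what plaintext sits at a given offset can flip exactly the bits needed to make the receiver decrypt something else, with no knowledge of the key. The following Python is an added example, not code from the book; the SHA-256 counter keystream is a toy standing in for any real stream cipher, and the payment message and field offset are constructed for the demonstration. It shows the substitution succeeding against bare encryption and being rejected once an HMAC (encrypt-then-MAC) covers the ciphertext.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived with SHA-256 (illustration only).
    Any stream cipher or CTR-mode block cipher has the malleability shown below."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def substitute(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker's substitution without the key: if plaintext bytes `known` sit at
    `offset`, XORing in (known XOR wanted) makes the receiver decrypt `wanted`."""
    assert len(known) == len(wanted)
    buf = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        buf[offset + i] ^= k ^ w
    return bytes(buf)


def encrypt_then_mac(key_enc: bytes, key_mac: bytes, nonce: bytes, data: bytes):
    ct = encrypt(key_enc, nonce, data)
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def verify_and_decrypt(key_enc: bytes, key_mac: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("integrity check failed: message rejected")
    return decrypt(key_enc, nonce, ct)


def demo():
    """Returns (what an unauthenticated receiver decrypts after the substitution,
    whether the MAC-protected version rejected the same substitution)."""
    key_enc, key_mac, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"PAY 0100.00 TO ACCT 4471"   # constructed message; amount field starts at offset 4

    ct = encrypt(key_enc, nonce, msg)
    forged = substitute(ct, 4, b"0100.00", b"9900.00")
    tampered = decrypt(key_enc, nonce, forged)

    ct2, tag = encrypt_then_mac(key_enc, key_mac, nonce, msg)
    forged2 = substitute(ct2, 4, b"0100.00", b"9900.00")
    try:
        verify_and_decrypt(key_enc, key_mac, nonce, forged2, tag)
        rejected = False
    except ValueError:
        rejected = True
    return tampered, rejected


if __name__ == "__main__":
    tampered, rejected = demo()
    print("receiver without MAC decrypts:", tampered)
    print("receiver with MAC rejected forgery:", rejected)
```

The same trick works for insertion when the attacker can splice ciphertext whose keystream offset he controls, which is why confidentiality alone is never enough for a data stream: every IPsec, TLS and WPA design pairs the cipher with a keyed integrity check.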

A packet filtering gateway (screening router)

- is the simplest, and in some situations, the most effective type of firewall. - controls access on the basis of packet address (source or destination) or specific transport protocol type (such as HTTP web traffic), that is, by examining the control information of each single packet. - operate at OSI level 3. - do not "see inside" a packet; they block or accept packets solely on the basis of the IP addresses and ports
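
To make the packet-filter and default-deny cards concrete, here is an added Python model of a screening router (it is not code from the book or from any firewall product). Rules match only header fields, the first matching rule wins, and a packet matching no rule falls to the default policy. The addresses, the rule set and the sample packets are all hypothetical; the final comparison shows the same probe being dropped under default deny and let through under default permit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for protocols without ports (icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        # Only header fields are consulted: a packet filter never looks at payload.
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class ScreeningRouter:
    """Stateless packet filter on the outside interface: first matching rule wins,
    and a packet matching no rule gets the default policy ("allow" or "deny")."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


INTERNAL_NET = "10.0.0.0/8"        # hypothetical inside network
WEB_SERVER = "10.0.5.20/32"        # hypothetical public web server

RULES = [
    # Anti-spoofing: a packet arriving from outside can never legitimately
    # carry an inside source address.
    Rule("deny", src=INTERNAL_NET),
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80),
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=443),
]

# Constructed sample traffic arriving on the outside interface.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "10.0.5.20", "tcp", 80),     # web request
    Packet("198.51.100.7", "10.0.5.20", "tcp", 3306),   # probe for a database port
    Packet("10.0.0.9", "10.0.5.20", "tcp", 80),         # spoofed inside source address
    Packet("203.0.113.4", "10.0.5.20", "icmp", None),   # ping
]


def evaluate(default: str) -> List[str]:
    """Decisions for SAMPLE_PACKETS under the given default policy."""
    router = ScreeningRouter(RULES, default=default)
    return [router.decide(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    print("default deny:  ", evaluate("deny"))
    print("default permit:", evaluate("allow"))
```

Note what the filter cannot do: the "allowed" request to port 80 could carry anything at all in its payload, and a reply packet from the web server would need its own rule (or a stateful filter that remembers the outbound connection).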

Signature-based IDSs

- look for patterns; - are limited to known patterns.

front-end device IDSs

- monitors traffic as it enters the network and thus can inspect all packets; - it can take as much time as needed to analyze them - if it finds something that it classifies as harmful, it can block the packet before the packet enters the network.

Botnets

- networks of bots, are used for massive denial-of-service attacks, implemented from many sites working in parallel against a victim. - They are also used for spam and other bulk email attacks, in which an extremely large volume of email from any one point might be blocked by the sending service provider.

IKE

- provides a way to agree on and manage protocols, algorithms, and keys. - uses the Diffie-Hellman scheme to generate a mutually shared secret that will then be used as an encryption key.

end-to-end encryption

- provides security from one end of a transmission to the other. - The encryption can be applied between the user and the host by a hardware device. - Alternatively, the encryption can be done by software running on the host computer. - In either case, the encryption is performed at the highest levels, usually by an application at OSI level 7, but sometimes 5 or 6.

Microwave

- signals are not carried along a wire; they are broadcast through the air, making them more accessible to outsiders - It requires line-of-sight

Inference engines work in two ways.

- state-based intrusion detection systems, - model-based intrusion detection systems.

Blocked Access

- the attacker may simply prevent a service from functioning. - The attacker could exploit a software vulnerability in an application and cause the application to crash. - The attacker could interfere with the network routing mechanisms, preventing access requests from getting to the server. - Yet another approach would be for the attacker to manipulate access control data, deleting access permissions for the resource, or to disable the access control mechanism so that nobody could be approved for access.

IPsec modes of operation

- transport mode - tunnel mode

DoS attacks defensive techniques

- tuning (adjusting the number of active servers), - load balancing (evening the computing load across available servers), - shunning (reducing service given to traffic from certain address ranges), - blacklisting (rejecting connections from certain addresses).

The echo-chargen attack

- works between two hosts - The attacker picks two victims, A and B, and then sets up a chargen process on host A that generates its packets as echo packets with a destination of host B. Thus, A floods B with echo packets

Darknet

Tor also facilitates the so-called dark side of the Internet, used to implement illegal traffic in child pornography, drugs, and stolen credit card and identity details.

802.11a Range

100ft/35m

OSI model

1 - Physical 2 - Data Link 3 - Network 4 - transport 5 - Session 6 - Presentation 7 - Application

Things port scanning tells an attacker

1 - which standard ports or services are running and responding on the target system 2 - what operating system is installed on the target system 3 - what applications and versions of applications are present

Distributed Denial of Service Steps

1. the attacker wants to conscript an army of compromised machines (Zombies) to attack a victim. 2. At some point the attacker chooses a victim and sends a signal to all the zombies to launch the attack.

Authentication.

A NIC initiates a request to interact with an access point by sending its identity in an authentication frame. The access point may request additional authentication data and finally either accepts or rejects the request. Either party sends a deauthentication frame to terminate an established interaction.

Authentication Frame

A NIC requests a connection by sending an ____________ frame.

Security Operations Center (SOC)

A SOC is a team of security personnel dedicated to monitoring a network for security incidents and investigating and remediating those incidents.

Frame

A data-link layer structure with destination MAC, source MAC, and data

BGP

Border Gateway Protocol

Cipher Suite

Client and server negotiate encryption algorithms for authentication, session encryption, and hashing.

Frame

Each WiFi data unit

Beacon.

Each access point periodically sends a beacon frame to announce its presence and relay information, such as timestamp, identifier, and other parameters regarding the access point. Any NICs that are within range receive this beacon.

Association request and response.

Following authentication, a NIC requests an access point to establish a session, meaning that the NIC and access point exchange information about their capabilities and agree on parameters of their interaction. An important part of establishing the association is agreeing on encryption. A deassociation request is a request to terminate a session.

SSL is commonly known as

HTTPS (HTTP Secure)

ISAKMP key exchange

IKE

IPSec (IP Security Protocol Suite)

IPsec implements encryption and authentication in the Internet protocols.

IPS

Intrusion prevention system

frame fields:

MAC header, payload, and FCS (frame check sequence)

Denial-of-service attacks

Network loss of availability

Data Corruption

Network loss of integrity

OSI

Open System Interconnection

Post Office Protocol

POP

Bootmasters

People who infect machines to turn them into bots

Well-known ports

Ports 0 to 1023 (IANA also defines registered ports 1024 to 49151 and dynamic or private ports 49152 to 65535)

Routers

Routers direct traffic on a path that leads to a destination.

War driving

Searching for open wireless networks within range

SSL

Secure Sockets Layer

SSH Encryption

Secure Shell (SSH) encryption is a pair of protocols (versions 1 and 2) originally defined for Unix but now available under most operating systems. It provides an authenticated and encrypted path to the shell or operating system command interpreter. Version 1 has known cryptographic weaknesses and should be disabled.

SIEM

Security Information and Event Management

Packet

Smallest individually addressable data unit transmitted

TKIP

Temporal Key Integrity Protocol

security association

The basis of IPsec

SYN Flood

This attack uses the TCP protocol suite, making the session-oriented nature of these protocols work against the victim
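
The SYN flood works because the server must remember every half-open connection (SYN received, final ACK never sent) until a timeout. The following Python detector is an added example, not code from the book or from any IDS; it runs over constructed packet records and counts half-open connections per destination. Counting per destination rather than per source is the point: flood sources are spoofed and each appears only once, so per-source thresholds never trigger. The server address and traffic are hypothetical.

```python
from collections import defaultdict

# Constructed packet records: (time_s, src_ip, dst_ip, dst_port, tcp_flags).
# Flags use tcpdump letters: "S" = SYN, "A" = ACK, "SA" = SYN+ACK.
SERVER = "10.0.5.20"
LEGIT = [
    (0.000, "192.0.2.10", SERVER, 80, "S"),
    (0.010, SERVER, "192.0.2.10", 80, "SA"),
    (0.020, "192.0.2.10", SERVER, 80, "A"),    # handshake completes
]
# A SYN flood: 50 SYNs from 50 different (spoofed) sources; no ACK ever follows.
FLOOD = [(1.0 + i * 0.001, f"203.0.113.{i + 1}", SERVER, 80, "S") for i in range(50)]


def detect_syn_flood(packets, threshold=20, backlog_timeout=3.0):
    """Track half-open connections per destination (SYN seen from a client,
    no ACK from it yet) and alert when the count reaches `threshold`.
    Returns (peak half-open count per destination, list of alerted destinations)."""
    pending = defaultdict(dict)    # dst -> {client_src: time of its SYN}
    peak = defaultdict(int)        # dst -> highest half-open count observed
    alerts = []
    for t, src, dst, dport, flags in sorted(packets):
        table = pending[dst]
        # Drop entries older than the server's own SYN-RECV timeout.
        for stale in [s for s, t0 in table.items() if t - t0 > backlog_timeout]:
            del table[stale]
        if "S" in flags and "A" not in flags:
            table[src] = t                  # new half-open connection
        elif "A" in flags:
            table.pop(src, None)            # client finished the handshake
        peak[dst] = max(peak[dst], len(table))
        if len(table) >= threshold and dst not in alerts:
            alerts.append(dst)
    return dict(peak), alerts


if __name__ == "__main__":
    peaks, alerts = detect_syn_flood(LEGIT + FLOOD)
    print("peak half-open per destination:", peaks)
    print("alerts:", alerts)
```

Detection is only half of a defence: because the sources are forged, blacklisting them is useless, and the usual server-side mitigation is SYN cookies, which let the server answer a SYN without allocating backlog state until the final ACK proves the client is real.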

Port 123

This port is assigned to the Network Time Protocol (NTP) for clock synchronization

WEP

Wired equivalent privacy

Shunning

With reliable source addresses, network administrators can set edge routers to drop packets engaging in a denial-of-service attack.

rogue access point

is another means to intercept sensitive information. All you have to do is broadcast an open access point in a coffee shop or near a major office building, allow people to connect, and then use a network sniffer to copy traffic surreptitiously

The source of a denial-of-service attack

is typically difficult or impossible to determine with certainty.

three basic causes of failed service

lack of capacity or overload, blocked access, and unresponsive components

heuristic IDSs

learn characteristics of unacceptable behavior over time

network-based IDS

a stand-alone device attached to the network to monitor traffic throughout that network;

security parameter index (SPI)

a data element that is essentially a pointer into a table of security associations.

DNS Spoofing

a man-in-the-middle attack involves the attacker's intercepting and replying to a query before the real DNS server can respond.

model-based intrusion detection systems

a model of known bad activity whereby the intrusion detection system raises an alarm when current activity matches the model to a certain degree

interruption

a network denial of service

Port

a number associated with an application program that serves or monitors for a network service

chaining

a process in which each segment of a message is encrypted so that the result depends on all preceding segments

Source Routing

a sender can specify some or all of the intermediate points by which a data unit is transferred.

security policy

a set of rules that determine what traffic can or cannot pass through the firewall

Ping of Death

a simple attack, using the ping command that is ordinarily used to test response time from a host. Since ping requires the recipient to respond to the packet, all the attacker needs to do is send a flood of pings to the intended victim. (Strictly, what is described here is a ping flood; the original ping of death was a single malformed ICMP echo request whose fragments reassembled to more than the 65,535-byte IP maximum, crashing vulnerable IP stacks.)

Replay Attack

legitimate data are intercepted and reused, generally without modification

Packet filters

limit traffic based on packet header data: addresses and ports on packets

Zombies or bots

machines running pieces of malicious code under remote control.

Botnet operators

make money by renting compromised hosts for DDoS or other activity. The rent is mostly profit.

Network Layer

adds a header carrying two addresses: your computer's address as the source and the address of the destination

beacon signal

advertises a network accepting connections.

IDS Stealth Mode

an IDS has two network interfaces: one for the network (or network segment) it is monitoring and the other to generate alerts and perhaps perform other administrative needs

open mode

an access point continually broadcasts its appeal in its beacon, indicating that it is open for the next step in establishing a connection

Extreme Demand

an attacker can overwhelm a critical part of a network, from a web page server to a router or a communications line

cache poisoning

an incorrect name-to-address DNS conversion is placed in and remains in a translation cache.

frame check sequence

an integrity check (actually a cyclic redundancy check) to ensure accurate transmission of the entire frame.
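
The frame check sequence is worth seeing in code because the distinction it illustrates (accidental corruption versus deliberate modification) recurs throughout the chapter, in the WEP "Faulty Integrity Check" weakness in particular. The Python below is an added example, not code from the book; it builds a minimal frame with a CRC-32 FCS (the CRC-32 polynomial used by IEEE 802.3, computed as a number here without reproducing the exact on-wire bit ordering). The MAC addresses and payload are constructed.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes) -> bytes:
    """MAC header (dst, src, EtherType) + payload + 4-byte FCS, where the FCS is
    CRC-32 over everything before it."""
    header = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """Receiver's check: recompute the CRC and compare with the trailing FCS."""
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)


def flip_bit(frame: bytes, bit: int) -> bytes:
    """Simulate a transmission error: invert a single bit of the frame."""
    buf = bytearray(frame)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def tamper(frame: bytes, new_payload: bytes) -> bytes:
    """Simulate an active attacker: replace the payload and recompute the FCS.
    No key is involved, so the receiver's check still passes."""
    header = frame[:14]
    return build_frame(header[:6], header[6:12], new_payload)


def demo() -> dict:
    dst = bytes.fromhex("3c5ab4001122")   # constructed MAC addresses
    src = bytes.fromhex("a4c3f0334455")
    frame = build_frame(dst, src, b"GET /balance HTTP/1.0\r\n")
    forged = tamper(frame, b"GET /transfer?to=attacker HTTP/1.0\r\n")
    return {
        "intact": fcs_ok(frame),
        "bit_error": fcs_ok(flip_bit(frame, 113)),   # bit 113 lies in the payload
        "tampered": fcs_ok(forged),
        "tampered_payload": forged[14:-4],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

A CRC catches every single-bit error and most bursts, which is all the data-link layer asks of it. It offers nothing against an adversary, who simply recomputes it; and because CRC is linear, bit flips can even be patched up through encryption without knowing the key, which is exactly the flaw in WEP's CRC-based integrity check. Integrity against an attacker needs a keyed check such as an HMAC.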

inductance

an intruder can tap a wire and read radiated signals without making physical contact with the cable;

NIDS

analyzes activity across a whole network to detect attacks on any network host

Compromised zombies

are located by scanning random computers for unpatched vulnerabilities.

SIEMs

are software systems that collect security-relevant data from a variety of hardware and software products in order to create a unified security dashboard for SOC personnel

DNS Poisoning

attackers try to insert inaccurate entries into that cache so that future requests are redirected to an address the attacker has chosen
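
The spoofing and cache-poisoning cards describe a race: the attacker's forged reply must reach the resolver before the real one and must match what the resolver is waiting for. The Python simulation below is an added example, not code from the book or from any real resolver, and the names and addresses in it are hypothetical. It models a resolver that accepts the first reply whose transaction ID and destination port match its outstanding query, and shows why a 16-bit ID alone is hopeless once an attacker can send one forged reply per possible ID, and how source-port randomization multiplies the search space.

```python
import random

ATTACKER_IP = "203.0.113.66"    # hypothetical attacker-controlled address
REAL_IP = "198.51.100.20"       # hypothetical genuine address of the name
NAME = "bank.example"


class Resolver:
    """Caching resolver: the first reply whose transaction ID and destination
    port match the outstanding query is believed and cached."""

    def __init__(self, rng: random.Random, randomize_port: bool):
        self.rng = rng
        self.randomize_port = randomize_port
        self.cache = {}

    def send_query(self, name: str):
        txid = self.rng.randrange(1 << 16)                 # 16-bit DNS ID
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        return txid, port

    def accept(self, name: str, reply, expected) -> bool:
        txid, port, answer = reply
        if (txid, port) != expected:
            return False                # wrong ID or port: silently dropped
        self.cache[name] = answer       # first match wins and stays until its TTL expires
        return True


def race(resolver: Resolver, rng: random.Random) -> bool:
    """One poisoning attempt. Forged replies covering every txid (with one guess
    at the port) arrive before the real answer. Returns True if the cache is poisoned."""
    expected = resolver.send_query(NAME)
    guessed_port = rng.randrange(1024, 65536) if resolver.randomize_port else 53
    for txid in range(1 << 16):
        if resolver.accept(NAME, (txid, guessed_port, ATTACKER_IP), expected):
            return True
    resolver.accept(NAME, (expected[0], expected[1], REAL_IP), expected)  # real reply, too late or irrelevant
    return False


def poison_rate(trials: int, randomize_port: bool, seed: int = 7) -> float:
    rng = random.Random(seed)
    wins = sum(race(Resolver(rng, randomize_port), rng) for _ in range(trials))
    return wins / trials


def search_space(randomize_port: bool) -> int:
    """Number of (txid, port) pairs an attacker must cover to be sure of a hit."""
    return (1 << 16) * ((65536 - 1024) if randomize_port else 1)


if __name__ == "__main__":
    print("fixed source port, 20 races:      ", poison_rate(20, False))
    print("randomized source port, 20 races: ", poison_rate(20, True))
    print("search space fixed / randomized:  ", search_space(False), search_space(True))
```

The simulation is generous to the attacker (every ID guessed, the real reply always losing the race) and still shows port randomization turning a certain poisoning into a roughly one-in-64,000 chance per attempt; it is not a substitute for DNSSEC, which makes forged answers detectable regardless of the race.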

The 802.11 Protocol Suite

describe how devices communicate in the radio bands allotted to WiFi: the 2.4 GHz band (essentially 2.4 GHz-2.5 GHz) used by 802.11b, 802.11g and 802.11n, and the 5 GHz band used by 802.11a and 802.11n.

DDoS attack

distributed denial-of-service

the data link layer

divides data into manageable blocks for efficient transfer

Heuristic (anomaly Based)

build a model of acceptable behavior and flag exceptions to that model

Next Hop

each router determines the best next path to which to direct a data unit

Interception

eavesdropping or wiretapping,

Port Scan

maps the topology and hardware and software components of a network segment.

spanning tree algorithm

essentially a map of the shortest route to each known destination in the network.

Intrusion prevention systems

extend IDS technology with built-in protective response. - tries to block or stop harm

heuristic intrusion detection system categories:

good/benign, suspicious, or unknown.

the network layer

handles addressing to determine how to route data

inference engine,

identifies pieces of attacks and rates the degree to which these pieces are associated with malicious behavior.

Routers

implicitly trust each other.

Network Design

incorporates redundancy to counter hardware failures.

targets of a flooding attack

can be an application, such as a database management system; an operating system or one of its components, for example, file or print server; or a network appliance like a router. Alternatively, the attack can be directed against a resource, such as a memory allocation table or a web page.

Network and vulnerability scanners

can be used positively for management and administration and negatively for attack planning.

DoS

can occur from excessive volume, a failed application, a severed link, or hardware or software failure.

Nonmalicious substitution

can occur if a hardware or software malfunction causes two data streams to become tangled, such that a piece of one stream is exchanged with the other stream.

Protected subnetworks

can separate departments, projects, clients, areas—any subgroup requiring controlled access to data or communication.

loose source routing

certain (some or all) required intermediate points are specified.

Distributed denial-of-service attacks

change the balance between adversary and victim by marshalling many forces on the attack side.

information and event management devices

collect status indications from a range of products—including firewalls, IDSs, routers, load balancers—and put these separate data streams together into a unified view.

Network address translation

conceals real internal addresses; outsiders who do not know real addresses cannot access them directly.

IPsec Encapsulating Security Payload (ESP)

contains descriptors to tell a recipient how to interpret encrypted content.

SSL encryption

covers communication between a browser and the remote web host.

capacity planning

involves monitoring network traffic load and performance to determine when to upgrade which aspects.

Rerouting Routing

involves one node's redirecting a network so that all traffic flows through the attacking node, leading to a potential for interception

Sequencing attack or problem

involves permuting the order of data.

A firewall

is a device that filters all traffic between a protected or "inside" network and a less trustworthy or "outside" network

firewall

is a reference monitor, positioned to monitor all traffic, not accessible to outside attacks, and implementing only access control.

blacklist

meaning that no traffic goes to that address, from legitimate or malicious sources alike.

Smurf Attack

is a variation of a ping attack. It uses the same vehicle, a ping packet, with two extra twists. - First, the attacker chooses a network of unwitting victims that become accomplices. The attacker spoofs the source address in the ping packet so that it appears to come from the victim, which means a recipient will respond to the victim. - Then, the attacker sends this request to the network in broadcast mode by setting the last byte of the address to all 1s; broadcast mode packets are distributed to all hosts on the subnetwork

teardrop attack

misuses a feature ironically intended to improve network communication.

load balancer

is an appliance that redirects traffic to different servers while working to ensure that all servers have roughly equivalent workloads.

Port Scanning

is an inspection activity, and as such it causes no harm itself

the physical layer

deals with the electrical or other technology by which signals are transmitted across some physical medium.

Port 110

the port number associated with Post Office Protocol for email

onion routing.

model uses a collection of forwarding hosts, each of whom knows only from where a communication was received and to where to send it next. Any intermediate recipients—those other than the original sender and ultimate recipient— know neither where the package originated nor where it will end.

Integrity failures

modification and fabrication

internal device IDSs

monitors activity within the network

HIDS

monitors host traffic

demilitarized zone or DMZ,

named after the military buffer space, sometimes called the "no man's land," between the territories held by two competing armies.

wiretapping

network loss of confidentiality

Flooding

occurs because the incoming bandwidth is insufficient or resources—hardware devices, computing power, software, or table capacity —are inadequate.

A flooding attack

occurs from demand in excess of capacity, from malicious or natural causes.

Network Data Corruption

occurs naturally because of minor failures of transmission media. Corruption can also be induced for malicious purposes. Both must be controlled.

sequencing error

occurs when a later fragment of a data stream arrives before a previous one: Packet 2 arrives before packet 1.

Scanning

often used as a first step in an attack, a probe, to determine what further attacks might succeed

MAC Spoofing

one device impersonates another, thereby assuming another device's communication session

zero-day exploit

one for which an exploitation occurs before the vulnerability is publicly known and hence before a patch is available.

Protocol

orderly set of exchanges

intercept the data

other terms used are eavesdrop, wiretap, or sniff.

Signature Based

perform simple pattern-matching and report situations that match a pattern (signature) corresponding to a known attack type.

the transport layer

performs error checking and correction to ensure a reliable data flow

Port Scanner

port scanner, a program that, for a particular Internet (IP) address, reports which ports respond to queries and which of several known vulnerabilities seem to be present

Tor (onion routing)

prevents an eavesdropper at any single point from learning both the source and the destination of data in transit; content is hidden inside the Tor network but is visible to the exit relay unless it is also protected end to end (for example, with TLS).

Stealth mode IDS

prevents the attacker from knowing an alarm has been raised.

Host-based intrusion detection (HIDS)

protects a single host against attack.

SSL encryption

protects only from the browser to the destination decryption point. Vulnerabilities before encryption or after decryption are unaffected.

Data loss prevention (DLP)

refers to a set of technologies designed to detect and possibly prevent attempts to send data where it is not allowed to go

packet sniffer

retrieves all packets on its LAN

host-based IDS

runs on a single workstation or client or host, to protect that one host.

state-based intrusion detection systems,

see the system going through changes of overall state or configuration. They try to detect when the system has veered into unsafe modes.

Overload or flood

servers often queue unmet commands during moments of overload for service when the peak subsides, but if the commands continue to come too quickly, the server eventually runs out of space to store the demand.

Types of IDSs

signature based and heuristic

A virtual private network

simulates the security of a dedicated, protected communication line on a shared network.

promiscuous access points

some access point hardware and firmware is known to be flawed and will accept any association it can receive

Component Failure

tend to be sporadic, individual, unpredictable, and nonmalicious

Default Permit

that which is not expressly forbidden is permitted

The payload or frame body

the actual data being transmitted

sinkholing

the administrator may redirect traffic to a valid address where the incoming traffic can be analyzed

Session Hijack

the attacker literally steals an established TCP connection by rewriting source and destination addresses.

The fundamental data structures of IPsec

the authentication header (AH) and the encapsulating security payload (ESP).

Independence

the communication is separated from the actual medium of communication

Strict Source Routing

the complete path from source to destination is specified

Service Set Identifier, or SSID

the identification of an access point; it is a string of up to 32 characters chosen by the access point's administrator

Packet

the network layer structure with destination address, source address, and data

actions an IDS can take

• Continue to monitor the network. • Block the attack by redirecting attack traffic to a monitoring host, discarding the traffic, or terminating the session. • Reconfigure the network by bringing other hosts online (to increase capacity) or adjusting load balancers. • Adjust performance to slow the attack, for example, by dropping some of the incoming traffic. • Deny access to particular network hosts or services. • Shut down part of the network. • Shut down the entire network.

What Firewalls Can—and Cannot—Block

• Firewalls can protect an environment only if the firewalls control the entire perimeter. • Firewalls do not protect data outside the perimeter • Firewalls are the most visible part of an installation to the outside, so they are the most attractive target for attack. • Firewalls must be correctly configured, that configuration must be updated as the internal and external environment changes, and firewall activity reports must be reviewed periodically for evidence of attempted or successful intrusion. • Firewalls are targets for penetrators. Designers intentionally keep a firewall small and simple so that even if a penetrator breaks it, the firewall does not have further tools, such as compilers, linkers, loaders, and the like, to continue an attack. • Firewalls exercise only minor control over the content admitted to the inside

DLP solutions indicators:

• Keywords. Certain words or phrases, such as "secret," "classified," or "proprietary," are strong indicators of sensitive data. DLP solutions may also allow customers to search for keywords that have specific meaning for a particular business, such as a codename for a new product. • Traffic patterns. Some traffic patterns that may indicate suspicious behavior are bulk file transfers, connections to outside email or file sharing services, emails to unknown recipients, and connections to unknown network services. • Encoding/encryption. DLP can be easily defeated by strong encryption, because no DLP solution can determine the sensitivity of a file it cannot read. To address this issue, DLP solutions commonly block outgoing files that they cannot decode or decrypt. Many malware scanners treat incoming files, such as encrypted email attachments, the same way.

IPS response categories

• Monitor, collect data, perhaps increase the amount of data collected.
• Protect, act to reduce exposure.
• Signal an alert to other protection components.
• Call a human.

DoS Attack Causes

• One potential weakness is the capacity of the system. If demand is higher than the system can handle, some data will not move properly through the network. These attacks are also known as volume-based or volumetric attacks.
• Similar to overwhelming basic network capacity, an attack can exhaust the application that services a particular network, in what is called an application-based attack.
• Another way to deny service is to cut or disable the communications link between two points. Many users will be unable to receive service, especially if that link is a single point through which much traffic must pass.
• A final cause of denied access is a hardware or software failure. Although similar to a failure of a communications link, in this case the problem relates to machinery or programs, for which protection can involve concepts like fault tolerance.

reference monitor characteristic:

• always invoked
• tamperproof
• small and simple enough for rigorous analysis

A security association includes

• encryption algorithm and mode (for example, AES)
• encryption key
• encryption parameters, such as the initialization vector
• authentication protocol and key
• life span of the association, to permit long-running sessions to select a new cryptographic key as often as needed
• address of the opposite end of the association
• sensitivity level of protected data (usable for classified data)

The MAC header fields

• frame type: control, management, or data
• ToDS, FromDS: direction of this frame, to or from the access point
• fragmentation and order control bits
• WEP (wired equivalent privacy) or encryption bit: set when the frame body is encrypted, described shortly
• up to four MAC addresses (physical device identifiers): sender's and receiver's addresses, plus two optional addresses for traffic filtering points
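A parser for exactly those header fields, as an added example (not code from the book): it decodes the two-byte frame control field (type, subtype, ToDS/FromDS, the protected/WEP bit, fragment and order bits), the sequence control field, and decides how many of the four addresses are present and what each one means. Only the fourth address appears when both ToDS and FromDS are set. The sample frames are constructed here with the `build_header` helper; the MAC addresses in them are made up.

```python
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(p, 16) for p in s.split(":"))


def build_header(ftype, subtype, addrs, to_ds=False, from_ds=False,
                 protected=False, seq=0, frag=0, duration=0) -> bytes:
    """Assemble a management/data frame header from 3 or 4 MAC address strings (little-endian fields)."""
    fc0 = ((ftype & 3) << 2) | ((subtype & 0xF) << 4)          # protocol version bits 0-1 are 0
    fc1 = int(to_ds) | (int(from_ds) << 1) | (int(protected) << 6)
    hdr = bytes([fc0, fc1]) + struct.pack("<H", duration)
    hdr += b"".join(mac_bytes(a) for a in addrs[:3])
    hdr += struct.pack("<H", (seq << 4) | (frag & 0xF))
    if len(addrs) == 4:
        hdr += mac_bytes(addrs[3])
    return hdr


def parse_80211_header(frame: bytes) -> dict:
    """Decode frame control, sequence control and the address fields of an 802.11 MAC header."""
    if len(frame) < 10:
        raise ValueError("frame too short for frame control, duration and address 1")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x03
    info = {
        "version": fc0 & 0x03,
        "type": FRAME_TYPES[ftype],
        "subtype": (fc0 >> 4) & 0x0F,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "more_fragments": bool(fc1 & 0x04),
        "retry": bool(fc1 & 0x08),
        "protected": bool(fc1 & 0x40),      # historically the WEP bit; now also WPA/WPA2
        "order": bool(fc1 & 0x80),
        "duration": struct.unpack_from("<H", frame, 2)[0],
    }
    if ftype == 1:
        # Control frames such as ACK/CTS carry only the receiver address.
        info["addresses"] = {"RA": mac_str(frame[4:10])}
        info["header_len"] = 10
        return info
    if len(frame) < 24:
        raise ValueError("management/data header needs at least 24 bytes")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    info["fragment_number"] = seq_ctl & 0x0F
    info["sequence_number"] = seq_ctl >> 4
    header_len = 24
    if info["to_ds"] and info["from_ds"]:
        if len(frame) < 30:
            raise ValueError("ToDS+FromDS frames carry a fourth address")
        addrs = {"RA": a1, "TA": a2, "DA": a3, "SA": frame[24:30]}   # wireless bridge / WDS
        header_len = 30
    elif info["to_ds"]:
        addrs = {"BSSID": a1, "SA": a2, "DA": a3}                  # station -> access point
    elif info["from_ds"]:
        addrs = {"DA": a1, "BSSID": a2, "SA": a3}                  # access point -> station
    else:
        addrs = {"DA": a1, "SA": a2, "BSSID": a3}                  # ad hoc, or management frames
    info["addresses"] = {k: mac_str(v) for k, v in addrs.items()}
    info["header_len"] = header_len
    return info


# Constructed samples (made-up addresses): an encrypted station-to-AP data frame
# and a four-address bridge frame.
SAMPLE_TO_AP = build_header(2, 0, ["00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"],
                            to_ds=True, protected=True, seq=17, duration=44)
SAMPLE_WDS = build_header(2, 0, ["00:11:22:33:44:55", "00:11:22:33:44:66",
                                 "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:01"],
                          to_ds=True, from_ds=True, seq=18)

if __name__ == "__main__":
    for f in (SAMPLE_TO_AP, SAMPLE_WDS):
        print(parse_80211_header(f))
```

The address-role table is the part worth keeping in mind when reading captures: the same 6-byte slot is the destination in one direction and the BSSID in the other, so a filter that keys on "address 1" alone will misattribute traffic.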

three root threats to availability

• insufficient capacity; overload
• blocked access
• unresponsive component

Potential types of harm

• interception, or unauthorized viewing
• modification, or unauthorized change
• fabrication, or unauthorized creation
• interruption, or preventing authorized access

IDSs functions:

• monitoring users and system activity
• auditing system configuration for vulnerabilities and misconfigurations
• assessing the integrity of critical system and data files
• recognizing known attack patterns in system activity
• identifying abnormal activity through statistical analysis
• managing audit trails and highlighting user violations of policy or deviations from normal activity
• correcting system configuration errors
• installing and operating traps to record information about intruders

Types of firewalls

• packet filtering gateways or screening routers
• stateful inspection firewalls
• application-level gateways, also known as proxies
• circuit-level gateways
• guards
• personal firewalls
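The difference between the first two types, simulated in a few dozen lines. This is an added example, not code from the book: a screening router decides on each packet's header alone, so the usual way to admit replies to internal clients is to pass any inbound TCP segment with ACK set; a stateful inspection firewall instead records outbound connections in a table and admits only inbound packets that belong to one. The addresses, ports and the internal prefix are assumed, and the packets are constructed here; the third packet is an ACK-only probe of the kind used to map what a stateless filter lets through.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset         # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def screening_router(pkt: Packet) -> str:
    """Stateless packet filter: the verdict depends on this packet's header and nothing else."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "allow"                       # inside hosts may initiate anything
    if is_internal(pkt.dst) and "ACK" in pkt.flags:
        return "allow"                       # 'established' rule: ACK set, so assumed to be a reply
    return "deny"


class StatefulFirewall:
    """Admits inbound packets only for connections an inside host opened (outbound SYN seen).
    Only perimeter-crossing traffic is modelled; FIN teardown is omitted for brevity."""

    def __init__(self):
        self.table = set()                   # (inside_ip, inside_port, outside_ip, outside_port)

    def _decide(self, key, pkt: Packet) -> str:
        if key in self.table:
            if "RST" in pkt.flags:
                self.table.discard(key)      # connection aborted: forget it
            return "allow"
        return "deny"

    def filter(self, pkt: Packet) -> str:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:
                self.table.add(key)          # new outbound connection
            return self._decide(key, pkt)
        if is_internal(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return self._decide(key, pkt)    # reply must match a recorded outbound flow
        return "deny"


def run_scenario() -> dict:
    """Constructed three-packet scenario: a real connection plus a forged ACK probe."""
    fw = StatefulFirewall()
    client_syn = Packet("10.0.0.5", "203.0.113.10", 51000, 443, frozenset({"SYN"}))
    server_synack = Packet("203.0.113.10", "10.0.0.5", 443, 51000, frozenset({"SYN", "ACK"}))
    forged_ack = Packet("198.51.100.7", "10.0.0.5", 40000, 22, frozenset({"ACK"}))
    results = {}
    for name, pkt in (("outbound SYN", client_syn),
                      ("legitimate SYN/ACK reply", server_synack),
                      ("forged ACK probe to port 22", forged_ack)):
        results[name] = {"screening_router": screening_router(pkt), "stateful": fw.filter(pkt)}
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:32} router={verdicts['screening_router']:5} stateful={verdicts['stateful']}")
```

Both filters pass the real connection. Only the stateful one rejects the forged ACK, because there is no table entry for 10.0.0.5:22 talking to 198.51.100.7:40000; the screening router has no memory to consult and the ACK flag is all the attacker needs to set.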

ICMP message types

• echo request and echo reply (the pair used by ping)
• destination unreachable
• source quench
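The echo request/echo reply exchange and a destination-unreachable message, built and parsed byte for byte. This is an added example, not code from the book; it uses only the ICMP header layout (type, code, checksum, then type-specific fields) and the one's-complement checksum that every ICMP message carries, and it does not open a socket. The identifier, sequence number and payload are made up.

```python
import struct

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              8: "echo request", 11: "time exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad the last word with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)   # fold carries back in
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes = b"", reply: bool = False) -> bytes:
    """Type 8 (request) or type 0 (reply); checksum is computed with the checksum field zeroed."""
    typ = 0 if reply else 8
    hdr = struct.pack("!BBHHH", typ, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", typ, 0, csum, ident, seq) + payload


def build_unreachable(code: int, original_datagram: bytes) -> bytes:
    """Type 3: 4 unused bytes, then the start of the datagram that could not be delivered."""
    hdr = struct.pack("!BBHI", 3, code, 0, 0)
    csum = inet_checksum(hdr + original_datagram)
    return struct.pack("!BBHI", 3, code, csum, 0) + original_datagram


def parse_icmp(pkt: bytes) -> dict:
    """Decode the common header and the fields of the message types listed above."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes")
    typ, code = pkt[0], pkt[1]
    info = {"type": typ, "code": code,
            "name": ICMP_TYPES.get(typ, "unknown"),
            # summing the whole message, checksum included, yields 0 when it is intact
            "checksum_ok": inet_checksum(pkt) == 0}
    if typ in (0, 8):
        info["ident"], info["seq"] = struct.unpack_from("!HH", pkt, 4)
        info["payload"] = pkt[8:]
    elif typ == 3:
        info["reason"] = UNREACHABLE_CODES.get(code, "other")
        info["original"] = pkt[8:]           # IP header + first 8 bytes of the failed datagram
    return info


def answer_echo(request: bytes) -> bytes:
    """What a reachable host does with an echo request: echo ident, seq and payload back as type 0."""
    req = parse_icmp(request)
    if req["type"] != 8 or not req["checksum_ok"]:
        raise ValueError("not a valid echo request")
    return build_echo(req["ident"], req["seq"], req["payload"], reply=True)


if __name__ == "__main__":
    # Constructed exchange: the ident is what ping uses to recognise its own replies.
    req = build_echo(ident=0x1234, seq=1, payload=b"hello")
    print(parse_icmp(req))
    print(parse_icmp(answer_echo(req)))
    print(parse_icmp(build_unreachable(3, req[:8])))
```

A ping that gets no reply tells you only that the request or the reply was dropped somewhere; a destination unreachable message names the reason and quotes the start of the datagram so the sender can match it to a connection.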

Integrity Properties

• precise
• accurate
• unmodified
• modified only in acceptable ways
• modified only by authorized people
• modified only by authorized processes
• consistent
• internally consistent
• meaningful and usable
