Security in Computing, Chapter 6
MAC Address
Media Access Control
Routing
Supports efficient resource use and quality of service. Misused, it can cause denial of service.
Port 80
The port dedicated to HTTP (web page) traffic
A firewall system
typically does not have compilers, linkers, loaders, general text editors, debuggers, programming libraries, or other tools an attacker might use to extend an attack from the firewall computer.
medium access code (MAC)
unique 48- or 64-bit hardware address
Interception
Communication goes on normally, except that a hidden third party has listened in, too.
Tunnel Mode
the recipient's address is concealed by encryption, and IPsec substitutes the address of a remote device, such as a firewall, that will receive the transmission and remove the IPsec encryption.
substitution attack
the replacement of one piece of a data stream with another
Encryption
the strongest and most commonly used countermeasure against interception
two sides of network security
threats and countermeasures
data-link level
two more headers are added, one for your computer's NIC address (the source MAC) and one for your router's NIC address
WEP
uses short, infrequently changed encryption keys, it requires no authentication, and its integrity is easily compromised
WPA fixes shortcomings of WEP by
using stronger encryption; longer, changing keys; and secure integrity checks.
Denial-of-service attack
usually try to flood a victim with excessive demand.
Wired equivalent privacy
was intended as a way for wireless communication to provide privacy equivalent to conventional wire communications
destination unreachable
which indicates that a destination address cannot be accessed
Source Quench
which means that the destination is becoming saturated and the source should suspend sending packets for a while
PING
which requests a destination to return a reply, intended to show that the destination system is reachable and functioning
ECHO
which requests a destination to return the data sent to it, intended to show that the connection link is reliable (ping is actually a version of echo)
Wireless communication
will never be as secure as wired, because the exposed signal is more vulnerable.
Frame types
• Beacon • Authentication • Association request and response
IANA
Internet Assigned Numbers Authority
ICMP
Internet Control Message Protocols
IETF
Internet Engineering Task Force
ISAKMP.
Internet Security Association Key Management Protocol
Closed or stealth mode, also known as SSID cloaking
The client must first send a signal seeking an access point with a particular SSID before the access point responds to that one query with an invitation to connect
Network Threats
interception, modification, fabrication or insertion, and interruption
IDS
intrusion detection system
misuse intrusion detection.
the real activity is compared against a known suspicious area
command-and-control center.
The bot headquarters - instructs specific machines to target a particular victim at a given time and duration.
transport mode
(normal operation), the IP address header is unencrypted.
Stateful inspection firewalls
- judge according to information from multiple packets.
802.11n Range
1000ft/350m
malicious autonomous mobile agents.
Bots belong to a class of code known more generally as
DNS
Domain Name System
The Onion Router
TOR
TLS
transport layer security
POP
typically bound to port 110
Protocol
a language or set of conventions for how two computers will interact.
Default Deny
that which is not expressly permitted is forbidden
Camellia and Aria
block ciphers similar to DES and AES
Intrusion detection devices
can be network based or host based.
EAP
extensible authentication protocol
DNS cache poisoning attack
is a way to subvert the addressing to cause a DNS server to redirect clients to a specified address
issues to consider when choosing a SIEM
• Cost. • Data portability. • Log-source compatibility. • Deployment complexity. • Customization. • Data storage. • Segregation and access control. • Full-time maintenance. • User training.
IDS Design Approaches
• Filter on packet headers. • Filter on packet content. • Maintain connection state. • Use complex, multipacket signatures. • Use a minimal number of signatures with maximum effect. • Filter in real time, online. • Hide its presence. • Use optimal sliding-time window size to match signatures.
BIND
- Berkeley Internet Name Domain - or named (a shorthand for "name daemon)
Denial of Service by Addressing Failures
- DNS Spoofing - Rerouting Routing - Router Takes Over a Network - Source Routing and Address Spoofing -
Routing Attacks
- Excessive Demand - Component Failure
Denial of Service Types
- Flooding - Network Flooding - Denial of Service by addressing failures - Traffic Redirection - DNS Attacks - Physical Disconnection
WPA2
- IEEE standard 802.11i - adds AES as a possible encryption algorithm
Network Flooding by Resource Exhaustion Attacks
- IP Fragmentation: Teardrop
Attacks on WPA
- Man-in-the-Middle - Incomplete Authentication -
DNS Attacks
- Name Server Application Software Flaws - Top-Level Domain Attacks - Session Hijack -
Port Scanning Tools
- Nmap scanner, originally written by Fyodor - Netcat, written by Hobbit - Nessus (Nessus Corp.) - CyberCop Scanner (Network Associates) - Secure Scanner (Cisco) - Internet Scanner (Internet Security Systems)
Strengths of WPA over WEP
- Non-Static Encryption Key - Authentication - Strong Encryption - Integrity Protection - Session Initiation
Flood Attacks
- Ping of Death - Smurf - Echo-Chargen - SYN Flood
Browser Encryption types
- SSH Encryption - SSL and TLS Encryption - Cipher Suite -
Commercial implementations of personal firewalls
- SaaS Endpoint Protection from McAfee, - F-Secure Internet Security, - Microsoft Windows Firewall, - Zone Alarm from CheckPoint.
circuit-level gateway
- is a firewall that essentially allows one network to be an extension of another. - connects two separate subnetworks as if they were one contiguous unit. - It operates at OSI level 5, the session level - it functions as a virtual gateway between two networks.
802.11b Range
300ft/100m
Physical Disconnection
- Tranmission Failure - Component Failure -
Data Corruption Sources
- Typing Error - Software Flaw - Malicious Code - Hardware Failure - Transmission Problem - Hacker Activity - Noise Accident - Human Mistake - Program Error
Wireless Attacks
- Unauthorized WiFi Access - WiFi Protocol Weaknesses - Picking Up the Beacon - SSID in All Frames - Changeable MAC Addresses (MAC Spoofing) - Stealing the Association
WEP Security Weaknesses
- Weak Encryption Key - Static Key - Weak Encryption Process - Weak Encryption Algorithm - Initialization Vector Collisions - Faulty Integrity Check - No Authentication
application proxy gateway (bastion host)
- is a firewall that simulates the (proper) effects of an application at level 7 so that the application receives only requests to act properly. - runs pseudoapplications - behaves like a man in the middle
802.11g Range
300ft/100m
Personal Firewall
- is a program that runs on a single host to monitor and control traffic to that host. It can only work in conjunction with support from the operating system.
A guard firewall
- is a sophisticated firewall. - Like a proxy firewall, it receives protocol data units, interprets them, and emits the same or different protocol data units that achieve either the same result or a modified result. - determines what services to perform on the user's behalf in accordance with its available information, such as whatever it can reliably ascertain of the (outside) user's identity, previous interactions, and so forth. - the degree of control it can provide is limited only by what is computable. - can implement any programmable set of conditions, even if the program conditions become highly sophisticated.
network-based IDS (NIDS)
- is generally a separate network appliance that monitors traffic on an entire network. - It receives data from firewalls, operating systems of the connected computers, other sensors such as traffic volume monitors and load balancers, and administrator actions on the network. - Another advantage is that it can send alarms on a separate network from the one being monitored. That way an attacker will not know the attack has been recognized
WPA
- WiFi Protected Access
Wireless Availability problems.
- a component of a wireless communication stops working because hardware fails, power is lost, or some other catastrophe strikes - loss of some but not all access, typically manifested as slow or degraded service - Service can be slow because of interference - Service can also be slow if the demand for service exceeds the capacity of the receiving end, so either some service requests are dropped or the receiver handles all requests slowly -rouge network connection
WPA protocol steps
- authentication - four-way handshake (to ensure that the client can generate cryptographic keys and to generate and install keys for both encryption and integrity on both ends) - an optional group key handshake (for multicast communication)
Network Encryption
- between two hosts (called link encryption) - between two applications (called end-to-end encryption).
IPsec
- can enforce either or both of confidentiality and authenticity. - Confidentiality is achieved with symmetric encryption - authenticity is obtained with an asymmetric algorithm for signing with a private key
Rate Limiting
- countermeasure that reduces the impact of an attack. - the volume of traffic allowed to a particular address is reduced.
Link Encryption
- data are encrypted just before the system places them on the physical communications link. - In this case, encryption occurs at layer 1 or 2 in the OSI model.
insertion attack
- data values are inserted into a stream. - An attacker does not even need to break an encryption scheme in order to insert authentic-seeming data - as long as the attacker knows precisely where to slip in the data, the new piece is encrypted under the same key as the rest of the communication.
A packet filtering gateway (screening router)
- is the simplest, and in some situations, the most effective type of firewall. - controls access on the basis of packet address (source or destination) or specific transport protocol type (such as HTTP web traffic), that is, by examining the control information of each single packet. - operate at OSI level 3. - do not "see inside" a packet; they block or accept packets solely on the basis of the IP addresses and ports - do not "see inside" a packet; they block or accept packets solely on the basis of the IP addresses and ports
Signature-based IDSs
- look for patterns; - are limited to known patterns.
front-end device IDSs
- monitors traffic as it enters the network and thus can inspect all packets; - it can take as much time as needed to analyze them - if it finds something that it classifies as harmful, it can block the packet before the packet enters the network.
Botnets
- networks of bots, are used for massive denial-of-service attacks, implemented from many sites working in parallel against a victim. - They are also used for spam and other bulk email attacks, in which an extremely large volume of email from any one point might be blocked by the sending service provider.
IKE
- provides a way to agree on and manage protocols, algorithms, and keys. - uses the Diffie-Hellman scheme to generate a mutually shared secret that will then be used as an encryption key.
end-to-end encryption
- provides security from one end of a transmission to the other. - The encryption can be applied between the user and the host by a hardware device. - Alternatively, the encryption can be done by software running on the host computer. - In either case, the encryption is performed at the highest levels, usually by an application at OSI level 7, but sometimes 5 or 6.
Microwave
- signals are not carried along a wire; they are broadcast through the air, making them more accessible to outsiders - It requires line-of-sight
Inference engines work in two ways.
- state-based intrusion detection systems, - model-based intrusion detection systems.
Blocked Access
- the attacker may simply prevent a service from functioning. - The attacker could exploit a software vulnerability in an application and cause the application to crash. - The attacker could interfere with the network routing mechanisms, preventing access requests from getting to the server. - Yet another approach would be for the attacker to manipulate access control data, deleting access permissions for the resource, or to disable the access control mechanism so that nobody could be approved for access.
IPsec modes of operation
- transport mode - tunnel mode
DoS attacks defensive techniques
- tuning (adjusting the number of active servers), - load balancing (evening the computing load across available servers), - shunning (reducing service given to traffic from certain address ranges), - blacklisting (rejecting connections from certain addresses).
The echo-chargen attack
- works between two hosts - The attacker picks two victims, A and B, and then sets up a chargen process on host A that generates its packets as echo packets with a destination of host B. Thus, A floods B with echo packets
Darknet
Tor also facilitates the so-called dark side of the Internet, used to implement illegal traffic in child pornography, drugs, and stolen credit card and identity details.
802.11a Range
100ft/35m
OSI model
1 - Physical 2 - Data Link 3 - Network 4 - transport 5 - Session 6 - Presentation 7 - Application
Things port scanning tells an attacker
1 - which standard ports or services are running and responding on the target system 2 - what operating system is installed on the target system 3 - what applications and versions of applications are present
Distributed Denial of Service Steps
1. the attacker wants to conscript an army of compromised machines (Zombies) to attack a victim. 2. At some point the attacker chooses a victim and sends a signal to all the zombies to launch the attack.
Authentication.
A NIC initiates a request to interact with an access point by sending its identity in an authentication frame. The access point may request additional authentication data and finally either accepts or rejects the request. Either party sends a deauthentication frame to terminate an established interaction.
Authentication Frame
A NIC requests a connection by sending an ____________ frame.
Security Operations Center (SOC)
A SOC is a team of security personnel dedicated to monitoring a network for security incidents and investigating and remediating those incidents.
Frame
A data-link layer structure with destination MAC, source MAC, and data
BGP
Border Gateway protocol
Cipher Suite
Client and server negotiate encryption algorithms for authentication, session encryption, and hashing.
Frame
Each WiFI Data Unit
Beacon.
Each access point periodically sends a beacon frame to announce its presence and relay information, such as timestamp, identifier, and other parameters regarding the access point. Any NICs that are within range receive this beacon.
Association request and response.
Following authentication, a NIC requests an access point to establish a session, meaning that the NIC and access point exchange information about their capabilities and agree on parameters of their interaction. An important part of establishing the association is agreeing on encryption. A deassociation request is a request to terminate a session.
SSL is commonly Know
HTTPS (HTTP Secure)
ISAKMP key exchange
IKE
IPSec (IP Security Protocol Suite)
IPsec implements encryption and authentication in the Internet protocols.
IPS
Intrusion prevention system
frame fields:
MAC header, payload, and FCS (frame check sequence)
Denial-of-service attacks
Network loss of availability
Data Corruption
Network loss of integrity
OSI
Open System Interconnection
Post Office Protocol
POP
Bootmasters
People who infect machines to turn them into bots
Well know ports
Ports 0 to 4095
Routers
Routers direct traffic on a path that leads to a destination.
War driving
Searching for open wireless networks within range
SSL
Secure Sockets Layer
SSH Encryption
Secure shell Encryption is a pair of protocols (versions 1 and 2) originally defined for Unix but now available under most operating systems it provides an authenticated and encrypted path to the shell or operating system command interpreter.
SIEM
Security Information and Event Management
Packet
Smallest individually addressable data unit transmitted
TKIP
Temporal Key Integrity Program
security association
The basis of IPsec
SYN Flood
This attack uses the TCP protocol suite, making the session-oriented nature of these protocols work against the victim
Port 123
This post is assigned to the Network Time Protocol for clock synchronization
WEP
Wired equivalent privacy
Shunning
With reliable source addresses, network administrators can set edge routers to drop packets engaging in a denial-of-service attack.
rogue access point
is another means to intercept sensitive information. All you have to do is broadcast an open access point in a coffee shop or near a major office building, allow people to connect, and then use a network sniffer to copy traffic surreptitiously
The source of a denial-of-service attack
is typically difficult or impossible to determine with certainty.
three basic causes of failed service
lack of capacity or overload, blocked access, and unresponsive components
heuristic IDSs
learn characteristics of unacceptable behavior over time
network-based IDS
a stand-alone device attached to the network to monitor traffic throughout that network;
security parameter index (SPI)
a data element that is essentially a pointer into a table of security associations.
DNS Spoofing
a man-in-the-middle attack involves the attacker's intercepting and replying to a query before the real DNS server can respond.
model-based intrusion detection systems
a model of known bad activity whereby the intrusion detection system raises an alarm when current activity matches the model to a certain degree
interruption
a network denial of service
Port
a number associated with an application program that serves or monitors for a network service
chaining
a process in which each segment of a message is encrypted so that the result depends on all preceding segments
Source Routing
a sender can specify some or all of the intermediate points by which a data unit is transferred.
security policy
a set of rules that determine what traffic can or cannot pass through the firewall
Ping of Death
a simple attack, using the ping command that is ordinarily used to test response time from a host. Since ping requires the recipient to respond to the packet, all the attacker needs to do is send a flood of pings to the intended victim.
Replay Attack
legitimate data are intercepted and reused, generally without modification
Packet filters
limit traffic based on packet header data: addresses and ports on packets
Zombies or bots
machines running pieces of malicious code under remote control.
Botnet operators
make money by renting compromised hosts for DDoS or other activity. The rent is mostly profit.
Network Layer
adds two headers to show your computer's address as the source and the address of the destination
beacon signal
advertises a network accepting connections.
IDS Stealth Mode
an IDS has two network interfaces: one for the network (or network segment) it is monitoring and the other to generate alerts and perhaps perform other administrative needs
open mode
an access point continually broadcasts its appeal in its beacon, indicating that it is open for the next step in establishing a connection
Extreme Demand
an attacker can overwhelm a critical part of a network, from a web page server to a router or a communications line
cache poisoning
an incorrect name-to-address DNS conversion is placed in and remains in a translation cache.
frame check sequence
an integrity check (actually a cyclic redundancy check) to ensure accurate transmission of the entire frame.
inductance
an intruder can tap a wire and read radiated signals without making physical contact with the cable;
NIDS
analyzes activity across a whole network to detect attacks on any network host
Compromised zombies
are located by scanning random computers for unpatched vulnerabilities.
SIEMs
are software systems that collect security-relevant data from a variety of hardware and software products in order to create a unified security dashboard for SOC personnel
DNS Poisoning
attackers try to insert inaccurate entries into that cache so that future requests are redirected to an address the attacker has chosen
The 802.11 Protocol Suite
describe how devices communicate in the 2.4 GHz radio signal band (essentially 2.4 GHz-2.5 GHz) allotted to WiFi.
DDoS attack
distributed denial-of-service
the data link layer
divides data into manageable blocks for efficient transfer
Heuristic (anomaly Based)
build a model of acceptable behavior and flag exceptions to that model
Next Hop
each router determines the best next path to which to direct a data unit
Interception
eavesdropping or wiretapping,
Port Scan
maps the topology and hardware and software components of a network segment.
spanning tree algorithm
essentially a map of the shortest route to each known destination in the network.
Intrusion prevention systems
extend IDS technology with built-in protective response. - tries to block or stop harm
heuristic intrusion detection system categories:
good/benign, suspicious, or unknown.
the network layer
handles addressing to determine how to route data
inference engine,
identifies pieces of attacks and rates the degree to which these pieces are associated with malicious behavior.
Routers
implicitly trust each other.
Network Design
incorporates redundancy to counter hardware failures.
targets of a flooding attacks
can be an application, such as a database management system; an operating system or one of its components, for example, file or print server; or a network appliance like a router. Alternatively, the attack can be directed against a resource, such as a memory allocation table or a web page.
Network and vulnerability scanners
can be used positively for management and administration and negatively for attack planning.
DoS
can occur from excessive volume, a failed application, a severed link, or hardware or software failure.
Nonmalicious substitution
can occur if a hardware or software malfunction causes two data streams to become tangled, such that a piece of one stream is exchanged with the other stream.
Protected subnetworks
can separate departments, projects, clients, areas—any subgroup requiring controlled access to data or communication.
loose source routing
certain (some or all) required intermediate points are specified.
Distributed denial-of-service attacks
change the balance between adversary and victim by marshalling many forces on the attack side.
information and event management devices
collect status indications from a range of products—including firewalls, IDSs, routers, load balancers—and put these separate data streams together into a unified view.
Network address translation
conceals real internal addresses; outsiders who do not know real addresses cannot access them directly.
IPsec encapsulated security payload
contains descriptors to tell a recipient how to interpret encrypted content.
SSL encryption
covers communication between a browser and the remote web host.
capacity planning
involves monitoring network traffic load and performance to determine when to upgrade which aspects.
Rerouting Routing
involves one node's redirecting a network so that all traffic flows through the attacking node, leading to a potential for interception
Sequencing attack or problem
involves permuting the order of data.
A firewall
is a device that filters all traffic between a protected or "inside" network and a less trustworthy or "outside" network
firewall
is a reference monitor, positioned to monitor all traffic, not accessible to outside attacks, and implementing only access control.
blacklist
meaning that no traffic goes to that address, from legitimate or malicious sources alike.
Smurf Attack
is a variation of a ping attack. It uses the same vehicle, a ping packet, with two extra twists. - First, the attacker chooses a network of unwitting victims that become accomplices. The attacker spoofs the source address in the ping packet so that it appears to come from the victim, which means a recipient will respond to the victim. - Then, the attacker sends this request to the network in broadcast mode by setting the last byte of the address to all 1s; broadcast mode packets are distributed to all hosts on the subnetwork
teardrop attack
misuses a feature ironically intended to improve network communication.
load balancer
is an appliance that redirects traffic to different servers while working to ensure that all servers have roughly equivalent workloads.
Port Scanning
is an inspection activity, and as such it causes no harm itself
the physical layer
deals with the electrical or other technology by which signals are transmitted across some physical medium.
Port 110
the port number associated with Post Office Protocol for email
onion routing.
model uses a collection of forwarding hosts, each of whom knows only from where a communication was received and to where to send it next. Any intermediate recipients—those other than the original sender and ultimate recipient— know neither where the package originated nor where it will end.
Integrity failures
modification and fabrication
internal device IDSs
monitors activity within the network
HIDS
monitors host traffic
demilitarized zone or DMZ,
named after the military buffer space, sometimes called the "no man's land," between the territories held by two competing armies.
wiretapping
network loss of confidentiality
Flooding
occurs because the incoming bandwidth is insufficient or resources—hardware devices, computing power, software, or table capacity —are inadequate.
A flooding attack
occurs from demand in excess of capacity, from malicious or natural causes.
Network Data Corruption
occurs naturally because of minor failures of transmission media. Corruption can also be induced for malicious purposes. Both must be controlled.
sequencing error
occurs when a later fragment of a data stream arrives before a previous one: Packet 2 arrives before packet 1.
Scanning
often used as a first step in an attack, a probe, to determine what further attacks might succeed
MAC Spoofing
one device impersonates another, thereby assuming another device's communication session
zero-day exploit
one for which an exploitation occurs before the vulnerability is publicly known and hence before a patch is available.
Protocol
orderly set of exchanges
intercept the data
other terms used are eavesdrop, wiretap, or sniff.
Signature Based
perform simple pattern-matching and report situations that match a pattern (signature) corresponding to a known attack type.
the transport layer
performs error checking and correction to ensure a reliable data flow
Port Scanner
port scanner, a program that, for a particular Internet (IP) address, reports which ports respond to queries and which of several known vulnerabilities seem to be present
Tor (onion routing)
prevents an eavesdropper from learning source, destination, or content of data in transit in a network.
Stealth mode IDS
prevents the attacker from knowing an alarm has been raised.
Host-based intrusion detection (HIDS)
protects a single host against attack.
SSL encryption
protects only from the browser to the destination decryption point. Vulnerabilities before encryption or after decryption are unaffected.
Data loss prevention (DLP)
refers to a set of technologies designed to detect and possibly prevent attempts to send data where it is not allowed to go
packet sniffer
retrieves all packets on its LAN
host-based IDS
runs on a single workstation or client or host, to protect that one host.
state-based intrusion detection systems,
see the system going through changes of overall state or configuration. They try to detect when the system has veered into unsafe modes.
Overload or flood
servers often queue unmet commands during moments of overload for service when the peak subsides, but if the commands continue to come too quickly, the server eventually runs out of space to store the demand.
Types of IDSs
signature based and heuristic
A virtual private network
simulates the security of a dedicated, protected communication line on a shared network.
promiscuous access points
some access point hardware and firmware is known to be flawed and will accept any association it can receive
Component Failure
tend to be sporadic, individual, unpredictable, and nonmalicious
Default Permit
that which is not expressly forbidden is permitted
The payload or frame body
the actual data being transmitted
sinkholing
the administrator may redirect traffic to a valid address where the incoming traffic can be analyzed
Session Hijack
the attacker literally steals an established TCP connection by rewriting source and destination addresses.
The fundamental data structures of IPsec
the authentication header (AH) and the encapsulated security payload (ESP).
Independence
the communication is separated from the actual medium of communication
Strict Source Routing
the complete path from source to destination is specified
Service Set Identifier, or SSID
the identification of an access point; it is a string of up to 32 characters chosen by the access point's administrator
Packet
the network layer structure with destination address, source address, and data
actions an IDS can take
• Continue to monitor the network. • Block the attack by redirecting attack traffic to a monitoring host, discarding the traffic, or terminating the session. • Reconfigure the network by bringing other hosts online (to increase capacity) or adjusting load balancers. • Adjust performance to slow the attack, for example, by dropping some of the incoming traffic. • Deny access to particular network hosts or services. • Shut down part of the network. • Shut down the entire network.
What Firewalls Can—and Cannot—Block
• Firewalls can protect an environment only if the firewalls control the entire perimeter. • Firewalls do not protect data outside the perimeter • Firewalls are the most visible part of an installation to the outside, so they are the most attractive target for attack. • Firewalls must be correctly configured, that configuration must be updated as the internal and external environment changes, and firewall activity reports must be reviewed periodically for evidence of attempted or successful intrusion. • Firewalls are targets for penetrators. Designers intentionally keep a firewall small and simple so that even if a penetrator breaks it, the firewall does not have further tools, such as compilers, linkers, loaders, and the like, to continue an attack. • Firewalls exercise only minor control over the content admitted to the inside
DLP solutions indicators:
• Keywords. Certain words or phrases, such as "secret," "classified," or "proprietary," are strong indicators of sensitive data. DLP solutions may also allow customers to search for keywords that have specific meaning for a particular business, such as a codename for a new product. • Traffic patterns. Some traffic patterns that may indicate suspicious behavior are bulk file transfers, connections to outside email or file sharing services, emails to unknown recipients, and connections to unknown network services. • Encoding/encryption. DLP can be easily defeated by strong encryption, because no DLP solution can determine the sensitivity of a file it cannot read. To address this issue, DLP solutions commonly block outgoing files that they cannot decode or decrypt. Many malware scanners treat incoming files, such as encrypted email attachments, the same way.
IPS response categories
• Monitor, collect data, perhaps increase amount of data collected. • Protect, act to reduce exposure. • Signal an alert to other protection components. • Call a human.
DoS Attack Causes
• One potential weakness is the capacity of the system. If demand is higher than the system can handle, some data will not move properly through the network. These attacks are also known as volume-based or volumetric attacks. • Similarly to overwhelming basic network capacity, an attack can exhaust the application that services a particular network, in what is called an application-based attack. • Another way to deny service is to cut or disable the communications link between two points. Many users will be unable to receive service, especially if that link is a single point through which much traffic must pass. • A final cause of denied access is a hardware or software failure. Although similar to a failure of a communications link, in this case the problem relates to machinery or programs, for which protection can involve concepts like fault tolerance.
reference monitor characteristic:
• always invoked • tamperproof • small and simple enough for rigorous analysis
A security association includes
• encryption algorithm and mode (for example, AES) • encryption key • encryption parameters, such as the initialization vector • authentication protocol and key • life span of the association, to permit long running sessions to select a new cryptographic key as often as needed • address of the opposite end of association • sensitivity level of protected data (usable for classified data)
The MAC header fields
• frame type: control, management, or data • ToDS, FromDS: direction of this frame: to or from the access point • fragmentation and order control bits • WEP (wired equivalent privacy) or encryption bit: encryption, described shortly • up to four MAC addresses (physical device identifiers): sender and receiver's addresses, plus two optional addresses for traffic filtering points
three root threats to availability
• insufficient capacity; overload • blocked access • unresponsive component
Potential types of harm
• interception, or unauthorized viewing • modification, or unauthorized change • fabrication, or unauthorized creation • interruption, or preventing authorized access
IDSs functions:
• monitoring users and system activity • auditing system configuration for vulnerabilities and misconfigurations • assessing the integrity of critical system and data files • recognizing known attack patterns in system activity • identifying abnormal activity through statistical analysis • managing audit trails and highlighting user violation of policy or normal activity • correcting system configuration errors • installing and operating traps to record information about intruders
Types of firewalls
• packet filtering gateways or screening routers • stateful inspection firewalls • application-level gateways, also known as proxies • circuit-level gateways • guards • personal firewalls
ICMP Protocols
• ping • echo • destination unreachable, • source quench,
Integrity Properties
• precise • accurate • unmodified • modified only in acceptable ways • modified only by authorized people • modified only by authorized processes • consistent • internally consistent • meaningful and usable