ITSY 2330 - Midterm
True
Many DoS/DDoS attacks are SYN floods: the attacker sends hundreds of thousands or millions of SYN packets (step 1 of the handshake) and, when the server answers each with a SYN-ACK (step 2), simply never sends the final ACK (step 3). The server's table of half-open connections fills up and legitimate clients can no longer connect. The source addresses are usually spoofed, so the SYN-ACKs go to hosts that never asked for them.
security information and event management system (SIEM)
Collects and correlates the logs and alerts from many IDSs, IPSs, firewalls, servers and applications in one place so that analysts can search, correlate and act on them.
demilitarized zone (DMZ)
a separate network located outside the organization's internal information system that permits controlled access from the internet
Cybercriminals, cyberterrorists, black hats
are the threat actors whose activity undermines the stability of the IT systems that people and organizations depend on.
security information and event management system (SIEM)
technology provides real-time analysis of security alerts generated by network hardware and applications
One of our preferred Nmap options is -Pn.
tells Nmap to skip host discovery and treat every target as "alive." Use it on Internet-based penetration tests: Nmap's default host discovery leans on ICMP echo (the same probe ping uses) plus a few TCP probes, and many perimeter firewalls drop ICMP, so a live host could otherwise be skipped as "down." On an internal network ICMP is usually allowed, so you can probably ignore this flag.
Nmap
the most popular port scanning tool. Nmap lets you scan hosts to identify the services running on each, any of which might offer a way in.
Internet of Things (IoT)
the network of products embedded with connectivity-enabled electronics
DNS (Domain Name System)
the distributed database that maps host and domain names to IP addresses (and IP addresses back to names)
Whois
this command looks up public registration information about an IP address or a domain name (registrar, owner contacts, name servers, allocated address ranges). You may need to install the whois client (the whois or jwhois package, depending on the distribution; Kali has it pre-installed of course). You can also use whois.net
Ping
this is by far the most commonly used networking tool: it sends an ICMP echo request and waits for an ICMP echo reply. (ICMP is neither TCP nor UDP; its messages ride directly inside IP datagrams, so the "packet means TCP, datagram means UDP" rule of thumb does not apply here.) If you ping hccs.edu, you'll notice you get a "Request timed out." This does not necessarily mean that the host is down; more often a router or firewall in the path is blocking ICMP echo requests
One of our preferred Nmap options is -sT.
(TCP Connect Scan) is the most reliable method of determining port activity because it completes the full three-way TCP handshake with each port. The disadvantage is that it generates far more traffic than a SYN scan and, because the connection really opens, the service itself logs it and an IDS is likely to notice. The advantage is that afterwards we know for certain whether a service is truly present, and the scan works without raw-socket (root) privileges.
Security Certifications (Examples)
CEH (Certified Ethical Hacker), OSCP (Offensive Security Certified Professional), CompTIA Security+, CCNA Security, CISM (Certified Information Security Manager), Penetration Tester, CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), CCIE (Cisco Certified Internetwork Expert), CIPP (Certified Information Privacy Professional), CCNP Security (Cisco Certified Network Professional Security), CHFI (Computer Hacking Forensic Investigator)
Companies that sell security products
Cisco, McAfee, ESET, Fortinet, SonicWall, CrowdStrike, Palo Alto Networks, Barracuda, Microsoft, Dell EMC, Amazon, IBM, Valimail, Verimatrix
Companies that provide security services in Houston
Datavox, RSM International, Accudata, IBM, Cisco, Meriplex, IT Works, AWS (Amazon Web Services)
IT & security type conferences / seminars
DEF CON, hackathons, F8 (Facebook), Hak5, Houston Security Conference, USENIX, Hack The Box, Authenticate, SANS, RSA Conference, OFFZONE, BSides, Virtual Security Conference, SANS Pen Test, Secure360
Intrusion detection (IDS) tools
IDS engines and distributions: Snort, Security Onion, AIDE (host-based file-integrity checker). Supporting capture, analysis and testing tools often used alongside them: Wireshark, tcpdump, NetworkMiner, Nmap, Metasploit, Cain & Abel, Carbon Black, and the Kali Linux distribution that bundles many of these
Access Lists (ACLs)
A basic form of firewall protection
Tcpdump
A command-line protocol analyzer. Administrators use it to capture packets.
Stateful Packet Inspection (SPI)
A firewall running SPI is much harder to attack with spoofed packets because it keeps a state table of every connection it has seen and checks each packet's headers against it: a spoofed ACK or SYN-ACK that matches no existing connection is simply dropped. It does not stop a spoofed SYN that opens a new connection to a permitted port, so it is not a complete defence against IP spoofing.
Distrowatch
A great place to find Linux distributions including many firewalls, honeypots, IDSs, and security OSes - https://distrowatch.com/
Sectools.org
A great resource for network security tools - updated regularly.
Security incident response team (SIRT).
A group of experts that handles computer security incidents.
Security incident response team (SIRT).
A group of people designated to take countermeasures when an incident is reported.
BGP (Border Gateway Protocol)
A path-vector protocol used by ISPs to establish routing between one another.
Wireshark
A popular packet sniffer.
Network Address Translation (NAT)
A process that firewalls and routers use to rewrite the source (or destination) IP address of packets as they cross between a private network and the Internet, so that many internal hosts using private addresses can share one or a few public addresses.
Honeypot
A security tool used to lure attackers away from the actual network components. Also called a decoy or sacrificial lamb.
demilitarized zone (DMZ)
A separate organizational local area network that is located between an organization's internal network and an external network, usually the Internet.
demilitarized zone (DMZ)
A strip of land running across the Korean Peninsula that serves as a buffer zone between North and South Korea.
Security incident response team (SIRT).
A team of security professionals with the main responsibility of responding to network attacks and security events.
Network Address Translation (NAT)
A technique that lets hosts with private (RFC 1918) IP addresses, which are not routable on the public Internet, still reach it: the NAT device swaps the private source address for a public one on the way out and reverses the translation on the reply.
Access Lists (ACLs)
Access lists are used to filter traffic based on source IP address, destination IP address, and ports or services. Firewalls also use this technology. After you understand how to create an access list on a router, creating one on a firewall is a similar process.
ARP
Address Resolution Protocol
ARP
Address Resolution Protocol. Resolves IP addresses to MAC addresses.
IPS (Intrusion Prevention System)
An IPS is a hardware appliance or software that, instead of just "detecting" anomalies, blocks them on the fly (for example, if the IPS detects access from an unauthorized IP address, it can drop the traffic inline or create a rule on the firewall to block that IP address).
Packet Filtering
Another basic security function a firewall performs is packet filtering. Packet filters screen packets based on information in the packet header, such as the following: • Protocol type (TCP, UDP, ICMP) • Source and destination IP address • Source and destination TCP/UDP port
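The first-match, implicit-deny evaluation that an access list or packet filter performs on those header fields, as an added example (not code from the course notes). The addresses, the DMZ web-server policy and the sample packets are constructed for illustration:

```python
"""Added example: a minimal first-match packet filter in the style of a router
access list. The policy and packets below are constructed, not from the course."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for ICMP, which has no ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                     # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; like a Cisco ACL, anything unmatched is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed policy: the DMZ web server is reachable from anywhere on 80/443,
# admins on 10.0.0.0/24 may use RDP (TCP 3389) to it, everything else is dropped.
DMZ_WEB = "203.0.113.10/32"
ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", DMZ_WEB, 80),
    Rule("permit", "tcp", "0.0.0.0/0", DMZ_WEB, 443),
    Rule("permit", "tcp", "10.0.0.0/24", DMZ_WEB, 3389),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),  # explicit catch-all (already implicit)
]

SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "203.0.113.10", 443),   # Internet user -> HTTPS: permit
    Packet("tcp", "198.51.100.7", "203.0.113.10", 3389),  # Internet user -> RDP: deny
    Packet("tcp", "10.0.0.25", "203.0.113.10", 3389),     # admin -> RDP: permit
    Packet("icmp", "198.51.100.7", "203.0.113.10"),       # ping: no permit matches -> deny
]


def decisions(rules: List[Rule] = ACL, packets=SAMPLE_PACKETS) -> List[str]:
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, decisions()):
        print(f"{pkt.proto:4} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

Rule order matters: a deny placed above the permits wins for any packet it matches, which is exactly how a misordered ACL silently breaks (or opens) access on a real router.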
POP (Post Office Protocol):
The protocol clients use to retrieve e-mail from a mail server (POP3 uses TCP port 110, or 995 over TLS); SMTP handles the sending side
Wireshark
Application that captures and analyzes network packets
Intersecting challenges
As adversaries keep refining malware that breaches network defenses and evades detection, the security industry responds by improving its products and pooling threat intelligence across vendors. Companies that bolt together individual point solutions to close specific gaps often end up with weak seams between those products in their overall threat defense
Honeypot
Decoy servers or systems setup to gather information regarding an attacker or intruder into your system
IEEE 802.3
Ethernet protocol
Stateful Packet Inspection (SPI)
Firewalls usually take the basic filtering a router does a step further by performing stateful packet inspection (SPI). Stateful packet filters record session-specific information about a network connection, including the ports a client uses, in a file called a state table.
Kali Linux
Formerly known as BackTrack (which used a KDE desktop). Debian-based; ships with hundreds of security tools and a standard desktop environment (Xfce in current releases)
layer-3 protocols
IPv4, IPv6, IPsec, ICMP
Reset (RST):
If an error occurs, the reset flag is sent. The connection is closed forcibly or refused.
How Honeypots Work
If attackers can get to your internal network, they can create havoc. A honeypot appears to have important data or sensitive information stored on it. For example, it could store fake financial data that tempts hackers into attempting to browse through the data. The government and private industry have used honeypots to lure attackers into network areas away from the real data for many years. Basically, the belief is that if hackers discover a vulnerability in a system, they'll spend time exploiting the vulnerability and stop looking for other areas to exploit and access a company's resources. Honeypots also enable security professionals to collect data on attackers. In this way, the hunter becomes the hunted. Both commercial and open-source honeypots are available.
Acknowledgement (ACK):
Indicates receipt of a packet and supplies a new Acknowledgement Number. SYN+ACK is used for the second packet in a three-way handshake. Normally, each data packet is sent in numbered sequence, with a numbered ACK response.
Security Certifications
Typical candidates: information security officers and managers, law enforcement officials, military intelligence officers, network administrators, wireless network administrators, network security specialists, security administrators
ICMP
Internet Control Message Protocol
ICMP
Internet Control Message Protocol. Used for diagnostics such as ping. Many DoS attacks use ICMP. It is common to block ICMP at firewalls and routers. If ping fails, but other connectivity to a server succeeds, it indicates that ICMP is blocked.
IPv4
Internet Protocol version 4
IPv6
Internet Protocol version 6
Intrusion Detection and Prevention Systems
Intrusion detection systems (IDSs) monitor network devices so that security administrators can identify attacks in progress and stop them. For example, for users to be able to access a Web server, a firewall must allow port 80 to be open. Unfortunately, opening this port can also allow a hacker to attack the Web server. An IDS examines the traffic traversing the connection to port 80 and compares it with known exploits, similar to antivirus software using a signature file to identify viruses. If an attacker attempts to exploit a known vulnerability in the Web server, the IDS sends an alert of the attack so that the Web server administrator can take action. Intrusion prevention systems (IPSs) are similar to IDSs, but they take the additional step of performing some sort of action to prevent the intrusion, instead of just alerting administrators of the attack. The following section describes two types of intrusion detection and prevention systems: network-based and host-based.
security appliance
It's a single device combining two or more network protection functions, such as those performed by routers, firewalls, intrusion detection and prevention systems, VPNs, Web-filtering systems, and malware detection and filtering systems. For instance, modern Cisco routers can perform firewall functions, address translation (Network Address Translation and Port Address Translation), and intrusion prevention in addition to their router function. As hardware technology gets more powerful, security appliances can perform the same functions that once required using several dedicated systems. They also reduce administrative effort because multiple network protection functions are managed via a common interface.
Security Onion
Linux distro intended to support security analysts with tools for: - Network security monitoring - Intrusion detection - Log management Based on Ubuntu
One of our preferred Nmap options is -A.
More detail. -A (aggressive) turns on OS detection, version detection, default script scanning and traceroute in one flag. It attempts advanced service enumeration and banner grabbing, which may give you many more details about the target system, at the cost of far more traffic and much higher visibility to an IDS.
Network-based IDSs and IPSs Signatures
Most of these systems detect malicious activity by comparing traffic against a database of known attack signatures, much as antivirus software matches files against a signature file
Signatures or Anomalies
Network-based IDSs and IPSs can be further categorized by the way they detect attacks
Packet Filtering
a process that uses various fields in a packet's IP and TCP headers to decide what to do with the packet
Using Configuration and Risk Analysis Tools for Firewalls and Routers
Patching systems is only one part of protecting them from compromise. You must also configure them securely. Fortunately, plenty of resources are available for this task. One of the best Web sites for finding configuration benchmarks and configuration assessment tools for Cisco routers and firewalls is the Center for Internet Security (CIS, www.cisecurity.org). A benchmark is an industry consensus of best configuration practices on the hows (using step-by-step guidance) and whys (explaining the reasons for taking these steps) of securing a Cisco router or firewall. Reviewing all the configuration steps in these benchmarks can take quite a bit of time, however.
Implementing a Firewall
Placing a firewall between a company's internal network and the Internet can be dangerous because if hackers compromise the firewall, they have complete access to the internal network. To reduce this risk, most enterprise firewall topologies use a demilitarized zone, discussed in the following section, to add a layer of defense.
Synchronize (SYN):
Request a new connection and synchronize sequence numbers. See ECE and ACK flags.
Security Onion
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro (now called Zeek), OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. Security Onion's use of open source tools is very similar to the ones that AlienVault uses.
Host-based IDSs/IPSs
Software used to protect a critical network server or database server. The software is installed on the system you're attempting to protect, just like installing antivirus software on a desktop system.
Security incident response team (SIRT).
Some organizations need a permanent team whose members are responsible solely for security-response functions. Other organizations might better spend their resources setting up an ad hoc team, with members who normally have other roles and are called in response to a specific incident. You can find more information on forming SIRTs at www.cert.org.
Web Filtering
Statistically speaking, firewalls and IPSs do a good job of protecting a network from attacks from the Internet. Hackers know the statistics, so recently they've been using a new way into the network that doesn't require breaching the network's hardened perimeter defenses. This new way in is out—that is, using the least restricted pathway through a firewall, which on most networks is the outbound rules. How does this attack method work? Attackers target the devices that are usually allowed access out of the network automatically: user workstations. If they can get an internal user to visit a bogus Web site or install malicious code from an e-mail attachment, they don't need to break through the firewall. After Trojan code is installed on a user's workstation, attackers can control the Trojan remotely with commands that might seem to be normal traffic. They can take advantage of this compromise to expand through the network by running network scans from the compromised workstation, cracking system passwords, and exploiting vulnerabilities they discover on other systems. Firewall application layer inspection might not detect this kind of attack, especially if attackers hide the command-and-control activity inside HTTP and HTTPS traffic. In this situation, Web filtering can be used to detect users' attempts to access malicious Web sites and block these attempts, and some Web-filtering systems can actually block malicious code before it gets to a user's workstation or before it has a chance to connect to an attacker's control system outside the network. Organized cybercriminals often try to hack busy Web sites that have the best chance of infecting thousands of Web site visitors with their malicious code.
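The "way out" described above leaves a trace in the proxy log: a Trojan that phones home usually does so on a fixed timer, so the gaps between its requests are nearly constant, while human browsing is bursty. The following detection is an added example, not from the course text; the log lines are constructed and the five-field format (time, client IP, destination host, method, status) is an assumption:

```python
"""Added example: spotting command-and-control beaconing hidden in ordinary
outbound HTTP by measuring how regular each client->host request spacing is.
The proxy log below is constructed; its column layout is assumed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed proxy log: "<ISO time> <client ip> <destination host> <method> <status>"
PROXY_LOG = """\
2024-05-01T09:00:00 10.0.0.25 www.example.com GET 200
2024-05-01T09:00:01 10.0.0.25 www.example.com GET 200
2024-05-01T09:00:01 10.0.0.25 cdn.example.com GET 200
2024-05-01T09:04:30 10.0.0.25 www.example.com GET 200
2024-05-01T09:10:00 10.0.0.31 c2.example.net POST 200
2024-05-01T09:12:10 10.0.0.31 mail.example.com GET 200
2024-05-01T09:15:00 10.0.0.31 c2.example.net POST 200
2024-05-01T09:20:01 10.0.0.31 c2.example.net POST 200
2024-05-01T09:24:59 10.0.0.31 c2.example.net POST 200
2024-05-01T09:30:00 10.0.0.31 c2.example.net POST 200
2024-05-01T09:35:00 10.0.0.31 c2.example.net POST 200
2024-05-01T09:40:02 10.0.0.31 mail.example.com GET 200
"""


def parse_log(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group request times by (client, destination host)."""
    hits: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, _status = line.split()
        hits[(client, host)].append(datetime.fromisoformat(ts))
    return hits


def find_beacons(text: str, min_hits: int = 5, max_jitter: float = 0.10,
                 min_period_s: float = 30.0) -> List[Tuple[str, str, int, int]]:
    """Return (client, host, hits, period_seconds) for pairs whose request
    spacing is regular enough to look like a timer rather than a person."""
    findings = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()  # log lines are not guaranteed to arrive in order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period < min_period_s:
            continue  # too fast for a sleep timer; more likely page assets loading
        jitter = pstdev(gaps) / period  # coefficient of variation: 0 = perfectly periodic
        if jitter <= max_jitter:
            findings.append((client, host, len(times), round(period)))
    return findings


if __name__ == "__main__":
    for client, host, n, period in find_beacons(PROXY_LOG):
        print(f"beacon candidate: {client} -> {host}, {n} hits, every ~{period}s")
```

The thresholds are deliberately loose; real malware adds random jitter to its sleep, so in practice you widen max_jitter, require more hits, and combine the result with reputation data on the destination host rather than alerting on periodicity alone.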
passive systems
Systems that don't take any action to stop or prevent an activity. They do, of course, send an alert and log the activity, much like an underpaid security guard at a shopping mall witnessing an armed robbery.
True
TCP is a connection-oriented protocol (UDP is connectionless) and uses a three-way handshake to establish connections
Stateful Packet Inspection (SPI)
Technology used in today's firewalls that keeps track of the state of network connections by examining the header in each packet. It should be able to distinguish between legitimate and illegitimate packets.
IPS (Intrusion Prevention System)
The "cousin" of IDS.
Security Incident Response Teams
The IDSs, IPSs, and honeypots (discussed in the next section) that help keep a network secure require administrative expertise to set up, run, and maintain. When a security event happens, usually administrators have to clean up the mess and then make a report to management or the legal department or work with law enforcement. For large organizations that have sensitive or critical data, normal administrative expertise isn't enough to follow up and do damage assessment, risk remediation, and legal consultation.
IPv4
The Internet Protocol version 4 is the dominant protocol for routing traffic on the Internet, specifying "to" and "from" addresses using a dotted-decimal such as "122.45.255.0".
IPv6
The Internet Protocol version 6 provides a large number of new addresses to route Internet traffic, using "from" and "to" addresses written as colon-hexadecimal notation, such as "fe80::42:acff:feaa:1bf0".
DNS (Domain Name System)
The Internet's system for converting alphabetic names into numeric IP addresses.
Finish (FIN):
The sender has no more data to send and wants to close its side of the connection.
BGP (Border Gateway Protocol)
The core routing protocol for Internet Wide Area Networks (WANs)
Internet of Things (IoT)
The idea that objects are becoming connected to the Internet so they can interact with other devices, applications, or services.
SSL (Secure Socket Layer)
The original protocol for encrypting HTTP traffic (HTTPS). Every SSL version is now deprecated; its successor TLS does the job today, although people still say "SSL"
SMTP (Simple Mail Transfer Protocol)
The protocol used to send e-mail between mail servers and from clients to their outgoing server (TCP port 25 between servers; port 587 for client submission)
HTTP (HyperText Transfer Protocol)
The universally adopted World Wide Web protocol
Network-based IDS (NIDS)
This is an IDS that analyses network traffic.
Snort
This network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks. Snort is the industry's de facto IDS, and its engine is built into many newer next-generation firewalls (Cisco acquired it with Sourcefire)
One of our preferred Nmap options is -sS.
This runs a stealth (half-open) SYN scan: Nmap sends a SYN, reads the reply (SYN-ACK means open, RST means closed, silence or an ICMP unreachable error means filtered) and then sends a RST instead of completing the handshake, so the application never sees a full connection. It needs raw-socket privileges (root), which is why it is Nmap's default scan type when run as root.
Network Address Translation (NAT)
Translates the private IP address to a public address for routing over the Internet
TCP
Transmission Control Protocol
TCP
Transmission Control Protocol - provides reliable, ordered, and error-checked delivery of a stream of bytes between applications on the Internet, splitting it into segments that are carried in IP packets. TCP is tightly linked with IP and the pair is usually written as TCP/IP.
Stateful Packet Inspection (SPI)
Type of firewall that inspects incoming data packets to make sure they correspond to an outgoing request
UDP
User Datagram Protocol
UDP
User Datagram Protocol. Used instead of TCP when guaranteed delivery of each packet is not necessary. UDP uses a best-effort delivery mechanism.
Honeypot
Vulnerable computer that is set up to entice an intruder to break into it
Tracert / Traceroute
We can use the tracert command (Windows) and traceroute command (Linux) to perform a network trace to a given host (domain name or IP). The trace shows every networking hop the packet takes to reach the other host; it works by sending probes with an increasing TTL, and each router that decrements the TTL to zero reports itself with an ICMP "time exceeded" message (Windows tracert uses ICMP echo probes, Linux traceroute uses UDP probes by default). The first hop is the gateway IP (router). If you see time-outs and the trace resumes after them, the routers in between most likely refused to answer with ICMP but still forwarded the packet to the next router. If a given hop keeps timing out and nothing follows it, either there is a real network outage or a firewall blocked further communication.
drive-by downloads
Web site visitors download malicious code without their knowledge. Usually the drive-by download exploits a security flaw in the browser or in a plug-in or third-party application, such as the browser's JavaScript engine, Flash, Adobe Reader or Apple QuickTime. Because malicious Web sites and code change daily, Web-filtering system providers need to update their signatures and databases of malicious Web sites constantly. Examples of vendors offering Web-filtering products on a subscription basis are Websense (www.websense.com) and Blue Coat (www.bluecoat.com).
Tcpdump
Which of the following is a command-line packet analyzer similar to GUI-based Wireshark?
Wireshark
Wireshark (known as Ethereal before 2006) is the industry's de-facto & multi-platform network protocol analyzer (it is open source). Wireshark allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types.
Firewall Technology
You have seen numerous methods that attackers use to scan a network and launch exploits. Firewalls can help reduce these attacks by using several technologies: • Network Address Translation • Access lists • Packet filtering • Stateful packet inspection • Application layer inspection
Packet Filtering
a process in which firewalls are configured so that they filter out packets sent to specific logical ports
User Datagram Protocol (UDP)
an alternative communications protocol to Transmission Control Protocol (TCP) used primarily for establishing low-latency and loss tolerating connections between applications on the Internet. Examples: voice chats, video streaming, gaming. Layer 4 protocol.
Host-based IDSs/IPSs
are most often used to protect a critical network server or database server, although they can also run on workstations. The IDS or IPS software is installed on the system you're attempting to protect, just like installing antivirus software on your desktop system.
SDN (Software Defined Networks)
is the term you will hear for virtual networks: SDN separates the control plane (a central controller that decides how traffic is forwarded) from the data plane (the physical and virtual switches that forward it). An example of that technology is VMware NSX, a virtual networking and security product family from VMware. Software firewalls rely on the OS on which they're running. Windows Firewall is a software firewall, and iptables (being superseded by nftables) is the traditional packet filter on Linux. Hardware firewalls, such as the Cisco Adaptive Security Appliance, are usually faster and can handle a larger throughput than software firewalls can. As you have seen, a router can also be used to filter traffic entering or leaving its interfaces. Filtering can be set up with access lists that restrict traffic based on the source IP address, destination IP address, protocol, and port. However, a firewall is specifically designed as a network protection system and has more security features than a router.
TCP connections
are used by application-level protocols, which add their own header and payload to the TCP stack.
Firewalls
can be hardware devices with embedded OSs or software installed on general-purpose computer systems. Firewalls serve two main purposes: controlling access to traffic entering an internal network and controlling traffic leaving an internal network. Firewalls can be installed on a network to protect a company's internal network from dangers existing on the Internet. On large enterprise networks, firewalls can also protect internal network segments, such as those containing only application servers, from other internal network segments, for example, those containing employee workstations. For instance, a typical enterprise firewall approach is restricting the remote desktop port TCP 3389, used for remote administration of application servers, to only the system administrator network segment and allowing only ports 80 and 443 for Web traffic on the network segment containing employee workstations. In this example, clearly typical employees don't need to administer application servers, so this approach reflects a least-privilege philosophy. There are advantages and disadvantages of hardware and software firewalls. However, instead of making recommendations, this chapter focuses on how firewalls fit into a security strategy. Briefly, the disadvantage of hardware firewalls is that you're locked into the firewall's hardware, such as the number of interfaces it includes. With a software firewall, you can add NICs easily to the server running the software. A disadvantage of software firewalls is that you might have to worry about configuration problems, such as memory requirements, hard disk space requirements, number of CPUs supported, and so on.
ARP poisoning attacks
can redirect traffic through an attacker's system by sending false ARP replies that bind a victim's (typically the gateway's) IP address to the attacker's MAC address. VLAN segregation helps limit the scope of ARP poisoning within a network, because ARP does not cross VLAN boundaries.
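What an ARP poisoning attack looks like on the wire, and how a monitor catches it, as an added example that is not part of the course notes. It assumes a sniffer that hands us ARP replies as (time, sender IP, sender MAC) tuples; the addresses, the gateway and the reply sequence are constructed:

```python
"""Added example: detect ARP poisoning from a stream of ARP replies.
Two signals are checked: an IP whose MAC address changes (high severity when
it is the gateway) and a single MAC that claims more than one IP address.
All addresses and the reply sequence are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

GATEWAY_IP = "10.0.0.1"  # assumed default gateway on this VLAN

# Constructed ARP replies as a sniffer would see them: (seconds, sender IP, sender MAC)
ARP_REPLIES = [
    (0,  "10.0.0.1",  "00:11:22:33:44:01"),
    (1,  "10.0.0.25", "00:11:22:33:44:25"),
    (2,  "10.0.0.31", "00:11:22:33:44:31"),
    (30, "10.0.0.1",  "00:11:22:33:44:01"),
    (60, "10.0.0.1",  "de:ad:be:ef:00:66"),  # attacker claims the gateway's IP ...
    (60, "10.0.0.25", "de:ad:be:ef:00:66"),  # ... and the victim's IP: man in the middle
    (90, "10.0.0.1",  "00:11:22:33:44:01"),  # real gateway answers again: mapping flaps
]


def detect_arp_poisoning(replies, gateway_ip: str = GATEWAY_IP) -> List[Tuple[int, str, str]]:
    """Return (time, severity, message) alerts in the order they were raised."""
    ip_to_mac: Dict[str, str] = {}               # the mapping a host's ARP cache would hold
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Tuple[int, str, str]] = []
    for t, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # An IP changing MAC is rare for servers and gateways; flapping is a strong sign.
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((t, severity, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                # One interface answering for several IPs is the poisoning pattern itself.
                alerts.append((t, "HIGH", f"{mac} claims several IPs: {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for t, severity, msg in detect_arp_poisoning(ARP_REPLIES):
        print(f"t={t:3}s {severity:6} {msg}")
```

Switch features such as Dynamic ARP Inspection do the same check against the DHCP snooping table and drop the forged replies before they reach hosts; the monitor above is what you run when you only have a SPAN port.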
Finger
command is used to get back information regarding a specific user. This is often useful for a system administrator. You could run finger on a given user after you found out that this user is currently logged in.
who
command shows who is currently logged into a machine/server
ACK flag
set on every segment after the initial SYN; it acknowledges the data (or the peer's SYN) received so far by carrying the next sequence number the sender expects.
drive-by downloads
consisting of malware that comes with a downloaded file that a user intentionally or unintentionally requests
port states Closed
does not mean the port is blocked. It means the host is reachable and answered the probe with a RST, but no service is listening on that port. This is different from filtered, where nothing answers at all.
Packet Filtering
inspects each packet that passes through the firewall and accepts or rejects it based on a set of rules.
application-aware firewall (Application Layer Inspection)
inspects network traffic at a higher level in the OSI model than a traditional stateful packet inspection firewall does. SPI ensures that a packet's source, destination, and port are expected before forwarding the packet, but a firewall performing application layer inspection also makes sure that the network traffic's application protocol is the type allowed by a rule. For example, many Trojans get past firewalls by launching a reverse shell that originates from the compromised system and connects to a remote system the hacker controls. This reverse shell is the hacker's secure command-and-control tunnel, and it's usually disguised by using a commonly allowed outbound port, such as port 80. The hacker-controlled channel then penetrates from inside the network to outside over the allowed outbound port. Workstations use port 80 outbound for Web browsing via HTTP, an application protocol. If the reverse shell uses Telnet or SSH application protocols, however, an application-aware firewall can prevent the reverse shell from being used on a port reserved for HTTP traffic. Some application-aware firewalls act as a proxy for all connections, thus serving as a safety net for servers or clients (or both), depending on what the firewall is protecting. If an application-aware firewall is protecting a Web server, for example, it prevents buffer overflows that target a specific application protocol.
Netstat
is a command-line tool that displays active network connections (TCP and UDP, incoming and outgoing), listening sockets, routing tables, per-interface statistics and network protocol statistics.
Honeypot
is a computer placed on the network perimeter that contains information or data intended to lure and then trap hackers. The main goal is to distract hackers from attacking legitimate network resources. A security professional configures the computer to have vulnerabilities so that hackers spend time trying to exploit these vulnerabilities. Another goal of a honeypot is to have hackers connect to the "phony" computer long enough to be traced, as in movies when the FBI wants a criminal to stay on the phone long enough to trace his or her location. In addition, a honeypot can serve as an excellent data collector and early warning system to help characterize new attacks and threats; this information makes it easier for security professionals to defend networks against them. For more information on honeypots, visit www.honeynet.org. This Web site offers exercises and challenges that encourage user participation, contains white papers on honeypots, and includes workshop presentations describing the Honeynet Project. If you decide to participate in any exercises, you might want to use a computer lab isolated from any production servers or networks. A test computer should be used because of the possibility of virus infection or data corruption.
Three way handshake (SYN flag)
is a connection request.
three-way handshake
is a process which is used in a TCP/IP network to make a connection between the server and client. It is a three-step process that requires both the client and server to exchange synchronization and acknowledgment packets before the real data communication process starts.
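The handshake above is also what a stateful packet inspection firewall tracks in its state table (see the Stateful Packet Inspection cards), and a SYN flood (first card) is what a half-open entry that never completes looks like. The following toy inspector is an added example, not code from the course: it keys state on the TCP 4-tuple, walks each connection through SYN, SYN-ACK and ACK, drops anything with no matching state, and counts half-open entries per source. The addresses, the permitted server and the traffic sample are constructed.

```python
"""Added example: a toy stateful packet inspector. Keeps a state table keyed by
the TCP 4-tuple, walks it through the three-way handshake, drops segments that
match no state, and flags sources that leave many half-open connections.
Addresses, the permitted server and all traffic below are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Key = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)


@dataclass(frozen=True)
class Seg:
    """One TCP segment header as the firewall sees it."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


def seg(src, sport, dst, dport, *flags) -> Seg:
    return Seg(src, sport, dst, dport, frozenset(flags))


class StatefulFirewall:
    """A segment is accepted only if it opens a permitted new connection or
    belongs to a connection already recorded in the state table."""

    def __init__(self, allowed_servers):
        self.allowed = set(allowed_servers)  # (ip, port) pairs that may receive new SYNs
        self.table: Dict[Key, str] = {}      # 4-tuple -> SYN_SENT | SYN_RECEIVED | ESTABLISHED

    def process(self, s: Seg) -> str:
        f = s.flags
        fwd: Key = (s.src, s.sport, s.dst, s.dport)  # as sent client -> server
        rev: Key = (s.dst, s.dport, s.src, s.sport)  # as sent server -> client
        if "RST" in f or "FIN" in f:
            # Teardown is only valid for a connection we know (simplified: drop the entry at once).
            known = fwd in self.table or rev in self.table
            self.table.pop(fwd, None)
            self.table.pop(rev, None)
            return "accept" if known else "drop"
        if "SYN" in f and "ACK" not in f:
            # Step 1: only permitted servers may receive new connections.
            if (s.dst, s.dport) not in self.allowed:
                return "drop"
            self.table.setdefault(fwd, "SYN_SENT")  # a retransmitted SYN keeps its state
            return "accept"
        if "SYN" in f and "ACK" in f:
            # Step 2: a SYN-ACK is legitimate only as the reply to a SYN we recorded.
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECEIVED"
                return "accept"
            return "drop"
        if "ACK" in f:
            # Step 3 (and later data): must match an existing entry in either direction.
            if fwd in self.table:
                if self.table[fwd] == "SYN_RECEIVED":
                    self.table[fwd] = "ESTABLISHED"
                return "accept"
            if self.table.get(rev) == "ESTABLISHED":
                return "accept"
            return "drop"  # e.g. a spoofed ACK with no matching state
        return "drop"

    def half_open_by_source(self) -> Counter:
        """Clients whose handshakes never completed: the SYN-flood signature."""
        return Counter(k[0] for k, st in self.table.items() if st != "ESTABLISHED")

    def suspicious_sources(self, threshold: int = 50) -> List[str]:
        return sorted(ip for ip, n in self.half_open_by_source().items() if n >= threshold)


WEB = ("203.0.113.10", 80)  # constructed DMZ web server

HANDSHAKE_SAMPLE = [
    seg("198.51.100.7", 40000, *WEB, "SYN"),                # step 1              -> accept
    seg(*WEB, "198.51.100.7", 40000, "SYN", "ACK"),         # step 2              -> accept
    seg("198.51.100.7", 40000, *WEB, "ACK"),                # step 3              -> accept
    seg("198.51.100.9", 5555, *WEB, "ACK"),                 # ACK with no state   -> drop
    seg(*WEB, "198.51.100.7", 40001, "SYN", "ACK"),         # unsolicited SYN-ACK -> drop
    seg("198.51.100.7", 40002, "203.0.113.10", 22, "SYN"),  # SSH not permitted   -> drop
]


def syn_flood_sample(attacker: str = "192.0.2.66", count: int = 100) -> List[Seg]:
    """count SYNs from one source, each answered by the server, never ACKed back."""
    out = []
    for port in range(1000, 1000 + count):
        out.append(seg(attacker, port, *WEB, "SYN"))
        out.append(seg(*WEB, attacker, port, "SYN", "ACK"))
    return out


def run(segments: List[Seg]) -> Tuple[List[str], StatefulFirewall]:
    fw = StatefulFirewall([WEB])
    return [fw.process(s) for s in segments], fw


if __name__ == "__main__":
    verdicts, fw = run(HANDSHAKE_SAMPLE + syn_flood_sample())
    print(verdicts[:6])
    print("half-open per source:", dict(fw.half_open_by_source()))
    print("suspicious:", fw.suspicious_sources())
```

Note what the state table does and does not buy you: the spoofed ACK and the unsolicited SYN-ACK are dropped outright, but the flood's SYNs are all accepted because each one is a legitimate new connection to a permitted port. That is why real firewalls add SYN cookies or per-source half-open limits on top of state tracking.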
demilitarized zone (DMZ)
is a small network containing resources that a company wants to make available to Internet users; this setup helps maintain security on the company's internal network. A DMZ sits between the Internet and the internal network and is sometimes referred to as a "perimeter network." Figure 13-2 shows how outside users can access the e-mail and Web servers in the DMZ, but the internal network is protected from these outside Internet users.
SYN-ACK packet
is the server's reply in step 2 of the handshake: it acknowledges the client's SYN and carries the server's own SYN, signalling that the port is open and the connection is accepted
Internet Control Message Protocol (ICMP)
is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached. Commands such as ping and traceroute/tracert use the ICMP protocol.
Dig
is a very powerful command for DNS related queries.
Internet of Things (IoT)
is an environment in which objects, animals or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. IoT are smart devices that can communicate using networking technology - mobile phones, tablets, fridges, thermostats, baby monitors, watches can all be smart devices by having web or private network connectivity.
Host-based IDS (HIDS)
is an intrusion detection system that monitors and analyzes the internals of a computing system (PC, laptop, server). Note: A HIDS can also analyze (in some cases) the network packets on its network interfaces, just like a NIDS would.
Netcat
is often referred to as a Swiss army knife of networking tools. Netcat can assist you in monitoring, testing, and sending data across network connections.
Kali Linux
is a popular Debian-based operating system that comes with many security tools (the successor to the Ubuntu-based BackTrack).
network protection system
is simply any device or system designed to protect a network.
Tcpdump
is the network sniffer we all used before (Wireshark) came on the scene, and many of us continue to use it frequently. It may not have the bells and whistles (such as a pretty GUI and parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with less security risk. It also requires fewer system resources. While Tcpdump doesn't receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity. There is a separate Windows port named WinDump. tcpdump is the source of the Libpcap/WinPcap packet capture library, which is used by Nmap and many other tools.
Intrusion detection
is the practice of monitoring a network or an individual computer and analysing what is observed to find anomalies (unauthorized access to systems, unauthorized changes to data, and so on). The device or software application that performs intrusion detection is called an intrusion detection system (IDS).
netstat -anl
lists sockets: -a shows all sockets (listening and connected), -n shows numeric addresses and ports instead of resolving host and service names, and -l selects listening sockets. netstat does not listen on anything itself; it reports what the system already has open.
Active systems
log events and send alerts, but they can also interoperate with routers and firewalls. For example, an active IDS can send an access list to a router that closes an interface to prevent attackers from damaging the network. Some active IDSs send spoofed reset packets that fool the TCP/IP stacks of both the victim and attacker into tearing down the malicious connection. Of course, the time from the start of an attack to the time it compromises a system can be mere milliseconds, too fast for a human to take action. For this reason, vendors have started focusing their marketing efforts on IPSs. There's a difference between an active IDS and a true IPS. A true network-based IPS is installed inline to the network infrastructure, meaning traffic has to pass through the IPS before going into or out of the network. An active IDS just sniffs traffic and can be turned off or unplugged from the network without affecting network connectivity. Because an IPS is inline, generally it's more capable of stopping malicious traffic than an active IDS is, especially against UDP-based attacks. Many current IDSs include IPS features and often have optional modules, such as malware detection and Web filtering. In addition, host-based IPSs are available; they operate at the OS (or kernel) level and intercept traffic that's not allowed by the host policy. Because host-based IPSs share resources with the OS they run on, they can slow down performance if the hardware isn't adequate.
drive-by downloads
malware that is downloaded and installed without the user's informed consent, typically just by visiting a compromised or malicious web page, or bundled with a file the user intentionally or unintentionally requested
port states Open
means that given port has a service that is listening on it.
port states Filtered
means that Nmap cannot determine whether the given port is open because a firewall, filter or other network obstacle is blocking the probe (no reply comes back, or an ICMP unreachable error is returned). It does not say that a service is listening; it says Nmap could not find out.
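As an added example (not code from the course page), the following script shows how an Nmap SYN scan (-sS) turns the reply to each SYN probe into a port state. It goes one step beyond the two states listed above by also including "closed" (the host answers with RST), which is Nmap's third basic state. The target host and its replies are constructed, so nothing is actually sent on the wire.

```python
# Added example (not from the course page): how an Nmap SYN scan (-sS) maps
# the reply to a SYN probe onto a port state. The target and its replies are
# constructed; no packets are sent.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# TCP flag bits as they appear in the TCP header
SYN, RST, ACK = 0x02, 0x04, 0x10

# ICMP type 3 (destination unreachable) codes that Nmap reports as "filtered"
FILTERED_UNREACH_CODES = {1, 2, 3, 9, 10, 13}


@dataclass
class Reply:
    """Constructed stand-in for the packet that came back for one SYN probe."""
    proto: str            # "tcp" or "icmp"
    tcp_flags: int = 0    # TCP flags, only meaningful when proto == "tcp"
    icmp_type: int = 0    # ICMP type/code, only meaningful when proto == "icmp"
    icmp_code: int = 0


def classify(reply: Optional[Reply]) -> Tuple[str, str]:
    """(state, reason) for one probe; None means nothing came back even after
    Nmap's retransmissions."""
    if reply is None:
        # Silence: a firewall dropped the probe or the reply. Nmap cannot tell
        # whether a service is listening, so the port is "filtered", not "open".
        return "filtered", "no reply (probe or reply dropped)"
    if reply.proto == "tcp":
        if reply.tcp_flags & SYN and reply.tcp_flags & ACK:
            return "open", "SYN-ACK: a service is listening"
        if reply.tcp_flags & RST:
            return "closed", "RST: host reachable, nothing listening"
    if (reply.proto == "icmp" and reply.icmp_type == 3
            and reply.icmp_code in FILTERED_UNREACH_CODES):
        return "filtered", f"ICMP unreachable, code {reply.icmp_code}"
    return "filtered", "unexpected reply"


# Constructed target: what each probed port answered.
CONSTRUCTED_HOST: Dict[int, Optional[Reply]] = {
    22:   Reply("tcp", tcp_flags=SYN | ACK),         # ssh listening
    80:   Reply("tcp", tcp_flags=SYN | ACK),         # http listening
    23:   Reply("tcp", tcp_flags=RST | ACK),         # telnet not running
    445:  None,                                      # probe silently dropped
    3389: Reply("icmp", icmp_type=3, icmp_code=13),  # admin-prohibited by a router
}


def scan(host: Dict[int, Optional[Reply]], ports) -> Dict[int, str]:
    """State of every requested port; a port with no recorded reply is silent."""
    return {port: classify(host.get(port))[0] for port in ports}


if __name__ == "__main__":
    for port in (22, 23, 80, 445, 3389):
        state, why = classify(CONSTRUCTED_HOST.get(port))
        print(f"{port}/tcp {state:8s} {why}")
```

The practical point: "filtered" is the state you get when a firewall is doing its job, so an Internet-facing scan that shows mostly filtered ports is normal, while a port that flips from filtered to open between two scans is worth a look.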
Security Certifications
measures a candidate's ability to identify and control security risks associated with any event or action that could cause a loss or damage to computer hardware, software, data, information, or processing capability.
Network-based IDSs/IPSs
monitor activity on network segments. Essentially, they sniff traffic as it flows over the network and alert a security administrator when something suspicious occurs. Some of these systems can also block traffic.
Routers
operate at the Network layer of the OSI model and are hardware devices used to send packets to different network segments. Their main purpose is to keep broadcast traffic from crossing between networks and to choose the best path for moving packets. For example, if Router A in Houston wants to send a packet to Router B in New York, there are several possible paths; routers use a routing protocol in a best-path decision-making process to pick one. (Note: there are different kinds of routing protocols, which vary the way routers function: link-state, distance-vector, and path-vector protocols.) As a security professional, your main concern is confirming that a router filters certain traffic, not designing the router infrastructure or choosing the routing protocol an organization uses (that's what network engineers, architects and sysadmins do).
OSSEC HIDS
performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. In addition to its IDS functionality, it is commonly used as a SEM/SIM solution. Because of its powerful log analysis engine, ISPs, universities and data centers are running OSSEC HIDS to monitor and analyze their firewalls, IDSs, web servers and authentication logs.
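The integrity checking mentioned for OSSEC above (and the "monitors the internals of a computing system" part of the HIDS definition) comes down to one idea: fingerprint the files you care about, then compare later. The script below is an added example in the spirit of OSSEC's syscheck, not OSSEC's own code. It hashes file contents and records size and permission bits, then reports files that were added, deleted or modified. The mini filesystem, file names and contents are constructed in a temporary directory so it runs offline.

```python
# Added example (not OSSEC's code): the file-integrity part of a HIDS.
# Take a baseline of hashes, sizes and permission bits, tamper, re-check.
# Every path and file body below is constructed inside a temp directory.
import hashlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Fingerprint = Dict[str, object]
Event = Tuple[str, str, Tuple[str, ...]]   # (kind, relative path, changed attributes)


def fingerprint(path: Path) -> Fingerprint:
    """SHA-256 of the contents plus the metadata an attacker most often touches."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def snapshot(root: Path) -> Dict[str, Fingerprint]:
    """Fingerprint every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def diff(old: Dict[str, Fingerprint], new: Dict[str, Fingerprint]) -> List[Event]:
    """Compare two snapshots; 'modified' events name which attributes changed."""
    events: List[Event] = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            events.append(("added", name, ()))
        elif name not in new:
            events.append(("deleted", name, ()))
        elif old[name] != new[name]:
            changed = tuple(k for k in old[name] if old[name][k] != new[name][k])
            events.append(("modified", name, changed))
    return events


def demo() -> List[Event]:
    """Build a constructed mini filesystem, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {                                   # constructed sample files
            "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "etc/ssh/sshd_config": "PermitRootLogin no\n",
            "bin/ls": "\x7fELF original",
            "var/log/auth.log": "Accepted publickey for alice\n",
        }
        for rel, content in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
            p.chmod(0o644)
        baseline = snapshot(root)

        # Simulated tampering after the baseline was taken
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")  # content and size
        (root / "bin/ls").write_text("\x7fELF trojaned")                     # same size, new hash
        (root / "etc/passwd").chmod(0o666)                                   # permissions only
        (root / "etc/sudoers.d").mkdir()
        (root / "etc/sudoers.d/backdoor").write_text("bob ALL=(ALL) NOPASSWD: ALL\n")
        (root / "var/log/auth.log").unlink()                                 # log wiped

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, name, changed in demo():
        print(f"{kind:9s} {name} {' '.join(changed)}")
```

Two things worth noticing: the trojaned binary keeps its size, so a size-only check would miss it, which is why a cryptographic hash is the core attribute; and the baseline is only as good as the moment it was taken, so it has to come from a known-clean system and be stored where the monitored host cannot rewrite it (OSSEC ships it to the manager for that reason).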
last
shows the login history of a given machine/server (read from /var/log/wtmp): who logged in, from where, when, and for how long, plus reboots
0-day (zero-day) attacks or malware
this is malware or an attack that exploits a vulnerability that is not yet publicly known, or that has just been made public and has no patch yet. It is called "0-day" because we (people and companies) have had zero days to prepare a defense. These are very hard to remediate because patches take time to be created, distributed, and installed. 0-day exploits are very dangerous, which is why they are rewarded handsomely: legitimately through bug bounty programs run by vendors such as Apple and Google, or illegitimately by black-hat groups buying and selling them on the darknet.
Anomaly-based network IDSs/IPSs
use a baseline of normal activity and then send an alert if the activity deviates significantly from this baseline. The baseline must be learned from known-clean traffic, and the threshold trades false positives (a busy but legitimate day) against missed attacks that ramp up slowly enough to look normal. IDSs and IPSs play an important role in defending against network attacks. When combined with routers and firewall technology, they can help you protect the network you've been asked to secure.
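The following script is an added example (not code from the course page) of the baseline-and-deviation logic an anomaly-based NIDS applies. It learns the mean and standard deviation of per-minute connection counts from a clean training window, then scores each new minute by how many standard deviations it sits from that baseline and alerts above a threshold. The connection counts are constructed; a real sensor would aggregate them from captured traffic or firewall logs.

```python
# Added example (not from the course page): the core of an anomaly-based NIDS.
# Learn "normal" from a clean period, then flag observations that sit too many
# standard deviations away from it. All counts below are constructed.
import statistics
from typing import List, Tuple

# Constructed: outbound TCP connections per minute from one workstation during
# a quiet, known-clean period (the training window).
BASELINE_COUNTS = [41, 38, 45, 40, 43, 39, 44, 42, 37, 46, 40, 41]

# Constructed: the next eight minutes. Minute 3 looks like a port sweep and
# minute 6 like a beaconing burst; minute 5 is merely a busy minute.
OBSERVED_COUNTS = [42, 39, 44, 310, 41, 48, 95, 40]

Alert = Tuple[int, int, float]   # (minute index, count, z-score)


def learn_baseline(samples: List[int]) -> Tuple[float, float]:
    """Mean and sample standard deviation of the clean training window."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate variance")
    return statistics.mean(samples), statistics.stdev(samples)


def z_score(value: float, mean: float, stdev: float) -> float:
    """How many standard deviations value is from the baseline mean."""
    if stdev == 0:                      # perfectly flat baseline: any change is infinite
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def detect(observed: List[int], baseline: List[int], threshold: float = 3.0) -> List[Alert]:
    """Alert on every minute whose count deviates more than `threshold` sigmas."""
    mean, stdev = learn_baseline(baseline)
    alerts: List[Alert] = []
    for minute, count in enumerate(observed):
        z = z_score(count, mean, stdev)
        if abs(z) > threshold:
            alerts.append((minute, count, round(z, 1)))
    return alerts


if __name__ == "__main__":
    mean, stdev = learn_baseline(BASELINE_COUNTS)
    print(f"baseline: mean={mean:.1f} stdev={stdev:.2f}")
    for minute, count, z in detect(OBSERVED_COUNTS, BASELINE_COUNTS):
        print(f"ALERT minute {minute}: {count} connections ({z} sigma)")
```

With these numbers the baseline is roughly 41 connections per minute with a standard deviation just under 3, so the 310- and 95-connection minutes are flagged while the 48-connection minute (about 2.4 sigma) is not. In production the baseline is recomputed on a rolling window so that slow drift in legitimate usage does not become a permanent alarm, which is also the weakness: an attacker who ramps up slowly enough trains the baseline to accept the attack.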
Transmission Control Protocol (TCP)
used for reliable transmission of data that needs integrity (every segment is acknowledged, retransmitted if lost, and delivered in order), which contrasts with UDP. TCP is used by web sites, email, VPNs, etc. TCP is the basis for most application-layer protocols, such as SSH, HTTP, SSL/TLS, SMTP, POP, and BGP. (DNS, DHCP and SNMP run mainly over UDP; DNS uses TCP for zone transfers and responses too large for a datagram.) TCP is the most important Layer 4 protocol because it provides reliable message transport.
IEEE 802.11
wireless protocols (commercially known as Wi-Fi)
True
· Employees are the most common way malware gets downloaded and brought into an organization
True
· IoT devices are worsening the state of current security
True
· It's not a matter of if but when a company will get "hacked"
True
· Malware is on the rise (especially malvertising, cryptojacking, malicious mobile apps, and ransomware)
True
· Most organizations use at least one high-risk application