Principles of Info Security (6th Ed.) - Chapter 7 Review Questions, Chapter 7 Review Questions
"An IDS works like a burglar alarm in that it detects a violation and activates an alarm." (p. 388) They both can be configured to notify of a break in.
1. What common security system is an IDPS most like? In what ways are these systems similar?
Fingerprinting = systematic survey of target org's internet addresses collected during footprinting phase to ID the network services offered by the hosts in that range Reveals info about internal structure and nature of target system
10. What is network fingerprinting?
Fingerprinting uses the information gleaned from footprinting to dig deeper into internal structures of the target.
11. How are network footprinting and network fingerprinting related?
An attacker can use an open port to send commands to a computer, potentially gain access to a server, and possibly exert control over a networking device.' Rule of thumb: Don't need the port? SECURE IT OR GET RID OF IT.
12. Why do many organizations ban port scanning activities on their internal networks?
ISPs might ban outbound port scanning, because it may put a significant load on the system in some situations. Additionally, outbound scanning might trigger harmful response from a malicious party in the untrusted network.
13. Why would ISPs ban outbound port scanning by their customers? [should be expounded]
An open port is an open communication channel to the computer, system, network, server, etc. An attacker can use an open port to send commands to a computer, potentially gain access to a server, and possibly exert control over a networking device.' Reduces attack surface
14. What is an open port? Why is it important to limit the number of open ports to those that are absolutely essential?
Attack surface = The functions and features that a system exposes to unauthenticated users. It should be minimized to minimize the potential for latent defects and unintended consequences to cause losses (433).
15. What is a system's attack surface? Why should it be minimized when possible?
A software program that scans a range of network addresses and port numbers for open services. Should be proficient at finding known, documented holes. Once you find the vulnerabilities, you can fix them.
16. What is a vulnerability scanner? How is it used to improve security?
Active = An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers Passive = A scanner that listens in on a network and identifies vulnerable versions of both server and client software. Difference: active scans to find highly detailed info; initiate traffic, while passive merely listens in on the network Active scanner: initiates network traffic to find and evaluate service ports. Passive scanner: uses traffic fro m the target network segment to evaluate the service ports available from hosts on that segment
17. What is the difference between active and passive vulnerability scanners?
A collection of exploits coupled with an interface tha allows pen testers to automate the custom exploitation of vulnerable systems. It can be very dangerous as it exploits the remote machine and allows the vulnerability analyst to create an account, modify a Web page, or view data.
18. What is Metasploit Framework? Why is it considered riskier to use than other vulnerability scanning tools?
Network traffic
19. What kind of data and information can be found using a packet sniffer?
A false positive is an alert that occurs in the ABSENCE of an actual attack. A false negative is the failure of an IDPS to react to an actual attack event. The less desirable is a false NEGATIVE.
2. How does a false positive alarm differ from a false negative alarm? From a security perspective, which is less desirable?
The ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy/confidentiality afforded on the wireless network.
20. What capabilities should a wireless security toolkit include?
An NIPDS is an IDPS that resides on a computer connected to a segment of the org network and monitors traffic on that segment An HIDPS resides on a PARTICULAR computer/server and monitors activity ONLY ON THAT SYSTEM
3. How does a network-based IDPS differ from a host-based IDPS?
Signature-based = searches system for known attack signatures Behavior-based = compares current data and traffic patterns to a normal baseline
4. How does a signature-based IDPS differ from a behavior-based IDPS?
SPAN port = specially configures connection on a NW that views all traffic moving through a device Also used for occasional use in diagnosing NW faults and measuring NW performance
5. What is a monitoring (or SPAN) port? What is it used for?
> Centralized Control Strategy: All control functions are implemented and managed in a central location. > Fully Distributed Control Strategy: All control functions are applied at the physical location of each IDPS component. > Partially Distributed Control Strategy: Combines the best aspects of centralized and fully distributed strategies. The individual agents analyze and respond to local threats and report to a hierarchical central facility.
6. List and describe the three control strategies proposed for IDPS. (416)
Honeypot = app that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while the SW notifies the admin of intrusion Honeynet = NETWORK of multiple honeypot systems.
7. What is a honeypot? How is it different from a honeynet?
Honeypot = app that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while the SW notifies the admin of intrusion Padded cell system: A PROTECTED honeypot not easily compromised
8. How does a padded cell system differ from a honeypot?
Footprinting = organized research and investigation of internet addresses owned/controlled by target org Collecting publicly available information about a potential target
9. What is network footprinting?
3. How does a network-based IDPS differ from a host-based IDPS?
A network - based IDS resides on a net work segment and monitors activates across that Segment, A hose based IDS resides on a particular computer or server, known as the host and monitors activity only on that system. A host - based IDS has an advantage over net work based IDS in that it can usually be installed in such a way that it can access information that is encrypted when traveling over the net work. For this reason, a host - based IDS is able to use the content of otherwise encrypted communications to make decision about possible or successful attacks.
19. What kind of data and information can be found using a packet sniffer?
A packet sniffer (sometimes called a network protocol analyzer) is a network tool that collects copies of packets from the network and analyzes them. It can provide a network administrator with valuable information for diagnosing and resolving networking issues. All network traffic that is visible on the network connection of the packet sniffer is visible. If the data in such packets is not encrypted, all contents are also viewable.
8. How does a padded cell system differ from a honeypot?
A padded cell is a honey pot that has been protected so that that it cannot be easily compromised. In other words, a padded cell is a hardened honey pot. In addition to attracting attackers with tempting data, a padded cell operates in tandem with a traditional IDS. When the IDS detects attackers, it seamlessly transfers them to a special simulated environment where they can cause no harm—the nature of this host environment is what gives the approach its name, padded cell.
4. How does a signature-based IDPS differ from a behavior-based IDPS?
A signature-based system looks for patterns of behavior that match a library of known behaviors. A behavior-based system watches for activities that suggest an alert-level activity is occurring based on sequences of actions or the timing between otherwise unrelated events.
16. What is a vulnerability scanner? How is it used to improve security?
A software program or network appliance that scans a range of network addresses and port numbers for open services. When a service port is found, it attempts to identify the service being offered and evaluates the security of that service, perhaps by compromising the service. When an improperly configured or weak service port is found, it can be removed or repaired to reduce risk.
5. What is a monitoring or SPAN port? What is it used for?
A switched-port analysis port is a data port on a switched device that replicates all designated traffic from the switch device so that the traffic can be captured, stored or analyzed for IDS or other purposes.
20. What capabilities should a wireless security toolkit include?
A wireless connection has many potential security holes. An organization that spends all of its time securing the wired network and leaves wireless networks to operate in any manner is opening itself up for a security breach. A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network.
17. What is the difference between passive and active vulnerability scanners?
Active vulnerability scanners scan networks for highly detailed information. An active scanner is one that initiates traffic on the network in order to determine security holes. As a class, this type of scanner identifies exposed usernames and groups, shows open network shares, and exposes configuration problems and other vulnerabilities in servers. An active scanner will initiate network traffic to find and evaluate service ports. Active scanners try to penetrate the systems in much the same way that a real hacker would. They can sometimes cause interruption of network services or bring servers down, so they should be run during times when network usage is low (such as at night or on the weekend). They perform a much more aggressive and more thorough scan. A passive vulnerability scanner is one that listens in on the network and determines vulnerable versions of both server and client software. A passive scanner uses traffic from the target network segment to evaluate the service ports available from hosts on the network segment. Passive scanners are advantageous in that they do not require vulnerability analysts to get approval prior for testing. These tools simply monitor the network connections to and from a server to gain a list of vulnerable applications. Furthermore, passive vulnerability scanners have the ability to find client-side vulnerabilities that are typically not found in active scanners. For instance, an active scanner operating without DOMAIN Admin rights would be unable to determine the version of the Internet Explorer running on a desktop machine, where as a passive scanner will be able to make that determination by observing the traffic to and from the client. Passive scanning products are designed not to interfere with normal network activity. They can run continuously in the background, monitoring the systems and checking for vulnerabilities without degrading network performance or crashing the systems. It is sometimes desirable to run a passive scanner in an "always on" mode and also run a more thorough active scan at regular intervals.
1. What common security system is an IDPS most like? In what ways are these systems similar?
An IDS (Intrusion Detection System) works like a burglar alarm in that it detects a violation of its configuration and activates an alarm.This alarm can be audible and / or visual, or it can be silent. This system enables the systems to notify them directly of trouble via e - mail or pages. This system can also be configured - again like burglar alarm - to notify an external security service organization of a "break - in".
14. What is an open port? Why is it important to limit the number of open ports to those that are absolutely essential?
An open port is a TCP or UDP service port that accepts traffic and responds with services at that port address. Ports that are not required are often poorly configured and subject to misuse. Only essential services should be offered on secure networks.
6. List and describe the three control strategies proposed for IDPSs.
Centralized control strategy: • In this strategy, the central location holds all the IDS functions that are implemented and managed. • This strategy analyse the system and the networks that are collected by the control function, by that the current situation is determined Fully distributed control strategy: • It is opposite to centralized; it identifies the physical location of all the control functions • It delivers three functions on its own, they are detection, reaction and response functions to monitor the site used by a remote sensor. Partially distributed control strategy: • It is the combination of above two strategies. • It provides safety to the system by detecting the threats in a system by analysing and responding to them. • The strategy enables the agents to analyse individually and to report if the widespread attacks are detected. • By this, the system can configure to try out of the attacks that are concerned.
2. How does a false positive alarm differ from a false negative alarm? From a security perspective, which is less desirable?
False negative - The failure of an IDS system to react to an actual attack event of all failures this is the most grievous, for the very purpose of an IDS to detect attacks. It can be used to distinguish between these stimuli and real attacks. False positive - An alarm or alert that indicates that an attack is in progress or that an attack has successfully occurred when in fact these was no such attack. A false positive operations / activity for an attack. False positive tend to make users in sensitive to alarms, and will reduce their quickness and degree of reaction to actual intrusion events through process of desensitization to alarms and events. This can wake user less inclined, and therefore slow, to react when an actual intrusion occurs.
13. Why would ISPs ban outbound port scanning by their customers?
Following are the reasons for banning of outbound port scanning by the customers of Internet service providers (ISPs): The attackers and defenders can find out the active computers, their ports, and services on the network. The attacker or hacker can collect the internet address of the targeted organizations. The hackers may perform malicious activities.
12. Why do many organizations ban port scanning activities on their internal network?
Following are the reasons for banning of port scanning activities on their internal networks by many organizations: The attackers and defenders can find out the active computers, their ports, and services on the network. The information that is collected can be used for accessing the network illegally. The sensitive information of the organization can be hacked by the attackers and can be misused. Port scanning activities may use some of the system and network resources.
7. What is a honeypot? How is it different from a honeynet?
Honey pots are decoy systems designed to lure potential attackers away from critical systems and encourage attacks against themselves. Indeed, these systems are created for the sole purpose of deceiving potential attackers. In the industry, they are also known as decoys, lures, and fly-traps. When a collection of honey pots connects several honey pot systems on a subnet, it may be called a honey net. A honey pot system contains (or in the case of a honey net, entire subnet network) contains pseudo-services that emulate well-known services.
18. What is Metasploit Framework? Why is it considered riskier to use than other vulnerability scanning tools?
Metasploit Framework: It is a tool that allows creation of an account or modification of a web page or viewing the data by a vulnerability analyst on a remote target machine. It is the only tool, which is available without a license fee. The penetration testers to verify the vulnerabilities in the system use it. It is a powerful tool for performing penetration testing. It is more dangerous and riskier to use than the other vulnerability scanning tools because it can penetrate the code and can modify the memory.
10. What is network fingerprinting?
Network fingerprinting is the process of performing a systematic survey of the organization that is targeted to collect the internet address related to the organization. The collection of the internet address is performed in the phase of foot printing. The survey is performed on the host in that range to identify the network services offered by it.
9. What is network footprinting?
Network footprinting is an organized collection of information about a targeted network environment. The attackers, before attacking a network, collect the information such as the IP address of the targeted organization. The attackers, to perform footprinting, use public Internet.
15. What is a system's attack surface? Why should it be minimized when possible?
System's attack surface: Attack surface of a system refers to the functions and features of the system that are easily exposed to an unauthenticated users. The attacker uses the attack protocol, which is a logical sequence of steps to attack the system. Following are the reasons for the system to minimize functions and features that are exposed to the unauthorized users: The probability for the attackers to attack the system can be reduced. The features that are vulnerable and may compromise the security of the system can be reduced. It is possible to optimize the resources of the computer.
11. How are network footprinting and network fingerprinting related?
The relationship between network footprinting and network fingerprinting is that network footprinting is one of the phases in network fingerprinting. In network fingerprinting, in order to perform a systematic survey of the organization that is targeted, internet address related to the organization are to be collected. Network footprinting is the collection of the internet address of the targeted organization. Network footprinting is an organized collection of information about a prospective target, which is available publicly. Network fingerprinting with the help of the internet address of the targeted organization that are collected by network footprinting, will perform a survey on the host in that range to identify the network services offered by it.
