Info Sys Chapter 13 concepts
Passive vs Active tools
- Active tools interact with a target system in a fashion where their use can be detected.
  - Scanning a network with Nmap (Network Mapper) is an active act that can be detected.
- Passive tools are those that do not interact with the system in a manner that would permit detection, such as sending packets or altering traffic.
  - Examples include Tripwire and OS mapping by analyzing TCP/IP traces with a tool such as Wireshark.
  - They can use existing traffic to provide data for analysis.
Data Loss Prevention (DLP)
- USB blocking: physically disable ports or use software to control them
- E-mail: scan the mail server
Host based DS vs Network Based DS
- Host-based DS are concerned with and examine individual computers.
- Network-based DS have visibility only into the traffic crossing the network link they are monitoring and typically have no idea of what is happening on individual systems.
Pros/Cons of each:
- NIDS
  - Pros: integrates well with perimeter security; cheaper deployment and maintenance costs; fewer systems required.
  - Cons: ignores internal problems (many problems originate internally); ineffective when traffic is encrypted; has to handle high volumes of traffic; does not know about host activity.
- HIDS
  - Pros: OS-specific and detailed signatures; reduced false positives; examines decrypted data; application-specific.
  - Cons: high cost of ownership; could be compromised if logging only locally; must have a process on every system you want to watch.
Anomaly detection model
- more complicated than misuse detection
- identifies "normal" behavior
- identifies abnormalities and scrutinizes them for malicious activity
- allows the system to deal with variations in traffic
- not restricted to a signature set
Misuse detection model
- simpler and more popular
- looks for suspicious activity or activity that violates specific policies and then reacts as it has been programmed to do
- reactions include: alarm, e-mail, router reconfiguration, or TCP reset message
- more efficient model
- relies on a predefined signature base (the drawback of the model)
- easier and cheaper to implement
Content vs context based signatures
- Content: generally simple; examine network packets or log entries; easy to build and easy to look for certain things
- Context: generally complicated; designed to match large patterns of activity and examine how certain types of activity fit into the other activities going on around them
What is IDS, IPS and what are the differences?
- IDS: a security system that detects inappropriate or malicious activity on a computer or network.
- IPS: an intrusion prevention system monitors network traffic for malicious or unwanted behavior and can block, reject, or redirect that traffic in real time.
- Differences: an IPS has to sit inline with the flow of traffic; both have weaknesses in dealing with encryption.
Security Information and Event Management (SIEM)
- A combination of hardware and software designed to classify and analyze security data from numerous sources.
- SIEMs have the ability, through a set of rules and the use of analytical engines, to identify specific predetermined patterns and either alert or react to them.
- Automated alerting can remove much of the time delay between specific activity and the security operations reaction.
- A trigger event can result in a connection being highlighted on an analyst's workstation or, in some cases, an automated response.
- time synchronization
- data aggregation
- event duplication
- logs and WORM storage