ISA3100 Chpt 7
To use a packet sniffer legally, the administrator must
(1) be on a network that the organization owns, (2)be under direct authorization of the network's owners, and (3)have knowledge and consent of the content's creators.
An IDPS is capable of interdicting the attack by itself, without human intervention. This could be accomplished by:
1.Terminating the user session or network connection over which the attack is being conducted 2. Blocking access to the target system or systems from the source of the attack, such as a compromised user account, inbound IP address, or other attack characteristic 3.Blocking all access to the targeted information asset
agent or sensors
A hardware and/or software component deployed on a remote computer or network segment and designed to monitor network or system traffic for suspicious activities and report back to the host application. For example, IDPS sensors report to an IDPS application.
blacklist .
A list of systems, users, files, or addresses that have been associated with malicious activity; it is commonly used to block those entities from systems or network access
attack protocol
A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.
clipping level
A predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to write the event to a log file and/or notify an administrator.
Alarm clustering and compaction
A process of grouping almost identical alarms that occur nearly at the same time into a single higher-level alarm. This consolidation reduces the number of alarms, which reduces administrative overhead and identifies a relationship among multiple alarms. Clustering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by system administrators.
known vulnerabilities
A published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.
passive vulnerability scanner
A scanner that listens in on a network and identifies vulnerable versions of both server and client software.
security information and event management (SIEM)
A software-enabled approach to aggregating, filtering, and managing the reaction to events, many of which are collected by logging activities of IDPSs and network management devices.
intrusion detection systems (IDS)
A system capable of automatically detecting an intrusion into an organization's networks or host systems and notifying a designated authority.
threshold
A value that sets the limit between normal and abnormal behavior.
monitoring port
Also known as a switched port analysis (SPAN) port or mirror port, a specially configured connection on a network device that can view all the traffic that moves through the device.
Anomaly-based detection
Also known as behavior-based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy
signature-based detection
Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures.
fully distributed IDPS control strategy.
An IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component
centralized IDPS control strategy
An IDPS implementation approach in which all control functions are implemented and managed in a central location.
partially distributed IDPS control strategy
An IDPS implementation approach that combines the best aspects of the centralized and fully distributed strategies.
Inline sensors
An IDPS sensor intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall.
passive mode
An IDPS sensor setting in which the device simply monitors and analyzes observed network or system traffic.
network-based IDPS (NIDPS)
An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.
host-based IDPS (HIDPS)
An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system. Also known as a system integrity verifier.
Site policy awareness
An IDPS's ability to dynamically modify its configuration in response to environmental activity. A so-called dynamic IDPS can adapt its reactions in response to administrator guidance over time and the local environment. A dynamic IDPS logs events that fit a specific profile instead of minor events, such as file modifications or failed user logins. A smart IDPS knows when it does not need to alert the administrator—for example, when an attack is using a known and documented exploit from which the system is protected.
intrusion
An adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intent to do harm.
False positive
An alert or alarm that occurs in the absence of an actual attack. A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack. False positives tend to make users insensitive to alarms and thus reduce their reactions to actual intrusion events.
Trap-and-trace
An application that combines the function of honeypots or honeynets with the capability to track the attacker back through the network.
pen registers
An application that records information about outbound communications.
Active vulnerability scanners
An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers.
log file monitor (LFM) .
An attack detection method that reviews the log files generated by computer systems, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred
True attack stimulus
An event that triggers an alarm and causes an IDPS to react as if a real attack is in progress. The event may be an actual attack, in which an attacker is attempting a system compromise, or it may be a drill, in which security personnel are using hacker tools to test a network segment.
False attack stimulus
An event that triggers an alarm when no actual attack is in progress. Scenarios that test the configuration of IDPSs may use false attack stimuli to determine if the IDPSs can distinguish between these stimuli and real attacks.
Alert or alarm
An indication or notification that a system has just been attacked or is under attack. IDPS alerts and alarms take the form of audible signals, e-mail messages, pager notifications, or pop-up windows.
Zero day vulnerabilities or zero day attacks
An unknown or undisclosed vulnerability in an information asset or its protection systems that may be exploited and result in loss. This vulnerability is also referred to as zero day (or zero hour) because once it is discovered, the technology owners have zero days to identify, mitigate, and resolve the vulnerability.
A list of the top commercial and residential vulnerability scanners includes the following products:
Core Impact GFI LanGuard Microsoft Baseline Security Analyzer (MBSA) Nessus Nexpose Nipper OpenVAS QualysGuard Retina Secunia PSI Security Administrator's Integrated Network Tool (SAINT)
NBA sensors can most commonly detect:
DoS attacks (including DDoS attacks) Scanning Worms Unexpected application services, such as tunneled protocols, back doors, and use of forbidden application protocols Policy violations
A false positive is the failure of an IDPS system to react to an actual attack event.
FALSE
Alarm filtering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by the system administrators. _________________________
FALSE
Signature-based technology is widely used because many attacks have clear and distinct signatures:
Footprinting and fingerprinting activities use ICMP, DNS querying, and e-mail routing analysis. Exploits use a specific attack sequence designed to take advantage of a vulnerability to gain access to a system. DoS and DDoS attacks, during which the attacker tries to prevent the normal usage of a system, overload the system with requests so that its ability to process them efficiently is compromised or disrupted
__________ benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files.
HIDPSs
Using __________, the system reviews the log files generated by servers, network devices, and even other IDPSs.
LFM
NBA sensors offer the following intrusion prevention capabilities, which are grouped by sensor type:
Passive only: Ending the current TCP session. A passive NBA sensor can attempt to end an existing TCP session by sending TCP reset packets to both endpoints. Inline only: Performing inline firewalling. Most inline NBA sensors offer firewall capabilities that can be used to drop or reject suspicious network activity. Both passive and inline:
signatures
Patterns that correspond to a known attack.
A __________ port, also known as a monitoring port, is a specially configured connection on a network device that is capable of viewing all of the traffic that moves through the entire device.
SPAN
Intrusion detection and prevention typically includes the following relevant flow data:
Source and destination IP addresses Source and destination TCP or UDP ports or ICMP types and codes Number of packets and bytes transmitted in the session Starting and ending timestamps for the session
A(n) known vulnerability is a published weakness or fault in an information asset or its protective systems that may be exploited and result in loss. _________________________
TRUE
In DNS cache poisoning, valid packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on the network.
TRUE
stateful protocol analysis (SPA)
The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns in an effort to detect misuse and attacks.
False negative
The failure of an IDPS to react to an actual attack event. This is the most grievous IDPS failure, given that its purpose is to detect and respond to attacks.
attack surface
The functions and features that a system exposes to unauthenticated users.
intrusion detection and prevention system (IDPS)
The general term for a system that can both detect and modify its configuration and environment to prevent intrusions. An IDPS encompasses the functions of both intrusion detection systems and intrusion prevention technology.
Confidence value
The measure of an IDPS's ability to correctly detect and identify certain types of attacks. The confidence value an organization places in the IDPS is based on experience and past performance measurements. The confidence value, which is based on fuzzy logic, helps an administrator determine the likelihood that an IDPS alert or alarm indicates an actual attack in progress. For example, if a system deemed 90 percent capable of accurately reporting a denial-of-service (DoS) attack sends a DoS alert, there is a high probability that an actual attack is occurring.
footprinting
The organized research and investigation of Internet addresses owned or controlled by a target organization.
Noise
The presence of additional and disruptive signals in network communications or electrical power delivery. Also, noise can be alarm events that are accurate and noteworthy but do not pose significant threats to information security. Unsuccessful attacks are the most common source of IDPS noise, although some noise might be triggered by scanning and enumeration tools run by network users without harmful intent.
Evasion
The process by which attackers change the format and/or timing of their activities to avoid being detected by an IDPS.
Tuning
The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives.
Alarm filtering
The process of classifying IDPS alerts so they can be more effectively managed. An IDPS administrator can set up alarm filtering by running the system for a while to track the types of false positives it generates and then adjusting the alarm classifications. For example, the administrator may set the IDPS to discard alarms produced by false attack stimuli or normal network operations. Alarm filters are similar to packet filters in that they can filter items by their source or destination IP addresses, but they can also filter by operating systems, confidence values, alarm type, or alarm severity.
protocol stack verification
The process of examining and verifying network traffic for invalid data packets—that is, packets that are malformed under the rules of the TCP/IP protocol.
application protocol verification
The process of examining and verifying the higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.
back hack
The process of illegally attempting to determine the source of an intrusion by tracing it and trying to gain access to the originating system.
Site policy
The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
fingerprinting
The systematic survey of a targeted organization's Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range.
Trap-and-trace systems and pen registers are covered under
Title 18, U.S. Code Chapter 206, 3121, which essentially states that you can't use one unless you're a service provider attempting to prevent misuse and (1) it is used for systems maintenance and testing, (2)it is used to track connections, or (3)you have permission from the user of the service:
actions that can be performed on an alert type include:
Toggling it on or off Setting a default priority or severity level Specifying what information should be recorded and what notification methods (e.g., e-mail, pager) should be used Specifying which prevention capabilities should be used
__________ applications use a combination of techniques to detect an intrusion and then trace it back to its source.
Trap and trace
In addition to the traditional types of intrusions detected by other IDPSs, the wireless IDPS can also detect existing WLANs and WLAN devices for inventory purposes as well as detect the following types of events:
Unauthorized WLANs and WLAN devices Poorly secured WLAN devices Unusual usage patterns The use of wireless network scanners DoS attacks and conditions Impersonation and man-in-the-middle attacks
The IDPS can modify its environment by
changing the configuration of other security controls to disrupt an attack. This could include modifying a firewall's rule set or configuring another network device to shut down the communications channel to filter the offending packets.
Intrusion __________ activities finalize the restoration of operations to a normal state and seek to identify the source and method of the intrusion in order to ensure that the same type of attack cannot occur again.
correction
Activities that scan network locales for active systems and then identify the network services offered by the host systems is known as __________.
fingerprinting
Some IDPSs are capable of changing an attack's components by
replacing malicious content with benign material or by quarantining a network packet's contents