Chapter 7 Principles of Information Security.
Sensor
A hardware or software component deployed on a remote computer or network segment and designed to monitor network or system traffic for suspicious activities and report back to the host application. IDPS sensors report to the IDPS application. AKA agent.
Blacklist
A list of systems, users, files or addresses that have been associated with malicious activity; it is commonly used to block those entities from systems or network access.
Attack Protocol
A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.
Honeynet
A monitored network or network segment that contains multiple honeypot systems.
Padded Cell System
A protected honeypot that cannot be easily compromised.
Known vulnerability
A published weakness or fault in an information asset or its protective systems that may be exploited and result in a loss.
Security Information & Event Management (SIEM)
A software-enabled approach to aggregating, filtering, and managing the reaction to events, many of which are collected by logging activities of IDPS and network management devices.
Packet Sniffer
A software program or hardware appliance that can intercept, copy, and interpret network traffic.
Intrusion detection system (IDS)
A system capable of automatically detecting an intrusion into an organization's networks or host systems and notifying a designated authority.
Threshold
A value that sets the limit between normal and abnormal behaviors. Related to clipping level.
Anomaly based detection
AKA behavior based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy.
Signature based detection
AKA knowledge-based detection or misuse detection. The examination of system or network data in search of patterns that match known attack signatures.
Monitoring port
Also known as a switched port analysis (SPAN) port or mirror port, a specially configured connection on a network device that can view all the traffic that moves through the device.
Fully distributed IDPS control strategy
An IDPS implementation in which all control functions are applied at the physical location of each IDPS component.
Passive mode
An IDPS sensor setting in which the device simply monitors and analyzes observed network or system traffic.
Host-based IDPS (HIDPS)
An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system. AKA system integrity verifier.
Intrusion
An adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intent to harm.
Trap-and-Trace Application
An application that combines the function of honeypots or honeynets with the capability to track the attacker back through the network.
Honeypot
An application that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while software notifies the administrator of the intrusion.
Pen Register
An application that records information about outbound communications.
Active Vulnerability Scanner
An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems and other vulnerabilities in servers.
Log File Monitor (LFM)
An attack detection method that reviews the log files generated by computer systems, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred.
Centralized IDPS control strategy
An IDPS implementation approach in which all control functions are implemented and managed from a central location.
Network Based IDPS (NIDPS)
An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.
Zero Day Vulnerability
An unknown or undisclosed vulnerability in an information asset or its protection systems that may be exploited and result in a loss. This vulnerability is also referred to as a zero day or zero hour because once it is discovered, the technology owners have zero days to identify, mitigate, and resolve the vulnerability.
Enticement
The act of attracting attention to a system by placing tantalizing information in key locations.
Entrapment
The act of luring a person into committing a crime in order to get a conviction.
Stateful Protocol Analysis (SPA)
The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns in an effort to detect misuse attacks.
Intrusion Detection and Prevention System (IDPS)
The general term for a system that can both detect and modify its configuration and environment to prevent intrusions. An IDPS encompasses the functions of both intrusion detection systems and intrusion prevention technology.
Footprinting
The organized research and investigation of internet addresses owned or controlled by a target organization.
Application Protocol verification
The process of examining and verifying the higher-order protocols (HTTP, FTP, Telnet) in network traffic for unexpected packet behavior or improper use.
Back hack
The process of illegally attempting to determine the source of an intrusion by tracing it and trying to gain access to the originating system.
Fingerprinting
The systematic survey of a targeted organization's internet addresses, collected during the footprinting phase, to identify the network services offered by the hosts in that range.
Whitelist
A list of systems, users, files, or addresses that are known to be benign; it is commonly used to expedite those entities' access to systems or networks.
Clipping Level
A predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to write the event to a log file and/or notify the administrator.
Passive vulnerability scanner
A scanner that listens in on a network and identifies vulnerable versions of both server and client software.
Partially distributed IDPS control strategy
An IDPS implementation approach that combines the best aspects of the centralized and fully distributed strategies.
Inline sensor
An IDPS sensor intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall.
Signatures
Patterns that correspond to a known attack.
Protocol stack verification
The process of examining and verifying network traffic for invalid data packets, that is, packets that are malformed under the rules of the TCP/IP protocol.