Chapter 7 Review Questions
2. How does a false positive alarm differ from a false negative alarm? From a security perspective, which is less desirable?
False negative: the failure of an IDS to react to an actual attack event. Of all failures this is the most grievous, because the very purpose of an IDS is to detect attacks. False positive: an alarm or alert that indicates that an attack is in progress, or that an attack has successfully occurred, when in fact there was no such attack. A false positive is produced when the IDS mistakes normal operations or activity for an attack; the IDS must be tuned to distinguish between these stimuli and real attacks. False positives tend to make users insensitive to alarms and reduce their quickness and degree of reaction to actual intrusion events through a process of desensitization to alarms and events. This can make users less inclined, and therefore slower, to react when an actual intrusion occurs. From a security perspective, the false negative is therefore the less desirable of the two.
13. Why would ISPs ban outbound port scanning by their customers?
Internet service providers (ISPs) ban outbound port scanning by their customers for the following reasons: port scanning lets attackers, as well as defenders, find the active computers on a network and the ports and services they expose; an attacker or hacker can use it to collect the Internet addresses of targeted organizations; and the scanning customer may go on to perform malicious activities against those targets.
12. Why do many organizations ban port scanning activities on their internal network?
Many organizations ban port scanning on their internal networks for the following reasons: port scanning lets attackers, as well as defenders, find the active computers on the network and the ports and services they expose; the information collected can be used to access the network illegally; sensitive information belonging to the organization can be stolen by attackers and misused; and port scanning consumes system and network resources.
7. What is a honeypot? How is it different from a honeynet?
Honeypots are decoy systems designed to lure potential attackers away from critical systems and encourage attacks against themselves. Indeed, these systems are created for the sole purpose of deceiving potential attackers. In the industry they are also known as decoys, lures, and fly-traps. When several honeypot systems are connected together on a subnet, the collection may be called a honeynet. A honeypot system (or, in the case of a honeynet, the entire subnet) contains pseudo-services that emulate well-known services.
3. How does a network-based IDPS differ from a host-based IDPS?
A network-based IDS resides on a network segment and monitors activities across that segment. A host-based IDS resides on a particular computer or server, known as the host, and monitors activity only on that system. A host-based IDS has an advantage over a network-based IDS in that it can usually be installed in such a way that it can access information that is encrypted when travelling over the network. For this reason, a host-based IDS is able to use the content of otherwise encrypted communications to make decisions about possible or successful attacks.
19. What kind of data and information can be found using a packet sniffer?
A packet sniffer (sometimes called a network protocol analyzer) is a network tool that collects copies of packets from the network and analyzes them. It can provide a network administrator with valuable information for diagnosing and resolving networking issues. All network traffic that is visible on the packet sniffer's network connection can be captured, and if the data in those packets is not encrypted, all of their contents are viewable as well.
8. How does a padded cell system differ from a honeypot?
A padded cell is a honeypot that has been protected so that it cannot be easily compromised. In other words, a padded cell is a hardened honeypot. In addition to attracting attackers with tempting data, a padded cell operates in tandem with a traditional IDS. When the IDS detects attackers, it seamlessly transfers them to a special simulated environment where they can cause no harm—the nature of this host environment is what gives the approach its name, padded cell.
4. How does a signature-based IDPS differ from a behavior-based IDPS?
A signature-based system looks for patterns of behavior that match a library of known behaviors. A behavior-based system watches for activities that suggest an alert-level activity is occurring based on sequences of actions or the timing between otherwise unrelated events.
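To make the contrast in questions 2 and 4 concrete, here is an added example (not from the chapter) that runs a toy signature-based detector and a toy rate-based behavior detector over constructed web-server log events and scores each against a ground-truth label to count true positives, false positives and false negatives. The signature list, event data and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed web-server log events: (timestamp in s, source IP, request, is_attack).
# The last field is the ground truth used only for scoring, never by the detectors.
EVENTS = [
    (0, "10.0.0.5",  "GET /index.html", False),
    (1, "10.0.0.5",  "GET /about.html", False),
    (2, "10.0.0.9",  "GET /admin/../../etc/passwd", True),
    (3, "10.0.0.7",  "GET /login", False),
    (3, "10.0.0.7",  "GET /login", False),
    (3, "10.0.0.7",  "GET /login", False),
    (4, "10.0.0.7",  "GET /login", False),   # 4th request in 2 s: a health-check script
    (5, "10.0.0.9",  "GET /?q=' OR 1=1 --", True),
    (6, "10.0.0.12", "GET /search?q=passwd+policy", False),  # benign text hitting a signature
    (7, "10.0.0.9",  "GET /cgi-bin/probe-1", True),   # probing burst with no known signature
    (7, "10.0.0.9",  "GET /cgi-bin/probe-2", True),
    (8, "10.0.0.9",  "GET /cgi-bin/probe-3", True),
    (8, "10.0.0.9",  "GET /cgi-bin/probe-4", True),
]

# Signature library: known-bad substrings standing in for pattern rules (constructed).
SIGNATURES = ["../", "' OR 1=1", "passwd"]

def signature_detect(events):
    """Flag an event when its request matches any entry in the signature library."""
    return [any(sig in req for sig in SIGNATURES) for _, _, req, _ in events]

def behavior_detect(events, window=2, threshold=4):
    """Flag an event when its source has sent `threshold` or more requests within
    the last `window` seconds: a rate-based rule that never inspects payloads."""
    history = defaultdict(list)
    flags = []
    for ts, src, _, _ in events:
        history[src].append(ts)
        recent = [t for t in history[src] if ts - t < window]
        flags.append(len(recent) >= threshold)
    return flags

def score(flags, events):
    """Compare detector output with the ground-truth label of each event."""
    pairs = list(zip(flags, (e[3] for e in events)))
    return {
        "true_positive": sum(1 for f, real in pairs if f and real),
        "false_positive": sum(1 for f, real in pairs if f and not real),   # alarm, no attack
        "false_negative": sum(1 for f, real in pairs if not f and real),   # attack, no alarm
    }
```

The signature detector catches the two known patterns, misses the novel probing burst and raises a false alarm on benign text; the behavior detector catches the burst but misses the single malicious requests and raises a false alarm on the health-check burst.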
16. What is a vulnerability scanner? How is it used to improve security?
A vulnerability scanner is a software program or network appliance that scans a range of network addresses and port numbers for open services. When a service port is found, it attempts to identify the service being offered and evaluates the security of that service, perhaps by compromising the service. When an improperly configured or weak service port is found, it can be removed or repaired to reduce risk.
5. What is a monitoring or SPAN port? What is it used for?
A switched-port analysis (SPAN) port is a data port on a switched device that replicates all designated traffic from the switch so that the traffic can be captured, stored, or analyzed for IDS or other purposes.
20. What capabilities should a wireless security toolkit include?
A wireless connection has many potential security holes. An organization that spends all of its time securing the wired network and leaves wireless networks to operate in any manner is opening itself up for a security breach. A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network.
17. What is the difference between passive and active vulnerability scanners?
Active vulnerability scanners scan networks for highly detailed information. An active scanner initiates traffic on the network in order to determine security holes. As a class, this type of scanner identifies exposed usernames and groups, shows open network shares, and exposes configuration problems and other vulnerabilities in servers. An active scanner initiates network traffic to find and evaluate service ports. Active scanners try to penetrate the systems in much the same way that a real hacker would. They can sometimes cause interruption of network services or bring servers down, so they should be run during times when network usage is low (such as at night or on the weekend). They perform a much more aggressive and more thorough scan.
A passive vulnerability scanner listens in on the network and determines vulnerable versions of both server and client software. A passive scanner uses traffic from the target network segment to evaluate the service ports available from hosts on that segment. Passive scanners are advantageous in that they do not require vulnerability analysts to obtain approval prior to testing. These tools simply monitor the network connections to and from a server to build a list of vulnerable applications. Furthermore, passive vulnerability scanners are able to find client-side vulnerabilities that active scanners typically do not find. For instance, an active scanner operating without domain admin rights would be unable to determine the version of Internet Explorer running on a desktop machine, whereas a passive scanner can make that determination by observing the traffic to and from the client. Passive scanning products are designed not to interfere with normal network activity. They can run continuously in the background, monitoring the systems and checking for vulnerabilities without degrading network performance or crashing the systems.
It is sometimes desirable to run a passive scanner in an "always on" mode and also run a more thorough active scan at regular intervals.
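As an added illustration of the passive approach described in question 17 (not code from the chapter), the following minimal passive scanner reads only constructed records of traffic already observed on a monitoring port, infers server and client software versions from banners and headers, and compares them with a constructed baseline of minimum acceptable versions. It never sends a packet to any host; the baseline table is a placeholder for a real vulnerability database.

```python
import re

# Constructed records of traffic seen on a SPAN port: (host, role, observed text).
OBSERVED = [
    ("192.0.2.10", "server", "SSH-2.0-OpenSSH_7.4"),
    ("192.0.2.11", "server", "Server: Apache/2.4.29 (Ubuntu)"),
    ("192.0.2.11", "server", "Server: Apache/2.4.29 (Ubuntu)"),   # repeat, must not duplicate
    ("192.0.2.50", "client", "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Firefox/91.0"),
    ("192.0.2.51", "client", "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Firefox/115.0"),
]

# Banner patterns mapping observed text to (product, version).
PATTERNS = [
    re.compile(r"SSH-2\.0-(OpenSSH)_(\d+\.\d+)"),
    re.compile(r"Server: (Apache)/(\d+(?:\.\d+)+)"),
    re.compile(r"(Firefox)/(\d+(?:\.\d+)+)"),
]

# Constructed baseline (not real advisories): versions below these are reported as outdated.
MINIMUM_OK = {"OpenSSH": "8.0", "Apache": "2.4.30", "Firefox": "100.0"}

def version_key(version):
    """Turn '2.4.29' into (2, 4, 29) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))

def identify(text):
    """Return (product, version) for the first matching pattern, else None."""
    for pattern in PATTERNS:
        m = pattern.search(text)
        if m:
            return m.group(1), m.group(2)
    return None

def passive_inventory(records):
    """Build host -> set of (role, product, version) from observed traffic only."""
    inventory = {}
    for host, role, text in records:
        hit = identify(text)
        if hit:
            inventory.setdefault(host, set()).add((role,) + hit)
    return inventory

def find_outdated(inventory, minimum=MINIMUM_OK):
    """List (host, role, product, version) entries older than the baseline."""
    findings = []
    for host, entries in inventory.items():
        for role, product, version in entries:
            if product in minimum and version_key(version) < version_key(minimum[product]):
                findings.append((host, role, product, version))
    return sorted(findings)
```

Note that the client-side Firefox finding on 192.0.2.50 comes purely from observing the browser's own request headers, which is the advantage the text attributes to passive scanners.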
1. What common security system is an IDPS most like? In what ways are these systems similar?
An IDS (intrusion detection system) works like a burglar alarm in that it detects a violation of its configuration and activates an alarm. This alarm can be audible and/or visual, or it can be silent. The system can be configured to notify administrators directly of trouble via e-mail or pager. It can also be configured, again like a burglar alarm, to notify an external security service organization of a "break-in".
14. What is an open port? Why is it important to limit the number of open ports to those that are absolutely essential?
An open port is a TCP or UDP service port that accepts traffic and responds with services at that port address. Ports that are not required are often poorly configured and subject to misuse. Only essential services should be offered on secure networks.
6. List and describe the three control strategies proposed for IDPSs.
Centralized control strategy:
• All IDS functions are implemented and managed from a central location.
• The information about the systems and networks collected by the control function is analysed centrally, and from it the current situation is determined.
Fully distributed control strategy:
• The opposite of centralized: the control functions are located at the physical site of each IDS component.
• Each remote sensor delivers the detection, reaction and response functions on its own to monitor its site.
Partially distributed control strategy:
• A combination of the above two strategies.
• It protects the system by detecting threats, analysing them and responding to them.
• Individual agents analyse on their own and report when widespread attacks are detected.
• From those reports, the system can be configured to deal with the attacks that are of concern.
18. What is Metasploit Framework? Why is it considered riskier to use than other vulnerability scanning tools?
Metasploit Framework: a tool that allows a vulnerability analyst to create an account, modify a web page, or view data on a remote target machine. It is the only such tool that is available without a license fee. Penetration testers use it to verify vulnerabilities in a system; it is a powerful tool for performing penetration testing. It is more dangerous and riskier to use than other vulnerability scanning tools because it can penetrate the code and modify memory.
10. What is network fingerprinting?
Network fingerprinting is the process of performing a systematic survey of the targeted organization's Internet addresses, which are collected during the footprinting phase. The survey is performed on the hosts in that address range to identify the network services they offer.
9. What is network footprinting?
Network footprinting is an organized collection of information about a targeted network environment. Before attacking a network, attackers collect information such as the IP addresses of the targeted organization. To perform footprinting, attackers use the public Internet.
15. What is a system's attack surface? Why should it be minimized when possible?
System's attack surface: the attack surface of a system refers to the functions and features of the system that are exposed to unauthenticated users. An attacker follows an attack protocol, a logical sequence of steps, to attack the system. The functions and features exposed to unauthorized users should be minimized for the following reasons: the probability of attackers successfully attacking the system is reduced; the number of vulnerable features that may compromise the security of the system is reduced; and the computer's resources can be optimized.
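Questions 14 and 15 both come down to an inventory of what a host exposes. As an added example (not from the chapter), this script parses constructed output in the format of `ss -ltn` on Linux, separates sockets bound only to loopback from those reachable from the network, and reports which externally exposed ports fall outside a constructed allowlist of essential services and should be removed. The allowlist and the sample output are assumptions for illustration.

```python
# Constructed sample of `ss -ltn` output (listening TCP sockets, numeric ports).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*
LISTEN  0       511     *:80                *:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       128     0.0.0.0:5900        0.0.0.0:*
LISTEN  0       128     [::1]:631           [::]:*
"""

# Assumed allowlist: the only services this host is meant to offer to the network.
ESSENTIAL = {22, 80}

def parse_listeners(text):
    """Return (local_address, port) for every LISTEN line, skipping the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)   # rsplit keeps IPv6 '[::]' intact
        listeners.append((addr, int(port)))
    return listeners

def is_loopback(addr):
    """Loopback-bound sockets are not reachable from other hosts."""
    return addr == "[::1]" or addr.startswith("127.")

def exposed_ports(listeners):
    """Ports bound to a non-loopback address (wildcard or a real interface)."""
    return sorted({port for addr, port in listeners if not is_loopback(addr)})

def attack_surface_report(text, essential=ESSENTIAL):
    """Split exposed ports into those on the allowlist and those to shut down."""
    exposed = exposed_ports(parse_listeners(text))
    return {
        "exposed": exposed,
        "essential": [p for p in exposed if p in essential],
        "reduce": [p for p in exposed if p not in essential],
    }
```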
11. How are network footprinting and network fingerprinting related?
Network footprinting is one of the phases of network fingerprinting. To perform the systematic survey of the targeted organization that fingerprinting requires, the Internet addresses related to the organization must first be collected, and network footprinting is that collection of the targeted organization's Internet addresses: an organized collection of publicly available information about a prospective target. Network fingerprinting then uses the addresses collected by footprinting to survey the hosts in that range and identify the network services they offer.