Information Security Chapter 7

SPAN

A __________ port, also known as a monitoring port, is a specially configured connection on a network device that is capable of viewing all of the traffic that moves through the entire device.

false

A false positive is the failure of an IDPS system to react to an actual attack event.

whitelist

A list of systems, users, files, or addresses that are known to be benign; it is commonly used to expedite those entities' access to systems or networks.

attack protocol

A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.

honeynet

A monitored network or network segment that contains multiple honeypot systems.

Alarm clustering and compaction

A process of grouping almost identical alarms that happen at close to the same time into a single higher-level alarm.

padded cell system

A protected honeypot that cannot be easily compromised.

Passive vulnerability scanner

A scanner that listens in on a network and identifies vulnerable versions of both server and client software.

security information and event management (SIEM)

A software-enabled approach to aggregating, filtering, and managing the reaction to events, many of which are collected by logging activities of IDPSs and network management devices.

true

A(n) known vulnerability is a published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.

fingerprinting

Activities that scan network locales for active systems and then identify the network services offered by the host systems are known as __________.

false

Alarm filtering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by the system administrators. _________________________

monitoring port

Also known as a switched port analysis (SPAN) port or mirror port, a specially configured connection on a network device that can view all the traffic that moves through the device.

anomaly-based detection

Also known as behavior-based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy.

signature-based detection

Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures.

network-based IDPS

An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.

host-based IDPS

An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system. Also known as a system integrity verifier.

site policy awareness

An IDPS's ability to dynamically modify its configuration in response to environmental activity.

log file monitor

An attack detection method that reviews the log files generated by computer systems, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred.

false attack stimulus

An event that triggers an alarm when no actual attack is in progress.

alert or alarm

An indication that a system has just been attacked and/or continues to be under attack.

true

In DNS cache poisoning, valid packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on the network.

correction

Intrusion __________ activities finalize the restoration of operations to a normal state and seek to identify the source and method of the intrusion in order to ensure that the same type of attack cannot occur again.

signatures

Patterns that correspond to a known attack.

entrapment

The act of luring a person into committing a crime in order to get a conviction.

stateful protocol analysis (SPA)

The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns in an effort to detect misuse and attacks.

false negative

The failure of an IDPS to react to an actual attack event.

attack surface

The functions and features that a system exposes to unauthenticated users.

confidence value

The measure of an IDPS's ability to correctly detect and identify certain types of attacks.

footprinting

The organized research and investigation of Internet addresses owned or controlled by a target organization.

tuning

The process of adjusting an IDPS to maximize its efficiency in detecting true positives, while minimizing both false positives and false negatives.

alarm filtering

The process of classifying IDPS alerts so that they can be more effectively managed.

protocol stack verification

The process of examining and verifying network traffic for invalid data packets—that is, packets that are malformed under the rules of the TCP/IP protocol.

application protocol verification

The process of examining and verifying the higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.

back hack

The process of illegally attempting to determine the source of an intrusion by tracing it and trying to gain access to the originating system.

site policy

The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.

fingerprinting

The systematic survey of a targeted organization's Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range.

port scanners

Tools used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information.

LFM

Using __________, the system reviews the log files generated by servers, network devices, and even other IDPSs.

trap and trace

__________ applications use a combination of techniques to detect an intrusion and then trace it back to its source.

HIDPS's

_______________ benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files.

sensors

A hardware and/or software component deployed on a remote computer or network segment and designed to monitor network or system traffic for suspicious activities and report back to the host application.

blacklist

A list of systems, users, files, or addresses that have been associated with malicious activity; it is commonly used to block those entities from systems or network access.

clipping level

A predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to notify an administrator.

known vulnerabilities

A published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.

intrusion detection systems (IDS)

A system capable of automatically detecting an intrusion into an organization's networks or host systems and notifying a designated authority.

threshold

A value that sets the limit between normal and abnormal behavior.

Fully distributed IDPS control strategy

An IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component.

Centralized IDPS control strategy

An IDPS implementation approach in which all control functions are implemented and managed in a central location.

partially distributed IDPS control strategy

An IDPS implementation approach that combines the best aspects of the centralized and fully distributed strategies.

inline sensors

An IDPS sensor intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall.

passive mode

An IDPS sensor setting in which the device simply monitors and analyzes observed network traffic.

intrusion

An adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intent to do harm.

false positive

An alert or alarm that occurs in the absence of an actual attack.

trap-and-trace

An application that combines the function of honeypots or honeynets with the capability to track the attacker back through the network.

honeypots

An application that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while the software notifies the administrator of the intrusion.

pen registers

An application that records information about outbound communications.

active vulnerability scanners

An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers.

true attack stimulus

An event that triggers an alarm and causes an IDPS to react as if a real attack is in progress.

zero day vulnerabilities

An unknown or undisclosed vulnerability in an information asset or its protection systems that may be exploited and result in loss.

enticement

The act of attracting attention to a system by placing tantalizing information in key locations.

intrusion detection and prevention system (IDPS)

The general term for a system that can both detect and modify its configuration and environment to prevent intrusions.

noise

The presence of additional and disruptive signals in network communications or electrical power delivery.

evasion

The process by which attackers change the format and/or timing of their activities to avoid being detected by an IDPS.
