Ch. 7 - Security Technology: Intrusion Detection and Prevention Systems Flashcards
(46 cards)
Story or vignette
The story is about Miller Harrison, a contractor whose contract with SLS gets terminated. He is resentful and angry, blames Kelvin and Laverne Nguyen for his firing, and thus decides he is going to try to hack the company's network.
In violation of company policy, he had taken home a copy of the network diagram in previous weeks and stashed files and access codes in preparation.
First, he attacked from an internet cafe using a VPN.
He found himself locked out from both the front door, with the remote access VPN not working (crypto-token confiscated), and the backdoor, with the attempt at the dial-up connection. His final attempt was a zombie program he had installed on the company's extranet quality assurance server. With that having failed, he went back to the first step, launching a port scanner from his laptop.
Footprinting
Footprinting - getting a fully annotated diagram of the network
Learning Objectives
- Identify and describe the different categories and operating models of intrusion detection and prevention systems.
- Define and understand honeypots, honeynets, and padded cell systems.
- Understand the major categories of scanning and analysis tools, and describe the specific tools used within each of these categories.
- Explain the various methods of access control, including biometrics.
Intrusion
Occurs when an attacker attempts to gain entry into or disrupt the normal operations of an information system, almost always with the intent to do harm.
intrusion prevention
Intrusion prevention consists of activities that deter an intrusion.
intrusion detection
Intrusion detection consists of procedures and systems that identify system intrusions.
intrusion reaction
Intrusion reaction encompasses the actions an organization takes when an intrusion is detected.
Goals: limit losses and return to a normal state.
intrusion correction
Intrusion correction activities finalize the restoration of operations to a normal state and seek to identify the source and method of the intrusion in order to ensure that the same type of attack cannot occur again—thus reinitiating intrusion prevention.
IDS
Intrusion detection systems
IPS
Intrusion prevention system
Can detect an intrusion and prevent it from successfully attacking via an active response.
IDPS
Intrusion detection and prevention systems
False negative
False negative: The failure of an IDPS to react to an actual attack event. This is the most grievous failure, since the purpose of an IDPS is to detect and respond to attacks.
False positive
False positive: An alert or alarm that occurs in the absence of an actual attack. A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack. False positives tend to make users insensitive to alarms and thus reduce their reactivity to actual intrusion events.
boy who cried wolf
6 reasons why you should use an IDPS
- To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system
- To detect attacks and other security violations that are not prevented by other security measures
- To detect and deal with the preambles to attacks (commonly experienced as network probes and other “doorknob rattling” activities)
- To document the existing threat to an organization
- To act as quality control for security design and administration, especially in large and complex enterprises
- To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors
FOOTPRINTING
Footprinting (activities that gather information about the organization and its network activities and assets).
Fingerprinting
Fingerprinting (activities that scan network locales for active systems and then identify the network services offered by the host systems).
IPS vs. IDS
An IPS can respond to a detected threat and try to stop it by:
- Terminating the network connection or user session that is being used for the attack
- Blocking access to the target (or possibly other likely targets) from the offending user account, IP address, or other attacker attribute
- Blocking all access to the targeted host, service, application, or other resource
- Changing the security environment. For example, changing the configuration of a firewall, router, or switch to block the attacker out.
- Changing the attack's content. Some IPS technologies can remove or replace malicious portions of an attack to make it benign. A simple example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned e-mail to reach its recipient.
Types of IDPS
- Network-based systems - protect network information assets
- Wireless IDPS
- Network Behavior Analysis (NBA) IDPS
- Host-based systems - protect the server or host's information assets
IDPS Detection Methods
- Signature-based approach
- The statistical-anomaly approach
- The stateful packet inspection approach
Log File Monitors (LFMs)
Using LFM, the system reviews the log files generated by servers, network devices, and even other IDPSs, looking for patterns and signatures that may indicate that an attack or intrusion is in process or has already occurred.
IDPS Response Options
- Audible/visual alarm
- SNMP traps and plug-ins
- Email message
- page or text
- Log entry
- Evidentiary packet dump
- Take action against the intruder
- Launch program
- Reconfigure firewall
- Terminate session
- Terminate connection
Strengths of IDPSs
Intrusion detection and prevention systems perform the following functions well:
- Monitoring and analysis of system events and user behaviors
- Testing the security states of system configurations
- Baselining the security state of a system, then tracking any changes to that baseline
- Recognizing patterns of system events that correspond to known attacks
- Recognizing patterns of activity that statistically vary from normal activity
- Managing operating system audit and logging mechanisms and the data they generate
- Alerting appropriate staff by appropriate means when attacks are detected
- Measuring enforcement of security policies encoded in the analysis engine
- Providing default information security policies
- Allowing non-security experts to perform important security monitoring functions
Limitations of IDPS
Intrusion detection systems cannot perform the following functions:
- Compensating for weak or missing security mechanisms in the protection infrastructure, such as firewalls, identification and authentication systems, link encryption systems, access control mechanisms, and virus detection and eradication software
- Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load
- Detecting newly published attacks or variants of existing attacks
- Effectively responding to attacks launched by sophisticated attackers
- Automatically investigating attacks without human intervention
- Resisting all attacks that are intended to defeat or circumvent them
- Compensating for problems with the fidelity of information sources
- Dealing effectively with switched networks
IDPS terrorists
Attacks designed to trip the organization's IDPS, essentially causing the organization to conduct its own DoS attack by overreacting to an actual, but insignificant, attack.