Information Security and IDPS
Questions and Answers

What is the main goal of intrusion prevention?

  • To detect system intrusions
  • To correct intrusion events
  • To notify an external security service organization
  • To deter an intrusion from occurring (correct)

What is the term for actions an organization undertakes when an intrusion event is detected?

  • Intrusion correction
  • Intrusion detection
  • Intrusion prevention
  • Intrusion reaction (correct)

What is the purpose of alarm filtering in IDPS?

  • To reduce false negatives
  • To detect true attack stimuli
  • To increase confidence values
  • To reduce false positives (correct)

What is a honeynet?

A network of honeypot systems

What is the primary advantage of a network-based IDPS sensor location?

It can monitor multiple network segments

What is the difference between a NIDPS and a HIDPS?

A NIDPS performs network-based detection, while a HIDPS performs host-based detection

What is the purpose of tuning in IDPS?

To improve detection accuracy

What is the term for a system that is designed to detect a violation of its configuration and activate an alarm?

Intrusion Detection System (IDS)

What is the primary goal of a honeypot?

To divert potential attackers away from critical systems

What are the four dominant metrics used to evaluate the effectiveness of an IDPS?

Thresholds; blacklists and whitelists; alert settings; and code viewing and editing

Where should NIDPS sensors be located according to NIST recommendations?

Behind each external firewall, outside an external firewall, on major network backbones, and on critical subnets

What is the main difference between NIDPS and HIDPS?

NIDPS monitors network traffic, while HIDPS monitors host systems

What is a partially distributed IDPS control strategy?

Combines centralized and fully distributed strategies; individual agents can analyze and respond to local threats, while reporting to a hierarchical central facility

What is the primary purpose of a honeynet?

To collect information about attackers and their tactics

What is the main advantage of using honeypots and honeynets?

They can divert potential attackers away from critical systems and collect information about attackers

What is the main disadvantage of using honeypots and honeynets?

There may be legal and ethical implications to using them

What is the primary goal of deploying an IDPS?

To detect and prevent attacks

What is the main advantage of using a partially distributed IDPS control strategy?

It is more scalable and flexible than centralized or fully distributed strategies

What is the primary function of a Network-based IDPS?

To look for signs of attacks by examining packets for attack patterns

What is a disadvantage of NIDPSs?

They can become overwhelmed by network volume and fail to recognize attacks

What is an advantage of HIDPSs?

They can detect local events on host systems and detect attacks that may elude a network-based IDPS

What is not a type of IDPS detection method?

Log file monitors (a log file monitor is a type of IDPS; the detection methods are signature-based, statistical anomaly-based, and stateful protocol analysis)

What is a characteristic of statistical anomaly-based IDPS?

Samples network activity to compare to traffic that is known to be normal
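The two answers above contrast a rule-driven method with a statistical one. As an added example that is not part of the original quiz, the following Python script runs both over a constructed connection log: a tiny signature set (assumed regexes, not any vendor's rules) catches a known attack string, and a per-host connection-rate baseline learned from traffic assumed to be normal flags a port sweep that no rule describes. The record layout, the IP addresses, and the k = 3 threshold with a standard-deviation floor of 1 are assumptions made for the illustration.

```python
"""Signature-based vs statistical anomaly-based detection over a constructed
connection log. Added example; not code from the original page."""
import re
import statistics
from collections import defaultdict

# Record layout (assumed): (minute, source IP, destination port, payload excerpt)
# Constructed training window, treated as known-normal traffic.
BASELINE = [
    (0, "10.0.0.5", 443, "GET /index.html"),
    (0, "10.0.0.5", 443, "GET /app.js"),
    (0, "10.0.0.7", 80, "GET /"),
    (1, "10.0.0.5", 443, "POST /login"),
    (1, "10.0.0.7", 80, "GET /news"),
    (1, "10.0.0.9", 22, "SSH-2.0-OpenSSH_9.2"),
    (2, "10.0.0.5", 443, "GET /inbox"),
    (2, "10.0.0.7", 80, "GET /about"),
    (3, "10.0.0.9", 22, "SSH-2.0-OpenSSH_9.2"),
    (3, "10.0.0.5", 443, "GET /logout"),
]

# Constructed monitoring window: one request carries a known attack string and
# one host suddenly opens 40 connections to consecutive ports (a port sweep).
OBSERVED = [
    (4, "10.0.0.5", 443, "GET /index.html"),
    (4, "10.0.0.7", 80, "GET /?id=1' OR '1'='1"),
] + [(4, "10.0.0.9", port, "") for port in range(1, 41)]

# Signature-based detection: a tiny rule set (assumed patterns). It can only
# fire on traffic it has a rule for.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def connections_per_host_minute(records):
    """The statistic being sampled: connections per (source, minute)."""
    counts = defaultdict(int)
    for minute, src, _port, _payload in records:
        counts[(src, minute)] += 1
    return dict(counts)


def build_baseline(records):
    """Learn mean and population stdev of the statistic from normal traffic."""
    samples = list(connections_per_host_minute(records).values())
    return statistics.mean(samples), statistics.pstdev(samples)


def signature_alerts(records):
    """Match every payload against the rule set; returns (rule, src, port, minute)."""
    alerts = []
    for minute, src, port, payload in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((name, src, port, minute))
    return alerts


def anomaly_alerts(records, mean, stdev, k=3.0, min_stdev=1.0):
    """Flag (source, minute) pairs more than k standard deviations above the
    learned mean. The stdev floor keeps a very quiet baseline from turning
    every small fluctuation into an alarm, a common source of false positives."""
    threshold = mean + k * max(stdev, min_stdev)
    counts = connections_per_host_minute(records)
    return [(key, n) for key, n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    mean, stdev = build_baseline(BASELINE)
    print("signature hits:", signature_alerts(OBSERVED))
    print("anomalies:", anomaly_alerts(OBSERVED, mean, stdev))
```

Note what each method misses: the sweep carries no payload, so no signature fires on it, while the SQL injection attempt is a single connection and looks statistically normal. That gap is why the two methods are deployed together.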

What is a type of IDPS response?

Active response

What is a consideration when selecting an IDPS approach or product?

What is your systems environment?

Where are Network-based IDPS sensors typically located?

Installed at a specific place in the network where they can watch traffic going into and out of a particular network segment

What is a characteristic of wireless NIDPS?

Monitors and analyzes wireless network traffic

What is a type of IDPS?

Host-based IDPS

    Study Notes

    Understanding Security Goals and Objectives

    • Security goals and objectives include determining organizational requirements and constraints
    • Identifying existing security policies and requirements levied from outside the organization
    • Considering resource constraints and selecting IDPS approaches and products

    Strengths and Limitations of IDPSs

    • Strengths:
      • Monitoring and analyzing system events and user behaviors
      • Testing security states of system configurations
      • Baselining security states of systems and tracking changes
      • Recognizing system event patterns matching known attacks
      • Recognizing activity patterns that vary from normal activity
      • Managing OS audit and logging mechanisms and data
      • Alerting staff when attacks are detected
      • Measuring enforcement of security policies
      • Providing default information security policies
      • Allowing non-security experts to perform security monitoring
    • Limitations:
      • Not compensating for weak/missing security mechanisms
      • Not detecting new attacks or variants of existing attacks
      • Not responding to attacks by sophisticated attackers
      • Not investigating attacks without human intervention
      • Not resisting attacks intended to defeat or circumvent them
      • Not dealing with problems with fidelity of data sources
      • Not effectively handling switched networks

    Deployment and Implementation of IDPS

    • Three basic control strategies:
      • Centralized: all IDPS control functions are implemented and managed in a central location
      • Fully distributed: all control functions are applied at the physical location of each IDPS component
      • Partially distributed: combines centralized and fully distributed approaches
    • Deployment strategies:
      • Network-based IDPS (NIDPS): monitors network traffic
      • Host-based IDPS (HIDPS): monitors activity on a particular computer or server
      • NIDPS and HIDPS can be used in tandem to cover both individual systems and networks

    Measuring the Effectiveness of IDPSs

    • Evaluation metrics:
      • Thresholds
      • Blacklists and whitelists
      • Alert settings
      • Code viewing and editing
    • Vendors provide testing mechanisms to verify system performance
    • Testing processes:
      • Recording and retransmitting packets from real virus or worm scans
      • Conducting real virus or worm scans against an invulnerable system

    Honeypots, Honeynets, and Padded Cell Systems

    • Honeypots: decoy systems designed to lure potential attackers away from critical systems
    • Honeynets: collections of honeypots connecting several systems on a subnet
    • Padded cells: protected honeypots that cannot be easily compromised
    • Advantages:
      • Attracting and diverting attackers
      • Collecting information about attacker activity
      • Encouraging attackers to stay on the system long enough for administrators to respond
    • Disadvantages:
      • Legal implications of using honeypots and padded cells
      • Not yet proven to be generally useful security technologies
      • Expert attackers may become angry and launch a more hostile attack
      • Require high-level expertise to use effectively

    Trap and Trace Systems

    • Use a combination of techniques to detect an intrusion and trace it back to its source
    • Trap: a honeypot or padded cell with an alarm
    • Legal implications: enticement is legal and ethical, but entrapment is not
    • Active intrusion prevention: some tools go beyond detecting and tracing an attack and actively interfere with it
    • LaBrea: a "sticky honeypot" that claims unused IP address space, answers connection requests sent to those addresses, and then holds the attacker's connections open so that scans and worms are slowed down

    Scanning and Analysis Tools

    • Footprinting: researching Internet addresses owned or controlled by a target organization
    • Fingerprinting: surveying a target organization's Internet addresses to reveal internal structure and operational nature
    • Port scanners: tools used to identify computers active on a network and the ports and services active on them
    • Firewall analysis tools: several tools automate remote discovery of firewall rules and assist in analyzing them
    • Operating system detection tools: detect a target computer's operating system
    • Vulnerability scanners: active and passive scanners that identify vulnerabilities
    • Packet sniffers: tools that collect and analyze network packets
    • Wireless security tools: assess the risk of wireless networks
    • Biometric access control: uses measurable human characteristics to authenticate identity
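The Biometric Access Control notes that follow evaluate a system by its false reject rate, false accept rate and crossover error rate. As an added example, not from the original page, this Python script computes those rates by sweeping a decision threshold over constructed genuine and impostor match scores (the 0 to 100 scale and the score values are assumptions), locates the crossover, and then picks the stricter operating point a security-first deployment would use.

```python
"""Biometric evaluation: FRR, FAR and the crossover error rate (CER).
Added example; not code from the original page. Scores are constructed."""

# Constructed match scores on an assumed 0-100 scale (higher = better match).
# GENUINE: legitimate users matched against their own template.
# IMPOSTOR: other people matched against that template.
GENUINE = [95, 92, 90, 88, 85, 82, 80, 76, 72, 58]
IMPOSTOR = [20, 25, 30, 35, 40, 45, 50, 55, 62, 74]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) at a decision threshold.
    FRR: fraction of genuine attempts rejected (score below threshold).
    FAR: fraction of impostor attempts accepted (score at or above threshold)."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Crossover error rate: sweep the threshold and return (threshold, FRR, FAR)
    where the two rates are closest. With discrete scores they may only meet
    approximately; the lowest such threshold wins."""
    best = None
    for t in thresholds:
        frr, far = error_rates(genuine, impostor, t)
        if best is None or abs(frr - far) < abs(best[1] - best[2]):
            best = (t, frr, far)
    return best


def choose_threshold(genuine, impostor, max_far, thresholds=range(0, 101)):
    """Operating point for a security-first deployment: the lowest threshold
    whose FAR does not exceed max_far, together with the FRR legitimate users
    will pay for it. Returns None if no threshold satisfies max_far."""
    for t in thresholds:
        frr, far = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr, far
    return None


if __name__ == "__main__":
    t, frr, far = crossover(GENUINE, IMPOSTOR)
    print(f"CER at threshold {t}: FRR={frr:.2f} FAR={far:.2f}")
    t, frr, far = choose_threshold(GENUINE, IMPOSTOR, max_far=0.0)
    print(f"Zero-FAR operating point: threshold {t}, FRR={frr:.2f}")
```

The CER is the single number vendors quote because it is threshold-independent; the second function shows the acceptability trade-off the notes mention: driving FAR to zero on these scores doubles the FRR, so twice as many legitimate users get turned away.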

    Biometric Access Control

    • Relies on recognition

    • Includes fingerprint comparison, palm print comparison, hand geometry, facial recognition, retinal print, and iris pattern

    • Characteristics considered truly unique: fingerprints, retina, and iris

    • Evaluation criteria:

      • False reject rate
      • False accept rate
      • Crossover error rate (CER)
    • Acceptability: balancing security and user acceptance

    • Ranking of biometric effectiveness and acceptance: biometric technologies are ranked separately by how effective they are and by how willing users are to accept them

    Intrusion Detection and Prevention Systems

    • An intrusion occurs when an attacker attempts to gain entry into or disrupt the normal operations of an information system, usually with the intent to do harm.

    • Intrusion prevention involves activities that seek to deter an intrusion from occurring.

    • Intrusion detection consists of procedures and systems created and operated to detect system intrusions.

    • Intrusion reaction encompasses actions an organization undertakes when an intrusion event is detected.

    • Intrusion correction activities finalize restoration of operations to a normal state.

    IDPS Terminology

    • Site policy refers to the rules and configuration guidelines governing how IDPSs are implemented and operated within the organization.
    • Alert or alarm is a notification triggered by an IDPS when a potential threat is detected.
    • Evasion refers to techniques used by attackers to circumvent IDPS detection.
    • Tuning involves adjusting IDPS settings to optimize its performance and minimize false alarms.
    • True attack stimulus is a genuine attack event that triggers an IDPS alarm (as opposed to a false attack stimulus, which triggers an alarm with no attack under way).
    • Confidence value is a measure of the likelihood that an IDPS alert is a true positive.
    • Alarm filtering involves filtering out false alarms and noise to focus on legitimate threats.
    • Alarm clustering and compaction group related alarms together to simplify analysis.
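The filtering, confidence, clustering and compaction terms above, as an added worked example that is not code from the original page: constructed alerts are first filtered by an assumed allow-list of authorized sources and a minimum confidence, and then alerts sharing signature, source and destination within a five-minute window are merged into one compacted record. The dataclass names, the addresses and the tuning values are assumptions made for the illustration.

```python
"""Alarm filtering, clustering and compaction over a constructed alert stream.
Added example; not code from the original page."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    when: datetime
    signature: str
    src: str
    dst: str
    confidence: float  # 0..1, assumed to be attached by the sensor


@dataclass
class Cluster:
    signature: str
    src: str
    dst: str
    first_seen: datetime
    last_seen: datetime
    count: int
    max_confidence: float


T0 = datetime(2024, 1, 1, 9, 0, 0)

# Constructed raw alerts (addresses and signature names are assumptions).
RAW_ALERTS = [
    Alert(T0, "SSH brute force", "203.0.113.10", "10.0.0.9", 0.90),
    Alert(T0 + timedelta(seconds=5), "SSH brute force", "203.0.113.10", "10.0.0.9", 0.90),
    Alert(T0 + timedelta(seconds=12), "SSH brute force", "203.0.113.10", "10.0.0.9", 0.95),
    Alert(T0 + timedelta(seconds=20), "HTTP scanner user-agent", "10.0.0.50", "10.0.0.7", 0.80),
    Alert(T0 + timedelta(seconds=30), "ICMP sweep", "198.51.100.4", "10.0.0.1", 0.20),
    Alert(T0 + timedelta(minutes=10), "SSH brute force", "203.0.113.10", "10.0.0.9", 0.90),
]

# Tuning values (assumed): the organization's own vulnerability scanner,
# a confidence floor, and how close in time alerts must be to merge.
ALLOWED_SOURCES = {"10.0.0.50"}
MIN_CONFIDENCE = 0.5
WINDOW = timedelta(minutes=5)


def filter_alerts(alerts, allowed=ALLOWED_SOURCES, min_confidence=MIN_CONFIDENCE):
    """Alarm filtering: suppress alerts from allow-listed sources and alerts
    below the confidence floor. Both kept and dropped lists are returned so
    the effect of tuning stays auditable."""
    kept, dropped = [], []
    for a in alerts:
        if a.src in allowed or a.confidence < min_confidence:
            dropped.append(a)
        else:
            kept.append(a)
    return kept, dropped


def cluster_alerts(alerts, window=WINDOW):
    """Alarm clustering and compaction: alerts sharing signature, source and
    destination, each within `window` of the cluster's last event, collapse
    into one record carrying a count, first/last seen and the peak confidence."""
    clusters = []
    for a in sorted(alerts, key=lambda x: x.when):
        for c in clusters:
            same_key = (c.signature, c.src, c.dst) == (a.signature, a.src, a.dst)
            if same_key and a.when - c.last_seen <= window:
                c.count += 1
                c.last_seen = a.when
                c.max_confidence = max(c.max_confidence, a.confidence)
                break
        else:
            clusters.append(Cluster(a.signature, a.src, a.dst, a.when, a.when, 1, a.confidence))
    return clusters


def triage(alerts):
    """Filter, then cluster: the compacted view an analyst console would show."""
    kept, _dropped = filter_alerts(alerts)
    return cluster_alerts(kept)


if __name__ == "__main__":
    for c in triage(RAW_ALERTS):
        print(f"{c.signature} {c.src}->{c.dst} x{c.count} "
              f"{c.first_seen:%H:%M:%S}-{c.last_seen:%H:%M:%S} conf={c.max_confidence}")
```

Six raw alarms become two compacted records. The caveat is the one the quiz answer on alarm filtering implies: every filter that lowers false positives can also hide a true attack (a compromised allow-listed scanner, or a real probe the sensor scored below the floor), so the dropped list should be retained and sampled rather than discarded.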

    Benefits of IDPS

    • Enables detection of violations of system configuration and notification of administrators via email or pager.
    • Can be configured to notify an external security service organization of a "break-in".
    • Enhances security posture by providing real-time threat detection and response.

    Description

    This quiz covers security goals, organizational requirements, and selecting IDPS approaches and products. It also delves into IDPS product features, testing, and user expertise.
