Information Systems Security Chapter 2

Questions and Answers

What is a primary advantage of a host-based IDS over a network-based IDS?

Ability to monitor multiple systems simultaneously

Detailed examination of a single system (correct)

Lower cost of management

Detection of network-only attacks

A host-based IDS can detect network-only attacks.

False

What is one major limitation of a host-based IDS?

It cannot detect network-only attacks.

A host-based IDS monitors activity on a __________ system.

single computer

Match the following characteristics with host-based IDSs:

Detailed examination = Focus on a single system Higher cost = More expensive to manage Resource consumption = Degrades system performance Anticipated attacks = Easier for intruders to disable

Which of the following is a disadvantage of using a host-based IDS?

Requires installation on each monitored system

A host-based IDS can effectively monitor denial-of-service attacks related to bandwidth.

False

In what way can attackers manipulate a host-based IDS?

They can discover and disable the IDS software.

What is the primary purpose of a SYN flood attack?

To consume server resources by leaving sessions open

A SYN flood attack involves completing the three-way handshake.

False

What is a common characteristic of the source addresses used in SYN packets during an attack?

They are often spoofed.

A SYN flood attack can result in a _____ of service for legitimate users.

denial

What is a significant advantage of using network-based IDSs?

They operate in stealth mode.

Match the following components of the TCP three-way handshake with their roles:

SYN packet = Initiates the connection SYN/ACK packet = Acknowledges receipt of SYN ACK packet = Finalizes the connection Half-open session = Connection waiting for completion

Network-based IDSs can analyze the contents of encrypted network traffic.

False

What can result from a large number of half-open sessions on a server?

Overtaxing and potential server failure

What is one limitation of a network-based IDS when traffic load is high?

It may be unable to process packets efficiently.

Patches are not usually released to address self-inflicted DoS conditions.

False

A network-based IDS usually cannot determine if an attack was __________.

successful

What occurs when the server does not receive an ACK packet during a SYN flood attack?

The session remains half-open and consumes resources.

Match the following functionalities of IDSs with their correct descriptions:

Stealth mode = Invisible to the network Knowledge-based detection = Uses a signature database RARP = Used to discover the source of an attack DoS = Type of attack detected by IDS

Which of the following does a network-based IDS NOT perform?

Decrypting encrypted sessions

Host-based IDSs can examine every detail of the host system as long as it has sufficient processing time.

True

What is one method by which an IDS detects malicious events?

Knowledge-based detection or signature-based detection.

Study Notes

Information Systems Security

• This presentation covers information systems security topics including monitoring, intrusion detection, penetration testing, and access control attacks.

Chapter 2: Attacks and Monitoring

• The chapter covers monitoring, intrusion detection, penetration testing, and access control attacks.

Introduction

• Access control is any hardware, software, or policy that manages and regulates access, monitors access attempts, identifies users attempting to access, and determines whether access is authorized.

Monitoring

• Monitoring is the programmatic way subjects are held accountable for their activities on a system.
• It also detects unauthorized or unusual system activities.
• Monitoring is crucial for identifying malicious activity, attempted intrusions, and system failures.
• Monitors can reconstruct events, provide evidence, and produce reports for analysis

Monitoring (continued)

• Using log files to detect issues is common, but the sheer volume of data can make important details difficult to find.
• Data reduction tools (data mining) are necessary to find relevant details from large data sets in log files.
• Intrusion Detection Systems (IDS) are a specialized data mining tool for real-time analysis of events.
• Accountability is maintained by recording subject and object activities as well as core system functions.
• Audit trails constructed by logging system events can be used to evaluate system health and performance.

Monitoring (continued)

• Monitoring is a necessary component of the auditing process, holding subjects accountable for their actions related to other subjects, objects, or functions on a system.
• Additional layers of defense can be built around monitoring, auditing, and accounting for real-time attack detection and prevention.

Intrusion Detection

• Intrusion Detection Systems (IDSs) automate the inspection of audit logs and real-time events.
• IDSs primarily detect intrusion attempts and system failures, but can also rate overall performance.
• IDSs monitor for violations in confidentiality, integrity, and availability.
• Attacks identified by IDSs can come from various sources: external connections, viruses, malicious code, unauthorized activities from internal users or trusted locations.
• IDSs are technical detective security controls.

Intrusion Detection (continued)

• IDSs actively watch for suspicious activity, review audit logs, and alert administrators.
• IDSs can lock down system files, track intrusion attempts, identify origination points of intrusions, and pinpoint perpetrators.
• IDSs can take action like stopping or terminating attacks, reconfiguring firewalls, or other forms of network protection.
• IDS alerts can be communicated using onscreen notifications, sounds, emails, pagers, or recording information in a log file.

Intrusion Detection (continued)

• Responses from IDSs can be active—affecting malicious activity—passive—recording malicious activity and alerting administrators— or hybrid.
• IDSs are used to detect unauthorized or malicious activity within a trusted network, be it from internal or external sources.
• IDS capabilities are limited, as stopping current and preventing future attacks is generally not possible.
• A common response to attacks involves blocking ports, blocking source addresses, and/or disabling communications on a segment.

Intrusion Detection (continued)

• IDSs are considered an important component of a complete network security plan, complementing other security controls like physical and logical access controls.
• Maintenance of overall system security is crucial, including applying security patches, setting security controls, and responding to discovered issues to prevent recurrence.

Intrusion Detection (continued)

• IDSs can be categorized as either host-based or network-based.
• Host-based IDS monitors individual computer systems, while network-based IDS monitors the network itself.
• Host-based IDSs are suited to detailed examination of specific events on a computer, while network-based IDSs are designed to cover the larger network more efficiently.
• Network-based IDSs are fitted on single-purpose computers, enabling them to be hardened against attack and operate in stealth mode.
• Network-based IDSs have limited impact on overall network performance.

Intrusion Detection (continued)

• Network-based IDSs detect attacks or events through the capture and evaluation of network packets.
• These IDSs are capable of monitoring a large network when appropriately placed within the network's backbone.
• Some network-based IDSs use remote agents to collect data from subnets and report to a central management console.

Intrusion Detection (continued)

• Sensor placement varies; some are in front of firewalls to detect attempts to enter the network, others behind firewalls to detect intruders who have already entered the network, and others within the company network to detect internal attacks.

Intrusion Detection (continued)

• Network-based IDSs are used to monitor the content of network traffic.
• They function effectively even when traffic is encrypted.
• IDSs often provide functionality to discover points of attacks through RARP or DNS lookups.

Intrusion Detection (continued)

• IDS use two main means of detecting malicious events: knowledge-based (or signature-based) detection and behavior-based detection (or anomaly-based detection).
• In knowledge-based detection, the system matches monitored events against a database of known attack signatures or patterns; the success of detection relies on an accurate and up-to-date signature database.
• Behavior-based detection monitors normal activity to develop profiles for recognizing abnormalities and malicious event patterns.

Intrusion Detection (continued)

• Knowledge-based IDSs have a drawback of limited effectiveness against unknown or modified attacks. Their usefulness depends heavily on having an up-to-date signature file.
• Behavior-based IDSs provide a more flexible system that can learn from normal activity to detect abnormalities; however, they tend to yield a higher volume of false alarms.
• Behavior-based systems are more capable of anticipating new threats.

Intrusion Detection (continued)

• Various complimentary tools exist to expand IDS use and improve efficiency. These tools include honey pots, padded cells, and vulnerability scanners.

Intrusion Detection (continued)

• Honey pots are individual computers or networks created as decoys to lure attackers.
• Monitoring a honey pot enables a deeper understanding of an attacker's methods.
• Padded cells are similar to honey pots but add the ability to isolate attackers without access to sensitive data.
• Vulnerability scanners are used to test systems for known security vulnerabilities and weaknesses.

Penetration Testing

• Penetration testing simulates attacks to assess the strength of security measures.
• Such testing aims to discover vulnerabilities in a network so that they can be fixed before any actual attack takes place.
• Testing is a vigorous attempt to break into a network's perimeter using any means available.

Penetration Testing (continued)

• Penetration testing attempts to find detectable weaknesses in a network's security perimeter.
• Testing seeks to find known and unknown threats.
• Testing helps in the discovery of vulnerabilities.

Penetration Testing (continued)

• Penetration testing can be performed using automated tools for attack simulations, manual network utilities, or scripting.
• Tools may range from professional vulnerability scanners to underground tools.
• Penetration testing is only effective with proper consent from management.
• Unapproved testing can result in productivity loss, triggering emergency response teams, or severe consequences such as legal or job-related issues.

Methods of Attack

• Several types of attacks are available for network attacks; these are common types, including brute-force attacks, denial-of-service attacks, spoofing attacks, man-in-the-middle attacks, and smurf attacks.
• The sophistication of the attack tools can range from readily available open-source tools to elaborate proprietary tools.

Methods of Attack (continued)

• Brute-force and dictionary attacks require trying combinations of possible passwords to determine access.

Methods of Attack (continued)

• Denial-of-service (DoS) attacks disrupt the intended system's processing by flooding the intended system with network packages.

Methods of Attack (continued)

• Spoofing attacks attempt to impersonate another party, concealing an attacker's true identity.

Methods of Attack (continued)

• Man-in-the-middle (MitM) attacks are performed by positioning devices between the entities communicating.

Methods of Attack (continued)

• Smurf attacks employ broadcast attacks to flood the intended system with excessive network packages to cause a denial-of-service (DOS) condition.

Methods of Attack (continued)

• Ping-of-death, WinNuke, stream, teardrop, and land attacks are the next generation of denial-of-service (DoS) attacks and related attacks.

Methods of Attack (continued)

• Botnet attacks take advantage of coordinated systems of compromised machines.
• Spoofing attacks can involve impersonation or masquerading to gain access to a system.

Methods of Attack (continued)

• Types of man-in-the-middle attacks include hijack and replay attacks. The purpose of MitM is often to hijack and compromise communications (and data) between two communicating devices.

Methods of Attack (continued)

• Sniffer attacks involve using monitoring software to collect communications.
• Spamming attacks involve sending unsolicited emails to a victim.

Methods of Attack (continued)

• Crackers/Hackers/Attackers/Intruders are those involved in malicious network attacks.

Access Control Compensations

• Access control measures are designed to control and regulate object access by individuals ("subjects") in an organization.
• Countermeasures to attacks include utilizing backups, backups can aid in the speedy recovery from data loss or device failures and restore data.

Access Control Compensations (continued)

• Fault-tolerant systems can compensate for a single point of failure by creating redundant operations.
• Businesses should have procedures in place to deal with severe or systemic failure and access violations that may lead to the system's unavailability.
• Insurance and business continuity planning are crucial for effective compensation recovery.

Description

This quiz explores the critical concepts of information systems security, focusing on monitoring, intrusion detection, penetration testing, and access control attacks. Test your understanding of these vital security measures and their importance in safeguarding systems against unauthorized access and attacks.