Intrusion Detection Systems (IDS)

Questions and Answers

What does an intrusion detection system (IDS) primarily monitor?

  • Physical security perimeters
  • Social media trends
  • Network traffic (correct)
  • Employee attendance

What is 'intrusion' defined as?

  • The act of intruding or the state of being intruded (correct)
  • The act of securing a network
  • The process of encrypting data
  • The method of backing up files

What are the two primary threat detection methods used by IDS?

  • Firewall-based and antivirus-based
  • Encryption-based and decryption-based
  • Password-based and biometric-based
  • Signature-based and anomaly-based (correct)

What does a signature-based intrusion detection system (SIDS) primarily rely on?

A database of known threats (B)

What does an anomaly-based intrusion detection system (AIDS) compare network traffic against?

A predefined baseline of normal activity (A)

What is the primary function of an intrusion prevention system (IPS)?

To automatically block potential threats (A)

Which of the following is a threat detection method used by IPS?

Signature-based detection (B)

What does signature-based detection analyze in network packets?

Attack signatures (B)

What does anomaly-based detection use to create a baseline model of normal network activity?

Artificial intelligence and machine learning (A)

What is the basis of policy-based detection methods?

Security policies set by the security team (A)

What is NIPS?

Network-based Intrusion Prevention System (D)

What does a Host-based intrusion detection system (HIDS) monitor?

Individual devices connected to the network (C)

What is the focus of network behavior analysis (NBA)?

Monitoring network traffic flows (D)

What does a wireless intrusion prevention system (WIPS) monitor?

Wireless network protocols (C)

What is the purpose of access control?

To restrict and allow access to certain items (D)

Which of the following is the first part of four-part access control?

Identification (C)

What does the 'policy definition phase' determine in access control?

Who has access and what systems or resources they can use (D)

What is an example of a physical access control?

A key to a building (A)

In access control policies, what are users referred to as?

Subjects (C)

What is 'authentication'?

Can the requestor's identity be verified? (A)

Which of the following is a type of authentication based on 'knowledge'?

A password. (D)

Which of the following involves trying every possible combination of characters?

Brute-force attack (C)

What is another term for characteristics-based authentication?

Biometrics (C)

Fingerprints, iris granularity and retina blood vessels are considered what type of biometrics?

Static (A)

Voice inflections, keyboard strokes and signature motions are considered to be what kind of biometric?

Dynamic (D)

What is a security control?

A mechanism intended to minimize risk of attack (C)

Disclosure of private information is an effect from what?

Breaches in Access Control (A)

What is the definition of cloud computing?

Using computing services delivered over a network (D)

Which type of cloud infrastructure is operated for a single organization?

Private Cloud (B)

Which of the following cloud services is available to the general public?

Public Cloud (C)

Which of the following cloud services contains components of multiple clouds, including private, community and public clouds?

Hybrid Cloud (D)

In information security, what is a firewall?

Hardware and software that prevents specific information from moving between networks (A)

What is the term for the system of networks inside the organization that contains information assets?

Trusted network (B)

Which firewall examines the header information of data packets?

Packet-filtering firewall (B)

What is a stateful packet inspection (SPI) firewall?

A firewall that keeps track of each network connection (C)

What is a DMZ in the context of application layer proxy firewalls?

An intermediate area between two networks. (C)

At which OSI layer does a media access control layer firewall operate?

Layer 2 (A)

Hybrid firewalls combine elements from which types of firewalls?

Packet filtering, application layer proxy, and media access control layer. (B)

What does UTM stand for?

Unified Threat Management (A)

What is a single bastion host?

A highly secured computer system placed outside the organization's network. (A)

How many firewalls do screened hosts use?

Two (A)

Flashcards

Intrusion

The act of intruding or the state of being intruded upon.

Intrusion Detection System (IDS)

Application that monitors network traffic for threats and suspicious activity.

Signature-based detection

Threat detection method that compares network packets with a database of known threats.

Anomaly-based detection

Threat detection method that compares network traffic to a predefined baseline of normal behavior.

Intrusion Prevention System (IPS)

System that monitors network traffic and automatically blocks potential threats.

Signature-based IPS detection

Threat detection analyzing network packets for unique characteristics associated with specific threats.

Anomaly-based IPS detection

Threat detection using AI/ML for finding deviations from normal network activity.

Policy-based IPS detection

Threat detection based on security policies set by the security team.

Network-based IPS (NIPS)

IPS deployed at strategic points to monitor incoming and outgoing network traffic.

Host-based IPS (HIPS)

IPS installed on individual devices connected to a network.

Network Behavior Analysis (NBA)

IPS that monitors network traffic flows, focusing on higher-level session details.

Wireless IPS (WIPS)

IPS that monitors wireless network protocols for suspicious activity.

Access Control

Restricting and allowing access to certain items or resources.

Identification

Identifying who is requesting access to an asset.

Authentication

Verifying the requestor's identity.

Authorization

Determining what a requestor can access and do.

Accountability

Tracing actions back to an individual user.

Policy definition phase

Phase determining who has access and what they can use.

Policy enforcement phase

Phase granting or rejecting access requests based on defined authorizations.

Physical Access Controls

Controls for physical resources like buildings and parking lots.

Logical Access Controls

Controls access to computer systems or networks.

Access Control Policy

Set of rules allowing specific users to perform actions on resources.

Users

People using a system or processes; can be referred to as subjects.

Resources

Protected objects in a system accessible only by authorized subjects.

Actions

Activities authorized users can perform on resources.

Relationships

Optional conditions existing between users and resources; permissions.

Knowledge-based authentication

Something you know, such as a password or PIN.

Ownership-based authentication

Something you have, such as a smart card or token.

Characteristics-based authentication

Unique attribute, like fingerprints or retina scans.

Location-based authentication

Your physical location when accessing a resource.

Action-based authentication

How or what you do, such as typing.

Brute-force attack

Trying every possible combination of characters to crack a password.

Dictionary Attack

Hashes dictionary words and compares the values with the system password file.

Biometrics

Using measurable physical traits for identification and authentication.

Static Biometrics

Based on recognizing what you are, such as fingerprints or facial features.

Dynamic biometrics

Based on what you do, such as voice inflections or keyboard strokes.

Security Control

Mechanism to avoid, stop, or minimize attack risk.

Cloud computing

Using computing services delivered over a network.

Private Cloud

All hardware and software operated for a single organization.

Community Cloud

Cloud infrastructure shared by several organizations for their specific needs.

Public Cloud

Cloud infrastructure available to unrelated organizations or individuals.

Hybrid Cloud

Cloud infrastructure containing components of more than one cloud type.

Firewall

Combination of hardware and software that prevents specific information from moving between networks.

Trusted network

Networks inside an organization that contain its information assets.

Untrusted network

Networks outside an organization over which it has no control.

Packet-filtering firewall

Examines the header information of data packets entering the network.

Dynamic packet-filtering firewall

Reacts to network traffic by creating or modifying its rules.

Static packet-filtering firewall

Requires manual creation and modification of its rules.

Stateful Packet Inspection (SPI) firewall

Tracks each network connection in a state table, which expedites filtering.

Application layer proxy firewall

Device that functions as both a firewall and an application layer proxy server.

Demilitarized zone (DMZ)

Intermediate area between two networks that provides firewall filtering between a trusted internal network and an untrusted outside network.

Proxy server

Intercepts requests from external users and serves them on behalf of internal servers.

Reverse proxy

Proxy that retrieves information from inside an organization and delivers it to a requesting user or system outside it.

Media access control layer firewall

Operates at the media access control sublayer of the network's data link layer (Layer 2).

Hybrid firewalls

Combines elements of other firewall types.

Unified Threat Management (UTM)

Networking device that performs the work of multiple security devices in a single appliance.

Next Generation Firewall (NextGen or NGFW)

Security appliance that delivers unified threat management capabilities in a single appliance.

Single bastion host

Highly secured computer system designed to withstand attacks from the internet.

Screened hosts

Uses two firewalls.

Screened subnets

Uses multiple firewalls to create a demilitarized zone (DMZ).

Study Notes

Intrusion Detection

  • Intrusion is the act or state of being intruded upon.
  • An intrusion detection system (IDS) is an application monitoring network traffic for known threats and suspicious activity.
  • IDS tools are software applications that run on an organization's hardware or as a network security solution.

Intrusion Detection System (IDS)

  • IDS uses one or both of two primary threat detection methods:
    • Signature-based detection.
    • Anomaly-based detection.

Common Types of Intrusion Detection Systems

  • Signature-based intrusion detection system (SIDS) monitors packets on a network and compares them with attack signatures in a database of known threats.
  • Anomaly-based intrusion detection system (AIDS) monitors network traffic and compares it with a predefined baseline of normal activity.
    • AIDS can detect anomalous activity and behavior across the network, including bandwidth, devices, ports, and protocols.
  • AIDS solutions use machine-learning techniques to build a baseline of normal behavior and establish a corresponding security policy.

Intrusion Prevention System (IPS)

  • An intrusion prevention system (IPS) monitors network traffic for potential threats and blocks them automatically.
  • Actions include alerting the security team, terminating dangerous connections, removing malicious content, and triggering other security devices.

Intrusion Prevention System (IPS) Threat Detection Methods

  • Threat detection methods of IPS:
    • Signature-based detection: Analyzes network packets for attack signatures, such as code in a malware variant.
    • Anomaly-based detection: Uses AI and machine learning to create and refine a baseline model of normal network activity, comparing real-time activity to this model.
    • Policy-based detection: Uses security policies set by the security team, blocking any action that violates these policies.

Common Types of Intrusion Prevention Systems

  • Network-based intrusion prevention systems (NIPS).
  • Host-based intrusion prevention systems (HIPS).
  • Network behavior analysis (NBA).
  • Wireless intrusion prevention systems (WIPS).
  • Network intrusion detection system (NIDS) is deployed at strategic points within an organization's network to monitor incoming and outgoing traffic, as well as detect malicious and suspicious traffic from all devices connected to the network.
  • Host-based intrusion detection system (HIDS) is installed on individual devices connected to the internet and an organization's internal network.
    • HIDS can detect packets coming from inside the business.
    • Detects malicious traffic that a Network intrusion detection system cannot.
    • Discovers malicious threats coming from the host, such as malware attempting to spread.
  • Network behavior analysis (NBA) solutions monitor network traffic flows.
    • NBAs inspect packets and focus on higher-level details of communication sessions like source and destination IP addresses, ports, and packet counts.
    • NBAs use anomaly-based detection methods, flagging and blocking flows deviating from the norm.
  • Wireless intrusion prevention system (WIPS) monitors wireless network protocols for suspicious activity like unauthorized users and devices accessing the company's Wi-Fi.

Access Control

  • These are methods that restrict and allow access to automobiles, homes, computers, and smartphones.
  • Access control is the process of protecting a resource so that it is used only by those allowed to use it.

Four-Part Access Control

  • Identification: Determines who is asking to access the asset.

  • Authentication: Verifies the identity of the requestor.

  • Authorization: Specifies what the requestor can access and do.

  • Accountability: Traces actions to an individual, associating actions with users for later analysis and reporting.

  • These four parts are divided into two phases:

    • Policy definition phase: Determines who has access and what systems or resources they can use.
    • Policy enforcement phase: Grants or rejects requests based on authorizations defined earlier, executing identification, authentication, authorization, and accountability processes.

Categories of Access Controls

  • Physical access controls control access to physical resources.
  • This can include buildings, parking lots, and protected areas with examples such as key access to an office.
  • Logical access controls control access to a computer system or network.
  • This includes username and password for accessing a corporate computer and associated network resources.

Access Control Policies

  • Access control policy is a set of rules assigning access permissions to specific users for particular actions on designated resources.
  • Understanding these components is important for managing access control policies.
  • The four central components of an access control policy:
    • Users: The people who use the system, or processes; also known as subjects.
    • Resources: Protected objects within the system that can only be accessed by authorized subjects and used in authorized ways.
    • Actions: Activities that authorized users can perform on the resources.
    • Relationships: Optional conditions between users and resources; these are the permissions granted to an authorized user, such as read, write, or execute.

Authentication

  • There are five types:
    • Knowledge: Something you know, such as a password or PIN.
    • Ownership: Something you have, such as a smart card or badge.
    • Characteristics: Something unique to you, such as fingerprints or retina scans.
    • Location: Where you are, such as your physical location when attempting to access a resource.
    • Action: Something you do, such as the way you type on a keyboard.

Authentication by Knowledge

  • Attackers use brute-force or dictionary attacks to crack passwords, targeting weak passwords.
    • Brute-force attack: Tries every possible combination of characters.
    • Dictionary attack: Hashes dictionary words and compares the values with the system password file.

Authentication by Characteristics/Biometrics

  • Biometrics can be used for physical and logical identification/authentication.

Two Categories of Common Biometrics Measures

  • Static (physiological) measures: Based on recognizing what you are, such as fingerprints, iris scans, and facial features.
  • Dynamic (behavioral) measures: Based on what you do, such as voice inflections, keyboard strokes, and signature motions.

Types of Biometrics

  • Fingerprint scans record ridge and valley patterns on fingertips.
  • Palm print scans examine the physical structure of the palm.
  • Hand geometry: A camera takes a picture of the palm and side of the hand using a 45-degree mirror.
    • Analysis uses the length, width, thickness, and contour of the fingers.
    • Response time of 1-3 seconds.
  • Retina scan: Analyzes blood-vessel patterns in the retina using a low-level light source and a camera.
  • Iris scan: Uses a small video recorder to capture unique patterns in the iris, caused by striations, pits, freckles, and fibers.
  • Facial Recognition: Video cameras measure facial features like eye distance, chin and jaw shape, nose dimensions, and cheekbone/eye socket shapes.
  • Voice pattern: voice-pattern biometrics capture parameters such as nasal tones, larynx and throat vibrations, and air pressure from the voice.
  • Keystroke dynamics: Measures dwell time and flight time when a user types a phrase, capturing typing rhythm.
  • Signature dynamics: Sensors in a pen or writing tablet record pen-stroke speed, direction, and pressure.

Security Controls

  • This is any mechanism to avoid, stop, or minimize a risk of attack for one or all resources.

Effects of Breaches in Access Control

  • Disclosure of private information
  • Corruption of data
  • Loss of business intelligence
  • Danger to facilities, staff, and systems
  • Damage to equipment
  • Failure of systems and business processes

Cloud Computing

  • The practice of using computing services that are delivered over a network.
  • Cloud service categories:
    • Private cloud.
    • Community Cloud.
    • Public Cloud.
    • Hybrid Cloud.

Private Cloud

  • All the hardware and software required to provide services, including the network infrastructure, is operated for a single organization.
  • The components may be managed by the organization or by a third-party provider. The actual infrastructure can be located within the organization's network or outside it.

Community Cloud

  • This type of infrastructure provides services for several organizations.
  • The different organizations share the cloud environment and use it for their specific needs.
  • The infrastructure can be managed by one of the participating organizations or by a third party.

Public Cloud

  • This type of cloud infrastructure is available to unrelated organizations or individuals.
  • Public clouds are generally available for public use and are managed by a third-party provider.

Hybrid Cloud

  • This type of cloud infrastructure contains components of more than one type of cloud, including private, community, and public clouds.
  • Hybrid clouds are useful to extend the limitations of more restrictive environments.

Firewall

  • In information security, a firewall is a combination of hardware and software that filters or prevents specific information from moving between outside and inside networks.
    • Trusted network: The system of networks inside the organization that contains its information assets and is under the organization's control.
    • Untrusted network: The system of networks outside the organization over which it has no control. The internet is considered an untrusted network.
  • A firewall prevents selected information types from moving between different network levels, such as the Internet (untrusted network) and the internal network (trusted network).

Firewall Processing Modes

  • Firewall categories include:
    • Packet-filtering firewalls.
    • Application layer proxy firewalls.
    • Media access control layer firewalls.
    • Hybrids.

Packet-Filtering Firewalls

  • Examine the header information within data packets.
  • Scan network data packets to check compliance with firewall rules or violations within the network.
  • Filtering firewalls inspect packets at the Network layer (Layer 3) of the OSI model, which represents the seven layers of networking processes.

Subsets of Packet-Filtering Firewalls

  • Dynamic packet-filtering firewall: Reacts to network traffic; it creates or modifies configuration rules to adapt.
  • Static packet-filtering firewall: Requires manual creation, sequencing, and modification of configuration rules within the firewall.
  • Stateful packet inspection (SPI) firewall: Tracks each network connection between internal and external systems using a state table which expedites filtering (also known as a stateful inspection firewall).

Stateful Packet Inspection (SPI) Firewall

  • SPI firewalls operate at the Network layer (Layer 3) and Transport layer (Layer 4) of the OSI model.
  • Inspect data packets as they pass through, comparing them to a list of known connections.
  • Monitoring permits only traffic that matches an existing connection to pass.

Application Layer Proxy Firewalls

  • Device capable of functioning both as a firewall and an application layer proxy server.
  • Demilitarized zone (DMZ) is an intermediate area between two networks designed to provide servers and firewall filtering between a trusted internal network and the outside, untrusted network and carries a higher level of risk.
  • Proxy server: Intercepts requests for information from external users and provides the requested information from an internal server, protecting internal servers and minimizing the demand on them; cache servers are a common example.
  • Reverse proxy is a proxy server that retrieves information from inside an organization and delivers it to a requesting user or system outside the organization.
  • Application firewall, also known as an application layer proxy firewall, is installed on a dedicated computer separate from the filtering router but is commonly used with one.
  • The application firewall is also known as a proxy server or reverse proxy because it runs special software that acts as a proxy for a service request.
  • Benefit: the proxy server, rather than the Web servers, is placed in the unsecured area of the network (the DMZ), so the proxy is the system exposed to the higher risk and the Web servers are not.

Media Access Control Layer Firewalls

  • Operates at the media access control sublayer of the network's data link layer (Layer 2).
  • Filtering decisions are based on the specific host computer's identity, as represented by its media access control (MAC) or network adapter (NIC) address.
  • Operates at the data link layer of the OSI model / the subnet layer of the TCP/IP model.

Hybrid Firewalls

  • Combines elements of other firewall types like packet filtering, application layer proxy, media access control layer firewalls.
  • Unified Threat Management (UTM): Networking devices categorized by their ability to perform the work of multiple devices, such as stateful packet inspection firewalls, network intrusion detection and prevention systems, content filters, spam filters, and malware scanners and filters.
  • Next Generation Firewall (NextGen or NGFW): A security appliance that delivers unified threat management capabilities in a single appliance.
  • NextGen firewalls are similar to UTM devices and combine traditional firewall functions with other network security functions, such as deep packet inspection, IDPSs, and the ability to decrypt encrypted traffic.

Firewall Architectures

  • A firewall's value comes from filtering out dangerous external traffic as it enters an organization's network.
  • The value proposition offered by firewalls is shaped by the changing nature of the way networks are used.
  • Configuration depends on network objectives, organizational ability to develop and implement architectures, and available budget.
  • Common implementations:
    • Single bastion hosts.
    • Screened host firewalls.
    • Screened subnet firewalls.

Single Bastion Host

  • A highly secured computer system outside the organization's network that is designed to withstand attacks from the internet.
  • All traffic from the internet must pass through this host before reaching the internal network.
  • Provides a high level of security, but it can be expensive to implement.

Screened Hosts

  • Uses two firewalls, an external firewall that faces the internet and an internal firewall that faces the internal network.
  • The external firewall allows designated traffic based on specific criteria to pass through to the internal firewall, which then filters traffic based on a set of rules.
  • Balances security and cost-effectiveness.

Screened Subnets

  • Uses multiple firewalls to create a DMZ (demilitarized zone) between the internet and the internal network.
  • The DMZ contains servers that can be accessed from both the internet and the internal network but are isolated from each other.
  • Provides a high level of security but can be complex to implement.