System Intrusion Detection and Prevention

Questions and Answers

What are the three fundamental principles of computer network security?

Detection, response, and encryption

Prevention, detection, and response (correct)

Encryption, prevention, and analysis

Prevention, detection, and avoidance

What is the main focus of intrusion detection?

Filtering network traffic actively

Preventing unauthorized access to resources

Auditing user behavior

Detecting unauthorized access to a system (correct)

How does intrusion prevention differ from intrusion detection?

Intrusion prevention actively blocks threats, while intrusion detection monitors activities. (correct)

Intrusion prevention detects threats passively, while intrusion detection prevents them.

Intrusion prevention is only relevant for physical security.

Intrusion prevention and detection processes are identical.

What historical document significantly contributed to the concept of intrusion detection?

A 1980 paper by James Anderson

What does intrusion detection systems utilize to track misuse?

Computer audit trails

What key understanding has driven the notion of system security?

No level of protection is foolproof against failures.

Which of the following statements about intrusion detection and prevention is false?

Intrusion detection primarily focuses on actively blocking threats.

What does the term 'system intrusion' refer to?

Accessing a system without proper authority

What type of intrusion is detected by monitoring specific patterns of activity?

Penetrations of the security control system

Which stage of the intrusion process involves gathering information about weaknesses in the target?

Reconnaissance

What is the main goal of a denial-of-service attack?

To disrupt service and usage

Which of the following types of attacks is characterized by impersonating legitimate users?

Masquerade attacks

How is vulnerability assessment related to the intrusion process?

It is a preliminary step that aids the intrusion.

What might indicate an attempted break-in that could be detected by anomaly-based IDS?

Patterned login attempts

What kind of vulnerabilities can be identified through vulnerability assessment?

Flaws in operating systems and software

Which form of intrusion involves unauthorized access through special privileges?

Physical intrusion

Which attack sends an invalid fragment that disrupts system functionality?

Ping of death

What typically does NOT indicate atypical use of system resources?

High CPU usage during peak hours

What is the primary effect of a SYN flood attack?

It overwhelms the victim's resources by initiating many connections.

Which method is employed by a Land attack?

Forging a SYN packet with identical source and destination.

What can be a consequence of compromised privacy due to system intrusion?

Compromisation of personal data stored by organizations.

What is a potential legal consequence of a data breach in an organization?

The organization could be liable for damages caused by hackers.

What was an ancient method of intrusion detection?

Constructing observation towers on high ground.

What does an Intrusion Detection System (IDS) primarily do?

Detect unauthorized intrusions into systems.

What type of data might be particularly vulnerable during a system intrusion?

Personal data such as bank information.

Which attack method involves sending OOB/URG data to cause a system hang?

WinNuke.

What is a significant risk associated with digital data loss compared to physical data loss?

Intruders can access digital data without detection.

What component is crucial for effective intrusion detection systems historically and currently?

Surveillance and monitoring methods.

What is the main focus of anomaly-based detection?

Identifying abnormal behavior patterns

Which of the following describes signature-based detection?

It relies on a database of known attack signatures.

What is a potential danger of anomaly-based detection?

It may classify unacceptable behavior as normal.

What are the three broad categories used in the signature-based detection model?

Unauthorized access, unauthorized modification, and denial of service

How do anomaly-based systems develop norms for detection?

By continuously creating profiles based on user activities

What is the primary focus of individual profiles in anomaly detection?

Expected user activities with little deviation

What does the hybrid model of intrusion detection aim to improve upon?

Recognition of both known and unknown attacks

What is a characteristic of misuse detection systems?

They rely on unique patterns or signatures of intrusive activities

Which of the following best explains behavior-based detection?

It generates rules from expert insights to define unacceptable actions.

What is a characteristic of anomaly detection regarding intrusive activities?

Considers all intrusive activities to be anomalous

Which profile type includes monitoring the usage patterns of various system resources?

Resource profile

In which area is anomaly detection NOT typically applied?

Malware signature identification

What does the adaptive profile do in relation to work profiles?

It reflects recent upsurges in usage automatically

What is a drawback of anomaly detection systems mentioned in the content?

They are computationally expensive due to profile tracking

What is a critical limitation of signature-based detection systems?

They cannot detect attacks that are not previously known

What is a major limitation of misuse detection systems?

They can only flag patterns that have been previously observed

How do group profiles function in the context of anomaly detection?

They represent common work patterns across multiple users

What does the term 'false negatives' refer to in the context described?

Intrusive activities flagged as normal

What is a key feature of an adaptive rule-based profile?

To create new rule sets based on recent historical data

Which profile type aims to regularly maintain and update other profiles?

Static profile

What is the primary function of intrusion detection systems?

To monitor network traffic for anomalous activity.

Which of the following correctly describes network-based intrusion detection systems (NIDS)?

They monitor the entire network traffic to detect intrusions.

How do NIDSs generate an alert?

When a packet contains any anomalies or harmful data.

What is a key limitation of network-based intrusion detection systems?

Attacks can be evaded due to ambiguities in traffic streams.

What distinguishes host-based intrusion detection systems from network-based systems?

Host-based systems only monitor one host's traffic.

Which of the following user categories is NOT identified by intrusion detection systems?

Users with compromised credentials

What aspect of NIDS allows for potential evasion by attackers?

Partial knowledge of protocol implementations and network topology.

In what way do NIDS and firewalls differ?

NIDS captures packets regardless of rules configured.

What do anomalies in network traffic indicate in the context of intrusion detection?

Possible unauthorized or harmful activities.

Why is it important for NIDS to analyze traffic patterns?

To identify deviations indicating possible intrusions.

What is the primary function of the load balancer in a network?

To gather data from the network and distribute it to all network sensors.

Which type of sensor can separate suspicious and normal traffic in a network without a load balancer?

Promiscuous mode sensor

What role does the analyzer play in an intrusion detection system?

It classifies traffic as either safe or an attack.

What is a key capability of the alert notifier?

To contact the responsible security officer during severe threats.

What foundation does the command console provide for the intrusion detection system?

It acts as a central authority for controlling the entire system.

Which of the following is a responsibility of the response subsystem?

To take action based on threats to target systems.

What is a potential drawback of frequent alerts for minor threats in a network?

They can lead to increased false positives.

How do sensors in networks without a load balancer manage traffic?

They operate independently in their own subnetworks.

What determines the severity and scope of a potential threat in an intrusion detection system?

The layers of monitoring conducted by the analyzer.

What type of statistics does the database of an intrusion detection system hold?

Both behavioral and misuse statistics.

What is the primary advantage of placing IDS sensors in the DMZ?

Most attacks enter the network through this area.

Which area is considered a frequent spot for unauthorized activity regarding IDS sensor placement?

Between the firewall and the Internet.

What is a disadvantage of placing IDS sensors inside the internal network?

They may not detect all types of attacks.

Which placement of IDS sensors provides the ability to detect attacks that a host-based system would typically miss?

In the DMZ with access to live traffic.

What is a common challenge of deploying IDS sensors on both sides of a firewall?

They may become overwhelmed by excessive traffic.

Which is NOT a typical strategy when placing IDS sensors?

In employee workstations.

What is a critical benefit of real-time detection capabilities of NIDS?

It allows for immediate administrator response to attacks.

Why is placing IDS sensors inside each firewall beneficial?

It enhances sensor protection from coordinated attacks.

What can hinder the performance of IDS sensors when deployed within the internal network?

Inability to detect certain external attacks.

Which of the following approaches may enhance the effectiveness of IDS sensors in the DMZ?

Placing them in isolated zones within the DMZ.

What is a significant limitation of Network Intrusion Detection Systems (NIDS)?

Blind spots in the internal network

Which aspect of Host-Based Intrusion Detection Systems (HIDS) contributes to their ability to quickly verify an attack?

Logging events that have already occurred

What type of data do HIDS specifically monitor to detect malicious activities?

Operating system-specific logs

What is a common problem associated with analyzing data collected by Host-Based Intrusion Detection Systems?

Overwhelming amount of log data

Which feature distinguishes HIDS from NIDS in terms of traffic handling?

HIDS deals with less traffic

What method is primarily used by HIDS to detect changes that may indicate illegitimate activity?

Comparison with attack signatures

Which of the following statements accurately describes a disadvantage of NIDS?

They are limited by blind spots in the network

What aspect of HIDS allows it to complement NIDS?

Verification of potential successful attacks

When did HIDS begin to see widespread adoption?

Early and mid-1980s

What is an inherent limitation of NIDS concerning data?

They lack the capability to decrypt encrypted data

What should be prioritized first when handling an incident according to security policy?

Human life and people's safety

Which is NOT a responsibility of an Incident Response Team (IRT)?

Storing data for future analysis

What is one of the challenges faced by deploying Intrusion Detection Systems (IDS) in switched environments?

Limited visibility of network traffic

What approach is used to mitigate the overload of traffic on a single port in switched networks?

Attaching a network sensor to a mirror port

What is a common issue with IDS technology despite advancements?

Frequent false alarms

What should the postmortem analysis of an incident include?

Steps to handle future incidents

Which action is essential when recovering from an incident?

Conduct a thorough check of system logs

What is the primary function of the interface in intrusion detection systems?

To gather, analyze, and report data from monitored networks

What do IDS logs primarily help with in organizations?

Legal proceedings protection

Which is a common misconception about intrusions in network systems?

Most intrusions occur from outside threats

What is the purpose of a honeypot in network security?

To attract attackers and study their methods

What concept allows IDS sensors to work effectively in a switched environment?

Port mirroring

What is the main focus of incident damage assessment?

Conducting a thorough check on system components

What type of IDS focuses on analyzing trends within generated log files?

LFMs

What is a significant challenge faced by intrusion detection systems as network traffic grows?

Difficulty in monitoring all traffic in switched networks

What do System Integrity Verifiers (SIVs) primarily monitor?

Changes to critical system files

In what kind of network area is it best to strategically place a honeypot?

In the DMZ or behind a firewall

Which category do host-based intrusion detection systems (HIDS) belong to?

Systems focusing on individual host or component activities

What type of approach is increasingly adopted in intrusion detection systems due to changing network dynamics?

Hybrid systems incorporating elements of both HIDS and NIDS

What is the role of trend analysis in log file monitoring?

To identify potential security threats from usage patterns

What is a major advantage of using Host Intrusion Detection Systems (HIDS) over Network Intrusion Detection Systems (NIDS)?

HIDS can detect low-level local activities quickly.

Why are HIDS considered cost-effective compared to NIDS?

HIDS do not require additional hardware installations.

What limitation is present in both HIDS and NIDS?

Inability to detect high-speed network traffic.

What characteristic of HIDS enables it to better handle encrypted traffic compared to NIDS?

HIDS monitor operating systems after decryption.

What disadvantage do HIDS face due to their deployment location?

They are subject to potential illegal tampering.

What is the primary benefit of a Hybrid Intrusion Detection System?

Incorporates strengths from both HIDS and NIDS.

Which challenge is associated with deploying NIDS in heavily switched networks?

It is difficult to determine effective deployment spots.

Why might some small low-level attacks go undetected by NIDS?

NIDS often miss subtle local activities.

What is a crucial factor that limits the effectiveness of both HIDS and NIDS?

Inability to monitor high-speed networks.

How do HIDS and NIDS complement each other in a network security strategy?

Each compensates for the other's weaknesses.

What is one primary advantage of using honeypots in network security?

They help differentiate between hostile and non-hostile activities.

What role does a firewall play in relation to a honeypot?

It can manage and log the traffic directed to the honeypot, aiding in monitoring intruder activity.

What is the simplest type of honeypot described?

Port monitor.

How does a deception system enhance the effectiveness of a honeypot?

By engaging with intruders to make them believe they are interacting with a real server.

Which factor is crucial for an effective response from an intrusion detection system?

A preplanned set of defensive measures and an incident response team.

What signifies that a honeypot might be compromised?

Outgoing traffic originating from the honeypot.

Which of the following describes a multiprotocol deception system?

It provides tools for handling multiple commonly hacked protocols.

What happens when an intruder accesses a honeypot without any expected traffic?

It could suggest a focused intrusion attempt due to honeypots being isolated.

What is the purpose of having an incident response team (IRT)?

To serve as the first contact team during security incidents.

What is a common characteristic of honeypots that makes them appealing to network security?

They can lure in potential attackers through misleading setups.

Study Notes

System Intrusion Detection and Prevention

• Ownership motivates individuals and groups to protect valuable resources, given the inherent risks of security failure.
• Computer network security centers on three principles: prevention, detection, and response; with emphasis on detection and prevention.
• Intrusion detection identifies unauthorized access attempts to computer systems and networks while intrusion prevention actively blocks these attempts.

Intrusion Detection Overview

• Intrusion detection emerged from James Anderson's 1980 paper, highlighting the role of audit trails in tracking misuse and user behavior.
• An intrusion is defined as an unauthorized attempt to access or manipulate valuable property, which can render the property unreliable.
• Types of intrusions include attempted break-ins, masquerade attacks, penetrations of security controls, leakage, denial of service, and malicious use.

The Intrusion Process

• Intrusion occurs in stages: target identification, reconnaissance, gaining access, and utilizing system resources.
• Reconnaissance involves thorough information gathering about the target, including vulnerabilities, often using systematic scans.

Vulnerability Assessment

• Vulnerability assessment identifies weaknesses in systems via automated scanning methods that detect known vulnerabilities in software and protocols.
• Advances in technology have led to improved vulnerability assessment procedures.

Types of Intrusions

• Physical Intrusion: Intruders infiltrate networks by masquerading as legitimate users or exploiting security lapses.
• Denial of Service (DoS): Attacks aimed at crashing services or overwhelming resources without exploiting information but disrupting operations.
• Common DoS tactics include Ping of Death, SYN flood, Land/Latierra, and WinNuke which cause system disruptions.

Dangers of Intrusions

• Loss of personal data poses significant risks as intruders can copy sensitive information without detection, leading to severe damage.
• Compromised privacy results in unauthorized access to personal information stored in various organizations.
• Organizations bear legal liabilities when personal customer information is hacked, potentially facing damages from breaches.

Intrusion Detection Systems (IDSs)

• IDSs monitor unauthorized intrusions to safeguard computer systems and networks, evolving from historical security practices like castle fortifications.
• Historical intrusion detection utilized physical barriers and vigilant observation; modern systems adapt these concepts using technological advancements.

Models of Intrusion Detection Mechanisms

• Intrusion detection can be classified into three models: anomaly-based detection, signature-based detection, and hybrid detection models.
• Anomaly-based Detection: Focuses on identifying actions that deviate from established norms; relies on continuous updates of what constitutes normal behavior.
• Signature-based Detection: Identifies known attack patterns and misuse signatures but cannot detect new, unknown attacks.

Anomaly Detection

• Anomaly detection systems learn to establish "normal" activity profiles to identify deviations.
• Profiles may be based on user actions, group behaviors, or resource usage, though this can lead to false positives/negatives and require high computational resources.

Misuse Detection

• Misuse detection uses specific patterns or signatures of known attacks.
• While effective for identifying known threats, it cannot detect novel attacks and relies on a continually updated knowledge database.

Types of Intrusion Detection Systems

• Intrusion detection systems are categorized by their monitoring scope:
  • Network-Based Intrusion Detection Systems (NIDSs): Monitor entire network traffic for unauthorized activities, capturing all packets regardless of predetermined filters.
  • Host-Based Intrusion Detection Systems (HIDSs): Focus on individual hosts, analyzing activities within a specific system to detect intrusions.### Network Intrusion Detection Systems (NIDS)
• Alert generation occurs when packet signatures do not match acceptable criteria.
• NIDS can operate as standalone machines or monitor their own traffic, useful for tracking SYN floods or TCP port scans.
• Attackers can exploit traffic stream ambiguities to evade NIDS detection.
• Limited analysis capabilities and lack of host protocol implementation knowledge hinder NIDS effectiveness.

Components of an Intrusion Detection System

• Network Tap/Load Balancer: Gathers and distributes network data to sensors; crucial for preventing packet loss.
• Network Sensor/Monitoring: Dedicated programs that classify traffic as normal or suspicious, can operate in anomaly-based or signature-based modes.
• Analyzer: Assesses incoming traffic based on threat severity and classifies it as safe or an attack.
• Alert Notifier: Alerts security personnel about significant threats via various notification methods.
• Command Console/Manager: Central command for managing incidents and monitoring the system.
• Response Subsystem: Executes actions based on threats, such as reconfiguring routers or shutting connections.
• Database: Stores observed data and statistics to aid in damage assessment and intrusion detection.

Placement of IDS Sensors

• Sensors should be placed in strategic locations, such as:
  • Inside the DMZ for optimal detection of attacks entering the internal network.
  • On both sides of firewalls and in low-bandwidth links to catch external attacks.
  • In weak points within the internal network for monitoring suspicious activity.

Advantages of NIDS

• Detects intrusions in real-time, allowing for quick administrator responses.
• Catches both successful and unsuccessful attacks based on traffic visibility.

Disadvantages of NIDS

• Blind spots in internal networks due to strategic placement.
• Ineffective against encrypted data; unable to decrypt it despite scanning headers.

Host-Based Intrusion Detection Systems (HIDS)

• Focuses on monitoring a single computer's activity to detect malicious actions using operating system-specific logs.
• HIDS can be deployed on remote hosts or segments of a network.
• Analysis of extensive log data may lead to significant processing overhead.

Advantages of HIDS

• Offers quick verification of attack success and greater accuracy in detecting events.
• Monitors low-level activities that NIDS may miss, providing timely responses.
• Capable of dealing with encrypted traffic since it operates at the host level, allowing visibility into decrypted data.

Disadvantages of HIDS

• Limited view of the network, making them susceptible to local tampering.

Hybrid Intrusion Detection System

• Combines features of both NIDS and HIDS to provide comprehensive network security.
• Aims to eliminate the limitations of both systems by integrating their strengths.

Changing Nature of IDS Tools

• Focus is shifting towards addressing insider threats due to the prevalence of internal misuse.
• IDS tools are evolving to adapt to new attack patterns and increasingly complex network environments.

Other Types of Intrusion Detection Systems

• System Integrity Verifiers (SIVs): Monitor critical files and system components for unauthorized changes and elevated privileges.### Log File Monitors (LFM)
• LFMs record log files generated by network services and monitor them for trends indicating potential attacks.
• Serve a similar role to Network Intrusion Detection Systems (NIDS), identifying suspicious patterns.

Honeypots

• Honeypots mimic vulnerable systems to attract and learn from intruders, enabling analysis of their methods.
• Operate as deceptive tools, differing from traditional intrusion detection systems like Host Intrusion Detection Systems (HIDS) and NIDS.
• Optimal placement is within the Demilitarized Zone (DMZ) of a network or behind a firewall to enhance security and monitoring capabilities.

Honeypot Positioning

• Firewalls log all traffic, aiding in tracking intruder activities directed at the honeypot.
• Unique packets targeting the honeypot denote unauthorized access, suggesting probing by adversaries.
• Any outgoing traffic indicates potential compromise of the honeypot.

Types of Honeypots

• Port Monitor: Simple program that listens for traffic on designated ports and alerts administrators of scans.
• Deception System: Interacts with intruders, mimicking a real server to trap attacks against common protocols.
• Multiprotocol Deception System: Incorporates multiple commonly hacked protocols for broader detection.
• Full Systems: Go beyond deception, offering alerting capabilities for unusual conditions and combining with NIDS for internal logging.

Advantages of Honeypots

• Enhance detection of hostile intrusions by serving as isolated traps for attackers.
• Capable of luring hackers through deceptive banners, making them appear vulnerable to hacking.

Incident Response to System Intrusion

• An effective IDS should trigger a preplanned response that may vary in urgency based on the type of attack.
• Response procedures should include a well-prepared incident response team and methods for collecting logs as evidence.

Incident Response Team (IRT)

• Centralized group responsible for initial contact and management during an incident.
• Must stay updated on threats, assess damage, and formulate recovery strategies post-incident.
• Actions taken should prioritize human safety, protection of sensitive data, and minimize system damage.

IDS Logs as Evidence

• Logs serve as protection for organizations in potential legal situations, requiring a clear monitoring policy to inform users of data collection.

Challenges to Intrusion Detection Systems

• Deployment in switched environments poses severe limitations, as IDS sensors are restricted from accessing all network traffic, leading to potential gaps in detection.
• Solutions like port mirroring can create overhead and inefficiencies when traffic spikes.

Deployment Solutions

• Tapping: Use passive taps to create copies of traffic for analysis, preventing overload on single ports.
• Issues include false alarms and high resource demands during large-scale attacks, which challenge current IDS capabilities.
• Technology is effective but should not be seen as a definitive solution to all network security issues.

Description

This quiz explores the concepts of system intrusion detection and prevention, focusing on the psychology and politics of ownership in relation to resource security. Understand the factors that shape security measures and the inherent vulnerabilities present. Test your knowledge on how these concepts apply in modern cybersecurity contexts.