Please enable JavaScript.

Coggle requires JavaScript to display documents.

15:5 (INTRUSION DETECTION SYSTEMS (Features (• Intrusion detection, •…

- - - - identify attacks within the monitored
        network
      - placed between the Internet and the firewall,
      - detect all the attack attempts, whether or not they enter the firewall
      - If it is placed between a firewall and the corporate network, it will detect those attacks that enter the firewall (it will detect intruders).
    - - configured for a specific environment
      - monitor various internal resources of the OS to warn of a possible attack.
      - detect the modification of executable programs,
      - detect the deletion of files
      - issue a warning when an attempt is made to use a privileged command
  - - - protect against detected intrusion patterns. Identified intrusive patterns are stored as signatures.
        
        cannot detect all types of intrusions due to the
        limitations of the detection rules
    - - need a comprehensive definition of the
        known and expected behavior of systems.
        
        may report many events outside of the defined normal activity but which are normal activities on the network.
    - - feature monitors the general patterns of activity and traffic on the network and creates a database
        
        similar to the statistical model but with added self-learning functionality
  - - - significant risk to the organization’s
        data or systems, immediate termination is the usual procedure
    - - risk to the data is low, the activity is not immediately threatening, or analysis of the entry point and attack method is desirable,
        
        IDS can be used to trace the origin of the intrusion.
        
        used to determine and correct any system weaknesses and to collect evidence of the attack which may be used in a subsequent court action
- - - - vulnerable server on the Internet and is not set up to actively protect against break-ins
    - - technically related to IDSs and firewalls, it has no real production value as an active sentinel of networks.
    - - • High-interaction—Give hackers a real environment to attack
      - • Low-interaction—Emulate production environments and provide limited information
  - - - Hackers infiltrate the honeynet, which allows investigators to observe the hackers’ actions using a combination of surveillance technologies.
- - - - uses algorithms to calculate threat levels incurred by relevant events on various IT assets.
    - - create situation-specific rules that establish a pattern of events.
  - - - organized team created to improve the security posture of an organization and to respond to cybersecurity incidents.
        
        uses SIEM for monitoring and
        detection
- - - - evaluated to ensure that they support SoD (e.g., development vs. operation, security administration vs. audit)
    - - designed to support the security of the services being provided (e.g., screening routers, dual/multihomed host, screened subnet and DMZ proxy servers).
    - - to determine good
        practices are in place
    - - segmented by trust levels, using appropriately
        configured routers.
    - - – Intrusion detection software is in place.
      - – Filtering is being performed.
      - – Encryption is being used (consider VPNs/tunneling, digital signatures for email).
      - Strong forms of authentication are being used
        
        (consider use of smart cards, biometrics, for authentication to firewalls, to internal software/hardware within the network, and to external hardware/software).
      - firewalls have been configured properly
        
        (consider removal of all unnecessary software, addition of security and auditing software, removal of unnecessary logon IDs, disabling of unused services).
      - application- or circuit-level gateways in use are running proxy servers for all legitimate services (e.g., teletype network [Telnet], HTTP and FTP).
      - Virus scanning is being used
      - Periodic penetration testing is being completed.
      - Audit logging is undertaken for all key systems (e.g., firewalls, application gateways and routers) and audit logs are copied to secure file systems (consider the use of SIEM software).
      - security administrators are keeping up to date with the latest known vulnerabilities
        
        organizations’ vendors, their local and international CERT, and vulnerability databases (e.g., the National Vulnerability Database operated by the NIST)