20 Cards in this Set
The operational model of security is
protection = prevention + (detection + response)
Access controls and filters seek to prevent what kind of activities?
unauthorized or damaging activity.
When do intrusion and misuse detection mechanisms aim to detect said intrusion or misuse?
at its outset or after the fact.
Intrusion and misuse detection has its roots in what files?
Intrusion and misuse detection has its roots in audit log files
Intrusion and misuse detection operates on the principle that it is neither _________ nor ________ to prevent all attacks.
Operate on the principle that it is neither practical nor feasible to prevent all attacks.
True or False: Intrusion Detection can be manual (review of logs), automated, or a combination.
True
True or False: Intrusion detection isn't closely related to monitoring.
False
Workplace monitoring is used to do what 3 things?
* Ensure quality
* Assess performance
* Comply with regulations (e.g. ensure stockbrokers aren’t using high-pressure tactics in violation of stock exchange rules)
Logs can be used to do what?
* troubleshoot problems
* track network anomalies
* trace an intruder
* provide evidence if case brought to trial
* determine the extent of damage.
What do you need to establish a logging policy?
~ What are you going to log?
~ What tools will be used to create the logs?
~ Who will review logs and how often?
~ How long will logs be stored?
~ Where and how?
True or False: Most OSes have logging functions built in.
True
As an example of logging tools, what is SWATCH?
As an example of logging tools, SWATCH provides real-time monitoring, logging, and reporting.
SWATCH's features include what 3 things?
~ A “backfinger” utility to grab finger information from an attacking host.
~ Support for instant paging
~ Conditional execution of commands (e.g. if a certain condition is found in a log file, then execute a certain sequence of commands)
Name 5 of the various types of activities that an IDS checks for.
~ Attempted/successful break-ins
~ Masquerading
~ Penetration by legitimate users
~ Leakage by legitimate users
~ Inference by legitimate users
~ Trojan horses
~ Viruses
~ Denial-of-service
IDS
Intrusion Detection System
SWATCH stands for?
System watcher
Four major methods attempted to perform intrusion detection:
~ User Profiling
~ Intruder Profiling
~ Signature Analysis
~ Action-based (attack “signatures”)
What is user profiling?
~ Basic premise: the identity of any specific user can be described by a profile of commonly performed actions.
~ The user’s pattern of behavior is observed and established over a period of time.
~ A user profile can be established based on these activities and maintained through frequent updating.
~ A masquerading intruder will not match this profile.
What is intruder profiling?
~ Concept similar to criminal profiles used in the Law Enforcement community.
~ Attempt to define the actions that an intruder will take when unauthorized action is obtained.
~ Can also apply to insiders gaining access to files they are not authorized to access.
What is signature analysis?
~ Just as an individual has a unique written signature which can be used for identification purposes, individuals also have a “typing signature”.
~ This characteristic was first noticed in telegraph days.
~ The time it takes to type certain pairs or triplets of letters can be measured, and the collection of these digraphs and trigraphs together forms a unique collection used to characterize individuals.
~ This technique requires special equipment.
~ Variation on this is to watch for certain abbreviations for commands and common errors.