31 Cards in this Set
- Front
- Back
zero-day attack, sometimes referred to as a zero-day threat |
a computer attack that tries to exploit software vulnerabilities that are unknown to, or not yet disclosed by, the software vendor |
|
The term zero-hour |
describes the moment when the exploit is discovered |
|
Intrusion Detection Systems (IDSs) |
were implemented to passively monitor the traffic on a network |
|
Working offline means several things: |
the IDS works passively; the IDS device is physically positioned in the network so that traffic must be mirrored in order to reach it; network traffic does not pass through the IDS unless it is mirrored |
|
Although the traffic is monitored and perhaps reported, no action is taken on packets by the IDS. This offline IDS implementation is referred to as |
promiscuous mode. |
|
IDS detects a malicious attack but cannot stop it without help |
IPS detects an attack and stops it immediately |
|
IPS |
inline: all traffic must flow through it. Monitors Layer 3 and Layer 4 traffic. Uses several detection technologies, including signature-based, profile-based, and protocol analysis-based intrusion detection |
|
IDS and IPS technologies use two kinds of signature patterns |
atomic signature patterns (single-packet) and composite signature patterns (multi-packet) |
|
Host-based IPS (HIPS) |
software installed on a single host to monitor and analyze suspicious activity. |
|
network-based IPS |
can be implemented using a dedicated or non-dedicated IPS device. |
|
implemented on a router with or without an |
IPS Advanced Integration Module (AIM) or an IPS Network Module Enhanced (NME) |
|
Implemented on a firewall with or without an |
ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM) |
|
IPS added to a Catalyst 6500 switch using the |
Intrusion Detection System Services Module (IDSM-2) |
|
A network IPS uses three hardware pieces |
NIC, processor, and memory |
|
Network IPS advantages |
cost-effective; not visible on the network; operating-system independent |
|
Network IPS disadvantages |
cannot examine encrypted traffic; cannot determine whether an attack was successful |
|
Inline mode also scans Layers 3 to 7 |
to detect more sophisticated embedded attacks. |
|
Port mirroring |
a feature that allows a switch to make a duplicate copy of an incoming Ethernet frame and send it out a port with a packet analyzer attached for capture |
|
Switched Port Analyzer (SPAN) |
feature on Cisco switches that sends copies of frames entering one port out another port on the same switch |
|
Signatures have three distinctive attributes: |
Type; Trigger (alarm); Action |
|
Atomic Signature |
a single packet, activity, or event that is examined to determine if it matches a configured signature |
|
Composite Signature |
identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time (also called a stateful signature) |
|
The length of time that the signatures must maintain state is known as the |
event horizon. |
|
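The three cards above (atomic signature, composite signature, event horizon) are easiest to see side by side in code. The following is an added example, not material from the flashcard set or from any Cisco sensor: an atomic signature that fires on a single oversized ICMP packet, and a composite signature that keeps per-source state and fires only when five SYNs to distinct ports arrive within the event horizon. The packet records, thresholds (1024-byte ICMP payload, five ports, 10-second horizon) and the three traffic samples are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed, minimal packet record; only the fields the signatures need."""
    ts: float            # arrival time in seconds
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""      # TCP flags, e.g. "S" for a bare SYN
    payload: bytes = b""


def atomic_large_icmp(pkt: Packet, max_len: int = 1024) -> bool:
    """Atomic signature: the decision needs only this one packet.
    Fires on an ICMP packet whose payload exceeds max_len (assumed threshold)."""
    return pkt.proto == "icmp" and len(pkt.payload) > max_len


class CompositePortSweep:
    """Composite (stateful) signature: fires when one source sends SYNs to
    `threshold` distinct ports on one destination within `horizon` seconds.
    `horizon` is the event horizon: state older than it is discarded."""

    def __init__(self, threshold: int = 5, horizon: float = 10.0):
        self.threshold = threshold
        self.horizon = horizon
        self._state = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]

    def observe(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp" or pkt.flags != "S":
            return False
        window = self._state[(pkt.src, pkt.dst)]
        window.append((pkt.ts, pkt.dport))
        cutoff = pkt.ts - self.horizon
        window[:] = [(t, p) for t, p in window if t >= cutoff]   # expire old state
        if len({p for _, p in window}) >= self.threshold:
            window.clear()               # fire once per sweep, then start over
            return True
        return False


def run_sensor(packets, horizon: float = 10.0):
    """Feed packets in arrival order to both signatures; return (ts, name, src) alerts."""
    sweep = CompositePortSweep(horizon=horizon)
    alerts = []
    for pkt in packets:
        if atomic_large_icmp(pkt):
            alerts.append((pkt.ts, "atomic:large-icmp", pkt.src))
        if sweep.observe(pkt):
            alerts.append((pkt.ts, "composite:port-sweep", pkt.src))
    return alerts


# Constructed sample traffic (not captured data).
FAST_SWEEP = [Packet(1.0 + i, "10.0.0.9", "10.0.0.1", "tcp", dport=20 + i, flags="S")
              for i in range(5)]                       # five ports within 5 s
SLOW_SWEEP = [Packet(100.0 + 15 * i, "10.0.0.7", "10.0.0.1", "tcp", dport=20 + i, flags="S")
              for i in range(5)]                       # five ports, 15 s apart
BIG_PING = [Packet(50.0, "10.0.0.5", "10.0.0.1", "icmp", payload=b"A" * 2000)]

if __name__ == "__main__":
    print(run_sensor(FAST_SWEEP))                 # composite alert at t=5.0
    print(run_sensor(SLOW_SWEEP))                 # nothing: each SYN ages out before the next
    print(run_sensor(SLOW_SWEEP, horizon=100.0))  # alert: the horizon now spans the sweep
    print(run_sensor(BIG_PING))                   # atomic alert at t=50.0
```

The slow sweep is the point of the event horizon: with a 10-second horizon each SYN has expired before the next arrives, so the same five-port scan is never seen as one event; stretching the horizon to 100 seconds catches it, at the cost of keeping state for every source that much longer.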
signature micro-engines (SMEs) |
categorize common signatures in groups |
|
Atomic |
Signatures that examine simple packets, such as ICMP and UDP |
|
Service |
Signatures that examine the many services that are attacked |
|
String |
Signatures that use regular expression-based patterns to detect intrusions |
|
Multi-string |
Supports flexible pattern matching and Trend Labs signatures |
|
Other |
Internal engine that handles miscellaneous signatures |
|
four types of signature triggers: |
Pattern-based detection; Anomaly-based detection; Policy-based detection; Honey pot-based detection |
|
protocol decodes |
break down a packet into the fields of a protocol, then search for a specific pattern in a specific protocol field, or for some other malformed aspect of the protocol fields |
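To show why a protocol decode is more than a regular expression (the String engine card above), here is an added example that is not part of the flashcard set: a regex-only check for a directory-traversal pattern beside a tiny HTTP/1.x request decoder that looks for the same pattern only in the URI field and also reports a malformed request line. The decoder handles an assumed subset of HTTP (CRLF line endings, one request per payload), the 2048-byte URI limit is an assumed threshold, and the three payloads are constructed, not captured.

```python
import re

# Pattern a string-engine signature would look for anywhere in the payload.
TRAVERSAL = re.compile(rb"\.\./")


def raw_string_match(raw: bytes) -> bool:
    """String-style signature: regex over the whole payload, with no notion of fields."""
    return TRAVERSAL.search(raw) is not None


def decode_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request decoder (assumed subset: CRLF line endings,
    one request per payload). Raises ValueError when the request is malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line")
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def protocol_decode_match(raw: bytes, max_uri: int = 2048):
    """Protocol-decode signature: fires only if the traversal pattern sits in the
    URI field, the URI is oversized (assumed limit), or the request is malformed.
    Returns the alert name, or None when nothing matches."""
    try:
        req = decode_http_request(raw)
    except ValueError as err:
        return "malformed-http: " + str(err)
    if TRAVERSAL.search(req["uri"]):
        return "traversal-in-uri"
    if len(req["uri"]) > max_uri:
        return "oversized-uri"
    return None


# Constructed sample payloads (not captured traffic).
ATTACK = (b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"
          b"Host: www.example.com\r\n\r\n")
BENIGN_BODY = (b"POST /notes HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Content-Length: 18\r\n\r\n"
               b"see ../docs/readme")          # pattern in the body, not the URI
MALFORMED = b"GET /index.html\r\nHost: www.example.com\r\n\r\n"  # no HTTP version

if __name__ == "__main__":
    for name, raw in [("attack", ATTACK), ("benign", BENIGN_BODY), ("malformed", MALFORMED)]:
        print(name, "string:", raw_string_match(raw), "decode:", protocol_decode_match(raw))
```

The benign POST is the false positive a field-blind string match produces, and the request without a version is the kind of malformed-field condition only a decoder can notice; both are invisible to the regex alone.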