Term
|
Definition
Considered the first worm and was certainly the first to gain significant mainstream media attention. It also resulted in the first conviction in the US under the 1986 Computer Fraud and Abuse Act. It was written by a student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988 from MIT. |
|
|
Term
|
Definition
A 1989 book written by Clifford Stoll. It is his first-person account of the hunt for a computer cracker who broke into a computer at the Lawrence Berkeley National Laboratory (LBL). |
|
|
Term
Intrusion Prevention System (definition) |
|
Definition
Network security appliances that monitor network and/or system activities for malicious activity. Their main functions are to identify malicious activity, log information about it, attempt to block or stop it, and report it. |
|
|
Term
Intrusion Prevention System (types) |
|
Definition
They can be classified into four different types:
1. Network-based Intrusion Prevention (NIPS)
2. Wireless Intrusion Prevention Systems (WIPS)
3. Network Behavior Analysis (NBA)
4. Host-based Intrusion Prevention (HIPS)
|
|
|
Term
Intrusion Prevention System: Network-based Intrusion Prevention (NIPS) |
|
Definition
Monitors the entire network for suspicious traffic by analyzing protocol activity.
Note: Focus on packet inspection. |
|
|
Term
Intrusion Prevention System: Wireless Intrusion Prevention Systems (WIPS) |
|
Definition
Monitors a wireless network for suspicious traffic by analyzing wireless networking protocols. |
|
|
Term
Intrusion Prevention System: Network Behavior Analysis (NBA) |
|
Definition
Examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations.
Note: Focus on what's happening inside the network and aggregating data from many places to support determining a threat. |
|
|
Term
Intrusion Prevention System: Host-based Intrusion Prevention (HIPS) |
|
Definition
An installed software package that monitors a single host for suspicious activity by analyzing events occurring within that host. |
|
|
Term
Intrusion Prevention System: Detection Method: Signature-based Detection |
|
Definition
This method of detection utilizes signatures, which are attack patterns that are preconfigured and predetermined. A signature-based intrusion prevention system monitors the network traffic for matches to these signatures. Once a match is found the intrusion prevention system takes the appropriate action. |
|
|
Term
Intrusion Prevention System: Detection Method: Statistical Anomaly-based Detection |
|
Definition
This method of detection baselines performance of average network traffic conditions. After a baseline is created, the system intermittently samples network traffic, using statistical analysis to compare the sample to the set baseline. If the activity is outside the baseline parameters, the intrusion prevention system takes the appropriate action. |
|
|
Term
Intrusion Prevention System: Detection Method: Stateful Protocol Analysis Detection |
|
Definition
This method identifies deviations of protocol states by comparing observed events with “predetermined profiles of generally accepted definitions of benign activity”. |
|
|
Term
What does “detect unauthorized access” mean? |
|
Definition
• Detect exploits of vulnerabilities by unauthorized users.
• Detect security vulnerabilities created by authorized users.
• Control and contain all authorized user activity in the information systems environment. |
|
|
Term
|
Definition
• authorized users using an authorized access path in a way that does not correspond to its purpose
• system activity by an unauthorized person who is impersonating an authorized user (thus appearing to the ISO as an authorized user)
• use of an access path for which there is no business purpose, and thus is unauthorized, due to:
  • inadequate controls, or
  • a zero-day threat |
|
|
Term
|
Definition
While people may be focused on their individual selves, which in this case is represented by the “home”, they are not as focused on the relationships which connect these selves, which in this case is represented by the “sidewalk”, or any “in-between” area.
Relation to security: People spend more time creating and perfecting their systems than they do the connections that tie the systems together. |
|
|
Term
Cyber attacks can be evidenced by: |
|
Definition
• Behavioral activity
• Configuration checking tools, e.g., an unexplained configuration change
• Honey pots
• Performance monitoring
• Empty log files, or logs indicating bypass of security mechanisms
• Explicit policy violation
• Data corruption |
|
|
Term
|
Definition
A trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. |
|
|
Term
Behavioral Clues indicating a possible cyber attack |
|
Definition
• Repetition of suspicious action
• Mistyped commands or responses during automated sequences
• Exploitation of known vulnerabilities (using scanning tools)
• Directional inconsistencies in inbound or outbound packets
• Unexpected attributes of some service request or packet
• Unexplained problems in some service request
• Out-of-band knowledge about an intrusion (e.g. from hacker web pages)
• Suspicious character of traffic (e.g. unencrypted traffic in a secure environment) |
|
|
Term
A Warning about False Positives |
|
Definition
It is almost impossible to tell the behavioral difference between an intruder and a system administrator: both enter a system with the intent to query every possible aspect of its operation.
|
|
|
Term
Basic Intrusion Detection Metrics |
|
Definition
• A - The number of machines you manage in a network management system is one measurement.
• B - The number of reports of security alerts.
• C - The number of those reports that signified actual intrusions rather than false positives.
• C/A - should decrease as systems grow more secure.
• (B-C)/A - should approach zero as the intrusion detection system gets better. |
|
|