BOR3307: Intro to Cybersecurity

Transcription

1 Key Terms for lesson 4 are listed below: It is important that you maintain a copy of these key terms handy as you take this course and complete the readings. Working from a standard lexicon will keep you from misinterpreting what the readings are. Access control list (ACL): the column of attributes associated with a particular object (such as a printer) in lattice- based access control. Access control: the method by which systems determine whether and how to admit a user into a trusted area of the organization that is, information systems, restricted areas such as computer rooms, and the entire physical location. Access point and wireless switch locations: Wireless components with bundled IDPS capabilities must be carefully deployed to optimize the IDPS sensor detection grid. Accountability (auditability): ensures that all actions on a system authorized or unauthorized can be attributed to an authenticated identity. Active vulnerability: scanners scan networks for highly detailed information. Address restrictions: rules designed to prohibit packets with certain addresses or partial addresses from passing through the device. Alarm clustering and compaction: A process of grouping almost identical alarms that happen at close to the same time into a single higher- level alarm. Alarm Filtering: The process of classifying IDPS alerts so that they can be more effectively managed. Alert or Alarm: An indication that a system has just been attacked and/or continues to be under attack. Application gateway (application- level firewall or application firewall): frequently installed on a dedicated computer, separate from the filtering router, but is commonly used in conjunction with a filtering router. Application protocol verification: the higher- order protocols (HTTP, FTP, and Telnet) are examined for unexpected packet behavior or improper use. Asynchronous tokens: don t require that the server and tokens all maintain the same time setting, use a challenge/response system. Authentication: the process of validating a supplicant s purported identity. Authorization: the matching of an authenticated entity to a list of information assets and corresponding access levels. Back hack: a hack into a hacker s system to find out as much as possible about the hacker. Bastion host (sacrificial host): stands as a sole defender on the network perimeter. Biometric access control: based on the use of some measurable human characteristic or trait to authenticate the identity of a proposed systems user (a supplicant). Capabilities table: the row of attributes associated with a particular subject (such as a user) in lattice- based access control. Centralized IDPS: control strategy where all IDPS control functions are implemented and managed in a central location Circuit gateway firewall: operates at the transport layer and connections are authorized based on addresses. Confidence Value: The measure of an IDPS s ability to correctly detect and identify certain types of attacks. Content filter: a software filter technically not a firewall that allows administrators to restrict access to content from within a network. Cost: The more sensors deployed, the more expensive the configuration. Wireless components typically cost more than their wired counterparts, and thus the total cost of ownership of IDPS of both wired and wireless varieties should be carefully considered.

2 Crossover error rate (CER): the level at which the number of false rejections equals the false acceptances, and is also known as the equal error rate. Diameter protocol: defines the minimum requirements for a system that provides authentication, authorization and accounting (AAA) services and can go beyond these basics and add commands and/or object attributes. Discretionary access controls (DACs): implemented at the discretion or option of the data user. Dumb cards: ID cards or ATM cards with magnetic stripes containing the digital (and often encrypted) user personal identification number (PIN), against which the number a user input is compared. Dynamic packet- filtering firewall: allows only a particular packet with a particular source, destination, and port address to enter. Enticement: the act of attracting attention to a system by placing tantalizing information in key locations. Entrapment: the act of luring an individual into committing a crime to get a conviction. Evasion: The process by which attackers change the format and/or timing of their activities to avoid being detected by the IDPS. False accept rate: the percentage of identification instances in which unauthorized users are allowed access to systems or areas as a result of a failure in the biometric device. False Attack Stimulus: An event that triggers alarms and causes a false positive when no actual attacks are in progress. False Negative: The failure of an IDS system to react to an actual attack event. False Positive: An alert or alarm that occurs in the absence of an actual attack. A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack. False reject rate: the percentage of identification instances in which authorized users are denied access a result of a failure in the biometric device. Fifth generation firewalls: include the kernel proxy, a specialized form that works under Windows NT Executive, which is the kernel of Windows NT. This type of firewall evaluates packets at multiple layers of the protocol stack, by checking security in the kernel as data is passed up and down the stack. Fingerprinting: a systematic survey of all of the target organization s Internet addresses (which were collected during the footprinting phase). Firewall: prevents specific types of information from moving between the outside world and the inside world. First generation firewalls: static packet- filtering firewalls that is, simple networking devices that filter packets according to their headers as the packets travel to and from the organization s networks. Footprinting: the organized research of the Internet addresses owned or controlled by a target organization. Fourth generation firewalls (dynamic packet- filtering firewalls): allow only a particular packet with a particular source, destination, and port address to enter. Fully distributed IDPS control strategy: all control functions are applied at the physical location of each IDPS component. Honeynet: a collection of honeypots connected to several honeypot systems on a subnet. Honeypots: decoy systems designed to lure potential attackers away from critical systems. Host- based IDPS (HIDPS): resides on a particular computer or server, known as the host, and monitors activity only on that system. Hybrid VPN: combines the trusted VPN and secure VPN, providing encrypted

3 transmissions (as in secure VPN) over some or all of a trusted VPN network. Identification: a mechanism whereby an unverified entity called a supplicant that seeks access to a resource proposes a label by which they are known to the system. Inline sensors: typically intended for network perimeter use, so they would be deployed in close proximity to the perimeter firewalls, often between the firewall and the Internet border router to limit incoming attacks that could overwhelm the firewall. Intrusion detection and prevention system (IDPS): combined term; generally used to describe current anti- intrusion technologies. Intrusion detection systems (IDSs): works like a burglar alarm in that it detects a violation (some system activity analogous to an opened or broken window) and activates an alarm. Intrusion prevention system (IPS): can detect an intrusion and also prevent that intrusion from successfully attacking the organization by means of an active response. Kerberos: uses symmetric key encryption to validate an individual user to various network resources. Lattice- based access control: are assigned a matrix of authorizations for particular areas of access. Log file monitor (LFM) IDPS: similar to a NIDPS. Using LFM, the system reviews the log files generated by servers, network devices, and even other IDPSs, looking for patterns and signatures that may indicate that an attack or intrusion is in process or has already occurred. Mandatory access controls (MACs): use data classification schemes; they give users and data owners limited control over access to information resources. Minutiae: unique points of reference that are digitized and stored in an encrypted format when the user s system access credentials are created. Monitoring port (switched port analysis (SPAN) port or mirror port): a specially configured connection on a network device that is capable of viewing all of the traffic that moves through the entire device. Network- based IDPS (NIDPS): resides on a computer or appliance connected to a segment of an organization s network and monitors network traffic on that network segment, looking for indications of ongoing or successful attacks. Noise: Alarm events that are accurate and noteworthy but that do not pose significant threats to information security. Nondiscretionary controls: a strictly- enforced version of MACs that are managed by a central authority in the organization. Packet sniffer (network protocol analyzer): a network tool that collects copies of packets from the network and analyzes them. Packet- filtering firewall (filtering firewall): examines the header information of data packets that come into a network. Partially distributed IDPS control strategy: combines the best of centralized and fully distributed IDPS strategies. Passive vulnerability scanner: one that listens in on the network and determines vulnerable versions of both server and client software. Passphrase: a series of characters, typically longer than a password. Password: a private word or combination of characters that only the user should know. Physical security: Unlike wired network sensors, which can be physically secured, many wireless sensors are located in public areas like conference rooms, assembly areas, and hallways in order to obtain the widest possible network range. Port scanners: tools used by both attackers and defenders to identify (or fingerprint) the computers that are active on a

4 network, as well as the ports and services active on those computers, the functions and roles the machines are fulfilling, and other useful information. Protocol stack verification: in this process the NIDPSs look for invalid data packets that is, packets that are malformed under the rules of the TCP/IP protocol. Proxy server: see application gateway. Remote Authentication Dial- In User Service (RADIUS) system: centralizes the management of user authentication by placing the responsibility for authenticating each user in the central RADIUS server. Reverse firewalls: see content filters. Screened subnet: an entire network segment that performs two functions: it protects the DMZ systems and information from outside threats by providing a network of intermediate security (more secure than the general public networks but less secure than the internal network); and it protects the internal networks by limiting how external connections can gain access to them. Second generation firewalls: application- level firewalls or proxy servers that is, dedicated systems that are separate from the filtering router and that provide intermediate services for requestors. Secure VPNs: use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet. Sensor range: A wireless device s range can be affected by atmospheric conditions, building construction, and the quality of both the wireless network card and access point. Signature- based IDPS (knowledge- based IDPS or a misuse- detection IDPS): examines network traffic in search of patterns that match known signatures that is, preconfigured, predetermined attack patterns. Site Policy Awareness: An IDS s ability to dynamically modify its site policies in reaction or response to environmental activity. Site Policy: The rules and configuration guidelines governing the implementation and operation of IDSs within the organization. Smart card: contains a computer chip that can verify and validate a number of pieces of information instead of just a PIN. State table: tracks the state and context of each packet in the conversation by recording which station sent what packet and when. Stateful inspection firewalls (stateful firewalls): keep track of each network connection between internal and external systems using a state table. Stateful protocol analysis (SPA): a process of comparing predetermined profiles of generally accepted definitions of benign activity for each protocol state against observed events to identify deviations. Statistical anomaly- based IDPS (stat IDPS) or behavior- based IDPS: collects statistical summaries by observing traffic that is known to be normal. Strong authentication: at minimum two different authentication mechanisms drawn from two different factors of authentication, most often something you have and something you know. Synchronous tokens: synchronized with a server, both devices (server and token) use the same time or a time- based database to generate a number that must be entered during the user login phase. System integrity verifiers: also known as HIDPSs; benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files. Terminal Access Controller Access Control System (TACACS): another remote access authorization system that is based on a client/server configuration. Third generation firewalls: stateful inspection firewalls, which, as described

5 previously, monitor network connections between internal and external systems using state tables. Trap- and- trace applications: an extension of the attractant technologies discussed in the previous section, are growing in popularity. True Attack Stimulus: An event that triggers alarms and causes an IDS to react as if a real attack was in progress. Trusted network: the inside world. Trusted VPN (legacy VPN): uses leased circuits from a service provider and conducts packet switching over these leased circuits. Tuning: The process of adjusting an IDPS to maximize its efficiency in detecting true positives, while minimizing both false positives and false negatives. Untrusted network: outside world for example, the Internet. Virtual password: derived from a passphrase. Virtual private network (VPN): a private and secure network connection between systems that uses the data communication capability of an unsecured and public network. War dialer: an automatic phone- dialing program that dials every number in a configured range (e.g., to ), and checks to see if a person, answering machine, or modem picks up. Wired network connections: Wireless network components work independently of the wired network when sending and receiving between stations and access points.