Access Control & Firewall Guide
Notes for Information Security Assurance

IAS 2 Reviewer

ACCESS CONTROL

The selective method by which the system specifies who may use a particular resource and how they may use it.

Discretionary Access Controls – Access controls that are implemented at the judgment or option of the data user.

Nondiscretionary Access Controls – Access controls that are implemented by a central authority.

Lattice-based Access Control – A variation on mandatory access controls that assigns users a matrix of authorizations for particular areas.

Role-based Access Control – A nondiscretionary control where privileges are tied to the role or job a user is performing.

Task-based Access Control – A nondiscretionary control where privileges are temporarily granted to a user based on their task.

Mandatory Access Control – A required, structured data classification scheme that assigns a sensitivity or classification rating to each collection of information as well as to each user.

Attribute-based Access Control – An access control approach whereby the organization specifies the use of objects based on some attribute of the user of the system.

Attribute – A characteristic of a subject that can be used to restrict access to an object.

ACCESS CONTROL MECHANISMS

Four Fundamental Functions of Access Control Systems
1. Identification – User
2. Authentication – Prove
3. Authorization – Allowed
4. Accountability – Track and Monitor

Identification – Seeks a label or username known by the system.

Authentication – Requires validation and verification of an entity's unsubstantiated identity.

3 Authentication Factors
1. Something you know (Password, Passphrases, Virtual Password)
2. Something you have (Smart Card, Dumb Cards, Virtual Password)
3. Something you are (Fingerprints, Palm prints, Hand geometry and topography, retina and iris scans, voice pattern, signatures, keyboard kinetic measurements)

Authorization – Matching of an authenticated entity to a list of information assets and corresponding access levels.

Accountability – Ensures all actions on a system – authorized or unauthorized – can be attributed to an authenticated identity; also known as auditability.

Biometric Access Control – Use of physiological characteristics to provide authentication.

Access Control Architecture Models
1. TCSEC's Trusted Computing Base: A critical concept in the Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book. Developed by the US Department of Defense to evaluate and classify the security of computing systems.
2. ITSEC – Stands for Information Technology Security Evaluation Criteria, a European set of standards developed in the early 1990s to evaluate the security of information systems and products.
3. Common Criteria – An international standard (ISO/IEC 15408) for computer security certification.
4. Bell-LaPadula Confidentiality Model – A formal security model focused on maintaining confidentiality in multi-level security systems. It was developed in the early 1970s by David Bell and Leonard LaPadula.
5. Biba Integrity Model – A formal model designed to maintain the integrity of data in a system, ensuring that information cannot be improperly altered. Developed by Kenneth J. Biba in 1977.
6. Clark-Wilson Integrity Model – A security model designed to ensure the integrity of data by enforcing well-formed transactions and preventing unauthorized or improper modifications. Developed by David D. Clark and David R. Wilson in 1987.
7. Graham-Denning Access Control Model – A formal security model that defines how subjects and objects can be securely managed within a computer system.
   8 Primitive Protection Rights
   1. Create Object
   2. Create Subject
   3. Delete Object
   4. Delete Subject
   5. Read Access Right
   6. Grant Access Right
   7. Delete Access Right
   8. Transfer Access Right
8. Harrison-Ruzzo-Ullman Model – An access control model designed to formally specify how systems manage access rights and control who can access specific resources in a secure and structured manner. Developed by Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman in 1976.
   HRU is built on an access control matrix and includes a set of generic rights and a specific set of commands:
   - Create Object/Subject
   - Enter a specific command or generic right into a subject or object
   - Delete a specific command or generic right from a subject or object
   - Destroy Object/Subject
9. Zero Trust Architecture – An approach to access control in IT networks that does not rely on trusting devices or network connections.
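The access control matrix behind the Graham-Denning and HRU models, with the eight primitive protection rights listed above, as an added illustration (not code from the reviewer notes). The subject and object names are constructed, and the authority checks are a simplified reading of Graham-Denning: the creator of an object owns it, the creator of a subject controls it, and a right written with a trailing "*" carries a copy flag that lets its holder transfer it onward.

```python
"""Access control matrix implementing the eight primitive protection rights.

Added example with constructed subjects/objects. Authority rules (simplified):
owner of an object may grant/revoke rights on it and delete it; controller of
a subject may read/revoke that subject's rights and delete it; a right ending
in '*' may be transferred onward by its holder.
"""
from dataclasses import dataclass, field

OWNER = "owner"
CONTROL = "control"
COPY = "*"


class AccessDenied(Exception):
    """Raised when a subject lacks the authority for a primitive operation."""


@dataclass
class AccessMatrix:
    subjects: set = field(default_factory=set)
    objects: set = field(default_factory=set)
    # (subject, object) -> set of rights the subject holds on the object
    cells: dict = field(default_factory=dict)

    def rights(self, s, o):
        return self.cells.get((s, o), set())

    def _require(self, s, o, right):
        if right not in self.rights(s, o):
            raise AccessDenied(f"{s} lacks {right!r} on {o}")

    def _owns_or_controls(self, s, x, o):
        # Reading or revoking x's rights on o needs ownership of o or control over x
        if OWNER not in self.rights(s, o) and CONTROL not in self.rights(s, x):
            raise AccessDenied(f"{s} neither owns {o} nor controls {x}")

    # 1. Create Object: the creator becomes the owner
    def create_object(self, s, o):
        if o in self.objects:
            raise ValueError(f"{o} already exists")
        self.objects.add(o)
        self.cells[(s, o)] = {OWNER}

    # 2. Create Subject: the creator gains control over the new subject
    def create_subject(self, s, new):
        if new in self.subjects:
            raise ValueError(f"{new} already exists")
        self.subjects.add(new)
        self.objects.add(new)  # a subject is also an object in the matrix
        self.cells[(s, new)] = {CONTROL}

    # 3. Delete Object: only the owner may; the whole column disappears
    def delete_object(self, s, o):
        self._require(s, o, OWNER)
        self.objects.discard(o)
        self.cells = {k: v for k, v in self.cells.items() if k[1] != o}

    # 4. Delete Subject: only a controller may; both its row and column go
    def delete_subject(self, s, victim):
        self._require(s, victim, CONTROL)
        self.subjects.discard(victim)
        self.objects.discard(victim)
        self.cells = {k: v for k, v in self.cells.items() if victim not in k}

    # 5. Read Access Right: inspect what x may do to o
    def read_access_right(self, s, x, o):
        self._owns_or_controls(s, x, o)
        return set(self.rights(x, o))

    # 6. Grant Access Right: the owner of o hands a right to x
    def grant_access_right(self, s, right, x, o):
        self._require(s, o, OWNER)
        self.cells.setdefault((x, o), set()).add(right)

    # 7. Delete Access Right: revoke a right that x holds on o
    def delete_access_right(self, s, right, x, o):
        self._owns_or_controls(s, x, o)
        self.cells.get((x, o), set()).discard(right)

    # 8. Transfer Access Right: s passes on a right it holds with the copy flag
    def transfer_access_right(self, s, right, x, o):
        base = right.rstrip(COPY)
        self._require(s, o, base + COPY)
        self.cells.setdefault((x, o), set()).add(right)


def demo():
    """Walk the primitives through a small constructed scenario; return the matrix."""
    m = AccessMatrix(subjects={"alice"})
    m.create_object("alice", "payroll.db")
    m.create_subject("alice", "bob")
    m.create_subject("alice", "carol")
    m.grant_access_right("alice", "read" + COPY, "bob", "payroll.db")  # bob may read and pass it on
    m.transfer_access_right("bob", "read", "carol", "payroll.db")      # carol may only read
    try:
        m.transfer_access_right("carol", "read", "bob", "payroll.db")  # carol holds no copy flag
        raise AssertionError("transfer without the copy flag must be refused")
    except AccessDenied:
        pass
    return m
```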
FIREWALLS

A firewall is a system, or group of systems, that enforces an access control policy between networks.

Common Properties
1. Firewalls are resistant to network attacks.
2. Firewalls are the only transit point between internal corporate networks and external networks because all traffic flows through firewalls.
3. Firewalls enforce the access control policy.

Benefits
1. Prevent the exposure of sensitive hosts, resources, and applications to untrusted users.
2. Sanitize protocol flow, which prevents the exploitation of protocol flaws.
3. Block malicious data from servers and clients.
4. Reduce security management complexity by off-loading most of the network access control to a few firewalls in the network.

Limitations
1. A misconfigured firewall can be a single point of failure.
2. Data from many applications cannot be passed over firewalls securely.
3. Users may try to install an unsafe application that bypasses the firewall, which can lead to exposure.
4. Network performance can slow down.
5. Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.

7 OSI Layers (figure; only its title survives in the text)

TYPES OF FIREWALLS
1. Packet Filtering Firewalls – Usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information.
2. Stateful Firewalls – Provide stateful packet filtering by using connection information maintained in a state table. Classified at the network layer, they also analyze traffic at OSI Layers 4 and 5.
3. Application Gateway Firewall – Filters information at Layers 3, 4, 5, and 7 of the OSI reference model.
4. Next-Generation Firewalls – Integrate intrusion prevention, application awareness and control to see and block risky apps, upgrade paths to include future information feeds, and techniques to address evolving security threats.
5. Host-based Firewall – A PC or server with firewall software running on it.
6. Transparent Firewall – Filters IP traffic between a pair of bridged interfaces.
7. Hybrid Firewall – A combination of the various firewall types.

PACKET FILTERING BENEFITS AND LIMITATIONS

Advantages
1. Packet filters implement simple permit or deny rule sets.
2. Packet filters have a low impact on network performance.
3. Packet filters are easy to implement and are supported by most routers.
4. Packet filters provide an initial degree of security at the network layer.
5. Packet filters perform almost all the tasks of a high-end firewall at a much lower cost.

Disadvantages
1. Packet filters are susceptible to IP spoofing.
2. Packet filters do not reliably filter fragmented packets.
3. Packet filters use complex ACLs, which can be difficult to implement and maintain.
4. Packet filters cannot dynamically filter certain services.

STATEFUL FIREWALL BENEFITS AND LIMITATIONS

Advantages
1. Stateful firewalls are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.
2. Stateful firewalls strengthen packet filtering by providing more stringent control over security.
3. Stateful firewalls improve performance over packet filters or proxy servers.
4. Stateful firewalls defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source.
5. Stateful firewalls provide more log information than a packet filtering firewall.

Disadvantages
1. Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of the HTTP connection.
2. Not all protocols are stateful.
3. It is difficult to track connections that use dynamic port negotiation.
4. Stateful firewalls do not support user authentication.

COMMON SECURITY ARCHITECTURES
1. Firewall design is primarily about device interfaces permitting or denying traffic based on the source, the destination, and the type of traffic.
2. Public Network -> Untrusted; Private Network -> Trusted.
3. Typically, a firewall with two interfaces is configured as follows:
   a. Traffic originating from the private network is permitted and inspected as it travels toward the public network.
   b. Traffic originating from the public network and traveling to the private network is generally blocked.
4. A Demilitarized Zone (DMZ) is a firewall design where there is typically one interface connected to the private
network, one outside interface connected to the public network, and one DMZ interface.
   a. Traffic originating from the private network is permitted and inspected as it travels toward the public network.
   b. Traffic originating from the DMZ network and traveling to the private network is usually blocked.
   c. Traffic originating from the DMZ network and traveling to the public network is selectively permitted based on service requirements.
   d. Traffic originating from the public network and traveling toward the DMZ is selectively permitted and inspected.
   e. Traffic originating from the public network and traveling to the private network is blocked.
5. Zone-based Policy Firewalls use the concept of zones to provide additional flexibility.
   a. A zone is a group of one or more interfaces that have similar functions or features.

LAYERED DEFENSE
1. Network Core Security – Protects against malicious software and traffic anomalies, enforces network policies, and ensures survivability.
2. Perimeter Security – Secures boundaries between zones.
3. Communications Security – Provides information assurance.
4. Endpoint Security – Provides identity and device security policy compliance.

A network administrator must consider many factors when building a complete defense in depth:
1. Firewalls typically do not stop intrusions that come from hosts within a network or zone.
2. Firewalls do not protect against rogue access point installations.
3. Firewalls do not replace backup and disaster recovery mechanisms for losses resulting from attack or hardware failure.
4. Firewalls are no substitute for informed administrators and users.

BEST PRACTICES FOR FIREWALLS
1. Position firewalls at security boundaries.
2. Deny all traffic by default.
3. Permit only services that are needed.
4. Ensure that physical access to the firewall is controlled.
5. Regularly monitor firewall logs.
6. Practice change management for firewall configuration changes.
7. Remember that firewalls primarily protect from technical attacks originating from the outside.
8. All traffic from the trusted network is allowed out.
9. The firewall device is never directly accessible from the public network for configuration or management purposes.
10. Simple Mail Transfer Protocol data is allowed to enter through the firewall but is routed to a well-configured SMTP gateway to filter and route messaging traffic securely.
11. All Internet Control Message Protocol data should be denied.
12. Telnet (Terminal Emulation) access should be blocked to all internal servers from the public networks.
13. All data that is not verifiably authentic should be denied.

RADIUS, DIAMETER AND TACACS

RADIUS and TACACS are systems that authenticate the credentials of users who are trying to access an organization's network via a dial-up connection.

Remote Authentication Dial-In User Service (RADIUS): A computer connection system that centralizes the management of user authentication by placing the responsibility for authenticating each user on a central authentication server.

Diameter Protocol: Defines the minimum requirements for a system that provides authentication, authorization, and accounting services.

Terminal Access Controller Access Control System (TACACS): A remote access authorization system that is based on a client/server configuration.

3 Versions of TACACS
- TACACS
- Extended TACACS
- TACACS+ – Uses dynamic passwords and incorporates two-factor authentication.

Kerberos: An authentication system that uses symmetric key encryption to validate an individual user's access to various network resources by keeping a database containing the private keys of clients and servers that are in the authentication domain it supervises.
1. Authentication Server – Authenticates clients and servers.
2. Key Distribution Center – Generates and issues session keys.
3. Kerberos Ticket Granting Service – Provides tickets to clients who request services. A ticket is an identification card for a particular client that verifies to the server that the client is requesting services.

KERBEROS PRINCIPLES:
1. Knows the secret keys of all clients and servers on the network.
2. Initially exchanges information with the client and server by using these secret keys.
3. Authenticates a client to a requested service on a server through the TGS and by issuing temporary session keys for communications.

Secure European System for Applications in a Multivendor Environment (SESAME): An advanced network authentication protocol designed to enhance the security features of Kerberos while addressing some of its limitations, especially for large-scale, distributed environments.

SESAME separates its functions between two servers: the Authentication Server and the Privilege Attribute Server.
- AS – Verifies the user's identity.
- PAS – Handles the authorization by issuing PACs (Privilege Attribute Certificates).

VIRTUAL PRIVATE NETWORK
- A private, secure network operated over a public and insecure network; it uses encryption to protect the data between endpoints.

TYPES OF VPNs
1. Trusted VPN – Also known as a legacy VPN, a VPN implementation that uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.
2. Secure VPN – A VPN implementation that uses security protocols to encrypt traffic transmitted across unsecured public networks.
3. Hybrid VPN – A combination of trusted and secure VPN implementations.

A VPN that proposes to offer a secure and reliable capability while relying on public networks must accomplish the following:
1. Encapsulation
2. Encryption
3. Authentication

IPSec, the dominant protocol used in VPNs, uses either transport or tunnel mode. It can be used as a stand-alone protocol or coupled with the Layer Two Tunneling Protocol (L2TP).

Transport Mode – The data within an IP packet is encrypted, but the header information is not.

Tunnel Mode – Establishes two perimeter tunnel servers to encrypt all traffic that will traverse an unsecured network.
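The DMZ design and the stateful-versus-packet-filter contrast from the firewall sections above, as an added example (not code from the reviewer notes): a zone-based policy that denies by default and permits only the five DMZ flows listed, with a stateful connection table deciding return traffic. The address ranges and the permitted service ports are constructed for the example.

```python
"""Zone-based firewall policy with a stateful connection table (added example).

Encodes the DMZ design from COMMON SECURITY ARCHITECTURES: private -> public
permitted, DMZ -> public and public -> DMZ selectively permitted, DMZ -> private
and public -> private blocked, everything else denied by default. Zones,
addresses and service ports are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone assignments; any address not listed is in the untrusted public zone
ZONES = {
    "private": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "public"


# (source zone, destination zone) -> permitted destination ports, or "any".
# A zone pair that is absent is denied: this is "deny all traffic by default".
POLICY = {
    ("private", "public"): "any",        # all traffic from the trusted network is allowed out
    ("dmz", "public"): {25, 53},         # constructed: DMZ hosts may relay mail and resolve DNS
    ("public", "dmz"): {25, 80, 443},    # constructed: published mail and web services
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first segment of a new TCP connection


def policy_allows(pkt):
    rule = POLICY.get((zone_of(pkt.src), zone_of(pkt.dst)))
    if rule is None:
        return False
    return rule == "any" or pkt.dport in rule


def stateless_filter(pkt):
    """A packet filter judges every packet on its own Layer 3/4 fields."""
    return "permit" if policy_allows(pkt) else "deny"


class StatefulFirewall:
    def __init__(self):
        self.table = set()  # established connections as (src, sport, dst, dport)

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            return "permit (established)"  # reply to a connection we saw open
        if not pkt.syn:
            # A non-SYN segment with no state cannot belong to a known connection;
            # this is how the state table blunts spoofed mid-stream packets.
            return "deny (no state)"
        if policy_allows(pkt):
            self.table.add(key)
            return "permit (new)"
        return "deny (policy)"


def run_scenario():
    """Return (stateless, stateful) decisions for a constructed packet sequence."""
    fw = StatefulFirewall()
    packets = [
        Packet("10.1.1.20", 51000, "198.51.100.10", 443, syn=True),    # private client opens HTTPS
        Packet("198.51.100.10", 443, "10.1.1.20", 51000),              # the server's reply
        Packet("198.51.100.99", 443, "10.1.1.20", 51001),              # spoofed reply, never requested
        Packet("203.0.113.5", 40000, "192.168.100.8", 443, syn=True),  # public user to DMZ web server
        Packet("192.168.100.8", 40001, "10.1.1.20", 445, syn=True),    # DMZ host reaching into private
        Packet("203.0.113.5", 40002, "10.1.1.20", 22, syn=True),       # public host reaching into private
    ]
    return [(stateless_filter(p), fw.filter(p)) for p in packets]
```

The second packet is the point of the comparison: the stateless filter has no rule for public -> private and drops the legitimate reply, while the stateful firewall matches it to the connection the private client opened.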
INTRUSION DETECTION AND PREVENTION SYSTEMS

Intrusion – An adverse event in which an attacker attempts to enter an information system or disrupt its normal operations, almost always with the intent to do harm.

Intrusion Detection – Consists of procedures and systems that identify system intrusions.

Intrusion Reaction – Encompasses the actions an organization takes when an intrusion is detected.

Intrusion Correction – Activities that complete the restoration of operations to a normal state and seek to identify the source and method of the intrusion.

Intrusion Detection System – A system capable of automatically detecting an intrusion into an organization's networks or host systems.

Intrusion Detection and Prevention Systems – The general term for a system that can both detect intrusions and modify its configuration and environment to prevent them.

IDPSs use several techniques, which can be divided into the following groups:
- Terminating the user session or network connection over which the attack is being conducted.
- Blocking access to the target system or systems from the source of the attack, such as a compromised user account, inbound IP address, or other attack characteristic.
- Blocking all access to the targeted information asset.

An IDPS can dynamically modify its environment by changing the configuration of other security controls to disrupt an attack.

Some IDPSs are capable of changing an attack's components by replacing malicious content with benign material or by quarantining a network packet's contents.

IDPS TERMINOLOGIES
1. Alarm or alert: An indication or notification that a system has been attacked or is under attack.
2. Alarm clustering and compaction: A process of grouping almost identical alarms.
3. Alarm filtering: The process of classifying IDPS alerts.
4. Confidence value: The measure of an IDPS's ability to correctly detect and identify certain types of attacks.
5. Evasion: The process by which attackers change the format or timing of their attack.
6. False Attack Stimulus: An event that triggers an alarm when no actual attack is in progress.
7. False Negative: The failure of a technical control to react to an actual attack event.
8. False Positive: An alert or alarm that occurs in the absence of an actual attack.
9. Noise: In incident response, alarm events that are accurate and noteworthy but do not pose significant threats to information security.
10. Site Policy: The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
11. Site Policy Awareness: An IDPS's ability to dynamically modify its configuration in response to environmental activity.
12. True Attack Stimulus: An event that triggers an alarm and causes an IDPS to react as if a real attack is in progress.
13. Tuning: The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives.

WHY USE AN IDPS
- To log data for later analysis.
- To serve as a deterrent by increasing the fear of detection among would-be attackers.
- To provide a level of quality control for security policy implementation.

TYPES OF IDPSS
1. Network-based IDPS – An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.
   a. Sensor or Agent: A hardware and software component deployed on a remote computer or network segment and designed to monitor network or system traffic for suspicious activities and report back to the host application.
      i. Monitoring Port: A specially configured connection on a network device that can view all the traffic that moves through the device; also known as a switched port analysis (SPAN) port or mirror port.
   - To determine whether an attack has occurred or is under way, NIDPSs compare measured activity to known signatures in their knowledge base.
   - The comparisons are made through a special implementation of the TCP/IP stack that reassembles the packets and applies protocol stack verification, application protocol verification, and other verification and comparison techniques.
2. Protocol Stack Verification: The process of examining and verifying network traffic for invalid data packets – that is, packets that are malformed under the rules of the TCP/IP protocol.
3. Application Protocol Verification: The process of examining and verifying the higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.
4. It may be necessary to have more than one NIDPS installed, with one of them performing protocol stack verification and one performing application protocol verification.

ADVANTAGES OF NIDPS
- Good network design and placement of NIDPS devices can enable an organization to monitor a large network using only a few devices.
- NIDPSs are usually passive devices and can be deployed into existing networks with little or no disruption to normal network operations.
- NIDPSs are not usually susceptible to direct attack and may not be detectable by attackers.

DISADVANTAGES OF NIDPS
- An NIDPS can become overwhelmed by network volume.
- NIDPSs require access to all traffic to be monitored.
- NIDPSs cannot analyze encrypted packets.
- NIDPSs cannot reliably ascertain whether an attack was successful.
- Some forms of attack are not easily discerned by NIDPSs.

TYPES OF IDPSS (continued)
- Wireless IDPS – A wireless IDPS monitors and analyzes wireless network traffic, looking for potential problems with the wireless protocols (Layers 2 and 3 of the OSI model).
- The implementation of wireless IDPSs includes the following issues:
  - Physical Security
  - Sensor Range
  - Access Point and Wireless Switch Locations
  - Wired Network Connections
  - Cost
- Network Behavior Analysis System: Identifies problems related to the flow of network traffic.
- Intrusion detection and prevention typically includes the following relevant flow data:
  - Source and destination IP addresses
  - Source and destination TCP or UDP ports, or ICMP types and codes
  - Number of packets and bytes transmitted in the session
  - Starting and ending timestamps for the session
  - Most NBA sensors can be deployed in passive mode only, using the same connection methods.
    - Detects DoS attacks
    - Detects scanning
    - Detects worms
    - Detects unexpected application services
    - Detects policy violations
  - Inline sensors are typically intended for network perimeter use, so they would be deployed in close proximity to the perimeter firewalls.
- Host-based: An IDPS that resides on a particular computer or server,
known as the host, and monitors activity only on that system.

ADVANTAGES OF HIDPSs
- It can detect local events on host systems and attacks that may elude a network-based IDPS.
- Encrypted traffic will be decrypted and is available for processing.
- It can detect inconsistencies using the records in the audit logs.

DISADVANTAGES OF HIDPSs
- Pose more management issues.
- Vulnerable both to direct attacks and to attacks against the host operating system.
- Susceptible to some DoS attacks.
- Use large amounts of disk space.
- Inflict a performance overhead.

IDPS DETECTION METHODS

Signature-based Detection: The examination of system or network data in search of patterns that match known attack signatures. Signature-based technology is widely used because many attacks have clear and distinct signatures.

Anomaly-based Detection: Compares current data and traffic patterns to an established baseline of normalcy. It sends an alert when the clipping level is exceeded.
- Clipping Level: A predefined assessment level that triggers a predetermined response when surpassed.

Stateful Protocol Analysis: Comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns to detect misuse and attacks.

Log File Monitor – An attack detection method that reviews log files generated by computer systems, looking for patterns and signatures.

Security Information and Event Management – Specifically tasked to collect and correlate events and other log data from a number of servers or devices for the purpose of filtering, correlating, analyzing, storing, reporting, and acting.
- Supports threat detection and informs many aspects of threat intelligence.
  - Threat Intelligence – A process used to develop knowledge to understand the actions and intentions of threat actors.

Larger organizations are faced with several needs that SIEM platforms can address:
1. Aggregation
2. Correlation
3. Integration
4. Detection
5. Enablement
6. Tracking
7. Possible Detection

An analytics-driven SIEM system should provide the following essential capabilities:
1. Real-time Monitoring
2. Incident Response
3. User Monitoring
4. Threat Intelligence
5. Analytics and Threat Detection

IDPS RESPONSE BEHAVIOR
- The system administrator must ensure that a response to an attack or potential attack does not
inadvertently exacerbate the situation.
- IDPS responses can be classified as active or passive.
  - Active – Definitive action that is automatically initiated.
  - Passive – Simply report the information they have collected.

These can be configured as the responses of an IDPS:
1. Audible/Visual Alarm
2. SNMP Traps and Plugins
3. E-mail Message
4. Phone or SMS Message

The following list describes some of the responses:
1. Log Entry
2. Evidentiary Packet Dump
3. Acting against the intruder
4. Launching a program
5. Reconfiguring a firewall
6. Terminating the session
7. Terminating the connection

STRENGTHS OF IDPSS
- Monitoring and analysis
- Testing
- Baselining
- Recognizing patterns of system
- Recognizing patterns of activity
- Managing operating system audit and logging mechanisms
- Alerting
- Measuring
- Providing default security information
- Allowing people to perform important security monitoring functions

LIMITATIONS OF IDPSS
1. Compensating
2. Instantaneously detecting, reporting, and responding to an attack
3. Detecting newly published attacks or variants of existing attacks
4. Effectively responding to attacks launched by sophisticated attackers
5. Automatically investigating attacks without human intervention
6. Resisting all attacks
7. Compensating for problems
8. Dealing effectively with switched networks

DEPLOYMENT AND IMPLEMENTATION OF AN IDPS

NIST SP 800-94, Rev. 1, provides the following recommendations for implementation:
- Organizations should ensure that all IDPS components are secured appropriately, as IDPSs are a prime target for attackers.
- Organizations should consider using multiple types of IDPS technologies to achieve more comprehensive and accurate detection and prevention of malicious activity.
- Organizations that plan to use multiple types of IDPS technologies or multiple products of the same IDPS technology type should consider whether the IDPSs should be integrated.
- Before evaluating IDPS products, organizations should define the requirements that the products should meet.
- When evaluating IDPS products, organizations should consider using a combination of data sources
to evaluate the products' characteristics and capabilities.

IDPS CONTROL STRATEGIES
- Control Strategy: Determines how an organization supervises and maintains the configurations of an IDPS.
- 3 common control strategies are Centralized, Partially Distributed, and Fully Distributed.

Centralized – All control functions are managed in a central location.

Fully Distributed – All control functions are applied at the physical location of each IDPS component.

IDPS DEPLOYMENT

Once an organization selects an IDPS and prepares for implementation, planners must select a deployment strategy that is based on a careful analysis of the organization's information security requirements and that integrates with the existing IT infrastructure while causing minimal impact.

DEPLOYING HOST-BASED IDPSS
- Deployment begins on the most critical systems first.
- Practice an implementation on a test server.
- Installation continues until all systems are installed.
- Provide ease of management, control, and reporting.

MEASURING THE EFFECTIVENESS OF IDPSS
1. Threshold – A value that sets the limit between normal and abnormal behavior.
2. Blacklists – Addresses that the system has associated with malicious activity.
3. Whitelists – Systems that are known to be benign.
4. Alert Settings
5. Code Viewing and Editing
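The detection methods from IDPS DETECTION METHODS and the tuning knobs listed above (threshold, blacklist, whitelist), applied to a handful of web server log lines as a log file monitor would, as an added example (not code from the reviewer notes). Signatures, log lines, addresses, the baseline and the clipping level are all constructed for the example.

```python
"""Signature-based and anomaly-based detection over constructed access logs.

Added example. Signature matching uses regexes for known attack patterns;
anomaly detection compares each source's per-minute request count with a
baseline and alerts when it exceeds the clipping level; a blacklist flags a
known-bad source and a whitelist suppresses alarms from a trusted scanner.
"""
import re
from collections import Counter

# Known attack signatures (constructed, deliberately small)
SIGNATURES = [
    ("sql-injection", re.compile(r"union\s+select", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]

# Anomaly baseline: a normal source makes about this many requests per minute.
BASELINE_PER_MINUTE = 20
# Clipping level: alert once a source exceeds this multiple of the baseline.
CLIPPING_LEVEL = 2.0

BLACKLIST = {"203.0.113.9"}  # constructed: source already tied to malicious activity
WHITELIST = {"10.0.0.5"}     # constructed: the organization's own vulnerability scanner

# Common log format: client - - [time] "METHOD path HTTP/x" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return a list of (kind, source, detail) alerts for the given log lines."""
    alerts = []
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, request = rec["ip"], rec["request"]
        if ip in WHITELIST:
            continue  # alarm filtering: the trusted internal scanner never alerts
        if ip in BLACKLIST:
            alerts.append(("blacklist", ip, request))
        for name, pattern in SIGNATURES:
            if pattern.search(request):
                alerts.append(("signature:" + name, ip, request))
        minute = rec["ts"][:17]  # "10/Oct/2000:13:55:01 +0000" -> "10/Oct/2000:13:55"
        per_minute[(ip, minute)] += 1
    for (ip, minute), count in sorted(per_minute.items()):
        if count > BASELINE_PER_MINUTE * CLIPPING_LEVEL:
            alerts.append(("anomaly:request-rate", ip, f"{count} requests in minute {minute}"))
    return alerts


def sample_log():
    """Constructed log: normal traffic, two signature hits, a blacklisted host,
    a whitelisted scanner doing something that looks hostile, and one source
    that sends 50 requests within a single minute."""
    lines = [
        '192.0.2.10 - - [10/Oct/2000:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 512',
        '192.0.2.11 - - [10/Oct/2000:13:55:03 +0000] "GET /search?q=1 UNION SELECT password FROM users HTTP/1.1" 200 77',
        '192.0.2.12 - - [10/Oct/2000:13:55:04 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0',
        '203.0.113.9 - - [10/Oct/2000:13:55:05 +0000] "GET /login HTTP/1.1" 200 310',
        '10.0.0.5 - - [10/Oct/2000:13:55:06 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
    ]
    lines += [
        f'198.51.100.7 - - [10/Oct/2000:13:56:{i % 60:02d} +0000] "GET /page{i} HTTP/1.1" 200 100'
        for i in range(50)
    ]
    return lines
```

The whitelisted scanner's traversal-looking request produces no alarm, which is the false-positive trade-off behind alarm filtering: a whitelist entry silences that source entirely, so it should be kept short and reviewed.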
HONEYPOT – An application that entices people who are illegally perusing the internal areas of a network by providing simulated contents. Also known as decoys, lures, and flytraps.

HONEYPOT FARM or HONEYNET – Multiple honeypot systems.

HONEYTOKEN – Any system resource that is placed in a functional system but has no normal use in the system; it serves as a decoy and an alarm. Similar to a honeypot.

PADDED CELL SYSTEM
- A protected honeypot that cannot be accessed easily.
- Transfers attackers to a special simulated environment where they can cause no harm.

ADVANTAGES OF HONEYPOTS AND PADDED CELL SYSTEMS
- Attackers can be diverted to targets that they cannot damage.
- Administrators have time to decide how to respond to an attacker.
- Attackers' actions can be easily and more extensively monitored, and the records can be used to refine threat models and improve system protections.
- Honeypots may be effective at catching insiders who are snooping around a network.

DISADVANTAGES OF HONEYPOTS AND PADDED CELL SYSTEMS
- The legal implications of using such devices are not well understood.
- Honeypots and padded cells have not yet been shown to be generally useful security technologies.
- An expert attacker, once diverted into a decoy system, may become angry and launch a more aggressive attack against an organization's systems.
- Administrators and security managers need a high level of expertise to use these systems.

TRAP-AND-TRACE APPLICATION – An application that combines honeypots or honeynets with the capability to track the attacker through the network.

PEN REGISTER – An application that records information about outbound communications. Used frequently in law enforcement and antiterrorism operations.

BACK HACK – The process of illegally attempting to determine the source of an intrusion by tracing it.

LEGAL CONCERNS
- Trap-and-trace systems and pen registers are covered under Title 18, U.S. Code Module 206, §3121, which essentially states that you can't use them unless you're a service provider attempting to prevent misuse and (1) they are used for systems maintenance and testing, (2) they are used to track connections, or (3) you have permission from the user of the service.
- When using trap and trace, administrators should be careful not to cross the line between enticement and entrapment.
- Enticement: The act of attracting attention to a system by placing tantalizing information in key locations.
- Entrapment: The act of luring a person into committing a crime in order to get a conviction.
ACTIVE INTRUSION PREVENTION – LaBrea: A program that creates a tarpit or, as some have called it, a "sticky honeypot".

SCANNING AND ANALYSIS TOOLS – Used as part of an attack protocol.

ATTACK PROTOCOL – A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.

FOOTPRINTING – The organized research and investigation of Internet addresses owned or controlled by a target organization.
- "A chain is only as strong as its weakest link" is relevant to network and computer security.

FINGERPRINTING – The systematic survey of a targeted organization's Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range.

PORT SCANNERS – A type of tool used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information.

WHY SECURE OPEN PORTS?
- An attacker can use an open port to send commands to a computer, potentially gain access to a server, and possibly exert control over a networking device.
- As a rule of thumb, any port that is not absolutely necessary for conducting business should be secured or removed from service.
- The number and nature of the open ports on a system are an important part of its attack surface.
  - Attack Surface: The functions and features that a system exposes to unauthenticated users.

FIREWALL ANALYSIS TOOLS – Specialized software solutions designed to help organizations assess, monitor, optimize, and troubleshoot their firewall configurations and rules.

NMAP – Running the Nmap idle scan allows attackers to scan an internal network as if they were on a trusted machine inside the DMZ.

FIREWALK – Written by noted network security experts Mike Schiffman and David Goldsmith, Firewalk uses incrementing Time-To-Live (TTL) packets to determine the path into a network as well as the default firewall policy.

OPERATING SYSTEM DETECTION TOOLS – The ability to detect a target computer's operating system is very valuable to an attacker.

XPROBE – Uses ICMP to determine the remote OS.

VULNERABILITY SCANNERS

ACTIVE VULNERABILITY SCANNERS: An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers.

NESSUS – A professional freeware utility that uses IP packets to identify hosts available on the network.

FUZZERS – Automated tools used to identify vulnerabilities in software, applications, or systems by sending a large volume of unexpected, malformed, or random inputs (fuzz) to a target system.

A list of the top commercial and residential vulnerability scanners includes the following products:
• Nessus
• OpenVAS
• Core Impact
• Nexpose
• GFI LanGuard
• QualysGuard
• Microsoft Baseline Security Analyzer (MBSA)
• Retina
• Secunia PSI
• Nipper
• Security Administrator's Integrated Network Tool (SAINT)

Members of an organization often require proof that a system is vulnerable to a certain attack.

METASPLOIT FRAMEWORK – A collection of exploits coupled with an interface that allows penetration testers to automate the custom exploitation of vulnerable systems.

PASSIVE VULNERABILITY SCANNERS – A scanner that listens in on a network and identifies vulnerable versions of both server and client software.

2 PRIMARY VENDORS OFFERING THIS TYPE OF SCANNER:
1. Tenable Nessus Network Monitor (formerly Passive Vulnerability Scanner (PVS))
2. Watcher Web Security Scanner from Casaba

PACKET SNIFFERS – A software program or hardware appliance that can intercept, copy, and interpret network traffic.
- Consent is usually obtained by having all system users sign a release when they are issued a user ID and password; the release states that "use of the systems is subject to monitoring."

WIRELESS SECURITY TOOLS
- As a security professional, you must assess the risk of wireless networks.
- A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network.

TOP WIRELESS TOOLS USED:
- Aircrack
- Kismet
- NetStumbler
- inSSIDer
- KisMac