1. CISSP CBK #2 Access Control

2. Access Control This Chapter presents the following material
Identification Methods and technologies
Authentication Methods
DAC, MAC and role based (non-DAC) models
Accountability, monitoring, and auditing
Unauthorized Disclosure of Information
Intrusion Detection Systems
Threats to access control practices and technologies

3. Access Controls
Access controls are security features that control how people can interact with systems, and resources.
Goal is to protect from un-authorized access.

4. Access Access is the data flow between an subject.
Subject is a person, process or program
Object is a resource (file, printer etc)

5. Access Control (157) Access control should support the CIA triad!
Let’s quickly go over the CIA triad again

6. Components of Access Control (158)
Quick overview: details on each coming up
Identification – who am I? (userid etc)
Authentication – prove that I am who I say I
Authorization – now what am I allowed to access
Auditing – Big Brother can see what I accessed.

7. CISSP BUZZWORD
Logical (technical) access controls are used for these 4 items.*
Things like smart cards and biometrics, and passwords, and audit system, and SELinux these are all examples of logical

8. Identification (159 & 162) Identifies a user uniquely (hopefully)
SSN, UID, SID, Username
Should Uniquely identify a user for accountability (don’t share)
Standard naming scheme should be used
Identifier should not indicate extra information about user (like position)
DO NOT SHARE (NO group accounts)

9. Authentication (160)
Proving who you say you are, usually one of these 3
Something you know (password)
Something you have (smart card)
Something you are (biometrics)
What is wrong with just using one of these methods?

10. Strong Authentication (161)
Strong Authentication is the combination of 2 or more of these (also called multi-factor authentication) and is encouraged!
Strong Authentication provides a higher level of assurance*

11. Authorization What does this mean?
What are some type of authorization mechanism? (ACLs, permissions)
We will go more indepth on this later
Authorization is a preventative “control”* (we will talk about controls later)

12. Auditing What is the purpose of auditing?
Auditing is a “detective” control* (we will talk about this later)

13. Recap Identification – what is it?
Authentication – how is this different from identification
Authorization – what does this mean?
Auditing – what’s the point?

14. Identity Management (162)
Identity management products are used to id, authenticate and authorize users in an automated means. It’s a broad term.
These products may (or may not) include
User account management
Access controls
Password management
Single Sign on
Permissions

15. ID Management and the CISSP (164)
Know for the exam that ID management solutions include
Directories
Web Access Management
Password Management
Single Sign On
Account Management
Profile update

16. Profiles updates What is a profile (not a windows profile)
A profiles is the collection of data about a
Home address
Phone
Start date
Certifications
etc

17. Profile updates (117)
IdM systems may have centralized tools to manage profiles, may have “self service” portals where users can update their own info.
Profiles are similar to ‘digital Identity’

18. Directories (165) Information about the users and resources
LDAP (based on X.500)
Key concept is namespaces (like branches of a tree) and DN (distinguished names) Can anyone explain namespaces and DNs?
DN=CN and multiple DCs can include OUs
Active Directory (an implementation of LDAP)
Legacy NT (flat directory structure)
Novell Netware (???)

19. Directories Role in ID management
Specialized database optimized for reading and searching operations
Important because all resource info, users attributes, authorization info, roles, policies etc can be stored in this single place.
Directories allow for centralized management! However these can be broken up and delegated. (trees in a forest)

20. Meta and Virtual Directories (167)
Meta-directories allow for a centralized directory if users information is in multiple different directories (meta-directories synchronizes it’s data against the other databases)
Like meta-dirs, but instead of storing data, just provide links or pointers to the data in the alternate directory
Advantages and Disadvantages?

21. Web Access management (168)
Uses a webserver(s) to deliver resources
Users authentications against the web server using whatever Auth scheme implemented
If authenticated requests and object
Web server verifies authorization
If so web server returns objects
Mainly used for external users/access
Very Web 2.0, you probably see a lot of this now a days.

22. Password Management (171)
Allows for users to change their passwords,
May allow users to retrieve/reset password automatically using special information (challenge questions) or processes
Helpdesk assisted resets/retrievals (same as above, but helpdesk people might ask questions instead of automated)
May handle password synchronization

23. Single Sign On Log in one time, and access resources many places
Not the same as password synchronization
SSO software handles the authorization to multiple systems
What is a security problems with this?
What are advantages?

24. Account Management Software
Idea is to centrally manage user accounts rather than to manually create/update them on multiple systems
Often include workflow processes that allow distributed authorization. I.e.. A manager can put in a user request or authorize a request, tickets might be generated for a Key card system for their locations, Permissions might be created for their specific needs etc.
Automates processes
Can includes records keeping/auditing functions
Can ensure all accesses/accounts are cleaned up with users leave.

25. Federation (I hate this word) (178)
A Federation is multiple computing and/or network providers agreeing upon standards of operation in a collective fashion. (self governing entities that agree on common grounds to easy access between them)
A federated Identity is an identity and entitlements that can be used across business boundaries. (MS passport, Google checkout)

26. Identity Management Overview
Idea is to manage, identify and authorize users in an automated fashion
Know for the exam that ID management solutions include
Directories
Web Access Management
Password Management
Single Sign On
Account Management
Profile update

27. Who needs ID management (178)
Really everyone! (at least anyone that you will probably deal with)
See table on Page 178

28. Break?

29. Biometrics (179) Bio – life, metrics - measure
Biometrics verifies (authenticates) an individuals identity by analyzing unique personal attribute (something they ARE)
Require enrollment before being used* (what is enrollment? Any ideas)
EXPENSIVE
COMPLEX

30. Biometrics (179) Can be based on Can give incorrect results
behavior (signature dynamics) – might change over time
Physical attribute (fingerprints, iris, retina scans)
We will talk about the different types of biometrics later
Can give incorrect results
False negative – Type 1 error* (annoying)
False positive – Type 2 error* (very bad)

31. CER (179)
Crossover Error Rate (CER)* is an important metric that is stated as a percentage that represents the point at which the false rejection rate equals the false positive rate.
Lower number CER is better/more accurate*. (3 is better than an 4)
Also called Equal Error Rate
Use CER to compare vendors products objectively

32. Biometrics (180)
Systems can be calibrated, for example of you adjust the sensitivity to decrease fall positives, you probably will INCREASE false negatives, this is where the CER come in.
Draw diagram on board
Some areas (like military) are more concerned with one error than the other (ex. Would rather deny a valid user than accept an invalid user)
Can you think of any situations for each case?

33. Biometric problems? Expensive Unwieldy Intrusive
Can be slow (should not take more than 5-10 seconds)*
Complex (enrollment)

34. Biometric Types Overview* (182)
We will talk in more depth of each in the next couple slides
Fingerprint
Palm Scan
Hand Geometry
Retina Scan
Iris Scan
Keyboard Dynamics
Voice Print
Facial Scan
Hand Topography

35. Fingerprint (182)
Measures ridge endings an bifurcations (changes in the qualitative or topological structure) and other details called “minutiae”
Full fingerprint is stored, the scanners just compute specific features and values and sends those for verification against the real fingerprint.

36. Palm Scan
Creases, ridges, grooves
Can include fingerprints

37. Hand Geometry Overall shape of hand Length and width of fingers
This is significantly different between individuals

38. Retina Scan Reads blood vessel patterns on the back of the eye.
Patterns are extremely unique

39. Iris Scan Measures colors Measures rifts Measures rings
Measures furrow (wrinkle, rut or groove)
Most accurate of all biometric systems
IRIS remains constant through adulthood
Place scanner so sun does NOT shine through aperture*

40. Signature Dynamics Most people sign in the same manner (really???)
Monitor the motions and the pressure while moving (as opposed to a static signature)
Type I (what is type I again?) error high
Type II (what is type II again?) error low

41. Keyboard dynamics
Measure the speeds and motions as you type, including timed difference between characters typed. For a given phrase
This is more effective than a password believe it or not, as it is hard to repeats someone's typing style, where as it’s easy to get someone's password.

42. Voice Print Enrollment, you say several different phrases.
For authentication words are jumbled.
Measures speech patterns, inflection and intonation (i.e.. pitch and tone)

43. Facial Scan Geometric measurements of Bone structure Nose ridges
Eye width
Chin shape
Forehead size

44. Hand Topography
Peaks and valleys of hand along with overall shape and curvature
This is opposed to size and width of the fingers (hand geometry)
Camera on the side at an angle snaps a pictures
Not unique enough to stand on it’s own, but can be used with hand geometry to add assurance

45. Biometrics wrap up We covered a bunch of different biometrics
Understand some are behavioral* based
Voice print
Keyboard dynamics
Can change over time
Some are physically based
Fingerprint
Iris scan

46. Biometrics wrap Up
Fingerprints are probably the most commonly used and cheapest
Iris scanning provides the most “assurance”
Some methods are intrusive
Understand Type I and Type II errors
Be able to define CER, is a lower CER value better or worse?

47. Passwords (184)
What is a password? (someone tell me because I forgot…)
Works on what you KNOW
Simplest form of authentication*
Cheapest form of authentication*
Oldest form of authentication
Most commonly used form of authentication*
WEAKEST form of authentication*

48. Problems with Passwords (184)
People write down passwords (bad)
People use weak passwords (bad)
People re-use passwords (bad)
If you make passwords to hard to remember people often write them down
If you make them too easy… they are easily cracked

49. How to make a good password
Don’t use common words
Don’t use names or birthdates
Use at least 8 characters
Combine numbers, symbols and case
Use a phrase and take attributes of a phrase, transpose characters

50. Attacks on Password (185) Sniffing (Electronic Monitoring)
Brute force attacks
Dictionary Attack
Social Engineering (what is social Engineering?)
Rainbow tables – a table that contains passwords in hash format for easy/quick comparison

51. Passwords and the OS (184) The OS should enforce password requirements
Aging –when a password expires
Reuse of old passwords
Minimum number of characters
Limit login attempts – disable logins after a certain number of failed attempts

52. System password protection
System should NOT store passwords in plaintext. Use a hash (what is a hash?)
Can encrypt hashes
Passwords salts – random values added to the encryption/hash process to make it harder to brute force (one password may hash/encrypt to multiple different results)

53. Cognitive passwords (187)
Not really passwords, but facts that only a user would know. Can be used to verify who you are talking to without giving out password, or for password reset challenges.
Not really secure, I’m not a big fan.

54. One Time Password Password is good only once then no longer valid
Used in high security environments
VERY secure
Not vulnerable to electronic eavesdropping, but vulnerable to loss of token, (though must have pin)
Require a token device to generate passwords. (RSA SecureID key is an example)

55. One Time Password Token Type
One of 2 types
Synchronous – uses time to synchronize between token and authentication server
Clocks must be synchronized!
Can also use counter-sync which a button is pushed that increments values on the token and the server

56. OTP Token Types (189) Asynchronous Challenge response
Auth sends a challenge (a random value called a nonce)*
User enters nonce into token, along with PIN
Token encrypts nonce and returns value
Users inputs value into workstation
If server can decrypt then you are good.

57. Other Types of Authentication (190)
Digital Signature (talk about in more depth in chapter 8).
Take a hash value of a message, encrypt hash with your private key
Anyone with your public key can decrypt and verify message is from you.

58. Passphrase (190)
Simply a phrase, application will probably make a “virtual password” from the passphrase (etc a hash)
Generally more secure than a password
Longer
Yet easier to remember

59. Memory Cards (191) NOT a smart card
Holds information, does NOT process
A memory card holds authentication info, usually you’ll want to pair this with a PIN… WHY? You tell me.
A credit card or ATM card is a type of memory card, so is a key/swipe card
Usually insecure, easily copied.*

60. Smart Card (193) Much more secure than memory cards
Can actually process information
Includes a microprocessor and ICs
Can provide two factor authentication, as you the card can store authentication protected by a pin. (so you need the card, and you need to know something)
Two type
Contact
contactless

61. Smart Card Attacks (193) There are attacks against smart cards
Fault generation – manipulate environmental controls and measure errors in order to reverse engineer logic etc.

62. Smart Card Attacks
Side Channel Attacks – Measure the cards while they work
Differential power analysis – measure power emissions
Electromagnetic analysis – example frequencies emitted

63. Smart Card Attacks
Micro probing* - using needles to vibrations to remove the outer protection on the cards circuits. Then tap into ROMS if possible or “die” ROMS to read data (use chemicals to stain ROMS and determine values) (this is actually done… someone just reversed engineered the game boy BIOS using this method)

64. OK enough authentication already

65. Authorization Now that I am who I say I am, what can I do?
Both OSes and Applications can provide this functionality.
Authorization can be provided based on user, groups, roles, rules, physical location, time of day (temporal isolation)* or transaction type (example a teller may be able to withdrawal small amounts, but require manager for large withdrawals)

66. Authorization principals (pg 197)
Default NO access (implicit deny)*
Need to Know

67. Authorization Creep* (197)
What is authorization creep*? (permissions accumulate over time even if you don’t need them anymore)
Auditing authorization can help mitigate this. SOX requires yearly auditing.

68. Single Sign on (200)
Why is this section here? It’s poorly located, but anyway let’s follow the flow of the book)

69. SSO
Idea
One identification/authentication instance for all networks/systems/resources
Eases management
Makes things more secure (not written down passwords hopefully)
Can focus budgets and time on securing one method rather than many!
Makes things integrated

70. SSO downsides Centralized point of failure* Can cause bottlenecks*
All vendors have to play nicely (good luck)
Often very difficult to accomplish* (golden ring of network authentication)
One ring to bind them all! (wait...no…) If you can access once, you can access ALL!

71. SSO technologies
Kerberos (yeay!)
SESAME

72. Kerberos (201) From MIT’s Athena project
Designed to eliminate transmitting passwords over the network.
Scalable, reliable, secure, flexible
Uses Symmetric Key cryptology*

73. Kerberos Components* (201)
Key Distribution Center. (you CAN/SHOULD have backups KDCs, though the exam states that this is a central point of failure for Kerberos*)
Principals (users, applications, and services) each principal gets an account!*
Tickets, generated by TGS on KDC
Important ticket is the Ticket Granting Ticket*
Realm is the domain of all principals that a Kerberos server provides tickets for.

74. Kerberos Process (202) Go over process on page 202*
Understand the different between a session key and a secret key* (pg 203)
Note* Kerberos systems MUST be time synchronized

75. Kerberos Problems*
Single point of failure* (though this can be made redundant)
KDC must be scalable
Secret keys are stored on the workstation, if you can get these keys, you can break things
Same with session keys
Vulnerable to password guessing
Traffic is not encrypted if not enabled

76. SESAME
European technology, developed to extend Kerberos and improve on it’s weaknesses
Sesame uses both symmetric and asymmetric cryptography.
Uses “Privileged Attribute Certificates” rather than tickets, PACS are digitally signed and contain the subjects identity, access capabilities for the object, access time period and lifetime of the PAC.
PACS come from the Privileged Attribute Server.

77. SESAME procedure (205)
See page 206, note that SESAME uses public/private keys for initial authentication. (send an authenticator message, and a timestamp or random number, sign this message)

78. Access Control Models (211)
A framework that dictates how subjects access objects.
Uses access control technologies and security mechanisms to enforce the rules
Business goals and culture of the organization will prescribe which model it uses
Every OS has a security kernel/reference monitor (talk about in another chapter) that enforces the access control model.

79. Access Control Models DAC MAC Roles based
Each will be discussed in upcoming slides

80. DAC Discretionary Access Control*
Owner or creator of resource specifies which subjects have which access to a resource. Based on the Discretion of the data owner*
Common example is an ACL (what is an ACL?)
Commonly implemented in commercial products (Windows, Linux, MacOS)

81. MAC Mandatory Access Control* Data owners cannot grant access!*
OS makes the decision based on a security label system*
Users and Data are given a clearance level (confidential, secret, top secret etc)*
Rules for access are configured by the security officer and enforced by the OS.

82. MAC (212)
MAC is used where classification and confidentiality is of utmost importance… military.
Generally you have to buy a specific MAC system, DAC systems don’t do MAC
SELinux
Trusted Solaris

83. MAC sensitivity labels
Again all objects in a MAC system have a security label*
Security labels can be defined the organization.
They also have categories to support “need to a certain level.
Categories can be defined by the organization
If I have “top secret” clearance can I see all projects in the “secret” level???

84. Role Based Access Control (214)
Also called non-discretionary.
Uses a set of controls to determine how subjects and objects interact.
Allows you to be assigned a role, and your roles dictates your access to a resources, rather than your direct user.
This scales better than DAC methods
You don’t have to continually change ACLs or permissions per user, nor do you have to remember what perms to set on a new user, just make them a certain role
You can simulate this with “groups” in Windows and Linux, especially with LDAP/AD.

85. Role based Access control
When to use
If you need centralized access
If you DON’T need MAC ;)
If you have high turnover*

86. Software and Hardware Guards
Allow the exchange of data between trusted and less trusted systems. We will talk about this in another chapter, let’s not worry about it now.

87. Access Control technologies that support access control models (217)
We will talk more in depth of each in the next few slides.
Rule-based Access Control
Constrained User Interfaces
Access Control Matrix
Access Control Lists
Content-Dependant Access Control
Context-Dependant Access Control

88. Rule Based Access Control (217)
Uses specific rules that indicate what can and cannot transpire between subject and object.
“if x then y” logic
Before a subject can access and object it must meet a set of predefined rules.
ex. If a user has proper clearance, and it’s between 9AM -5PM then allow access
However it does NOT have to deal specifically with identity/authorization
Ex. May only accept attachments 5M or less

89. Rules Based Access Control
Is considered a “compulsory control” because the rules are strictly enforced and not modifiable by users.
Routers and firewalls use Rule Based access control heavily

90. Constrained User Interfaces (218)
Restrict user access by not allowing them see certain data or have certain functionality
Views – only allow access to certain data (canned interfaces)
Restricted shell – like a real shell but only with certain commands. (like Cisco's non-enable mode)
Menu – similar but more “gui”
Physically constrained interface – show only certain keys on a keypad/touch screen. – like an ATM. (a modern type of menu) Difference is you are physically constrained from accessing them.

91. Access Control Matrix* (220)
Table of subjects and objects indicating what actions individuals subjects can take on individual objects*
See page 220 (top)

92. Capability Table*
Bound to subjects, lists what permissions a subject has to each object
This is a row in the access matrix
(see 220 bottom)
NOT an ACL.. In fact the opposite

93. ACL* Lists what (and how) subjects may access a certain object.
It’s a column of an access matrix
See page 220

94. Content Dependant Access Controls (221)
Access is determined by the type of data.
Example, filters that look for specific things like “confidential”, “SSN”, images.
Web Proxy servers may be content based.

95. Context Dependant Access Control (221)
System reviews a Situation then makes a decision on access.
A firewall is a great example of this, if session is established, then allow
Another example, allow access to certain body imagery if previous web sessions are referencing medical data.

96. Review of Access Control Technology / Techniques
Constrained User Interfaces*
view, shell, menu, physical
Access Control Matrix*
Capability Tables*
ACL*
Content Dependant Access Control
Context Dependant Access Control
You should really know ALL of these and be able to differential between similar types!

97. Centralized Access Control Administration (223)
What is it?
A centralized place for configuring and managing access control
All the ones we will talk about (next) are “AAA” protocols*
Authentication
Authorization
Auditing

98. Centralized Access Control Technologies
We will talk about each of these in the upcoming slides
Radius
TACACS, TACACS+
Diameter

99. Radius* (223)
Initially developed by Livingston to authenticate modem users
Access Server sends credentials to Radius server. Which sends back authorization and connection parameters (IP address etc) (see diagram on 224)
Can use multiple authentication type (PAP, CHAP, EAP)
Uses UDP port 1812 , and auditing 1813*
Sends Attribute Value Pair (Ex. IP= )
Access server notifies Radius server on disconnect (for auditing)

100. What is radius used for Network access Dial up VLAN provisioning
IP address assignment

101. Radius benefits
It’s been around, a lot of vendor support

102. Radius issues
Radius can share symmetric key between NAS and Radius server, but does not encrypt attribute value pairs, only user info. This could provide info to people doing reconnaissance
PAP password go clear text from dial up user to NAS

103. TACACS(+) (225) TACACS uses fixed passwords
TACACS uses TCP or UDP port 49
TACACS is old (1990) TACACS+ replaces it
TACACS+ can support one time passwords
Provides the same functionality of Radius
TACACS+ uses TCP port 49

104. TACACS+ benefits TCP? Is this a benefit? Discuss… Encrypts ALL traffic
TACACS+ separates each AAA function.
For example can use AD for authentication (radius can actually do this too.. But you have to write plug-ins)
Has more AVP pairs than Radius, more flexible

105. Diameter (229) Builds upon Radius
Similar functionality to Radius and TACACS+
NOT Backwards compatible with Radius (book is wrong) but is similar and an upgrade path
Uses TCP, or STCP (stream TCP)

106. Diameter benefits
With Diameter the DS can connect to the NAS (i.e.. Could say kick user off now). Radius servers only respond to client requests.
Has a lot more AVP pairs (2^32 rather than 2^8)

107. Centralized Access Controls overview
Idea centralize access control
Radius, TACACS, diameter
Is Active Directory a type of Centralized Access Control?
Decentralized is simply maintaining access control on all nodes separately.

108. Controls and Control Types*
STOP
Before we move on you need to understand the definitions/terms that we are about to cover for the exam. (controls and control types) They are used ambiguously on the exam, so you need to think about them. We will give an overview now, but we’ll keep seeing them again and again.

109. Controls and Control Types* Not directly in book
There are Controls and Control types, need to understand these `
Controls
Administrative
Physical
Technical
Now we’ll talk about control types

110. Control types (241 skip ahead)
Types (can occur in each “control” category)
Deterrent – intended to discourage attacks
Preventative – intended to prevent incidents
Detective – intended to detect incidents
Corrective – intended to correct incidents
Recovery – intended to bring controls back up to normal operation
Compensative – provides alternative controls to other controls

111. Administrative Controls (back to 231)
Personnel – HR practices
Supervisory – Management practices (supervisor, corrective actions)
Training – that’s pretty obvious
Testing – not technical, and managements* responsibility to ensure it happens

112. Physical Controls (223)
Physical Network Segregation (not logical) – ensure certain networks segments are physically restricted
Perimeter Security – CCTV, fences, security guards, badges
Computer Controls – physical locks on computer equipment, restrict USB access etc.

113. Physical Controls continued
Work Area Separation – keep accountants out of R&D areas
Cabling – shielding, Fiber
Control Zone – break up office into logical areas (lobby – public, R&D- Top Secret, Offices – secret)

114. Technical or Logical controls (235)
Using technology to protect
System Access – Kerberos, PKI, radius (specifically access to a system)
Network Architecture – IP subnets, VLANS , DMZ
Network Access – Routers, Switches and Firewalls that control access
Encryption – protect confidentiality, integrity
Auditing – logging and notification systems.

115. Ok we went out of order.. Skip to 247
This is out of WAY out of order, but for the exam you should know the table on 247 (Access control practices) let’s read it together.

116. Unauthorized Disclosure of Information
Sometimes things are disclosed un-intentionally. In the next couple slides we will talk about
Object reuse
Emanation security

117. Object reuse (248) Media may be re-used without cleaning off old data!
Fix this
Destroy or wipe (destroy) old data
Why destroy?
What is degaussing?*

118. Emanation Security (249)
All devices give off electrical / magnetic signals. This can be used against you (we’ve all seen Alias and 24?)
Hard/expensive to do often but not always.
A non-obvious example is reading info from a CRT bouncing off something (we’ve seen CSI right?)
Tempest* is a standard to develop countermeasures to protect against this.
Let’s talk about emanation countermeasures

119. Emanation Countermeasures
Faraday cage – a metal mesh cage around an object, it negates a lot of electrical/magnetic fields.
White Noise – a device that emits uniform spectrum of random electronics signals. You can buy sounds frequency white noise machines. (call centers, doctors)
Control Zones – protect sensitive devices in special areas with special walls etc.

120. Intrusion detection (250)
IDS allow you to detect intrusion and unauthorized access.
Different types (we will discuss), but usually consist of
Sensors
Storage
Analysis engine
Management Console
(see diagram on 260)

121. NIDS Network Based Monitor network traffic ONLY
Can be of multiple types (discuss later)
Watch out for switches (use mirroring), and subnets (use multiple sensors)

122. HIDS Host based – installed on computers Monitor logs
Monitor system activity
Monitor configuration files
Could monitor network traffic to and from the computer installed on only.
Multiple types – discussed later

123. IDS types (251)
Signature based – like a virus scanner, look for known attack signature
MUST be updated with new signatures
Will not stop unknown attacks (0-day)
Relatively high rate of assurance
Commonly used

124. Statistical Anomaly Based IDS / heuristic
Based on what is “normal” behavior (builds a profile)
Detects when thing are not normal
Very subjective -
Very high rate of false positives, may lead to info being ignored. –
Require high degree of knowledge and maintenance to run -
Can possibly detect zero days +

125. Protocol* based IDS What is a protocol? Anyone?
Understand the protocols it’s watching (like HTTP, SMTP)
Looks for deviations from the normal protocol traffic
Good to combined with other IDS types (signature based, or statistical based)
A lot of protocols are open to interpretation which can confuse protocol based IDS*

126. Rules Based 255 Uses expert system/knowledge based systems.
These use a database of knowledge and an “inference engine”) to try to mimic human knowledge. It’s like of a person was watching data in real time and had knowledge of how attacks work.

127. IDS review Signature Based Anomaly Based Rule Based
When studding review the table on page 257

128. IPS
Like an IDS, but actively take steps to neutralize attacks in real time. (doest require IDS functionality)
Might reset TCP connections, might updates firewall rules to block traffic.
Cool right?
May create problems in troubleshooting network behavior/issues.

129. Honey Pots/ Honey Nets (263)
Computer or network setup to “distract” attackers to this machine/net rather than the real machines.
Can be restricted and monitored so you can see who’s trying to do what, and stop them.
Be weary of enticement vs. entrapment. Can anyone explain the difference?

130. Threats to Access Control
We will talk about these later.. But let’s review these now
Dictionary attacks – what is this?
Sniffers – what is this?
Brute force attacks – how is this different then a dictionary attack.
Spoofing login/trusted path
Phishing
Identity theft

131. Wow that was a lot, lets review
Read quick tips on pg 269
Lets’ review the questions from the book.