Topic 3. Analysis and Monitoring
Which of the following is used to monitor network traffic or to monitor host audit logs in real
time to determine violations of system security policy that have taken place?
A. Intrusion Detection System
B. Compliance Validation System
C. Intrusion Management System (IMS)
D. Compliance Monitoring System
Intrusion Detection System
An Intrusion Detection System (IDS) is a system that is used to monitor
network traffic or to monitor host audit logs in order to determine if any violations of an
organization's system security policy have taken place.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48.
The fact that a network-based IDS reviews packet payloads and headers enables which of
the following?
A. Detection of denial of service
B. Detection of all viruses
C. Detection of data corruption
D. Detection of all password guessing attacks
Detection of denial of service
Because a network-based IDS reviews packets and headers, denial of
service attacks can also be detected.
This question is an easy one if you go through the process of elimination. When you
see an answer containing the keyword ALL, it is often a giveaway that it is not the
proper answer. On the real exam you may encounter a few questions where the use of the
word ALL renders the choice invalid. Pay close attention to such keywords.
The following are incorrect answers:
Even though most IDSs can detect some viruses and some password guessing attacks,
they cannot detect ALL viruses or ALL password guessing attacks. Therefore these two
answers are only distractors.
Unless the IDS knows the valid values for a certain dataset, it can NOT detect data
corruption.
Reference used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 48.
Which of the following statements pertaining to ethical hacking is incorrect?
A. An organization should use ethical hackers who do not sell auditing, hardware, software,
firewall, hosting, and/or networking services.
B. Testing should be done remotely to simulate external threats.
C. Ethical hacking should not involve writing to or modifying the target systems negatively.
D. Ethical hackers never use tools that have the potential of affecting servers or services.
Ethical hackers never use tools that have the potential of affecting servers or services.
This statement is incorrect because many of the tools used for ethical hacking have the potential
of exploiting vulnerabilities and causing disruption to IT systems. It is up to the individuals
performing the tests to be familiar with their use and to make sure that no such disruption
can happen, or at least that it is avoided as far as possible.
The first step before sending even one single packet to the target would be to have a
signed agreement with clear rules of engagement and a signed contract. The signed
contract explains to the client the associated risks, and the client must agree to them before
you even send one packet to the target range. This way the client understands that some of
the tests could lead to interruption of service or even crash a server. The client signs that he
is aware of such risks and willing to accept them.
The following are incorrect answers:
An organization should use ethical hackers who do not sell auditing, hardware, software,
firewall, hosting, and/or networking services. An ethical hacking firm's independence can
be questioned if they sell security solutions at the same time as doing testing for the same
client. There has to be independence between the judge (the tester) and the accused (the
client).
Testing should be done remotely to simulate external threats. Testing that simulates a cracker
coming from the Internet is often one of the first tests being done; this is to validate perimeter
security. By performing tests remotely, the ethical hacking firm emulates the hacker's
approach more realistically.
Ethical hacking should not involve writing to or modifying the target systems negatively.
Even though ethical hacking should not involve negligence in writing to or modifying the
target systems or reducing its response time, comprehensive penetration testing has to be
performed using the most complete tools available just like a real cracker would.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Appendix F: The Case for
Ethical Hacking (page 520).
What is the essential difference between a self-audit and an independent audit?
A. Tools used
B. Results
C. Objectivity
D. Competence
Objectivity
To maintain operational assurance, organizations use two basic methods:
system audits and monitoring. Monitoring refers to an ongoing activity whereas audits are
one-time or periodic events and can be either internal or external. The essential difference
between a self-audit and an independent audit is objectivity, thus indirectly affecting the
results of the audit. Internal and external auditors should have the same level of
competence and can use the same tools.
Source: SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and
Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and
Practices for Securing Information Technology Systems, September 1996 (page 25).
What IDS approach relies on a database of known attacks?
A. Signature-based intrusion detection
B. Statistical anomaly-based intrusion detection
C. Behavior-based intrusion detection
D. Network-based intrusion detection
Signature-based intrusion detection
A weakness of the signature-based (or knowledge-based) intrusion detection
approach is that only attack signatures that are stored in a database are detected.
Network-based intrusion detection can either be signature-based or statistical anomaly-based
(also called behavior-based).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control
systems (page 49).
Who is responsible for providing reports to the senior management on the effectiveness of
the security controls?
A. Information systems security professionals
B. Data owners
C. Data custodians
D. Information systems auditors
Information systems auditors
IT auditors "determine whether systems are in compliance with the security
policies, procedures, standards, baselines, designs, architectures, management direction
and other requirements" and "provide top company management with an independent view
of the controls that have been designed and their effectiveness."
"Information systems security professionals" is incorrect. Security professionals develop
the security policies and supporting baselines, etc.
"Data owners" is incorrect. Data owners have overall responsibility for information assets
and assign the appropriate classification for the asset as well as ensure that the asset is
protected with the proper controls.
"Data custodians" is incorrect. Data custodians care for an information asset on behalf of
the data owner.
References:
CBK, pp. 38-42.
AIO3, pp. 99-104.
Which of the following best describes signature-based detection?
A. Compare source code, looking for events or sets of events that could cause damage to
a system or network.
B. Compare system activity for the behaviour patterns of new attacks.
C. Compare system activity, looking for events or sets of events that match a predefined
pattern of events that describe a known attack.
D. Compare network nodes looking for objects or sets of objects that match a predefined
pattern of objects that may describe a known attack.
Compare system activity, looking for events or sets of events that match a predefined
pattern of events that describe a known attack.
Misuse detectors compare system activity, looking for events or sets of
events that match a predefined pattern of events that describe a known attack. As the
patterns corresponding to known attacks are called signatures, misuse detection is
sometimes called "signature-based detection."
The most common form of misuse detection used in commercial products specifies each
pattern of events corresponding to an attack as a separate signature. However, there are
more sophisticated approaches to doing misuse detection (called "state-based" analysis
techniques) that can leverage a single signature to detect groups of attacks.
Reference:
Old document: BACE, Rebecca & MELL, Peter, NIST Special Publication 800-31, Intrusion Detection
Systems, page 16.
The publication above has been superseded by NIST SP 800-94 (see page 2-4).
The updated URL is: http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
A host-based IDS is resident on which of the following?
A. On each of the critical hosts
B. Decentralized hosts
C. Central hosts
D. Bastion hosts
On each of the critical hosts
A host-based IDS is resident on a host and reviews the system and event
logs in order to detect an attack on the host and to determine if the attack was successful.
All critical servers should have a Host-Based Intrusion Detection System (HIDS) installed.
As you are well aware, a network-based IDS cannot make sense of, or detect patterns of attack
within, encrypted traffic. A HIDS might be able to detect such an attack after the traffic has
been decrypted on the host. This is why critical servers should have both NIDS and HIDS.
FROM WIKIPEDIA:
A HIDS will monitor all or part of the dynamic behavior and of the state of a computer
system. Much as a NIDS will dynamically inspect network packets, a HIDS might detect
which program accesses what resources and assure that (say) a word-processor hasn't
suddenly and inexplicably started modifying the system password-database. Similarly a
HIDS might look at the state of a system, its stored information, whether in RAM, in the
filesystem, or elsewhere; and check that the contents of these appear as expected.
One can think of a HIDS as an agent that monitors whether anything/anyone - internal or
external - has circumvented the security policy that the operating system tries to enforce.
http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
Which one of the following statements about the advantages and disadvantages of
network-based intrusion detection systems is true?
A. Network-based IDSs are not vulnerable to attacks.
B. Network-based IDSs are well suited for modern switch-based networks.
C. Most network-based IDSs can automatically indicate whether or not an attack was
successful.
D. The deployment of network-based IDSs has little impact upon an existing network.
The deployment of network-based IDSs has little impact upon an existing network.
Network-based IDSs are usually passive devices that listen on a network
wire without interfering with the normal operation of a network. Thus, it is usually easy to
retrofit a network to include network-based IDSs with minimal effort.
Network-based IDSs are not vulnerable to attacks is not true: even though network-based IDSs
can be made very secure against attack and even made invisible to many attackers,
they still have to read the packets, and sometimes a well-crafted packet might exploit or kill
your capture engine.
Network-based IDSs are well suited for modern switch-based networks is not true as most
switches do not provide universal monitoring ports and this limits the monitoring range of a
network-based IDS sensor to a single host. Even when switches provide such monitoring
ports, often the single port cannot mirror all traffic traversing the switch.
Most network-based IDSs can automatically indicate whether or not an attack was
successful is not true as most network-based IDSs cannot tell whether or not an attack was
successful; they can only discern that an attack was initiated. This means that after a
network-based IDS detects an attack, administrators must manually investigate each
attacked host to determine whether it was indeed penetrated.
Reference:
NIST Special Publication 800-31, Intrusion Detection Systems, pages 15-16.
Official Guide to the CISSP CBK, pages 196 to 197.
The viewing of recorded events after the fact using a closed-circuit TV camera is
considered a
A. Preventative control
B. Detective control
C. Compensating control
D. Corrective control
Detective control
Detective security controls are like a burglar alarm. They detect and report
an unauthorized or undesired event (or an attempted undesired event). Detective security
controls are invoked after the undesirable event has occurred. Example detective security
controls are log monitoring and review, system audit, file integrity checkers, and motion
detection. Visual surveillance or recording devices such as closed circuit television are used in
conjunction with guards in order to enhance their surveillance ability and to record events
for future analysis or prosecution.
When events are monitored, it is considered preventative whereas recording of events is
considered detective in nature.
Below you have explanations of other types of security controls from a nice guide produced
by James Purcell (see reference below):
Preventive security controls are put into place to prevent intentional or unintentional
disclosure, alteration, or destruction (D.A.D.) of sensitive information. Some example
preventive controls follow:
Policy – Unauthorized network connections are prohibited.
Firewall – Blocks unauthorized network connections.
Locked wiring closet – Prevents unauthorized equipment from being physically plugged into
a network switch.
Notice in the preceding examples that preventive controls crossed administrative, technical,
and physical categories discussed previously. The same is true for any of the controls
discussed in this section.
Corrective security controls are used to respond to and fix a security incident. Corrective
security controls also limit or reduce further damage from an attack. Examples follow:
Procedure to clean a virus from an infected system
A guard checking and locking a door left unlocked by a careless employee
Updating firewall rules to block an attacking IP address
Note that in many cases the corrective security control is triggered by a detective security
control.
Recovery security controls are those controls that put a system back into production after
an incident. Most Disaster Recovery activities fall into this category. For example, after a
disk failure, data is restored from a backup tape.
Directive security controls are the equivalent of administrative controls. Directive controls
direct that some action be taken to protect sensitive organizational information. The
directive can be in the form of a policy, procedure, or guideline.
Deterrent security controls are controls that discourage security violations. For instance,
“Unauthorized Access Prohibited” signage may deter a trespasser from entering an area.
The presence of security cameras might deter an employee from stealing equipment. A
policy that states access to servers is monitored could deter unauthorized access.
Compensating security controls are controls that provide an alternative to normal controls
that cannot be used for some reason. For instance, a certain server cannot have antivirus
software installed because it interferes with a critical application. A compensating control
would be to increase monitoring of that server or isolate that server on its own network
segment.
Note that there is a third popular taxonomy developed by NIST and described in NIST
Special Publication 800-53, “Recommended Security Controls for Federal Information
Systems.” NIST categorizes security controls into 3 classes and then further categorizes
the controls within the classes into 17 families. Within each security control family are
dozens of specific controls. The NIST taxonomy is not covered on the CISSP exam but is
one the CISSP should be aware of if you are employed within the US federal workforce.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical
security (page 340).
and
CISSP Study Guide By Eric Conrad, Seth Misenar, Joshua Feldman, page 50-52
and
Security Control Types and Operational Security, James E. Purcell,
http://www.giac.org/cissp-papers/207.pdf
An organization needs to implement an intrusion detection system that can detect unknown
attacks and can watch for unusual traffic behavior, such as a new service appearing on the
network. What type of intrusion detection system would you select?
A. Protocol anomaly based
B. Pattern matching
C. Stateful matching
D. Traffic anomaly-based
Traffic anomaly-based
Traffic anomaly-based is the correct choice. An anomaly based IDS can
detect unknown attacks. A traffic anomaly based IDS identifies any unacceptable deviation
from expected behavior based on network traffic.
Protocol anomaly based is not the best choice as while a protocol anomaly based IDS can
identify unknown attacks, this type of system is more suited to identifying deviations from
established protocol standards such as HTTP. This type of IDS faces problems in
analyzing complex or custom protocols.
Pattern matching is not the best choice as a pattern matching IDS cannot identify unknown
attacks. This type of system can only compare packets against signatures of known
attacks.
Stateful matching is not the best choice as a stateful matching IDS cannot identify unknown
attacks. This type of system works by scanning traffic streams for patterns or signatures of
attacks.
Reference:
Official Guide to the CISSP CBK, pages 198 to 201.
Knowledge-based Intrusion Detection Systems (IDS) are more common than:
A. Network-based IDS
B. Host-based IDS
C. Behavior-based IDS
D. Application-Based IDS
Behavior-based IDS
Knowledge-based IDS are more common than behavior-based ID systems.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 63.
Application-Based IDS - "a subset of HIDS that analyze what's going on in an application
using the transaction log files of the application." Source: Official ISC2 CISSP CBK Review
Seminar Student Manual Version 7.0 p. 87
Host-Based IDS - "an implementation of IDS capabilities at the host level. Its most
significant difference from NIDS is intrusion detection analysis, and related processes are
limited to the boundaries of the host." Source: Official ISC2 Guide to the CISSP CBK - p.
197
Network-Based IDS - "a network device, or dedicated system attached to the network, that
monitors traffic traversing the network segment for which it is integrated." Source: Official
ISC2 Guide to the CISSP CBK - p. 196
CISSP For Dummies, a book that we recommend for a quick overview of the 10 domains, has
nice and concise coverage of the subject:
Intrusion detection is defined as real-time monitoring and analysis of network activity and
data for potential vulnerabilities and attacks in progress. One major limitation of current
intrusion detection system (IDS) technologies is the requirement to filter false alarms lest
the operator (system or security administrator) be overwhelmed with data. IDSes are
classified in many different ways, including active and passive, network-based and host-based,
and knowledge-based and behavior-based:
Active and passive IDS
An active IDS (now more commonly known as an intrusion prevention system — IPS) is a
system that's configured to automatically block suspected attacks in progress without any
intervention required by an operator. IPS has the advantage of providing real-time
corrective action in response to an attack but has many disadvantages as well. An IPS
must be placed in-line along a network boundary; thus, the IPS itself is susceptible to
attack. Also, if false alarms and legitimate traffic haven't been properly identified and
filtered, authorized users and applications may be improperly denied access. Finally, the
IPS itself may be used to effect a Denial of Service (DoS) attack by intentionally flooding
the system with alarms that cause it to block connections until no connections or bandwidth
are available.
A passive IDS is a system that's configured only to monitor and analyze network traffic
activity and alert an operator to potential vulnerabilities and attacks. It isn't capable of
performing any protective or corrective functions on its own. The major advantages of
passive IDSes are that these systems can be easily and rapidly deployed and are not normally susceptible to attack themselves.
Network-based and host-based IDS
A network-based IDS usually consists of a network appliance (or sensor) with a Network
Interface Card (NIC) operating in promiscuous mode and a separate management
interface. The IDS is placed along a network segment or boundary and monitors all traffic
on that segment.
A host-based IDS requires small programs (or agents) to be installed on individual systems
to be monitored. The agents monitor the operating system and write data to log files and/or
trigger alarms. A host-based IDS can only monitor the individual host systems on which the
agents are installed; it doesn't monitor the entire network.
Knowledge-based and behavior-based IDS
A knowledge-based (or signature-based) IDS references a database of previous attack
profiles and known system vulnerabilities to identify active intrusion attempts. Knowledge-based
IDS is currently more common than behavior-based IDS.
Advantages of knowledge-based systems include the following:
It has lower false alarm rates than behavior-based IDS.
Alarms are more standardized and more easily understood than behavior-based IDS.
Disadvantages of knowledge-based systems include these:
Signature database must be continually updated and maintained.
New, unique, or original attacks may not be detected or may be improperly classified.
A behavior-based (or statistical anomaly–based) IDS references a baseline or learned
pattern of normal system activity to identify active intrusion attempts. Deviations from this
baseline or pattern cause an alarm to be triggered.
Advantages of behavior-based systems include that they
Dynamically adapt to new, unique, or original attacks.
Are less dependent on identifying specific operating system vulnerabilities.
Disadvantages of behavior-based systems include
Higher false alarm rates than knowledge-based IDSes.
Usage patterns that may change often and may not be static enough to implement an
effective behavior-based IDS.
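The contrast drawn above between knowledge-based and behavior-based detection, and the earlier question about a traffic anomaly-based IDS noticing a new service on the network, can be seen in a toy detector. The Python below is an added example, not code from the page or from any of the cited books; the flow records, the single signature rule, and the learned service baseline are all constructed for illustration.

```python
"""Toy comparison of knowledge-based (signature) and behavior-based
(traffic anomaly) intrusion detection. All flow records and the
signature rule are constructed for this example; they are not real
IDS rules or captured traffic."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport payload")

# Constructed "training" traffic: what the network normally looks like.
BASELINE_LOG = """\
10.0.0.5 10.0.0.20 443 GET /index.html
10.0.0.6 10.0.0.20 443 GET /login
10.0.0.5 10.0.0.21 22 SSH-2.0-client
10.0.0.7 10.0.0.22 53 A? intranet.example
"""

# Constructed "live" traffic analysed after the baseline has been learned.
# Line 2 matches a known pattern; line 3 is a never-seen service on a
# never-seen host; line 4 is a legitimate but previously unseen service.
LIVE_LOG = """\
10.0.0.6 10.0.0.20 443 GET /index.html
10.0.0.9 10.0.0.20 443 GET /../../etc/passwd
10.0.0.9 10.0.0.23 8081 hello
10.0.0.5 10.0.0.22 123 NTP request
"""

def parse_log(text):
    """Parse whitespace-separated flow lines: src dst dport payload..."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, payload = line.split(maxsplit=3)
        flows.append(Flow(src, dst, int(dport), payload))
    return flows

# Knowledge-based: each signature is a name plus a predicate over one flow.
SIGNATURES = [
    ("directory-traversal-in-url",
     lambda f: f.dport == 443 and "/../" in f.payload),
]

def signature_detect(flows, signatures=SIGNATURES):
    """Misuse detection: report every flow matching a stored pattern."""
    return [(name, f) for f in flows for name, match in signatures if match(f)]

def learn_baseline(flows):
    """Behavior-based: record the (server, port) services seen as normal."""
    return {(f.dst, f.dport) for f in flows}

def anomaly_detect(flows, baseline):
    """Flag any flow to a service that never appeared during learning."""
    return [f for f in flows if (f.dst, f.dport) not in baseline]

def run_demo():
    """Run both detectors over the live log and summarise what each saw."""
    baseline = learn_baseline(parse_log(BASELINE_LOG))
    live = parse_log(LIVE_LOG)
    return {
        "signature_hits": [name for name, _ in signature_detect(live)],
        "anomalous_ports": [f.dport for f in anomaly_detect(live, baseline)],
    }

if __name__ == "__main__":
    print(run_demo())
```

The signature rule catches only the pattern it was written for, while the anomaly detector is the only one to notice the unknown service on port 8081; the same detector also raises a false alarm on the benign NTP flow, which is the higher false-alarm rate the text warns about.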