IDS stands for Intrusion Detection System. There are primarily two types of IDS: network-based IDS (NIDS) and host-based IDS (HIDS). If the IDS monitors network-wide communication, it is called a network-based IDS; if the IDS monitors security on a per-host basis, it is called a host-based IDS. A host-based IDS is placed on a host computer such as a server. A network-based IDS is typically placed on a network device such as a router.
Log Files Explained:
- Application log: The application log contains events logged by applications or programs. For example, a database program might record a file error in the application log. The developer decides which events to record.
- System log: The system log contains events logged by the Windows 2000 system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log. The event types logged by system components are predetermined.
- Security log: The security log can record security events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files. An administrator can specify which events are recorded in the security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the security log.
- Antivirus log: An antivirus log analyzer can process the log files produced by various antivirus packages, generate statistics from them, and analyze and report events.
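As an added example (not part of the original notes), the following Python code shows how the valid and invalid logon attempts that logon auditing writes to the security log can be used for detection: it parses constructed sample records in an assumed CSV-like export format and flags an account/source pair with a burst of failed logons, ranking a burst followed by a successful logon first. The event IDs 4624 (successful logon) and 4625 (failed logon) are the ones current Windows versions write; Windows 2000 used different numbers for the same events.

```python
# Added example, not the original notes' code. Format and sample rows are constructed;
# 4624/4625 are the logon event IDs current Windows writes (Windows 2000 used others).
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624

# Constructed sample: timestamp,event_id,account,source_ip (one bad row on purpose)
SAMPLE_LOG = """\
2024-01-10T09:00:01,4625,alice,10.0.0.5
2024-01-10T09:00:03,4625,alice,10.0.0.5
2024-01-10T09:00:04,4625,alice,10.0.0.5
2024-01-10T09:00:06,4625,alice,10.0.0.5
2024-01-10T09:00:09,4624,alice,10.0.0.5
2024-01-10T09:30:00,4625,bob,10.0.0.9
2024-01-10T11:00:00,4624,bob,10.0.0.9
not,a,valid,record,at,all
"""

def parse_records(text):
    """One record per line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, event_id, account, src = parts
        records.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                        "account": account, "src": src})
    return records

def find_logon_bursts(records, threshold=4, window=timedelta(minutes=5)):
    """(account, src, failures_in_window, success_followed) per account/source
    with >= threshold failed logons inside `window`; a following success ranks first."""
    failures = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event_id"] == FAILED_LOGON:
            failures[(r["account"], r["src"])].append(r["ts"])
    findings = []
    for (account, src), times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                success = any(r["event_id"] == SUCCESS_LOGON and r["account"] == account
                              and t <= r["ts"] <= t + window for r in records)
                findings.append((account, src, end - start + 1, success))
                break                           # one finding per pair
    return findings
```

On the sample data this reports alice from 10.0.0.5 with four failures in five seconds followed by a success, while bob's single failure stays below the threshold.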
Computer log files can be tampered with by an attacker to erase evidence of intrusions. Computer logs can be protected using the following methods:
- Setting minimal permissions
- Using a separate logging server
- Encrypting log files
- Setting log files to append only
- Storing them on write-once media
Implementing all the above precautions ensures that the log files are safe from tampering.
3.7 Implement assessment tools and techniques to discover security threats and vulnerabilities
Honeypots: Honeypots are designed so that they appear to be real targets to attackers; that is, an attacker cannot distinguish between a real system and a decoy. This enables lawful action to be taken against the attacker while the real systems are kept secure at the same time.
Protocol Analyzer and Packet Analyzer (Sniffer): These are loaded on a computer and are controlled by the user in a GUI environment; they capture packets, enabling the user to analyze them and view their contents. Example: Network Monitor.
Honeynet: A honeynet is one or more computers, servers, or an area of a network; these are used when a single honeypot is not sufficient. Either way, the individual computer or group of servers will usually not house any important company information.
Port scanner: A port scanner is used to find open ports on multiple computers on the network.
Any software is inherently prone to vulnerabilities. Therefore, software manufacturers provide updates or patches to the software from time to time. These updates usually take care of any known vulnerabilities, so it is important to apply them. Additional functionality is also one of the reasons for applying software updates; however, it is often not the compelling reason to apply them.
3.8 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning
Vulnerability testing is part of testing corporate assets for any particular vulnerability. These tests may include:
1. Blind testing: Here the tester has no prior knowledge of the network. It is performed from outside the network.
2. Knowledgeable testing: Here the tester has prior knowledge of the network.
3. Internet service testing: A test for vulnerabilities in Internet services such as a web service.
4. Dial-up service testing: Here the tester tries to gain access through an organization's remote access servers.
5. Infrastructure testing: Here the infrastructure, including protocols and services, is tested for any vulnerabilities.
6. Application testing: The applications that are running on an organization's servers are tested here.
Vulnerability assessment is part of an organization's security architecture.