SSCP Systems Security Certified Practitioner All-in-One Exam Guide, Second Edition by Darril Gibson
Author: Darril Gibson
Language: eng
Format: epub
Publisher: McGraw-Hill Education LLC
Published: 2016-03-14T16:00:00+00:00
EXAM TIP An alert provides notification of a potential adverse event. Personnel analyze the event to determine if it is an incident. An alert can be a false positive, which isn’t an incident.
An IDS often triggers an alert when an event reaches a specific threshold. As an example, consider a port scan attack, where an attacker attempts to scan a system’s ports to identify open ports. If the scan detects that port 80 is open, the attacker knows that the system is probably a web server running Hypertext Transfer Protocol (HTTP) because port 80 is the well-known port for HTTP. A port scan will scan a list of ports and record which ports elicited a response (and were open) and which ports did not elicit a response.
If a remote system scans one port, that is probably not an attack. However, if an unknown external system scans all 1,024 well-known ports in a 60-minute period, it is very likely an attack.
Here’s a trick question. If one port scan in an hour is not an attack, and 1,024 port scans in an hour is an attack, what is the lowest number between 1 and 1,024 that most likely indicates an attack? In other words, what should you set the threshold to so that the IDS detects a port scan attack?
There just isn’t a good answer to that question. Port scanners allow attackers to randomize the ports they scan and set delays between queries. If the attacker sets the delay to five minutes, the scanner does 12 port scans in an hour. If you set the threshold to 15, your system would be under attack but the IDS would not detect it.
In contrast, if you configure the threshold to 2 so that the IDS sends an alert if it detects two port scans in an hour, it will probably create many false positives. Your IDS will be known as the IDS that cries wolf, and administrators will ignore it. Many administrators consider a threshold of two port scans in a minute to be too low because it will create so many false positives.
When choosing a number for this type of threshold, administrators recognize that the IDS will probably generate some false positives. They would rather see some false positives than configure the threshold so high that the IDS doesn’t detect attacks in progress.
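The following is an added example, not code from the book, that models the threshold trade-off just described: a detector counts the distinct ports each source probes within a trailing one-hour window and alerts when the count reaches the configured threshold. The source addresses and timestamps are constructed sample data (documentation IP ranges), not real traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_events():
    """Constructed sample firewall/sensor events: (timestamp, source, dst_port)."""
    base = datetime(2016, 3, 14, 9, 0, 0)
    events = []
    # Slow scan from the book: one probe every five minutes, 12 ports in an hour.
    for i in range(12):
        events.append((base + timedelta(minutes=5 * i), "203.0.113.7", 20 + i))
    # Ordinary browser: fetches HTTP, then HTTPS two seconds later (benign).
    events.append((base + timedelta(minutes=1), "198.51.100.4", 80))
    events.append((base + timedelta(minutes=1, seconds=2), "198.51.100.4", 443))
    return events


def detect_port_scans(events, threshold, window=timedelta(hours=1)):
    """Return [(source, timestamp)] for each source whose count of distinct
    ports probed inside the trailing window reaches `threshold`.

    One alert per source is raised (at the moment the threshold is first met)
    so the analyst sees a single event per suspected scanner.
    """
    history = defaultdict(deque)  # source -> deque of (timestamp, port)
    alerts, already_alerted = [], set()
    for ts, src, port in sorted(events):
        recent = history[src]
        recent.append((ts, port))
        # Drop probes that fell out of the trailing window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        distinct_ports = {p for _, p in recent}
        if len(distinct_ports) >= threshold and src not in already_alerted:
            alerts.append((src, ts))
            already_alerted.add(src)
    return alerts


if __name__ == "__main__":
    events = build_events()
    # Threshold 15: the slow scanner (12 ports/hour) is never reported.
    print("threshold 15:", detect_port_scans(events, 15))
    # Threshold 2: the scanner is caught, but so is the harmless browser.
    print("threshold 2: ", detect_port_scans(events, 2))
    # Threshold 12: catches this particular slow scan without the false positive.
    print("threshold 12:", detect_port_scans(events, 12))
```

Running it shows the book's point directly: the high threshold misses the slow scan, the low threshold also flags the browser that touched ports 80 and 443, and only a value tuned to the actual scan rate separates the two in this data set.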