SSCP Systems Security Certified Practitioner All-in-One Exam Guide, Second Edition by Darril Gibson

Author: Darril Gibson
Language: eng
Format: epub
Publisher: McGraw-Hill Education LLC
Published: 2016-03-14T16:00:00+00:00


EXAM TIP An alert provides notification of a potential adverse event. Personnel analyze the event to determine if it is an incident. An alert can be a false positive, which isn’t an incident.

An IDS often triggers an alert when an event reaches a specific threshold. As an example, consider a port scan attack, in which an attacker probes a system’s ports to identify which ones are open. If the scan finds that port 80 is open, the attacker knows that the system is probably a web server running Hypertext Transfer Protocol (HTTP), because port 80 is the well-known port for HTTP. A port scan works through a list of ports and records which ports elicited a response (and so are open) and which ports did not.

If a remote system scans one port, that is probably not an attack. However, if an unknown external system scans all 1,024 well-known ports in a 60-minute period, it is very likely an attack.

Here’s a trick question. If one port scan in an hour is not an attack, and 1,024 port scans in an hour is an attack, what is the lowest number between 1 and 1,024 that most likely indicates an attack? In other words, what should you set the threshold to so that the IDS detects a port scan attack?

There just isn’t a good answer to that question. Port scanners allow attackers to randomize the ports they scan and set delays between queries. If the attacker sets the delay to five minutes, the scanner does 12 port scans in an hour. If you set the threshold to 15, your system would be under attack but the IDS would not detect it.

In contrast, if you configure the threshold to 2 so that the IDS sends an alert when it detects two port scans in an hour, it will probably create many false positives. Your IDS will be known as the IDS that cries wolf, and administrators will ignore it. Many administrators consider a threshold of two port scans in a minute to be too low because it will create so many false positives.

When choosing a number for this type of threshold, administrators recognize that the IDS will probably generate some false positives. They would rather see some false positives than configure the threshold so high that the IDS doesn’t detect attacks in progress.
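As an added illustration of the threshold trade-off described above (this is example code, not from the book), here is a minimal sliding-window detector run over a constructed connection log: one source probing 12 ports five minutes apart, exactly the slow scan the text describes, plus one benign client touching two ports. The IP addresses, the log tuple format and the function names are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample records: (timestamp_seconds, source_ip, destination_port),
# standing in for the connection attempts a sensor would log. Not from the book.
SCANNER = "198.51.100.7"  # assumed address of the slow scanner
SLOW_SCAN = [(i * 300, SCANNER, port) for i, port in enumerate(range(20, 32))]  # 12 ports, 5 min apart
BENIGN = [(0, "192.0.2.10", 80), (30, "192.0.2.10", 443)]  # a user hitting HTTP then HTTPS
EVENTS = sorted(SLOW_SCAN + BENIGN)


def threshold_alerts(events, threshold, window_seconds=3600):
    """Return the set of sources that touched at least `threshold` distinct ports
    within any sliding window of `window_seconds`. This is the book's
    "N port scans in an hour" rule written out as code."""
    recent = defaultdict(deque)  # source -> (timestamp, port) pairs still inside the window
    alerted = set()
    for ts, src, port in sorted(events):
        queue = recent[src]
        queue.append((ts, port))
        while queue and ts - queue[0][0] > window_seconds:  # expire old records
            queue.popleft()
        if len({p for _, p in queue}) >= threshold:
            alerted.add(src)
    return alerted


def evaluate(thresholds, events=EVENTS, scanner=SCANNER):
    """For each candidate threshold, report (scanner detected?, number of benign
    sources flagged). Low thresholds cry wolf; high ones miss the slow scan."""
    result = {}
    for t in thresholds:
        hits = threshold_alerts(events, t)
        result[t] = (scanner in hits, len(hits - {scanner}))
    return result


if __name__ == "__main__":
    for t, (caught, false_positives) in evaluate([2, 12, 15]).items():
        print(f"threshold={t:>2}: scanner caught={caught}, false positives={false_positives}")
```

With these inputs a threshold of 15 misses the 12-probe scan entirely, a threshold of 2 also flags the benign client, and only a threshold tuned to this particular delay catches the scanner alone, which is the point the text makes: the attacker controls the delay, so no single number is safe.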
