4.9. Exam Essentials


Be able to identify and describe the two types of intrusion detection systems in use.

The two types of IDSs in use are host-based (HIDS) and network-based (NIDS). Host-based IDS works strictly on the system on which it's installed. Network-based IDS monitors the entire network.


Be able to identify and explain the terms and functions in an IDS environment.

These terms include activity, administrator, alert, analyzer, data source, event, manager, notification, operator, and sensor. For simplicity's sake, some of these roles are combined within a single IDS component, but all of them are functions that must be performed for the IDS to be effective.


Know the difference between an active response and a passive response.

An active response allows an IDS to manage resources in the network if an incident occurs. Passive responses involve notification and reporting of attacks or suspicious activities.


Be able to explain the purpose of a honeypot.

A honeypot is a system intended to gather information about attackers or deliberately designed to be broken into. Honeypot systems are used to gather evidence in an investigation and to study attack strategies.


Know the aspects needed to form an effective incident response.

The stages of an incident response are identification, investigation, repair, and documentation. Communication and escalation plans are also part of an effective incident response approach. The process and methods used to respond to incidents should be developed into an incident response plan that can be used as a guideline for all incident response activities.


Know the protocols and components of a wireless system.

The backbone of most wireless systems is WAP. WAP can use the WEP protocol to provide security in a wireless environment. WTLS is the security layer of WAP. WAP and TCP/IP perform similarly.


Know the capabilities and limitations of the 802.11x network standards.

The current standards for wireless protocols are 802.11, 802.11a, 802.11b, and 802.11g. The 802.11n standard is undergoing review and isn't yet a formal standard.


Know the vulnerabilities of wireless networks.

The primary method of gaining information about a wireless network is a site survey. Site surveys can be accomplished with a PC and an 802.11 card. Wireless networks are subject to the same attacks as wired networks.


Know the capabilities and security issues associated with instant messaging.

IM is a rapidly growing interactive communications capability on the Internet. IM is susceptible to sniffing, jamming, and viruses. Never assume that an IM session is confidential. Viruses can be sent using attachments in IM, just as with e-mail. Antivirus software can help filter for known viruses.


Know the limits of the 8.3 naming convention.

Early PC systems used a standard naming convention for files called the 8.3 format. This format allowed for only eight characters to be used for the filename and three characters for the file type or extension.
