Jim’s CISSP Notes
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

6: Security Assessment & Testing

Vulnerability Testing

Vulnerability management

  • flaws in software code can lead to security vulnerabilities

  • vulnerabilty patch process

    1. vendor learns about a vulnerability
    2. developers analyze and develop a patch
    3. vendor releases a patch to customers
    4. customers apply patch

Vulnerability management

  • most orgs have many different components and systems that need patches
  • vulnerability management detects, remediates and reports vulnerabilities

Why manage vulnerabilities?

  • to maintain a secure system
  • to comply w/ org policy
  • to comply w/ regulatory requirements
    • examples
      • PCI DSS requirements
        • quarterly internal and external vulnerability scans
        • new scans after any significant changes
        • use approved scanning vendors (ASV)
        • remediate and rescan until acheiving a clean report
        • FISMA
        • conduct vulnerabiltiy scans regularly
        • analyze scans
        • remediate legitimate vulnerabilities
        • share info w/ other agencies

Types of Scans

  • network

  • application web application

  • orgs should supplement vulnerability scans w/ configuration and log reviews

Identify scan targets

  • need to develop a list of specific systems and devices to scan

  • asset inventory

    • starting point for vulnerability scanning
    • may use org inventory management tools
    • vulnerabilty scanners can also generate system inventories
      • need an asset inventory even if you choose to scan all of your systems
  • Nessus is an example of a vulnerability scanner

  • some scanners can create network maps of discovered assets

Asset scanning priorities

  • impact

    • highest level of data stored, processed and transmitted by the system?
  • likelihood

    • what is the system’s network exposure?
    • what services are exposed?
  • criticality

    • what impact does the system have on business operations?

Scan configuration

  • many things to look at and consider
    • target
      • IP address, IP address range
      • ports
    • scans based on system type
      • confidential, sensitive, etc
    • frequency
      • daily, weekly, etc.
    • safe scanning
    • who to alert
    • reduce false alarms

Scan perspective

Network-based scanning

  • network location affects scan results
    • example
      • scanner in the DMZ will see systems in the DMZ
      • however, the firewall may drop scans going to the network
  • different perspectives are valuable to analysts
    • for example, a scanner in the Internet zone can provide an attacker’s view of an org
  • firewalls, IDS/IPS rules and network segmentation can affect scan results

Host-based scanning

  • installs scanning software on a target device
  • reports vulnerabilities on server
    • looks at configurations, services, installed applications, etc.
  • can provide great insight
  • is more complex
    • software needs to be installed on all servers
    • can be difficult to manage

Credentialed scanning

  • uses passwords to log into systems
  • can then scan w/ logged in account

Analyzing scan reports


  • need to present different info to different audiences
    • more detailed / tech-focused
      • engineers
      • developers
      • admins
    • broad overview
      • business leaders
      • management

Prioritization factors

  • vulnerabily severity
  • system criticality
  • info sensitivity
  • remediation difficulty
  • system exposure

Vulnerabiltiy validation

  • confirm accuracy
    • is it a false positive report?
  • review details of scanner report
  • does the system run the reported OS or application?
  • is the vulnerability a documented exception?

Vulnerability scan outcomes

vulnerability reported vulnerability not reported
exists true positive false negative
doesn’t false positive true ne
exam tip:
there may be questions on exam asking to identify vulnerabilties using these terms.

Correlating scan results

  • should correlate results w/other sources

  • industry standards, best practices, compliance requirements

    • may provide specific guidance
  • info from other sources in the org

    • configuration management systems
    • log repos
    • other data sources
  • trend analysis

    • recurring vulnerability?
      • investigate root cause

Penetration Testing

Pen testing

  • security professionals are placed in the role of an attacker

  • goal is to defeat security controls

  • rules of engagement

    • need to document scope of testing
      • what tools are valid to use
      • what systems can be targeted

Pen test types

  • full knowledge
    aka whitebox
    • attackers have full access to info before starting the test
    • simulates an insider attack
  • partial knowledge
    aka grey box
    • attackers have limited access to info before starting
  • zero knowledge
    aka black box
    • attackers have no access to info about the target
    • simulates an outsider attack


  • discovery phase

    • recon
      • gather information about the organization through various means
        • whois
        • company website
        • social engineering
    • OSINT
    • footprinting
      • map the network (nmap)
      • ICMP ping sweeps
      • DNS zone transfers
    • wardriving
    • warflying
  • attack phase

    • gain access
    • escalate privileges
    • system browsing - lateral movement
    • installing additional tools
    • additional discovery throughout the phase
  • cleanup phase

    • restore system to previous state
    • uninstall software

Pivoting and persistence

  • pivot
    • after exploiting a vulnerability in a system
    • use system as a base to attack other systems on the network
  • persistence
    • after exploiting a vulnerability
    • installation of tool on the system that allows future access to system/network
      • sometime can even be used after vulnerabilities are fixed

Breach and Attack Simulation (BAS)

  • system that automates pen testing
  • injects threat indicators on to systems and networks
    • suspicious logs, files, etc.
  • system doesn’t wage an attack, just leaves traces of one
    • tests security controls

Ethical disclosure

  • aometimes we discover new undocumented vulnerabilites during our work
    • this is powerful and dangerous
    • Uncle Ben: “with great power, comes great responsibility”

Zero day vulnerability

  • new vulnerability w/ no public knowledge

    • no patch because unknown
  • window of vulnerability

    • time between discovery and successful patch

Vulnerability disclosure options

  • keep knowledge secret and use for personal use or sale

  • share privately w/ vendor

    • w/o public pressure, vendor might not fix
      • bad press for admitting their is a bug
  • share publicly w/ security community

  • responsible disclosure

    • share privately w/ vendor
    • provide deadline
      • vendor can fix before deadline
      • afterwards, if vulnerability not fixed, it will be publically disclosed

Bug bounties

  • opens security testing to the public

    • encourages attackers to report vulnerabilities in a responsible manner
      • often rewards reported vulnerabilities
    • allows orgs to harness attackers for good
  • vendors can be used

    • can be fully-mananged by the vendor or self-managed by the org
  • increases strength of security defenses

Cybersecurity exercises

  • exercises that are team-based competitions
  • similar to pen testing
    • identifies vulnerabilities
  • also provides individuals w/ experience
    • attacking and defending


  • red team
    • attacks systems
  • blue team
    • defends systems
  • white team
    • observers
    • judge competitors
    • ensure that rules of engagement are being followed
  • purple team
    • combine knowledge gained by red and blue teams
    • merged team during lessons learned / AAR
    • walks through steps taken


  • capture-the-flag events are a popular exercise

  • sandboxing

    • orgs can set up separate environments for cybersecurity exercises
    • limits the possibility of damage to production systems

Log Reviews

Logging security information

Log and data sources

  • network / netflow
  • DNS logs
  • system logs
  • application logs
  • authentication logs
  • other sources
    • VoIP
    • dump files
    • vulnerability scans and reports


  • standard logging format

  • components

    • header (timestamp, source address)
    • facility (source of the message on the sending system)
    • severity (importance values of 0–7)
    • message (details of the alert)
  • severity levels

    • admins can set based on levels
      0 emergency
      1 alert
      2 critical
      3 error
      4 warning
      5 notice
      6 informal
      7 debug
  • standard logging on Unix/Linus distros

  • versions

    • syslog
      • original version
      • rarely used
  • syslog-ng

    • 1998
    • added security and delivery enhancements
  • rsyslog

    • 2004
    • added further enhancements
  • journalctl

    • uses a binary format


  • log retention needs to balance out security and cost

    • necessary for security investigations
    • all has a cost for storage and maintaining systems
  • tagging

    • helps w/ searching, filtering and analysis
    • adds metadata about systems, users, locations, etc.
  • NXLog

    • centralizes management of log sources
    • Linux, Windows, etc.

SIEM (security information and event management)

  • AI can help w/ security data overload
  • has access to logs across the org
  • performs log correlation
    • example: might gather logs from firewall, web server and database, which can be used to see trands

Core functions

  • central secure collection point for logs
    • all systems send logs to SIEM
  • source of AI
    • detects patterns that other systems might miss


  • provide a centralized view of security info
  • can generate alerts
  • facilitate in trand analysis
    • can build graphs, etc.
  • offer adjustible sensitivity

SOAR (security orchestration and automated response)

  • super SIEM

  • can use playbooks and runbooks to have automated responses to security events

  • playbooks

    • process-focused response to security events
      • includes human and automated responses
  • runbooks

    • automated responses to security events
      • executes immediately
      • can aid human investigators

Code Testing

Code review

  • use peer analysis to assess code

Fagan inspection

  • planning

    • leader prepares for code review
      • prepares materials
      • identifies participants
      • schedules review
  • overview

    • leader assigns roles to participants
    • provides overview of software
  • preparation

    • participants review code individually
      • make note of issues
  • meeting

    • formal meeting w/ participants
    • developers discuss defects
  • rework

    • developers correct defects
  • followup

    • leadership confirms that defects are fixed
  • most orgs use a much less formal process

Code tests

  • use technology to test software

Static testing

  • uses automated technology to analyze code for errors
  • doesn’t run code
  • like an automated version of a code review

Dynamic testing

  • automated testing that actually executes code

  • verifies that the code is functioning correctly

  • synthetic transaction

    • developers supply inputs to code w/ known expected outputs
code reviews, static testing and dynamic testing are complementary.
they are not competing, and can be used together.\

Fuzz testing

  • software testing technique that feed many different input values into a program
  • attempts to cause unpredictable states ot unauthorized access

Input sources

  • developer-supplied input

  • developer-supplied script that generates input

  • generation fuzzing

    • fuzz testing app generates random input
  • mutation fuzzing

    • fuzz testing app analyzes real input and generates input from that
  • remember to avoid looking like a hacker

    • fuzz testing should only be done w/ permission

Interface testing

  • conplex systems need to rely on multiple independent components
  • these need standardized interfaces to connect between different systems

API (application code interface)

  • defines interactions between systems

  • must be tested

    • systems using APIs are often business critical
    • APIs can introduce serious security problems
  • UIs and physical interfaces should be tested too

Misuse case testing

  • evaluates software from an attackers point of view

  • software often expects users to behave normally

  • attacker will not behave normally, will attempt to break the “rules” of software

  • teams should brainstorm to develop misuse cases

    • should bring in developers not working on software to gain a fresh perspective
  • misuse case examples

    • unexpected input
      • size and type
    • missing input
    • injection attacks
    • unavailable funds
      • for example, attempts to deposit -$500 into an account

Test coverage analysis

  • percentage of software that has been tested

  • computing test coverage

    • test coverage = cases tested ÷ total cases
  • variables

    • use cases
      • checking all use cases for the software
  • functions

    • checking that all functions in the code have been tested
  • lines of code

    • making sure all lines of code have been tested
  • conditional branching

    • checking each IF branch w/ true and false conditions
  • automated test packages can compute test coverage

    • can identify areas of untested code

Business Continuity

Business continuity planning

  • core responsibility of cybersec professionals
  • controls are designed to keep business running in the face of adversity
  • sometimes called COOP (continuity of operations plan)
  • primary control for maintaining availability

Define scope

  • what business activities should be covered?
  • what systems should be covered?
  • what controls should be considered?

Business impact analysis

  • goal

    • identify and prioritize risk
  • results

    • list of risks and ALE
  • BCP in the cloud is a partnership between the org. and cloud provider

Business continuity controls

  • redundancy protects against a failure of a single component

  • single point of failure (SPOF) analysis

    • identifies and removes SPOF

      • examples:
        • web server → replace w/ cluster
        • firewall → add another for high availability pair
    • continues until cost of addressing risk outweighs benefits of implementing fix

    • analysis should consider multiple risks

    • remember to perform succession planning for staff as well

      • who would replace someone if they left?

High availability and fault tolerance

High availability

  • multiple systems protect against a service failure

Fault tolerance

  • protect services against disruption from small failures

Load balancing

  • spreads demand across systems

Common failure sources

  • power supplies

    • moving parts (fans, etc.)
    • high failure rates
    • can be redundant
      • two PSUs on one server
    • data centers can use multiple power suppliers
  • storage

    • RAID
      • RAID-1: stores same data on two disks
      • RAID-5 data striping with parity, 3+ disks
      • RAID provides fault tolerance, it is not a backup plan
  • networking

    • multiple ISPs
    • NIC teaming
    • redundant networking
    • multi-path networking (especially storage)

Redundancy through diversity

  • use diverse…
    • technologies
    • vendors
    • cryptography
    • security controls

Disaster Recovery Planning

Disaster recovery

  • business continuity plans can fail sometimes

  • DR is the capability to restore normal operations as soon as possible

  • DR is a subset of business continuity

  • triggered by disasters

    • environmental, or
    • man-made

Initial Response

  • contain damage caused by the incident
  • recover whatever capabilies may be immediately restored
  • includes a variety of duties
    • depend on the nature of the disaster
  • employee responsibilities can drastically change during disaster recovery
    • team members should recieve regular training on their responsibities

Disaster communications

  • initial activation of the DR team

  • regular status updates

  • tactical communications

  • after danger passes, move to an assessment stage

Disaster recovery metrics

  • RTO (recovery time objective)
    • maximum acceptable amount of time it should take to recover a service after a disaster
  • RPO (recovery point objective)
    • maximum acceptable time period of data that can be lost after a disaster
  • RSL (recovery service level)
    • acceptable percentage of service available during a disaster
  • after developing a plan, execute it

  • disaster recovery only ends when the org is operating back in its primary environment


  • one of the most important portions of a recovery plan
  • act as a data safety net


  • tape backup
    • old and slow, but still in use
  • disk-to-disk
  • cloud backup
    • provides geo-diversity
    • cloud service may also create their own backups

Full backups

  • include a complete copy of all data
  • snapshots and images are also a type of full backup

Differential backups

  • includes all data modified since the last full backup

Incremental backups

  • includes all data modified since the last full backup or incremental backup

Restoring backups

  • can take some time

    • for largescale restoration and/or recovery efforts, the order of restoration is important
    • org should prioritize the recovery of critical assets
  • non-persistance

    • allows us to back up only unique data
    • i.e. don’t need to backup copies of Windows system files for every server, just the data on the server
  • backups aren’t only used for massive disaseters

    • configuration problems may be fixed be reverting to last good known states
    • backups can be used to revert accidental changes to systems
  • live boot media

    • allows for recovery from devices w/ corrupt OSes

Disaster recovery sites


  • hot site
    • fully operational data center
    • stocked w/ equipment and data
    • available w/in minutes
    • very expensive
  • cold site
    • empty data center
    • stocked w/ basic equipment (network, power, server racks, etc.)
    • available in weeks or a month
    • relatively inexpensive
  • warm site
    • stocked w/ necessary equipment
    • not maintained in parallel w/ production environment
    • available in hours or days
    • similar expense to a hot site
  • consider using alternate business processes in DR plans when considering DR sites
    • example: temporarily using paper records, etc.

Offsite storage

  • geographically distant from main operations
  • provide site resliency
  • manual transfer or site replication via SAN or VM
  • may use online or offline backups

Testing BC/DR plans

Disaster recovery testing goals

  • validates that the plan works
  • identifies needed plan updates and weaknesses


  • read-through

    • team members review the DRP individually
  • walk-through
    tabletop exercise

    • teams gather for a review, and talk through the plan
  • simulation

    • teams gather and go through a practice secenario
  • parallel

    • activate the DRP
    • doesn’t switch over operations to the DR site
  • full interruption

    • activates the DRP
    • switches over operations to the DR site
    • can be very disruptive to the business
  • testing strategies frequently use a combination of all test types


  • formal review after a BC or DR event

  • should be conducted after _every_BD or DR event

    • even if the even was successful


  • executive summary

    • provides a background into the event
    • should be broad enough for anyone to understand
  • detailed summary

    • should answer all key questions about the event
      • who was involved?
      • what contributed to the success/failure of the BC/DR?
      • when did it happen?
      • why was the BCP or DRP activated?
      • etc
  • lessons learned

    • what to start?
    • what to stop?
    • what to continue?
  • conclusion

    • include next steps

Assessing Security Procedures

Security process data

  • management and operational controls supplement technical controls

  • unlike technical controls, theses aren’t automatically logged by systems

  • security process data

    • records about management controls
  • security process records should be maintained consistently

    • backups
    • user access reviews
    • training
    • etc.
  • should use consistent, repeatable processes for gathering security info

Management review and approval

Management reviews

  • act as a check-and-balance
  • double check to verify accuracy and compliance
  • create a culture of oversight
    • harder to commit malicious acts when you know that reviews happen regularly

Privileged user action reviews

  • privileged users can override normal security controls
  • this needs careful management oversight
  • should vet and authorize
  • reviews may be a 100% check or a random sampling, depending on the size of the org

Account management reviews

  • mangers verify that…
    • each user account aligns w/ a current employee
    • permissions assigned are appropriate for each employee’s role
    • changes made since the last review were authorized and documented

Security metrics

  • used to evaluate the effectiveness of a security program
  • should be defined in advance

KPIs (key performance indicators)

  • demonstrate the success of a security program

  • present a historical look on security

  • example

    • ITIL KPIs
      • decrease in breaches
      • decrease in breach impact
      • increase in strong SLAs
      • number of new controls
      • etc.

KRIs (key risk indicators)

  • predict the likelihood of a future security issue happening

  • presents a forward look on security

  • example

    • ISACA KRI Criteria
      • business impact
      • effort to implement, measure and support
      • reliability
      • sensitivity

Assessments and audits

  • verify that security controls function properly

  • evaluates security controls

  • provides a report

  • should always begin with a planning process

    • outlines scope of engagement
    • timeline for completion
    • expected deliverables
    • reduces the likelihood of misunderstandings later
  • assessments vs. audits

    • assessment
      • usually requested internally
        • IT staff, management, etc.
    • audit
      • often imposed by external requirements
        • board of directors, regulators, etc.
  • auditor types

    • internal auditors
      • work for the org
      • report independently from area being audited
      • work at the request of org. leadership
  • external auditors

    • independent firms
    • work at the request of external groups (board, regulators)
  • third party

    • government agencies or industry groups
    • perform regulatory audits
  • audits should always have clearly defined scopes

  • user access reviews

    • validate rights and permissions of users’ accounts
  • gap analysis

    • provides a roadmap of future work
    • provides a list of controls that are missing or not functioning

Control management

  • orgs must perform routine management of controls

  • orgs should test security controls regularly

    • routine and automated
  • almost every rule has an exception

    • orgs should have a process to request exceptions
    • orgs should also have a process to approve exceptions
  • compensating controls

    • mitigate the risk caused by exceptions

Vulnerability Assessments and Penetration Testing

  • vulnerability assessment
    • not always technical
      • physical
      • administrative
      • logical
    • identify weaknesses
    • passive
      • not attempting an exploit
  • penetration testing
    • ethical hacking to validate discovered weaknesses
    • red team (attacking team) vs. blue team (defending team)
  • NIST SP 800-42 Guideline on Security Testing

Vulnerability Scanning

  • identifies
    • active hosts
    • active ports and services
    • applications
    • OSes
    • vulnerabilities with associated OSes and applications
    • misconfigured
  • tests compliance with host application usage and security policies
  • establishes a foundation for the pen test

Attack Methodology

  1. Recon
    • gather information about the organization through various means
      • whois
      • company website
      • social engineering
  2. Footprinting
    • map the network (nmap)
    • ICMP ping sweeps
    • DNS zone transfers
  3. Fingerprinting
    • identify host information
    • perform port scans
  4. Vulnerability Assessment
    • identify weaknesses in system configurations
    • discover unpatched software
  5. Attack!
    • penetration
    • privilege escalation
      • “Run as…”
      • SU
    • install rootkits
      • collection of tools to maintain access
        • backdoor software
        • can update kernel of OS
        • difficult to detect
    • cover tracks
      • trojaned programs: attacker replaces default utilities with ones that masquerade as system utilities… that don’t identify backdoor software
      • log scrubbers

Testing Guidelines

  • why test?
    • risk analysis
    • certification
    • accreditation
    • security architecture
    • policy development
  • develop a cohesive, well-planned and operational security testing program

Penetration Test Considerations

  • three basic requirements
    • meet with senior management to determine the goal of the assessment
    • document the rules of engagement
    • get sign off from senior management
  • major issue
    • could disrupt productivity and production systems
  • overall purpose
    • determine system’s ability to withstand an attack
    • determine effectiveness of the current security measures
  • testers should…
    • determine effectiveness of safeguards
    • identify areas to improve
    • NOT suggest remediation steps
      • this violates separation of duties!
      • testers only test!

Rules of Engagement

  • the following should be identified
    • specific IP addresses / ranges to be tested
      • restricted hosts (i.e. the CEO’s laptop)
    • list of acceptable testing techniques
    • times for testing
    • PoCs for pen test team, targeted systems admins, network admins
    • measures to prevent law enforcement acting on false alarms
    • how information gathered should be handled

Types of Tests

  • physical
  • administrative
  • technical


  • don’t rely on a single method
    • get creative
  • path of least resistance
    • start with users
  • break the rules
    • even if the company follows rules, procedures, policies… hackers don’t have to!
    • attempt the unexpected
  • don’t rely on high tech tools
  • stealth may be required
  • don’t damage systems or data
  • don’t overlook small weaknesses while looking for a big one
  • have a toolkit ready

Network Scanning

  • list of active hosts
  • network services
    • ICMP
    • TCP, UDP
  • port scanner
    • nmap
    • fingerprinting
    • banner grabbing

Password Cracking

  • goal is to identify weak ones
  • passwords are generally stored / transmitted as a hash
  • password cracking requires capture of passwords hases
    • hashes can be intercepted on the wire, or
    • hashes can be retrieved from a target system

Password Cracking Techniques

  • dictionary attack: uses a list of passwords in a file (not a literal dictionary)
  • bruteforce: systematically going through all combinations of characters
  • hybrid: a combination of using bruteforce and a dictionary
  • LanMan password hashes
  • theoretically, all passwords are crackable
  • rainbow tables:

Rogue Infrastructure

  • basics
    • unauthorized DHCP server can be used to redirect hosts to a rogue DNS server
    • rogue DNS server can redirect traffic to spoofed hosts
    • DNS zone transfer information contains a lot of information about a network and its configuration
  • countermeasures
    • secure physical access to the network
    • require DHCP servers to require authentication
    • use DHCP reservations and MAC addresses to control IP address assignment
    • secure DNS zone transfers only to specific hosts

War Dialing

  • goal is to find modems
    • provide a way of bypassing most—if not all—security measures
  • attacker dials large blocks of phone numbers looking for a modem
  • countermeasures
    • removal, if possible, if not…
    • block inbound calls to modem
    • keep remote access server phone number out of normal office numbers
      • think: all campus numbers are 393-xxxx, pick 229-xxxx for modem

Corrective Actions

  • investigate and disconnect unauthorized hosts
  • disable / remove unnecessary and vulnerable services
  • modify vulnerable hosts
    • restrict access to vulnerable services to limited number of hosts
  • modify firewalls to restrict access to vulnerable services
  • upgrade / patch vulnerable systems
  • deploy countermeasures
  • improve configuration management program and procedures
  • assign staff to:
    • monitor vulnerability alerts / emails
    • examine if applicable to environment
    • make appropriate changes to system
  • modify security procedures and architecture
  • remember: all of the above must happen by going through change management!

Watching Network Traffic

Traffic Analysis

  • aka side channel analysis
  • watch traffic and its patterns to try to determine if something is happening

Traffic Padding

  • generating extra network traffic to make traffic analysis harder
  • attempts to keep traffic consistent so no information can be gained

Protocol Analyzers

  • aka sniffer

  • promiscuous mode - on NIC on the system that acts as a sniffer

  • bridging/switching can affect packet capture

  • port span / port mirroring mode: port on a switch acts like a hub — all traffic goes out it

  • sniffer + analysis engine = intrusion detection system

Intrusion Detection Systems

  • tool in a layered security model
  • purpose is to:
    • identify suspicious activity
    • log activity
    • respond (alert admins)
    • needs a NIC in promiscuous mode
    • needs a port with port span/mirroring enabled to view traffic on the switch

IDS Categories

  • Host Intrusion Detection System (HIDS) — host-based
  • Network Intrusion Detection System (NIDS) — network-based


  • sensor: data collector
    • on the network segment (NIDS)
    • on the host (HIDS)
  • analysis engine: analyzes data from the sensor and determines if there is suspicious activity on the network/host
  • signature database: used by the analysis engine. defines signatures of previous known attacks
  • UI and reports: way that the system is used by admins

    Host Intrusion Detection Systems (HIDS)

    • things that a HIDS can look at:
      • logins
      • system log / audit files
      • application log / audit files
      • file activity
      • configuration file changes
      • process stops / starts
      • use of certain applications
      • CPU use
      • network traffic
    • advantages
      • can be application and OS specific — might have information/knowledge of latests attacks that can occur against that application or OS
      • can look at decrypted data (network traffic is often encrypted)
    • disadvantages
      • only protects one machine
      • uses system resources
      • can’t see what’s on other machines in the organization / network
      • scalability
      • HIDS can be disabled, rendering it useless

    Network Intrusion Detection Systems (NIDS)

    • placed in the DMZ of a network
    • looks at:
      • source / destination IP addresses
      • source / destination port #s
      • protocol
      • data content
    • often will look for:
      • DoS attacks
      • port scans
      • malicous content
      • vulnerability tests
      • tunneling
      • bruteforce attacks
    • can also look for violations of an organization’s network policy (ex. instant messaging, streaming video)
    • disadvantages
      • data must be unencrypted to be analyzed
        • many protocols are encrypted
      • switches need to have port spanning/mirroring on the port the NIDS is on
      • if on the perimeter of a network, can miss things internally
      • must be able to handle lots of data quickly
      • cannot see what’s going on on servers and hosts directly

IDSes vs. IPSes

  • IDS: passive
  • IPS: active
    • can activate firewall rules dynamically
    • can shut down TCP traffic

Analysis Engines

Pattern Matching

  • aka signature-based
  • most network attacks have a distinct signature
  • signature-based NIDSs have a database of known signature
  • alert on traffic/conditions that match known signature in database
  • concerns
    • need to pay for signature database from vendor
    • need to keep application and signature database up-to-date
    • no protection from zero day attacks

Profile Matching

  • aka anomoly, behavior, heuristic
  • looks for changes in “normal” behavior on the network
  • learns after observing for days/weeks to create a baseline of what is “normal”
  • alerts for things out of the ordinary compared to the baseline
  • advantages
    • can possibly detect zero day attacks
    • can detect behavioral changes that might not be a technical attack (i.e. someone preparing to embezzle funds)
  • disadvantages
    • can produce false positives
      • which get ignored (boy who cried wolf)
    • engines require a skilled analyst to tweak and hone in

IDS Bypass Methods

Evasion Attacks

  • fly under the radar
  • make many small attacks from multiple directions
  • salami attack

Insertion Attack

  • add meaningless info (without modifying te payload) to a known payload
  • geared towards signature-based IDSes


  • depoyment
    • pseudo-flaw: a loophole added to OSes or applications to entice and trap an intruder
    • sacrificial lamb on a network
    • admins hope to catch intruders on the honeypot system instead of their production applications / systems
    • enticing because of open ports and vulnerable services
  • remember enticement vs. entrapment

Padded Cells

  • concept used in programming
    • a sandbox is created with separate memory and storage for an application to use
    • similar to a virtual machine
  • also used by IDSes
    • intruder is moved to a padded cell without their knowledge
    • simulated environment keeps intruder at bay and occupied
    • intruder leaves production systems alone
  • aka: self-mutating honeypot, tarpit