FCS_Unit_4_Notes

Intrusion Detection and Prevention

4.1 Intrusion

Intrusion in the context of cybersecurity refers to any unauthorized access or compromise of a computer system, network, or application. Cyber intrusions can take various forms, and they are typically carried out by individuals or groups with malicious intent, such as hackers, cybercriminals, or state-sponsored actors. The goal of an intrusion is often to gain unauthorized access, steal sensitive information, disrupt normal operations, or compromise the integrity of systems.

4.2 Physical Theft

Physical theft in the context of cybersecurity refers to the unauthorized physical acquisition or removal of computing devices, storage media, or other physical assets that contain sensitive information. While cybersecurity often focuses on digital threats, physical theft remains a tangible risk that can lead to data breaches, unauthorized access, or other security incidents. Here are key aspects related to physical theft and measures to mitigate this risk:

Types of Physical Theft:

  1. Device Theft:
    • Description: Stealing computers, laptops, smartphones, tablets, or other devices that store sensitive information.
    • Risk: Unauthorized access to data, potential exposure of sensitive information, and the loss of valuable hardware.
  2. Storage Media Theft:
    • Description: Stealing external hard drives, USB flash drives, or other storage devices containing critical data.
    • Risk: Loss of data, potential exposure of sensitive information, and compromised integrity if data is tampered with.
  3. Paper Documents:
    • Description: Physical theft of documents, printouts, or files containing sensitive information.
    • Risk: Unauthorized access to confidential information, potential identity theft, or exposure of proprietary data.
  4. Server or Networking Equipment Theft:
    • Description: Stealing servers, routers, switches, or other networking equipment.
    • Risk: Disruption of services, potential data loss, and compromised network security.

4.3 Abuse of Privileges

Abuse of privileges in cybersecurity refers to the misuse or exploitation of authorized access, rights, or privileges within a computer system, network, or application. This type of insider threat involves individuals with legitimate access intentionally using their privileges for unauthorized or malicious activities. Abuse of privileges can lead to security breaches, data leaks, and other significant cybersecurity incidents.

Types of Privilege Abuse in Cybersecurity:

  1. Unauthorized Access:
    • Description: Exploiting legitimate access rights to gain unauthorized access to sensitive systems, data, or resources.
  2. Data Theft or Exfiltration:
    • Description: Using privileged access to steal, copy, or transfer sensitive data for personal gain or malicious purposes.
  3. System Compromise:
    • Description: Leveraging administrative privileges to compromise systems, install malware, or manipulate configurations.
  4. Insider Trading:
    • Description: Utilizing non-public information obtained through privileged access for personal financial gain, such as stock trading.
  5. Sabotage or Destruction:
    • Description: Deliberately causing harm to systems, data, or operations through unauthorized actions.

4.4 Unauthorized Access by Outsider

Intruders gain access to a system or network without proper authorization. This could involve exploiting vulnerabilities, using stolen credentials, or bypassing authentication mechanisms.

4.5 Malware Infection

Malicious software (malware) is introduced into a system to compromise its functionality, steal data, or provide unauthorized access. Examples include viruses, worms, trojans, ransomware, and spyware.

4.6 Intrusion Detection and Prevention Techniques

Intrusion Detection Systems (IDS):

IDS monitors network or system activities for signs of malicious behavior and raises alerts or takes actions to mitigate potential threats.

Firewalls:

Firewalls act as a barrier between a trusted internal network and untrusted external networks, blocking unauthorized access and mitigating the impact of intrusion attempts.

Antivirus Software:

Antivirus programs detect and remove malicious software to prevent it from compromising the integrity of systems or stealing sensitive data.

Security Information and Event Management (SIEM):

SIEM systems collect and analyze log data from various sources to identify and respond to security incidents, including intrusions.

Access Controls:

Implementing strong access controls, including proper user authentication and authorization mechanisms, helps prevent unauthorized access to systems and data.

Regular Software Updates and Patching:

Keeping software, operating systems, and applications up-to-date with the latest security patches helps close known vulnerabilities that could be exploited in an intrusion.

Encryption:

Encrypting sensitive data during transmission and storage adds an extra layer of protection, making it more difficult for intruders to access or manipulate the information.

User Education and Training:

Educating users about cybersecurity best practices, including recognizing phishing attempts and practicing safe online behavior, helps prevent intrusions resulting from human error.

4.7 Anti-Malware Software

Anti-malware software, also known as antivirus software, is a crucial component of cybersecurity designed to detect, prevent, and remove malicious software (malware) from computer systems. Malware includes various types of malicious programs, such as viruses, worms, trojan horses, ransomware, spyware, adware, and other forms of harmful software that can compromise the security and functionality of a computer or network.

Benefits of Anti-Malware Software:

  1. Threat Prevention:
    • Benefit: Protects against a wide range of malware threats, preventing them from infiltrating and compromising systems.
  2. Data Protection:
    • Benefit: Safeguards sensitive data by preventing unauthorized access or theft by malware.
  3. System Performance:
    • Benefit: Helps maintain system performance by identifying and removing resource-intensive or disruptive malware.
  4. Web Browsing Safety:
    • Benefit: Enhances web browsing safety by blocking access to malicious websites and preventing the download of malicious content.
  5. Email Security:
    • Benefit: Secures email communications by scanning attachments and links for potential malware threats.
  6. Continuous Updates:
    • Benefit: Ensures that the software remains effective against new and evolving malware threats through regular updates.
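The two detection methods that anti-malware products build on (exact hash matching against a known-bad list and byte-pattern signatures inside a file), together with quarantine and a signature update, as an added example in Python. This is not code from these notes or from any real product; the "malicious" sample content, the marker bytes and the signature names are all constructed for the demo, and the scanner is deliberately far simpler than a real engine (no unpacking, no heuristics, no real-time hooks).

```python
"""Signature-based file scanner with quarantine (added example, not a real AV product).

Detection is by exact SHA-256 match against a known-bad list and by byte patterns
found inside the file; both databases below are constructed for this example.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed "known malware" content, standing in for a vendor signature feed.
_CONSTRUCTED_SAMPLE = b"constructed sample: pretend this is a known malicious binary"
KNOWN_BAD_HASHES = {hashlib.sha256(_CONSTRUCTED_SAMPLE).hexdigest(): "constructed-hash-sig"}
BYTE_SIGNATURES = {"constructed-pattern-sig": b"CONSTRUCTED_MALWARE_MARKER"}


def sha256_file(path: Path) -> str:
    """Hash the file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path: Path) -> list[str]:
    """Return the names of every signature that matches this file (empty list = clean)."""
    hits = []
    digest = sha256_file(path)
    if digest in KNOWN_BAD_HASHES:
        hits.append(KNOWN_BAD_HASHES[digest])
    data = path.read_bytes()
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def scan_directory(root: Path, quarantine: Path) -> dict[str, list[str]]:
    """Scan every regular file under root; move detections into quarantine and report them."""
    quarantine.mkdir(parents=True, exist_ok=True)
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if quarantine in path.parents:
            continue  # never rescan what has already been isolated
        hits = scan_file(path)
        if hits:
            # A renamed copy in a separate directory cannot be launched by its original name.
            shutil.move(str(path), str(quarantine / (path.name + ".quarantined")))
            report[path.name] = hits
    return report


def update_signatures(new_hashes: dict[str, str], new_patterns: dict[str, bytes]) -> None:
    """Merge a fresh signature set; the 'continuous updates' benefit is this step, repeated."""
    KNOWN_BAD_HASHES.update(new_hashes)
    BYTE_SIGNATURES.update(new_patterns)


def demo() -> tuple[dict, dict, list]:
    """Build a constructed directory, scan it, apply an update, scan again."""
    root = Path(tempfile.mkdtemp())
    quarantine = root / "quarantine"
    (root / "clean.txt").write_bytes(b"just a normal document")
    (root / "known_bad.bin").write_bytes(_CONSTRUCTED_SAMPLE)
    (root / "pattern_bad.bin").write_bytes(b"header " + b"CONSTRUCTED_MALWARE_MARKER" + b" trailer")
    (root / "newly_known.bin").write_bytes(b"not yet in any signature set")
    first = scan_directory(root, quarantine)
    # Simulated signature update: the fourth file becomes "known bad" only now.
    update_signatures(
        {hashlib.sha256(b"not yet in any signature set").hexdigest(): "constructed-update-sig"}, {})
    second = scan_directory(root, quarantine)
    remaining = sorted(p.name for p in root.iterdir() if p.is_file())
    return first, second, remaining


if __name__ == "__main__":
    first, second, remaining = demo()
    print("first scan:", first)
    print("after update:", second)
    print("still in place:", remaining)
```

The second scan is the point of the example: a file that passed the first scan is caught only after the signature set is refreshed, which is why the notes list continuous updates as a benefit rather than a convenience.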

4.8 Network-based Intrusion Detection Systems

Network-based Intrusion Detection Systems (NIDS) are security tools designed to monitor and analyze network traffic for signs of malicious activity or security threats. These systems play a crucial role in identifying and responding to potential cyber threats in real-time. Here are key aspects related to network-based Intrusion Detection Systems:

Key Features of NIDS:

  1. Packet Capture:
    • Description: NIDS capture and analyze packets flowing through the network to inspect the content, headers, and other relevant information.
  2. Signature-Based Detection:
    • Description: NIDS use predefined signatures or patterns of known attacks to identify and alert on malicious activity.
  3. Anomaly-Based Detection:
    • Description: NIDS analyze network behavior to establish a baseline and raise alerts when deviations from normal patterns occur, indicating potential attacks.
  4. Deep Packet Inspection:
    • Description: NIDS inspect the content of packets at a deep level, looking for specific attributes or anomalies that may indicate malicious activity.
  5. Protocol Analysis:
    • Description: NIDS examine network protocols to detect deviations or misuse that may indicate an attack.
  6. Session Monitoring:
    • Description: NIDS track and monitor network sessions to identify unusual or suspicious patterns of communication.

4.9 Network-based Intrusion Prevention Systems

Network-based Intrusion Prevention Systems (NIPS) are security solutions designed to actively identify, block, or mitigate potential threats within a network. NIPS build upon the capabilities of Intrusion Detection Systems (IDS) by not only detecting malicious activity but also taking automated actions to prevent the detected threats from causing harm. Here are key aspects related to network-based Intrusion Prevention Systems:

Key Features of NIPS:

  1. Signature-Based Detection:
    • Description: NIPS use predefined signatures or patterns of known attacks to identify and block malicious activity.
  2. Anomaly-Based Detection:
    • Description: NIPS analyze network behavior to establish a baseline and take action when deviations from normal patterns are detected.
  3. Real-time Packet Inspection:
    • Description: NIPS inspect network packets in real-time to identify and block malicious content or activity.
  4. Deep Packet Inspection:
    • Description: NIPS examine the content of packets at a deep level to detect specific attributes or anomalies associated with known threats.
  5. Protocol Analysis:
    • Description: NIPS analyze network protocols to identify and block deviations or misuse that may indicate an attack.
  6. Blocking and Mitigation Actions:
    • Description: NIPS actively block or mitigate identified threats by taking actions such as dropping malicious packets, resetting connections, or blocking malicious IP addresses.
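The signature-based and anomaly-based detection listed for NIDS in 4.8, and the blocking actions that turn the same engine into a NIPS in 4.9, as one added Python example that is not part of these notes. The engine runs in alert-only mode (NIDS) or prevent mode (NIPS); the packet records, the byte-pattern signatures, the addresses and the port-scan threshold are all constructed for the demo, and a real sensor would be fed by a packet-capture library rather than by a list of dictionaries.

```python
"""Signature- plus anomaly-based packet inspection, in detect-only (NIDS) and
prevent (NIPS) modes. Added example; packets, signatures and addresses are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed signature database: byte patterns a known-bad payload would contain.
SIGNATURES = [
    ("constructed-sig-1", b"CONSTRUCTED_BAD_PATTERN_A"),
    ("constructed-sig-2", b"CONSTRUCTED_BAD_PATTERN_B"),
]


@dataclass
class Verdict:
    action: str                        # "pass", "alert" (NIDS) or "drop" (NIPS)
    reasons: list = field(default_factory=list)


@dataclass
class Engine:
    prevent: bool = False              # False: alert only (NIDS); True: drop and block (NIPS)
    scan_threshold: int = 5            # distinct destination ports from one source before alerting
    baseline_ports: Counter = field(default_factory=Counter)
    ports_seen: dict = field(default_factory=lambda: defaultdict(set))
    blocked_sources: set = field(default_factory=set)

    def learn_baseline(self, packets):
        """Anomaly detection needs a picture of 'normal': here, which destination ports occur."""
        for pkt in packets:
            self.baseline_ports[pkt["dport"]] += 1

    def inspect(self, pkt) -> Verdict:
        # A prevention system keeps dropping traffic from a source it has already blocked.
        if pkt["src"] in self.blocked_sources:
            return Verdict("drop", ["source previously blocked"])

        reasons = []
        # Signature-based detection: deep packet inspection of the payload bytes.
        sig_hit = False
        for name, pattern in SIGNATURES:
            if pattern in pkt["payload"]:
                reasons.append(f"signature {name}")
                sig_hit = True
        # Anomaly 1: a destination port that never appeared in the baseline.
        if pkt["dport"] not in self.baseline_ports:
            reasons.append(f"unusual destination port {pkt['dport']}")
        # Anomaly 2: one source touching many distinct ports (session monitoring).
        self.ports_seen[pkt["src"]].add(pkt["dport"])
        scan_hit = len(self.ports_seen[pkt["src"]]) >= self.scan_threshold
        if scan_hit:
            reasons.append("many distinct ports from one source")

        if not reasons:
            return Verdict("pass")
        if not self.prevent:
            return Verdict("alert", reasons)
        # Prevention: drop the packet; block the source only on high-confidence findings,
        # because an unusual port on its own is often a false positive.
        if sig_hit or scan_hit:
            self.blocked_sources.add(pkt["src"])
        return Verdict("drop", reasons)


def constructed_traffic():
    """Baseline traffic plus a live sequence; every value is made up for the demo."""
    def pkt(src, dport, payload=b"GET / HTTP/1.1"):
        return {"src": src, "dst": "10.0.0.1", "dport": dport, "payload": payload}
    baseline = [pkt("10.0.0.5", 80), pkt("10.0.0.5", 443), pkt("10.0.0.6", 80)]
    live = [
        pkt("10.0.0.7", 443),                                                # benign
        pkt("10.0.0.7", 443, b"POST /x " + b"CONSTRUCTED_BAD_PATTERN_A"),   # signature hit
        pkt("10.0.0.7", 443),                                                # benign, but source is blocked in NIPS mode
        pkt("10.0.0.9", 21), pkt("10.0.0.9", 22), pkt("10.0.0.9", 23),       # ports absent from the baseline
        pkt("10.0.0.9", 80),                                                 # normal port, still under the scan threshold
        pkt("10.0.0.9", 110),                                                # unusual port and fifth distinct port
    ]
    return baseline, live


def run(prevent: bool):
    """Train on the baseline, then inspect the live sequence; returns (engine, verdicts)."""
    baseline, live = constructed_traffic()
    engine = Engine(prevent=prevent)
    engine.learn_baseline(baseline)
    return engine, [engine.inspect(p) for p in live]


if __name__ == "__main__":
    for mode in (False, True):
        engine, verdicts = run(prevent=mode)
        print("NIPS" if mode else "NIDS", [v.action for v in verdicts], sorted(engine.blocked_sources))
```

Run it in both modes and compare the verdict lists: the NIDS only ever alerts, while the NIPS drops the same packets and, after the signature hit and the port-scan threshold, keeps dropping everything from those two sources. The choice to block only on high-confidence findings is the usual compromise a NIPS operator has to make, since an anomaly-only block can cut off legitimate traffic.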

4.10 Host-based Intrusion Prevention Systems

Host-based Intrusion Prevention Systems (HIPS) are security solutions designed to protect individual computer systems or hosts from various forms of cyber threats and attacks. Unlike network-based intrusion prevention systems (NIPS) that operate at the network level, HIPS are installed directly on individual devices, such as servers, workstations, or endpoints.

Types of HIDS:

Host-Based Intrusion Detection Systems can be broken into two main categories based on how they are deployed:

  • Agent-based HIDS: An agent-based HIDS relies on software agents that are installed on each host to collect information from the host. This is a “heavier-weight” approach because running agents on hosts increases the resource utilization of the hosts.
  • Agentless HIDS: With an agentless HIDS, information from hosts is collected without relying on agents, such as by streaming the data over the network. This type of HIDS is more complex to implement, and agentless HIDS sometimes can’t access as much data as agent-based solutions, but the agentless approach offers the benefit of consuming fewer resources.

HIDS components

No matter which type of HIDS you deploy, your HIDS solution will typically include three main components:

  • Data collectors: Using either agents or an agentless approach, your HIDS deploys sensors that collect data from hosts.
  • Data storage: After being collected, the data is usually aggregated and stored in a central location. The data is retained at least as long as is necessary to analyze it, although organizations may also choose to keep the data on hand so they can reference it at a later time if desired.
  • Analytics engine: The HIDS uses an analytics engine to process and evaluate the various data sources that it collects. The purpose of analytics is to look for patterns or anomalies, then assess the likelihood that they are the result of security risks or attacks.
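The three HIDS components just listed, wired together as an added Python example that is not part of these notes: two agent-style data collectors (a file-integrity snapshot and a parser for authentication log lines), a central store holding the integrity baseline and the collected events, and an analytics engine that looks for deviations from the baseline and for repeated failed logins. The monitored files live in a temporary directory created by the example, and the log lines, the simplified "sshd:" line format, the usernames and the addresses (documentation ranges) are constructed.

```python
"""Tiny agent-style HIDS: collectors -> storage -> analytics (added example).

Everything it reads is constructed inline: a temporary directory stands in for the
monitored host files, and a few fake auth log lines stand in for the host's log.
"""
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path


# ---- Data collectors -----------------------------------------------------
def collect_file_hashes(paths):
    """Sensor 1: file-integrity snapshot, path -> SHA-256 of the current content."""
    return {str(p): hashlib.sha256(p.read_bytes()).hexdigest() for p in paths}


# Constructed, simplified log format; a real agent would parse the host's actual syslog lines.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$")


def collect_auth_events(lines):
    """Sensor 2: turn raw log lines into structured events; lines that do not parse are dropped."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


# ---- Data storage --------------------------------------------------------
class Store:
    """Central store: the integrity baseline plus an append-only event list."""

    def __init__(self):
        self.baseline = {}
        self.events = []

    def set_baseline(self, hashes):
        self.baseline = dict(hashes)

    def append_events(self, events):
        self.events.extend(events)


# ---- Analytics engine ----------------------------------------------------
def analyze(store, current_hashes, failed_threshold=3):
    """Return a list of alert tuples; each starts with the pattern that fired."""
    alerts = []
    # Pattern 1: deviation from the file-integrity baseline (modified, new, deleted).
    for path, digest in current_hashes.items():
        if path not in store.baseline:
            alerts.append(("new_file", path))
        elif store.baseline[path] != digest:
            alerts.append(("modified_file", path))
    for path in store.baseline:
        if path not in current_hashes:
            alerts.append(("deleted_file", path))
    # Pattern 2: repeated failed logins from one source, and a success right after them.
    failures = defaultdict(int)
    for ev in store.events:
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= failed_threshold:
            alerts.append(("success_after_failures", ev["ip"], ev["user"]))
    for ip, n in failures.items():
        if n >= failed_threshold:
            alerts.append(("repeated_failed_logins", ip, n))
    return alerts


def demo():
    """Constructed scenario: a config file is changed, a file appears, one source hammers sshd."""
    root = Path(tempfile.mkdtemp())
    conf = root / "app.conf"
    conf.write_text("debug=false\n")
    service = root / "service"
    service.write_bytes(b"constructed stand-in for a binary")
    store = Store()
    store.set_baseline(collect_file_hashes([conf, service]))   # taken when the host was trusted
    conf.write_text("debug=true\n")                             # later: tampered
    dropped = root / "unexpected.so"
    dropped.write_bytes(b"constructed")                         # later: new file appears
    current = collect_file_hashes([conf, service, dropped])
    lines = [                                                   # constructed auth log lines
        "2024-01-01T10:00:01 sshd: Failed password for admin from 203.0.113.9",
        "2024-01-01T10:00:02 sshd: Failed password for admin from 203.0.113.9",
        "2024-01-01T10:00:03 sshd: Failed password for root from 203.0.113.9",
        "2024-01-01T10:00:04 sshd: Accepted password for admin from 203.0.113.9",
        "2024-01-01T10:00:05 sshd: Accepted password for alice from 198.51.100.4",
        "garbage line the collector should ignore",
    ]
    store.append_events(collect_auth_events(lines))
    return store, analyze(store, current)


if __name__ == "__main__":
    store, alerts = demo()
    for alert in alerts:
        print(alert)
```

Storing the baseline and the raw events separately from the analytics is what lets an analyst go back to the retained data later, as the notes describe: the analysis can be re-run with a different threshold without collecting anything again.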
