Networking & Security - Cryptography & Other Topics

False Positive

An incorrect alarm

False Negative

an incorrectly ignored event

True positive

A correct alarm

True negative

a correctly ignored event

IDS tuning

correct tuning must find the crossover rate, where the false positive rate and false negative rate are equal, to maximize effectiveness, since FPR and FNR are inversely related.

Responses to malicious activity

ignore, allow, alert administrator, block

Signature vs. Anomaly Detection

Signature detection: the staple of IDS, make a big list of known malicious activities and watch for them - does not know the intent of the activity, and leads to alerts on administrator action. Requires prior knowledge of the attack
Anomaly detection: dev

Symmetric Cryptography

the encryption and decryption keys are the same. Both the sender and receiver know the key

Asymmetric Cryptography

the encryption and decryption keys are different. The sender knows only the encryption key and the recipient knows only the decryption key. Keypair consisting of public key (freely distributed) and private key (kept secret). Only 2n keys required versus n

Ciphers

mathematical algorithms used to encrypt and/or decrypt information. codes are used for either efficiency or secrecy

Substitution cipher

take each letter and change it into a different letter. Example: the Caesar cipher. symmetric

Digital Signatures

asymmetric algorithms can leverage their basic properties to provide non-repudiation because only the two keys of a pair can encrypt/decrypt each other. They also use hash functions to enforce this. Useful for providing the authenticity of email messages, documents, et

Digital certificates

uses asymmetric cryptography to facilitate the secure exchange of public keys
rely upon the use of trusted certificate authorities. usually used for servers, but can be used by individuals. organization proves its identity to the CA and the CA provides a

creating + verifying digital signature

Creating:
1. generate a message digest
2. encrypt it with your private key
3. attach it to the message
Verifying:
1. decrypt with the sender's public key
2. generate a message digest from the original message
compare the two; a match = non-repudiation

DES

symmetric: combines substitution and transposition/permutation into a Feistel function (F). It then applies that function over 16 rounds using a 56 bit key, providing 72 quadrillion possible keys (encodes 64 bit blocks at a time).
Can be broken. Temporary fix is

Advanced Encryption Standard (AES)

symmetric: uses the Rijndael algorithm with a 128, 192, or 256 bit key

Non-repudiation

in the context of encryption, provides evidence that the message was sent by who it claims to be sent by. The four goals of cryptography are confidentiality of the message, integrity of the message, non-repudiation of the message, authentication of the me

Hash functions

one-way functions that map a variable-length input to a unique, fixed-length output. it is incredibly difficult to find two messages with the same digest. It is impossible to determine the original message from the digest

Digital Currency

...

Network Address Translation (NAT)

A mechanism for converting the internal IP addresses found in packet headers into public IP addresses for transmission over the internet. NAT was developed to allow private networks to use any IP address set without causing collisions or conflicts with pu

Domain Naming System (DNS)

Resolves a human-friendly domain name into its IP address equivalent. In other words, it takes a MAC or hardware address from the permanent physical layer and converts it to a "temporary" logical IP address assigned over the MAC address.

Hypertext Transfer Protocol (HTTP)

Found on application layer, typically on Port 80. This is the protocol used to transmit web page elements from a web server to web browsers

File Transfer Protocol (FTP)

Found on application layer, typically on ports 20 and 21. This is a network application that supports an exchange of files that requires anonymous or specific authentication. Not smart to use this because people can see the data that you are transferring

Simple Mail Transfer Protocol (SMTP)

Application layer protocol, typically on Port 25. This is a protocol used to transmit email messages from a client to an email server and from one email server to another.

Firewall

a network device used to block or filter traffic. Most common perimeter protection device. Creates borders, internal or external. Can be hardware or software. Usually deployed between a private network and a link to the internet. Filter traffic based on a

Intrusion Detection Systems (IDS)

Any combination of hardware and software used to monitor a system/network for malicious activity (e.g. car alarm, smoke detector, burglar alarm, camera system

Intrusion Prevention System (IPS)

similar to detection systems, but provide the ability to drop or stop traffic that is identified as unwanted, such as attacks or scans. These devices must be in-line, or must have access to network devices that allow them to block or reset traffic (e.g. firew

Subnets

...

Default Gateway

...

OSI vs DoD model

...

Packet Encapsulation

...

Proxy Servers

an intermediary server. three types: gateway, forward, and reverse. Important to mask identity of clients (Tor or Onion), allow for content filtering, improve performance, offloading SSL work, Cache content, mask servers

Network ACLs

Access control lists: determine what traffic is authorized to pass into and out of a private network. Can operate one of two ways; either all traffic is blocked, and a specific rule set allows only preapproved traffic in, or all traffic is allowed, and onl

Stateful vs Stateless

Stateful inspection firewalls (dynamic packet filtering firewalls) evaluate the state or the context of network traffic. This way they are able to grant a broader range of access for authorized users and activities and actively watch for and block unautho

Modems

a communications device that converts or modulates between an analog carrier signal and digital information in order to support computer communications over the public switched telephone network. Traditional land-line modems have been replaced by digital broad-ba

Denial of Service

...

Distributed Denial of Service

...

Eavesdropping

...

Man-In-The-Middle

...

Spoofing

...

TCP/IP

A protocol stack comprising dozens of individual protocols found in just about every available operating system. Designed for ease of use rather than security, so easy to hack. Can be secured using VPN links. Comprised of UDP and TCP each of which contrai

Transmission Control Protocol (TCP)

A full duplex connection-oriented protocol operating on layer four of the OSI model. Establishes a 3 way handshake process for data transmission where 1) The client sends a SYN (synchronize) flagged packet to the server 2) The server responds with a SYN/A

User Datagram Protocol (UDP)

Operates on layer 4 of the OSI model. A connection-less best effort communications protocol which offers no error detection or correction, does not use sequencing, does not use flow control mechanisms, does not use a preestablished session, and is conside

Datagram Fragmentation

only so much data can be sent in a packet. The data is converted to packets and told what order it should be put back together in.

Fragmentation Attacks

messing with the fragments of data that are sent over or between networks so that packets either overlap or there is extra space between them, making them uninterpretable to the receiver.

Ping of Death

Sending a packet of data that is larger than the maximum 65,536 bytes that a normal operating system can receive. The receiver cannot accept or resolve the specially constructed oversized packets and crashes

SYN Flooding

when the server receives the first SYN, it makes an entry in its state table reflecting the half-open connection. an attacker may be able to send a bunch of SYN-ACKs back to the original sender, and as long as they don't send another ACK back to the server

DNS Poisoning

the injection of false information into an organization's DNS server? For example, you could trick the Notre Dame DNS server into thinking that you are bankofamerica.com. Basically, trick the server into thinking that you are the authoritative source for
