1.      A key feature of hybrid IDPS systems is event correlation. After researching event correlation online, define the following terms as they are used in this process: compression, suppression, and generalization.

Event correlation is designed to monitor the network. Compression reduces repeated occurrences of the same event: if it finds redundant events, it removes the repeats. Suppression suppresses false alarms that could interrupt the system. Generalization gives a general-purpose alert for a corrupt signature on the network.
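As an added illustration (not part of the original answer), here are the three operations applied to a constructed alert stream in Python; the sensor names, signature names, and rule sets are hypothetical.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    source: str     # reporting sensor (hypothetical names below)
    signature: str  # IDPS rule name as the sensor reported it
    severity: str


# Constructed sample alert stream, not real IDPS output: one port-scan alert
# repeated five times, a noisy sensor heartbeat, and two signatures that
# describe the same kind of activity under different names.
SAMPLE_EVENTS: List[Event] = (
    [Event("sensor-a", "PORTSCAN TCP SYN", "low")] * 5
    + [Event("sensor-a", "SENSOR HEARTBEAT", "info")]
    + [Event("sensor-b", "PORTSCAN UDP", "low"),
       Event("sensor-b", "SSH LOGIN FAILURES", "medium")]
)

# Hypothetical correlation rules: signatures to drop as known noise, and a
# map from specific signatures to the broader category an analyst tracks.
SUPPRESS_RULES: Set[str] = {"SENSOR HEARTBEAT"}
GENERALIZE_RULES: Dict[str, str] = {
    "PORTSCAN TCP SYN": "reconnaissance",
    "PORTSCAN UDP": "reconnaissance",
    "SSH LOGIN FAILURES": "credential guessing",
}


def compress(events: Iterable[Event]) -> List[Tuple[Event, int]]:
    """Compression: collapse identical repeated events into one event plus a
    count, keeping first-seen order so the analyst still sees when it began."""
    counts: Dict[Event, int] = {}
    for ev in events:
        counts[ev] = counts.get(ev, 0) + 1
    return list(counts.items())


def suppress(events: Iterable[Tuple[Event, int]], rules: Set[str]) -> List[Tuple[Event, int]]:
    """Suppression: drop events classified as noise before they reach the console."""
    return [(ev, n) for ev, n in events if ev.signature not in rules]


def generalize(events: Iterable[Tuple[Event, int]], mapping: Dict[str, str]) -> List[Tuple[Event, int]]:
    """Generalization: replace a specific signature with its broader class."""
    return [(replace(ev, signature=mapping.get(ev.signature, ev.signature)), n)
            for ev, n in events]


def correlate(events: Iterable[Event]) -> Dict[str, int]:
    """Run all three steps and total the counts per generalized category."""
    totals: Dict[str, int] = {}
    for ev, n in generalize(suppress(compress(events), SUPPRESS_RULES), GENERALIZE_RULES):
        totals[ev.signature] = totals.get(ev.signature, 0) + n
    return totals
```

Eight raw alerts reduce to two findings: six reconnaissance events and one credential-guessing event, with the heartbeat gone.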

4.   Use the internet to search for "live DVD security toolkit." Read a few websites to learn about this class of tools and their capabilities. Write a brief description of a live DVD security toolkit.

The security toolkits available provide many different tools and utilities that can be downloaded and used from the toolkit. The toolkit provides the user with a web interface to use the tools to perform tasks online.

Case Exercises

1.       Do you think Miller is out of options as he pursues his vendetta? If you think he could take additional actions in his effort to damage the SLS network, what are they?

Yes, Miller is out of options when it comes to his vendetta. An additional action he could take would be to try it again on a different network, maybe a faster network.

2.       Suppose a system administrator at SLS read the details of this case. What steps should he or she take to improve the company's information security program?

Policies should be implemented to prevent this from happening. They should be tested and revised if needed. There also needs to be an assessment of risk areas of the company. Identifying the risks shows where security needs to be improved.

3.       Consider Miller's hacking attempt in light of the intrusion kill chain described earlier and shown in Figure 7-1. At which phase in the kill chain has SLS countered his vendetta?

Miller was on a VPN, and the company's VPN found the closed door and redirected him. The company's firewall also countered his program's attempt to hack into the network.

Ethical Decision Making

Suppose that when his scanning efforts had been detected, SLS not only added his IP address to the list of sites banned from connecting to the SLS network, the system also triggered a response to seek out his computer and delete key files on it to disable his operating system. Would such an action by SLS be ethical? Do you think that action would be legal?

This action would not be legal or ethical. Doing something wrong because someone did something wrong to you doesn't make it right. Miller was in the wrong and will face consequences for his actions and will be put on lists.

Suppose instead that Miller had written a routine to constantly change his assigned IP address to other addresses used by his ISP. If the SLS intrusion system determined what Miller was doing and then added the entire range of ISP addresses to the banned list, thus stopping any user of the ISP from connecting to the SLS network, would SLS's action be ethical?

No, this would not be ethical. The other users have every right to be on that network; Miller is the only one that is banned. The other users of the ISP are not involved.

What if SLS were part of an industry consortium that shared IP addresses flagged by its IDPS, and all companies in the group blocked all of the ISPís users for 10 minutes? These users would be blocked from accessing perhaps hundreds of company networks. Would that be an ethical response by members of the consortium? What if these users were blocked for 24 hours?

It would not be an ethical response. This would only be hurting them and the consortium. If the users were blocked for 24 hours this would have a big impact on the companies involved. They could have services offline for more than 24 hours. This would hurt their reputation.