Josh Hogan

Chapter 7: Intrusion Detection and Prevention Systems, and Other Security Tools

Exercises

1)      A key feature of hybrid IDPS systems is event correlation. After researching event correlation online, define the following terms as they are used in this process: compression, suppression, and generalization.

         An IDPS is an intrusion detection and prevention system; its job is to detect and track intrusions into your systems. Compression applies when the same event occurs more than once: it reduces the multiple occurrences to a single event with a counter, so the analyst or engineer sees one record showing that the event is repeating rather than having to look at each instance individually. Suppression assigns a priority to each alarm. If a low-priority and a higher-priority alarm are both present, the lower one is hidden as long as the higher-priority alarm still exists. Generalization is a type of grouping: similar events, or events of the same type, are grouped into one class, and alarms are associated with this superclass rather than with each specific event.
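As an added illustration (not part of this assignment or of any IDPS product), the three correlation steps above applied in order to a constructed batch of alerts; the alert tuples, the "lower number is higher priority" convention, the per-source scope of suppression, and the signature-to-superclass mapping are all assumptions made for the example:

```python
from collections import OrderedDict

# Constructed sample alerts as (source_ip, signature, priority); priority 1 is
# the most severe. Hosts, signatures and priorities are made up for this example.
SAMPLE_EVENTS = [
    ("10.0.0.5", "port_scan", 3), ("10.0.0.5", "port_scan", 3),
    ("10.0.0.9", "ssh_bruteforce", 2), ("10.0.0.5", "syn_scan", 3),
    ("10.0.0.5", "port_scan", 3), ("10.0.0.5", "ssh_bruteforce", 2),
    ("10.0.0.9", "ssh_bruteforce", 2), ("172.16.0.2", "port_scan", 3),
    ("10.0.0.5", "port_scan", 3), ("10.0.0.9", "ftp_bruteforce", 2),
    ("10.0.0.5", "ssh_bruteforce", 2), ("10.0.0.5", "syn_scan", 3),
    ("10.0.0.9", "ssh_bruteforce", 2), ("10.0.0.5", "port_scan", 3),
    ("10.0.0.5", "ssh_bruteforce", 2), ("172.16.0.2", "port_scan", 3),
    ("10.0.0.9", "ssh_bruteforce", 2),
]

# Hypothetical mapping from specific signatures to a superclass (assumption).
SUPERCLASS = {"port_scan": "reconnaissance", "syn_scan": "reconnaissance",
              "ssh_bruteforce": "authentication_attack",
              "ftp_bruteforce": "authentication_attack"}

def compress(events):
    """Compression: collapse repeats of one event into a single record with a counter."""
    counts = OrderedDict()
    for key in events:  # key is (src, sig, priority)
        counts[key] = counts.get(key, 0) + 1
    return [{"src": s, "sig": g, "priority": p, "count": n}
            for (s, g, p), n in counts.items()]

def suppress(events):
    """Suppression: hide an alarm while a higher-priority alarm from the same source exists."""
    best = {}
    for e in events:
        best[e["src"]] = min(e["priority"], best.get(e["src"], e["priority"]))
    return [e for e in events if e["priority"] == best[e["src"]]]

def generalize(events, superclass=SUPERCLASS):
    """Generalization: group signatures into a superclass, one alarm per class per source."""
    groups = OrderedDict()
    for e in events:
        cls = superclass.get(e["sig"], e["sig"])
        g = groups.setdefault((e["src"], cls), {"src": e["src"], "class": cls,
                                                "count": 0, "members": set()})
        g["count"] += e["count"]
        g["members"].add(e["sig"])
    return list(groups.values())

def correlate(events, superclass=SUPERCLASS):
    """Run the three steps in order and return the alarms the analyst actually sees."""
    return generalize(suppress(compress(events)), superclass)
```

Seventeen raw alerts become six compressed records, suppression drops the two low-priority scan records from the host that is also brute-forcing SSH, and generalization leaves three superclass alarms.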

5)      Several online passphrase generators are available. Locate at least two of them on the internet and try them. What did you observe?

         The two passphrase generators that I chose to look at were http://passwordsgenerator.net/ and https://www.random.org/passwords/. They were both good password generators and did what they were supposed to do. Some observations about the first one were that it has good options, like being able to save to a cookie or save locally on your computer. It has a special-character option, which adds to password strength. The site also has some details on good practices for protecting passwords, which is helpful. It generates passwords of all sorts of different lengths but will only generate one password at a time. What I noticed about the second one was some of the same as the first, with some differences. This one can generate up to 100 passwords at the same time and can generate all sorts of different lengths of passwords. This one doesn't have the ability to add special characters, so passwords will potentially be weaker. These passwords can range from 6 to 24 characters in length, with the ability to add your own unique identifier to the passphrase.

Case Exercises

1) Do you think Miller is out of options as he pursues his vendetta? If you think he could take additional actions in his effort to damage the SLS network, what are they?

         Yes, I think that Miller is out of options as he pursues his vendetta. Miller tried many things in his pursuit and was unsuccessful. Miller attacked the network using a VPN client and found that the front door was locked. He tried to connect using a dial-up connection, and it redirected to the same RADIUS authentication server used by the VPN, which led to the attack's failure. He then tried to activate the zombie program that he had installed on the company's extranet Quality Assurance server, and this strategy failed because of the firewall and control policy. Miller tried to attack the network using NMAP, but his IP address is blocked, so that didn't work either. I think he is out of options.

2) Suppose a system administrator at SLS read the details of his case. What steps should he or she take to improve the company's information security program?

         There are a couple of things that the system admin can do to improve the information security program. They could inform company officials not to disclose any sensitive details regarding company information stored in the system. Also, they should make sure everyone understands all the security policies and procedures that are in place. They could regularly examine the system logs and performance and monitor all traffic to make sure everything is running smoothly. They could also make and maintain data backups regularly in case they are compromised. They should ensure all employees who have high security clearances have a proper understanding of sensitive materials, while also making sure they understand how important strong passwords are. They could make sure all software and applications are up to date and patch them periodically whenever necessary.

3) Consider Miller's hacking attempt in light of the intrusion kill chain described earlier and shown in Figure 7-1. At which phase in the kill chain has SLS countered his vendetta?

         I would say that they had stopped Miller's attack in the first phase, which is when he was in Reconnaissance. I would say this because he hadn't actually weaponized anything yet; he was still looking around for open ports so he could see where he wanted to infiltrate the system. Therefore, he never made it past the Recon stage.

Ethical Decision Making

         I don't know if the action of SLS deleting key files on an attacker's computer is legal or not, but I would say that it is ethical. It is a security precaution. If someone is trying to steal or access your things and you catch them, if you have the ability, you should be able to delete some files because you don't know if they ended up stealing from you or not.

         Once again, it would be ethical for them to ban an entire range of IP addresses as a security measure to protect their data. I would put money on this being legal as well. They need to take all necessary actions against an attacker to save the company's highly sensitive data. This would be ethical, and I don't understand why that is in question.

         I think it would still be ethical to block all employees for 10 minutes, even 24 hours if they needed to. It would be an inconvenience and also annoying, but if it is a proper security measure to take at the time, then it should be done. There is probably a more tedious but sufficient way to do this, instead of blocking a whole range of IP addresses and then nothing. You could block them, then go through the switch and turn on the ports that certain employee computers are connected to. Or, if your network is set up with static IP addresses, you would already know which computer has which IP address, and it would be easy to block all IPs except the ones for the employees.