Josh Waring

ITS 370 Hmwk #7

Shin Ping Tucker



1)     Define the following terms as they are use in event correlation:

Compression: takes multiple [similar] events, and removes redundancies or duplicate information and reports it as a single event

Suppression: allows the system to prioritize alarms/notifications based on the severity of the event

Generalization: associates multiple events to one higher-level problem (ie, multiple port failures may be attributed to one problem—a bad router)


5) Several online passphrase generators are available.  Locate at least two on the internet and try them.  What did you observe? This site generates a passphrase that is four to five words long and separated by spaces.  This makes it easier to remember than a password, but still fairly secure.  The site also includes examples of bad passwords and the time it takes to crack them. This site allows greater customization than the above one, and lets the user set the minimum and maximum word length, random capitalization and length of the numbers inserted between words (note that this site uses numbers instead of spaces between the words).


Case Exercises-Discussion Questions

1)     Do you think Miller is out of options? If he could take more actions, what are they?

I don’t think Miller is out of options—he can try changing his IP address by connecting to a different network, and then continue to attempt to find vulnerabilities from there. If he continues to be “blackholed”, he can use a VPN to switch his IP around until he [possibly] discovers a vulnerability he can exploit.

2)     If a system admin at SLS reads these details of the case, what steps should they take to improve the company’s infosec program?

The system admin should ensure all servers are secure, regardless of the data they contain (the QA server was protected by the firewall, but could have been vulnerable due to malware residing on the host).  The system admin should also ensure that the servers don’t respond to ping request that aren’t absolutely necessary, as this is an easy way to footprint a system.  Lastly, the admin should ensure system design and information is kept confidential, and that future employees aren’t able to steal it from the company.

3)     Consider Miller’s hacking attempt in light of the intrusion kill chain described earlier and shown in Figure 7-1.  At which phase in the kill chain has SLS countered his vendetta?

I think Miller was blocked at the Command and Control (C2) step, as he was able to install a back door into the system (which is the previous step), but he was not able to gain control of the system remotely.


Case Exercises-Ethical Decision Making

I do not think it would be ethical or legal for SLS to target Miller’s computer in response to his scanning their network.  While I think it would be ok for them to trace the scans and record the data associated with the source, I don’t think they should actually cause damage or access Miller’s computer.

I think that if SLS added all IP addresses from a specific ISP to a banlist it would be extremely inconvenient for customers using that ISP who might want to access the SLS site.  That being said, if SLS is simply blocking attempts to access their internal servers, I think a [temporary] blacklist of all IP addresses associated with an ISP would be appropriate while SLS resolves the issue.

If SLS was part of a larger consortium that blocked users from accessing a multitude of websites, I think that would be unethical as the users might really need to access those other sites.  If none of the sites were “critical” to people’s well-being, then I think it would be ok to block the ISP’s IP addresses for ten minutes.  However, I feel 24hrs is too long and could cause irreparable damage to the ISP’s reputation.