Xiaoling Wu

ITS 370

Ch 7 Homework



1.      A key feature of hybrid IDPS systems is event correlation. After researching event correlation online, define the following terms as they are used in this process: compression, suppression, and generalization.

Answer: Compression is the removal of redundant or inconsequential data from the event stream, for example collapsing many identical alerts from the same source into a single alert with a count, so that the resulting dataset is smaller and easier to analyze. Suppression is the ability of a correlation engine to stop known false-positive triggers (such as a monitoring server's routine probes) from raising an unwarranted alarm. Generalization is the ability to map several specific exploit signatures onto a broader, general-purpose alert class, so that different attacks against the same target or service are reported as one kind of activity rather than as unrelated events.
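The three steps can be seen in a small correlator. The following is an added example written for this homework, not code from the textbook or from any IDPS product; the log line format, the suppression and generalization tables, and the sample alerts are all constructed for the illustration (the addresses and signature names are hypothetical).

```python
"""Toy IDPS event correlator: suppression, generalization, then compression.

Added illustration; the log format, rule tables and sample alerts are
constructed for this example and are not from any real product.
"""
from collections import OrderedDict

# Constructed sample alerts: "timestamp src dst signature".
SAMPLE_EVENTS = [
    "10:00:01 10.1.1.5 10.2.0.10 SCAN_SYN_PORTSWEEP",
    "10:00:02 10.1.1.5 10.2.0.10 SCAN_SYN_PORTSWEEP",
    "10:00:02 10.1.1.5 10.2.0.11 SCAN_SYN_PORTSWEEP",
    "10:00:03 10.1.1.5 10.2.0.12 SCAN_SYN_PORTSWEEP",
    "10:00:05 10.2.0.3 10.2.0.10 ICMP_ECHO_REQUEST",   # internal monitor, benign
    "10:00:07 10.1.1.5 10.2.0.10 WEB_IIS_UNICODE_TRAVERSAL",
    "10:00:08 10.1.1.5 10.2.0.10 WEB_PHP_REMOTE_INCLUDE",
    "10:00:09 10.1.1.5 10.2.0.10 WEB_CGI_SHELL_INJECTION",
]

# Suppression rules: (source, signature) pairs known to be false positives,
# e.g. the internal monitoring host pinging servers it is supposed to watch.
SUPPRESS = {("10.2.0.3", "ICMP_ECHO_REQUEST")}

# Generalization rules: specific signatures mapped onto a broader class.
GENERALIZE = {
    "SCAN_SYN_PORTSWEEP": "RECON_SCAN",
    "WEB_IIS_UNICODE_TRAVERSAL": "WEB_ATTACK",
    "WEB_PHP_REMOTE_INCLUDE": "WEB_ATTACK",
    "WEB_CGI_SHELL_INJECTION": "WEB_ATTACK",
}


def parse(line):
    """Split one constructed log line into a dict."""
    ts, src, dst, sig = line.split()
    return {"ts": ts, "src": src, "dst": dst, "sig": sig}


def suppress(events):
    """Drop events that match a known false-positive rule."""
    return [e for e in events if (e["src"], e["sig"]) not in SUPPRESS]


def generalize(events):
    """Attach a general alert class to each specific signature."""
    out = []
    for e in events:
        g = dict(e)
        g["class"] = GENERALIZE.get(e["sig"], "OTHER")
        out.append(g)
    return out


def compress(events):
    """Collapse events sharing (source, class) into one alert with a count,
    the time span, the set of targets and the set of specific signatures."""
    merged = OrderedDict()
    for e in events:
        key = (e["src"], e["class"])
        if key not in merged:
            merged[key] = {"src": e["src"], "class": e["class"],
                           "first": e["ts"], "last": e["ts"], "count": 0,
                           "targets": set(), "signatures": set()}
        m = merged[key]
        m["count"] += 1
        m["last"] = e["ts"]
        m["targets"].add(e["dst"])
        m["signatures"].add(e["sig"])
    return list(merged.values())


def correlate(lines):
    """Full pipeline: parse, suppress false positives, generalize, compress."""
    events = [parse(l) for l in lines]
    return compress(generalize(suppress(events)))


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f'{a["src"]} {a["class"]} x{a["count"]} '
              f'{a["first"]}-{a["last"]} targets={sorted(a["targets"])} '
              f'sigs={sorted(a["signatures"])}')
```

Run as written, the eight raw alerts become two: a RECON_SCAN alert from 10.1.1.5 covering four events against three hosts, and a WEB_ATTACK alert from the same source covering three different signatures. Suppression runs first so that a benign event never inflates a count, and generalization runs before compression so that different signatures against the same target merge into one line.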

2.      ZoneAlarm is a PC-based firewall and IDPS tool. Visit the product manufacturer at www.zonelabs.com and find the product specification for the IDPS features of ZoneAlarm. Which ZoneAlarm products offer these features?

Answer: ZoneAlarm Pro and ZoneAlarm Security Suite include IDPS features, as of December 2004.


Case Exercises:

Miller Harrison was still working his way through his attack protocol.

Nmap started out as it usually did, by giving the program identification and version number. Then it started reporting back on the first host in the SLS network. It reported all of the open ports on this server. The program moved on to a second host and began reporting back the open ports on that system, too. Once it reached the third host, however, it suddenly stopped.

Miller restarted Nmap, using the last host IP as the starting point for the next scan. No response. He opened another command window and tried to ping the first host he had just port-scanned. No luck. He tried to ping the SLS firewall. Nothing. He happened to know the IP address for the SLS edge router. He pinged that and got the same result. He had been blackholed, meaning his IP address had been put on a list of addresses from which the SLS edge router would no longer accept packets. Ironically, the list was his own doing. The IDPS he had been helping SLS configure seemed to be working just fine at the moment. His attempt to hack the SLS network was shut down cold.

Discussion Questions

  1. Do you think Miller is out of options as he pursues his vendetta? If you think he could take additional actions in his effort to damage the SLS network, what are they?

Answer: No. Having already tried an insider attack and now a remote scan, Miller still has other options: he could change to a different IP address and resume scanning from one that is not yet blocked, attempt a close-in (physical) attack on SLS facilities, try a session hijacking attack, contact a former colleague who still has access and use that access to attempt a buffer overflow or other exploit against an internal system, or mount a password attack against SLS accounts.

2.      Suppose a system administrator at SLS read the details of this case. What steps should he or she take to improve the company's information security program?

Answer:
         Clearly establish and enforce all policies and procedures. Your policies and procedures should be thoroughly tested to ensure that they are practical and clear and provide the appropriate level of security.

         Gain management support for security policies and incident handling.

         Routinely assess vulnerabilities in your environment. Assessments should be done by a security specialist with the appropriate clearance to perform these.

         Routinely check all computer systems and network devices to ensure that they have all of the latest patches installed.

         Establish security training programs for both IT staff and end users. The largest vulnerability in any system is the inexperienced user.

         Post security banners that remind users of their responsibilities and restrictions, along with a warning of potential prosecution for violation. These banners make it easier to collect evidence and prosecute attackers. You should obtain legal advice to ensure that the wording of your security banner is appropriate.

         Develop, implement, and enforce a policy requiring strong passwords.

         Routinely monitor and analyze network traffic and system performance.


3.      Consider Miller's hacking attempt in light of the intrusion kill chain described earlier and shown in Figure 7-1. At which phase in the kill chain has SLS countered his vendetta?

Answer: SLS countered Miller's vendetta in the reconnaissance phase. Port scanning with Nmap is reconnaissance: he was still enumerating open ports on SLS hosts, and had not yet delivered or run any exploit, when the IDPS detected the scan and the edge router blackholed his address.


Ethical Decision Making

It seems obvious that Miller is breaking at least a few laws in his attempt at revenge. Suppose that when his scanning efforts had been detected, SLS not only added his IP address to the list of sites banned from connecting to the SLS network, the system also triggered a response to seek out his computer and delete key files on it to disable his operating system.

Would such an action by SLS be ethical? Do you think that action would be legal?

Suppose instead that Miller had written a routine to constantly change his assigned IP address to other addresses used by his ISP. If the SLS intrusion system determined what Miller was doing and then added the entire range of ISP addresses to the banned list, thus stopping any user of the ISP from connecting to the SLS network, would SLS's action be ethical?

What if SLS were part of an industry consortium that shared IP addresses flagged by its IDPS, and all companies in the group blocked all of the ISPís users for 10 minutes? These users would be blocked from accessing perhaps hundreds of company networks. Would that be an ethical response by members of the consortium? What if these users were blocked for 24 hours?

Answer: Reaching out to delete files on Miller's computer would be unethical, and it would also be illegal, since it is itself unauthorized access to another system. It would not even be effective, because Miller could change his IP address and would still have a way to reach the SLS network.