Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.


Running head: UNIT 3 RESEARCH PROJECT
Unit 3 Research Project
Eddie S. Jackson
Kaplan University
IT540: Management of Information Security
Kenneth L. Flick, Ph.D.
10/07/2014

Table of Contents
Abstract 3
Part I 4
  Host Detail Screen 4
  BASE Alerts Detail Screen 5
  Individual BASE Alert Detail Screen 6
  ATTACK RESPONSE on BASE Alert Screen 7
Part II 7
  Assessing the Compromised Server 8
  Checking Files 8
  Checking Network Activity 9
  Checking Possible Vulnerabilities 10
  Checking Network Account Activity 11
  Protecting Network Resources 11
References 13

Abstract
The Unit 3 research project presents a two-part assignment that relates to computer forensics, which encompasses the steps and tools required for incident response and attack prevention. Both parts of the assignment are meant to reinforce the fundamental concepts associated with forensic science. In Part I, there is a hands-on Snort lab. The Snort lab exercise is a real-world scenario that allows the student to become familiar with the Snort software, and in turn learn to scan a network stream, capture alerts, and assess specific alert types. In Part II of the assignment, the student is asked to assess a hypothetical server break-in, and respond in essay form to a series of questions. These questions are intended to highlight the steps and tools utilized in network resource protection.

Unit 3 Research Project
Part I
The Jones & Bartlett Lab. In this lab, Snort was used in incident handling. See the snapshots below.
[Screen capture of the host detail screen from the Lab #10 SNORT Scan]
[Screen capture of the BASE alerts detail screen]
[Screen capture of an individual BASE alert detail]
[Screen capture of an ATTACK RESPONSE on the BASE alert detail screen]
Part II
The break-in. In the second part of the assignment, there is a hypothetical break-in which requires a five-question assessment. Each question explores the ideas and concepts of computer forensics.

What are the steps and tools used in assessing a compromised server?
When hackers compromise servers, sometimes there are obvious signs of malicious activity, and sometimes the exploits are more stealthy. In either case, the information security officer, upon notification that something is wrong with a server, must have a plan for assessing a compromised server; this plan contains the steps and tools necessary to determine exactly what damage has been done to the server. Considering the break-in, the first step the information security officer should take is verifying that the server has indeed been compromised (Obialero, 2005). This verification can be a visual inspection of the running processes and network activity using a process manager; on Microsoft-based operating systems, this is called the Task Manager (Microsoft, n.d., para. 1). A second technique for assessing a compromised server would be to scan the system to verify the integrity of its files. For example, in Microsoft operating systems, there is a system file checker (sfc) which can be executed to scan, report, and even repair compromised files (Microsoft TechNet, n.d., para. 1). If this server is a domain controller running Microsoft's Active Directory, and audit access has been defined, the event properties of the object can be accessed and reviewed in the Event Viewer (Levin, 2007). Finally, other tools such as anti-virus scanners and malware scanners can also be utilized to scan a server to validate whether or not the server has been compromised.

Which files would be checked?
Of course, knowing exactly which files should be checked for integrity is critical to the overall assessment of the compromised server. Hackers target particular areas of an operating system; these areas contain the required system files and essential services. System files are file types that end in DLL, OCX, and EXE. Server services are usually associated with these file types as well. To check the integrity of files and services, forensic applications, such as those from NirSoft, can be used to verify integrity. For example, NirSoft's RegDllView utility scans registered DLL, OCX, and EXE files. Additionally, RegDllView returns when the files were registered with the system, and provides a list of files that are no longer needed (NirSoft, 2014). If this server is a web server, it is possible that hackers may have compromised the server through web-based services. A common web server attack is where a hacker uses Cross Site Scripting, or XSS, to modify server scripts and web pages that will be accessed by other users (Valentino, n.d.). The specific files that should be checked in an XSS attack are PHP scripts, session cookies, and other unknown or new scripts on the web server (Acunetix, n.d.). Likewise, web pages coded in HTML and CSS should be analyzed for any recent changes to their content.

Where do you check for network activity?
While it is crucial to identify which files may have been compromised in an attack, scanning and monitoring network activity is equally important. When servers have been compromised, it is common that a hacker will open communication ports to be able to steal data or maintain open access to the server; unknown established connections to a server, or to any other network resource for that matter, can be an obvious sign of malicious activity. It is the responsibility of the information security officer to assess network activity and determine whether or not these undesirable lines of communication exist. There are simple tools such as netstat which can be used for viewing open ports. When using netstat, there are options for displaying active TCP and UDP connections, Ethernet statistics, and port numbers (Microsoft TechNet, n.d.). A more advanced approach to evaluating network activity would be to utilize packet analyzers. Packet analyzers can peer into a network communication stream and allow an information security officer to assess and analyze data at the packet level. These features are particularly important because source and destination IP addresses can be observed. This is significant because when hackers make connections to network resources, their source address can often be determined by analyzing packets in the bitstream. Similarly, unusual network traffic, specific ports, as well as user-defined network protocols can be scrutinized for existing threats (Rouse, n.d.). A popular application for analyzing packets is Wireshark. Wireshark has features such as saving network activity captures for later examination, setting up alerts, protocol filters, and support for multiple platforms (Wireshark, n.d.). Still, there are other methods for evaluating network traffic; for example, firewalls that have auditing enabled and intrusion detection systems (IDS). Firewalls normally act as a barrier of protection between an organization and the outside world, controlling incoming and outgoing connections; however, firewalls such as the Cisco PIX firewall can also maintain event data and firewall messages (IBM, n.d.). This stored data, which contains connection information, can be analyzed in the event of a compromised server, thus offering another method of network activity assessment. One final technique for monitoring or reviewing network activity is the IDS. An IDS, such as the Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module, offers features that perform analysis across multiple network layers, and even has the ability to prevent attacks (Cisco, n.d.). It is important to note that no single network monitoring strategy is perfect; thus implementing a multi-tiered approach to scanning network activity is best practice.

How do you check for possible vulnerabilities?
Once network activity has been scanned, the next step would be to determine possible vulnerabilities.
Operating systems are susceptible to many types of vulnerabilities, such as DLL, OCX, Distributed Component Object Model (DCOM), and Remote Procedure Call (RPC) exploits (Microsoft TechNet, n.d.). One method for identifying weak spots in these areas is to use the Microsoft Baseline Security Analyzer (MBSA). The MBSA identifies missing security updates, common misconfigurations, as well as possible threats due to unknown or modified system DLL and OCX files (Microsoft, n.d.). Another application that could be used in determining vulnerabilities is Symantec Endpoint Protection (SEP). SEP is a suite of utilities that offers a plethora of features which include antivirus, spam removal, data loss protection, and host integrity (Symantec, n.d.). Additionally, SEP provides a layered approach to deal with potential threats and performs threat analysis; thus, SEP provides a best practice strategy for determining if vulnerabilities exist, how to remove them, and how to prevent future attacks.

How do you track network account activity?
After determining exactly what the vulnerabilities are, tracking network account activity becomes a necessity. Network account activity includes logging in, logging out, as well as the frequency of accessing network resources. There are a couple of common methods for a network administrator to track network account activity; one technique is to use Microsoft's domain-level or local group policy. By opening the group policy editor and navigating to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, the audit account logon events setting can be configured; both the account logon and logon audit policies should be enabled (Microsoft, n.d.). Another method for tracking logon events is to use third-party software. ManageEngine sells ADAudit Plus software that monitors user logins and logouts, generates reports, and has the ability to track a user across multiple machines (ManageEngine, n.d.). Additionally, the ADAudit Plus software visually represents the login data, making it much easier to understand and track network account activity.

How do you protect network resources?
Lastly, it is critical to formulate an overall strategy to protect network resources. Some of the best methods for protecting the resources on the network have already been highlighted. For instance, network resources need to be protected against outside attacks; it is best practice to install a firewall to control, audit, and report on incoming and outgoing connections. Secondly, an IDS will provide the added benefit of being able to perform threat analysis and generate alerts on suspicious network activity. Likewise, every network should be protected against viruses, worms, and spam. This is where implementing an enterprise-based solution, such as SEP, becomes critical to maintaining the integrity of network resources. Finally, one essential component for protecting network resources is an update and patching server. Update servers, such as Windows Server Update Services (WSUS), allow system administrators to centrally manage which security updates, system updates, and patches get deployed to workstations and servers throughout the enterprise (Microsoft TechNet, n.d.). The reason it is important to consistently update and patch machines on the network is to maintain the highest levels of operating system integrity. Ultimately, no one piece of technology can fully protect all network resources; thus, implementing multiple layers of technology throughout the enterprise has become best practice.

References
Acunetix. (n.d.). Cross-site Scripting (XSS) Attack. What is cross-site scripting? Retrieved from https://www.acunetix.com/websitesecurity/cross-site-scripting/
Cisco. (n.d.). Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module. Retrieved from http://www.cisco.com/c/en/us/products/interfaces-modules/catalyst-6500-series-intrusion-detection-system-idsm-2-services-module/index.html
IBM. (n.d.). Configuring auditing for Cisco PIX firewall. Retrieved from http://www-01.ibm.com/support/knowledgecenter/SSSN2Y_1.0.0/com.ibm.itcim.doc/tcim85_install197.html%23cspxfw
Levin, Alik. (2007, April 1). File access auditing - I am not afraid of GPO. Retrieved from http://blogs.msdn.com/b/alikl/archive/2007/04/01/file-access-auditing-i-am-not-afraid-of-gpo.aspx
Microsoft. (n.d.). Audit logon events. Retrieved from http://technet.microsoft.com/en-us/library/cc976395.aspx
Microsoft. (n.d.). Microsoft Baseline Security Analyzer 2.3 (for IT professionals). Retrieved from http://www.microsoft.com/en-us/download/details.aspx?id=7558
Microsoft. (n.d.). What is Task Manager? Retrieved from http://windows.microsoft.com/en-us/windows-vista/what-is-task-manager
Microsoft TechNet. (n.d.). Best practices for mitigating RPC and DCOM vulnerabilities. Retrieved from http://technet.microsoft.com/en-us/library/dd632946.aspx
Microsoft TechNet. (n.d.). Netstat. Retrieved from http://technet.microsoft.com/en-us/library/bb490947.aspx
Microsoft TechNet. (n.d.). System file checker. Retrieved from http://technet.microsoft.com/en-us/library/bb491008.aspx
Microsoft TechNet. (n.d.). Windows Server Update Services. Retrieved from http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
NirSoft. (2014). RegDllView v1.58 - View registered dll/ocx/exe files on your system and register DLL files from Explorer. Retrieved from http://www.nirsoft.net/utils/registered_dll_view.html
Obialero, Roberto. (2005). Forensic analysis of a compromised intranet server. Retrieved from http://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-compromised-intranet-server-1652
Rouse, Margaret. (n.d.). Network analyzer (protocol analyzer or packet analyzer). Retrieved from http://searchnetworking.techtarget.com/definition/network-analyzer
Symantec. (n.d.). Symantec Endpoint Protection. Retrieved from http://www.symantec.com/endpoint-protection
Valentino, Vishnu. (n.d.). Basic hacking via Cross Site Scripting (XSS): The logic. Retrieved from http://www.hacking-tutorial.com/hacking-tutorial/basic-hacking-via-cross-site-scripting-xss-the-logic/#sthash.tlayk0y7.dpbs
Whitman, Michael E., & Mattord, Herbert J. (2011). Principles of Information Security (4th ed.). Independence, KY: Cengage.
Wireshark. (n.d.). Wireshark frequently asked questions. Retrieved from https://www.wireshark.org/faq.html#q1.1