Running head: UNIT 3 RESEARCH PROJECT

Unit 3 Research Project
Eddie S. Jackson
Kaplan University
IT540: Management of Information Security
Kenneth L. Flick, Ph.D.
10/07/2014
Table of Contents

Abstract
Part I
  Host Detail Screen
  BASE Alerts Detail Screen
  Individual BASE Alert Detail Screen
  ATTACK RESPONSE on BASE Alert Screen
Part II
  Assessing the Compromised Server
  Checking Files
  Checking Network Activity
  Checking Possible Vulnerabilities
  Checking Network Account Activity
  Protecting Network Resources
References
Abstract

The Unit 3 research project is a two-part assignment on computer forensics, which encompasses the steps and tools required for incident response and attack prevention. Both parts are meant to reinforce the fundamental concepts of forensic science. Part I is a hands-on Snort lab: a real-world scenario that familiarizes the student with the Snort software and, in turn, with scanning a network stream, capturing alerts, and assessing specific alert types. In Part II, the student assesses a hypothetical server break-in and responds in essay form to a series of questions. These questions are intended to highlight the steps and tools used in protecting network resources.
Unit 3 Research Project

Part I

The Jones & Bartlett Lab. In this lab, Snort was used for incident handling. See the snapshots below.

[Figure: screen capture of the host detail screen from the Lab #10 SNORT scan]

[Figure: screen capture of the BASE alerts detail screen]

[Figure: screen capture of an individual BASE alert detail]

[Figure: screen capture of an ATTACK RESPONSE on the BASE alert detail screen]

Part II

The break-in. The second part of the assignment presents a hypothetical break-in that requires a five-question assessment. Each question explores the ideas and concepts of computer forensics.
What are the steps and tools used in assessing a compromised server?

When hackers compromise servers, sometimes there are obvious signs of malicious activity, and sometimes the exploits are more stealthy. In either case, the information security officer, upon notification that something is wrong with a server, must have a plan for assessing the compromised server; this plan contains the steps and tools necessary to determine exactly what damage has been done. Considering the break-in, the first step the information security officer should take is verifying that the server has indeed been compromised (Obialero, 2005). This verification can be a visual inspection of the running processes and network activity using a process manager; on Microsoft operating systems, this is the Task Manager (Microsoft, n.d., para. 1). A second technique for assessing a compromised server is to scan the system to verify the integrity of its files. For example, Microsoft operating systems include the System File Checker (sfc), which can be executed to scan, report on, and even repair compromised files (Microsoft TechNet, n.d., para. 1). If the server is a domain controller running Microsoft's Active Directory and audit access has been defined, the event properties of the object can be accessed and reviewed in the Event Viewer (Levin, 2007). Finally, other tools such as anti-virus and malware scanners can be used to scan the server and validate whether or not it has been compromised.

Which files would be checked?

Knowing exactly which files should be checked for integrity is critical to the overall assessment of the compromised server. Hackers target particular areas of an operating system; these areas contain the required system files and essential services. System files are file types that end in DLL, OCX, and EXE. Server services are usually associated with these file types as well.
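The file-integrity check that the first two questions describe (a scan that reports which system or web files have been changed, added, or removed) can be reduced to a hash baseline. The following Python script is an added example, not code from the paper or from any of the tools it cites; the directory layout, file names, and watched extensions are constructed for the demonstration, and the "tampering" is simulated inside a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the assessment singles out: system libraries/executables and web content.
SYSTEM_TYPES = {".dll", ".ocx", ".exe"}
WEB_TYPES = {".php", ".html", ".css", ".js"}


def sha256_of(path):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, extensions):
    """Map every file under root with a watched extension to its SHA-256.

    Paths are stored relative to root (POSIX style) so a baseline taken on the
    live server can be compared against a volume mounted elsewhere for analysis.
    """
    root = Path(root)
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def compare_baselines(known_good, current):
    """Classify differences: changed content, files that appeared, files that vanished."""
    modified = sorted(p for p in known_good if p in current and known_good[p] != current[p])
    added = sorted(p for p in current if p not in known_good)
    missing = sorted(p for p in known_good if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: a tiny 'server' tree, a baseline, then simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "www").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"MZ original service binary")
        (root / "bin" / "helper.dll").write_bytes(b"MZ helper library")
        (root / "www" / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "www" / "notes.txt").write_text("not a watched type")  # ignored by the scan

        watched = SYSTEM_TYPES | WEB_TYPES
        known_good = build_baseline(root, watched)

        # Changes made after the baseline: one script edited, one script dropped in, one DLL removed.
        (root / "www" / "index.php").write_text("<?php echo 'changed'; ?>")
        (root / "www" / "new.php").write_text("<?php ?>")
        (root / "bin" / "helper.dll").unlink()

        return compare_baselines(known_good, build_baseline(root, watched))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be taken from a known-good state (for example right after the server is built and patched) and stored off the server, otherwise an intruder who can alter the files can alter the hashes as well.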
To check the integrity of files and services, forensic applications such as those from NirSoft can be used. For example, NirSoft's RegDllView utility scans registered DLL, OCX, and EXE files. Additionally, RegDllView reports when the files were registered with the system and provides a list of files that are no longer needed (NirSoft, 2014). If the server is a web server, it is possible that hackers compromised it through web-based services. A common web server attack is one in which a hacker uses Cross-Site Scripting, or XSS, to modify server scripts and web pages that will be accessed by other users (Valentino, n.d.). The specific files that should be checked after an XSS attack are PHP scripts, session cookies, and any unknown or new scripts on the web server (Acunetix, n.d.). Likewise, web pages coded in HTML and CSS should be analyzed for any recent changes to their content.

Where do you check for network activity?

While it is crucial to identify which files may have been compromised in an attack, scanning and monitoring network activity is equally important. When a server has been compromised, it is common for a hacker to open communication ports in order to steal data or maintain access to the server; unknown established connections to a server, or to any other network resource, can be an obvious sign of malicious activity. It is the responsibility of the information security officer to assess network activity and determine whether or not these undesirable lines of communication exist. Simple tools such as netstat can be used for viewing open ports. Netstat has options for displaying active TCP and UDP connections, Ethernet statistics, and port numbers (Microsoft TechNet, n.d.). A more advanced approach to evaluating network activity is to use packet analyzers. Packet analyzers peer into a network communication stream and allow an information security officer to assess and analyze data at the packet level. These features are particularly important because source and destination IP addresses can be observed: when hackers connect to network resources, their source address can often be determined by analyzing packets in the bitstream. Similarly, unusual network traffic, specific ports, and user-defined network protocols can be scrutinized for existing threats (Rouse, n.d.). A popular application for analyzing packets is Wireshark. Wireshark offers features such as saving network activity captures for later examination, setting up alerts, protocol filters, and support for multiple platforms (Wireshark, n.d.). There are still other methods for evaluating network traffic, for example firewalls with auditing enabled and intrusion detection systems (IDS). Firewalls normally act as a barrier of protection between an organization and the outside world, controlling incoming and outgoing connections; however, firewalls such as the Cisco PIX can also retain event data and firewall messages (IBM, n.d.). This stored data, which contains connection information, can be analyzed in the event of a compromised server, offering another method of network activity assessment. One final technique for monitoring or reviewing network activity is the IDS. An IDS such as the Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module performs analysis across multiple network layers and even has the ability to prevent attacks (Cisco, n.d.). It is important to note that no single network monitoring strategy is perfect; implementing a multi-tiered approach to scanning network activity is therefore best practice.

How do you check for possible vulnerabilities?

Once network activity has been scanned, the next step is to determine possible vulnerabilities.
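Before turning to vulnerabilities, here is the netstat review described in the network-activity question expressed as a script, so the "unknown established connections" the paper warns about can be picked out automatically rather than by eye. This is an added example, not code from the paper or from Microsoft's netstat documentation. The sample output is constructed in the column layout that `netstat -ano` prints on Windows; the addresses, the expected-listener set, and the internal address range are assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed sample laid out like `netstat -ano` output: Proto, Local, Foreign, State, PID.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.5:443           10.0.0.23:51234        ESTABLISHED     4
  TCP    10.0.0.5:49712         203.0.113.7:8080       ESTABLISHED     3120
  TCP    10.0.0.5:49713         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1100
"""

# UDP rows carry no state column, so the state group is optional.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_addr(addr):
    """'10.0.0.5:443' -> ('10.0.0.5', 443); handles '*:*' and bracketed IPv6 like '[::]:80'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat text into one record per socket."""
    conns = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header lines and blank lines
        proto, local, remote, state, pid = match.groups()
        lhost, lport = split_addr(local)
        rhost, rport = split_addr(remote)
        conns.append({"proto": proto, "lhost": lhost, "lport": lport, "rhost": rhost,
                      "rport": rport, "state": state, "pid": int(pid)})
    return conns


def is_internal(host, internal_nets):
    """True when host parses as an IP inside one of the organisation's own ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in internal_nets)


def find_unexpected(conns, expected_listeners, internal_nets):
    """Flag listeners outside the documented set and established sessions that leave the internal ranges."""
    findings = []
    for c in conns:
        if c["state"] == "LISTENING" and c["lport"] not in expected_listeners:
            findings.append(("unexpected listener", f"{c['proto']}/{c['lport']}", c["pid"]))
        elif c["state"] == "ESTABLISHED" and not is_internal(c["rhost"], internal_nets):
            findings.append(("external established", f"{c['rhost']}:{c['rport']}", c["pid"]))
    return findings


def demo():
    """Run the review against the constructed sample with an assumed server baseline."""
    conns = parse_netstat(SAMPLE_NETSTAT)
    expected = {135, 443}                              # assumed: RPC mapper and HTTPS only
    internal = [ipaddress.ip_network("10.0.0.0/8")]    # assumed internal range
    findings = find_unexpected(conns, expected, internal)
    # The PIDs that appear in findings are the processes to look up next in Task Manager.
    pids = sorted({pid for _, _, pid in findings})
    return findings, pids


if __name__ == "__main__":
    findings, pids = demo()
    for finding in findings:
        print(finding)
    print("processes to inspect:", pids)
```

The useful output is the PID list: a single process that both listens on an undocumented port and holds an established session to an outside address is exactly the kind of "undesirable line of communication" the paper says the officer must locate, and the PID ties the network evidence back to the process inspection from the first question.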
Operating systems are susceptible to many types of vulnerabilities, such as DLL, OCX, Distributed Component Object Model (DCOM), and Remote Procedure Call (RPC) exploits (Microsoft TechNet, n.d.). One method for finding weak spots in these areas is the Microsoft Baseline Security Analyzer (MBSA). The MBSA identifies missing security updates and common misconfigurations, as well as possible threats from unknown or modified system DLL and OCX files (Microsoft, n.d.). Another application that can be used to determine vulnerabilities is Symantec Endpoint Protection (SEP). SEP is a suite of utilities offering a wide range of features, including antivirus, spam removal, data loss protection, and host integrity (Symantec, n.d.). Additionally, SEP provides a layered approach to potential threats and performs threat analysis; SEP thus offers a best-practice strategy for determining whether vulnerabilities exist, how to remove them, and how to prevent future attacks.

How do you track network account activity?

After the vulnerabilities have been determined, tracking network account activity becomes a necessity. Network account activity includes logging in, logging out, and the frequency with which network resources are accessed. There are a couple of common methods for a network administrator to track this activity. One technique is to use Microsoft's domain-level or local group policy: in the Group Policy Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, where the audit account logon events can be configured; both the account logon and logon audit policies should be enabled (Microsoft, n.d.). Another method for tracking logon events is third-party software. ManageEngine sells ADAudit Plus, which monitors user logins and logouts, generates reports, and can track a user across multiple machines (ManageEngine, n.d.). Additionally, ADAudit Plus represents the login data visually, making network account activity much easier to understand and track.

How do you protect network resources?
Lastly, it is critical to formulate an overall strategy for protecting network resources. Some of the best methods for protecting the resources on the network have already been highlighted. For instance, network resources need to be protected against outside attacks; it is best practice to install a firewall to control, audit, and report on incoming and outgoing connections. Secondly, an IDS provides the added benefit of being able to perform threat analysis and generate alerts on suspicious network activity. Likewise, every network should be protected against viruses, worms, and spam; this is where an enterprise solution such as SEP becomes critical to maintaining the integrity of network resources. Finally, one essential component for protecting network resources is an update and patching server. Update servers such as Windows Server Update Services (WSUS) allow system administrators to centrally manage which security updates, system updates, and patches are deployed to workstations and servers throughout the enterprise (Microsoft TechNet, n.d.). Consistently updating and patching the machines on the network maintains the highest level of operating system integrity. Ultimately, no single piece of technology can fully protect all network resources; implementing multiple layers of technology throughout the enterprise has therefore become best practice.
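Enabling the audit logon policy discussed under the account-activity question only produces raw Security log entries; the tracking itself (logons, logoffs, failures, and a user appearing on many machines, which is what ADAudit Plus reports) has to be built on top of them. The following Python script is an added example, not code from the paper or from ManageEngine. The event IDs are the well-known Windows Security log values for a successful logon (4624), a failed logon (4625), and a logoff (4634); the sample records, user names, hosts, and alert thresholds are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Windows Security log event IDs produced when the audit logon policy is enabled.
# These are well-known Windows values; they are not taken from the paper.
LOGON_OK, LOGON_FAIL, LOGOFF = 4624, 4625, 4634

# Constructed sample: the few fields a log collector would extract from each record.
SAMPLE_EVENTS = [
    {"time": "2014-10-07T08:01:10", "id": 4624, "user": "alice", "host": "WS-01", "logon_id": "0x1a"},
    {"time": "2014-10-07T08:31:10", "id": 4634, "user": "alice", "host": "WS-01", "logon_id": "0x1a"},
    {"time": "2014-10-07T08:05:00", "id": 4625, "user": "bob", "host": "WS-02", "logon_id": None},
    {"time": "2014-10-07T08:05:20", "id": 4625, "user": "bob", "host": "WS-02", "logon_id": None},
    {"time": "2014-10-07T08:05:40", "id": 4625, "user": "bob", "host": "WS-02", "logon_id": None},
    {"time": "2014-10-07T08:06:00", "id": 4625, "user": "bob", "host": "WS-02", "logon_id": None},
    {"time": "2014-10-07T08:06:30", "id": 4624, "user": "bob", "host": "WS-02", "logon_id": "0x2b"},
    {"time": "2014-10-07T09:00:00", "id": 4624, "user": "svc_backup", "host": "WS-01", "logon_id": "0x3c"},
    {"time": "2014-10-07T09:00:05", "id": 4624, "user": "svc_backup", "host": "WS-02", "logon_id": "0x3d"},
    {"time": "2014-10-07T09:00:10", "id": 4624, "user": "svc_backup", "host": "WS-03", "logon_id": "0x3e"},
    {"time": "2014-10-07T09:00:15", "id": 4624, "user": "svc_backup", "host": "SRV-01", "logon_id": "0x3f"},
]


def summarize(events):
    """Per-user counts of successful logons, failed logons, and the distinct hosts used."""
    summary = defaultdict(lambda: {"logons": 0, "failures": 0, "hosts": set()})
    for ev in events:
        entry = summary[ev["user"]]
        if ev["id"] == LOGON_OK:
            entry["logons"] += 1
            entry["hosts"].add(ev["host"])
        elif ev["id"] == LOGON_FAIL:
            entry["failures"] += 1
    return dict(summary)


def session_durations(events):
    """Pair each logon with the logoff that carries the same logon ID -> (user, host, seconds)."""
    started = {}
    durations = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as text
        if ev["id"] == LOGON_OK and ev["logon_id"]:
            started[ev["logon_id"]] = ev
        elif ev["id"] == LOGOFF and ev["logon_id"] in started:
            start = started.pop(ev["logon_id"])
            seconds = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(start["time"])
            durations.append((start["user"], start["host"], int(seconds.total_seconds())))
    return durations


def flag_accounts(summary, max_failures=3, max_hosts=3):
    """Accounts whose failures or host spread exceed the (assumed) thresholds, with the reasons."""
    flagged = {}
    for user, entry in summary.items():
        reasons = []
        if entry["failures"] > max_failures:
            reasons.append(f"{entry['failures']} failed logons")
        if len(entry["hosts"]) > max_hosts:
            reasons.append(f"logons on {len(entry['hosts'])} hosts")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for user, reasons in flag_accounts(summary).items():
        print(f"{user}: {', '.join(reasons)}")
    for user, host, secs in session_durations(SAMPLE_EVENTS):
        print(f"{user} on {host} for {secs} s")
```

The logon ID is what makes the logoff pairing reliable: matching on user name alone would mis-pair the concurrent sessions of an account like `svc_backup` that is active on several machines at once.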
References

Acunetix. (n.d.). Cross-site Scripting (XSS) attack: What is cross-site scripting? Retrieved from https://www.acunetix.com/websitesecurity/cross-site-scripting/

Cisco. (n.d.). Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module. Retrieved from http://www.cisco.com/c/en/us/products/interfaces-modules/catalyst-6500-series-intrusion-detection-system-idsm-2-services-module/index.html

IBM. (n.d.). Configuring auditing for Cisco PIX firewall. Retrieved from http://www-01.ibm.com/support/knowledgecenter/SSSN2Y_1.0.0/com.ibm.itcim.doc/tcim85_install197.html%23cspxfw

Levin, A. (2007, April 1). File access auditing - I am not afraid of GPO. Retrieved from http://blogs.msdn.com/b/alikl/archive/2007/04/01/file-access-auditing-i-am-not-afraid-of-gpo.aspx

Microsoft. (n.d.). Audit logon events. Retrieved from http://technet.microsoft.com/en-us/library/cc976395.aspx

Microsoft. (n.d.). Microsoft Baseline Security Analyzer 2.3 (for IT professionals). Retrieved from http://www.microsoft.com/en-us/download/details.aspx?id=7558

Microsoft. (n.d.). What is Task Manager? Retrieved from http://windows.microsoft.com/en-us/windows-vista/what-is-task-manager

Microsoft TechNet. (n.d.). Best practices for mitigating RPC and DCOM vulnerabilities. Retrieved from http://technet.microsoft.com/en-us/library/dd632946.aspx

Microsoft TechNet. (n.d.). Netstat. Retrieved from http://technet.microsoft.com/en-us/library/bb490947.aspx

Microsoft TechNet. (n.d.). System file checker. Retrieved from http://technet.microsoft.com/en-us/library/bb491008.aspx

Microsoft TechNet. (n.d.). Windows Server Update Services. Retrieved from http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

NirSoft. (2014). RegDllView v1.58 - View registered dll/ocx/exe files on your system and register DLL files from Explorer. Retrieved from http://www.nirsoft.net/utils/registered_dll_view.html

Obialero, R. (2005). Forensic analysis of a compromised intranet server. Retrieved from http://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-compromised-intranet-server-1652

Rouse, M. (n.d.). Network analyzer (protocol analyzer or packet analyzer). Retrieved from http://searchnetworking.techtarget.com/definition/network-analyzer

Symantec. (n.d.). Symantec Endpoint Protection. Retrieved from http://www.symantec.com/endpoint-protection

Valentino, V. (n.d.). Basic hacking via Cross Site Scripting (XSS): The logic. Retrieved from http://www.hacking-tutorial.com/hacking-tutorial/basic-hacking-via-cross-site-scripting-xss-the-logic/#sthash.tlayk0y7.dpbs

Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security (4th ed.). Independence, KY: Cengage.

Wireshark. (n.d.). Wireshark frequently asked questions. Retrieved from https://www.wireshark.org/faq.html#q1.1