itec 325 final


In the context of VPNs, how can the term "tunnel" be misleading?

"It implies that there is a single cable joining one endpoint to another and that no one but approved users can send or receive data using that cable" (Whitman, 2013). However, a tunnel is actually virtual between two endpoints, and it uses Internet-based hosts and servers to move data from one network station to the other.

1. What is an XSS attack and how does it work? What are ways to prevent XSS attacks?

A cross-site scripting attack is when an attacker uses another website to send a user to a location other than the one they are expecting, or to run code against their browser to exploit the machine. The attacker can then send the user to a website that appears to be legitimate to steal credentials or execute malicious software against their computer. Some of the ways to prevent this are to not return untrusted HTML to the user's web session, or to sanitize the data that is sent back to the user, removing special characters or HTML tags that can be used to execute arbitrary code.

1. Name and describe the four steps in collecting digital evidence.

- The four steps in collecting digital evidence are: 1. acquisition, 2. identification, 3. evaluation, 4. admission.
- Acquisition: the process of copying, duplicating or cloning the evidence from the seized digital devices (laptops, SD cards, hard disks, servers, smartphones, etc.) using imaging tools.
- Identification: the process of identifying the specific items in the acquired evidence before the actual examination process.
- Evaluation: the collected evidence is analyzed in depth to provide clues and support for the investigation. The original media is not analyzed; the cloned media is analyzed using forensic tools in a reverse-engineering approach and with hashing algorithms.
- Admission: the collected evidence is submitted as a report in an admissible form; it must not be in a corrupted, inadmissible form.

1. Watch these two videos on cracking WEP and WPA-PSK. What are your observations about how this process works and the tools used to carry out the attack?

- For starters, I noticed for both processes he used airmon-ng on BackTrack 5 to get traffic. They then use airodump-ng with the MAC address and channel, which then dumps packets into a file. From here things start to get different. When it comes to WEP, he decided to replay the ARP packets in order to generate more traffic using aireplay. Then for WEP, he used aircrack on the capture file, which then attempts to crack the key. If it doesn't crack the first time it automatically restarts trying to crack it again, which is great because it can take some time to crack. Once it cracks it, the key shows up. For WPA, after using airmon-ng to generate traffic, it injects deauthentication packets so the host is forced to reconnect. This is used because the goal is to capture the four-way handshake. Then he runs a dictionary attack using aircrack. Once it runs it takes some time to test out thousands of keys and finds the right one. Cracking WPA seems a lot quicker, which is surprising since it is supposed to be more secure. When trying to crack WEP in the video it seemed to take a long time using aircrack, but when it came to using aircrack for WPA, the video creator stated it only took 3 mins for it to try over 100,000 different keys, which is very impressive. They both use most of the same commands, but it seems like it was a lot quicker to crack WPA for this man compared to cracking WEP.

Describe several techniques for passive reconnaissance in a penetration test.

- Recon the organization: during this phase the "attacker" attempts to learn as much about the organization and its organizational and technical layout as possible. This includes how the organization itself is organized, the way the network is implemented, and the types and versions of services that are hosted on the network.
- Identify and validate vulnerabilities: once the information is gathered, the "attacker" can then determine what kinds of vulnerabilities and exploits they can use, based upon what is running on the network and how it is configured, to gain access to the network. They will detail all of these for the final report provided to the organization.
- Exploitation: the attacker will then exploit one or more weaknesses on the network to gain access. They will then pivot throughout the network, gaining more information and access to systems, along with potentially creating their own back-door access points to get back into the network in the event that one of the vulnerabilities used to originally gain access is remediated.
- Reporting: a report will be generated for the company about the state of their network, which includes all the vectors that were exposed to allow the "attacker" to gain access, along with any other vulnerabilities they encountered. This typically also comes with recommendations to resolve these issues.
- A pen test fits into an overall infosec plan as a cornerstone of securing the network. If these tests are not performed, the organization has no true way of knowing what risks exist on their network that a malicious attacker could use to gain access for nefarious purposes. This needs to be a repeating cycle, however: not only are organizations' networks rarely static, with changes that can add vulnerabilities, but new vulnerabilities in existing technology a company has deployed are being found by security researchers all the time.

1. How are WPA and WPA2 significantly different from WEP? How do they fix the problems that WEP had?

- WPA and WPA2 offer improved security over WEP by improving the encryption and authentication process. WPA2 is the most secure out of the three and it uses AES-based encryption. WPA uses dynamic keys meaning each user is assigned a key for each session, where WEP uses a static key meaning the same value is used by everyone within the network. Also, when it comes to key distribution, WEP requires each key to be typed in manually, but on WPA it is automatic. Finally, WPA uses 128-bit encryption instead of 40-bit and it uses stronger 802.1X and EAP which improves the authentication drastically compared to WEP.

1. What are the most notable threats to running a secure WLAN?

- a. Rogue APs, Key cracking, Wardriving, ARP poisoning, and DoS attacks.

What are the recommended practices for running a secure WLAN?

- a. Some recommended practices for running a secure WLAN would be to use multiple authentication methods in order to provide a high level of trust. Another good practice would be to authenticate through a VPN before gaining access to the wired network resources. Lastly, using a wireless IDS could help spot access points, evil twins, wardriving or any other threats.

1. Name and describe the two manners in which wireless networks are implemented.

- a. WEP - Wired Equivalent Privacy was an early attempt at securing wireless networks with the 802.11 network protocol.
- b. WPA - Wi-Fi Protected Access is also a way to secure wireless networks; however, it is cryptographically stronger and has improved security compared to WEP.

1. What is WEP, and why is it not considered at all secure for wireless networks?

- a. WEP is one of the ways wireless networks are implemented, and it isn't considered secure for a couple of reasons. For one, WEP uses a static key, meaning the same value is used by everyone on the network. Another reason is that the encryption uses only a 40-bit key, unlike the 128-bit key used by WPA. WEP has also been broken by scientists and hackers before, showing just how weak it is and why it can't be trusted for a wireless network trying to stay secure.

1. What are the three broad categories of incident indicators? What types of events are considered possible indicators of actual incidents? Probable indicators? Definite indicators?

- The three broad categories of incident indicators are: 1. possible, 2. probable, 3. definite.
- There are four types of events that are considered possible incidents: 1. presence of unfamiliar files or unexplained files in illogical locations; 2. presence or execution of unknown programs, or an unfamiliar program running or executing; 3. unusual consumption of computing resources (memory or hard disk consumption spikes and falls); 4. unusual system crashes, with the system crashing, hanging, rebooting or freezing more frequently than usual.
- Activities at unexpected times; network traffic levels exceeding baseline levels; presence of unexpected new accounts (unlogged new accounts with root or special privileges); reported attacks (verify user technical issues); notification from an IDPS (must determine whether the notification is real or a false positive).
- There are five types of events that are considered possible indicators of actual incidents: 1. use of abnormal accounts; 2. changes to logs; 3. presence of hacker tools; 4. notification by a partner or peer; 5. notification by a hacker.

1. How is analog information placed on an analog signal? A digital signal?

- As analog signals have many possible values, the technology samples the analog source several times during the signal transmission. These samples are then effectively sent across the connection. As the analog signal is just a sample of the many possible tones in the signal, depending on the sampling rate the signal may lose quality. Digital across an analog line is how modems work: amplitude shift keying, frequency shift keying and phase shift keying are used to convert the digital signal for an analog line. This can also be heard on radio stations with phone calls, with the analog-to-digital conversion. The caller sounds distorted in comparison to the speaking in the radio station because the phone line doesn't have as high a sample rate.

1. A consistent tradeoff in the security field is security versus complexity/usability. WEP and WPA-PSK use "pre-shared keys" to conveniently secure small networks. These keys rarely ever change, making them susceptible to offline dictionary attacks against the passphrase. On the other hand, WPA2 Enterprise overcomes the issue of PSK. Research enterprise WLAN security and describe at least 4 significant advantages. Cite your sources.

- a. WPA-Enterprise is a security protocol designed for an enterprise network, and it is a version of WPA2. It is different from the other WPA2 version, known as WPA PSK, because of its enhanced security protocols along with improved authentication (WPA2 Enterprise vs. Personal, 2014). One significant advantage is that it doesn't use pre-shared keys and instead uses 802.1X for authentication and provides dynamic key distribution. Another advantage is that WPA2-Enterprise uses RADIUS for the authentication server, which allows for centralized authentication services (Lau, 2017). WPA2-Enterprise also offers support for VLANs and NAP (Network Access Protection), which are great tools for an enterprise to have (Geier, 2011). Lastly, WPA2-Enterprise has another advantage, which is that it includes Extensible Authentication Protocol (EAP), which was built on a secure public-key encryption system, which means that only authorized users can access the network (Wireless Security in the Enterprise, 2018).

Geier, E. (2011). "Deploying WPA2-Enterprise Wi-Fi Security in Small Businesses". TechGenix. Retrieved from techgenix.com/deploying-wpa2-enterprise-wi-fi-security-small-businesses/
Lau, N. (2017). "WPA2-Enterprise 802.1X/EAP Authentication Process". Wi-Fi Warrior. Retrieved from wifiwarrior.com/2017/04/22/wpa2-enterprise-802-1xeapauthentication process/
"Wireless Security in the Enterprise: Deploying WPA2-Enterprise". (2018). Business.com. Retrieved from www.business.com/articles/deployingwpa2-enterprise encryption/

1. Research the ISO/IEC 27000 series standards and the CobiT standards. How are the two similar? How are they different? Compare and contrast the two.

- ISO 27000 is a standard of closed documents created by the International Standards Organization that define policies for running, maintaining and securing computer networks. These documents must be purchased for a company to view and enact them, and then a separate organization must certify that the company has implemented them to specification before it can be certified as an ISO 27000 organization. COBIT is also a standard of documents and procedures that provide guidance and best practices for how an organization should maintain, operate and deploy its computer systems. However, COBIT is not in and of itself a sole standard; it also relies on COSO, ITIL and other guidance as a framework, acting as an overall guide to maintaining system integrity and availability.

1. What does log management entail?

- Log management entails defining the logs that should be retained and creating a secure centralized location for the logs to be stored and analyzed. Additionally, there should be policies around the type of data, who can access the data, and how long the data should be retained before being purged.

1. Research two of the following network monitoring packages and describe what they do and how they do it: Nagios, ZenOSS, Cacti, or Solarwinds. Specifically address advantages and disadvantages, operating system support, and community support. What is the advantage to using a tool such as this versus manually monitoring?

- Solarwinds is an enterprise monitoring solution that uses SNMP to connect to and monitor systems. Solarwinds can be used to monitor events from network devices, servers and, with some extra work and plugins, software applications. However, in my experience Solarwinds is much better at monitoring network devices than at monitoring applications and server health beyond the basics of whether the server is up/down, services are running and disk space. Nagios is also a monitoring solution; unlike Solarwinds, it is built on open source code, however there is an enterprise version available with support and more advanced features. The advantage of using monitoring software such as this is that you can have all your monitoring in one location. The software can also provide analytical data on the devices, as it can store records of device health and utilization over time, allowing administrators to track issues over time, predict events based off trending data, and receive alerts from the systems when the monitoring software sees something that an administrator has set up alerts on, such as a device being down, high CPU utilization or high disk usage.

1. Research one of the following configuration management packages and describe what it does and how it does it: Chef, Puppet, CFengine. Specifically address advantages and disadvantages, operating system support, and community support. What is the advantage to using a tool such as this versus manual configuration management?

- Using software such as Puppet has a large advantage over manually ensuring configuration management. The systems that are deployed today are more complex than ever, with a large number of options, services, and security concerns to be aware of. And even when using simple checklists, humans building these systems can make mistakes or forget a configuration value, bringing a system out of compliance with the configuration policy. Puppet at its core is open source software that can be freely downloaded and used; there is a large community of users, and the enterprise entity Puppet Labs also provides documentation. However, with the enterprise edition it is possible to get enterprise support and more advanced features from Puppet Labs. The advantage of using Puppet is that it can automate huge amounts of the system deployment process, all against a standard configuration, for everything from bare-metal systems to containers. Puppet will ensure that the system is configured exactly as specified in the configuration policy and provide notifications or remediation if the system deviates from that configuration. The disadvantage of using a system like Puppet is that it does take a decent amount of time up front to learn how Puppet works, create packages, and automate deployments and actions; however, once the initial time investment has been made, the time saved by Puppet more than makes up for it.

1. Briefly describe and contrast LANs, MANs, and WANs.

- A LAN is a relatively small network that is used by an organization to support its local and internal networking requirements in a single geographical location. A WAN is a large network that covers a large geographic area. A MAN is a network that covers an area such as a county or city, smaller than a WAN but larger than a LAN.

What is an after-action review? What are the primary reasons for undertaking one?

- An after-action review is a structured review process for analyzing what happened, why it happened, and how it can be done better by the participants. An after-action review occurs within a cycle of establishing leaders' intent, planning, preparation, action and review. An after-action review is useful for reflecting upon a project during and after its completion. It is a simple but powerful tool.
- Primary reasons: to take advantage of business requirements, to solve business problems, to use state-of-the-art technology, and to take advantage of business opportunities.

1. How is digital information placed onto an analog signal? A digital signal?

- Analog is recorded with 8-bit sample sizes multiple times, on the theory that if enough samples are recorded then the digital equivalent will have the same amount of information in it as the analog has. These are then sent across the network. Meanwhile, a digital signal only has two possible values, on or off. These values are then sent over the network exactly as sourced, effectively as 1s or 0s, to the receiving device.

Compare and contrast configuration management and change management

- Configuration management is the process of ensuring that the configuration of systems meets the corporate policy and that they are configured correctly. Different systems can have different types of configuration management but still be within the corporate policy. For example, there may be a base configuration for all servers that must be adhered to, but on top of that configuration there will be a different set of policies on what an IIS server will look like versus an Exchange server. Change management is the process of controlling changes that are performed on these systems. This can be to resolve a security issue, perform an upgrade, or add or remove functionality from a system. The change process involves reviewing the proposed changes and having them approved before implementation.

1. What is a hash function and what is it used for?

- Hash functions take a string of characters and create a value that signifies the original value. Hashes are useful because they can take strings of characters of different lengths and create a standard-length output from the string inputted, effectively making a fingerprint of the string or file. This can then be used for comparison to validate that the data has not been modified. This is common for downloaded ISOs, to verify that the ISO is complete and hasn't been modified. This is also the proper way to store passwords, as creating a hash is a one-way operation. A password can make a hash, but the hash cannot be decrypted to make a password. Though it is possible to brute force hashes via a rainbow table and compare known entries against the hash value to determine what the password was. However, computing all possible iterations of hashes is a very intensive operation depending on the type of hashing algorithm used, even more so if the hash has been salted.

1. What are the two meanings of "auditing" in this section?

- In this section, auditing is used first to describe a self-review of the network environment done periodically by an organization, and second for the recording and reviewing of events that occur on the network.

1. List the benefits of locating a firewall on the perimeter of a network.

- It monitors each packet coming into the network. It protects organizations with lots of sensitive data from outside networks and any attackers by filtering out anything dangerous. It can restrict access to the network when it comes to unauthorized traffic. It also can prevent malicious traffic from leaving the network, in order to prevent any malware from attacking other organizations. Usually firewalls are at the perimeter.

Describe, in your own words, the mechanism for establishing an HTTPS connection.

- Once an HTTP session is established between an endpoint and a server, the endpoint will request an encrypted session. The server will then accept this request, sign a response with the private key it owns, and send it to the endpoint along with the kinds of ciphers and protocols the server will support. The client and server will then select the most secure cipher and protocol that both support and will initialize an encrypted connection between the devices.

1. How does the Public Key Infrastructure (PKI) protect information?

- PKI is a system for ensuring that the certificates a site or service is providing are legitimate. The way this works is that a large trust organization such as Comodo holds a root certificate authority; they then use this root certificate to sign certificates for other companies such as GoDaddy. When GoDaddy sells a certificate, they sign the certificate from their intermediate CA. There is now a certificate chain that goes from Comodo to GoDaddy to the certificate the customer buys, which validates the owner of the certificate, that it belongs to the site, and that the certificate is legitimate. Users are also able to check these root and intermediate certificate authorities to validate that all the certificates in the chain are still valid.

What is SMTP used for? What are some common attacks against SMTP servers?

- SMTP is the Simple Mail Transfer Protocol. It is used between mail servers to send and receive email across the Internet or a local network. Some common attacks against SMTP servers include breaching them and gaining admin rights over the mail server to gain access to the mail that flows through it or is stored within it. Spammers and phishers will also use poorly secured or unsecured SMTP servers to spoof and send mail from them in an attempt to get around spam filtering rules.

Briefly list and describe each of the network logical topologies. What is the difference between a logical and physical topology?

- Star and bus are the two primary logical topologies. A star topology consists of a central node that the edge devices send communication to; the central device then sends this information back out to the other nodes in the topology. A bus topology has each node sending information to another node, with each node taking turns. The difference between a physical and a logical topology is that a logical topology is more of an overview and how in theory the network

Name and describe three error detection and/or correction techniques used in network transmissions.

- Stop-and-Wait ARQ: packets, and thus errors, are handled one at a time. Each packet is sent over the network, and until the receiving device sends back an ACK for the successful packet the next packet is not sent. If an ACK is not received, then the original packet is retransmitted. This repeats until all packets have been sent.
- Go-Back-N ARQ: multiple packets are sent at once, the number of which is determined between the two communicating devices, then the sender waits for an ACK of those packets. If there is a failure on any packet, that packet and any after it in the set are all retransmitted, even if the others were received successfully. This then repeats for the next set of packets.
- Selective Repeat ARQ: in this model only the failed packets are retransmitted instead of the entire string after one bad packet.

1. What is the fundamental difference between symmetric and asymmetric encryption?

- Symmetric encryption requires that both the encrypting party and the decrypting party have access to the same private key to access the encrypted data. This is troublesome because securely sharing private keys is difficult for many uses. Asymmetric encryption uses a private/public key pair. The private key is used to encrypt the information, and only the creator of the information requires the private key. Then the receiver uses the public key that matches the private key to decrypt the information. This is how HTTPS functions.

1. Why is the size of a key important in cryptography?

- The larger the key size, the more secure the encryption is, assuming it doesn't have any known vulnerabilities. Having a larger key makes it harder, or even impossible, to brute force the encryption. For example, I have enough processing power in my home lab to brute force a 56-bit key quickly; however, a 256-bit key would take more than my lifetime.

1. List and briefly describe the three basic operations involved in encryption. Explain why repeated use of the /same/ operation is no stronger than just using it once (give an example), but yet combining two or more different methods is extremely powerful.

- Using the same operation more than once does not provide any more security over doing it once, because the same key would be used to sign the encryption, so if the key is compromised the second round provides no benefit, as the same key was used. Additionally, if there is some vulnerability in the encryption that can be exploited, it once again would apply to the second operation. By mixing encryption methods, the multiple encryption options can provide cover for any issues that may be occurring in the other. The basic operations involved are symmetric encryption, using the same private key to both encrypt and decrypt the information; asymmetric encryption, which uses a private/public key pair to perform encryption; and finally hash algorithms, which create effectively a one-way encryption of values to create a signature of the data to verify it has not been modified.

What differentiates black-hat and white-hat "hackers?"

- White hat and black hat hackers are very similar and use mostly the same tools and techniques to achieve their goals. The primary difference is the motivation for their activities. A black hat is driven by nefarious aims: they either want to steal information, money or resources, or just cause destruction or denial-of-service attacks for various reasons. A white hat uses their skills to find vulnerabilities or exploits to better the security of a device or company. They find and document these issues and provide them to the company running the network or the vendor of a product so that these organizations can patch and fix the issues.

1. Describe the components of an incident response plan.

1. Preparation, 2. identification, 3. containment, 4. recovery, 5. lessons learned.

1. How does a signature-based IDPS differ from a behavior-based IDPS?

A signature-based IDPS looks at network traffic and looks for patterns that match signatures, meaning attack patterns that are well known. A behavior-based IDPS looks at traffic and learns what is normal activity. It is then able to compare network traffic to "normal activity" on the network, and if it exceeds what is considered "normal" it lets the administrator know. So when it comes to signature-based, it only looks at patterns that could match well-known signatures, which are common since many attacks have clear and distinct signatures. However, when it comes to behavior-based, it only looks at traffic for a specific network and only compares traffic to other people's traffic within that network.

1. What are the major steps in a business impact analysis? Briefly describe what happens in each step.

Business impact analysis is the process of identifying which processes are the most important for the ongoing success of the business, and understanding and analyzing business interruptions.
Major steps in a BIA:
- Interacting with management: explain the objectives of the BIA and the plans for its implementation to management, and seek their help and support.
- BIA scope identification: identify the BIA's scope and interview the subject matter experts who work in each business unit and its processes.
- Identify operating parameters: identify the operating parameters of the BIA, such as 1. what data is to be collected, 2. categorizing financial and non-financial impacts, 3. assigning weighting to those categories.
- Schedule BIA interviews: schedule BIA interviews for specific hours to discuss with each stakeholder involved in the process the potential impact when the process is disrupted.
- Conduct BIA interviews: conduct the interviews in the prescribed hours with the questions already prepared, with the objective of understanding the critical processes, systems, applications and key dependencies.
- Share the completed BIA for review: share the completed BIA, which has the recorded statements, with the participants for review and revision.
- Data analysis: data collected during the interviews has to be analyzed and assessed to determine which items are critical from the process and business unit perspective.
- The final step is to prepare the BIA report and share it with management; the report should contain everything (overview of the BIA process, key findings, ranking of the critical issues in the business, action plan, conclusion).

1. Describe the effects of cryptography on the practice of digital forensics.

Digital forensics solves crimes performed using electronic devices and computers by investigating and producing digital evidence against criminals. The use of cryptography and its techniques in digital forensics is widely increasing. When a hard drive is completely encrypted, digital forensics investigators have difficulty in finding the stored data. Cryptanalysis is a decryption technique that helps to retrieve encrypted data and is useful for digital forensics.

1. What are some ways to harden a web server?

Ensure the web server and the OS it is running on are fully upgraded and patched. Always configure everything to have the least amount of privilege required for everything to operate. Follow best practices for password complexity and login attempts.

1. How do firewalls affect network penetration testing? Why?

Firewalls affect the scanning step because with scanning you need to determine if a host is available, but firewalls are often set to block ICMP, which makes it so people can't ping to find out whether or not a server is alive.

1. What is LDAP used for? What are the common attacks against LDAP servers?

LDAP is used to perform authentication requests between endpoints and centralized authentication servers. Authentication requests are sent securely between the endpoint and the auth server and back to determine if an account has permissions to access resources on the network. Some common attacks are LDAP injection attacks against services that do not sanitize their input, allowing attackers to run code that will grant or modify other accounts' permissions.

1. From a security perspective, which is least desirable, a false positive or a false negative alarm? Why?

Least desirable would be a false negative alarm, because this is when an IDPS fails to react to an attack, which would defeat the purpose of the IDPS since it is used to detect these attacks. A false positive alarm is when an IDPS mistakes normal traffic for an attack. From a security perspective, an organization would much rather have the IDPS react to network traffic and try to find malicious traffic rather than not react at all and let an attack get through, which is why a false negative alarm is less desirable.

1. What is Linux's centralized logging facility? How does it work?

Linux systems have Syslog as a centralized logging mechanism. This is part of the OS that any other system or package on the device can use for logging purposes rather than having its own separate logging procedure. Syslog can also be used to forward logs to, and retain logs from, other systems to create a centralized logging server.

1. What is active intrusion prevention, and how does it differ from passive?

Passive intrusion prevention would consist of writing policies and installing countermeasures like firewalls in order to prevent an attacker from gaining entry. Active intrusion prevention is different because it implements active countermeasures to stop the attack. For example, LaBrea is an active countermeasure tool that acts as a vulnerable computer by taking an unused IP address on the network and allowing the attacker to complete the TCP/IP connection; once this happens it holds the connection open in order to slow down the attacks and alert the administrator about them. Passive tries to come up with countermeasures beforehand, while active uses these countermeasures in real time to stop attackers.

1. What is a monitoring (or SPAN [switched port analyzer]) port? What is it used for?

SPAN is a method of monitoring network traffic and it is usually used with NIDPS when placed near a hub or switch in order for it to view all traffic and use it to identify any attacks or suspicious activity.

1. What is SQL injection and how does it work? What are some recommended methods to combat SQL injection?

SQL injection is when an attacker adds SQL code to a service's input; as the backend application accepts the input, the SQL code is then run by the application. This can lead to the total breach of the system and the data contained within it. Some common methods to combat SQL injection are to ensure that data entered into the service is sanitized in a way that injecting SQL statements into forms will not lead to them being executed. The simplest method of this is not allowing forms to accept information that starts with SQL escape characters. More advanced sanitization analyzes the input data, verifying it is not malicious in nature and is the type of information expected based upon the function of the service input, and ignoring the input if it does not match expectations.

1. Research the open-source IDPS called "Snort." Write a summary of how Snort fits within the concepts presented this week (e.g. network vs. host, signature vs. behavior, detection vs. prevention, etc.) If a small office wanted to configure Snort for its use, how would you suggest implementing it? Where would it be on the network? How would you configure alerts or responses? I expect several detailed paragraphs and perhaps a diagram for this answer. Cite your sources.

Snort is an open source IDPS and has been around for two decades now, but recently Cisco purchased it. It has been known as one of the greatest pieces of open source software. Snort has three main modes: sniffer, packet logger, and network intrusion detection. Snort sensors do not need to integrate with your server infrastructure because they should be viewed as applications like a router (Asknew, 2005). This is a host-based IDPS and behavior based as well. I would suggest it be implemented by using sensors all over the network to protect each server and switch. Host-based is very reliable and most organizations can find an optimal location to put the sensors so the footprints can overlap (Whitman, 2013). It would make sense to alert the administrator whenever a file's attributes change, new files are created, or existing files are deleted. As you can see in the diagram above, there are Snort sensors all over the network near switches and servers in order to monitor activity on each host. Snort can also monitor logs for predefined events and attacks. It can maintain its files even if a hacker tries to cover their tracks (Whitman, 2013).

1. List and describe the components of contingency planning.

The components of contingency planning:
· Business impact analysis (BIA)
· Incident response plan (IR plan)
· Disaster recovery plan (DR plan)
· Business continuity plan (BC plan)

Business Impact Analysis (BIA): It is an introductory activity to both risk management and contingency planning. It helps the organization determine which business operations and information systems are the most crucial to the success of the organization.

Incident Response Plan (IRP): It focuses on the immediate response to an event. Any unexpected event is treated as an incident unless and until the responsible teams judge it to be a disaster.

Disaster Recovery Plan (DRP): It focuses on reinstating operations at the primary location.

Business Continuity Plan (BCP): It works simultaneously with the DR plan. It enables the business to continue at an alternate location until the organization is able to restart operations at its primary location or pick a new primary location.

1. What are some ways to prevent authentication or session vulnerabilities.

The first step is to determine what services are critical to the business. These are the services that the business needs at a minimum to keep operating and generating revenue. Once this list of services has been established, all resources required to maintain these services must be identified so these resources can be protected and available in the event of an incident or disaster. Finally, priorities are set for which services and resources need to be restored, and in what order, to match the goals of maintaining business processes.

1. What are the common types of attacks against DNS servers?

Typically, there are four teams involved in contingency planning and operations. Firstly, there is the CP Management Team. This team exists to govern and coordinate the overall CP process by developing the plans that will be enacted, analyzing the systems involved and the threats that exist, and determining the impact to the business. Secondly, the incident response team exists to develop, test, and execute plans to resolve any incident that the business may face. Next, the disaster recovery team acts much like the incident response team but is focused on a physical disaster at a location, bringing up services at the DR site and restoring services to the impacted site as quickly as possible. Finally, the business continuity team develops, tests, and executes plans to maintain business functionality in the event of an incident or disaster, off site if necessary.

A common "work from home" scenario lets remote users install VPN software on their personal computers and connect to corporate resources. As a security professional, what kinds of additional concerns would you have when allowing employees to connect via VPN? How would you address those concerns? Frame your answer in terms of the McCumber cube.

When it comes to a work from home scenario, there is always the concern that only approved users should be able to access the VPN to facilitate point-to-point communication over a secure line with the organization. Using the McCumber cube, the goal would be confidentiality, during transmission, through technology. This means that in order to keep sensitive data safe when transferring it from the personal computer to the organization, they would have to use firewalls and antivirus software. They would also implement an extranet and intranet in order to create an extension of the corporate network, while also keeping it restricted to employees.

1. When does packet filtering offer an advantage over other security methods, such as proxy services?

a. Packet filtering protects right from the start and monitors ALL incoming packet headers and can filter packets based on the header information like the destination or source address.

1. How does a network-based IDPS differ from a host-based IDPS?

A network-based IDPS (NIDPS) monitors activity throughout the network segment and focuses on protecting network information assets. It resides on a network segment. A host-based IDPS is different because it resides on one computer or server (the host), and only monitors the activity on that system. A NIDPS is programmed to look for any activity that resembles an attack and then alerts the administrators. A host-based IDPS looks at the files and data stored on the host or server it is on and, if it detects any changes, alerts the administrators. A NIDPS can usually detect more types of attacks than a host-based IDPS; however, the configuration and maintenance is more complex compared to a host-based IDPS too.

1. What are the advantages and disadvantages of hub-and-spoke VPN configurations?

a. Advantages are that all the records of the SAs in the VPN are kept in the router, which means computers just need to connect to the central server instead of needing to connect to other machines as in the mesh configuration. This is an advantage because it makes it far easier to increase the size of the VPN.
b. However, because all communications flow into and out of the central router, it can slow down communications, especially if the branch offices are located in a different part of the world. Another disadvantage is that the central router needs double the bandwidth of other connections in the VPN because it needs to handle both inbound and outbound traffic. This is a disadvantage because it can cost several thousand dollars per month, which can take a toll on an organization.

1. What are the advantages and disadvantages of mesh VPN configurations?

a. An advantage is that because each participant in the VPN has an approved relationship, it becomes more secure; this relationship is called a Security Association (SA). When configuring a VPN you have to specifically identify each of these participants to the others within the VPN, because before establishing a connection the VPN checks the routing table to see whether or not the other participants have an SA with it.
b. This VPN configuration also comes with some disadvantages, however. When it comes to a fast growing network, it can become difficult to continuously update every VPN device whenever a new host is added.

1. What are some of the considerations to be taken into account when capturing network traffic?

a. It could be illegal if you don't have permission from the network owner to use a sniffer.
b. The computer has to be on the right network segment that you want to capture traffic from.
c. A sniffer can't decipher encrypted traffic.

1. Name and describe the two basic functions of a firewall?

a. Packet Filtering - Checks each packet coming in and determines whether or not it is allowed passage based on the security policy rules established.
b. Application Proxy - Breaks the IP flow between the network being protected and the network outside.

Compare and contrast the four architectural implementations for firewalls.

a. Packet-Filtering Routers - Configure routers to reject any packets the organization does not allow into the network. This seems very simple and effective, especially since most organizations with an internet connection already have routers at the perimeter, but some of the drawbacks are a lack of auditing and a lack of strong authentication.
b. Screened Host Firewalls - This uses the packet-filtering routers explained above, but combined with a separate firewall. This helps because it minimizes the load on the internal proxy and the network traffic.
c. Dual-Homed Host Firewalls - Uses two NICs, one connected to the external network and the other connected to the internal network. This means all data must physically go through the firewall in order to move between the external and internal networks. It also uses NAT, which gives an additional layer of security from any external attackers.
d. Screened Subnet Firewalls - This architecture is used today and it uses a DMZ (demilitarized zone). This means that connections from the outside or from an untrusted network are routed into an external filtering router and then to the DMZ. Connections are only allowed from the DMZ into the trusted internal network. The goal of the screened subnet is to protect the DMZ from the outside and untrusted networks, and it limits access from external connections in order to protect the internal network.

Compare and contrast stateful and stateless firewalls

a. Stateless - Ignores the state of the connection between the internal and external computers and blocks or allows packets based only on the information in the header. However, this can become a problem with IP spoofing.
b. Stateful - Examines the data and the state of the connection between the internal and external computers. It uses the connection state to make a decision on whether to allow or deny the traffic. However, the additional processing needed to manage packets can make it vulnerable to DDoS attacks.
c. Both have their advantages: for example, stateless is a lot quicker since it doesn't need extra time to process each packet, and stateful inspects the data and the connection to make a thorough decision on whether it should allow the traffic. But along with these advantages they both have disadvantages that can lead to some serious problems. IP spoofing can change a packet's header to make it look like it came from a different, more trustworthy IP address, and the thoroughness of stateful inspection makes a DDoS attack very possible, because sending many external packets at one time could greatly slow down the firewall.

1. Pick two of the three AAA services (Kerberos, TACACS+, RADIUS) and research their features. Construct a comparison table based on the major characteristics of AAA for them.

a. TACACS+ is a set of authentication protocols that are the latest and strongest version developed by Cisco Systems. A firewall or router doesn't have to handle dial-in user authentication because it provides centralized authentication. TACACS+ uses TCP and is able to separate authentication, authorization, and auditing as independent functions. It also supports full packet encryption between client and server, and passwords may be encrypted within the database. This is why TACACS+ is usually considered to provide a higher level of security than RADIUS.
b. RADIUS is a common protocol and more widely supported than TACACS+. RADIUS is a dial-in authentication protocol that uses UDP. Unlike TACACS+, it only encrypts passwords, and since it leaves authentication packets unencrypted it makes them vulnerable to attacks from packet sniffers. It also isn't able to separate authentication, authorization, and auditing because it combines authentication and authorization.
c. Comparison table:

| TACACS+ | RADIUS |
| --- | --- |
| Provides centralized authentication | Dial-in authentication |
| Uses TCP | Uses UDP |
| Able to separate authentication, authorization, and auditing as independent functions | Leaves any information besides passwords unencrypted |
| Supports full packet encryption between client and server | Widely supported compared to TACACS+ |
| Considered to have a higher level of security | Vulnerable to attacks from packet sniffers |

1. Download and install VIStumbler (http://sourceforge.net/projects/vistumbler/) on a laptop machine. Drive slowly around your neighborhood for 15 to 20 minutes to locate as many access points as possible. Using some screen shots and data analysis, show:

a. The map of your driving route and the income level of the neighborhood (Google Maps is a good source for the former and Zillow is a good source for the latter).
b. A screen shot of some of the output of your wardriving in VIStumbler.
c. An analysis of how many people are running open or severely compromised security on their wireless networks.
d. What manufacturers were represented among the SSIDs you saw?
e. What was the distribution of channels used for the access points?

1. What is meant by "two factor authentication?" Describe three real-world (i.e. not related specifically to IT although IT may be involved) examples of two-factor authentication.

a. Two factor authentication means using two different forms of confirmation for the proposed identity.
b. One example of this would be using a debit card at a store. You need the right combination of numbers that's on the card, and then you need your PIN as well. These would be two different forms in order to confirm the purchase.
c. Another example would be trying to log into a social media account on your phone: once you put in the correct username and password, the app sends a 6 digit code to your phone number, which you have to type into the app before gaining access to the account. The password is the first factor, and the 6 digit code would be the other.
d. Another example would be when going to get a state ID I needed to bring my passport, or any type of picture ID, and my social security card. This is needed to confirm the person getting this identification card isn't stealing someone else's identity. The picture ID would be the first form, and the social security card would be the second.

1. Watch this video on BeEF (the Browser Exploitation Framework) for remotely attacking a web browser via XSS: http://www.youtube.com/watch?v=utPBQOZS_TU. Also, do some research into BeEF (http://beefproject.com/).

a. What are your observations about how this process works and the tools used to carry out the attack?
b. Who must take steps to prevent a browser from being exploited by XSS?
c. Since BeEF hooks to Metasploit, is there any safe way to use the web today? Explain.

1. How is local authentication different from centralized authentication? How are they similar?

a. In centralized authentication a client makes a request to the authentication server, which then authorizes the client to the application server; the application server trusts the authentication server and delivers the requested services to the client. In centralized authentication the client must trust that the authentication server holds the correct information about the user, and then the application must trust that the authentication server is doing a correct job of identifying the user. In local authentication there isn't an authentication server; instead the application prompts the user for a username and password in order to authenticate the user. There is no "middle-man" and the application does the authentication on its own.
b. They are similar because they both work once a client tries to access an application. They both require some type of authentication of the user's identity, whether it is from the authentication server or the application itself.

1. Define intrusion detection, intrusion prevention, and incident response. How are the three ideas related to one another?

a. Intrusion detection - procedures and systems that identify system intrusions.
b. Intrusion prevention - activities that prevent an intrusion from gaining entry.
c. Incident response - how an organization takes action whenever an intrusion is detected.
d. All of these ideas are important for an organization to have in order to protect itself from hackers trying to steal its sensitive data, and to define what actions to take if there is an intrusion. You need to first detect whenever there is a system intrusion, and from that an organization must take action and try to prevent the intrusion. However, if the intrusion successfully gains entry, the organization needs to have a set of actions to take in order to minimize the damage and return operations to normal as quickly as possible. Once this happens, they then try to find how the attacker gained access and try to stop it from occurring in the future through intrusion prevention.

1. What is the primary goal of digital forensics?

The primary goal of digital forensics is extracting evidence from computers or other digital devices. This usually involves extracting the contents of files and interpreting their meaning.

