CIST 1601 Information Security Fundamentals Chapter 4 Monitoring Activity and Intrusion Detection

Date posted: 22-Dec-2015
Category: Documents

Page 1

CIST 1601 Information Security Fundamentals
Chapter 4 Monitoring Activity and Intrusion Detection

Collected and Compiled By JD Willard
MCSE, MCSA, Network+, Microsoft IT Academy Administrator
Computer Information Systems Instructor
Albany Technical College

Page 2

Monitoring the Network Recognizing the Different Types of Network Traffic

Novell Protocols
NetWare, a server-based networking environment/operating system, offers network protocols, services, and applications. NetWare is susceptible to DoS attacks. In addition to TCP/IP, NetWare supports two other proprietary protocols, Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX):

IPX and SPX are unique to NetWare 4.x and earlier networks. Since NetWare 5, NetWare has been able to use TCP/IP as its only transport protocol. IPX and SPX are fast, efficient, and well documented. Because they carry data unencrypted, they are also susceptible to interception by anyone who can monitor the internal network with a sniffer. Microsoft created NWLink, its own IPX/SPX-compatible protocol. NetWare Directory Services (NDS, later called Novell Directory Services) manages all the resources in a network: NDS provides a database of all network objects or resources.

Page 3

The figure below shows an NDS tree. Notice that the NDS tree treats print devices, disk volumes, users, and groups as leaf objects, or resources, in the tree. Earlier versions of NetWare used bindery services; the bindery kept track of resources on a server-by-server basis. In the most recent versions of NetWare, NDS has been expanded and renamed eDirectory.

Monitoring the Network Recognizing the Different Types of Network Traffic

Page 4

Microsoft Protocols
NetBIOS
The biggest vulnerability with NetBIOS is that it opens ports for file and print sharing. NetBIOS over TCP/IP uses UDP 137 (name service), UDP 138 (datagram service), and TCP 139 (session service); the related Windows services on TCP 135 (the RPC endpoint mapper) and TCP 445 (SMB without NetBIOS) are usually discussed together with them. If they are not filtered at the border, these ports can be reached from across the Internet as well as by devices on the local LAN, so they should be blocked inbound at the firewall and exposed only to trusted internal networks.
NetBEUI
NetBEUI is a nonroutable protocol, meaning that it can't be sent across routers, which limits an attacker to the local segment. NetBEUI traffic is unencrypted and easy to intercept internally using a network sniffer.
WINS Service
Windows Internet Naming Service (WINS) translates NetBIOS names to TCP/IP addresses. Because WINS provides a service to any client that requests information from it, it is susceptible to DoS attacks. When left unpatched, it has also been vulnerable to remote code execution.

Monitoring the Network Recognizing the Different Types of Network Traffic

WINS server resolving a NetBIOS name to a TCP/IP address
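The practical check that follows from the NetBIOS slide is whether the sharing ports are actually reachable from outside. The block below is an added example, not code from the original slides: it parses a few constructed firewall log lines in a hypothetical format and flags accepted connections to the NetBIOS/SMB/RPC ports whose source is not in the organisation's own address space (assumed here to be the RFC 1918 ranges; the documentation addresses 198.51.100.x and 203.0.113.x stand in for Internet hosts).

```python
"""Flag accepted connections to Windows file/print-sharing ports that come
from outside the local network. Added example for this page (not code from the
original slides); the log format and addresses are constructed."""
import ipaddress
import re

# Ports the text warns about. 135 is the MSRPC endpoint mapper, 137-139 are
# NetBIOS over TCP/IP (name, datagram, session) and 445 is SMB without NetBIOS.
SHARING_PORTS = {
    135: "msrpc-epmap",
    137: "netbios-ns",
    138: "netbios-dgm",
    139: "netbios-ssn",
    445: "microsoft-ds (SMB)",
}

# The organisation's own address space (assumed: the RFC 1918 ranges).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical firewall log format:
#   <timestamp> ACCEPT|DROP TCP|UDP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def is_local(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LOCAL_NETS)

def exposed_sharing_connections(lines):
    """Return (src, dst, port, service) for every ACCEPTed connection to a
    sharing port whose source address is not on the local network."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        service = SHARING_PORTS.get(rec["dport"])
        if service is not None and not is_local(rec["src"]):
            findings.append((rec["src"], rec["dst"], rec["dport"], service))
    return findings

# Constructed sample log (documentation addresses stand in for Internet hosts).
SAMPLE_LOG = [
    "2015-12-22T10:00:01 ACCEPT TCP 10.0.0.5:49152 -> 10.0.0.10:445",      # LAN to LAN: expected
    "2015-12-22T10:00:02 ACCEPT TCP 198.51.100.7:51000 -> 10.0.0.10:445",  # Internet host reached SMB
    "2015-12-22T10:00:03 ACCEPT UDP 203.0.113.9:137 -> 10.0.0.10:137",     # Internet host reached NetBIOS-NS
    "2015-12-22T10:00:04 DROP TCP 203.0.113.9:51001 -> 10.0.0.10:139",     # blocked at the border: fine
    "2015-12-22T10:00:05 ACCEPT TCP 198.51.100.7:51002 -> 10.0.0.10:443",  # HTTPS: outside this check
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for src, dst, port, service in exposed_sharing_connections(SAMPLE_LOG):
        print("EXPOSED: %s -> %s port %d (%s)" % (src, dst, port, service))
```

Every line the check reports is a sharing port that the border firewall let through from an address that is not yours; the fix is the inbound filter, not the log review. Dropped lines are still worth counting, since a steady stream of DROPs to 445 from one source is the reconnaissance that precedes an SMB attack.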

Page 5

Network File System Protocol
Network File System (NFS) is the default file-sharing protocol for Unix systems. NFS allows a remote user to mount drives (exported directories) on a machine in the network. To be secure, NFS requires special configuration: exports should be restricted to specific hosts, and traditional NFS trusts the user ID supplied by the client, so anyone who controls a permitted client can act as any user unless stronger authentication (such as Kerberos) is configured. NFS plays roughly the same role as Microsoft's Distributed File System (DFS), which tends to exist outside of the Unix world.
The Apple Protocol
Most manufacturers support AppleTalk, which isn't intended for secure applications. Modern Macintosh systems can also use TCP/IP for connections. Most AppleTalk vulnerabilities are exploitations of programs that offer this service. For example, there are known vulnerabilities in programs that allow Linux to offer AppleTalk, but those weaknesses are in the programs themselves and not in AppleTalk per se.

Monitoring the Network Recognizing the Different Types of Network Traffic

A remote system mounting a drive on a local machine using NFS.

Page 6

Monitoring Network Systems
Monitoring can occur on individual systems, on servers, or as a separate component of the network. The connection used is called a tap. The figure below illustrates some of the places where a network tap can occur. Each tap location presents a different view of the network. For effective security, multiple taps are probably needed.

Your system faces both internal and external threats.

Heavy traffic makes it necessary to dedicate personnel to monitoring. Network activity is also reported in system logs and audit files. It’s a good practice to periodically review these files. Automated tools make this process more manageable.

Network sniffers and NIDSs are used to monitor network traffic. Network sniffers are manually oriented, whereas an NIDS can be automated.

Tap locations used to monitor network traffic

Reporting (07:32)

Page 7

Understanding Intrusion Detection Systems

Network Intrusion Detection and Prevention (5:40)

Intrusion detection (ID) is the process of monitoring events in a system or network to determine if an intrusion is occurring.

An intrusion is defined as any activity or action that attempts to undermine or compromise the confidentiality, integrity, or availability of resources.

An IDS monitors for and reports intrusion attempts. An IDS will announce an event through an alert when suspicious activity is encountered.

Detection vs. Prevention (6:06)

Page 8

Activity: an element of a data source that is of interest to the operator, usually a specific occurrence or event.
Administrator: the person responsible for decisions about the deployment and configuration of the IDS (alarm levels, historical logging, and session-monitoring capabilities), for determining the appropriate responses to attacks, and for ensuring that those responses are carried out.
Alert: the message from an IDS analyzer indicating that something of interest has happened. Alerts are raised when activities of a certain type exceed a preset threshold.
Analyzer: the component that analyzes the data collected by the sensor, using it to determine whether an attack is under way.
Data source: the raw information the IDS uses to detect suspicious activity, such as audit files, system logs, or current network activity.
Event: an occurrence in the data source that indicates something suspicious. Not every activity ends up as an event, and not every event generates an alert; an event might trigger an alert if it deviates from normal network traffic patterns or crosses an activity threshold.
Manager: the component the operator uses to manage the IDS. It may be a graphical interface, a real-time traffic screen, or a command-line environment.
Notification: the process or method by which the IDS manager makes the operator aware of an alert, for example a graphic display or an e-mail sent to the administrative staff.
Operator: the person primarily responsible for the IDS.
Sensor: the component that collects data from the data source and passes it to the analyzer. If the analyzer determines that unusual activity has occurred, an alert may be generated.

Understanding Intrusion Detection Systems

The components of an IDS working together to provide network monitoring

Page 9

A signature-based system, also commonly known as a misuse-detection IDS (MD-IDS), is primarily focused on evaluating attacks based on a known identity, attack signature, or audit trail.

All attack signatures are contained in a signature database. The signature database must be updated to remain effective. The user can examine the signature database and quickly determine which intrusive activity the misuse-detection system is programmed to alert on.

Signature-based systems have an advantage because of their simplicity and their ability to operate online in real time. Other advantages include:

- Low number of false positives
- Detailed text logs
- Use of few system resources

Signature-based detection has several limitations: it relies heavily on passive monitoring, the rule sets need constant updating, and it can detect only known attacks with identified signatures. A new attack, or an old one whose payload has been encoded or otherwise altered so that it no longer matches the pattern, passes unnoticed until a signature for it is written and deployed.

Understanding Intrusion Detection Systems

A signature-based IDS in action

False Positives (3:23)
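The sensor, analyzer and alert components described on the previous slides, reduced to a signature-based analyzer over packet payloads. This is an added example, not code from the original slides; the signature ids, patterns and sample packets are constructed. The last packet is the same attack as the second with two characters URL-encoded, which is enough to slip past every signature in the database and illustrates the "known attacks only" limitation.

```python
"""Minimal signature-based (misuse-detection) analyzer run over constructed
packet payloads. Added example for this page, not code from the original
slides; the signature ids, patterns and payloads are made up for illustration."""
import re

# The signature database: (id, description, compiled pattern). A production
# NIDS ships thousands of these, and the database must be kept updated.
SIGNATURES = [
    ("SIG-001", "Directory traversal in URL", re.compile(rb"\.\./\.\./")),
    ("SIG-002", "Command interpreter named in HTTP request", re.compile(rb"cmd\.exe")),
    ("SIG-003", "SQL tautology in query string",
     re.compile(rb"'[\s+]*OR[\s+]+'?1'?\s*=\s*'?1", re.IGNORECASE)),
]

def analyze(payload, signatures=SIGNATURES):
    """Analyzer: return the ids of every signature whose pattern occurs in the payload."""
    return [sid for sid, _desc, pattern in signatures if pattern.search(payload)]

def run_sensor(packets, signatures=SIGNATURES):
    """Sensor + analyzer: pass each (src, payload) through analyze(); emit one
    alert record per match. Payloads matching nothing produce no alert at all."""
    alerts = []
    for src, payload in packets:
        for sid in analyze(payload, signatures):
            alerts.append({"src": src, "sig": sid, "evidence": payload[:48]})
    return alerts

# Constructed sample packets (not real captures).
PACKETS = [
    ("10.0.0.7",    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.5", b"GET /../../../../windows/system32/cmd.exe?/c+dir HTTP/1.1\r\n"),
    ("203.0.113.6", b"GET /login?user=admin'+OR+'1'='1 HTTP/1.1\r\n"),
    # The same traversal with "/" and the "m" URL-encoded: functionally identical
    # to packet 2, but it matches no signature, so a signature-based IDS is silent.
    ("203.0.113.5", b"GET /..%2F..%2F..%2Fwindows/system32/c%6Dd.exe?/c+dir HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for alert in run_sensor(PACKETS):
        print(alert)
```

Real engines normalise the request (URL-decode, canonicalise paths) before matching precisely because of packet 4; without that step every signature has a trivial bypass.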

Page 10

Anomaly-detection IDS (AD-IDS), also called statistical anomaly detection, detects changes or deviations from normal network traffic. Anomaly detection is analogous to credit card fraud detection: credit card companies maintain "spending profiles" for their customers and flag purchases that don't fit the profile. Anomaly detectors work by creating profiles or models of the normal behavior pattern of individual users, hosts, or network connections. There is an initial learning period before anomalies can be detected; once the baselines are established, anomaly-based monitoring can detect deviations from them. Sometimes the baseline is established through a manual process. The classifications of anomaly-detection techniques include statistical methods, rule-based methods, distance-based methods, profiling methods, and model-based approaches. Anomaly-based monitoring is useful for detecting these types of events:

- Protocol and port exploitation
- New exploits or buffer overflow attacks
- DoS attacks based on payloads or volume
- Normal network failures
- Variants of existing attacks in new environments

Highly secure environments might use complex patterns of behavior analysis, in some cases learning individual patterns of use common to each user profile, so that variations can be identified. One of the disadvantages of anomaly-based IDS is that it generates false positives, because the pattern of behavior can vary legitimately or is too dynamic to model properly. A related caveat is that whatever happens during the learning period is taken as normal, so a baseline learned while an attacker is already active will not flag that attacker.

Understanding Intrusion Detection Systems

AD-IDS using expert system technology to evaluate risks
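The statistical flavour of anomaly detection, reduced to one host and one metric. This is an added example rather than code from the original slides; the per-minute connection counts, the ten-sample learning period and the three-standard-deviation threshold are all constructed for illustration. The replay shows the learning period, a minute that is busy but normal, a volume-based DoS, and then a legitimate batch job that is flagged anyway, which is the false-positive problem the slide describes.

```python
"""Statistical anomaly detection over per-minute connection counts for one
host: learn a baseline during a training period, then score later minutes by
how far they deviate from it. Added example for this page (not code from the
original slides); the counts and thresholds are constructed for illustration."""
import statistics

class AnomalyDetector:
    def __init__(self, training_samples=10, z_threshold=3.0):
        self.training_samples = training_samples   # length of the learning period
        self.z_threshold = z_threshold             # deviation (in std devs) that counts as anomalous
        self.profiles = {}                         # host -> list of counts judged normal

    def observe(self, host, count):
        """Feed one observation. Returns None while the host's profile is still
        being learned, otherwise a (is_anomalous, z_score) pair."""
        samples = self.profiles.setdefault(host, [])
        if len(samples) < self.training_samples:
            samples.append(count)                  # learning period: everything is taken as normal
            return None
        mean = statistics.mean(samples)
        stdev = statistics.pstdev(samples) or 1.0  # a flat baseline would otherwise divide by zero
        z = (count - mean) / stdev
        anomalous = abs(z) > self.z_threshold
        if not anomalous:
            samples.append(count)                  # only normal minutes refine the profile
        return anomalous, round(z, 2)

# Constructed minute-by-minute connection counts for a web server (not real data).
TRAINING = [20, 22, 19, 21, 20, 23, 18, 20, 22, 21]   # quiet, normal traffic
LIVE = [24,    # slightly busy, still normal
        400,   # connection flood (DoS by volume)
        35]    # legitimate nightly batch job: flagged anyway, i.e. a false positive

def replay(counts, host="web01", **kwargs):
    """Run one detector over a sequence of counts and collect its verdicts."""
    det = AnomalyDetector(**kwargs)
    return [det.observe(host, c) for c in counts]

if __name__ == "__main__":
    for count, result in zip(TRAINING + LIVE, replay(TRAINING + LIVE)):
        print(count, "learning" if result is None else result)
```

Two design choices matter here. Anomalous minutes do not update the profile, so a flood cannot teach the detector that floods are normal; but the same rule means the batch job will be flagged every night until someone widens the baseline by hand. And had the flood occurred inside the first ten minutes, it would have become part of the baseline, which is the learning-period caveat from the slide.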

Page 11

Behavior-based monitoring works by looking at the way certain executable files make your computer behave. It determines whether a program is malicious by inspecting the stream of system calls that the program issues to the operating system. This monitoring method can also be used to identify internal misuse by recognizing actions outside of normal access patterns, or authorized events occurring outside of normal profile usage, such as the access of protected files during off hours. When the unacceptable behavior is defined explicitly by rules, a behavior monitor is not likely to produce a false alert, because it fires only on the behavior you declared unacceptable; the flip side is that rules must be in place, and any inappropriate behavior you fail to define goes undetected. When you define a rule that prevents an e-mail client from executing cmd.exe and alerts you when this is attempted, you are using behavior-based monitoring. Behavior-based monitoring advantages include the following: it can identify malware before it is added to signature files, monitor for malware activities, and learn about malware based on previous detection. Its limitations include a high incidence of false alarms when the monitor has to infer for itself what normal behavior is, and slow file checking, because a program has to be run (typically in a sandbox) and watched before a verdict can be reached.

Understanding Intrusion Detection Systems
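The two rules the slide uses as illustrations, an e-mail client spawning cmd.exe and protected files touched during off hours, written as behavior rules over a stream of host events. This is an added example, not code from the original slides; the event format, the process names, the share path \\fileserver\payroll and the 08:00-18:00 business hours are assumptions made for the example.

```python
"""Behaviour-based rules over a stream of host events: an e-mail client that
spawns a command interpreter, and a protected file opened outside business
hours. Added example for this page (not code from the original slides); the
event format, process names, share path and hours are constructed."""
from datetime import datetime

EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}
PROTECTED_PREFIX = r"\\fileserver\payroll"        # hypothetical protected share
BUSINESS_HOURS = (8, 18)                          # 08:00-17:59, Monday to Friday

def rule_email_client_spawns_shell(ev):
    """The cmd.exe-from-e-mail-client rule described in the text."""
    if ev["type"] == "process" and ev["parent"].lower() in EMAIL_CLIENTS \
            and ev["image"].lower() in SHELLS:
        return "BHV-001 e-mail client spawned a command interpreter"
    return None

def rule_protected_file_off_hours(ev):
    """Access to protected files during off hours (internal misuse pattern)."""
    if ev["type"] != "file" or not ev["path"].lower().startswith(PROTECTED_PREFIX.lower()):
        return None
    t = ev["time"]
    start, end = BUSINESS_HOURS
    if t.weekday() >= 5 or not (start <= t.hour < end):
        return "BHV-002 protected file accessed outside business hours"
    return None

RULES = [rule_email_client_spawns_shell, rule_protected_file_off_hours]

def evaluate(events, rules=RULES):
    """Run every rule over every event; return (time, user, message) alerts."""
    alerts = []
    for ev in events:
        for rule in rules:
            msg = rule(ev)
            if msg:
                alerts.append((ev["time"].isoformat(), ev["user"], msg))
    return alerts

# Constructed event stream (2015-12-22 is a Tuesday).
EVENTS = [
    {"type": "process", "time": datetime(2015, 12, 22, 10, 15), "user": "alice",
     "parent": "OUTLOOK.EXE", "image": "cmd.exe"},                       # malicious attachment
    {"type": "process", "time": datetime(2015, 12, 22, 10, 16), "user": "alice",
     "parent": "explorer.exe", "image": "cmd.exe"},                      # user opened a shell: fine
    {"type": "file", "time": datetime(2015, 12, 22, 14, 0), "user": "bob",
     "path": r"\\fileserver\payroll\q4.xlsx"},                           # business hours: fine
    {"type": "file", "time": datetime(2015, 12, 23, 2, 30), "user": "bob",
     "path": r"\\fileserver\payroll\q4.xlsx"},                           # 02:30: off hours
    {"type": "file", "time": datetime(2015, 12, 23, 2, 31), "user": "bob",
     "path": r"\\fileserver\public\notes.txt"},                          # not protected
]

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(*alert)
```

Note what the rules do not cover: an attachment that launches a shell from winword.exe, or a payroll file copied during business hours, produces nothing. That is the "if you do not properly define inappropriate behaviors, attacks can occur" limitation in concrete form, and it is why rule sets of this kind grow from incident to incident.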

Page 12

The primary advantage of a network-based IDS (NIDS) is the low maintenance involved in analyzing traffic in the network. An NIDS is easy and economical to manage because the signatures are not configured on all the hosts in a network segment; one sensor covers the whole segment.

Violations of policy, monitoring of all HTTP traffic, and monitoring of all FTP traffic are examples of the types of information an NIDS is designed to monitor. An NIDS cannot analyze encrypted payloads: for example, packets that travel through a VPN (or inside a TLS session) cannot be inspected by the NIDS, which sees only the headers. This is a primary disadvantage of an NIDS. The performance of an NIDS can also be affected in a switched network environment, because a switch delivers frames only to the port of the destination host; an NIDS plugged into an ordinary switch port sees only broadcast traffic and its own, not the traffic between other hosts, unless it is fed from a mirror (SPAN) port or a tap.

Two basic types of responses can be formulated at the network level: passive and active.

Working with a Network-Based IDS

Page 13

Working with a Network-Based IDS
A network-based IDS (NIDS) approach to IDS attaches the system to a point in the network where it can monitor and report on all network traffic.

Placing the NIDS in front of the firewall provides monitoring of all network traffic coming toward the network, including attempts the firewall will drop (useful for seeing what you are being probed with, at the cost of far more alerts). Putting the NIDS behind the firewall only lets you see the traffic that penetrates the firewall, which is the traffic that can actually reach your hosts. The best solution for creating a secure network is to place an IDS both in front of and behind the firewall. The NIDS can be attached to a hub (which repeats every frame to every port), to a switch through a mirror (SPAN) port, or to a tap. Intrusion is monitored on the network segment on which the NIDS is placed, and not on individual systems.

N-IDS placement in a network determines what data will be analyzed

A hub being used to attach the N-IDS to the network

Page 14

Implementing a Passive Response
A passive response is the most common type of response to many intrusions and the easiest and cheapest to develop and implement. A passive response does nothing to prevent the threat or attack; it just acknowledges that one is happening or is about to happen. The following list includes some passive response strategies:

- Logging involves gathering sufficient information on the attack to assist administrators in implementing measures to divert it. Logging usually involves recording the events and the circumstances under which they occurred.
- Notification involves informing the designated administrator when a security-related event has occurred and communicating information on the event. If the IDS is manned full time, messages can be displayed on the manager's console to indicate that the situation is occurring.
- Shunning basically involves ignoring the attack because the specific attack will not work (for example, an exploit for a platform or version you don't run). The IDS can make a note of it in a log and move on to other, more pressing business.

Page 15

Implementing an Active Response
An active response involves taking an action based on an attack or threat. An active response will include one of the reactions briefly described here:

Terminating processes or sessions: If a flood attack is detected, the IDS can cause the subsystem, such as TCP, to force resets of all the sessions that are under way (for example, by sending TCP RST segments to both ends of each connection).

IDS instructing TCP to reset all connections

Page 16

Network configuration changes: If a certain IP address or a particular socket or port is being attacked, the IDS can instruct a border router or firewall to reject any requests or traffic from that address or port. This configuration change can remain in effect permanently or for a specified period. Because an attacker can forge source addresses, automatic blocking should exclude addresses you cannot afford to lose (your DNS servers, upstream gateway, business partners); otherwise the response itself becomes a denial-of-service lever for the attacker.

Implementing an Active Response

IDS instructing the firewall to close port 80 for 60 seconds to thwart an IIS attack
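The time-limited block the figure describes, as an added example that is not code from the original slides. The "firewall" is an in-memory stand-in with an injectable clock (a real deployment would push the rule to the border device's API), the alerts are constructed, and the 60-second block, the permanent block after three alerts, and the never-block list containing a hypothetical internal DNS server are all assumed policy values.

```python
"""Active response: turn analyzer alerts into firewall blocks that expire after
a set period, with a permanent block for repeat offenders and a list of
addresses that must never be blocked. Added example for this page (not code
from the original slides); the firewall is an in-memory stand-in for a real
border router or firewall API, and the alerts are constructed."""

class TimedBlocklist:
    """Stand-in for the firewall's block rules. `clock` returns seconds and is
    injectable so the expiry logic can be exercised without sleeping."""

    def __init__(self, clock):
        self.clock = clock
        self.rules = {}            # ip -> expiry time in seconds, or None for permanent

    def block(self, ip, seconds=None):
        expiry = None if seconds is None else self.clock() + seconds
        if ip in self.rules:
            existing = self.rules[ip]
            if existing is None:                          # already permanent
                return
            if expiry is not None and expiry <= existing:  # would shorten an existing block
                return
        self.rules[ip] = expiry

    def purge_expired(self):
        now = self.clock()
        for ip, expiry in list(self.rules.items()):
            if expiry is not None and expiry <= now:
                del self.rules[ip]

    def is_blocked(self, ip):
        self.purge_expired()
        return ip in self.rules


class ActiveResponder:
    def __init__(self, firewall, block_seconds=60, permanent_after=3, never_block=()):
        self.fw = firewall
        self.block_seconds = block_seconds
        self.permanent_after = permanent_after
        # Addresses an attacker could spoof to make us cut ourselves off (DNS, gateway).
        self.never_block = set(never_block)
        self.hits = {}

    def handle(self, alert):
        """Return the action taken for an alert of the form {"src": ip, "sig": id}."""
        src = alert["src"]
        if src in self.never_block:
            return "ignored"       # log only; blocking this would be a self-inflicted DoS
        self.hits[src] = self.hits.get(src, 0) + 1
        if self.hits[src] >= self.permanent_after:
            self.fw.block(src)
            return "permanent"
        self.fw.block(src, self.block_seconds)
        return "temporary"


def demo():
    """Replay constructed alerts against a fake clock; return what was observed."""
    now = [0.0]
    fw = TimedBlocklist(clock=lambda: now[0])
    resp = ActiveResponder(fw, block_seconds=60, permanent_after=3, never_block={"10.0.0.53"})
    out = {}
    out["first"] = resp.handle({"src": "203.0.113.5", "sig": "SIG-001"})
    now[0] = 30.0
    out["blocked_at_30s"] = fw.is_blocked("203.0.113.5")
    now[0] = 61.0
    out["blocked_at_61s"] = fw.is_blocked("203.0.113.5")          # the 60 s block has expired
    out["second"] = resp.handle({"src": "203.0.113.5", "sig": "SIG-001"})
    out["third"] = resp.handle({"src": "203.0.113.5", "sig": "SIG-002"})  # third strike
    now[0] = 100000.0
    out["blocked_much_later"] = fw.is_blocked("203.0.113.5")
    out["dns"] = resp.handle({"src": "10.0.0.53", "sig": "SIG-001"})  # spoofed? never block it
    out["dns_blocked"] = fw.is_blocked("10.0.0.53")
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The expiry is the point of the example: a temporary block bounds the damage of a false positive, and the escalation to a permanent block only happens for a source that keeps coming back, which a one-off spoofed packet cannot do.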

Page 17

Deception: A deception active response fools the attacker into thinking the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a system that is designed to be broken. This allows the operator or administrator to gather data about how the attack is unfolding and the techniques being used. This process is referred to as sending them to the honeypot. It's dangerous to allow an attacker to proceed into your network, even if you're monitoring the events. This approach is frequently used when law enforcement is gathering evidence to ensure a successful prosecution of the attacker.

Implementing an Active Response

A network honeypot deceives an attacker and gathers intelligence

Page 18

Working with a Host-Based IDS
A host intrusion detection system (HIDS) is designed to detect attacks on a single computer system. HIDS software is installed on each host that needs IDS capabilities. Because the HIDS runs on the computer it protects, an attacker who gains control of that computer can also disable the HIDS or tamper with its logs; for this reason HIDS alerts and logs should be forwarded to a separate, central system as they are generated. HIDS can monitor:

- Network traffic specific to the host
- Checksums of important system files
- Ports used by the system or incoming connections
- Processes running on the system

HIDS can include filters and antivirus modules.

HIDSs are good at detecting unauthorized file modifications and user activity.

HIDS runs on a host in the network to:
- Monitor communications
- Monitor system logs and file systems
- Detect suspicious activities, including failed login attempts

A host-based IDS cannot see inside encrypted tunnels any more than an NIDS can, although it can see what the host does with the data after it is decrypted (the files written, processes started, and log entries produced). To monitor both the internal network and external traffic, NIDSs and HIDSs should be used together.

A host-based IDS interacting with the operating system

Page 19

Working with NIPS
A network intrusion prevention system (NIPS) detects network intrusion attempts and controls the intruders' access to the network. A NIPS is an improvement over an IDS in that an IPS actually prevents the intrusion rather than only reporting it. An inline NIPS works like a Layer 2 bridge: it sits between the systems that need to be protected and the rest of the network, and every packet must pass through it.

NIPS proactively protect machines against damage from attacks that purely signature-based technologies cannot detect, as most NIPS solutions have the ability to look at application-layer protocols such as HTTP, FTP, and SMTP. When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds a single point of failure to the network, and any false positive now blocks legitimate traffic rather than just raising an alert. A common way to address the failure issue is fail-open technology: if the device fails, it does not cause a complete network outage; instead it acts like a patch cable and passes traffic through uninspected. That is a deliberate trade of protection for availability; where security matters more than uptime, a fail-closed device is the correct choice.

Page 20

Utilizing Honeypots
Honeypots are computer systems designed to be vulnerable points of attack on a separate network away from the corporate network. Honeypots lure an attacker by appearing to be a legitimate server with security holes that are ripe and ready for exploitation.

A honeypot simulates a network of vulnerable devices and has logging and tracing enabled. To attract attackers, a honeypot has its security level purposefully set quite low, so as to draw attackers to it and divert them from the private network.

This security technique allows administrators to observe attackers in action while not exposing vital network resources. Because no legitimate user has any reason to touch a honeypot, nearly every connection to it is suspicious, which is why its alerts have so few false positives.

Law enforcement agencies use honeypots to gather evidence for prosecution.

A honeypot is most often deployed on the DMZ or screened subnet. Compared to IDSs and firewalls, honeypots are usually easier to configure and monitor. In addition, IDSs and firewalls collect vast quantities of information, while honeypots provide valuable information on only the specific attack. The honeypot must still be isolated from the rest of the network so that, once compromised, it cannot be used as a stepping stone.

Before implementing a honeypot, you need to understand the concepts of enticement and entrapment. Enticement is the process of luring someone into your plan or trap. You might accomplish this by advertising that you have free software, or you might brag that no one can break into your machine. If you invite someone to try, you're enticing them to do something that you want them to do. Entrapment is the process of encouraging an individual to perform an unlawful act that they wouldn't normally have performed.

While enticement is legally acceptable, entrapment isn't. You should seek legal advice before you implement a honeypot on your network.

Page 21

Understanding Incident Response
An incident is the occurrence of any event that endangers a system or network.

Incident response encompasses forensics (identifying what has occurred) and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.

It’s a good idea to include the procedures you’ll generally follow in an incident response plan (IRP). The IRP outlines what steps are needed and who is responsible for deciding how to handle a situation.

A chain of custody tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed.

Page 22

Step One: Identifying the Incident

The first step is to identify the incident and determine if it is an incident, or just a false positive.

A false positive occurs when the software classifies an action as a possible intrusion when it is actually a nonthreatening action.

When a suspected incident pops up, first responders are those who must ascertain if it truly is an incident or a false alarm.

When the response team has determined that an incident occurred, the next step in incident analysis involves considering how to handle it by taking a comprehensive look at the incident activity to determine the scope, priority, and threat of the incident.

Escalation involves consulting policies and appropriate management, and determining how best to conduct an investigation into the incident.

Understanding Incident Response

Page 23

Step Two: Investigating the Incident

The process of investigating an incident involves searching logs, files, and any other sources of data about the nature and scope of the incident.

If possible, you should determine whether this is part of a larger attack, a random event, or a false positive.

You might find that the incident doesn't require a response if the attempt cannot succeed against your systems (for example, an exploit for software you don't run); it is still worth recording.

Your investigation might conclude that a change in policies is required to deal with a new type of threat.

Understanding Incident Response

Page 24

Step Three: Repairing the Damage

In keeping with the severity of the incident, the organization can act to mitigate the impact of the incident by containing it and eventually restoring operations back to normal.

Most operating systems provide the ability to create a disaster-recovery process using distribution media or backups of system state files.

In the case of a DoS attack, a system reboot may be all that is required to restore service, once the flood has stopped or been blocked upstream.

Your operating system manufacturer will typically provide detailed instructions or documentation on how to restore services in the event of an attack.

Just as every network, regardless of size, should have a firewall, it should also be protected by antivirus software that is enabled and current.

If a system has been severely compromised it may need to be rebuilt from scratch. In that case, you're highly advised to do a complete disk format or repartition to ensure that nothing is lurking on the disk, waiting to infect your network again. If the evidence may be needed later, take a forensic image of the disk (and record it in the chain of custody) before you wipe it.

Understanding Incident Response

Page 25

Step Four: Documenting and Reporting the Response

You should document the steps you take to identify, detect, and repair the system or network.

It is important to accurately determine the cause of each incident so that it can be fully contained and the exploited vulnerabilities can be mitigated to prevent similar incidents from occurring in the future.

Many help-desk software systems provide detailed methods you can use to record procedures and steps.

You should also report the incident to law enforcement and/or a CERT (www.cert.org) so that others can be aware of the type of attack and help look for proactive measures to prevent this from happening again.

You might also want to inform the software or system manufacturer.

Understanding Incident Response

Page 26

Step Five: Adjusting Procedures

After an incident has been successfully managed, revisit the procedures and policies in place in your organization to determine what changes, if any, need to be made.

The following questions might be included in a policy or procedure manual:

- How did the policies work or not work in this situation?
- What did we learn about the situation that was new?
- What should we do differently next time?

These simple questions can help you adjust procedures. This process is called a postmortem, the equivalent of an autopsy.

Understanding Incident Response

Page 27

Working with Wireless Systems
Wireless Transport Layer Security (WTLS) is the security layer for wireless connections that use the Wireless Application Protocol (WAP). WAP is an open international standard for applications that use wireless communication.

WTLS provides authentication, encryption, and data integrity for wireless devices in the WAP environment. WTLS provides reasonable security for mobile devices, and at the time these slides were written it was widely implemented in wireless devices. WAP provides the functional equivalent of TCP/IP for wireless devices. Many devices of that era, including cell phones and PDAs, include support for WTLS as part of their networking protocol capabilities. (WAP and WTLS have since been superseded by ordinary TLS over IP on modern mobile devices.)

WTLS as part of the WAP environment

Page 28

IEEE 802.11x Wireless Protocols
The 802.11 standard specifies the technologies that are used for wireless LANs. The Institute of Electrical and Electronics Engineers (IEEE) developed the 802.11 standard. 802.11 transmissions generate detectable radio-frequency signals in all directions. (Do not confuse 802.11, the wireless LAN family, with 802.1X, the port-based network access control standard that is used to authenticate wireless clients.)

The members of the family covered on this slide:

Standard   Max. bandwidth   Frequency band                        Encoding
802.11     1 or 2 Mbps      2.4 GHz                               FHSS or DSSS
802.11a    54 Mbps          5 GHz                                 OFDM
802.11b    11 Mbps          2.4 GHz                               DSSS only; also called Wi-Fi or 802.11 high rate
802.11g    54 Mbps          2.4 GHz                               OFDM (falls back to DSSS for 802.11b clients)
802.11n    300 Mbps         5 GHz (also 2.4 GHz for compatibility) OFDM with multiple antennas (MIMO)

The 300 Mbps figure for 802.11n is the common two-stream, 40 MHz-channel rate; the standard allows up to 600 Mbps with four streams. 802.11n offers higher speed and, in the 5 GHz band, a frequency with less interference.

Page 29

Direct-sequence spread spectrum (DSSS) transmits a signal that is a combination of an artificial and a real signal. DSSS accomplishes communication by adding the data to a higher-speed transmission. The higher-speed transmission contains redundant information to ensure data accuracy, so each packet can be reconstructed in the event of a disruption. The receiving end uses the additional signal to maintain the integrity of the real signal when interference is experienced. Both ends must agree on the method for generating the signal. DSSS offers superior range, the ability to resist interference, and a transmission rate of 11 Mbps.

Frequency-hopping spread spectrum (FHSS) accomplishes communication by hopping the transmission over a range of predefined frequencies. The changing or hopping is synchronized between both ends and appears to be a single transmission channel to both ends. FHSS signals are difficult for malicious users to pick up. Orthogonal Frequency-Division Multiplexing (OFDM) is a modulation scheme used with networks in the IEEE 802.11a standard. OFDM accomplishes communication by breaking the data into subsignals and transmitting them simultaneously. These transmissions occur on different frequencies or subbands.

IEEE 802.11x Wireless Protocols

Page 30

The Wireless Application Protocol (WAP) is the technology designed for use with wireless devices. WAP functions are equivalent to TCP/IP functions in that they’re trying to serve the same purpose for wireless devices. The gateway converts information back and forth between HTTP and WAP as well as encodes and decodes between the security protocols. If the interconnection between the WAP server and the Internet isn’t encrypted, packets between the devices may be intercepted, creating a potential vulnerability. This vulnerability is called a gap in the WAP.

Wired Equivalent Privacy (WEP) is a standard for wireless devices that encrypts data to provide data security. WEP is vulnerable due to weaknesses in the way the encryption algorithms are employed. It can potentially be cracked in as few as five minutes using available PC software. This makes WEP one of the more vulnerable protocols available for security. The Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) technologies were designed to address the core problems with WEP. These technologies implement the 802.11i standard. The difference between WPA and WPA2 is that WPA implements most of 802.11i in order to be able to communicate with older wireless cards, while WPA2 implements the full standard and is not compatible with older cards. WPA2 is currently the highest standard for Wi-Fi communication security.

IEEE 802.11x Wireless Protocols

WEP and WPA (4:30)


Wireless Vulnerabilities to Know

Wireless systems are vulnerable to all the attacks that wired networks are vulnerable to. However, because these protocols use radio frequency signals for data emanation, they can be easily intercepted. To intercept 802.11x traffic, all you need is a PC with an appropriate 802.11x card installed. Without the use of a mandated encryption standard, data transmitted over an 802.11x wireless link may be passed in clear form. Additional forms of encryption may be implemented, such as WEP and AES, but transport encryption mechanisms suffer from the fact that a determined listener can obtain enough traffic data to calculate the encoding key in use. Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available WAPs. Turning off this broadcast can reduce the vulnerability of a broadcast packet sniffer readily identifying a WAP. Turning off SSID broadcast should be considered a “best practice,” along with conducting a site survey, selecting channels not already in use in the area, requiring WPA2 (or newer) encryption, and restricting access to a known list of Wi-Fi MAC addresses where possible.

MAC Filtering and SSID Management (3:20)


A site survey is the process of monitoring a wireless network using a computer, wireless controller, and analysis software. Site surveys generally produce information on the types of systems in use, the protocols in use, and other critical information. You should periodically complete a site survey to ensure that no unauthorized wireless access points are established. You will also want to perform a site survey before implementing any WLAN solution. This is particularly important in wireless networks spanning multiple buildings or open natural areas, where imposing structures and tree growth may affect network access in key areas. Site surveys are easily accomplished and hard to detect. To protect against unauthorized site surveys, change the default SSID and disable SSID broadcasts. Upon discovering a WAP using a site survey, physically locate the device and disconnect it. War driving is the act of driving about with a laptop looking for wireless LANs in a geographic area announcing their SSID broadcasts and WEP keys.

Wireless Vulnerabilities to Know

Wardriving and Warchalking (4:22)


When a client attempts to contact a wireless access point (AP), the AP authenticates the client through a basic challenge-response method, and then provides connectivity to a wired network or servers.

Because the client request is an omnidirectional open broadcast, it is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. By implementing a rogue AP with stronger signal strength than more remote permanent installations, the attacker can cause a wireless client to preferentially connect to their own stronger nearby connection using the wireless device’s standard roaming handoff mechanism. Bluejacking is an attack that sends unsolicited messages over a Bluetooth connection. It can be considered spamming in a Bluetooth environment. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are vulnerable. Attackers use bluejacking to generate messages that appear to be from the device itself. This leads users to follow prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is an attack referred to as bluesnarfing.
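The periodic site survey from the previous slide and the rogue-AP scenario above come together in one defensive check: compare what a survey sees against the inventory of access points you actually own. The code below is an added example, not from the course slides. The inventory, the scan records, the `AccessPoint` fields and the finding names are all constructed; no vendor's scan format is implied, so a real deployment would fill `SAMPLE_SCAN` from the survey tool's export.

```python
# Added example (not from the course slides): compare a wireless site-survey
# scan against the authorized access-point inventory. The inventory, the scan
# records and the field names are constructed; no vendor's format is implied.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str       # MAC address of the radio
    channel: int
    signal_dbm: int  # signal strength as seen from the survey location
    security: str    # "WPA2", "WEP" or "OPEN"


# Constructed inventory recorded during the pre-deployment site survey.
AUTHORIZED = {
    "00:11:22:aa:bb:01": AccessPoint("corp-wifi", "00:11:22:aa:bb:01", 1, -50, "WPA2"),
    "00:11:22:aa:bb:02": AccessPoint("corp-wifi", "00:11:22:aa:bb:02", 6, -55, "WPA2"),
}


def audit_scan(scan, authorized=AUTHORIZED):
    """Return (bssid, finding, detail) triples for anything that deviates from the inventory."""
    findings = []
    our_ssids = {ap.ssid for ap in authorized.values()}
    strongest_ours = max((ap.signal_dbm for ap in scan if ap.bssid.lower() in authorized), default=None)
    for ap in scan:
        bssid = ap.bssid.lower()
        known = authorized.get(bssid)
        if known is None:
            if ap.ssid in our_ssids:
                # Our SSID from a radio we do not own: the rogue-AP / evil-twin pattern.
                detail = f"unauthorized radio advertising {ap.ssid!r} at {ap.signal_dbm} dBm on channel {ap.channel}"
                if strongest_ours is not None and ap.signal_dbm > strongest_ours:
                    detail += " (stronger than any authorized AP here: clients will roam to it)"
                findings.append((bssid, "evil-twin", detail))
            else:
                findings.append((bssid, "unknown-ap", f"{ap.ssid!r} at {ap.signal_dbm} dBm on channel {ap.channel}"))
            continue
        # Known radio, but its configuration drifted from the survey baseline.
        if ap.security != known.security:
            findings.append((bssid, "security-change", f"{known.security} -> {ap.security}"))
        if ap.channel != known.channel:
            findings.append((bssid, "channel-change", f"{known.channel} -> {ap.channel}"))
    return findings


# Constructed scan result from a follow-up survey.
SAMPLE_SCAN = [
    AccessPoint("corp-wifi", "00:11:22:AA:BB:01", 1, -48, "WPA2"),   # healthy
    AccessPoint("corp-wifi", "00:11:22:aa:bb:02", 6, -57, "OPEN"),   # encryption was switched off
    AccessPoint("corp-wifi", "00:11:22:aa:bb:ff", 11, -35, "OPEN"),  # evil twin, stronger than ours
    AccessPoint("linksys", "de:ad:be:ef:00:01", 3, -70, "WEP"),      # neighbour or rogue, not ours
]

if __name__ == "__main__":
    for bssid, finding, detail in audit_scan(SAMPLE_SCAN):
        print(f"{finding:16} {bssid}  {detail}")
```

The signal strength in each finding is what lets you do the last step the slide asks for, physically locating the device: walk toward the stronger reading and the rogue radio is where the number peaks.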

Wireless Vulnerabilities to Know

Rogue Access Points and Evil Twins (5:21)

Bluejacking and Bluesnarfing (5:44)


Understanding Instant Messaging’s Features

Instant messaging (IM) has become a hugely popular application on the Internet. Millions of users use instant messaging.

America Online and Microsoft provide IM services to their subscribers. IM users can send photos, play network games, conduct chats, send e-mail, and even have IM conferences.

Clients use software to connect to IM servers to communicate. These servers might be synchronized worldwide to allow instantaneous communications between any two users in the world.

Clients connecting to an IM server system similar to the ones used by Microsoft and AOL


Understanding IM Vulnerabilities

Jamming is the process of intentionally disrupting communications in an IM session. Jamming is a loosely defined term, and it refers to any intentional disruption that isn’t a DoS attack.

IM users are highly susceptible to malicious code attacks such as worms, viruses, and Trojan horses. Ensure that IM users have up-to-date antivirus software installed.

Most IM systems allow broadcasts. The broadcasting capability allows an attacker to potentially send a “bait message” to millions of people simultaneously. The acronym SPIM has even been added recently to the vernacular to describe spam over instant messaging.

An IM user complaining that his system is unresponsive and about a million web browser windows have opened on his screen has just encountered an application-level DoS attack. This type of attack is common and isn’t usually fatal, but it’s very annoying. Your user should restart his system, verify that the website didn’t transmit a virus, and stay away from broadcasted websites.

IM systems allow unsuspecting users to download files that may contain viruses. Due to a weakness in the file extension naming conventions, a file that appears to have one extension may actually have another extension. For example, the file account.doc.vbs would appear in many applications as account.doc, but it’s actually a Visual Basic script and could contain malicious code.


Working with 8.3 File Naming

The 8.3 format allows eight characters for the filename and three characters for the file type or extension. Certain file extensions tell the operating system to immediately start executing a file (for example, .bat, .com, and .exe).

Windows hides the file extension from the user.

If a file type is indicated, the system automatically opens the program that has been registered to be associated with that file type.

If the file is an executable or a script, it will start executing using the appropriate language or command processor. If this file is a Trojan horse, a worm, or some other form of malicious code, the system has potentially been compromised.
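The account.doc.vbs case from the IM slide and the extension-hiding behaviour described here can be checked mechanically before an attachment reaches a user. The following is an added example, not code from the course slides: the executable extensions .bat, .com, .exe and .vbs come from the slides, the remaining entries in `EXECUTABLE_EXTENSIONS` are assumed additions with the same execute-on-open behaviour, and the sample file names are constructed.

```python
# Added example (not from the course slides): a checker for the
# "account.doc.vbs shows as account.doc" problem. The executable extensions
# named on the slides are .bat, .com, .exe and .vbs; the rest are assumed
# additions. The file names below are constructed.
import os

EXECUTABLE_EXTENSIONS = {
    ".bat", ".com", ".exe", ".vbs",          # named on the slides
    ".cmd", ".js", ".scr", ".pif", ".wsf",   # assumed additions with the same behaviour
}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".txt", ".xls", ".jpg"}


def real_extension(filename):
    """The extension the OS actually dispatches on: the text after the last dot."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename, hide_known_extensions=True):
    """Approximate what Explorer shows with 'Hide extensions for known file types' enabled."""
    stem, ext = os.path.splitext(filename)
    return stem if (hide_known_extensions and ext) else filename


def is_disguised_executable(filename):
    """True when the OS will execute the file but the user sees a document-looking name."""
    if real_extension(filename) not in EXECUTABLE_EXTENSIONS:
        return False
    apparent = os.path.splitext(displayed_name(filename))[1].lower()
    return apparent in DOCUMENT_EXTENSIONS


def audit_attachments(filenames):
    """Return (filename, displayed name, real extension) for every disguised executable."""
    return [(f, displayed_name(f), real_extension(f)) for f in filenames if is_disguised_executable(f)]


# Constructed sample of attachment names as they might arrive over IM.
SAMPLE_ATTACHMENTS = ["account.doc.vbs", "setup.exe", "report.pdf", "invoice.PDF.exe", "notes.txt"]

if __name__ == "__main__":
    for name, shown, ext in audit_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name:18} shown as {shown:14} but executes as {ext}")
```

A plain `setup.exe` is executable but not disguised, so it is left out of the audit: the danger the slides describe is specifically the mismatch between what the user sees and what the command processor runs.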

Common Executable File Types That PC Systems Use


Understanding Protocol Analyzers

Protocol Analyzers (2:35)

A protocol analyzer provides information regarding traffic flow and statistical information for your network. It is used to capture network traffic and generate statistics for creating reports. A protocol analyzer is a software utility used on a hub, a switch supervisory port, or inline with network connectivity to allow the analysis of network communications. Individual protocols, specific endpoints, or sequential access attempts may be identified using this utility. A protocol analyzer is also referred to as a network analyzer or packet sniffer. Windows Server operating systems come with a protocol analyzer called Network Monitor.
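What a protocol analyzer does at its core is decode the headers of each frame and aggregate them into statistics. The code below is an added example, not from the course slides or from Network Monitor: it decodes Ethernet, IPv4 and the TCP/UDP port fields with `struct`, and the frames it analyzes are constructed in-line by `build_frame()` rather than captured from a live network. Function names and the shape of the summary are assumptions for the demonstration.

```python
# Added example (not from the course slides): a minimal protocol analyzer that
# decodes Ethernet/IPv4/TCP/UDP headers and produces the kind of traffic
# statistics the slide describes. The frames are constructed with build_frame();
# nothing is captured from a live network.
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_NAMES = {PROTO_ICMP: "icmp", PROTO_TCP: "tcp", PROTO_UDP: "udp"}


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src_ip, dst_ip, proto, sport=0, dport=0, payload=b""):
    """Constructed sample frame: Ethernet + 20-byte IPv4 header + TCP/UDP header + payload."""
    ethernet = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
        transport = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == PROTO_UDP:
        transport = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        transport = b""
    total_length = 20 + len(transport) + len(payload)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, proto, 0,
                       _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return ethernet + ipv4 + transport + payload


def parse_frame(frame):
    """Decode one frame into a flat record; non-IPv4 frames are still counted by EtherType."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"proto": f"ethertype-0x{ethertype:04x}", "bytes": len(frame)}
    ip = frame[14:]
    header_len = (ip[0] & 0x0F) * 4       # IHL is in 32-bit words
    proto = ip[9]
    record = {
        "proto": PROTO_NAMES.get(proto, f"ip-proto-{proto}"),
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "bytes": len(frame),
    }
    transport = ip[header_len:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(transport) >= 4:
        record["sport"], record["dport"] = struct.unpack("!HH", transport[:4])
    return record


def summarize(frames):
    """Per-protocol, per-endpoint and per-service counts, like an analyzer's statistics view."""
    records = [parse_frame(f) for f in frames]
    return {
        "frames": len(records),
        "bytes": sum(r["bytes"] for r in records),
        "by_protocol": Counter(r["proto"] for r in records),
        "by_source": Counter(r["src"] for r in records if "src" in r),
        "by_service": Counter((r["proto"], r["dport"]) for r in records if "dport" in r),
    }


# Constructed traffic sample: two HTTPS connections, one DNS query, one ping, one ARP frame.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "198.51.100.20", PROTO_TCP, 50000, 443),
    build_frame("192.0.2.11", "198.51.100.20", PROTO_TCP, 50001, 443),
    build_frame("192.0.2.10", "192.0.2.1", PROTO_UDP, 50002, 53, b"\x00" * 12),
    build_frame("192.0.2.10", "192.0.2.1", PROTO_ICMP),
    b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28,   # ARP, not IPv4
]

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_FRAMES).items():
        print(f"{name:12} {dict(value) if isinstance(value, Counter) else value}")
```

The `by_source` and `by_service` counters are the "specific endpoints" and "individual protocols" views the slide mentions; a real analyzer adds checksum validation, reassembly and deeper decoders on top of the same header walk.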


Understanding Signal Analysis and Intelligence

The terms signal analysis and signal intelligence refer to capturing and analyzing electronic signals. The purpose is to identify and evaluate the enemy, identify and track communications patterns, and identify what types of technologies are being used to send them.

Footprinting involves identifying your network and its security posture. Footprinting is done using multiple sources of information to determine what systems you may be using. DNS footprinting involves a hacker using a lookup tool (such as NSLOOKUP) to gain access to your DNS server. Footprinting obtains the active blueprint of an organization’s infrastructure and security profile. It includes using the WhoIs and NsLookup tools.

Scanning is the process of gathering data about your network configuration and determining which systems are live. Hackers will use scanning programs to look for paths to systems in your network. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Port scanners are useful in creating an inventory of services hosted on networked systems. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. Unlike port scanners, which only test for the availability of services, vulnerability scanners may check for the particular version or patch level of a service to determine its level of vulnerability.

A network mapper is a software utility used to conduct network assessments over a range of IP addresses. It compiles a listing of all systems and network hardware present within a network segment, which can be used to identify single points of failure, conduct a network inventory, and create graphical details suitable for reporting on network configurations.

Penetration testing involves footprinting, scanning, and enumerating.

Scanning identifies active computers, ports, and services. It includes using the Ping, Nmap, and TraceRt tools. Enumerating involves compiling the information from the scanning phase and identifying target systems. During this phase, actual user and group accounts are obtained using DNS queries, NBT scans, and the snmputil tool.
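From the defender's side, the scanning phase described above leaves a recognizable trace: one source touching many service ports on one host in a short time. The code below is an added example, not from the course slides; it runs that check over constructed firewall drop-log lines. The log format, the RFC 5737 documentation addresses, the timestamps and the thresholds (`window`, `min_ports`) are all constructed, so `parse_line()` would be adapted to a real firewall's format.

```python
# Added example (not from the course slides): detecting the "scanning" phase the
# slide describes from firewall drop logs. The log format, the addresses and the
# timestamps are constructed; adapt parse_line() to a real firewall's format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=10):
    """Flag a (src, dst) pair that touches at least min_ports distinct ports within window."""
    hits = defaultdict(list)          # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            hits[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct destination ports in the window beginning at this event.
            ports = {p for ts, p in events[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": len(ports), "first_seen": start})
                break   # one alert per pair is enough for a SOC queue
    return alerts


def _constructed_log():
    """Constructed sample: one scanner, one repeated SSH attempt, one slow host, one bad line."""
    scanned = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
    lines = [f"2024-01-01T10:00:{i:02d} DROP 203.0.113.5:{51000 + i} -> 192.0.2.10:{p} tcp"
             for i, p in enumerate(scanned)]
    lines += [f"2024-01-01T10:0{i}:00 DROP 198.51.100.7:{40000 + i} -> 192.0.2.10:22 tcp"
              for i in range(4)]
    lines += [f"2024-01-01T1{h}:00:00 DROP 203.0.113.9:40500 -> 192.0.2.10:{p} tcp"
              for h, p in zip(range(5), [80, 443, 8080, 8443, 22])]
    lines.append("malformed line that the parser must skip")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(alert)
```

Counting distinct ports rather than raw hits is what separates a scan from a repeated login failure against a single service; the second host in the sample, which probes five ports spread over four hours, only trips the rule if the window and threshold are widened, which is the usual tuning trade-off between catching slow scans and drowning in false positives.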


The End