Lab #9 - Assessment Worksheet
Investigating and Responding to Security Incidents
Course Name and Number: CSS280-1501A-01 Ethical Hacking
Student Name: ***** ******
Instructor Name: ***** ******
Lab Due Date: 2/9/2015
Overview
In this lab, you acted as a member of the incident response team who had been assigned an incident response in the form of a help desk trouble ticket. You followed the phases of a security incident response to investigate the event, contain the malware, eradicate the suspicious files, re-test the system in readiness for returning it to service, and complete a detailed security incident response report in the provided template. You used AVG
You also used the OpenVAS scanning tool to scan the TargetSnort virtual machine to test the Snort configuration and see exactly what circumstances trigger an IDS alert.
Lab Assessment Questions & Answers
1. What is the difference between an IDS and an IPS?
The main difference between the two systems is the action they take when an attack is detected in its initial phases (network scanning and port scanning).
* The Intrusion Detection System (IDS) provides the network with a level of preventive security against any suspicious activity. The IDS achieves this objective through early warnings aimed at system administrators. However, unlike an IPS, it is not designed to block attacks.
* An Intrusion Prevention System (IPS) is a device that controls access to IT networks in order to protect systems from attack and abuse. It is designed to inspect attack data and take the corresponding action, blocking the attack as it develops and before it succeeds, for example by creating a series of rules in the corporate firewall.
2. Why is it important to perform a network traffic baseline definition analysis?
So the administrator can ensure that the presence, absence, amount, direction,
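A toy sensor illustrating both answers above, added here as an example and not part of the lab or of the Snort/OpenVAS tools it used: it builds a per-host destination-port baseline from constructed "normal" flows, flags a deviation from that baseline and a signature match, and shows that the same alert leaves the flow forwarded in IDS mode but dropped, with the source host blocked, in IPS mode. All hosts, ports, the threshold and the rule are constructed for this example.

```python
# Added example (not from the lab): a toy sensor showing why a baseline matters
# and what differs between IDS and IPS after an alert. All data is constructed.
from collections import defaultdict
# Normal traffic from the baseline period: (src, dst, dst_port).
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 80), ("10.0.0.5", "10.0.0.20", 443),
    ("10.0.0.7", "10.0.0.20", 53), ("10.0.0.7", "10.0.0.20", 80),
]
# Later traffic: known hosts behaving normally, plus 10.0.0.9 probing
# several ports (the initial phase the answer to question 1 refers to).
OBSERVED_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 80),
    ("10.0.0.9", "10.0.0.20", 21), ("10.0.0.9", "10.0.0.20", 22),
    ("10.0.0.9", "10.0.0.20", 23), ("10.0.0.9", "10.0.0.20", 25),
    ("10.0.0.9", "10.0.0.20", 4444), ("10.0.0.7", "10.0.0.20", 53),
]
# Signature-style rule (constructed), like a Snort line of the form
#   alert tcp any any -> $HOME_NET 4444 (msg:"port 4444"; sid:1000001;)
SIGNATURES = {4444: "connection to port 4444 matched a local rule"}
def build_baseline(flows):
    """Map each source host to the destination ports it normally uses."""
    ports = defaultdict(set)
    for src, _dst, port in flows:
        ports[src].add(port)
    return ports

def run(flows, baseline, mode="ids", scan_threshold=4):
    """Return (alerts, forwarded, dropped). IDS mode forwards everything and
    only alerts; IPS mode also drops the flow and blocks its source host."""
    seen, blocked = defaultdict(set), set()
    alerts, forwarded, dropped = [], [], []
    for flow in flows:
        src, _dst, port = flow
        if src in blocked:              # only ever true in IPS mode
            dropped.append(flow)
            continue
        seen[src].add(port)
        new_ports = seen[src] - baseline.get(src, set())
        alert = None
        if port in SIGNATURES:          # known-bad: signature match
            alert = (src, "signature", SIGNATURES[port])
        elif len(new_ports) >= scan_threshold:   # deviation from baseline
            alert = (src, "anomaly", f"{len(new_ports)} ports outside baseline")
        if alert:
            alerts.append(alert)
            if mode == "ips":
                blocked.add(src)
                dropped.append(flow)
                continue
        forwarded.append(flow)
    return alerts, forwarded, dropped
```

Without the baseline, 10.0.0.7 contacting port 53 would look just like the probing host's first flow; with it, only ports a host has never used count toward the scan threshold.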
Several previous studies comparing the performance of the two NIDSs indicate that Snort is efficient in various respects. For instance, the comparison of Snort version 2.8.5.2 with Suricata version 1.0.2 gave a clear indication of the strength of each system's engine when used to protect the network. The testbed was an Ubuntu 10.04 virtual machine hosted in a VMWare Terminal 6.5 virtual environment running on a 2.8GHz Quad-Core Intel Xeon CPU with 3GB of RAM. The research examined the speed of detection and the accuracy under changing rates of network and CPU usage (Albin, 2011). CPU usage was controlled with Cpulimit and network bandwidth with Tcpreplay. Alerts were triggered by introducing six unknown malware samples created with the Metasploit framework. The results characterized Snort as more efficient with system resources than Suricata, but when operating in a multi-CPU setting Suricata was more effective as a result of fewer false negatives.
For the purpose of this assignment, Snort will be used as the intrusion detection system. Snort is an open-source IDS that can monitor traffic in real time, log packets, and inspect each packet as it enters the network. Snort can be used as a packet sniffer to analyse network traffic in order to detect any bizarre-looking packets or payloads that might contain malicious data. Snort can also detect payload attacks against the network or host system, including but not limited to stealth port scans and buffer overflows.
IDS: An integrated delivery system is defined as a network of healthcare organizations under a parent organization or company that operates this service business. The purpose of an IDS is to facilitate health-related services for people through the health network. An IDS contains either a network of hospitals and physicians or a network of physicians only; sometimes it contains an HMO component as well. The purpose of an IDS is to reduce the cost of health care and improve the quality of healthcare services.
IPS and IDS systems will be another addition used to protect the Riordan Manufacturing networks as well. There is a difference between these two systems, and it is important to know what each one does. IPS stands for Intrusion Prevention System. This system is designed to prevent attacks from hitting the network. For the new Riordan network, the IPS that will be implemented is Sourcefire, because it uses a rule-based detection engine known as Snort.
Preventive controls can be as simple as locks and keys to access sensitive areas of a building, clearances to access classified data, or the use of complex passwords with encryption. Detective controls can be as simple as cameras or motion detector systems in a building, or as complex as a network intrusion detection system (NIDS) on the network. Corrective controls, usually combined with preventive and detective controls, help reduce the damage once a risk has manifested. This can be done by performing regular backups in case of a system crash. Below is an illustration (Figure 4-1) of the three main types of security
An Intrusion Detection System (IDS) is a protection scheme that collects and analyzes audit data for the entire network.
2.4.7 Rapid intrusion detection and response procedures: KIU should have mechanisms in place to reduce the risk of undetected system intrusions. Computing systems are never perfectly secure. When a security failure occurs and an attacker is "in" the institution's system, only rapid detection and reaction can minimize any damage that might occur. Techniques used to identify intrusions include intrusion detection systems (IDS) for the network and for individual servers (i.e., host computers), automated log correlation and analysis, and the identification and analysis of operational
Other considerations for making sure that a network intrusion is detected and/or mitigated are constantly monitoring the network for any anomalies and having an alert/notification system. An alert and notification system allows the organization's incident response team/plan to be activated and to take the necessary steps to isolate the incident, contain it, and take the necessary action to resolve the issue.
These proposals and system suggestions can minimize the vulnerabilities associated with any compromises or intrusions within the network. Deploying an intrusion detection system is an essential security strategy for monitoring a network information system for abnormal or unauthorized activity. An intrusion detection system (IDS) is a set of tools that monitors a network topology and provides a system administrator with the overall picture of how the system is being utilized. Implementing an IDS makes a defense-in-depth architecture more effective at recognizing any form of malicious activity. The purpose of the IDS is to monitor and survey network traffic without affecting network activity. IDS tools gather information and analyze it against a predefined rule set and against a set of known attack signatures. The IDS can scan port numbers and determine whether any breaches or attacks are occurring (Kuipers,
IDPS technology uses several different methods to detect attacks: signature-based detection, anomaly-based detection, and stateful protocol analysis. Most IDPS technologies use multiple methods, either separately or together, to broaden coverage and improve detection accuracy. The simplest detection method is signature-based, because a signature corresponds to a known attack or type of attack. Signature-based detection is the process of comparing observed events with known signatures of attacks to help identify possible attacks. Detection technologies that implement only signature-based detection will be ineffective at detecting zero-day attacks.
Computer networks should be secured so that hackers cannot access the interior of the network. This should be achieved through strong authentication, antivirus software, firewalls, and intrusion detection systems.
In the budget preparation phase of the planning process, neutralizing attacks enables the organization to reduce cost by minimizing the number of cyber-attacks and by developing prevention mechanisms for known threats, for instance creating a signature to detect an intrusion and blocking the attack, for example at the firewall, before it can take hold of the network. The quality of the software and hardware devices is also vital in the prevention of cyber-attacks, since it reduces the vulnerabilities the devices are exposed to in the course of their operation.
While the role of reaction has traditionally been assumed by the system or network manager, we start by programming the IDS, which operates online and in real time, to behave either reactively or proactively to ensure that fraud is brought under control. Reactive means to point out and respond to the detection of an intrusion by, for example, terminating the suspect process, disconnecting the offending user, or modifying a router filter list. A proactive IDS, by contrast, would not wait to flag an intrusion but would instead take pre-emptive countermeasures; it might, for example, actively interrogate all existing user processes, perhaps using counterfeit Trojan utilities, and terminate
The goal of intrusion detection is to monitor network assets, detect anomalous behavior, and identify misuse within a network (Ashoor, Gore, 2011). An intrusion detection system (IDS) is a device or software application that monitors network system activities for malicious activity or policy violations and produces reports to a management station (Kashyap, Agrawal, Pandey, Keshri, 2013). Additionally, there are three types of IDS:
As we evolve through time, technology evolves with us. With our accomplishments in technology we have reached beyond our imagination, achieving things our ancestors could only dream of having. But while technology can be used for good deeds, some want to take advantage of it for personal profit, so countermeasures were created to defend against them. System security is a defence mechanism against illegal access to a user's or owner's computer or other devices containing personal information without the owner being aware. System security covers network protection against the accidental downloading of software such as computer viruses, spam, worms, Trojan horses, logic bombs, spyware, and adware, which create an annoyance, steal, harm or alter data, or cripple system capacities. It also covers physical protection, preventing others from stealing or accessing your personal devices. Protective programs have been created for a long time and are still being created to fight threatening programs. The battle of anti-threatening