Running head: UNIT 3 RESEARCH PROJECT 1
Unit 3 Research Project
Eddie S. Jackson
Kaplan University
IT540: Management of Information Security
Kenneth L. Flick, Ph.D.
10/07/2014
Table of Contents
Abstract
Part I
  Host Detail Screen
  BASE Alerts Detail Screen
  Individual BASE Alert Detail Screen
  ATTACK RESPONSE on BASE Alert Screen
Part II
  Assessing the Compromised Server
  Checking Files
  Checking Network Activity
  Checking Possible Vulnerabilities
  Checking Network Account Activity
  Protecting Network Resources
References
Abstract
The unit three research project presents a two-part assignment that relates to computer forensics,
which encompasses the steps and tools that are required for incident response and attack
prevention. Both parts of the assignment are meant to reinforce the fundamental concepts
associated with forensic science. In Part I, there is a hands-on Snort lab. The Snort lab exercise is
a real-world scenario that allows the student to become familiar with Snort software, and in turn
learn to scan a network stream, capture alerts, and assess specific alert types. In Part II of the
assignment, the student is asked to assess a hypothetical server break-in, and respond in essay
form to a series of questions. These questions are intended to highlight the steps and tools
utilized in network resource protection.
Unit 3 Research Project
Part I
The Jones & Bartlett Lab. In this lab, Snort was used in incident handling. See snapshots
below.
Screen capture of the host detail screen from the Lab #10 SNORT Scan:
Screen capture of the BASE alerts detail screen:
Screen capture of an individual BASE alert detail:
Screen capture of an ATTACK RESPONSE on the BASE alert detail screen:
Part II
The break-in. In the second part of the assignment, there is a hypothetical break-in which
requires a five-question assessment. Each question explores the ideas and concepts of computer
forensics.
What are the steps and tools used in assessing a compromised server? When
hackers compromise servers, sometimes there are obvious signs of malicious activity, and
sometimes the exploits are stealthier. In either case, the information security officer, upon
notification that something is wrong with a server, must have a plan for assessing a compromised
server; this plan contains the steps and tools necessary to determine exactly what damage has
been done to the server. Considering the break-in, the first step the information security officer
should take is verifying that the server has indeed been compromised (Obialero, 2005). This
verification can be a visual inspection of the running processes and network activity using a
process manager; on Microsoft-based operating systems, this is called the Task Manager
(Microsoft, n.d., para. 1).
A second technique for assessing a compromised server would be to scan the system to
verify the integrity of its files. For example, in Microsoft operating systems, there is a System
File Checker (sfc) which can be executed to scan, report on, and even repair compromised files
(Microsoft TechNet, n.d., para. 1). If this server is a domain controller running Microsoft’s
Active Directory, and access auditing has been configured, the event properties of the audited
object can be accessed and reviewed in the Event Viewer (Levin, 2007). Finally, other tools such
as anti-virus scanners and malware scanners can also be utilized to scan a server to validate
whether or not the server has been compromised.
Which files would be checked? Of course, knowing exactly which files should be
checked for integrity is critical to the overall assessment of the compromised server. Hackers
target particular areas of an operating system; these areas contain the required system files and
essential services. System files are file types that end in DLL, OCX, and EXE. Server services
are usually associated with these file types as well. To check the integrity of files and services,
forensic utilities such as those from NirSoft can be used. For example, NirSoft’s RegDllView
utility scans registered DLL, OCX, and EXE files. Additionally, RegDllView returns when the
files were registered with the system, and provides a list of files that are no longer needed
(NirSoft, 2014).
If this server is a web server, it is possible that hackers may have compromised the
server through web-based services. A common web server attack is where a hacker uses Cross
Site Scripting, or XSS, to modify server scripts and web pages that will be accessed by other
users (Valentino, n.d.). The specific files that should be checked in an XSS attack are PHP
scripts, session cookies, and other unknown or new scripts on the web server (Acunetix, n.d.).
Likewise, webpages coded in HTML and CSS should be analyzed for any recent changes to their
content.
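The two sections above describe scanning a server to verify file integrity and deciding which files to check. The following is an added example, not part of the original paper and not the sfc or RegDllView tools themselves: it records a SHA-256 baseline of a directory tree and later compares the tree against that baseline, reporting added, modified and deleted files, with the DLL/OCX/EXE extensions the paper singles out marked as high priority. The directory layout and file contents are constructed for the demonstration.

```python
"""File-integrity baseline and comparison (added example, not from the paper).

Builds a SHA-256 manifest of a directory tree, then diffs a later manifest
against it.  In a real deployment the baseline is taken from a known-good
state and stored off-host; here everything runs inside a temporary directory
with constructed files so the script is self-contained.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions the paper identifies as the system-file types attackers target.
SYSTEM_EXTENSIONS = {".dll", ".ocx", ".exe"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = sha256_of(full)
    return manifest


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return sorted lists of paths that were added, deleted, or changed since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "deleted": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def priority(path: str) -> str:
    """System-file extensions are reviewed first; everything else is 'normal'."""
    return "high" if Path(path).suffix.lower() in SYSTEM_EXTENSIONS else "normal"


def demo() -> dict[str, list[str]]:
    """Create a constructed tree, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "svc.dll").write_bytes(b"MZ original dll")
        (root / "system32" / "app.exe").write_bytes(b"MZ original exe")
        (root / "readme.txt").write_text("documentation")
        baseline = build_manifest(root)
        # A real baseline would be written to write-once or remote storage;
        # here it just round-trips through JSON to show the stored form.
        stored = json.loads(json.dumps(baseline))
        # Constructed tampering: one system file patched, one planted, one removed.
        (root / "system32" / "svc.dll").write_bytes(b"MZ patched dll")
        (root / "system32" / "evil.ocx").write_bytes(b"MZ planted")
        (root / "readme.txt").unlink()
        return compare_manifests(stored, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8} {priority(p):6} {p}")
```

The comparison only answers "what changed"; deciding whether a change is legitimate still requires the baseline to have been taken from a known-good state and stored where an intruder on the host cannot rewrite it.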
Where do you check for network activity? While it is crucial to identify which files
may have been compromised in an attack, scanning and monitoring network activity is equally
important. When servers have been compromised, it is common that a hacker will open
communication ports to be able to steal data or maintain open access to the server; unknown
established connections to a server, or other network resource for that matter, can be an obvious
sign of malicious activity. It is the responsibility of the information security officer to assess
network activity and determine whether or not these undesirable lines of communication exist.
There are simple tools such as netstat which can be used for viewing open ports. When using
netstat, there are options for displaying active TCP and UDP connections, Ethernet statistics, and
port numbers (Microsoft TechNet, n.d.).
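As an added example of the netstat review described above (not code from the paper, and not a Microsoft tool), the script below parses the table that `netstat -ano` prints on Windows and applies per-host allow-lists: listeners on unexpected ports and established connections to unexpected remote ports are reported together with the owning process ID, which is what the process review in Task Manager needs next. The netstat text, the allow-lists and the internal address range are all constructed for the demonstration.

```python
"""Triage of `netstat -ano` output (added example, not from the paper).

Parses the Windows netstat table into records, then flags rows that fall
outside a constructed policy for a web-server role.  Only the PID ties a
socket back to a process, so every finding carries it.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1264
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.5:80            10.0.0.23:51002        ESTABLISHED     1264
  TCP    10.0.0.5:49812         203.0.113.7:9001       ESTABLISHED     3120
  TCP    10.0.0.5:49820         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1040
"""

# Constructed policy: ports this host should listen on, remote ports its own
# outbound connections should use, and the organisation's address space.
EXPECTED_LISTEN_PORTS = {80, 135, 123}
EXPECTED_REMOTE_PORTS = {445, 53, 88, 389}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int | None
    remote_ip: str
    remote_port: int | None
    state: str  # empty for UDP rows, which have no State column
    pid: int


def split_endpoint(text: str) -> tuple[str, int | None]:
    """'10.0.0.5:80' -> ('10.0.0.5', 80); '*:*' -> ('*', None); '[::1]:80' -> ('::1', 80)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list[Conn]:
    """Keep only TCP/UDP rows; the PID is always the last field on the row."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # title, blank or header line
        lip, lport = split_endpoint(fields[1])
        rip, rport = split_endpoint(fields[2])
        state = fields[3] if len(fields) == 5 else ""
        conns.append(Conn(fields[0], lip, lport, rip, rport, state, int(fields[-1])))
    return conns


def is_internal(ip: str) -> bool:
    """True when ip falls inside the organisation's own address space."""
    try:
        addr = ip_address(ip)
    except ValueError:  # '*' or another non-address placeholder
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(conns: list[Conn]) -> list[str]:
    """One finding per suspicious row; an empty list means nothing stood out."""
    findings = []
    for c in conns:
        if c.state == "LISTENING" or c.proto == "UDP":
            if c.local_port not in EXPECTED_LISTEN_PORTS:
                findings.append(f"unexpected listener {c.proto}/{c.local_port} pid={c.pid}")
        elif c.state == "ESTABLISHED":
            if c.local_port in EXPECTED_LISTEN_PORTS:
                continue  # a client talking to one of our services: normal
            if c.remote_port not in EXPECTED_REMOTE_PORTS:
                where = "internal" if is_internal(c.remote_ip) else "external"
                findings.append(
                    f"unexpected {where} connection to {c.remote_ip}:{c.remote_port} pid={c.pid}"
                )
    return findings


def suspect_pids(conns: list[Conn]) -> list[int]:
    """PIDs that own at least one finding, sorted; these processes are reviewed next."""
    return sorted({c.pid for c in conns if triage([c])})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for finding in triage(rows):
        print(finding)
    print("review PIDs:", suspect_pids(rows))
```

On a live host the text would come from running `netstat -ano` and the allow-lists from the server's documented role; a listener that is absent from the role's documentation is itself a finding, whatever its port number.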
A more advanced approach to evaluating network activity would be to utilize packet
analyzers. Packet analyzers can peer into a network communication stream and allow an
information security officer to assess and analyze data at the packet level. These features are
particularly important because source and destination IP addresses can be observed. The reason
this is significant is because when hackers make connections to network resources, their source
address can often be determined from analyzing packets in the bitstream. Similarly, unusual
network traffic, specific ports, as well as user-defined network protocols can be scrutinized for
existing threats (Rouse, n.d.). A popular application for analyzing packets is Wireshark.
Wireshark has features such as saving network activity captures for later examination, setting up
alerts, protocol filters, and support for multiple platforms (Wireshark, n.d.).
Still, there are other methods for evaluating network traffic; for example, firewalls that
have auditing enabled and intrusion detection systems (IDS). Firewalls normally act as a barrier
of protection between an organization and the outside world, controlling incoming and outgoing
connections; however, firewalls such as the Cisco PIX firewall can also maintain event data and
firewall messages (IBM, n.d.). This stored data, which contains connection information, can be
analyzed in the event of a compromised server, thus offering another method of network activity
assessment. One final technique for monitoring or reviewing network activity is the IDS. An
IDS, such as the Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module,
offers features that perform analysis across multiple network layers, and even has the ability to
prevent attacks (Cisco, n.d.). It is important to note that no single network monitoring strategy
is perfect; thus implementing a multi-tiered approach to scanning network activity is best practice.
How do you check for possible vulnerabilities? Once network activity has been
scanned, the next step would be to determine possible vulnerabilities. Operating systems are
susceptible to many types of vulnerabilities, such as DLL, OCX, Distributed Component Object
Model (DCOM), and Remote Procedure Call (RPC) exploits (Microsoft TechNet, n.d.). One
method for defining weak spots in these areas is to use the Microsoft Baseline Security Analyzer
(MBSA). The MBSA identifies missing security updates, common misconfigurations, as well as
possible threats due to unknown or modified system DLL and OCX files (Microsoft, n.d.).
Another application that could be used in determining vulnerabilities is Symantec Endpoint
Protection (SEP). SEP is a suite of utilities that offers a plethora of features which include
anti-virus, spam removal, data loss protection, and host integrity (Symantec, n.d.). Additionally,
SEP provides a layered approach to deal with potential threats and performs threat analysis; thus,
SEP provides a best practice strategy for determining if vulnerabilities exist, how to remove them,
and how to prevent future attacks.
How do you track network account activity? After determining exactly what the
vulnerabilities are, tracking network account activity becomes a necessity. Network account
activity includes logging in, logging out, as well as the frequency of accessing network
resources. There are a couple of common methods for a network administrator to track network
activity; one technique is to use Microsoft’s domain-level or local group policy. By accessing the
group policy editor, and navigating to Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy, the audit account logon events can be configured; the
account logon and logon audit policy should be enabled (Microsoft, n.d.). Another method for
tracking logon events is to use third party software. ManageEngine sells ADAudit Plus software
that monitors user logins and logouts, generates reports, and has the ability to track a user across
multiple machines (ManageEngine, n.d.). Additionally, the ADAudit Plus software visually
represents the login data, making it much easier to understand and track network account
activity.
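Once audit logon events are enabled, the records still have to be turned into something an administrator can act on. The following is an added example, not from the paper and not ADAudit Plus or the Event Viewer: it reads a constructed CSV export of logon audit records (timestamp, account, workstation, event type) and produces per-account counts of logons, logoffs and failures, the workstations each account used, and the accounts that logged on successfully right after a burst of failures, which is the trace a password-guessing attempt leaves in the log. The accounts, hosts and events in the sample are invented.

```python
"""Network account activity from exported logon audit records (added example).

Input is a constructed CSV export with one row per audit event.  Output is a
per-account summary plus a list of "failures followed by success" occurrences,
the pattern that tracking logon events is meant to surface.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_TYPES = ("logon", "logoff", "failed_logon")

# Constructed export: dates sit in the paper's time frame, everything else is invented.
SAMPLE_EVENTS = """\
timestamp,account,workstation,event
2014-10-06T08:01:12,jdoe,WS-101,logon
2014-10-06T17:02:40,jdoe,WS-101,logoff
2014-10-06T22:14:03,svc_backup,SRV-02,logon
2014-10-06T23:40:11,jdoe,WS-207,failed_logon
2014-10-06T23:40:19,jdoe,WS-207,failed_logon
2014-10-06T23:40:27,jdoe,WS-207,failed_logon
2014-10-06T23:40:35,jdoe,WS-207,failed_logon
2014-10-06T23:40:51,jdoe,WS-207,logon
2014-10-07T08:03:55,asmith,WS-114,logon
2014-10-07T08:05:02,asmith,WS-114,failed_logon
"""


def parse_events(text: str) -> list[dict]:
    """Read the CSV, parse timestamps, drop unknown event types, sort by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["event"] not in EVENT_TYPES:
            continue
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return sorted(events, key=lambda r: r["timestamp"])


def activity_by_account(events: list[dict]) -> dict[str, dict]:
    """Per-account counts of each event type plus the sorted workstations used."""
    summary: dict[str, dict] = {}
    for e in events:
        acct = summary.get(e["account"])
        if acct is None:
            acct = {t: 0 for t in EVENT_TYPES}
            acct["workstations"] = set()
            summary[e["account"]] = acct
        acct[e["event"]] += 1
        acct["workstations"].add(e["workstation"])
    for acct in summary.values():
        acct["workstations"] = sorted(acct["workstations"])
    return summary


def failed_then_success(
    events: list[dict], threshold: int = 3, window: timedelta = timedelta(minutes=5)
) -> list[tuple[str, str, datetime]]:
    """(account, workstation, time) for each logon preceded by >= threshold failures within window."""
    by_account: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    hits = []
    for account, evs in by_account.items():
        recent_failures: list[datetime] = []
        for e in sorted(evs, key=lambda r: r["timestamp"]):
            t = e["timestamp"]
            recent_failures = [f for f in recent_failures if t - f <= window]
            if e["event"] == "failed_logon":
                recent_failures.append(t)
            elif e["event"] == "logon" and len(recent_failures) >= threshold:
                hits.append((account, e["workstation"], t))
                recent_failures = []  # do not report the same burst twice
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for account, info in activity_by_account(evs).items():
        print(account, info)
    for account, host, when in failed_then_success(evs):
        print(f"ALERT {account} logged on at {host} after repeated failures ({when})")
```

The threshold and window are policy knobs: a lower threshold catches slower guessing at the cost of more false positives from users who mistype a password a few times before getting in.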
How do you protect network resources? Lastly, it is critical to formulate an overall
strategy to protect network resources. Some of the best methods for protecting the resources on
the network have already been highlighted. For instance, network resources need to be protected
against outside attacks; it is best practice to install a firewall to control, audit, and report on
incoming and outgoing connections. Secondly, an IDS will provide the added benefit of being
able to perform threat analysis and generate alerts on suspicious network activity. Likewise,
every network should be protected against viruses, worms, and spam. This is where implementing
an enterprise-based solution, such as SEP, becomes critical to maintaining the integrity of
network resources. Finally, one essential component for protecting network resources is an
update and patching server. Update servers, such as Windows Server Update Services (WSUS),
allow system administrators to centrally manage which security updates, system updates, and
patches get deployed to workstations and servers throughout the enterprise (Microsoft TechNet,
n.d.). The reason it is important to consistently update and patch machines on the network is to
maintain the highest levels of operating system integrity. Ultimately, no one piece of technology
can fully protect all network resources; thus, implementing multiple layers of technology
throughout the enterprise has become best practice.
References
Acunetix. (n.d.). Cross-site Scripting (XSS) Attack. What is cross-site scripting? Retrieved from https://www.acunetix.com/websitesecurity/cross-site-scripting/
Cisco. (n.d.). Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module. Retrieved from http://www.cisco.com/c/en/us/products/interfaces-modules/catalyst-6500-series-intrusion-detection-system-idsm-2-services-module/index.html
IBM. (n.d.). Configuring auditing for Cisco PIX firewall. Retrieved from http://www-01.ibm.com/support/knowledgecenter/SSSN2Y_1.0.0/com.ibm.itcim.doc/tcim85_install197.html%23cspxfw
Levin, Alik. (2007, April 1). File access auditing - I am not afraid of GPO. Retrieved from http://blogs.msdn.com/b/alikl/archive/2007/04/01/file-access-auditing-i-am-not-afraid-of-gpo.aspx
Microsoft. (n.d.). Audit logon events. Retrieved from http://technet.microsoft.com/en-us/library/cc976395.aspx
Microsoft. (n.d.). Microsoft Baseline Security Analyzer 2.3 (for IT professionals). Retrieved from http://www.microsoft.com/en-us/download/details.aspx?id=7558
Microsoft. (n.d.). What is task manager? Retrieved from http://windows.microsoft.com/en-us/windows-vista/what-is-task-manager
Microsoft TechNet. (n.d.). Best practices for mitigating RPC and DCOM vulnerabilities. Retrieved from http://technet.microsoft.com/en-us/library/dd632946.aspx
Microsoft TechNet. (n.d.). Netstat. Retrieved from http://technet.microsoft.com/en-us/library/bb490947.aspx
Microsoft TechNet. (n.d.). System file checker. Retrieved from http://technet.microsoft.com/en-us/library/bb491008.aspx
Microsoft TechNet. (n.d.). Windows Server Update Services. Retrieved from http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
NirSoft. (2014). RegDllView v1.58 - View registered dll/ocx/exe files on your system and register DLL files from Explorer. Retrieved from http://www.nirsoft.net/utils/registered_dll_view.html
Obialero, Roberto. (2005). Forensic analysis of a compromised intranet server. Retrieved from http://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-compromised-intranet-server-1652
Rouse, Margaret. (n.d.). Network analyzer (protocol analyzer or packet analyzer). Retrieved from http://searchnetworking.techtarget.com/definition/network-analyzer
Symantec. (n.d.). Symantec Endpoint Protection. Retrieved from http://www.symantec.com/endpoint-protection
Valentino, Vishnu. (n.d.). Basic hacking via Cross Site Scripting (XSS) – The logic. Retrieved from http://www.hacking-tutorial.com/hacking-tutorial/basic-hacking-via-cross-site-scripting-xss-the-logic/#sthash.tLAYK0Y7.dpbs
Whitman, Michael E., & Mattord, Herbert J. (2011). Principles of Information Security (4th ed.). Independence, KY: Cengage.
Wireshark. (n.d.). Wireshark frequently asked questions. Retrieved from https://www.wireshark.org/faq.html#q1.1