
Page 1: Unit 3 Research Project Eddie S. Jackson Kaplan University IT540: Management …eddiejackson.net/data/college/papers/Jackson_Eddie_IT540... · 2014-10-15 · Kaplan University IT540:

Running head: UNIT 3 RESEARCH PROJECT 1

Unit 3 Research Project

Eddie S. Jackson

Kaplan University

IT540: Management of Information Security

Kenneth L. Flick, Ph.D.

10/07/2014


Table of Contents

Abstract
Part I
  Host Detail Screen
  BASE Alerts Detail Screen
  Individual BASE Alert Detail Screen
  ATTACK RESPONSE on BASE Alert Screen
Part II
  Assessing the Compromised Server
  Checking Files
  Checking Network Activity
  Checking Possible Vulnerabilities
  Checking Network Account Activity
  Protecting Network Resources
References


Abstract

The Unit 3 research project is a two-part assignment on computer forensics, which covers the steps and tools required for incident response and attack prevention. Both parts reinforce the fundamental concepts of forensic science. Part I is a hands-on Snort lab: a real-world scenario in which the student becomes familiar with the Snort software and learns to scan a network stream, capture alerts, and assess specific alert types. In Part II, the student assesses a hypothetical server break-in and responds in essay form to a series of questions intended to highlight the steps and tools used to protect network resources.


Unit 3 Research Project

Part I

The Jones & Bartlett Lab. In this lab, Snort was used for incident handling. See the screen captures below.

Screen capture of the host detail screen from the Lab #10 SNORT Scan:


Screen capture of the BASE alerts detail screen:


Screen capture of an individual BASE alert detail:


Screen capture of an ATTACK RESPONSE on the BASE alert detail screen:

Part II

The break-in. The second part of the assignment presents a hypothetical break-in that requires a five-question assessment. Each question explores the ideas and concepts of computer forensics.


What are the steps and tools used in assessing a compromised server? When hackers compromise servers, sometimes there are obvious signs of malicious activity and sometimes the exploitation is stealthier. In either case, the information security officer, upon notification that something is wrong with a server, must have a plan for assessing it; the plan lists the steps and tools needed to determine exactly what damage has been done. Considering the break-in, the first step the information security officer should take is verifying that the server has indeed been compromised (Obialero, 2005). This verification can begin with a visual inspection of the running processes and network activity using a process manager; on Microsoft operating systems this is Task Manager (Microsoft, n.d., para. 1). One caveat applies to every tool run on the suspect host: a rootkit can hide processes and connections from the operating system itself, so what the host reports should be corroborated from outside it, for example from firewall logs or a network capture, and volatile data such as running processes and open connections should be recorded before the server is powered off.

A second technique for assessing a compromised server is to scan the system to verify the integrity of its files. For example, Microsoft operating systems include the System File Checker (sfc), which can be run to scan, report on, and even repair protected system files that have been altered (Microsoft TechNet, n.d., para. 1). If the server is in a domain and object access auditing has been enabled through Group Policy, the audit events recorded for a file or other object can be reviewed in Event Viewer (Levin, 2007). Finally, other tools such as anti-virus and malware scanners can be used to scan a server and help establish whether it has been compromised.

Which files would be checked? Knowing exactly which files should be checked for integrity is critical to the overall assessment of the compromised server. Hackers target particular areas of an operating system: the areas that contain the required system files and essential services. System files are those with the extensions .dll, .ocx, and .exe, and server services usually consist of these file types as well. To inventory such files and the services that depend on them, utilities such as those from NirSoft can be used. For example, NirSoft's RegDllView lists the DLL, OCX, and EXE files registered on the system, shows when each was registered, and allows entries that are no longer needed to be unregistered (NirSoft, 2014). An inventory of this kind shows what is registered, not whether a file is genuine; integrity itself is established by comparing each file's hash or digital signature against a known-good baseline, which is what sfc does for protected system files.

If the server is a web server, it is possible that hackers compromised it through its web-based services. A common web attack is Cross-Site Scripting (XSS), in which an attacker injects script into content that the server later serves to other users (Valentino, n.d.); in the stored form of the attack, that content lives in the server's own pages, templates, or database rather than in the attacker's request. The files that should be checked after a suspected XSS attack are the server's PHP scripts and any unknown or new scripts on the web server, and because XSS is commonly used to steal users' session cookies, the session-handling code deserves particular attention (Acunetix, n.d.). Likewise, web pages coded in HTML and CSS should be analyzed for any recent changes to their content.
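The integrity check described in the two paragraphs above, for system binaries and for a web root alike, comes down to comparing a fresh scan against a known-good record. The following is an added example, not code from the paper or from NirSoft or Microsoft: it records a SHA-256 for every file of the chosen types under a directory, then diffs a later scan against that record to list files that were added, removed, or modified. The directory, file names and contents in demo() are constructed for the run.

```python
"""Hash-baseline integrity check for a file tree.

Added example, not the paper's own code. It builds a SHA-256 baseline of a
directory once and later diffs the live tree against it, which is the
general form of the check that sfc performs for protected system files and
that the text recommends for a web root's scripts and pages. The directory
layout, file names and contents in demo() are constructed for the run.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, extensions=None) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    extensions limits the scan to the types the assessment cares about, e.g.
    {".dll", ".ocx", ".exe"} for system binaries or {".php", ".html", ".css"}
    for a web root. Symlinks are skipped so the scan cannot be led out of root.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            if extensions and full.suffix.lower() not in extensions:
                continue
            baseline[full.relative_to(root).as_posix()] = sha256_file(full)
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Classify the differences between a stored baseline and a fresh scan."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed web root: record a baseline, tamper with the tree, diff."""
    web_types = {".php", ".html", ".css"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "inc" / "db.php").write_text("<?php $dsn = 'mysql:host=db'; ?>\n")
        (root / "style.css").write_text("body { margin: 0; }\n")
        (root / "notes.txt").write_text("not a web file, outside the scan\n")
        before = build_baseline(root, web_types)

        # Simulated tampering: content appended to a served page, an unknown
        # script dropped into inc/, and the stylesheet deleted.
        with (root / "index.php").open("a") as fh:
            fh.write("<!-- injected content -->\n")
        (root / "inc" / "unknown.php").write_text("<?php /* new file */ ?>\n")
        (root / "style.css").unlink()
        after = build_baseline(root, web_types)

        return compare_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) or '(none)'}")
```

In practice the baseline is taken from a known-good build, stored and signed off the host, and the comparison is run with tools brought from a trusted source; a baseline that lives on the compromised server is only as trustworthy as the server.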

Where do you check for network activity? While it is crucial to identify which files may have been compromised in an attack, scanning and monitoring network activity is equally important. When servers have been compromised, it is common for a hacker to open communication ports in order to steal data or maintain access to the server; unknown established connections to a server, or to any other network resource, can be an obvious sign of malicious activity. It is the responsibility of the information security officer to assess network activity and determine whether such undesirable lines of communication exist. Simple tools such as netstat can be used to view open ports and connections. netstat has options for displaying active TCP and UDP connections, Ethernet statistics, port numbers in numeric form, and the process ID that owns each connection (Microsoft TechNet, n.d.); on Windows, netstat -ano combines all three, which is the form most useful during an assessment because the process ID ties each socket back to a process in Task Manager.

A more advanced approach to evaluating network activity is to use packet analyzers. Packet analyzers can peer into a network communication stream and allow an information security officer to assess and analyze data at the packet level. These features are particularly important because source and destination IP addresses can be observed: when hackers connect to network resources, their source address can often be determined from the captured packets, although that address may belong to a proxy or an intermediate compromised machine rather than to the attacker. Similarly, unusual traffic, specific ports, and user-defined network protocols can be scrutinized for existing threats (Rouse, n.d.). A popular application for analyzing packets is Wireshark. Wireshark has features such as saving network captures for later examination, filtering and colorizing packets by protocol or other criteria, and support for multiple platforms (Wireshark, n.d.).

Still, there are other methods for evaluating network traffic, for example firewalls with auditing enabled and intrusion detection systems (IDS). Firewalls normally act as a barrier between an organization and the outside world, controlling incoming and outgoing connections; however, firewalls such as the Cisco PIX can also retain event data and firewall messages (IBM, n.d.). This stored data, which contains connection information, can be analyzed in the event of a compromised server, offering another method of network activity assessment, and it has the advantage of being recorded off the suspect host, where whoever controls the server cannot easily alter it. One final technique for monitoring or reviewing network activity is the IDS. An IDS such as the Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module performs analysis across multiple network layers and, when deployed inline, can also block attacks (Cisco, n.d.). It is important to note that no single network monitoring strategy is perfect; implementing a multi-tiered approach to scanning network activity is therefore best practice.
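The netstat review described above, as an added example that is not from the paper: a script that parses constructed netstat -ano output in the Windows layout and applies the two checks an information security officer would run first, listening ports that are not on the server's expected service list and established connections to addresses outside the organization. The internal address range and the list of expected listeners are assumptions about the hypothetical server and would be replaced with its real build sheet.

```python
"""Triage of Windows netstat -ano output.

Added example, not the paper's own code. It parses the netstat -ano layout
and applies two checks an information security officer would run on a
suspect server: listening ports that are not on the server's expected
service list, and ESTABLISHED connections whose remote side lies outside the
organisation's own address space. SAMPLE_NETSTAT is constructed for the run;
INTERNAL_NETS and EXPECTED_LISTENERS are assumptions about the hypothetical
server, to be replaced with the real build sheet.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:8899           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.5:3389          10.0.0.23:51002        ESTABLISHED     1204
  TCP    10.0.0.5:49712         203.0.113.7:6667       ESTABLISHED     3120
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:53             *:*                                    1412
"""

# Assumptions about the hypothetical server.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 53)}


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str  # empty for UDP, which is connectionless
    pid: int


@dataclass
class Finding:
    kind: str
    detail: str
    pid: int


def _split_endpoint(endpoint: str):
    """'10.0.0.5:49712', '[::]:135' or '*:*' -> (host, port); port 0 if absent."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else 0)


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        if parts[0] == "TCP":
            local, remote, state, pid = parts[1:5]
        else:  # UDP rows have no State column
            local, remote, pid = parts[1:4]
            state = ""
        local_ip, local_port = _split_endpoint(local)
        remote_ip, remote_port = _split_endpoint(remote)
        conns.append(Conn(parts[0], local_ip, local_port, remote_ip, remote_port, state, int(pid)))
    return conns


def is_internal(host: str) -> bool:
    """True for our own ranges, loopback and the unspecified address.

    ipaddress's is_private is deliberately not used: it also covers the
    documentation ranges such as 203.0.113.0/24, which would hide a peer.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # '*' is a wildcard, not a remote peer
    return addr.is_loopback or addr.is_unspecified or any(addr in net for net in INTERNAL_NETS)


def triage(conns: List[Conn]) -> List[Finding]:
    findings = []
    for c in conns:
        listening = c.state == "LISTENING" or (c.proto == "UDP" and c.remote_ip == "*")
        if listening:
            if (c.proto, c.local_port) not in EXPECTED_LISTENERS:
                findings.append(Finding("unexpected-listener", f"{c.proto}/{c.local_port}", c.pid))
        elif c.state == "ESTABLISHED" and not is_internal(c.remote_ip):
            findings.append(Finding("external-connection", f"{c.remote_ip}:{c.remote_port}", c.pid))
    return findings


if __name__ == "__main__":
    for f in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{f.kind:22} {f.detail:22} pid={f.pid}")
```

Both findings in the sample carry PID 3120, which is the value taken to Task Manager or tasklist to name the process. The internal-range test uses an explicit list rather than the ipaddress module's is_private property, because that property also treats the documentation ranges (including 203.0.113.0/24, used for the sample peer) as private and would hide exactly the peer of interest. As with every tool run on the suspect host, a rootkit can hide sockets from netstat, so the result should be corroborated against firewall logs or a packet capture taken off the host.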

How do you check for possible vulnerabilities? Once network activity has been scanned, the next step is to determine possible vulnerabilities. Operating systems are susceptible to many types of vulnerabilities, such as those in DLL and OCX components and in the Distributed Component Object Model (DCOM) and Remote Procedure Call (RPC) services (Microsoft TechNet, n.d.). One method for finding weak spots in these areas is the Microsoft Baseline Security Analyzer (MBSA). MBSA identifies missing security updates and common security misconfigurations on the scanned machine (Microsoft, n.d.); it does not detect modified system files, so it complements rather than replaces the integrity checks described above.

Another application that could be used in determining vulnerabilities is Symantec Endpoint Protection (SEP). SEP is a suite of utilities offering features that include anti-virus, spam removal, data loss protection, and host integrity checking (Symantec, n.d.). Additionally, SEP provides a layered approach to dealing with potential threats and performs threat analysis. It is an endpoint protection product rather than a vulnerability scanner, however, so it is best used alongside a tool such as MBSA: SEP for detecting and removing threats and enforcing host integrity, MBSA for finding the missing updates and misconfigurations that let those threats in.

How do you track network account activity? After determining what the vulnerabilities are, tracking network account activity becomes a necessity. Network account activity includes logging in and logging out as well as the frequency with which network resources are accessed. There are a couple of common methods for a network administrator to track this activity. One is Microsoft's domain-level or local Group Policy: in the Group Policy editor, under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, both "Audit account logon events" and "Audit logon events" should be enabled, for success and for failure (Microsoft, n.d.). The two settings record different things: account logon events are written on the machine that validated the credentials, typically the domain controller, while logon events are written on the machine where the session was created, so both are needed to see the whole picture. On Windows Vista and later, a successful logon appears in the Security log as event ID 4624 and a failure as 4625. Another method for tracking logon events is third-party software. ManageEngine sells ADAudit Plus, which monitors user logins and logouts, generates reports, and can track a user across multiple machines (ManageEngine, n.d.). Additionally, ADAudit Plus visually represents the login data, making network account activity much easier to understand and track.
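As an added example that is not from the paper, Microsoft, or ManageEngine, the kind of review the logon audit policy makes possible: a script over a constructed CSV export of 4624/4625 events that flags a password-guessing run that ended in a success and an account that logged on from an unusual number of sources. The export layout, the five-minute window, and the thresholds are assumptions; the sample rows are constructed.

```python
"""Review of exported logon audit events.

Added example, not the paper's own code. Once the audit policy above is
enabled, the Security log records event ID 4624 for a successful logon and
4625 for a failure. This reads a constructed CSV export of those events
(timestamp, event id, account, source address, logon type) and flags two
patterns: a burst of failures from one source followed by a success for the
same account, and an account that logged on from more distinct sources than
a configured limit. The export layout, the five-minute window and the
thresholds are assumptions; the sample rows are constructed.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

SAMPLE_EXPORT = """\
timestamp,event_id,account,source,logon_type
2014-10-07T01:58:10,4624,jdoe,10.0.0.23,10
2014-10-07T02:14:03,4625,svc_backup,203.0.113.7,3
2014-10-07T02:14:05,4625,svc_backup,203.0.113.7,3
2014-10-07T02:14:07,4625,svc_backup,203.0.113.7,3
2014-10-07T02:14:09,4625,svc_backup,203.0.113.7,3
2014-10-07T02:14:11,4625,svc_backup,203.0.113.7,3
2014-10-07T02:14:40,4624,svc_backup,203.0.113.7,3
2014-10-07T02:20:00,4624,svc_backup,10.0.0.41,3
2014-10-07T02:21:00,4624,svc_backup,10.0.0.42,3
2014-10-07T02:22:00,4624,svc_backup,10.0.0.43,3
2014-10-07T08:30:00,4624,jdoe,10.0.0.23,2
2014-10-07T09:00:00,4625,jdoe,10.0.0.23,2
"""

LOGON_SUCCESS, LOGON_FAILURE = 4624, 4625


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int
    account: str
    source: str
    logon_type: int  # 2 interactive, 3 network, 10 remote interactive


def parse_export(text: str) -> List[LogonEvent]:
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(LogonEvent(datetime.fromisoformat(row["timestamp"]),
                                 int(row["event_id"]), row["account"],
                                 row["source"], int(row["logon_type"])))
    return sorted(events, key=lambda e: e.ts)


def failed_burst_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Return (account, source, failures, success_time) for each account/source
    pair that succeeded after at least `threshold` failures inside `window`:
    the signature of a password-guessing run that eventually worked."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.account, e.source)].append(e)
    hits = []
    for (account, source), evs in by_pair.items():
        recent_failures: List[datetime] = []
        for e in evs:
            # keep only failures still inside the window ending at this event
            recent_failures = [t for t in recent_failures if e.ts - t <= window]
            if e.event_id == LOGON_FAILURE:
                recent_failures.append(e.ts)
            elif e.event_id == LOGON_SUCCESS:
                if len(recent_failures) >= threshold:
                    hits.append((account, source, len(recent_failures), e.ts))
                recent_failures = []  # a success ends the run
    return hits


def sources_per_account(events) -> Dict[str, Set[str]]:
    """Distinct sources from which each account logged on successfully."""
    seen = defaultdict(set)
    for e in events:
        if e.event_id == LOGON_SUCCESS:
            seen[e.account].add(e.source)
    return seen


def fan_out(events, limit=2) -> List[str]:
    """Accounts seen on more than `limit` sources: lateral movement or sharing."""
    return sorted(a for a, s in sources_per_account(events).items() if len(s) > limit)


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    for account, source, n, when in failed_burst_then_success(evs):
        print(f"{when:%Y-%m-%d %H:%M} {account} from {source}: success after {n} failures")
    print("accounts logging on from many sources:", fan_out(evs))
```

On a real server the rows come from Event Viewer's Security log or an export of it. The logon type column says how the account was used, not merely that it was: type 10 is a Remote Desktop session, type 3 a network logon such as a file share, and type 2 an interactive console logon, so a service account appearing with type 10 is itself worth a question.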

How do you protect network resources? Lastly, it is critical to formulate an overall strategy to protect network resources. Some of the best methods for protecting the resources on the network have already been highlighted. For instance, network resources need to be protected against outside attacks, so it is best practice to install a firewall to control, audit, and report on incoming and outgoing connections. Secondly, an IDS provides the added benefit of being able to perform threat analysis and generate alerts on suspicious network activity. Likewise, every network should be protected against viruses, worms, and spam; this is where an enterprise solution such as SEP becomes critical to maintaining the integrity of network resources. Finally, one essential component for protecting network resources is an update and patch management server. Update servers such as Windows Server Update Services (WSUS) allow system administrators to centrally manage which security updates, system updates, and patches are deployed to workstations and servers throughout the enterprise (Microsoft TechNet, n.d.). Consistently updating and patching machines on the network matters because the missing updates a scanner such as MBSA reports are precisely the vulnerabilities an attacker can exploit; patching closes them and maintains operating system integrity. Ultimately, no one piece of technology can fully protect all network resources; implementing multiple layers of technology throughout the enterprise has therefore become best practice.


References

Acunetix. (n.d.). Cross-site scripting (XSS) attack: What is cross-site scripting? Retrieved from https://www.acunetix.com/websitesecurity/cross-site-scripting/

Cisco. (n.d.). Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module. Retrieved from http://www.cisco.com/c/en/us/products/interfaces-modules/catalyst-6500-series-intrusion-detection-system-idsm-2-services-module/index.html

IBM. (n.d.). Configuring auditing for Cisco PIX firewall. Retrieved from http://www-01.ibm.com/support/knowledgecenter/SSSN2Y_1.0.0/com.ibm.itcim.doc/tcim85_install197.html%23cspxfw

Levin, A. (2007, April 1). File access auditing: I am not afraid of GPO. Retrieved from http://blogs.msdn.com/b/alikl/archive/2007/04/01/file-access-auditing-i-am-not-afraid-of-gpo.aspx

Microsoft. (n.d.). Audit logon events. Retrieved from http://technet.microsoft.com/en-us/library/cc976395.aspx

Microsoft. (n.d.). Microsoft Baseline Security Analyzer 2.3 (for IT professionals). Retrieved from http://www.microsoft.com/en-us/download/details.aspx?id=7558

Microsoft. (n.d.). What is Task Manager? Retrieved from http://windows.microsoft.com/en-us/windows-vista/what-is-task-manager

Microsoft TechNet. (n.d.). Best practices for mitigating RPC and DCOM vulnerabilities. Retrieved from http://technet.microsoft.com/en-us/library/dd632946.aspx

Microsoft TechNet. (n.d.). Netstat. Retrieved from http://technet.microsoft.com/en-us/library/bb490947.aspx

Microsoft TechNet. (n.d.). System File Checker. Retrieved from http://technet.microsoft.com/en-us/library/bb491008.aspx

Microsoft TechNet. (n.d.). Windows Server Update Services. Retrieved from http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

NirSoft. (2014). RegDllView v1.58: View registered dll/ocx/exe files on your system and register DLL files from Explorer. Retrieved from http://www.nirsoft.net/utils/registered_dll_view.html

Obialero, R. (2005). Forensic analysis of a compromised intranet server. Retrieved from http://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-compromised-intranet-server-1652

Rouse, M. (n.d.). Network analyzer (protocol analyzer or packet analyzer). Retrieved from http://searchnetworking.techtarget.com/definition/network-analyzer

Symantec. (n.d.). Symantec Endpoint Protection. Retrieved from http://www.symantec.com/endpoint-protection

Valentino, V. (n.d.). Basic hacking via Cross Site Scripting (XSS): The logic. Retrieved from http://www.hacking-tutorial.com/hacking-tutorial/basic-hacking-via-cross-site-scripting-xss-the-logic/#sthash.tLAYK0Y7.dpbs

Whitman, M. E., & Mattord, H. J. (2011). Principles of information security (4th ed.). Independence, KY: Cengage.

Wireshark. (n.d.). Wireshark frequently asked questions. Retrieved from https://www.wireshark.org/faq.html#q1.1