Would you recommend using a firewall? Explain.
Yes. A firewall is a baseline control for securing the network perimeter of any enterprise. Consumer and branch routers usually ship with a built-in firewall in the form of Network Address Translation (NAT) plus simple software-based packet filtering; NAT hides internal addresses, but it is not a substitute for explicit filtering rules. For a small or medium enterprise, and certainly for a global enterprise, a dedicated hardware firewall with a default-deny policy between the Internet and the internal network is recommended. Attackers now use sophisticated methods to get inside a network. One example is the Advanced Persistent Threat (APT), which typically gains a foothold through phishing and then hides its command-and-control traffic inside encrypted connections. Once a network is compromised, confidential information such as trade secrets may leak and the organization's reputation is at stake; a bank may lose clients, or even fail, if personal information such as credit card numbers is exposed. A firewall alone will not stop an attack that arrives as an e-mail attachment or through an allowed port, so it should be combined with antivirus filtering and intrusion detection.
Would you recommend using antivirus filtering? Explain.
Yes. Antivirus is also a baseline control and is considered mandatory for protecting a network. Its primary purpose is to detect and remove viruses and other malware from systems. Antivirus filtering at the mail gateway scans attachments before they reach the recipient, because a malicious attachment runs as soon as the recipient opens it. Signature-based scanning only catches malware that is already known, so the filter should also block attachment types that are executable by nature (.exe, .scr, .vbs and similar) and inspect the actual content of a file rather than trusting its extension.
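As an added example (not from the textbook or the answer above), the following Python script shows the kind of attachment check a mail gateway applies before the antivirus engine even runs: it parses a constructed e-mail with the standard library, blocks attachments whose extension marks them as executable, and flags attachments whose content starts with an executable file header regardless of the name they claim. The sample message, the extension list and the header table are assumptions made for the example.

```python
"""Gateway-style attachment filter: judge attachments by content, not by name."""
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows will execute directly (assumed list for the example).
EXEC_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}

# File headers ("magic bytes") of native executables. "MZ" is the DOS/PE header,
# "\x7fELF" the Linux/Unix one.
EXEC_MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable"}


def classify_attachment(part):
    """Return the list of reasons an attachment should be quarantined ([] = clean)."""
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    reasons = []

    # Last extension only: "invoice.pdf.exe" ends in ".exe" and is caught here.
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")

    # Look at the bytes: an .exe renamed to .pdf still starts with "MZ".
    for magic, kind in EXEC_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"content is {kind}")
    return reasons


def scan_message(raw_bytes):
    """Map each attachment filename to its list of reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return {part.get_filename(): classify_attachment(part)
            for part in msg.iter_attachments()}


def verdict(findings):
    return "quarantine" if any(findings.values()) else "deliver"


def build_sample_message():
    """Constructed test message (not real mail): one disguised executable,
    one genuine PDF, one script with a double extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "lee@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    # PE header bytes labelled as a PDF: the extension lies, the content does not.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # A real (minimal) PDF header: passes both checks.
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Script hidden behind a double extension.
    msg.add_attachment(b'MsgBox "hi"\r\n', maintype="application",
                       subtype="octet-stream", filename="notes.txt.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    results = scan_message(build_sample_message())
    for filename, reasons in results.items():
        print(f"{filename}: {'CLEAN' if not reasons else '; '.join(reasons)}")
    print("verdict:", verdict(results))
```

The content check is what defeats the common trick of renaming a program to a harmless-looking extension; a real gateway would add archive unpacking (the same check applied inside ZIP files) and only then hand the remaining attachments to the antivirus engine.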
Would you recommend an intrusion detection system? Explain.
Yes. Firewalls and antivirus were once adequate to protect a corporate network from Internet threats. Today threats are growing continuously, and attackers use techniques capable of exploiting even small vulnerabilities, so an intrusion detection system (IDS) is now a necessity. An IDS watches network traffic or host activity and raises an alert as soon as suspicious behaviour appears, often early in an attack before real damage is done. These alerts let the responsible staff isolate the affected machines from the network or start the incident response plan. Note that an IDS detects but does not block, and it produces false positives, so its rules must be tuned and its alerts reviewed by someone who can act on them.
When an IDS generates alerts, it can send them to a console in the security center, to a mobile phone, or via e-mail. Discuss the pros and cons of each.
The main benefit of delivering alerts is that staff learn of an intrusion early enough to act on it, so the channel must be fast, reliable and secure. Console in the security center: shows the full alert detail and supports immediate investigation, but it only works if the center is staffed around the clock; an alert raised at night may sit unseen. Mobile phone (SMS or call): reaches the on-call person wherever they are and is noticed quickly, but SMS carries little detail, is sent in the clear and can be spoofed or read by whoever holds the phone. E-mail: carries complete detail and leaves an archive, but it may be delayed, filtered or not read until the employee is back in the office, and if sent unencrypted it can be read by unauthorized people and misused. In practice the three are combined: full alerts go to the console, a short notification goes to the phone of the on-call person, and e-mail keeps the record. Whatever the medium, alert messages must be protected in transit and limited to authorized personnel.
Examine the integrated log file shown in Figure 9-15 of the text.
a) Identify the stages in this apparent attack. b) For each stage, describe what the attacker seems to be doing.
There are three stages in this attack. In the first stage the attacker makes repeated password attempts against the SMTP server using the account Lee. In the second stage one of the attempts succeeds and the attacker logs in as Lee. In the third stage the attacker disables host logging on the compromised server and then retrieves mail and transfers data out to the attacker's location, over SMTP and over a further TCP connection. Disabling logging immediately after the login shows that the attacker wanted to hide the activity that followed.
Decide whether the actions in this stage work at human speed or at a higher speed, indicating an automated attack.
The time sequence shows that the attempts on user ID Lee were far apart: the first login attempt was at 08:45:07.49 and the second at 08:45:50.18, about 43 seconds later. A few guesses spaced tens of seconds apart are consistent with a human typing passwords, not with an automated dictionary attack, which would try many passwords per second. Without automation the attacker must already have had a good guess at Lee's password, or simply got lucky.
Decide whether the evidence in each stage is suggestive of an attack or conclusive evidence.
The failed login attempts by themselves are only suggestive, since legitimate users mistype passwords too. A successful login after failed attempts from an outside address is more suspicious but still not conclusive. Disabling host logging immediately after the login is much harder to explain innocently: its purpose is to remove the evidence of what follows, and the data transfer right after it is exactly the activity the attacker wanted to hide. Taken together the stages point strongly to an attack, even though no single log entry proves one.
Overall, do you have conclusive evidence of an attack?
Yes, taken as a whole. There were two failed attempts on login ID Lee followed by a success from the same outside address, host logging was then disabled, and data was transferred out via SMTP and over a further TCP connection. The combination of a login from an unexpected address, evidence tampering and data leaving the network is conclusive enough to declare an incident, and certainly enough to take the host offline and preserve the logs.
Do you have conclusive evidence of who committed the attack?
No. The logs show only that the activity came from the address 22.214.171.124, which guessed Lee's password with roughly 40 seconds between attempts, disabled host logging and then transferred data via SMTP and TCP. An IP address identifies a machine, not a person: the host at that address may itself be compromised and used as a relay, or the address may be spoofed or shared. Identifying the person behind it requires further investigation, such as records from the owner of the address block or a court order to the ISP.
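As an added example serving the log-analysis questions above (this is not the textbook's Figure 9-15 nor the answer's own analysis), the Python below runs the same reasoning over a constructed log: it groups login attempts by source address and user, measures the gap between guesses to separate human-speed from automated attacks, and records whether a successful login was followed by logging being disabled and by a data transfer. The two failed-attempt timestamps and the source address 22.214.171.124 come from the answer above; every other line, the field names and the 2-second automation cutoff are assumptions for the example.

```python
"""Classify login activity in an integrated log as human-speed or automated,
and collect the follow-on indicators (logging disabled, data transfer)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample log (not the textbook figure). Only the two FAIL
# timestamps and the first source address come from the page; the rest is assumed.
SAMPLE_LOG = """\
08:45:07.49 host=mail1 src=22.214.171.124 event=login user=lee result=FAIL
08:45:50.18 host=mail1 src=22.214.171.124 event=login user=lee result=FAIL
08:46:31.02 host=mail1 src=22.214.171.124 event=login user=lee result=OK
08:47:02.77 host=mail1 src=22.214.171.124 event=audit action=host_logging_disabled
08:47:20.10 host=mail1 src=22.214.171.124 event=transfer proto=tcp bytes=48211
08:50:00.00 host=mail1 src=10.0.0.7 event=login user=kim result=OK
09:00:00.00 host=mail1 src=203.0.113.9 event=login user=root result=FAIL
09:00:00.31 host=mail1 src=203.0.113.9 event=login user=root result=FAIL
09:00:00.62 host=mail1 src=203.0.113.9 event=login user=root result=FAIL
"""

# Gaps shorter than this between guesses are faster than a person can type.
AUTOMATED_THRESHOLD = 2.0  # seconds (assumed cutoff)

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d\d)\s+(.*)$")


def parse_line(line):
    """Turn 'HH:MM:SS.hh key=value ...' into a dict with a float 'ts' in seconds."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, hs, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = int(h) * 3600 + int(mi) * 60 + int(s) + int(hs) / 100
    return fields


@dataclass
class Finding:
    src: str
    user: str
    failed: int = 0
    intervals: list = field(default_factory=list)  # seconds between attempts
    last_attempt: Optional[float] = None
    compromised: bool = False            # OK login after at least one FAIL
    logging_disabled_after_login: bool = False
    transfer_after_login: bool = False


def analyze(log_text):
    """Return {(src, user): Finding} for every account seen in the log."""
    findings = {}
    login_ok_ts = {}  # src -> time of the successful login that followed failures
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src = ev["src"]
        if ev["event"] == "login":
            f = findings.setdefault((src, ev["user"]), Finding(src, ev["user"]))
            if f.last_attempt is not None:
                f.intervals.append(round(ev["ts"] - f.last_attempt, 2))
            f.last_attempt = ev["ts"]
            if ev["result"] == "FAIL":
                f.failed += 1
            elif f.failed > 0:  # success after failures: account is compromised
                f.compromised = True
                login_ok_ts[src] = ev["ts"]
        elif src in login_ok_ts and ev["ts"] > login_ok_ts[src]:
            # Attribute post-login activity to the compromised account(s) from that source.
            for f in findings.values():
                if f.src == src and f.compromised:
                    if ev["event"] == "audit" and ev.get("action") == "host_logging_disabled":
                        f.logging_disabled_after_login = True
                    if ev["event"] == "transfer":
                        f.transfer_after_login = True
    return findings


def speed(f):
    """'automated' if any two attempts were closer than the threshold, else 'human'."""
    if not f.intervals:
        return "n/a"
    return "automated" if min(f.intervals) < AUTOMATED_THRESHOLD else "human"


def indicators(f):
    """Ordered list of evidence, weakest (suggestive) to strongest (conclusive)."""
    out = []
    if f.failed >= 2:
        out.append("repeated failed logins")
    if f.compromised:
        out.append("login succeeded after failures")
    if f.logging_disabled_after_login:
        out.append("host logging disabled after login")
    if f.transfer_after_login:
        out.append("data transfer after login")
    return out


if __name__ == "__main__":
    for (src, user), f in analyze(SAMPLE_LOG).items():
        print(f"{src} user={user}: speed={speed(f)} intervals={f.intervals} "
              f"indicators={indicators(f)}")
```

Run on the sample, the Lee attempts show gaps of about 43 and 41 seconds and are classified as human speed, while the constructed burst from 203.0.113.9 at 0.31-second spacing is classified as automated; only the Lee account accumulates the full chain of indicators that turns a suggestive log into a conclusive one.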
A firm is trying to decide whether to place its backup center in the same city or in a distant city. List the pros and cons of each choice.
The backup (disaster recovery) site should not be in the same geographical region as the primary site. Same city: the site is easy to staff, test and keep synchronized, and staff can move between the two locations quickly; but a regional disaster such as an earthquake, flood or extended power outage can take out the primary site and the backup site at the same time. Distant city: the risk of a single disaster destroying both sites is minimal; but staff must travel to test or operate it, replication over long distances costs more and may lag behind the primary, and the firm may need a second set of local staff or a contract with the site operator. For most firms the distant site is the better choice, because protection against regional events is the reason a backup center exists.
To get out of taking exams, students occasionally phone in bomb threats just before the exam. Create a plan to deal with such attacks. This should take one single-spaced page. It should be written by you (a policy advisor) for your dean to approve and post in your college.
When a bomb threat is received, the police emergency number (or the bomb disposal helpline) must be called immediately. The authorities can investigate the origin of the call, and the bomb disposal squad can search the building separately. To minimize delay to the exam, a safe secondary facility is kept ready in a location that is not too far away and is reachable by every student. The exam is nonetheless postponed for as long as the bomb disposal squad needs to search the primary facility. If the squad expects the search to take two hours or more, the secondary location plan is executed: all students and their guardians are informed of the change in exam timing and of the secondary location's address. If the squad declares that there is no bomb, or that the device has been disarmed, the second session of exams is held at the primary location. Because the aim of such a threat is to avoid the exam, the exam is rescheduled rather than cancelled, and the call records are preserved so that the caller can be traced.
After you restore files following an incident, users complain that some of their data files are missing. What might have happened?
The restore was taken from a backup that is older than the incident, so everything created or changed after that backup is gone. This is a recovery point objective (RPO) problem rather than a recovery time problem: if backups run at 5:00 PM and the incident occurs at 4:30 PM the next day, the restored files are in their state as of the previous day's 5:00 PM, and almost a full day of work is missing. Other possibilities are that the backup job excluded some directories or file types, that it was an incremental backup and not every increment was restored, or that the backup media were incomplete or damaged. The remedy is to shorten the backup interval to match the RPO the business actually needs and to test restores regularly, not just backups.