Spring 2016
Marshall University
March 13, 2016
Every organization now invests heavily in having the best possible security for its
information. Providing physical security is one of the aspects an organization
maintains, but in an era of growing cybercrime, organizations are investing
heavily in having a secure network within their premises. One of the major
threats to any IT organization is intrusion into its sensitive data. Sensitive data
can be of any kind, depending on the type of organization. Any organization with
a weak network is liable to be attacked by cyber criminals.
Example of iCloud hacking: personal information of consumers was misused.
Some of the measures to be taken to avoid such attacks are:
a) Monitor systems:
All security products are manmade and can fail or be compromised. As with any
other aspect of technology, one should never rely on simply one product or tool.
Enabling logging on your systems is one way to put your organization in a position
to identify problem areas. The problem is, what should be logged? There are some
security standards that can help with this determination. One of these standards is
the Payment Card Industry Data Security Standard (PCI DSS). Requirement 10
of the PCI DSS states that organizations must track and monitor access to network
resources and cardholder data. If you simply substitute confidential information
for the phrase cardholder data, this requirement is an excellent approach to a log
management program.
b) Identify and utilize built-in security features of the operating system and
applications:
Many organizations and systems administrators state that they cannot create a
secure organization because they have limited resources and simply do not have
the funds to purchase robust security tools. This is a ridiculous approach to security
because all operating systems and many applications include security mechanisms
that require no organizational resources other than time to identify and configure
these tools.
One of the biggest concerns in an organization today is data leaks, which are ways
that confidential information can leave an organization despite robust perimeter
security. USB Flash drives are one cause of data leaks; another is the recovery of
data found in the unallocated clusters of a computer's hard drive. Unallocated
clusters, or free space, as it is commonly called, is the area of a hard drive where
the operating system and applications dump their artifacts or residual data.
Although this data is not viewable through the graphical user interface, the data
can easily be identified (and sometimes recovered) using a hex editor such as
WinHex or one of the several commercially available computer forensics
programs.
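The leak described above, as an added example that is not part of the original assignment: a constructed in-memory volume shows that deleting a file only clears its allocation entry, so a marker search over the unallocated clusters (what a hex editor or forensics tool does) still recovers the record until the free space is overwritten. The cluster size, file name and record are made-up values.

```python
"""Added example: why data left in unallocated clusters is a leak, modelled
on a constructed in-memory disk image (not a real filesystem)."""
CLUSTER_SIZE = 16      # toy value; real volumes typically use 4 KiB clusters
CLUSTER_COUNT = 8


class ToyDisk:
    """A minimal volume: raw cluster storage plus an allocation bitmap.
    As on a real filesystem, deleting a file only clears its bitmap entries;
    the bytes in the clusters stay until something overwrites them."""

    def __init__(self):
        self.raw = bytearray(CLUSTER_SIZE * CLUSTER_COUNT)
        self.allocated = [False] * CLUSTER_COUNT
        self.files = {}            # name -> list of cluster indexes

    def write_file(self, name, data):
        clusters = []
        for offset in range(0, len(data), CLUSTER_SIZE):
            idx = self.allocated.index(False)          # first free cluster
            chunk = data[offset:offset + CLUSTER_SIZE].ljust(CLUSTER_SIZE, b"\0")
            self.raw[idx * CLUSTER_SIZE:(idx + 1) * CLUSTER_SIZE] = chunk
            self.allocated[idx] = True
            clusters.append(idx)
        self.files[name] = clusters

    def delete_file(self, name):
        for idx in self.files.pop(name):
            self.allocated[idx] = False                # metadata change only

    def unallocated_bytes(self):
        """The 'free space' a hex editor would show: every unallocated cluster."""
        return b"".join(bytes(self.raw[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE])
                        for i in range(CLUSTER_COUNT) if not self.allocated[i])

    def wipe_free_space(self):
        """Mitigation: overwrite free clusters so residual data cannot be carved."""
        for i in range(CLUSTER_COUNT):
            if not self.allocated[i]:
                self.raw[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE] = b"\0" * CLUSTER_SIZE


def carve(blob, marker):
    """Search raw bytes for a known marker and return the record that follows it
    (up to the NUL padding), or None if the marker is absent."""
    pos = blob.find(marker)
    if pos < 0:
        return None
    end = blob.find(b"\0", pos)
    return blob[pos:end if end >= 0 else len(blob)]


def demo():
    disk = ToyDisk()
    # constructed sample record standing in for confidential data
    disk.write_file("cust.txt", b"CONFIDENTIAL: acct 0000-1234 balance 9000")
    disk.delete_file("cust.txt")
    leaked = carve(disk.unallocated_bytes(), b"CONFIDENTIAL")   # still there
    disk.wipe_free_space()
    after_wipe = carve(disk.unallocated_bytes(), b"CONFIDENTIAL")  # gone
    return leaked, after_wipe


if __name__ == "__main__":
    print(demo())
```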
c) Do not forget the basics:
Many organizations spend a great deal of time and money addressing perimeter
defenses and overlook some fundamental security mechanisms, as described here:
Change default account passwords
Use robust passwords
Close unnecessary ports
encryption is created that, with modern computing, creates a cipher that itself is
impossible to break.
Advantages of modern ciphers in protecting sensitive information are given below:
Data Integrity: Cryptographic hash functions play an essential part in assuring
users of the integrity of their data.
Confidentiality: Encryption can protect data and communications from
unauthorized disclosure and access.
Non-repudiation: Digital signatures provide the non-repudiation service that
guards against disputes that might arise from a sender denying having sent a
message.
Authentication: Cryptographic techniques such as MACs and digital signatures
can protect data against spoofing and forgery.
3. (Ch. 3) Intrusion Detection (15 points) - In your own words, briefly summarize
what a system intrusion is; additionally, list three (3) examples of system
intrusions, and for each example how the intrusion can be identified by a
system technician.
Computer hackers are able to access the information stored on computers if these
aren't properly protected. Hackers often do this using automated intruder programs.
These programs usually look for 'Trojans' installed on people's computers.
Examples of System intrusions:
Denial-of-Service Attack
The denial-of-service attack prevents normal use of your computer or network by
valid users.
After gaining access to your network, the attacker can do any of the following:
-Randomize the attention of your internal Information Systems staff so that they do
not see the intrusion immediately, which allows the attacker to make more attacks
during the diversion.
-Send invalid data to applications or network services, which causes abnormal
termination or behavior of the applications or services.
-Flood a computer or the entire network with traffic until a shutdown occurs
because of the overload.
-Block traffic, which results in a loss of access to network resources by authorized
users.
Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when someone between
you and the person with whom you are communicating is actively monitoring,
capturing, and controlling your communication transparently. For example, the
attacker can re-route a data exchange. When computers are communicating at low
levels of the network layer, the computers might not be able to determine with
whom they are exchanging data.
Man-in-the-middle attacks are like someone assuming your identity in order to
read your message. The person on the other end might believe it is you because the
attacker might be actively replying as you to keep the exchange going and gain
more information. This attack is capable of the same damage as an application-layer
attack, described later in this section.
Sniffer Attack
A sniffer is an application or device that can read, monitor, and capture network
data exchanges and read network packets. If the packets are not encrypted, a sniffer
provides a full view of the data inside the packet. Even encapsulated (tunneled)
packets can be broken open and read unless they are encrypted and the attacker
does not have access to the key.
Using a sniffer, an attacker can do any of the following:
Analyze your network and gain information to eventually cause your network to
crash or to become corrupted.
5. (Ch. 5) Network Intrusions (15 points) In your own words, briefly describe
what a network intrusion is; additionally, list three (3) examples of network
intrusion attacks, and list three (3) techniques or strategies to defend against
these attacks.
6. (Ch. 26) Intrusion Prevention & Detection Systems (15 points) In your own
words, briefly describe the difference between host-based and network-based
intrusion detection systems; additionally, list two (2) advantages and two (2)
disadvantages of host-vs-network-based solutions.
Host-based intrusion detection systems (IDSes) protect just that: the host or
endpoint. This includes workstations, servers, mobile devices and the like. Host-based
IDSes are one of the last layers of defense. They're also one of the best
security controls because they can be fine-tuned to the specific workstation,
application, user role or workflows required.
A network-based IDS often sits on the ingress or egress point(s) of the network to
monitor what's coming and going. Given that a network-based IDS sits further out
on the network, it may not provide enough granular protection to keep everything
in check -- especially for network traffic that's protected by SSL, TLS or SSH.
Advantages of NIDS:
Easy deployment: Deploying such a system is easier, as you will
not have to change your existing infrastructure or systems. This is
because such systems run as their own autonomous system.
Less cost: These systems can be installed for all the network
segments, so they eliminate the requirement of software at each
host in a network segment, lowering the cost of ownership.
Disadvantages of NIDS:
If you try to cut down the false positive rate, this can affect NIDS reliability.
Tasks like analyzing and filtering have to be done manually.
success and continuity of any organization; list these four (4) components
and briefly summarize how each ensures the security of the organization.
There are some key components that are crucial for the success and continuity of
any organization. These are information assurance, information risk management,
defense in depth, and contingency planning.
Information Assurance: Information assurance is achieved when information and
information systems are protected against attacks through the application of
security services such as availability, integrity, authentication, confidentiality, and
nonrepudiation.
The application of these services should be based on the protect, detect, and react
paradigm. This means that in addition to incorporating protection mechanisms,
organizations need to expect attacks and include attack detection tools and
procedures that allow them to react to and recover from these unexpected attacks.
Information Risk Management: The likelihood of something going wrong and
damaging your organization or information assets. Due to the ramifications of such
risk, an organization should try to reduce the risk to an acceptable level. This
process is known as information risk management. Risk to an organization and its
information assets, similar to threats, comes in many different forms.
Defense in Depth: The principle of defense in depth is that layered security
mechanisms increase security of a system as a whole. If an attack causes one
security mechanism to fail, other mechanisms may still provide the necessary
security to protect the system. This is a process that involves people, technology,
and operations as key components to its success; however, those are only part of
the picture. These organizational layers are difficult to translate into specific
technological layers of defenses, and they leave out areas such as security
monitoring and metrics.
Contingency Planning: Contingency planning is necessary in several ways for an
organization to be sure it can withstand some sort of security breach or disaster.
Among the important steps required to make sure an organization is protected and
able to respond to a security breach or disaster are business impact analysis,
incident response planning, disaster recovery planning, and business continuity
planning. These contingency plans are interrelated in several ways and need to stay
that way so that a response team can change from one to the other seamlessly if
there is a need. Business processes and assets follow a clear strategy to recover
from interruption for these reasons:
(Ch. 59) System Security (10 points) In your own words, describe what
the purpose of a systems security plan is; list three (3) important aspects of
system security and briefly explain how the implementation of each
improves the security of systems.
Information only has value if it is correct. Information that has been tampered with
could prove costly. For example, if you were sending an online money transfer for
$100, but the information was tampered in such a way that you actually sent
$10,000, it could prove to be very costly for you.
As with data confidentiality, cryptography plays a very major role in ensuring data
integrity. Commonly used methods to protect data integrity include hashing the
data you receive and comparing it with the hash of the original message. However,
this means that the hash of the original data must be provided to you in a secure
fashion. A more convenient method is to use existing schemes such as GPG
to digitally sign the data.
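An added example (not from the original assignment) of the point above: a hash shipped alongside the message can simply be recomputed by whoever tampers with it, whereas a keyed MAC (HMAC, standing in here for the GPG signature, with a shared key the attacker does not hold) detects the $100 to $10,000 change. The message text, account number and key are constructed values.

```python
"""Added example: a bare hash next to the message gives no integrity if the
attacker can rewrite both; a keyed MAC with a key the attacker lacks does."""
import hashlib
import hmac


def tag_for(msg, key=None):
    """Plain SHA-256 hex digest when no key is given, HMAC-SHA256 otherwise."""
    if key is None:
        return hashlib.sha256(msg).hexdigest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_transfer(amount, key=None):
    # constructed sample transfer message
    msg = f"transfer {amount} USD to acct 12345".encode()
    return msg, tag_for(msg, key)


def verify(msg, tag, key=None):
    # constant-time comparison so the check itself leaks nothing
    return hmac.compare_digest(tag_for(msg, key), tag)


def tamper(msg, tag):
    """Attacker on the path changes $100 to $10,000. The best they can do is
    recompute a plain hash; without the key they cannot produce a valid HMAC."""
    new_msg = msg.replace(b"100 USD", b"10000 USD")
    return new_msg, hashlib.sha256(new_msg).hexdigest()


def tampering_undetected(key=None):
    """True means the receiver accepted the altered transfer."""
    msg, tag = make_transfer(100, key)
    bad_msg, bad_tag = tamper(msg, tag)
    return verify(bad_msg, bad_tag, key)


if __name__ == "__main__":
    print("plain hash, tampering undetected:", tampering_undetected())
    print("HMAC, tampering undetected:", tampering_undetected(b"shared-secret-key"))
```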
c) Availability: Availability of information refers to ensuring that authorized
parties are able to access the information when needed.
Information only has value if the right people can access it at the right times.
Denying access to information has become a very common attack nowadays.
Almost every week you can find news about high profile websites being taken
down by DDoS attacks. The primary aim of DDoS attacks is to deny users of the
website access to the resources of the website. Such downtime can be very costly.
Other factors that could lead to lack of availability to important information may
include accidents such as power outages or natural disasters such as floods.
How does one ensure data availability? Backup is key. Regularly doing off-site
backups can limit the damage caused by damaged hard drives or natural disasters.
For information services that are highly critical, redundancy might be appropriate.
Having an off-site location ready to restore services in case anything happens to
your primary data centers will heavily reduce the downtime if anything happens.
9. (Ch. 60) Securing the Infrastructure (15 points) Summarize the functions of
both the infrastructure switch and a router; compare and contrast how these
functions are different. Additionally, list three (3) types of attacks against the
infrastructure network and include their impact on security; finally list two (2)
countermeasures against these attacks.
Router vs. switch comparison (rebuilt from the flattened two-column table):

Definition
  Router: A router is a networking device that connects a local network to other
  local networks. At the Distribution Layer of the network, routers direct traffic
  and perform other functions critical to efficient network operation.
  Switch: A network switch is a computer networking device that is used to connect
  many devices together on a computer network. A switch is considered more advanced
  than a hub because a switch will only send a message to the device that needs or
  requests it.
Bandwidth sharing
  Router: Dynamic (enables either static or dynamic bandwidth sharing for modular
  cable interfaces; the default percent-value is 0, and the percent-value range is
  1-96). Uses IP addresses.
Device Type
  Router: Networking device
Table
  Router: Stores IP addresses in a routing table and maintains the addresses on
  its own.
Rows Used for, Transmission Type, Layer and Routing decision: no cell content
survived in the source.
intruders almost always hide their tracks by disguising the process and cleaning up
the log files.
The best countermeasure against sniffing is end-to-end or user-to-user encryption.
Mapping (Eavesdropping)
Before attacking a network, attackers would like to know the IP address of
machines on the network, the operating systems they use, and the services that they
offer. With this information, their attacks can be more focused and are less likely to
cause alarm. The process of gathering this information is known as mapping.
In general, the majority of network communications occur in an unsecured or
"clear text" format, which allows an attacker who has gained access to data paths
in your network to "listen in" or interpret the traffic. When an attacker is
eavesdropping on your communications, it is referred to as sniffing or snooping.
The ability of an eavesdropper to monitor the network is generally the biggest
security problem that administrators face in an enterprise.
Countermeasures are strong encryption services that are based on cryptography
only. Otherwise your data can be read by others as it traverses the network.
based on different PHY layer designs. It is the job of the PHY layer to translate
between digital bits as represented on a computing device and the analog signals
crossing the specific physical medium used by the PHY. This translation is a
physics exercise.
To send a message, the PHY layer module encodes each bit of each message from
the sending device as a media-specific signal or wave form, representing the bit
value 1 or 0. Once encoded, the signal propagates along the medium from the
sender to the receiver. The PHY layer module at the receiver decodes the medium
specific signal back into a bit. There are often special symbols representing such
things as the frame start and frame end symbols, and training symbols to
synchronize the receiver with the transmitter. These special symbols provide
control only and are distinct from the symbols representing bits. Wave forms
different from the defined symbols are undefined and discarded by the receiver.
It is possible for the encoding step at the transmitting PHY layer module to fail, for
a signal to be lost or corrupted while it crosses the medium, and for the decoding
step to fail at the receiving PHY layer module. It is the responsibility of higher
layers to detect and recover from these potential failures.
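A toy PHY layer of the kind described above, added here and not part of the original text: bits become Manchester-style symbols, START and END are distinct control symbols, undefined waveforms are discarded by the receiver, and a length-plus-parity check stands in for the higher-layer detection of a lost symbol. All symbol names, the parity scheme and the sample frame are constructed.

```python
"""Added example: a toy PHY encoder/decoder with control symbols, plus the
higher-layer check that notices when the medium ate a symbol."""
# Constructed symbol alphabet: Manchester-style data symbols and two control
# symbols that are distinct from any data symbol.
SYMBOLS = {"1": "HL", "0": "LH", "START": "HH", "END": "LL"}
DECODE = {wave: sym for sym, wave in SYMBOLS.items()}
PAYLOAD_BITS = 4          # fixed payload length agreed by the higher layer


def with_parity(bits):
    """Higher layer appends an even-parity bit before handing bits to the PHY."""
    return bits + str(bits.count("1") % 2)


def encode_frame(bits):
    """Sender PHY: START symbol, one symbol per bit, END symbol."""
    return [SYMBOLS["START"]] + [SYMBOLS[b] for b in bits] + [SYMBOLS["END"]]


def decode_frames(waveforms):
    """Receiver PHY: returns (frames, discarded). Frames are the bit strings
    delimited by START/END; waveforms matching no symbol are dropped."""
    frames, discarded = [], 0
    current = None        # None while outside a frame
    for wave in waveforms:
        sym = DECODE.get(wave)
        if sym is None:   # undefined waveform: discard, keep listening
            discarded += 1
            continue
        if sym == "START":
            current = ""
        elif sym == "END":
            if current is not None:
                frames.append(current)
            current = None
        elif current is not None:
            current += sym
    return frames, discarded


def frame_ok(bits):
    """Higher-layer check: expected length and even parity over the payload."""
    return (len(bits) == PAYLOAD_BITS + 1
            and bits[-1] == str(bits[:-1].count("1") % 2))


def demo():
    clean = encode_frame(with_parity("1001"))
    noisy = list(clean)
    noisy[1] = "XX"       # first data symbol corrupted while crossing the medium
    frames, dropped = decode_frames(clean + noisy)
    return [(f, frame_ok(f)) for f in frames], dropped


if __name__ == "__main__":
    print(demo())
```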
b) The MAC layer: Determines when to send and receive frames
The MAC module is the application that uses and controls a particular PHY
layer module. A MAC layer is always designed in tandem with a specific PHY (or
vice versa), so a PHY/MAC pair together is often referred to as the data link layer.
MAC is an acronym for media access control. As its name suggests, the MAC
layer module determines when to send and receive frames, which are messages
encoded in a media-specific format. The job of the MAC is to pass frames over a
link between the MAC layer modules on different systems. It is further useful to
distinguish physical links and virtual links. A physical link is a direct point-to-point
channel between the MAC layers in two endpoint devices. A virtual link can be
thought of as a shared medium to which more than two devices can connect at the
same time. There are no physical endpoints per se; the medium acts as though it is
multiplexing links between each pair of attached devices. Some media such as
modern Ethernet are implemented as physical point-to-point links but act more like
virtual links in that more than a single destination is reachable via the link. This is
accomplished by MAC layer switching, which is also called bridging.
Timing requirements for coordination among communicating MAC layer modules
make it difficult to build worldwide networks based on MAC layer switching,
however. Mobile devices such as smart phones, laptops, and notepads also make
large-scale bridging difficult, since these devices can shift their attachment points
to the network, thus invalidating the data structures used by switches to effect
switching. Finally, some media such as Wi-Fi (IEEE 802.11) are shared or
broadcast media. In a shared medium all devices can access the channel, and the
MAC design must specify an access control policy that the MAC enforces; this
behavior is what gives the MAC layer its name. Ethernet was originally a shared
medium, but evolved into its present switched point-to-point structure in order to
simplify medium access control.
c) The Network layer: Represents messages in a media-independent
manner. Forwards messages between various MAC layer modules
representing different links
The purpose of the network layer module is to represent messages in a
media-independent manner and to forward them between various MAC layer modules
representing different links. The media-independent message format is called an
Internet Protocol, or IP, datagram. The network layer implements the IP layer and
is the lowest layer of the Internet architecture per se.
The network layer provides a vital forwarding function that works even for a
worldwide network like the Internet. It is impractical to form a link directly
between each communicating system on the planet. Indeed, the cabling costs alone
are prohibitive (no one wants billions, or even dozens, of cables connecting their
computer to other computers), and too many MAC/PHY interfaces can quickly
exhaust the power budget for a single computing system. Hence, each machine is
attached by a small number of links to other devices, and some of the machines
with multiple links comprise a switching fabric.
d) The Transport layer: Implemented by TCP and similar protocols.
Creates and manages two-way channel instances between communication
endpoints.
Supports arbitrary length message delivery.
The transport layer is implemented by TCP and similar protocols. Not all transport
protocols provide the same level of service as TCP, but a description of TCP will
suffice to help us understand the issues addressed by the transport layer. The
transport layer provides a multitude of functions.
First, the transport layer creates and manages instances of two-way channels
between communication endpoints.
These channels are called connections. Each connection represents a virtual
endpoint between a pair of communication endpoints. A connection is named by a
pair of IP addresses and port numbers. Two devices can support simultaneous
connections using different port numbers for each connection. It is common to
differentiate applications on the same host through the use of port numbers.
11.(Ch. 14) Local Area Network Security (15 points) Network security threats
can be placed into one of two (2) different categories; list these categories
and provide one (1) example of each category of threat.
(1) Disruptive type: Most LANs are designed as collapsed backbone networks
using a layer-2 or layer-3 switch. If a switch or a router were to fail due to
power failure, a segment or the entire network may cease to function until
the power is restored. In some cases, the network failure may be due to a
virus attack on the secondary storage, thus leading to loss of data.
Example: Fire, Flood, Earthquake
(2) Unauthorized access type: This access type can be internal (employee) or
external (intruder), a person who would attempt to break into resources such
as database, file, and email or web servers that they have no permission to
access. Banks, financial institutions, major corporations, and major retail
businesses employ data networks to process customer transactions and store
customer information and any other relevant data. Before the birth of the
Internet Age, interim-situational transactions were secured because the
networks were not accessible to intruders or the general public.
Example: spyware, Adware
12.(Ch. 13) Intranet Security (15 points) In your own words, briefly describe
the security challenges created by employee use of mobile technologies such
as tablets and smartphones; additionally, list three (3) technical and/or
administrative controls to mitigate these challenges.
turn can bypass the company firewall to enter the company network to wreak
havoc.
C. Social media risks: By definition, mobile devices are designed in such a way
that they can easily access social media sites, which are the new target for malware
propagating exploits.
These issues can be approached and dealt with by using a solid set of technical as
well as administrative controls:
I. Establish a customized corporate usage policy for mobile devices: This
policy/procedure must be signed by new hires at orientation and by all
employees who ask for access to the corporate VPN using mobile devices
(even personal ones). This should ideally be in the form of a contract and
should be signed by the employee before a portion of the employee's device
storage is partitioned for access and storage of corporate data. Normally,
there should be yearly training highlighting the dos and don'ts of using
mobile devices in accessing a corporate VPN. The first thing emphasized in
this training should be how to secure company data using passwords.
II. Establish a policy for reporting theft or misplacement: This policy
should identify at the very least how quickly one should report thefts of
mobile devices containing company data and how quickly remote wipe
should be implemented. The policy can optionally detail how the mobile
device's feature (app) enabling location of the misplaced or stolen device will
proceed.
III. Establish a well-tested SSL VPN for remote access: Reputed vendors
having experience with mobile device VPN clients should be chosen. The
quality, functionality, adaptability of usage (and proven reputation) of the
VPN clients should be key in determining the choice of the vendor. The
advantage of an SSL VPN compared to IPsec or L2TP for mobile usage is
well known. The SSL VPNs should be capable of supporting two-factor
authentication using hardware tokens. For example, Cisco's Cisco
AnyConnect Secure Mobility Client and Juniper's Junos Pulse App are
free app downloads available within the Apple iTunes App Store. Other VPN
vendors will also have these apps available, and they can be tested to see
how smooth and functional the access process is.
IV. Establish inbound and outbound malware scanning: Inbound scanning
should occur for obvious reasons, but outbound scanning should also be
performed in case the company's email servers become spam relays and get
blacklisted on sites such as Lashback or get blocked to external sites by
force.
13.(Ch. 15) Wireless Security (15 points) List the two (2) main classifications of
wireless networks. Provide two (2) examples of each classification of these
networks. In your own words, describe the major architectural differences
between these two classifications. Finally, what is a common security service
(hint: think chapter 2), and give an example of how this service is utilized by
clients of each wireless network classification to ensure authentication,
confidentiality, and integrity of their data transmissions.
To reduce power consumption and reuse the limited radio spectrum resources, the
cellular network was formed. Cell size is one of the factors in the channel reuse rate.
Basically, the channel reuse rate in a smaller cell size is higher than the channel reuse
rate in a bigger cell size. A cellular architecture then presents a challenge in the
frequent handover procedure, since a smaller cell size usually induces a higher
hand-off frequency. In addition to the cellular network, an ad hoc network is another
network architecture for wireless networks. The ad hoc network is a non-infrastructure
network in which nodes can access services from one another regardless of where
they are. The main difference between a cellular environment and an ad hoc network
is that the ad hoc method has no infrastructure, allowing nodes to communicate with
one another at any time and anywhere.
Extra Credit (5 points): Complete the following equation which quantitatively
measures the impact of a security breach: