It540: Secure Computer Network

Secure computer network data

Carl Williams Jr.

Kaplan University

Management of Information Security

IT540

Dr.  K

October 10, 2015

Secure computer network data

Abstract

Unit III of IT540 is a two part assignment.  In Part I, Securing the Network with an Intrusion Detection System (IDS). Capturing screenshots in Part2, Step 19; Part3 Steps 3, 5, and 7.  This exercise is a Snort lab, a scenario so students can become familiar with Snort Software. Part II of the assignment consists of five questions for the student to answer. The questions are to reinforce what the lab showed us with questions highlighted the steps and tools utilized in network protection.

PART I

Part 1: Jones & Bartlett Lab 10: Securing the Network with an Intrusion Detection System (IDS).

Screen Capture  of the Filtered Results

[pic 1]

Alerts Identified by Snort (10/11/2015)

[pic 2]

Abnormal/Unusual Sessions I dentified by Snort

[pic 3]

TFTP GET passwd details Screen Capture

[pic 4]

PART II

Hypothetical Break-In

Q1.   Listed steps that would be taken and utilities that would be used to determine what servers were compromised.

The steps taken when a server has been compromised as the Information Security Office has been notified should act by putting in place the plan for the compromise.  This plan can have the tools and the steps necessary to make a determination of the damage committed. The logs should be checked looking at the command history and the log files in /var/logs.  Look at the file dates, permissions (777) and sizes for anything unusual.  Check cron jobs,  a very popular way for hackers to come back on a system; look for unusual jobs.  Of course use an anti-virus or malware programs to scan and check for compromisation ("Compromised Servers,"  Dec 21, 2012).

There are tools available to when checking a compromised server.  One of the tools that can be used  are VirusTotal is a free online virus scanning service that analyzes files and URLs. This site identify's worms, trojans, viruses or other malicious content detected by website scanners or antivirus engines ("VirusTotal ," n.d.).

Q2: Properly lists files that would be checked, and utilities that would be utilized for the determination.

It's essential to have a list of files to check and utilities when a system has been compromised.  Files to be checked are .ddl, exe, ocx and system binaries are files that you should be checked.  A toolkit/utility to use is that is free called Live Forensic Tool (LFT) that consists of trusted files and tools that can be used for Computer Forensics on Windows computers. As part of the toolkit NirSoft's which include EseInfo, HashMyFiles, CurrProcess, and FoldersReport ("LFT," n.d.).  

If the web server is attacked files that need to be checked should be HTML or CSS files in the case, there have been changes.  Check PHP files that can be used and various web pages used by users. Looking for changes that may have been made to scripts or unknown or new scripts on the web server. Monitor critical systems files with a program called Tripwire a Host Intrusion Detection System (HIDS) ("TripWire," n.d.).

Q3. List included where to check for network account activity. You should also list what the indicators are for attempted network access.

When checking for network activity several files to look for network activity would be the server and application logs. The server logs should be checked looking at the command history and the log files in /var/logs.  Look at the file dates, permissions (777) and sizes for anything unusual.  Check cron jobs,  a very popular way for hackers to come back on a system; look for unusual jobs.  Checking the network traffic using packet analyzers to gather information about users and devices to a connected network.  Useful when an attacker intends to spoof the network.  Wireshark is a useful and popular application for packet analyzing across various platforms.  Firewalls with auditing enabled and Intrusion Detecting Devices can be used to evaluate network traffic.  Another alternative at a cheap cost is netstat,  a simple tool for analyzing open ports. Running a nestat -an will list the listening sockets on the server could reveal any backdoors or errant services.  Microsoft Active Directory with logon auditing enabled by use of domain controllers.  The AD logs will have IP address information, usernames and time of logon to the system (Delaney, 2011).

Q4. Indicated how to check for possible vulnerabilities that could be exploited.

Vulnerabilities or weak spots within the an organization's network can be exploited by a security breach.  These risks need to be identified and addressed before a breach.   Lack of updates on a system is a vulnerability that can provide loss of data,  hours or days of downtime along with that time and personal associated to bring the system back online.  There are possible vulnerabilities to consider in the following table. As a system administrator the left column has vunerabilites and the right column has what to consider to prevent the issue.