Week Nine Assignments
Theme for the Week - Intruders and Malicious Software
Learning Objectives:
• Describe the methods used to detect intrusion detection.
• Design a network infrastructure that provides defense in depth against intruders.
• Create network policies that provide an appropriate level of security while not unduly restricting users or throughput.
• Differentiate between intrusion prevention systems and intrusion detection systems.
• Differentiate between viruses, worms, and other forms of malware.
• Produce a plan for a secure network infrastructure that addresses known malware threats.
• Describe the profile of a Denial of Service Attack.
• Explain how a worm monitor is used to detect the presence of a worm.
Readings:
• Chapters 9 and 10 in your textbook.
This week:
Dealing with intruders and malware is a problem that never goes away and requires constant attention. We can put the best defenses money can buy on the main approaches to our network, while overlooking hidden pathways that lead directly to our most sensitive data. You can never be too smart on these subjects. That is why this lesson is probably the most important one in this course. Our book deals with the theory behind intrusion detection and password management, two important components of a secure network design. However, there is also a practical side to prevention and detection that the book does not cover. We will examine some of the tools that are available during our forum discussion this week.
Malware, short for malicious software, is designed to be installed on computer systems or other devices on your network, often without your knowledge. Its purposes are varied, and usually malicious. Some existing malware programs compromise security, capture user and credit card information, and provide remote control access to intruders.
Malware is usually installed due to some action on the part of a user. For example, if your Internet Explorer security settings are set too low, you can download and install malware simply by visiting some websites.
Preventing malware from entering your system or removing it when prevention fails is of paramount importance because malware can easily be used by intruders to bypass or neutralize security.
There are two important points that need to be made, up front. The first is that prevention and detection are defensive strategies. They are the equivalent of building a fortification and posting sentries. In fact, some of the devices that provide those services (SonicWall, Watchguard, Tripwire, etc) have Medieval sounding names reminiscent of Knights, castles, boiling oil, and catapults. An example of an offensive strategy would be to create a foolproof DNA exam that would identify potential hackers in primary school and exile them to a desert island surrounded by man eating sharks where there are no computers or Internet. We must be defensive because we have no way of going on the offense against attacks that haven't happened yet. However, we can build our defenses. That is being proactive, which leads me to the second point. We must be proactive rather than reactive. Designing prevention and detection into networks saves us from having to say we are sorry when the next attack comes. If we do nothing up-front, we should polish our resumes and practice interviewing for net IT jobs. The first high wind that accompanies an attack will blow us away.
Regarding this week's assignments, I recommend you start with the forum questions. After reading them, progress to the reading while paying particular attention to those concepts that provide answers. Make your initial forum posting early, as that will give you more questions to choose from as well as giving us more time to respond.
Assignment 9_1 (On-line Quiz)
Take this ten question true/false and multiple choice chapter quiz over the reading assignment. Quizzes are a "participation grade," which means that you can retake them as many times as necessary. However, please be aware that low scores are a sign that you need to go back to the reading assignment, slow down, and read more carefully.
You need to take the quiz by the end of the week to earn credit.
Assignment 9_2 (Post to this week's discussion forum)
Read all of the following questions, select one, and post a substantive answer to it on this week's discussion forum in your own words. Please select a question that has not been previously answered by one of your classmates, until all questions have been answered at least once. Once that has been done, you may select any question that has only been answered once. Some of the questions fall outside of the scope of your reading, so be prepared to use other sources to answer them. Once you have submitted your initial post, read each initial post and respond to at least three.
Remember to cite your sources. It is important to note that your posts should be in your own words unless I explicitly state otherwise. Copying an answer directly from the Internet to the discussion forum without citing it is considered plagiarism. Copying and properly citing something from the Internet will not fulfill the requirement to express your initial post in your own words, but could be done in cases where you want to share information with the group that is in addition to your initial forum posting for the week.
1. What types of intrusion detection devices are available and how do they work? Use the Internet and other appropriate sources. Provide examples and prices, if available. (IDP75 by Juniper Networks is a good starting point.)
2. What recommendations would you make regarding a password policy for a secure network? In your answer, address all of the issues that you feel are important, including password length, history, composition, duration, management, storage, and complexity. In your opinion, when should passwords be shared?
3. Would you consider intrusion detection to be a proactive or reactive function? How about intrusion prevention? Explain your answers and also indicate if each would be part of an offensive or defensive strategy.
4. Why is it easier for insiders to attack your system than it is for outsiders and how can you design in protection for your network that includes insiders?
5. How can you configure a network to enforce its own intrusion detection and protection policies using automation? Provide some examples.
6. What hardware devices, software packages, or services are available that provide network profiling? Where would you locate them in your network and how would they be configured. Hint: You could start with Network Sentry by Bradford Networks or SECODE IDS/IPS 24/7 - Network Profiling.
7. What is a Bloom filter, how does it work, and where does it fit in the scheme of overall network security? Include in your answer an explanation of the term probabilistic techniques.
8. In your opinion, when do we need intrusion detection and when don't we? Since this is really more than an opinion question, you need to back up your opinion with supporting information.
9. Why are distributed intrusion detection systems needed? It would seem to me that if we can detect an intruder at one machine we can block for all. I think this is just an effort on the part of some high priced security consultants to make money. What do you think?
10. Most of you are familiar with the story about the Emperor's new clothes. If you substitute "network intrusion detection/prevention system" for "clothes", the story would still work (those systems cost a kingly sum and some kid is yelling, "You don't have any protection.") How can we know that we are not buying vaporware and that we are actually getting our money's worth? Worse yet, could criminals be marketing them to us so that they can gain access to our networks?
11. What is a virus, what does it do, and how does it propagate? Provide an example of a well-known virus.
12. How would you protect your network against a virus attack? You need to be specific in your solution.
13. What is a worm, what does it do, and how does it propagate? Provide an example of a well-known worm.
14. How would you protect your network against a worm attack?
15. How can you lower your vulnerability to attack by malware from sources outside of your local network?
16. How can you lower your vulnerability to attack by malware from sources inside your local network?
17. What would be your strategy to protect secret data stored on a network that was accessed by inside users?
18. What measures would you take to enable the use of USB 2.0 drives in your network while providing protection from the malware they might carry?
19. Once you have removed malware from a computer on your network, how can you be sure all traces of it are gone?
20. What defense would you use against a denial of service attack to a secure network?
Our trivia question for the week: What is code talking and how was it used in World War 2?
General Posting Guidelines (for participation): Postings are counted as participation for the week. Make sure all postings for this week's assignments are posted to this week's discussion forum. You must post at least two substantive messages to get minimum credit for participation (a 'C' grade). Two messages on different days gets a 'B' for participation - more postings (including answering other questions) get more credit. To qualify for an 'A' grade, you must post at least three critical thinking messages on three different days. Postings on the last day of the lesson will not count for credit since other students will not have sufficient time to respond or participate in your discussion. Post early and often. Don't wait until the last minute!
Assignment 9_3
Pick one of the two scenarios below for your weekly paper assignment.
(1) In your role as security consultant, you just installed an intrusion detection system (IDS) for a customer that provides Web services. The customer calls you to complain that the new device is randomly blocking his customers from accessing their services. In fact, two of them have threatened to move their business elsewhere unless the problem is fixed in the next four hours. What would you do to rectify the situation? Based on what you have read and learned about intrusion detection systems, formulate an approach to solving this problem. Summarize your approach in an executive presentation of 8-12 PowerPoint slides. Put any additional information in the Notes section of each slide. You may use any appropriate source for this assignment. Remember to cite your sources.
(2) Companies like Symantec, McAffee, Trend Micro, Kaspersky, etc. provide enterprise-level malware protection. Choose a major anti-virus company and familiarize yourself with their product line. Using what you learned from your research and this week's reading assignment, create an executive presentation of 8-12 PowerPoint slides on the product and on how you would install an enterprise malware solution on a hypothetical network with 50 Windows servers and 2000 Windows 7 computers. Provide sufficient detail about hardware devices and software and where they would be installed. Create a high-level Visio diagram to accompany your proposal that shows the layout of your software. It is not necessary to diagram your complete network, just a high level representation of it. For example, you could represent the 2000 Windows 7 computers with one Icon labeled Windows 7 Workstations (2000). However, if you include a security appliance that provides malware protection, it should be included as a separate icon. Also, indicate location of software components (clients, servers, databases, management tools, etc) on your diagram, as well.
Save your solution to a file named CYBR515 Assignment 9_3 , and attach it to this assignment.
Assignment 9.4 Milestone 4 (Due next week)
You should devote some time to the Milestone 4 submission for your semester project this week. The next set of deliverables are due on the last day of Week 10. Get started as soon as you can to avoid the last minute rush.
