Davonte Brown

Unit 5 assignment 1
7-16-2014
NT2580: Unit 5 Testing and Monitoring Se!rit" #ontro$s
Networ% end&oints and networ% devies 'ave di(erent se!rit" onsiderations and
im&$iations) * !ser wor%station im&$ies ertain se!rit" iss!es t'at remain in t'e
!ser domain w'i$e networ% im&$iations remain &art o+ t'e ,*N or ,*N-to--*N
domain) .owever/ d!ring t'e o!rse o+ investigating an intr!sion/ "o! ma" 'ave to
so!re data +rom $ogs %e&t in ro!ting devies and end-!ser s"stems)
Suppose an attacker intrudes upon one of your servers. How do you reconstruct the events of a crime?
Log files are the first place to check for administrative issues and security activity. Log files help you put
together a timeline of events surrounding everything from a performance problem to a security incident.
You can also identify bad system or network activities by observing anomalies from baseline behavior or
identifying certain suspicious actions. Testing ensures that your control and monitoring facilities work as
intended and maintain proper operation. Monitoring ensures that you capture evidence when your testing
procedures fail to eamine all possibilities or legitimate behavior permits unauthori!ed activity.
Identify at least two types of security events and baseline anomalies that might indicate
suspicious activity.
"lways consider that even legitimate traffic can be used in illegitimate ways# and sometimes# legitimate
traffic can appear illegitimate. $rotected services can be attacked from the inside or accessed eternally
through loopholes in firewall rules. %ulnerabilities may remain unidentified by intrusion detection system
&'(S) or intrusion prevention system &'$S) signatures and evade detection. Monitoring helps you capture
pieces of the pu!!le that creates a timeline of events.
Think on the following lines to answer this assignment*
How do you obtain a baseline of system or network behavior?
+hat is an anomaly in relation to baseline behavior?
+hy might certain anomalies be worth investigating?
How can traffic have patterns that signify known attacks?
+hat do log files help you learn that filtering systems overlook?
0 1TT 2d!ationa$ Servies 3age 1
Davonte Brown
Unit 5 assignment 1
7-16-2014
NT2580: Unit 5 Testing and Monitoring Se!rit" #ontro$s
+hy can legitimate traffic sometimes seem suspicious?
$olicy violations and security breaches take many forms# and not all of them are obvious. You might have
a policy that specifies a certain minimum password length but fails to enforce proper compleity allowing
passwords to be easily guessed.
From the following list of end-user policy violations and security breaches, select three breaches
and identify strategies to control and monitor each event to mitigate risk and minimize exposure:
" user made unauthori!ed use of network resources by attacking network entities.
,pen network drive shares allow storage privileges to outside users.
Sensitive laptop data is unencrypted and susceptible to physical theft.
-emote users do not have recent patches or current updates.
Legitimate traffic bearing a malicious payload eploits network services.
"n invalid protocol header disrupts a critical network service.
-emovable storage drives introduce malware filtered only when crossing the network.
$redictable passwords meet minimum length re.uirements but remain easily guessable.
/ad router permissions allow attackers to modify configurations or disrupt traffic.
eliverables:
$lease write a one to two page paper in Microsoft +ord# 01 point font# Times 2ew -oman. $lease
include a properly formatted cover page# and a reference page citing your sources utili!ing "$" 3
formatting.
0 1TT 2d!ationa$ Servies 3age 2
Davonte Brown
Unit 5 assignment 1
7-16-2014
NT2580: Unit 5 Testing and Monitoring Se!rit" #ontro$s
In the simplest terms, a network performance baseline is a set of metrics used in network
performance monitoring to define the normal working conditions of an enterprise network
infrastructure. Engineers use network performance baselines for comparison to catch changes in
traffic that could indicate a problem. Setting a network baseline also provides early indicators
that application and network demands are pushing near the available capacity, giving the
networking team the opportunity to plan for upgrades. Aligning network performance
baselines with existing network service-level agreements S!As" can help the I# organi$ation
stay within capacity parameters and identify problem areas that are falling out of compliance.
#he network monitoring challenge for engineers, however, is to define what is normal for their
organi$ation%s infrastructure. &hile building up your inventory of network devices to monitor, be
sure to include both physical and virtual devices on your list. &ith the current trends in appliance
and server virtuali$ation, virtual switches switches" and virtuali$ed application accelerators are
important considerations when looking at network performance. Serving as network ports within
the environment, switches enable virtual machines to communicate with each other without
having to traverse physical network adapters.
&hile switches speed inter-server communication, they don%t enable a network monitoring tool
to report these paths or receive application performance data. 'ortunately, the networking
industry has recogni$ed the problem and is working to improve the situation, either with more
intelligent switches or through virtual server standards such as (irtual Ethernet )ort Aggregator
0 1TT 2d!ationa$ Servies 3age 4
Davonte Brown
Unit 5 assignment 1
7-16-2014
NT2580: Unit 5 Testing and Monitoring Se!rit" #ontro$s
(E)A", which would enable exposure of virtuali$ed network traffic to traditional network
monitoring tools. *etwork behavior anomaly detection *+A," is the continuous monitoring of
a proprietary network for unusual events or trends. *+A, is an integral part of network behavior
analysis *+A", which offers security in addition to that provided by traditional anti-threat
applications such as firewalls, antivirus software and spyware-detection software. An *+A,
program tracks critical network characteristics in real time and generates an alarm if a strange
event or trend is detected that could indicate the presence of a threat. !arge-scale examples of
such characteristics include traffic volume, bandwidth use and protocol use.
An NBAD program can also monitor the behavior of individual network subscribers. In
order for NBAD to be optimally effective, a baseline of normal network or user
behavior must be established over a period of time. Once certain parameters have
been defined as normal, any departure from one or more of them is flagged as
anomalous. NBAD should be used in addition to conventional firewalls and
applications for the detection of malware. ome vendors have begun to recogni!e
this fact by including NBA"NBAD programs as integral parts of their network
security packages. Abstract
-rgani$ations rely on valid data to make informed decisions. &hen data integrity is
compromised, the veracity of the decision-making process is likewise threatened. ,etecting data
anomalies and defects is an important step in understanding and improving data .uality.
0 1TT 2d!ationa$ Servies 3age 4
Davonte Brown
Unit 5 assignment 1
7-16-2014
NT2580: Unit 5 Testing and Monitoring Se!rit" #ontro$s
#he study described in this report investigated statistical anomaly detection techni.ues for
identifying potential errors associated with the accuracy of .uantitative earned value
management E(/" data values reported by government contractors to the ,epartment of
,efense.
#his research demonstrated the effectiveness of various statistical techni.ues for discovering
.uantitative data anomalies. #he following tests were found to be effective when used for E(/
variables that represent cumulative values0 1rubbs2 test, 3oster test, box plot, autoregressive
integrated moving average A3I/A", and the control chart for individuals. 'or variables related
to contract values, the moving range control chart, moving range techni.ue, A3I/A, and #urkey
box plot were e.ually effective for identifying anomalies in the data. -ne or more of these
techni.ues could be used to evaluate data at the point of entry to prevent data errors from being
embedded and then propagated in downstream analyses. A number of recommendations
regarding future work in this area are proposed in this report.
Every http re.uest submitted as part of this exploit contains many http headers. Although the
exact number and value of these headers could be varied by an attacker, the particular version of
the exploit which was used in the 4556 ,A3)A evaluation sent http 1E# re.uests with the
header %7ser-Agent0 Sioux8r8n9 repeated 4:::: times in each re.uest. #he actual content of the
header is not important for the exploit the exploit is only dependent on the fact that http re.uest
contains many headers. A typical http re.uest contains twenty or fewer headers, so the 4::::
0 1TT 2d!ationa$ Servies 3age 5
Davonte Brown
Unit 5 assignment 1
7-16-2014
NT2580: Unit 5 Testing and Monitoring Se!rit" #ontro$s
headers used by this exploit are .uite anomalous. #he attack could be detected by analy$ing the
A3) protocol, and observing that for a given rap who-has re.uest the machine performing the
attack consistently responds with the wrong often completely bogus" machine-level address. A
*eptune attack can be distinguished from normal network traffic by looking for a number of
simultaneous S;* packets destined for a particular machine that are coming from an
unreachable host.
A host-based intrusion detection system can monitor the si$e of the top connection data
structure and alert a user if this data structure nears its si$e limit. An attempted )ing of ,eath can
be identified by noting the si$e of all I</) packets and flagging those that are longer than =>:::
bytes. +ecause this attack consists of abuse of a perfectly legal action, an intrusion detection
system that is trying to detect a process table attack will need to use somewhat sub?ective criteria
for identifying the attack. #he only clue that such an attack is occurring is an %unusually% large
number of connections active on a particular port. 7nfortunately %unusual% is different for every
host, but for most machines, hundreds of connections to the finger port would certainly constitute
unusual behavior. &hat do log files help you learn that filtering systems overlook@ It helps you if
you have a good password and to know the background of the computer. &hy can legitimate
traffic sometimes seem suspicious@
It can be suspicious because you have to be safe on the files you open because it can have a
virus. #hat was my essay hope you en?oyed.
0 1TT 2d!ationa$ Servies 3age 6
Davonte Brown
Unit 5 assignment 1
7-16-2014
NT2580: Unit 5 Testing and Monitoring Se!rit" #ontro$s
http0AAsearchnetworking.techtarget.comABow-to-set-a-network-performance-baseline-for-
network-monitoring.
http0AAsearchsecurity.techtarget.comAdefinitionAnetwork-behavior-anomaly-detection
http0AAresources.sei.cmu.eduAlibraryAasset-view.cfm@assetidC4::DE
http0AAwww.ll.mit.eduAmissionAcommunicationsAcyberA<S#corporaAidevalAdocsAattack,+.html
0 1TT 2d!ationa$ Servies 3age 7