Chapter 1
A Framework
Name: ___________Tim Simmons______________
E-Mail: ___tim.simmons@us.army.mil; timothy.simmons@freenet.de
Test Your Understanding
2.
a) In the Riptech data, how many times is the average firm attacked each year?
A: at an annual rate of 1,000 times per year.
b) What percent of all firms experienced a highly aggressive attack in the first half of 2002?
A: “Twenty-three percent of all firms examined experienced at least one
sophisticated aggressive attack in the first 6 months of 2002.”
c) Are most attacks targeted at specific firms?
A: No, only 39% of all the attacks where directed at specific firms, the rest
appeared to be random attacks based on the firm’s IP address range.
d) Why are sophisticated aggressive attacks especially dangerous?
A: Because of their sophistication, sophisticated aggressive attacks are 26%
more likely to cause severe damage to networks and computer systems, than
other less sophisticated aggressive attacks.
e) In the SecurityFocus data, how many times is the average firm probed each year?
A: There was an average of 13,000 network scanning probe packets per firm
each year.
f) How many times is the average firm’s website attacked each year?
A: There was an average of 3,000 website attack packet per firm each year.
g) How many times is the average firm subjected to denial-of-service attack packets each year?
Chapter 1: Framework
A: The average firm was subject to 600 denial- of-service attack packets each
year.
h) Which operating systems are attacked frequently?
A: According to this study all popular operating systems are attacked
frequently, although in this study speaks of data that was collected on,
Microsoft Windows, UNIX/LINUX, and Cisco’s OS.
i) In the Honeynet Project data, how quickly were Windows 98 PCs with open shares and
without passwords taken over?
A: According to this project this configuration, which happens to be the
common configuration of most home networks it must have not taken the
attackers much time at all to compromise. These systems were compromised
five times in 4 days.
j) Were LINUX PC servers safe from attack?
A: No, although it took the attackers longer the Red Hat 6.2 LINUX PC
server with default configurations only three days to compromise.
3.
a) Describe the four ways in which tomorrow’s security threats will be worse than
today’s.
A: a. The frequency of attacks is growing – in 2 years we can expect four
times as many incedences.
b. The randomness in victim selection will grow – where earlier attacks
were aimed at specific firms, today’s attacks are equivalent to someone
shooting a gun into a crowd of people.
c. Growing malevolence - the malicious payloads that viruses and worms
carry with them today show a rapidly growing readiness and eagerness to do
damage during attacks.
d. Growing attack automation – viruses and related attacks are not
merely a category of attack. They represent a trend toward attack
automation by the creation of attack robots that spread rapidly using
exploits and approaches formerly used by individual attackers.
b) Should we plan based upon current experiences? Explain.
A: No, although the situation today is bad, today’s threat environment
should not be the basis for planning.
9.
a) What are the goals of both cyberwar and cyberterror?
Page 2
Chapter 1: Framework
A: The goals of both cyberwar and cyberterror are to attack governments or
nongovernmental groups respectively that focus on a country’s IT
infrastructure and its physical infrastructure; in the latter case the attackers
may use computers to assist in the physical attack.
b) Distinguish between cyberwar, cyberterrorism, and amateur information warfare.
A: The difference between cyberwar, cybertorrorism, and amateur
information warfare are the groups that carry them out. Cyberwar and
cyberterrorism will more than likely have better funding and organization,
either through governmental or terrorist organizations. Amateur
information warfare is carried out by individual amateur attackers or small
groups of amateurs.
c) What implications do cyberterror and cyberwar have for corporate IT security planning?
A: Due to the amount of cost of damage caused by information warfare
conducted by individual amateurs that alone was in the billions of dollars;
this should be considered a very large threat and should be given a much
higher priority when it comes to security policy development and planning
(part of PPR).
15.
a) What do firewalls do?
A: Firewalls are designed to keep attacker messages out of the company’s
internal private network while still allowing messages from authorized users
to get through. While examining every packet that enters or leaves a
network, if the firewall detects the signature of an attack message, it drops
the packet. Otherwise the packets are allowed to pass through to the internal
network.
b) What do IDSs do?
A: Like a firewall, an IDS reads each arriving or outgoing packet looking for
attack signatures. However, it takes no action on the packets it examines
beyond storing copies of packets for later forensic analysis and warning the
network administrator.
c) Why must servers be hardened?
A: Because of the known vulnerabilities of default configurations hackers are
given a playing field in which they could very well damage the entire network
if those known vulnerabilities are not closed and security patches are not
installed that fix those problems.
d) What are known vulnerabilities?
Page 3
Chapter 1: Framework
A: Known vulnerabilities are those vulnerabilities that exist in lots of PC
configurations which are installed with default settings and that are known
to exist by the attackers.
e) How are they addressed?
A: Properly setting up servers by “hardening” them and ensuring that the
latest security patches are installed rapidly when they come out.
f) What probably is the single most important thing that companies can do to improve their
security?
A: Patching host software with the latest patches.
21.
a) Why is misconfiguration easy to do?
A: Misconfiguration is easy to do because with firewalls and other security
tool configurations are tricky and somewhat difficult. It is important and
critical that this be done very meticulously.
b) Why is it necessary to update firewalls and other protections?
A: Because the threats never stays the same and change constantly. So it is
important to make sure that the security tools that you are using are not only
configured correctly but also updated regularly.
c) What do security audits do?
A: The configuration of security tools are so complicated that security audits,
which are intentional attacks to test these security features to make sure that
they are working.
d) Why are security audits necessary?
A: Because of the amount of misconfigurations and other failures that are
encountered by these intentional attacks. This gives the IT specialist and
system administrators a chance to fix or patch any leaks in the security
system.
Thought Questions
1.
Why do you think most people focus on security technology rather than on corporate
security management?
A: Too many people rely on technology to do the tough jobs for them these
days. After all isn’t that what is says on the product’s packaging, “Once
installed you are safe from …. Attacks.”
2.
The Riptech and SecurityFocus data indicate that the average firm is attacked thousands
of times per year. Yet only a moderate percentage of people who responded to the
CSI/FBI survey reported incidents. Explain this apparent inconsistency.
Page 4
Chapter 1: Framework
A: I think it is because of the way the data was collected. In the CSI/FBI
survey many attacks are not detected in the average firm. On the other hand
the Riptech and SecurityFocus data were collected there data from the log
files produced by the firewalls when they drop suspect attack packets. It is
only right that Riptech and SecurityFocus have a more accurate account of
the attacks that happen at any given time.
3.
Create three corporate security policies. These policies should be specific. Otherwise,
there would be ambiguity in their application.
A: That is true, it is very easy to misinterpret what is written in some policies
when they are not very specific. They should be dummy-proof.
4.
After the September 11 disaster, National Guard troops were stationed at U.S. airport
checkpoints. In Pennsylvania, at least, the troops were not allowed to load their weapons,
and loading them would take several seconds. What were the risks involved in loading
weapons versus leaving weapons unloaded?
A: Load the Weapons: The worst thing that could have happened would
have been an accidental discharge – which is known to happen.
Leave the Weapons unloaded: These precious seconds could make a
difference when having to react quickly to any situation.
5.
During the height of the September 11, 2001 crisis, a hacker group called Yihat (Youth
Intelligent Hackers Against Terrorism) broke into a Saudi Arabian bank and hacked a
server to seek evidence that terrorists were using the bank. They copied at least a
spreadsheet file. The group’s goal was not to harm the bank but to look for terrorists. The
bank used no firewall and configured the server for easy outside access. Comment on
this.
A: At first it sounds like a bank that I will never use. But looking closely it
looks more than just a bank with a terrible system administrator/analyst. It
looks as if this type of outside access is condoned. Maybe this bank was
allowing this type of access either because they had no real online banking
systems that allow some type of read only access, or it was allowing terrorist
the way to use as much money as they needed for the funding of Jihad.
Troubleshooting Question
1.
You put a firewall between your company and the Internet.
a) Argue for putting the IDS on the Internet side of the firewall.
b) Argue for putting the IDS on the side of your firewall going to the internal network.
Page 5