3.6 Analyze and differentiate among types of mitigation and deterrent techniques
The process of securing a computer system is called Hardening. There are several things that one need to remember for hardening a PC. These include:
Removing non-essential programs, and services. These may provide back-doors for an attacker.
Installing an anti-virus package, and a spyware remover
Removing unnecessary protocols. If you are using only TCP/IP (required for connecting to the Internet), keep that protocol and remove all other protocols.
Disable guest account
Rename Administrator account
Enable auditing, so that you can view any logon attempts.
Installing latest patches, and service packs to operating system, and software.
A few techniques used by IDS (Intrusion Detection Systems) include the following:
Anomaly detection : Anomaly detection method establishes a baseline of normal usage patterns, and anything that widely deviates from the baseline is investigated for possible intrusion. An example of this would be if a user logs on and off of a machine 10 times a day instead of the normal once or twice a day.
Signature detection : Signature detection uses specifically known patterns of unauthorized behavior to predict and detect subsequent similar attempts. These specific patterns are called signatures.
Target monitoring :Target monitoring systems do not actively search for anomalies or misuse, but instead look for the modification of specified files.
Stealth probes
IDS stands for Intrusion Detection System. There are primarily two types of IDSs. These are Network based IDS (NIDS), and Host based IDS (HIDS). If the IDS monitors network wide communication, it is called Network based IDS, and if the IDS monitors security on a per host basis, it is called Host based IDS.
A host based IDS should be place on a host computer such as a server. Network based IDS is typically placed on a network device such as a router.
Application log: The application log contains events logged by applications or programs. For example, a database program might record a file error in the application log. The developer decides which events to record.
System log: The system log contains events logged by the Windows 2000 system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log. The event types logged by system components are predetermined.
Security log: The security log can record security events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files. An administrator can specify what events are recorded in the security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the security log.
Antivirus log: Antivirus log analyzer can process log files from various antivirus packages and generate dynamic statistics from them, analyzing and reporting events.
Computer log files can be tampered with by a hacker to erase any intrusions. Computer logs can be protected using the following methods:
Setting minimal permissions
Using separate logging server
Encrypting log files
Setting log files to append only
Storing them on write-once media
3.7 Implement assessment tools and techniques to discover security threats and vulnerabilities
Honeypots: Honeypots are designed such that they appear to be real targets to hackers. That is a hacker can not distinguish between a real system and a decoy. This enables lawful action to be taken against the hacker, and securing the systems at the same time.
Protocol Analyzer And Packet Analyzer (Sniffer): These are loaded on a computer and are controlled by the user in a GUI environment; they capture packets enabling the user to analyze them and view their contents. Example Network Monitor
Honeynet: honeynet is one or more computers, servers, or an area of a network; these are used when a single honeypot is not sufficient. Either way, the individual computer, or group of servers, will usually not house any important company information.
Port scanner: port scanner used to find open ports on multiple computers on the network.
Software Updates: Any software is inherently prone to vulnerabilities. Therefore, software manufacturers provide updates or patches to the software from time to time. These updates usually take care of any known vulnerabilities. Therefore, it is important to apply these updates. Additional functionality is also one of the reasons for applying software updates. However, many times, it is not the compelling reason to apply the updates.
3.8 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning
Vulnerability testing is part of testing corporate assets for any particular vulnerability. These may include:
Blind testing: Here the hacker doesn’t have a prior knowledge of the network. It is performed from outside of a network.
Knowledgeable testing: Here the hacker has a prior knowledge of the network.
Internet service testing: It is a test for vulnerability of Internet services such as web service.
Dial-up service testing: Here the hacker tries to gain access through an organization’s remote access servers.
Infrastructure testing: Here the infrastructure, including protocols and services are tested for any vulnerabilities.
Application testing: The applications that are running on an organization’s servers are tested here.
Copyright © Anand Software and Training Private Limited.