Module 5: Handling Network Security Incident

Question 1

What is a denial-of-service attack (DoS)

Answer 1

A network security incident where intended authorized users are prevented from using system, network, or applications.

Question 2

TRUE or FALSE: Physically damaging the cables and other resources are a form of DoS

Answer 2

TRUE

It prevents authorized users from using the network

Question 3

What is the difference between DDoS and DoS attacks

Answer 3

DDoS is where a single system is attacked by a large number of infected machines over the Internet. DoS is normally done by a single machine flooding the network

Question 4

What are the two steps in performing a DDoS attack

Answer 4

• Building an attack network (Getting zombies)

* Launching attack on a target system (Using malicious programs in infected systems)

Question 5

How can you tell if a DoS attack is occuring to a host or network service

Answer 5

• User reports system unavailability
• Undefined connection loss
• Alerts from NIDS & HIDS
• Increased network bandwidth
• A host having a number of connections
• Asymmetric network traffic pattern
• Unprecedented log entries of firewall and router
• Data packets with abnormal source addresses

Question 6

How can Internet Service Provider (ISP) be used to help handling network based DoS attacks

Answer 6

ISP’s maintain traffic logs and after checking the logs during the DoS they can trace the source of attack

Question 7

TRUE or FALSE: There is a foolproof solution against DoS attack.

Answer 7

FALSE

Question 8

What are the major DoS response strategies

Answer 8

• Absorb the attack
• Degrade services
• Shut down the services

Question 9

What steps can you use to prevent a DoS incident

Answer 9

• Configuring firewall rules to block traffic
• Filter ICMP traffic
• Block the non-critical services such as echo
• Close unnecessary ports
• Block unassigned IP address ranges

Question 10

TRUE or FALSE: It is generally not possible to prevent DoS by blocking a few source IP addresses.

Answer 10

TRUE

Question 11

What is classified as unauthorized access incidents

Answer 11

Gaining of illegal access to resources without authorization

Question 12

How do attackers gain unauthorized access

Answer 12

• Exploiting vulnerabilities in OS or software application
• Steal user authentication credentials
• Using social engineering tricks
• Insider threats

Question 13

Which team do you need to discuss with should an unauthorized access incident happens

Answer 13

The Network Security Admins

Question 14

What needs to happen to the passwords in the event of an unauthorized access incident

Answer 14

The passwords need to change

Question 15

To help with network security what might help prevent an unauthorized access incident

Answer 15

• Arrange network to block suspicious traffic
• Secure all the remote access
• Put any public service in a DMZ
• Use private IP addresses for internal use

Question 16

To help with host security what might help prevent an unauthorized access incident

Answer 16

• Perform vulnerability assessments
• Disable unnecessary services
• Least privileges
• Install host-based firewall
• Auto lock idle screens and log off before leaving
• Verify permission settings

Question 17

How might you contain or stop unauthorized access

Answer 17

• Isolate the affected systems (get them off the network)
• Disable the affected service (such as OWA for Gulfstream)
• Restrict the attacker entering into the environment (Blocking the incoming connection)
• Disable the user accounts used in an attack
• Enhance physical security measures

Question 18

TRUE or FALSE: As a recommendation for handling the unauthorized access incidents, we as an organization should establish the password security policy such that users change their passwords regularly

Answer 18

TRUE

Question 19

What is an Inappropriate Usage Incident

Answer 19

When a user’s actions violate the acceptable computing use policies

Question 20

TRUE or FALSE: Downloading porn is not a violation of the inappropriate usage policy

Answer 20

FALSE

Question 21

TRUE or FALSE: Sending spam mails which promote the personal business is not a violation of the inappropriate usage policy

Answer 21

FALSE

Question 22

TRUE or FALSE: Sending email(s) to a third party with the spoofed source email address from the company is a violation of the inappropriate usage policy

Answer 22

TRUE

Question 23

TRUE or FALSE: Performing the DoS attack against any other organization using the company resources is a violation of the inappropriate usage policy

Answer 23

TRUE

Question 24

What are three indications of unauthorized service usage, access to appropriate materials, and attack against external party that are used to detect these inappropriate usage incidents

Answer 24

• Alert from IDS
• Report of the user/Reports from the outside party
• Log entries of the application, network, and hosts

Question 25

TRUE or FALSE: Creation of the new files or directories with abnormal names are an indication of unauthorized service usage

Answer 25

TRUE

Question 26

Who should be consulted when handling inappropriate usage incidents

Answer 26

HR and Legal

Question 27

How can incident handler register the log of user activities such as FTP commands, web requests, and email headers

Answer 27

Through proxies and application logs or by some network-based IDPS sensors

Question 28

When all else fails what is the one most appropriate action taken to prevent inappropriate usage incidents

Answer 28

Increasing the awareness among the users for appropriate behavior

Question 29

TRUE or FALSE: Consider limiting outbound connections that use encrypted protocols such as SSH, HTTPS, and IPsec to help prevent an inappropriate usage incident

Answer 29

TRUE

The user can use the proxy server for downloading illegal material from websites since the connection is encrypted. Network security controls cannot determine the nature of the activity.

Question 30

What is the most important action to be performed in a case of inappropriate usage incidents

Answer 30

Acquiring the evidence

Question 31

TRUE or FALSE: Normally containment, eradication, or recovery actions are required for the inappropriate usage incidents

Answer 31

FALSE

Question 32

What actions are considered helpful in an inappropriate usage incident

Answer 32

Delete the objectionable materials or to uninstall unauthorized software

Question 33

What is a multiple component incident

Answer 33

A combination of two or more attacks in a system

Question 34

TRUE or FALSE: Multiple component incidents are easy to analyze

Answer 34

FALSE

It is often too difficult for the handler to understand that the incident is composed of several stages

Question 35

What should the incident handling team do after the containment strategy to stop multiple component incidents

Answer 35

They should not stop determining the incident after getting any signs of the component about the incident

Question 36

What are the 3 recommendations suggested to handle multiple component incidents

Answer 36

• Use centralized logging and event correlation software
• At first control the initial incident then search for the signs of other component
• Individually prioritize incident components to be handled

Question 37

In a DDoS attack, attackers first infect multiple systems which are known as

Answer 37

Zombies

Question 38

What is not considered a multiple component incident

• An insider intentionally deleting files from a workstation
• An attacker using email with malicious code to infect internal work station
• An attacker redirecting user to a malicious website and infects his system with Trojan
• An attacker infecting a machine to launch a DDoS attack

Answer 38

An insider intentionally deleting files from a workstation