Module 5: Handling Network Security Incident Flashcards
What is a denial-of-service attack (DoS)
A network security incident where intended authorized users are prevented from using a system, network, or application.
TRUE or FALSE: Physically damaging the cables and other resources is a form of DoS
TRUE
It prevents authorized users from using the network
What is the difference between DDoS and DoS attacks
DDoS is where a single system is attacked by a large number of infected machines over the Internet. DoS is normally done by a single machine flooding the network
What are the two steps in performing a DDoS attack
- Building an attack network (Getting zombies)
- Launching attack on a target system (Using malicious programs in infected systems)
How can you tell if a DoS attack is occurring to a host or network service
- User reports system unavailability
- Undefined connection loss
- Alerts from NIDS & HIDS
- Increased network bandwidth
- A host having a number of connections
- Asymmetric network traffic pattern
- Unprecedented log entries of firewall and router
- Data packets with abnormal source addresses
How can an Internet Service Provider (ISP) help in handling network-based DoS attacks
ISPs maintain traffic logs, and by checking the logs during the DoS they can trace the source of the attack
TRUE or FALSE: There is a foolproof solution against DoS attack.
FALSE
What are the major DoS response strategies
- Absorb the attack
- Degrade services
- Shut down the services
What steps can you use to prevent a DoS incident
- Configuring firewall rules to block traffic
- Filter ICMP traffic
- Block the non-critical services such as echo
- Close unnecessary ports
- Block unassigned IP address ranges
TRUE or FALSE: It is generally not possible to prevent DoS by blocking a few source IP addresses.
TRUE
What is classified as an unauthorized access incident
Gaining illegal access to resources without authorization
How do attackers gain unauthorized access
- Exploiting vulnerabilities in OS or software application
- Stealing user authentication credentials
- Using social engineering tricks
- Insider threats
Which team do you need to consult should an unauthorized access incident happen
The Network Security Admins
What needs to happen to the passwords in the event of an unauthorized access incident
The passwords need to be changed
To help with network security, what might help prevent an unauthorized access incident
- Configure the network to block suspicious traffic
- Secure all the remote access
- Put any public service in a DMZ
- Use private IP addresses for internal use
To help with host security, what might help prevent an unauthorized access incident
- Perform vulnerability assessments
- Disable unnecessary services
- Apply least privilege
- Install host-based firewall
- Auto lock idle screens and log off before leaving
- Verify permission settings
How might you contain or stop unauthorized access
- Isolate the affected systems (get them off the network)
- Disable the affected service (such as OWA for Gulfstream)
- Restrict the attacker from entering the environment (block the incoming connection)
- Disable the user accounts used in an attack
- Enhance physical security measures
TRUE or FALSE: As a recommendation for handling unauthorized access incidents, we as an organization should establish a password security policy such that users change their passwords regularly
TRUE
What is an Inappropriate Usage Incident
When a user’s actions violate the acceptable computing use policies
TRUE or FALSE: Downloading porn is not a violation of the inappropriate usage policy
FALSE
TRUE or FALSE: Sending spam emails which promote a personal business is not a violation of the inappropriate usage policy
FALSE
TRUE or FALSE: Sending email(s) to a third party with the spoofed source email address from the company is a violation of the inappropriate usage policy
TRUE
TRUE or FALSE: Performing the DoS attack against any other organization using the company resources is a violation of the inappropriate usage policy
TRUE
What are three indications of unauthorized service usage, access to inappropriate materials, and attacks against an external party that are used to detect these inappropriate usage incidents
- Alert from IDS
- Report of the user/Reports from the outside party
- Log entries of the application, network, and hosts
TRUE or FALSE: Creation of new files or directories with abnormal names is an indication of unauthorized service usage
TRUE
Who should be consulted when handling inappropriate usage incidents
HR and Legal
How can an incident handler record user activities such as FTP commands, web requests, and email headers
Through proxies and application logs, or through some network-based IDPS sensors
When all else fails, what is the one most appropriate action taken to prevent inappropriate usage incidents
Increasing awareness among users of appropriate behavior
TRUE or FALSE: Consider limiting outbound connections that use encrypted protocols such as SSH, HTTPS, and IPsec to help prevent an inappropriate usage incident
TRUE
A user can download illegal material from websites through a proxy server because the connection is encrypted; network security controls cannot determine the nature of the activity.
What is the most important action to be performed in a case of inappropriate usage incidents
Acquiring the evidence
TRUE or FALSE: Normally, containment, eradication, or recovery actions are required for inappropriate usage incidents
FALSE
What actions are considered helpful in an inappropriate usage incident
Deleting the objectionable materials or uninstalling unauthorized software
What is a multiple component incident
A combination of two or more attacks in a system
TRUE or FALSE: Multiple component incidents are easy to analyze
FALSE
It is often difficult for the handler to understand that the incident is composed of several stages
What should the incident handling team do after applying the containment strategy to stop a multiple component incident
They should not stop investigating the incident after detecting signs of only one component of it
What are the 3 recommendations suggested to handle multiple component incidents
- Use centralized logging and event correlation software
- First contain the initial incident, then search for signs of other components
- Individually prioritize incident components to be handled
In a DDoS attack, attackers first infect multiple systems which are known as
Zombies
What is not considered a multiple component incident
- An insider intentionally deleting files from a workstation
- An attacker using email with malicious code to infect an internal workstation
- An attacker redirecting a user to a malicious website and infecting their system with a Trojan
- An attacker infecting a machine to launch a DDoS attack
An insider intentionally deleting files from a workstation