In a minimum of 500 words, look at the Killing with Keyboards ppt file and answer the following questions in the context of the best practice concepts covered in chapter 11 and the security professional proficiencies covered in chapter 13. Identify what is at risk here, five possible threats, and five vulnerabilities in this scenario. Analyze measures that could be taken to reduce the risks.

Best Practices
In Parts I and II we explored NSM theory and some tools for conducting NSM. Part III is
intended for people who manage NSM operations. It presents best practices for assessment, protection, detection, and response, as far as NSM is concerned. While elements of
NSM best practices appear throughout the book, this chapter focuses exclusively on the
mind-set needed to conduct NSM operations. Chapter 12 brings these principles to life
in several case studies.
Chapter 1 introduced the security process in general. In this chapter, I explain the
NSM-specific aspects of each security process step (see Figure 11.1). First, I describe the
benefits of developing a well-defined security policy during assessment. Then I explain
protection with respect to access control, traffic scrubbing, and proxies. Next, detection is
expanded to include collection, identification, validation, and escalation of suspicious
events. I elaborate on response within the context of short-term incident containment
and emergency NSM. Finally, I conclude by returning to the assessment phase by highlighting analyst feedback as a component of planning for the next cycle.
ASSESSMENT
Assessment involves taking steps to ensure the probability of successfully defending an
enterprise. Within the NSM model, assessment means implementing products, people,
and processes most conducive to accurately identifying and mitigating intrusions. Part II
illustrated NSM tools, and Part IV will offer suggestions for training people. This entire
chapter describes the processes that managers should plan to implement. Supervisors
should remember that it is not possible or preferable to plan the means by which analysts
do their work. Rather, managers should ensure that analysts are given the tools and training they need to identify and mitigate intrusions.
[Figure 11.1 The security process, expanded for NSM. The cycle runs Assessment (Defined Security Policy; Analyst Feedback) -> Protection (Access Control; Traffic Scrubbing) -> Detection (Collection; Identification; Validation; Escalation) -> Response (Short-Term Incident Containment; Emergency NSM), then back to Assessment.]
DEFINED SECURITY POLICY
One of the best presents a manager could give an analyst, besides a workstation with dual
21-inch LCD monitors, is a well-defined security policy for the sites being monitored. 1
“Well-defined” means the policy describes the sorts of traffic allowed and/or disallowed
across the organizational boundary. For example, a fairly draconian security policy may
authorize these outbound protocols and destinations:
• Web surfing using HTTP and HTTPS to arbitrary Web servers
• File transfer using FTP to arbitrary FTP servers
• Name resolution using DNS to the site’s DNS servers
1. Deploying dual monitors is less of a joke than it sounds. It’s an incredibly helpful strategy to manage information. Analysts should always keep a primary monitoring console (Sguil, for example) in one workspace.
They can open a Web browser in the second workspace to conduct research on events.
• Mail transfer using SMTP and POP3 to the site’s mail servers
• VPN traffic (perhaps using IPSec or SSL) to the site’s VPN concentrators
To meet the organization’s business goals, the security policy would allow these
inbound protocols to these destinations:
• Web surfing using HTTP and HTTPS to the site’s Web servers
• Name resolution to the site’s DNS servers
• Mail transfer using SMTP to the site’s mail servers
Notice that for each item, both the protocol and the system(s) authorized to use that
protocol are specified. These communications should be handled in a stateful manner,
meaning the response to an inbound VPN connection is allowed.
In the context of this security policy, anything other than the specified protocols is
immediately suspect. In fact, if the policy has been rigorously enforced, the appearance
of any other protocol constitutes an incident. In Chapter 1, I quoted Kevin Mandia and
Chris Prosise to define an incident as any “unlawful, unauthorized, or unacceptable
action that involves a computer system or a computer network.” 2 At the very least, the
appearance of a peer-to-peer protocol like Gnutella would be an “unauthorized” event.
Without a defined security policy, analysts must constantly wonder whether observed
protocols are authorized. Analysts have to resolve questions by contacting site administrators. Once a responsible party validates the use of the protocol, analysts can move on
to the next event. Analysts working without well-defined security policies often define
their own “site profiles” by listing the protocols noted as being acceptable in the past.
Creating and maintaining these lists wastes time better spent detecting intrusions.
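As an added example (not from the book), here is how the policy listed above could be turned into a check that flags any flow it does not authorize; the RFC 5737 address ranges, the server addresses and the flow records are constructed, and the boundary model (one workstation network plus one DMZ) is a simplifying assumption.

```python
"""Triage flows against a defined security policy like the one above. Added example,
not from the book; the RFC 5737 addresses, policy table and flows are constructed."""
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.0.2.0/24")      # workstations
DMZ_NET = ip_network("198.51.100.0/24")        # the site's public servers
DNS_SERVERS, MAIL_SERVERS = {"198.51.100.53"}, {"198.51.100.25"}
WEB_SERVERS, VPN_CONCENTRATORS = {"198.51.100.80"}, {"198.51.100.200"}
ANY = None  # "arbitrary servers": destination unrestricted

# (direction, protocol, destination port, permitted destinations); each row mirrors
# one bullet of the policy above. Any flow matching no row is suspect.
POLICY = [
    ("out", "tcp", 80, ANY), ("out", "tcp", 443, ANY), ("out", "tcp", 21, ANY),
    ("out", "udp", 53, DNS_SERVERS),
    ("out", "tcp", 25, MAIL_SERVERS), ("out", "tcp", 110, MAIL_SERVERS),
    ("out", "udp", 500, VPN_CONCENTRATORS), ("out", "tcp", 443, VPN_CONCENTRATORS),
    ("in", "tcp", 80, WEB_SERVERS), ("in", "tcp", 443, WEB_SERVERS),
    ("in", "udp", 53, DNS_SERVERS), ("in", "tcp", 25, MAIL_SERVERS),
]

def direction(src, dst):
    """Simplified boundary model: internal -> elsewhere is outbound; traffic from
    outside the internal network to internal or DMZ hosts is inbound."""
    s, d = ip_address(src), ip_address(dst)
    if s in INTERNAL_NET and d not in INTERNAL_NET:
        return "out"
    if s not in INTERNAL_NET and (d in INTERNAL_NET or d in DMZ_NET):
        return "in"
    return "other"

def is_authorized(src, dst, proto, dport):
    """True only if some policy row permits the flow. Replies to permitted
    connections are assumed to be tracked statefully by the firewall itself."""
    d = direction(src, dst)
    return any(rd == d and rp == proto and rport == dport and (dsts is ANY or dst in dsts)
               for rd, rp, rport, dsts in POLICY)

def triage(flows):
    """Return the flows that violate the policy: each one is a candidate incident."""
    return [f for f in flows if not is_authorized(*f)]

SAMPLE_FLOWS = [  # (src, dst, proto, dst port), constructed
    ("192.0.2.10", "203.0.113.7", "tcp", 443),    # Web surfing: allowed
    ("192.0.2.10", "198.51.100.53", "udp", 53),   # DNS to the site's server: allowed
    ("192.0.2.10", "203.0.113.53", "udp", 53),    # DNS to a foreign server: violation
    ("192.0.2.10", "203.0.113.9", "tcp", 6346),   # Gnutella: violation
    ("203.0.113.5", "198.51.100.80", "tcp", 80),  # inbound to the Web server: allowed
    ("203.0.113.5", "192.0.2.10", "tcp", 22),     # inbound SSH to a workstation: violation
]
```

Running `triage(SAMPLE_FLOWS)` returns the three violating flows; with a policy this tight, each of them is an event the analyst must explain rather than a protocol to wonder about.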
PROTECTION
NSM does not include protection as a traditional aspect. NSM is not an active component of an access control strategy, and the theory does not encompass intrusion prevention or intrusion protection systems (IPSs). An IPS is an access control device, like a
firewall. An IDS or NSM sensor is an audit or traffic inspection system. The fact that an
access control device makes decisions at OSI model layer 7 (application content) rather
than layer 3 (IP address) or 4 (port) does not justify changing its name from “firewall” to
2. Kevin Mandia and Chris Prosise, Incident Response and Computer Forensics, 2nd ed. (New York: McGraw-Hill/Osborne, 2003), p. 12.
“IPS.” Any device that impedes or otherwise blocks traffic is an access control device,
regardless of how it makes its decision. The term “IPS” was invented by marketing staff
tired of hearing customers ask, “If you can detect it, why can’t you stop it?” The marketers
replaced the detection “D” in IDS with the more proactive protection “P” and gave birth
to the IPS market.
There’s nothing wrong with devices making access control decisions using layer 7 data.
It’s a natural and necessary evolution as more protocols are tunneled within existing protocols. Simple Object Access Protocol (SOAP) over HTTP using port 80 TCP is one
example. If application designers restricted themselves to running separate protocols on
separate ports, network-based access control decisions could largely be made using information from layers 3 and 4. Unfortunately, no amount of engineering is going to put the
multiprotocol genie back into its bottle.
While NSM is not itself a prevention strategy, prevention does help NSM be more
effective. Three protective steps are especially useful: access control (which implements
policy), traffic scrubbing, and proxies.
ACCESS CONTROL
When access control enforces a well-defined security policy, heaven shines on the NSM
analyst. Earlier we looked at the benefits of a security policy that says what should and
should not be seen on an organization’s network. When access control devices enforce
that policy, unauthorized protocols are prevented from entering or leaving an organization’s network. This strategy allows analysts to focus on the allowed protocols. Instead of
having to watch and interpret hundreds of protocols, analysts can carefully examine a
handful.
If analysts identify a protocol not authorized by the security policy, they know the
access control device has failed. This may be the result of malicious action, but it is more
often caused by misconfigurations. I am personally familiar with several intrusions specifically caused by accidental removal of access control rules. During the period when
“shields were dropped,” intruders compromised exposed victims.
When NSM works in conjunction with well-defined security policies and appropriately enforced access control, it offers the purest form of network auditing. Deviations
from policy are easier to identify and resolve. The traffic load on the sensor is decreased if
its field of view is restricted by access control devices. An organization’s bandwidth is
devoted to the protocols that contribute to productivity, not to sharing the latest pirated
movie over a peer-to-peer connection. Intruders have many fewer attack vectors, and
NSM analysts are intently watching those limited channels.
TRAFFIC SCRUBBING
I mentioned packet or traffic scrubbing in Chapter 1 as a form of normalization, or the
process of removing ambiguities in a traffic stream. Chapter 3 briefly expanded on this
idea by mentioning dropping packets with invalid TCP flag combinations. Traffic scrubbing is related to access control, in that scrubbing can sometimes deny traffic that doesn’t
meet accepted norms. Where scrubbing is implemented, traffic will be somewhat easier
to interpret.
Certain “schools” of intrusion detection spend most of their time analyzing odd
packet traces because they don’t collect much beyond packet headers. 3 If unusual packets,
such as IP fragments, are not allowed to traverse the organization’s Internet gateway, they
cannot harm the site. The only justification for analyzing odd traffic is pure research. In
budget-challenged organizations, time is better spent dealing with application content as
shown in transcripts of full content data collected by using NSM techniques.
Traffic scrubbing is another way to make network traffic more deterministic. On some
networks, arbitrary protocols from arbitrary IP addresses are allowed to pass in and out
of the site’s Internet gateway. This sort of freedom helps the intruder and frustrates the
analyst. It is much more difficult to identify malicious traffic when analysts have no idea
what “normal” traffic looks like. Any steps that reduce the traffic variety will improve
NSM detection rates.
PROXIES
Proxies are applications that insert themselves between clients and servers for reasons of
security, monitoring, or performance. A client that wishes to speak to a server first connects to the proxy. If the client’s protocol meets the proxy’s expectations, the proxy connects on behalf of the client to the server. Figure 11.2 depicts this exchange.
For the case of HTTP traffic, a proxy like Nylon or Squid that implements the SOCKS
protocol can be used. 4 From the prevention point of view, the key element of a proxy is its
3. The SHADOW IDS is one system initially focused on analyzing odd headers. It is hosted at http://www.nswc.navy.mil/ISSEC/CID/index.html. Beware that a good portion of the “technical analysis” on the site, especially in the “coordinated.ppt” presentation, describes benign traffic as being evidence of “distributed attacks.”
4. Visit the Nylon home page at http://monkey.org/~marius/nylon/. SOCKS 5 is defined by RFC 1928 at http://www.faqs.org/rfcs/rfc1928.html. Rajeev Kumar wrote an article on using Squid as a reverse proxy server, “Firewalling HTTP Traffic Using Reverse Squid Proxy,” for the February 2004 issue of Sys Admin magazine. It is archived at http://www.rajeevnet.com/hacks_hints/security/rev-squid-proxy.html.
68.84.6.72.15065:
. 1005799479:1005800739(1260) ack 923376691 win 8820 (DF)
14:04:06.476878 216.235.81.21.20960 > 68.84.6.72.15065:
P 1260:2520(1260) ack 1 win 8820 (DF)
14:04:06.478430 216.235.81.21.20960 > 68.84.6.72.15065:
P 2520:3780(1260) ack 1 win 8820 (DF)
14:04:06.490597 68.84.6.72.15065 > 216.235.81.21.20960:
. ack 2520 win 17640 (DF)
14:04:06.587621 216.235.81.21.20960 > 68.84.6.72.15065:
P 5040:6300(1260) ack 1 win 8820 (DF)
75 packets received by filter
0 packets dropped by kernel
While this filter excludes ARP as desired, other IP protocols that could be a problem are
also ignored. In August 2002 the Honeynet Project posted a “Challenge of the Month”
describing an intruder’s use of IP protocol 11 (Network Voice Protocol, or nvp in output)
for communications with his back door. 10 IP protocol 11 can be carried on the Internet just
as IP protocols 1 (ICMP), 6 (TCP), 17 (UDP), 50 (IPSec Encapsulating Security Protocol,
or ESP), and 51 (IPSec Authentication Header) are transported now. 11 The intruder compromised a victim and communicated with it through the use of a specially built program
that communicated by using IP protocol 11. The Ethereal decode displayed in Figure 11.6
shows how the traffic appeared. The portion of the IP header that specifies the encapsulated
protocol is highlighted. Here it shows 0x0b, which is the hexadecimal representation of decimal value 11.
10. Read the challenge at http://www.honeynet.org/scans/scan22/. Note that the Snort log file was not available at the specified location at the time of this writing, but it was included in a 58MB archive available at http://www.honeynet.org/misc/files/sotm.tar.gz.
11. A full IP protocol list is maintained at http://www.iana.org/assignments/protocol-numbers.
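An added example, not the book's or the Honeynet Project's code, showing the check an analyst would want alongside a capture filter: parse the IPv4 protocol field (byte 9 of the header, 0x0b for decimal 11) and report any value outside the small set the site expects. The frames are constructed; the MAC and IP addresses are borrowed from the Figure 11.6 decode, and the expected-protocol set is an assumption.

```python
"""Surface IPv4 packets whose protocol number lies outside the handful an analyst
expects, the gap the section describes. Added example, not from the book or the
Honeynet challenge; the frames below are constructed."""
import struct
from socket import inet_aton, inet_ntoa

ETHERTYPE_IPV4 = 0x0800
EXPECTED_PROTOS = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp", 51: "ah"}  # assumed site norm

def build_frame(src, dst, proto, payload=b""):
    """Construct a minimal Ethernet + IPv4 frame (no options, checksum left 0).
    MAC addresses are sample values; this is not a real capture."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, inet_aton(src), inet_aton(dst))
    eth_hdr = bytes.fromhex("005056010000" "005056dc13a2") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + payload

def ip_protocol(frame):
    """Return (src, dst, protocol) for an IPv4 frame, else None (e.g. ARP).
    The protocol number is byte 9 of the IP header: 0x0b there means decimal 11."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    return inet_ntoa(ip[12:16]), inet_ntoa(ip[16:20]), ip[9]

def unexpected_protocols(frames):
    """List (src, dst, proto) for frames carrying a protocol not in EXPECTED_PROTOS.
    A capture filter that merely drops ARP lets these through unremarked; a
    protocol-number check like this one makes them visible to the analyst."""
    hits = []
    for frame in frames:
        parsed = ip_protocol(frame)
        if parsed is not None and parsed[2] not in EXPECTED_PROTOS:
            hits.append(parsed)
    return hits

SAMPLE_FRAMES = [  # constructed; addresses borrowed from the Figure 11.6 decode
    build_frame("172.16.183.2", "94.0.146.98", 6),                 # ordinary TCP
    build_frame("172.16.183.2", "94.0.146.98", 17),                # ordinary UDP
    build_frame("94.0.146.98", "172.16.183.2", 11, b"\x00" * 8),   # IP protocol 11 (NVP)
    build_frame("94.0.146.98", "172.16.183.2", 1),                 # ICMP
]
```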
[Figure 11.6 Ethereal decode of the Honeynet challenge traffic (screenshot; only fragments survive): Ethernet II, Src 00:50:56:01:00:00, Dst 00:50:56:dc:13:a2; Internet Protocol, Src Addr 94.0.146.98, Dst Addr 172.16.183.2; Version 4; Header length 20 bytes; Differentiated Services Field 0x00.]
[Residue of further figures from this chapter: a Snort packet dump of a fragmented UDP datagram, 66.82.154.109 -> 68.48.139.48 (TTL 109, ID 18522, Dgmlen 1476, MF set, Frag Offset 0x0000, Frag Size 0x05B0), whose payload is an “Online Pharmacy” advertisement carried as a Messenger service message (messenger.message, 5313 bytes); and a Sguil console listing alerts including NMAP XMAS Stealth Scan, NMAP Fingerprint Stateful Detection, RPC portmap listing TCP 111, and POLICY FTP anonymous login attempt, with the Show Packet Data, Show Rule, Reverse DNS and Whois Query options visible.]