
Exploration of Intrusion Detection Systems Lab Assignment 2

Prepared for:

Professor Thomas Richardson

Cyber Security 630

Prepared by: Gabriel Daniels

University of Maryland University College

March 2nd 2012


Table of Contents

I. Synopsis

II. Lab Questions and Answers

III. Appendices

I. Synopsis

The focal point of this week's lab assignment and exercise was Intrusion Detection Systems (IDS). The intrusion detection systems that we explored were Snort and Wireshark. According to our case study, “Snort is a free, open source network intrusion detection and prevention system capable of performing real-time traffic analysis and packet logging on IP networks” (http://www.snort.org/snort). Wireshark, on the other hand, “is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network” (http://www.wireshark.org/faq.html#sec1). As we know, network security is a complex and systematic project, and the intrusion detection system is the first line of defense in network security. Snort is a well-known open-source intrusion detection system, widely used in the intrusion prevention and detection domain around the world. In this paper, we explain how Snort implements intrusion detection, which includes building the compiling environment and analyzing the workflow and rule tree.


II. Lab Questions and Answers

1) Focus on the overall “security assessment” risk rating that appears at the top of your report. Considering what security measures you (or the computer owner) have undertaken for your computer, does the assessment surprise you? Why or why not? What measures should you plan to undertake if the green checkmark did not appear?

Answer: The overall security assessment of my personal computer was severe risk (one or more critical checks failed). Yes, this assessment surprised me because I installed a firewall that is meant to protect my machine from viruses and other attacks, my computer is password protected, and I do not open emails from people I do not know. I have been under the assumption that my computer was well protected. Some measures that I plan to undertake for the green checkmarks that did not appear are a) improve my password strength, b) keep my computer updated with the latest updates, c) create a password expiration mechanism, which will make my security settings more secure, and d) never open any spam emails because they could lead to viruses on my computer. Safe home computing practices are essential in safeguarding my computer systems because “with over one billion people with access to the Internet, individual home computer users represent a significant point of weakness in achieving the security of the cyber infrastructure” (Anderson, pg 613). To further elaborate, home computing should be safe because many home computers have very important files and information stored on them.

2) a. What does MBSA do to check for weak local account passwords?

b. Why is it important to have a strong password on local user accounts especially in a corporate environment?

c. Explain why it is important to have a password expiration policy set.

Answer: a) MBSA enumerates the Windows local user accounts and tests each account's password for strengths and weaknesses. For example, not having a password expiration policy set on your accounts will usually indicate to MBSA that you have weak password protection.

b) It is important to have strong passwords on local user accounts, especially in a corporate environment, because much important information is kept on corporate computers that, if leaked, could be detrimental to the company's profitability. Strong passwords ensure that information is protected from hackers and other malicious activity.

c) It is important to have a password expiration policy set because it ensures that passwords are regularly updated, which prevents hackers from easily breaking your password. The more often you change your password, the harder it is for it to be broken.
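The checks described in 2a and 2c can be reproduced at policy level on a single machine. The script below is an added example, not MBSA's own code; it assumes Windows 10 / Server 2016 or later (Get-LocalUser comes with the Microsoft.PowerShell.LocalAccounts module) and a constructed 90-day age threshold.

```powershell
# Added example (not MBSA's own code): audit local accounts the way MBSA's
# local-account-password check does, by inspecting account settings rather
# than guessing passwords. Assumes Windows 10 / Server 2016 or later.
function Get-LocalPasswordFindings {
    [CmdletBinding()]
    param(
        # Flag passwords older than this many days (constructed threshold).
        [int]$MaxPasswordAgeDays = 90
    )
    $now = Get-Date
    foreach ($u in Get-LocalUser) {
        $findings = @()
        if (-not $u.PasswordRequired) { $findings += 'blank password allowed' }
        # PasswordExpires is $null when the account is set to never expire.
        if ($u.Enabled -and -not $u.PasswordExpires) { $findings += 'password never expires' }
        if (-not $u.UserMayChangePassword) { $findings += 'user cannot change password' }
        if ($u.PasswordLastSet -and ($now - $u.PasswordLastSet).Days -gt $MaxPasswordAgeDays) {
            $findings += "password last set $(($now - $u.PasswordLastSet).Days) days ago"
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Account  = $u.Name
                Enabled  = $u.Enabled
                Findings = ($findings -join '; ')
            }
        }
    }
}

# Machine-wide policy: MBSA also reports when no maximum password age is set.
# 'net accounts' prints "Maximum password age (days): <n>" or "Unlimited".
function Get-PasswordAgePolicy {
    $line = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
    if ($line -match '(\d+|Unlimited)\s*$') { return $Matches[1] }
    return 'unknown'
}

Get-LocalPasswordFindings | Format-Table -AutoSize
"Maximum password age (days): $(Get-PasswordAgePolicy)"
```

Run from an elevated prompt; disabled built-in accounts such as Guest are skipped for the never-expires check because they cannot be used to log on.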

3) Malware can affect a computer in multiple ways. Having automatic updates turned off, not allowing Windows to update, and disabling the Windows firewall and setting exceptions in the Windows firewall are all tell-tale signs of this. Explain

a. how malware is able to accomplish this, and

b. also what type of malware could be used.

Please be as specific and fact-based as possible regarding types of malware using credible references to support your answers. (Answer must be APA compliant)

Answer: a) Malware is very dangerous to computer operating systems. Computers are constantly at risk of infection by malware, including viruses, worms, Trojans, rootkits, dialers and spyware. If viruses are mischief, malware is mayhem. Malware doesn't just want to disrupt your network; it wants your keystrokes, logins, passwords, address book, data, and credit card information. Malware is not going away any time soon. Malware is growing, developing, constantly evolving. Malware is becoming more difficult to detect, and even harder to remove. Malware is able to turn off automatic updates, prevent Windows from updating, and so on because most malware is implanted in everyday software that we use, so it is able to penetrate the operating system from within. Kinable's article “Malware Classification based on Call Graph Clustering” elaborates on how easy it is for malware to take control of a computer's operating system and evade detection, stating that “each day, anti-virus companies receive tens of thousands samples of potentially harmful executables. Many of the malicious samples are variations of previously encountered malware, created by their authors to evade pattern-based detection. Dealing with these large amounts of data requires robust, automatic detection approaches” (Kinable, pg 15). To further elaborate, malware producers are creating more powerful malware and are ahead of the IT professionals who are trying to prevent them.

b) Types of malware that could be used include a) computer viruses, b) worms, c) Trojan horses, d) spyware, e) dishonest adware, f) scareware, g) crimeware, h) most rootkits, and other malicious and unwanted software or programs.

4) On local machines (home) computers, it is traditionally acceptable to have Windows automatically update the system with patches. In a corporate environment, typically system administrators will set domain computers to manually install updates. Through this process, the administrators will decide if a patch is necessary for their environment’s standard operation expectancy (SOE). Typically they would use Windows Server Update Services (WSUS) to push out the updates to the computers, which is a highly time consuming process.

Conficker is one of the most recent examples of an infection that leveraged a vulnerability that could have been avoided through a patch that had already been released. Yet it spread like wildfire, infecting millions of corporate environments.

a. Explain what Conficker is, which systems were vulnerable, which vulnerability it exploited, which Microsoft patch fixed the vulnerability, and the reason(s) that it is necessary to test new patches as they are released. Please be as specific and fact-based as possible regarding types of malware using credible references to support your answer. (Answer must be APA compliant)

b. How would MBSA be used to detect the missing patch in a corporate environment?

Answer: a) The infection of Conficker was devastating to Microsoft and its operating systems. Conficker, also known as Downup, is a computer worm whose purpose was to disrupt the Microsoft Windows operating system; it was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker infected many Windows operating systems and spread rapidly, becoming the world's largest computer worm infection since the 2003 SQL Slammer, with more than seven million government, business and home computers in over 200 countries infected. The worm has been unusually difficult to counter because of its combined use of many advanced malware techniques. Philip Porras's article entitled “Reflections on Conficker: An insider's view of the analysis and implications of the Conficker conundrum” describes Conficker as “the name applied to a sequence of malicious software. It initially exploited a flaw in Microsoft software, but has undergone significant evolution since then (versions A through E thus far)” (Porras, pg 23). The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. Microsoft released an out-of-band patch to close this vulnerability because the damage had already been done.

b) MBSA could be used to detect a missing patch in a corporate environment by employing it as part of a patch management system. According to the Microsoft website, “Patch management is a circular process and must be ongoing” (http://msdn.microsoft.com/en-us/library/ff647981.aspx). MBSA can be used within an automated patch management system that will detect, assess, acquire, test, deploy, and maintain patches. IT professionals working in the corporate environment could use it to implement these steps and prevent malicious attacks.
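The "detect" step of the patch cycle in 4b, scaled down to one bulletin, as an added example that is not MBSA's or Microsoft's own code. It assumes the caller supplies the bulletin-to-KB mapping; the default entry is KB958644, the security update that MS08-067 delivered, and remote hosts are assumed to have DCOM and WinRM reachable.

```powershell
# Added example (not MBSA's own code): a scaled-down version of MBSA's
# missing-patch check. The bulletin-to-KB mapping is supplied by the caller;
# the default holds only the MS08-067 update (KB958644) the report discusses.
function Test-RequiredHotfixes {
    param(
        [hashtable]$Required = @{ 'MS08-067' = 'KB958644' },
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        $isLocal = ($computer -eq $env:COMPUTERNAME)
        # Get-HotFix lists updates recorded in Win32_QuickFixEngineering.
        # Remote hosts need DCOM (Get-HotFix) and WinRM (Get-CimInstance) reachable.
        $installed = if ($isLocal) { Get-HotFix } else { Get-HotFix -ComputerName $computer }
        $os = if ($isLocal) { Get-CimInstance Win32_OperatingSystem }
              else { Get-CimInstance Win32_OperatingSystem -ComputerName $computer }
        $ids = $installed | Select-Object -ExpandProperty HotFixID
        foreach ($bulletin in $Required.Keys) {
            [pscustomobject]@{
                Computer  = $computer
                OSVersion = $os.Version
                Bulletin  = $bulletin
                KB        = $Required[$bulletin]
                Installed = ($ids -contains $Required[$bulletin])
            }
        }
    }
}

# Local machine by default; pass a list of domain hosts for a WSUS-style sweep.
Test-RequiredHotfixes | Format-Table -AutoSize
```

An OS release that already contains the fix (Windows 7 and later for MS08-067) never lists KB958644, so read Installed = False together with OSVersion before treating a host as unpatched.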

5) If you were preparing the next version of MBSA, what new feature would you add? Why?

Answer: Some new features that I would add to the next version of MBSA are as follows: a) eliminate the conflicts that it sometimes has with Windows updates, b) make sure that there are no workarounds that it cannot detect, c) eliminate the manual fix components with patches to install, d) add a component that allows the program to not only scan your computer but fix it simultaneously, and e) include it on the software compact discs for Windows operating systems. These are just a few of the improvements that I would include in an updated version of MBSA. It is worth noting that “when it comes to looking at developer tools, add-ons and environments for the Windows platform, it's important to note that Microsoft casts a long shadow. As the source of all the software and many of the tools, Microsoft has had the luxury of deciding what's important” (Tittel, pg 22). It is essential to note that Microsoft could easily make these vital changes and significantly improve MBSA because they control the software marketplace and their product upgrades.

III. Appendices

Anderson, C. L., & Agarwal, R. (2010). Practicing Safe Computing: A Multimethod Empirical Examination of Home Computer User Security Behavioral Intentions. MIS Quarterly, 34(3), 613-A15. Retrieved from EBSCOhost.

Kinable, J., & Kostakis, O. (2010). Malware Classification based on Call Graph Clustering. Retrieved from EBSCOhost.

Porras, P. P. (2009). Reflections on Conficker: An insider's view of the analysis and implications of the Conficker conundrum. Communications of the ACM, 52(10), 23-24. Retrieved from EBSCOhost.

Tittel, E. (2005). Behind the Scenes: Microsoft Developer Solutions. Certification Magazine, 7(3), 22-65. Retrieved from EBSCOhost.

http://msdn.microsoft.com/en-us/library/ff647981.aspx