Q1. Discuss the DoS Analysis
DoS is the abbreviation for Denial of Service, a type of security attack. In some cases, it is referred to as Distributed Denial of Service (DDoS). A DoS attack is an effort to render a computer resource inaccessible to its intended users. Put concisely, it is a practice carried out by one person or a group of persons whose aim is to prevent a computer service from working effectively, either momentarily or, in some cases, by halting its functionality. The computer resources targeted by DoS attackers are the services of web servers, such as those of credit card companies and banks.
Ways of Denial of Service attacks
The most frequent method is flooding the targeted computer resource with communication requests from outside, so that it cannot reply to genuine traffic or replies so sluggishly that it is rendered ineffective. The computer resource services are rendered ineffective by feeding the computers data that makes them reset or use up their resources so that they can no longer perform their intended purpose. The perpetrators can also achieve this by blocking the media through which information is exchanged between the users and the attacked resource.
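Seen from the defender's side, the flood of requests described above shows up in web server or firewall logs as a surge of requests to one resource inside a short time window. The following is an added example, not part of the original answer; the log line format, the 10-second window, the threshold of 50 and the sample addresses are all assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def constructed_sample():
    """Constructed log lines: '<ISO time> <source> <resource>' (not real data)."""
    t0, lines = datetime(2011, 6, 22, 9, 0, 0), []
    for i in range(60):   # baseline: 3 clients, one request every 5 s
        t = t0 + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 192.0.2.{10 + i % 3} /login")
    for i in range(300):  # surge: 20 requests/s from one source for 15 s
        t = t0 + timedelta(minutes=2, milliseconds=50 * i)
        lines.append(f"{t.isoformat()} 198.51.100.7 /login")
    return lines

def parse(line):
    ts, src, resource = line.split()
    return datetime.fromisoformat(ts), src, resource

def find_surges(lines, window_s=10, threshold=50):
    """Return one (crossed_at, resource, peak_count, top_source) per surge."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # resource -> (time, source) pairs in window
    alerts, active = [], {}       # active: resource -> its open alert
    for ts, src, res in sorted(parse(l) for l in lines):
        q = recent[res]
        q.append((ts, src))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        if len(q) <= threshold:
            active.pop(res, None)         # rate back to normal: close alert
            continue
        top = Counter(s for _, s in q).most_common(1)[0][0]
        if res not in active:             # threshold just crossed
            active[res] = [ts, res, len(q), top]
            alerts.append(active[res])
        elif len(q) > active[res][2]:     # surge still growing: track peak
            active[res][2], active[res][3] = len(q), top
    return [tuple(a) for a in alerts]

if __name__ == "__main__":
    for crossed_at, res, peak, top in find_surges(constructed_sample()):
        print(f"{crossed_at} {res}: peak {peak} requests/10 s, mostly {top}")
```

Because the count is kept per resource rather than per source, a surge spread across many sources still crosses the threshold; only the "top source" field becomes less informative.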
Signs of Denial of Service (DoS)
To detect DoS attacks early, there are various signs whose appearance implies that an attack is under way. The signs include: the user being unable to get through to any webpage; an “e-mail bomb”, or an upsurge in the quantity of spam e-mails received; inaccessibility of a specific website; and network sluggishness, either when opening received files or when accessing other websites. These signs are highlighted by the United States Computer Emergency Readiness Team (US-CERT).
Another way in which the computer resource system can be attacked by perpetrators is through malicious code. In this method, the attacker makes it known to the organization that there is a virus spreading quickly through e-mails on the internet. The virus exploits a weakness in many of the organization’s servers. In some cases, the worm gains access to files and infects multiple workstations in an organization.
Q2. (a) How to evaluate a DoS/IDS security analysis
(i) Detection and analysis
DoS attacks can be detected through various means such as antivirus software, IDPSs or log analyzers.
Anti-virus, anti-spam and anti-spyware software: this software is built so that it can detect malicious code and raise alerts. However, to be effective in detecting malicious code, anti-spyware and anti-virus software needs to be constantly updated. Anti-spam software is used to detect spam and to stop it from reaching the users’ mail inboxes.
File integrity checking software: this software computes a cryptographic checksum for each file. If the file is tampered with and the software recalculates the checksum, there is a high probability that the new checksum will not match the original one. In simple terms, this software compares the calculated and recalculated checksums: if the file is free of tampering, the initial calculation must match the recalculation.
Monitoring services: a number of organizations engage reputable companies to monitor their public-facing services, such as DNS, Web or FTP. These monitoring services try to reach each of them every few minutes and, if there are difficulties accessing them, they notify the organization concerned by phone call or e-mail.
Service, application and operating system logs: these logs monitor the company’s crucial data, such as accounts, and alert the organization if outside persons access them. These logs are also useful for noting the total number of scans and for finding out the number of hosts scanned in an incident.
Network device logs: logs from network devices such as routers and firewalls are used as a basic source of indications (Scarfone, 2008). They can also be used both to identify trends, such as an upsurge in the number of attempts to gain entry to a specific resource, and to correlate events detected by other devices.
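The calculate-and-recalculate checksum comparison described above for file checking software can be carried out as follows. This is an added example, not part of the original answer; SHA-256 is an assumed choice of checksum, and the file names and contents are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def checksum(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map every file under root (by relative path) to its checksum."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = checksum(full)
    return result

def compare(baseline, current):
    """Report files whose checksum changed, plus files removed or added."""
    both = baseline.keys() & current.keys()
    return {"modified": sorted(p for p in both if baseline[p] != current[p]),
            "removed": sorted(baseline.keys() - current.keys()),
            "added": sorted(current.keys() - baseline.keys())}

def demo():
    """Constructed files in a temporary directory; returns the change report."""
    files = {"hosts": b"127.0.0.1 localhost\n", "app.conf": b"debug=false\n",
             "notes.txt": b"keep me\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = snapshot(root)              # taken while files are trusted
        with open(os.path.join(root, "app.conf"), "wb") as f:
            f.write(b"debug=true \n")          # same size, different content
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "new.bin"), "wb") as f:
            f.write(b"\x00\x01")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The modified file keeps its original size, so only the checksum reveals the change. The comparison is only as trustworthy as the baseline, which should be stored where someone who can alter the files cannot also alter it.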
(ii) Containment, eradication and recovery
Containment: the main purpose of containing a detected and analyzed incident is to prevent it from spreading to other areas or overwhelming the resources. Examples of containment include disconnecting both the modem and the network connection or switching off the system. To support fast and sound decisions in such situations, there are criteria on which the choice of measures is based. These are: the importance of preserving the evidence, the time required to apply the strategy, the availability of service, the duration of the solution, and the potential damage to and theft of resources.
Collecting and managing evidence
The main reason for collecting evidence is to resolve the incident, since it may lead to legal proceedings. There is a strong requirement to preserve the evidence. The evidence record should include: the identification of the data and all the crucial details, the documents and details of the people who gathered the evidence, the location where the evidence was kept, and the time and date of collection.
Steps for containment
It is recommended that information which is not recorded in the file system be captured, such as logins, the network interface configurations and the contents of memory. The organization can make use of forensics software to locate and recover pieces of files that were hidden or deleted, wherever they reside. Second, forensics software inspects file structures, headers and other features to determine what data each file actually holds rather than relying on file extensions such as .jpg or .doc. Third, forensics software performs complex searches and displays all graphics files in full detail.
Eradication and Recovery
The aim of eradication is to remove all elements of an incident, such as deleting malicious code or disabling compromised user accounts. The steps taken include: rebuilding the systems from scratch, resetting the access passwords, and installing firewall access rules or boundary router access control.
Post incident recovery
After an attack has occurred, it is vital for the organization to hold meetings that cut across the work teams and the entire organization in order to agree on a way to share the data. However, attendance at those meetings should be selective. The information given by the participants provides the material that will be used to educate new team members by showing them how more experienced team members resolve similar incidents.
A similar post-incident activity is to write up a description of every incident that can be used for future reference. Building a chronological report of events that includes log information from the systems can come in handy when legal action is taken or when assessing the value of the damage incurred, such as the loss of valuable software and files, the cost of restoring the services and the damage done to the hardware systems.
Q2. (i) Steps of network security maintenance by the employees
“An ounce of prevention is worth a pound of cure,” so goes an old saying. To prevent unprecedented damage, whether in restoration costs or in harm to the hardware systems, there are various steps that employees can take to enhance network security. Some of these include: always using antivirus, scanning or antispyware software before opening received e-mails; reviewing the processes that run on the computer systems to confirm that they are legitimate; auditing both the individual host logs and those obtained from the firewalls and e-mail servers, since these are some of the media that malicious code uses to reach the web resource; regularly doing port scans so as to catch any Trojan horse or any ports that may be listening; and reconfiguring the network and the detection software so as to identify intrusion-related processes.
Employees can also be encouraged to adopt monitoring and response habits for the computer resources. They should also be trained to be aware of the protocols and the steps that make up the best way to use computer services such as the network and applications. The employees in the IT department should be trained so that they can maintain networks and computer applications in line with the security measures of the company.
Analysing what could have happened at the hospital
Given that the suspended nurse had access to the hospital, it could be that she was assisted by her computer expert husband in cracking the firewall code to gain access to the hospital’s insurance. Similarly, her husband could have accessed the documents from outside if the hospital administration staff had not turned on the Network Intrusion Detection System (NIDS). To explain this better, it helps to describe the function of the NIDS: it monitors the computer resource system and tries to shield it from intrusion attempts by unauthorised parties. If the clinic had been equipped with that system, it could possibly have prevented either the direct intrusion by the nurse or the indirect intrusion by her husband. If, however, the NIDS had been turned off, it could not have shielded the resource system.
Another way that the clinic could have secured the documents is by protecting the firewall password. Even though a password can be copied, the clinic could have strengthened it to make it work effectively. Since systems come with default administrative passwords, an intruder could have familiarised himself with the default passwords and accessed the computer. The clinic could also have chosen passwords that are hard to guess.
(iii) A Memo
TO: Simon Simmons, Supervisor Better Health Clinic.
FROM: James Brown, Network Supervisor
DATE: June 22nd 2011
SUBJECT: Recommendation that the clinic update its IDS or acquire a new IDS
An IDS is a system that monitors the network traffic, looks out for suspicious activity and warns the network administrator. In some cases, the IDS is also useful because it can block a suspicious user from gaining entry to the network.
As a network expert with ten years of experience, I would recommend that the clinic either update the current IDS or acquire a new one. The main reason for updating the IDS is that new malware is developed over and over again. This new malware attacks with more vigour than the old. What is striking is that it not only attacks the resources but also tries to attack the IDS itself. The attackers do this by introducing new signatures that cannot be detected by the old IDS. An old IDS is not in a position to detect this new malware but, thanks to the developers, improved IDSs are available that are more effective than the previous ones.
The quantity and complexity of the intrusions detected by an IDS change over time. New IDS systems need to be configurable so that they can include new intrusion signatures, and they also need to be equipped with new detection techniques. The reason for updating the IDS or installing a new one is to have detection techniques that match those of the attackers.
Scarfone, K. (2008). Computer Security. Computer Security Incident Handling Guide, 147.