Fall 2019

Instructions

The test is worth 25% of your grade for the course. It is scored on the basis of 100 points for the exam.

For the short answer section, bear in mind that a clear concise response that directly answers the question asked is always preferable to providing large volumes of potentially relevant information in the hope that the “right” answer will somehow be included. Please be sure to read each question carefully to be sure you know what is being asked so that you can answer the question completely.

When composing your answers to the essay questions, be thorough. Each essay asks you to consider multiple ideas and to actually address more than one subordinate questions, so make sure your answers are complete. Be sure to identify any assumptions you are making in developing your answers, and describe how your answer would change if the assumptions were different.

While composing your answers to the essay questions, be very careful to cite your sources. It is easy to get careless and forget to footnote a source. Remember, failure to cite sources constitutes an academic integrity violation. Use APA style for citations and references.

In preparing your exam for submission, please follow these instructions precisely:

1. Use this document as a template, i.e., fill in your answers in the indicated locations.

2. Modify the header to show your name.

Part 1: Snort Rule Analysis. (5 responses at 2 points each)

Examine the following Snort rule, designed to detect attempts by an organization’s employees to access a gambling website in violation of acceptable use policy. This rule is syntactically valid and will produce alerts when a user visits the Powerball lottery website with a web browser. With an eye towards minimizing false positives, identify five ways the rule could be improved to more specifically target employees accessing the Powerball website.

alert ip any any -> $EXTERNAL_NET any (msg:”Acceptable use violation – Gambling – Powerball”; flow:stateless; content:”powerball”; nocase; sid:3333333; rev:1;)

Improvements:

Part 3: Short Answer Questions. (10 questions at 5 points each)

1. Define and differentiate false positive and false negative. Which is worse, and why? Give one example of each, drawn from any context that demonstrates your understanding of the terms.

Answer:

2. Explain the following Snort rule. What sort of attack is it intended to detect? What network traffic pattern information is it looking for?

alert ip any any -> any any (msg:”BAD-TRAFFIC same SRC/DST”; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)

Answer:

3. What are the key differences between user-centric and target-centric monitoring in behavioral data forensics? Is one perspective preferred over the other? If so, what are some of the advantages of the preferred choice, or disadvantages of the non-preferred choice?

Answer:

4. Write a rule using Snort syntax to detect an internal user executing a Windows “tracert” command to identify the network path to an external destination. Identify what changes, if any, and revise/rewrite the rule to make it work effectively for a Unix/Linux “traceroute”.

Answer:

5. Most network IDS tools are designed to optimize performance analyzing traffic using a variety of protocols specific to TCP/IP wired networks. Describe at least two intrusion detection scenarios where other, specialized types of intrusion monitoring and analysis are called for (that is, where typical NIDS like Snort are not appropriate or effective), explaining what limitations exist in conventional NIDS that make them insufficient to provide effective intrusion detection in the environments corresponding to these scenarios.

Answer:

6. What is a multi-event signature? Provide at least two examples of multi-event signature activities or patterns that might be monitored with an intrusion detection system.

Answer:

7. What are the operational requirements necessary to perform anomaly-based intrusion detection? How does the information gathered about network traffic by anomaly-based IDS tools differ from the information gathered by signature-based NIDS?

Answer:

8. Many people perceive intrusion detection to be a constant, all-the-time security function. Identify and describe at least two “part-time” intrusion detection operational models, and for each give an example of a usage scenario that would call for part-time monitoring.

Answer:

9. Are organizations legally obligated to use intrusion detection capabilities? Why or why not?

Answer:

10. Imagine you are tasked with monitoring network communication in an organization that uses encrypted transmission channels. What are the limitations of using intrusion detection systems in this environment? What methods would you employ to accomplish this task?

Answer:

Part 4: Essay Questions. Maximum length: 3 double-spaced pages each, excluding references. (Two questions at 15 points each)

1. In 2003, a well-publicized report from IT analyst firm Gartner predicted that the market for stand-alone IDS tools would soon disappear and urged Gartner clients to cease investing in IDS tools in favor of firewalls. Clearly, this prediction has not come true, due in part to significant increases in the technological capability, processing speed, and accuracy of IDS tools in the more than 15 years since the erroneous prediction.

Contemporary enterprises have a wide array of network and platform security tools from which to choose, and as we have seen in this course there is substantial overlap in the capabilities of different categories of tools such as firewalls, IDS, anti-malware, vulnerability scanners, and so forth. What factors would exert the most influence on an organization and lead it to choose to implement IDS technology? In your response please identify potential benefits of IDS, potential drawbacks, and any considerations about an organization’s operating environment that might drive its decision.

2. Beginning about 10 years ago, the U.S. Department of Homeland Security established programs intended to expand the government’s intrusion detection capabilities, in particular citing a need to move to mandatory real-time intrusion detection for federal government networks. The current manifestation of this goal is the Einstein program, which is now in widespread use across the government and received some negative (and partly inaccurate) publicity in early reports of the large-scale data breach announced in 2015 involving systems operated by the U.S. Office of Personnel Management. [The current administration has de-emphasized this and other security initiatives promoted by the previous administration. See the brief description of Initiative #3 of the Comprehensive National Cybersecurity Initiative (http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-034.pdf).]

Using what we have learned in this course and your own knowledge of IDS operational models, requirements, and other characteristics associated with selecting and using the most appropriate types of intrusion detection and prevention, what is your response to the government’s approach of trying to implement comprehensive intrusion detection and prevention for all network traffic to or from U.S. government agencies? What are some of the key obstacles faced in rolling out an intrusion detection capability of this sort? Identify and describe at least three (3) challenges that DHS should consider with its Einstein deployment.