CIST 1601 Information Security Fundamentals

Networking and Communications

Oct 27, 2013



Chapter 4 Monitoring Activity and Intrusion Detection

Collected and Compiled

By JD Willard

MCSE, MCSA, Network+,

Microsoft IT Academy Administrator

Computer Information Systems Instructor

Albany Technical College

Monitoring the Network

Recognizing the Different Types of Network Traffic

Novell Protocols

NetWare, a server-based networking environment/operating system, offers network protocols, services, and applications. Like any network operating system, NetWare is susceptible to attack. In addition to TCP/IP, NetWare supports two other proprietary protocols:

Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) are unique to Novell 4.x and earlier NetWare networks. Since NetWare 5, NetWare has been able to use TCP/IP as its only transport protocol. IPX and SPX are fast, efficient, and well documented. They are also susceptible to communications interception using internal monitoring, because neither protocol encrypts anything on the wire. Microsoft created NWLink, an IPX-compatible protocol that it owns.

NetWare Directory Services (NDS) manages all the resources in a network. NDS provides a database of all network objects or resources.

The figure below shows an NDS tree. Notice that the NDS tree treats print devices, disk volumes, users, and groups as leaf objects, or resources, in the tree. Earlier versions of NetWare used bindery services; the bindery kept track of resources on a server-by-server basis. In the most recent versions of NetWare, NDS has been expanded and renamed eDirectory.


Microsoft Protocols


The biggest vulnerability with NetBIOS is that it opens ports for file and print sharing. These ports (which can include 135 through 139 and 445) can be accessed across the Internet as well as by devices on the local LAN unless a firewall filters them, so they should be blocked at the network perimeter and exposed only where sharing is actually needed.


NetBEUI is a nonroutable protocol, meaning that it can't be sent across routers. NetBEUI traffic is easy to intercept internally using a network sniffer.

WINS Service

Windows Internet Naming Service (WINS) translates NetBIOS names to TCP/IP addresses. Because WINS is providing a service to clients who request information from it, it's susceptible to denial-of-service attacks. When left unpatched, a WINS server has also been exploitable for remote code execution.


WINS server resolving a NetBIOS name to a TCP/IP address

Network File System Protocol

Network File System (NFS) is the default file-sharing protocol for Unix systems. NFS allows a remote user to mount drives on a machine in the network. To be secure, NFS requires special configuration: classic NFS trusts the user and group IDs the client asserts, so exports must be restricted to specific hosts or networks and should map remote root to an unprivileged user (root_squash). NFS plays a role comparable to that of Distributed File System (DFS), which tends to exist outside of the Unix world.

The Apple Protocol

Most manufacturers support AppleTalk, which isn’t intended for secure applications.
Modern Macintosh systems can also use TCP/IP for connections.

Most AppleTalk vulnerabilities are exploitations of programs that offer this service. For
example, there are known vulnerabilities with programs that allow Linux to offer
AppleTalk, but those weaknesses are with the programs themselves and not with
AppleTalk per se.


A remote system mounting a drive on a local machine using NFS

Monitoring Network Systems


can occur on individual systems, on servers, or as a separate component of
the network. The connection used is called a tap. The figure below illustrates some of
the places where a network tap can occur. Each tap location presents a different view of
the network. For effective security, multiple taps are probably needed.

Your system faces both internal and external threats.

Heavy traffic makes it necessary to dedicate personnel to monitoring. Network activity is
also reported in system logs and audit files. It’s a good practice to periodically review
these files. Automated tools make this process more manageable.

Network sniffers and NIDSs are used to monitor network traffic. A network sniffer is driven by an analyst looking at captured traffic, whereas an NIDS applies its detection logic automatically and raises alerts.

Tap locations used
to monitor
network traffic

Reporting (07:32)

Understanding Intrusion


Network Intrusion Detection and Prevention (5:40)

Intrusion detection (ID) is the process of monitoring
events in a system or network to determine if an
intrusion is occurring.

An intrusion is defined as any activity or action that
attempts to undermine or compromise the
confidentiality, integrity, or availability of resources.

An IDS reports and monitors intrusion attempts.

An IDS will announce an event through an alert when
suspicious activity is encountered.

Detection vs. Prevention (6:06)


An activity is an element of a data source that is of interest to the operator. This is usually a specific occurrence or event.

The administrator is the person responsible for making decisions about the deployment and configuration of the IDS, alarm levels, historical logging, and session monitoring capabilities, and for determining the appropriate responses to attacks and ensuring that those responses are carried out.

An alert is the message from an IDS analyzer indicating that something of interest has happened, that is, that an event has occurred. Alerts occur when activities of a certain type exceed a preset threshold.

The analyzer is the component that analyzes the data collected by the sensor. The analyzer function uses data sources from sensors to analyze and determine whether an attack is under way.

The data source is the raw information used by the IDS to detect suspicious activity. Data sources include audit files, system logs, or current network activity.

An event is an occurrence in the data source that indicates a suspicious event. Not every activity ends up as an event, and not every event generates an alert. The event might trigger an alert if a deviation from normal network traffic patterns occurred or if an activity threshold was crossed.

The manager is the component that the operator uses to manage the IDS. The manager may be a graphical interface, a real-time traffic screen, or a command-driven environment.

Notification is the process or method by which the IDS manager makes the operator aware of an alert. This might include a graphic display or an e-mail sent to the administrative staff.

The operator is the person primarily responsible for the IDS.

The sensor collects data from the data source and passes it on to the analyzer. If the analyzer determines that unusual activity has occurred, an alert may be generated.


The components of an IDS
working together to provide
network monitoring

A signature-based system, also commonly known as a misuse-detection IDS (MD-IDS), is primarily focused on evaluating attacks based on a known identity, attack signature, or audit trail.

All attack signatures are contained in a signature database. The signature database must be updated to remain effective. The user can examine the signature database and quickly determine which intrusive activity the misuse-detection system is programmed to alert on.

Signature-based systems have an advantage because of their simplicity and their ability to operate online in real time. Other advantages include:

Low number of false positives

Detailed text logs

Use of few system resources

Signature-based detection has several limitations, including being based excessively on passive monitoring, and the rule sets need constant updating. They can detect only known attacks with identified signatures; a new exploit, or a known one obfuscated so that it no longer matches its signature, passes unnoticed.


A signature-based IDS in action

False Positives (3:23)

An anomaly-detection IDS (AD-IDS) detects any changes or deviations in network traffic. It is also called statistical anomaly detection. Anomaly detection is analogous to credit card fraud detection. Credit card companies maintain "spending profiles" for their customers.

Anomaly detectors work by creating profiles or models of the normal behavior pattern of individual users, hosts, or network connections. There is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalies. Sometimes the baseline is established through a manual process. If an attack is already under way during the learning period, that attack is learned as "normal," so the baseline should be built from traffic you have reason to trust.

The classifications of anomaly detection techniques include statistical methods, rule-based methods, distance-based methods, profiling methods, and model-based approaches.

Anomaly-based monitoring is useful for detecting these types of attacks:

Protocol and port exploitation

New exploits or buffer overflow attacks

Denial-of-service attacks based on payloads or volume

Normal network failures

Variants of existing attacks in new environments

Highly secure environments might use complex patterns of behavior analysis, in some cases learning individual patterns of use common to each user profile, so that variations can be identified.

One of the disadvantages of anomaly-based IDS is that it generates false positives because the pattern of behavior can vary, or the pattern of behavior is too dynamic to analyze properly.
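The two detection styles described above (signature-based misuse detection and statistical anomaly detection) side by side, as an added example that is not part of the original slides. The request log, the two-entry signature database, the four-minute learning period and the three-sigma threshold are all constructed for this demonstration; a real sensor would read live traffic and a maintained rule set. Note what each approach misses: the signature detector never sees the request flood, and the anomaly detector never sees the single malicious request.

```python
"""Signature-based vs. anomaly-based detection over constructed log lines.

Added example, not from the original slides. The log, the signature
database and the thresholds are assumptions made up for this demo.
"""
import re
import statistics
from collections import Counter

# Constructed sample log: (minute, source IP, request line).
# Minutes 0-3 are quiet "normal" traffic; minute 4 carries one known-bad
# request; minute 5 carries a burst of 40 harmless-looking requests.
SAMPLE_LOG = [
    (0, "10.0.0.5", "GET /index.html"),
    (0, "10.0.0.7", "GET /about.html"),
    (1, "10.0.0.5", "GET /login"),
    (1, "10.0.0.9", "GET /index.html"),
    (2, "10.0.0.7", "GET /contact"),
    (2, "10.0.0.5", "GET /index.html"),
    (3, "10.0.0.9", "GET /products"),
    (3, "10.0.0.7", "GET /index.html"),
    (4, "203.0.113.4", "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir"),
] + [(5, "203.0.113.8", f"GET /page{i}") for i in range(40)]

# Assumed signature database: name -> regex applied to the request line.
SIGNATURES = {
    "IIS unicode traversal": re.compile(r"\.\.%c[01]%[0-9a-f]{2}\.\./", re.I),
    "cmd.exe invocation": re.compile(r"cmd\.exe", re.I),
}


def signature_detect(log):
    """Misuse detection: alert only on requests matching a known signature."""
    alerts = []
    for minute, src, request in log:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((minute, src, name))
    return alerts


def build_baseline(log, learning_minutes):
    """Learning period: requests per (minute, source) during trusted traffic.
    Returns the mean and population standard deviation of that rate."""
    counts = Counter((m, src) for m, src, _ in log if m < learning_minutes)
    rates = list(counts.values())
    return statistics.mean(rates), statistics.pstdev(rates)


def anomaly_detect(log, learning_minutes=4, sigmas=3.0):
    """Statistical anomaly detection: flag any (minute, source) whose request
    rate exceeds the learned mean by more than `sigmas` standard deviations.
    The deviation is floored at 1.0 so a perfectly flat baseline still leaves
    some slack; otherwise every second request would be an anomaly."""
    mean, sd = build_baseline(log, learning_minutes)
    threshold = mean + sigmas * max(sd, 1.0)
    counts = Counter((m, src) for m, src, _ in log if m >= learning_minutes)
    return [(m, src, n) for (m, src), n in counts.items() if n > threshold]


if __name__ == "__main__":
    print("signature alerts:", signature_detect(SAMPLE_LOG))
    print("anomaly alerts:  ", anomaly_detect(SAMPLE_LOG))
```

Running the two detectors over the same log makes the complementarity concrete: the signature detector returns two alerts for the one traversal request and nothing for the burst, while the anomaly detector returns only the burst. This is why the chapter recommends layering the approaches rather than choosing one.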



IDS using expert system technology
to evaluate risks

Behavior-based monitoring works by looking at the way certain executable files make your computer behave. It determines whether a program is malicious by inspecting the stream of system calls that the program issues to the operating system.

This monitoring method can be used to identify internal misuse by recognizing actions outside of normal access patterns or authorized events occurring outside of normal profile usage, such as the access of protected files during off hours.

Behavior-based monitoring driven by explicit rules produces few false alerts for the behaviors you have defined as unacceptable, because the rule states exactly what is not allowed. Rules must be in place, though: if you do not properly define inappropriate behaviors, attacks that fall outside the rules can occur. When you define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted, you are using behavior-based monitoring.

Behavior-based monitoring advantages include the following: it can identify malware before it is added to signature files, monitor for malware activities, and learn about malware based on previous detection.

Behavior-based detection has several limitations. Where it relies on learned profiles rather than explicit rules, it has a high incidence of false alarms, and inspecting the behavior of every file is slow.



The primary advantage of a network-based IDS (NIDS) is the low maintenance involved in analyzing traffic in the network. An NIDS is easy and economical to manage because the signatures are not configured on all the hosts in a network.

Violations of policy, monitoring of all HTTP traffic, and monitoring of all FTP traffic are examples of the types of information an NIDS is designed to monitor.

An NIDS is not capable of analyzing encrypted information. For example, the packets that travel through a VPN cannot be analyzed by the NIDS. The lack of this capability is a primary disadvantage of an NIDS.

The performance of an NIDS can be affected in a switched network environment, because a switch delivers each frame only to the port of its destination; the NIDS will not see traffic on segments it is not attached to unless the switch mirrors that traffic to the sensor's port.

Two basic types of responses can be formulated at the network level: passive and active.

Working with a Network-Based IDS

A network-based IDS (NIDS) approach to IDS attaches the system to a point in the network where it can monitor and report on all network traffic.

Placing the NIDS in front of the firewall provides monitoring of all network traffic going into the network, including the attacks the firewall would have dropped anyway, so expect a far noisier alert stream there.

Putting the NIDS behind the firewall only allows you to see the traffic that penetrates the firewall.

The best solution to creating a secure network is to place an IDS both in front of and behind the firewall.

The NIDS can be attached to a switch (using a mirror or SPAN port, since a switch does not otherwise forward other ports' traffic to the sensor), to a hub, or to a tap. Intrusion is monitored on the network segment on which the NIDS is placed, and not on individual systems.

IDS placement in a network determines what data will be analyzed

A hub being used to attach the NIDS to the network

Implementing a Passive Response

A passive response is the most common type of response to many intrusions and the easiest and cheapest to develop and implement. A passive threat response does nothing to prevent the threat or attack; it just acknowledges that one is happening or is about to happen. The following list includes some passive response types:

Logging involves gathering sufficient information on the attack to assist administrators in implementing measures to divert it. Logging usually involves recording events and the circumstances under which they occurred.

Notification involves informing the designated administrator when a security-related event has occurred and communicating information on the event. If the IDS is manned full time, messages can be displayed on the manager's console to indicate that the situation is occurring.

Shunning basically involves ignoring the attack because the specific attack will not work (for example, an exploit aimed at a service the target does not run). The IDS can make a note of it in a log and move on to other more pressing business.

Implementing an Active Response

An active response involves taking an action based on an attack or threat. An active response will include one of the reactions briefly described here:

Terminating processes or sessions

If a flood attack is detected, the IDS can cause the subsystem, such as TCP, to force resets to all the sessions that are under way.

IDS instructing TCP to reset all connections

Network configuration changes

If a certain IP address or a particular socket or port is being attacked, the IDS can instruct a border router or firewall to reject any requests or traffic from that address or port. This configuration change can remain in effect permanently or for a specified period. Because the source address in an attack packet can be spoofed, an automatic block should never be applied to addresses you depend on (gateways, DNS servers, partners), or an attacker can use the IDS itself to cut you off from them.
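The "reject traffic from that address for a specified period" response above, as an added example that is not part of the original slides. It keeps the block list in memory so it runs offline; the alert tuples, the 60-second block period and the never-block network are constructed assumptions, and a real responder would push each decision to the firewall or router through that device's own management interface. The protected-address check is the self-denial-of-service safeguard mentioned in the text.

```python
"""Active response: temporary source-address blocking driven by IDS alerts.

Added example, not from the original slides. The alert format, the block
duration and the never-block list are assumptions for this demo.
"""
import ipaddress

# Constructed IDS alerts: (unix time, source IP, alert name).
SAMPLE_ALERTS = [
    (1000, "203.0.113.4", "IIS unicode traversal"),
    (1001, "203.0.113.4", "cmd.exe invocation"),
    (1002, "10.0.0.1", "port scan"),        # our own gateway: must never be blocked
    (1005, "198.51.100.9", "SYN flood"),
]

# Assumed policy: addresses an automated response must never block. This
# guards against self-DoS when an attacker spoofs a source we depend on.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]


class Responder:
    def __init__(self, block_seconds=60):
        self.block_seconds = block_seconds
        self.blocked = {}   # ip -> time at which the block expires
        self.skipped = []   # (ip, reason) for alerts we deliberately did not act on

    def _protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in NEVER_BLOCK)

    def expire(self, now):
        """Drop blocks whose period has elapsed (the 'specified period' response)."""
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]

    def handle(self, now, src, alert):
        """Shun `src` for block_seconds; a repeat alert extends the block.
        Returns True if a block was applied, False if the source is protected."""
        self.expire(now)
        if self._protected(src):
            self.skipped.append((src, "protected address"))
            return False
        self.blocked[src] = now + self.block_seconds
        return True

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self.blocked


def run(alerts, block_seconds=60):
    """Feed a list of alerts through a Responder and return it for inspection."""
    responder = Responder(block_seconds)
    for now, src, alert in alerts:
        responder.handle(now, src, alert)
    return responder


if __name__ == "__main__":
    r = run(SAMPLE_ALERTS)
    print("blocked:", r.blocked)
    print("skipped:", r.skipped)
```

The expiry is computed from the last alert for that source, so a persistent attacker stays blocked while a one-off probe falls off the list after a minute; making the period short is what keeps a spoofed burst from turning into a long outage for an innocent address.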


IDS instructing the firewall to close port 80 for 60
seconds to thwart an IIS attack


A deception active response fools the attacker into thinking the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a system that is designed to be broken.

This allows the operator or administrator to gather data about how the attack is unfolding and the techniques being used in the attack. This process is referred to as sending them to the honeypot.

It's dangerous to allow a hacker to proceed into your network, even if you're monitoring the events.

This approach is frequently used when law enforcement is gathering evidence to ensure a successful prosecution of the attacker.


A network honeypot deceives an attacker and gathers information

Working with a Host-Based IDS

A Host Intrusion Detection System (HIDS) is designed to detect hacker attacks on a single computer system. HIDS software is installed on each host that needs IDS capabilities.

Because the HIDS is installed on the local computer, the computer is completely compromised once a hacker penetrates the HIDS; an attacker with administrative control of the host can disable the agent or alter its logs, so HIDS alerts and logs should be forwarded to a separate system as they are produced.

HIDS can monitor:

Network traffic specific to the host

Checksums of important system files

Ports used by the system or incoming connections

Processes running on the system

HIDS can include filters and antivirus modules.

HIDSs are good at detecting unauthorized file modifications and user activity.

HIDS runs on a host in the network to:

Monitor communications

Monitor system logs and file systems

Detect suspicious activities, including failed login attempts

A host-based IDS cannot see inside encrypted packets either, but unlike an NIDS it can observe the data once the host's own applications have decrypted it.

To monitor the internal network and external traffic, NIDSs and HIDSs should be used together.

A host-based IDS interacting with the operating system

Working with NIPS

A network intrusion prevention system (NIPS) detects network intrusion attempts and controls access to the network for the intruders. A NIPS is an improvement over an IDS because an IPS actually prevents intrusion.

An inline NIPS works like a Layer 2 bridge. It sits between the systems that need to be protected and the rest of the network.

NIPS proactively protect machines against damage from attacks that signature-based technologies cannot detect, as most NIPS solutions have the ability to look at application-layer protocols such as HTTP, FTP, and SMTP.

When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds a single point of failure to the network. A good way to prevent this issue is to use fail-open technology. This means that if the device fails, it does not cause a complete network outage; instead, it acts like a patch cable. The trade-off is that while the sensor is down, traffic passes uninspected, so fail-open versus fail-closed is a deliberate choice between availability and protection that should be made for each segment.



Honeypots are computer systems designed to be vulnerable points of attack on a separate network away from the corporate network.

Honeypots lure a hacker by appearing to be a legitimate server with security holes that are ripe and ready for exploitation.

A honeynet simulates a network of vulnerable devices, and has logging and tracing enabled. To attract hackers, a honeypot has its security level purposefully set quite low, so as to draw attackers to it and divert them from the private network.

This security technique is used to allow administrators to observe hackers in action while not exposing vital network resources.

Law enforcement agencies use honeypots to gather evidence for prosecution.

A honeypot is most often deployed on the DMZ or screened subnet.

When compared to IDSs and firewalls, honeypots are usually easier to configure and monitor. In addition, IDSs and firewalls collect vast quantities of information, while honeypots provide valuable information on only the specific attack: legitimate users have no reason to touch a honeypot, so nearly every connection to it is worth examining.

Before implementing a honeypot, you need to understand the concepts of enticement and entrapment:

Enticement is the process of luring someone into your plan or trap. You might accomplish this by advertising that you have free software, or you might brag that no one can break into your machine. If you invite someone to try, you're enticing them to do something that you want them to do.

Entrapment is the process of encouraging an individual to perform an unlawful act that they wouldn't normally have performed.

While enticement is legally acceptable, entrapment isn't. You should seek legal advice before you implement a honeypot on your network.

Understanding Incident Response

An incident is the occurrence of any event that endangers a system or network.

Incident response encompasses forensics (identifying what has occurred) and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.

It's a good idea to include the procedures you'll generally follow in an incident response plan (IRP). The IRP outlines what steps are needed and who is responsible for deciding how to handle a situation.

The chain of custody tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed: who handled it, when, and, for digital evidence, the cryptographic hash taken at collection so that later copies can be shown to be unaltered.

Step One: Identifying the Incident

The first step is to identify the incident and determine if it is an incident, or just a false positive.

A false positive occurs when the software classifies an action as a possible intrusion when it is actually a nonthreatening action.

When a suspected incident pops up, first responders are those who must ascertain if it truly is an incident or a false alarm.

When the response team has determined that an incident occurred, the next step in incident analysis involves considering how to handle it by taking a comprehensive look at the incident activity to determine the scope, priority, and threat of the incident.

This step also involves consulting policies and appropriate management, and determining how best to conduct an investigation into the incident.


Step Two: Investigating the Incident

The process of investigating an incident involves searching
logs, files, and any other sources of data about the nature
and scope of the incident.

If possible, you should determine whether this is part of a
larger attack, a random event, or a false positive.

You might find that the incident doesn’t require a response
if it can’t be successful.

Your investigation might conclude that a change in policies
is required to deal with a new type of threat.


Step Three: Repairing the Damage

In keeping with the severity of the incident, the organization can act to mitigate the impact of the incident by containing it and eventually restoring operations back to normal.

Most operating systems provide the ability to create a disaster-recovery process using distribution media or backups of system state files.

In the case of a denial-of-service attack, a system reboot may be all that is required.

Your operating system manufacturer will typically provide detailed instructions or documentation on how to restore services in the event of an attack.

Just as every network, regardless of size, should have a firewall, it should also be protected by antivirus software that is enabled and current.

If a system has been severely compromised, it may need to be regenerated from scratch. In that case, you're highly advised to do a complete disk format or repartition to ensure that nothing is lurking on the disk, waiting to infect your network again. Take a forensic image of the disk before wiping it if the evidence may be needed later.


Step Four: Documenting and Reporting the Response

You should document the steps you take to identify, detect, and repair the system or network.

It is important to accurately determine the cause of each incident so that it can be fully contained and the exploited vulnerabilities can be mitigated to prevent similar incidents from occurring in the future.

Many help-desk software systems provide detailed methods you can use to record procedures and steps.

You should also report the incident to law enforcement and/or a CERT (Computer Emergency Response Team) so that others can be aware of the type of attack and help look for proactive measures to prevent this from happening again.

You might also want to inform the software or system manufacturer.


Step Five: Adjusting Procedures

After an incident has been successfully managed, revisit the
procedures and policies in place in your organization to
determine what changes, if any, need to be made.

The following questions might be included in a policy or
procedure manual:

How did the policies work or not work in this situation?

What did we learn about the situation that was new?

What should we do differently next time?

These simple questions can help you adjust procedures. This
process is called a postmortem, the equivalent of an autopsy.


Working with Wireless Systems

Wireless Transport Layer Security (WTLS) is the security layer for wireless connections that use the Wireless Application Protocol (WAP). WAP is an open international standard for applications that use wireless communication.

WTLS provides authentication, encryption, and data integrity for wireless devices in the WAP environment. WTLS provides reasonable security for mobile devices, and it's being widely implemented in wireless devices.

WAP provides the functional equivalent of TCP/IP for wireless devices. Many devices, including newer cell phones and PDAs, include support for WTLS as part of their networking protocol capabilities.

WTLS as part of the WAP

IEEE 802.11x Wireless Protocols

The 802.11 standard specifies the technologies that are used for wireless LANs.

The Institute of Electrical and Electronics Engineers (IEEE) developed the 802.11 standards.

802.11 transmissions generate detectable radio-frequency signals in all directions.

The 802.11 standard defines wireless LANs transmitting at 1Mbps or 2Mbps bandwidths using the 2.4GHz frequency spectrum and using either frequency-hopping spread spectrum (FHSS) or direct-sequence spread spectrum (DSSS) for data encoding.

The 802.11a standard provides wireless LAN bandwidth of up to 54Mbps in the 5GHz frequency spectrum. 802.11a uses orthogonal frequency division multiplexing (OFDM) for encoding.

The 802.11b standard provides for bandwidths of up to 11Mbps in the 2.4GHz frequency spectrum. This standard is also called Wi-Fi or 802.11 high rate. The 802.11b standard uses only DSSS for encoding.

The 802.11g standard provides for bandwidths of up to 54Mbps in the 2.4GHz frequency spectrum.

The 802.11n standard provides for bandwidths of up to 300Mbps in the 5GHz frequency spectrum (it can also communicate at 2.4GHz for compatibility). It offers higher speed and a frequency with less interference.

Direct-sequence spread spectrum (DSSS) transmits a signal that is a combination of an artificial and a real signal.

DSSS accomplishes communication by adding the data to a higher-speed transmission. The higher-speed transmission contains redundant information to ensure data accuracy. Each packet can then be reconstructed in the event of a disruption.

The receiving end utilizes the additional signal to maintain the integrity of the real signal when interference is experienced. Both ends must agree upon the method for generating the signal.

DSSS offers superior range, the ability to block interference, and a transmission rate of 11Mbps.

Frequency-hopping spread spectrum (FHSS) accomplishes communication by hopping the transmission over a range of predefined frequencies. The changing or hopping is synchronized between both ends and appears to be a single transmission channel to both ends. FHSS signals are harder for a casual listener to pick up, but the hopping sequences are published in the 802.11 standard, so hopping is not a security control.

Orthogonal Frequency Division Multiplexing (OFDM) is a modulation scheme used with networks in the IEEE 802.11a standard. OFDM accomplishes communication by breaking the data into subsignals and transmitting them simultaneously. These transmissions occur on different frequencies or subbands.

Wireless Application Protocol (WAP) is the technology designed for use with wireless devices. WAP functions are equivalent to TCP/IP functions in that they're trying to serve the same purpose for wireless devices.

The WAP gateway converts information back and forth between HTTP and WAP as well as encoding and decoding between the security protocols (TLS on the Internet side, WTLS on the wireless side). Because the gateway decrypts and re-encrypts, the data exists in the clear on the gateway itself; and if the interconnection between the WAP server and the Internet isn't encrypted, packets between the devices may be intercepted, creating a potential vulnerability. This vulnerability is called the "gap in the WAP."

Wired Equivalent Privacy (WEP) is a standard for wireless devices that encrypts data to provide data security. WEP is vulnerable due to weaknesses in the way the encryption algorithm (RC4 with a short, reused initialization vector) is employed. It can potentially be cracked in as few as five minutes using available PC software. This makes WEP one of the more vulnerable protocols available for security, and it should not be relied on at all.

Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) technologies were designed to address the core problems with WEP. These technologies implement the 802.11i standard. The difference between WPA and WPA2 is that WPA implements most of 802.11i (TKIP, still built on RC4) in order to be able to communicate with older wireless cards, while WPA2 implements the full standard (AES-CCMP) and is not compatible with older cards.

As of this chapter's writing, WPA2 is the highest standard for Wi-Fi communication security.


WEP and WPA (4:30)

Wireless Vulnerabilities to Know

Wireless systems are vulnerable to all the attacks that wired networks are vulnerable to. However, because these protocols use radio-frequency signals for data emanation, they can be easily intercepted. To intercept 802.11 traffic, all you need is a PC with an appropriate 802.11 card installed.

Without the use of a mandated encryption standard, data transmitted over an 802.11 wireless link may be passed in clear form. Additional forms of encryption may be implemented, such as WEP and AES, but WEP suffers from the fact that a determined listener can obtain enough traffic data to calculate the encoding key in use. WPA2's AES-based encryption does not share that weakness, though a weak pre-shared key can still be guessed offline from a captured association handshake.

Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available WAPs. Turning off this broadcast can reduce the chance of a casual scanner identifying a WAP, but the SSID still appears in clear text in probe and association frames, so a passive sniffer recovers it as soon as any client connects. Turning off SSID broadcast is often listed as a "best practice," along with conducting a site survey, selecting channels not already in use in the area, requiring WPA2 (or newer) encryption, and restricting access to a known list of Wi-Fi MAC addresses where possible; of these, only the encryption requirement is a real security control, since MAC addresses are sent unencrypted and are trivially spoofed.

MAC Filtering and SSID Management (3:20)

A site survey is the process of monitoring a wireless network using a computer, wireless controller, and analysis software. Site surveys generally produce information on the types of systems in use, the protocols in use, and other critical information.

You should periodically complete a site survey to ensure that no unauthorized wireless access points are established.

You will also want to perform a site survey before implementing any WLAN solution. This is particularly important in wireless networks spanning multiple buildings or open natural areas, where imposing structures and tree growth may affect network access in key areas.

Site surveys are easily accomplished and hard to detect, because a passive survey only listens.

To make unauthorized site surveys less productive, change the default SSID and disable SSID broadcasts. Upon discovering an unauthorized WAP using a site survey, physically locate the device and disconnect it.

War driving is the act of driving about with a laptop looking for wireless LANs in a geographic area announcing their SSID broadcasts and WEP





When a client attempts to contact a wireless access point (AP), the AP authenticates the client through a basic challenge-response method, and then provides connectivity to a wired network or servers.

Because the client request is an open broadcast, it is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. By implementing a rogue AP with stronger signal strength than more remote permanent installations, the attacker can cause a wireless client to preferentially connect to their own stronger nearby connection using the wireless device's standard roaming handoff mechanism. Mutual authentication, where the client verifies the network (as with WPA2-Enterprise and a validated server certificate), is what defeats this; a shared WPA2 passphrase alone does not stop a client from joining an attacker's AP that advertises the same SSID and knows the passphrase.

Bluejacking is an attack that sends unsolicited messages over a Bluetooth connection. It can be considered spamming in a Bluetooth environment. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are vulnerable.

Attackers use bluejacking to generate messages that appear to be from the device itself. This leads users to follow prompts and establish an open Bluetooth connection to the attacker's device. Once paired with the attacker's device, the user's data becomes available for unauthorized access, modification, or deletion, which is an attack referred to as bluesnarfing.


Rogue Access Points and Evil Twins (5:21)




Understanding Instant Messaging

Instant messaging (IM) has become a hugely popular application on the Internet. Millions of users use instant messaging.

America Online and Microsoft provide IM services to their subscribers.

IM users can send photos, play network games, conduct chats, send e-mail, and even have IM conferences.

Clients use software to connect to IM servers to communicate. These servers might be synchronized worldwide to allow instantaneous communications between any two users in the world.

Clients connecting to an IM server system similar to the ones used by Microsoft and America Online

Understanding IM Vulnerabilities


Jamming is the process of intentionally disrupting communications in an IM session. Jamming is a loosely defined term, and it refers to any intentional disruption that isn't a denial-of-service attack.

IM users are highly susceptible to malicious code attacks such as worms, viruses, and Trojan horses. Ensure that IM users have up-to-date antivirus software installed.

Most IM systems allow broadcasts. The broadcasting capability allows an attacker to potentially send a "bait message" to millions of people simultaneously. The acronym SPIM has even been added recently to the vernacular to describe spam over instant messaging.

An IM user complaining that his system is unresponsive and about a million web browser windows have opened on his screen has just encountered an application denial-of-service attack. This type of attack is common and isn't usually fatal, but it's very annoying. Your user should restart his system, verify that the website didn't transmit a virus, and stay away from broadcast websites.

IM systems allow unsuspecting users to download files that may contain viruses. Because the last extension in a filename is what determines how the operating system handles it, and Windows may hide that extension from the user, a file that appears to have one extension may actually have another. For example, the file account.doc.vbs would appear in many applications as account.doc, but it's actually a Visual Basic script and could contain malicious code.

Working with 8.3 File Naming

The 8.3 format allows eight characters for the filename and three characters
for the file type or extension. Certain file extensions tell the operating
system to immediately start executing a file (for example, .bat, .com, and .exe).

Windows hides the file extension from the user.

If a file type is indicated, the system automatically opens the program that
has been registered to be associated with the file.

If the file is an executable or a script, it will start executing using the
appropriate language or command processor. If this file is a Trojan horse, a
worm, or some other form of malicious code, the system has potentially been

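The double-extension trick described above (a file shown as account.doc that is really a Visual Basic script) and the hidden-extension behavior of Windows are easy to check for before a transferred file is handed to a user. The following is an added example, not code from the original slides; the list of executable extensions is an assumption (the slides name .bat, .com, .exe and VBScript; the others are well-known script and program types), and the sample filenames are constructed.

```python
import os

# Extensions Windows treats as directly executable or hands to a script or
# command processor. Assumed list: the slides name .bat, .com, .exe and VBScript;
# the rest are well-known additions. Extend it for your own environment.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".msi",
}

# Extensions a user would reasonably expect to be harmless documents or media.
DOCUMENT_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".pdf", ".txt", ".jpg", ".jpeg", ".png", ".gif",
}


def real_extension(name: str) -> str:
    """Return the final (actual) extension, lower-cased, e.g. '.vbs'."""
    return os.path.splitext(name)[1].lower()


def displayed_name(name: str) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' enabled: only the last extension is stripped, so 'account.doc.vbs'
    is displayed as 'account.doc'."""
    base, ext = os.path.splitext(name)
    return base if ext else name


def is_misleading(name: str) -> bool:
    """True when the file is executable but, once the real extension is hidden,
    looks like an ordinary document (a double extension such as .doc.vbs)."""
    actual = real_extension(name)
    if actual not in EXECUTABLE_EXTENSIONS:
        return False
    apparent = real_extension(displayed_name(name))
    return apparent in DOCUMENT_EXTENSIONS


def assess(name: str) -> dict:
    """Summarize how a filename will be shown and what will actually run."""
    actual = real_extension(name)
    return {
        "name": name,
        "displayed_as": displayed_name(name),
        "real_extension": actual,
        "executable": actual in EXECUTABLE_EXTENSIONS,
        "misleading": is_misleading(name),
    }


def scan_names(names):
    """Return the names that should be quarantined before a user opens them."""
    return [n for n in names if is_misleading(n)]


# Constructed sample filenames, as they might arrive over an IM file transfer.
SAMPLES = ["account.doc.vbs", "report.pdf", "setup.exe", "photo.jpg.exe", "notes.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
    print("quarantine:", scan_names(SAMPLES))
```

A plain executable such as setup.exe is reported as executable but not misleading, because hiding its extension does not make it look like a document; the check targets the specific deception the slides describe. Turning off extension hiding on user workstations removes the disguise at the source.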
Common Executable File Types That PC Systems Use

Understanding Protocol Analyzers

Protocol Analyzers (2:35)

A protocol analyzer provides information regarding traffic flow and
statistical information for your network. It is used to capture network
traffic and generate statistics for creating reports.

A protocol analyzer is a software utility used on a hub, a switch
supervisory port, or inline with network connectivity to allow the
analysis of network communications. Individual protocols, specific
endpoints, or sequential access attempts may be identified using this

A protocol analyzer is also referred to as a network analyzer

Windows Server operating systems come with a protocol analyzer called
Network Monitor.
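To show what a protocol analyzer actually does with captured frames, the following is an added example (not code from the slides or from Network Monitor) that decodes Ethernet II / IPv4 / TCP / UDP headers from constructed frames and produces the per-protocol, per-endpoint and per-port counts such a tool reports. The frames are built inline with dummy MAC addresses and zero checksums, so this is constructed sample input rather than a real capture.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_frame(src_ip, dst_ip, proto, src_port=0, dst_port=0, payload=b""):
    """Construct a minimal Ethernet II + IPv4 (+ TCP/UDP) frame for the demo.
    MACs and checksums are dummies: constructed input, not a capture."""
    if proto == 6:      # TCP header, 20 bytes, SYN flag set
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif proto == 17:   # UDP header, 8 bytes
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    else:               # ICMP or other: no transport header for this demo
        l4 = b""
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + l4 + payload


def decode_frame(frame):
    """Decode one frame into protocol and endpoint fields; None if not IPv4."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto = ip[9]
    rec = {
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "src_port": None,
        "dst_port": None,
    }
    if proto in (6, 17):                # ports sit at the same offset for TCP and UDP
        rec["src_port"], rec["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return rec


def summarize(frames):
    """Compute the kind of statistics a protocol analyzer reports."""
    stats = {"by_protocol": Counter(), "by_talker": Counter(),
             "by_dst_port": Counter(), "bytes": 0}
    for frame in frames:
        rec = decode_frame(frame)
        if rec is None:
            continue
        stats["bytes"] += len(frame)
        stats["by_protocol"][rec["proto"]] += 1
        stats["by_talker"][rec["src"]] += 1
        if rec["dst_port"] is not None:
            stats["by_dst_port"][rec["dst_port"]] += 1
    return stats


# Constructed sample traffic: two TCP SYNs, one DNS query, one ICMP packet.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.1", 6, 51000, 80),
    build_frame("10.0.0.5", "10.0.0.1", 6, 51001, 443),
    build_frame("10.0.0.7", "10.0.0.1", 17, 53000, 53, b"\x00" * 12),
    build_frame("10.0.0.7", "10.0.0.5", 1),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(decode_frame(frame))
    print(summarize(SAMPLE_FRAMES))
```

A real analyzer reads frames from a capture interface or a saved capture file instead of a list, but the decode and tally steps are the same; the "top talkers" and "destination port" counters are what let you spot the sequential access attempts the slide mentions.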

Understanding Signal Analysis and Intelligence


The terms signal analysis and signal intelligence refer to capturing and analyzing electronic signals.
The purpose is to identify and evaluate the enemy, identify and track communications patterns, and
identify what types of technologies are being used to send them.


involves identifying your network and its security posture.

is done using multiple sources of
information to determine what systems you may be using.


involves a hacker using a lookup tool (such as NSLOOKUP) to gain access to your DNS server.


obtains the active blueprint of an organization’s infrastructure and security profile. It includes using the




Scanning is the process of gathering data about your network configuration and determining which systems are live.
Hackers will use scanning programs to look for paths to systems in your network.

A port scanner is a software utility that will scan a single machine or a range of IP addresses, checking for a response
on service ports. Port scanners are useful in creating an inventory of services hosted on networked systems.

A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known
vulnerabilities in software configuration and accessible services. Unlike port scanners, which only test for the availability
of services, vulnerability scanners may check for the particular version or patch level of a service to determine its level of


is a software utility used to conduct network assessments over a range of IP addresses. It compiles a
listing of all systems and network hardware present within a network segment, which can be used to identify single points
of failure, conduct a network inventory, and create graphical details suitable for reporting on network configurations.
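Because port and vulnerability scanners probe many service ports on a host in quick succession, the scanning phase leaves a recognizable pattern in firewall logs. The following is an added example (not from the slides) of a detector that flags a source touching many distinct destination ports on one host within a short window. The log lines, their format, and the thresholds are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall log lines (not from any real system). Assumed format:
# "<ISO time> <action> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LOG_LINES = """\
2013-10-27T10:00:01 DENY 203.0.113.9:40001 -> 192.0.2.10:21 TCP
2013-10-27T10:00:01 DENY 203.0.113.9:40002 -> 192.0.2.10:22 TCP
2013-10-27T10:00:02 DENY 203.0.113.9:40003 -> 192.0.2.10:23 TCP
2013-10-27T10:00:02 DENY 203.0.113.9:40004 -> 192.0.2.10:25 TCP
2013-10-27T10:00:03 ALLOW 203.0.113.9:40005 -> 192.0.2.10:80 TCP
2013-10-27T10:00:03 DENY 203.0.113.9:40006 -> 192.0.2.10:110 TCP
2013-10-27T10:00:04 DENY 203.0.113.9:40007 -> 192.0.2.10:143 TCP
2013-10-27T10:00:04 ALLOW 203.0.113.9:40008 -> 192.0.2.10:443 TCP
2013-10-27T10:00:05 ALLOW 198.51.100.4:50100 -> 192.0.2.10:80 TCP
2013-10-27T10:00:06 ALLOW 198.51.100.4:50101 -> 192.0.2.10:443 TCP
2013-10-27T10:05:00 DENY 203.0.113.50:41000 -> 192.0.2.10:21 TCP
2013-10-27T10:10:00 DENY 203.0.113.50:41001 -> 192.0.2.10:22 TCP
2013-10-27T10:15:00 DENY 203.0.113.50:41002 -> 192.0.2.10:23 TCP
2013-10-27T10:20:00 DENY 203.0.113.50:41003 -> 192.0.2.10:25 TCP
2013-10-27T10:25:00 DENY 203.0.113.50:41004 -> 192.0.2.10:80 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(lines, window_seconds=60, min_ports=5):
    """Return {(src, dst): sorted distinct ports} for every source that contacts
    at least min_ports distinct destination ports on one host within any
    window_seconds-long sliding window. Thresholds are assumed defaults."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    per_pair = defaultdict(list)
    for e in events:
        per_pair[(e["src"], e["dst"])].append(e)

    alerts = {}
    for pair, evs in per_pair.items():
        window = deque()
        for e in evs:
            window.append(e)
            # drop events older than the window relative to the newest event
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            ports = {w["dport"] for w in window}
            if len(ports) >= min_ports:
                alerts.setdefault(pair, set()).update(ports)
    return {pair: sorted(ports) for pair, ports in alerts.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(LOG_LINES.splitlines()).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```

The fast scanner from 203.0.113.9 is reported, the ordinary web client 198.51.100.4 is not, and neither is 203.0.113.50, which probes one port every five minutes. That last case is the caveat: a simple time window catches tools run at default speed but not a deliberately slow scan, so longer-horizon counting per source (or correlation across many destination hosts) is needed alongside this check.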

Penetration testing
, scanning, and enumerating.

Scanning identifies active computers, ports, and services. It includes using the Ping,
, and


Enumerating involves compiling the information from the scanning phase and identifying target systems. During this phase, act

and group accounts are obtained using DNS queries, NBT scans, and the


The End