Question

1. Identify at least two types of security events and baseline anomalies that might indicate suspicious activity.

2. Given the following list of end-user policy violations and security breaches, select three of the below and identify strategies to control and monitor each event to mitigate risk and minimize exposure.

- A user made unauthorized use of network resources by attacking network entities.

- Open network drive shares allow storage privileges to outside users.

- Sensitive laptop data is unencrypted and susceptible to physical theft.

- Remote users do not have recent patches or current updates.

- Legitimate traffic bearing a malicious payload exploits network services.

- An invalid protocol header disrupts a critical network service.

- Removable storage drives introduce malware filtered only when crossing the network.

- Predictable passwords meet minimum length requirements but remain easily guessable.

- Bad router permissions allow attackers to modify configurations or disrupt traffic.

* Please keep the answer short and straight forward. Don't make it too long. Thanks!

Explanation / Answer

1) The two types of security events and baseline anomalies that might indicate suspicious activity are:

a) Different traffic patterns can be considered red alerts: specifically, a sudden increase in overall traffic, i.e., a sudden rise in the number of bad or malformed packets. When large numbers of packets are received by a router or by a firewall's egress filters, whose function is to prevent spoofed packets from leaving the network, the source of this traffic needs to be identified, because that is a clear sign that machines on the network have been compromised. Unscheduled restarting of servers may sometimes indicate they are compromised. The servers' event logs of failed logons and other security-related events would indicate suspicious activity.


b) Security event log - Failure Audit events that are recorded in the Security event log (the security event log file, 'SecEvent.evt', is located in the %systemroot%\System32\config directory) detail operations that have not completed successfully. Failed user logon attempts would be examples of Failure Audit events and would be recorded in the security event logs if logon audits were enabled. By correlating security event information, appropriate personnel can analyze this central repository to identify violations or external attacks. This repository also serves as a tool to detect attacks and address vulnerabilities. Basically, security event logs show any attempted violations of policies.

Removing/editing/deleting/clearing the security event logs - Security event logs are not meant to be and should not be deleted/cleared without proper authorization. If they are deleted, then it is most likely evidence that there has been suspicious activity.


2) Strategies to control and monitor each event to mitigate risk and minimize exposure for the below three end-user policy violations and security breaches:

a) Sensitive laptop data is unencrypted and susceptible to physical theft:

Solutions:

* Strong passwords for laptop accounts should be used.
* The privacy and security settings of the laptop should be changed as per business requirements.
* The laptop should be locked to prevent attackers from stealing it.
* One should keep the laptop close at hand.
* The laptop must be kept out of thieves' sight.
* Choose a less expensive/attractive carrying case to hold the laptop.
* One should label and tag the laptop and all other accessories accordingly.
* All employees should be educated about their responsibility for their own or the company's laptop.
* A security cable should be attached to the laptop.
* The laptop should be kept in a safe or have a physical lock on it.
* The user can have motion sensors and alarms so that if the user and the laptop are separated beyond a certain distance the alarm is triggered.

To safeguard the data:

* A BIOS password should be set up.
* A login password should be set up.
* File systems should be encrypted.
* Encryption of the individual data files themselves should also be applied.
* Biometric authentication mechanisms should be used.
* A tracing and tracking facility should be used to execute commands remotely on the stolen laptop when it is online, so the actual owner can delete all of the important information saved on the hard drive.
* Passwords should be protected (not revealed).
* A minimal amount of data should be stored on the laptop.
* Storing all data in the cloud is advisable.


b) Predictable passwords meet minimum length requirements but remain easily guessable:

* Use strong passwords for device accounts and Wi-Fi networks.
* Default passwords should be changed.
* A stronger encryption method should be used when setting up Wi-Fi networks such as WPA2.
* The privacy and security settings of the device should be modified as per business requirements.
* Strong passwords should be enforced.
* Users should change the default passwords.


c) Bad router permissions allow attackers to modify configurations or disrupt traffic:

* The permissions should be set up so attackers cannot log in and access the routers.
* If the routers are attacked, the administrators should log in to the router page and change the settings back, set up firewalls with the relevant ports and protocols, and change the permissions as well.
* Modify the privacy and security settings of the router to your needs.
* Use strong passwords for router accounts and Wi-Fi networks.
* Research the vendor's device security measures.
* Features that are not being used should be disabled.
* Use SSL/TLS-encrypted connections for communication.
* Enforce that users change default passwords.
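The answer above points at two log-based indicators: a burst of Failure Audit logon events and the Security event log being cleared. The following is an added example, not part of the original answer, that applies both checks to a handful of constructed Windows Security log records; the Event IDs (4625 for a failed logon, 1102 for a cleared Security log) are standard Windows values, while the record format, sample data and baseline threshold are assumptions chosen for the demonstration.

```python
"""Added example: flag failed-logon bursts and Security-log clearing from
a list of (timestamp, event_id, account, source_ip) records."""
from collections import Counter

# Constructed sample records; a real collector would pull them from the
# Security log (e.g. via Get-WinEvent) or a SIEM. Fields: ts, id, acct, src.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", 4624, "alice", "10.0.0.5"),     # successful logon
    ("2024-05-01T09:00:07", 4625, "alice", "10.0.0.5"),     # one typo, normal
    ("2024-05-01T09:00:09", 4625, "bob", "10.0.0.8"),
] + [
    # twelve failures against one account from one source in a minute
    ("2024-05-01T09:01:%02d" % s, 4625, "admin", "198.51.100.23")
    for s in range(12)
] + [
    ("2024-05-01T09:02:30", 1102, "admin", "198.51.100.23"),  # log cleared
]

FAILED_LOGON = 4625   # Windows Security: "An account failed to log on"
LOG_CLEARED = 1102    # Windows Security: "The audit log was cleared"

def failed_logon_bursts(events, baseline_per_source=3):
    """Return {source_ip: count} for sources whose failed-logon count
    exceeds the baseline. The baseline is an assumed value; derive it
    from your own normal traffic rather than reusing this number."""
    counts = Counter(src for _, eid, _, src in events if eid == FAILED_LOGON)
    return {src: n for src, n in counts.items() if n > baseline_per_source}

def log_clear_events(events):
    """Return (timestamp, account) for every Security-log clear event.
    Any occurrence outside an authorised change is itself the finding."""
    return [(ts, acct) for ts, eid, acct, _ in events if eid == LOG_CLEARED]

def triage(events):
    """Combine both checks into human-readable findings."""
    findings = []
    for src, n in failed_logon_bursts(events).items():
        findings.append(f"{n} failed logons from {src} exceed baseline")
    for ts, acct in log_clear_events(events):
        findings.append(f"Security log cleared at {ts} by {acct}")
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Against the sample data the single mistyped passwords from 10.0.0.5 and 10.0.0.8 stay below the baseline, while the twelve failures from 198.51.100.23 and the subsequent log clear are reported.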