Questions

I've ran across the following topics over and over in practice questions/books and I seem to get conflicting information.

What do you do when attack is in progress?
I've heard responses of disconnect the system to prevent further attacks and leave system connected to collect information on the attack. In my logical opinion it would be disconnect the system.

Also, what is considered the most accurate biometric technology?
I assume either an Iris or Retina scan?

Thanks all.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Ye Gum Noki

Yeah, I'd unplug it too and "Iris scan" is more accurate than "Retina Scan."

Mr. Ye

Vogon Poet

Depends on the information that is being compromised.
For the test, leave the system connected so you can obtain information about the attack.

Webmaster

It's actually the other way around, retinal scanning is more accurate than iris scanning. "Even the eyes of identical twins are distinct." It has very low false reject rates, and almost zero percent false accept rate. The retina is 'inside' the eye, the bloodvessel in the back, which unlike an iris, are obviously very hard to 'steal'. You could cut out someone's eye for the iris, but because the bloodvessels will drain, the retina in a 'dead' eye is of no use.

Iris scanning is also cheaper and easier, and will likely be used in many commercial applications in the future. Retina scanning however, is expensive, and is more popular for military and extremely secure areas.

Here's are two of the many good resources you can find in our friend google:

www.globalsecurity.org/security/systems/eye_scan.htm

www.answers.com/topic/retina-and-iris-scans

tonydotigr

Thank you!

mrcert2003

You should always maintain connectivity so that you can continouously collect data on the attack.
You should remove all affected systems immediately.

The best scan is retinaScan.

sprkymrk

mrcert2003 wrote:

You should always maintain connectivity so that you can continouously collect data on the attack.
You should remove all affected systems immediately.

How do you maintain connectivity AND remove the affected system immediately? I think you have two opposite opinions in your answer. You wouldn't happen to be a politician would you?

mrcert2003

first of all you remove the machines that have been affected, but you keep the connection alive so you can trace where the packets are coming from.....

And No I hate politics....

I think the question here is how the question on the exam is stated...Example:

Which of the following actions should you perform when an attack is in progress?

well if it's in progress it would be what I stated in my previous post... The key word is in PROGRESS. If the attack i s over then it would be the following:

You should maintain connectivity for a a possible return
Then you should remove the affected systems for immediate evidence collections.

The key word was the attack is OVER....

Hope this clears it up for the person running for office............

keatron

mrcert2003 wrote:

first of all you remove the machines that have been affected, but you keep the connection alive so you can trace where the packets are coming from.....

And No I hate politics....

I think the question here is how the question on the exam is stated...Example:

Which of the following actions should you perform when an attack is in progress?

well if it's in progress it would be what I stated in my previous post... The key word is in PROGRESS. If the attack i s over then it would be the following:

You should maintain connectivity for a a possible return
Then you should remove the affected systems for immediate evidence collections.

The key word was the attack is OVER....

Hope this clears it up for the person running for office............

In some cases, the attack will be extreme enough that the preserve evidence is taken out of the equation. When dealing with forensics, you should almost NEVER use the term ALWAYS. It also depends on the context of the question as well. If you're a forensics person, then obviously evidence preservation is probably most important, whereas if you're an incident response manager, or person responsible for securing top secret government missle plans, then you want that connection severed or failed over to a honeypot or other evasive mechanism ASAP. You can't sit by for 30 minutes and watch the enemy take for example, every credit card and account number a bank owns, then claim the reason you did was to maintain connectivity for evidence collection. Probably get fired. The problem with these kinds of questions is the fact that test vendors are trying to water this profession down and make it simpler than it actually is. Everything in IT Security and Forensics is objective and in shades of gray. This is why so many people struggle with the CISSP, taking it is like walking into a big room that's smothered with shades of gray. And you still see in shades of gray for hours after to sit the exam. To excel in this field you have to be able to use brain power to help you make the right decision when the time comes. You also have to keep in mind that during a security breach, any and every thing you do could be potentially destroying or contaminating evidence (such as moving all affected machines without having proper chain of custody and incident response forms filled out properly while doing the move).

mrcert2003

keatron wrote:

mrcert2003 wrote:

first of all you remove the machines that have been affected, but you keep the connection alive so you can trace where the packets are coming from.....

And No I hate politics....

I think the question here is how the question on the exam is stated...Example:

Which of the following actions should you perform when an attack is in progress?

well if it's in progress it would be what I stated in my previous post... The key word is in PROGRESS. If the attack i s over then it would be the following:

You should maintain connectivity for a a possible return
Then you should remove the affected systems for immediate evidence collections.

The key word was the attack is OVER....

Hope this clears it up for the person running for office............

In some cases, the attack will be extreme enough that the preserve evidence is taken out of the equation. When dealing with forensics, you should almost NEVER use the term ALWAYS. It also depdends on the context of the question as well. If you're a forensics person, then obviously evidence preservation is probably most important, whereas if you're an incident response manager, or person responsible for securing top secret government missle plans, then you want that connecting severed or failed over to a honeypot or other evasive mechanism ASAP. You can't sit by for 30 minutes and watch the enemy take for example, every credit card and account number a bank owns, then claim the reason you did was to maintain connectivity for evidence collection. Probably get fired. The problem with these kinds of questions is the fact that test vendors are trying to water this profession down and make it simpler than it actually is. Everything in IT Security and Forensics is objective and in shades of gray. This is why so many people struggle with the CISSP, taking it is like walking into a big room that's smothered with shades of gray. And you still see in shades of gray for hours after to sit the exam. To excel in this field you have to be able to use brain power to help you make the right decision when the time comes. You also have to keep in mind that during a security breach, any and every thing you do could be potentially destroying or contaminating evidence (such as moving all affected machines without having proper chain of custody and incident response forms filled out properly while doing the move).

Great information THANK YOU....

tonydotigr

Thanks for the additional input all, great stuff!

famosbrown

yeah...this is kind of a crazy and situational question. I'm studying for the Security+ now as well,a nd I've thought about this same question too. You might want to disconnect the attacker, but he might have implanted a logic bomb to go off when network connectivity is cutoff. If he spots you or think he has been found out, he may do even more damage. I think diverting him to a honeypot would be a great idea, but if he doesn't bite or thinks that he has been found out, he could unleash even more critters.

Good question...I guess it all depends. I love these types of questions

RussS

I think the first thing to remember here is that basically if you have a compromised machine .... Pull the NETWORK cable ASAP. While there is the train of thought that famosbrown uses about a logic bomb that is minimal compared to the havoc leaving something running can cause. When a compromise situation occurs there is usually enough on the machine to do forensic research on as long as it is not shut down. As a personal preference I like to get a live Ghost image immediately onto another drive to allow me to play with that and not taint or corrupt anything if needed by enforcement agencies.

Remember - if you shut the system down you lose what is in volatile memory.

famosbrown

Or that logic bomb could be set to erase everything when the connectivity is broken, which will cause a loss of everything anyway.

RussS

famosbrown wrote:

Or that logic bomb could be set to erase everything when the connectivity is broken, which will cause a loss of everything anyway.

I've never seen a logic bomb that will cause loss of everything when connectivity is broken - and I have seen more than a few logic bombs.

sprkymrk

I have to agree with Russ. Worrying about a possible logic bomb while you've got a known intruder is the computer equivalent to not calling the police to evict a burglar from your home because he may break something in leaving.

Now if you have an incident response team at the ready (a guy like Keatron) then by all means let the experts do their job. But if the choice is to let the intruder hang out while you figure out who to call or simply unplug the network cable, then I vote for unplugging the network cable. Any logic bomb that is set to go off when network connectivity is broken is way too risky for the intruder. He wants to keep your system owned, not lose it due to a network blip or a reboot for normal updates (which also kills connectivity) that admins are likely to perform in routine maintenance.

famosbrown

RussS wrote:

famosbrown wrote:

Or that logic bomb could be set to erase everything when the connectivity is broken, which will cause a loss of everything anyway.

I've never seen a logic bomb that will cause loss of everything when connectivity is broken - and I have seen more than a few logic bombs.

Since you haven't seen one doesn't mean it doesn't exist or isn't possible to create. I'm thinking like an intruder. If you disconnect me, I will make sure everything is erased to cover my tracks. I am almost POSITIVE there are logic bombs or simple code to do this, and I'm sure it is used extensively by intruders who does things and not get noticed. The worst threats are the threats not publicized or noticed.

EDIT: I just spoke with my cousin who took the CEH course and they went over this type of logic bomb. There are ways to defend against it, but there are many different versions out there and the one's that aren't known are the dangerous as we all know. He said that during the course they actually tested it out. The one that they used didn't erase the hard drive, but just erased all logs, files specified in the code, etc. Pretty neat he said. He didn't give me a name for it, but it was one of the many things his instructor showed and demonstrated to the class at New Horizons.

RussS

famosbrown - I am not anywhere near Keatrons level but I am the guy my boss calls on when we have a client with a compromised system. I will take the chance of a logic bomb and have the network cable pulled because that will give me the best chance of doing forensics. Usually when a compromised system is found there is a need for me to involve the police after I have secured things and their team has a similar train of thought to mine.

BTW - I have seen many logic bombs, but most of them have been in labs and not in the wild. Heck, my instructor even wrote one that would delete all the logs when the administrator logged on to the machine

famosbrown

RussS wrote:

famosbrown - I am not anywhere near Keatrons level but I am the guy my boss calls on when we have a client with a compromised system. I will take the chance of a logic bomb and have the network cable pulled because that will give me the best chance of doing forensics. Usually when a compromised system is found there is a need for me to involve the police after I have secured things and their team has a similar train of thought to mine.

BTW - I have seen many logic bombs, but most of them have been in labs and not in the wild. Heck, my instructor even wrote one that would delete all the logs when the administrator logged on to the machine

Okay...I totally understand!! It seems you and others think that I would keep network connectivity. I think out of the box a whole lot and try to come up with as many possibilities and scenarios as possible. If you read my post above, I end it with it all depends and that I love these types of questions. If someone wants a straight answer from me, I would disconnect the attacker. Although this is my straight answer, others have went with this answer in this thread, so I thought I'd throw in a twist or another side to it. That is all!! Like Keatron said, their is a lot of gray in network security. Some things could be a textbook answer, but going textbook with a wrench thrown in the mix could make things even worst.

Again...I love these types of questions

keatron

Bottom line is this; Either choice is a huge risk. This is why you have to quickly evaluate all the information before you and make the best decision based on that. It often comes down to what's most important in your forensic or incident response program in this particular compromise; Volatile information or information stored on the hard drive. And better yet, is this something that you're going to take through for prosecution of the guilty party if you catch him. If so, then it's another can of worms. Do you shut down the system (properly), do you just disconnect the power? It's often overlooked, but "properly" shutting down, destroys tons of evidence (especially concerning a Windows kernel). If you don't believe it, download filemon and diskmon from sysinternals (it'll be Microsoft now actually). Once you do this, run both of them (and nothing else). Set them to log information to a file. Now execute a shutdown sequence (start>>shutdown). When it's done and you're booted back up, take a look at the log and see all the activity initiated as a result of the shutdown. You think Windows is a busy OS when running, you'll be amazed at how busy it is when it's shutting down. The best way to deal with all of these scenarios (at least in the real world) is have the appropriate mechanisms in place to start with, that way when something happens, you have a good idea of what to do, and you have some automated processes doing what they do to help out (snort, syslogging, etc.). DO NOT depend on the Windows event log. If you're not syslogging to another location (or at least another data store other than the hosts store), you're in for some trouble.

JDMurray

keatron, is there such thing as a "forensics-friendly" Intrusion Prevention System? It would seem like an IPS (HIPS or NIPS) has the potential for really messing up the "footprints in the sand" of any host or network intrusion attempt. I understand that what an IPS does is based on the rules it is given, but does an IPS' operation give any consideration to the possible need of collecting evidence?

keatron

jdmurray wrote:

keatron, is there such thing as a "forensics-friendly" Intrusion Prevention System? It would seem like an IPS (HIPS or NIPS) has the potential for really messing up the "footprints in the sand" of any host or network intrusion attempt. I understand that what an IPS does is based on the rules it is given, but does an IPS' operation give any consideration to the possible need of collecting evidence?

There's been lots of discussion about this and you are exactly right. The problem is IPS implementations usually indiscriminately perform a defined action given a certain condition or activity. Not only that, just like IDS systems, IPS are prone to false positives, but in it's case the end result of those false positives can forensically can be devastating. While most IPS systems are NOT forensics-friendly (don't make the mistake of listening to the vendors), most can be implemented in a fashion that will minimize forensic impact. Sadly, this is almost never done. People have the misconception that if they spend 100k on the latest and greatest IPS, it takes care of everything, and the vendor will usually sell you on this idea. It's becoming a known practice to use poorly implemented IPS systems to cover tracks or at least skew the "footprints in the sand" to the point that they don't look human anymore. Right now, the answer is to design your IPS solution around the same rules of evidence that we teach individuals in forensics. I often get the question, "if IPS does what IDS does plus take action, why even bother with an IDS"; And one main reason is the discussion we're having right now.