Questions

in Security+
I've run across the following topics over and over in practice questions/books and I seem to get conflicting information.
What do you do when attack is in progress?
I've heard responses of "disconnect the system to prevent further attacks" and "leave the system connected to collect information on the attack." In my logical opinion it would be to disconnect the system.
Also, what is considered the most accurate biometric technology?
I assume either an Iris or Retina scan?
Thanks all.
Comments
Mr. Ye
For the test, leave the system connected so you can obtain information about the attack.
Iris scanning is also cheaper and easier, and will likely be used in many commercial applications in the future. Retina scanning however, is expensive, and is more popular for military and extremely secure areas.
Here are two of the many good resources you can find in our friend Google:
You should remove all affected systems immediately.
The best scan is retina scan.
How do you maintain connectivity AND remove the affected system immediately? I think you have two opposite opinions in your answer. You wouldn't happen to be a politician would you?
And no, I hate politics....
I think the question here is how the question on the exam is stated...Example:
Which of the following actions should you perform when an attack is in progress?
Well, if it's in progress it would be what I stated in my previous post... The key word is in PROGRESS. If the attack is over then it would be the following:
You should maintain connectivity for a possible return.
Then you should remove the affected systems for immediate evidence collection.
The key word was the attack is OVER....
Hope this clears it up for the person running for office............
In some cases, the attack will be extreme enough that preserving evidence is taken out of the equation. When dealing with forensics, you should almost NEVER use the term ALWAYS. It also depends on the context of the question as well. If you're a forensics person, then obviously evidence preservation is probably most important, whereas if you're an incident response manager, or the person responsible for securing top secret government missile plans, then you want that connection severed or failed over to a honeypot or other evasive mechanism ASAP. You can't sit by for 30 minutes and watch the enemy take, for example, every credit card and account number a bank owns, then claim the reason you did was to maintain connectivity for evidence collection. You'd probably get fired. The problem with these kinds of questions is the fact that test vendors are trying to water this profession down and make it simpler than it actually is. Everything in IT Security and Forensics is subjective and in shades of gray. This is why so many people struggle with the CISSP; taking it is like walking into a big room that's smothered with shades of gray. And you still see in shades of gray for hours after you sit the exam. To excel in this field you have to be able to use brain power to help you make the right decision when the time comes. You also have to keep in mind that during a security breach, any and every thing you do could be potentially destroying or contaminating evidence (such as moving all affected machines without having proper chain of custody and incident response forms filled out properly while doing the move).
Great information THANK YOU....
Good question...I guess it all depends. I love these types of questions
M.B.A. (Technology Management)
Remember - if you shut the system down you lose what is in volatile memory.
FIM website of the year 2007
Now if you have an incident response team at the ready (a guy like Keatron) then by all means let the experts do their job. But if the choice is to let the intruder hang out while you figure out who to call or simply unplug the network cable, then I vote for unplugging the network cable. Any logic bomb that is set to go off when network connectivity is broken is way too risky for the intruder. He wants to keep your system owned, not lose it due to a network blip or a reboot for normal updates (which also kills connectivity) that admins are likely to perform in routine maintenance.
Just because you haven't seen one doesn't mean it doesn't exist or isn't possible to create. I'm thinking like an intruder. If you disconnect me, I will make sure everything is erased to cover my tracks. I am almost POSITIVE there are logic bombs or simple code to do this, and I'm sure it is used extensively by intruders who do things and don't get noticed. The worst threats are the threats not publicized or noticed.
EDIT: I just spoke with my cousin who took the CEH course and they went over this type of logic bomb. There are ways to defend against it, but there are many different versions out there, and the ones that aren't known are the dangerous ones, as we all know. He said that during the course they actually tested it out. The one that they used didn't erase the hard drive, but just erased all logs, files specified in the code, etc. Pretty neat, he said. He didn't give me a name for it, but it was one of the many things his instructor showed and demonstrated to the class at New Horizons.
BTW - I have seen many logic bombs, but most of them have been in labs and not in the wild. Heck, my instructor even wrote one that would delete all the logs when the administrator logged on to the machine.
Okay...I totally understand!! It seems you and others think that I would keep network connectivity. I think out of the box a whole lot and try to come up with as many possibilities and scenarios as possible. If you read my post above, I end it with "it all depends" and that I love these types of questions. If someone wants a straight answer from me, I would disconnect the attacker. Although this is my straight answer, others have gone with this answer in this thread, so I thought I'd throw in a twist or another side to it. That is all!! Like Keatron said, there is a lot of gray in network security. Some things could be a textbook answer, but going textbook with a wrench thrown in the mix could make things even worse.
Again...I love these types of questions
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
There's been lots of discussion about this and you are exactly right. The problem is IPS implementations usually indiscriminately perform a defined action given a certain condition or activity. Not only that, just like IDS systems, IPS are prone to false positives, but in its case the end result of those false positives can be forensically devastating. While most IPS systems are NOT forensics-friendly (don't make the mistake of listening to the vendors), most can be implemented in a fashion that will minimize forensic impact. Sadly, this is almost never done. People have the misconception that if they spend 100k on the latest and greatest IPS, it takes care of everything, and the vendor will usually sell you on this idea. It's becoming a known practice to use poorly implemented IPS systems to cover tracks or at least skew the "footprints in the sand" to the point that they don't look human anymore. Right now, the answer is to design your IPS solution around the same rules of evidence that we teach individuals in forensics. I often get the question, "If IPS does what IDS does plus takes action, why even bother with an IDS?" And one main reason is the discussion we're having right now.
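Two points in this thread come down to the same engineering pattern: the warning that pulling the plug or rebooting loses what is in volatile memory, and Keatron's point that an IPS block action should be designed around the rules of evidence. The script below is an added example written for this page (not code from any poster, the exam, or an IPS vendor): before the isolation action fires, it captures the volatile state that the cable pull will destroy, writes a SHA-256 manifest so later handling can be shown not to have altered the captures, records the block action and its time in the same manifest, and only then blocks. The capture commands (`ss`, `ps`, `ip`, `who`), the file names, the `iptables` dry-run block action and the sample outputs are assumptions chosen for the demo; the sample outputs are constructed so the demo runs offline.

```python
"""
Evidence-preserving host isolation: capture volatile state first, hash what was
captured, log the isolation action, then cut the connection.
Added example for this thread; not code from the original posts or from any IPS
vendor. The commands, file names and the dry-run block action are assumptions.
"""
import datetime
import hashlib
import json
import pathlib
import subprocess
import tempfile

# Rough order of volatility, most volatile first: what a reboot or cable pull destroys.
VOLATILE_COMMANDS = [
    ("sockets", ["ss", "-tanp"]),                              # live connections + owning PIDs
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("arp_cache", ["ip", "neigh"]),
    ("routes", ["ip", "route"]),
    ("sessions", ["who"]),
]


def utc_now() -> str:
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def run_capture(cmd, timeout=15) -> str:
    """Run one capture command; never raise, so a missing tool does not abort the capture."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        return proc.stdout if proc.returncode == 0 else proc.stdout + proc.stderr
    except FileNotFoundError:
        return f"[unavailable: {cmd[0]} not present on this host]\n"
    except subprocess.TimeoutExpired:
        return f"[timeout after {timeout}s: {' '.join(cmd)}]\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def capture_volatile(outdir, commands=VOLATILE_COMMANDS, runner=run_capture) -> dict:
    """Write each command's output under outdir and record its SHA-256 in manifest.json."""
    outdir = pathlib.Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {"started_utc": utc_now(), "items": [], "actions": []}
    for name, cmd in commands:
        data = runner(cmd).encode()
        path = outdir / f"{name}.txt"
        path.write_bytes(data)
        manifest["items"].append({"name": name, "command": cmd, "file": path.name,
                                  "bytes": len(data), "sha256": sha256_hex(data)})
    manifest["finished_utc"] = utc_now()
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(outdir) -> list:
    """Re-hash every captured file; return the names whose content no longer matches."""
    outdir = pathlib.Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    return [item["name"] for item in manifest["items"]
            if sha256_hex((outdir / item["file"]).read_bytes()) != item["sha256"]]


def dry_run_block(target_ip: str) -> list:
    """Assumed block action: returns the firewall commands it would run, without running them.
    A real deployment would execute these (or a NAC / switch-port call) instead."""
    return [["iptables", "-I", "INPUT", "-s", target_ip, "-j", "DROP"],
            ["iptables", "-I", "OUTPUT", "-d", target_ip, "-j", "DROP"]]


def isolate_host(outdir, target_ip, block_action=dry_run_block,
                 commands=VOLATILE_COMMANDS, runner=run_capture) -> dict:
    """Capture, then block, and record that order in the manifest so the timeline is provable."""
    manifest = capture_volatile(outdir, commands, runner)
    result = block_action(target_ip)
    manifest["actions"].append({"at_utc": utc_now(), "action": "block",
                                "target": target_ip, "result": result})
    (pathlib.Path(outdir) / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


# Constructed sample outputs standing in for a live host, so the demo runs offline.
SAMPLE_OUTPUT = {
    "ss": 'ESTAB 0 0 10.0.0.5:445 198.51.100.7:51012 users:(("smbd",pid=4120,fd=31))\n',
    "ps": "4120 1 root Mon Jan 1 00:00:00 2024 /usr/sbin/smbd\n",
    "ip": "198.51.100.7 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE\n",
    "who": "root pts/0 2024-01-01 00:05 (198.51.100.7)\n",
}


def fake_runner(cmd) -> str:
    return SAMPLE_OUTPUT.get(cmd[0], "")


def demo(outdir=None) -> dict:
    """Isolate a (simulated) host, verify the captures, then show that tampering is detected."""
    outdir = pathlib.Path(outdir or tempfile.mkdtemp(prefix="ir-"))
    manifest = isolate_host(outdir, "198.51.100.7", runner=fake_runner)
    clean = verify_manifest(outdir)
    (outdir / "sockets.txt").write_text("")   # an admin "tidying up" after the capture
    tampered = verify_manifest(outdir)
    return {"items": len(manifest["items"]), "actions": len(manifest["actions"]),
            "block_cmds": manifest["actions"][0]["result"], "clean": clean,
            "tampered": tampered, "sockets_sha256": manifest["items"][0]["sha256"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as-is to see the manifest for the constructed host; swap `fake_runner` for the default `run_capture` on a real box to collect live state. The order matters: the capture runs before `block_action`, and the manifest records both timestamps, which is the minimum you need to answer "what did the responder change, and when" later. A missing tool is recorded as unavailable rather than aborting, since an incomplete capture that is honestly labelled is still evidence, while a crash before the block is the worst of both worlds.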