Instructor’s Manual Chapter 10 Incident and Disaster Response

Download 107.44 Kb.
Size107.44 Kb.

Instructor’s Manual

Chapter 10

Incident and Disaster Response

Answer Key


Walmart and Hurricane Katrina

1. a) Why was Walmart able to respond quickly?

Walmart was able to respond quickly because it had a disaster preparedness mechanism in place that was well established and operationally proficient. They had detailed business continuity plans, a full time staff, a crises command center, and an economic need to get back into business as soon as possible.

b) List at least three actions that Walmart took that you might not have thought of.

Three actions that Walmart took that students might not have thought of include sending additional security personnel to stores in preparation for possible looting, providing meals, ammunition, etc. to local law enforcement for free, and ordering 40 emergency power generators for stores that lacked them. Additional actions may include:

Walmart sent out bleach and mops to its stores.

Walmart sent ammunition and protective gear to police and relief workers.

Walmart developed a business continuity center that specializes in disaster planning.

Incidents Happen

2. a) Can good planning and protection eliminate security incidents?

No amount of planning can eliminate security incidents, but good planning can provide a baseline to build from in order to recover quickly.

b) Name three terms that successful attacks are commonly called?

Successful attacks are commonly called security incidences, breaches, and compromises.

Incident Severity

3. a) What are the four severity levels of incidents?

The four severity levels of incidents are false alarms, minor incidents, major incidents, and disasters.

b) What is the purpose of a CSIRT?

The purpose of a CSIRT is to respond to severe computer security incidents with impacts that are too large for the on-duty IT staff to handle.

c) From what parts of the firm do its members come?

CSIRT members come from legal, PR, IT, and senior management.

d) What is business continuity?

Business continuity is the maintenance of the day-to-day revenue generating operations of the firm.

e) Who should head the business continuity team?

A senior manager should head the business continuity team.

Speed and Accuracy

4. a) Why is speed of response important?

Speed of response is important because it can reduce damage. The attacker/s will have less time to do damage, and they cannot burrow as deeply into the system and become very difficult to detect. In these ways, speed is necessary for a more complete recovery.

b) Why is accuracy of response important?

Accuracy of response is equally as important as speed. It is a common mistake to act on incorrect assumptions. If the problem is misdiagnosed or the wrong approach is taken, things can get much worse.

c) Define incident response in terms of planning.

Incident response means reacting to incidents according to plan.

d) Why are rehearsals important?

Rehearsals improve speed and accuracy. Rehearsals are critical because no plan is useful until it is tested to find out its faults in implementation.

e) What is a walkthrough or table-top exercise?

A walkthrough or table-top exercise is when managers and other key personnel get together and discuss, step by step, what each will do during an incident. These involve people from many departments.

f) Why is a live test better?

Live tests are better than walkthroughs because live tests reveal subtleties that walkthroughs may miss or may not be able to address.

g) What is the problem with live tests?

The problem with live tests is that they are very expensive.

The Intrusion Response Process for Major Incidents

Detection, Analysis, and Escalation

5. a) Distinguish between detection and analysis.

Detection is learning that an incident has occurred. Analysis is a deeper understanding of the incident needed to determine its potential damage and gather information to begin containment and recovery.

b) Why is good analysis important for the later stages of handling an attack?

When proper analysis is done and gives good information, the company can proceed effectively through later stages of handling an attack.

c) What is escalation?

Escalation means passing the incident up to the CSIRT or business continuity team.


6. a) What is containment?

Containment means stopping the damage.

b) Why is disconnection undesirable?

Disconnection is undesirable because it prevents legitimate business users from getting to a necessary server, which amounts to lost revenue.

c) What is black holing?

Black holing the attacker’s IP address means to drop all future packets from that IP address.

d) Why may it only be a temporary containment solution?

Black holing is usually only effective against attacks from amateur hackers who do not have the resources to use bots or other agents to continue an attack.

e) Why might a company allow an attacker to continue working in the system for a brief period of time?

A company may allow an attacker to continue working in a system for a brief period of time in order to collect data on what the attacker is doing and/or collect evidence for prosecution.

f) Why is this dangerous?

The longer attackers are in a system, the more invisible they become through the deletion of IDS logs, and the more backdoors and other damage the attackers can create.

g) Who should make decisions about letting an attack continue or disconnecting an important system?

Senior business executives should make the decision whether to let an attack continue.


7. a) What are the three major recovery options?

1. Repair during continuing server operation

2. Restoration from backup tapes

3. Total software reinstallation

b) For what two reasons is repair during continuing operation good?

Repair during continuing server operation might be good because doing this on a server with a critical function keeps those services available to users. It also means that no data is lost because there is no need to resort to backup tapes, which only contain information since the last backup.

c) Why may it not work?

Unfortunately, it is very difficult to root out all of the Trojan horses, registry entries, rootkits, and other unpleasant surprises planted by an attacker. For a virus or worm attack, there are programs that remove the specific artifacts created by the specific attack. For handcrafted break-ins, however, there is no general detection program, leaving a strong concern that “we may have missed one.”

d) Why is the restoration of data files from backup tapes undesirable?

Restoration of data files from tapes takes a long time and data collected after the last backup will be lost.

e) What are the potential problems with total software reinstallation?

Total software reinstallation does not address lost data since the last backup and the software will have to be re-baselined to proper security, which is a time consuming process.

f) How does having a disk image reduce the problems of total software reinstallation?

Disk imaging reduces the problem of having to re-baseline the system to proper security levels.


8. What are the three rules for apologies?

The three rules for apologies are acknowledge responsibility and harm, explain what happened, and explain what action will be taken to compensate, if any.


9. a) Is it easier to punish employees or to prosecute outside attackers?

It is easier to punish employees than to prosecute outside attackers.

b) Why do companies often not prosecute attackers?

Companies do not often prosecute attackers because prosecutions are expensive, with a low probability of success. There is also the possible loss of reputation from a public prosecution, showing that the company could not prevent the attack in the first place, which is made worse if they lose the case.

c) What is forensics evidence? Contrast what cybercrimes the FBI and local police investigate.

Forensic evidence is evidence that is acceptable for court proceedings. The FBI mostly investigates matters of interstate commerce. Local police investigate violations of local and state laws.

d) Why should both be called?

Both should be called because one or both may have jurisdiction based on the circumstances of the incident.

e) Under what conditions will you need to hire a forensics expert?

In civil lawsuits, the company must use a certified forensics expert to collect data and interpret it in court. If it attempts to collect evidence on its own, the evidence will probably not be permissible in court.

f) Why should you hire a forensics expert rather than doing your own investigation?

A forensic expert should be hired because they are experts in the field and know how best to handle evidence once detected. Also, they are allowed to give interpretative testimony.

g) What is the chain of evidence, and why is documenting it important?

Chain of evidence is the documented history of all transfer of evidence between people and all actions taken to protect the evidence while in each person’s possession. Without this documentation, the evidence may be rejected from being used in court.

Postmortem Evaluation

10. Why should companies undertake a postmortem evaluation after an attack?

Conducting an after-action review allows the company to determine what went wrong or right after an attack in order to improve the response process.

Organization of the CSIRT

11. a) Why should a senior manager head the CSIRT?

Because all security decisions during a major incident are business decisions, a senior manager should head the CSIRT.

b) Why should members of affected line departments be on CSIRT?

Decisions cannot be made intelligently without an understanding of how affected line departments will be impacted.

c) Who is the only person who should speak on behalf of the firm?

The only person who should speak on behalf of a firm should be the PR director.

d) Why should the firm’s legal counsel be on the CSIRT?

The firm’s legal counsel should be on the CSIRT to place actions in the proper legal framework and advise on the legal implications of various actions.

e) Why should a firm’s human resource department be on the CSIRT?

The firms HR department should be on the CSIRT to offer guidance on labor issues and implement sanctions against employees, if required.

Legal Considerations

Criminal versus Civil Law

12. a) What different actions do criminal and civil law deal with?

Criminal law deals with violations of criminal statutes. Civil law deals with interpretations of rights and duties that companies or individuals have relative to each other.

b) How do punishments differ in civil and criminal law?

Criminal punishments include jail time and fines; civil penalties only result in fines and/or orders to a defendant not to take certain actions.

c) Who brings lawsuits in civil and criminal cases?

Prosecutors charge defendants in a criminal case; plaintiffs bring a case against a defendant in a civil case.

d) What is the normal standard for deciding a case in civil and criminal trials?

Criminal trials require proving a defendant’s guilt beyond a reasonable doubt; civil trials require proving a defendant’s liability with a preponderance of the evidence (more than 50%).

e) What is mens rea?

Mens rea is when the prosecutor must prove the defendant was in a certain mental state, such as having the intention to commit the act.

f) In what type of trial is mens rea important?

Mens rea is important in criminal cases.

g) Can a person be tried separately in a criminal trial and later in a civil trial?

Yes, a defendant whose actions violate both criminal and civil rules may be criminally prosecuted by the state and later civilly sued by a victim for monetary damages.


13. a) What is case law?

Decisions based on individual cases set precedents for how laws are interpreted in trials.

b) What are jurisdictions?

Jurisdictions are areas of responsibility within which authorities can make and enforce laws but beyond which they cannot.

c) What is cyberlaw?

Cyberlaw is any law dealing with information technology.

d) What are the three levels of U.S. federal courts?

The three levels of US federal courts are:

  • 94 U.S. District Courts

  • 13 U.S. Circuit Courts of Appeal

  • The U.S. Supreme Court

e) Which levels can create precedents?

The U.S. Circuit Courts of Appeal and Supreme Court can create precedents.

f) Does federal jurisdiction typically extend to computer crimes that are committed entirely within a state and that do not have a bearing on interstate commerce?

Crimes that are committed entirely within a state do not normally meet federal jurisdiction guidelines.

g) Who is likely to investigate a cybercrime that takes place within a city?

The local police are likely to investigate a cybercrime that takes place within a city.

h) Are international laws regarding cybercrime fairly uniform?

No, they are not. Internationally, cybercrime laws vary widely.

i) Why should companies that do business only within a country be concerned about international cyberlaw?

The laws involving computers are different between countries and are changing rapidly. International law is important for multinational companies and also for companies that deal with customers or suppliers in other countries.

Evidence and Computer Forensics

14. a) Why will courts not admit unreliable evidence?

Courts will not admit unreliable evidence because there is a belief that juries cannot be trusted to evaluate unreliable evidence properly.

b) What is a computer forensics expert?

A computer forensics expert is a professional who is trained to collect and evaluate computer evidence in ways that are likely to be admissible in court.

c) What type of witness is allowed to interpret facts for juries?

Expert witnesses are allowed to interpret facts for juries.

d) Why should companies work with forensics professionals before they have a need for them?

Given the importance of admissibility, companies should use forensics experts when prosecution is anticipated and they should have prior discussions with their chosen forensics experts to understand what may be required.

U.S. Federal Cybercrime Laws

15. a) What section of which title of the U.S. Code prohibits hacking?

18 U.S.C. 1030 is the U.S. Code that prohibits hacking.

b) What other attacks does it prohibit?

It also prohibits DoS and malware attacks.

c) Does it protect all computers?

18 U.S.C. 1030 only protects “protected computers” including government computers, financial institution computers, and any computer used in interstate or foreign commerce or communications.

d) What are damage thresholds?

Damage thresholds are minimum amounts of damage that must occur before attackers are in violation of the law.

e) What types of acts does 18 U.S.C. § 2511 prohibit?

18 U.S.C. 2511 prohibits the interception of electronic messages, both en route and after the message is received and stored, with the exception of e-mail systems owned by a company.

Intrusion Detection Systems (IDSs)

16. a) What is an IDS?

An intrusion detection system (IDS) is software and hardware that captures suspicious network and host activity data in event logs, and provides automatic tools to generate alarms, as well as query and reporting tools to help administrators analyze the data interactively during and after an incident.

b) Is an IDS a preventative, detective, or restorative control?

It is only a detective control. Of course, if attackers believe that they are likely to be caught by an IDS, it may have preventative benefits as well.

c) What are false positives?

False positives in an IDS are known as false alarms.

d) Why are false positives problems for IDSs?

IDSs tend to be ignored if they generate many false positives.

Functions of an IDS

17. a) What are the four functions of IDSs?

The four functions of IDSs are logging, automated analysis, administrator actions, and management.

b) What are the two types of analysis that IDSs usually do?

Two types of analysis IDSs usually perform are attack signature detection and anomaly detection.

c) What types of action did this section mention?

Actions mentioned include alarms and log summary reports with interactive manual log analysis tools.

d) What information should alarms contain?

    Alarms should give the security administrator a description of what the problem is, a way to test the alarm for accuracy, and advice about what action the security administrator should take.

e) What is the purpose of log summary reports?

Log summary reports list various types of suspicious activity. They also indicate threat priority by type of threat or by statistical analysis, indicating high frequency. The purpose of log summary reports is to give IDS administrators notice of threats that aren’t high risk or detected by alarms.

f) Describe interactive log file analysis.

Interactive log file analysis allows administrators to drill down into log files to better understand an ongoing or completed attack, while filtering out irrelevant entries.

Distributed IDSs

18. a) What is the advantage of a distributed IDS?

A distributed IDS can collect data from many devices at a central manager console to allow a security manager to detect a more complex attack.

b) Name the elements in a distributed IDS.

There is a manager, an integrated log file, an agent host IDS, an agent network IDS, and an IDS vendor.

c) Distinguish between the manager and agents.

The agent collects event data and stores them in log files on the monitoring devices. The manager program is responsible for integrating the information from the multiple agents that run on multiple monitoring devices.

d) Distinguish between batch and real-time transfers for event data.

In batch transfers, the agent waits until it has several minutes or several hours of data and then sends a block of log file data to the manager. In real-time transfers, each event’s data goes to the manager immediately.

e) What is the advantage of each type?

Batch transfer is the least expensive and has the lowest network load, while real-time transfer allows capturing of log files without worrying about attackers deleting log files.

f) What two types of communication must be secure?

Communication between IDS agents and manager should be secure in order to ensure an attacker cannot spoof either and cause mass confusion to the IDS.

Network IDSs (NIDSs)

19. a) At what information do NIDSs look?

NIDSs look at all information traveling through a network.

b) Distinguish between stand-alone NIDSs and switch-based or router-based NIDSs.

Stand-alone NIDSs are boxes located at various points in a network. They read and analyze all network frames that pass by them. They are essentially corporate-owned sniffers. Switch NIDSs and router NIDSs are switches and routers that have IDS software. Typically, these capture data on all ports.

c) What are the strengths of NIDSs?

The strength of NIDSs is that they can see all packets passing through some locations in the network. Often, these packets are highly diagnostic of attacks.

d) What are the two weaknesses of NIDSs?

The two weaknesses of NIDSs are that they leave blind spots on the network where no NIDSs are placed, and they cannot read encrypted data.

Host IDSs

20. a) What is the major attraction of a HIDS?

The main attraction of HIDSs is that they provide highly specific information about what happened on a particular host. This is important for problem diagnosis.

b) What are the two weaknesses of host IDSs?

The two weaknesses of HIDSs are that they have limited views of what is happening on a network because they can only see on a particular host, and they can be compromised if the system is owned by an attacker.

c) List some things at which host operating system monitors look.

Some things host operating system monitors look at are multiple failed logins, creating new accounts, adding new executables that may be attack programs, modifying executables (installing Trojan horses does this), adding registry keys (changes how system works), and changing or deleting system logs and audit files.

Log Files

21. a) Why are integrated log files good?

Integrated log files are good because they are an aggregation of event logs from multiple IDSs.

b) Why are they difficult to create?

They are difficult to create because of format incompatibilities.

c) Explain the time synchronization issue for integrated log files.

If the times on the various IDSs are off by even a few thousandths of a second, it will be extremely difficult to see what is happening at a particular moment in time—especially if the attack is automated and occurs quickly.

d) How do companies achieve time synchronization?

Companies achieve time synchronization using the Network Time Protocol (NTP) service.

e) What is event correlation?

Event correlation is the analysis of suspicious patterns in a series of events across multiple devices.

f) Distinguish between aggregation and event correlation.

Aggregation is the collection of all log files, whereas event correlation requires analysis to determine related attack patterns.

g) Why is analyzing log file data difficult?

Analyzing log file data is difficult because the relevant event exists in much larger event streams than are logged.

h) In Figure 10-19, how long is the delay between the first attempted login and the second?

The delay is 44.28 seconds.

i) Does this indicate that the attack is a human attack or an automated attack?

This is most likely a human attack (based on memory of the logs) because the attack is done in a reasonably human amount of time.

Managing IDSs

22. a) What is precision in an IDS?

Precision in IDS means that the IDS should report all attack events and report as few false alarms as possible.

b) What are false positives, and why are they bad?

False positives are also known as false alarms and are bad because they will outnumber true alarms ten-to-one or even more. In fact, the large number of false positives generated by IDSs is the major problem with IDSs today, causing many firms to stop using them after a trial period.

c) What are false negatives, and why are they bad?

False negatives are failures to report true attack activities. They are bad because they fail to notify the user of a valid attack.

d) How can tuning reduce the number of false positives?

Tuning turns off unnecessary rules, and reduces the severity level of alarms generated by other rules, in order to limit the total number of false positives.

e) What does an IDS do if it cannot process all of the packets it receives?

IDSs that are overwhelmed by packets will simply skip packets and possibly miss a valid, suspicious attack packet.

f) What may happen if a system runs out of storage space?

When the system nears the point of running out of storage space, the IDS will transfer the log file to backup and start a new log file.

g) Why is limiting the size of log files necessary but unfortunate?

Limiting the size of log files is necessary to avoid exceeding storage capacity, and this limits the amount of log file data available for historical analysis.


23. a) What is a honeypot?

A honeypot is a fake server or entire network segment with multiple clients and servers.

b) How can honeypots help companies detect attackers?

Because legitimate users will not access the honeypot network assets, honeypot activities are normally attacker activities.

c) Could a honeypot attract unwanted attention from attackers?

Yes, due to the number of ports being faked, a honeypot could attract additional attention from attackers looking for a specific service, operating system, or port.

Business Continuity Planning

24. a) What do business continuity plans specify?

Business continuity plans specify how a company will maintain or restore core business operations after disasters.

b) Distinguish between business continuity plans and IT disaster recovery plans.

Business continuity plans specify how a company, as a whole, will maintain or restore core business operations after disasters. Disaster recovery plans are geared only toward IT functions after a disaster.

Principles of Business Continuity Management

25. a) What four protections can firms provide for people during an emergency?

Four protections are evacuation plans and drills, not allowing people to go back inside, accounting for all members, and counseling after a disaster.

b) Why is accounting for all personnel important? (The answer is not in the text.)

Accounting for all personnel is important because it shows that the company believes in its employees, takes care of them, and demonstrates corporate citizenship.

c) Why does human cognition in crises call for extensive pre-planning and rehearsal?

Human cognition in crises is stifled; only extensive preplanning and practice provides a decent chance of proper human action during a crisis.

d) Why is it necessary not to make plans and processes for crisis recovery too rigid?

Avoiding rigidity is key because each crisis will be somewhat unique and require flexibility to address unexpected conditions.

e) Why do communication systems tend to break down during crises?

Communication systems tend to rely on electrical power, which usually does not survive long during crises.

Business Process Analysis

26. a) List the four steps in business process analysis?

Identification of business processes and interrelationships

Prioritization of business processes

Specification of resource needs

Specification of actions and sequences

b) Explain why each is important.

Identification of business processes and their interrelationships is important because all business processes must be identified and understood in order to move to the next step.

Prioritization of business processes is important because it helps the firm restore the most important functions of the business first.

Specifying resource needs is important and necessary when there are disruptions during and after the disaster.

Specifying actions and sequences is important because it will get the job done.

Testing and Updating the Plan

27. a) Why are business continuity plans more difficult to test than incident response plans?

The processes involved in incident response plans are complex, but business continuity response processes are far more complex and therefore far more difficult to test.

b) Why is frequent plan updating important?

Frequent plan updating is important because business conditions change constantly and because businesses reorganize constantly.

c) Why must companies update contact information even more frequently?

The people holding specific roles changes very frequently.

d) For what two reasons is a business continuity staff necessary?

The reason a business continuity staff is necessary is because there is constant updating and the staff will act as the operational manager when there is a disaster.

IT Disaster Recovery

28. a) What is IT disaster recovery?

IT disaster recovery looks specifically at the technical aspects of how a company can get IT back into operation using backup facilities.

b) Why is it a business concern?

IT disaster recovery is a business concern because decisions that seem purely technical may have major implications for the business that IT professionals may not accept and should not have the authority to make.

Types of Backup Facilities

29. a) What are the main alternatives for backup sites?

The main alternatives for backup sites are hot sites, cold sites, and continuous data protection (CDP).

b) What is the strength of each?

Hot sites have everything ready to go in an emergency and have little down time. Cold sites offer the physical facilities to support a backup site, but do not have the equipment in place that a hot site does; this is cheaper than a hot site. As its name suggests, CDP provides continuous data protection with instantaneous recovery.

c) What problem or problems does each raise?

Hot sites are very expensive, cold sites take significant time to procure and install needed equipment and software, and CDP sites usually cannot handle duties of both sites and must prioritize applications.

d) Why is CDP necessary?

CDP is necessary if any down time will significantly impact the business, which it almost always will.

Office PCs

30. What three things should a firm do about disaster recovery planning for office PCs?

When recovery planning for office PCs, a company should first do a backup of everything. Then the firm should get in touch with computer vendors to preorder for new office PCs. Finally, a firm should find a good working environment in which to use the office PCs, especially if the previous office is damaged.

Restoration of Data and Programs

31. a) What must be done to restore data at a backup site via tapes?

First, the backup tapes must be delivered to the backup site; then the backup site must have the proper equipment to do the restoration.

b) How does this change if a firm uses continuous data protection?

With CDP, the backup site already has the proper equipment and data, so recovery is instantaneous.

Testing the IT Disaster Recovery Plan



Thought Questions

1. You are advising a small company. a) Would you recommend using a firewall? Explain.

Advise the company to use a firewall because firewalls are part of intrusion prevention, which is designed to prevent or block any malicious activity into the network. Implementation of this may be long and expensive, but it is well worth it, depending on the type of data and information the company wants to protect and keep safe.

b) Would you recommend using antivirus filtering? Explain.

Yes. Antivirus filtering is very necessary for a company to implement because it is one of the things that will protect a system from outside attacks. Also, because a company can’t fully regulate the Internet browsing activities of its employees, antivirus filtering can help protect against this as well. This is also something that doesn’t take much time to do and is relatively inexpensive.

c) Would you recommend an intrusion detection system? Explain.

For a small company, an IDS would probably be too difficult to manage.

2. When IDSs generate alerts, it can send them to a console in the security center, to a mobile phone, or via e-mail. Discuss the pros and cons of each.

Putting an alarm on the manager console screen is not effective at nights or on weekends if no one will be at the console.

Mobile phone warnings will reach the security administrator, but only very high-probability attacks should be signaled this way or the security administrator will throw the mobile away.

E-mail also is not good for instant announcements. E-mail is best if the security administrator checks e-mail frequently, but during attacks, e-mail cannot be trusted because the e-mail system may be compromised.

3. Examine the integrated log file shown in Figure 10-19. a) Identify the stages in this apparent attack.

Lines 1 – 8

Lines 9 – 11

Lines 13 – 16

Lines 17 – 21

b) For each stage, describe what the attacker seems to be doing.

Lines 1 – 8: Human attacker attempting and finally succeeding in logging into account Lee on

Lines 9 – 11: Compromised computer opens a TFTP connection to transfer files from suspect host, possibly downloading hacker toolkit

Lines 13 – 16: Compromised host communicating with another suspect host, possibly sending data retrieved by hacker software or downloading new hacker programs to exploit the compromised host

Lines 17 – 21: Compromised host scanning computes on the 60.0.1.x network, looking for HTTP services for possible exploitation

c) Decide whether the actions in this stage work at human speed or at a higher speed, indicating an automated attack.

Lines 1 – 8: Speed appears to be human driven

Lines 9 – 11: Speed appears to be human driven

Lines 13 – 16: Speed appears to be human driven

Lines 17 – 21: Speed appears to be machine driven

d) Decide whether the evidence in each stage is suggestive of an attack or conclusive evidence.

Lines 1 – 8: Suggestive of an attack, but not conclusive. Need to know more about the Lee account and who might be using it.

Lines 9 – 11: This is conclusive; do not expect any legitimate user to open TFTP connections to an outside host.

Lines 13 – 16: Suggestive, but not conclusive, as we don’t know what data is being transferred.

Lines 17 – 21: Conclusive – this is an obvious port 80 scan by a machine.

e) Overall, do you have conclusive evidence of an attack?

Yes, there is conclusive evidence that an attack has taken place, based primarily upon the TFTP and HTTP port scanning.

f) Do you have conclusive evidence of who committed the attack?

The attacks were committed by a person or a program on However, the evidence that took over the Lee account is not strong. Trying to log in three times is not that uncommon. On the other hand, the attack occurred right after the Lee account login.

4. A firm is trying to decide whether to place its backup center in the same city or in a distant city. List the pros and cons of each choice.

  • Same city pros:

    • Shorter distance between sites means cheaper costs for the dedicated bandwidth required for CDP-type backup.

    • Shorter distance for IT personnel to travel to get cold or hot backup site functional in shortest amount of time

  • Same city cons

    • Major environmental disaster coud possibly take out both primary and backup sites

    • Even if the backup site is available, it may not be safe to have personnel travel to backup site due to inclement environmental conditions

  • Distant city pros:

    • Chance that an environmental disaster occurs at both primary and secondary site simultaneously is hopefully very slim

  • Distant city cons:

    • Less visibility of conditions at hot or cold site at time of disaster at primary site may make switching to backup site take longer

    • Higher cost in transferring data (CDP), material (computers and backup tapes) and personnel to backup site

    • May be unable to get knowledgeable personnel from primary site to backup location quickly in order to facilitate cutover

5. To get out of taking exams, students occasionally phone in bomb threats just before the exam. Create a plan to deal with such attacks. This should take one single-spaced page. It should be written by you (a policy advisor) for your dean to approve and post in your college.

  • Actions to be taken before the term begins:

    • Each teacher should decide on an alternate place to meet in case there is a bomb threat. The alternate place should be written into the syllabus. This removes the motivation to call in a bomb threat.

  • Actions to be taken by recipient of bomb threat (assuming it’s a phone call):

    • Remain calm and attempt to obtain as much information as possible from the caller. Ask the caller to repeat the message and record every word.

    • If the caller does not indicate the location of the bomb or time of detonation, ask for this information. Note if the caller appears familiar with the buildings.

    • Listen closely to the voice of the caller to determine voice quality, sex, age, accents, or words used repeatedly. If the caller is talkative, ask questions to try to ascertain the caller’s name and/or location.

    • Note background noises that could indicate the location of the caller.

    • If bomb threat is made via electronic means, save the information and provide it immediately to campus security for investigation.

  • After the threat is received:

    • Immediately call Campus Security.

    • Notify your immediate supervisor that you have received a bomb threat and have called security. Do not state the nature of the call to anyone else.

    • Complete the university’s Bomb Threat Checklist. Remain at your location until the security officer arrives. The officer will interview you regarding the call and review the checklist.

  • Evacuation:

    • Based on recommendations from Campus Security and/or HPD, the appropriate university designee will determine if an evacuation is necessary and coordinate the evacuation of threatened buildings. Do not evacuate until told to do so by security, as evacuation routes may be unsafe. Follow security instructions. Move to the designated evacuation location stated in the evacuation plan.

    • Campus Security will not allow anyone to enter a suspected building except authorized personnel. The Campus Security Director will decide when re-entry is permitted.

    • Supervisors will account for all personnel and teachers will attempt to account for all students in class at the time of evacuation. Admissions will prepare to contact all students known to have classes in the affected building, in case of emergency.

  • Search procedures:

    • Campus Security will be in charge of the search. The search will be conducted by Campus Security personnel only.

    • Under no circumstances should faculty, staff, or students touch or move a suspected bomb. Notify the security officer in charge of the search in your location of any suspicious objects.

  • Those found guilty of false or real bomb threats will be expelled from the university in accordance with current university bylaws and prosecuted under state and federal laws.

6. After you restore files following an incident, users complain that some of their data files are missing. What might have happened?

Users did not save their files to the file server and they were lost in the incident.

Backup tapes do not include data since last backup, and their files may not have been backed up.

The backup may not have been done properly. Restoration tests should be done to see if there is a problem.

Hands-on Projects

NOTE: Screenshots and IP addresses for individual students will vary.
</span><b>Project 1</b> <br /> <br />

HoneyBOT® is a simple honeypot for beginners to use. Honeypots can give you a good idea of how many people are probing your machine for weaknesses. Without a honeypot, you may not be able to tell if anyone is scanning your machine.

In this example, you will use your Web browser to generate some entries in HoneyBOT. You will try to make FTP and HTTP connections with your own computer. The honeypot will record the IP address of the remote machine that is scanning your computer and each port that was scanned.

1. Download HoneyBOT from

2. Click on the Download link in the left-hand menu.

3. Click on the appropriate "here" link to download the latest version of HoneyBOT.

4. Click Save.

5. Select your downloads folder.

6. Browse to your downloads folder.

7. Double-Click HoneyBOT_018.exe. (The version number may be different as newer releases become available.)

8. Click Run, Next, I Accept, Next, Next, and Next.

9. Check Create desktop icon.

10. Click Next, Install, and Finish.

11. Press the Start button or click File, and Start.

12. HoneyBOT may ask you to select an adapter if you have multiple NICs in your computer; select your current IP address. (It could be a non-routable IP that starts with "192.168" or it could be a typical IP address.)

13. Click OK.

14. Take a screenshot showing the total number of sockets loaded in the bottom status bar.

15. Click Start.

16. Open a Web browser and go to FTP://[Your IP Address]. (Replace Your IP Address with the IP address that is being used by HoneyBOT. In this example, it was

17. When prompted for a username, enter your first name.

18. Enter your last name for the password. (Entering your first and last name as username and password will record them in the HoneyBOT log. You don't really have an FTP server running. It's being "faked" by HoneyBOT.)

19. Open a Web browser and go to HTTP://[Your IP Address]. (Replace Your IP Address with the IP address that is being used by HoneyBOT.)

20. Return to HoneyBOT and take a screenshot.

21. Double-click on one of the entries with the local port listing 21. (The remote IP and local IP should be the same.)

22. Take a screenshot of the HoneyBOT log entry showing your first and last name being used to access an FTP server.

</span><b>Project 2</b> <br /> <br />

Recuva® is a useful program by Piriform® that will scan the empty memory space on your computer to see if there are any files that can be recovered. It can also securely delete files so they cannot be recovered.

Most users errantly believe that data is gone forever when they empty it from the Recycle Bin. This is incorrect. It merely marks the space as open to be written over if another file needs to be stored. Your operating system writes over these open spaces and subsequently “damages” the previously deleted file.

1. Download Recuva from

2. Click Download from

3. Click Download Latest Version.

4. Click Save.

5. If the program doesn’t automatically open, browse to your download folder.

6. Run the installation program.

7. Select Run, Ok, Next, I Agree, Install, and Finish.

8. Click Start, Programs, Recuva, and Recuva (or you can double-click the Recuva desktop icon).

9. Select the drive from which you want to recover files. (Your C: drive will work, but it will take longer to complete the scan. The scan will complete much more quickly on a USB drive.)

10. Click Scan.

11. After the scan completes, click on any of the recovered files listed with a graphic extension (e.g., .jpg or .bmp) until you see a picture on the right-hand side of the screen.

12. Take a screenshot.

13. Click on the Info tab to see the details for the file.

14. Take a screenshot.

15. Check one of the recoverable graphic files. (Even some of the “unrecoverable” files are actually recoverable.)

16. Click Recover.

17. Save it to your desktop.

18. Open the picture you recovered.

19. Take a screenshot.

Project Thought Questions

  1. What impact would more open ports have on the ability of your honeypot to attract hackers?

Having more ports open may attract certain hackers. Some hackers look for certain open ports. Some larger servers have many different services running, so hackers look for those machines with many open ports.

  1. Can hackers tell that you have a honeypot running?

Yes, some hackers may be able to tell that you have a honeypot running based on certain responses given by your honeypot. Since extradition to another country is unlikely, they may not care too much. However, they might want to avoid spending too much time on your machine if they think your computer is just faking all ports.

  1. Do they have honeypots for spammers to keep them from harvesting e-mails from your webpages?

Yes, there are honeypots for spammers. It’s against the law to “harvest” e-mails from any webpage. Security professionals are starting to use different e-mail notation to stop harvesting programs. Instead of posting their e-mail address as, they will post it as “john dot doe at company dot com” or a variation thereof.

  1. Do you think law enforcement agencies (e.g., CIA, FBI, NSA, etc.) in the United States run honeypots to track criminal behavior?

Yes, they have many different honeypots and IDSs running. They watch criminal behavior very closely and know who is doing what. They watch certain blocks of IP addresses very closely. They even know who is producing viruses and malware. They have big budgets and pretty smart people. It’s a good idea to just stay away from government computers.

  1. Would this work on your cell phone if it were connected to your computer?

Yes, this will recover data on any device that shows up as a drive. If your phone has this ability, then you can recover lost data/pictures. You can also purchase hardware and software from Paraben that is specifically designed to recover data from mobile devices.

  1. What effect does the “condition” of the file have on its ability to be recovered?

Some files have been written over and are only partially recoverable. Some files may have been written over many times and are not recoverable. You may have to take an image of that part of your hard drive and examine the files directly.

  1. What other recovery options does Recuva come with?

This program comes with multilingual support. It will look at both logical and physical drives. It will look in hidden system drives and do a deep scan. It will also show you the information about the file and the detailed file contents.

  1. Does Recuva have the ability to find a deleted file by its specific file name?

Yes, you can search by a specific file name.

Case Discussion Questions

1. Why are merchants usually responsible for merchandise purchased with stolen credit cards?

Merchants are usually responsible for dollar losses related to stolen credit cards as part of their contract with their credit card company. Making merchants liable for losses makes them very weary to accept stolen credit cards.

2. What is the most common way to detect corporate fraud? Why?

Occupational fraud is more likely to be detected by a tip than by any other method. The majority of tips reporting fraud come from employees of the victim organization.

3. Which forms of fraud are the most common? Why?

Asset misappropriation schemes are by far the most common type of occupational fraud, comprising 87% of the cases reported. They are also the least costly form of fraud, with a median loss of $120,000.

4. Which forms of fraud are the most costly? Why?

Financial statement fraud schemes make up just 8% of the cases, but cause the greatest median loss at $1 million. Corruption schemes fall in the middle, occurring in just over one-third of reported cases and causing a median loss of $250,000. Financial statement fraud cases have the potential to inflict much larger damages due to the nature of the fraud.

5. Why does a perpetrator’s level of authority in the organization, or time working for the organization, affect the average amount of money stolen?

Perpetrators with higher levels of authority and longer tenure with the organization tend to cause much larger losses. They may have greater responsibility over larger assets, be better able to conceal their fraud, be more motivated to commit the fraud, be more knowledgeable about the corporation’s procedures (to avoid getting caught), and may be able to coerce/co-opt subordinates into the fraud scheme.

6. Why are banking and financial services, government and public administration, and manufacturing sectors the most commonly targeted?

These are industries that deal with large budgets, lucrative contracts, and large sums of liquid money. They provide very attractive targets for fraudsters.

7. Why are workers in accounting, operations, sales, executive/upper management, customer service, and purchasing functions most likely to commit fraud?

These workers have access to the systems, personnel, and paperwork to be able to commit the fraud. They also likely have a higher level of knowledge about how internal systems might be manipulated.

8. What are some “red flags” that a person might be involved in fraudulent activities?

Red flags discussed in the report include living beyond one’s means (36% of cases), financial difficulties (27%), unusually close association with vendors or customers (19%), and excessive control issues (18%).

Perspective Questions

1. What was the most surprising thing you learned in this chapter?

Student answers will differ.

2. What was the most difficult material in this chapter for you?

Student answers will differ.

Copyright © 2015 Pearson Education, Inc.

Download 107.44 Kb.

Share with your friends:

The database is protected by copyright © 2023
send message

    Main page