Assignment

Part 1: Snort Rule Analysis.

Examine the following Snort rule, designed to detect attempts by an organization's employees to access a gambling website in violation of acceptable use policy. This rule is syntactically valid and will produce alerts when a user visits the Powerball lottery website with a web browser. With an eye towards minimizing false positives, identify five ways the rule could be improved to more specifically target employees accessing the Powerball website.

Improvements:

Part 2: Short Answer Questions.

1. Define and differentiate false positive and false negative. Which is worse, and why? Give one example of each, drawn from any context that demonstrates your understanding of the terms.

2. Explain the following Snort rule. What sort of attack is it intended to detect? What network traffic pattern information is it looking for?

3. What are the key differences between user-centric and target-centric monitoring in behavioral data forensics? Is one perspective preferred over the other? If so, what are some of the advantages of the preferred choice, or disadvantages of the non-preferred choice?

4. Write a rule using Snort syntax to detect an internal user executing a Windows "tracert" command to identify the network path to an external destination. Identify what changes, if any, and revise/rewrite the rule to make it work effectively for a Unix/Linux "traceroute".

5. Most network IDS tools are designed to optimize performance analyzing traffic using a variety of protocols specific to TCP/IP wired networks. Describe at least two intrusion detection scenarios where other, specialized types of intrusion monitoring and analysis are called for (that is, where typical NIDS like Snort are not appropriate or effective), explaining what limitations exist in conventional NIDS that make them insufficient to provide effective intrusion detection in the environments corresponding to these scenarios.

6. What is a multi-event signature? Provide at least two examples of multi-event signature activities or patterns that might be monitored with an intrusion detection system.

7. What are the operational requirements necessary to perform anomaly-based intrusion detection? How does the information gathered about network traffic by anomaly-based IDS tools differ from the information gathered by signature-based NIDS?

8. Many people perceive intrusion detection to be a constant, all-the-time security function. Identify and describe at least two "part-time" intrusion detection operational models, and for each give an example of a usage scenario that would call for part-time monitoring.

9. Are organizations legally obligated to use intrusion detection capabilities? Why or why not?

10. Imagine you are tasked with monitoring network communication in an organization that uses encrypted transmission channels. What are the limitations of using intrusion detection systems in this environment? What methods would you employ to accomplish this task?

Part 3: Essay Questions. Maximum length: 3 double-spaced pages each, excluding references.

1. In 2003, a well-publicized report from IT analyst firm Gartner predicted that the market for stand-alone IDS tools would soon disappear and urged Gartner clients to cease investing in IDS tools in favor of firewalls. Clearly, this prediction has not come true, due in part to significant increases in the technological capability, processing speed, and accuracy of IDS tools in the more than 15 years since the erroneous prediction.

Contemporary enterprises have a wide array of network and platform security tools from which to choose, and as we have seen in this course there is substantial overlap in the capabilities of different categories of tools such as firewalls, IDS, anti-malware, vulnerability scanners, and so forth. What factors would exert the most influence on an organization and lead it to choose to implement IDS technology? In your response please identify potential benefits of IDS, potential drawbacks, and any considerations about an organization's operating environment that might drive its decision.

2. Beginning about 10 years ago, the U.S. Department of Homeland Security established programs intended to expand the government's intrusion detection capabilities, in particular citing a need to move to mandatory real-time intrusion detection for federal government networks. The current manifestation of this goal is the Einstein program, which is now in widespread use across the government and received some negative (and partly inaccurate) publicity in early reports of the large-scale data breach announced in 2015 involving systems operated by the U.S. Office of Personnel Management. [The current administration has de-emphasized this and other security initiatives promoted by the previous administration. See the brief description of Initiative #3 of the Comprehensive National Cybersecurity Initiative.]

Using what we have learned in this course and your own knowledge of IDS operational models, requirements, and other characteristics associated with selecting and using the most appropriate types of intrusion detection and prevention, what is your response to the government's approach of trying to implement comprehensive intrusion detection and prevention for all network traffic to or from U.S. government agencies? What are some of the key obstacles faced in rolling out an intrusion detection capability of this sort? Identify and describe at least three challenges that DHS should consider with its Einstein deployment.

Format your assignment according to the following formatting requirements:

1. The answer should be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides.

2. The response also includes a cover page containing the title of the assignment, the student's name, the course title, and the date. The cover page is not included in the required page length.

3. Also include a reference page. The Citations and references should follow APA format. The reference page is not included in the required page length.