This is my fifth entry in my COMSEC2 learning log and the end of COMSEC2 is near 😥 I know it’s sad, but continuing with COMSEC depends on the person, because security is an evolving subject: there are always possible new attacks and holes that hackers could exploit. Anyway, we had a Snort activity during our 9th week and it was about how to implement rules on Snort. Since we already had experience with Snort, all we had to do was think about the form of each rule and which protocols and ports we should use. The first rule was your basic alert on an Outbound Connection. Since the exercise stated that it should be Outbound, we set the protocol to tcp and the destination port to 80, which is HTTP specifically. The next rule had to detect a Telnet connection. The port for telnet is 23, so we just copied the Outbound rule and replaced the port number and the message of the alert. The rule after that had to detect an XMAS scan being conducted. For that rule, we had to research what an XMAS scan consists of: it is a packet with the FIN, PSH and URG flags set. The last set of rules we had to create detects strings containing the keywords INSERT, DELETE and SELECT. This was an important rule because these keywords could be SQL queries being sent. Each rule was given its own sid (its ID) so that it could be uniquely identified in the logs.
After creating all the rules, we ran into some initial problems, such as having to set up a virtual machine to test the telnet connection and to install Nmap to scan. I thought it was going to be hard; I was wrong and it was a breeze 🙂 . We ran Snort first and then executed the attacks, and instantly syslog was getting the logs from Snort. It was awesome!! :)) I saw at the bottom of syslog that logs were coming in from Snort in real time. I knew that this was an important lesson to remember and I am going to keep on studying Snort. Thanks for reading! 🙂
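To make the rule logic above concrete, here is an added example (not code from the original post or from the Snort project) that writes the four kinds of rules in Snort syntax and runs a tiny matcher over constructed packets. The HOME_NET range, the msg texts, the sid values and the packet contents are all assumptions made here; the matcher only understands the header fields and the msg, flags, content, nocase and sid keywords, which is all these rules use.

```python
import ipaddress

# Assumed lab layout (not from the original post): the inside network is
# 192.168.1.0/24 and everything else counts as $EXTERNAL_NET.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# Rules in Snort syntax, written here after the kinds the post describes.
# msg texts and sid values are placeholders chosen for this example; local
# rules conventionally use sid >= 1000000 so they never collide with shipped rules.
RULES = """
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Outbound HTTP connection"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"Telnet connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"XMAS scan FIN/PSH/URG"; flags:FPU; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SQL keyword SELECT in payload"; content:"SELECT"; nocase; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SQL keyword INSERT in payload"; content:"INSERT"; nocase; sid:1000005; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SQL keyword DELETE in payload"; content:"DELETE"; nocase; sid:1000006; rev:1;)
"""


def parse_rule(line):
    """Split one rule into its seven header fields and its option keywords."""
    header, _, body = line.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = {}
    for opt in body.rstrip(")").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")       # "nocase" has no value -> ""
        opts[key] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}


def addr_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr in HOME_NET
    if spec == "$EXTERNAL_NET":
        return addr not in HOME_NET
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Return True if the packet satisfies the header and every option of the rule."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])):
        return False
    if not (addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    opts = rule["opts"]
    if "flags" in opts:
        # flags:FPU with no modifier means exactly these flags and no others,
        # so a normal PSH/ACK data segment does not trip the XMAS rule.
        if set(opts["flags"]) != set(pkt["flags"]):
            return False
    if "content" in opts:
        needle, hay = opts["content"], pkt["payload"]
        if "nocase" in opts:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


def run_rules(packets, rules_text=RULES):
    """Evaluate every rule against every packet; return (sid, msg) per alert fired."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines()]
    alerts = []
    for pkt in packets:
        for r in rules:
            if rule_matches(r, pkt):
                alerts.append((int(r["opts"]["sid"]), r["opts"]["msg"]))
    return alerts


# Constructed packets, one per situation the rules are meant to catch (or ignore).
PACKETS = [
    # inside host browsing out to port 80 -> outbound rule
    dict(proto="tcp", src="192.168.1.10", sport=51000, dst="93.184.216.34", dport=80, flags="S", payload=""),
    # outside host opening telnet to an inside host -> telnet rule
    dict(proto="tcp", src="10.0.0.5", sport=40000, dst="192.168.1.20", dport=23, flags="S", payload=""),
    # XMAS probe: FIN+PSH+URG and nothing else -> xmas rule
    dict(proto="tcp", src="10.0.0.5", sport=40001, dst="192.168.1.20", dport=445, flags="FPU", payload=""),
    # ordinary data segment carrying an SQL keyword -> content rule only
    dict(proto="tcp", src="10.0.0.5", sport=40002, dst="192.168.1.20", dport=3306, flags="PA", payload="select * from users"),
    # benign inside-to-inside SSH traffic -> no alert
    dict(proto="tcp", src="192.168.1.10", sport=51001, dst="192.168.1.20", dport=22, flags="PA", payload="SSH-2.0-OpenSSH"),
]

if __name__ == "__main__":
    for sid, msg in run_rules(PACKETS):
        print(f"[1:{sid}:1] {msg}")
```

In a real deployment the six rule lines would go into Snort's local rules file; the point of the matcher is to show why each packet above fires exactly one rule and the SSH segment fires none.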
This week, we learned about Snort. It was a refresher since we had already configured Snort during our INFOSEC course. Nevertheless, I was still excited, because my group had only gotten as far as the installation phase of Snort before; we didn’t really explore much about it. But now we had a chance to fully utilize Snort as an Intrusion Detection System, or IDS. Sir Justin first explained what an IDS is for, though we all knew that it is for detecting suspicious and anomalous traffic going on in the network. This could be XSS attacks, Denial of Service or DoS attacks, payloads and viruses at work. That is why Snort is important in the network: Snort is the one alerting the network administrators of dangerous attacks that have been executed or are being executed. If Snort is not implemented in the network, there is a chance that attacks could just slip through the defenses without any detection and damage the network itself. We were reminded where the IDS should be placed. It should be placed behind the firewall, or beside it where traffic is coming into the network. It shouldn’t be placed in front of the firewall since it would just detect false positives. Although we studied Snort, my mind that day was on the correlation that we would be implementing and demonstrating. It was the tree correlation that we proposed, a combination of alert correlation and event correlation. Alert correlation is about gathering the alerts which are related to each other and combining them into one alert. Event correlation is about identifying attacks and trying to correlate those attacks with other systems to determine if it is just a harmless attack on the system. I am excited about building our correlator and I hope it is successful! Thanks for reading 🙂
In the last few weeks we had a busy schedule; projects were piling up, there were assignments that needed to be finished and some studying to be done (Glad it’s all over now 🙂 ) This week, we discussed our paper, which was to be presented to the class before our midterms. This paper was one of the most challenging tasks for us as a group, because we got a topic that not everyone in the group understood, since it was a new word, a new terminology for us. It was Correlation. Correlation is a technique wherein the logs are compared and filtered so that only the important logs are left after the correlation is applied. I was amazed that this kind of technique existed! (WOW). Adrian told me that this is important in log management because every day thousands of logs are recorded; some of them are false positives and some are really important logs sitting on the log servers, or wherever the logs are gathered each day. Sir Justin also explained to us briefly what correlation is.
For me, it’s a new term, and hearing the word correlation makes me want to discover and research more about it! I know it will be useful and I am certain that there are more explanations of correlation in other research. Just like Sir Justin’s paper, which indicated that there should be log consolidation and event management in a SIEM. It just goes to show how important correlation is to a log management system. Earlier today was our presentation, and we were so nervous because we were about to report in front of the whole class! And Sir Pineda said that if we didn’t have the right answer for each of our blockmates’ questions, we would get a deduction (was so scared of this HAHAHAHA), but it turned out to be just a joke!!! Hahahaha Long story short, we were able to show the class what correlation is and how helpful it is to an IDS or any monitoring system 🙂 Thanks for reading!!!
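The two halves of the correlation idea described in these posts (alert correlation, which folds related alerts into one, and event correlation, which checks an alert against another system to decide whether it is harmless) can be shown over Snort's syslog output. The following is an added example written for this log, not code from the group's correlator or from Snort; the syslog lines, the 60-second window, the asset inventory and the verdict wording are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines in the shape Snort's fast-alert output takes when it
# is forwarded to syslog (assumed format, not captured from the post's lab).
SYSLOG = """\
Oct 12 10:01:02 sensor snort[1234]: [1:1000002:1] Telnet connection attempt [Priority: 2] {TCP} 10.0.0.5:40000 -> 192.168.1.20:23
Oct 12 10:01:03 sensor snort[1234]: [1:1000002:1] Telnet connection attempt [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.1.20:23
Oct 12 10:01:05 sensor snort[1234]: [1:1000002:1] Telnet connection attempt [Priority: 2] {TCP} 10.0.0.5:40002 -> 192.168.1.20:23
Oct 12 10:01:20 sensor snort[1234]: [1:1000003:1] XMAS scan FIN/PSH/URG [Priority: 2] {TCP} 10.0.0.5:40003 -> 192.168.1.20:445
Oct 12 10:01:21 sensor snort[1234]: [1:1000003:1] XMAS scan FIN/PSH/URG [Priority: 2] {TCP} 10.0.0.5:40003 -> 192.168.1.20:80
Oct 12 10:03:00 sensor snort[1234]: [1:1000001:1] Outbound HTTP connection [Priority: 3] {TCP} 192.168.1.10:51000 -> 93.184.216.34:80
Oct 12 10:09:00 sensor snort[1234]: [1:1000002:1] Telnet connection attempt [Priority: 2] {TCP} 10.0.0.5:40010 -> 192.168.1.20:23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Turn Snort syslog lines into dicts; lines from other daemons are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%b %d %H:%M:%S")
        a["sid"], a["prio"], a["dport"] = int(a["sid"]), int(a["prio"]), int(a["dport"])
        alerts.append(a)
    return alerts


def correlate_alerts(alerts, window=timedelta(seconds=60)):
    """Alert correlation: alerts sharing (sid, src, dst) that arrive within
    `window` of the previous one are folded into a single consolidated alert."""
    open_groups, groups = {}, []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["sid"], a["src"], a["dst"])
        g = open_groups.get(key)
        if g is None or a["ts"] - g["last"] > window:
            g = {"sid": a["sid"], "msg": a["msg"], "src": a["src"], "dst": a["dst"],
                 "first": a["ts"], "last": a["ts"], "count": 0, "dports": set()}
            open_groups[key] = g
            groups.append(g)
        g["last"] = a["ts"]
        g["count"] += 1
        g["dports"].add(a["dport"])
    return groups


# Constructed asset inventory: the ports each inside host actually listens on.
ASSETS = {"192.168.1.20": {22, 80}, "192.168.1.10": set()}


def correlate_events(groups, assets=ASSETS):
    """Event correlation: cross-check each consolidated alert against the asset
    inventory. A probe at a port the host does not expose is likely harmless; one
    that reaches an exposed service, or one whose host we know nothing about, needs a look."""
    verdicts = []
    for g in groups:
        exposed = assets.get(g["dst"])
        if exposed is None:
            verdict = "destination not in inventory, review"
        elif g["dports"] & exposed:
            verdict = "targets exposed service, investigate"
        else:
            verdict = "no exposed service hit, likely harmless"
        verdicts.append((g["sid"], g["src"], g["dst"], g["count"], verdict))
    return verdicts


if __name__ == "__main__":
    for sid, src, dst, count, verdict in correlate_events(correlate_alerts(parse_alerts(SYSLOG))):
        print(f"sid {sid} {src} -> {dst} x{count}: {verdict}")
```

Seven raw alerts collapse into four consolidated ones (the telnet attempt eight minutes later starts a new group), and the inventory check is what separates the three telnet probes at a closed port from the XMAS probe that touched the open port 80.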
This week we continued our discussion about BCP, also known as Business Continuity Planning. Basically, this topic is about a plan stating how the business would survive and continue its operations if a disaster ever occurred. Unlike the DRP, the Disaster Recovery Plan, which focuses on the safety of the people or employees of the company, the BCP aims to keep the business running. In this topic, we did some computations on how much it would cost to implement Business Continuity Planning and how much the company would lose if a disaster occurred.
In our activity, we continued the computations for the Case Study that was given to us. Well, at first I was confused about what we were going to do, because in the example there are a lot of values given and I didn’t know what I was going to do first, whether it was ALE, SLE, etc. But before the night ended, we had already finished the activity.
So what is the purpose of studying Business Continuity Planning and the Disaster Recovery Plan? For me, Business Continuity Planning is useful since, if we were to graduate (naks) and were asked to design a plan wherein the company could survive even with the many existing risks out there, the company with a BCP would be prepared if a disaster occurred. If a Disaster Recovery Plan is implemented for the company, there is an assurance that the employees are safe and sound.
Our recent discussion was about Legal Investigation and Computer Forensics, which we had already discussed in INVESTI class. I forgot some of the terms that we discussed. But honestly, this topic was one of my favorites, because it is very interesting to learn about investigation, whether it is related to Digital Forensics or not. One thing that always stays in my mind is the Computer Forensics Methodology, because it is the most important thing when you’re conducting an investigation as part of a Forensic Team.
Two weeks ago, we discussed our first topic in this course, which is “Risk Management”. When I hear about risk, I think about something wrong or something bad that happened. I’m glad that our first topic this term is not really hard to understand.
When we talk about Risk Management, it simply focuses on risk analysis and mitigation. First, I think you need to be familiar with the security concepts of the CIA triad: Confidentiality, Integrity and Availability. These are very important security concepts that are used as the basis for any security. With CIA, or Confidentiality, Integrity and Availability, in mind, attacks and unwanted forces could be prevented. Well, most of the terms we discussed here in Risk Management were discussed in our INFOSEC class, which is why it is easier for us to catch up on this topic. Next is IAAA, or Identification, Authentication, Authorization and Accountability, which protects the system, because someone unwanted could bypass and enter the system if this is not implemented properly. Identification states that you are claiming something, while Authentication double-checks whether what you are saying is true.
One of my favorite parts of this topic was the Risk Analysis computation and ranking which risks should be prioritized the most. Risk Analysis is not only important but also very useful when you are trying to make the most of the given resources for risk management. Let’s say that a certain company hired you to do a risk analysis and you should give them options on what to do about these risks. Since there are limitless combinations of existing risks, this is the point where risk analysis and risk calculation are useful and important. With risk analysis, you can prioritize certain risks, and with risk calculation you can prove that a risk is a danger to the company. With such techniques used in the industry, many companies are now safe from some risks, but not all of them.
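The ALE and SLE figures from the BCP case study and the risk ranking described here come from the standard quantitative formulas SLE = AV × EF and ALE = SLE × ARO. The following is an added example, not code or figures from the course's case study: it computes both quantities for a few constructed risks, ranks them by ALE, and checks whether a proposed safeguard is worth its annual cost. Every asset value, exposure factor, rate and control cost below is made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One threat/asset pair with the three inputs quantitative risk analysis needs."""
    name: str
    asset_value: float       # AV: what the asset is worth (currency units)
    exposure_factor: float   # EF: fraction of AV lost in one occurrence, 0.0..1.0
    aro: float               # ARO: expected occurrences per year

    def sle(self):
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class Control:
    """A safeguard and the EF / ARO that remain once it is in place."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def residual_ale(risk, control):
    """ALE after the control, using the same formula with the reduced EF and ARO."""
    return risk.asset_value * control.residual_ef * control.residual_aro


def control_value(risk, control):
    """Net annual benefit = ALE before - ALE after - yearly cost of the safeguard.
    A negative value means the control costs more than the loss it prevents."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def rank_risks(risks):
    """Highest ALE first: the ordering that decides where the budget goes."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed figures for illustration only.
RISKS = [
    Risk("Web server defacement", 50_000, 0.20, 2.0),
    Risk("Data centre flood", 1_000_000, 0.50, 0.10),
    Risk("Laptop theft", 3_000, 1.00, 4.0),
]
CONTROLS = {
    "Web server defacement": Control("Web application firewall", 8_000, 0.20, 0.5),
    "Data centre flood": Control("Raised floor and pumps", 60_000, 0.10, 0.10),
    "Laptop theft": Control("Full-disk encryption", 2_000, 0.10, 4.0),
}


def analysis_report(risks=RISKS, controls=CONTROLS):
    """One row per risk, ranked by ALE, with the verdict on its proposed control."""
    rows = []
    for r in rank_risks(risks):
        c = controls[r.name]
        net = control_value(r, c)
        rows.append({"risk": r.name, "sle": r.sle(), "ale": r.ale(),
                     "control": c.name, "net_benefit": net, "recommend": net > 0})
    return rows


if __name__ == "__main__":
    for row in analysis_report():
        print(f"{row['risk']:<24} SLE {row['sle']:>10,.0f}  ALE {row['ale']:>10,.0f}  "
              f"{row['control']:<26} net {row['net_benefit']:>+10,.0f}  "
              f"{'do it' if row['recommend'] else 'not worth it'}")
```

Note that the ranking and the control decision can disagree: the flood has the largest ALE, yet the expensive flood control is rejected because it saves less per year than it costs, while the cheap laptop encryption is clearly worth it.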
In our first group activity, all of us were able to cooperate and participate in our case study, and we finished it early, yay! It shows that all of us in the group really understood what we discussed. This topic will be a great help for us, not only for the sake of passing the subject but to really understand it by heart 😛 so that it can be used in our future jobs/work! Yipee!!