This is my fifth entry in my COMSEC2 learning log, and the end of COMSEC2 is near 😥 I know it’s sad, but continuing with COMSEC depends on the person, because security is an evolving subject: new attacks and holes that hackers could exploit keep appearing. Anyway, we had a Snort activity during our 9th week, and it was about how to implement rules in Snort. Since we already had experience with Snort, all we had to do was think about the formation of each rule and which protocols and ports we should use. The first rule was your basic alert on an Outbound Connection. Since the exercise stated that it should be outbound, we set the protocol to tcp and the port of the outgoing IP address to 80, which is specifically HTTP. The next rule to create should detect a Telnet connection. The port for telnet is 23, so we just copied the Outbound rule and replaced the port number and the alert message. The next rule we had to create was one that would detect an XMAS scan being conducted. For that rule, we had to research what an XMAS scan consists of: it has the FIN, PSH and URG flags set. The last set of rules we had to create was to detect strings containing the keywords INSERT, DELETE and SELECT. This was an important rule because these keywords could be possible SQL queries being conducted. Each rule was given a specific sid, or ID, so that it would uniquely identify the rule in the logs.
After creating all the rules, we ran into some initial problems, such as having to set up a virtual machine to test the telnet connection and to install Nmap to scan. I thought it would be hard; I was wrong, and it was a breeze 🙂 . We ran Snort first and executed the attacks, and instantly syslog was getting the logs from Snort. It was awesome!! :)) I saw at the bottom of syslog that logs were coming in from Snort in real time. I knew that this was an important lesson to remember, and I am going to keep on studying Snort. Thanks for reading! 🙂
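The four rules described in this entry, written out in Snort rule syntax as an added example (these are not the rules from the class activity). It assumes Snort’s default $HOME_NET and $EXTERNAL_NET variables and uses placeholder sids in the local range:

```snort
# Added example, not the rules from the class activity. Assumes Snort's default
# $HOME_NET / $EXTERNAL_NET variables; sids of 1000000 and above are the
# conventional range reserved for locally written rules.

# Rule 1: outbound connection to HTTP (TCP, destination port 80).
# flags:S fires once per connection attempt (the SYN) instead of on every packet.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Outbound HTTP connection"; flags:S; sid:1000001; rev:1;)

# Rule 2: the same rule with the port and message changed to catch Telnet (port 23).
# "any -> any" so a test against a lab VM on the same network is also seen.
alert tcp any any -> any 23 (msg:"Telnet connection attempt"; flags:S; sid:1000002; rev:1;)

# Rule 3: XMAS scan, i.e. FIN, PSH and URG set together (the probe nmap -sX sends).
# flags:FPU matches exactly these three flags; legitimate traffic does not send
# that combination without ACK, so this rule produces very few false positives.
alert tcp any any -> $HOME_NET any (msg:"XMAS scan detected"; flags:FPU; sid:1000003; rev:1;)

# Rule 4: SQL keywords inside HTTP traffic. nocase also catches "select"/"Select".
# Ordinary web pages can contain these words too, so expect some false positives
# and tune the rules (e.g. restrict them to the web server's address) for production.
alert tcp any any -> $HOME_NET 80 (msg:"SQL keyword INSERT in HTTP payload"; content:"INSERT"; nocase; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"SQL keyword DELETE in HTTP payload"; content:"DELETE"; nocase; sid:1000005; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"SQL keyword SELECT in HTTP payload"; content:"SELECT"; nocase; sid:1000006; rev:1;)
```

Each alert line that reaches syslog carries the sid and msg, which is how the individual rules are told apart in the log, as the entry describes.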
This week, we learned about Snort. It was a refresher subject, since we had already configured Snort during our INFOSEC course. Nevertheless, I was still excited, because my group had only reached the installation phase of Snort before; we didn’t really explore much about Snort. But now we had a chance to completely utilize Snort as an Intrusion Detection System, or IDS. Sir Justin first explained what an IDS is for, but we all know that it is for detecting suspicious and anomalous traffic going on in the network. This could be possible XSS attacks, Denial of Service or DoS attacks, payloads and viruses at work. That is why Snort is important in the network. Snort is the one alerting the administrators of the network about the dangerous attacks that were executed or are being executed. If Snort is not implemented in the network, there are chances that attacks could just slip through the defenses without any detection and damage the network itself. We were reminded where the IDS should be placed. It should be placed behind the firewall, or beside it where traffic is coming into the network. It shouldn’t be placed in front of the firewall, since it would just detect false positives. Although we studied Snort, my mind that day was thinking about the correlation that we would be implementing and demonstrating. It was the tree correlation that we proposed, and it was a combination of alert correlation and event correlation. Alert correlation is about gathering the alerts that are related to each other and combining them into one alert. Event correlation is about identifying attacks and trying to correlate those attacks with other systems to determine whether it is just a harmless attack on the system. I am excited about building our correlator, and I hope it is successful! Thanks for reading 🙂
In the last few weeks we had a busy schedule: projects were piling up, there were some assignments that needed to be finished and some studying to be done (glad it’s all over now 🙂 ). This week, we discussed our paper, which was to be presented to the class before our midterms. This paper was one of the most challenging tasks for us as a group, because we got something that not everyone in the group understood, since it was a new word or a new terminology. It was Correlation. Correlation is a technique wherein the logs are compared and filtered so that only the important logs are left after the correlation is applied. I was amazed that this kind of technique existed! (WOW). Adrian told me that this is important in log management because every day thousands of logs are recorded, and sometimes there are false positives and sometimes there are really important logs on the log servers or wherever the logs are gathered each day. Sir Justin also explained to us briefly what correlation is.
For me, it’s a new term, and hearing the word correlation makes me want to discover and research more about it! I know it will be useful, and I am certain that there are more explanations of correlation in other research. Just like Sir Justin’s paper, they indicated that there should be log consolidation and event management in a SIEM. It just goes to show how important correlation is to a log management system. Earlier today was our presentation, and we were so nervous because we were about to report in front of the whole class! And Sir Pineda said that if we didn’t have the right answer for each of our blockmates’ questions, we would get a deduction (I was so scared of this HAHAHAHA), but it turned out to be just a joke!!! Hahahaha. Long story short, we were able to show the class what correlation is and how helpful it is to an IDS or any monitoring system 🙂 Thanks for reading!!!
This week we continued our discussion about BCP, also known as Business Continuity Planning. Basically, this topic is about a plan which states how the business would survive and continue its operations if a disaster ever occurred. Unlike the DRP, the Disaster Recovery Plan, which focuses on the safety of the people or the employees of the company, the BCP aims to keep the business running and maintained. In this topic, we had some computations about how much it would cost to implement Business Continuity Planning and how much the company would lose if a disaster occurred.
In our activity, we continued the computations for the Case Study that was given to us. Well, at first I was confused about what we were going to do, because in the example there are a lot of values given and I didn’t know what I was going to do first, whether it was ALE, SLE, etc. But before the night ended, we had already finished the activity.
So what is the purpose of studying Business Continuity Planning and the Disaster Recovery Plan? For me, Business Continuity Planning is useful, since if we were to graduate (wow) and were asked to design a plan wherein the company could survive even with the many existing risks out there, a BCP would mean the company is prepared if a disaster occurred. If a Disaster Recovery Plan is implemented for the company, there is an assurance that the employees are safe and sound.
Our recent discussion was about Legal Investigation and Computer Forensics, which we had already discussed in INVESTI class. I forgot some of the terms we discussed. But honestly, this topic was one of my favorite topics, because it is very interesting to learn about investigation, whether it is related to Digital Forensics or not. One thing that always stays in my mind is the Computer Forensics Methodology, because it is the most important thing when you are conducting an investigation as part of a Forensic Team.
In the last two weeks, we discussed our first topic in this course, which is “Risk Management”. When I hear about risk, I think about something wrong or something bad that has happened. I’m glad that our first topic this term is not really hard to understand.
When we talked about Risk Management, it simply focuses on risk analysis and mitigation. First, I think you need to be familiar with the security concepts of the CIA triad: Confidentiality, Integrity and Availability. These are very important security concepts that are used as a basis for any security. With CIA, or Confidentiality, Integrity and Availability, in mind, attacks and unwanted forces could be prevented. Well, most of the terms we discussed here in Risk Management were discussed in our INFOSEC class, which is why it was easier for us to catch up on this topic. Next is IAAA, or Identification, Authentication, Authorization and Accountability, which protects the system, because someone unwanted could bypass it and enter the system if it is not implemented properly. Identification states that you are claiming something, while Authentication double-checks whether what you are claiming is true.
One of my favorite parts of this topic was the computation in Risk Analysis and ranking which risk should be prioritized the most. Risk Analysis is not only important but also very useful when you are trying to maximize the resources given for risk management. Let’s say that a certain company hired you to do a risk analysis and you should give them options on what to do about these risks. Since there are limitless combinations of risks, it is at this point that risk analysis and risk calculation are useful and important. With risk analysis, you can prioritize certain risks, and with risk calculation you can prove that a risk is a danger to the company. With such techniques used in the industry, many companies are now safe from some risks, but not all of them.
In our first group activity, all of us were able to cooperate and participate in our case study, and we finished it early, yay! It shows that all of us in our group really understood what we discussed. This topic will be a great help for us, not only for the sake of passing the subject but to really understand it by heart 😛 so it can be used in our future jobs! Yipee!!
This is my last entry for the COMSEC1 Learning Log 😦 This may be the last entry for this subject, but I know we’re going to have another learning log in COMSEC2 :)) I just hope that Sir Justin is our COMSEC2 professor next term, because there is a possibility that another professor would take the COMSEC2 subject. I like Sir Justin’s way of teaching because not only are the lessons full of knowledge, but he also demonstrates to us how to use the tools that are needed in our course. I learned many things from this course: AutoIt, which lets the user create a script that automates some programs in Windows; Reconnaissance, gathering information about the target; Nmap, a useful tool for port scanning and network scanning; and also many other tools that we tried and discussed during this course.
After these two weeks, we learned about Gaining Access and Maintaining Access. Gaining access means that you try to access your target’s system. This could be done by trying numerous techniques to bypass the system. These techniques could be the following: guessing the password, using a keylogger to capture the password, and other methods that could help extract the password information from the user. After gaining access, there are some steps to follow to maintain access to the system. This is important because if the user wants to access the system at another time, he/she should follow these steps so that he/she can still use the system. The first step is to elevate the privilege of the user’s account once you’ve gained access. The reason is that some features may be disabled at the normal user level, and some features require administrator intervention so that the feature can proceed. After the user is turned into an administrator-level account, the next step is to disable the firewall of the computer. With the firewall disabled, the attacker can now communicate with the bypassed system at any given time. At first, I thought that extracting the password from the users was difficult, but after a demonstration by Sir Justin, I saw that there is an application that can extract the contents of the password file, and the name of the tool is pwdump. We tested pwdump on a Windows XP based computer, and it successfully extracted the password hashes of the user accounts on Windows. I was excited to see the results, and I wanted to do the next step, which was converting the hash values of the passwords into readable output. Cool, right? :))
John the Ripper, a password cracker, uses the technique of hashing a guessed string of letters and numbers that could be the password and then comparing the result to the hash value of the password extracted from the password file. It repeats the process until it successfully matches the hash of a guess to the password’s hash value. After this subject, I guess I’ll still explore more of the tools used in the computer security field. Now that I have Kali Linux running in my virtual machine, I can explore the different tools inside Kali. Even though our subject is about to end, I don’t know what awaits us in our COMSEC2 class, because what we discussed here in our COMSEC1 class is just a part of a much larger definition of security in computers. I can’t wait!! 🙂 Thanks for reading 🙂
This time we had a new lesson about Understanding Hard Disks and File Systems. I didn’t even know that this lesson would be part of our Investigation course, where we handle computer parts and physical components. This is important for avoiding any tampering with the evidence, since the slightest touch or mishandling of the device may result in damage. I also learned about the parts of the hard drive and how it works 😛 One of its parts is the Platter; as I’ve read, it is a magnetic or ceramic disk that holds the actual data. Another is the Track, where track numbering happens. Track numbering begins at Track 0 and then moves toward the center of the platter. Among the parts of the hard drive there is also what we call the Sector, which is the smallest physical part. There’s also the cluster, which is the smallest allocation unit. Wait, there’s also Slack Space, which refers to the free space in the cluster; basically, it is what gets left behind, and it is only removed when it is overwritten or the disk is wiped. In addition, from what I’ve read on computerhope.com, slack space is an important form of evidence in the field of forensic investigation, because slack space can contain relevant information about a suspect that a prosecutor can use in a trial. So that’s just a part of what we discussed! 😉
In addition to this entry, I just want to share about our Final Project!!! WOOOOOO FINALLY WE’RE DONE! Our project is about BeEF (Browser Exploitation Framework). It’s so cool, I swear! #FeelingHacker Well, I will not discuss it further because I included it in my last entry! 😉 I also liked Salazar’s group’s Final Project because it’s a Social Engineering Tool wherein you could launch many different kinds of attacks like Spear Phishing, Creating a Payload and Listener, and Arduino-Based Attack Vector (WOW, flexible 😛 ) etc…
One thing that I noticed about myself is that I have a weakness that I need to conquer (lol): I’m afraid to talk and recite in class 😦 I always think that my answers are wrong. (I’m too shy to answer what my prof is asking.) But honestly, when I’m not in class, I always want to try everything that is related to security and hacking! Need to face your fears, Joanna…