Chapter 7. Intrusions, Attacks, and Countermeasures

OBJECTIVES

This chapter covers the following TruSecure-specified objectives for the TICSA exam:

Identify and explain basic malicious code threats and common defensive mechanisms.

  • This exam objective ensures that you have an understanding of the specific malicious code threats that exist in modern computing environments. Knowledge of the offensive mechanisms used by malicious individuals is essential to the construction and maintenance of effective defense mechanisms.

Describe, recognize, or select good intrusion detection methodologies, applications and disaster recovery, and forensic practices.

  • The second objective covered in this chapter ensures that you're familiar with the appropriate procedures to follow after a security incident takes place. It's important to have a good understanding of the technical and legal implications of your actions to ensure that you do not destroy or taint potential sources of evidence.

OUTLINE

  • Introduction

  • Attack Methods and Countermeasures
    • Malicious Code
      • Viruses
      • Worms
      • Trojan Horses
      • Logic Bombs
      • Countermeasures
    • Buffer Overflow Attacks
      • CGI and Web Code
      • Operating System Components
      • Countermeasures
    • Denial-of-Service Attacks
      • Smurf
      • SYN Floods
      • Land
      • Teardrop
      • Countermeasures
    • Network Reconnaissance
      • IP Sweep
      • Port Scans
      • Signature Detection
      • Countermeasures
    • Hacker Tools
      • Dictionary Attacks
      • Network Sniffers
      • Back Doors
      • Rootkits
      • Security Toolkits
      • Countermeasures
    • Physical/Human Attacks
      • Dumpster Diving
      • Fake System Administrators
      • Physical Assault
      • Countermeasures

  • Incident Basics
    • Types of Incidents
    • General Incident-Handling Principles
      • Identify the CIRT Team
      • Declare an Incident
      • Contain the Incident
      • Eradicate the Problem
      • Recover the Affected System(s)
      • Review the Lessons Learned
    • Handling Specific Incidents
      • Web Server Attacks
      • Virus Attacks
      • Firewall or IDS Alerts
      • Unauthorized Modification of Files
      • Unauthorized Application Execution

  • Computer Data Forensics
    • The Investigative Process
    • Collecting Evidence
    • Limitations of Evidence Collection
    • Maintaining the Chain of Evidence
    • Procedures for Analyzing Evidence
    • Reporting the Findings to Prosecutors

STUDY STRATEGIES

  • The TICSA exam may contain detailed questions on some of the more common malicious code threats (such as worms, viruses, and Trojan horses). When you're studying these sections, pay particular attention to the definitions and review the Key Terms at the end of the chapter prior to taking the exam.

  • It's not likely that you'll see questions asking you to provide detailed explanations of specific vulnerabilities in the TCP/IP protocol (such as SYN flooding and Smurf attacks). However, you may find exam items that describe an exploit and ask you to provide an appropriate countermeasure. Therefore, when you're reviewing these sections, don't simply attempt to memorize the specific attacks presented in this book—take the time to understand the theory behind the attacks. This helps you develop threat-analysis skills that will assist you both on the TICSA exam and in real life.
