Threat Tactics for Enterprise Security
Added on 2022/08/25
Running head: NETWORK INTRUSION AND SCAN DETECTION
Network Intrusion and Scan Detection
Name of the Student
Name of the University
Author Note
Table of Contents
Question 1 (Detecting reconnaissance)
  i) Data Collection and Scanning
  ii) Use of the Tools
  iii) Strategies to help collect traffic
Question 2 (Statistical Data collection)
  Session data
  Statistical Data
  Tools to Use and Configuration
Question 3 (The rest of the business)
Question 4 (Advanced persistent threats (APTs))
  Summary
References
Question 1 (Detecting reconnaissance)
i) Data Collection and Scanning
The client's present network appears to be vulnerable to insider attacks, that is, attacks conducted by rogue staff members or by members making use of the company's internal network (Cooper 2017). These attacks can include reconnaissance, vulnerability scans, deliberate attempts to disrupt specific services, and denial of service (DoS) attacks. More severe attacks can involve the theft of sensitive information belonging to the organization or its clients, and of details regarding other staff members (Mugisha and Zhou 2016). To perform the above-mentioned attacks, the members need to determine the network configuration: which hosts are up and running at the time and which ports are open.
As can be observed from the network diagram provided, the internal network of the organization already provides connections to several servers through three different routers, as well as two routers providing connections to the servers of specific departments. This forms a unified and interconnected network structure which is also connected to a cloud network. This helps the organization in scaling resources for specific
services like web, mail, FTP and other services hosted on the network. Therefore the attackers would try to collect information regarding the DNS entry and IP address of the web server, the mail domain and the user account databases. Based on this they will try to hijack web or mail sessions. Knowing the open ports through which the services are provided, the members can make use of the appropriate commands.
Since all connections to the workstations, printers and servers of a particular area pass through the routing devices, it is difficult to isolate network connections from one another, and this helps other members of the network to access the network configuration of any device. Switches can be used to impose VLANs that isolate segments, and router features such as Access Control Lists (ACLs) can block unauthorized access. Protocol analysers like Wireshark can then be used to examine the blocked connection attempts and their source IP addresses in order to identify the system being used by the rogue employee, and possibly the rogue employee themselves.
Other than this, the hardware firewalls offered by the routers can be used to form a DMZ network through which the services of only certain servers and printing devices are offered to the systems of the organization's various members. This DMZ or perimeter network can be set up to host both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) (Canfora, Pirozzi and Visaggio 2017). An Intrusion Detection System works by continuously monitoring the network traffic for reconnaissance attempts by unauthorized users, attempts to access information on other devices without permission, and activities like sniffing, spoofing and social engineering attacks (Noel and Jajodia 2017). IDS systems generate alerts for the network administrators, and the information provided helps them take appropriate action on the network threats found and the identified source of the attack (Wang 2017). Intrusion Prevention Systems (IPS) work partly like IDS systems, but instead of relaying the information to the network administrators and waiting on
the steps they take, IPS systems proactively deal with the specific type of network breach and try to prevent further damage by blocking the network traffic or terminating the threat immediately.
Hence, the implementation of IDS, IPS, VLANs and ACLs is important, because by gaining network configuration details the rogue members can learn about the domains being hosted and the services being offered (Yeo, Che and Lakkaraju 2017). They will then run appropriate operating systems like Kali Linux on virtual machines and target these networks. The popular tools they use for this from that OS are:
- Nmap
- Zenmap
- Metasploit (MSF/Armitage)
- Social Engineering Toolkit
ii) Use of the Tools
The operating system that attackers from inside the organization's network mainly use to conduct network attacks is Kali Linux (Barrère and Lupu 2017). It is a Debian-based Linux distribution. However, the attackers do not usually install the OS directly. In general, they use a Windows-based platform as their main operating system and run Kali Linux in a virtual machine such as VMware or VirtualBox, which requires the AVX instruction sets of the CPU to be enabled. While installing Kali Linux in applications like VMware, they ensure certain configurations are applied. This involves choosing the specific mirrors from which they obtain most of the tools they require to perform the attacks. These mirror links are listed in the sources.list file located at /etc/apt/sources.list. Sample mirrors configured in this file can be the following:
deb http://http.kali.org/kali kali-rolling main contrib non-free
# deb-src http://http.kali.org/kali kali-rolling main contrib non-free
The latter, commented-out line is used for accessing files from the source packages. Kali Linux is the preferred operating system for attackers as it comes pre-installed with most of the popular applications for penetration testing and active reconnaissance. One of the key tools mentioned earlier is nmap; as part of active reconnaissance, attackers need to know the IP addresses of the host machines on the target network (Chan and De Souza 2017). As these attackers are primarily rogue members conducting insider attacks, they already know the major network, or even the subnets of the specific network segments, used by the company. The nmap command they can use to identify the IP addresses of the host machines is:
$ nmap -sP 192.168.1.0/24
Executing the command lists the host IP addresses and the latency taken to identify them. Zenmap is another tool which can be of great help, as they only need to specify the network after the term nmap and click on scan. This shows them all the hosts of the target network, the open ports in use and the network topology of how the hosts of the target network are interconnected.
Metasploit is another very useful tool which offers both a CUI and a GUI to the attackers, through msf and Armitage respectively. In Armitage, the attacker can simply browse to and select the nmap scan, specify the target network and run the scan. This lists the hosts that are up. The attackers can then use Find Attacks to discover vulnerabilities for each of the hosts. Based on the vulnerabilities identified, the attackers then select the appropriate exploit from a list suggested to them by the application.
iii) Strategies to help collect traffic
In a network like the one used by the company, the volume of network traffic is so high that a variety of measures need to be applied. The network analysts need to define the events generated in their network and keep expanding that definition, analysing events from all aspects in order to understand why some changes in events are unexpected. Such changes in the network are not always malicious. An example of a benign change is the addition of a new service to the network, which requires security rules to be set for protecting the new service. A model of the network's behaviour needs to be set up so that the network traffic can be analysed against this model and any deviations in the traffic identified. Although many changes are benign, there can always be malicious changes such as scanning of the network, intrusion attempts or even cross-site scripting against web-based services. This is why a strategic method of collecting data about the network traffic is extremely important for companies operating large networking infrastructures and offering a variety of connections and services. There are several applications that can help the network analysts monitor network traffic and analyse the logs of connection attempts made from one host to another. As mentioned earlier, these applications are called protocol analysers, while systems like IDS can be configured to detect changes and anomalies on the network.
Question 2 (Statistical Data collection)
Session data
Networking sessions are a simple means of storing information about a particular user by means of the unique session ID assigned to them (Tsudik, Uzun and Wood 2016). This session data makes it possible to keep logs and records even as the user browses through different pages of the company website. The unique session ID for a
particular user is usually sent to the browser by means of a session cookie (Baitha and Vinod 2018). This session ID then helps in retrieving the existing data of the specific session. Whenever a session ID or the corresponding cookie is not present, the PHP code becomes aware that a new session needs to be created, and a new session ID is generated.
A session is thus a summary of a conversation between two host devices. It represents the flow of data, or stream of bilateral network traffic, that is the exchange of information between two systems. The seven key elements of a session are:
- Timestamp
- Protocol used
- IP address of the source host
- Ports used by the source host for specific protocols (TCP, SCTP and UDP)
- IP address of the destination host
- Ports used by the destination host
The Snort intrusion detection system is able to identify suspicious or malicious activity by inspecting the network traffic. Snort conducts judgement-based analysis and notifies the operator of its decision by generating specific alerts. The alert output is thus based on a collect-inspect-report process. Though this is a good method of generating alerts, it has a major flaw: in many configurations Snort is never asked to report on network traffic that it considers normal. Without such reporting, not all suspicious and malicious network activity can be identified; yet reporting on a packet-by-packet basis, where every network packet is brought to the operator's attention, is not possible in several situations. This requires the analysts to maintain a
log of the network traffic and to monitor the information thoroughly, to ensure that the services the sessions provide are protected.
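The session records and deviation-from-baseline analysis described in the "Strategies to help collect traffic" and "Session data" passages above, as an added example that is not part of the original report: it parses constructed session lines into the key elements listed above, keeps per-source descriptive statistics over all traffic (including the normal traffic an alert-only Snort configuration would not report), and flags a source whose fan-out within a time window deviates from the baseline. The log line format, the thresholds and the addresses are assumptions made for this example.

```python
"""
Session-record collection and scan detection over constructed session lines.
Constructed example for this page; not code from the original report or from
any tool it names. The log format is an assumption:
    "<ISO timestamp> <PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    """The key elements of a session listed above (one timestamp per record)."""
    timestamp: datetime
    proto: str
    src_ip: str
    src_port: int   # 0 for protocols without ports (ICMP)
    dst_ip: str
    dst_port: int


def parse_session(line: str) -> Session:
    """Parse one session line in the assumed format into a Session record."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Session(datetime.fromisoformat(ts), proto, src_ip, int(src_port),
                   dst_ip, int(dst_port))


def summarize(sessions):
    """Descriptive per-source statistics: session count, distinct destination
    hosts and distinct destination ports. Every session is counted, including
    'normal' traffic that an alert-only IDS would never report."""
    acc = defaultdict(lambda: {"sessions": 0, "hosts": set(), "ports": set()})
    for s in sessions:
        e = acc[s.src_ip]
        e["sessions"] += 1
        e["hosts"].add(s.dst_ip)
        e["ports"].add(s.dst_port)
    return {src: {"sessions": e["sessions"], "dst_hosts": len(e["hosts"]),
                  "dst_ports": len(e["ports"])} for src, e in acc.items()}


def detect_scans(sessions, window=timedelta(seconds=60),
                 host_threshold=10, port_threshold=10):
    """Flag sources whose fan-out within a sliding time window deviates from
    the baseline model: many distinct destination hosts (a host sweep, the
    pattern a ping sweep leaves) or many distinct ports on one host (a port
    scan). The thresholds are assumptions to be tuned against the real baseline."""
    by_src = defaultdict(list)
    for s in sorted(sessions, key=lambda s: s.timestamp):
        by_src[s.src_ip].append(s)
    findings = defaultdict(set)
    for src, recs in by_src.items():
        start = 0
        for end, rec in enumerate(recs):
            # shrink the window from the left so it spans at most `window`
            while rec.timestamp - recs[start].timestamp > window:
                start += 1
            win = recs[start:end + 1]
            if len({r.dst_ip for r in win}) >= host_threshold:
                findings[src].add("host-sweep")
            ports_per_host = defaultdict(set)
            for r in win:
                ports_per_host[r.dst_ip].add(r.dst_port)
            if any(len(p) >= port_threshold for p in ports_per_host.values()):
                findings[src].add("port-scan")
    return {src: sorted(labels) for src, labels in findings.items()}


def build_sample_lines():
    """Constructed session log: one benign workstation, one host sweep and one
    port scan. The private addresses are invented for this example."""
    base = datetime(2022, 8, 25, 10, 0, 0)
    lines = []
    for i in range(5):  # benign: a few HTTPS sessions to the web server
        lines.append(f"{(base + timedelta(seconds=7 * i)).isoformat()} TCP "
                     f"192.168.1.50:{51000 + i} -> 192.168.1.10:443")
    for i in range(1, 13):  # host sweep: 12 hosts touched in 12 seconds
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} ICMP "
                     f"192.168.1.77:0 -> 192.168.1.{i}:0")
    probe_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389]
    for i, port in enumerate(probe_ports):  # port scan of the mail server
        lines.append(f"{(base + timedelta(seconds=30 + i)).isoformat()} TCP "
                     f"192.168.1.88:{40000 + i} -> 192.168.1.20:{port}")
    return lines


if __name__ == "__main__":
    sessions = [parse_session(line) for line in build_sample_lines()]
    for src, stats in summarize(sessions).items():
        print(src, stats)
    print(detect_scans(sessions))
```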
Statistical Data
Statistical analysis of network data primarily involves the analysis of network streams, packets or the exchange of data over the network interconnect between one system and another. From a statistical aspect, various canonical activities and the different issues that arise need to be addressed, and they can cater to areas of differing specialities. In statistical data, vertical depth is achievable through analysis of the problems and pursuit of solutions via this perspective alone.
The various issues that can arise here are listed below:
- Mapping of the network
- Characterization of the network
- Sampling of the network
- Network inference
- Processes involved
Among the problems listed, network mapping and network characterization mix well with one another. These involve descriptive statistics about the network and comprise about two-thirds of the activities performed in this area. Network mapping requires producing a network-oriented visualization of the overall digital infrastructure of a company. Network graphs measure the direct declaration of edge and non-edge status. Generally these edges are dictated by comparisons of similarity and threshold metrics, as well as by voting among the routers and I-net.
The general issues that can arise from statistical data analysis concern the different kinds of measurements, for example binary measurements. This can influence the quality of information
contained in the underlying relation. There are also issues regarding the view of the network represented, by analogy with spatial statistics, about whether it is full or partial. The number of samples generated and the misses are the other important issues. This is coupled with the challenge of understanding the relations in the data and their complex dependencies. This makes an accurate approach to analysing statistical data extremely important.
Tools to Use and Configuration
As already mentioned, protocol analysers like Wireshark and Microsoft Message Analyser are exceptional tools for providing detailed logs of the information contained in the network packets traversing specific network segments and interfaces, and of the different activities they correspond to. These tools can also be used to view TCP graphs and a visual representation of the hops involved in a transmission. Therefore these tools, along with the built-in Windows firewall, are enough for the network analysts to monitor the network from the software side. On the hardware side, systems like IDS need to be implemented, coupled with enabling the firewall services offered by the routers and possibly using them to set up a DMZ or perimeter network.
For the attackers, most of the tools used to obtain session and statistical data already come pre-installed in the Kali Linux operating system. For example, nmap offers a long list of options to obtain the session details of a particular network. These can be viewed by entering the command nmap -h in the terminal window. Zenmap is another application that can use nmap commands and a variety of scans to obtain statistical information such as the network topology of the target network chosen by the attacker. Attackers can also run inSSIDer, a free-to-use application for wardriving to pick up vulnerable wireless networks around the campus and office premises of the organization. The attackers can then use the wireless access points (APs) of these vulnerable wireless networks as rogue APs. The application also provides detailed
information to attackers regarding the type of security mechanisms and encryption modes
being used by wireless networks so that they can apply suitable exploits to penetrate the
networks.
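The same wireless survey data that the paragraph above describes attackers collecting can be put to defensive use. The following Python example is added here and is not part of the original report: it checks a site survey against an inventory of authorized access points. An observed BSSID that broadcasts a corporate SSID but is not in the inventory is flagged as a possible rogue AP, and any network still using open, WEP or original WPA security is flagged as weak. The survey records, the SSID names and the AUTHORIZED_APS inventory are all constructed for illustration.

```python
"""Flag rogue access points and weak wireless security from a site survey.

Added example, not from the original report. The survey records below are
constructed; a real survey would come from a wireless scanner export.
"""
from dataclasses import dataclass

# Constructed: BSSIDs the organization actually operates, keyed by SSID.
AUTHORIZED_APS = {
    "CorpNet": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "CorpGuest": {"aa:bb:cc:00:00:03"},
}

# Security modes that should not be accepted on a corporate network.
WEAK_SECURITY = {"OPEN", "WEP", "WPA"}


@dataclass(frozen=True)
class APRecord:
    ssid: str
    bssid: str
    security: str      # e.g. "OPEN", "WEP", "WPA", "WPA2", "WPA3"
    signal_dbm: int


def parse_survey(lines):
    """Parse 'ssid,bssid,security,signal' lines (constructed CSV-like format)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, security, signal = [f.strip() for f in line.split(",")]
        records.append(APRecord(ssid, bssid.lower(), security.upper(), int(signal)))
    return records


def classify(record):
    """Return the findings for one observed AP (empty list = nothing to flag)."""
    findings = []
    if record.ssid in AUTHORIZED_APS and record.bssid not in AUTHORIZED_APS[record.ssid]:
        # Our SSID, but a BSSID we do not operate: classic rogue / evil-twin sign.
        findings.append("rogue_ap_spoofing_corporate_ssid")
    if record.security in WEAK_SECURITY:
        findings.append(f"weak_security_{record.security.lower()}")
    return findings


def audit_survey(lines):
    """Map each flagged BSSID to its findings; APs with no findings are omitted."""
    return {r.bssid: classify(r) for r in parse_survey(lines) if classify(r)}


# Constructed sample survey: two legitimate CorpNet APs, the guest AP, an open
# AP that copies the corporate SSID, and a neighbouring WEP network.
SAMPLE_SURVEY = """
# ssid,bssid,security,signal_dbm
CorpNet,AA:BB:CC:00:00:01,WPA2,-45
CorpNet,AA:BB:CC:00:00:02,WPA2,-60
CorpGuest,AA:BB:CC:00:00:03,WPA2,-50
CorpNet,DE:AD:BE:EF:00:01,OPEN,-40
CoffeeShop,11:22:33:44:55:66,WEP,-80
""".splitlines()

if __name__ == "__main__":
    for bssid, findings in audit_survey(SAMPLE_SURVEY).items():
        print(bssid, findings)
```

The neighbouring WEP network is reported only as weak, not as rogue, because it does not claim a corporate SSID; the open AP that does claim one is the record that warrants a physical search of the premises.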
Question 3 (The rest of the business)
ITSM stands for IT Service Management, a concept that has enabled organizations to
maximize business value by making use of information technology (IT). ITSM positions IT
services as the key means of delivering and obtaining value, where internal and external IT
service providers work together with the business customers (in this case the company) while
also taking responsibility for the associated risks and costs. ITSM operates throughout the
entire lifecycle of the services offered, from strategy and design through transition to live
operation.
To ensure that the quality of the IT services offered over the company networks can be
sustained, ITSM establishes a set of practices and processes that constitute a service
management system. Different types of standards exist (national, international and industry
standards) for the management of IT services, setting out requirements as well as good
practices for managing the overall system. The company is recommended to integrate an IDS
into its network, and the ITSM services should be used accordingly to generate the best
result.
The principles on which ITSM is based are a focus on value and continuous improvement.
This involves not only a set of processes but also a cultural mindset for ensuring that the
desired outcomes for the network services of the particular business are achieved. It draws on
the principles and practices of different management methods, such as change management
in the organization, lean manufacturing, systems analysis and risk management. Since an IDS
involves the generation
of alerts for specific services and changes, both benign and malicious, procedures for dealing
with these alerts must be part of the ITSM services implemented.
The ITIL framework is the most widely accepted and encouraged standard for
knowledge regarding the implementation of ITSM-based services (Kumar, Selamat and
Hassan 2018). ITIL provides the definitions for ITSM-based services (Ciesielska 2017). This
covers the management and implementation of IT services whose quality meets the needs of
the business in question. It also states that IT service management needs to be performed by
the IT service vendors through an appropriate mix of people, processes and IT. ITIL, in other
words, offers a best-practice framework and thereby provides guidance on how the delivery of
ITSM should be performed (Cusick 2020). Although multiple frameworks and standards exist
for describing the management of IT services, ITIL is regarded as the ideal and is the most
widely applied and preferred framework across the globe.
ITIL has advanced a long way from simply delivering services and can now be referred
to for ensuring end-to-end delivery of services (Orta and Ruiz 2019). The most up-to-date
ITIL framework is ITIL 4, which is the framework the company should refer to so that serving
their customers remains a key element of the services offered to them through the
value-creating process (Imroz 2019). ITIL 4 focuses on facilitating the co-creation of value
through the Service Value System (SVS) and service relationships. The SVS presents the
means by which the multiple components and activities of the company network can be
integrated so that the network is able to add value through the IT-based services it offers to
customers. The service value chain is known for its flexibility and can be applied to different
ways of working, including dedicated teams for product-focused delivery, combined
development and IT operations teams (DevOps), and IT support (Zhu, Bass and
Champlin-Scharff 2016). The importance of how adaptable the value
chain of the organization is lies in how well it can respond to changing demands from various
stakeholders through both effective and efficient means. Precisely because the IDS also
generates alerts for benign changes to the network, such as making new services available to
users and setting security policies to protect them, the company must draft its policies based
on the ITIL framework (Iden and Eikebrokk 2017). These policies must be drafted so that the
security policies configured for changes detected by the IDS, and the way network analysts
deal with IDS alerts, do not negatively affect the value delivered to the intended customers in
any way (Ibrahim and Gajin 2017). From the suggested use of ITIL to ensure ITSM services,
it follows that the Service Value System part of the ITIL framework is what applies most
importantly to this company (Alqahtani 2017). The IT teams most likely to be affected are the
network analysts, network administrators and the development team tasked with making the
newer services available.
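The report's point that IDS alerts are raised for approved changes as well as for attacks can be handled by linking alert triage to the change-management records that ITIL prescribes. The following Python example is added here and is not part of the original report or of any IDS or ITSM product: it matches constructed "new service" alerts against a constructed list of approved change windows (host, port and time range) and labels each alert either as an expected change, carrying the change identifier for the analyst, or as one to investigate. The alert line format, the change-record fields and the CHG identifiers are assumptions.

```python
"""Correlate IDS 'new service' alerts with approved change records.

Added example, not from the original report. The alert and change-record
formats below are constructed; they are not Snort/Suricata or ITIL tool output.
"""
from datetime import datetime

# Constructed: approved changes from the change-management process
# (host, port and approved window). In ITIL terms these are authorized RFCs.
APPROVED_CHANGES = [
    {"change_id": "CHG-0001", "host": "10.0.1.20", "port": 443,
     "start": "2022-03-01T09:00", "end": "2022-03-01T12:00"},
    {"change_id": "CHG-0002", "host": "10.0.1.30", "port": 8080,
     "start": "2022-03-02T22:00", "end": "2022-03-03T02:00"},
]

# Constructed IDS alert lines: timestamp|alert_type|host|port
SAMPLE_ALERTS = [
    "2022-03-01T10:15|NEW_SERVICE|10.0.1.20|443",   # inside the CHG-0001 window
    "2022-03-01T13:30|NEW_SERVICE|10.0.1.20|443",   # same service, window already closed
    "2022-03-02T23:05|NEW_SERVICE|10.0.1.30|8080",  # inside the CHG-0002 window
    "2022-03-02T23:10|NEW_SERVICE|10.0.1.99|4444",  # no change record at all
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


def parse_alert(line):
    """Split one constructed alert line into its fields."""
    ts, kind, host, port = line.split("|")
    return {"time": _ts(ts), "type": kind, "host": host, "port": int(port)}


def matching_change(alert, changes=APPROVED_CHANGES):
    """Return the approved change covering this alert's host, port and time, or None."""
    for change in changes:
        if (change["host"] == alert["host"] and change["port"] == alert["port"]
                and _ts(change["start"]) <= alert["time"] <= _ts(change["end"])):
            return change
    return None


def triage(alert_lines, changes=APPROVED_CHANGES):
    """Label each alert 'expected_change' (with its change id) or 'investigate'.

    Expected-change alerts are labelled, not dropped, so the record of what
    appeared on the network during a change window is kept for later review.
    """
    results = []
    for line in alert_lines:
        alert = parse_alert(line)
        change = matching_change(alert, changes)
        if change:
            results.append((line, "expected_change", change["change_id"]))
        else:
            results.append((line, "investigate", None))
    return results


if __name__ == "__main__":
    for line, label, change_id in triage(SAMPLE_ALERTS):
        print(label, change_id or "-", line)
```

Only the host, port and time on record clear an alert, so the second alert (the same service reappearing after its window closed) and the fourth (a port nobody requested) are routed to the analysts, and the handling of both classes can be written into the ITSM procedure the report calls for.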
ITIL continues to evolve as a knowledge framework, and its core publications are
amended based on case studies, existing guidance, paper-based discussions and
supplementary content (Verlaine, Jureta and Faulkner 2016). This is helping companies
address evolving best practices and mechanisms like DevOps and helping practitioners
combine ITIL with other options like COBIT and IT4IT (Akershoek 2016). The company is
therefore recommended to always refer to the latest framework available.
Question 4 (Advanced persistent threats (APTs))
Summary
The effectiveness of the security measures suggested to the company depends entirely
on how well they are able to implement the Intrusion Detection System (IDS) and Intrusion
Prevention System (IPS). The implementation of an IDS is never a
straightforward process. The rules and specifications for detecting the nature of changes to
the network depend directly on how the services provided to customers could be affected.
Because of these rules and specifications, a variety of false positives and false negatives can
arise. False positives will lead to the IPS blocking traffic to genuine services, while false
negatives will allow attackers and malicious services to expand their presence throughout the
network.
The types of testing that therefore need to be conducted include smoke testing, system
testing and user acceptance testing (UAT) (Loss, Ciriello and Cito 2019). For this the company
needs to summarize the business and functional requirements and develop a test plan and test
scenarios. Based on these, the test cases need to be designed. To ensure security and
effectiveness, the test cases must also include negative test cases, so that no service is found
vulnerable and left exploitable by an attacker.
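The trade-off between false positives and false negatives described above, and the need for both positive and negative test cases, can be made concrete by running a detection rule over labelled traffic. The following Python example is added here and is not code from the original report: a constructed set of flow records is labelled by a hypothetical test plan as scan (positive cases) or benign (negative cases), a simple rule alerts when a source contacts more than a threshold of distinct ports on a destination, and the confusion matrix for two threshold values shows which cases each setting gets wrong. The IP addresses, ports and the rule itself are constructed.

```python
"""Measure false positives and false negatives of a port-scan rule.

Added example, not from the original report. The flow records, labels and
threshold rule are constructed to show how a rule's setting trades false
positives (benign sources an IPS would block) against false negatives
(scans that are missed).
"""
from collections import defaultdict

# Constructed labelled flows: (src_ip, dst_ip, dst_port, label).
# The label is the ground truth assigned by the test plan.
FLOWS = [
    # Positive test case: one host probing ten ports on the same target.
    *[("10.0.5.7", "10.0.1.20", p, "scan")
      for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)],
    # Positive test case: a narrower probe touching only four ports.
    *[("10.0.5.8", "10.0.1.20", p, "scan") for p in (22, 80, 443, 8080)],
    # Negative test case: an ordinary client using web and mail.
    *[("10.0.2.10", "10.0.1.20", p, "benign") for p in (80, 443, 443, 80, 993)],
    # Negative test case: a monitoring server polling six service ports.
    *[("10.0.3.5", "10.0.1.20", p, "benign")
      for p in (22, 80, 443, 3306, 5432, 8080)],
]


def distinct_ports(flows):
    """Number of distinct destination ports seen per (src, dst) pair."""
    seen = defaultdict(set)
    for src, dst, port, _ in flows:
        seen[(src, dst)].add(port)
    return {pair: len(ports) for pair, ports in seen.items()}


def ground_truth(flows):
    """Label per (src, dst) pair, as assigned by the test plan."""
    return {(src, dst): label for src, dst, _, label in flows}


def evaluate_rule(flows, threshold):
    """Rule: alert when a source touches more than `threshold` distinct ports.

    Returns a confusion matrix counted over (src, dst) pairs.
    """
    counts = distinct_ports(flows)
    truth = ground_truth(flows)
    matrix = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for pair, n_ports in counts.items():
        alerted = n_ports > threshold
        is_scan = truth[pair] == "scan"
        if alerted and is_scan:
            matrix["tp"] += 1      # scan caught
        elif alerted:
            matrix["fp"] += 1      # benign source that an IPS would block
        elif is_scan:
            matrix["fn"] += 1      # scan that slipped through
        else:
            matrix["tn"] += 1
    return matrix


def failing_test_cases(flows, threshold):
    """Test cases whose expected alert outcome differs from the rule's actual one."""
    counts = distinct_ports(flows)
    truth = ground_truth(flows)
    return sorted(pair for pair, n_ports in counts.items()
                  if (n_ports > threshold) != (truth[pair] == "scan"))


if __name__ == "__main__":
    for threshold in (3, 6):
        print(threshold, evaluate_rule(FLOWS, threshold),
              failing_test_cases(FLOWS, threshold))
```

At threshold 3 the rule catches both scans but also alerts on the monitoring server, which is exactly the genuine traffic an IPS would then block; at threshold 6 the monitoring server passes but the narrower four-port probe is missed. The list of failing cases is what the negative and positive test case report for the rule would contain.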
The testers conducting the testing process must include people with knowledge of
networking, IT administration and operating Linux-based operating systems, as well as of
conducting penetration tests themselves. There should be different testing groups for testing
each network segment, in particular one for each department in each building of the company,
as well as a group for testing the overall network, preferably located at the HQ. These testers
are expected to perform the tests once the full-fledged services are being hosted by the
company network with all the suggested security measures in place.
Since the testers are expected to have thorough knowledge of networking and of
operating Linux-based systems, the company should verify that the testers possess two
important certifications (Quisumbing 2019). These certifications are the CCNA certification
for networking and the Red Hat certification for Linux (Khan, Davis and
Behr 2016). The company should not stop there but should also check that the testers are able
to make practical use of the knowledge gained from these certifications.
Advanced Persistent Threat (APT) is a broad term for network attacks in which an
intruder, or a group of intruders, successfully establishes a long-term unauthorized presence
on the network in the hope of collecting highly sensitive information (Ahmad et al. 2019).
The consequences can include leaks of intellectual property and sensitive information,
sabotage and hijacking of websites (Marchetti et al. 2016). The only ways to prevent an APT
from existing in the company network are careful monitoring of network traffic, whitelisting
of domains and applications, access control rules, and patching applications and the OS with
the latest security hotfixes (Ghafir et al. 2018).
When attackers attempt to execute an APT attack, the process requires considerably more
resources than any of the usual web application attacks (Zou et al. 2020). Here the attackers
are experienced in performing cybercrime activities and generally also possess sufficient
financial backing. APT attacks can also be government funded and used as weapons for
cyber warfare.
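Two of the APT countermeasures listed above, careful monitoring of network traffic and whitelisting of domains, can be combined in one check. The following Python example is added here and is not from the original report: over constructed outbound DNS/proxy log lines it first lists every domain that is not on a constructed allowlist, then looks for hosts that contact an unlisted domain repeatedly at near-constant intervals, the kind of long-lived scheduled communication that distinguishes an established presence from a one-off visit. The host names, domains, allowlist, log format and jitter threshold are all assumptions.

```python
"""Domain allowlist check and long-lived beacon detection over outbound logs.

Added example, not from the original report. The allowlist and log lines are
constructed; each line is 'YYYY-mm-ddTHH:MM:SS host domain'.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed allowlist of domains the company's hosts are permitted to reach.
ALLOWED_DOMAINS = {
    "www.example.org", "mail.example.org", "updates.example-vendor.com",
}

# Constructed log: ws-42 contacts one unlisted domain once an hour, for hours.
SAMPLE_LOG = """
2022-03-01T08:00:00 ws-17 www.example.org
2022-03-01T08:00:05 ws-17 updates.example-vendor.com
2022-03-01T08:00:10 ws-17 cdn.unlisted-but-benign.example
2022-03-01T09:00:00 ws-42 beacon-target.example
2022-03-01T10:00:01 ws-42 beacon-target.example
2022-03-01T11:00:00 ws-42 beacon-target.example
2022-03-01T12:00:02 ws-42 beacon-target.example
2022-03-01T13:00:00 ws-42 beacon-target.example
2022-03-01T13:05:00 ws-42 mail.example.org
""".strip().splitlines()


def parse_log(lines):
    """Group contact times by (host, domain)."""
    events = defaultdict(list)
    for line in lines:
        ts, host, domain = line.split()
        events[(host, domain)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"))
    return events


def unlisted_domains(events):
    """Domains contacted that are not on the allowlist (first line of triage)."""
    return sorted({domain for (_, domain) in events if domain not in ALLOWED_DOMAINS})


def is_periodic(times, min_contacts=4, max_jitter=0.1):
    """True when at least min_contacts contacts are evenly spaced in time.

    Regularity is measured as stdev/mean of the gaps between contacts: a person
    browsing does not produce near-constant gaps, a scheduled beacon does.
    """
    if len(times) < min_contacts:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg == 0:
        return False          # all contacts at the same instant: not a schedule
    return pstdev(gaps) / avg <= max_jitter


def find_beacons(lines):
    """(host, domain) pairs that reach an unlisted domain on a regular schedule."""
    events = parse_log(lines)
    return sorted(pair for pair, times in events.items()
                  if pair[1] not in ALLOWED_DOMAINS and is_periodic(times))


if __name__ == "__main__":
    print("unlisted:", unlisted_domains(parse_log(SAMPLE_LOG)))
    print("beacons:", find_beacons(SAMPLE_LOG))
```

The allowlist comparison alone produces noise (the benign CDN domain appears as well), so the periodicity test narrows the list to the one host and domain pair worth investigating; in practice the allowlist would be enforced on the proxy or resolver and the periodicity check run over the traffic that was still permitted.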
References
Ahmad, A., Webb, J., Desouza, K.C. and Boorman, J., 2019. Strategically-motivated advanced persistent threat: Definition, process, tactics and a disinformation model of counterattack. Computers & Security.
Akershoek, R., 2016. IT4IT for Managing the Business of IT. Van Haren Publishing.
Alqahtani, A.S., 2017. Critical Success Factors in Implementing ITIL in the Ministry of Education in Saudi Arabia: An Exploratory Study. International Journal of Advanced Computer Science and Applications, 8(4), pp.230-240.
Baitha, A.K. and Vinod, S., 2018. Session Hijacking and Prevention Technique. International Journal of Engineering & Technology, 7(2.6), pp.193-198.
Barrère, M. and Lupu, E.C., 2017, October. Naggen: A network attack graph generation tool (IEEE CNS 17 poster). In 2017 IEEE Conference on Communications and Network Security (CNS) (pp. 378-379). IEEE.
Canfora, G., Pirozzi, A. and Visaggio, A., 2017. s2ipt: A Lightweight Network Intrusion Detection/Prevention System based on IPtables. In SECRYPT (pp. 462-467).
Chan, K.F.P. and De Souza, P., 2017. Transforming network simulation data to semantic data for network attack planning. In ICMLG 2017 5th International Conference on Management Leadership and Governance (p. 74). Academic Conferences and Publishing Limited.
Ciesielska, M., 2017. Implementation of ITIL Service Lifecycle in small and medium-sized enterprises of Polish ICT sector. Information Systems in Management, 6.
Cooper, A., 2017. Experiments with Applying Artificial Immune System in Network Attack Detection.
Cusick, J.J., 2020. Business Value of ITSM. Requirement or Mirage? arXiv preprint arXiv:2001.00219.
Ghafir, I., Hammoudeh, M., Prenosil, V., Han, L., Hegarty, R., Rabie, K. and Aparicio-Navarro, F.J., 2018. Detection of advanced persistent threat using machine-learning correlation analysis. Future Generation Computer Systems, 89, pp.349-359.
Ibrahim, J. and Gajin, S., 2017. SDN-based intrusion detection system. Infoteh Jahorina, 16, pp.621-624.
Iden, J. and Eikebrokk, T.R., 2017. The adoption of ITIL in the Nordic Countries: exploring regional differences.
Imroz, S.M., 2019. A Qualitative Case Study Identifying Metrics for ITIL Request Fulfillment Process: Perspectives of an Information Technology Service Provider Group. Journal of Organizational Psychology, 19(4).
Khan, T.U.R., Davis, P. and Behr, F.J., 2016. A Framework for an Open Source Geospatial Certification Model. The International Archives of Photogrammetry, Remote Sensing and Spatial Information Sciences, 41, p.57.
Kumar, S., Selamat, H. and Hassan, N.H., 2018. A Review of Information Technology Service Management (ITSM) Framework for Financial Regulatory Body. Open International Journal of Informatics (OIJI), pp.33-34.
Loss, S., Ciriello, R.F. and Cito, J., 2019, May. Beware of disengaged user acceptance in testing software-as-a-service. In 2019 IEEE/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion) (pp. 298-299). IEEE.
Marchetti, M., Pierazzi, F., Colajanni, M. and Guido, A., 2016. Analysis of high volumes of network traffic for advanced persistent threat detection. Computer Networks, 109, pp.127-141.
Mugisha, S. and Zhou, H.J., 2016. Identifying optimal targets of network attack by belief propagation. Physical Review E, 94(1), p.012305.
Noel, S. and Jajodia, S., 2017. A suite of metrics for network attack graph analytics. In Network Security Metrics (pp. 141-176). Springer, Cham.
Orta, E. and Ruiz, M., 2019. Met4ITIL: A process management and simulation-based method for implementing ITIL. Computer Standards & Interfaces, 61, pp.1-19.
Quisumbing, L.A., 2019. Predicting Student Performance in a Computer Network Certification Program: using the J48 Algorithm. Indian Journal of Science and Technology, 12, p.24.
Tsudik, G., Uzun, E. and Wood, C.A., 2016, January. AC3N: Anonymous communication in content-centric networking. In 2016 13th IEEE Annual Consumer Communications & Networking Conference (CCNC) (pp. 988-991). IEEE.
Verlaine, B., Jureta, I. and Faulkner, S., 2016, May. How Can ITIL and Agile Project Management Coexist? In International Conference on Exploring Services Science (pp. 327-342). Springer, Cham.
Wang, L., 2017. Big Data in intrusion detection systems and intrusion prevention systems. J Comput Netw, 4(1), pp.48-55.
Yeo, L.H., Che, X. and Lakkaraju, S., 2017. Understanding Modern Intrusion Detection Systems: A Survey. arXiv preprint arXiv:1708.07174.
Zhu, L., Bass, L. and Champlin-Scharff, G., 2016. DevOps and its practices. IEEE Software, 33(3), pp.32-34.
Zou, Q., Singhal, A., Sun, X. and Liu, P., 2020, March. Automatic Recognition of Advanced Persistent Threat Tactics for Enterprise Security. In Proceedings of the Sixth International Workshop on Security and Privacy Analytics (pp. 43-52).