1. One of the biggest legal clients of Snow, Sleet, and Hale is an energy company that runs an oil pipeline across the Alaskan wilderness. Recently, a group of anti-globalization protesters traveled cross-country to a remote part of the pipeline and sabotaged it, then made the resulting oil spill public. Snow, Sleet, and Hale are handling the lawsuit against the protest group for property damage and cleanup costs. At the same time, they are trying to press criminal charges and handle the public relations disaster while the energy company cleans up the oil spill. Because of the law firm's involvement and public exposure in this case, protesters from various anti-globalization groups around the world have started attacking the law firm's servers. You have just noticed this activity.

What do you think the protesters' goals are in attacking the systems?

Based on my assumptions, I'd suspect that the purpose behind the attack on the law firm's servers is to destroy or manipulate evidence that could lead to the prosecution of the protesters for the damage they have done to the pipeline. A more accurate determination could likely be made based on identifying what type of attack was being initiated (i.e. DDoS, spoofing attack, routing attack, etc.).

Is it too late to use a security-auditing tool?
No. I believe security auditing tools can greatly assist in analyzing the traffic to determine whether it poses a threat to the network.
What possible attacks or vulnerabilities are you most concerned about?

My greatest concern would be a vulnerability that would allow the intruder to gain root access (such as a stack overflow). If the intruder were to gain root access to the network, they would possess the ability to manipulate the network and data as they pleased. Another major concern would be the possibility of an internal employee assisting the protest group in accessing internal resources.

Which concerns you the least?
Although any form of attack should be considered a threat, I suppose I'd be least concerned with an attack such as a Smurf attack, which exploits ICMP to send echo packets. This type of attack should be fairly easy to identify and prevent.

What actions might you take with your network configurations, services, or daily practices to help you weather this attack?

I would first attempt to identify the method of attack, then secure any vulnerabilities (i.e. apply software updates, disable unnecessary ports and/or services, remove known default passwords from installed products, etc.). I would recommend the use of a penetration tool such as SATAN to assist in identifying all possible vulnerabilities that could easily be identified by potential hackers utilizing the same tools against the firm's network.
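As an added illustration of two points in the answers above (that an auditing tool can analyze captured traffic to decide whether it poses a threat, and that a Smurf-style ICMP attack is easy to identify), here is a small detector written for this page. It is not part of the original answer and not a real auditing tool. It assumes a constructed ICMP packet log in a made-up `seconds src dst ICMP echo-request|echo-reply` format, a hypothetical local subnet 192.168.1.0/24, and arbitrary alert thresholds; all of those are assumptions chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample ICMP log (not from the page). One packet per line:
#   <seconds> <src> <dst> ICMP <echo-request|echo-reply>
# It mixes one benign ping exchange with a Smurf-style pattern: the victim's
# address 10.0.0.5 appears as the (spoofed) source of pings to the 192.168.1.0/24
# directed-broadcast address, and twelve hosts on that subnet reply to it.
SAMPLE_LOG = "\n".join(
    ["1000.000 10.0.0.7 192.168.1.1 ICMP echo-request",
     "1000.005 192.168.1.1 10.0.0.7 ICMP echo-reply",
     "1000.100 10.0.0.5 192.168.1.255 ICMP echo-request"]
    + [f"1000.{110 + i} 192.168.1.{10 + i} 10.0.0.5 ICMP echo-reply"
       for i in range(12)]
    + ["1000.200 10.0.0.5 192.168.1.255 ICMP echo-request"]
)

# Hypothetical local subnet whose broadcast address an amplifier would use.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+ICMP\s+"
    r"(?P<kind>echo-request|echo-reply)\s*$"
)


def parse_icmp_log(text):
    """Turn the log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            records.append(rec)
    return records


def find_broadcast_pings(records, local_nets=LOCAL_NETS):
    """Amplifier-side signal: echo requests aimed at a local directed-broadcast address."""
    hits = []
    for r in records:
        if r["kind"] != "echo-request":
            continue
        dst = ipaddress.ip_address(r["dst"])
        if any(dst == net.broadcast_address for net in local_nets):
            hits.append((r["ts"], r["src"], r["dst"]))
    return hits


def find_reply_floods(records, window=1.0, min_replies=10, min_sources=5):
    """Victim-side signal: one destination receiving many echo replies from many
    distinct hosts inside a sliding time window. Returns {victim: {...}}."""
    replies = defaultdict(list)
    for r in records:
        if r["kind"] == "echo-reply":
            replies[r["dst"]].append((r["ts"], r["src"]))
    alerts = {}
    for dst, events in replies.items():
        events.sort()
        start, best = 0, (0, 0)
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            sources = len({src for _, src in events[start:end + 1]})
            if count >= min_replies and sources >= min_sources and count > best[0]:
                best = (count, sources)
        if best[0]:
            alerts[dst] = {"replies": best[0], "sources": best[1]}
    return alerts


if __name__ == "__main__":
    recs = parse_icmp_log(SAMPLE_LOG)
    for ts, src, dst in find_broadcast_pings(recs):
        print(f"{ts:.3f} echo-request from {src} to broadcast {dst} "
              "(possible amplification attempt)")
    for victim, info in find_reply_floods(recs).items():
        print(f"{victim} received {info['replies']} echo replies from "
              f"{info['sources']} hosts within 1 s (possible Smurf victim)")
```

The two checks correspond to the two halves of a Smurf attack: echo requests sent to a directed-broadcast address (the amplifying subnet's side) and a burst of echo replies converging on a single host from many sources (the victim's side). On the prevention side, the standard countermeasures are routers that do not forward directed broadcasts (RFC 2644 makes that the default behaviour), hosts configured not to answer broadcast echo requests, and ICMP rate limiting at the border.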
How long would you remain in "siege mode"?
I would remain in siege mode until a complete assessment had been conducted of the past and/or ongoing attacks, all identified vulnerabilities had been addressed, and any additional resources (firewalls, routers, IDSs, etc.) had been put in place and configured.

What are the main costs and disadvantages of operating in constant expectation of a serious attack? Consider the benefits and disadvantages to you as system administrator as well as monetary costs to the firm, and to end users on the firm's networks.

The costs would depend on the severity of the potential attacks and could range from as little as a minor inconvenience on the part of the employees (implementing more stringent passwords, limiting access to previously accessible resources, slowness of the network, etc.) to excessive network restrictions and financial expenditures by the organization for my services and for the resources needed to reduce vulnerability to potential attacks.
2. One of the legal secretaries in the Fairbanks office is a secret supporter of the largest anti-globalization protest group. Though he doesn't participate in the demonstrations for...