Exam (worked answers)

CSEC 610 Final Exam

Rating: -
Sold: -
Pages: 13
Grade: A+
Uploaded on: 04-08-2024
Written in: 2024/2025



Randy Rose Prof. Alkadi, Section 9024


Randy Rose
CSEC 610 Final Exam
1. The interesting article referenced below covers topics such as backdoors, corporate espionage,
government fronts, and government spying.
Sanger, D. and N. Perlroth. (2014, March 22). N.S.A. Breached Chinese Servers Seen as Security Threat.
The NY Times. Retrieved from http://nyti.ms/1rcQZRO (The article is also attached in this week’s
Conference.)
a. What would you engineer into your equipment if you were a manufacturer of telecommunications,
computing and/or Internet/intranet systems equipment and you wanted to be able to conduct corporate
espionage and/or help your country or its proxies spy on other countries?
If I were an engineer for an organization such as Huawei and I was interested in corporate or
government espionage, I would include at least three logical data collection, access, and sabotage
techniques. The first thing I would consider installing is keylogging malware, which collects
keystrokes in an effort to capture sensitive data including user and administrator credentials
(Wilhelm & Andress, 2011, p. 210). Having both physical and logical access to the devices would
allow me to install software versions of the keylogger and configure them to send logs back to a
centralized command and control server. The logs could collect a variety of information including
IP and MAC addresses, usernames and passwords, and whole device configurations. A software
keylogger is essentially a piece of malware and is installed and configured in much the same way as
malware (pp. 210-212). The data will have to be encrypted by the device to avoid being detected by
intrusion detection software or deep packet inspecting firewalls, so I will have to build in an
encryption tool. After encryption, it would be best to use a common protocol, such as HTTP or
HTTPS to transfer the data off the network to my command and control server. Using common
protocols will make it more likely that the right ports will already be open on the firewall and will
also make the traffic look less suspicious.
The second thing I would consider installing on my devices is a backdoor. Backdoors allow
attackers “a method of bypassing the normal authentication process” to “carry out our activities
unimpeded” (p. 269). To guarantee access, I might actually install multiple backdoors or a single
backdoor that can use multiple ports. It may also be wise to program the backdoor to call home to a
command and control server on occasion just to populate a log entry on my end. This way, I would
know what devices are still active and that I have access to.
The third thing I would install is a rootkit that would be configured to recognize when changes
were made to the system that could negatively impact my access and to create an alternate route.
For example, if my backdoor uses one of three random ports and one or two of those ports are taken
up by another service for some reason, the rootkit will find that conflict and either correct it by
opening a new port for the existing service or a new port for my backdoor. It would also be
programmed to hide any activity that I generate by coming through the backdoor by deleting log
entries, masking PIDs, moving files, etc.
b. Discuss the specific things you as a purchaser of telecommunications, computing and/or
Internet/intranet systems equipment should do to ensure that the equipment meets the security required for
your work and industry during the acquisition phase.

Ensuring that equipment meets standards is a difficult task. Most organizations, especially
government organizations, buy commercial-off-the-shelf (COTS) or government-off-the-shelf
(GOTS) products that either cannot be or do not require being tested. If I were buying American or
Canadian equipment, I would buy COTS or GOTS and not bother inspecting it. This might not be
the most secure solution, but at the same time, operating a business is about managing risk, and I
would accept the risk that there was embedded malware in American or Canadian equipment
because I believe it to be low risk and low likelihood. However, if I did not trust the manufacturer
or the country of the manufacturer, I would buy the equipment, install it in a test network that did
not mimic my own and did not contain sensitive information, let it run for a while and watch what
it does, review the logs, and then reverse engineer it as best as I could. One of the reverse
engineering tests I would perform is to fuzz it. Fuzzing involves sending “random, malformed data
as inputs” to the system or software being tested in an attempt to crash it (Conrad, Misener, &
Feldman, 2012, p. 194). Causing systems or software to deliberately crash can reveal system
information that might not normally be seen. For example, a crash may show memory events that
are hidden by the system or by a piece of malware. Speaking of memory, conducting memory
forensics can also reveal nefarious system calls and other significant information, such as timestamps, that
could reveal the ulterior motives of the device.
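Added example (not part of the exam answer): the acquisition-phase test above puts the device on an isolated network and reviews what it does in the logs. One pattern worth checking for in those logs is a device that contacts the same external host at a steady interval over a normally open port such as 443, which is how a "call home" to a command and control server would look from the defender's side. The script below flags such flows in a constructed connection log; the log format, the 10.0.0.0/8 lab range and the jitter threshold are assumptions.

```python
"""Added example: flag steady-interval outbound 'call home' flows in a test-network log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not from the page): ISO timestamp, src, dst, dport.
SAMPLE_LOG = """\
2024-08-04T10:00:00 10.0.0.7 203.0.113.5 443
2024-08-04T10:00:12 10.0.0.7 10.0.0.1 53
2024-08-04T10:10:01 10.0.0.7 203.0.113.5 443
2024-08-04T10:15:40 10.0.0.7 10.0.0.1 53
2024-08-04T10:20:00 10.0.0.7 203.0.113.5 443
2024-08-04T10:30:02 10.0.0.7 203.0.113.5 443
2024-08-04T10:33:10 10.0.0.7 10.0.0.9 80
2024-08-04T10:40:00 10.0.0.7 203.0.113.5 443
"""


def parse_log(text):
    """Return (datetime, src, dst, port) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Return (flow, period_seconds, hits) for external flows whose connection
    gaps vary by at most max_jitter (stdev divided by mean)."""
    flows = defaultdict(list)
    for ts, src, dst, port in events:
        # Assumption: the isolated lab network is 10.0.0.0/8; anything else is "home".
        if not dst.startswith("10."):
            flows[(src, dst, port)].append(ts)
    findings = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((key, round(avg), len(times)))
    return findings
```

On the sample log the DNS and internal HTTP traffic is ignored, and the five 443 connections to 203.0.113.5 are reported as a flow with a period of roughly 600 seconds.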
c. What security hardening procedures would you implement to prevent these intrusions on a daily basis?
Defense-in-depth and situational awareness are essential for all systems, especially those that store
or transport sensitive information. As such, I would have packet-inspecting firewalls with
restrictive access control lists and secure configurations that match those recommended by NIST
and the Center for Internet Security. I would deploy intrusion detection and prevention systems,
such as the Host-Based Security System (HBSS) and network sniffers, such as Snort or OSSEC. I
would keep all high target systems in a DMZ and have an alternate or secondary DMZ to act as a
honeynet. I would have two separate DNS zones, one external and one internal, and I would deploy
DNS Security Extensions. I would ensure that all of my systems were taking adequate logs with
time stamps and detailed information. I would have strong, explicit policies and procedures for user
access, disaster recovery, incident response, and continuity of operations. In addition, all essential
staff would be trained in the policies and procedures and know exactly what roles and
responsibilities they were assigned should they be required to assist. All system and third-party
patches will be installed following a strict patch management testing and deployment schedule.
Antivirus and IDS/IPS heuristics will be updated daily or more frequently. All privileged users will
have separate accounts and will only use their privileged accounts for administrator functions.
Privileged system accounts will have different credentials than privileged software configuration
accounts, such as Cisco Privileged Exec Mode passwords. Lastly, all user accounts will be
configured following the principle of least privilege and will be closely monitored and audited
regularly to ensure that users only have the access they require to perform their jobs.
