In: Computer Science
Use as much detail as possible.
Ping: Ping is a tool commonly used to find the status of a host on a network. Ping is based on the ICMP protocol. When a ping request is sent out as an ICMP echo request to the target host, the host replies with an ICMP echo reply.
Ping Sweep: A ping sweep is a technique used to find out which hosts are alive in a network for a defined IP range. Networks whose admins allow ICMP through are exposed to ICMP-based attacks.
A ping sweep allows a hacker to check which computers are active and in use. A port scan searches for open ports that can be used to breach a network.
There are ways to protect ourselves against these methods of hacking.
Ping sweeps have a few different effects on a network. A ping sweep lets a hacker see the active computers in a network, and it can also give him a list of the IP addresses in use within the company.
This is dangerous. If his target computer has access to a database or a server, he can gain control of the whole network. He will have access to all of our information and can expose it at will. Ping sweeps can also slow down our network, because of the many requests being sent out.
The worst part is that we are vulnerable. If a ping sweep was successful, it means that we weren’t protected. Ping sweeps have been used for a long time now, and they are slower than more current methods. This means that we must find a way to secure our network.
Port scans are dangerous. Port scans are used to find open ports that a hacker can then use to get into a system.
This allows them to break in and steal what they want much more easily. Leaving open doors only makes it easier for an unethical worker, or even a spy, to go into a network and take our private information. This can include financial information, employee information, and client information. Think about the impact that a network breach had on the retail store Target.
A firewall helps block these attacks by preventing outside IP addresses from accessing the network. You can configure the firewall to drop ICMP packets, which blocks the requests a ping sweep relies on.
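As an added example (not part of the original answer), a small log analyser that flags both reconnaissance patterns described above: a ping sweep, seen as one source sending ICMP echo requests to many distinct hosts, and a port scan, seen as one source probing many distinct TCP ports on one host. The log line format, the sample lines and the thresholds are constructed assumptions.

```python
# Added example: detect ping-sweep and port-scan patterns in firewall-style
# log lines. The "ts src dst proto [extra]" format is an assumption, and the
# sample lines below are constructed, not captured from a real network.
from collections import defaultdict
import re

SAMPLE_LOG = """\
10:00:01 198.51.100.7 192.0.2.10 icmp echo-request
10:00:01 198.51.100.7 192.0.2.11 icmp echo-request
10:00:01 198.51.100.7 192.0.2.12 icmp echo-request
10:00:02 198.51.100.7 192.0.2.13 icmp echo-request
10:00:02 198.51.100.7 192.0.2.14 icmp echo-request
10:00:05 203.0.113.9 192.0.2.20 tcp 22
10:00:05 203.0.113.9 192.0.2.20 tcp 80
10:00:05 203.0.113.9 192.0.2.20 tcp 443
10:00:06 203.0.113.9 192.0.2.20 tcp 3389
10:00:06 203.0.113.9 192.0.2.20 tcp 445
10:00:06 203.0.113.9 192.0.2.20 tcp 8080
10:00:09 192.0.2.50 192.0.2.10 icmp echo-request
10:00:10 192.0.2.50 192.0.2.20 tcp 443
"""

# timestamp, source, destination, protocol, optional extra field (ICMP type or TCP port)
LINE_RE = re.compile(r"^\S+ (\S+) (\S+) (icmp|tcp)(?: (\S+))?$")

def analyze(log_text, sweep_hosts=5, scan_ports=6):
    """Return {"ping_sweep": {src: n_hosts}, "port_scan": {"src->dst": n_ports}}.
    A source is reported as a sweep when its distinct echo-request targets reach
    sweep_hosts, and as a scan when its distinct ports on one host reach scan_ports."""
    echo_targets = defaultdict(set)   # src -> set of hosts it pinged
    tcp_ports = defaultdict(set)      # (src, dst) -> set of ports probed
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # ignore lines that do not fit the format
        src, dst, proto, extra = m.groups()
        if proto == "icmp" and extra == "echo-request":
            echo_targets[src].add(dst)
        elif proto == "tcp" and extra and extra.isdigit():
            tcp_ports[(src, dst)].add(int(extra))
    sweeps = {s: len(h) for s, h in echo_targets.items() if len(h) >= sweep_hosts}
    scans = {f"{s}->{d}": len(p) for (s, d), p in tcp_ports.items() if len(p) >= scan_ports}
    return {"ping_sweep": sweeps, "port_scan": scans}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The single ping and single connection from 192.0.2.50 stay below both thresholds, so ordinary traffic is not reported.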
Practices for stopping malware threats on a machine:
* Keep browser plug-ins patched. Attacks have moved to the browser and the plug-in applications that make the browser so much more useful. It's critical that attackers not be able to use Microsoft Internet Explorer or Adobe Reader/Acrobat/Flash vulnerabilities to get onto a system. Use each vendor's auto update or software distribution tools to install patches as soon as they become available.
* Block P2P usage. The simplest method for distributing malware is hidden inside files to be shared on peer-to-peer (P2P) networks. Create and enforce a no-P2P policy, including home usage of a company machine. Enforce the policy at the gateway and/or desktop, for example, by blocking the main executable file of an unwanted application.
* Turn off Windows AutoRun (AutoPlay). Stop Conficker, Downadup and other network-based worms from jumping from USB keys and network drives without changing company policies on open shares. Get specific details on this tip from Symantec and from Microsoft.
* Turn on enhanced security in Adobe Reader. Protect your machines from attacks hidden in PDF files by hardening Adobe Reader. Learn more about using the enhanced security settings available in Reader.
* Limit the use of network shares (mapped drives). Worms love to spread via networked drives. Unless there is a strong business requirement, close mapped drives. If possible limit permissions to read-only rather than read-write.
* Review mail security and gateway blocking effectiveness. Catching threats before they get to the desktop can be done with effective mail and Web security scanning. Check that you have a mail security solution which updates frequently to detect the latest bad sender IPs, spam and malware threats at the mail gateway. Consider implementing a Web security solution that will protect your organization against Web 2.0 threats, including malicious URLs and malware.
* Review your security content distribution schedule. Antivirus signatures are released multiple times a day and IPS content roughly on a weekly basis or as needed. If possible, take advantage of these updates or at least update machines that are frequently infected.
* Protect smartphones and other mobile devices. According to RSA, the top cybercrime trend for 2011 is mobile malware and the exploitation of mobile phones to commit fraud. It seems that every employee with a smartphone or tablet PC wants to access the network to get to company e-mail or other applications. Remember that these devices can introduce malware into your network just as easily as an unprotected PC can. For tips on safeguarding these types of mobile devices, see How to manage consumer devices on your network and Lock down your mobile handheld devices for ultimate security.
* Use tools that go beyond antivirus. While there's still a role for antivirus products, they aren't as effective as they used to be, largely because the threats have evolved to circumvent antivirus software. Many threats today are Web based. A tool like the Intrusion Prevention System (IPS) in Symantec Endpoint Protection stops threats before they can infiltrate a machine. For example, IPS stops vulnerability exploits, drive-by downloads and fake antivirus installation.
* Change your tool's default settings. Get the most out of your chosen tool by improving its default settings. Only a few setting changes can make a big improvement to your security. (Get tips on optimizing Symantec Endpoint Protection.)
* Implement application control rules to block specific threats. Tools such as Symantec Endpoint Protection's application and device control can be used to stop a specific file, block P2P network use or protect critical files and registry entries.
* Educate users. Most malware attacks use social engineering. Education can be highly effective in stopping them. Your users don't need to be security experts. Asking them to follow these four rules can help keep them protected:
• Only click through to trusted sources when conducting searches, especially on topics with high attention.
• Never update "media player," "codec," or "Flash" when prompted by a site hosting videos or not affiliated with that application.
• Do not use P2P applications on business machines and be cautious on home machines as well.
• Do not click on links or attachments in spam e-mail or in e-mail messages from sources you don't know or trust.
* Educate yourself. Here are some additional resources from Symantec to keep you up-to-date on the latest security threats: knowledge base articles, Security Response blogs, Symantec Connect, and the Internet Security Threat Report. Featured postings to these sources include:
• Overview of Misleading Applications
• P2P Blocking
• SEO Poisoning