Assignment 5 Hack and Exploit Methods

1. Do a Web search for "cyber kill chain in breach responses." Look for an article that
points out weaknesses in using the cyber kill chain. What are the one or two deficiencies
of the cyber kill chain that are pointed out in the article?

- I discovered an article titled "The Cyber Kill Chain Model: Is It Still Relevant?" on the
SANS Institute website after searching for "cyber kill chain in breach responses" online.
The article highlights the cyber kill chain model's two main drawbacks.
- Firstly, the article argues that the cyber kill chain model is too focused on the attacker's
actions and not enough on the defender's response. The model assumes attackers will
follow a predictable path after gaining network access, disregarding the fact that
defenders can impede their progress by identifying and responding to their activities at any
stage of the kill chain. The article suggests that instead of concentrating solely on trying
to stop attacks from moving through the kill chain, organisations should
concentrate more on creating effective response strategies.
- Secondly, the article notes that the cyber kill chain model is based on a linear progression
of stages, which may not accurately reflect how attackers actually operate. In reality,
attackers may move back and forth between different stages of the kill chain or skip
certain stages altogether. This means that organizations may miss important indicators of
compromise if they are only looking for activity that fits within the predefined stages of
the kill chain.
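The second deficiency can be made concrete with a small correlation exercise. The script below is an added example, not code from the assignment or the SANS article: it feeds a constructed alert stream for two hosts through two correlators, one that chains alerts only when they arrive in the model's linear stage order (and therefore drops a late-arriving delivery verdict and a subsequent exploitation alert) and one that counts distinct stages regardless of order. The host names, timestamps, detector strings and the two-stage threshold are all constructed for illustration.

```python
"""Linear (stage-ordered) vs. order-agnostic correlation of kill chain alerts.

Added example; the alert stream, host names and thresholds are constructed.
"""
from collections import defaultdict

# Lockheed Martin kill chain stages in the model's canonical order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
STAGE_INDEX = {name: i for i, name in enumerate(KILL_CHAIN)}

# Constructed alerts: (timestamp, host, kill chain stage, detector detail).
# ws-17 is first noticed at the C2 stage; the delivery verdict from the
# mail gateway and the EDR exploitation alert only arrive afterwards.
ALERTS = [
    (100, "ws-17", "command_and_control", "proxy: periodic beacon to rare domain"),
    (150, "ws-17", "delivery", "mail gateway: late verdict on earlier attachment"),
    (170, "ws-17", "exploitation", "edr: office process spawning a shell"),
    (300, "ws-42", "delivery", "mail gateway: blocked attachment"),
]


def correlate_linear(alerts, min_stages=2):
    """Correlator that assumes the model's linear progression: an alert is
    chained to a host's incident only if its stage comes after the last
    stage seen for that host. Out-of-order alerts are discarded, which is
    the weakness the article describes."""
    last_seen = {}
    chained = defaultdict(list)
    for _ts, host, stage, _detail in sorted(alerts):
        idx = STAGE_INDEX[stage]
        if host in last_seen and idx <= last_seen[host]:
            continue  # earlier stage than already seen: dropped
        last_seen[host] = idx
        chained[host].append(stage)
    return {h: s for h, s in chained.items() if len(s) >= min_stages}


def correlate_unordered(alerts, min_stages=2):
    """Order-agnostic correlator: collect the distinct stages observed per
    host, whatever order they were detected in, and report the host once
    enough distinct stages have been seen."""
    stages = defaultdict(set)
    for _ts, host, stage, _detail in alerts:
        stages[host].add(stage)
    return {
        h: sorted(s, key=STAGE_INDEX.get)
        for h, s in stages.items()
        if len(s) >= min_stages
    }


if __name__ == "__main__":
    print("linear   :", correlate_linear(ALERTS))     # ws-17 missed
    print("unordered:", correlate_unordered(ALERTS))  # ws-17 flagged
```

With this input the linear correlator reports nothing for ws-17, because every alert after the first one refers to an earlier stage, while the order-agnostic correlator reports three distinct stages for that host. ws-42, where only a blocked delivery was seen, is reported by neither, which is the correct outcome for a single stage.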

2. Do a Web search on "honeypots" and "honeynets." Search for "honeypot versus
honeynet." How are they different? List three reasons why making your own honeypot
or honeynet might be a bad idea.

- Honeypots and honeynets are both cybersecurity mechanisms used to detect and deflect
cyber attacks. A honeypot is a decoy system that is designed to attract attackers and divert
their attention from the actual target. It is a single computer or network that appears to be
vulnerable and contains fake data, files, and applications. Honeynets are networks of
honeypots interacting to simulate a real network environment; a honeynet consists of
multiple interconnected honeypots that are used to monitor and analyze the behavior of
attackers.
- The main difference between honeypots and honeynets is their scope. Honeypots are
limited in scope as they only provide information about attacks on a single system. In
contrast, honeynets provide a broader view of the attacker's behavior as they can monitor
attacks on multiple systems within a network.
- Another difference between honeypots and honeynets is their complexity. Honeypots are
relatively simple to set up and maintain as they only require one system. In contrast,
honeynets are more complex as they require multiple systems to be interconnected and
managed.

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible Web 1
site, in whole or in part.
- Lastly, honeypots are passive in nature, meaning they only collect information about
attacks but do not take any action against them. In contrast, honeynets can actively
respond to attacks by blocking or redirecting them.
- Building your own honeypot or honeynet may not be a good idea, even though it may
seem like one, for the following reasons:
o Legal issues: Running a honeypot or honeynet can potentially violate laws
related to entrapment, unauthorized access, and data privacy. You can be held
responsible for any damage caused by the attacker lured into attacking your
system.
o Resource-intensive: Setting up and maintaining a honeypot or honeynet requires
significant resources in terms of time, money, and expertise. Individuals and small
organisations may not be able to afford such a system.
o A false sense of security: Honeypots and honeynets may be useful as a source of
information on attackers' behaviour, but they should not become the only defence
mechanism. Attackers can easily bypass honeypots and honeynets if they are not
properly configured and secured.

3. Using Table 6-2 below, do a Web search on a few of the port numbers known to be used
by hacker programs, such as Sub-7, Midnight Commander, and WinCrash. What
significant information did you find in your search? Why should the information security
manager be concerned about these hacker programs? What can he or she do to protect
against them?

Sub-7 is a Remote Administration Tool (RAT) that became famous as a hacking
tool. Such programs may introduce unauthorised access to computer systems, data leaks,
and theft or misuse of confidential information. Additionally, malicious programs like
WinCrash can cause system crashes and instability, primarily exploiting vulnerabilities
rather than communicating over a network. These programmes should be addressed by
IT security managers in view of their potential for unauthorised access and system
instability.

To protect against these threats, information security managers should implement
network segmentation, deploy intrusion detection/prevention systems (IDS/IPS),
configure firewalls and port filtering, regularly patch and update systems and software,
conduct employee awareness and training, implement strong access controls, and develop
and regularly update an incident response plan. To proactively protect against hacker
programs and other emerging risks, information security managers need to be kept up to
date with the most recent threats, trends and best practices in cybersecurity.
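One practical form of the "port filtering" and IDS recommendation is to review firewall logs for traffic to ports associated with these programs. The script below is an added example (not from the assignment or the Cengage text) that parses a few constructed firewall log lines and classifies each watchlisted hit by direction, because the same port match means different things depending on who initiated the connection. The watchlist is an assumption on my part: it contains only Sub-7's widely documented default port 27374 and its earlier default 1243; Table 6-2 is not reproduced on this page, so the entries for the other programs must be filled in from it. The log format, IP ranges and timestamps are constructed.

```python
"""Classify firewall log hits on ports associated with known RATs.

Added example. Watchlist, log format and addresses are assumptions;
complete the watchlist from Table 6-2.
"""
import ipaddress
import re

# Assumed watchlist: destination port -> program. Fill in the remaining
# programs (Midnight Commander, WinCrash, ...) from Table 6-2.
WATCHLIST = {
    27374: "Sub-7 (default port)",
    1243: "Sub-7 (early default port)",
}

# Constructed internal address space.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]

# Constructed log format: "<ts> <ALLOW|BLOCK> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2022-10-03T10:15:02 ALLOW TCP 10.0.5.17:51234 -> 203.0.113.9:27374
2022-10-03T10:15:09 ALLOW TCP 10.0.5.17:51240 -> 203.0.113.9:443
2022-10-03T10:16:30 BLOCK TCP 198.51.100.23:40001 -> 10.0.5.40:27374
2022-10-03T10:16:31 BLOCK TCP 198.51.100.23:40002 -> 10.0.5.41:1243
2022-10-03T10:17:00 ALLOW UDP 10.0.5.18:5353 -> 10.0.5.255:5353
""".splitlines()


def is_internal(ip):
    """True if the address falls inside the constructed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def classify(line):
    """Return a hit record for a watchlisted destination port, else None.

    Direction matters: an internal host connecting out to a RAT port is a
    possible infected host beaconing; an external host connecting in is a
    probe for a listening RAT, which a BLOCK already handled but is still
    worth counting.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    dport = int(m["dport"])
    if dport not in WATCHLIST:
        return None
    src_int, dst_int = is_internal(m["src"]), is_internal(m["dst"])
    if src_int and not dst_int:
        kind = "possible RAT beacon from internal host"
    elif not src_int and dst_int:
        kind = "inbound probe for RAT listener"
    else:
        kind = "watchlisted port between internal hosts"
    return {"ts": m["ts"], "action": m["action"], "src": m["src"],
            "dst": m["dst"], "dport": dport, "program": WATCHLIST[dport],
            "kind": kind}


def scan(lines):
    """Run classify() over every line and keep the hits."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["action"], hit["src"], "->", hit["dst"],
              hit["dport"], hit["program"], "|", hit["kind"])
```

A port number on its own is a weak indicator: a legitimate service could be bound to the same port, and a RAT can be reconfigured to use another one, so a hit like the ALLOWed outbound connection from 10.0.5.17 is a lead for the incident response process, not proof of infection, and the port filter should be paired with the patching, IDS/IPS and access-control measures listed above.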

4. Using the list of possible, probable, and definite indicators of an incident, draft a
recommendation to assist a typical end user in identifying these indicators.
Alternatively, using a graphics package such as PowerPoint, create a poster to make the
user aware of the key indicators.

- Depending on the type of incident, different indicators of that incident may be possible,
probable, or definite. To spot a potential incident, end users can keep an eye out for a few
common indicators.
- 1. Unexpected network activity: A sign of a cyber attack could be unexpected network
activity, such as slow Internet speed, excessive disconnections, or unauthorized access to
network resources.
- 2. Suspicious emails: End users should be wary of suspicious emails that contain
attachments or links from unknown senders. These emails might include malicious
software or phishing links that jeopardise the system's security.
- 3. Unauthorized access: If the end user discovers unauthorized access to a system or
data, it indicates a security breach. They should immediately report any such activity to
their IT department.
- 4. Weird system behavior: Strange behaviour such as multiple crashes, popup windows or
errors may indicate a malware infection.
- 5. Physical security breaches: Physical security breaches such as stolen laptops or
unauthorized access to restricted areas can also be indicators of a security incident.
