
Tutorial/Practical 3 (Week 4) CP3302/CP5603

Remarks: This tutorial/practical consists of some tutorial-type questions that are chosen from the Review Questions in Chapter 4 of the textbook, as well as some practical-type questions that are chosen from: Michael E. Whitman and Herbert J. Mattord, Hands-On Information Security Lab Manual (third edition), Course Technology, Cengage Learning, USA, 2011. This tutorial/practical may not be completed in the scheduled practical session for this subject, so you are strongly recommended to complete it in your own time (note that students are expected to work 10 hours per week on this subject, including 3 hours of contact time). Due to security issues, you may not be allowed to practise all commands and programs of the practical-type questions on the university's computers. So, interested students are encouraged to do this section on their own computers (if available). You will not be assessed on utilities/commands that cannot be practised on university computers.

1. (Review Question 1) What is risk management? Why is identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?
2. (Review Question 3) Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?
3. (Review Question 4) In risk management strategies, why must periodic review be a part of the process?
4. (Review Question 5) Why do networking components need more examination from an information security perspective than from a systems development perspective?
5. (Review Question 6) What value does an automated asset inventory system have for the risk identification process?
6. (Review Question 8) Which is more important to the systems components classification scheme, that the list be comprehensive or mutually exclusive?
7. (Review Question 9) What's the difference between an asset's ability to generate revenue and its ability to generate profit?
8. (Review Question 10) What are vulnerabilities and how do you identify them?
9. (Review Question 11) What is competitive disadvantage? Why has it emerged as a factor?
10. (Review Question 12) What are the strategies for controlling risk as described in this chapter?
11. (Review Question 13) Describe the defend strategy. List and describe the three common methods.
12. (Review Question 14) Describe the transfer strategy. Describe how outsourcing can be used for this purpose.
13. (Review Question 15) Describe the mitigate strategy. What three planning approaches are discussed in the text as opportunities to mitigate risk?
14. (Review Question 16) How is an incident response plan different from a disaster recovery plan?
15. (Review Question 17) What is risk appetite? Explain why risk appetite varies from organization to organization.
16. (Review Question 18) What is a Cost Benefit Analysis?
17. (Review Question 19) What is the definition of single loss expectancy? What is annual loss expectancy?
18. (Review Question 20) What is residual risk?

Lab 3

Materials Required:
- Microsoft Windows XP Professional or Microsoft Windows Vista Business.
- One or more IP addresses and Domain Name System (DNS) names.
- A Web browser: Microsoft Internet Explorer or Mozilla Firefox.
- Sam Spade version 1.14 for Windows; it is a freeware utility program.

Warning: Misuse of the Sam Spade utility can result in loss of network access privileges, academic probation, suspension or expulsion, and possible prosecution by law enforcement agencies.

Background (The Domain Name System)

The Domain Name System (DNS) is a hierarchical and distributed data management tool used to make the connection between word-based domain names and the numeric IP addresses used by hosts on the Internet. DNS allows the lookup of a fully qualified domain name (FQDN) to return the associated IP address; it can also be used for reverse lookup of IP addresses to find the associated domain names. The typical use of DNS involves a series of local and remote DNS servers with a sequence of lookup steps to perform these lookups or reverse lookups. A complete discussion of the Domain Name System is extremely complex and thus beyond the scope of this lab exercise. For a more detailed discussion refer to RFCs 1034 (Domain Names - Concepts and Facilities) and 1035 (Domain Names - Implementation and Specification).

One aspect that should be addressed here is the DNS zone transfer. A zone transfer is a request, usually from a secondary master name server to a primary master name server, that allows the secondary master to update its DNS database. Unless this process is restricted, it can provide a very detailed set of information about an organization's network to virtually anyone with the ability and desire to access it.

The standard method to conduct a DNS query uses Nslookup, a UNIX-based utility created by Andrew Cherenson to query Internet domain name servers. There is an equivalent program available for Windows. Its primary use is identifying IP addresses corresponding to entered domain names and identifying domain names corresponding to entered IP addresses.

Background (DNS Zone Transfer)


DNS zone transfer is an advanced query on a name server asking it for all information it contains about a queried domain name. This works only if the name server is authoritative or responsible for that domain. DNS zone transfers border on improper use of the Internet and as such should be performed with caution. Many name servers disable zone transfer.
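The lookup sequence and the zone-transfer restriction described in the two background sections above, as an added example that is not part of the lab manual or the course materials: a Python simulation over constructed zone data (every zone name, host name, address and allow-transfer list below is made up; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges). `resolve` follows referrals from the root the way an iterative resolver does, `reverse_lookup` builds the in-addr.arpa name for an address and resolves its PTR record, and `zone_transfer` answers a full-zone request only for a listed secondary; `internal_hosts` shows what an unrestricted transfer would hand to an outsider.

```python
"""Simulated iterative DNS resolution and zone transfer over constructed zone data.

Nothing here touches the network: the zones, names and addresses are made up for
this example (192.0.2.0/24 is a documentation range, 10.0.0.0/8 is RFC 1918 space).
"""
from ipaddress import ip_address, ip_network

# Each zone: its resource records as (owner, type, value) plus the client
# addresses allowed to request a full zone transfer (AXFR).  Constructed data.
ZONES = {
    ".": {
        "records": [("example.", "NS", "ns.tld.example."),
                    ("in-addr.arpa.", "NS", "ns.arpa.example."),
                    ("ns.tld.example.", "A", "192.0.2.1")],
        "allow_transfer": [],
    },
    "example.": {
        "records": [("corp.example.", "NS", "ns1.corp.example."),
                    ("ns1.corp.example.", "A", "192.0.2.10")],
        "allow_transfer": [],
    },
    "corp.example.": {
        "records": [("corp.example.", "NS", "ns1.corp.example."),
                    ("ns1.corp.example.", "A", "192.0.2.10"),
                    ("www.corp.example.", "A", "192.0.2.20"),
                    ("mail.corp.example.", "A", "192.0.2.25"),
                    ("intranet.corp.example.", "A", "10.0.0.5")],
        "allow_transfer": ["192.0.2.11"],   # only the secondary name server
    },
    "in-addr.arpa.": {
        "records": [("2.0.192.in-addr.arpa.", "NS", "ns1.corp.example.")],
        "allow_transfer": [],
    },
    "2.0.192.in-addr.arpa.": {
        "records": [("20.2.0.192.in-addr.arpa.", "PTR", "www.corp.example."),
                    ("25.2.0.192.in-addr.arpa.", "PTR", "mail.corp.example.")],
        "allow_transfer": ["192.0.2.11"],
    },
}

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def _delegation(zone, name):
    """Most specific child zone that `zone` delegates (NS record) and that covers `name`."""
    best = None
    for owner, rtype, _ in ZONES[zone]["records"]:
        if rtype == "NS" and owner != zone and _in_zone(name, owner):
            if best is None or len(owner) > len(best):
                best = owner
    return best


def resolve(name, qtype="A"):
    """Iterative lookup from the root: follow referrals until a server answers.

    Returns (answer or None, trace); trace lists (zone asked, reply kind, detail).
    """
    zone, trace = ".", []
    while True:
        child = _delegation(zone, name)
        if child is not None:                       # referral to a more specific server
            trace.append((zone, "referral", child))
            zone = child
            continue
        answers = [v for o, t, v in ZONES[zone]["records"] if o == name and t == qtype]
        if answers:
            trace.append((zone, "answer", answers[0]))
            return answers[0], trace
        trace.append((zone, "NXDOMAIN", None))
        return None, trace


def reverse_lookup(ip):
    """Reverse lookup: build the in-addr.arpa/ip6.arpa name and resolve its PTR record."""
    return resolve(ip_address(ip).reverse_pointer + ".", "PTR")


def zone_transfer(zone, requester_ip):
    """Simulated AXFR: the whole zone if the requester is on the allow list, else None (refused)."""
    if requester_ip not in ZONES[zone]["allow_transfer"]:
        return None
    return list(ZONES[zone]["records"])


def internal_hosts(records):
    """Names whose A records point into RFC 1918 space; an unrestricted AXFR leaks these."""
    return [o for o, t, v in records
            if t == "A" and any(ip_address(v) in n for n in RFC1918)]


if __name__ == "__main__":
    addr, steps = resolve("www.corp.example.")
    for step in steps:
        print(step)
    print("www.corp.example. ->", addr)
    print("192.0.2.20 ->", reverse_lookup("192.0.2.20")[0])
    print("AXFR from an outside address:", zone_transfer("corp.example.", "198.51.100.7"))
    print("hosts an unrestricted AXFR would reveal:",
          internal_hosts(ZONES["corp.example."]["records"]))
```

Running the script prints the referral chain root, example., corp.example. before the answer; the same chain, with PTR as the record type, serves the reverse lookup. The allow list is a stand-in for the name server's own transfer restriction, which on a real server lives in its configuration, and the point of `internal_hosts` is the one the background text makes: a zone handed out without restriction names internal machines that appear nowhere else.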

Background (Network Reconnaissance)


Network reconnaissance is a broad description for a set of activities designed to map out the size and scope of a network using Internet utilities. This includes the number and addresses of available servers, border routers, and the like. Two of the most common utilities used are ping and traceroute.

Web Reconnaissance Using Sam Spade

Gathering Web site information with Sam Spade
1. Start the Sam Spade utility.
2. Enter the IP number or DNS name in the text box located in the upper-left corner of the Sam Spade window.
3. On the menu bar, click Tools, and then click Browse web (or select the Web toolbar button from the left toolbar).
4. Click OK after the Open URL dialog box opens.
5. Attempt to identify key pieces of information about the organization from the HTML source code. If you can determine the name of the individual who wrote the code, record it here:

6. If any are listed, record the addresses of the first two Web sites located outside the target organization referred to in the code:

7. Record the first two links to other Web servers located inside the target organization that are referred to in the code:

8. Record any CGI scripts pointing to directories containing executable code (such as programs, applications, or other scripts or commands):

Web Crawling with Sam Spade
Sam Spade has an advanced tool called Web crawler that allows you to perform Web reconnaissance. You can use this specialized utility to simultaneously gather information from several interconnected Web pages.
1. If it is not already open, start the Sam Spade utility.
2. Enter the IP number or domain (DNS) address in the text box located in the upper-left corner of the Sam Spade window.
3. On the menu bar, click Tools, and then click Crawl website. As you can see, several options allow the user to browse not only the entered URL, but all subordinate pages, linked pages, hidden form values, images, and the like. Using Web crawler allows an individual greater capability in rooting out organizational information.
4. To use Web crawler to find information you did not discover in your previous review of source code, enter the address in the Crawl all URLs below text box, click the Search website for option, and then click the following options: E-mail addresses, Images on other servers, Links to other servers, and Hidden form values.
5. Click OK after the Crawl website dialog box opens.
6. Record the first two e-mail addresses referred to in the code:

7. Record the first two images on other servers referred to in the code:

8. Record the addresses of the first two Web sites located outside the target organization referred to in the code:

9. Record the first two hidden form values referred to in the code:

10. Record the first two images on the target server referred to in the code:

11. Record the first two links to other Web servers located inside the target organization that are referred to in the code:
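An offline version of what the two Sam Spade exercises above ask you to record from a page's source, written as an added example that is not from Sam Spade, the lab manual or the course: Python's standard-library HTML parser run over a constructed sample page for a made-up site, https://www.corp.example/. It picks out the author meta tag, sorts links and images into inside and outside the organization by host name, flags CGI script references, and collects e-mail addresses (including ones left in HTML comments) and hidden form values. The inside/outside rule (same registered domain as the page, ignoring a leading www.) and the CGI file-extension list are assumptions of this example.

```python
"""Audit a page's HTML source for the items the Sam Spade walkthrough records.

The sample page, site names and addresses below are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
# Assumed marker for "directories containing executable code": cgi-bin or a script suffix.
CGI_RE = re.compile(r"/cgi-bin/|\.(?:cgi|pl|php|asp|aspx|jsp)$", re.IGNORECASE)


class SourceAuditor(HTMLParser):
    """Collects author, links, images, hidden form fields and e-mail addresses."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        host = urlsplit(base_url).hostname or ""
        # Heuristic: any host under the site's domain (minus a leading "www.") is "inside".
        self.domain = host[4:] if host.startswith("www.") else host
        self.author = None
        self.links, self.images, self.hidden, self.emails = [], [], [], set()

    def _internal(self, url):
        host = urlsplit(url).hostname or ""
        return host == self.domain or host.endswith("." + self.domain)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "author":
            self.author = a.get("content")
        elif tag == "a" and a.get("href"):
            if a["href"].lower().startswith("mailto:"):
                self.emails.add(a["href"][7:].split("?")[0])
            else:
                self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form" and a.get("action"):
            self.links.append(urljoin(self.base, a["action"]))
        elif tag == "img" and a.get("src"):
            self.images.append(urljoin(self.base, a["src"]))
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden.append((a.get("name"), a.get("value")))

    def handle_data(self, data):      # visible text
        self.emails.update(EMAIL_RE.findall(data))

    def handle_comment(self, data):   # developer comments leak addresses too
        self.emails.update(EMAIL_RE.findall(data))

    def report(self):
        urls = self.links + self.images
        return {
            "author": self.author,
            "external_links": [u for u in self.links if not self._internal(u)],
            "internal_links": [u for u in self.links if self._internal(u)],
            "external_images": [u for u in self.images if not self._internal(u)],
            "internal_images": [u for u in self.images if self._internal(u)],
            "cgi_scripts": [u for u in urls if CGI_RE.search(urlsplit(u).path)],
            "emails": sorted(self.emails),
            "hidden_fields": self.hidden,
        }


def audit(html, base_url):
    """Parse `html` (as fetched from `base_url`) and return the findings as a dict."""
    parser = SourceAuditor(base_url)
    parser.feed(html)
    parser.close()
    return parser.report()


# Constructed sample page for the made-up site www.corp.example.
SAMPLE_HTML = """<html><head>
<meta name="author" content="J. Webmaster">
<!-- TODO: ask ops@corp.example to retire the old upload script -->
</head><body>
<a href="/about.html">About</a>
<a href="https://intranet.corp.example/phonebook">Staff</a>
<a href="https://www.partner-site.example/">Partner</a>
<a href="http://cdn.example.net/lib.js">Library</a>
<a href="mailto:sales@corp.example">Contact sales</a>
<img src="/img/logo.png"><img src="https://cdn.example.net/banner.gif">
<form action="/cgi-bin/upload.pl" method="post">
  <input type="hidden" name="maxsize" value="2000000">
  <input type="hidden" name="debug" value="1">
</form>
<p>Site support: helpdesk@corp.example</p>
</body></html>"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_HTML, "https://www.corp.example/").items():
        print(f"{key}: {value}")
```

Run against your own pages, the report is a quick inventory of what the source gives away: the hidden `debug` field and the `cgi-bin` upload script in the sample are exactly the sort of item the lab asks you to note, and the e-mail address in the HTML comment shows why comments count as part of the published page.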

Gathering WHOIS Information with Sam Spade
1. Start the Sam Spade utility.
2. Enter the domain name address of interest in the text box located in the upper-left corner. (Note: You may need to remove the www. prefix from the address in order for this to function as described.)
3. On the toolbar, click the WHOIS button on the left side of the screen.
4. Record the registrant for your domain name:

5. Record the primary and secondary name servers for this domain:

6. Record the Administrative Contact name, address, and phone number for this domain:

7. Record the Technical Contact name, address, and phone number for this domain:

8. Record the Billing Contact name, address, and phone number for this domain (if that information is included in the display):

9. In the text box in the upper-left corner, explore each IP address you discovered in earlier steps by entering each number in turn. Note that the response provides information on which organization owns the IP address. This provides key information to hackers who seek to identify IP address ranges inside an organization. Note also the listed address range indicated. This is very valuable to a potential hacker. For the addresses, determine the IP address range:
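The last step asks for the IP address range. The following added Python example (not from the lab manual or the course) shows how to summarise a set of discovered addresses into the smallest CIDR block that covers them and how to compare them with the range a WHOIS record reports, which is how a defender checks that every address found really belongs to the organisation's allocation. The discovered addresses and the WHOIS range are constructed values in documentation address space.

```python
"""Summarise IP addresses discovered during the lab into an address range.

The addresses and the WHOIS-reported allocation are constructed for this example
(192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
"""
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network

# Constructed: addresses turned up while exploring the domain's servers.
DISCOVERED = ["192.0.2.20", "192.0.2.25", "192.0.2.10", "192.0.2.11"]
# Constructed: the range the registry's WHOIS record says the organisation holds.
WHOIS_RANGE = "192.0.2.0/24"


def covering_block(addresses):
    """Smallest single CIDR block that contains every address given.

    Starts from a host route on the lowest address and shortens the prefix one
    bit at a time until the highest address falls inside the same block.
    """
    ips = [ip_address(a) for a in addresses]
    if len({ip.version for ip in ips}) != 1:
        raise ValueError("mixed IPv4 and IPv6 addresses")
    ips.sort()
    first, last = ips[0], ips[-1]
    net_cls = IPv4Network if first.version == 4 else IPv6Network
    prefix = first.max_prefixlen
    block = net_cls((int(first), prefix))
    while last not in block:
        prefix -= 1
        block = net_cls((int(first), prefix), strict=False)  # mask off host bits
    return block


def range_summary(block):
    """(first address, last address, number of addresses) for a block."""
    return str(block.network_address), str(block.broadcast_address), block.num_addresses


def outside_range(addresses, cidr):
    """Addresses that do not belong to the organisation's allocated range."""
    net = ip_network(cidr)
    return [a for a in addresses if ip_address(a) not in net]


if __name__ == "__main__":
    block = covering_block(DISCOVERED)
    print("covering block:", block, range_summary(block))
    print("not in the WHOIS range:", outside_range(DISCOVERED + ["198.51.100.7"], WHOIS_RANGE))
```

For the sample addresses the covering block is 192.0.2.0/27, which sits inside the constructed WHOIS range; the extra address 198.51.100.7 is reported as outside it, the kind of address a third-party host (a content delivery network, a hosted mail service) would contribute and that should not be counted as part of the organisation's own range.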
