Assignment 1 - York University

Posted on 18-Jul-2020


1.1 Answer:
a. The system will have to assure confidentiality if it is being used to publish corporate proprietary material.
b. The system will have to assure integrity if it is being used to publish laws or regulations.
c. The system will have to assure availability if it is being used to publish a daily paper.


1.2 Phishing Report [20 points]

The term phishing originated from similarities between phishing scams and the activity of fishing: scammers would try to lure "fish" (victims) from a sea of potential victims (Reid, 2009). The "ph" substitution for "f" most likely came from the phreaking community of early telephone system hackers, some of whom possibly also engaged in phishing scams ("History of Phishing", n.d.). The first recorded use of the term happened in 1996 in a Usenet group called alt.online-service.america-online.

Phishing is effective because it is much easier to disguise the intentions of the attacker through online interactions than through physical ones. There are many phishing techniques, but the usual method of attack is to deceive victims into revealing sensitive information, either by having them type their credentials into a site the attacker controls (a phishing site) or by having them open a malicious link or an infected document attached to an email. The victims, and by extension the companies that employ them, are exposed to a wide variety of threats whose attack vectors involve visiting links and opening documents. The list of possible threats includes, but is not limited to, spyware, keyloggers, trojans, and identity theft ("What is phishing?", n.d.).

There are many ways to reduce users' susceptibility to phishing attacks; some are explained in the list below ("10 Ways", n.d.; "How to Prevent", n.d.).

I) Check emails carefully
Many phishing scams are carried out through email. The user can reduce the likelihood of falling for a phishing scam by carefully reading the email and inspecting every link and attached document before acting on it. Signs that usually raise red flags are generic greetings (sir/madam instead of your name), fictional personnel at a legitimate company, and misleading links: the visible text says www.facebook.com, but the link actually takes you to www.scam.com, or to a lookalike such as www.facebook.scam.com, whose registrable domain is scam.com rather than facebook.com. Hovering over a link shows its real target before it is clicked.

II) Be careful when giving out personal information
Many phishing emails direct the victim to a perfect replica of a legitimate login page, prompting the victim to enter financial or personal credentials that are then delivered into the hands of the attacker. A good rule is to never enter sensitive information into forms on pages linked from an email. If the user needs to log in, he or she should type the URL of the desired webpage directly into the browser.

III) Check in with online accounts (and change passwords) regularly
Frequently monitoring your online accounts allows a faster response to phishing if you are already a victim. Changing passwords regularly limits the window during which a phished password remains useful to the attacker.

IV) Use protective software (anti-phishing, anti-malware, and anti-virus software)
Anti-phishing software holds information about a large number of known phishing websites and warns the user to stay away from these links, or blocks access to these websites altogether. Anti-malware and anti-virus software can protect the user from opening infected documents or launching malicious programs that are often attached to phishing emails, or, if a malicious program is already launched, block the attack ("Anti-Phishing Software", n.d.).

Randy Ding - Copyright

References

10 Ways to Avoid Phishing Scams. (n.d.). Retrieved Sep 30, 2013, from http://www.phishing.org/scams/avoid-phishing/

Anti-Phishing Software. (n.d.). Retrieved Sep 30, 2013, from http://www.phishing.org/resources/anti-phishing-software/

History of Phishing. (n.d.). Retrieved Sep 30, 2013, from http://www.phishing.org/history-of-phishing/

How to Prevent Phishing Scams. (n.d.). Retrieved Sep 30, 2013, from http://www.phishing.org/scams/prevent-phishing/

Reid, C.E. (2009). Retrieved Sep 30, 2013, from http://www.allspammedup.com/2009/02/history-of-phishing/

What is phishing? (n.d.). Retrieved Sep 30, 2013, from http://www.securelist.com/en/threats/spam?chapter=85


1.3 Information Security Program/Department at York University [15 points]
In this question, your task is to identify which (if any) of the three Info. Sec. organizational models, previously discussed in class, apply to York University: a) Info. Sec. under IT; b) Info. Sec. under Administrative Services; c) Info. Sec. under Risk Management?

York University's Information Security department is under the York University Information Technology department (UIT).

[Screenshot: York Atlas Phone and E-mail Directory, Office of the Chief Information Officer, University Information Technology (UIT). Legible personnel entries include the Chief Information Officer, an Administrative Officer, an Executive Officer, the Director of Applications and Integration, Christopher Russel as Director, ICT Infrastructure & Information Security Officer, the Director of Service Management, and budget and administrative staff. Related departments listed under UIT: Office of the Chief Information Officer; ICT Infrastructure; Applications and Integration; Information Security; Client Solutions and Services; Enterprise Data Warehouse and Data Management.]

In addition, answer the following:
• What is the name of York's Information Security Officer?
Christopher Russel.

• What are your general comments about the Information Security model employed at York? Name one key advantage and one key disadvantage of this model.

The advantage of having IT security under general IT is the ease of communication between the IT security department and its parent department, since the personnel of both departments are technically proficient in IT.

The key disadvantage is related to the scope of the IT security department's influence. Since the security department is localized within the general IT department, the influence of its security policies tends to stay within the IT department. Compare the approach of placing IT security under administrative services, in which case the policies, guidelines, and procedures implemented by IT security would be relatively more global (i.e. implemented across all departments of the university as part of general administration).


1.4 Security Policy [4 points]
A senior trader (Joe) had left a brokerage (BB-Co) and was hired by a competing brokerage (CC-Co). Shortly thereafter, BB-Co lost two clients who said they were moving to a competing firm; their personal data files disappeared mysteriously from the company's database. In addition, a year-end recommendations report that the senior trader had been preparing was released two weeks early by the competing brokerage. The security policy that is currently implemented at BB-Co states the following: "On termination, employees shall surrender any laptop, disks, or computer manuals they have in their possession, and they shall not take with them any hardware or software when they leave the office." What change would you make to the existing policy so that security is improved after employees are terminated?

The problem here is two-fold.

Firstly, Joe was able to access and remove clients' personal data files from BB-Co's database after he left the company. This means that Joe's credentials and access rights to the database were still active after his departure. The shortcoming of the current policy is that it does not state that all of the employee's access privileges to company resources (accounts, passwords, keys, remote access) shall be revoked on termination.

Secondly, Joe took a year-end recommendations report with him to the competing company. The report is not "any laptop, disks, or computer manuals", nor is it "any hardware or software"; it is data, or confidential information. The policy should therefore also require the surrender of any data or confidential information upon termination and, similarly, state that employees shall not take any data or confidential information (in addition to hardware or software) with them when they leave the office.

Part II - Practical Questions

1. IPCONFIG:

1.a) Screenshot of the output obtained by performing 'ipconfig /all' on your computer:

[Screenshot of 'ipconfig /all' output. Legible fields: Ethernet adapter Local Area Connection; connection-specific DNS suffix phub.net.cable.rogers.com; description Realtek PCIe GBE Family Controller; physical address ending 7E-18-83-1D; DHCP and autoconfiguration enabled; a link-local IPv6 address; an IPv4 address in 192.168.0.0/24 (last octet unreadable); subnet mask 255.255.255.0; lease obtained Sunday, September 29, 2013 and expiring Monday, September 30, 2013; default gateway, DHCP server and DNS server all 192.168.0.1; NetBIOS over TCP/IP enabled. Two further adapters are shown: a Microsoft ISATAP tunnel adapter (media disconnected) and a Teredo Tunneling Pseudo-Interface with a Teredo (2001:0::/32) address and a link-local address.]


1.b) Answers to questions 1 - 4.

1. What is the practical difference between an IP address and a physical (MAC) address?
An IP address identifies a device's location within an IP network and is what routers use to forward traffic between the device and other devices, inside and outside the local network. It is assigned by configuration or DHCP, can change, and is not necessarily globally unique (the 192.168.0.x addresses in the screenshot are private and reused in countless LANs). A MAC address is the identifier of a network interface at the link layer: it is burned in by the manufacturer and intended to be globally unique, it is only used on the local network segment (it never crosses a router), and it can be overridden in software, so it should not be trusted as proof of identity.

2. What is the "Default Gateway"?
The default gateway is the router to which a host sends packets whose destination is not on its own subnet, e.g. the router that connects the computers in a LAN to the Internet. In the screenshot it is 192.168.0.1.

3. What do DNS servers do?
DNS (Domain Name System) servers translate human-readable domain and host names into IP addresses (and back). This spares users from memorizing IP addresses when accessing networked resources, and lets a name move between addresses without clients noticing.

4. What is a subnet mask?
A subnet mask separates an IP address into its network and host portions. A bitwise AND of the address with the mask yields the network portion; an AND with the inverted mask yields the host portion. For 192.168.0.x with mask 255.255.255.0, the network is 192.168.0.0 and the host is x. Subnet masks are used in subnetting, which breaks an IP network into smaller subnetworks for organizational or security purposes (e.g. separating servers from workstations so that traffic between them must pass through a router or firewall).
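The mask arithmetic from question 4 and the routing decision behind question 2, as an added Python example that is not part of the original assignment. It uses the mask and gateway visible in the ipconfig screenshot (255.255.255.0 and 192.168.0.1); the host address 192.168.0.107 is assumed because the screenshot's value is unreadable, and www.utah.edu's 155.97.137.55 is taken from the ping output below.

```python
# Added example (not the assignment's own code): network/host split, the
# "same subnet or via the gateway" decision, and carving a network into subnets.
import ipaddress


def split_address(ip: str, mask: str):
    """Return (network, host) portions: network = ip AND mask, host = ip AND NOT mask."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    network = ipaddress.IPv4Address(ip_int & mask_int)
    host = ipaddress.IPv4Address(ip_int & (~mask_int & 0xFFFFFFFF))
    return str(network), str(host)


def next_hop(src_ip: str, mask: str, gateway: str, dst_ip: str) -> str:
    """Where the host sends a packet: directly to dst if it shares the subnet,
    otherwise to the default gateway (which then routes it onward)."""
    net = ipaddress.IPv4Network(f"{src_ip}/{mask}", strict=False)
    if ipaddress.IPv4Address(dst_ip) in net:
        return dst_ip
    return gateway


def subnet_plan(network: str, pieces: int):
    """Split a network into 'pieces' equal subnets; pieces must be a power of two."""
    if pieces < 1 or pieces & (pieces - 1):
        raise ValueError("pieces must be a power of two")
    net = ipaddress.IPv4Network(network)
    return [str(s) for s in net.subnets(prefixlen_diff=pieces.bit_length() - 1)]


if __name__ == "__main__":
    # Assumed host 192.168.0.107 on the screenshot's 192.168.0.0/24 with gateway 192.168.0.1.
    print(split_address("192.168.0.107", "255.255.255.0"))
    print(next_hop("192.168.0.107", "255.255.255.0", "192.168.0.1", "155.97.137.55"))
    print(subnet_plan("192.168.0.0/24", 4))
```

A host whose mask is wrong (say 255.255.0.0 on this network) would treat 192.168.5.x as local and ARP for it instead of using the gateway, which is one of the classic "ping works to the router but not beyond" symptoms.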

2. PING
2.a) Screenshot of the output obtained by performing 'ping www.utah.edu':

[Screenshot: Pinging www.utah.edu [155.97.137.55] with 32 bytes of data; four replies from 155.97.137.55, each bytes=32, with round-trip times between about 65 and 71 ms and TTL=240. Ping statistics for 155.97.137.55: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss). The minimum/maximum/average round-trip line is illegible.]

2.b) Answers to questions 1 - 4.

1. Why does it send 4 packets?
Four is the default packet count of the Windows ping command (it can be changed with -n). The Linux ping utility, by contrast, usually keeps sending until the user stops it, unless a count is given with -c.

2. What is a TTL?
TTL (Time To Live) is an 8-bit field in the IP header that bounds the number of "hops" a packet may take: each router that forwards the packet decrements it by at least 1 and discards the packet, returning an ICMP Time Exceeded message, when it reaches 0. The TTL that ping prints is the one on the echo reply, so it was set by the destination host's stack, not by Windows: Windows uses an initial TTL of 128, Linux 64, and many Unix systems and network devices 255. A reply TTL of 240 therefore points to an initial value of 255 and 15 routers on the return path from www.utah.edu (255 - 240 = 15).

3. How do packets get lost?
Packets can be lost through signal degradation or errors on the network medium, drops caused by congestion (full router queues), faulty hardware, or a firewall or rate limiter that deliberately discards ICMP traffic.

4. Does each hostname have an IP address assigned to it?
Not necessarily. A hostname resolves to an address only if its DNS zone contains an A (IPv4) or AAAA (IPv6) record for it; a name without such a record cannot be reached by name, even though the host may still be reachable by its IP address.


3. TRACERT
3.a) Screenshot of the output obtained by performing 'tracert www.utah.edu':

[Screenshot: trace to www.utah.edu [155.97.137.55]. Legible hops, in order: the Rogers cable gateway 7.23.116.1 (phub.net.cable.rogers.com), 69.63.242.161, a 69.63.248.x router, several backbone routers whose hostnames are only partly legible (fragments such as jfk, ord and slc01 with an atlas.cogentco.com suffix), 38.104.174.66, 140.197.253.23, utah.edu routers at 199.104.93.193 and 199.104.93.218 (a 205.124.249.x address is also visible), 155.99.139.158 as read, and finally 155.97.137.55. Trace complete.]

3.b) Answers to questions 1 - 4.

1. How many computers do you go through each time you click on a Web site?
At least two (the router of your local area network and the router at the edge of the website's network), plus the DNS server that resolves the name. In practice there are many more routers between your device and the destination as the geographical separation grows; the trace above passes through more than ten.

2. Why are some links slower than others?
A link may be slower because it is congested, uses a slower medium, terminates on an overloaded router, or spans a long distance (e.g. a hop that crosses an ocean, where propagation delay alone adds tens of milliseconds).

3. Who owns all those computers/routers that route the packets?
The principal data routes (the Internet backbone) between large networks are owned mostly by telecommunication carriers and by large commercial or academic institutions operating high-capacity network centres; governments and research networks own some of them as well. The trace above passes routers belonging to a cable provider (Rogers), a backbone carrier (Cogent) and the University of Utah.

4. How does the tracert program actually work?
The Windows implementation of tracert sends ICMP echo request packets to the destination. Each router along the route must decrease the packet's TTL by at least 1 and return an ICMP Time Exceeded message if the TTL reaches 0. By sending packets with increasing TTL (starting from 1) and recording which router returned each Time Exceeded message, tracert builds the list of routers the packet passes through until it reaches the destination, which answers with an ICMP Echo Reply. (The Unix traceroute works the same way but by default sends UDP probes to high-numbered ports, so the destination answers with ICMP Port Unreachable instead.) Routers that rate-limit or drop ICMP show up as "Request timed out" hops without breaking the rest of the trace.
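A toy model of the TTL mechanics behind the reply TTL in question 2 of section 2.b and the tracert algorithm in question 4 above, as an added example that is not part of the original assignment. No packets are sent: the path is a constructed list of router addresses loosely based on the trace screenshot, each "router" decrements the TTL and answers Time Exceeded when it reaches zero, and the destination answers Echo Reply with an assumed initial TTL of 255.

```python
# Added example (not the assignment's own code): TTL expiry, the tracert probing
# loop, and estimating return-path hops from an observed reply TTL.
PATH = ["7.23.116.1", "69.63.242.161", "69.63.248.87", "38.104.174.66",
        "140.197.253.23", "199.104.93.193"]   # constructed hop addresses
DEST = "155.97.137.55"                          # www.utah.edu in the screenshot
DEST_INITIAL_TTL = 255                          # assumed initial TTL of the destination stack


def forward(ttl: int):
    """Forward one probe along PATH. Returns (responder, kind): 'time_exceeded'
    from the router that saw TTL hit 0, or 'echo_reply' from the destination."""
    for router in PATH:
        ttl -= 1
        if ttl == 0:
            return router, "time_exceeded"
    return DEST, "echo_reply"


def traceroute(max_hops: int = 30):
    """tracert's loop: probe with TTL 1, 2, 3, ... and record who answered."""
    hops = []
    for ttl in range(1, max_hops + 1):
        who, kind = forward(ttl)
        hops.append(who)
        if kind == "echo_reply":
            break
    return hops


def reply_ttl_seen_by_sender() -> int:
    """TTL on the echo reply when it gets back: every router on the return path
    decrements the value the destination started with."""
    return DEST_INITIAL_TTL - len(PATH)


def estimate_hops(observed_ttl: int) -> int:
    """Guess the return-path hop count from a reply TTL by assuming the nearest
    common initial TTL above it (64 Linux, 128 Windows, 255 many Unix systems
    and network devices). 240 -> 15, as in the ping screenshot."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL is an 8-bit field")
    initial = min(t for t in (64, 128, 255) if t >= observed_ttl)
    return initial - observed_ttl


if __name__ == "__main__":
    for n, hop in enumerate(traceroute(), start=1):
        print(f"{n:3d}  {hop}")
    print("reply TTL:", reply_ttl_seen_by_sender(), "->", estimate_hops(240), "hops for TTL 240")
```

The estimate is only a heuristic: an unusual initial TTL, or asymmetric forward and return paths, makes it wrong, which is also why passive OS fingerprinting from TTL alone is unreliable.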

4. NETSTAT
4.a) Screenshot of the output obtained by performing 'netstat' on your computer (not legible in this transcript).

4.b) Answers to questions 1 - 4.

1. How can netstat help you track the information coming in and out of your computer?
netstat lists every socket on the machine: with -a all listening ports and active connections, with -n numeric addresses instead of names, with -o the owning process ID, and with -b (from an elevated prompt) the executable that opened each port. Comparing that list with what you expect to be running reveals unexpected listeners and outbound connections.


2. How can netstat help you diagnose network problems?
netstat displays the state of each TCP connection (LISTENING, ESTABLISHED, CLOSE_WAIT, TIME_WAIT, and so on), which helps debug problems such as a server closing a connection prematurely or an application not closing its sockets (a pile-up of CLOSE_WAIT entries). It also shows whether a service is actually listening on its port, how many clients or servers are connected, and similar information.

3. How would the routing table (netstat -r) be useful?
netstat -r prints the routing table: for each destination prefix, the gateway and interface used and a metric. Lower metrics are preferred, so the table shows why traffic for a destination leaves through a particular interface or gateway, and it makes an unexpected route (for example a new default gateway added by VPN software or by an attacker) easy to spot.

4. Why would someone need different statistics for IP, IPv6, ICMP, TCP, UDP, etc.?
The per-protocol statistics (netstat -s) keep separate counters for IP, IPv6, ICMP, TCP and UDP: packets and errors, retransmissions, discarded datagrams, and ICMP message counts by type. Someone running a web service would use them to see what kinds of traffic reach the servers by protocol; spikes in ICMP messages or failed TCP connection attempts can also indicate scanning or a flood.
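The -a/-n/-o listing from question 1, parsed and compared against a baseline of expected listeners, as an added example that is not the assignment's own code. The netstat -ano output is constructed here to mirror the Windows column layout; the addresses, PIDs and the port 4444 listener are invented for illustration.

```python
# Added example (not the assignment's own code): parse 'netstat -ano' output,
# list listeners, flag ones missing from a baseline, and tally TCP states.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.107:49200    157.166.249.10:80      ESTABLISHED     2716
  TCP    192.168.0.107:49211    155.97.137.55:443      TIME_WAIT       0
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:5355           *:*                                    1088
"""  # constructed sample; values are made up


def parse_netstat(text: str):
    """One dict per socket line. TCP lines carry a State column, UDP lines do not."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # title, header or blank line
        proto, local, foreign = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])
        port = int(local.rsplit(":", 1)[1])  # rsplit copes with IPv6 like [::]:135
        entries.append({"proto": proto, "local": local, "port": port,
                        "foreign": foreign, "state": state, "pid": pid})
    return entries


def listening_ports(entries):
    """(proto, port) pairs that accept inbound traffic; UDP sockets count as listeners."""
    return {(e["proto"], e["port"]) for e in entries
            if e["proto"] == "UDP" or e["state"] == "LISTENING"}


def unexpected_listeners(entries, baseline):
    """Listeners outside the baseline, with the PID to chase (tasklist /fi "PID eq N")."""
    suspicious = listening_ports(entries) - set(baseline)
    return sorted({(e["proto"], e["port"], e["pid"]) for e in entries
                   if (e["proto"], e["port"]) in suspicious})


def connection_states(entries):
    """TCP socket count per state; many CLOSE_WAIT or TIME_WAIT entries point at an app problem."""
    counts = {}
    for e in entries:
        if e["proto"] == "TCP":
            counts[e["state"]] = counts.get(e["state"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(unexpected_listeners(rows, [("TCP", 135), ("TCP", 445), ("UDP", 5355)]))
    print(connection_states(rows))
```

On a real machine the baseline comes from a known-good snapshot of the same host; a listener that is not in it is not automatically malicious, but it is the first thing to look up by PID.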

5. NSLOOKUP
5.a) Screenshot of the output obtained by performing 'nslookup www.cnn.com' on your computer:

[Screenshot: nslookup www.cnn.com. Server: 192.168.0.1, the same address that ipconfig listed as the DNS server. The answer lists four addresses for www.cnn.com, read from the screenshot as 157.166.249.10, 157.166.249.11, 157.166.248.10 and 157.166.248.11.]

5.b) Answers to questions 1 - 4.

1. Why are there multiple IP addresses associated with a single domain name?
Large organizations often have domains that resolve to multiple IP addresses as part of DNS-based load balancing (round-robin DNS): the DNS server rotates the order of the addresses in successive responses, and clients typically use the first one. It also provides redundancy, since a client can fall back to another address if one server is down.

2. Why did nslookup query fiber1.utah.edu instead of querying www.cnn.com directly?
fiber1.utah.edu is the default DNS server of the host shown in the course example (in the screenshot above it is 192.168.0.1 instead). nslookup never contacts www.cnn.com itself; it asks the configured resolver, which answers from its cache or queries the authoritative servers on the client's behalf.

3. How could someone use nslookup in an unethical manner?
nslookup gives an attacker valuable reconnaissance. For example, an attacker who wants to exploit a mail server vulnerability can start by looking up the IP addresses of the organization's mail servers through its MX records (set type=mx in nslookup), or list its name servers (set type=ns); nslookup's ls command attempts a zone transfer, which on a misconfigured server lists every host in the zone.

4. How do domain names and IP addresses get registered?
Domain names are registered through a domain name registrar, which records the owner and the domain's authoritative name servers with the registry for the top-level domain; the TLD's name servers then delegate the domain to those authoritative servers, where the owner publishes the records that map names to IP addresses. IP addresses themselves are not obtained from registrars; they are allocated by the regional Internet registries to ISPs and large organizations.
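What the resolver exchange behind nslookup looks like on the wire, as an added example that is not part of the original assignment: a minimal DNS query builder and response parser in Python, with a constructed response carrying the four www.cnn.com addresses read from the screenshot, plus an MX record for the set type=mx case from question 3. Nothing is sent over the network; build_response fabricates the reply bytes locally, and the MX host mail.cnn.com is an assumption.

```python
# Added example (not the assignment's own code): DNS messages at the byte level.
import struct

TYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "AAAA": 28}


def encode_name(name: str) -> bytes:
    """Wire form of a name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Header (id, flags with RD set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPES[qtype], 1)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer to an earlier copy of the name
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                 # the name's bytes stop after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes):
    """Return (transaction id, [(name, type, ttl, value)]) for the answer section."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPES["A"]:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPES["MX"]:
            pref = struct.unpack("!H", rdata[:2])[0]
            value = f"{pref} {decode_name(msg, off + 2)[0]}"
        else:
            value = rdata.hex()
        records.append((name, rtype, ttl, value))
        off += rdlen
    return txid, records


def build_response(query: bytes, answers) -> bytes:
    """Constructed reply: echo the question, then one record per (type, ttl, rdata),
    each naming its owner through the compression pointer 0xC00C (offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
                    for rtype, ttl, rdata in answers)
    return header + query[12:] + body


def a_records(ips, ttl=300):
    return [(TYPES["A"], ttl, bytes(int(o) for o in ip.split("."))) for ip in ips]


def mx_record(preference: int, host: str, ttl=3600):
    return (TYPES["MX"], ttl, struct.pack("!H", preference) + encode_name(host))
```

To see a real answer, send build_query("www.cnn.com", "A") as a UDP datagram to port 53 of the resolver and pass the reply to parse_response; checking that the transaction id matches the query (and, in real resolvers, that the source port does too) is the basic defence against spoofed replies.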
