tutorial practical three

Upload: akshat-agarwal

Posted on 19-Oct-2015


Tutorial/Practical 3 (Week 4) CP3302/CP5603

Remarks:

This tutorial/practical consists of some tutorial-type questions that are chosen from the Review Questions in Chapter 4 of the textbook, as well as some practical-type questions that are chosen from: Michael E. Whitman and Herbert J. Mattord, Hands-On Information Security Lab Manual (third edition), Course Technology, Cengage Learning, USA, 2011.

This tutorial/practical may not be completed in the scheduled practical session for this subject, so you are strongly recommended to complete it in your own time (note that students are expected to work 10 hours per week on this subject, including 3 hours of contact time).

Due to security issues, you may not be allowed to practise all commands and programs of the practical-type questions on the university's computers. Interested students are therefore encouraged to do this section on their own computers (if available). You will not be assessed on utilities/commands that cannot be practised on university computers.

1. (Review Question 1) What is risk management? Why is identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?

2. (Review Question 3) Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?

3. (Review Question 4) In risk management strategies, why must periodic review be a part of the process?

4. (Review Question 5) Why do networking components need more examination from an information security perspective than from a systems development perspective?

5. (Review Question 6) What value does an automated asset inventory system have for the risk identification process?

6. (Review Question 8) Which is more important to the systems components classification scheme, that the list be comprehensive or mutually exclusive?

7. (Review Question 9) What's the difference between an asset's ability to generate revenue and its ability to generate profit?

8. (Review Question 10) What are vulnerabilities and how do you identify them?

9. (Review Question 11) What is competitive disadvantage? Why has it emerged as a factor?

10. (Review Question 12) What are the strategies for controlling risk as described in this chapter?

11. (Review Question 13) Describe the defend strategy. List and describe the three common methods.

12. (Review Question 14) Describe the transfer strategy. Describe how outsourcing can be used for this purpose.

13. (Review Question 15) Describe the mitigate strategy. What three planning approaches are discussed in the text as opportunities to mitigate risk?

14. (Review Question 16) How is an incident response plan different from a disaster recovery plan?

15. (Review Question 17) What is risk appetite? Explain why risk appetite varies from organization to organization.

16. (Review Question 18) What is a Cost Benefit Analysis?

17. (Review Question 19) What is the definition of single loss expectancy? What is annual loss expectancy?

18. (Review Question 20) What is residual risk?

Lab 3

Materials Required

Microsoft Windows XP Professional or Microsoft Windows Vista Business. One or more IP addresses and Domain Name System (DNS) names. A Web browser: Microsoft Internet Explorer or Mozilla Firefox. Sam Spade version 1.14 for Windows (a freeware utility program).

Warning: Misuse of the Sam Spade utility can result in loss of network access privileges, academic probation, suspension or expulsion, and possible prosecution by law enforcement agencies.

Background (The Domain Name System)

The Domain Name System (DNS) is a hierarchical and distributed data management tool used to make the connection between word-based domain names and the numeric IP addresses used by hosts on the Internet. DNS allows the lookup of a fully qualified domain name (FQDN) to return the associated IP address; it can also be used for a reverse lookup of an IP address to find the associated domain name. Typical use of DNS involves a series of local and remote DNS servers and a sequence of lookup steps to perform these lookups or reverse lookups.

A complete discussion of the Domain Name System is extremely complex and thus beyond the scope of this lab exercise. For a more detailed discussion refer to RFCs 1034 (Domain Names - Concepts and Facilities) and 1035 (Domain Names - Implementation and Specification).

One aspect that should be addressed here is the DNS zone transfer. A zone transfer is a request, usually from a secondary master name server to a primary master name server, that allows the secondary master to update its DNS database. Unless this process is restricted, it can provide a very detailed set of information about an organization's network to virtually anyone with the ability and desire to access it.

The standard method to conduct a DNS query uses Nslookup, a UNIX-based utility created by Andrew Cherenson to query Internet domain name servers. There is an equivalent program available for Windows. Its primary use is identifying IP addresses corresponding to entered domain names and identifying domain names corresponding to entered IP addresses.

Background (DNS Zone Transfer)

A DNS zone transfer is an advanced query on a name server asking it for all the information it contains about a queried domain name. This works only if the name server is authoritative (responsible) for that domain. DNS zone transfers border on improper use of the Internet and as such should be performed with caution. Many name servers disable zone transfers.

Background (Network Reconnaissance)

Network reconnaissance is a broad description for a set of activities designed to map out the size and scope of a network using Internet utilities. This includes the number and addresses of available servers, border routers, and the like. Two of the most common utilities used are ping and traceroute.

Web Reconnaissance Using Sam Spade

Gathering Web site information with Sam Spade

Start the Sam Spade utility.

Enter the IP number or DNS name in the text box located in the upper-left corner of the Sam Spade window.

On the menu bar, click Tools, and then click Browse web (or select the Web toolbar button from the left toolbar).

Click OK after the Open URL dialog box opens.

Attempt to identify key pieces of information about the organization from the HTML source code.

If you can determine the name of the individual who wrote the code, record it here:

If any are listed, record the addresses of the first two Web sites located outside the target organization referred to in the code:

Record the first two links to other Web servers located inside the target organization that are referred to in the code:

Record any CGI scripts pointing to directories containing executable code (such as programs, applications, or other scripts or commands):

Web Crawling with Sam Spade

Sam Spade has an advanced tool called Web Crawler that allows you to perform Web reconnaissance. You can use this specialized utility to simultaneously gather information from several interconnected Web pages.

If it is not already open, start the Sam Spade utility.

Enter the IP number or domain (DNS) address in the text box located in the upper-left corner of the Sam Spade window.

On the menu bar, click Tools, and then click Crawl website. As you can see, several options allow the user to browse not only the entered URL, but all subordinate pages, linked pages, hidden form values, images, and the like. Using Web Crawler gives an individual greater capability in rooting out organizational information.

To use Web Crawler to find information you did not discover in your previous review of the source code, enter the address in the "Crawl all URLs below" text box, click the "Search website for" option, and then select the following options: E-mail addresses, Images on other servers, Links to other servers, and Hidden form values. Click OK after the Crawl website dialog box opens.

Record the first two e-mail addresses referred to in the code:

Record the first two images on other servers referred to in the code:

Record the addresses of the first two Web sites located outside the target organization referred to in the code:

Record the first two hidden form values referred to in the code:

Record the first two images on the target server referred to in the code:

Record the first two links to other Web servers located inside the target organization that are referred to in the code:

Gathering WHOIS Information with Sam Spade

1. Start the Sam Spade utility.

2. Enter the domain name address of interest in the text box located in the upper-left corner. (Note: you may need to remove the "www." prefix from the address in order for this to function as described.)

3. On the toolbar, click the WHOIS button on the left side of the screen.

4. Record the registrant for your domain name:

5. Record the primary and secondary name servers for this domain:

6. Record the Administrative Contact name, address, and phone number for this domain:

7. Record the Technical Contact name, address, and phone number for this domain:

8. Record the Billing Contact name, address, and phone number for this domain (if that information is included in the display):

In the text box in the upper-left corner, explore each IP address you discovered in earlier steps by entering each number in turn. Note that the response provides information on which organization owns the IP address. This provides key information to hackers who seek to identify IP address ranges inside an organization. Note also the listed address range indicated. This is very valuable to a potential hacker.

For the addresses, determine the IP address range:

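The range the last step asks for can be worked out mechanically from the host addresses and the WHOIS NetRange recorded earlier, and the same addresses give the names used for the reverse lookups described in the DNS background. The following Python is an added example, not part of the lab sheet or of Sam Spade; the discovered hosts and the NetRange line are constructed sample values taken from the RFC 5737 documentation blocks.

```python
"""Turn addresses gathered in the lab into a recorded IP address range."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample data (RFC 5737 documentation addresses): hosts found by
# forward lookups in earlier steps, and a NetRange line as WHOIS prints it.
DISCOVERED_HOSTS = ["192.0.2.10", "192.0.2.20", "192.0.2.33", "198.51.100.7"]
WHOIS_NET_RANGE = "192.0.2.0 - 192.0.2.63"


def reverse_name(ip: str) -> str:
    """Owner name queried by a reverse (PTR) lookup of `ip`.

    IPv4 reverses the octets under in-addr.arpa (RFC 1035); IPv6 reverses
    all 32 hex nibbles under ip6.arpa (RFC 3596). The standard library also
    exposes this as ipaddress.ip_address(ip).reverse_pointer.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # zero-padded, 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def parse_net_range(net_range: str) -> list:
    """CIDR blocks equivalent to a WHOIS 'first - last' NetRange line."""
    first, last = (ipaddress.ip_address(p.strip()) for p in net_range.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def covering_range(ips: Iterable[str]) -> list:
    """Smallest CIDR blocks spanning the lowest to the highest address: the
    range to record once the hosts are known to be one organisation's."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    return list(ipaddress.summarize_address_range(addrs[0], addrs[-1]))


def split_by_registration(ips: Iterable[str],
                          net_range: str) -> Tuple[List[str], List[str]]:
    """Split hosts into those inside the registered NetRange and those outside.

    Hosts outside it belong to someone else (hosting provider, CDN, partner)
    and must not be counted as the organisation's own address space.
    """
    blocks = parse_net_range(net_range)
    inside = [ip for ip in ips
              if any(ipaddress.ip_address(ip) in b for b in blocks)]
    outside = [ip for ip in ips if ip not in inside]
    return inside, outside
```

Run `covering_range` only on the hosts that `split_by_registration` places inside the NetRange; otherwise an address on a third-party server stretches the recorded range across space the organization does not own.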