Sec+lab.

book Page 1 Tuesday, June 15, 2004 4:59 PM

LAB 1

EXAMINING SECURITY THREATS AND VULNERABILITIES

This lab contains the following exercises and activities:

Exercise 1-1: Identifying Types of Attackers That Might Attack a Network Exercise 1-2: Identifying Threats, Vulnerabilities, and Defenses Against Attacks Exercise 1-3: Calculating Risk Exercise 1-4: Classifying Attacks and Identifying Defensive Measures Exercise 1-5: Applying Basic Security Guidelines Lab Review Questions Lab Challenge 1-1: Comparing Qualitative and Quantitative Risk Analysis

After completing this lab, you will be able to

Identify types of attackers. Identify threats to a network, vulnerabilities of a network, and defensive measures that network security personnel can take to defend against attacks. Determine security risks. Classify attacks. Identify possible defenses to network attacks. Apply basic security guidelines.

Estimated completion time: 85 minutes

Sec+lab.book Page 2 Tuesday, June 15, 2004 4:59 PM

LAB 1:

EXAMINING SECURITY THREATS AND VULNERABILITIES

SCENARIO
Contoso Pharmaceuticals manufactures prescription drugs for a worldwide market. It has 18,000 employees in offices throughout the world. The company hosts its own Web servers for public Internet information and extranet transactions with customers. Despite growing into a large company over the years, Contoso has never had an organized plan for designing its network. As a result, the security structure of the network is inconsistent and, in some places, nonexistent. The Chief Information Officer (CIO) has directed the security department to explore the ways that the network could be attacked. You have been assigned to a team that will brainstorm about potential threats and vulnerabilities to the network. You will also suggest defense strategies that the company can take to secure the network. You will then present your suggestions and recommendations to a senior management committee (the rest of the class).

EXERCISE 1-1: IDENTIFYING TYPES OF ATTACKERS WHO MIGHT ATTACK A NETWORK

Estimated completion time: 10 minutes In this exercise, you will work together as a class to discuss the types of attackers who pose a threat to Contoso Pharmaceuticals. In five minutes, list all people who might want to attack Contoso and what their motivation might be.
______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________

Sec+lab.book Page 3 Tuesday, June 15, 2004 4:59 PM

LAB 1:

EXAMINING SECURITY THREATS AND VULNERABILITIES

EXERCISE 1-2: IDENTIFYING THREATS, VULNERABILITIES, AND DEFENSES AGAINST ATTACKS

Estimated completion time: 20 minutes In this exercise, you will work in small groups. Each group should select one of the attackers listed in Exercise 1-1, Identifying Types of Attackers Who Might Attack a Network. Then, using the instructions below, complete the table on page 4.
1. In the first column, list all the threats that this type of attacker poses. 2. In the second column, list the vulnerabilities that would allow the attack to occur. 3. In the third column, list the defensive measures that Contoso should take. Select from the following list of defensive measures for your entries in the third column of your table.
Defensive Measure Description

Account security Antivirus software

Create accounts only when needed, grant minimal permissions to get the job done, and remove access when it is no longer required. Use applications that automatically remove malicious software such as viruses, worms, and Trojan horses. Keep antivirus software updated to respond to new threats. Monitor the activities of services, users, and administrators to verify compliance with security policies. Archive and review log files. Use a digital signature. For example, use a digital signature to ensure the integrity of data or verify the identity of a sender. Obscure information so it cannot be understood by an unauthorized person. Install and properly configure a firewall to control and monitor inbound and outbound traffic. Use IDS to alert network administrators of activity resembling known attacks. Choose passwords that are difficult to guess or break. Change passwords frequently, but not too frequently or users will use unsafe ways to remember passwords. Require unique passwords that follow appropriate standards for complexity and length. Audit for compliance with password security. Know what is installed on your system by default. Use the security features built into your applications. Make sure they are configured for the maximum allowable security. Follow the best practices recommended by the manufacturer.

Auditing Digital signature Encryption Firewall ID (intrusion detection) [also IDS, intrusion detection system] Password security

Proper configuration

Sec+lab.book Page 4 Tuesday, June 15, 2004 4:59 PM

LAB 1:

EXAMINING SECURITY THREATS AND VULNERABILITIES

Defensive Measure

Description

Physical security

Restrict physical access to any of the following components: hardware; software; firmware; data media, such as disks, backup tapes, and Zip drives. Control entry to buildings and rooms by locks or access cards. Dont use untrusted systems. Create a tested standard for configuring all computers of a specific type. Test and apply different baselines for different resources, such as a secure e-mail server, Web server, file server, or desktop computer. Verify that the system maintains a secure configuration. Create documents that specify all security policies. Use technology to enforce security policies whenever possible. Apply software updates to fix known problems with operating systems or applications. Problems with software can allow attackers to bypass security controls. Train users to follow safe computing practices.

Secure baseline

Security policies Software updates

User education

Attacker:

Threat

Vulnerability

Defense Against the Attack

Sec+lab.book Page 5 Tuesday, June 15, 2004 4:59 PM

LAB 1:

EXAMINING SECURITY THREATS AND VULNERABILITIES

Threat

Vulnerability

Defense Against the Attack

4. When all groups are finished, present your attack scenarios to the other students in the class as though they were a senior management committee.
QUESTION What is the difference between a threat and a vulnerability?

EXERCISE 1-3: CALCULATING RISK

Estimated completion time: 15 minutes In this exercise, you will work with the group you formed for the previous exercise to perform a quantitative risk analysis to justify the use of antivirus software for a branch office of Contoso Pharmaceuticals. The branch office needs a direct connection to the Internet so that employees can better perform work-related tasks, such as research on competitors products. Management is concerned that a direct connection to the Internet will expose the branch office to an increased threat from viruses.
Use the following information to justify the purchase of antivirus software for the branch office:

Number of computer workstations: 200 Cost of antivirus licenses for all workstations: $4,000.00 Estimated amount of time to install antivirus software on each workstation: 0.5 hours Average hourly wage of IT support personnel: $20.00 per hour Average estimated loss of productivity (in hours) for each user when a workstation is infected with a virus: 2.5 hours Estimated monetary loss for each lost hour of productivity: $35.00 Estimated percentage of workstations affected by a significant virus outbreak before the virus is contained (exposure factor): 65 percent Estimated probability that a significant virus outbreak will occur at least once a year in the branch office (annualized rate of occurrence): 75 percent

Sec+lab.book Page 6 Tuesday, June 15, 2004 4:59 PM

LAB 1:

EXAMINING SECURITY THREATS AND VULNERABILITIES

Complete the following steps to perform a quantitative analysis of the risk. In the following formulas, you must express percentages as a decimal value between 0 and 1; for example, 85% = 0.85. 1. Calculate the single loss expectancy (SLE), using the following formula: asset value x exposure factor = SLE. To determine the asset value, consider the amount of monetary loss, such as labor costs, that would occur if the virus had to be cleaned from the workstation. You do not have any data on the value of data that might be lost, so you should not consider it for this exercise. To determine the exposure factor, consider how many workstations are likely to be affected before the virus is contained. 2. Calculate the annualized loss expectancy (ALE), using the following formula: SLE x annualized rate of occurrence (ARO) = ALE. The ALE is simply a way of estimating the loss that could occur on a yearly basis if no defensive measures were put in place. 3. Calculate the cost/benefit of antivirus software, using the following formula: ALE cost of antivirus software implementation = cost/benefit. In this step, you are determining whether the cost of implementing a countermeasure is less than or greater than the cost of the asset. If the cost of the countermeasure is less than the loss that would occur in the event of a realized threat, the argument for implementing it is clear. To determine the cost of implementing the countermeasure, you need to take into account the cost of software licenses, labor costs, and other relevant factors. In this case, the only data you have relates to the software license and labor costs. 4. Present your findings to the class, using the results from the previous calculations to justify the purchase of antivirus software.
QUESTION This exercise demonstrates a quantitative risk analysis. Is this the only kind of analysis you can or should perform to assess risk? If not, what other kind of risk analysis can you perform? QUESTION The quantitative analysis in this exercise makes only a limited number of assumptions about the kind of loss that would occur if the branch office were infected by a virus. What other kinds of loss should you include in the quantitative risk analysis of a potential virus infection?

Sec+lab.book Page 7 Tuesday, June 15, 2004 4:59 PM

LAB 1:

EXAMINING SECURITY THREATS AND VULNERABILITIES

EXERCISE 1-4: CLASSIFYING ATTACKS AND IDENTIFYING DEFENSIVE MEASURES

Estimated completion time: 20 minutes In this exercise, you will work with your group to complete the empty cells in the following table. To complete the Defensive Measures column, use the information provided in the table for Exercise 1-2, Identifying Threats, Vulnerabilities, and Defenses Against Attacks. Be prepared to explain how you might implement any of the defensive measures you suggest. The first row of the table has been completed as an example.
Attack Type Description Defensive Measures

Buffer overflow

The amount of data is larger than the holding Software patch; area, or buffer, that the program sets aside for proper configuration incoming data. When the data is placed into the computers memory, it might overwrite other data.

Web defacing

Physical

A computer program that appears to have a benign or useful function, but that in fact is used for malicious purposes. An attack that prevents a system from performing its intended service.

Spoofing

Social engineering

Sec+lab.book Page 8 Tuesday, June 15, 2004 4:59 PM

LAB 1:

EXAMINING SECURITY THREATS AND VULNERABILITIES

Attack Type

Description

Defensive Measures

A computer program that spreads from computer to computer through some installation vector, such as an executable attachment in an e-mail message. A passive attack that monitors network communications, usually as a preparatory step to an active attack.

QUESTION Worms are often referred to as a kind of virus. However, worms differ from true viruses in one important aspect. In what way do worms differ from true computer viruses?

EXERCISE 1-5: APPLYING BASIC SECURITY GUIDELINES

Estimated completion time: 20 minutes Read the scenario below, and then with your group prepare a brief presentation that addresses the weaknesses of the proposal in the scenario according to the four fundamental security guidelines: physical security, trust, privilege level, and documentation. Be prepared to present your findings to the class.
One of the branch offices of Contoso Pharmaceuticals has made a brief proposal for implementing a wireless network to use in meeting rooms and to allow greater mobility for internal laptop users. The IT manager at the branch office is aware that wireless networks are vulnerable to eavesdropping and unauthorized third-party access to the LAN. To mitigate these vulnerabilities, he is proposing that all wireless signals be encrypted using a static Wired Equivalent Privacy (WEP) key that will be distributed to all users on a monthly basis via e-mail. Users will configure their own wireless devices to use the current WEP key. Instructions for configuring WEP keys on the laptops will be included with the e-mail. The proposal states that all wireless network interface cards (NICs) will be configured to use DHCP to make it easier for users to configure their wireless devices, Your manager has asked you to evaluate the proposal and report to her on its merits. You need to assess the proposal according to the fundamental security guidelines for physical security, trust, privilege level, and documentation.

Sec+lab.book Page 9 Tuesday, June 15, 2004 4:59 PM

LAB 1:

EXAMINING SECURITY THREATS AND VULNERABILITIES

LAB REVIEW QUESTIONS

1. What is the relationship between a risk, a threat, and a vulnerability? 2. What is the difference between a passive attack and an active attack? 3. What is generally the most effective way to deal with passive attacks: prevent them, or detect and stop them? 4. What do social engineering attacks target: computers, users, applications, or networks? 5. What do spoofing attacks target: computers, users, applications, or networks?

LAB CHALLENGE 1-1: COMPARING QUALITATIVE AND QUANTITATIVE RISK ANALYSIS

Estimated completion time: 20 minutes You are a security administrator for Contoso Pharmaceuticals. Your manager has asked you to make recommendations on the format and process for a new risk analysis that she wants to recommend that the company perform. Specifically, your manager wants you to assess the pros and cons of quantitative and qualitative risk analysis before she presents her plan to executive management. With your group, list the pros and cons of quantitative and qualitative risk analysis and be prepared to present this list to the class for general discussion.
NOTE A quantitative risk analysis uses objective metrics, such as asset values

and actual cost of countermeasures, as you learned in Exercise 1-3, Calculating Risk. In contrast, a qualitative risk analysis attempts to assess risk and the effectiveness of countermeasures based on informed opinion, sometimes using surveys that ask respondents to rank the seriousness of risk and effectiveness of countermeasures. A qualitative risk analysis can take many forms. For example, it can ask respondents to submit anonymous written comments that are later compiled for analysis.

Sec+lab.book Page 10 Tuesday, June 15, 2004 4:59 PM