LAB 1
Exercise 1-1: Identifying Types of Attackers That Might Attack a Network Exercise 1-2: Identifying Threats, Vulnerabilities, and Defenses Against Attacks Exercise 1-3: Calculating Risk Exercise 1-4: Classifying Attacks and Identifying Defensive Measures Exercise 1-5: Applying Basic Security Guidelines Lab Review Questions Lab Challenge 1-1: Comparing Qualitative and Quantitative Risk Analysis
Identify types of attackers. Identify threats to a network, vulnerabilities of a network, and defensive measures that network security personnel can take to defend against attacks. Determine security risks. Classify attacks. Identify possible defenses to network attacks. Apply basic security guidelines.
LAB 1:
SCENARIO
Contoso Pharmaceuticals manufactures prescription drugs for a worldwide market. It has 18,000 employees in offices throughout the world. The company hosts its own Web servers for public Internet information and extranet transactions with customers. Despite growing into a large company over the years, Contoso has never had an organized plan for designing its network. As a result, the security structure of the network is inconsistent and, in some places, nonexistent. The Chief Information Officer (CIO) has directed the security department to explore the ways that the network could be attacked. You have been assigned to a team that will brainstorm about potential threats and vulnerabilities to the network. You will also suggest defense strategies that the company can take to secure the network. You will then present your suggestions and recommendations to a senior management committee (the rest of the class).
LAB 1:
Create accounts only when needed, grant minimal permissions to get the job done, and remove access when it is no longer required. Use applications that automatically remove malicious software such as viruses, worms, and Trojan horses. Keep antivirus software updated to respond to new threats. Monitor the activities of services, users, and administrators to verify compliance with security policies. Archive and review log files. Use a digital signature. For example, use a digital signature to ensure the integrity of data or verify the identity of a sender. Obscure information so it cannot be understood by an unauthorized person. Install and properly configure a firewall to control and monitor inbound and outbound traffic. Use IDS to alert network administrators of activity resembling known attacks. Choose passwords that are difficult to guess or break. Change passwords frequently, but not too frequently or users will use unsafe ways to remember passwords. Require unique passwords that follow appropriate standards for complexity and length. Audit for compliance with password security. Know what is installed on your system by default. Use the security features built into your applications. Make sure they are configured for the maximum allowable security. Follow the best practices recommended by the manufacturer.
Auditing Digital signature Encryption Firewall ID (intrusion detection) [also IDS, intrusion detection system] Password security
Proper configuration
LAB 1:
Defensive Measure
Description
Physical security
Restrict physical access to any of the following components: hardware; software; firmware; data media, such as disks, backup tapes, and Zip drives. Control entry to buildings and rooms by locks or access cards. Dont use untrusted systems. Create a tested standard for configuring all computers of a specific type. Test and apply different baselines for different resources, such as a secure e-mail server, Web server, file server, or desktop computer. Verify that the system maintains a secure configuration. Create documents that specify all security policies. Use technology to enforce security policies whenever possible. Apply software updates to fix known problems with operating systems or applications. Problems with software can allow attackers to bypass security controls. Train users to follow safe computing practices.
Secure baseline
User education
Attacker:
Threat
Vulnerability
LAB 1:
Threat
Vulnerability
4. When all groups are finished, present your attack scenarios to the other students in the class as though they were a senior management committee.
QUESTION What is the difference between a threat and a vulnerability?
Number of computer workstations: 200 Cost of antivirus licenses for all workstations: $4,000.00 Estimated amount of time to install antivirus software on each workstation: 0.5 hours Average hourly wage of IT support personnel: $20.00 per hour Average estimated loss of productivity (in hours) for each user when a workstation is infected with a virus: 2.5 hours Estimated monetary loss for each lost hour of productivity: $35.00 Estimated percentage of workstations affected by a significant virus outbreak before the virus is contained (exposure factor): 65 percent Estimated probability that a significant virus outbreak will occur at least once a year in the branch office (annualized rate of occurrence): 75 percent
LAB 1:
Complete the following steps to perform a quantitative analysis of the risk. In the following formulas, you must express percentages as a decimal value between 0 and 1; for example, 85% = 0.85. 1. Calculate the single loss expectancy (SLE), using the following formula: asset value x exposure factor = SLE. To determine the asset value, consider the amount of monetary loss, such as labor costs, that would occur if the virus had to be cleaned from the workstation. You do not have any data on the value of data that might be lost, so you should not consider it for this exercise. To determine the exposure factor, consider how many workstations are likely to be affected before the virus is contained. 2. Calculate the annualized loss expectancy (ALE), using the following formula: SLE x annualized rate of occurrence (ARO) = ALE. The ALE is simply a way of estimating the loss that could occur on a yearly basis if no defensive measures were put in place. 3. Calculate the cost/benefit of antivirus software, using the following formula: ALE cost of antivirus software implementation = cost/benefit. In this step, you are determining whether the cost of implementing a countermeasure is less than or greater than the cost of the asset. If the cost of the countermeasure is less than the loss that would occur in the event of a realized threat, the argument for implementing it is clear. To determine the cost of implementing the countermeasure, you need to take into account the cost of software licenses, labor costs, and other relevant factors. In this case, the only data you have relates to the software license and labor costs. 4. Present your findings to the class, using the results from the previous calculations to justify the purchase of antivirus software.
QUESTION This exercise demonstrates a quantitative risk analysis. Is this the only kind of analysis you can or should perform to assess risk? If not, what other kind of risk analysis can you perform? QUESTION The quantitative analysis in this exercise makes only a limited number of assumptions about the kind of loss that would occur if the branch office were infected by a virus. What other kinds of loss should you include in the quantitative risk analysis of a potential virus infection?
LAB 1:
Buffer overflow
The amount of data is larger than the holding Software patch; area, or buffer, that the program sets aside for proper configuration incoming data. When the data is placed into the computers memory, it might overwrite other data.
Web defacing
Physical
A computer program that appears to have a benign or useful function, but that in fact is used for malicious purposes. An attack that prevents a system from performing its intended service.
Spoofing
Social engineering
LAB 1:
Attack Type
Description
Defensive Measures
A computer program that spreads from computer to computer through some installation vector, such as an executable attachment in an e-mail message. A passive attack that monitors network communications, usually as a preparatory step to an active attack.
QUESTION Worms are often referred to as a kind of virus. However, worms differ from true viruses in one important aspect. In what way do worms differ from true computer viruses?
LAB 1:
and actual cost of countermeasures, as you learned in Exercise 1-3, Calculating Risk. In contrast, a qualitative risk analysis attempts to assess risk and the effectiveness of countermeasures based on informed opinion, sometimes using surveys that ask respondents to rank the seriousness of risk and effectiveness of countermeasures. A qualitative risk analysis can take many forms. For example, it can ask respondents to submit anonymous written comments that are later compiled for analysis.