...Assessment Worksheet 97 LAB #7 – ASSESSMENT WORKSHEET Perform a Website and Database Attack by Exploiting Identified Vulnerabilities Course Name and Number: MNE 310 Student Name: Carl Sizemore Instructor Name: Williams Lab Due Date: 8/10/2014 Overview In this lab, you verified and performed a cross-site scripting (XSS) exploit and an SQL injection attack on the test bed Web application and Web server using the Damn Vulnerable Web Application (DVWA) found on the TargetUbuntu01 Linux VM server. You first identified the IP target host, identified known vulnerabilities and exploits, and then attacked the Web application and Web server using XSS and an SQL injection to exploit the Web application using a Web browser and some simple command strings. Lab Assessment Questions & Answers 1. Why is it critical to perform a penetration test on a Web application and a Web server prior to production 7 Perform a Website and Database Attack by Exploiting Identified Vulnerabilities implementation? Penetration testing highlights what a real-world hacker might see if he or she targeted the given organization. The Penetraton test will give a security view in operational context and potential flaws can be discovered so that managment can make decisions about whether to allocated security resources to fix any discover problems. 2. What is a cross-site scripting attack? Explain in your own words. Cross-site scripting enables attackers to inject client-side...
Words: 491 - Pages: 2
...Term Objectives …………………………………………………………………………………….…..5 Midterm Objectives ………………………………………………………………………………………….…6 Deliverables …………………………………………………………………......................................................6 Outputs ……………………………………………………………………………………………………………….…….…..6 Stakeholders ………………………………………………………………………………………………...…….6 Activities …….…………………………………………………………………………………………….………...7 Evaluation Plan ……………………………………………………………………………………………………..……....8 Appendix A: Logic Model ………………..………………………………………………………………….…………...9 Appendix B: References……………………………………………………………………………………………...…10 Introduction & Background Purpose: This purpose of this project is to identify, assess and implement strategies in order to prevent potential workplace hazards from occurring at the North Alberta Pediatric Sleep Clinic situated within the Stollery Children’s Hospital in Edmonton, AB by completing a Hazard Identification, Assessment and Control (HIAC) worksheet. The overall project is outlined in a Logic Model (Appendix A). Overview of Clinic: The North Alberta Pediatric Sleep Clinic, also referred to as the “Sleep Lab”, is an outpatient clinic which cares for children aged 0-18 with sleep disorders. Examples of sleep disorders the clinic handles are sleep walking, night...
Words: 1718 - Pages: 7
...Assessment Worksheet 111 LAB #7 – ASSESSMENT WORKSHEET Relate Windows Encryption and Hashing to Confidentiality and Integrity Course Name and Number: Student Name: Instructor Name: Lab Due Date: Overview This lab demonstrated how hashing tools can be used to ensure message and file transfer integrity and how encryption can be used to maximize confidentiality. Common hashing and encryption tools, including MD5, SHA1, and GnuPG, were used. You used GnuPG to generate both a public and private key and a secret key for encryption only. Lab Assessment Questions & Answers 1. If you and another person want to encrypt messages, should you provide that person with your public 7 Relate Windows Encryption and Hashing to Confidentiality and Integrity key, private key, or both? You should both provide each other with your public keys. 2. What does GPG allow you to do once it is installed? GPG allows you to encrypt and decrypt data and generate public and private keys. 3. Name two different types of encryption supported by GPG for your key. GPG supports symmetric ciphers DES and Blowfish as well as asymmetric ciphers ELGamal and RSA. 112 LAB #7 | Relate Windows Encryption and Hashing to Confidentiality and Integrity 4. What happens when you sign and trust a new key to your keychain? A new private and public key is created with a fingerprint for non repudiation. 5. If a user sends you his/her public key, will he/she be able to decrypt your encrypted...
Words: 472 - Pages: 2
...100 Lab #7 | Implement a VPN Tunnel Between a Microsoft® Server and Microsoft® Client LAB #7 – ASSESSMENT WORKSHEET Implement a VPN Tunnel Between a Microsoft® Server and Microsoft® Client Course Name and Number: Student Name: Instructor Name: Lab Due Date: Overview In this lab, you configured a virtual private network (VPN) tunnel between a Windows server and client computers using RADIUS (Remote Authentication Dial-in User Service) authentication. Lab Assessment Questions & Answers 1. What is the name of the Windows Server 2008 role you need to deploy to provide remote access services to clients? Explain why this service is important in a corporate environment. 2. What was the IP host range that was allocated for the remote VPN client pool? 3. How many encryption settings are available from the remote access server? Which one is best? Which one provides backward compatibility? Assessment Worksheet 4. During a remote access session, how many times is a client asked to provide credentials? Is this an 101 example of multi-factor authentication? Explain. 5. Why is it important to use strong encryption in both authentication and communication protocols? Explain. 6. Name the available authentication methods (protocols) available when configuring the VPN. Which authentication method is considered stronger? Why? 7. What other type of connections are supported by Microsoft® Remote Access services in Server 2008? 7 Implement...
Words: 318 - Pages: 2
...Assessment Worksheet 111 LAB #7 – ASSESSMENT WORKSHEET Relate Windows Encryption and Hashing to Confidentiality and Integrity Course Name and Number: CSIA301 Overview This lab demonstrated how hashing tools can be used to ensure message and file transfer integrity and how encryption can be used to maximize confidentiality. Common hashing and encryption tools, including MD5, SHA1, and GnuPG, were used. You used GnuPG to generate both a public and private key and a secret key for encryption only. Lab Assessment Questions & Answers 1. If you and another person want to encrypt messages, should you provide that person with your public 7 Relate Windows Encryption and Hashing to Confidentiality and Integrity key, private key, or both? In theory you could, but I you are taking the time out to make in the encrypted messages I'm assuming you wouldn't want others to know, but I think you have to provide the person with both you need both to access the messages. 2. What does GPG allow you to do once it is installed? GPG is specifically a command line tool that enables you to encrypt and sign your data and communication and includes a key management system as well as access modules for all kind of public key directories. 3. Name two different types of encryption supported by GPG for your key. 112 LAB #7 | Relate Windows Encryption and Hashing to Confidentiality and Integrity 4. What happens when you sign and trust a new key to your keychain? ...
Words: 442 - Pages: 2
...for IT systems and applications are achievable with efficient and accurate recovery instructions. In this lab, you applied the same concepts of disaster recovery backup procedures and recovery instructions to your own data. You explained how you can lower RTO with proper backup and recovery procedures, defined a process for IT system and application recovery procedures, identified a backup solution for saving your own data, and tested and verified your backups for RTO compliance. Lab Assessment Questions & Answers 1. How do documented backup and recovery procedures help achieve RTO? 2. True or false: To achieve an RTO of 0, you need 100 percent redundant, hot-stand-by infrastructure (that is, IT system, application, data, and so on).   9 Develop Disaster Recovery Backup Procedures and Recovery Instructions 80 Lab #9 | Develop Disaster Recovery Backup Procedures and Recovery Instructions 3. What is most important when considering data backups? 4. What is most important when considering data recovery? 5. What are the risks of using your external e-mail box as a backup and data storage solution? 6. Identify the total amount of time required to recover and install the Lab #1 through Lab #8 Assessment Worksheets and to open the files to verify integrity. (Calculate your timed RTO using your computer clock and your documented instructions.) 7. Did you achieve your RTO? What steps and procedures can you implement to help drive RTO even lower? 8. What...
Words: 358 - Pages: 2
...130 LAB #9 | Construct a Linux Host Firewall and Monitor for IP Traffic LAB #9 – ASSESSMENT SPREADSHEET Construct a Linux Host Firewall and Monitor for IP Traffic Course Name and Number: Student Name: Instructor Name: Lab Due Date: Internal Firewall Policy Definition Configure your “TargetUbuntu02” desktop Linux internal host IP stateful firewall according to the following policy definition. Test and validate your implementation after you configure it based on the policy definition. The following is your Ubuntu internal firewall policy definition: Deny incoming traffic Deny the following specific applications: TFTP Telnet SNMP ICMP FTP Allow the following specific applications under “Advanced” settings: SSH SMTP POP3 HTTPS HTTP Make a screen capture of the changes you made to the configuration and paste it into the text document. Use the File Transfer button to download the text file to your local computer and submit it as part of your deliverables. Assessment Worksheet 131 9 Construct a Linux Host Firewall and Monitor for IP Traffic LAB #9 – ASSESSMENT WORKSHEET Construct a Linux Host Firewall and Monitor for IP Traffic Course Name and Number: Student Name: Instructor Name: Lab Due Date: Overview In this lab, you configured the Gufw Ubuntu host IP stateful firewall as an internal service running on the Linux desktop. By defining what IP traffic is allowed and what IP traffic is denied, you implemented another layer of security in your overall...
Words: 665 - Pages: 3
...Assessment Worksheet Applying OWASP to a Web Security Assessment Course Name and Number: _____________________________________________________ Student Name: ________________________________________________________________ Instructor Name: ______________________________________________________________ Lab Due Date: ________________________________________________________________ Overview In this lab, you explored the Open Web Application Security Project (OWASP) Web site and reviewed its Web application test methodology. You studied the standards and guides published by this project and summarized your findings. Finally, you drafted a Web Application Test Plan based on the information you gained in your OWASP research. Lab Assessment Questions & Answers 1. Identify the four recognized business functions and each security practice of OpenSAMM. 1) Governance 2) Construction 3) Verification 4) Deployment 2. Identify and describe the four maturity levels for security practices in SAMM. 1) Implicit starting point representing the activities in the Practice being unfulfilled 2) Initial understanding and ad hoc provision of Security Practice 3) Increase efficiency and/or effectiveness of the Security Practice 4) Comprehensive mastery of the Security Practice at scale 3. What are some activities an organization could perform for the security practice of Threat Assessment? Threat Assessment involves accurately identifying and characterizing potential attacks...
Words: 574 - Pages: 3
...Design CIS 534 - Advanced Network Security Design 2 Table of Contents Toolwire Lab 1:Analyzing IP Protocols with Wireshark ........................................................................ 6 Introduction ............................................................................................................................................. 6 Learning Objectives ................................................................................................................................ 6 Tools and Software ................................................................................................................................. 7 Deliverables ............................................................................................................................................. 7 Evaluation Criteria and Rubrics ........................................................................................................... 7 Hands-On Steps ....................................................................................................................................... 8 Part 1: Exploring Wireshark ............................................................................................................... 8 Part 2: Analyzing Wireshark Capture Information .......................................................................... 12 Lab #1 - Assessment Worksheet .........................................................................................
Words: 48147 - Pages: 193
...Week 3 Laboratory Week 3 Lab Part 1: Automate Digital Evidence Discovery Using Paraben’s P2 Commander Learning Objectives and Outcomes Upon completing this lab, students will be able to complete the following tasks: * Open an existing case file using P2 Commander * Analyze the data in the image and the files saved in the case * Sort and identify evidence file types in a case using Paraben's P2 Commander forensic tool * Use P2 Commander to identify information for potential evidence contained in chat logs such as Skype chat * Analyze the contents of user profiles and data using the P2 Commander browser Week 3 Lab Part 1 - Assessment Worksheet Overview View the Demo Lab available in the Practice section of Learning Space Unit 5 and then answer the questions below. The video will demonstrate the use of Paraben's P2 Commander and outline the different forensics capabilities of the tool. Lab Assessment Questions & Answers 1. When talking about Information Security, what does the 'CIA' stands for? CIA in information security stands for confidentiality, integrity and availability. 2. When would it be a good practice to classify data? It would be a good practice to classify data when you need to extract files from a hard drive or system for investigating in order to accurately organize the findings. 3. What is Security classification? Security classification is the security level assigned to a government document, file...
Words: 635 - Pages: 3
...108 Lab #8 | Design a Layered Security Strategy for an IP Network Infrastructure Lab #8 – aSSESSmENT WORkSHEET Design a Layered Security Strategy for an IP Network Infrastructure Course Name and Number: Student Name: Instructor Name: Lab Due Date: Overview In this lab, you designed a layered security strategy, similar to the seven domains of a typical IT infrastructure, for the Cisco Mock IT infrastructure shown in Figure 8.2. You based your design on a set of functional and technical requirements. You also provided a written functional overview and description of how your security strategy meets the defined requirements. Lab Assessment Questions & Answers 1. Explain why a layered security strategy helps mitigate risk and threats both external and internal. 2. Why is it a good idea to put shared servers and services on a DMZ when both internal and external users need access? Assessment Worksheet 3. What recommendations do you have for the future e-commerce server and deployment in regard to 109 physical location and backend security for privacy data and credit card data? 4. What recommendations do you have to secure the server farm from unauthorized access? 5. If the organization implemented wireless LAN (WLAN) technology, what would you recommend regarding the use of VPNs or encryption within the internal network when accessing the server farm? 6. What is the purpose of a proxy server on a DMZ? 7. What is the purpose of an IDS/IPS...
Words: 314 - Pages: 2
...Week 1 Lab Part 1 - Assessment Worksheet Assess the Impact on Access Controls for a Regulatory Case Study Overview Watch the Demo Lab in the Week 1 Learning Space Unit 1, and answer the questions below. The lab demonstrates creating an Active Directory domain as well as user and group objects within the new domain. Directories will be created and permissions assigned based on the required access control as defined in the matrix. Group Policy Objects will also be created and linked to Objects within the domain to enforce security settings. Lab Assessment Questions & Answers 1. What does DACL stand for and what does it mean? Discretionary access control List (DACL) is a type of access control defined by the Trusted Computer System Evaluation Criteria "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong 2. Why would you add permissions to a group instead of the individual? It is more resourceful and less time consuming. 3. List at least 3 different types of access control permissions available in Windows. Full Control, Modify, Execute, Read, Write 4. What are the least permissions that you need in order to view the contents of a folder? Read, so the user has access to any file on the system that they are entitled to, but they are not able to make any changes. 5. What are other available Password Policy options that could be enforce to improve security? ...
Words: 1093 - Pages: 5
...Assessment Worksheet 91 LaB #6 – aSSESSmENt WORKSHEEt Perform Business Continuity Implementation Planning Course Name and Number: Student Name: Instructor Name: lab due date: 6 Perform Business Continuity Implementation Planning Overview In this lab, you were asked to begin the business continuity planning process for an e-commerce company, Online Goodies. You reviewed the key business functions and a prioritized list of impacted IT systems, applications, and data provided by your supervisor. You also compared the components of the major documentation required by the business continuity planning process: risk analysis, business impact analysis, business continuity plan, disaster recovery plan, and the business continuity implementation plan. Lab Assessment Questions & Answers 1. What is the difference between a risk analysis (RA) and a business impact analysis (BIA)? Risk analysis is often identifying the potential threats and the associated vulnerabilities to the organizations .Risk analysis doesn’t view the organization from the mission critical Business Process point of view. BIA the organization from the impact that is going to occur for an organization if the critical business processes are interrupted or tampered 2. What is the difference between a disaster recovery plan (DRP) and a business continuity plan (BCP)? Disaster recovery plan is have a full access to recover any lost data or essentials after a disaster while the business continuity...
Words: 681 - Pages: 3
...JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES LABORATORY MANUAL TO ACCOMPANY Security Strategies in Windows Platforms and Applications 1E REVISED 38542_FMxx.indd i 9/5/12 10:48 AM World Headquarters Jones & Bartlett Learning 5 Wall Street Burlington, MA 01803 978-443-5000 info@jblearning.com www.jblearning.com Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com. Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com. Copyright © 2013 by Jones & Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner. The Laboratory Manual to accompany Security Strategies in Windowa Platforms and Applications is an independent publication and has not been authorized, sponsored, or otherwise...
Words: 25969 - Pages: 104
...Week 1 Lab Part 1: Assess the Impact on Access Controls for a Regulatory Case Study Learning Objectives and Outcomes Upon completing this lab, students will be able to complete the following tasks: 1. Configure user accounts and access controls in a Windows Server according to role-based access implementation 2. Configure user account credentials as defined policy, and access right permissions for each user 3. Create and administer Group Policy Objects for the management of Windows Active Directory Domain machines within the IT infrastructure 4. Apply the correct Group Policy Object definitions per requirements defined by policies and access right permissions for users 5. Assign and manage access privileges as requested in the case study to apply the recommended and required security controls for the user accounts Week 1 Lab Part 1 - Assessment Worksheet Assess the Impact on Access Controls for a Regulatory Case Study Overview Watch the Demo Lab in the Week 1 Learning Space Unit 1, and answer the questions below. The lab demonstrates creating an Active Directory domain as well as user and group objects within the new domain. Directories will be created and permissions assigned based on the required access control as defined in the matrix. Group Policy Objects will also be created and linked to Objects within the domain to enforce security settings. Lab Assessment Questions & Answers 1. What does DACL stand for and what...
Words: 1428 - Pages: 6