<Carmen Alcivar> NORTHEASTERN UNIVERSITY 360 Huntington Ave, Boston, MA. LAB ASSIGNMENT 10 – FOUNDATIONS OF INFORMATION ASSURANCE (IA5010)

Packet capture and network traffic analysis


Contents

Lab #9: Performing Packet Capture and Traffic Analysis (p. 2)
  a. Assessment Sheet (p. 2)
  b. Challenge Question (p. 3)
  c. Screenshots (p. 4)

Lab #10: Implementing an Information Systems Security Policy (p. 16)
  a. Assessment Sheet (p. 16)
  b. Challenge Question (p. 16)
  c. Screenshots (p. 16)

Lab #9: Performing Packet Capture and Traffic Analysis

a. Assessment Sheet

Course Name and Number: Foundations of Information Assurance – IA5010
Student Name: Carmen Alcivar
Instructor Name: Derek Brodeur
Lab Due Date: 3/27/16

Lab Assessment Questions & Answers

1. What is the main difference between a virus and a Trojan?

A virus attaches itself to a host program or file and replicates when that host is executed; it needs a user (or another program) to run the infected host in order to spread, and it generally tries to stay undetected. A Trojan masquerades as a useful program but compromises the system once it is run, often installing a "back door" that lets the attacker load additional hacking tools and return to the system later. A Trojan does not self-replicate; it relies entirely on the user choosing to run it. (Spreading across the network on its own by exploiting application or OS vulnerabilities, without any user action, is the defining trait of a worm rather than a virus.)

Virus: attaches to an executable file, replicates itself, and requires the infected host to be run in order to spread.
Trojan: appears useful but damages or exposes the system, requires the user to run it, and does not self-replicate.

http://www.webopedia.com/DidYouKnow/Internet/virus.asp

2. A virus or malware can impact which of the three tenets of information systems security (confidentiality, integrity, or availability)? In what way?

Trojans and viruses can impact all three tenets of information systems security.

Confidentiality: malware can give an attacker unauthorized access to the compromised machine and, through it, to the network, and can read and exfiltrate data. Integrity: malware can modify or corrupt data, configuration and executables (infecting a host file is itself an integrity violation). Availability: malware consumes CPU, memory and bandwidth, degrading performance, and can delete or encrypt data or crash services so that applications and data are no longer reachable.

3. Why is it recommended to do an antivirus signature file update before performing an antivirus scan on your computer? New viruses and malware variants appear every day, so antivirus vendors publish signature (definition) updates frequently, often several times a day. A scan can only detect what is in the signature file it runs with, so updating the signatures immediately before scanning ensures the scan recognizes the most recently identified threats. A scan run with stale signatures can report a clean system that is in fact infected with recent malware.

4. Why might your coworker suggest encrypting an archive file before e-mailing it?

Encrypting the archive protects its confidentiality. E-mail is relayed and stored in the clear by default, so anyone who captures the message in transit, or reads it from a mail server or mailbox, sees only ciphertext unless they also hold the key. The key must then be shared out of band (not in the same e-mail). The trade-off, which the challenge questions return to, is that mail-gateway and desktop antivirus cannot inspect the encrypted contents either.

5. What kind of network traffic can you filter with the Windows Firewall with Advanced Security?

Windows Firewall with Advanced Security filters both inbound and outbound traffic and blocks unauthorized connections to the local computer. Separate profiles (Domain, Private, Public) apply depending on the network the machine is connected to: the office domain, a home network, or a public location such as the local coffee shop. Rules can match on protocol (TCP, UDP, ICMP and others), local and remote port numbers, source and destination IP addresses or ranges, interface type, and the specific program or Windows service that owns the connection. Rules can also be restricted to Active Directory users, groups or computers, but that authorization only works for connections protected by IPsec (a connection security rule), because the firewall otherwise has no way to learn the identity on the remote end.
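The two firewall deliverables in Part 3 (enabling the ICMPv4 echo-request rule, then adding a FileZilla Server rule) can be driven from PowerShell with the NetSecurity module that ships with Windows 8 / Server 2012 and later. The following is an added example, not part of the lab or of FileZilla's documentation; the FileZilla install path, the 172.30.0.0/24 scope and the use of port 21 are assumptions. It also shows the difference between a loosely scoped rule and one pinned to a program, a profile and a remote subnet.

```powershell
# Added example: Windows Firewall with Advanced Security rules from PowerShell.
# Assumed: FileZilla Server path, FTP control on TCP/21, lab subnet 172.30.0.0/24.
#Requires -RunAsAdministrator

$echoRule = 'File and Printer Sharing (Echo Request - ICMPv4-In)'

# 1. Part 3, step 7: inspect the built-in echo-request rule before touching it.
#    Windows ships one copy of this rule per profile group, so several rows return.
Get-NetFirewallRule -DisplayName $echoRule |
    Select-Object Name, DisplayName, Enabled, Profile, Direction, Action

# Enable only the Domain-profile copy: the host answers pings inside the office
# network but stays silent on Private and Public networks.
Get-NetFirewallRule -DisplayName $echoRule |
    Where-Object { $_.Profile -match 'Domain' } |
    Enable-NetFirewallRule

# 2. The quick way to open FTP (what a click-through wizard tends to produce):
#    any program, any remote address, every profile.  Kept here only for contrast.
# New-NetFirewallRule -DisplayName 'FileZilla Server (loose)' `
#     -Direction Inbound -Protocol TCP -LocalPort 21 -Action Allow

# 3. Part 3, step 15 done with a tight scope: the allow is bound to the service
#    binary, the control port, the Domain profile and the subnet that should reach it.
$fz = 'C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe'   # assumed path
New-NetFirewallRule -DisplayName 'FileZilla Server (FTP control)' `
    -Description 'FTP control connections to FileZilla Server from the lab subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 21 `
    -Program $fz -RemoteAddress 172.30.0.0/24 `
    -Profile Domain -Action Allow -Enabled True

# 4. Audit: enabled inbound allow rules that are tied to neither a program nor a
#    remote address scope.  These are the rules worth questioning.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app.Program -eq 'Any' -and $addr.RemoteAddress -eq 'Any'
    } |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```

Passive-mode FTP opens a second, server-chosen data port per transfer, so a real FileZilla deployment also needs the passive port range the server is configured with allowed by the same program-bound rule; the control-port rule alone is not enough for clients to list or transfer files.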

6. What are typical indicators that your computer system is compromised?

Signs of malware include degraded system performance; unfamiliar services, processes or scheduled tasks; unusual network traffic, such as connections to unknown hosts or unexpected listening ports; altered or deleted system logs; antivirus that is missing, disabled or unable to update; and application anomalies such as crashes, pop-ups or changed browser settings.

7. What elements are needed in a workstation domain policy regarding use of antivirus and malicious software prevention tools? Managing which system services run is one important element of an organization's security program. Other elements include (but are not limited to) standardized configurations and settings derived from the organization-wide security policy, a layered security strategy so that a threat that gets past one control is stopped by another before it reaches the IT infrastructure, e-mail filtering and quarantining, a required update frequency for antivirus and malicious-software prevention tools (signatures and engine), and timely operating system and application patching to close known vulnerabilities.

b. Challenge Question

1. True or false: Encrypted files cannot be inspected by an anti-virus program. Explain your answer.

True, with a qualification. Without the key, an anti-virus scanner sees only ciphertext, so a scan of the encrypted file on disk, on a network share or at the mail gateway cannot match a signature inside it. The contents become scannable only once they are decrypted, which is why a real-time (on-access) scanner on the recipient's machine typically catches the malware at the moment the user decrypts and opens the file, and why scanning before encryption matters.

2. You learned in the lab that AVG, and similar anti-virus programs, cannot scan for viruses within a zipped file. Research best practices for handling archive files in a network environment and make recommendations for ensuring integrity of the data stored on the network.

Scan files before they are compressed, so that the content is checked while the scanner can still read it; then compress; then, if confidentiality is required, encrypt the archive (always encrypt after scanning, never before). Record a cryptographic hash (for example SHA-256) of each file and of the finished archive at creation time and keep those hashes where users who can write to the share cannot alter them, so that an archive retrieved later can be verified before it is unpacked. Where the scanner supports it, enable scanning inside archives and define how archives it cannot open (password-protected or nested too deeply) are treated: quarantine them, or release them only after the extracted contents have been scanned. Managing archived data on the network also requires an archiving policy: identify which data is to be archived, define retention and deletion rules as part of data lifecycle management, and specify the criteria for each data type, the archiving mechanism and type of media, the duration of storage, and who may access the archive.

http://www.ibm.com/support/knowledgecenter/SSMLQ4_8.1.0/com.ibm.nex.optimd.install.doc/apxD_Security/opinstall-c-archive_file_security.html

https://docs.oracle.com/cd/B12037_01/network.101/b10777/protnet.htm

http://searchstorage.techtarget.com/feature/Data-archiving-best-practices-Policies-planning-and-products
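The "scan, hash, compress, verify later" handling recommended above, as an added PowerShell example (not part of the lab or of any of the cited references). The source directory, the archive share and the manifest location are assumptions; the scan step uses Windows Defender's Start-MpScan because the lab's AVG has no documented command line here, so substitute the scanner actually in use. Requires PowerShell 5 for Compress-Archive and Get-FileHash.

```powershell
# Added example: hash plaintext files before archiving, then verify an archive
# pulled from the network share against the recorded hashes before unpacking it.
# Assumed paths; swap Start-MpScan for your AV's command-line scanner.

$Source   = 'C:\Data\quarterly'                            # files to archive (assumed)
$Archive  = '\\fileserver\archive\quarterly-2016Q1.zip'    # destination share (assumed)
$Manifest = "$Archive.sha256.csv"                          # store this where share writers cannot edit it

function New-ArchiveManifest {
    param([string]$Path)
    # One row per file: path relative to $Path plus its SHA-256.  Computed on the
    # plaintext files, the only point at which both hashing and AV scanning see content.
    $root = (Resolve-Path $Path).Path
    Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($root.Length).TrimStart('\')
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Test-ArchiveIntegrity {
    param([string]$ArchivePath, [string]$ManifestPath)
    # Expand into a throw-away folder, re-hash, and report every deviation from the
    # manifest: changed content, files that were added, files that went missing.
    $expected = @{}
    Import-Csv $ManifestPath | ForEach-Object { $expected[$_.Path] = $_.SHA256 }

    $tmp = Join-Path $env:TEMP ([guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        Expand-Archive -Path $ArchivePath -DestinationPath $tmp
        $problems = @()
        foreach ($f in (New-ArchiveManifest -Path $tmp)) {
            if (-not $expected.ContainsKey($f.Path)) { $problems += "unexpected file: $($f.Path)"; continue }
            if ($expected[$f.Path] -ne $f.SHA256)     { $problems += "hash mismatch: $($f.Path)" }
            $expected.Remove($f.Path)
        }
        foreach ($missing in $expected.Keys) { $problems += "missing file: $missing" }
        return $problems
    }
    finally {
        Remove-Item -Path $tmp -Recurse -Force
    }
}

# 1. Scan the plaintext tree first (Defender shown; the lab used AVG).
Start-MpScan -ScanType CustomScan -ScanPath $Source

# 2. Record hashes, then compress.  Encrypt the .zip afterwards if it must be confidential.
New-ArchiveManifest -Path $Source | Export-Csv -Path $Manifest -NoTypeInformation
Compress-Archive -Path "$Source\*" -DestinationPath $Archive -CompressionLevel Optimal

# 3. Later, before anyone unpacks the archive from the share, verify it.
$issues = Test-ArchiveIntegrity -ArchivePath $Archive -ManifestPath $Manifest
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Archive matches manifest: $(@(Import-Csv $Manifest).Count) files verified"
```

A manifest sitting next to the archive on the same share is only as trustworthy as the share's write permissions; anyone able to replace the .zip can replace the .csv too. Keep the manifest on a separate, read-only location or sign it, and the verification step above becomes a real integrity check rather than a consistency check.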

3. Research Windows services. Using the screen captures you made in Part 2 of the lab, identify at least three services that could be disabled safely. Explain your choices.

Windows Time (W32Time): synchronizes the system clock with a time source. On a stand-alone machine with no Internet access there is no server to synchronize with, and the service can be set to Manual. On a domain-joined machine it must stay running: it synchronizes with the domain controller, and Kerberos authentication fails once the clock drifts more than five minutes (the default tolerance) from the domain controller's. Safe setting (stand-alone machines only): Manual.

Certificate Propagation (CertPropSvc): copies certificates from an inserted smart card into the user's certificate store. If smart cards are not used (they are common in large organizations but absent in this lab), it is safe to set this service to Manual. Safe setting: Manual.

Microsoft iSCSI Initiator Service (MSiSCSI): iSCSI is the Internet Small Computer System Interface, an IP-based storage networking standard for linking data storage facilities. It lets client computers reach storage in remote data centers over the existing network (LAN or Internet). iSCSI devices are disks, tapes, CD drives and other storage on another networked computer, often part of a storage area network (SAN). Unless the machine connects to iSCSI storage, it is safe to set this service to Manual. Safe setting: Manual.

Manual rather than Disabled is the conservative choice: nothing starts the service at boot, but a feature that depends on it (smart-card logon, an iSCSI volume) can still start it on demand.

http://www.digitalcitizen.life/which-windows-services-are-safe-disable-when
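The review of those three services, as an added PowerShell example (not part of the lab). The service short names W32Time, CertPropSvc and MSiSCSI are the real ones; the skip logic for Windows Time on a domain member reflects the Kerberos time-skew caveat above and is this example's own design, not a lab step. Needs PowerShell 5 for the StartType property on Get-Service output.

```powershell
# Added example: record the state of the three candidate services, set them to
# Manual, and refuse to touch W32Time on a domain-joined host.
#Requires -RunAsAdministrator

$candidates = @(
    [pscustomobject]@{ Name = 'W32Time';     Why = 'clock sync; required on domain members for Kerberos' }
    [pscustomobject]@{ Name = 'CertPropSvc'; Why = 'smart-card certificate propagation' }
    [pscustomobject]@{ Name = 'MSiSCSI';     Why = 'iSCSI initiator; only needed for iSCSI storage' }
)
$names = $candidates | ForEach-Object { $_.Name }

# Before: current status and startup type (Part 2, step 3 deliverable in text form).
Get-Service -Name $names -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# Kerberos rejects tickets when the client clock differs from the KDC by more than
# 5 minutes (default), so a domain member must keep time sync running.
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

foreach ($svc in $candidates) {
    if ($svc.Name -eq 'W32Time' -and $domainJoined) {
        Write-Host 'Skipping W32Time: host is domain-joined and Kerberos depends on time sync'
        continue
    }
    # Stop it if running, then set Manual rather than Disabled so a dependent feature
    # (smart-card logon, an iSCSI volume) can still start it on demand.
    Stop-Service -Name $svc.Name -ErrorAction SilentlyContinue
    Set-Service  -Name $svc.Name -StartupType Manual
    Write-Host ('{0,-12} -> Manual ({1})' -f $svc.Name, $svc.Why)
}

# After: confirm the change (Part 2, step 10 deliverable in text form).
Get-Service -Name $names -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize
```

Run it once with the loop body replaced by the Write-Host line alone to see what would change; on a lab VM that has just been joined to the domain (Lab #10), the W32Time skip is the line that should fire.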

c. Screenshots:

Part 1: [Deliverable Lab Step 23] a screen capture showing the contents of the Virus Vault

[Deliverable Lab Step 26] a screen capture showing the empty Virus Vault

Part 2: [Deliverable Lab Step 3] a screen capture showing the complete list of services on the Extended tab (the default view)

[Deliverable Lab Step 5] a screen capture showing the complete list of services on the Standard tab

[Deliverable Lab Step 10] a screen capture showing the updated list of services on the Extended tab

Part 3: [Deliverable Lab Step 7] a screen capture showing the Enabled column for the File and Printer Sharing (Echo Request – ICMPv4-In) rule

[Deliverable Lab Step 15] a screen capture showing the new FileZilla Server rule

Lab #10: Implementing an Information Systems Security Policy

a. Assessment Sheet

Course Name and Number: Foundations of Information Assurance – IA5010
Student Name: Carmen Alcivar
Instructor Name: Derek Brodeur
Lab Due Date: 3/27/16

Lab Assessment Questions & Answers

1. What is the correct command syntax to force GPO settings?
a. /force GPO
b. gpupdate /now
c. gpupdate /force (answer)
d. policyupdate /force

2. Why is it important to set a strict password policy as part of your security template?

A strict password policy is one of the first steps in a comprehensive security program. Weak passwords give an attacker unauthorized access to the network and everything stored on it: sensitive documents, proprietary code, accounting files. The policy on its own is not enough; it should be paired with continuous monitoring of logon successes and failures so that misuse on the network can be detected. A burst of failures against one user account indicates a password-guessing (brute-force) attack, and an account lockout threshold turns such an attack into a visible lockout event instead of an eventual success. Successful logons at odd hours are also suspicious, especially when the staff member concerned is on vacation.

3. Why is it important to bring standalone systems into the Domain? A standalone system holds only a local security policy and local accounts, so password, lockout and audit settings must be configured and checked machine by machine, and anyone holding a local account is outside central control. Joining the system to the Active Directory domain lets Group Policy enforce one consistent password and lockout policy, centralizes account management and authentication, and lets access to network resources be granted to domain identities, which prevents unauthorized access through unmanaged local accounts.

4. What was the command line syntax to connect as the root user to 172.30.0.11 using PuTTY? putty root@172.30.0.11 -pw toor

Passing the password on the command line exposes it to anyone who can list running processes or read the command history; outside a lab, authenticate with an SSH key (PuTTYgen and Pageant) instead of -pw.

5. Name five different Windows password policies.

· Users must change passwords every 30 days (Maximum password age)
· Users may not reuse any of the last 5 passwords (Enforce password history)
· Passwords may be reset at any time (Minimum password age of 0 days)
· Password must be a minimum of 10 characters (Minimum password length)
· Password must meet basic complexity (Password must meet complexity requirements)
· Enforce Domain Policy over Organizational Unit Policy (for domain accounts, password and lockout settings take effect only from a GPO linked at the domain level)
· Users must be "locked out" for 10 minutes after failing to log in 3 times in a row (Account lockout threshold of 3, Account lockout duration of 10 minutes)
· All login successes and failures must be logged (Audit logon events: Success and Failure)
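The list above and the monitoring called for in question 2, applied from PowerShell as an added example (not part of the lab): the Default Domain Policy settings via the ActiveDirectory module, the logon audit setting, and a query over the Security log for the brute-force pattern (many failures against one account) and the odd-hours successes. The domain name comes from the machine's own domain; the ten-failures-per-hour threshold, the 07:00 to 19:00 business window and the event property indices (standard layout of events 4625 and 4624) are this example's assumptions.

```powershell
# Added example: apply the Lab #10 password, lockout and audit settings, then
# hunt for the logon patterns question 2 describes.  Run on a domain controller
# or a machine with RSAT; thresholds and hours below are assumptions.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# Settings from the list above.  Splatting lets each one carry its comment.
$policy = @{
    Identity                    = $domain
    MaxPasswordAge              = New-TimeSpan -Days 30     # change every 30 days
    PasswordHistoryCount        = 5                         # no reuse of the last 5
    MinPasswordAge              = New-TimeSpan -Days 0      # may be reset at any time
    MinPasswordLength           = 10                        # at least 10 characters
    ComplexityEnabled           = $true                     # basic complexity
    ReversibleEncryptionEnabled = $false                    # never store recoverable passwords
    LockoutThreshold            = 3                         # 3 failures in a row ...
    LockoutDuration             = New-TimeSpan -Minutes 10  # ... locked out for 10 minutes
    LockoutObservationWindow    = New-TimeSpan -Minutes 10  # must not exceed LockoutDuration
}
Set-ADDefaultDomainPasswordPolicy @policy
Get-ADDefaultDomainPasswordPolicy -Identity $domain        # Lab step 29/36 deliverable, in text

# Log every logon success and failure.  auditpol acts on the local machine; in the
# domain the same setting lives in the GPO under Advanced Audit Policy Configuration.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
gpupdate /force                                            # question 1: push the GPO now

# Event 4625 = failed logon.  Properties[5] is TargetUserName, Properties[19] is
# the source IpAddress.  Report accounts with >= $threshold failures in the window.
function Get-BruteForceCandidates {
    param([int]$Threshold = 10, [datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ User = $_.Properties[5].Value; Source = $_.Properties[19].Value; Time = $_.TimeCreated }
        } |
        Group-Object User |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Failures = $_.Count
                Sources  = ($_.Group.Source | Sort-Object -Unique) -join ', '
                First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        }
}

# Event 4624 = successful logon.  Properties[8] is LogonType (2 = interactive,
# 10 = remote desktop); successes outside business hours are the "odd times".
function Get-OffHoursLogons {
    param([int]$OpenHour = 7, [int]$CloseHour = 19, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Properties[8].Value -in 2, 10 -and
            ($_.TimeCreated.Hour -lt $OpenHour -or $_.TimeCreated.Hour -ge $CloseHour)
        } |
        Select-Object TimeCreated,
            @{ Name = 'User';      Expression = { $_.Properties[5].Value } },
            @{ Name = 'LogonType'; Expression = { $_.Properties[8].Value } },
            @{ Name = 'Source';    Expression = { $_.Properties[18].Value } }
}

Get-BruteForceCandidates | Format-Table -AutoSize
Get-OffHoursLogons       | Format-Table -AutoSize
```

With the lockout threshold at 3, a genuine brute-force attempt produces a lockout (event 4740 on the domain controller) long before it reaches ten failures, so in practice the 4625 query is most useful for spotting slow, spread-out guessing that stays under the lockout threshold, and the lockout events themselves are the loud signal.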

b. Challenge Question

c. Screenshots:

Part 1: [Deliverable Lab Step 29]: a screen shot showing the newly configured Domain password policies

[Deliverable Lab Step 36] a screen shot showing the configured Account Lockout Policies

Part 3: [Deliverable Lab Step 33] a screen capture that shows the whoami command output, which reports the user account the session is running as