Assignment 2
CSIS 4010 Computer Security
Fall 2021
Due date: 10/02/2021 11:59PM ET
1. Text reading
Chapters 6 11
2. Textbook questions (75 points)
Chapter 6
Review questions:
6.1 What are three broad mechanisms that malware can use to propagate?
6.5 What mechanisms can a virus use to conceal itself?
6.11 What is the difference between a backdoor, a bot, a keylogger, spyware, and a rootkit? Can they all be present in the same malware?
Problems:
6.2 The question arises as to whether it is possible to develop a program that can analyze a piece of software to determine if it is a virus. Consider that we have a program D that is supposed to be able to do that. That is, for any program P, if we run D(P), the result returned is TRUE (P is a virus) or FALSE (P is not a virus). Now consider the following program:
In the preceding program, infect-executable is a module that scans memory for executable programs and replicates itself in those programs. Determine if D can correctly decide whether CV is a virus.
Chapter 7
Review questions:
7.2 What type of resources are targeted by DoS attacks?
7.7 Define a distributed denial-of-service (DDoS) attack.
7.13 What defenses are possible against TCP SYN spoofing attacks?
Chapter 8
Review questions:
8.1 List and briefly define four classes of intruders.
8.4 Describe the three logical components of an IDS.
8.10 What is the difference between anomaly detection and signature or heuristic intrusion detection?
Problems:
8.4 One of the non-payload options in Snort is flow. This option distinguishes between clients and servers. This option can be used to specify a match only for packets flowing in one direction (client to server or vice-versa) and can specify a match only on established TCP connections. Consider the following Snort rule:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg: ORACLE drop table attempt:; flow: to_server, established; content: drop table_name; nocase; classtype: protocol-command-decode;)
a. What does this rule do?
b. Comment on the significance of this rule if the Snort devices is placed inside or outside of the external firewall.
Chapter 9
Review questions:
9.5 What is the difference between a packet filtering firewall and a stateful inspection firewall? 9.11 What is a DMZ network and what types of systems would you expect to find on such networks?
Problems:
9.4 Table 9.5 shows a sample of a packet filter firewall ruleset for an imaginary network of IP addresses that range from 192.168.1.0 to 192.168.1.254. Describe the effect of each rule.
Chapter 10
Review questions:
10.3 What are the possible consequences of a buffer overflow occurring?
10.5 What types of programming languages are vulnerable to buffer overflows?
10.11 What are the two broad categories of defenses against buffer overflows?
Chapter 11
Review questions:
11.5 State the similarities and differences between command injection and SQL injection attacks.
11.10 List several software security concerns associated with writing safe program code.
Problems:
11.9 Examine the current values of all environment variables on a system you use. If possible, determine the use for some of these values. Determine how to change the values both temporarily for a single process and its children, and permanently for all subsequent logins on the system.
3. Practical Assignment: (25 points)
This practical assignment is intended for you to get familiar with some of the current security tools. These tools are powerful and are widely used in the security community. You may find some of the tools useful in protecting your own computer as well as computing resources within your organization. Special attention should be paid in choosing some of the tools and instructions should be followed.
1) Visit the website Top 125 Network Security Tools ( http://sectools.org/ ). Choose a tool from the vulnerability scanner category ( https://sectools.org/tag/vuln – scanners/ ). The use of an open-source tool is highly encouraged.
2) It is required that you install and run the tool in an enclosed network environment or use it on your personal computer ONLY. An enclosed network environment means a non-operational networked system without any physical connection to other working computing environments (e.g., the Internet). Special attention should be paid when you use network scanners, sniffers, hacking tools or password crackers because their usage may violate an organizations security policies or compromise other computing resources. It is therefore your own responsibility to guarantee that the running of security tool(s) does not violate your organizations regulations, procedures, policies, and/or local, state and federal laws.
3) Follow the instructions to configure and run the tool you chose.
4) Write a brief report (2-3 pages, single-spaced, not counting figures/tables or quotations used). In your report, answer the following questions in your own words (please do not copy/paste from a tutorial or other online materials).
a) What is the functionality of the tool?
b) What is the actual running environment (software and hardware) of the tool?
c) How will you evaluate the tool based on your own experience?
d) In what aspects could the tool be improved?
5) Take a screenshot (usually by pressing Shift + PrintScreen) during the running of the tool and paste it in your lab report. In your lab report you can provide as many screenshots as you want and/or other output to show you have actually run the tool.
Your report will be evaluated based on its technical depth, critical thinking, and
comprehensiveness/soundness of the discussion. You are encouraged to reference publications from the academia or the industry to expand the discussion. Please follow the APA format for all citations and references.
Recent Comments