
Assessing Information System Vulnerabilities and Risk You are an information assurance management officer (IAMO) at an organization of your choosing


You are an information assurance management officer (IAMO) at an organization of your choosing. One morning, as you're getting ready for work, you see an email from Karen, your manager. She asks you to come to her office as soon as you get in. When you arrive at work, you head straight to Karen's office.

"Sorry for the impromptu meeting," she says, "but we have a bit of an emergency. There's been a security breach at the Office of Personnel Management." "We don't know how this happened, but we need to make sure it doesn't happen again," says Karen. "You'll be receiving an email with more information on the security breach. Use this info to assess the information system vulnerabilities of the Office of Personnel Management."

At your desk, you open Karen's email. She's given you an OPM report from the Office of the Inspector General, or OIG. You have studied the OPM OIG report and found that the hackers were able to gain access through compromised credentials. The security breach could have been prevented if the Office of Personnel Management, or OPM, had abided by previous auditing reports and security findings. In addition, access to the databases could have been prevented by implementing various encryption schemas, and the intrusion could have been identified by running regularly scheduled scans of the systems.

Karen and the rest of the leadership team want you to compile your findings into a Security Assessment Report, or SAR. You will also create a Risk Assessment Report, or RAR, in which you identify threats, vulnerabilities, risks, likelihood of exploitation, and suggested remediation.

The security posture of the information systems infrastructure of an organization should be regularly monitored and assessed (including software, hardware, firmware components, governance policies, and implementation of security controls).
The monitoring and assessment of the infrastructure and its components, policies, and processes should also account for changes and new procurements in order to stay in step with ever-changing information system technologies.

The data breach at the US Office of Personnel Management (OPM) was one of the largest in US government history. It provides a series of lessons learned for other organizations in industry and the public sector. Some failures of security practices, such as lack of diligence with security controls and management of changes to the information systems infrastructure, were cited as contributors to the massive data breach in the OPM Office of the Inspector General's (OIG) Final Audit Report, which can be found in open-source searches. Some of the findings in the report include:

• weak authentication mechanisms;
• lack of a plan for life-cycle management of the information systems;
• lack of a configuration management and change management plan;
• lack of inventory of systems, servers, databases, and network devices;
• lack of mature vulnerability scanning tools;
• lack of valid authorizations for many systems; and
• lack of plans of action to remedy the findings of previous audits.

The breach ultimately resulted in removal of OPM's top leadership. The impact of the breach on the livelihoods of millions of people may never be fully known. There is a critical need for security programs that can assess vulnerabilities and provide mitigations.

In this project, there are eight steps, including a lab, that will help you create your final deliverables. The deliverables for this project are as follows:

Security Assessment Report (SAR): This should be an eight- to 10-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.

Risk Assessment Report (RAR): This report should be a five- to six-page double-spaced Word document with citations in APA format.
The page count does not include figures, diagrams, tables, or citations.

Lab: In a Word document, share your lab experience and provide screenshots to demonstrate that you performed the lab.

Competencies

Your work will be evaluated using the competencies listed below.

• 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
• 1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.
• 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas.
• 1.4: Tailor communications to the audience.
• 1.5: Use sentence structure appropriate to the task, message, and audience.
• 1.6: Follow conventions of Standard Written English.
• 5.2: Knowledge of architectural methodologies used in the design and development of information systems, including the physical structure of a system's internal operations and interactions with other systems, and knowledge of standards that either are compliant with or derived from established standards or guidelines.
• 5.6: Explore and address cybersecurity concerns, promote awareness, best practice, and emerging technology.
• 7.3: Knowledge of methods and tools used for risk management and mitigation of risk.
• 8.1: Demonstrate the abilities to detect, identify, and resolve host and network intrusion incidents.
• 8.2: Possess knowledge and skills to categorize, characterize, and prioritize an incident as well as to handle relevant digital evidence appropriately.

The project can be written following the format below.

Student Name:
Date:

This form provides the same classroom instructions in a checklist form to help students and professors quickly evaluate a submission.

Project 2 requires the following THREE pieces:
1. Security Assessment Report (including relevant findings from Lab)
2. Risk Assessment Report (compile findings from Project 1 & Project 2)
3. Lab Experience Report with Screenshots

Project 2 - Evaluation Criteria | Grade | Areas to Imp
• 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
• 1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.
• 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas.
• 1.4: Tailor communications to the audience.
• 1.5: Use sentence structure appropriate to the task, message, and audience.
• 1.6: Follow conventions of Standard Written English.
• 5.2: Knowledge of architectural methodologies used in the design and development of information systems, including the physical structure of a system's internal operations and interactions with other systems, and knowledge of standards that either are compliant with or derived from established standards or guidelines.
• 5.6: Explore and address cybersecurity concerns, promote awareness, best practice, and emerging technology.
• 7.3: Knowledge of methods and tools used for risk management and mitigation of risk.
• 8.1: Demonstrate the abilities to detect, identify, and resolve host and network intrusion incidents.

1. Security Assessment Report

Discuss all topics below. Consider using the topic headers as subheaders to organize your report.

Purpose and Scope
Based on your scenario (i.e., hypothetical or real), briefly explain why there is a need for this security assessment in your organization (purpose) and explain which components will be assessed (scope).

Enterprise Network Diagram
Propose a local area network (LAN) and a wide area network (WAN) for the organization, define the systems environment, and incorporate this information in a network diagram. Discuss the security benefits of your chosen network design.

Threats
1. Define threat intelligence and explain what kind of threat intelligence is known about the OPM breach.
2. Differentiate between the external threats to the system and the insider threats.
3. Identify where these threats can occur in the previously created diagrams.
4. Review the OIG report on the OPM breach (i.e., a historical fact). Use it to justify the need for a security assessment in order to avoid similar situations in your organization. Relate the OPM threat intelligence to your organization. How likely is it that a similar attack will occur at your organization?

Identifying Security Issues
1. Provide an analysis of the strength of passwords used by the employees in your organization.
2. Are weak passwords a security issue for your organization?

Firewalls and Encryption
1. Determine the role of firewalls and encryption, and auditing.
2. RDBMS that could assist in protecting information and monitoring the confidentiality, integrity, and availability of the information in the information systems.

Threat Identification
1. Identify the potential hacking actors of these threat attacks on vulnerabilities in networks and information systems, and the types of remediation and mitigation techniques available in your industry and for your organization.
2. Identify the purpose and function of firewalls for organization network systems, and how they address the threats and vulnerabilities you have identified.
3. Also discuss the value of using access control, database transaction, and firewall log files.
4. Identify the purpose and function of encryption, as it relates to files and databases and other information assets on the organization's networks.

Findings and Recommendations
1. Include a section where the findings (i.e., your lab findings) and your recommendations are enumerated. This is an important section of your report, since your feedback/report will help the leadership of your organization allocate the necessary resources to ensure the risks you identified will be mitigated. Each finding should have a corresponding recommendation. E.g.:
   Finding 1. It was found that ….
   Recommendation 1. It is recommended that ….
   Finding 2. ...
   Recommendation 2. ...

Security Assessment Report Feedback:

2. Risk Assessment Report

Make sure you include a summary of findings from Project 1 & Project 2.

Risk and Remediation
1. What is risk and what is remediation?
2. Summarize all the vulnerabilities found in Project 1 and Project 2. List them (e.g., in table format) and include: a description of each, the likelihood of each event occurring, the impact to your organization (e.g., H, M, L), remediation, and a cost/benefit analysis of remediation for your organization.
3. Make sure your RAR includes a compilation of all vulnerabilities/threats identified in the labs for Project 1 and Project 2 (i.e., all OS-related and network-related vulnerabilities).
4. Devise a high-level plan of action with interim milestones (POAM).

Risk Assessment Report Feedback:

3. Lab Experience Report

Your report should include:
1. Respond to the lab questions associated with each Wireshark file provided.
2. Respond to the Nmap questions associated with both target machines.
3. Answer the questions related to OS fingerprinting.
4. Include your experience with multiple-host and network scanning.
5. Provide screenshots of key results associated with the items listed above.
6. Ensure a summary of your results is included in your SAR. Add these findings to the RAR analysis.

Lab Experience Report Feedback:

Course Resource: Network Analysis Lab (Nmap and Wireshark)

Assignment Rules

This lab assignment should be completed individually. Your professor and classmates can be a resource if you need help, but you are required to complete the assignment independently. Do not plagiarize by copying content from the internet or other sources. Lab procedures and results need to be documented and included in your deliverables. Provide screenshots where necessary to support your work.

Assignment Objectives

• Use vulnerability tools to analyze Windows and Linux operating systems in a networked environment.
• Use manuals and general guidance to generate a vulnerability report.
• Identify open ports, blank passwords, and other vulnerabilities of the IT system.
• Based on the automatically generated reports, write a security assessment report (SAR) and risk assessment report (RAR).

Competencies: vulnerability assessments, security assessment, and risk assessment.

Lab Overview

As you perform this lab, you will reinforce the concepts learned in the classroom. The purpose of this lab is to gain hands-on experience running vulnerability tools that can help detect potential weaknesses in a system. In a previous project, you used OpenVAS; however, in this lab, you will use Nmap and Wireshark. You should have already learned the functionality of these tools as you studied the content within the steps in your classroom. You will use the vulnerability tools (Nmap and Wireshark) within the virtual lab environment to analyze Windows and Linux OS vulnerabilities. These tools are installed in the virtual machines (VMs) within the labs.

Course note: In labs and related screenshots, any instructions that apply to CST 610 also apply to DFC 610.

Virtual Lab Topology

The virtual lab environment has four lab virtual machines (VMs) in this course, which are connected as depicted in the schematic diagram. Two of the machines run the Linux operating system (OS), while the other two run Windows OS.

Types of VMs in This Lab

VM #   VM Name    OS Type   VM Type
VM1    NIXATK01   Linux     Attacker Machine
VM2    NIXTGT01   Linux     Target Machine
VM3    WINATK01   Windows   Attacker Machine
VM4    WINTGT01   Windows   Target Machine

Note: [1] There are two target VMs and two attacker VMs. [2] There are two internal IPv4 subnets for VMs.

The lab topology is shown below. Part A (left side) of the schematic diagram is the virtual lab topology indicating how the VMs are laid out in the dedicated local area network (LAN); Part B (right side) consists of a hypothetical core network connection to the internet.
The schematic diagram/layout of the connected VMs of the virtual lab setup: The diagram at left, labeled "Virtual Lab Environment" and "A Dedicated LAN of the Virtual Labs", shows the Windows target and attacker VMs on the left and the Linux target and attacker VMs on the right, with details of the addresses for "Internal Subnets for VMs (CIDR Blocks)". An arrow labeled "Internal LAN" connects to the diagram on the right, labeled "Enterprise Core Network Architecture", which shows a DMZ Network on top and a Core Network on the bottom. In the center, three DMZ servers have firewalls on either side. One path beyond the left firewall leads to a multilayer switch router; a path beyond the right firewall is labeled "External WAN" and leads to an internet/cloud icon. In the Core Network below, four servers (database, FTP, file, and application) are shown as part of the LAN/WAN network connection, along with icons for a switch, routers and servers, workstations, VoIP and smartphone, a wireless access point, a printer, and a laptop. There are also icons for collecting anomalous traffic: a honeypot and a detection/trap station.

As shown in the diagram, there are two internal subnets:
• The 10.11.0.0/16 (or 10.11.5.0/24) subnet is used to connect to your allocated VMs.
• The 192.168.0.0/16 (or 192.168.10.0/24) subnet is used for the VMs to communicate among themselves.

The following is a list of specific examples of IPv4 addresses for the VMs that you are likely to encounter based on the subnets: 10.11.5.2, 10.11.5.10, 10.11.5.45, 192.168.10.1, 192.168.10.20, 192.168.10.6, etc.

Use the required VM and/or applications or software tools, which are provided in the Lab Resources section, to complete this lab.

Important Lab Information

Appendix A contains all the detailed lab instructions. After reading the information in this section, use Appendix A to perform the lab exercises.
1. Familiarize yourself with the resources provided in the Lab Resources section of this document. You will find helpful open-source links that will help you understand the tools you will use in this lab.
2. Connect to the lab environment following the instructions provided in the "Virtual Labs" document linked from a box within the project steps in your classroom. Let your instructor know if you cannot locate the instructions. You may also contact the lab support team if you need general technical support with the virtual lab environment and associated lab exercises.
3. After you have successfully connected to the lab environment, proceed to the next step to run the tools associated with this project.
4. Run Wireshark. Follow the instructions provided in Section I of Appendix A. Review the open-source links for Wireshark in the Lab Resources to understand this tool and interpret its results.
5. Run Nmap. Follow the instructions provided in Section II of Appendix A. Review the open-source links for Nmap in the Lab Resources to understand this tool and interpret its results.
6. Compile your findings and incorporate them into your deliverables for this project.

Lab Resources

Application Websites
Wireshark: https://www.wireshark.org/download.html
Nmap: http://www.insecure.org/nmap

Application Documentation
Wireshark: http://www.eecs.yorku.ca/course_archive/2011-12/F/3213/Project/guide.pdf
Wireshark: https://www.wireshark.org/download/docs/user-guide.pdf
Nmap: https://nmap.org/book/man.html

Appendix A (Lab Instructions)

I. Wireshark

Wireshark, a network protocol analyzer, is an open-source tool for capturing and analyzing network traffic or network packets. The tool can also be used for network troubleshooting, protocol development, and other similar tasks.

Overview of the Wireshark User Interface

The Wireshark user interface (UI) contains three main sections: the packet list pane, the packet details pane, and the packet bytes pane.
Packet List Pane: This pane is located at the top of the user interface and displays all packets captured with Wireshark. Notice that each line or row is assigned a specific number. This number is the packet number in the capture file and does not change. When a packet is selected in the top pane, corresponding details appear in the other panes: packet details and packet bytes/status.

Wireshark Packet Details

Wireshark Section   Subitem       Explanation
Packet List         No.           sequentially assigned packet number
                    Time          indicates the timestamp when a packet was captured
                    Source        indicates where the packet originated
                    Destination   indicates where the packet was sent
                    Protocol      specifies the protocols involved (e.g., TCP, UDP, FTP)
                    Length        measures the packet length in bytes
                    Info          provides additional details about the packet

Packet Details Pane: This pane, located in the middle, displays the protocols and associated fields of the selected packet in a collapsed format. Each frame, protocol, or detail in each row can be expanded, using the plus sign ("+") or right arrow symbol (">"), to display additional details. You can set filters, based on protocol type, by right-clicking on the desired item within this pane.

Packet Bytes/Status Pane: This pane, located at the bottom, displays the raw data of the selected packet from the packet list pane in a hexadecimal dump format. This is useful in identifying suspicious packet contents, as some content will be easily viewed in ordinary ASCII characters.

For this lab, use the Wireshark program installed in the WINATK01 Windows VM. Familiarize yourself with the open-source links for Wireshark provided in Lab Resources to learn more about this tool.

Overview: For this lab, you will analyze five Wireshark files (provided to you). Download these files from the Resources page by following the steps below:
1. Double-click and open the Lab Resources folder from the desktop of the WINATK01 VM.
2. Double-click on the Resources link in the Lab Resources folder.
3. Click and download the "PCAPFiles.zip" file under Project 2.
4. After downloading and extracting the content of the PCAPFiles.zip file to a folder, locate the PCAP files and place them in a location within WINATK01 where you can find them.

Note: Wireshark files have the extension ".pcap".

The five files you are going to analyze are as follows:
• mysql_complete.pcap
• HTTP.pcap
• ospf simple password authentication.pcap
• telnet.pcap
• gmail.pcapng.pcap

As you analyze the results of each file, consider the following questions:
1. What are the unique pairs of IP addresses that are communicating with one another, based on the source and destination addresses in the top frame of the Wireshark user interface?
2. For each unique pair of IP addresses communicating, what protocols are being used, as indicated by Wireshark?
3. What source and destination port numbers are being used? Click on a packet line in the top pane and open the Transmission Control Protocol (TCP) in the middle pane to identify the port numbers (Src Port and Dst Port) for each unique pair of IP addresses communicating with each unique protocol being used (such as TCP or HTTP).
   Screenshot: Wireshark in the Virtual Labs, highlighting the Transmission Control Protocol and associated ports.
4. What are the MAC addresses for each of the unique pairs of machines that are communicating with one another? Note: This can be seen in the middle frame of the Wireshark user interface on the line for the Ethernet II layer.
5. What plaintext information (if any) can you find in any of the packets in the upper frame of the Wireshark user interface? Note: Check the packet bytes pane, located at the bottom, which displays the raw data of the selected packet in a hexadecimal view.

Refer to the Wireshark user guide as needed.

Network Packet Analysis Using Wireshark

1. From the desktop of the WINATK01 VM, navigate to the Applications folder (Lab Resources > Applications), and then locate and launch Wireshark, using its shortcut.
   Note: You might receive a warning that a software update is available. Click "Remind me later."
2. Double-click on Ethernet 2 to start capturing the network traffic.
   Screenshot: The Wireshark Capture window within Virtual Labs, highlighting the Ethernet 2 button.
3. Since you are going to analyze Wireshark files that have already been captured, you need to stop this initial capture. Stop the current capture by clicking on the red square located in the upper left corner of the user interface, as shown below. Proceed to Step 4 to load the first .pcap file.
   Screenshot: A Wireshark capture in Virtual Labs, with the red square at the upper left corner indicated to stop the current capture. (Source: Wireshark)
4. Load the first captured .pcap file provided to you (as explained in the overview).
   Screenshot: Wireshark in the Virtual Labs, highlighting the first captured .pcap file in the lab. (Source: Wireshark)
5. Analyze the output of the file, considering the questions provided in the overview.
6. Repeat Steps 4 and 5 until you have analyzed all five files. Note your findings.

II. Nmap

Nmap is a security scanner used to discover hosts and services on a computer network. Based on network conditions, it sends packets with specific information to the target host device and then evaluates the responses. To hack into a computer system, an attacker must target a machine and identify on which ports the machine is listening. The attacker can sweep networks and locate vulnerable targets using scanners such as Nmap. Nmap also uses TCP stack fingerprinting to accurately determine the type of system being scanned.

During this exercise, you will use the Windows VM, WINATK01, to scan two other systems, WINTGT01 (Windows VM) and NIXTGT01 (Linux VM). In addition to the command-line interface, Nmap scans can be performed using Zenmap, which provides a graphical user interface for Nmap. Zenmap is also installed on the WINATK01 Windows VM.
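The Wireshark questions in Section I (unique IP pairs, protocols and ports per pair, MAC addresses from the Ethernet II line, plaintext in the packet bytes) can also be answered from the raw bytes of a capture. The following is an added example written for this page, not part of the course materials or the lab's pcap files: a minimal stdlib-only pcap parser that builds a small constructed capture in memory (Telnet, HTTP, and one binary UDP frame, with made-up MAC and IP addresses imitating the lab's subnets) so that it runs offline, and then reports exactly what the five questions ask for.

```python
# Added example (not course material): answer the lab's Wireshark questions from raw pcap bytes.
# Stdlib only; the capture is constructed in memory with made-up, lab-style addresses.
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, little-endian, microsecond timestamps
ETH_IPV4 = 0x0800
PROTO_NAMES = {6: "TCP", 17: "UDP"}
# Server ports behind the lab's pcap files; other ports fall back to the L4 protocol name
APP_PORTS = {23: "TELNET", 80: "HTTP", 3306: "MYSQL", 53: "DNS"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload):
    """Ethernet II + IPv4 + TCP/UDP frame. Checksums are left at zero: test data only."""
    if proto == 6:  # TCP: data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:           # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + l4
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETH_IPV4) + ip


def build_pcap(frames):
    """Wrap frames in a pcap file image: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """One record per frame: Wireshark's packet-list columns plus the Ethernet II MACs."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        rec = {"no": len(records) + 1, "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
               "src": None, "dst": None, "proto": "OTHER", "app": "OTHER", "payload": b""}
        if struct.unpack_from("!H", frame, 12)[0] == ETH_IPV4:
            ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
            proto = frame[23]             # IPv4 protocol field
            rec["src"], rec["dst"] = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
            rec["proto"] = rec["app"] = PROTO_NAMES.get(proto, str(proto))
            l4 = frame[14 + ihl:]
            if proto in (6, 17):
                rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4, 0)
                hdr = (l4[12] >> 4) * 4 if proto == 6 else 8  # TCP data offset, or fixed UDP header
                rec["payload"] = l4[hdr:]
                rec["app"] = APP_PORTS.get(rec["dport"]) or APP_PORTS.get(rec["sport"]) or rec["proto"]
        records.append(rec)
    return records


def printable_text(payload, threshold=0.9):
    """The lab's plaintext check: return the payload as text if it is mostly printable ASCII."""
    if not payload:
        return None
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if printable / len(payload) < threshold:
        return None
    return payload.decode("ascii", errors="replace").strip()


def summarize(records):
    """Unique IP pairs, (application, port pair) conversations per pair, MAC pairs, plaintext hits."""
    pairs, macs, plaintext = defaultdict(set), defaultdict(set), []
    for r in records:
        if r["src"] is None:  # non-IPv4 frame (e.g. ARP): no IP pair to report
            continue
        key = tuple(sorted((r["src"], r["dst"])))
        ports = tuple(sorted((r["sport"], r["dport"]))) if "sport" in r else ()
        pairs[key].add((r["app"], ports))
        macs[key].add(tuple(sorted((r["src_mac"], r["dst_mac"]))))
        text = printable_text(r["payload"])
        if text:
            plaintext.append((r["no"], r["app"], text))
    return {"pairs": dict(pairs), "macs": dict(macs), "plaintext": plaintext}


# Constructed capture: addresses imitate the lab's 192.168.10.0/24 and 10.11.5.0/24 subnets.
ATK_MAC, NIXTGT_MAC, WINTGT_MAC = "00:0c:29:aa:bb:03", "00:0c:29:aa:bb:02", "00:0c:29:aa:bb:01"
CAPTURE = build_pcap([
    # Telnet login: username and server prompt cross the wire unencrypted
    build_frame(ATK_MAC, NIXTGT_MAC, "192.168.10.20", "192.168.10.6", 6, 49152, 23, b"admin\r\n"),
    build_frame(NIXTGT_MAC, ATK_MAC, "192.168.10.6", "192.168.10.20", 6, 23, 49152, b"Password: "),
    # HTTP request to a host on the other lab subnet
    build_frame(ATK_MAC, WINTGT_MAC, "192.168.10.20", "10.11.5.45", 6, 49153, 80,
                b"GET / HTTP/1.1\r\nHost: 10.11.5.45\r\n\r\n"),
    # Binary UDP payload: not human-readable, so it must not be reported as plaintext
    build_frame(ATK_MAC, WINTGT_MAC, "192.168.10.20", "10.11.5.45", 17, 40000, 5000, bytes(range(16))),
])


def analyze(data=CAPTURE):
    """Run the whole pipeline on a pcap image; returns the dict that summarize() builds."""
    return summarize(parse_pcap(data))
```

Calling analyze() on the constructed capture yields two IP pairs, one Telnet conversation and one HTTP plus one UDP conversation, one MAC pair per IP pair, and three plaintext hits (the Telnet username, the "Password:" prompt and the HTTP request line); replacing CAPTURE with the bytes of a real .pcap file gives the same report for that file.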
Note: Be sure to turn on both VMs before running the scan.

Network Scanning Using Nmap

1. Navigate to the Zenmap application (WINATK01 > Desktop > Lab Resources > Applications), and then locate and launch Zenmap.

Port Scanning

2. Scan for open ports on the Windows target VM, WINTGT01, using the command nmap -Pn, as shown in the Command field of the interface. To perform the Nmap port scan targeting WINTGT01, type nmap -Pn WINTGT01 in the Command field of the interface and press Enter. After correctly typing this command in the Command field, the Target field should be automatically populated with the correct target hostname or IP address.
3. Based on the output, answer the following questions: What can you say about the results? How many ports are reported by the scan? How many ports are open?
   Screenshot: The Target field, Profile field, and Command field are highlighted.
   What can you say about the host details in the screenshot below? Comment on the data of interest in your findings. (Source: Zenmap)
4. Repeat the previous step to do port scanning for the second target system, NIXTGT01.

Operating System Fingerprinting

In this part of the lab, you will perform a fingerprint scan and study the results.

5. To perform the scan, type nmap -sS -O -v WINTGT01 in the Command field and press Enter to detect the operating system (-O) of WINTGT01 with plenty of details (-v). This launches a stealth SYN scan against the host machine that is up. It also tries to determine what operating system is running on a host that is up and running. What can you say about the results? How many ports are exposed or open?
   Screenshot: Fingerprint scan results from Zenmap, showing port results. The command line nmap -sS -O -v WINTGT01 is highlighted.
6. Repeat Step 5 to perform the test for the second target system, NIXTGT01.

Scanning Multiple Hosts

You can scan multiple IP addresses instead of just one host (i.e., WINTGT01 or NIXTGT01).
Note: This lab environment is set up to use dynamic IP addresses instead of static IP addresses. Therefore, the IP addresses assigned to your specific lab VMs are likely to be different from what you see in the screenshots below. As a result, make sure you are using the IP addresses assigned to your Lab Resources as allocated in Lab Broker.

7. Type nmap -sP 192.168.10.0 192.168.10.0 192.168.10.0 192.168.10.0 and press Enter to do a ping scan of those selected host IP addresses. Notice the list of IP addresses of the hosts in the screenshot below.

Scanning a Network

Alternatively, you can scan a subnet instead of just one host (i.e., WINTGT01 or NIXTGT01).

8. Now type nmap -O -v 192.168.10.0/24 and press Enter to scan the entire 192.168.10.0/24 network and to detect the operating system (-O) of each host on the network with plenty of details (-v). Below are screenshots showing the outputs for host IP addresses 192.168.10.1, 192.168.10.2, and 192.168.10.4.

This ends the lab. Close all applications and exit the virtual lab. Ensure that you compile your findings in your report for submission.

Project 2: Assessing Information System Vulnerabilities and Risk

Step 3: Scan the Network

You will now investigate network traffic and the security of the network and information system infrastructure overall. Past network data has been logged and stored, as collected by a network analyzer tool such as Wireshark. Explore the tutorials and user guides to learn more about the tools you will use to monitor and analyze network activities. You will perform a network analysis of the Wireshark files provided to you in Workspace and assess the network posture and any vulnerability or suspicious information you are able to obtain. You will identify any suspicious activities on the network through port scanning and other techniques. Include this information in your SAR.
Complete This Lab

Project 2: Assessing Information System Vulnerabilities and Risk

Step 8: Creating the SAR and RAR

Your research and your Workspace exercise have led you to this moment: creating your SAR and RAR. Consider what you have learned in the previous steps as you create your reports for leadership.

Prepare a Security Assessment Report (SAR) with the following sections:
1. Purpose
2. Organization
3. Scope
4. Methodology
5. Data
6. Results
7. Findings

The final SAR does not have to stay within this framework and can be designed to fulfill the goal of the security assessment.

Prepare a risk assessment report (RAR) with information on the threats, vulnerabilities, likelihood of exploitation of security weaknesses, impact assessments for exploitation of security weaknesses, remediation, and cost/benefit analyses of remediation. Devise a high-level plan of action with interim milestones (POAM) in a system methodology to remedy your findings. Include this high-level plan in the RAR. Summarize the results you obtained from the OpenVAS vulnerability assessment tool in your report.

The deliverables for this project are as follows:
1. Security Assessment Report (SAR): This should be an eight- to 10-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
2. Risk Assessment Report (RAR): This report should be a five- to six-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
3. Lab: In a Word document, share your lab experience and provide screenshots to demonstrate that you performed the lab.

Submit your deliverables below.

Transcript: Operating Systems Vulnerabilities

Congratulations. You are the newly appointed lead cybersecurity engineer with your company in the oil and natural gas sector. This is a senior-level position.
You were hired two months ago based on your successful cybersecurity experience with a previous employer. Your technical knowledge of cybersecurity is solid. However, you have a lot to learn about this company's culture, processes, and IT funding decisions, which are made by higher management.

You have recently come across numerous anomalies and incidents leading to security breaches. The incidents took place separately, and it has not been determined whether they were caused by a single source or multiple related sources. First, a month ago, a set of three corporate database servers crashed suddenly. Then, a week ago, anomalies were found in the configuration of certain server and router systems of your company. You immediately recognized that something with your IT resources was not right. You suspect that someone, or some group, has been regularly accessing your user account and conducting unauthorized configuration changes.

You meet with your leadership to discuss the vulnerabilities. They would like you to provide a security assessment report, or SAR, on the state of the operating systems within the organization. You're also tasked with creating a nontechnical narrated presentation summarizing your thoughts.

The organization uses multiple operating systems that are Microsoft-based and Linux-based. You will have to understand these technologies for vulnerability scanning using the tools that work best for the systems in the corporate network. You know that identity management will increase the security of the overall information systems infrastructure for the company. You also know that with a good identity management system, the security and productivity benefits will outweigh the costs incurred. This is the argument you must make to the stakeholders.
Project 1: Operating Systems Vulnerabilities (Windows and Linux)

Start Here

Transcript

The operating system (OS) of an information system contains the software that executes the critical functions of the information system. The OS manages the computer's memory, processes, and all of its software and hardware. It allows different programs to run simultaneously and access the computer's memory, central processing unit, and storage. The OS coordinates all of these activities and ensures that sufficient resources are allocated. These are the fundamental processes of the information system, and if they are violated by a security breach or exploited vulnerability, that could have a significant impact on the organization.

Security for operating systems means protecting the OS components from attacks that could cause deletion, modification, or destruction of the operating system. Threats to an OS could include a breach of confidential information, unauthorized modification of data, or unauthorized destruction of data. It is the job of the cybersecurity engineer to understand the operations and vulnerabilities of the OS (for any type of OS), and to provide mitigation, remediation, and defense against threats that would expose those vulnerabilities or attack the OS.

As you assess your company's systems, you will likely uncover gaps and errors. These may reveal mistakes that people at the company have made which might embarrass or anger those involved.
However, the trust placed in you means that you have a responsibility to report your findings fully and accurately so that you can reduce or eliminate the risk of future unauthorized access. So be fair and follow industry standards, but have the courage to be a force for positive change in your company's cybersecurity efforts.

There are six steps that will help you create your final deliverables. The deliverables for this project are as follows:

1. Security Assessment Report (SAR): This report should be a seven- to eight-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
2. Nontechnical presentation: This is a set of eight to 10 PowerPoint slides for upper management that summarizes your thoughts regarding the findings in your SAR.
3. In a Word document, share your lab experience and provide screenshots to demonstrate that you performed the lab.

Competencies

Your work will be evaluated using the competencies listed below.
• 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
• 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
• 5.4: Identify potential threats to operating systems and the security features necessary to guard against them.

Project 1: Operating Systems Vulnerabilities (Windows and Linux)

Step 4: Review Vulnerability Assessment Tools for OS and Applications

Vulnerability assessment is scanning a network for known security weaknesses. Vulnerability scanners are software tools designed to provide an automated method for conducting vulnerability scans across an entire network that may run into hundreds or even thousands of machines.
According to EC-Council (2018), vulnerability scanners can help identify the following types of weaknesses:
• the OS version running on computers or devices
• IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening
• applications installed on computers
• accounts with weak passwords
• files and folders with weak permissions
• default services and applications that might have to be uninstalled
• mistakes in the security configuration of common applications
• computers exposed to known or publicly reported vulnerabilities

Additionally, vulnerability scanners can be used to help predict the effectiveness of countermeasures (security controls) and to test the effectiveness of those controls in the production network. Further, vulnerability scanners also have limitations, primarily in that they are only as effective as the supporting databases and/or plug-ins at a point in time. Large, automated vulnerability scanning suites also require maintenance, tuning, and frequent updates to be able to detect new vulnerabilities. Finally, scanning engines are prone to both false positives and false negatives. That is where you as the cybersecurity professional will apply your deep knowledge of the environment, network, and applications in use.

Two common vulnerability scanners used in industry are the free open-source scanner OpenVAS and the commercial tool Nessus. In this lab, you will use OpenVAS. Select the following links to learn more about OpenVAS and computer networks:
• OpenVAS
• Computer Networks

Your leadership will want to understand the capabilities of the OpenVAS scanner, so you will need to include that information in your Security Assessment Report (SAR). Use the tool's built-in checks to complete the lab. For details on accessing the lab, see the "Complete This Lab" box below.

Use OpenVAS to complete the following:

For the Windows OS:
1. Determine if Windows administrative vulnerabilities are present.
2. Determine if weak passwords are being used on Windows accounts.
3. Report which security updates are required on each individual system.
4. The tool provides a dynamic assessment of missing security updates. Scan one or more computers by domain, IP address range, or other groupings.
5. Once complete, provide a detailed report and recommendations on how to make your system a more secure working environment. In this case, the OpenVAS tool will create and store individual XML security reports for each computer scanned and will display the reports in the graphical user interface in HTML.

For the Linux OS:
1. Determine if Linux vulnerabilities are present.
2. Determine if weak passwords are being used on Linux systems.
3. Determine which security updates are required for the Linux systems.
4. The tool provides a dynamic assessment of missing security updates. Scan one or more computers by domain, IP address range, or other groupings.
5. Once complete, provide a detailed report and recommendations on how to make your system a more secure working environment.

Knowledge acquired from this Workspace exercise will help your company's client organizations secure the computer networks' resources and protect corporate data from being stolen. Validate and record the benefits of using these types of tools. You will include this in the SAR.

References

EC-Council (2018). Certified Ethical Hacker (CEH) Version 10 eBook (Volumes 1 through 4). [VitalSource Bookshelf]. Retrieved from https://bookshelf.vitalsource.com/#/books/9781635671919

Complete This Lab

Course Resource: Vulnerability Assessment Tools for Operating Systems and Applications (OpenVAS)

Assignment Rules
• This lab assignment should be completed individually. Your professor and classmates can be a resource if you need help, but you are required to complete the assignment independently.
• Do not plagiarize by copying content from the internet or other sources.
• Lab procedures and results need to be documented as part of your submission.
• Provide screenshots where necessary to support your work.

Assignment Objectives
• Use open-source vulnerability tools to analyze Windows and Linux systems.
• Identify vulnerabilities of the information technology (IT) systems.
• Based on the automatically generated reports and information provided in the classroom steps, develop a security assessment report (SAR).

Competencies: vulnerability assessments, risk assessment, risk rating, and threat identification.

Lab Overview

The main purpose of this lab is to gain hands-on experience running vulnerability tools that help determine potential weaknesses in a system and understand the concepts in the classroom. OpenVAS is used to identify vulnerabilities in a Windows and Linux-based operating system. Before proceeding, revisit the information provided in the classroom that cites items you will need to include in your SAR. You will use the Virtual lab environment to access OpenVAS. This tool is already installed on virtual machines (VMs).

Course note: In labs and related screenshots, any instructions that apply to CST 610 also apply to DFC 610.

Lab Topology

The virtual lab environment has four lab virtual machines (VMs) in this course, which are connected as depicted in the schematic diagram that will follow. Two of the machines run the Linux operating system (OS), while the other two run Windows OS.

Types of VMs in This Lab

VM #   VM Name    OS Type   VM Type
VM1    NIXATK01   Linux     Attacker Machine
VM2    NIXTGT01   Linux     Target Machine
VM3    WINATK01   Windows   Attacker Machine
VM4    WINTGT01   Windows   Target Machine

Note: [1] There are two target VMs and two attacker VMs. [2] There are two internal IPv4 subnets for VMs.

The lab topology is shown below.
Part A (left side) of the schematic diagram is the virtual lab topology indicating how the VMs are laid out in the dedicated local area network (LAN); Part B (right side) consists of a hypothetical core network connection to the internet. As shown in the diagram, there are two internal subnets:
1. The 10.11.0.0/16 (or 10.11.5.0/24) subnet is used to connect to your allocated VMs.
2. The 192.168.0.0/16 (or 192.168.10.0/24) subnet is used for the VMs to communicate among themselves.

The following is a list of specific examples of IPv4 addresses for the VMs that you are likely to encounter based on the subnets: 10.11.5.2, 10.11.5.10, 10.11.5.45, 192.168.10.1, 192.168.10.20, 192.168.10.6, etc.

Note: For safety, legal, and ethical concerns about the potential for misuse of some software tools when performing the lab, students' access to the internet from the Virtual Lab Environment is blocked. Use the required VM and/or applications or software tools, which are provided in the Lab Resources section, to complete this lab.

Important Lab Information
• Step-by-step lab instructions are provided below. After reading the information in this section, follow the directions to perform the lab exercises.
• Familiarize yourself with the resources provided in the Lab Resources section of this document. You will find helpful open-source links that help you understand the tools you will use in this lab.
• Connect to the lab environment following the instructions provided in the "Virtual Labs" document linked from a box within the project steps in your classroom.

You will use NIXATK01 to run OpenVAS. To run this tool, carefully read and follow the step-by-step instructions provided below. The following information is required to be in your SAR based on the OpenVAS results.
• Determine if vulnerabilities are present in your Linux and Windows system.
• Determine if weak passwords or encryptions are being used on Linux systems.
Compile your findings and incorporate them into your deliverables for this project.

Lab Resources
• Lab Credentials
• OpenVAS Website
  o http://www.openvas.org/
• Additional OpenVAS resources
  o https://www.kali.org/penetration-testing/openvasvulnerability-scanning/
  o https://nsrc.org/workshops/2012/ternet-nsrc/rawattachment/wiki/AgendaTrack1/exercisesopenvas.pdf

Step-by-Step Instructions

Connect to NIXATK01. Click Yes on the Verify host authenticity screen and log in.

Source: Linux, UMGC Virtual Labs

The IP addresses of the target Windows and Linux VMs are needed to run the scan. The ping command is one of the fastest ways to determine the IP address. In a terminal window, type the following commands:

ping NIXTGT01
ping WINTGT01

Source: Linux, UMGC Virtual Labs

You might get different IP addresses for both VMs.

Next, you will access the OpenVAS web interface running on port number 9392 of your Linux VM, NIXATK01. Type the following URL in the address bar of a web browser within the lab VM:

https://127.0.0.1:9392

Note: A shortcut to the OpenVAS interface has also been created and placed in the Lab Resources folder located on the desktop of your Linux VM. You may use this shortcut to automatically launch a browser and access OpenVAS. If you get an error, ensure that you are using the browser within the lab VM as indicated by the screenshot below.

Source: Linux, Virtual Labs

You will be prompted with a screen that asks for a security exception. Allow the security exception by clicking the Advanced button.

Source: Google, Virtual Labs

Confirm the exception by clicking Proceed to 127.0.0.1 (unsafe).

Source: Google, Virtual Labs

After allowing the security exception, the OpenVAS login interface will appear to allow you to log in.

Source: OpenVAS, UMGC Virtual Labs

Log in to OpenVAS using the following credentials:

Once logged in, familiarize yourself with the user interface, starting with the dashboard.
Source: OpenVAS, Virtual Labs

From the Scans menu, click Task to be taken to the task management dashboard.

Source: OpenVAS, Virtual Labs

Observe the three icons in the upper left corner related to creating and managing tasks. The first icon is the Help icon (question mark). The second is the Wizard icon (wand) and the third is the New Task icon (star).

Source: OpenVAS, Virtual Labs

Click the Help icon to learn about the different aspects of task management available.

Source: OpenVAS, Virtual Labs

The Wizard and New Task icons allow you to create, save, and run tasks. Click the Wizard icon to initiate the process of a new scan.

Source: OpenVAS, Virtual Labs

When prompted on the task Wizard window, enter the IP address or hostname of the target VM to scan in place of the default loopback IP address, 127.0.0.1.

Source: OpenVAS, Virtual Labs

In the following example, you will enter the IP address of the NIXTGT01 VM that you had noted by running the ping command earlier, 192.168.10.2, and start scanning that VM.

Source: OpenVAS, Virtual Labs

Notice the status of the scan at the bottom of the page as seen below.

Source: OpenVAS, Virtual Labs

Observe the scan progress. By default, the page refreshes every 30 seconds.

Source: OpenVAS, Virtual Labs

Once the scan is completed, the Status column will display a Done button.

Source: OpenVAS

Click the Done button to display the scan results. The detected vulnerabilities will be listed in the Vulnerability column.

Source: OpenVAS

Click each listed vulnerability to see detailed information compiled for it about its impact and potential solution.

Repeat the above steps to scan the Windows VM, WINTGT01, and include your findings in your final report as indicated in the project steps in the classroom.

This ends the lab. Close all open applications and exit the virtual lab. Be sure to include your findings in your report for submission.
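The per-host XML reports OpenVAS stores for each scanned machine (step 5 of the Windows tasks) can be post-processed into the per-host, per-threat-level summary the SAR asks for. The following is an added example, not part of the lab or of the OpenVAS project: a small Python parser run over a constructed report whose element names (host, port, nvt/name, nvt/cvss_base, threat) follow the OpenVAS XML report format but whose findings and the assumed WINTGT01 address 192.168.10.20 are made up.

```python
"""Summarise OpenVAS XML scan results per host for a SAR (added example, not lab or project code).
The sample below is constructed to mimic OpenVAS <result> elements (host, port, nvt/name,
nvt/cvss_base, threat): real field names, made-up values and hypothetical finding names."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample: 192.168.10.2 is NIXTGT01 as in the lab; 192.168.10.20 is assumed for WINTGT01.
SAMPLE_REPORT = """<report><results>
<result><host>192.168.10.2</host><port>22/tcp</port>
  <nvt><name>Weak SSH credentials (constructed)</name><cvss_base>7.5</cvss_base></nvt>
  <threat>High</threat></result>
<result><host>192.168.10.2</host><port>general/tcp</port>
  <nvt><name>OS end of life (constructed)</name><cvss_base>10.0</cvss_base></nvt>
  <threat>High</threat></result>
<result><host>192.168.10.20</host><port>445/tcp</port>
  <nvt><name>SMB signing not required (constructed)</name><cvss_base>5.3</cvss_base></nvt>
  <threat>Medium</threat></result>
<result><host>192.168.10.20</host><port>general/tcp</port>
  <nvt><name>Traceroute (constructed)</name><cvss_base>0.0</cvss_base></nvt>
  <threat>Log</threat></result>
</results></report>"""


def parse_results(xml_text):
    """Return one dict per <result>: host, port, name, cvss (float), threat."""
    findings = []
    for res in ET.fromstring(xml_text).iter("result"):
        nvt = res.find("nvt")
        if nvt is None:
            continue  # malformed result: no NVT means no finding to report
        findings.append({
            "host": (res.findtext("host") or "").strip(),  # text before <asset> child in real reports
            "port": res.findtext("port", default=""),
            "name": nvt.findtext("name", default=""),
            "cvss": float(nvt.findtext("cvss_base") or 0.0),
            "threat": res.findtext("threat", default="Log"),
        })
    return findings


def summarize_by_host(findings):
    """Count findings per host and threat level; Log entries are informational, not vulnerabilities."""
    counts = defaultdict(Counter)
    for f in findings:
        counts[f["host"]][f["threat"]] += 1
    return {host: dict(c) for host, c in counts.items()}


def top_findings(findings, min_cvss=7.0):
    """Findings at or above the CVSS cutoff, highest first: candidate remediation items for the SAR."""
    return sorted((f for f in findings if f["cvss"] >= min_cvss), key=lambda f: -f["cvss"])
```

Each item returned by top_findings still needs the manual validation the text above calls for, since a scanner's High rating can be a false positive for the specific build in use.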