Labs for Principles of Information Security 7th Edition
Hands-On Lab: Ethical Considerations in IT and Detecting Phishing Attacks
To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 978-0-357-50643-1
Table of Contents

Objective
Estimated Completion Time
Materials Required
Introduction
Ethical Considerations in the Use of Information Security Tools
    Are You a White Hat?
    The White Hat Agreement
    (ISC)2 Code of Ethics
Self-Reflection and Response
    Instructor’s Response
Detecting and Responding to Phishing Attacks
    Legitimate Messages Don’t Request Sensitive Information
    Legitimate Messages Usually Call You by Your Name
    Legitimate Messages Come from Authentic Domains
    Legitimate Messages Come from People Who Know How to Spell and Write
    Legitimate Messages Don’t Force You to a Web Site
    Legitimate Messages Don’t Include Unsolicited Attachments
    Legitimate Messages Have Links that Match Legitimate URLs
    Legitimate Messages Don’t Create an Artificial Sense of Urgency
    Legitimate Messages Display Reliable Names
    Legitimate Messages Don’t Solicit Money
How You Should Respond to Phishing E-Mails
Test Your Knowledge
    Instructor’s Response
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible Web site, in whole or in part.
Objective

Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Estimated Completion Time

If you are prepared, you should be able to complete:
• The Ethical Considerations lab in 15 to 20 minutes.
• The Phishing E-Mail lab in 60 to 75 minutes.
Materials Required

Completion of this lab does not require any software to be installed and configured on your computer.
Introduction

This module does not include a “hands-on” project to develop specific skills. Instead, it discusses two topics that will be useful for the projects you perform in the later modules. You will first learn about the ethical dimension of using information security tools and techniques that many consider to be from the “dark side.”

Social engineering is a term that describes malicious actions that exploit human psychology to gain access to sensitive information or money. Attackers manipulate people through dishonest social interactions and exploit the human tendency to trust in order to gather valuable information. Phishing is a popular form of social engineering attack in which an attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site to extract personal or confidential information.

The best defense against e-mail phishing attacks is user awareness. Many organizations now filter employee e-mail using commercial products, but even the best of these products will not stop every phishing e-mail. An alert workforce and a trained service support staff are also required.

In the second part of this lab, you will begin by reading about the indicators that an e-mail is actually a phishing attack. Next, you will assume the role of a help-desk analyst who is responding to alerts from users who have received suspicious e-mails.
Ethical Considerations in the Use of Information Security Tools

Using some of the “tools of the trade” in information security might lead students (and their instructors) to use software and techniques that are designed to break the rules and allow bad acts to occur. Because each academic community sets certain standards, you need to be aware of how they might apply in your specific circumstances. Conformance to standards and ethical behavior are required to ensure the unhindered pursuit of knowledge and the free exchange of ideas.

Academic integrity means that you respect the right of other individuals to express their views and opinions, and that you, as a student or faculty member, do not engage in plagiarism, cheating, illegal access, misuse or destruction of college property, or the falsification of college records or academic work.

As a member of the academic community, and as a future InfoSec or IT professional, you are expected to adhere to standards of ethical behavior. You are expected to read and follow your institution’s code of conduct, which usually is found in your student handbook. You need to be aware that if you violate these standards, you will be subject to penalties outlined in your institution’s student conduct and academic integrity procedures. These penalties likely range from grade penalties to permanent expulsion.

Your instructor may require you to read the white hat agreement and code of ethics that follow. Your instructor might also ask you to sign a form acknowledging that you agree to abide by these ethical standards while you are a student. Your agreement would indicate that you understand the ethical behavior expected of you as part of an academic community, and that you understand the consequences of violating those standards. For those of you in InfoSec or cybersecurity programs, the standard is even higher, given that you will be a guardian of an organization’s data in the future.
Are You a White Hat?

As part of this course, you may be exposed to systems, tools, and techniques related to information security. With proper use, these components allow a security administrator or technician to better understand vulnerabilities and the security precautions used to defend an organization’s information assets. Misuse of these components, either intentionally or accidentally, can result in breaches of security, damage to data, or other undesirable results. Because the labs in this book will sometimes be carried out in a public network that is used by people for real work, you must agree to the following before you can participate. If you are unwilling to sign this agreement, your instructor may not allow you to participate in the projects.
The White Hat Agreement

If you have questions about any of the following guidelines, please contact your instructor. This document may be changed from time to time by your instructor, who will notify you of such changes and may ask you to reaffirm your understanding and agreement.

1. Just because you can do something doesn’t mean you should.
2. As you engage in projects, you will be granted access to tools and training that have the potential to do harm even when they are used to determine or investigate the security of an information system. Use these tools with care and consideration of their impact, and only in the ways specified by your instructor.
3. If any question arises in your mind about whether you can or should perform an activity or use a tool in a particular way, stop and ask your instructor for clarification. In information security, it is most definitely NOT easier to ask for forgiveness than for permission.
4. You are only allowed to use the tools and exercises if you are currently registered for a grade in the course. An instructor always has the right to ask students for appropriate identification if necessary.
5. Any instance of suspected misconduct, any illegal or unauthorized use of tools or exercises, or any action construed as being outside the guidelines of the course syllabus and instruction will be investigated by the instructor and may result in severe academic and/or legal penalties. Being a student does not exempt you from consequences if you commit a crime.
6. All students are expected to follow the (ISC)2 code of ethics, which is available at www.isc2.org/ethics and included later in this document.
7. By acknowledging this agreement, you confirm that you will:
• Only perform the actions specified by the course instructor for using security tools on assigned systems.
• Report any findings to the course instructor or in specified reporting formats without disclosing them to anyone else.
• Maintain the confidentiality of any private information learned through course exercises.
• Manage assigned course accounts and resources with the understanding that their contents may be viewed by others.
• Hold harmless the course instructor and your academic institution for any consequences or actions if you use course content outside the physical or virtual confines of the specified laboratory or classroom.
• Abide by the computing policies of your academic institution and by all laws governing the use of computer resources on campus.
8. By acknowledging this agreement, you confirm that you will not:
• Attempt to gain access to a system, attempt to increase privileges on any system, or access any data without proper authorization.
• Disclose any information that you discover as a direct or indirect result of this course exercise.
• Take actions that will modify or deny access to any system, data, or service except those to which administrative control has been delegated to you.
• Attempt to perform any actions or use utilities presented in the laboratory outside the confines and structure of the projects or classroom.
• Use any security vulnerabilities beyond the target accounts in the course or beyond the duration of the course exercise.
• Pursue any legal action against the course instructor or the university for any consequences or actions if you use what you learn in the course outside the physical or virtual confines of the laboratory or classroom.
9. You will abide by the following code of ethics: Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
(ISC)2 Code of Ethics

Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Promote and preserve public trust and confidence in information and systems.
• Promote the understanding and acceptance of prudent information security measures.
• Preserve and strengthen the integrity of the public infrastructure.
• Discourage unsafe practice.

Act honorably, honestly, justly, responsibly, and legally.
• Tell the truth; make all stakeholders aware of your actions on a timely basis.
• Observe all contracts and agreements, express or implied.
• Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
• Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
• When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.

Provide diligent and competent service.
• Preserve the value of systems, applications, and information.
• Respect the trust and privileges granted to you.
• Avoid conflicts of interest or the appearance thereof.
• Render only those services for which you are fully competent and qualified.

Advance and protect the profession.
• Sponsor for professional advancement those best qualified. All other things being equal, prefer those who are certified and who adhere to these canons.
• Avoid professional association with those whose practices or reputation might diminish the profession.
• Take care not to injure the reputation of other professionals through malice or indifference.
• Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others.
The ISC2 code of ethics is available from www.isc2.org/ethics.
Self-Reflection and Response

In the space below, write a brief statement indicating your intention to abide by the ethics codes spelled out in this lab.
Instructor’s Response
Detecting and Responding to Phishing Attacks

The following questions indicate some of the telltale signs of phishing attacks. In general, you should ask yourself these questions for each e-mail you receive:
• Does the message ask for sensitive information, such as account numbers, passwords, or even your birthday?
• Does the message use your correct name and refer to other details accurately?
• Does the address look authentic?
• Are there misspelled words and improper grammar?
• Does the message force you to a web site?
• Does the message have an attachment you are not expecting?
• Do links in the message fail to match the visible URL?
• Does the message request that you send money?
Each of these questions is explained with examples in the following sections.
Legitimate Messages Don’t Request Sensitive Information

If you receive an unsolicited e-mail that appears to be from an official institution and the message includes a functional link or attachment, it’s a scam. Most companies do not send e-mail asking for passwords, credit card information, credit scores, or tax numbers, nor do they send log-in links. If a company needs information, you will usually be asked to visit its web site or mobile app, but you should not need a special e-mail link—after all, you do business with the company already.
Figure L01-1 Global Pay Phishing E-Mail

In Figure L01-1, notice the unsolicited web link attachment. Also, look at the generic salutation at the beginning (“Dear customer”). Such greetings are discussed next.
Legitimate Messages Usually Call You by Your Name

Phishing e-mails typically use generic salutations such as “Dear valued member,” “Dear account holder,” or “Dear customer.” If a company you deal with actually required information about your account, the e-mail would refer to you by name and would probably direct you to contact the company via phone, a phone app, or the official company web site. However, some hackers simply avoid a salutation altogether. This is especially common with advertisements. In the phishing e-mail shown in Figure L01-2, everything is nearly perfect. So, how would you spot it as suspicious?
Figure L01-2 Hotels.com Phishing E-Mail

The example in Figure L01-2 is very convincing, but the fact that the message has the recipient’s name spelled correctly does not make it legitimate. The clue that the message is not legitimate is the e-mail domain, as you will learn next.
Legitimate Messages Come from Authentic Domains

Don’t just check the name of the person who sent you the e-mail. Check the e-mail address by hovering your mouse over the contents of the From line. Make sure there have been no alterations, such as additional numbers or letters. For example, be suspicious if the e-mail address appears to be michelle@paypal.com but is michelle@paypal23.com when you hover the mouse over the From line. This isn’t a foolproof method of demonstrating fraud, however. Some companies make use of varied domains to send e-mails, and some smaller companies use third-party e-mail providers.
Figure L01-3 Costco Phishing E-Mail

In the example shown in Figure L01-3, the Costco logo is just a bit off. To see the actual logo, you can go to https://costco.com. Do you see the difference? Also, note that the “From” field shows a different business: “cbcbuilding.com” rather than “costco.com.” Also, note that most companies use https:// in their URLs. If the “s” is missing, dig a little deeper.
Legitimate Messages Come from People Who Know How to Spell and Write

Possibly the easiest way to recognize a suspicious e-mail is through its use of bad grammar and misspelled words. An e-mail from a legitimate organization is usually well written. Look at this example:
Figure L01-4 Best Buy Phishing E-Mail

In addition to the generic salutation in Figure L01-4, the grammar gaffes and extra spaces are a good clue that something is wrong—for example, note the sentence that begins “Please fill this form.” Also, notice the “17” that appears in the middle of the next sentence for no reason.
Legitimate Messages Don’t Force You to a Web Site

Phishing e-mails are sometimes coded so that the entire message is a graphic image tagged as a hyperlink. Clicking anywhere in the e-mail will open a fake Web page or download malware, ransomware, or spam to your computer. For this reason, you must be careful and deliberate when performing analysis on suspect e-mails. If you click or activate the attachment, it can infect your system. You will need tools to render the attachment or headers harmless without activating the trap. Right-clicking your mouse and using basic tools can be very helpful.
Figure L01-5 USPS Phishing E-Mail

The entire e-mail shown in Figure L01-5 was sent as an image tagged as a single hyperlink. If a recipient clicked anywhere in the e-mail, a malicious attack would be initiated. You can guard against this by hovering your mouse cursor over the message to see if a link address preview appears. You can also see the spelling and grammar errors in the body of the “Notification.”
Legitimate Messages Don’t Include Unsolicited Attachments

Unsolicited e-mails that contain any type of attachment should make you suspicious. Typically, authentic institutions do not randomly send you e-mail with attachments, but instead direct you to download documents or files from their secured web site. Like many of the other tips in this lab, this method isn’t foolproof. Companies that already have your e-mail address sometimes send you information, such as a white paper, that may require a download. In that case, be on the lookout for high-risk attachment file types, such as .exe, .scr, and .zip. Even .pdf and .docx files are suspicious. If you think the e-mail might be legitimate but you have doubts, contact the sender directly using information obtained from a source other than the e-mail.
Figure L01-6 ePayment Phishing E-Mail

Before you wonder what’s in the .zip file attached in Figure L01-6, remember that curiosity killed the cat.
Legitimate Messages Have Links that Match Legitimate URLs

If an e-mail appears to be suspicious, take precautions with any web links in the message. Make a habit of always double-checking URLs. If the link in the text isn't identical to the URL displayed when you hover the mouse cursor over the link, that's a sure sign you will be taken to a site you don’t want to visit. If a hyperlink’s URL doesn’t seem correct or doesn’t match the context of the e-mail, don’t trust it. Instead, use your web browser to find the company’s authentic web site. To help ensure security, hover your mouse over an embedded link (without clicking!), confirm that it begins with https://, and consider whether the rest of the link looks like what you might expect.
Figure L01-7 Nokia Phishing E-Mail

Although the preceding message looks convincing, Nokia wouldn't actually send a "Save your stuff" e-mail from info@news.nokia.com. A mouse flyover of the link would show a domain you should not trust.
Legitimate Messages Don’t Create an Artificial Sense of Urgency

Scammers know that most of us procrastinate and then have to get things done in a hurry, so many phishing attempts request that we act now before it’s too late. Scammers also understand that crises in the workplace are common and must be handled quickly. Unfortunately, hurrying creates a greater chance of making mistakes and bad choices. When you take time to think about something, you are much more likely to notice things that don’t seem quite right. For instance, when you receive an unexpected e-mail from a major company, maybe you’ll think twice and realize that the organization has never contacted you via e-mail. Maybe you’ll receive what appears to be a frantic e-mail from a co-worker and realize that he simply would have called you in case of an actual emergency.
A common workplace scam is to pretend that a problem has arisen with a commonly used service or account, such as an account the organization holds with a bank or credit card company. Any actual problems with such accounts would cause an immediate inconvenience. Criminals know we’re likely to drop everything if our boss e-mails us with a vital request, especially when other senior colleagues are supposedly waiting for us to act. A typical example looks like Figure L01-8.
Figure L01-8 Mobile Phishing E-Mail
Legitimate Messages Display Reliable Names

A favorite phishing tactic among cybercriminals is to spoof the display name of an e-mail, just like robocalling telemarketers can spoof your phone’s caller ID. For example, if a fraudster wanted to impersonate your bank, the top of the e-mail message might look like Figure L01-9. Check out the domain name (in the example, accounts@secure.com) to see if it matches the display name (My Bank).
Figure L01-9 Secure.com Phishing E-Mail
Legitimate Messages Don’t Solicit Money

Many successful phishing attacks create a false sense of urgency or appeal to a person’s greed. One type of scam that attempts to exploit greed is the advance fee fraud, which uses confidence tricks and is much older than e-mail. This approach typically involves promising the victim a significant share of a valuable prize, a desired business objective, or a sum of money in return for a small, up-front payment. This payment is needed to obtain the larger sum—hence the name “advance fee fraud.”

One of the best-known frauds is the Nigerian 4-1-9 scam, which has been around for a long time. Originally conducted via phone, fax, and traditional mail, this scam invites victims to send a small amount of money with the promise of receiving a much larger sum in return. The development of e-mail has made it much easier for scammers to reach new victims. The best-known source of these e-mail scams is Nigeria, although they can originate from anywhere. In Nigeria, the e-mails have become a significant source of income for some, although section 4-1-9 of the Nigerian legal code prohibits them (hence the name).

A typical Nigerian 4-1-9 scam begins with a potential victim opening a letter or e-mail that’s purportedly from a famous person or an exiled politician. The person may claim to be from a place that’s currently in the news, possibly because of a recent civil disturbance. The message explains that, due to political instability or the death of a relative, a significant amount of money is trapped in some form of escrow account. The message goes on to explain that if the reader could send just a small amount of cash, it will pay the fee needed to access the account. In return for their trust and generosity, the reader is promised a large percentage of the money that’s locked away. If the reader does decide to send money, more requests will follow.
According to subsequent e-mails sent by the scammer, unexpected costs are often discovered, such as increased taxes or bribes to officials. The scammers will continue to ask for money as long as the victim sends it. Needless to say, victims will never receive a payout, regardless of how much money they send. A variant of the 4-1-9 attack involves vendors that supposedly sell products or rent accommodations online. A fraudster first identifies a company from a foreign country that offers to buy a product, rent a property, or contract a service. The fraudster then sends the victim a fake check or international money order for a much greater amount than the item or activity is worth, along with an explanation for why they cannot pay a smaller amount. The fraudster asks the victim to deposit the money in a personal bank account and then transfer the overage back to the fraudster. Later, of course, the victim discovers the swindle and that the original “payment” was fake.
These types of scams have some common traits:
• The message (usually an e-mail) is unexpected.
• You don’t know the sender.
• There is a long, sad story about why the sender needs your help to access money.
• You are asked to help by transferring funds.
• A large payment is offered in exchange for assistance.
The examples of advance fee fraud are many and varied; they include investment proposals, lottery winnings, and online dating scams. The example shown in Figure L01-10 is fairly typical.
Figure L01-10 UAE World Expo Phishing E-Mail
How You Should Respond to Phishing E-Mails

The easiest response to suspected phishing e-mails is to delete them. Most larger organizations have automated filters in place to catch phishing attempts. Most companies also offer staff assistance to deal with such e-mail, and offer an account like abuse@yourcompany.com where you can send suspicious messages. Many organizations have a web resource that explains examples of current phishing messages that are making the rounds; this resource helps users stay abreast of emerging threats in social engineering. At Kennesaw State University in Georgia, the resource is called the phishmarket. You can see it at https://uits.kennesaw.edu/ocs/phish-market/index.php.

When dealing with suspicious e-mail, the best advice is to be skeptical. Phishers are good at what they do. Many malicious e-mails include convincing brand logos, persuasive language, and a seemingly valid e-mail address. However, if an e-mail message looks even remotely suspicious, do not open it. If the message seems too important to ignore and you cannot easily toss it away, try to follow up using resources you can find that are NOT in the e-mail. Go to the sender’s web site or call the colleague who allegedly sent you the attachment or urgent request. If the original message was valid and urgent, the sender will appreciate your follow-up.

You should report fraudulent e-mail and other types of social engineering attacks. If you work for a company, contact the help desk or the information security team. For suspicious e-mails sent to your personal account, your e-mail provider or ISP may be able to help you. After evaluation, the company’s technical support team should follow up to ensure that the e-mail was deleted, and no losses occurred. If you fall victim to a phishing attack, get help as soon as possible because lost time can factor into the ability to recover losses.
If the attack involved a bank or a credit card company, or if you have an identity protection service (like LifeLock), get them involved as soon as you can. When dealing with phishing attacks, it does not matter if your organization has the most secure security system in the world. It takes only one untrained employee to be fooled and give away data your organization has worked hard to protect. Make sure that you and your co-workers understand the examples illustrated in this lab so you can detect the telltale signs of a phishing attempt.
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible Web site, in whole or in part.
Test Your Knowledge

Now let’s test your knowledge. Imagine that you are a help-desk analyst reading your organization’s abuse e-mail account as co-workers send in suspicious messages. Look at each of the following messages and then determine whether you think they are legitimate or suspicious. Print out the answer page at the end of the lab for recording your answers. For each suspicious message, explain why you think it fails the “smell test.” Here is a handy list you can use when evaluating each of the following example e-mails:

• The message asks for sensitive information.
• The message does not contain your correct name; other details are incorrect as well.
• The address does not look authentic.
• There are misspelled words and improper grammar.
• The message forces you to a web page.
• The message has an attachment that is not expected.
• Links in the message seem suspicious.
• The message requests that you send money.
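An abuse-mailbox analyst can run most of this checklist mechanically before looking at the message by hand. The script below is an added example, not part of the lab or the textbook: it applies seven of the eight items (spelling and grammar are left to the analyst) to two constructed messages. The recipient’s first name, the keyword lists, and both sample e-mails are assumptions made for the demonstration, and the domain reduction is a toy (a real tool would use the public-suffix list).

```python
"""Triage a reported e-mail against the lab's checklist (constructed samples only)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

RECIPIENT_FIRST_NAME = "Alex"   # assumption: the analyst knows who forwarded the message

SENSITIVE = re.compile(r"\b(password|passcode|social security|ssn|account number|pin)\b", re.I)
MONEY = re.compile(r"\b(wire transfer|gift cards?|send (?:us )?\$\d|payment of \$\d)", re.I)
URGENCY = re.compile(r"\b(within \d+ hours?|immediately|suspended|urgent)\b", re.I)
GENERIC_GREETING = re.compile(r"\b(dear|hello|hi)\s+(customer|user|member|friend|sir|madam)\b", re.I)
HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs so the shown text can be compared with the real target."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host: str) -> str:
    """Toy reduction to the last two DNS labels (a real tool would use the public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def link_is_suspicious(shown_text: str, href: str) -> bool:
    host = urlparse(href).hostname or ""
    if IP_LITERAL.match(host):
        return True                       # a bare IP address is never a brand's login page
    shown = HOSTLIKE.search(shown_text)   # link text that names one site while href goes elsewhere
    return bool(shown) and registrable(shown.group(1)) != registrable(host)


def domain_of(msg, header: str) -> str:
    value = msg[header]
    return value.addresses[0].domain if value and value.addresses else ""


def triage(raw: str) -> list[str]:
    """Return the checklist items the message fails, in checklist order."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    html = body_part.get_content() if body_part else ""
    links = LinkExtractor()
    links.feed(html)
    text = (msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)
    sender, reply_to = domain_of(msg, "From"), domain_of(msg, "Reply-To")

    flags = []
    if SENSITIVE.search(text):
        flags.append("asks for sensitive information")
    if GENERIC_GREETING.search(text) or RECIPIENT_FIRST_NAME not in text:
        flags.append("does not address you by name")
    if not sender or (reply_to and registrable(reply_to) != registrable(sender)):
        flags.append("sender address does not look authentic")
    if links.links and URGENCY.search(text):
        flags.append("forces you to a web page")
    if any(link_is_suspicious(t, h) for t, h in links.links):
        flags.append("links seem suspicious")
    if MONEY.search(text):
        flags.append("requests that you send money")
    names = [a.get_filename() or "(unnamed)" for a in msg.iter_attachments()]
    if names:
        flags.append("has an unexpected attachment: " + ", ".join(names))
    return flags


# Constructed sample messages (reserved example domains and a documentation-range IP).
PHISH = """\
From: "Account Security" <alerts@secure-login-verify.example.net>
Reply-To: helpdesk@mail-recovery.example.org
To: alex.rivera@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Your account will be suspended. Confirm your password within 24 hours at
<a href="http://198.51.100.7/login">https://bank.example.com/login</a>.</p>
"""

LEGIT = """\
From: "Example Payroll" <payroll@example.com>
To: alex.rivera@example.com
Subject: Your March pay statement is available
Content-Type: text/plain; charset="utf-8"

Hi Alex,

Your pay statement for March is in the payroll portal you already use.
No action is required.
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(sample) or ["no checklist items failed"])
```

Run as a script it prints the failed items for each sample; the constructed phishing message trips five of them (sensitive data, generic greeting, mismatched Reply-To, urgency plus a link, and a link whose text names a bank while its href is a raw IP), while the payroll notice trips none. A message with no flags is not proof of legitimacy, which is why the lab still tells you to follow up through a channel that is not in the e-mail.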
Example 1
Example 2
Example 3
Example 4
Example 5
Example 6
Example 7
Example 8
Example 9
Example 10
Phishing Email Responses

Email       | Trustworthy (T) or Suspicious (S) | Reason
Example 1   |                                   |
Example 2   |                                   |
Example 3   |                                   |
Example 4   |                                   |
Example 5   |                                   |
Example 6   |                                   |
Example 7   |                                   |
Example 8   |                                   |
Example 9   |                                   |
Example 10  |                                   |

Instructor’s Response:
Hands-On Lab: Web Browser Security To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Web Browser Security
Table of Contents
Introduction ..... 2
Objective ..... 2
Estimated Completion Time ..... 2
Materials Required ..... 2
Minimum System Configuration ..... 2
Web Browser Security for Google Chrome ..... 2
Autofill ..... 3
Safety Check ..... 7
Privacy and Security ..... 9
Incognito Browsing ..... 13
Web Browser Security for Mozilla Firefox ..... 14
Protections Dashboard ..... 15
Privacy and Security ..... 17
Private Window Browsing ..... 22
Web Browser Security for Microsoft Edge ..... 23
Profiles ..... 25
Privacy, Search and Services ..... 27
Family Safety ..... 30
InPrivate Window Browsing ..... 31
Web Browser Security for Apple Safari ..... 32
Self-Reflection and Response ..... 34
Instructor’s Response ..... 34
Introduction

This module describes how to configure the security and privacy features of several popular web browsers to minimize the probability of unwanted disclosures or exploits. Modern web browsers are among the most used tools for accessing remote information. Organizations develop complex web sites to share information with their customers and suppliers, and internal sites to share information with employees. While examining all the features of every available web browser is beyond the scope of this lab exercise, we will look at some of the more common security features and settings of the more common browsers.

Note: if you are performing these labs on organizational equipment, like computers in a university lab or at a business, some of these options may not be available. All may be performed on your personal computer or laptop.
Objective
Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.

Estimated Completion Time
If you are prepared, you should be able to complete:
• The Web Browser Security and Privacy labs in 1 to 1.5 hours.
Materials Required Access to the named web browsers.
Minimum System Configuration Completion of this lab requires that the user have the appropriate rights and privileges to modify software on the local system.
Web Browser Security for Google Chrome

The first web browser discussed is Google Chrome (https://www.google.com/chrome/), shown in Figure L02-1.
Figure L02-1 Google Chrome Website

1. Download the Google Chrome browser by going to https://google.com/chrome above and clicking the Download Chrome button. Follow the on-screen prompts until the software has installed.
2. Access the Google Chrome settings by clicking the Customize and Control Google Chrome button (which looks like a vertical ellipsis) beneath the close window button in the upper right corner, or type chrome://settings/ in the URL field. On this screen are several settings important to security, including Autofill, Passwords, Payment Methods, Safety Check and Privacy & Security.
Autofill

The first set of options to investigate is in the Autofill section, as shown in Figure L02-2. Here the user can configure the browser’s ability to remember Passwords, Payment Methods, and Addresses for the user.
Figure L02-2 Google Chrome Settings

3. Click the Passwords menu option shown in Figure L02-2. You should see the options shown in Figure L02-3. If you are sharing a computer with anyone else, even a family member, you should disable both the Offer to save passwords and Auto Sign-in options by clicking the slider to the right of each option so that it moves to the left. Similarly, if you are using a computer owned by an organization rather than by you, you should disable these options. On your personal systems, you can log into Google Chrome and it will sync your settings across multiple computers. This is fine if you remember to log out of Google Chrome before logging out of the computer system. Use caution with this feature, as someone else using the computer could have access to your credentials.
Figure L02-3 Google Chrome Passwords Settings

4. If you have been using Google Chrome for some time and storing system credentials in the browser, you may want to periodically check your credentials (usernames and passwords). Hackers work to compromise systems and steal credentials. They then sell or share this information on “the dark web”. Google scans the dark web and allows you to see if one of your system credentials has been found there. Click the Check passwords button to review your credentials.
5. As shown in Figure L02-4, Google Chrome will let you know when there is a problem with your stored credentials, including those with passwords that Chrome views as “weak”. You will have the option to change any password Chrome has flagged for your review by clicking the Change password button beside the account credentials shown. If there were any compromised passwords, they would be listed above the Weak passwords section.
Figure L02-4 Google Chrome Check Passwords Results

6. Return to the Settings menu by selecting the left arrow next to the Settings menu title, or the back arrow next to the URL field.
7. Select Payment methods in the Autofill section. As shown in Figure L02-5, Google Chrome can remember your commonly used payment methods. You should use extreme caution when allowing Chrome to do this, as it would allow anyone else using the system to use your payment methods. Chrome does require you to validate the use of a payment card by entering the security code on the reverse; however, if someone saw you using a card, they may have remembered that information and thus could shop with your credit.
Figure L02-5 Google Chrome Payment Methods Settings
8. For systems you share with others, or which belong to an organization, it is recommended that you disable the Save and fill payment methods and Allow sites to check if you have payment methods saved options by sliding the button to the right of each option to the left. Any payment methods saved will be listed at the bottom of this menu and can be accessed there.
9. Return to the Settings menu by selecting the left arrow next to the Settings menu title, or the back arrow next to the URL field.
10. Click on the Addresses and more option under Autofill. As shown in Figure L02-6, here you can allow Google Chrome to remember key addresses, much the same as passwords and payment methods. Again, disable this option on shared systems, or systems owned by an organization.
Figure L02-6 Google Chrome Addresses and more Settings

11. Return to the Settings menu by selecting the left arrow next to the Settings menu title, or the back arrow next to the URL field.
Safety Check

The next area to examine is the Safety Check menu, shown in Figure L02-7. Just like the Password check in the previous section, this function will determine if there are any issues with your Google Chrome installation.
Figure L02-7 Google Chrome Safety Check

12. Click on the Check now button to run the Safety check. Figure L02-8 shows a sample results screen.
Figure L02-8 Google Chrome Safety Check Results

13. Review and resolve any issues identified by clicking the corresponding button to the right of the menu option. If you did not resolve all issues with Google Chrome managed passwords, you will have the option to fix those here as well, by clicking the Review button.
14. If your system is not currently using Safe Browsing, select the Manage button and select the options that best suit your preferences. At a minimum you should select Standard protection under Safe Browsing. Enhanced protection is the best option; however, it does send browsing data to Google, as illustrated in Figure L02-9.
15. There are additional options under Advanced you may specify. If available, select Use secure DNS. There are also options to manage your certificates and implement the Google Advanced Protection Program here. The GAPP program allows you to implement multi-factor authentication for your Google browser, requiring the use of specific software on your phone or a hardware token to authenticate your Google login. Visit https://landing.google.com/advancedprotection/ if you want to learn more about the GAPP program.
16. Also available under Safety check is Extensions management. Extensions are add-ons for Google Chrome that provide additional functionality. Some, however, may introduce new vulnerabilities. If you have any issues with extensions in your version of Chrome, the option to resolve those will appear here (see Figure L02-8 above).
17. Return to the Settings page by using the back option again.
Figure L02-9 Google Chrome Safe Browsing Settings
Privacy and Security

Back at the Settings screen, the next section is Privacy and Security. As shown in Figure L02-10, here you can clear your browsing data and cookies and adjust other security features.
Figure L02-10 Google Chrome Privacy and Security Settings
18. Click on Clear browsing data. Here you can specify whether you want to clear your browsing history, cookies, and cached images and files from your browser. Periodically you may experience issues using a piece of software that caches files on your system. Clearing your browsing data by checking the options shown in Figure L02-11 and clicking the Clear data button will give you a fresh start and force your browser to download all new web content. If you are not logged in to Google, this action will only clear the cached information on the local machine. If you are logged in, it will clear this information for all systems you are logged into, as the data is stored and synced by Chrome.
19. You can specify how much data to clear by using the pull-down box next to Time range. Use this option to select All time, if not already selected, and click Clear data.
Figure L02-11 Google Chrome Clear Browsing Data Settings

20. Click the Cookies and other site data option. As shown in Figure L02-12, here you can specify which cookies may be stored on your system. While you can block all cookies, you would quickly find issues trying to access some web sites. At a minimum, it is recommended you select the option Block third-party cookies in Incognito, as shown in the figure, although you may decide to select Block third-party cookies to provide more privacy. To change your options, simply click on the radio button (circle) to the left of the desired option.
Figure L02-12 Google Chrome Cookies and Other Site Data Settings

21. Further down this screen you can view all cookies currently stored on your system by selecting the See all cookies and site data option. This allows you to selectively delete the cookies from one vendor by clicking on the trash can icon shown in Figure L02-13.
Figure L02-13 Google Chrome View Cookies

22. You can also add specific sites to whitelist (allow) or blacklist (deny) their use of cookies, which is useful if you chose to allow all or block all in the previous step. You can also specify certain sites whose cookies are always cleared (and no others).
23. Return to the settings page using the back arrows.
24. The Security menu option takes you back to the Safe Browsing options.
25. Click the Site Settings menu option. As shown in Figure L02-14, here you can specify the permissions associated with the use of your system for specific sites. This is commonly used to allow or deny the use of location information (for pizza delivery!), your camera, and your microphone (for web conferencing). It also allows you to specify permissions for notifications (popup reminders). Review the options available and adjust to your preferences.
Figure L02-14 Google Chrome Permissions Settings

26. The Additional content settings menu allows you to specify things like the preferred software to play sounds and open images and PDFs. It also allows you to blacklist certain sites with misleading or offensive ads.
Incognito Browsing

27. While there are other settings and options in Google Chrome, these are the dominant settings related to privacy and security. There is one other feature of interest, especially if you’re using a shared computer. Incognito browsing involves the use of a special instance of the browser to prevent the retention of history and cookies (if selected). The easiest way to start an incognito browser session is to right-click on the Chrome icon or menu option and select New incognito window. Do so now.
28. As shown in Figure L02-15, this gives you an increased level of privacy over the standard browser. Keep in mind that this simply protects you from retained data on the local system; it does not screen you from systems that monitor network use, such as the organization’s or university’s IT department, or the internet service provider.
Figure L02-15 Google Chrome Incognito Browsing
Web Browser Security for Mozilla Firefox

Mozilla’s Firefox browser has many of the same features as other browsers. Firefox can be downloaded from https://www.mozilla.org/en-US/ by selecting the Firefox browsers option in the top menu, as shown in Figure L02-16.
Figure L02-16 Mozilla Firefox
1. If you do not have Mozilla Firefox installed, go to the URL listed above and follow the instructions to download and install. Then start Firefox.
2. To access the security and privacy options in Firefox, first click on the menu button (three parallel lines in upper left corner under the Close button).
Protections Dashboard

3. The first security option we’ll look at is the Protections Dashboard. To access it, click the shield icon in the address bar when visiting a web page, or enter the text "about:protections" into the address bar. As shown in Figure L02-17, the first security feature is Enhanced Tracking Protection. This is always on, so it’s just a report of how Firefox is working to protect you from online tracking software. Also on this menu is the offer to sign up for Breach alerts with Firefox Monitor. This is currently free but requires a Firefox account (also free). Like Google Chrome, signing into your Firefox browser allows you to sync your settings across multiple systems. Firefox Monitor (shown in Figure L02-18) will alert you if it finds your credentials (based on your e-mail address) in a compromised system.
Figure L02-17 Mozilla Firefox Protections Dashboard
Figure L02-18 Mozilla Firefox Monitor

4. At the bottom of this screen is the Password Management feature, shown in Figure L02-19, which allows you to manage stored passwords in Firefox. Click the Manage Passwords button.
Figure L02-19 Mozilla Firefox Password Management
5. This opens the Firefox Lockwise feature, used to manage your passwords on various web sites, as shown in Figure L02-20. Here you can edit and remove any stored passwords for your Firefox account, if logged in, or on the local system only, if not. Lockwise can also be directly accessed through the menu by selecting Logins and Passwords.
Figure L02-20 Mozilla Firefox Lockwise
Privacy and Security

6. Open the menu and select Options. Here you can specify general Firefox settings. In the left menu, select Privacy & Security. As shown in Figure L02-21, here you can specify the level of tracking allowed. At a minimum, you should ensure your system is set to Standard. While there is no lower setting available, someone may have created a custom configuration which allows fewer security features and protections. If you desire, you can set your system(s) to Strict, providing increased protection.
Figure L02-21 Mozilla Firefox Browser Privacy Settings

7. Further down this page, you have the options to clear and manage Cookies, Logins and Passwords, Forms and Autofills, History, and the Address Bar as shown in Figure L02-22.
Figure L02-22 Mozilla Firefox Cookies and Site Data Settings
8. Click Clear Data under Cookies and Site Data. When prompted, select both Cookies and Site Data and Cached Web Content, and click the Clear button.
9. Next, click Clear History under History. Select Everything in the Time range to clear pull-down menu, and check all boxes under History and Data. Then click OK.
10. While most of these are self-explanatory, one feature deserves additional attention. The Primary Password is a feature that allows additional protection for systems used by multiple users, allowing the secure use of saved credentials. If this feature is enabled by checking the box to the left of the option, each new browser session will prompt you for a “Primary Password” before the saved password functions can be used. This will prevent someone from using a shared system and then taking advantage of saved credentials. The Primary Password is typically your Firefox account password. You are also prompted for this password if you try to add, remove, or edit stored passwords.
11. Review each of these options and enter the settings that you desire.
12. Further down on this screen are the Permissions settings for specific applications, as shown in Figure L02-23. Here you can specify which applications can use which features, such as your location, the web camera, and the microphone.
Figure L02-23 Mozilla Firefox Permissions Settings

13. Also located in the Options menu is the Firefox Data Collection and Use section, shown in Figure L02-24, which provides specific criteria you can select to control what data, if any, you allow Mozilla to collect and use.
Figure L02-24 Mozilla Firefox Data Collection and Use Settings

14. The last set of options in this menu are the Security features not covered elsewhere. Here you can Block dangerous and deceptive content, review your certificates, and specify the use of the HTTPS (HTTP Secure) protocol. Ensure the minimum levels of security by reviewing your settings and making sure they are at least as secure as the ones shown in Figure L02-25.
Figure L02-25 Mozilla Firefox Security Settings
Private Window Browsing

15. Users can create private browsing windows by right-clicking the Mozilla Firefox icon and selecting New Private Window. This window, shown in Figure L02-26, allows the user to avoid saving passwords, cookies, and browsing history while in a private window. It allows the user to access any stored materials from normal browsing but will not save any new materials. Again, private windows do not block your information from an organization’s IT department or the Internet Service Provider.
Figure L02-26 Mozilla Firefox Private Window Browsing

While there are many other options you can configure for Mozilla Firefox, these are the primary security and privacy features.
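The Introduction notes that on organizational equipment some of these options may be unavailable; that is because administrators set them through managed policy instead of the Settings screens. The script below is an added example, not part of the lab or of either browser project: it expresses the shared-system recommendations from the Chrome section (steps 3, 8, 10, 14, 15, 18, 20) and the Firefox section (steps 6, 8 to 10, 12, 14) as a policy baseline, audits an existing policy set against it, and writes the two files. The policy names are the ones Google and Mozilla document; which lab step maps to which policy, the Linux file locations used (Windows machines use Group Policy or the registry instead), and the sample "lax" policy are this example's own assumptions.

```python
"""Managed-policy baseline for the shared-system settings recommended in the lab (added example)."""
import json
from pathlib import Path

# Chrome managed policy (documented policy names; the step mapping is this example's assumption).
CHROME_BASELINE = {
    "PasswordManagerEnabled": False,      # step 3: no "Offer to save passwords" on shared systems
    "AutofillCreditCardEnabled": False,   # step 8: "Save and fill payment methods" off
    "PaymentMethodQueryEnabled": False,   # step 8: sites may not query saved payment methods
    "AutofillAddressEnabled": False,      # step 10: "Addresses and more" off
    "SafeBrowsingProtectionLevel": 1,     # step 14: 1 = Standard protection (2 = Enhanced)
    "DnsOverHttpsMode": "automatic",      # step 15: "Use secure DNS" where the resolver supports it
    "BlockThirdPartyCookies": True,       # step 20: "Block third-party cookies"
    "ClearBrowsingDataOnExitList": [      # step 18, made automatic at every exit
        "browsing_history", "cookies_and_other_site_data", "cached_images_and_files"],
}

# Firefox policies.json entries (documented policy names; same caveat on the step mapping).
FIREFOX_BASELINE = {
    "OfferToSaveLogins": False,
    "PrimaryPassword": True,              # step 10: saved logins unusable without the Primary Password
    "DisableFormHistory": True,
    "EnableTrackingProtection": {"Value": True, "Locked": True,      # step 6: Strict
                                 "Cryptomining": True, "Fingerprinting": True},
    "Cookies": {"AcceptThirdParty": "never"},
    "SanitizeOnShutdown": {"Cache": True, "Cookies": True, "History": True, "FormData": True},
    "DNSOverHTTPS": {"Enabled": True},
    "HttpsOnlyMode": "enabled",           # step 14: HTTPS-only mode
    "Permissions": {"Camera": {"BlockNewRequests": True},             # step 12
                    "Microphone": {"BlockNewRequests": True},
                    "Location": {"BlockNewRequests": True}},
}


def audit(actual: dict, baseline: dict) -> list[tuple[str, object, object]]:
    """(policy, expected, found) for every baseline entry that is missing or set differently."""
    return [(k, v, actual.get(k, "<unset>")) for k, v in baseline.items() if actual.get(k) != v]


def render_chrome() -> str:
    return json.dumps(CHROME_BASELINE, indent=2)


def render_firefox() -> str:
    return json.dumps({"policies": FIREFOX_BASELINE}, indent=2)   # policies.json wraps its entries


def load_policy(text: str) -> dict:
    """Parse a policy file's contents (Chrome's flat JSON or Firefox's 'policies' object)."""
    data = json.loads(text)
    return data.get("policies", data)


def write_policies(root: Path) -> tuple[Path, Path]:
    """Write both files under `root` at the browsers' Linux policy locations (assumed paths)."""
    chrome = root / "etc/opt/chrome/policies/managed/shared-system.json"
    firefox = root / "usr/lib/firefox/distribution/policies.json"   # install dir varies by distro
    for path, text in ((chrome, render_chrome()), (firefox, render_firefox())):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return chrome, firefox


# Constructed sample of what a lab machine's existing Chrome policy might look like.
LAX_CHROME = {"PasswordManagerEnabled": True, "SafeBrowsingProtectionLevel": 0,
              "BlockThirdPartyCookies": True}

if __name__ == "__main__":
    for name, want, got in audit(LAX_CHROME, CHROME_BASELINE):
        print(f"{name}: expected {want!r}, found {got!r}")
```

Running the script lists the seven deviations in the constructed lax policy (only the third-party cookie setting already matches). To audit a real machine, read the contents of its policy file and pass them through load_policy before calling audit; a Chrome user can also confirm what is in force by opening chrome://policy, and Firefox shows the same under about:policies.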
Web Browser Security for Microsoft Edge

Microsoft Edge is the newest browser from Microsoft, provided with its Windows operating systems. Edge replaces the venerable (and vulnerable) Microsoft Internet Explorer. Like other browsers, Edge can sync settings between systems if the user creates an account with Microsoft and logs in.

1. Microsoft Edge can be downloaded from https://www.microsoft.com/en-us/edge, as shown in Figure L02-27, although it most likely is already installed if you are using a Windows operating system like Windows 10.
Figure L02-27 Microsoft Edge
2. The first set of security and privacy features are accessed by selecting the menu (the ellipsis in the upper right corner, below the window's close button), then selecting Settings. As Figure L02-28 shows, option categories are listed on the left, with the configuration for the selected category on the right.
Figure L02-28 Microsoft Edge Settings
Profiles
3. Select Profiles (if not already selected). The Profiles section, shown in Figure L02-29, gives quick access to sync functions, password management, and retained payment preferences.
Figure L02-29 Microsoft Edge Your Profile Settings
4. Click Passwords. As shown in Figure L02-30, here you can specify whether to allow Edge to save passwords for you, sign you in automatically, and show a "reveal password" button so you can check that you typed a password correctly. If you are using a shared computer, ensure these options are turned off; a saved password is available to anyone who later uses the same Windows account.
Figure L02-30 Microsoft Edge Profiles/Passwords Settings
5. Click the back arrow next to Profiles / Passwords on the right side of the window to return to the Your profile page. Next, click the Payment info option. As shown in Figure L02-31, here you can allow the saving and use of payment information and manage saved payment information such as credit and debit cards or online payment accounts. If you have already added a payment card, you can edit its attributes. On shared systems, ensure this option is disabled by clicking the blue oval with a white dot in it, located to the right of the option. Once it is off, the oval turns white with a black dot on the left side.
Figure L02-31 Microsoft Edge Profiles/Payment Info Settings
Privacy, Search and Services
6. Click the Privacy, search, and services option on the left side of the Settings menu. As shown in Figure L02-32, here you can choose one of three Tracking prevention levels: Basic, Balanced, or Strict. At a minimum, select Balanced; Strict blocks more trackers but may break some sites. You can also review blocked trackers by clicking that option beneath the three boxes and specify exceptions for trackers. Review these options now.
Figure L02-32 Microsoft Edge Tracking Prevention Settings
7. Scroll down the Privacy, search, and services page on the right. The next section allows you to clear your browsing data and to specify what is cleared. Click the Choose what to clear button. Figure L02-33 shows the Clear browsing data area of the page, while Figure L02-34 shows the options available once you click Choose what to clear (there are two versions of this window, as the second shows the additional options visible when scrolling down).
Figure L02-33 Microsoft Edge Clear Browsing Data Selection
Figure L02-34 Microsoft Edge Clear Browsing Data Settings
8. Select All time in the Time range pull-down, check all of the option boxes, and click Clear now to completely clear Microsoft Edge's browsing data. You can also select Choose what to clear every time you close the browser to configure Edge to clear its cached data each time you close it; on a shared computer this is the setting that matters most, because it removes session cookies and saved form data before the next user sits down.
9. The next areas of interest are Privacy, Required diagnostic data, and Optional diagnostic data, located in the sections after Clear browsing data. The Privacy options allow you to specify whether sites may check if you have payment methods stored in Edge, as shown in Figure L02-35. Shared systems should enable Send "Do Not Track" requests and disable the payment methods option. Note that Do Not Track is only a request header; web sites are free to ignore it, so it is no substitute for tracking prevention.
Figure L02-35 Microsoft Edge Privacy and Diagnostic Data Settings
10. To see what data Edge is collecting and reporting to Microsoft, click the Windows diagnostic data setting hyperlink shown at the bottom of Figure L02-35. If this is the first time you are doing this, you will have to allow the action in the pop-up window that follows. You will find yourself at the Windows Diagnostics & feedback setting. Review these options carefully to ensure you are comfortable with their current settings, and make changes as needed. You can also select Delete under Delete diagnostic data to purge data already collected and sent to Microsoft; according to Microsoft, this also deletes the data from their systems.
11. Figure L02-36 shows the Security menu options, including the ability to manage certificates.
Figure L02-36 Microsoft Edge Security Settings
12. The Security page also includes Microsoft Defender SmartScreen, a reputation-based filter that checks visited URLs and downloaded files against Microsoft's service and blocks known malicious content and web sites. It complements, but is separate from, the Microsoft Defender antimalware engine. Its sometimes-annoying pop-up, shown in Figure L02-37, will stop unrecognized or suspicious programs. It may give you the option to "Run anyway"; before doing so, be sure the application is safe (for example, that it came from the vendor's own site and that its hash or digital signature checks out). Clicking the More info option when encountering the pop-up can help you decide.
Figure L02-37 Microsoft Defender SmartScreen
Family Safety
13. A feature specific to Microsoft browsers is the Family safety options. Select Family safety in the left-side menu of the Settings window. As shown in Figure L02-38, you can enable this to create accounts for underage children, restrict their online access, report their browsing habits, and filter inappropriate web sites.
Figure L02-38 Microsoft Edge Family Safety
InPrivate Window Browsing
14. Users can open a private browsing window by right-clicking the Microsoft Edge icon and selecting New InPrivate Window (or from the Edge menu). This window, shown in Figure L02-39, does not save passwords, cookies, or browsing history entered while it is open. It can still use material stored from normal browsing but will not save anything new. As with Firefox, InPrivate windows are not anonymous: they only limit what is stored on the local machine and do not hide your traffic from an organization's IT department, the Internet Service Provider, or the web sites you visit.
Figure L02-39 Microsoft Edge InPrivate Browsing
While there are many other options you can configure for Microsoft Edge, these are the primary security and privacy features.
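The settings above are per-user toggles that the next person at a shared computer can simply switch back. As an added example that is not part of this lab, the following PowerShell script (run as administrator) enforces the same shared-computer choices as machine-wide Microsoft Edge policies, which the Settings UI then shows as managed. The policy names are Edge's documented policy names and the registry key is the one Edge reads them from; the chosen values and the drift check are this example's own choices for a shared system.

```powershell
# Added example (not from the lab or from Microsoft): lock the shared-computer
# settings from steps 4-12 as machine-wide Edge policies. Edge reads these
# from HKLM:\SOFTWARE\Policies\Microsoft\Edge; the policy names are Microsoft's
# documented Edge policy names. Requires an elevated (administrator) prompt.

$edgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Policy name => REG_DWORD value. Chosen for a shared computer (this example's
# choices, not the lab's). 1/0 are the booleans the policies expect.
$sharedComputerPolicies = @{
    PasswordManagerEnabled    = 0   # step 4: never offer to save passwords
    AutofillCreditCardEnabled = 0   # step 5: no stored/autofilled payment cards
    PaymentMethodQueryEnabled = 0   # step 9: sites may not ask whether cards are saved
    ConfigureDoNotTrack       = 1   # step 9: send Do Not Track (advisory only)
    TrackingPrevention        = 2   # step 6: 0 off, 1 basic, 2 balanced, 3 strict
    ClearBrowsingDataOnExit   = 1   # step 8: wipe cache, cookies, history on exit
    SmartScreenEnabled        = 1   # step 12: keep Defender SmartScreen on
}

function Set-EdgeSharedComputerPolicy {
    param([hashtable]$Policies = $sharedComputerPolicies)
    if (-not (Test-Path $edgePolicyKey)) {
        New-Item -Path $edgePolicyKey -Force | Out-Null
    }
    foreach ($entry in $Policies.GetEnumerator()) {
        New-ItemProperty -Path $edgePolicyKey -Name $entry.Key -Value $entry.Value -PropertyType DWord -Force | Out-Null
    }
}

function Get-EdgePolicyDrift {
    # Returns the policy names whose registry value differs from the desired
    # one (or is missing), so the same function doubles as a periodic audit.
    param([hashtable]$Policies = $sharedComputerPolicies)
    $current = if (Test-Path $edgePolicyKey) { Get-ItemProperty -Path $edgePolicyKey } else { $null }
    foreach ($entry in $Policies.GetEnumerator()) {
        $actual = if ($null -ne $current) { $current.($entry.Key) } else { $null }
        if ($actual -ne $entry.Value) { $entry.Key }
    }
}

Set-EdgeSharedComputerPolicy
$drift = @(Get-EdgePolicyDrift)
if ($drift.Count -eq 0) { 'Edge shared-computer policies are in place' }
else { "Policies still differing from the desired values: $($drift -join ', ')" }
```

After running it, open edge://policy in Edge to confirm each policy is listed with status OK; the corresponding Settings toggles now carry the "managed by your organization" indicator and cannot be changed by the user. Re-running Get-EdgePolicyDrift later is a quick way to catch anyone who has edited the registry key by hand.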
Web Browser Security for Apple Safari
While we won't go into detail about the security features of Apple's Safari browser, it is available from https://www.apple.com/safari/ and contains many of the same features demonstrated in the other browsers noted. Safari runs only on Apple devices: macOS on the Mac, and iOS or iPadOS on the iPhone and iPad. On mobile devices, much of the browser configuration is managed through the device's Settings app rather than an options menu within Safari. Safari also has a Private Browsing mode like other browsers.
Figure L02-40 Apple Safari
Self-Reflection and Response
Which browser(s) did you improve the security and privacy for? (Check all that you performed.)
Google Chrome Mozilla Firefox Microsoft Edge Apple Safari
Were you able to access all the security and privacy features of the browsers you used?
Yes No (explain what you could not revise)
Do you feel more equipped to make your browser experience more secure?
Yes No
Please explain:
Instructor’s Response
Hands-on Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Malware Defense
Hands-On Lab: Malware Defense To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Malware Defense
Table of Contents
Introduction 2
Objective 2
Estimated Completion Time 2
Materials Required 2
Minimum System Configuration 2
Downloading ClamAV 3
Installing ClamAV 3
Scanning the Local System with ClamAV 5
Installing ClamAV to a USB device 5
YARA Rules in Information Security 7
Installing Spybot S&D 8
Scanning the Local Drive with Spybot S&D 9
Enabling Windows Security 17
Windows Security Options and Operations 17
Self-Reflection and Response 21
Instructor's Response 21
Introduction Malicious software (a.k.a. malware) has been an ever-present concern even before the recent explosion of networked devices known as Internet of Things. In this lab, you will explore a few options that are available to deal with the threat of viruses and other malware.
Objective
Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use ClamAV on a Windows system.
• Create a portable AV scanner on a USB storage device.
• Understand what a YARA rule is and how it is used.
These activities will help you complete future labs in this course.
Estimated Completion Time
If you are prepared, you should be able to complete:
• The anti-virus/malware labs in 1 to 1.5 hours, depending on the complexity of the computer being scanned.
Materials Required
Students will need their:
• laptop or desktop computer.
• USB storage device, 8 GB or larger, that can be formatted (its contents will be erased).
• Two downloads from the ClamAV web site (the installer .exe and the portable .zip).
Minimum System Configuration
To complete the labs included, it is recommended that you operate them from a computer system (desktop or laptop) that is running Windows 10 and has:
• Intel i5 or better CPU
• 8 GB RAM (minimum) - 16 GB RAM (recommended)
• 1 TB hard drive with at least 250 GB free (minimum) - 350 GB free (recommended)
• Microsoft Windows 10 or latest version
• 8 GB USB storage device
Virus and Malware Prevention with ClamAV
This lab uses ClamAV to introduce a standard open-source, multiplatform, signature-based antivirus engine. ClamAV runs on Windows, Linux, BSD, Solaris, and macOS. Several projects and tools are built around its source code. ClamAV manages its signatures in a virus database that the freshclam tool keeps up to date, and it can be extended with custom signatures and with YARA rules (ClamAV implements a subset of the YARA language). We cover YARA rules further along in the lab. More information on ClamAV can be found in its documentation.
Downloading ClamAV
1. Open your preferred web browser and navigate to https://www.clamav.net/downloads#otherversions
2. This should present the Alternate Versions of ClamAV downloads web page. This lab was tested on a 64-bit Windows 10 system, which needs the *portable.zip file and the .exe installer shown in Figure L03-1. At the time of testing, clamav-0.103.2 was the latest version; choose the latest version available. Before installing, compare the downloaded file's SHA-256 hash (for example with PowerShell's Get-FileHash cmdlet) or its GPG signature against the values the ClamAV project publishes alongside the download, so that you are not installing a tampered scanner.
Figure L03-1 ClamAV download site (Win64)
Installing ClamAV
3. Using Windows Explorer, go to the location the .exe file was downloaded to and double-click it, or double-click the downloaded file from your web browser.
4. Follow the instructions to install ClamAV, using the defaults provided. You may need to authorize the execution of the program if you get a Windows pop-up asking for permission.
5. You will need to open a PowerShell command-line interface (CLI) in order to complete the installation. In the Windows search bar, type PowerShell, move the mouse over the application in the menu, right-click, and select "Run as administrator".
6. Change to the ClamAV installation directory by typing:
a. cd "c:\program files\clamav"
7. In the PowerShell window, perform the following commands:
a. copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
b. copy .\conf_examples\clamd.conf.sample .\clamd.conf
Figure L03-2 PowerShell commands for ClamAV
8. Next, we will run the write.exe command. This opens the specified conf file (short for configuration) in WordPad and lets us delete the line that says "Example", as shown in Figure L03-3. The sample files ship with that line on purpose: ClamAV refuses to load a configuration file that still contains it, so an unreviewed sample is never used as a live configuration.
a. write.exe .\freshclam.conf
b. Delete the Example line, save the file, and close WordPad.
9. Repeat the same procedure for clamd.conf:
a. write.exe .\clamd.conf
b. Delete the Example line, save the file, and close WordPad.
Figure L03-3 Delete "Example" from the conf file
10. Next, update the ClamAV database. In the PowerShell window run:
a. .\freshclam.exe
11. Provide a screenshot of your PowerShell window showing a successful update to ClamAV.
Scanning the Local System with ClamAV
12. Now that ClamAV is installed on the system and the virus database is updated, we will perform a scan of the Windows directory on the C: (root) drive. In the PowerShell window type:
a. .\clamscan.exe "C:\Windows" -r (this will take some time to run; -r makes the scan recursive)
b. The PowerShell screen should start to scroll, showing each file that has been scanned and whether it is OK or infected, as seen in Figure L03-4. The run ends with a summary that includes a count of infected files; if you want to see only hits rather than every file name, add the -i (--infected) option.
Figure L03-4 ClamAV scanning files
13. Provide a screenshot of the PowerShell window showing a completed scan.
Installing ClamAV to a USB device
In the next section we will take the portable version of ClamAV and install it on a USB drive. This is a useful tool to have if an analyst needs to scan systems that cannot have active antivirus installed or are separated from the Internet. Two cautions apply: the signatures on the drive are only as current as the last freshclam run, so update it before each use, and a drive plugged into a suspect machine can itself be written to by malware, so use a drive with a hardware write-protect switch if you have one and rescan the drive afterwards.
14. Insert your 8 GB or larger USB device. Back up and relocate any files present on the device that you need to keep.
15. Using Windows Explorer, go to the location the *portable.zip file was downloaded to and double-click it to open it in the default zip application.
16. Extract the folder contained in the *portable.zip file to the USB device. We are using 7-Zip in the example shown in Figure L03-5.
Figure L03-5 Using 7-Zip to extract the zip file
17. Now we perform the same procedure we did above to prepare ClamAV. Open, or return to, your PowerShell window opened with administrative privileges. Navigate to the USB drive using cd <drive_letter>:\ (e.g. cd g:\).
18. Type pwd in the PowerShell window to verify you are at the root of your USB device.
19. In the PowerShell window, perform the following commands:
a. copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
b. copy .\conf_examples\clamd.conf.sample .\clamd.conf
Figure L03-6 PowerShell commands on USB device
20. Next, we will run the write.exe command. This opens the specified conf file in WordPad and lets us delete the line that says "Example", as shown in Figure L03-3.
a. write.exe .\freshclam.conf
b. Delete the Example line, save the file, and close WordPad.
21. Repeat the same procedure for clamd.conf:
a. write.exe .\clamd.conf
b. Delete the Example line, save the file, and close WordPad.
22. Next, update the ClamAV database. In the PowerShell window, run:
a. .\freshclam.exe
23. Save a screenshot of the update performed on the USB device.
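The same preparation is typed twice above, once for the installed copy (Scanning the Local System with ClamAV, steps 5 to 13) and once for the portable copy on the USB drive (steps 17 to 23). The following PowerShell script, added here as an example and not part of the lab or of ClamAV itself, performs that preparation for either root directory, runs a logged scan, and adds one check the lab does not: it writes the EICAR test string (the industry's harmless detection test file) and confirms that clamscan flags it, which proves the signatures actually loaded. The root paths (C:\Program Files\ClamAV and G:\) are assumptions matching the lab's examples.

```powershell
# Added example (not from the lab or from ClamAV): the configuration steps,
# signature update and scan for a ClamAV root directory, plus an EICAR
# self-check. Roots assumed from the lab: the installed copy under
# C:\Program Files\ClamAV and the portable copy at the root of a USB drive
# (G:\ here; adjust the letter). Run from an elevated PowerShell prompt.

function Initialize-ClamAV {
    param([Parameter(Mandatory)][string]$Root)

    # The two copies the lab performs by hand (steps 7 and 19).
    foreach ($name in 'freshclam.conf', 'clamd.conf') {
        $sample = Join-Path $Root "conf_examples\${name}.sample"
        $conf   = Join-Path $Root $name
        if (-not (Test-Path $conf)) { Copy-Item $sample $conf }

        # Replaces the WordPad edit (steps 8/9 and 20/21): drop the 'Example'
        # sentinel line; ClamAV refuses to load a config that still has it.
        (Get-Content $conf) |
            Where-Object { $_ -notmatch '^\s*Example\s*$' } |
            Set-Content $conf -Encoding ASCII
    }

    # Steps 10 and 22: fetch the current signature set.
    & (Join-Path $Root 'freshclam.exe')
    if ($LASTEXITCODE -ne 0) { throw "freshclam failed with exit code $LASTEXITCODE" }
}

function Invoke-ClamScan {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Path,
        [string]$Log = (Join-Path $env:TEMP 'clamscan.log')
    )
    # -r recurse; -i print only infected files (instead of every file name);
    # -l write the full report, including the summary, to a log file.
    & (Join-Path $Root 'clamscan.exe') -r -i -l $Log $Path
    # clamscan exit codes: 0 nothing found, 1 something found, 2 an error occurred.
    switch ($LASTEXITCODE) {
        0       { 'clean' }
        1       { 'infected' }
        default { 'error' }
    }
}

function Test-ClamDetection {
    # Writes the EICAR test string (a harmless file every AV engine detects by
    # agreement) and checks that this ClamAV copy flags it, which proves the
    # signatures actually loaded. Caveat: on a host with Microsoft Defender
    # real-time protection on, Defender usually quarantines the file before
    # clamscan sees it; run this in a Defender-excluded folder, or expect 'error'.
    param([Parameter(Mandatory)][string]$Root)
    $dir = Join-Path $env:TEMP 'clam-selftest'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    [IO.File]::WriteAllText((Join-Path $dir 'eicar.com'), $eicar, [Text.Encoding]::ASCII)
    Invoke-ClamScan -Root $Root -Path $dir
}

# Installed copy (steps 5-13):
Initialize-ClamAV -Root 'C:\Program Files\ClamAV'
Invoke-ClamScan   -Root 'C:\Program Files\ClamAV' -Path 'C:\Windows'

# Portable copy on the USB drive (steps 17-23):
Initialize-ClamAV  -Root 'G:\'
Test-ClamDetection -Root 'G:\'
```

Initialize-ClamAV edits the files in place, so running it a second time is harmless. Invoke-ClamScan returns one of 'clean', 'infected' or 'error' rather than printing a verdict, which makes it easy to drive from a scheduled task and to check in a script; on a working installation Test-ClamDetection returns 'infected', and anything else means the signatures are missing, the engine failed, or Defender removed the test file first.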
YARA Rules in Information Security
Composing a YARA rule for use in ClamAV is beyond the scope of this lab. However, it is important to talk about how YARA rules are used in information security and, more specifically, in malware research and detection. YARA is a tool and rule language used primarily for malware research and detection. It was originally developed by Victor M. Alvarez of VirusTotal. YARA rules are used to scan files, memory images, or network traffic looking for textual or binary patterns that characterize known malware families. A rule declares strings (plain text, hexadecimal byte sequences with wildcards, or regular expressions in a Perl-compatible subset) and a Boolean condition over them, with constructs such as "any of them" or "all of them", match counts, and offsets. Because the same rule file is understood by many tools, YARA lets an analyst write one custom detection and apply it across several information security platforms at once. This is very useful when an incident response analyst has discovered an indicator of compromise for a piece of malware and wants to generate a rule to alert on its presence. For example, a YARA rule written to detect a suspicious string in a file can also be passed to Volatility's yarascan plugin to search a memory image for the same string. Rules that are well written and tested can be deployed for detection on IDS/IPS devices that support YARA, as well as on next-generation firewalls and endpoint agents. A rule that matches on a string that also occurs in legitimate software will flood the analyst with false positives, so test every rule against a clean corpus before deploying it.
Figure L03-7 YARA Rule Example
Figure L03-7 is a simple example of a YARA rule. The rule is named "silent_banker"; it declares three strings ($a, $b, and $c), and its condition statement makes it match if any one of those three strings is found in the scanned object. When finished with this lab, uninstall ClamAV and reboot the computer.
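To connect the rule above to the ClamAV engine installed earlier, here is an added example (not part of the lab): the silent_banker rule as published in the YARA documentation, which matches the description of Figure L03-7, saved as a .yar file and used by clamscan against two constructed sample files, one containing the $c string and one not. It assumes the installed ClamAV root from step 6 and relies on ClamAV's YARA support, which covers the plain and hex strings and the simple condition this rule uses.

```powershell
# Added example (not from the lab): load a YARA rule into ClamAV and prove it
# fires. The rule text is the silent_banker example from the YARA docs.
# Assumes the installed ClamAV root from step 6. Run from an elevated prompt.

$clamRoot = 'C:\Program Files\ClamAV'
$workDir  = Join-Path $env:TEMP 'yara-demo'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# ClamAV recognises YARA rules by the .yar / .yara file extension.
# Single-quoted here-string: $a, $b, $c are written literally, not expanded.
$ruleFile = Join-Path $workDir 'silent_banker.yar'
@'
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B2 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
'@ | Set-Content -Path $ruleFile -Encoding ASCII

# Constructed samples (not real malware): one carries the $c string, one does not.
$hit  = Join-Path $workDir 'carries_c.bin'
$miss = Join-Path $workDir 'benign.bin'
[IO.File]::WriteAllText($hit,  'header UVODFRYSIHLNWPEJXQZAKCBGMT trailer', [Text.Encoding]::ASCII)
[IO.File]::WriteAllText($miss, 'nothing to see here',                       [Text.Encoding]::ASCII)

function Test-YaraRule {
    # Loads ONLY the rule file (-d), so the verdict reflects this rule and not
    # the full signature set. Returns $true when clamscan reports a match
    # (exit code 1), $false when clean (0); throws on an engine error (2).
    param([string]$Rule, [string]$Target)
    & (Join-Path $clamRoot 'clamscan.exe') -d $Rule --no-summary $Target
    switch ($LASTEXITCODE) {
        0       { return $false }
        1       { return $true }
        default { throw "clamscan error (exit code $LASTEXITCODE)" }
    }
}

Test-YaraRule -Rule $ruleFile -Target $hit    # the rule fires on the $c string
Test-YaraRule -Rule $ruleFile -Target $miss   # the rule stays silent

# To make the rule part of every scan rather than a one-off, copy the .yar
# file into ClamAV's database directory (the DatabaseDirectory setting in
# clamd.conf / freshclam.conf); freshclam only manages the files it downloads
# and leaves custom rule files in place.
```

The clamscan output line for a match names the rule, so you can see which of your custom rules fired. Loading the rule on its own with -d is the quickest way to test a new rule against a handful of known-good files before it goes into the database directory, where a noisy rule would flag every scan.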
Malware Detection with Spybot Search & Destroy
Another leading free anti-malware tool available today is Spybot Search & Destroy. Unlike traditional antivirus/anti-malware software, Spybot S&D is on-demand, meaning it does not run all the time monitoring your system; it only finds what is present when you run a scan. If you purchase the upgraded version, Spybot + AV, it provides real-time anti-virus protection. The free version, however, does not provide AV support, so it complements rather than replaces a real-time scanner. Begin by checking to see if Spybot S&D has already been installed on your system.
1. Click the Windows Start button and scroll down the list of installed applications that appears on the right. Look for Spybot S&D. If it is installed, skip the installation process that follows.
Installing Spybot S&D
2. Using a Web browser, go to https://www.safer-networking.org/download/.
3. Select one of the Safer-Networking Ltd. mirror sites to download the software, as shown in Figure L03-9, noting the location where the .exe is stored (your version may be labeled differently, and you may find a newer version than the one shown). Download only from the mirrors linked on the vendor's page; repackaged copies of popular free security tools on third-party download sites are a common way to distribute adware.
Figure L03-9 Spybot Download Locations
4. Using Windows Explorer, go to the location the file was downloaded to and double-click the .exe file, or click the link at the bottom of your web browser, to install Spybot S&D. Follow the instructions on the screen to complete the installation, selecting the "more control" option when prompted. Accept the agreements and specify the installation location. Then specify Spybot (without anti-virus), as the anti-virus option requires a purchased subscription. Next, click through the remaining windows until Spybot installs.
5. The last step is to specify the startup options, as shown in Figure L03-10.
Figure L03-10 Spybot setup Wizard options
Scanning the Local Drive with Spybot S&D 6. Once Spybot is started (See Figure L03-11), it should automatically update.
Figure L03-11 Spybot Start Center 7. Click the Associated Tasks menu at the top of Spybot and select Settings. As shown in Figure L03-12, here you can specify a number of configuration options. Spend a few minutes familiarizing yourself with these options.
Figure L03-12 Spybot Settings Menu 8. One key feature of this menu is the ability to schedule a scan, rather than having to do it manually. On the Schedule tab, you would select Add if no scan is currently scheduled. As shown in Figure L03-13, the software has automatically set up a scan for the example system for the first of every month at 12:30 am. If you want to change this, you click the Edit button and make any needed changes.
Figure L03-13 Spybot Schedule Scan example 9. Click the Associated Tasks menu at the top of Spybot and select Systems Scan. You should see a window similar to Figure L03-14 appear. Make sure your settings match those in Figure L03-14 and click Start a Scan in the left side menu.
Figure L03-14 Spybot System Scan Menu
10. Let the application run. Note that it may take several minutes for the scan to finish, depending on the size and number of your system's hard drives. It took approximately 17 minutes on the system used for this example, which had several multi-terabyte drives, each with hundreds of gigabytes of data.
11. Spybot scans your system for specific categories of malware that an AV program might overlook, including spyware and monitoring software, startup tools, and rootkits. You can see what malware is being scanned for at the bottom of the System Scan window. Some organizations intentionally install employee-monitoring software, so check with your supervisor before running this on an office computer. Once the scan has finished, review the results. You may see pages of tracking cookies, stored temporary files, and possibly even malware in the results, as shown in Figure L03-15.
Figure L03-15 Spybot Scan Results
12. You can save your scan log with Save scan log… in the System scan menu on the left.
13. If you want to fix the issues identified by Spybot, leave all the items checked in the right pane and click the Fix selected button at the bottom. If you only want to fix selected items, uncheck those you do not want to fix.
14. Other options available in Spybot include Immunization and Quarantine, under the Associated Tasks menu. Immunization adds entries for web sites known to distribute malware to the Windows hosts file so they cannot be resolved, prevents the storage of tracking cookies, and blocks the installation of spyware from known sources. Quarantine lets the user override the software and restore a file that Spybot has flagged as malware. Most malware/AV software will automatically quarantine or delete files it believes are malicious, but sometimes a flagged file is a false positive. If you want to watch quarantine work on a file that is harmless by design, search for the "EICAR test file", a short text string that every AV engine detects on purpose so that detection and quarantine can be exercised safely. If you have a file that gets quarantined, you can select this menu option and restore it; do so only after you have confirmed the file is safe, for example by checking its hash against the vendor's published value.
15. You can generate a report of your results by selecting Associated Tasks then Report Creator, as shown in Figure L03-16. Spybot will walk you through the process.
Figure L03-16 Spybot Report Creator 16. If you installed this on your personal system, you can leave it installed. Otherwise, ask your instructor if they want you to uninstall the software.
Virus and Malware Prevention with Windows Security
If you are running a current Windows OS, like Windows 10, you already have a free anti-virus application installed. Windows Security (formerly known as Windows Defender Security Center) is installed by default. Its antivirus component is switched to passive or disabled mode when a third-party antivirus product registers itself, but in the absence of another application it provides protection. Begin by checking to see if Windows Security is active on your system. If you are using a computer in your university's lab or in a commercial office, you may not be able to perform all of the steps below, but you can still review the settings and watch the indicated videos.
1. Click the Windows Start button and scroll down the list of installed applications that appears on the right. Look for Windows Security and click the link. If it is active, you will see a screen like Figure L03-17 and can skip the Enabling Windows Security step that follows.
Figure L03-17 Windows Security
Enabling Windows Security
2. The only way to enable Windows Security's antivirus is to uninstall all other antivirus/anti-malware products; its engine turns back on once no third-party product is registered. If you are performing these labs on your personal computer, you may want to ensure no other AV software is installed. New computers often have trial versions of AV software installed. If you don't plan to renew those applications, uninstall them and open Windows Security.
Windows Security Options and Operations 1. If Windows security is not already started, type Windows Security in the Taskbar search field, and click on the link that appears. The front page shown in Figure L0316 above should have a green check mark or the words “no action needed’ for the top six menu options. The good news is that the majority of this application is automated, if you have it set up properly. If you don’t have a green check mark on the boxes, you will need to check that link and follow the prompts to activate that portion of the application. 2. Click the Virus & threat protection menu on the left, or the icon in the top left corner of the right side of the menu. You should see the screen shown in Figure L03-17 below.
Figure L06-17 Windows Security Virus & Threat Protection
3. First learn a little more about Windows Defender Antivirus by clicking the link in the upper left corner titled “Learn more about Virus and threat protection.” This will take you to a Windows community web site where there are several videos about Windows Security and Windows Defender. Watch the following videos:
a. Windows Security: The dashboard for device protections
https://community.windows.com/en-us/videos/windows-security-the-dashboard-for-device-protections/e_Z2bk7Cp1g?from=search
b. Virus & threat protection: Keep Defender antivirus at full strength
https://community.windows.com/en-us/videos/keep-your-pc-more-secure-with-windows-security-updates/YmIitr4eJ8E?from=search
c. Windows Defender team: Make security easier
https://community.windows.com/en-us/videos/windows-defender-team-make-security-easier/vuduNkegxb8?from=search

4. Click the button labeled Quick scan. This will scan your core Windows files. It only takes a few minutes.

5. If you want a more thorough scan, click the Scan options menu below the Quick scan button. As shown in Figure L03-18, you can perform a full scan, custom scan, or offline scan.
Figure L06-18 Windows Defender Scan Options
6. Click the back arrow at the top left of the Windows Security window. The Allowed threats option lets you provide an exception for a particular file that you know is safe but that Windows Defender keeps deleting.

7. Click the Protection history menu option. Here you can see what actions Windows Defender has taken over the past few days, as shown in Figure L03-19. If you have a long list, the Filters button allows you to sort and filter the threats shown.
Figure L06-19 Windows Defender Protection History

8. Click the back arrow to go back to the Virus & threat protection menu. Look at the Virus & threat protection updates. Is your version up to date? If it isn’t, you can click the Check for updates link to access the Protection updates menu shown in Figure L03-20 below. If your system isn’t up to date with a “Last update” date within the last week, click the Check for updates button on the Protection updates menu.
Figure L06-20 Windows Security Protection updates

9. The last option we’ll examine is the Ransomware protection. If you are using a personal computer to perform these labs, and you have access to Microsoft OneDrive, you can set up protected space on OneDrive to allow you to recover key files in case your computer is locked or encrypted by ransomware. Never pay the ransom! Click the Manage ransomware protection link to view the options shown in Figure L06-21.
Figure L06-21 Windows Security Ransomware protection

10. Close the Windows Security window.
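The settings you just reviewed by clicking through the Windows Security window (steps 1 through 9) can also be audited from a script. The following is an added example, not part of the lab or the textbook, that uses the Defender PowerShell module built into Windows 10; the seven-day thresholds are assumptions taken from the lab’s “within the last week” guidance, and the script must be run from an elevated PowerShell window.

```powershell
# Added example: script the Windows Security checks from steps 1-9 using the
# built-in Defender module (Get-MpComputerStatus, Get-MpPreference,
# Get-MpThreatDetection). Run as administrator. The 7-day thresholds are an
# assumption based on the lab's "Last update within the last week" guidance.

function Test-DefenderPosture {
    param([int] $MaxAgeDays = 7)   # assumed threshold for signatures and scans

    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = @()

    # Steps 1-2: is Windows Security actually the active antivirus? A third-party
    # AV product disables Defender, which then shows up here as AntivirusEnabled = False.
    if (-not $status.AntivirusEnabled)          { $findings += 'Defender antivirus is disabled (third-party AV installed?)' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is turned off' }

    # Step 8: signature freshness (the "Last update" date on the Protection updates page)
    if ($status.AntivirusSignatureAge -gt $MaxAgeDays) {
        $findings += "Signatures are $($status.AntivirusSignatureAge) days old (last updated $($status.AntivirusSignatureLastUpdated))"
    }

    # Step 4: has a quick scan been run recently?
    if ($status.QuickScanAge -gt $MaxAgeDays) {
        $findings += "Last quick scan was $($status.QuickScanAge) days ago"
    }

    # Step 6: every exclusion ("Allowed threats" and exclusion lists) is a blind spot
    # for the scanner, so each one should be known and justified.
    foreach ($p in $pref.ExclusionPath)      { $findings += "Path exclusion: $p" }
    foreach ($e in $pref.ExclusionExtension) { $findings += "Extension exclusion: $e" }
    foreach ($x in $pref.ExclusionProcess)   { $findings += "Process exclusion: $x" }

    # Step 9: Controlled folder access is the setting behind "Ransomware protection"
    # (0 = disabled, 1 = enabled/block, 2 = audit mode)
    if ($pref.EnableControlledFolderAccess -ne 1) {
        $findings += "Controlled folder access (ransomware protection) is not enforced (mode $($pref.EnableControlledFolderAccess))"
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Step 7: the Protection history page, as a table of recent detections
function Get-RecentDefenderDetections {
    param([int] $Days = 7)   # assumed window, matching the lab's "past few days"
    $since = (Get-Date).AddDays(-$Days)
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object InitialDetectionTime, ThreatID, ProcessName, ActionSuccess,
                      @{ n = 'Resources'; e = { $_.Resources -join '; ' } }
}

Test-DefenderPosture | Format-List
Get-RecentDefenderDetections | Format-Table -AutoSize
```

On a lab or office machine where Windows Security is managed by a third-party product or by policy, the first function will report Defender as disabled and the exclusions the administrator has configured; that is useful to know before you compare your results with a personal computer.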
Self-Reflection and Response

Please share your experiences in installing the antivirus software program.
Did your scan reveal any malware operating on your computer? If yes, please describe.
Were you able to install and run SpyBot Search and Destroy? If yes, describe the results of your scan.
Please share your experiences in using the Windows AntiVirus solution. Did it find malware undiscovered by the earlier programs?
Instructor’s Response
Hands-on Lab: Installing Security Onion Whitman and Mattord, Principles of Incident Response and Disaster Recovery, Third Edition, 2022, 978-0-357-508329; Module 4: Incident Response: Planning
Table of Contents
Objective ..... 2
Estimated Completion Time ..... 2
Materials Required ..... 2
Introduction ..... 3
Installing Security Onion ..... 4
Reflection ..... 15
Instructor’s Response ..... 15
Objective

Upon completion of this activity, you will have successfully created your own virtual machine to help you complete future labs in this course.
Estimated Completion Time

If you are prepared, you should be able to complete this lab in 40 to 60 minutes.
Materials Required

The following software must be installed and configured on your workstation before you begin the steps of the procedure later in this lab:
• Microsoft Windows 10, or another operating system version as specified by the lab instructor
• VMware Workstation 16.X Player (or newer version) from www.vmware.com/products/workstation-player.html
This lab also requires that the following software be downloaded and that the installation file be locally available:
• Security Onion 2.3.70 (or similar version) from https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
You will also need the following information from your instructor to configure Security Onion. If you are installing Security Onion in a home lab, determine the values yourself and record them in the table:

Data you will need | Record the value provided by your instructor
A static IPv4 address assigned to your computer |
The subnet mask to use on your local network |
The IPv4 address of your local network gateway |
The IPv4 address of your DNS server |
The local DNS search domain name |
The network address of a network that Security Onion will monitor |
Information on creating an e-mail address for the administrator account |
Information on creating a password for the administrator account |
Allowed addresses that can access Security Onion |
Note that Security Onion collects and records network traffic. Ensure that you have permission to do so before continuing with this lab. If you need more information on Security Onion, go to https://docs.securityonion.net/en/latest/analyst-vm.html#.
Introduction

In this project, you will set up a virtual system that runs Security Onion, an open-source intrusion detection and network monitoring application. You will use Security Onion in several future hands-on labs, so it’s important to get the application set up and running. To complete the process, you will need to download the software as an ISO file from the Security Onion link provided earlier in the Materials Required section. You should download the file prior to beginning the steps in the next section; the file is large and might take some time for most of you to download. After you download the security-onion2.3.0.iso file, you will use it to build your virtual image using the procedure that follows. If you go to the Internet to locate this image and find that the specific version number is no longer available, the current stable build should probably work for your needs. However, you may notice some differences between the build and the figures included in the following steps.

You will build the virtual image using a product called VMware Workstation Player, a virtualization application that is provided at no cost for personal and educational use. This tutorial assumes that your computer has already had VMware Workstation Player installed and configured; those instructions are not provided here. Installing and configuring VMware Workstation Player is a relatively simple task. This tutorial also assumes that you are using the 16.X version of VMware Workstation Player. Other versions will likely work, including the current stable build, although you may notice differences between the interface and the instructions that follow. The Security Onion ISO file contains the CentOS 7 operating system, so you do not have to download or install an operating system prior to beginning this project.
Installing Security Onion

1. Start VMware Workstation Player and click the Create a new Virtual Machine link. This will bring up the Welcome screen with two choices. Select the Custom (advanced) radio button and click Next.
2. Choose the Virtual Hardware Compatibility. This allows you to choose which hardware compatibility versions of VMware the new machine is built to emulate. Accept the default and then click Next.
3. Choose the Installer disc image file (iso) option and click Browse.
4. When the navigation window opens, navigate to the folder where you saved the Security Onion ISO file, select the file, and then click Open.
5. When the navigation window closes, click Next.
6. In the Select a Guest Operating System window, click the Linux button, select CentOS 7 64 bit in the Version menu, and then click Next.
7. Give your virtual image a name, such as “Security Onion for IRDR.” Verify the location where you want to keep the virtual machine. (Hint: there should be enough room to store the system.)
8. Select the number of Processors and Cores for the virtual machine. Security Onion 2.3 requires a minimum of 2 processors. Click the drop-down arrow next to “Number of Processors” and select 2. (Note: As a safeguard, it is recommended that you never give a virtual machine more than half of the available Processors or Cores. It can cause the host system to become unresponsive.) Then click Next to continue.
9. Set the amount of Memory for the system. The minimum recommended is 4 GB. Use the slider button on the left side or the text box in the upper right-hand side to set the Memory to 4096 MB.
10. Select the type of network for the system. Your professor should provide this. For my example, I will use “bridge networking”. These labs should also work with NAT networking. Click Next to continue.
11. Select the I/O Controller Type. Use “LSI Logic (Recommended)” and then click Next.
12. Select a Disk Type: use “SCSI (Recommended)” and then click Next.
13. Select a Disk: select “Create a new virtual disk” and click Next to continue.
14. Set the maximum disk size to 200 GB. Do not change the default option, “Split virtual disk into multiple files.” Click Next.
15. Next it will ask you to specify the disk file to use. This will have a default name. Leave the default or change the value. Click Next to continue.
16. Click Finish to complete the configuration of features in your virtual system.
17. To power on your virtual machine, click the Play virtual machine link.
18. If you are asked to download VMware Tools for Linux, select Remind Me Later.
19. When the startup menu appears, as shown in Figure 4-1, use your mouse to click on the virtual machine desktop. Use the down arrow key to select Install Security Onion 2.3.0 in basic graphics mode on the Linux desktop and press Enter.
Figure 4-1 Security Onion startup menu

20. The operating system (OS) begins to load as the guest virtual OS. A warning screen like the one in Figure 4-2 appears and asks you to type “yes” to proceed. Enter yes and press Enter.
Figure 4-2 Security Onion warning before installation & Administrator account setup

21. Enter a username for the administrator account (for example, soadmin; it does not need to be an e-mail address) and press Enter.
22. Enter a password for the administrator account, press Enter, verify the password for the administrator account, and press Enter again. The installer begins.
23. When you see the “Initial Install Complete” message in the console, press Enter to reboot. Press Enter again. The system reboots and goes through several load screens.
24. Next, the computer boots to a terminal window, as shown in Figure 4-3. Enter the administrator username and appropriate password when prompted.
Figure 4-3 Security Onion username and password

25. The Security Onion Setup console screen appears with the prompt “Would you like to continue?” Make sure <YES> is highlighted and press Enter.
26. This launches the Security Onion Setup. It will ask you to “Select an option”: “Install” or “Configure Network”. Highlight “Install” and press the Tab key to highlight <OK>. Press Enter to continue.
Figure 4-4 Security Onion Setup – Install Configure Network

27. You have five setup options, as shown in Figure 4-5. Press the down arrow until the cursor is next to IMPORT, press the space bar to select the IMPORT option (*), and press the Tab key to highlight <OK>. Press Enter to continue.
Figure 4-5 Security Onion setup options

28. A license agreement will appear for the Elastic Stack, which is a core component of Security Onion. Type “AGREE” in all capital letters and press Tab to highlight <OK>. Press Enter to continue.
Figure 4-6 Elastic Stack License Agreement

29. Enter an appropriate hostname (for example, “securityonion-irdr”) in the highlighted area. Press Tab to highlight <OK> and then press Enter to continue. If you use a unique host name, skip the next step and proceed with step 32.
30. If the default name “securityonion” is used, it will generate a warning: “to prevent host conflicts”. If you are on an isolated system, then you may press Tab until you highlight <Use Anyway>; otherwise choose <Change> and provide a unique hostname or use one provided by the instructor.
Figure 4-7 Hostname Default Warning

31. Choose the appropriate network interface card (NIC) from which you plan to manage the virtual machine, as shown in Figure 4-8. Note that the interface name on your system may be different. Use the up and down arrows to move the cursor and then press the space bar to select the interface your instructor has specified. Press Tab to highlight <OK> and then press Enter to continue.
Figure 4-8 Security Onion network interface selection

32. Choose the STATIC option for the management NIC’s IPv4 address, as shown in Figure 4-9, then highlight <OK> and press Enter to continue.
Figure 4-9 Security Onion management interface option

33. Enter the IP address and subnet assigned to your computer (provided by your instructor in the format shown in Figure 4-10) or determined by you on a home system. This should be in CIDR notation, where the part before the slash is the IP address and the number after the slash is the prefix length of the subnet mask; for example, 172.16.99.66/24. Highlight <OK> and press Enter to continue.
Figure 4-10 Security Onion local system IP address and Subnet in CIDR notation
34. Enter the correct local network gateway IP address for your network, as provided by your instructor. Highlight <OK> and press Enter to continue.
35. Enter a DNS server address to use for name resolution services, as provided by your instructor. Many people use the Google DNS address, which is 8.8.8.8 or 8.8.4.4. Highlight <OK> and press Enter to continue.
Figure 4-11 DNS search domain

36. Enter your DNS search domain name (your local domain name). You can leave this field at the default setting unless given different directions by your instructor. Press Tab to highlight <OK> and press Enter to continue.
37. Security Onion Setup will now initialize networking. Press Enter to continue.
38. The administrator is then asked to choose whether this install has Internet access or is Airgap. Some information on networks is so sensitive that Internet access is not allowed, and security tools still need to operate in that environment. For this lab, select “Standard” and press Tab to highlight <OK>. Press Enter to continue.
Figure 4-12 Internet Access
39. The administrator will be asked “How would you like to connect to the Internet?” Please choose the Direct option here unless you have been provided different instructions. If you are using a Proxy, your instructor will need to provide that. Highlight <OK> and press Enter to continue.
Figure 4-13 Internet Connection Type

40. This will initiate a pre-flight check of the OS. When it is finished, enter the network address that your version of Security Onion is assigned to monitor, as given by your instructor. The default setting is to use the RFC 1918 addresses 10.0.0.0/8, 192.168.0.0/16, and 172.16.0.0/12. Highlight <OK> and press Enter to continue.
Figure 4-14 The network Security Onion should monitor

41. Next, you are asked to enter an e-mail address to create an administrator for the Web account. Your instructor will tell you which address to use; highlight <OK> and press Enter to continue.
42. Enter and confirm a password for the Web administrator account you just created.
43. Choose the interface method for the Web interface, as shown in Figure 4-10. Leave this setting at the default value of “IP,” then press Tab to highlight <OK> and press Enter to continue.
Figure 4-15 Security Onion Web interface access method

44. When asked “Would you like to configure ntp servers?”, highlight <NO> and press Enter to continue unless instructed otherwise. This will use the preconfigured NTP servers for setting the system clock.
Figure 4-16 Configure the NTP servers

45. When asked how the console will operate, answer the question about whether to allow access to the Web tools by highlighting <NO> and pressing Enter, unless you have been provided alternate instructions. This runs a script, so-allow, that opens ports 80 and 443 on the Security Onion firewall to allow remote access via a web browser. Students can run “sudo so-allow” from a bash prompt and achieve the same results after installation.
46. You are then presented with a summary screen of the Security Onion options that have been selected. Your screen should look similar to Figure 4-17 below but may differ based on the environment settings. Verify your settings. Press Tab to highlight <Yes> and press Enter to continue. This initiates the next phase of the install and can take some time to complete.
Figure 4-17 Security Onion setup summary

47. The Security Onion Setup should continue and start to load the required packages. This may take some time to complete. When it is finished you will see Figure 4-18. Press Enter to reboot.
Figure 4-18 Finished IMPORT Installation
48. After the reboot, a terminal screen appears and asks for login credentials. Type the administrator username you set up during the OS installation and press Enter. Type the correct password when prompted and press Enter.
• At the command prompt that appears, type sudo so-analyst-install and press Enter.
• When prompted, type the password for the administrator account and press Enter.
49. In reply to the warning that this process will create permanent changes to the system, type yes and press Enter. The installation of the analyst workstation begins.
50. When the installation is finished, you should see a screen like that in Figure 4-19.
Figure 4-19 Installation complete

51. Press Enter to reboot. The system should restart and present a graphical user login. Enter the administrator e-mail username you provided earlier and click Next.
52. Enter the password for the administrator e-mail account you created earlier and click the Sign in button.
53. You should see a desktop like that shown in Figure 4-20. Security Onion is now installed. Tell your instructor that the installation is ready to use.
Figure 4-20 Security Onion
Reflection: In 100 - 150 words, describe any problems you encountered installing Security Onion. Were you able to resolve these issues? What steps did you take?
Instructor’s Response:
Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 978-0-357-506431; Backup and Recovery and File Integrity Monitoring
Hands-On Lab: Backup and Recovery and File Integrity Monitoring To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 978-0-357-50643-1; Backup and Recovery and File Integrity Monitoring
Table of Contents
Introduction ..... 2
Objective ..... 2
Estimated Completion Time ..... 2
Materials Required ..... 2
Minimum System Configuration ..... 2
Overview of PC Data Backup and Recovery ..... 3
Microsoft Windows 10 ..... 3
Apple macOS ..... 4
Linux ..... 4
Simple File Integrity Monitoring with PowerShell Get-FileHash ..... 5
Accessing PowerShell ..... 5
Using PowerShell Get-FileHash Utility ..... 6
Using Word to Compare Two PowerShell Get-FileHash Output Files ..... 7
Simple File Integrity Monitoring with HashCalc ..... 9
Download/Install HashCalc ..... 9
Using HashCalc to Calculate Hashes ..... 10
Using Maresware Hash64 and Hashcmp to Monitor File Integrity ..... 13
Downloading Hash64 and Hashcmp ..... 13
Using Hash64 to Calculate File Hashes ..... 14
Using Hashcmp to Compare File Hashes ..... 15
Self-Reflection and Response ..... 16
Instructor’s Response ..... 16
Introduction

The most significant action you can take to improve the resilience and survivability of your computer system is to create a robust and tested backup process. In this lab, you will explore the process of making a backup copy of a computer system. The lab discusses how to set up regular system and data backups for a Windows, Apple, and Linux OS. If you are using a different OS, the process should be relatively similar. You can use a web browser or your OS’s help files to locate the steps for your specific OS. Next, we will examine the process of determining if a file has changed, whether as a result of a backup and restore or as part of an attack.
Objective

Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Estimated Completion Time

If you are prepared, you should be able to complete all tasks in this lab in 15 to 20 minutes. Backup and recovery tasks may take longer if you have a large drive with an extensive amount of data to back up.
Materials Required

Completion of this lab requires the following software to be installed and configured on your personal computer:
• Microsoft Windows 10, or another operating system version specified by the lab instructor.
• Windows PowerShell enabled on the system.
• HashCalc from https://www.slavasoft.com/download.htm, and hash.exe and hashcmp.exe from Maresware downloaded as part of the second set of labs.

To perform and store actual system and data backups, you will need an internal hard drive or external USB drive not currently used on your system. The lab instructions make use of Microsoft Word.
Minimum System Configuration

To complete the labs included, it is recommended that you operate them from a computer system (desktop or laptop) that is running Windows 10 and has:
• Intel i5 or better CPU
• 8 GB RAM (minimum) - 16 GB RAM (recommended)
• 1 TB Hard Drive with at least 250 GB free (minimum) - 350 GB free (recommended)
• Microsoft Windows 10 or latest version
Overview of PC Data Backup and Recovery

Several good tutorials are available online that demonstrate the use of backup and recovery procedures. Rather than replicate their work, this lab simply points to those tutorials. As a future IT or security professional, it is important that you “walk the walk” as well as “talk the talk.” In other words, you must be responsible for providing security for yourself as well as for others. Given the widespread availability of low-cost cloud storage and high-capacity external USB drives, there is no excuse for losing key files. Quite a few cloud backup services are available:
• Carbonite (www.carbonite.com)
• Dropbox (www.dropbox.com)
• Microsoft (through OneDrive at www.onedrive.live.com)
• Apple (through iCloud at www.apple/icloud)
• Google (through Google Drive at www.google.com/drive/)
Several of these vendors have space they provide at no cost once you establish an account with them. All of the preceding vendors provide additional services and larger storage capacities with a paid subscription. For example, Dropbox offers 2 GB of storage for free. Dropbox works by allowing you to create file folders in Windows Explorer (for Windows systems). The folders you create and the files in them are stored on your local system and then synchronized with Dropbox cloud storage. You can install Dropbox on multiple computers, allowing synchronization among the computers and multiple users.
Microsoft Windows 10

For local data backup and recovery, including system backups, Microsoft uses a feature called “Back up using File History.” You can locate it by typing “Backup” in the Windows search bar. This feature allows traditional backups and recovery using local or networked drives. Review each of the documents listed below and perform a test backup using the instructions provided.
• The Windows support page that describes backup and recovery using the Windows 10 File History feature is available at https://support.microsoft.com/en-us/help/4027408/windows-10-backup-and-restore.
• A related article on Microsoft’s support site discusses recovery options under Windows 10: https://support.microsoft.com/en-us/help/12415/windows-10-recovery-options.
• Windows Central (www.windowscentral.com), a popular user help site, provides an article titled “How to use Windows 10 File History to back up data” at www.windowscentral.com/how-use-file-history-back-your-files.
Many more excellent online tutorials discuss Windows backup and recovery. If the preceding links do not provide satisfactory instructions, use a web browser to search for others.
Apple macOS

Like Windows, Apple provides backup and recovery instructions for its users. Between iCloud and the “Time Machine” built-in backup utility, Apple users have a number of options.
• Apple’s support site provides instructions for backing a Mac up to a Time Machine backup: https://support.apple.com/en-us/HT201250.
• Apple’s support site also provides instructions for restoring a Mac from a Time Machine backup: https://support.apple.com/en-us/HT203981.
Linux
Linux users may have to conduct some research to learn how their version of Linux performs backups. Some parts of the process will depend on the type of file system that’s installed (for example, Ext3 or Ext4). Web resources like the following provide instructions for performing command-line backups using external USB drives:
• How-To Geek (www.howtogeek.com), a popular user support site, provides the following article that demonstrates how to perform Linux backups using the rsync utility: www.howtogeek.com/427480/how-to-back-up-your-linux-system/.
File Integrity Monitoring
What is file integrity monitoring? Simply put, it’s the evaluation of a file to see whether it has changed. This is the foundation of backup and recovery file validation and is commonly used in host intrusion detection and prevention systems. For backup and recovery, we calculate the hash of a file before we back it up, and then compare that hash to the hash of the file once it’s restored. If the two are the same, the file is valid and unchanged. If the hashes differ, then something went wrong. Most network systems do something similar when they transmit a file, using something called a checksum. This is the same basic practice.
In a host IDPS, the system can calculate the hash of all key files that should not change. It then periodically calculates new hashes and compares the two. If the hash has changed, then the file has changed, and the HIDPS notifies an administrator to check whether an update was performed or whether an attacker has modified the file. Any change to the file results in a changed hash value. In this lab, we’ll look at a simple way to use common Windows tools to perform a file hash and comparison.
Simple File Integrity Monitoring with PowerShell Get-FileHash
In this lab, we will calculate the hash values of a number of files, and then use Microsoft Word to compare a before and after. For the first part of this exercise, we will use the built-in Windows utility PowerShell.
Accessing PowerShell
1. Before you start this lab, on a USB drive or in a student directory you can access during the lab, create a folder called hashtest. In that folder, create two more subfolders called docs and hashes, as shown in Figure L05-1.
Figure L05-1 hashtest folders
2. Next, find and save a few files to the docs folder to use in the exercise. It doesn’t matter what they are as long as you can edit at least one of them. In my example, I’ve downloaded several NIST Special Publication PDFs and a .txt file I can edit called important_information.txt.
3. Next, start PowerShell by right-clicking the Windows Start button and then selecting Windows PowerShell. You should see the Windows PowerShell window open, as shown in Figure L05-2.
Figure L05-2 Windows PowerShell
Using the PowerShell Get-FileHash Utility
4. The PowerShell utility Get-FileHash (described here: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash?view=powershell-7.1) provides a way to calculate a file’s hash value using a number of different algorithms. Our example will use the default, SHA256. Other options and parameters are described in the Microsoft document above.
5. Navigate to the hashtest folder you created. Then type the following command: Get-FileHash d:\hashtest\docs\*.* (replacing d: with the path to your hashtest folder) and press Enter. You should see a list of the files contained in your docs directory and their hash values. For now, this information appears only in the PowerShell window.
Figure L05-3 Get-FileHash Results
6. To copy the results to a file, type the same command with the following modification: Get-FileHash d:\hashtest\docs\*.* > d:\hashtest\hashes\hash1.txt (replacing d: with the path to your hashtest folder) and press Enter.
7. You won’t see much happen, as the system redirects the output to the text file you specified. Using Windows Explorer, navigate to your hashtest\hashes directory and look. You should see a text file, hash1.txt. Double-click to open it. It should be identical to the results you saw on your screen.
Using Word to Compare Two PowerShell Get-FileHash Output Files
8. Our next step is to change one of the files, use Get-FileHash to produce a second hash text file, and then use Word to compare the two to see whether we can detect the change. Open one of the files you saved and make a few changes. It takes only a single change to produce a different hash. Save your changes and then run the previous PowerShell command, sending the output to a different text file as follows: Get-FileHash d:\hashtest\docs\*.* > d:\hashtest\hashes\hash2.txt (replacing d: with the path to your hashtest folder) and press Enter. (As a shortcut in PowerShell, you can use the up arrow to scroll through your previous commands and then edit them.)
9. Look in your hashtest\hashes folder. You should now see two text files: hash1.txt and hash2.txt.
10. Open Microsoft Word, and then open both text files in Word. If Word prompts you with a File Conversion window, select Unicode and click OK.
11. Click the Review tab at the top of one of the text files in Word, then click the Compare drop-down button. First set up the output windows by selecting Show Source Documents and then Show Both.
12. Next, click the Compare button again and select the Compare… command in the menu to open the Compare Documents dialog box.
13. Under Original document, select hash1.txt. It should be available since you have the file open. If not, navigate to the hashtest\hashes folder and select it.
14. Next, under Revised document, select hash2.txt, and click OK.
15. Word will open a new document with any differences flagged, as shown in Figure L05-4. In your document, you should see a red bar beside the file you changed.
Figure L05-4 Word Comparison of hash text files
16. The original document and revised document appear at the right side of the screen. The compared document appears in the center of the screen. Any revisions appear in the “Revisions” pane at the left side of the screen. Here you see one entry for “author deleted” and one for “author inserted.” This means the two hash values in the two documents are different. You can do this with hundreds of file hash values, and the process will detect not only changed hash values but also new or missing files.
Simple File Integrity Monitoring with HashCalc
In this lab, students will calculate multiple hash values using a freely available program from SlavaSoft.
Download/Install HashCalc
1. Using a web browser, go to https://www.slavasoft.com/ and select the Downloads option in the top menu, as shown in Figure L05-5 at the bottom of this page.
Figure L05-5 SlavaSoft Downloads Page
2. At the bottom of the page, click the download link for HashCalc 2.02.
3. Save the downloaded zip file to your hashtest directory, where you can execute it. Once you extract the file from its zip container, you will need to install HashCalc.
4. Double-click the HashCalc setup.exe. When prompted, accept the agreement. Install it to your hashtest directory, using the options provided. When the install finishes, it should start HashCalc automatically, as shown below.
Figure L05-6 SlavaSoft HashCalc
Using HashCalc to Calculate Hashes
5. HashCalc is a tool that can calculate the hash value of a file or a data string using multiple algorithms simultaneously. Begin by selecting the … button to the right of the data field and navigating to your docs folder. Select a document you can edit and click Open, as shown in Figure L05-7 below.
Figure L05-7 SlavaSoft HashCalc selecting file
6. Next, check all the boxes on the left of HashCalc, and then click the Calculate button at the bottom, as shown in Figure L05-8. HashCalc creates the hash values using all of these different algorithms.
Figure L05-8 SlavaSoft HashCalc results
7. Close the HashCalc utility when finished.
Using Maresware Hash64 and Hashcmp to Monitor File Integrity
While HashCalc does a great job of calculating hash values for a single file, we need more functionality to do a file integrity check, especially across multiple files. We can use two utilities from Dan Mares’s “MaresWare.” Dan Mares is a long-renowned expert in computer forensics and has recently made some of his utilities free to download.
Downloading Hash64 and Hashcmp
1. Using a web browser, go to http://www.dmares.com/maresware/gk.htm. Scroll down to Hash and click the Get the 64-bit .exe link at the bottom, as shown in Figure L05-9. (Do NOT select Get the 32 bit .exe.) Save the file to your hashtest directory. You can view help for Hash here: http://www.dmares.com/maresware/html/hash.htm.
Figure L05-9 MaresWare Hash utility download
2. Scroll down to Hashcmp and click the Get the 32 bit .exe link at the bottom, as shown in Figure L05-10. Save the file to your hashtest directory. You can view help for Hashcmp here: http://www.dmares.com/maresware/html/hashcmp.htm.
Figure L05-10 MaresWare Hashcmp utility download
Using Hash64 to Calculate File Hashes
3. Neither of these utilities needs to be installed; both run directly from the .exe. We’ll begin by using the hash command-line tool to calculate the hash of one of our files. Hash.exe can do the same things as the PowerShell version, calculating the hash of a single file or an entire folder of files. You could calculate the hash values of your entire hard drive if you chose to do so. Open a command window by typing cmd in the Windows taskbar search field. Navigate to your hashtest directory and type the following command: hash64 -p d:\hashtest\docs\ -256. This gives us both the MD5 and SHA-256 hashes for all files in our docs directory, as shown below in Figure L05-11.
Figure L05-11 MaresWare hash64 results
4. We can redirect this output to a file for future comparison by adding the Windows redirect: hash64 -p d:\hashtest\docs\ -256 > d:\hashtest\hashes\mareshash.txt (substituting your folder location for d: here). You should be able to verify the output file in your hashes folder, as shown below in Figure L05-12.
Figure L05-12 MaresWare Hash64 text output
Using Hashcmp to Compare File Hashes
5. Now it’s time for the second part, the comparison. First, open one of the files in your docs directory and change it. Then run the previous command again, directing your output to a second file like this: hash64 -p d:\hashtest\docs\ -256 > d:\hashtest\hashes\mareshash2.txt (substituting your folder location for d: here).
6. Now type the following command: hashcmp d:\hashtest\hashes\mareshash.txt d:\hashtest\hashes\mareshash2.txt (substituting your directory information for d: as before). You should see a message that a difference was found between the files listed in the two hash output files, as shown in Figure L05-13.
Figure L05-13
7. This is a clear indication that the two files are different. Why they are different is a different task entirely. You could automate the entire process in a batch file that accomplishes the following:
• First, run a hash of a specified folder of files and save the output.
• Then develop a .bat (batch) program that runs a hash on the same folder, directs the output to a new file, and then runs hashcmp to compare the new hash output file to the old one.
This would essentially be a host intrusion detection process, where you detect changed files in the target directory.
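The Word comparison of two Get-FileHash listings (step 16 of the PowerShell section) and the batch-file automation sketched in step 7 above can both be done in one PowerShell script. The following is an added example, not part of the lab or of any of the tools it uses: it records a SHA-256 baseline of the docs folder with Get-FileHash, then on later runs reports changed, new and missing files. The folder paths follow the lab’s hashtest layout and the baseline file name is an assumption.

```powershell
# Added example (not part of the lab). Baseline-and-compare file integrity check
# built on Get-FileHash. The first run writes the baseline; later runs compare
# the folder against it. Paths follow the lab's hashtest layout; adjust as needed.
param(
    [string]$DocsPath     = 'D:\hashtest\docs',
    [string]$BaselinePath = 'D:\hashtest\hashes\baseline.csv'
)

function Get-FolderHashes {
    # Returns one object per file: its path relative to $Path and its SHA-256 hash.
    param([Parameter(Mandatory)][string]$Path)
    $root = (Resolve-Path -LiteralPath $Path).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -File -Recurse |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object {
            [pscustomobject]@{
                # Relative paths keep the baseline valid if the drive letter changes.
                RelativePath = $_.Path.Substring($root.Length).TrimStart('\')
                Hash         = $_.Hash
            }
        }
}

function Compare-FolderToBaseline {
    # Compares the current hashes of $Path with the CSV written earlier and
    # returns CHANGED, NEW and MISSING entries. An empty result means no change.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselinePath
    )
    $baseline = @{}
    foreach ($row in Import-Csv -LiteralPath $BaselinePath) { $baseline[$row.RelativePath] = $row.Hash }
    $current = @{}
    foreach ($row in Get-FolderHashes -Path $Path) { $current[$row.RelativePath] = $row.Hash }

    $findings = @(foreach ($file in $current.Keys) {
        if (-not $baseline.ContainsKey($file)) {
            [pscustomobject]@{ Status = 'NEW';     File = $file; BaselineHash = $null;           CurrentHash = $current[$file] }
        } elseif ($baseline[$file] -ne $current[$file]) {
            [pscustomobject]@{ Status = 'CHANGED'; File = $file; BaselineHash = $baseline[$file]; CurrentHash = $current[$file] }
        }
    })
    $findings += @(foreach ($file in $baseline.Keys) {
        if (-not $current.ContainsKey($file)) {
            [pscustomobject]@{ Status = 'MISSING'; File = $file; BaselineHash = $baseline[$file]; CurrentHash = $null }
        }
    })
    $findings
}

# Keep the baseline outside the monitored folder so it is not part of what is
# being measured, and keep a read-only copy elsewhere: whoever can rewrite the
# baseline can hide a change from this check.
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $BaselinePath) | Out-Null

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    Get-FolderHashes -Path $DocsPath | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    Write-Output "Baseline of '$DocsPath' written to $BaselinePath"
} else {
    $results = @(Compare-FolderToBaseline -Path $DocsPath -BaselinePath $BaselinePath)
    if ($results.Count -eq 0) {
        Write-Output "No changes detected in '$DocsPath'."
    } else {
        $results | Sort-Object Status, File | Format-Table -AutoSize
    }
}
```

Run it once to create the baseline, edit a file in docs (or add or delete one), and run it again; a scheduled task running the same script gives the periodic check described for a host IDPS.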
Self-Reflection and Response
Have you chosen to make a backup copy of your computer system? In the space below, explain why or why not. What steps did you take (or will you take in the future) to research and implement your method?
Can you think of another reason, not mentioned in the lab, for using the file integrity monitoring features found in PowerShell? Describe how you might use them.
Were you able to install and use the hashing tools from MaresWare? What was your experience using these tools?
Instructor’s Response
Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; OS Processes and Services
Hands-On Lab: OS Processes and Services To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; OS Processes and Services
Table of Contents
Introduction ..... 2
  Objective ..... 2
  Estimated Completion Time ..... 2
  Materials Required ..... 2
  Minimum System Configuration ..... 2
Windows Process Assessment ..... 3
  Reviewing Windows Processes with Task Manager ..... 3
    Opening Task Manager ..... 3
    Reviewing Windows Processes with Task Manager ..... 3
  Reviewing Windows Processes with Process Explorer ..... 9
Windows Service Assessment ..... 11
  Opening Task Manager ..... 11
  Reviewing Windows Services with Task Manager ..... 11
  Active Processes and Services Assessment with msconfig ..... 15
    Opening msconfig ..... 15
    Reviewing Windows Services ..... 16
  Service Assessment with Performance and Resource Monitor ..... 17
    Using the Performance Tab ..... 17
    Opening Resource Monitor ..... 19
    Using Resource Monitor ..... 20
Self-Reflection and Response ..... 22
  Instructor’s Response ..... 22
Introduction
Part of the job of the information security function is to detect when things are not working as expected, specifically when technology may have been compromised or corrupted so that it can no longer be trusted to handle our information without risk to its confidentiality, integrity, or availability. While many complex tools can help detect unusual activity on a computer, we can also perform some routine evaluations ourselves to determine whether a system has an issue that warrants further investigation. This lab discusses the utilities available in Windows 10 that allow users and administrators to review, identify, and resolve potential issues with running processes and services, and with the current operation of the system.
Objective
Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
These activities will help you complete future labs in this course.
Estimated Completion Time
If you are prepared, you should be able to complete this lab in 60-90 minutes.
Materials Required
Completion of this lab requires the following software to be installed and configured on your personal computer:
• Microsoft Windows 10, or another operating system version specified by the lab instructor.
Minimum System Configuration
To complete the labs included, it is recommended that you operate them from a computer system (desktop or laptop) that is running Windows 10 and has:
• Intel i5 or better CPU
• 8 GB RAM (minimum) - 16 GB RAM (recommended)
• 1 TB hard drive with at least 250 GB free (minimum) - 350 GB free (recommended)
• Microsoft Windows 10 or latest version
Windows Process Assessment
It is important to know which programs and applications are running processes on your system, so that you can detect when a program is malfunctioning or when an application you did not authorize is running. Several utilities allow the user to review the running processes. Once you can review these processes, you can determine which are legitimate and which are not.
Reviewing Windows Processes with Task Manager
The first of these utilities is the Task Manager, a tool that is native to Microsoft Windows.
Opening Task Manager
1. There are a number of ways to access the Windows Task Manager.
   a. In the Windows search bar, type Task Manager and click the app.
   b. Right-click the Windows Start button and select Task Manager.
   c. Press the Ctrl + Alt + Del keys and select Task Manager.
   d. You can also press the Ctrl + Shift + Esc keys.
Choose one of these ways and open the Task Manager.
Reviewing Windows Processes with Task Manager
2. Once open, the default view in Task Manager shows the processes active on this system. If your view does not look like Figure L06-1 below, click the More details option at the bottom. You may also need to expand the window by dragging its right edge to see additional columns.
Figure L06-1 Windows Task Manager
3. Processes are instances of a program or application that are currently running on the system. As indicated in Figure L06-1, there are currently many processes associated with Google Chrome running on the example system. You can examine each process individually by clicking the arrow to the left of the process, as shown in Figure L06-2. Each process consumes resources, although inactive processes consume less. The first thing to examine when your system becomes sluggish is whether you have too many processes running, active or not. In Task Manager, processes are grouped into Applications (programs), Background Processes, and Windows Processes.
Figure L06-2 Multiple Google Chrome Processes
4. You can select an individual process and end it by clicking the process and then clicking the End task button at the bottom. This is especially useful when a process or program becomes unresponsive. You can also view additional details by selecting the process, right-clicking, and selecting Details, or by simply selecting the Details tab in the top menu. Look at the details of several processes now.
5. It is important to become familiar with the processes a computer is running by examining this list from time to time. You can learn more about a process by letting Windows look it up for you on the web. Select any process, right-click it, and select Search online. See Figure L06-3 for an example.
Figure L06-3 Process Right-Click Menu
6. This will allow you to learn more about the process, in case you don’t recognize it. You can also view the properties of the process from the same menu. Examples of the properties window and its corresponding Details tab are shown in Figure L06-4.
Figure L06-4 Microsoft Word Process Properties and Details
7. The biggest challenge in managing processes is the numerous processes run on your behalf by the operating system. Scroll down in your list of processes, and you’ll see a group called Windows processes. In that group you’ll see many instances of Service Host, Windows’ tool for running services connected to dynamic link libraries (DLLs), resources that support your computer use. The details of these components of the operating system are beyond this lab. There are a number of online references that can help you understand this better. We recommend How-To Geek (https://www.howtogeek.com/).
8. If you want to document the running processes for future reference, you can use a Command window or PowerShell:
   a. Open a command window by typing cmd in the Windows search bar and pressing Enter. Then type tasklist at the prompt and press Enter. You’ll get a long list on your screen with some basic information, as shown in Figure L06-5. To redirect this to a file, repeat the command adding a redirect, tasklist > processes.txt, and press Enter. This copies the screen output to a text file.
Figure L06-5 Command prompt display of Windows processes
   b. You can do the same thing with a PowerShell command. Open a PowerShell session by right-clicking the Windows Start button on the left side of the taskbar and selecting Windows PowerShell. In the PowerShell window, type Get-Process and press Enter. Again, you can redirect this to a file by typing Get-Process > processes.txt and pressing Enter.
Figure L06-6 Windows PowerShell Get-Process command and results
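Step 8 records the tasklist or Get-Process output as plain text. The added example below (not part of the lab) takes the same Get-Process snapshot but keeps the fields that help decide whether a process is legitimate: executable path, company name, Authenticode signature status and signer. It then lists the processes that are unsigned, have a broken signature, or run from a user-writable folder, since those are the entries worth checking first. The function names and the output file name are assumptions.

```powershell
# Added example (not part of the lab). Snapshot running processes with the
# details that help decide whether each one is legitimate, save the snapshot,
# and list the ones worth a closer look. Run from an elevated PowerShell to
# see the executable paths of system processes as well.
function Get-ProcessSnapshot {
    # One object per process whose executable path is readable by this session.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.Path
        [pscustomobject]@{
            Name      = $_.Name
            Id        = $_.Id
            Path      = $_.Path
            Company   = $_.Company
            Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

function Test-UserWritablePath {
    # True when $Path is under a location an ordinary user can write to.
    param([Parameter(Mandatory)][string]$Path)
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC,
                      "$env:USERPROFILE\Downloads") | Where-Object { $_ }
    foreach ($dir in $userWritable) {
        if ($Path -like "$($dir.TrimEnd('\'))\*") { return $true }
    }
    return $false
}

function Get-ProcessTriage {
    # Processes that are unsigned, have a broken signature, or run from a
    # user-writable folder. A hit is a prompt to look closer, not proof of a problem.
    param([object[]]$Snapshot)
    $Snapshot | Where-Object {
        $_.Signature -ne 'Valid' -or (Test-UserWritablePath -Path $_.Path)
    }
}

$snapshot = @(Get-ProcessSnapshot)

# Keep a dated copy, as step 8 does with tasklist, but with the extra columns
# so two snapshots can later be compared field by field.
$outFile = "processes_$(Get-Date -Format 'yyyyMMdd_HHmm').csv"
$snapshot | Export-Csv -LiteralPath $outFile -NoTypeInformation
Write-Output "$($snapshot.Count) processes written to $outFile"

Write-Output 'Processes to review (unsigned, bad signature, or user-writable location):'
Get-ProcessTriage -Snapshot $snapshot |
    Sort-Object Signature, Path |
    Format-Table Name, Id, Signature, Company, Path -AutoSize
```

Use the Search online step above on anything in the review list you do not recognize; a valid signature from a known publisher in Program Files or the Windows folder is the usual shape of a legitimate entry.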
Reviewing Windows Processes with Process Explorer
Microsoft has a special utility you can use to learn more about a process, specifically about what resources a process has open. If you’ve ever tried to close a file and received an error message that the file is open or in use, but couldn’t find an associated application, a process may have it locked as in use.
Download Process Explorer
9. First, ask your instructor whether Process Explorer is already installed. If not, go to https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer and click the Download Process Explorer link at the top of the page. Save the zip file to your local drive and then extract the files to a location you can access.
10. Double-click the procexp64.exe file and accept the license agreement. Process Explorer will start as shown in Figure L06-7.
Figure L06-7 Sysinternals Process Explorer
11. To view a process’s threads (parts of a process) with Process Explorer, select a process and open the process properties by right-clicking the process and then selecting the Properties menu item. Then click the Threads tab. As shown in Figure L06-8, you’ll see any threads associated with that process. Note that the threads are numbered with an ID (TID) and not named.
Figure L06-8 Threads associated with a process
12. Here you can see CPU consumption and other information. This information is also color coded, with new threads highlighted in green and threads that exit highlighted in red.
Windows Service Assessment
The Windows Task Manager can also be used to examine services. Services are processes that run in the background and don’t directly interact with the user or the desktop.
Opening Task Manager
1. If you don’t have the Task Manager running already, open it now using one of the following methods:
   a. In the Windows search bar, type Task Manager and click the app.
   b. Right-click the Windows Start button and select Task Manager.
   c. Press the Ctrl + Alt + Del keys and select Task Manager.
Reviewing Windows Services with Task Manager
2. Once Task Manager is open, select the Services tab at the top. As shown in Figure L06-9, services are listed alphabetically, including a brief description and their status as running or stopped. Since services run in the background, if you don’t review the list, you may never know what is running on your system.
Figure L06-9 Task Manager Services
3. Just as you could with processes, you can learn more about a particular service by selecting it and looking at its menu. Right-click one of the services running on your system and select Details. This brings you back to the Details tab, where both processes and services are listed with additional information.
4. Go back to the Services tab, and right-click the service again, this time selecting Search online. This opens a web browser with a search on that particular service, allowing you to better understand the service.
5. If you want to document the running services for future reference, you can use a Command window or PowerShell, just as you did with processes:
   a. Open a command window by typing cmd in the Windows search bar and pressing Enter. Then type net start at the prompt and press Enter. You’ll get a long list on your screen of just the services that are started and running, as shown in Figure L06-10. To redirect this to a file, repeat the command adding a redirect, net start > services.txt, and press Enter. This copies the screen output to a text file.
Figure L06-10 Command prompt display of started Windows services
   b. You can do the same thing with a PowerShell command. Open a PowerShell session by right-clicking the Windows Start button on the left side of the task bar and selecting Windows PowerShell. In the PowerShell window, type Get-service and press Enter. Unlike the command window, PowerShell includes all services and their status as stopped or running. Again, you can redirect this to a file by typing Get-service > processes.txt and pressing Enter.
Figure L06-11 Windows PowerShell Get-service command and results
6. If you wanted to stop a running service or start a service that is stopped, you can do so from the Task Manager. Back at the Task Manager, right-click a service, and select Open Services. This opens the Services MMC, as shown in Figure L06-12. As shown in Figure L06-13, if you right-click a service in the Services MMC, you open a menu allowing you to change the status of a service and look at its properties.
Figure L06-12 Windows Services MMC
Figure L06-13 Windows Service Sub-menu
The properties include the service’s dependencies on other services, drivers, etc. (see Figure L06-14). Review the properties on a few services to become more familiar with this information.
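Steps 5 and 6 above, together with the dependency information in the Properties dialog, can be gathered in one script instead of by hand. The following PowerShell script is an added example, not part of this lab or of Whitman and Mattord’s materials. On its first run it writes every service’s state, start type, logon account, binary path and dependencies to a CSV baseline; on later runs it reports services that are new, removed, or whose state, start type, account or binary path changed, which is the comparison you would otherwise have to do by eye in Task Manager or the Services MMC. The baseline file path is an assumption.

```powershell
# Added example (not from the lab): snapshot Windows services to a CSV
# baseline and report differences on later runs. The path is an assumption.
param(
    [string]$BaselinePath = "$env:USERPROFILE\services-baseline.csv"
)

function Get-ServiceSnapshot {
    # One row per service: the same fields the Services MMC Properties dialog
    # shows, plus the services this one depends on.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = Get-Service -Name $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            State       = $_.State        # Running / Stopped
            StartMode   = $_.StartMode    # Auto / Manual / Disabled
            Account     = $_.StartName    # logon account the service runs as
            PathName    = $_.PathName     # binary that is actually launched
            DependsOn   = ($svc.ServicesDependedOn.Name -join ';')
        }
    }
}

function Compare-ServiceSnapshot {
    param($Baseline, $Current)
    $base = @{}; foreach ($b in $Baseline) { $base[$b.Name] = $b }
    $cur  = @{}; foreach ($c in $Current)  { $cur[$c.Name]  = $c }

    foreach ($name in $cur.Keys) {
        if (-not $base.ContainsKey($name)) {
            # A service that was not there at baseline time deserves a look.
            [pscustomobject]@{ Change = 'NEW'; Name = $name; Detail = $cur[$name].PathName }
            continue
        }
        $b = $base[$name]; $c = $cur[$name]
        foreach ($field in 'State', 'StartMode', 'Account', 'PathName') {
            if ("$($b.$field)" -ne "$($c.$field)") {
                [pscustomobject]@{ Change = "CHANGED $field"; Name = $name
                                   Detail = "$($b.$field) -> $($c.$field)" }
            }
        }
    }
    foreach ($name in $base.Keys) {
        if (-not $cur.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'REMOVED'; Name = $name; Detail = $base[$name].PathName }
        }
    }
}

$current = Get-ServiceSnapshot
if (-not (Test-Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath ($($current.Count) services)"
} else {
    $baseline = Import-Csv -Path $BaselinePath
    $diff = Compare-ServiceSnapshot -Baseline $baseline -Current $current
    if ($diff) { $diff | Format-Table -AutoSize }
    else { Write-Host "No service changes since baseline in $BaselinePath" }
}
```

Take the baseline on a freshly built or known-good machine; the PathName column is the one to read most carefully in a later diff, since a changed binary path on an existing service name is far more unusual than a changed state.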
Figure L06-14 Service Properties Screen
Active Processes and Services Assessment with msconfig
The Windows System Configuration Utility, better known as msconfig, is a utility used to troubleshoot issues with a Windows system. It includes service information, just like Task Manager, but also includes information on system boot and other useful information.
Opening msconfig
1. In the Windows task bar search field, type msconfig and press Enter. You should see the System Configuration utility as shown in Figure L06-15.
Figure L06-15 Windows System Configuration Utility (msconfig)
Reviewing Windows Services
2. Click on the Services tab. This tab shows much of the same information shown in Task Manager and the Services MMC, as shown in Figure L06-16. From this tab, you can directly enable or disable (start or stop) multiple services at once, by unchecking (to stop) or checking (to start) the services and clicking the Apply button. Since these changes can have an unwanted impact on the function of your system, doing so is not recommended unless you know a service to be malicious.
Service Assessment with Performance and Resource Monitor
The last utilities we’ll look at are the Windows Task Manager Performance tab and the Windows Resource Monitor.
Using the Performance Tab
1. Open your Windows Task Manager as described in a previous lab assignment. Select the Performance tab. Here you will see an overview of how your system is using its resources like the Central Processing Unit (CPU), Memory, Drives and Internet connection, as well as the Graphical Processing Unit (GPU), as shown in Figure L06-16. You can select the different categories on the left side of the utility to review each. You can also hover your mouse over parts of the screen to see additional information (see Figure L06-17). However, this still doesn’t provide a lot of detail. For that we’ll need the Resource Monitor.
Figure L06-16 Windows Task Manager Performance Tab
Figure L06-17 Task Manager Performance Tab additional information
Opening Resource Monitor
1. There are several ways to open the Resource Monitor:
   a. Select the Open Resource Monitor link at the bottom of the Task Manager Performance tab, as shown in Figures L06-16 and L06-17 above.
   b. Type Resource Monitor in the Windows task bar search field and then click on the app.
   c. Click the Windows Start button, then select All Apps, then Windows Administrative Tools, then Resource Monitor.
   d. Open the msconfig utility as described previously, and select Resource Monitor from the Tools tab.
   Resource Monitor will open, as illustrated in Figure L06-18.
Figure L06-18 Windows Resource Monitor
Using Resource Monitor
2. As you can see in Figure L06-18 above, Resource Monitor provides a lot more detail than the Task Manager Performance tab does. The processes and services that are running are shown in the CPU window at the top. Each can be right-clicked to reveal a sub-menu, allowing you to stop it or to Search Online for more information. Select a few entries and use the Search Online feature to examine them in more detail.
3. Below the CPU window are entries for Disk (drive), Network, and Memory. If one of these categories doesn’t have anything below it, click on the down arrow button. That should “unhide” the entries for that category. On the right side of the Resource Monitor are several graphical representations of system use. Some power users like to keep this running on their desktop, just to see what applications are demanding the most system resources. High resource use could be an indicator of something unwanted, especially if you’re not actively engaging in a program that you would expect to have this impact, like watching a streaming video, playing an online computer game, or opening 62 Google Chrome tabs. Applications that are sending and receiving data when you’re not active online can also indicate the presence of applications that might be stealing your information, or they could just be your backup program, Dropbox or Microsoft OneDrive updating synchronized records. It’s important for you to get familiar with what SHOULD occur in the normal course of using your system, to make it easier for you to detect what SHOULD NOT occur.
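The “what SHOULD occur” baseline in step 3 can be written down rather than remembered. The following PowerShell script is an added example, not code from the lab or from Whitman and Mattord: it lists the established TCP connections Resource Monitor’s Network window shows, with the owning process name and binary path, and flags connections whose process is not on a short list of programs you expect to use the network; it also lists the top CPU consumers from the CPU window. The allow-list contents are an assumption for illustration, and should be built from your own quiet-system baseline.

```powershell
# Added example (not from the lab): report established network connections
# per process and top CPU consumers, flagging processes outside an expected
# list. The expected list below is an assumption; replace it with your own.
$ExpectedProcesses = @('chrome', 'msedge', 'OneDrive', 'Dropbox', 'svchost', 'Teams')

function Get-ConnectionReport {
    param([string[]]$Expected)
    # Map PID -> process once, so each connection can be labelled quickly.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established |
        # Ignore loopback traffic; it never leaves the machine.
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            $name = if ($p) { $p.ProcessName } else { 'unknown' }
            [pscustomobject]@{
                Process    = $name
                PID        = $_.OwningProcess
                Path       = if ($p) { $p.Path } else { '' }
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
                Unexpected = ($Expected -notcontains $name)
            }
        }
}

function Get-TopCpuProcesses {
    param([int]$Top = 5)
    # CPU is cumulative processor seconds since the process started.
    Get-Process | Where-Object { $_.CPU } | Sort-Object CPU -Descending |
        Select-Object -First $Top ProcessName, Id,
            @{ n = 'CPUSeconds';   e = { [math]::Round($_.CPU, 1) } },
            @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB, 1) } }
}

Write-Host "== Established connections (unexpected first) =="
$report = Get-ConnectionReport -Expected $ExpectedProcesses
$report | Sort-Object Unexpected -Descending | Format-Table -AutoSize
$report | Where-Object Unexpected | ForEach-Object {
    Write-Warning "Unexpected network activity: $($_.Process) (PID $($_.PID)) -> $($_.Remote)"
}

Write-Host "== Top CPU consumers =="
Get-TopCpuProcesses | Format-Table -AutoSize
```

An “unexpected” line is a prompt to look, not a verdict: the Path column tells you where the binary lives, and the same Search Online step used in Resource Monitor applies to the process name.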
Self-Reflection and Response
What is the difference between a process and a service in the Windows operating system?
Can you think of why you would need to be able to determine which processes are running on your Windows computer?
Can you think of why you would need to be able to determine which services are running on your Windows computer?
Instructor’s Response
Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Log Management & Security
Hands-On Lab: Log Management & Security To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Log Management & Security
Table of Contents
Introduction
Objective
Estimated Completion Time
Materials Required
Minimum System Configuration
Log Security Issues with Event Viewer
   Opening Command Window (CMD) and Determine Local IP Address
   Using Event Viewer
      Assigning Tasks to Logs and Events
      Cleaning and Managing Event Viewer Logs
Researching Events
Self-Reflection and Response
   Instructor’s Response
Resources
Introduction
Computer systems do many things and accomplish many complex tasks very quickly. Sometimes things go wrong inside the system and sometimes things happen that the system does not expect. When these things happen, the computer will record the event to a computer log – a record of events and activities that occur on a system. Some logs are routine, noting when users log in and access certain resources. Others are security-related, recording unexpected activities and potential intrusions. In this lab, students will examine the default logs present in a standard Windows operating system. Since a modern Microsoft Windows user OS, like Windows 10, is based on the same underlying architecture as Microsoft’s server systems, this knowledge can be scaled to understand the actions of commercial servers as well as end-user systems.
Objective
Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Estimated Completion Time
If you are prepared, you should be able to complete:
• The log management lab in 30 minutes to 1 hour.
Materials Required
Completion of this lab requires a standard Windows 10 installation.
Minimum System Configuration
To complete the labs included, it is recommended that you operate them from a computer system (desktop or laptop) that is running Windows 10 and has:
• Intel i5 or better CPU
• 8 GB RAM (minimum) - 16 GB RAM (recommended)
• 1 TB Hard Drive with at least 250 GB free (minimum) - 350 GB free (recommended)
• Microsoft Windows 10 or latest version
Log Security Issues with Event Viewer
To review the logs in a Windows OS-based computer, you will use the Event Viewer utility. While some specialized servers have their own log system, Event Viewer is used for most Windows platforms. “Event Viewer displays these types of events:
• Error: A significant problem, such as loss of data or loss of functionality. For example, if a service fails to load during startup, an error will be logged.
• Warning: An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a warning will be logged.
• Information: An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, an Information event will be logged.
• Success Audit: An audited security access attempt that succeeds. For example, a user's successful attempt to log on to the system will be logged as a Success Audit event.
• Failure Audit: An audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a Failure Audit event.
The Event Log service starts automatically when you start Windows. Application and System logs can be viewed by all users, but Security logs are accessible only to administrators.”[1]
Opening Command Window (CMD) and Determine Local IP Address
1. Open the Event Viewer using one of the following methods:
   a. Right-click on the Windows Start button and select Control Panel. Next select System & Security, then double-click Administrative Tools. Finally, double-click Event Viewer.
   b. Type Event Viewer in the Windows task bar search field, and click on the app.
   c. Hold the Windows key and press R to open the Run field, type eventvwr (or eventvwr.msc) and select OK.
2. Once Event Viewer has started, you should see the default view shown in Figure L07-1.
Figure L07-1 Windows Event Viewer
Using Event Viewer
3. Once Event Viewer is running, select the Windows Logs entry in the left pane. Here you will see the five default operating system logs associated with most Windows systems, shown in Figure L07-2. Specialized services like SQL servers and domain controllers have additional logs.
Figure L07-2 Event Viewer Windows Logs
4. Select Application in the left pane. The center of Event Viewer will display the various entries the system has recorded. The Level of each entry was discussed in the Introduction to this lab. Scroll down your list and look for one entry of each type: Information, Warning, and Error. As shown in Figure L07-3, once you select an entry, the details are displayed in the bottom center box.
Figure L07-3 Event Viewer Application Log
5. Select Security in the left pane. Again, the center of Event Viewer will display the various entries the system has recorded. You will most likely see many “Audit Success” entries, representing when a user or application accesses the system successfully. Scroll down your list and look for any Audit Failure entries, like the one shown in Figure L07-4. If you find multiple Audit Failures, you may have detected someone trying to guess the password for the system, or it may just be a user that is not paying attention to their typing. Consistent failures should always be investigated.
Figure L07-4 Event Viewer Security Log Audit Failure
6. Select Setup in the left pane. Again, the center of Event Viewer will display the various entries the system has recorded. If you’ve updated Windows and there were issues, they’ll be logged here.
7. Select System in the left pane. Here issues with the operating system are recorded. For example, the system in Figure L07-5 has an issue updating the drivers associated with an HP printer. Issues here are usually referred to the helpdesk unless you are the helpdesk. Scroll through this list and look for any Errors.
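Step 5 asks you to tell a run of password guesses apart from a user mistyping. The following PowerShell script is an added example, not from the lab or from Whitman and Mattord: it reads the Security log’s Audit Failure logon events (Event ID 4625, the same ID this lab researches later) for the last day, pulls the target account, source address and failure sub-status out of each event’s XML, and groups them so that many failures against one account from one source stand out from the scattered single failures a careless typist produces. It must be run from an elevated PowerShell session because, as the quoted text above notes, only administrators can read the Security log. The time window and the threshold are assumptions.

```powershell
# Added example (not from the lab): summarise Event ID 4625 (Audit Failure
# logon) events by account and source. Run elevated. Window and threshold
# are assumptions; tune them to your own environment.
param(
    [int]$Hours = 24,
    [int]$Threshold = 5   # failures per account/source before a row is flagged
)

function Get-LogonFailureSummary {
    param([int]$Hours, [int]$Threshold)
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $rows = foreach ($e in $events) {
        # Read the named fields from the event XML (the "Details" tab in Event
        # Viewer) instead of parsing the free-text message.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']     # 2 = interactive, 3 = network, 10 = RDP
            SubStatus = $data['SubStatus']     # 0xC000006A = wrong password, 0xC0000064 = unknown user
        }
    }

    $rows | Group-Object Account, Source | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Account   = $sorted[0].Account
            Source    = $sorted[0].Source
            Failures  = $_.Count
            First     = $sorted[0].Time
            Last      = $sorted[-1].Time
            # Unknown-user failures from one source are the classic guessing pattern;
            # a typo from a real user almost always yields "wrong password".
            UnknownUsers = @($sorted | Where-Object SubStatus -eq '0xc0000064').Count
            Suspect   = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Failures -Descending
}

$summary = Get-LogonFailureSummary -Hours $Hours -Threshold $Threshold
if ($summary) { $summary | Format-Table -AutoSize }
else { Write-Host "No 4625 events in the last $Hours hours" }
```

A row with Suspect set and a short interval between First and Last is the “consistent failures” case the step says to investigate; the Source column tells you whether the attempts came from the console (a blank or local address) or over the network.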
Figure L07-5 Event Viewer System Log
8. The Forwarded Events log documents log entries that were forwarded to an outside resource, like a dedicated log server. Log servers can collect information from multiple systems and look for patterns that could indicate a systematic problem, or an attacker looking at multiple systems for a vulnerability that would allow them access.
9. In the left pane, click on Applications and Services Logs. While Windows Logs show operating system-focused events, here you see specialized logs for installed applications and utilities like Internet Explorer, Microsoft Office applications and Windows PowerShell. Take a few minutes and scroll through the entries in these logs.
Assigning Tasks to Logs and Events
10. An interesting feature of the Event Viewer is its ability to perform a special task if there is an entry to a particular log, or a recurrence of a particular message. Back in the Event Viewer, look in the bottom right corner. Here are several tools an administrator can use to improve their ability to manage the logs. Click on the Windows Security log. Then, in the upper right menu, select Attach a Task to this Log…, indicated by the arrow in Figure L07-6.
Figure L07-6 Event Viewer Actions Menu
11. As shown in Figure L07-7, this brings up the Create Basic Task Wizard, where you can name this task. You would normally start by naming this task. We won’t be saving this task, so the information you put in isn’t important. Click the Next > button.
Figure L07-7 Event Viewer Create Basic Task Wizard for Log, step 1
12. In the next window, you would accept the default settings, as this particular task does not accept additional information. If your system does, it may have a different configuration than the example computer.
Figure L07-8 Event Viewer Create Basic Task Wizard for Log, step 2
13. Click the Next > button to go to the next step, where you will specify the action to be taken when this log has a new entry (see Figure L07-9). The system can start a specific program, send you an e-mail, or display a pop-up message on the screen.
Figure L07-9 Event Viewer Create Basic Task Wizard for Log, step 3
14. Unless this is your personal computer and you want to activate this task, click Cancel.
15. You can also assign a task to a specific event. Back in the Security log, scroll down to an Audit Failure event. If you were the administrator for this computer and wanted to be notified of another Audit Failure associated with this event, you would click the Attach Task To This Event option indicated by the arrow in Figure L07-10 below.
Figure L07-10 Event Viewer Attach Task to This Event
16. The process from here forward, as shown in Figure L07-11, is the same as the previous “Attach a Task”. You would name it, assign an action, then save it. Click Cancel when you’ve reviewed these steps.
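The wizard in steps 10 to 16 creates a Task Scheduler task with an event trigger; the same task can be defined from PowerShell, which is useful when you want to deploy it to more than one machine or keep it under version control. The following script is an added example, not from the lab or from Whitman and Mattord: it builds a trigger that fires on Event ID 4625 in the Security log, attaches an action that appends a timestamped line to a file, and only registers the task when run with -Register, so you can review the definition first, as step 14 advises. The task name and output file path are assumptions, and registration needs an elevated session.

```powershell
# Added example (not from the lab): define the event-triggered task the
# "Attach Task To This Event" wizard would create, from PowerShell.
# Task name and output file are assumptions. Run elevated to register.
param(
    [switch]$Register,
    [string]$TaskName = 'Notify-LogonFailure',
    [string]$LogFile  = "$env:ProgramData\logon-failures.txt"
)

# The subscription is the same XPath filter Event Viewer uses for custom
# views: Security log, Security-Auditing provider, Event ID 4625.
$subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4625)]]</Select>
  </Query>
</QueryList>
"@

function New-EventTrigger {
    param([string]$Subscription)
    # New-ScheduledTaskTrigger has no event-trigger form, so create the
    # MSFT_TaskEventTrigger CIM object directly, as the wizard does internally.
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                            -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Subscription = $Subscription
    $trigger.Enabled      = $true
    return $trigger
}

$trigger   = New-EventTrigger -Subscription $subscription
# Action: append one line per firing; cmd.exe keeps the command line simple.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' `
                 -Argument "/c echo %DATE% %TIME% Security event 4625 recorded >> `"$LogFile`""
# Run as SYSTEM so the task works whether or not a user is logged on.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$task      = New-ScheduledTask -Action $action -Trigger $trigger -Principal $principal `
                 -Description 'Added example: record each 4625 (logon failure) event'

if ($Register) {
    Register-ScheduledTask -TaskName $TaskName -InputObject $task | Out-Null
    Write-Host "Registered '$TaskName'. Remove it with:"
    Write-Host "  Unregister-ScheduledTask -TaskName '$TaskName' -Confirm:`$false"
} else {
    # Dry run: show what would be registered, the equivalent of reviewing
    # the wizard's summary page and then clicking Cancel.
    Write-Host "Trigger subscription:`n$($task.Triggers[0].Subscription)"
    Write-Host "Action: $($task.Actions[0].Execute) $($task.Actions[0].Arguments)"
    Write-Host "Run with -Register (elevated) to create the task."
}
```

Writing to a file is the simplest of the three actions the wizard offers; the “send an e-mail” and “display a message” actions are deprecated in current Windows versions, so a script or program is the action that still works reliably.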
Figure L07-10 Event Viewer Create Basic Task Wizard for Entry
Cleaning and Managing Event Viewer Logs
17. If you find your system has tens of thousands of entries like the example system, you may want to periodically delete the archived log files. While they’re typically small – this system’s Event Viewer logs were only 227.5 KB – it’s not a bad idea to keep the file small if you want to review it later. To clean up ALL log files, select File then Options from the Event Viewer menu at the top of the window.
18. As shown in Figure L07-12, here you can simply click the Delete Files button to empty out the log.
Figure L07-11 Event Viewer Disk Cleanup
19. To clean up a specific log, right-click the name of the log in the left view and select Clear Log, as shown in Figure L07-13.
Figure L07-12 Selected Log Menu Options
20. If you’d rather save the entries in your logs, there are two ways to do this. If you want to save an entire log, you would use the menu from Figure L07-13 above, and select Save All Events As…, which will open a Save File window and prompt you for a name. The default option saves the logs in a proprietary format (Event Files, .evtx), although you can change this to XML (.xml), Text (.txt) or CSV (comma separated, .csv) to allow review in a more user-friendly format.
21. If you just want to save a subset of a log’s entries, you can select those entries by clicking on the first entry, holding the Shift (to select sequential entries) or Control (to select individual entries) key, right-clicking, and selecting Save Selected Events… from the menu, as shown in Figure L07-14.
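Steps 17 to 21 clear and save logs by hand. Because a cleared log is gone for good, the safe order is archive first, then clear, and to set a size limit so the log is managed without anyone having to remember. The following PowerShell script is an added example, not from the lab or from Whitman and Mattord: it exports a log to the same .evtx format as Save All Events As…, writes a CSV copy beside it, records a SHA-256 hash of the archive so later tampering can be detected, sets the log’s maximum size and retention policy, and only clears the log if asked to. The archive folder and maximum size are assumptions; run it from an elevated session.

```powershell
# Added example (not from the lab): archive an event log (.evtx + CSV),
# hash the archive, set the log's size limit, and optionally clear it.
# Archive folder and size are assumptions. Run elevated.
param(
    [string]$LogName    = 'Security',
    [string]$ArchiveDir = "$env:ProgramData\EventLogArchive",
    [int]$MaxSizeMB     = 200,
    [switch]$ClearAfterArchive
)

function Export-EventLogArchive {
    param([string]$LogName, [string]$ArchiveDir)
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $evtx  = Join-Path $ArchiveDir "$LogName-$stamp.evtx"
    $csv   = Join-Path $ArchiveDir "$LogName-$stamp.csv"

    # wevtutil epl writes the native .evtx file that "Save All Events As..."
    # produces, keeping every field of every event.
    wevtutil epl $LogName $evtx
    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed for $LogName" }

    # A CSV copy (first line of each message) is easier to search or open
    # in a spreadsheet, which is the reason the lab offers the CSV option.
    Get-WinEvent -Path $evtx -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
        Export-Csv -Path $csv -NoTypeInformation

    # Record a hash so an altered archive can be detected later.
    $hash = (Get-FileHash -Path $evtx -Algorithm SHA256).Hash
    Add-Content -Path (Join-Path $ArchiveDir 'archive-hashes.txt') `
                -Value "$hash  $(Split-Path $evtx -Leaf)"
    [pscustomobject]@{ Evtx = $evtx; Csv = $csv; Sha256 = $hash }
}

function Set-EventLogLimits {
    param([string]$LogName, [int]$MaxSizeMB)
    $bytes = $MaxSizeMB * 1MB
    # /ms: maximum size in bytes. /rt:true /ab:true: when the log fills,
    # archive it automatically instead of overwriting the oldest events,
    # so that evidence is not silently lost on a busy system.
    wevtutil sl $LogName "/ms:$bytes" /rt:true /ab:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for $LogName" }
}

$archive = Export-EventLogArchive -LogName $LogName -ArchiveDir $ArchiveDir
Write-Host "Archived $LogName to $($archive.Evtx) (SHA-256 $($archive.Sha256))"
Set-EventLogLimits -LogName $LogName -MaxSizeMB $MaxSizeMB

if ($ClearAfterArchive) {
    # Same as right-click > Clear Log, but only after the archive exists.
    wevtutil cl $LogName
    Write-Host "Cleared $LogName"
}
```

The hash file is only useful if it is stored somewhere the person who could tamper with the archive cannot also edit, for example copied to the log server mentioned under Forwarded Events.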
Figure L07-13 Selected Events Menu Options
Researching Events
The last task you would perform should you find an anomaly in a log is to research it. This essentially involves web searches, looking at reputable sites for more information on a particular error.
1. Scroll back through the Windows logs and identify a number of Audit Failures, Warnings, and Errors. Then open a web browser and type the name of the error, and any Event ID that is associated with it.
2. At first you may have difficulty finding a reputable resource to help you. There are some support sites like https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx that have searchable encyclopedias of Windows Event Viewer ID codes, as shown in Figure L07-12 below. Go to this site now.
Figure L07-14 Ultimate Windows Security from Ultimate IT Security
3. Here you can scroll down the list and find the Windows Security Log Event ID from our example system (4625) and learn more about it. While this entry was rather obvious, and performed just for this lab, there are probably entries in your system that aren’t so obvious. Scroll down and select one of the Event IDs.
4. As shown in Figure L07-13, you can now find out more about the error, and even browse related links. Feel free to review several other log entries, and familiarize yourself with the process of researching these events. One day you’ll have a system issue and need to perform these steps to determine if the entry is malicious or a system or user error.
Figure L07-15 Ultimate Windows Security Entry for Event ID 4625.
Self-Reflection and Response
What are some of the reasons you would need to look at the Windows System log?
Briefly describe how you might manage the growth in the size of system log files. Why would you need to keep copies of log files?
How long do you think system logs should be retained?
Instructor’s Response
Resources
[1] How to use Event Viewer in Windows, https://kb.blackbaud.com/knowledgebase/articles/Article/75433
Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Footprinting, Scanning, and Enumeration
Hands-On Lab: Footprinting, Scanning, and Enumeration To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Footprinting, Scanning, and Enumeration
Table of Contents
Introduction
Objective
Estimated Completion Time
Materials Required
Minimum System Configuration
Network Reconnaissance with Command Line Tools
   Opening Command Window (CMD)
   Using nslookup
   Using ping
   Using traceroute
Web Reconnaissance with Web Browsers
   Opening Web site in Web Browser (CMD)
   Using page source
   Using Inspect
   Using Whois
   Using Other Web Resources
Scanning with Nmap
   Download and Install Nmap
   Use Nmap
Self-Reflection and Response
   Instructor’s Response
Introduction
In this set of labs, students learn how attackers perform reconnaissance on potential targets using a variety of tools to perform what is known as “Footprinting.” This process includes both researching information from printed resources as well as gathering facts that can be collected from online resources and through social engineering efforts.
Objective
Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
These activities will help you complete future labs in this course.
Estimated Completion Time
If students are prepared, they should be able to complete this lab in 40 to 60 minutes.
Materials Required
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked. Students will need to be able to invoke and run Windows PowerShell.
Minimum System Configuration
To complete the labs included, it is recommended that you operate them from a computer system (desktop or laptop) that is running Windows 10 and has:
• Intel i5 or better CPU
• 8 GB RAM (minimum) - 16 GB RAM (recommended)
• 1 TB Hard Drive with at least 250 GB free (minimum) - 350 GB free (recommended)
• Microsoft Windows 10 or latest version
Network Reconnaissance with Command Line Tools
This lab uses utilities available in most operating systems. Many of these tools, like nslookup, ping, traceroute, and whois, are command-line tools designed to assist network and systems administrators in debugging connections and systems. In the wrong hands, they provide information on the availability and identity of systems that can be used to exploit them.
Opening Command Window (CMD)
1. Open a command window by typing cmd in the Windows search bar and pressing Enter. You can also run these commands from Windows PowerShell.
Using nslookup
2. Type nslookup /? and press Enter. You should see the help menu for nslookup.
Figure L08-1 nslookup help menu
3. In interactive mode, nslookup puts the user in a session with the DNS system, whereas a plain lookup simply returns a response. Type nslookup cengage.com and press Enter. You should see a response like Figure L08-2, which gives you a) your DNS server and b) the IP address for the DNS server for Cengage. Repeat for your university’s domain (e.g. stateuniv.edu). For the Microsoft technical documentation, visit https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windowsxp/bb490721(v=technet.10)?redirectedfrom=MSDN.
Figure L08-2 nslookup for cengage.com
4. The same action can be performed using the web site at nslookup.io (see Figure L08-3). As some systems may be configured to prohibit nslookup queries, this may be a better alternative. The web site will also provide name server (NS) and mail server (MX) records, among others. Repeat your previous searches using this web site.
5. As nslookup gives you some fundamental information about the IP address range associated with a particular organization, the attacker may verify the availability of identified servers using ping, or may move to more detailed, yet equally available, services: traceroute and whois.
Figure L08-3 nslookup.io
Using ping
Ping is a systems utility designed to confirm the availability of a server. It was named for the sound made by sonar systems. Note that ping may be disabled on servers, at least on their public interfaces, as it is a tool commonly used as the basis for attacker tools and exploits.
6. In your command window, type ping /? and press Enter. Your results should be like Figure L08-4, with the basic command structure and available options.
Figure L08-4 ping /?
7. Ping works with either domain names or IP addresses. In your command window, type ping cengage.com and press Enter. You should receive a number of successful pings, including the time in milliseconds it takes for the ICMP echo request to travel to the Cengage server and return. (Note: for computer gamers, pings are often used to find a gaming server closer to the gamer, allowing quicker response and better performance!) If you were a systems administrator trying to figure out why you cannot communicate with a particular system, ping is very useful, as you can experiment with different troubleshooting techniques.
Figure L08-5 ping cengage.com results
You will notice in the previous example that the ping only used four messages before stopping. If you needed ping to continue non-stop, you would use the -t option, which continues until you press Ctrl + C to stop it. Attackers use ping to see if the system is up and responding to requests, which would then allow them to move to other tools to begin collecting additional information.
Using traceroute
Traceroute provides a listing of all of the intermediate servers and networking devices between the user and the target. Again, either IP addresses or DNS names may be used to perform a traceroute.
8. In your command window, type tracert /? and press Enter. You should see results like Figure L08-6.
Figure L08-6 tracert /?
9. Next, type tracert cengage.com and press Enter. This may take a minute as each “hop” between your system and Cengage’s server responds. As you can see from Figure L08-7, when a specific node doesn’t respond in time (times out), you get an asterisk (*) rather than a value. The traceroute continues, however, until you get to the destination. (Note: the gray box is to conceal the author’s home networks.)
Figure L08-7 tracert cengage.com results
10. You can see how the series of tools provides more and more information on the target and its networks and systems. If the target system were inside the organization’s network, and the network weren’t properly configured, the traceroute would include network addresses of internal systems. From here we go to web-based resources.
Web Reconnaissance with Web Browsers
This lab uses functions built into web browsers and web sites that support the development of web pages and the assignment of web addresses.
Opening Web site in Web Browser (CMD)
1. In your browser address bar, enter www.cengage.com and press Enter.
Using page source
2. Right-click on the web page and select View Page Source (note: this is the same command in Chrome, Firefox, and Edge).
3. If you are using Google Chrome, check the Line wrap box at the top. You should see results similar to Figure L08-8.
Figure L08-8 cengage.com view page source results
4. It may be startling to realize you can view the HTML code of most web pages. In the early days of web site design, the web developer would put a good deal of background information in the comments section of the HTML code, including their name, title, phone number, and address, so that if someone found an issue they would know whom to contact. Even today, organizations may put in information that they really don’t mean for the average user to be able to view. Attackers will look at this code for clues as to the type of web service, software, operating system, etc. Modern web design emphasizes removing any unnecessary information from the HTML code to minimize the chance that it can be used to assist an attacker.
5. Scroll down through the code and look for any information that you think an attacker might find useful. Repeat this exercise for your school’s home page.
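The review in step 5 can be automated for your own site: the script below is an added example written for this lab (it is not part of the lab or of any browser) that parses page source with Python’s html.parser and reports HTML comments containing contact or maintenance notes or software version strings, plus generator/author meta tags. The sample HTML, names, extension and version strings in it are constructed; the two regular expressions are assumed heuristics you would tune for your own pages.

```python
"""Audit page source for information that helps profile a site:
developer comments, generator/author <meta> tags and version strings.
Added example for this lab; SAMPLE_HTML is constructed, not a real site."""
from html.parser import HTMLParser
import re

# Constructed sample page source (fictional company, people and software).
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<!-- Site built by J. Doe, Web Services, x1234. Call if broken. -->
<meta name="generator" content="ExampleCMS 3.2.1">
<meta name="author" content="J. Doe">
<title>Example Corp</title>
</head><body>
<!-- TODO: remove admin link before go-live -->
<p>Welcome</p>
<!-- running on ExampleServer/2.4 -->
</body></html>"""

# Assumed heuristics: words that suggest contact details or maintenance
# notes, and "Product/1.2" or "Product 1.2.3" style version strings.
CONTACT_RE = re.compile(r"(call|phone|x\d{3,5}|@|admin|todo|fixme)", re.I)
VERSION_RE = re.compile(r"\b[A-Za-z][\w.-]*/?\s?\d+\.\d+(?:\.\d+)?\b")


class LeakFinder(HTMLParser):
    """Collects comments and identifying <meta> tags from page source."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        text = data.strip()
        reasons = []
        if CONTACT_RE.search(text):
            reasons.append("contact/maintenance note")
        if VERSION_RE.search(text):
            reasons.append("software version")
        if reasons:
            self.findings.append({"kind": "comment", "text": text,
                                  "reasons": reasons})

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)  # html.parser lowercases attribute names
        if a.get("name", "").lower() in ("generator", "author"):
            self.findings.append({"kind": "meta",
                                  "text": f"{a['name']}={a.get('content', '')}",
                                  "reasons": ["identifies software or person"]})


def audit_source(html):
    """Return a list of findings, in document order."""
    parser = LeakFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in audit_source(SAMPLE_HTML):
        print(f"[{f['kind']}] {f['text']}  <- {', '.join(f['reasons'])}")
```

Run it against a saved copy of your own site’s source (View Page Source, then save) rather than against someone else’s; anything it reports is a candidate for removal from the published HTML.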
Using Inspect
6. Most web browsers include additional developer tools to assist in web-site development; unfortunately, they also allow attackers to experiment with the web site’s code. Using your browser, right-click on the cengage.com home page and select Inspect. You should see results like Figure L08-9.
Figure L08-9 Google Chrome inspect cengage.com results
7. Using this tool, you can change the HTML code and observe the results. Since the editing only takes place on your system, it doesn’t constitute hacking. A talented attacker could, however, experiment to see what they can learn from manipulating the code.
Using Whois
Whois is another network service designed to provide information contained in the Internet’s online databases, like the DNS database and IP registries. Like the other tools, it’s useful to help system and network administrators troubleshoot problems. Also, like other tools, it can be used by attackers to learn more about an organization’s systems before attempting to directly access them.
8. In the web browser, go to www.internic.net. As shown in Figure L08-10, InterNIC is a public database that provides information on domain and IP registrations.
Figure L08-10 interNIC.net
9. Select the Whois menu option at the top. This will redirect you to https://lookup.icann.org/, as shown in Figure L08-11. ICANN is the non-profit Internet Corporation for Assigned Names and Numbers, responsible for coordinating the databases that manage Internet IP addresses and domain names.
Figure L08-11 ICANN.org
10. Type cengage.com in the space provided for Domain Names and press the Lookup button. You may have to click to accept the terms of the site in a popup to continue. Scrolling down, you should see the information shown in Figure L08-12. Here you will find some of the information previously viewed on the name servers, and domain registration information, among others.
Figure L08-12 icann.org cengage.com lookup results
11. At the bottom, you can expand the Raw Registry RDAP Response and the Raw Registrar RDAP Response to see the raw data of the various responses. You may notice that several fields contain the text “REDACTED FOR PRIVACY: Object redacted due to authorization.” This means the system has been set up to hide some information that could assist attackers. This is a relatively new update to the lookup function; previously the system would provide a list of all of the IP address ranges and other data associated with the lookup target. If you can’t get what you want here, you may be able to get it from another site.
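The raw RDAP response in step 11 is JSON, so the same registration data can be checked programmatically for your own domains. The following is an added example, not code from the lab or from ICANN: it summarizes an RDAP domain object (name servers, status, events and jCard contacts) and counts fields the registrar has marked “REDACTED FOR PRIVACY”, then applies a few registration-hygiene checks a domain owner would want (transfer lock present, at least two name servers, no registrant email exposed). The JSON document, domain, registrar and contact values are constructed placeholders in the RFC 9083 layout.

```python
"""Summarize an RDAP domain response like the 'Raw Registry RDAP Response'
shown by lookup.icann.org.  Added example; SAMPLE_RDAP is a constructed
record with placeholder values, not a real registry answer."""
import json

REDACTED = "REDACTED FOR PRIVACY"

# Constructed RDAP domain object (RFC 9083 shape, fictional values).
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-target.com",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "ns1.example-dns.net"},
        {"objectClassName": "nameserver", "ldhName": "ns2.example-dns.net"},
    ],
    "events": [
        {"eventAction": "registration", "eventDate": "2001-01-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2030-01-01T00:00:00Z"},
    ],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar, Inc."]]]},
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", REDACTED],
                                  ["org", {}, "text", "Example Target LLC"],
                                  ["email", {}, "text", REDACTED]]],
         "remarks": [{"title": REDACTED,
                      "description": ["Object redacted due to authorization."]}]},
    ],
})


def vcard_fields(entity):
    """Flatten a jCard array ([name, params, type, value] rows) to {name: value}."""
    props = entity.get("vcardArray", ["vcard", []])[1]
    return {prop[0]: prop[3] for prop in props}


def summarize_rdap(text):
    """Extract the fields a domain owner cares about from an RDAP JSON string."""
    doc = json.loads(text)
    summary = {
        "domain": doc.get("ldhName"),
        "status": doc.get("status", []),
        "nameservers": [ns["ldhName"] for ns in doc.get("nameservers", [])],
        "events": {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])},
        "contacts": {},        # role -> fields that are actually exposed
        "redacted_fields": 0,  # how many contact fields the registrar hid
    }
    for ent in doc.get("entities", []):
        fields = vcard_fields(ent)
        exposed = {k: v for k, v in fields.items()
                   if k != "version" and v != REDACTED}
        summary["redacted_fields"] += sum(1 for v in fields.values() if v == REDACTED)
        for role in ent.get("roles", []):
            summary["contacts"][role] = exposed
    return summary


def hygiene_findings(summary):
    """Registration checks for a domain you own; empty list means all clear."""
    findings = []
    if "client transfer prohibited" not in summary["status"]:
        findings.append("no registrar transfer lock")
    if len(summary["nameservers"]) < 2:
        findings.append("fewer than two name servers")
    for role, fields in summary["contacts"].items():
        if role != "registrar" and "email" in fields:
            findings.append(f"{role} email exposed: {fields['email']}")
    return findings


if __name__ == "__main__":
    s = summarize_rdap(SAMPLE_RDAP)
    print(json.dumps(s, indent=2))
    print("findings:", hygiene_findings(s) or "none")
```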
Using Other Web Resources
There are many other Internet resources that can be used to find out an organization’s IP address range. A quick web search finds ip-netblocks.whoisxmlapi.com/lookup. There are many others.
12. Using your web browser, go to ip-netblocks.whoisxmlapi.com/lookup (or a similar web site) and enter cengage.com into the lookup. You should see results like Figure L08-13, which found 56 separate IP address ranges for Cengage.
Figure L08-13 WhoisXMLAPI cengage.com results
13. An attacker could then use these address ranges in other, more sophisticated tools to begin probing the target’s systems to determine more about them. However, a) do not do this, and b) this concludes the “footprinting” section of the lab. Having started with just a domain name, you now know about the target’s DNS server, name servers, mail servers, and all of the IP address ranges that are assigned to the organization.
Scanning with Nmap
In this lab, students will scan a network to discover all systems and then inventory their operating systems and services. Systems administrators use Nmap regularly; however, so do attackers. Due to its free and open-source nature, it is a tool of choice for those who don’t wish to spend the funds on an expensive commercial competitor.
Download and Install Nmap
1. Begin by checking to see if Nmap has already been installed. If not, use a web browser and go to https://nmap.org/. There are many resources here beyond what this lab will entail, including a complete installation guide, documents, and references.
2. Click on the Download link on the left. For this lab, you will be downloading both Nmap and Zenmap, the graphical front end for Nmap. Nmap itself is a command-line utility; for our purposes, the Zenmap GUI will make our tasks easier. Scroll down to the Microsoft Windows binaries section shown in Figure L08-14 and click the link next to Latest stable release self-installer: in our case nmap-7.91setup.exe. You may see a newer edition, as Nmap is regularly updated and supported. Save the file to a directory you can easily access later.
3. Figure L08-14 Nmap download information
4. Once the download has finished, double-click the .exe to install, and agree to the License Agreement.
5. Accept the default settings in Choose Components and click Next >.
6. Specify the directory Nmap will install to and click Install.
7. You will be required to accept another License Agreement for Npcap (a packet capture utility) at this point, then specify installation options. We recommend accepting the defaults, unless you plan to scan a wireless network, in which case you can add that option. Click Install again.
8. Click Next once completed, then Finish.
9. Nmap will finalize the overall installation; select Next >, accept the Shortcuts by clicking Next > again, then click Finish one more time.
Use Nmap
Do NOT use Nmap on a network that you do not have explicit permission to scan. Legally you may only scan a network that a) you own, b) you have permission from the system’s owner to scan, and c) all users on that system know they may be scanned and have consented to such a scan. Normally the organization owns the network, the CEO or their designated representative (e.g. the CIO) gives permission, and all users acknowledge the need to scan the system in their annual security briefing and sign a document acknowledging this (along with a list of other necessary activities). Failure to follow these instructions can result in a loss of Internet service from your ISP and/or legal ramifications. Again, do NOT simply enter a target address and begin scanning. All examples are provided on a privately owned network by the system owner, with full knowledge by all users.
• The Nmap user’s guide is located at https://nmap.org/book/man.html.
• Portions of the book “The Official Nmap Project Guide to Network Discovery and Security Scanning” by Gordon “Fyodor” Lyon are available at https://nmap.org/book/toc.html.
• The portion of the book pertaining to Zenmap is located at https://nmap.org/book/zenmap.html.
10. Start Nmap by double-clicking the Nmap-Zenmap desktop icon or selecting it from the Windows menu. The Zenmap GUI will begin as shown in Figure L08-15 below.
Figure L08-15 Nmap Zenmap Interface
11. The first thing you should note is the Command window, which shows the command line for nmap with the default options. You can look up these options at https://nmap.org/book/man-briefoptions.html.
12. Begin with a ping scan, which simply pings all addresses in the assigned range. Select Ping scan in the pull-down menu next to Profile.
13. Next, specify the system(s) or network(s) by entering the IP address in the Target: field. The example network is a Class C address in the 10.X.X.X private networking class. The entry in the example is 10.0.0.0 /8, which tells the system that a) it’s an IPv4 address, b) it’s multiple systems on a network segment, and c) the right-most 8 bits are the host address and the rest are the network address. Since all the systems on this network are in this range (10.0.0.1 to 10.0.0.253), this simplifies the scan. Enter your assigned address range in this format:
a. IP address if one system
b. IP address and the CIDR extension, e.g. /8, for multiple systems on a network
Note: you can also use hyphenated ranges (e.g. 10.0.0.1-253). See https://nmap.org/book/man-target-specification.html for additional specifications.
14. Click Scan. Since this is a relatively simple scan, the response should be quick. As shown in Figure L08-16, you will see the MAC and IP addresses for any hosts the system detects. (Note: Since MAC addresses are hard coded to specific and identifiable devices, they’ve been redacted in the example.)
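Before clicking Scan it is worth knowing exactly how many addresses a target specification covers, because the CIDR prefix counts network bits from the left: 10.0.0.0/8 keeps only the first octet as the network portion and therefore spans 10.0.0.0 through 10.255.255.255 (16,777,216 addresses), while the 10.0.0.1 to 10.0.0.253 range described in step 13 is written 10.0.0.0/24 or, in hyphenated form, 10.0.0.1-253. The script below is an added example written for this lab (not Nmap code) that expands the target forms the lab mentions plus Nmap’s per-octet ranges, and adds a check that the whole scope lies inside the block you have been authorized to scan. It follows Nmap’s convention of counting the network and broadcast addresses of a CIDR block, which is why Nmap reports 256 addresses for a /24; the authorized block passed to within_authorized is an assumed input.

```python
"""Work out what an Nmap-style target specification covers before scanning.
Added example for this lab, not Nmap code.  Supports a single IP, CIDR
notation, and per-octet ranges such as 10.0.0.1-253 or 10.0.0-1.1-10."""
import ipaddress
import itertools
import math


def _octet_values(part):
    """'5' -> [5]; '1-253' -> [1..253]; '-' or '*' -> [0..255]."""
    if part in ("*", "-"):
        return list(range(256))
    if "-" in part:
        lo, hi = part.split("-", 1)
        lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 255)
    else:
        lo = hi = int(part)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet specification {part!r}")
    return list(range(lo, hi + 1))


def _octet_ranges(spec):
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unrecognized target {spec!r}")
    return [_octet_values(o) for o in octets]


def expand_targets(spec):
    """Enumerate every address in spec as strings (use only for small specs)."""
    spec = spec.replace(" ", "")
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    return [".".join(map(str, combo))
            for combo in itertools.product(*_octet_ranges(spec))]


def scan_scope(spec):
    """Count and bound the addresses a spec covers without enumerating them."""
    spec = spec.replace(" ", "")
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        count = net.num_addresses            # Nmap counts .0 and .255 too
        first, last = net.network_address, net.broadcast_address
    else:
        ranges = _octet_ranges(spec)
        count = math.prod(len(r) for r in ranges)
        first = ipaddress.IPv4Address(".".join(str(r[0]) for r in ranges))
        last = ipaddress.IPv4Address(".".join(str(r[-1]) for r in ranges))
    return {"spec": spec, "addresses": count, "first": str(first), "last": str(last)}


def within_authorized(spec, authorized_cidr):
    """True only if every address in spec lies inside the authorized block.
    Per-octet ranges are numerically contiguous between their first and last
    corner, so checking both corners against a CIDR block is sufficient."""
    scope = scan_scope(spec)
    net = ipaddress.ip_network(authorized_cidr, strict=False)
    return (ipaddress.IPv4Address(scope["first"]) in net
            and ipaddress.IPv4Address(scope["last"]) in net)


if __name__ == "__main__":
    for target in ("10.0.0.0 /8", "10.0.0.0/24", "10.0.0.1-253"):
        print(scan_scope(target), "authorized for 10.0.0.0/24:",
              within_authorized(target, "10.0.0.0/24"))
```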
Figure L08-16 Sample Nmap Ping Scan results
15. As is obvious from this example, the scanned network is a home network with several networked technologies. The “Internet of Things” has resulted in an explosion of networked technologies, which must be protected as well. These networked devices may be exploited by an attacker, resulting in unwanted breaches of privacy and loss of personal information.
16. Set the value in the Profile: field to Quick scan plus and click Scan. This will take longer than the previous scan (several minutes) but will provide more detailed information. It is generally recommended NOT to use the Intense scan, as there is a chance the scan can cause the scanned system to crash.
17. As you can see from Figure L08-17, you now get detailed information on the OS (as far as Nmap can determine) and open and available ports (color coded, no less). The two systems shown are in fact a managed Cisco network switch and a Dell Windows 7 PC.
18. When finished with the lab, close the Zenmap window. Uninstall if prompted by your instructor.
Figure L08-17 Nmap Quick scan plus results
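The detail shown in the Quick scan plus results (OS guess, open ports, services) is what an administrator turns into an asset inventory. Zenmap can save a scan as XML (Scan > Save Scan), which is the same format nmap produces with -oX. The following is an added example written for this lab, not Nmap or Zenmap code: it parses Nmap’s XML into one record per live host and flags two things a defender looks for on a home or lab network, legacy clear-text or file-sharing services and operating systems past end of support (Windows 7 support ended in January 2020). The XML document, addresses, MAC vendors, host names, product names and OS match strings are constructed to mirror the shape of real Nmap output; the lists of risky services and end-of-support OS markers are assumptions to adjust for your environment.

```python
"""Turn Nmap XML output into an asset inventory.  Added example for this
lab, not Nmap code; SAMPLE_XML is constructed in the shape of nmap -oX."""
import xml.etree.ElementTree as ET

# Constructed sample scan (private addresses, documentation MAC range,
# fictional vendor/product strings).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -T4 -O -F --version-light 10.0.0.0/24">
  <host><status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac" vendor="ExampleNet Switches"/>
    <hostnames><hostname name="switch.lab.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="ExampleSSH" version="2.0"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Example switch OS 15.x" accuracy="92"/><osmatch name="Embedded Linux 2.6" accuracy="85"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.25" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:02" addrtype="mac" vendor="Example PC Vendor"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="98"/></os>
  </host>
  <host><status state="down"/><address addr="10.0.0.30" addrtype="ipv4"/></host>
</nmaprun>"""

# Assumed policy lists; tune for your own network.
RISKY_SERVICES = {"telnet", "ftp", "rsh", "rlogin", "microsoft-ds"}
EOL_OS_MARKERS = ("Windows XP", "Windows 7", "Windows Server 2008")


def parse_nmap_xml(text):
    """Return one inventory record per host whose status is 'up'."""
    root = ET.fromstring(text)
    inventory = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        rec = {"ip": None, "mac": None, "vendor": None, "hostname": None,
               "os": None, "open_ports": [], "flags": []}
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                rec["ip"] = a.get("addr")
            elif a.get("addrtype") == "mac":
                rec["mac"], rec["vendor"] = a.get("addr"), a.get("vendor")
        hn = h.find("hostnames/hostname")
        if hn is not None:
            rec["hostname"] = hn.get("name")
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue  # closed/filtered ports are not services to inventory
            svc = p.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            rec["open_ports"].append((int(p.get("portid")), p.get("protocol"), name))
            if name in RISKY_SERVICES:
                rec["flags"].append(f"{name}/{p.get('portid')}")
        matches = h.findall("os/osmatch")
        if matches:  # keep Nmap's most confident guess
            best = max(matches, key=lambda m: int(m.get("accuracy", 0)))
            rec["os"] = (best.get("name"), int(best.get("accuracy")))
            if any(marker in best.get("name", "") for marker in EOL_OS_MARKERS):
                rec["flags"].append("end-of-support OS")
        inventory.append(rec)
    return inventory


if __name__ == "__main__":
    for rec in parse_nmap_xml(SAMPLE_XML):
        print(rec["ip"], rec["hostname"] or "-", rec["vendor"], rec["os"],
              [f"{port}/{proto} {name}" for port, proto, name in rec["open_ports"]],
              "FLAGS:" if rec["flags"] else "", ", ".join(rec["flags"]))
```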
Self-Reflection and Response
Some of the activities in this lab were flagged as being considered potentially hostile unless you have permission to do them. Why would a company want to keep network users from using these types of tools?
Can you think of reasons why you would need to be able to determine who controls a web address or web site?
What are some reasons you may want to use nmap on your own network?
Instructor’s Response
Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; AlienVault OSSIM
Hands-On Lab: AlienVault OSSIM To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; AlienVault OSSIM
Table of Contents
Introduction .... 2
  Objective .... 3
  Estimated Completion Time .... 3
  Materials Required .... 3
  Minimum System Configuration .... 4
  Data From Your Instructor .... 4
Setting up AlienVault OSSIM .... 4
  Downloading and Installing VMware Workstation 16 Player .... 4
  Downloading and Installing AlienVault OSSIM .... 5
  Starting AlienVault OSSIM .... 7
  Web UI Access .... 8
Configuring and Using AlienVault OSSIM .... 10
Self-Reflection and Response .... 23
  Instructor’s Response .... 23
Introduction
Many organizations have come to rely on security information and event management (SIEM) as a central element to empower a security operations center (SOC) to identify and react to the many events, incidents, and attacks against their information systems. SIEM’s roots are in the UNIX syslog approach to log file aggregation; for years, organizations and security professionals have sought ways to leverage existing systems and have them work together to maintain situational awareness, identify noteworthy issues, and enable response to adverse events. A SIEM system supports threat detection and informs many aspects of threat intelligence. It is also instrumental in managing aspects of compliance and vulnerability management. It often plays a pivotal role in an organization’s security incident management through data collection and analysis, by enabling near real-time and historical analysis of security events. It integrates data from multiple sources, including local events and contextual data sources. SIEM systems are derived from legacy log file monitoring systems and procedures.
AlienVault OSSIM (Open Source SIEM) provides a feature-rich, open source tool complete with event collection, normalization, and correlation. The software was created by security engineers because few open-source products were available to serve a critical need. AlienVault OSSIM addresses the challenges faced by security professionals with a unified platform that provides essential security capabilities, including the following:
• Asset discovery
• Vulnerability assessment
• Intrusion detection
• Behavioral monitoring
• SIEM event correlation
The OSSIM environment shown in Figure L09-1 would be a typical setup in a corporate setting. In this example, a sensor is used to collect multiple data sources. It then organizes the data through filtering, classification, and normalization before the information is sent to the OSSIM server. This type of deployment is typical because it allows the enterprise to do the following:
1. Place the sensors close to the source of data to speed up processing.
2. Offload the processing between the two system components to prevent overloading.
Note the various types of processes performed and information collected at the sensor. The sensor is responsible for network scanning, NetFlow collection, log collection, host intrusion detection system (HIDS) collection, and raw network traffic captures (NIDS). Once these data sources are collected and processed based on the setup, they will be forwarded to the OSSIM server for further enrichment based on the policies and rules that have been applied. These policies and rules should place context around events and allow the collected data to be interpreted more accurately.
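The collect, normalize, correlate sequence described above is easier to see in miniature. The script below is an added example written for this lab, not OSSIM code: it takes log lines from two different sources (an sshd syslog line and a web application’s key=value log), maps both onto one common event schema the way a sensor normalizes data, and then applies a correlation rule of the kind a server evaluates, raising an alert when a source address produces several failed logins and then a successful one within a short window. All log lines, host names and IP addresses are constructed (documentation address ranges), and the threshold of 3 failures in 5 minutes is an assumed tuning value.

```python
"""Minimal collect -> normalize -> correlate pipeline, in the spirit of what
a SIEM such as OSSIM does.  Added example; RAW_EVENTS are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from two sources: (source, raw line).  Addresses are
# from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
RAW_EVENTS = [
    ("sshd",   "Mar  9 10:00:01 host1 sshd[811]: Failed password for admin from 198.51.100.7 port 51000 ssh2"),
    ("sshd",   "Mar  9 10:00:04 host1 sshd[811]: Failed password for admin from 198.51.100.7 port 51001 ssh2"),
    ("sshd",   "Mar  9 10:00:09 host1 sshd[811]: Failed password for root from 198.51.100.7 port 51002 ssh2"),
    ("webapp", "2024-03-09T10:00:12Z level=INFO event=login_failed user=admin src=198.51.100.7"),
    ("sshd",   "Mar  9 10:00:15 host1 sshd[812]: Accepted password for admin from 198.51.100.7 port 51003 ssh2"),
    ("sshd",   "Mar  9 10:05:00 host1 sshd[813]: Failed password for bob from 203.0.113.9 port 40000 ssh2"),
    ("sshd",   "Mar  9 10:05:30 host1 sshd[814]: Accepted password for bob from 203.0.113.9 port 40001 ssh2"),
]

SSHD_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
WEB_RE = re.compile(r"^(?P<ts>\S+) level=\w+ event=(?P<event>login_\w+) user=(?P<user>\S+) src=(?P<src>\S+)")


def normalize(source, line, year=2024):
    """Map one raw line onto the common schema; None if the line is not parseable.
    Classic syslog lines carry no year, so the collector supplies one."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        outcome = "success" if m["result"] == "Accepted" else "failure"
    elif source == "webapp":
        m = WEB_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        outcome = "success" if m["event"] == "login_ok" else "failure"
    else:
        return None
    return {"ts": ts, "src_ip": m["src"], "user": m["user"],
            "outcome": outcome, "source": source}


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a source shows >= threshold failures followed by a success within window."""
    alerts = []
    failures = defaultdict(list)          # src_ip -> timestamps of failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src_ip"]
        if ev["outcome"] == "failure":
            failures[src].append(ev["ts"])
            continue
        recent = [t for t in failures[src] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"src_ip": src, "user": ev["user"],
                           "failures": len(recent), "at": ev["ts"]})
        failures[src].clear()             # a success resets the counter
    return alerts


def run_pipeline(raw=RAW_EVENTS):
    normalized = [n for n in (normalize(s, l) for s, l in raw) if n]
    return normalized, correlate(normalized)


if __name__ == "__main__":
    events, alerts = run_pipeline()
    print(f"normalized {len(events)} events from {len(RAW_EVENTS)} raw lines")
    for a in alerts:
        print(f"ALERT {a['at']}: {a['failures']} failures then success "
              f"for {a['user']} from {a['src_ip']}")
```

The point of the normalization step is visible in the result: the web application’s failed login counts toward the same source address as the sshd failures, which only works because both were mapped to the same src_ip and outcome fields first.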
Figure L09-1 OSSIM functional blocks (Source: https://cybersecurity.att.com/forms/webcast-thank-you/getting-started-with-ossim)
This lab uses a proof of concept (POC) deployment in a virtual environment that combines the server and sensor in a single system. This setup is fine for purposes of the lab but should never be deployed in an enterprise environment except for testing.
Objective
Upon completion of this activity, you will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Estimated Completion Time
If you are prepared, you should be able to complete this lab in 2-3 hours.
Materials Required
Completion of this lab requires the following software to be installed and configured on your workstation prior to beginning the procedure steps:
• Microsoft Windows 10, or another operating system version as specified by the lab instructor
• VMware Workstation 16 Player (or similar version)
• Internet access to download the specified software
Minimum System Configuration
To complete the labs included, it is recommended that you operate them from a computer system (desktop or laptop) that is running Windows 10 and has:
• Intel i5 or better CPU
• 8 GB RAM (minimum) - 16 GB RAM (recommended)
• 1 TB Hard Drive with at least 250 GB free (minimum) - 350 GB free (recommended)
• Microsoft Windows 10 or latest version
Data From Your Instructor
Your course instructor or lab supervisor will provide these details:

Data                                                                        Value
A static IPv4 address assigned to your virtual OSSIM system                 __________
The subnet mask to use on the local network                                 __________
The IPv4 address of the local network gateway                               __________
The IPv4 address of the DNS server                                          __________
Root password (created during installation)                                 __________
Local time zone (chosen during setup)                                       __________
Administrator password (chosen during setup and used through Web access)    __________
Setting up AlienVault OSSIM
Work through the steps in the following sections to install and explore the AlienVault OSSIM software.
Downloading and Installing VMware Workstation 16 Player
In the following steps, you will download and install a virtual host platform. If your lab instructor has provided you with instructions to use another version or another application, please follow those instructions.
1. Use a web browser to search for “VMware Workstation 16 Player download”. Locate the download link and download the free installer for your computer’s operating system. Run the installer, allowing the permissions for it to be installed as it progresses. You may be asked to reboot your computer.
Downloading and Installing AlienVault OSSIM
In the following steps, you will download AlienVault OSSIM, install it, and perform the initial configuration of the software.
2. Go to https://cybersecurity.att.com/products/ossim and click the blue Download AlienVault OSSIM ISO button. After you have downloaded the AlienVault OSSIM ISO file, you will install it to your virtual machine.
3. Start VMware Workstation Player and click the Create a new Virtual Machine link.
4. Choose the Installer disc image file (iso) option and click Browse.
5. When the navigation window opens, navigate to the folder where you saved the OSSIM ISO file, select the file, and then click Open.
6. When the navigation window closes, click Next.
7. In the Select a Guest Operating System window, click the Linux button, select Debian OS instance in the Version menu, and then click Next.
8. Give your virtual image a name, such as “OSSIM.”
9. Verify that the location is correct. If it is not, select the desired location.
10. Click Next.
11. Set the maximum disk size to 500 GB. Do not change the default option, “Split virtual disk into multiple files.” Click Next.
12. Click Customize Hardware.
13. In the left pane of the window, click Memory. Change the “Memory for this virtual machine” value in the right pane to 8192 MB.
14. Next, in the left pane, click Network Adapter, change the Network connection setting from NAT to Bridged, and then click Close.
15. Click Finish to complete the configuration of features in your virtual system.
16. To power on your virtual machine, click the Play virtual machine link.
17. If you are asked to download VMware Tools for Linux, select Remind Me Later.
18. If you are using VMware Workstation as the host virtual machine, here is a recap of the needed parameters:
• Operating System (OS): Linux Debian 8 x64
• Processors: 2 CPUs
• Memory: 8 GB
• Hard Drive: 500 GB (thin provisioned)
• CD-ROM: ISO File (point to the OSSIM ISO file you downloaded)
• Network Interface Cards (NICs): Add three more NICs for a total of 4 NICs
19. When you have created the VM guest instance and initiated the Debian OS instance, select Power on in your virtual machine environment to launch the OS installation. In the installation screen shown in Figure L09-2, select Install AlienVault OSSIM (64 Bit) and press Enter.
Figure L09-2 AlienVault OSSIM installation screen

20. The installation will take you through a series of setup options. Select appropriate options for the following settings. (The options used for testing are in parentheses.)
• Select Language: (English)
• Select Location: (United States)
• Keymap to use: (American English)
The installation then loads the necessary components and detects hardware settings.

21. Next, configure the network by assigning the following settings. (Your instructor may provide these addresses to you.)
• Choose the primary network interface. There should be four options; use ETH0 for the primary interface.
• IP Address: Select an IP address on the network that you have been assigned by your instructor. If using your own network, choose an address that is not in use.
• Netmask: Usually 255.255.255.0
• Gateway: The IP address for the network router/gateway (for example, 192.168.1.1)
• DNS Server Address: Usually the network router/gateway

The IP address you provide will be the Web address you use to access the Web user interface (UI) for AlienVault OSSIM later in this lab. Note: Record these addresses for future reference.

22. The installer will have you set up the root password. This will be used for the root login account in the AlienVault OSSIM OS. A separate account will be set up for console access. Record your OS password.
23. When prompted, set up your time zone.
The installation proceeds. It could take 35 minutes or longer, depending on machine resources.
Starting AlienVault OSSIM

When the installation has finished and the system has rebooted, you should see a login screen like the one in Figure L09-3.

Figure L09-3 Login screen that appears after installation

1. Log in to the system by using the root account and entering the password you designated during OS setup in the preceding section. In the upper-left corner of the next screen, you should see the IP address assigned during installation (see Figure L09-4). The OSSIM console should display several options, but no further configuration should be required from this screen.
Figure L09-4 AlienVault login management screen
Web UI Access

The next step is to access the Web UI and set up your administrator account for console access.

1. Open your web browser. In the navigation bar, enter the IP address you selected earlier in the setup process. If the browser displays a connection privacy warning, click Advanced and then click Proceed to <the IP address you entered>. You should see the page shown in Figure L09-5.
Figure L09-5 Administrator account creation

2. Create an administrator account on the Welcome page by filling in all the fields that have an asterisk (*) next to the field names. The username should be “admin.”
3. When you have completed the screen shown in Figure L09-5, a login screen appears. Log in to the system using admin as the username and the password created in the preceding screen.
4. Click Login to enter the Web UI. The program’s Getting Started Wizard appears, as shown in Figure L09-6.
Figure L09-6 AlienVault OSSIM Getting Started Wizard

5. Take a screen shot of this screen to submit to your instructor to show completion of the setup.
6. In the lower-left corner of the window, click Skip AlienVault Wizard. The system is ready to use.

Configuring and Using AlienVault OSSIM

1. If it isn’t already running, start the AlienVault OSSIM server in the virtual environment that was installed in the Module 7 lab. The system might take a few minutes to start completely. When the system is running, the virtual machine should display a login prompt, as shown in Figure L09-7.
Figure L09-7 AlienVault login prompt

2. Open a web browser on the local machine and navigate to the IP address you used in the previous lab by entering https:// followed by the IP address. A login screen should appear. If the browser displays a connection privacy warning, click Advanced and then click Proceed to <the IP address you entered>.
3. Log in through the web browser using admin as the username and the password you used previously.
4. When you first log in to OSSIM via a web browser, the OSSIM Getting Started Wizard appears. This wizard is the easiest way to get a system up and running. You will not use the wizard in this lab, but note that it provides the easiest way to configure multiple network interfaces for the OSSIM. Figure L09-8 shows how multiple network interfaces may be configured for various components of the SIEM system.
Figure L09-8 Network interfaces

The primary interface eth0 will be the management interface; this interface was set up during the initial installation in the previous lab. The IP address is the same one you used to log in through the web browser. Another IP address is used to collect log files for ingestion. In this case, administrators can forward syslog files from a firewall or other devices of interest to OSSIM using that IP address. Also, two network cards are configured for network monitoring. The interfaces would either collect raw packet data (sniff) or be connected to a device that sniffs network traffic, like a terminal access point (TAP). To collect this information, the network cards must be in promiscuous mode. Monitoring network traffic at this level requires special permissions from the network owner; in a virtual environment, it also requires a special configuration in VMware.

5. If the OSSIM Getting Started Wizard does appear, click Skip AlienVault Wizard in the lower-left corner.
6. Take a moment to examine the next screen that appears (see Figure L09-9). The top part of the screen displays who is logged in, the IP address the system is using, the internal system e-mail, a Settings menu, a Support menu, and a logout option. The Support menu provides a wealth of information about OSSIM setup and use. The next part of the screen displays five tabs—Dashboards, Analysis, Environment, Reports, and Configuration—that can be used to configure, monitor, and report on the environment.
Figure L09-9 AlienVault OSSIM dashboard

7. AlienVault OSSIM is designed to interface with the AlienVault OTX (Open Threat Exchange). This service includes both free and paid subscriptions that provide open-source intelligence (OSINT) to AlienVault OSSIM and can provide information and further context around malicious traffic and alerts in the environment. Analysts can sign up for this service, but it is not required in order to complete the lab assignment. If an analyst signs up, he or she will receive an API key that can be applied to OSSIM to allow OTX to interface with the system. Click the Configuration tab and then click Open Threat Exchange, as shown in Figure L09-10. You can add the API key and choose whether you want to share information with OTX from your environment. If you have registered for an account with OTX, you can add the key here or register and get a key.
Figure L09-10 AlienVault OSSIM open threat exchange

8. The next step is to define your network and perform an asset discovery. Click the Environment tab, click Assets & Groups, and then click the Networks tab, as shown in Figure L09-11.

Figure L09-11 AlienVault OSSIM Environment tab

9. You should have your network defined via CIDR notation in this tab. If you need to add a network, click the Add Network button on the right side of the page. You should see the window shown in Figure L09-12. For example, to capture the single 192.168.1.0 subnet, enter 192.168.1.0/24; for the entire 192.168.x.x range, enter 192.168.0.0/16. Other metadata can also be added, such as asset value, which allows for more emphasis to be placed on higher-value network assets (1 is the lowest value and 5 is the highest).
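The following Python script is an added example, not code from the lab or from AlienVault OSSIM. It makes the /24 versus /16 choice concrete by showing the host span each CIDR entry covers, and then does what an asset-value setting is for: it maps discovered hosts to the most specific defined network (longest prefix match) and orders them by asset value, flagging hosts that fall outside every defined network. The network inventory, asset values and discovered addresses are constructed for the demonstration.

```python
"""Work out what a CIDR network entry covers and map discovered hosts to the
most specific defined network and its asset value.

Added example, not code from the lab or from AlienVault OSSIM. The network
inventory, asset values and discovered addresses are constructed."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed inventory: (CIDR, name, asset value). The lab defines asset
# value as 1 (lowest) to 5 (highest).
NETWORKS: List[Tuple[str, str, int]] = [
    ("192.168.1.0/24", "Lab LAN", 3),
    ("192.168.0.0/16", "Corporate range", 2),
    ("10.10.5.0/24", "Server VLAN", 5),
]


def describe_network(cidr: str) -> Dict:
    """Return the usable host span of a CIDR entry (what /24 versus /16 means)."""
    net = ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # network and broadcast addresses are excluded
    return {
        "cidr": str(net),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "host_count": len(hosts),
    }


def classify_asset(ip: str, networks: Sequence[Tuple[str, str, int]] = NETWORKS) -> Optional[Dict]:
    """Longest-prefix match: a host in 192.168.1.0/24 belongs to that entry, not
    to the enclosing 192.168.0.0/16. Returns None for hosts outside every network."""
    addr = ip_address(ip)
    best = None
    for cidr, name, value in networks:
        net = ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best["prefixlen"]):
            best = {"network": str(net), "name": name,
                    "asset_value": value, "prefixlen": net.prefixlen}
    return best


def prioritize(discovered: Sequence[str], networks=NETWORKS) -> List[Dict]:
    """Order discovered hosts by asset value (highest first), then by address.
    Hosts matching no defined network get asset value 0 and network None; that
    is the list an analyst should review, because either the inventory is
    incomplete or the host does not belong on the network."""
    rows = []
    for ip in discovered:
        match = classify_asset(ip, networks)
        rows.append({
            "ip": ip,
            "network": match["name"] if match else None,
            "asset_value": match["asset_value"] if match else 0,
        })
    return sorted(rows, key=lambda r: (-r["asset_value"], ip_address(r["ip"])))


if __name__ == "__main__":
    for cidr, name, value in NETWORKS:
        print(name, describe_network(cidr))
    # Constructed asset-discovery result
    for row in prioritize(["192.168.7.9", "10.10.5.20", "172.16.0.1", "192.168.1.42"]):
        print(row)
```

Running the script shows that 192.168.1.0/24 yields 254 usable hosts while 192.168.0.0/16 yields 65,534, and that a host inside the lab subnet inherits the subnet's asset value rather than the lower value of the enclosing /16.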
Figure L09-12 AlienVault OSSIM new network entry

10. Still in the Assets & Groups menu, click Schedule Scan to see a list of scans set up in OSSIM. (Note that OSSIM uses Nmap for scanning and asset discovery.) To create a new scan, click Schedule New Scan on the right side of the window. The window shown in Figure L09-13 appears. Provide a name, sensor, targets to scan, scan type, timing template, and scan frequency. The Nmap tool will begin to scan when these settings are saved.
Figure L09-13 AlienVault OSSIM new asset scan

11. To see what assets have been discovered, click the Assets tab under the Assets & Groups menu. You can also click the Add Assets button on the right side of the screen to add more assets. Figure L09-14 shows the New Asset window.

Figure L09-14 Adding new assets

12. Next, you configure a vulnerability scan for the environment. Click the Environment tab at the top of the screen and then select the Vulnerabilities menu. OSSIM uses the OpenVAS vulnerability scanner.
13. When scanning for vulnerabilities, using valid credentials is preferred but not required. You can skip this step, but note that an analyst could click the Settings button on the right side of the screen and then enter a credential set into the system, as shown in Figure L09-15. For example, an analyst could enter credentials for one Windows system and scan that one system in the environment.
Figure L09-15 New credentials entry in AlienVault OSSIM

14. Still under Vulnerabilities, click the Scan Jobs tab and then click the New Scan Job button on the left side of the screen. Provide a job name, select a sensor, choose the default profile, and schedule the scan to occur immediately. You can also choose particular assets to scan from the tree on the lower-right side of the screen, as shown in Figure L09-16. Click Save when you finish. The scan should start in a minute or so. Be patient; it will take a while to complete.
Figure L09-16 Creating a scan job in AlienVault OSSIM

15. Once the vulnerability scan is complete, click the Overview tab to see the scan results. Figure L09-17 shows an example of information from a vulnerability scan. OSSIM provides a view of the overall vulnerabilities in the environment and a list of vulnerabilities found for each machine. Reports are available in HTML, PDF, and CSV format.

Figure L09-17 AlienVault OSSIM scan results

16. This lab comes with a report from a Windows 7 system that should clarify what the scanning tool can do. Open the LM8-Vulnerability-AV-OSSIM-ScanResult.pdf file and review the report.
17. Next, you will review the network intrusion detection system (NIDS). Click the Configuration tab and select Deployment from the menu to see the window shown in Figure L09-18. This window provides detailed information about system status, RAM usage, CPU usage, and new updates that are available.
Figure L09-18 AlienVault OSSIM Configuration tab

18. To get a more detailed view of the current system, click the spyglass icon indicated by the arrow in Figure L09-18. (Do not click the trash can icon.) The detailed view of the system status page is shown in Figure L09-19. Current RAM and CPU usage is displayed in addition to the assigned values of network cards and how much traffic they are receiving. You can use this view to check that NIDS devices are receiving traffic.
Figure L09-19 AlienVault OSSIM system status view
19. OSSIM also has a host intrusion detection system (HIDS) component and several versions of agents ready to deploy. Click the Environment tab again and select Assets & Groups from the menu. Examine the individual devices on the resulting page, as shown in Figure L09-20. OSSIM shows whether an HIDS agent has been deployed to each device. Select the spyglass icon next to Not Deployed to open the Assets Details page.
Figure L09-20 HIDS status

20. On the right side of the window, click the Action button and then choose the last option, Deploy HIDS Agent.
21. The Deploy HIDS window appears. Enter the correct username and password for the selected system, and enter the domain name if the system is within an enterprise. An HIDS agent will be deployed, although the process will take a few minutes. When the agent has finished installing without error, you can check the target system files under C:\Program Files (x86)\ossec-agent\ to confirm the installation. If you see the directory, you can look for a file named win32ui.exe and launch the application. Compare your results to those in Figure L09-21 to see if the installed service is running. If the ossec-agent directory is missing, a manual installation is required.
Figure L09-21 Deploying HIDS agent credentials in AlienVault OSSIM
You have completed the basic setup routines for AlienVault OSSIM. However, there are many more functions to consider when working in an enterprise environment. For example, you did not learn about specific plug-ins for other devices that assist in processing incoming data, such as logs.

22. When the SIEM system is processing the required data, you can go to the area of the software where analysts will spend most of their time. In the OSSIM console, click the Analysis tab and then choose Security Events (SIEM) from the menu to see the window shown in Figure L09-22.

Figure L09-22 AlienVault OSSIM Analysis tab

23. Note the various drop-down menus and ways to look at the information from the SIEM system. There are multiple ways to track down events. There are prebuilt time filters on the left side of the screen as well as custom dates and times that you can set. The bottom of the screen presents individual events as they are processed. The Data Sources menu includes multiple options for sorting events, most notably from HIDSs and NIDSs, as shown in Figure L09-23.
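The Python script below is an added example, not code from the lab or from AlienVault OSSIM. It ties together two steps of this lab: the syslog forwarding described under the network-interfaces discussion (a firewall sending its log lines to the collection interface) and the time-window and data-source filters of the Security Events view described here. It parses BSD-style (RFC 3164) syslog lines into normalized events, which is the job a SIEM collection plug-in does, then filters those events by time range and by data source. The log lines, host names, the "HIDS"/"firewall" data-source labels and the year applied to the timestamps (RFC 3164 timestamps carry none) are all constructed assumptions for the demonstration.

```python
"""Normalize forwarded syslog lines into SIEM events and filter them by
time window and data source.

Added example, not code from the lab or from AlienVault OSSIM: it shows the
kind of work OSSIM's collection plug-ins and the Security Events (SIEM)
filters do. The log lines, host names, data-source labels and the year
applied to the timestamps are constructed for the demonstration."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: BSD-style (RFC 3164) lines as a firewall and an OSSEC
# agent might send them to the collection interface. RFC 3164 timestamps
# carry no year, so ASSUMED_YEAR is supplied when they are parsed.
SAMPLE_LOG = """\
Mar 14 09:15:02 fw01 kernel: DROP IN=eth1 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=22
Mar 14 09:15:05 fw01 kernel: DROP IN=eth1 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=23
Mar 14 09:16:40 fw01 kernel: ACCEPT IN=eth0 SRC=192.168.1.25 DST=192.168.1.10 PROTO=TCP DPT=443
Mar 14 10:02:11 ws07 ossec: Alert level 7: Integrity checksum changed for '/etc/passwd'
Mar 14 11:45:00 fw01 kernel: DROP IN=eth1 SRC=198.51.100.9 DST=192.168.1.10 PROTO=UDP DPT=161
this line is not syslog and is counted as unparsed
"""
ASSUMED_YEAR = 2022  # assumption: supplies the year RFC 3164 omits

SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^:\s]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")  # SRC=..., DST=..., DPT=... pairs


def parse_line(line: str, year: int = ASSUMED_YEAR) -> Optional[Dict]:
    """Return a normalized event dict, or None when the line is not syslog."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                              "%Y %b %d %H:%M:%S")
    program = m["program"]
    # Data-source label (assumed naming, in the spirit of OSSIM's plug-in names):
    # OSSEC agent alerts are HIDS events; kernel firewall lines are firewall events.
    source = "HIDS" if program == "ossec" else "firewall"
    return {
        "timestamp": stamp,
        "host": m["host"],
        "program": program,
        "source": source,
        "message": m["msg"],
        "fields": dict(KV_RE.findall(m["msg"])),  # empty for free-text messages
    }


def parse_log(text: str) -> Dict:
    """Parse every line; keep the events and count lines that did not parse,
    because silently dropped lines are a gap in visibility, not just noise."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            unparsed += 1
        else:
            events.append(event)
    return {"events": events, "unparsed": unparsed}


def filter_events(events: List[Dict], start: str, end: str,
                  source: Optional[str] = None) -> List[Dict]:
    """Apply a time window (ISO strings; inclusive start, exclusive end) and an
    optional data-source filter, like the left-hand filters of the SIEM view."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in events
            if t0 <= e["timestamp"] < t1 and (source is None or e["source"] == source)]


def count_by_source(events: List[Dict]) -> Dict[str, int]:
    """Event count per data source, the breakdown the Data Sources menu gives."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e["source"]] = counts.get(e["source"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(f"parsed {len(parsed['events'])} events, {parsed['unparsed']} unparsed line(s)")
    morning = filter_events(parsed["events"], "2022-03-14 09:00:00", "2022-03-14 10:00:00")
    print("09:00-10:00 window:", count_by_source(morning))
    for e in filter_events(parsed["events"], "2022-03-14 00:00:00",
                           "2022-03-15 00:00:00", source="firewall"):
        print(e["timestamp"], e["host"], e["fields"].get("SRC"), "->", "port", e["fields"].get("DPT"))
```

The unparsed counter matters in practice: a SIEM that drops lines it cannot parse without counting them gives the analyst a falsely quiet picture, so the parse step reports what it rejected alongside what it kept.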
Figure L09-23 AlienVault OSSIM data sources

24. An analyst can also click an event of interest to see more details about it. Scroll down to the bottom of the detailed event view (Figure L09-24) to see the raw event log that generated it (Figure L09-25).
Figure L09-24 AlienVault OSSIM event details
Figure L09-25 AlienVault OSSIM raw log file

You have completed a basic walk-through of the OSSIM console and its configuration. Many more components, plug-ins, and modifications can be added to tune the OSSIM system for better reporting and performance. Consolidating the large amounts of data required in an enterprise is always complicated. The more accurate the SIEM system’s reporting is, the less time is wasted tracking down meaningless alerts.
Self-Reflection and Response

Attach the screen shot taken at completion of OSSIM setup or insert it here. Were you able to complete the setup, configuration, and use of OSSIM?
If you were not able to complete the setup and configuration, explain what went wrong.
Instructor’s Response
Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Image Analysis Using Autopsy
Hands-On Lab: Image Analysis Using Autopsy To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Image Analysis Using Autopsy
Table of Contents
Introduction 2
  Objective 2
  Estimated Completion Time 2
  Materials Required 2
Image Analysis Using Autopsy 2
  Downloading and Installing Autopsy 2
  Importing a Suspect Image File Using Autopsy 3
  Examining the Suspect Image File Using Autopsy 6
Self-Reflection and Response 12
  Instructor’s Response 12
Introduction

In this project, you will use Autopsy, the open-source digital forensics analysis tool (www.autopsy.com). Autopsy includes case management features, supports various types of file analysis, and allows searching and sorting of allocated, unallocated, and hidden files. Autopsy is a GUI front end for The Sleuth Kit, which is available at https://sourceforge.net/projects/sleuthkit. You do not need to download The Sleuth Kit separately. For more information on Autopsy, you can go to https://hub.packtpub.com/digitalforensics-using-autopsy/.

Objective

Upon completion of this activity, you will be able to perform basic drive image analysis using the Autopsy software package.

Estimated Completion Time

If you are prepared, you should be able to complete this lab in 45 to 70 minutes.

Materials Required

Completion of this lab requires the following software to be installed and configured on your workstation:
• Microsoft Windows 10, or another operating system version as specified by the lab instructor
• Autopsy version 4.17 (or similar version)
• The suspectdrive.img file provided with this lab on a USB drive, local folder, or accessible network share

Image Analysis Using Autopsy

This lab is separated into three parts:
• Downloading and installing Autopsy
• Importing a suspect image file
• Examining the suspect image file with Autopsy

Downloading and Installing Autopsy

1. Download the correct version of Autopsy from www.autopsy.com/download/. This lab uses the Windows 64-bit version 4.17 for demonstration.
2. Run the Autopsy.msi file.
3. In the Welcome to the Autopsy Setup Wizard, click Next.
4. Get the installation path from your instructor, specify this path in the Select Installation Folder window, and click Next.
5. Click Install.
6. If Windows prompts you about a User Account Control permission, click Yes.
7. Click Finish when the Completing the Autopsy Setup Wizard window appears. Autopsy should now be fully installed.

Importing a Suspect Image File Using Autopsy

1. Start Autopsy. If this is the first time the installation has been used, you may be prompted to enable the central repository. Click Yes.
2. Click New Case.
3. In the New Case Information window, enter the Case Name. Your instructor may provide details for this portion of the lab; otherwise, enter R Lawne Investigation as the Case Name.
4. Specify a unique folder for the case files by clicking the Browse button and selecting or creating a folder. You can also enter a folder name in the Base Directory field.
5. Leave the Case Type field as Single User and click Next.
6. For the Case number, use a number provided by your instructor or make one up yourself.
7. Enter the remaining information in the appropriate fields.
8. Click Finish when you have entered the information. The software generates the appropriate files and displays the Add Data Source window, as shown in Figure L10-1.
Figure L10-1 Autopsy’s Add Data Source window

9. As Step 1 of the procedure listed on the left side of Figure L10-1, click the Disk Image or VM File button to add the image file provided by your instructor. Click Next.
10. As Step 2 (Select Data Source) in the Add Data Source window, click Browse next to the Path field and navigate to the suspectdrive.img file on your system or USB drive. If your instructor has provided this file to you on an external drive or network location, save it to a USB drive and copy the file to the case folder you specified earlier. You may need to leave the Autopsy window for a moment to move the file to a location you can access. When Autopsy has accessed the file, it will copy the file to the folder you specified earlier.
11. Make sure the Time Zone value is correct in the window.
12. In an actual investigation, you would enter the hash values for the .img file into the fields provided for entry into your case records. Figure L10-2 shows these values calculated with the HashCalc tool from SlavaSoft; this tool is available from www.slavasoft.com/hashcalc/. If your instructor wants you to do so, you can download and run the tool, copying the hash values to Autopsy.
Figure L10-2 HashCalc values for suspectdrive.img

13. Click Next.
14. As Step 3 (Configure Ingest Modules) in the Add Data Source window, simply click Next.
15. Step 4 (Add Data Source) in the window should indicate that the “Data source has been added to the local database. Files are being analyzed.” Click Finish to complete the import.
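The Python script below is an added example, not code from the lab, from Autopsy or from HashCalc. It performs the integrity check that step 12 describes: computing the MD5, SHA-1 and SHA-256 values of an image file in a single chunked pass (so an image larger than available memory is handled the same way as a small one) and comparing them with the values recorded at acquisition. The sample image bytes and the "recorded" values in the demonstration are constructed; with a real case you would point hash_file at suspectdrive.img and pass the values from the acquisition record to verify_hashes.

```python
"""Compute and verify the hash values of a drive image before it goes into
the case record, the check the lab performs with HashCalc.

Added example, not code from the lab, from Autopsy or from HashCalc. The
image contents and the 'recorded' values used in the demonstration are
constructed. The file is read in chunks so that an image larger than
memory hashes just as well as a small one."""
import hashlib
import io
import os
import tempfile
from typing import BinaryIO, Dict

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 1024 * 1024  # 1 MiB per read


def hash_stream(stream: BinaryIO, chunk_size: int = CHUNK_SIZE) -> Dict[str, str]:
    """Feed the stream through all three digests in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, chunk_size: int = CHUNK_SIZE) -> Dict[str, str]:
    """Hash an image file on disk, e.g. suspectdrive.img."""
    with open(path, "rb") as f:
        return hash_stream(f, chunk_size)


def hash_bytes(data: bytes, chunk_size: int = 4) -> Dict[str, str]:
    """Hash an in-memory buffer; the tiny default chunk exercises the chunked path."""
    return hash_stream(io.BytesIO(data), chunk_size)


def verify_hashes(computed: Dict[str, str], recorded: Dict[str, str]) -> Dict[str, bool]:
    """Compare recorded values with computed ones, ignoring hex case and
    surrounding whitespace. Only algorithms present in both dicts are compared,
    so a record that lists SHA-256 alone is still checked."""
    return {name: computed[name].lower() == value.strip().lower()
            for name, value in recorded.items() if name in computed}


if __name__ == "__main__":
    # Constructed stand-in for suspectdrive.img: a few MiB of repeating bytes.
    data = b"constructed image sector " * 200_000
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "suspectdrive.img")
        with open(path, "wb") as f:
            f.write(data)
        computed = hash_file(path)
        for name, digest in computed.items():
            print(f"{name:7} {digest}")
        # In a real case the second argument comes from the acquisition record.
        print("verification:", verify_hashes(computed, hash_bytes(data)))
```

A mismatch in any algorithm means the copy being analyzed is not the acquired image, and the analysis should stop until the discrepancy is explained; that is why the comparison returns a per-algorithm result rather than a single boolean.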
Examining the Suspect Image File Using Autopsy

Normally, an investigation would begin with alleged misconduct or criminal activity against a suspect. Forensic investigators would legally seize all computer media and image them so that analysis would not risk modifying the original evidence. The image files can then be copied and analyzed with tools like Autopsy, FTK, or EnCase. The analysis performed with these tools would be framed by instructions stating what a prosecutor or defense attorney is looking for, such as “Any files, communications, or other computer-based information associated with X, as well as any other clearly illegal or unauthorized activity.” If a forensic investigator were looking for evidence related to embezzlement in a corporate case but found evidence of other crimes, the evidence could be used to expand any legal charges against the suspect. (Technically, investigators look for items of evidentiary value, not evidence. Only when the information is entered into a legal proceeding does it become evidence.) In the case of Richard S. Lawne, the suspect is accused of teaching inappropriate content in a school.

1. Restart Autopsy, if necessary, and select the case created in the previous steps. Your system layout should look similar to that in Figure L10-3.

Figure L10-3 Autopsy after image import

2. In the left pane of the window, click the plus sign next to Data Sources, and then click the suspectdrive.img filename. You can resize the window shown to more easily view the files in the upper-right pane. You should see a listing of items contained in the image, as shown in Figure L10-4.
Figure L10-4 Contents of suspectdrive.img

Several file types are automatically identified by Autopsy. It finds hidden files and deleted files on the imaged drive.

3. In the left pane of the window under the Views menu, click the plus sign next to File Types. Next, under File Types, click the plus sign next to Extension and then click Images. The window shows all undeleted graphics contained in the imaged drive. If you click in the list on the right side of Figure L10-4, the display will look like that in Figure L10-5.
Figure L10-5 Analysis using Autopsy

4. Click the plus sign next to the Deleted Files option on the left side of the window, and then click the All option. You see all files that were deleted but are still intact on the suspect’s drive. Scroll through the various images. Can you guess what Richard S. Lawne is accused of?
5. If you were the investigator, you could “tag” files that you felt were related to the charges or represented new crimes. Autopsy will add these files to the case file. To tag files and add them to the case file, select the file in the upper-right pane, right-click the file, select Add File Tag, and then specify which tag you want to assign (see Figure L10-6).
Figure L10-6 Adding a file tag

6. In the Add File Tag submenu, you could select a follow-up tag for information you think is related but you need to investigate further, or you could select a definitive tag by clicking Tag and Comment. In the window that appears, you can specify the tag type and enter comments, as shown in Figure L10-7.
Figure L10-7 Select Tag option

7. Go ahead and tag a few files. Afterward, notice that the tagged files are easily accessible at the bottom of the left menu under the Tags option. This allows you to revisit the images in later sessions.

8. You can extract files from the image by right-clicking the filename in the upper-right pane (the same file list you used for tagging) and selecting Extract. In the Save window that appears, you can specify where to save the extracted file. The extracted copy is a working copy; the evidence image itself is not modified.

9. Click the Discovery menu at the top of the Autopsy window. The Discovery feature allows you to search the image with specific parameters, such as file type, file size, and commonality. Specify the following parameters by checking the box next to each field and selecting the indicated options. Next, click Search.
• Images
• File Size: XSmall, Small, and Medium
• Data Source: suspectdrive.img
• Past Occurrences: Common, Rare, and Unique

10. The files found in the search appear in a new window, as shown in Figure L10-8.

11. A real investigation could involve dozens of imaged drives and thousands of files and images that must be reviewed and determined to be relevant or not. Select and tag all files that support the charges that Richard S. Lawne is teaching evolution. If you suspect that a file is relevant but you are not sure, use the Follow Up tag shown in Figure L10-7. If you are confident that a file provides evidence that Lawne is teaching evolution, use the Notable tag.
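The Discovery filter above can be reproduced outside the GUI, which is useful when a case has dozens of images and you want the same triage over an exported file set. The following Python script is an added example, not part of this lab or of Autopsy itself: it identifies images by their leading bytes (so a JPEG renamed to .txt is still found), sorts hits into size buckets, and labels each by how many files share its SHA-256, in the spirit of Autopsy's Past Occurrences filter. The size buckets, the occurrence cut-offs and the constructed sample tree are assumptions made for the demo, not Autopsy's thresholds.

```python
"""Reproduce the Discovery filter outside the Autopsy GUI: find image files by
signature rather than extension, bucket them by size, and label them by how
often identical content recurs. Added example, not Autopsy's own code. The
size buckets and occurrence cut-offs are assumptions for this demo, not
Autopsy's exact thresholds."""
import hashlib
import os
import tempfile
from collections import Counter

# Leading bytes (magic) of common image formats; these are the real headers.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}

# Assumed size buckets in bytes (upper bound, exclusive).
SIZE_BUCKETS = [("XSmall", 16 * 1024), ("Small", 100 * 1024),
                ("Medium", 1024 * 1024), ("Large", 50 * 1024 * 1024)]


def sniff_image_type(path):
    """Return the image format named by the file's leading bytes, else None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for sig, name in IMAGE_SIGNATURES.items():
        if head.startswith(sig):
            return name
    return None


def size_bucket(nbytes):
    for label, limit in SIZE_BUCKETS:
        if nbytes < limit:
            return label
    return "XLarge"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def discover_images(root, buckets=("XSmall", "Small", "Medium")):
    """Walk root, keep files whose *content* is an image and whose size falls
    in `buckets`, and label each by how many files share its SHA-256."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            kind = sniff_image_type(path)
            if kind is None:
                continue
            bucket = size_bucket(os.path.getsize(path))
            if bucket not in buckets:
                continue
            found.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                          "type": kind, "ext": os.path.splitext(name)[1].lower(),
                          "bucket": bucket, "sha256": sha256_of(path)})
    counts = Counter(f["sha256"] for f in found)
    for f in found:
        n = counts[f["sha256"]]
        # Assumed labels: one copy = Unique, two = Rare, three or more = Common.
        f["occurrence"] = "Unique" if n == 1 else "Rare" if n == 2 else "Common"
    return sorted(found, key=lambda f: f["path"])


def build_demo_tree():
    """Constructed sample data: tiny files carrying real image headers, one
    disguised with a .txt extension, one duplicated, one too large."""
    root = tempfile.mkdtemp(prefix="discovery_demo_")
    os.makedirs(os.path.join(root, "hidden"))
    files = {
        "a.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 500,
        "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 500,   # JPEG renamed as text
        "b.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 20000,
        "hidden/.c.gif": b"GIF89a" + b"\x00" * 300,
        "hidden/c_copy.gif": b"GIF89a" + b"\x00" * 300,     # same bytes as .c.gif
        "hidden/c_copy2.gif": b"GIF89a" + b"\x00" * 300,    # and again
        "readme.md": b"# just text\n",                       # not an image
        "big.bmp": b"BM" + b"\x00" * (2 * 1024 * 1024),     # Large: filtered out
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in discover_images(build_demo_tree()):
        print(hit)
```

The point of sniffing the header instead of trusting the extension is the same reason Autopsy keeps a By MIME Type view: a suspect who renames pictures to hide them defeats an extension filter but not a signature check. The occurrence label is what lets a reviewer set aside files that recur in every drive (wallpapers, icons) and concentrate on the unique ones.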
Figure L10-8 Discovery Editor search results

12. After you have tagged all suspicious items, select the Generate Report menu at the top of the Autopsy window.

13. Specify HTML Report, enter Richard S. Lawne Investigation as the Header, enter your name as the Footer, and then click Next.

14. Ensure that suspectdrive.img is selected in the "Select which data source(s) to include" window.

15. Ensure that All Tagged Results is selected in the Configure Report window, and then click Finish.

16. Click Close when the report has been generated.

17. The report is available in the left menu, at the bottom under Reports. Open this menu and double-click the file. Open the file in the web browser of your choice. Your instructor may want you to print the file to a PDF or save it to an external drive before submitting it.
Self-Reflection and Response Attach the final report. Were you able to complete the setup, configuration, and use of Autopsy?
If you were not able to complete the setup and configuration, explain what went wrong.
Instructor’s Response
Instructor’s Manual for Hands-On Labs: Whitman and Mattord, Principles of Information Security, Seventh Edition
Instructor’s Manual for Hands-On Labs Whitman and Mattord, Principles of Information Security, Seventh Edition
Table of Contents
Introduction (page 2)
Module 1: Ethical Considerations in IT and Detecting Phishing Attacks (page 3)
Module 2: Web Browser Security (page 5)
Module 3: Malware Defense (page 6)
Module 4: Windows Password Management (page 7)
Module 5: Backup and Recovery and File Integrity Monitoring (page 8)
Module 6: OS Processes and Services (page 9)
Module 7: Log Management & Security (page 10)
Module 8: Footprinting, Scanning & Enumeration (page 11)
Module 9: AlienVault OSSIM (page 12)
Module 10: Image Analysis Using Autopsy (page 14)
Introduction
Welcome to the instructor's manual for the labs that support Principles of Information Security, 7th edition.

Recommended Usage of Lab Modules
There is no direct linkage between the labs provided and the textbook. To provide such a linkage would result in multiple labs for some textbook modules and none for others. Instead, 10 lab modules are provided, many with multiple sub-labs, from which instructors can select and structure what is suitable for their classes. It is recommended that instructors read through the labs and the corresponding instructor's guides carefully and determine what resources and coordination are needed on their part before assigning them to students. Students may have access to the labs themselves but should not have access to the guidelines that assist instructors in getting ready for the labs. In general, the labs start relatively easy and slowly progress in difficulty. None require the purchase of software, and with a few exceptions they may be performed at home or in a university computer lab. The labs provided include some of the "why" the software is useful, as well as the "how" to use it. None are designed to make experts of the students; they fall in the category of "familiarization." When complete, students can confidently tell a potential employer, for example, "yes, I've used Nmap." We recommend that before instructors assign a lab they give students an overview of the purpose of the lab and what the students should derive from the experience. It is also recommended that instructors clearly specify what deliverables, if any, are expected. Each lab includes a simple set of questions which, when completed, demonstrate that the student has completed the lab. Instructors may wish to supplement these assessments by requiring screenshots or by providing additional or replacement questions. Instructors are also encouraged to expand upon these labs, adding more complexity or detail as they see fit. There are also many other open-source or freeware software applications available. These labs simply choose some of the easier ways to access applications, in many cases those functions of operating systems and web browsers that can be used to emphasize key security aspects of personal and organizational end-user computing.

Recommended System Requirements
These labs take advantage of the flexibility provided by virtual machine environments. Students should have access to a workstation or laptop with at least four cores, although two cores and two threads would also work. Student computers should also have 8 GB of RAM, a minimum of a 1-TB hard drive, and USB 3.0. These labs were tested using a Microsoft Surface device with an Intel i5 processor, 8 GB of RAM, and a 128-GB hard drive, with an external USB 3.1 1-TB solid-state drive for virtual machine storage.
Module 1: Ethical Considerations in IT and Detecting Phishing Attacks

Purpose of Lab Module
Upon completion of this activity, students will have a better understanding of the ethical expectations of IT professionals and be able to identify several types of social engineering attacks that use phishing techniques.

Estimated Completion Time
If students are prepared, they should be able to complete these assignments in 75 to 95 minutes.

Infrastructure Comments
No additional infrastructure is required.

Data Provided to Students
No additional information is required for this lab.
Rubrics and Evaluation
The Ethical Considerations in IT exercise has a self-reflection exercise. The Detecting Phishing Attacks exercise includes written response pages. Students receive a point apiece for identifying each of the following elements in the 10 example e-mails listed in the "Test Your Knowledge" section of the lab.

Example 1: Dropbox Transfer (3 points)
• The message does not use a correct name; other details are also incorrect.
• The address does not look authentic.
• The message has an unexpected attachment.

Example 2: Congratulations you have won (4 points)
• The message does not use a correct name; other details are also incorrect.
• The address does not look authentic.
• There are misspelled words and improper grammar.
• The message has an unexpected attachment.

Example 3: Bears Moving Co Booking Confirmation (1 point)
• This is a legitimate e-mail.

Example 4: Sextortion E-mail (3 points)
• The address does not look authentic.
• There are misspelled words and improper grammar.
• The message wants you to send money.

Example 5: Payment Advice Notification (3 points)
• The message does not use a correct name; other details are also incorrect.
• The address does not look authentic.
• The message has an unexpected attachment.

Example 6: I Send The Money To Your Name See Payment Copy In Attach (4 points)
• The message does not use a correct name; other details are also incorrect.
• The address does not look authentic.
• There are misspelled words and improper grammar.
• The message has an unexpected attachment.

Example 7: Please I Need Ur Help!! (4 points)
• The message does not use a correct name; other details are also incorrect.
• The address does not look authentic.
• There are misspelled words and improper grammar.
• The message wants you to send money.

Example 8: FDIC (5 points)
• The message asks for sensitive information.
• The message does not use a correct name; other details are also incorrect.
• The address does not look authentic.
• There are misspelled words and improper grammar.
• Links in the message seem suspicious.

Example 9: Dear Friend (5 points)
• The message asks for sensitive information.
• The message does not use a correct name; other details are also incorrect.
• The address does not look authentic.
• There are misspelled words and improper grammar.
• The message wants you to send money.

Example 10: Norton LifeLock (3 points)
• The message does not use a correct name; other details are also incorrect.
• The address does not look authentic.
• There are misspelled words and improper grammar.
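Most of the indicators in this rubric can be checked mechanically; only spelling and grammar need a dictionary and human judgement. The script below is an added example for this page, not part of the lab material: it parses a raw message with Python's standard email module and reports which rubric items are present (generic greeting or missing recipient name, a display name that claims a brand whose real domain differs or a Reply-To steered to another domain, an attachment, money or credential requests, and a link whose visible text names one domain while its href points to another). The brand-to-domain table, the keyword lists and the two constructed sample messages are assumptions for the demo.

```python
"""Mechanical checks for the indicators the rubric scores: no correct name,
inauthentic sender address, unexpected attachment, request for money or for
sensitive data, and deceptive links. Added example for this page, not the
lab's material. Spelling and grammar are not checked (that needs a
dictionary). Brand/domain pairs and keyword lists are assumptions for the demo."""
import re
from email import message_from_string
from email.utils import parseaddr

BRAND_DOMAINS = {"dropbox": {"dropbox.com"}, "fdic": {"fdic.gov"},
                 "norton": {"norton.com", "nortonlifelock.com"}}   # assumed
GENERIC = re.compile(r"\b(dear|hello|hi)\s+(friend|customer|user|sir|madam|beneficiary)\b", re.I)
MONEY = re.compile(r"\b(wire|western union|bitcoin|gift card|send (?:me )?(?:the )?money|transfer fee)\b", re.I)
SENSITIVE = re.compile(r"\b(password|ssn|social security|account number|pin|date of birth)\b", re.I)
HREF = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr_or_url):
    """Host part of a mailbox or URL, lower-cased; empty string if none."""
    m = re.search(r"@([\w.-]+)|https?://([\w.-]+)", addr_or_url)
    return ((m.group(1) or m.group(2)) if m else "").lower()


def phishing_indicators(raw, recipient_name=None):
    """Return the rubric indicators present in one RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    text = "\n".join(str(p.get_payload()) for p in msg.walk()
                     if p.get_content_type() in ("text/plain", "text/html"))
    hits = []

    # 1. Does not address the recipient by name.
    if GENERIC.search(text) or (recipient_name and
                                recipient_name.lower() not in text.lower()):
        hits.append("no correct name")
    # 2. Address not authentic: display name claims a brand whose real domain
    #    differs, or replies are steered to a different domain than the sender.
    claimed = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    if (claimed and from_dom not in BRAND_DOMAINS[claimed]) or (
            reply_dom and reply_dom != from_dom):
        hits.append("inauthentic address")
    # 3. Unexpected attachment (any MIME part carrying a filename).
    if any(p.get_filename() for p in msg.walk()):
        hits.append("unexpected attachment")
    # 4. Wants money.  5. Asks for sensitive information.
    if MONEY.search(text):
        hits.append("wants money")
    if SENSITIVE.search(text):
        hits.append("asks for sensitive information")
    # 6. Link whose visible text names one domain while the href goes elsewhere.
    if any(domain_of(label) and domain_of(label) != domain_of(href)
           for href, label in HREF.findall(text)):
        hits.append("suspicious links")
    return hits


# Constructed sample messages (not the lab's examples).
SAMPLE_PHISH = """\
From: "Dropbox Transfer" <share-notice@dropb0x-files.example>
To: recipient@example.com
Reply-To: collect@freemail.example
Subject: Dropbox Transfer
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

Dear Customer,<br>
A file is waiting for you: <a href="http://dropb0x-files.example/login">https://www.dropbox.com/transfer</a><br>
Confirm your password to view it.
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsDBA==
--b1--
"""

SAMPLE_LEGIT = """\
From: "Bears Moving Co" <bookings@bearsmoving.example>
To: Pat Lee <pat@example.com>
Subject: Booking Confirmation
Content-Type: text/plain

Hi Pat,
Your move is confirmed for 14 June. Reply to this message if anything changes.
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH))
    print("legit:", phishing_indicators(SAMPLE_LEGIT, recipient_name="Pat"))
```

The link check is the one students most often miss when reading by eye: the visible text is a real-looking dropbox.com URL, but the href, which is what the browser follows, goes to the look-alike domain. A mail client's hover preview shows the same thing the regex extracts here.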
Module 2: Web Browser Security

Purpose of Lab Module
Upon completion of this activity, students will be able to review and configure the security and privacy settings in the most popular Web browsers.

Estimated Completion Time
If students are prepared, they should be able to complete all tasks in this project in 60 to 90 minutes.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked.

Data Provided to Students
No additional information is required for this lab.

Rubrics and Evaluation
There is a student response form included for this lab.
Module 3: Malware Defense

Purpose of Lab Module
Upon completion of this activity, students will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use ClamAV on a Windows system.
• Use a USB storage device to create a portable AV scanner.
• Understand what a YARA file is and how it is used.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 60 to 90 minutes.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked. Students will need to have, or be provided with, a USB memory device of at least 4 GB.

Data Provided to Students
No additional information is required for this lab.

Rubrics and Evaluation
There is a student response form included with this lab.
Module 4: Windows Password Management

Purpose of Lab Module
Upon completion of this activity, the student will be able to:
• Review and configure password management policies on a Windows client computer.

Estimated Completion Time
If students are prepared, they should be able to complete this lab in 30 to 60 minutes.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked.

Data Provided to Students
No additional information is required for this lab.

Rubrics and Evaluation
There is a student response form included with this lab.
Module 5: Backup and Recovery and File Integrity Monitoring

Purpose of Lab Module
Upon completion of this activity, students will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 15 to 20 minutes plus the amount of time needed to perform the backup data transfers, which depends on the size of the local file storage.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked. Students will need to be able to invoke and run Windows PowerShell. Students will need to be able to download or otherwise have access to:
• HashCalc from https://www.slavasoft.com/download.htm, and
• hash.exe and hashcmp.exe from MaresWare, downloaded as part of the second set of labs.

To perform and store actual system and data backups, students will need an internal hard drive or external USB drive not currently used on their system.

Data Provided to Students
No additional information is required for this lab.

Rubrics and Evaluation
There is a student response form included with this lab.
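The hash-based integrity check this module teaches, done here in Python as an added example rather than with HashCalc or the MaresWare tools (this is not the lab's or MaresWare's code): take a SHA-256 baseline of a directory tree, rescan it later, and report which files were added, removed or modified. The JSON baseline layout and the constructed demo directory are assumptions for the demo. The tampering step deliberately includes an edit that keeps the file size unchanged, which is the case a size-and-timestamp check misses and a hash comparison catches.

```python
"""Baseline-and-compare file integrity monitoring with SHA-256: the idea behind
hashing a tree with hash.exe and diffing later with hashcmp.exe. Added example
for this page, not the lab's or MaresWare's code. The JSON baseline layout and
the demo directory contents are assumptions for the demo."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file (path relative to root, '/'-separated) to its hash and size."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return snap


def save_baseline(snap, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Added, removed and modified paths. Modification is judged on the hash,
    so an edit that keeps the size unchanged is still reported."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, rescan."""
    root = tempfile.mkdtemp(prefix="fim_demo_")
    os.makedirs(os.path.join(root, "bin"))
    for rel, data in {"bin/tool.exe": b"MZ" + b"\x00" * 64,
                      "config.ini": b"debug=0\n",
                      "notes.txt": b"keep\n"}.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    # Keep the baseline outside the monitored tree so it is not itself reported.
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="fim_base_"), "baseline.json")
    save_baseline(snapshot(root), baseline_path)

    # Tamper: a same-size edit (0 -> 1), a new file, and a deleted file.
    with open(os.path.join(root, "config.ini"), "wb") as fh:
        fh.write(b"debug=1\n")
    with open(os.path.join(root, "bin", "dropper.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\xff" * 64)
    os.remove(os.path.join(root, "notes.txt"))

    return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline must be stored somewhere the monitored system cannot rewrite (read-only media or a separate host), otherwise an attacker who modifies a file can simply rehash it into the baseline; that is why the demo writes it outside the tree it watches.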
Module 6: OS Processes and Services

Purpose of Lab Module
Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 60 to 90 minutes.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked.

Data Provided to Students
No additional information is required for this lab.

Rubrics and Evaluation
There is a student response form included with this lab.
Module 7: Log Management & Security

Purpose of Lab Module
In this lab, students examine the default logs present in a standard Windows operating system. Because a modern Microsoft Windows client OS such as Windows 10 is built on the same underlying architecture as Microsoft's server systems, this knowledge scales to understanding the actions of commercial servers as well as end-user systems.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 30 to 60 minutes.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked. Students will need to be able to invoke and run Windows PowerShell.

Data Provided to Students
None is required.

Rubrics and Evaluation
There is a student response form included with this lab.
Module 8: Footprinting, Scanning, & Enumeration

Purpose of Lab Module
Students learn how attackers perform reconnaissance on potential targets using a variety of tools to perform what is known as "footprinting." This process includes both researching information from printed resources and gathering facts that can be collected from online resources and through social engineering efforts.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 70 to 120 minutes.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked. Students will need to be able to invoke and run Windows PowerShell.

Data Provided to Students
None is required.

Rubrics and Evaluation
There is a student response form included with this lab.
Module 9: AlienVault OSSIM

Purpose of Lab Module
This lab introduces the student to the basic setup and operation of a security information and event management (SIEM) environment using AlienVault OSSIM. Students install the AlienVault OSSIM system and, upon completion, understand the basic requirements for operating it as a SIEM tool and know how to install, configure, and operate it. They will use the software more extensively in a subsequent lab.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 120 to 180 minutes.

Infrastructure Comments
There should be no additional infrastructure requirements unless the lab has been modified by the instructor. Note: AlienVault OSSIM is a fully functional SIEM with several open-source components, including Nmap, OpenVAS, NetFlow, and full packet capture. This system may overtax a small student laptop, which is why the lab takes students through a walk-through.

Data Provided to Students
Data that students will need to be given or must determine themselves (students should record each value):
• A static IPv4 address assigned to their virtual OSSIM system: required
• The subnet mask to use on the local network: required
• The IPv4 address of the local network gateway: required
• The IPv4 address of the DNS server: required
• Root password: created during installation
• Local time zone: chosen during setup
• Administrator password (used through Web access): required

Rubrics and Evaluation
This lab is a series of steps with screen shots that explain how to install AlienVault OSSIM. Students have successfully completed the lab if they can provide a screen shot of the OSSIM Getting Started Wizard. Several self-reflection questions are also included.
Module 10: Image Analysis Using Autopsy

Purpose of Lab Module
The purpose of this lab is to introduce students to the Autopsy forensic tool. Students will create a case, load a drive image, and analyze the results. Upon completion of this activity, students will have installed Autopsy on a local machine and analyzed the accompanying file of evidence.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 45 to 70 minutes.

Infrastructure Comments
The latest version of Autopsy is 4.17.0 as of this writing. Autopsy can be installed directly on the student's system and should not require virtualization software such as VMware Workstation or VirtualBox.

Data Provided to Students
Students will need access to the evidence in the file named suspectdrive.img.

Rubrics and Evaluation
This lab is an introduction to Autopsy. The only item that students need to submit is the HTML report generated at the end. Because interpretation of evidence varies from analyst to analyst, some students may tag every file and others only the files they feel certain are related to the case. There are multiple options for file tags, including Notable and Follow Up. A report that contains the information shown in the following screen would be acceptable for full credit.

Several self-reflection questions are also included.