
MIS 4850 Systems Security

By Marvin Diaz, 2014-12-29 17:05

    In-Class Exercise 1

    E1 Tuesday 1/19/2010

    Student Name: ___________________________________

    Visit the www.sophos.com web site in order to gather information about a malware called W32/Zafi-B (or just Zafi-B) and answer the following two questions.

    1) Using bullets, list five specific malicious things that Zafi-B could do to potentially damage or disturb a computer system.

    Answer:

    • ____________________________________________________________________
    • ____________________________________________________________________
    • ____________________________________________________________________
    • ____________________________________________________________________
    • ____________________________________________________________________

2) What other names (or aliases) does Zafi-B use?

    ____________________________________________________________________

    ____________________________________________________________________

3) What kind of malware is Zafi-B?

    a) A Trojan horse

    b) A spyware

    c) A worm

    d) None of the above

    4) Use the following questionnaire (see below) to assess the potential risk posed by W32/Zafi-B. The expected risk should be the average of your responses using the Likert scale provided in the questionnaire. The average score must be converted into a severity index (i.e. a number between 1 and 100) that represents the extent of the loss/damage caused by the malware to the security of a computer system. Your assignment should include the completed questionnaire.

    Questionnaire:

    Based on the type of malicious actions that Zafi-B could take to potentially damage or disturb a computer system, give your assessment of the potential loss or damage that could be caused by that malware. Circle the number that represents your assessment with 1 being low loss/damage and 10 being high loss/damage.

    112736649.doc 1

    Scale for every item: 1 (Low) ... 10 (High)

    1. Degree to which Zafi-B could modify critical corporate information:              1 2 3 4 5 6 7 8 9 10
    2. Degree to which Zafi-B could delete critical corporate information:              1 2 3 4 5 6 7 8 9 10
    3. Degree to which Zafi-B could allow intruders to access confidential info.:      1 2 3 4 5 6 7 8 9 10
    4. Degree to which Zafi-B could allow misdirection of critical corporate info.:    1 2 3 4 5 6 7 8 9 10
    5. Degree to which Zafi-B could allow the alteration of messages being transmitted: 1 2 3 4 5 6 7 8 9 10
    6. Degree to which Zafi-B could lead to loss of customers’ private information:    1 2 3 4 5 6 7 8 9 10
    7. Degree to which Zafi-B could lead to violation of employees’ private information: 1 2 3 4 5 6 7 8 9 10
    8. Degree to which Zafi-B could slow down network services:                         1 2 3 4 5 6 7 8 9 10
    9. Degree to which Zafi-B could shut down network services:                         1 2 3 4 5 6 7 8 9 10
    10. Degree to which Zafi-B could lead to loss of customers’ faith and trust:        1 2 3 4 5 6 7 8 9 10

Answer:

    Use the Windows Calculator (Start/Accessories/Calculator) to compute the average score (a number between 1 and 10), and then convert that score into a severity index.

    Average score: _______

    Severity index: _______

    5) Table 1 shows a severity analysis framework that is based on a survey conducted in 2006 in order to collect data for assessing the potential damage caused by any of the top-10 malware of the year 2006.

Table 1: Severity Analysis Framework

    Malware Severity Index    Average System Downtime    Average Cost for Restoring Infected System
    Between 1 and 20          3 hours                    $1800.00
    Between 21 and 40         7 hours                    $2300.00
    Between 41 and 60         10 hours                   $3000.00
    Between 61 and 80         15 hours                   $3500.00
    Between 81 and 100        20 hours                   $5000.00

    The following box defines the concept of system availability and explains how to compute the availability of a system or a network device.

    Availability: probability that a particular system or its components will be available during a fixed time period. Availability is a function of:

    • Mean time between failures or MTBF (given by the manufacturer or generated based on past performance)
    • Mean time to repair or MTTR (found in studies or in our archives)

    The MTBF is the average time a device or system will operate before it fails.
    The MTTR is the average time necessary to repair a failure.

    Standard equation for calculating Availability:

        A(t) = a/(a+b) + b/(a+b) × e^(-(a+b)t)

    in which: a = 1/MTTR
              b = 1/MTBF
              e = the base of the natural logarithm
              t = the time interval


    Approximation equation for calculating Availability:

        Availability% = (Total available time − Downtime) / Total available time

    Example: A component has been operating continuously for three months. During that time, it has failed twice, resulting in downtime of 4.5 hours. Calculate the availability of the component during that three-month period using the Approximation method.

        Total available time = 3 months = 3 × 30 × 24 = 2160 hours
        Downtime = 4.5 hours
        Availability% = (2160 − 4.5) / 2160 ≈ 99%

    Assume that the average system downtime mentioned in Table 1 above is the typical duration of a network’s downtime (or unavailability) during a 7-day week. Use the Approximation equation to calculate the availability of a network that has been affected by Zafi-B during a typical 7-day week.

    Availability% = ________________________________________________________.
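As an added worked example (not part of the worksheet), the following Python carries questions 4 and 5 through in code: the questionnaire average, its conversion to a severity index, the Table 1 lookup, and both availability equations from the box above. The worksheet only says the average "must be converted" to a 1..100 index, so the linear scaling used here (average × 10) is an assumption, as is the 30-day month taken from the worksheet's own example; the function names are mine.

```python
import math

# Table 1 of the worksheet: (index low, index high, avg downtime hours, avg restore cost in USD)
SEVERITY_TABLE = [
    (1, 20, 3, 1800.00),
    (21, 40, 7, 2300.00),
    (41, 60, 10, 3000.00),
    (61, 80, 15, 3500.00),
    (81, 100, 20, 5000.00),
]

HOURS_PER_WEEK = 7 * 24      # the "typical 7-day week" of question 5
HOURS_PER_MONTH = 30 * 24    # the 30-day month used in the worksheet's own example


def severity_index(likert_scores):
    """Average the ten 1..10 Likert responses and scale the average to a 1..100
    index. The worksheet only says 'convert'; multiplying the average by 10 is
    the assumption made here. Returns (average, index)."""
    if not likert_scores or any(not 1 <= s <= 10 for s in likert_scores):
        raise ValueError("every response must be on the 1..10 Likert scale")
    average = sum(likert_scores) / len(likert_scores)
    return average, round(average * 10)


def table1_lookup(index):
    """Map a severity index (1..100) to Table 1's (downtime hours, restore cost)."""
    for low, high, hours, cost in SEVERITY_TABLE:
        if low <= index <= high:
            return hours, cost
    raise ValueError("severity index must be between 1 and 100")


def availability_approx(total_hours, downtime_hours):
    """Approximation equation: (total available time - downtime) / total available time."""
    if total_hours <= 0 or not 0 <= downtime_hours <= total_hours:
        raise ValueError("downtime must lie between 0 and the total available time")
    return (total_hours - downtime_hours) / total_hours


def availability_standard(mtbf, mttr, t):
    """Standard equation A(t) = a/(a+b) + b/(a+b) * e^(-(a+b)t) with a = 1/MTTR and
    b = 1/MTBF. A(0) is 1 (the system starts out working); for large t the
    exponential term vanishes, leaving the steady-state value MTBF/(MTBF+MTTR)."""
    if mtbf <= 0 or mttr <= 0 or t < 0:
        raise ValueError("MTBF and MTTR must be positive and t non-negative")
    a = 1.0 / mttr
    b = 1.0 / mtbf
    return a / (a + b) + b / (a + b) * math.exp(-(a + b) * t)


def steady_state_availability(mtbf, mttr):
    """The limit of availability_standard as t grows: MTBF / (MTBF + MTTR)."""
    return mtbf / (mtbf + mttr)


def weekly_availability_for_scores(likert_scores):
    """Questions 4 and 5 end to end: scores -> index -> Table 1 downtime -> weekly availability.
    Returns (index, downtime hours, restore cost, availability over a 7-day week)."""
    _, index = severity_index(likert_scores)
    downtime, cost = table1_lookup(index)
    return index, downtime, cost, availability_approx(HOURS_PER_WEEK, downtime)


if __name__ == "__main__":
    # The worksheet's own example: three months of operation, 4.5 hours of downtime.
    print(f"Worksheet example: {availability_approx(3 * HOURS_PER_MONTH, 4.5):.2%}")
    # Constructed responses for the ten questionnaire items (not real assessments).
    scores = [7, 8, 6, 9, 7, 8, 6, 7, 8, 7]
    index, downtime, cost, avail = weekly_availability_for_scores(scores)
    print(f"index={index} downtime={downtime}h cost=${cost:,.2f} weekly availability={avail:.2%}")
    # Standard equation with a constructed MTBF of 500 h and MTTR of 5 h.
    print(f"A(0)={availability_standard(500, 5, 0):.4f} "
          f"steady state={steady_state_availability(500, 5):.4f}")
```

The worksheet's example evaluates to 2155.5/2160, i.e. 99.79%, which the worksheet rounds to 99%; the 7-day week in question 5 has 168 hours, so the Table 1 downtime for the band you land in is simply subtracted from 168.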

6) You have received an email on your Hotmail email account. In the email, the sender claims to be in China. How could you check the TCP/IP headers of the email message to determine whether or not the claim is true? Visit http://aruljohn.com/info/howtofindipaddress and explain, in detail, the steps you will go through to check the TCP/IP headers and determine the source IP address of the computer used to send the message you have received. Write your answer in the following text box. Be concise.

    7) Open your EIU email account and select the messages you have received from the class instructor with Security 1 in the Subject field. Then, do the following:

    a. Display the TCP/IP headers of the selected message. Select the message headers. Then, copy and paste the selected headers in the following text box. You may need to adjust the size of the text box so that the whole headers you pasted appear. Make sure the formatting of the headers (like the line breaks, etc.) looks like the headers in the EIU email window you copied the headers from.

        Paste the TCP/IP headers in the box below

    b. Provide the following information based on your reading of the TCP/IP headers.

    IP address of the computer used to send the message: __________________

    IP address of your email server (i.e. the server that received the message): _______

    Domain name of your email server (i.e. the server that received the message):

    __________________________________________________________________

    c. Determine the location of the computer used to send the message by providing the

    name of the city, state, and country. You can use any web-based IP locator to

    answer this question. City: _____________________________________

    State: _____________________________________

    Country: ___________________________________

    8) Examine the printout provided in the Appendix of this assignment and determine the sender’s IP address, as well as the host/domain name of the sender’s email server and its corresponding IP address.

    • Sender’s IP address: ___________________________
    • Server’s host name: ______________________________________
    • Server’s IP address: __________________________

    9) The sender of the email shown in the Appendix claims to be in North Korea when he sent the message. Use the Internet and your investigative knowledge to determine the city and the country where the computer used to send the message is located.

    City: ________________________

     Country: _____________________


Appendix

    Received: from barracuda.eiu.edu (barracuda1.eiu.edu [139.67.8.80])
        by cupertino.eiu.edu (Postfix) with ESMTP id C20BF1773E23
        for <aillia@eiu.edu>; Tue, 18 Dec 2007 20:16:00 -0600 (CST)
    X-ASG-Debug-ID: 1198030560-3f7900540000-XywefX
    X-Barracuda-URL: http://139.67.8.80:8000/cgi-bin/mark.cgi
    Received: from ismtp1.eiu.edu (localhost [127.0.0.1])
        by barracuda.eiu.edu (Spam Firewall) with ESMTP id 35570E44C0F
        for <aillia@eiu.edu>; Tue, 18 Dec 2007 20:16:00 -0600 (CST)
    Received: from ismtp1.eiu.edu (ismtp1.eiu.edu [139.67.9.21])
        by barracuda.eiu.edu with ESMTP id rc74OtLhd0eTaawT
        for <aillia@eiu.edu>; Tue, 18 Dec 2007 20:16:00 -0600 (CST)
    X-IronPort-Anti-Spam-Filtered: true
    X-IronPort-Anti-Spam-Result: AgAAAHINaEdEjslTn2dsb2JhbACCb40QAQEBAQcEBgkgmRk
    Received: from web82702.mail.mud.yahoo.com ([68.142.201.83])
        by ismtp1.eiu.edu with SMTP; 18 Dec 2007 20:15:59 -0600
    Received: (qmail 20044 invoked by uid 60001); 19 Dec 2007 02:15:59 -0000
    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=s1024; d=yahoo.com;
        h=X-YMail-OSG:Received:X-RocketYMMF:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
        b=s2W/jZQEAkuCRyQ7+c1zyY37dBRrzgnVs6639PBUxEPEIc9aZVFCQpPStap5sQdx5tBM3ypAy7
        9lync2D8Tq6x4tu8B7tDqYXNgdEa+D445nxpXdmoVR3L5jjwgHLEk0u8zZaV8tq4jMlUuah1/wQ9
        XqNdkXiSCHws6cyffc30s=;
    X-YMail-OSG: Hd68L1IVM1nu0MI6f622bzosN5ADctARG.uvM_WKx.b_q7_tQQRUqB_eN1dGtyRhODCaSoc.e27o
        qblQpasxfbcOXARERn5MTAva7yX0AJGcaa78sg0Mca8Myki7mA--
    Received: from [125.99.143.112] by web82702.mail.mud.yahoo.com via HTTP;
        Tue, 18 Dec 2007 18:15:59 PST
    X-RocketYMMF: drraous@sbcglobal.net
    Date: Tue, 18 Dec 2007 18:15:59 -0800 (PST)
    From: Mohan Rao <mohan.rao1@yahoo.com>
    Reply-To: mohan.rao1@yahoo.com
    X-ASG-Orig-Subj: Re: Thank you for the phone interview -- MIS position
    Subject: Re: Thank you for the phone interview -- MIS position
    To: Abdou Illia <aillia@eiu.edu>
    In-Reply-To: <15490567.635261198001935544.JavaMail.root@ocean.eiu.edu>
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="0-1431303504-1198030559=:19025"
    Content-Transfer-Encoding: 8bit
    Message-ID: <502701.19025.qm@web82702.mail.mud.yahoo.com>
    X-Barracuda-Connect: ismtp1.eiu.edu[139.67.9.21]
    X-Barracuda-Start-Time: 1198030560
    X-Barracuda-Virus-Scanned: by Barracuda Spam Firewall at eiu.edu
    X-Barracuda-Spam-Score: 0.45
    X-Barracuda-Spam-Status: No, SCORE=0.45 using per-user scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=HTML_FONT_FACE_BAD, HTML_MESSAGE
    X-Barracuda-Spam-Report: Code version 3.1, rules version 3.1.37025
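Questions 6 through 9 all come down to reading the Received headers in the right order: each mail server prepends its own Received line, so the line nearest the top is the last hop and the one nearest the body is the first. As an added example (not part of the worksheet), the following Python unfolds the Appendix headers, lists the hops earliest-first, picks out the originating IP address, and identifies the hop at which the message first reached the recipient's own servers, which is where the sender's mail server and its IP address are recorded. The embedded sample is the Appendix trimmed to its Received and addressing lines; the function names and the `our_domain` parameter are mine. The defender's caveat it encodes: only the Received line written by a server you operate is one you can vouch for, since every line below it was added by outside systems and can be forged by a sender, so the originating IP is only as trustworthy as the provider (here Yahoo's webmail) that recorded it.

```python
import re
from ipaddress import ip_address

# The worksheet's Appendix, trimmed to its Received and addressing lines and
# embedded here so the example runs offline. Values are the page's own.
APPENDIX_HEADERS = """\
Received: from barracuda.eiu.edu (barracuda1.eiu.edu [139.67.8.80])
    by cupertino.eiu.edu (Postfix) with ESMTP id C20BF1773E23
    for <aillia@eiu.edu>; Tue, 18 Dec 2007 20:16:00 -0600 (CST)
X-Barracuda-URL: http://139.67.8.80:8000/cgi-bin/mark.cgi
Received: from ismtp1.eiu.edu (localhost [127.0.0.1])
    by barracuda.eiu.edu (Spam Firewall) with ESMTP id 35570E44C0F
    for <aillia@eiu.edu>; Tue, 18 Dec 2007 20:16:00 -0600 (CST)
Received: from ismtp1.eiu.edu (ismtp1.eiu.edu [139.67.9.21])
    by barracuda.eiu.edu with ESMTP id rc74OtLhd0eTaawT
    for <aillia@eiu.edu>; Tue, 18 Dec 2007 20:16:00 -0600 (CST)
Received: from web82702.mail.mud.yahoo.com ([68.142.201.83])
    by ismtp1.eiu.edu with SMTP; 18 Dec 2007 20:15:59 -0600
Received: (qmail 20044 invoked by uid 60001); 19 Dec 2007 02:15:59 -0000
Received: from [125.99.143.112] by web82702.mail.mud.yahoo.com via HTTP;
    Tue, 18 Dec 2007 18:15:59 PST
From: Mohan Rao <mohan.rao1@yahoo.com>
To: Abdou Illia <aillia@eiu.edu>
Message-ID: <502701.19025.qm@web82702.mail.mud.yahoo.com>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_CLAUSE = re.compile(r"\bfrom\s+(\S+)")
# 'by' must be followed by something that looks like a host name (contains a dot),
# so the qmail line's "invoked by uid 60001" is not mistaken for a server.
BY_CLAUSE = re.compile(r"\bby\s+([\w.-]+\.[\w-]+)")


def unfold(raw):
    """Join RFC 5322 folded continuation lines (those starting with whitespace)
    back onto their header line; returns a list of 'Name: value' strings."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def received_hops(raw):
    """Return the Received hops in delivery order (earliest first). Each hop is a
    dict with from_host, from_ip and by_host (None where the line lacks them)."""
    hops = []
    for header in unfold(raw):
        if not header.lower().startswith("received:"):
            continue
        value = header.split(":", 1)[1].strip()
        m_from = FROM_CLAUSE.search(value)
        m_by = BY_CLAUSE.search(value)
        # Only look for an IP inside the 'from ...' part, before the 'by' clause.
        from_part = value.split(" by ")[0] if m_from else ""
        m_ip = IPV4.search(from_part)
        hops.append({
            "from_host": m_from.group(1).strip("[]") if m_from else None,
            "from_ip": m_ip.group(1) if m_ip else None,
            "by_host": m_by.group(1) if m_by else None,
        })
    hops.reverse()  # headers are prepended, so top of message = last hop
    return hops


def originating_ip(hops):
    """Earliest hop that carries a public (non-private, non-loopback) IP."""
    for hop in hops:
        ip = hop["from_ip"]
        if ip and ip_address(ip).is_global:
            return ip
    return None


def handoff_to(hops, our_domain):
    """The hop at which the message first reached a server in our_domain. Its
    from_host/from_ip are the sender's mail server as our server saw it, which
    is the first Received line we can actually vouch for."""
    for hop in hops:
        if hop["by_host"] and hop["by_host"].endswith(our_domain):
            return hop
    return None


if __name__ == "__main__":
    hops = received_hops(APPENDIX_HEADERS)
    for n, hop in enumerate(hops, 1):
        print(f"hop {n}: from {hop['from_host']} [{hop['from_ip']}] by {hop['by_host']}")
    print("originating IP:", originating_ip(hops))
    print("sender's mail server as seen by eiu.edu:", handoff_to(hops, "eiu.edu"))
```

Working out the city and country for question 9 still needs a web-based IP locator, as the worksheet says; the code only establishes which address to look up and why that address, rather than one from a lower, unverifiable hop, is the right one.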

