SAINT COM545 All Modules Lab Assignments (Latest 2017)
Module 1 lab assignment
Complete Lab 1 from the Laboratory Manual.
Read and complete all the deliverables associated with this lab.
1. What are some of the greatest risks businesses face when connecting to the Web? Why?
2. Why is it critical to perform periodic Web-application vulnerability assessments and penetration tests?
3. What kind of web application does Damn Vulnerable Web Application use?
4. Why might connecting your Web servers and Web applications to the Internet be like opening Pandora's box?
5. What does the Skipfish application do, and why is it a good security tool for Web servers and Web-application testing?
6. What is tcpdump, and why is it a good tool for testing the Ubuntu Linux Web server and Web-application security?
7. What does the Firefox Live HTTP Headers plug-in application do, and why is this a good tool for Web-server and Web-application security testing?
8. What does using the -h switch for tcpdump and skipfish do?
9. What is the tcpdump usage message that you recorded during this lab?
10. What information can you determine from the ifconfig -a command?
Module 2 lab assignment
Complete Lab 2: "Obtaining Personally Identifiable Information through Internet Research."
Read and complete all the deliverables associated with this lab.
1. Complete the following table to describe the results you discovered about your own personally identifiable information on the Internet.
| Search Engine | Was personal information returned? (Yes or No) |
| Dogpile.com | |
| Google.com | |
| InstantCheckmate.com | |
| AlltheInternet.com | |
| WhitePages.com | |
| ZabaSearch.com | |
| Your local government Web site | |
2. Was there enough personal information returned that could potentially be used for identity theft? Explain why or why not.
3. How can identity thieves take advantage of social networking users to steal personal information?
4. According to Facebook.com, who owns the information posted by a user? Include specific text from Facebook.com in your answer.
5. What is a security feature you should always look for in any Web site that will ask for personal information to share with others?
6. What implications can the social networking sites have for job applicants?
7. What is the risk of combining your family and personal friends with your business contacts and associates?
8. What type of personal information could an attacker obtain from a user profile on LinkedIn.com that he or she could use for identity theft?
9. Suppose someone posted your highly confidential personal information on a social networking site, and you wish to have the results removed from the Google search engine. Describe some actions you could take to have the information removed.
10. How does one find public records online?
11. What are some options if you wish to continue using Twitter.com, but need to protect the information you send from public view?
12. List the type of information you can obtain from a background search on sites such as
Module 3 lab assignment
Complete Lab 3: "Perform a Post-Mortem Review of a Data Breach Incident."
Read and complete all the deliverables associated with this lab.
1. What is the purpose and function of Google Analytics?
2. What is the purpose of performing ongoing website traffic analysis and web trending analysis on production web servers and web sites?
3. How can tcpdump be used as a critical web server tool for conducting ongoing traffic monitoring and traffic analysis?
4. How can the various verbosity modes of tcpdump provide more information for analysis?
5. Using the saved file from the Live HTTP Headers tool, what is the user-agent used by the client browser?
6. Using the saved file from the Live HTTP Headers tool, what information can be gathered just from the HTTP headers?
7. How could tcpdump be used to capture passwords sent to a website?
8. Why is it more appropriate to submit sensitive information using HTTP POST than HTTP GET?
9. How can Webalizer aid in the interpretation of web log files?
10. How do tools such as Google Analytics work to track web site traffic?
Module 4 lab assignment
Complete Lab 4: "Exploiting Known Web Vulnerabilities on a Live Web Server."
Read and complete all the deliverables associated with this lab.
Lab Assessment Questions & Answers
1. What are the OWASP Top 10?
2. What is a brute force attack and how can the risks of these attacks be mitigated?
3. Explain a scenario where a hacker may use cross-site request forgery (CSRF) to perform authorized transactions.
4. What are the Web application attacks that you performed in this lab using the DVWA?
5. Phishing is the practice of trying to obtain extra personal information such as passwords or banking details while using the guise of a trusted Web site. What type of Web application vulnerability is exploited by hackers who use a phishing page on a Web site?
6. What could be the impact of a successful SQL injection?
7. What would finding the URL http://www.testurl.com/../../../../../../../../../../../../etc/passwd in your Web logs indicate?
8. How would you ensure security between a Web application and an SQL server?
Module 5 lab assignment
Complete Lab 5: "Apply OWASP to a Web Security Assessment."
Read and complete all the deliverables associated with this lab.
1. Identify the four recognized business functions and each security practice of OpenSAMM.
2. Identify and describe the four maturity levels for security practices in SAMM.
3. What are some activities an organization could perform for the security practice of "Threat Assessment"?
4. What are the two assessment styles recommended by SAMM, and how are they utilized?
5. What are the three main objectives of the OWASP Application Security Verification Standard (ASVS) Project?
6. Identify the four levels used for ASVS.
7. According to the OWASP Development Guide, what are some guidelines for handling credit cards on web sites?
8. What are the four known data validation strategies?
9. What are two methods for performing a code review?
10. Why is it important to review how errors are handled during a code review?
11. When should the testing process be introduced in the Software Development Lifecycle (SDLC)?
12. What is black box testing?
13. According to the OWASP Development Guide, what are some basic best practices for handling authentication when designing and developing web-based software?
14. What is a limitation of automated testing tools?
15. What is meant by the phrase "Test early and test often"?
Module 6 lab assignment
Complete Lab 6: "Applying Regulatory Compliance Standards."
Read and complete all the deliverables associated with this lab.
1. With what section of SOX would the IT professional deal the most, and why?
2. Under HIPAA, when is a health care provider required to notify all patients and the Department of Health and Human Services when a security breach is discovered?
3. Which database is more secure: the Java-based Apache Derby or MySQL?
4. Which types of businesses or entities are governed by HIPAA?
5. According to the PCI Quick Reference Guide, who must comply with PCI-DSS standards?
6. What are the 11 titles of mandates and requirements for SOX compliance?
7. What purpose may COBIT serve to help comply with regulations such as Sarbanes-Oxley?
8. What is RDP? What port number does it use?
Module 7 lab assignment
Complete Lab 7: "Perform Dynamic and Static Quality Control Testing."
Read and complete all the deliverables associated with this lab.
1. How does Skipfish categorize findings in the scan report?
2. Which tool used in the lab is considered a static analysis tool? Explain what is referred to by static code analysis.
3. What possible high-risk vulnerabilities did the RATS tool find in the DVWA application source code?
4. Did the static analysis tool find all the potential security flaws in the application?
5. What is black box testing on a web site or web application?
6. Explain the Skipfish command in detail: ./skipfish -o /var/scans/is308lab.org -A admin:password -d 3 -b i -X logout.jsp -r 200000 http://www.is308lab.org
7. During the manual code review, what is noticed about high.php that makes it less likely to victimize users with reflected XSS, and why is it considered more secure?
8. Would Firefox be considered a web application assessment tool?
9. Compare and contrast a pen testing tool such as OWASP WebScarab with an automatic analysis tool like Skipfish.
10. Judging from the two scan reports, describe how Skipfish and RATS can complement one another.
Module 8 lab assignment
Complete Lab 8: "Perform an IT and Web Application Security Assessment."
Read and complete all the deliverables associated with this lab.