What is a brute-force attack

Reference no: EM131687343

PROJECT INSTRUCTIONS

Overview

In this project, you will perform a security assessment of a hypothetical website and report upon the results of that assessment. You will provide both an executive summary of your findings as well as detailed results of the assessment. You will complete the report in a subsequent paper by providing remediation recommendations and actions you recommend to mitigate against your findings.

Your assessment is to review the website of a hypothetical company, Liberty Beverages, Inc. It is a global corporation specializing as an e-Commerce business in the delivery of beverage products such as specialty coffee and tea products. The business problem that they wish to address is the recent successful attack on their website by a suspected nation state. The attack was able to deface the website as well as access some customers' personal purchasing data. Given its impact on their brand and customer loyalty, this has high visibility with senior management.

Assume that the current web infrastructure consists of a redundant group of web servers running on a Linux platform with Apache web server and Apache Tomcat application server software on which the web application runs. In addition, perimeter security is provided by redundant edge routers for load balancing and redundant firewalls (e.g., Cisco ASA 5000-series) in a demilitarized zone (DMZ) configuration, as well as an intrusion detection system (IDS) solution and a SIEM for security monitoring. Lastly, the web servers interface with a relational database (e.g., MySQL, SQL Server, Oracle, DB2) and a Storage Area Network (SAN) for persistent storage. The e-Commerce website is accessible from a variety of devices such as conventional web browsers, tablets, and smart phones, which communicate with the web server over HTTPS for enhanced security.

For purposes of this assignment, use the support files for labs 6 and 7 provided as a zip collection, as well as, optionally, the results from Labs 1, 2, and 6 as inputs, since they contain the results of the Skipfish, Nessus, and RATS scans. You may also need to drill down into the directory structure in Labs 6 or 7 to assess some items. Of course, these inputs are not as comprehensive as those in a thorough real-world assessment. Your project report can identify those areas for which you do not have enough evidence to evaluate properly.

The scope of your assessment is the e-commerce website itself, including the website code and configuration, the Linux platform, and the Apache web server and application server software. It is not within the scope of this assignment to assess other infrastructure components such as the routers, firewalls, IDS, and databases, nor the security of remote devices or the authentication and authorization mechanisms. The only exception is a vulnerability discovered in the website software that relates directly to the database. Out-of-scope items may be recommended for subsequent follow-up activities.

Instructions

Collect the results of the web vulnerabilities and exploitations from the Support Files in Blackboard for labs 6-7. You may optionally use your work from Labs 1, 2, and 6. Complete the assessment template provided for this assignment, entitled "Web Application Security Report Template" (or use your own organization, provided you include all of the content listed below), including the following sections:

Section 1: Assessment Introduction - Use the overview information from this document to set the context for the report.

Section 1.1: References - Add at least three (3) references.

Section 2: Web Application Description - Leave this section blank for a later remediation project.

Section 3: Assessment Assumptions - Use information from the assignment overview to describe components included in the assessment and components excluded from the assessment (in scope and out of scope). Also note the template instructions in this area.

Section 4: Assessment Approach - Include a paragraph in section 4.5 on out-of-scope items, based upon the information provided in the assignment overview (which states what is in and out of scope), as well as the tools utilized in sections 4.2 and 4.3.

Section 5 and the corresponding Appendix details - Also note the template instructions in this area, as there is extensive guidance on assigning pass/fail/not assessable status.

Section 5.1 - Include a count of how many high, medium, and low priority items were found, as well as a one (1) line per item list of the high priority items.

Sections 5.2 and 5.3 - Provide a pass/fail assessment in the Appendix for each item (including the NIST section) based upon the inputs listed above. Use your best judgment based upon the assessment and the principles you have learned. For those items that are not directly or indirectly assessed, indicate that as well. There should be enough evidence, however, to assess some of the items as pass or fail.

Section 5.5 - List comments about the review of the source code from Labs 1 and 2 and/or the RATS scan results found in the support files zip collection. Note that for purposes of the assignment, this is not a full source code review of all of the web pages but a review of at least one (1) piece of code corresponding to a web vulnerability discovered in the labs. Navigate to the file in the directory structure to research this. Be as specific as possible about what you are reviewing. For instance, this could be a review of a web form that has been found to be vulnerable. You must comment on what makes the code an issue (e.g., it provides inadequate input validation).

Outputs

This is a five-page research-based paper in current APA format that focuses on the results from a web security assessment. These five or more pages include all of the content in the paper (cover page, table of contents, references, all sections of the paper, etc.). Since you are adding content to a template that already exceeds the page count, your final paper should exceed the default as well. Use the assessment template "Web Application Security Report Template" as a starting point. You can optionally choose to use your own format, but it must contain all of the elements mentioned above in the instructions. The paper must include at least three (3) references in addition to the course textbooks and the Bible. Include relevant screenshots as appropriate and answers to the instruction steps. Be sure to repaginate the table of contents and remove any instructions highlighted in red from the template.

Lab 1: Exploiting Known Web Vulnerabilities

Lab Assessment Questions

1. What are the current OWASP Top 10?

2. What is a brute-force attack and how can the risks of these attacks be mitigated?

3. Explain a scenario where a hacker may use cross-site request forgery (CSRF) to perform authorized transactions.

4. What could be the impact of a successful SQL injection?

5. How would you ensure security between a Web application and a SQL server?

6. What is the underlying cause of a cross-site scripting (XSS) attack?

7. What is the difference between a reflected XSS and a stored, or persistent, XSS?

Challenge Questions

1. What has changed between this year's OWASP Top 10 list and the Top 10 list in 2010? What is the rationale for these changes? List at least five changes.

2. Research any brute-force attack tool (for example, THC Hydra, Brutus, or Burp Intruder). List at least three features of that tool. What method does the tool use in its brute-force attack?

3. What is the purpose of a rainbow table?

Lab 2: Implementing a Security Development Lifecycle (SDL) Plan

Challenge Questions

1. Use the Internet to research the importance of understanding trust boundaries in threat modeling. Summarize your findings. A good resource for this research is the Microsoft SDL Web site.

2. In Part 3 of this lab, you tested five regular expressions to see if they were vulnerable to ReDoS. Two of the five were, in fact, vulnerable. It is possible to conduct these tests without understanding the regular expressions in question. For this challenge, alter the two regular expressions that failed so that they pass. If possible, explain why they failed and why they now pass.

Lab Assessment Questions

1. List and briefly describe the Training phase of the Security Development Lifecycle (SDL).

2. What does the acronym STRIDE stand for?

3. Which of the regular expressions in Part 3 are safe from ReDoS?

4. Why is it necessary for an SDL to include a Response phase? Use the Internet to research at least three components of a typical incident response plan.

5. What are the seven phases in the Microsoft SDL?

6. What is a buffer-overflow or overrun condition?

7. In which phases of the secure software development life cycle might cross-site scripting be discovered?

8. What is ReDoS?

9. What failure did BinScope identify in the ActionCenter.dll file? Use the Internet to research the failure and describe its significance.

Attachment:- Evaluating Web Vulnerabilities.rar

Verified Expert

The solution file is prepared in MS Word and is based on labs 2, 3, 5, 6 and 7. It discusses exploiting vulnerabilities, implementing an SDLC, and creating a security assessment for the Liberty Beverages company. The solution file follows the assignment requirements by section, and screenshots from the labs are attached. The solution file also provides remedies for part 1 and a network diagram for the web application. The references are included in APA format.


Reviews

inf1687343

1/19/2018 4:05:38 AM

I will let all of my friends know about this great website, without you guys I would've failed this. Thanks once again and I really appreciate your effort into this work. Great work guys keep it going.

inf1687343

12/21/2017 5:19:03 AM

OK, check from the labs: 25683278_1Lab 1 Evaluating Web Vulnerabilities .docx, 25683278_2Lab 2 .docx, 25683278_3Lab 3.docx; 4, 5, 6: 25683225_1Lab 4.docx, 25683225_2Lab 5.docx, 25683242_3Lab 6.docx. Here is part 1: 25683240_1Security Assessment Findings Project.docx http://www.webappsec_blog3452.org/ 25683289_1Screen Shot 2017-10-19 at 31919 PM.png. Send whatever you did for the assignment by tonight. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project All my labs are related to the website; you might find what you are looking for here. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

len1687343

10/23/2017 4:59:15 AM

I need to complete part 2 of the assignment; I sent the template, Web Application Security Assessment Report Template3.doc. The instructions are in the last couple of messages. Use that to complete the project. Please format into this template: "In this paper you are to write an additional five (5) pages to the report template associated with this assignment. The final deliverable for this project will be a 10-page paper in current APA format (including the 5 pages from a previous assignment with the new content in this paper). Since you are adding content to a template that already exceeds the page count, your final paper should exceed the default as well. In addition, it must include at least 3 additional references (for a total of 6 references), not counting the course textbook and the Bible. Modify sections previously written in the earlier paper as appropriate to make the final paper cohesive, including addressing issues that were reported in grading comments. Be sure to repaginate the table of contents and remove any instructions highlighted in red from the template."

len1687343

10/23/2017 4:52:35 AM

SECURITY ASSESSMENT REMEDIATION PROJECT GRADING RUBRIC (Criteria / Points Possible / Points Earned / Instructor Comments)

• Report includes a network diagram with all major components showing the logical connectivity between components. 15
• Report includes completed web site application architecture component descriptions in step 5a(2). 15
• Report includes remediation actions for each of the assessment findings in section six of the template. 35
• Adheres to the APA format in the project report and practices good spelling and grammar. 5
• Adheres to the minimum number of pages (10) and references (6). 5

TOTAL 75
