Objectives:
- Students will evaluate literature on the topic
- Students will implement a test laboratory
- Students will evaluate threats and vulnerabilities
- Students will examine relationships between elements of security controls and users
- Students will examine relationships between technology and users
- Students will create a network penetration taxonomy
Directions:
1. Follow the laboratory format found in the syllabus.
2. Please read the provided articles and information (available for download from WebCT).
3. Prepare a literature review discussing the requirements as per the syllabus.
4. Specifically apply each of the tasks from the laboratory to the literature review.
5. The literature review should be approximately 1000-2000 words.
Your first task is to either build or modify a laboratory environment that meets the following requirements.
1. You do NOT have to do this in Citrix. However, if you choose to do it in another environment, you will have to provide those resources yourself.
2. Your laboratory environment can be different, but you should be able to build at least this minimum.
3. The MSDNAA subscription is available to provide the operating systems you think you will need.
Figure 1: Network Penetration Laboratory
Your second task is to complete this grid.
Figure 2: OSI 7 Layer Model created by Samuel Liles
1. As you can see, it is an extended version of the OSI 7 Layer model. You will identify attacks against different layers of the OSI 7 layer model.
2. You need to investigate and research tool suites. As an example, BackTrack is a tool suite distributed as a CD-ROM image. DefCon also publishes tools from their conference (https://www.defcon.org/html/links/dc-tools.html). How many tools do you need to find? Fill the grid. BackTrack contains 300 tools.
3. You should create a list of attack tools by layer: do not just say “BackTrack”, but list the applications or tools within BackTrack. As an example, at what layer of the OSI 7 layer model would Wireshark operate?
4. As a further example, is there any real difference between Wireshark and Ethereal?
5. Be careful of duplicates, though you should likely name them.
Figure 3: McCumber Cube (Wikimedia Commons http://en.wikipedia.org/wiki/File:Mccumber.jpg)
1. Your third task is to look at the McCumber cube. For each attack tool you should identify whether it attacks “confidentiality, integrity, or availability”.
2. Then you should identify whether it is an attack against “storage, processing, or transmission”.
3. You should answer the question of why almost all of the tools are going to be related to technology versus policy and procedure or personnel.
4. Some of the tools will fit into multiple categories. Choose the best category, but only place the tool in one place.
5. Answer the question of whether this suggests a substantial bias or issue for penetration testing, and whether self-selecting attacks may not be the best strategy. Along comes somebody looking further outside the box who messes up all your nice technical controls.
Special Directions:
| OSI 7 Layer Model Layer | Tool Name (link) | McCumber cube coordinate |
| --- | --- | --- |
| Layer 3 | Wireshark | Confidentiality, Transmission, Technology |
1. Do not try to recreate the image. Just do a table. It will be large.
2. Make sure the write-up is provided as required.
Spell check and copy edit your work!!!