Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview
Solution and Answer Guide
Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On
Hands-On Activities
Activity 1-1: Determining the Corporate Need for IT Security Professionals
Time Required: 10 minutes
Objective: Examine corporations looking to employ IT security professionals.
Description: Many companies are eager to employ or contract security testers for their corporate networks. In this activity, you search the Internet for job postings, using the keywords “IT Security,” and read some job descriptions to determine the IT skills (as well as any non-IT skills) most companies want an applicant to possess.
Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview
1. Start your web browser and go to indeed.com
2. In the What search box, type IT Security. In the Where search box, enter the name of a major city near you, and then press Enter.
3. Note the number of jobs. Select three to five job postings and read the job description in each posting.
4. When you’re finished, exit your web browser.
Answer: Student should complete activity in their web browser. No submitted response is required.
Activity 1-2: Examining the Top 25 Most Dangerous Software Flaws
Time Required: 15 minutes
Objective: Examine the SANS list of the most common network exploits.
Description: As fast as IT security professionals attempt to correct network vulnerabilities, someone creates new exploits, and network security professionals must keep up to date on these exploits. In this activity, you examine some current exploits used to attack networks. Don’t worry you won’t have to memorize your findings. This activity simply gives you an introduction to the world of network security.
1 Start your web browser and go to www.sans.org
2 Under Resources, click the Top 25 Programming Errors link. (Because websites change frequently, you might have to search to find this link.)
3 Read the contents of the Top 25 list. (This document changes often to reflect the many new exploits created daily.) The Top 25 list is also known as the Top 25 Most Dangerous Software Errors. Links in the list explain the scoring system and framework used to rank these errors.
4 Investigate the first few flaws by clicking the CWE-# link. For each flaw, note the description, applicable platform, and consequences.
5 When you’re finished, exit your web browser.
Answer: Student should complete activity in their web browser. No submitted response is required.
Activity 1-3: Identifying Computer Statutes in Your State or Country
Time Required: 30 minutes
Objective: Learn what laws might prohibit you from conducting a network penetration test in your state or country.
Description: For this activity, you use Internet search engines to gather information on computer crime in your state or country (or a location selected by your instructor). You have been hired by ExecuTech, a security consulting company, to gather information on any new statutes or laws that might affect the
Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview
security testers it employs. Write a one-page memo to Liang Choi, director of security and operations, listing applicable statutes or laws and offering recommendations to management. For example, you might note in your memo that conducting a denial-of-service attack on a company’s network is illegal because your state’s penal code prohibits this type of attack unless authorized by the owner.
Answer: Answers will vary. The memo should include state laws that might affect how a penetration test could be conducted as well as problems that might arise because of state laws. The memo could also ask that management draw up a contract addressing any risks or possible network degradation that might occur during testing.
Activity 1-4: Examining Federal and International Computer Crime Laws
Time Required: 30 minutes
Objective: Increase your understanding of U.S. federal and international laws related to computer crime.
Description: For this activity, use Internet search engines to gather information on U.S. Code, Title 18, Sec. 1030, which covers fraud and related activity in connection with computers. Also, research the Convention on Cybercrime (the Budapest Convention). Write a summary explaining how these laws can affect ethical hackers and security testers.
Answer: Answers will vary. The summary should mention some key elements, such as (a)(2) “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ….” Section (g) states: “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator.” The summary might also mention the possibility of a lawsuit. Students need to understand that this federal law addresses government computers and financial systems. Students should mention what nations are part of the Convention on Cybercrime (Budapest Convention).
Review Questions
1. The U.S. Department of Justice defines a hacker as which of the following?
a. A person who accesses a computer or network without the owner’s permission
b. A penetration tester
c. A person who uses phone services without payment
d. A person who accesses a computer or network system with the owner’s permission
Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview
Answer: a. A person who accesses a computer or network without the owner’s permission
2. A penetration tester is which of the following?
a. A person who breaks into a computer or network without permission from the owner
b. A person who uses telephone services without payment
c. A security professional hired to break into a network to discover vulnerabilities
d. A hacker who breaks into a system without permission but doesn’t delete or destroy files
Answer: c. A security professional hired to hack into a network to discover vulnerabilities
3. Some experienced hackers refer to inexperienced hackers who copy or use prewritten scripts or programs as which of the following? (Choose all that apply.)
a. Script monkeys
b. Packet kiddies
c. Packet monkeys
d. Script kiddies
Answer: c. Packet monkeys d. Script kiddies
4. What three models do penetration or security testers use to conduct tests?
Answer: white box, black box, gray box
5. A team composed of people with varied skills who attempt to penetrate a network is called which of the following?
a. Green team
b. Blue team
c. Black team
d. Red team
Answer: d. Red team
Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview
6. How can you find out which computer crime laws are applicable in your state? (Choose all that apply.)
a. Contact your local law enforcement agencies.
b. Contact your ISP provider.
c. Contact your local computer store vendor.
d. Research online for the laws in your area.
Answer: a. Contact your local law enforcement agencies. d. Research online for the laws in your area.
7. What portion of your ISP contract might affect your ability to conduct a penetration test over the Internet?
a. Scanning policy
b. Port access policy
c. Acceptable use policy
d. Warranty policy
Answer: c. Acceptable use policy
8. If you run a program in New York City that uses network resources to the extent that a user is denied access to them, what type of law have you violated?
a. City
b. State
c. Local
d. Federal
Answer: d. Federal
9. Which federal law prohibits unauthorized access of classified information?
a. Computer Fraud and Abuse Act, Title 18
b. Electronic Communication Privacy Act
c. Stored Wire and Electronic Communications and Transactional Records Act
Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview
d. Fifth Amendment
Answer: a. Computer Fraud and Abuse Act, Title 18
10. Which federal law prohibits intercepting any communication, regardless of how it was transmitted?
a. Computer Fraud and Abuse Act, Title 18
b. Electronic Communication Privacy Act
c. Stored Wire and Electronic Communications and Transactional Records Act
d. Fourth Amendment
Answer: b. Electronic Communication Privacy Act
11. Which federal law amended Chapter 119 of Title 18, U.S. Code?
a. Computer Fraud and Abuse Act, Title 18
b. Electronic Communication Privacy Act
c. Stored Wire and Electronic Communications and Transactional Records Act
d. U.S. PATRIOT Act, Sec. 217: Interception of Computer Trespasser Communication
Answer: d. U.S. PATRIOT Act, Sec. 217: Interception of Computer Trespasser Communications
12. What is the Budapest Convention?
a. A hacking convention held in Europe
b. The first international treaty seeking to address Internet and computer crime
c. International rules governing penetration testing
d. A European treaty governing the protection of personal information
Answer: b. The first international treaty seeking to address Internet and computer crime
13. What organization offers the CEH certification exam?
a. a. ISC2
b. b. EC-Council
c. c. CompTIA
d. d. GIAC
Answer: b. EC-Council
14. What organization offers the PenTest1 certification exam?
a. ISC2
b. CompTIA
c. SANS Institute
d. GIAC
Answer: b. CompTIA
15. What is an OSCP?
a. Open Security Consultant Professional
b. Offensive Security Certified Professional
c. Official Security Computer Programmer
d. OSSTMM Security Certified Professional
Answer: b. Offensive Security Certified Professional
16. As a security tester, what should you do before installing hacking software on your computer? (Choose all that apply.)
a. Check with local law enforcement agencies.
b. Contact your hardware vendor.
c. Contact your ISP.
c.
d. Research online for the laws in your area. Act, Sec. 217: Interception of Computer Trespasser Communications
d.
Answer: a. Check with local law enforcement agencies. d. Research online for the laws in your area.
17. Before using hacking software over the Internet, you should contact which of the following? (Choose all that apply.)
Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview © 2022 Cengage. All Rights Reserved. May
Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview
a. Your ISP
b. Your vendor
c. Local law enforcement authorities to check for compliance
d. The FBI
Answer: a. Your ISP c. c. Local law enforcement authorities to check for compliance
18. Which organization issues the Top 25 list of software errors?
a. SANS Institute
b. ISECOM
c. EC-Council
d. OPST
Answer: a. SANS Institute
19. A written contract isn’t necessary when a friend recommends a client. True or False?
Answer: False
20. A security tester should have which of the following attributes? (Choose all that apply.)
a. Good listening skills
b. Knowledge of networking and computer technology
c. Good verbal and written communication skills
d. An interest in securing networks and computer systems
Answer: a., b., c., and d.a. Good listening skills
Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview
Case Projects
Case Project 1-1: Determining Legal Requirements for Penetration Testing
Time Required: 45 minutes
Objective: Increase your understanding of state and federal laws related to computer crime.
Description: Alexander Rocco Corporation, a large real estate management company in Maui, Hawaii, has contracted your computer consulting company to perform a penetration test on its computer network. The company owns property that houses a five-star hotel, golf courses, tennis courts, and restaurants. Claudia Mae, the vice president, is your only contact at the company. To avoid undermining the tests you’re conducting, you won’t be introduced to any IT staff or employees. Claudia wants to determine what you can find out about the company’s network infrastructure, network topology, and any discovered vulnerabilities, without any assistance from her or company personnel.
Based on this information, write a report outlining the steps you should take before beginning penetration tests of the Alexander Rocco Corporation. Research the laws applying to the state where the company is located, and be sure to reference any federal laws that might apply to what you have been asked to do.
Answer: The report could include the following possible steps:
1. Prepare a statement of work detailing what the penetration tests would include.
2. Verify that a contract exists between both companies authorizing you to perform the penetration test.
3. Review state laws for Hawaii and any applicable federal laws.
4. Discuss with management the formation of a red team.
Case Project 1-2: Researching Hacktivists at Work
Time Required: 45 minutes
Objective: Consider the legal and ethical concerns surrounding hacktivism.
Description: A 2021 U.S. News & World Report article discusses how a new wave of hacktivism is adding a twist to cybersecurity woes. At a time when U.S agencies and companies are fighting off hacking campaigns originating in Russia and China, activist hackers looking to make a political point are reemerging.
The government’s response shows that officials regard the return of hacktivism with alarm. An acting U.S. Attorney was quoted as saying, “Wrapping oneself in an allegedly altruistic motive does not remove
Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview
the criminal stench from such intrusion, theft, and fraud.” A counterintelligence strategy released in 2020 stated, “ideologically motivated entities such as hacktivists, leaktivists, and public disclosure organizations, are now viewed as ‘significant threats’, alongside five countries, three terrorist groups, and transnational criminal organizations.”
Previous waves of hacktivism, notably by the collective known as Anonymous in the early 2010s, have largely faded away due to law enforcement pressure. Now a new generation of youthful hackers, angry about how the cybersecurity world operates and upset about the role of tech companies in spreading propaganda, is joining the fray. Research hacktivism, and write a one-page paper that answers the following questions:
• Is hacktivism an effective political tool?
• Did any of the hacktivists you researched go too far?
• Can hacktivism ever be justified?
Answer: The paper is subjective in nature. The simple answer to the questions posed would be hacking is never justified. However, this project should generate discussion and debate among the students.
Answers to questions:
1. Subjective question. Some might reference hacktivism as civil disobedience.
2. Subjective. What is too far for someone might be not far enough for someone else.
3. The simple answer is no. Hacking is illegal.
Ethical Hacking for Life: Module 1 Ethical
Hacking Overview
There are several good online resources that you can use to stay current in the field of ethical hacking. The Hacker News (thehackernews.com) is a leading, trusted, and widely recognized cybersecurity news platform that attracts over 8 million readers monthly, including IT professionals, researchers, hackers, technologists, and enthusiasts.
At Hacker News, you'll find the latest cybersecurity news and in-depth reports on current and future Infosec trends and how they are shaping the cyber world.
1. For this Ethical Hacking for Life activity, you will explore The Hacker News (thehackernews.com) site and read and comment on a posting that interests you.
2. Go to the discussion feature of the Learning Management System (LMS) used by your school or organization and read through all previous postings by other students and make note of those documents that have already been researched.
Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview
3. The blog post that you select must be unique and not a post that another student has already commented on for this class.
4. Read the blog post you have chosen and then read the comments posted by others on the The Hacker News site.
5. Post your summary (minimum of 100 words) to your LMS. Include your opinion of the value of this information and assign it a grade (1-10) regarding its value and how you could use this information.
6. Finally, post a reply to another student’s initial posting (minimum of 50 words).
Grading Rubric for Ethical Hacking for Life
Content of Posting Contains: summary of 100 words or more of the selected blog posting. Summary should cover the standard what, how, where, who, and why details.
Points 50
Holistic Score: _________ 4 - Outstanding (significantly exceeds expectations); 3 - Good (exceeds expectations); 2 - Fair (meets basic expectations); 1 - Poor (does not meet basic expectations)
Reflection: Module 1
You have learned that penetration tests are usually conducted by using one of three models: white box model, black box model, and gray box model. The model the tester uses is based on the amount of information the client is willing to supply.
1. For this Reflection activity, answer the following questions:
A. What types of applications could work without a transport protocol?
B. What are some of the problems modern networks would face if there was no transport protocol in the TCP/IP suite?
Email: Tbworld2020@gmail.com
Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview
2. Go to the discussion forum in your school’s LMS (learning management system) and write a post of several sentences outlining your answers to questions A and B.
3. The solutions that you post must be unique and not a solution that another student has already presented for this activity.
4. Then comment on two of your classmates’ posts, stating whether you agree or disagree with their assessment. Be sure to respond to the students that post on your thread.
Grading Rubric for Reflection
Criteria Meets Requirements Needs Improvement Incomplete
Participation Submits or participates in discussion by the posted deadlines. Follows all assignment instructions for initial post and responses. 5 points
Contribution Quality
Etiquette
Comments stay on task. Comments add value to discussion topic. Comments motivate other students to respond. 20 points
Maintains appropriate language. Offers criticism in a constructive manner. Provides both positive and negative feedback. 5 points
Does not participate or submit discussion by the posted deadlines. Does not follow instructions for initial post and responses. 3 points
Comments may not stay on task. Comments may not add value to discussion topic. Comments may not motivate other students to respond. 10 points
Does not always maintain appropriate language. Offers criticism in an offensive manner. Provides only negative feedback. 3 points
Does not participate in discussion.
0 points
Does not participate in discussion.
0 points
Does not participate in discussion.
0 points