Assignment 3 - Program Security
Hands-on Activity
(DUE February 21, 2003 by midnight EST)
You are going to use a product called WebInspect to assess the security of a web site. You will need to connect to http://www.spidynamics.com and download a copy of WebInspect. After you have downloaded the file, you will need to install the software. You will then need to obtain a license key before the software will work. If you are not contacted within a day with the key, you will need to call 1.866.774.2700 x 1 and ask the sales rep to e-mail you the key. Explain to them that you are doing this as part of an assignment for a class. After you follow the instructions and place the key in c:\ProgramFiles\SPIDynamics\WebInspect, you will be able to start WebInspect.
- Run WebInspect on the default website: http://endo.websecurity.com
- Do a safe scan with crawl turned off.
- The bottom screen displays the alerts. By clicking on a description in the bottom window, the top window will give you more details about the selected vulnerability.
- After the scan finishes, click the Report button
- Select Custom Report
- Select critical and high vulnerabilities
- Generate the report
- Post the report to the eCollege dropbox
- Select one critical and one high vulnerability, explain what each is, and describe how you would protect the web server from it. Post your answer to the dropbox.
Discussion Questions
- (DUE February 5, 2003 by midnight EST) Select one of the following questions to discuss in detail through the threaded discussion.
- "The Slammer worm, whose attack over the weekend represented the most serious online assault in 18 months, demonstrates the Internet is still highly vulnerable. The worm infected defenseless machines, reproduced itself, and sent out large volumes of data traffic that disrupted many systems, including Bank of America ATMs, high-tech manufacturing, mortgage and credit card companies' Web sites, and police dispatch operations. More than 200,000 North American computers and between 400,000 and 700,000 global computers were affected by the worm, according to the Information Technology Information Sharing and Analysis Center. Asian businesses received some of the worst disruption, and both American and South Korean authorities are seeking out the worm's inventor, a task complicated by the hacker's unknown location. Slammer exploited an established security hole in Microsoft's SQL Server database software, for which a patch had been issued several times last year; the havoc caused by the worm proved that the patch was not installed by many users. Ensuring Internet security and keeping abreast of security patches as well as vulnerabilities is an almost impossible challenge, says Computer Security Institute director Patrice Rapalus. 'If individuals or organizations are determined to exploit whatever kinds of flaws there are in the millions of lines of code for different applications, you have no real defense,' she explains. The SQL flaw was one of several recent security embarrassments for Microsoft, including other vulnerabilities that were exploited by the Code Red and Nimda worms in 2001." SiliconValley.com (01/28/03) Discuss this attack and what needs to be done to prevent further attacks of this nature.
- A recent study commissioned by NIST asserts that software bugs cost the U.S. economy an estimated $59.5 billion annually. More than a third of those costs could be eliminated with improved testing and earlier identification of errors. One company, Cenzic, is marketing a tool, Hailstorm, that helps developers build security into their code. Discuss the importance of the emergence of these kinds of tools and what it will take to make them effective.
- An electronic mail system could be used to leak information. First, explain how the leakage could occur. Then, identify controls that could be applied to detect or prevent the leakage.
- "No matter how good you or your security provider are at firewalls, intrusion detection and other security management, such measures cannot protect you from legitimate applications running on your system with flawed code." (Charles Neal, VP Managed Security Services, Cable and Wireless) Discuss your views on this statement and how we can address this type of concern.
- Explain how information in an access log could be used to identify the true identity of an imposter who has acquired unauthorized access to a computing system. Describe several different pieces of information in the log that could be combined to identify the imposter.
- (DUE February 10, 2003 by midnight EST) Select a discussion from one or more of your classmates and respond to their comments.
Webliography Assignment
(DUE February 10, 2003 by midnight EST) Submit to the class Webliography 5 annotated links related to program security. These will be added to our Information Assurance E-library (http://csc.ColumbusState.edu/summers/e-library/security.html) You will receive 1 point if just a new link; 1 point if annotation for one of my links; or 2 points if a new annotated link.