Solution and Answer Guide: Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and Network Defense, 4th Edition, ISBN: 9780357509753; Module 01: Ethical Hacking Overview 1 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Table of Contents
- Hands-On Activities
- Activity 1-1: Determining the Corporate Need for IT Security Professionals
- Activity 1-2: Examining the Top 25 Most Dangerous Software Flaws
- Activity 1-3: Identifying Computer Statutes in Your State or Country
- Activity 1-4: Examining Federal and International Computer Crime Laws
- Review Questions
- Case Projects
- Case Project 1-1: Determining Legal Requirements for Penetration Testing
- Case Project 1-2: Researching Hacktivists at Work
- Ethical Hacking for Life: Module 1 Ethical Hacking Overview
- Grading Rubric for Ethical Hacking for Life
- Reflection: Module 1
- Grading Rubric for Reflection

Hands-On Activities
Activity 1-1: Determining the Corporate Need for IT Security Professionals
Time Required: 10 minutes
Objective: Examine corporations looking to employ IT security professionals.
Description: Many companies are eager to employ or contract security testers for their corporate networks. In this activity, you search the Internet for job postings, using the keywords "IT Security," and read some job descriptions to determine the IT skills (as well as any non-IT skills) most companies want an applicant to possess.
- Start your web browser and go to indeed.com.
- In the What search box, type IT Security. In the Where search box, enter the name of a major city near you, and then press Enter.
- Note the number of jobs. Select three to five job postings and read the job description in each posting.
- When you're finished, exit your web browser.
Answer: Student should complete activity in their web browser. No submitted response is required.
Activity 1-2: Examining the Top 25 Most Dangerous Software Flaws
Time Required: 15 minutes
Objective: Examine the CWE/SANS Top 25 list of the most dangerous software weaknesses, the flaw categories behind many common exploits.
Description: As fast as IT security professionals attempt to correct network vulnerabilities, someone creates new exploits, and network security professionals must keep up to date on these exploits. In this activity, you examine the weakness categories that current exploits most often target. Don't worry; you won't have to memorize your findings. This activity simply gives you an introduction to the world of network security.
- Start your web browser and go to www.sans.org.
- Under Resources, click the Top 25 Programming Errors link. (Because websites change frequently, you might have to search to find this link. The list is now maintained by MITRE's CWE program under the name "CWE Top 25 Most Dangerous Software Weaknesses"; if you cannot find it on sans.org, go directly to https://cwe.mitre.org/top25/.)
- Read the contents of the Top 25 list. (This document changes often to reflect the many new exploits created daily.) The Top 25 list is also known as the Top 25 Most Dangerous Software Errors. Links in the list explain the scoring system and framework used to rank these errors. Since 2019 the ranking has been data-driven: each CWE is scored by how often it is recorded as the root cause of CVE entries in the National Vulnerability Database and by the average CVSS severity of those entries.
- Investigate the first few flaws by clicking the CWE-# link. For each flaw, note the description, applicable platform, and consequences.
- When you're finished, exit your web browser.
Answer: Student should complete activity in their web browser. No submitted response is required.
Activity 1-3: Identifying Computer Statutes in Your State or Country
Time Required: 30 minutes
Objective: Learn what laws might prohibit you from conducting a network penetration test in your state or country.
Description: For this activity, you use Internet search engines to gather information on computer crime in your state or country (or a location selected by your instructor). You have been hired by ExecuTech, a security consulting company, to gather information on any new statutes or laws that might affect the security testers it employs. Write a one-page memo to Liang Choi, director of security and operations, listing applicable statutes or laws and offering recommendations to management. For example, you might note in your memo that conducting a denial-of-service attack on a company's network is illegal because your state's penal code prohibits this type of attack unless authorized by the owner.
Answer: Answers will vary. The memo should include state laws that might affect how a penetration test could be conducted as well as problems that might arise because of state laws. The memo could also ask that management draw up a contract addressing any risks or possible network degradation that might occur during testing.
Activity 1-4: Examining Federal and International Computer Crime Laws
Time Required: 30 minutes
Objective: Increase your understanding of U.S. federal and international laws related to computer crime.
Description: For this activity, use Internet search engines to gather information on U.S. Code, Title 18, Sec. 1030, which covers fraud and related activity in connection with computers. Also, research the Convention on Cybercrime (the Budapest Convention). Write a summary explaining how these laws can affect ethical hackers and security testers.
Answer: Answers will vary. The summary should mention some key elements, such as subsection (a)(2), which criminalizes intentionally accessing a computer without authorization or exceeding authorized access and thereby obtaining information, and subsection (g), which states: "Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator." The summary might also mention that a tester can therefore face a civil lawsuit in addition to criminal prosecution. Students need to understand that the statute's "protected computer" definition in subsection (e)(2) covers not only government and financial-institution computers but also any computer used in or affecting interstate or foreign commerce or communication, which in practice includes nearly every Internet-connected system; documented authorization from the system owner is what makes a security tester's access "authorized" under the statute. Students should mention which nations are parties to the Convention on Cybercrime (Budapest Convention).

Review Questions
- The U.S. Department of Justice defines a hacker as which of the following?
a. A person who accesses a computer or network without the owner's permission
b. A penetration tester
c. A person who uses phone services without payment
d. A person who accesses a computer or network system with the owner's permission
Answer: a. A person who accesses a computer or network without the owner's permission
- A penetration tester is which of the following?
a. A person who breaks into a computer or network without permission from the owner
b. A person who uses telephone services without payment
c. A security professional hired to break into a network to discover vulnerabilities
d. A hacker who breaks into a system without permission but doesn't delete or destroy files
Answer: c. A security professional hired to break into a network to discover vulnerabilities
- Some experienced hackers refer to inexperienced hackers who copy or use prewritten scripts or programs as which of the following? (Choose all that apply.)
a. Script monkeys
b. Packet kiddies
c. Packet monkeys
d. Script kiddies
Answer: c. Packet monkeys; d. Script kiddies
- What three models do penetration or security testers use to conduct tests?
Answer: white box, black box, gray box
- A team composed of people with varied skills who attempt to penetrate a network is called which of the following?
a. Green team
b. Blue team
c. Black team
d. Red team
Answer: d. Red team