MIS 4850 Systems Security

In-Class Exercise 1

Tuesday 1/19/2010

Student Name: ______

Visit the web site in order to gather information about a malware called W32/Zafi-B(or just Zafi-B) and answer the following two questions.

1) Using bullets, list five specific malicious things that Zafi-B could do to potentially damage or disturb a computer system.

Answer:

2) What other names (or aliases) does Zafi-B use?

______

______

3) What kind of malware is Zafi-B?

a) A Trojan horse

b) A spyware

c) A worm

d) None of the above

4) Use the following questionnaire (see below) to assess the potential risk posed by W32/Zafi-B. The expected risk should be the average of your responses using the Likert scale provided in the questionnaire. The average score must be converted into a severity index (i.e. a number between 1 and 100) that represents the extent of the loss/damage caused by the malware to the security of a computer system. Your assignment should include the completed questionnaire.

Questionnaire:

Based on the type of malicious actions that Zafi-B could take to potentially damage or disturb a computer system, give your assessment of the potential loss or damage that could be caused by that malware. Circle the number that represents your assessment, with 1 being low loss/damage and 10 being high loss/damage.

Circle one number per row (1 = low loss/damage, 10 = high loss/damage):

 1. Degree to which Zafi-B could modify critical corporate information               1 2 3 4 5 6 7 8 9 10
 2. Degree to which Zafi-B could delete critical corporate information               1 2 3 4 5 6 7 8 9 10
 3. Degree to which Zafi-B could allow intruders to access confidential info.         1 2 3 4 5 6 7 8 9 10
 4. Degree to which Zafi-B could allow misdirection of critical corporate info.       1 2 3 4 5 6 7 8 9 10
 5. Degree to which Zafi-B could allow the alteration of messages being transmitted   1 2 3 4 5 6 7 8 9 10
 6. Degree to which Zafi-B could lead to loss of customers' private information       1 2 3 4 5 6 7 8 9 10
 7. Degree to which Zafi-B could lead to violation of employees' private information  1 2 3 4 5 6 7 8 9 10
 8. Degree to which Zafi-B could slow down network services                           1 2 3 4 5 6 7 8 9 10
 9. Degree to which Zafi-B could shut down network services                           1 2 3 4 5 6 7 8 9 10
10. Degree to which Zafi-B could lead to loss of customers' faith and trust           1 2 3 4 5 6 7 8 9 10

Answer:

Use the Windows Calculator (Start/Accessories/Calculator) to compute the average score (a number between 1 and 10), and then convert that score into a severity index.

Average score: ______

Severity index: ______

5) Table 1 shows a severity analysis framework based on a survey conducted in 2006 to collect data for assessing the potential damage caused by any of the top 10 malware of the year 2006.

Table 1: Severity Analysis Framework

Malware Severity Index    Average System Downtime    Average Cost for Restoring Infected System
Between 1 and 20          3 hours                    $1800.00
Between 21 and 40         7 hours                    $2300.00
Between 41 and 60         10 hours                   $3000.00
Between 61 and 80         15 hours                   $3500.00
Between 81 and 100        20 hours                   $5000.00

The following box defines the concept of system availability and explains how to compute the availability of a system or a network device.

Availability: the probability that a particular system or its components will be available during a fixed time period. Availability is a function of:
– Mean time between failures, or MTBF (given by the manufacturer or generated from past performance)
– Mean time to repair, or MTTR (found in studies or in our archives)
The MTBF is the average time a device or system will operate before it fails.
The MTTR is the average time necessary to repair a failure.
Standard equation for calculating availability:
$A(t) = \frac{a}{a+b} + \frac{b}{a+b}\, e^{-(a+b)t}$
in which: a = 1/MTTR
b = 1/MTBF
e = the base of the natural logarithm
t = the time interval
Approximation equation for calculating Availability:
Availability% = (Total available time – Downtime)/Total available time
Example: A component has been operating continuously for three months. During that time, it has failed twice, resulting in downtime of 4.5 hours. Calculate the availability of the component during that three-month period using the Approximation method.
Total available time = 3 months = 3 x 30 x 24 = 2160 hours
Downtime = 4.5 hours
Availability% = (2160 – 4.5) / 2160 = 99%

Assume that the average system downtime mentioned in Table 1 above is the typical duration of a network’s downtime (or unavailability) during a 7-day week. Use the Approximation equation to calculate the availability of a network that has been affected by Zafi-B during a typical 7-day week.

Availability% = ______.
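The scoring steps of questions 4 and 5 carried through in code, as an added example that is not part of the worksheet. The ten Likert responses are constructed sample values, and the mapping "average score x 10" onto the 1-100 severity index is an assumption, since the worksheet does not say how that conversion is done; both availability equations are the ones in the box above.

```python
import math

# Added example (not from the worksheet). Likert responses are CONSTRUCTED;
# "average x 10" for the severity index is an ASSUMPTION (worksheet leaves it open).

# Table 1: (upper bound of severity band, average downtime in hours, restore cost in USD)
SEVERITY_TABLE = [(20, 3, 1800.0), (40, 7, 2300.0), (60, 10, 3000.0),
                  (80, 15, 3500.0), (100, 20, 5000.0)]
HOURS_PER_WEEK = 7 * 24  # the "typical 7-day week" of question 5


def average_score(responses):
    """Average of the ten Likert responses (each between 1 and 10)."""
    if len(responses) != 10 or any(not 1 <= r <= 10 for r in responses):
        raise ValueError("expected ten responses, each in 1..10")
    return sum(responses) / 10


def severity_index(avg):
    """ASSUMED conversion: scale the 1..10 average onto the 1..100 index."""
    return max(1, min(100, round(avg * 10)))


def table1_row(index):
    """Average downtime (hours) and restore cost for a severity index."""
    for upper, downtime, cost in SEVERITY_TABLE:
        if index <= upper:
            return downtime, cost
    raise ValueError("severity index must be between 1 and 100")


def availability_approx(total_hours, downtime_hours):
    """Worksheet approximation: (total available time - downtime) / total, in %."""
    return 100.0 * (total_hours - downtime_hours) / total_hours


def availability_exact(mtbf, mttr, t):
    """Worksheet standard equation A(t) = a/(a+b) + b/(a+b) * e^(-(a+b)t),
    with a = 1/MTTR and b = 1/MTBF; returned in %."""
    a, b = 1.0 / mttr, 1.0 / mtbf
    return 100.0 * (a / (a + b) + b / (a + b) * math.exp(-(a + b) * t))


if __name__ == "__main__":
    responses = [7, 6, 8, 5, 4, 6, 6, 8, 7, 7]        # constructed answers to rows 1-10
    idx = severity_index(average_score(responses))   # 6.4 -> 64
    downtime, cost = table1_row(idx)                 # band 61-80 -> 15 h, $3500
    print(f"severity index {idx}: {downtime} h downtime, ${cost:.2f} to restore")
    print(f"weekly availability: {availability_approx(HOURS_PER_WEEK, downtime):.2f}%")
    # Exact equation with one failure per week (MTBF = uptime, MTTR = downtime):
    # for large t it settles at MTBF/(MTBF+MTTR), the same value as the approximation.
    print(f"steady state: {availability_exact(HOURS_PER_WEEK - downtime, downtime, 1e6):.2f}%")
```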

6) You have received an email on your Hotmail email account. In the email, the sender claims to be in China. How could you check the TCP/IP headers of the email message to determine whether or not the claim is true? Visit and explain, in detail, the steps you will go through to check the TCP/IP headers and determine the source IP address of the computer used to send the message you have received. Write your answer in the following text box. Be concise.
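The header walk that questions 6 to 9 ask for, as an added example that is not part of the worksheet: unfold the raw headers, read the Received: lines from the bottom up (each mail server prepends its own line, so the last one is closest to the sender), and pull out the originating IP and the receiving server. The headers, hostnames and IP addresses below are constructed placeholders from documentation address ranges, not the instructor's message.

```python
import re

# Added example (not from the worksheet). SAMPLE_HEADERS is CONSTRUCTED; the
# hostnames and IPs are placeholders from documentation ranges.
SAMPLE_HEADERS = """\
Received: from mx.example-university.edu (mx.example-university.edu [198.51.100.25])
\tby mail.example-university.edu with ESMTP id ABC123
\tfor <student@example-university.edu>; Tue, 19 Jan 2010 10:15:02 -0600
Received: from sender-pc (unknown [203.0.113.77])
\tby mx.example-university.edu with SMTP id XYZ789;
\tTue, 19 Jan 2010 10:14:58 -0600
From: "Someone" <someone@example.net>
Subject: Security 1

message body
"""

# from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]*)\s*\[([\d.]+)\]\)\s+by\s+(\S+)")


def unfold_headers(raw):
    """Join continuation lines (starting with space/tab) onto their header;
    the first blank line ends the header block."""
    lines = []
    for line in raw.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line:
            lines.append(line)
        else:
            break
    return lines


def received_hops(raw):
    """Received: hops in transit order: the LAST Received: line in the message
    is the first hop, nearest the sender, so the list is reversed."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.search(line) if line.lower().startswith("received:") else None
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2),
                         "ip": m.group(3), "by": m.group(4)})
    return list(reversed(hops))


def trace(raw):
    """Sender IP and receiving server. Caveat: only hops written by your own
    mail servers are trustworthy; a sender can forge the earlier lines."""
    hops = received_hops(raw)
    return {"sender_ip": hops[0]["ip"], "sender_rdns": hops[0]["rdns"],
            "first_server": hops[0]["by"], "receiving_server": hops[-1]["by"]}
```

The city and country of the sender's IP (questions 7 and 9) still need a web-based IP locator, which this offline example does not perform.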

7) Open your EIU email account and select the messages you have received from the class instructor with Security 1 in the Subject field. Then, do the following:

  1. Display the TCP/IP headers of the selected message. Select the message headers. Then, copy and paste the selected headers in the following text box. You may need to adjust the size of the text box so that the whole headers you pasted appear. Make sure the formatting of the headers (like the line breaks, etc.) looks like the headers in the EIU email window you copied the headers from.
  2. Provide the following information based on your reading of the TCP/IP headers.

IP address of the computer used to send the message: ______

IP address of your email server (i.e. the server that received the message):______

Domain name of your email server (i.e. the server that received the message):

______

  3. Determine the location of the computer used to send the message by providing the name of the city, state, and country. You can use any web-based IP locator to answer this question.

City: ______

State: ______

Country: ______

8) Examine the printout provided in the Appendix of this assignment and determine the sender's IP address, as well as the host/domain name of the sender's email server and its corresponding IP address.

Sender's IP address: ______

Server’s host name: ______
Server’s IP Address: ______

9) The sender of the email shown in the Appendix claims to be in North Korea when he sent the message. Use the Internet and your investigative knowledge to determine the city and the country where the computer used to send the message is located.

City: ______

Country: ______

Appendix

In-ClassExercise1-S09.doc