Protecting Embedded OSs
Case 1: Protecting Embedded OSs on the Alexander Rocco Network
After performing enumeration tests, you discover that the network consists of 5 systems running Windows 10 IoT, 2 systems running Windows Server 2008 R2 for Embedded Systems, 23 systems running Jetdirect, and 5 network appliances running embedded Linux.
Question
a. Based on this information, write a one-page memo to Bob Jones, the IT manager, outlining possible weaknesses or vulnerabilities in these systems. The memo should include recommendations to reduce the risk of network attacks and cite specific CVE entries (check www.cve.mitre.org).
==============================================================================
Case 2: Identifying Vulnerable Systems That Can’t Be Patched
You discover that some devices on the Alexander Rocco network can’t be patched against a buffer overflow attack because of FDA certification requirements.
Question
a. What recommendations can you make to reduce the risk these systems pose?
==============================================================================
Case 3: Identifying Vulnerabilities in Mobile Phones
More than three billion mobile phones are in use worldwide, and more people now reach the Internet with mobile phones than they do with desktop computers. Even if your phone can’t browse the Web, it probably has some limited Web capability and is at least part of a huge cell phone network. Have you ever thought about someone hacking your phone?
Question
a. Research your phone model on the Internet to determine what OS it uses and any existing or potential vulnerabilities. For example, could your phone be used as a covert listening device, to send text message spam, or to perform a DoS attack? Be creative, but use real information that you find in your research. Write a one- to two-page report on your findings.
==============================================================================
Case 4: Determining Vulnerabilities of Web Servers
After conducting preliminary security testing on the Alexander Rocco Corporation network, you have identified that the company has seven Web servers. One is a Windows 2003 Server system running IIS 6.0. Curt Cavanaugh, the Webmaster and network administrator, says the Web server is used only by sales personnel as a front end to update inventory data on an Oracle database server. He says this procedure needs to be done remotely, and it’s convenient for sales personnel to use a Web browser when out of the office.
Question
a. Based on this information, write a one-page report on any possible vulnerabilities in the current configuration of the company’s Web server. Use the tools and techniques you have learned to search for possible vulnerabilities of IIS 6.0. Your report should include any recommendations that might increase Web security.
==============================================================================
Case 5: Discovering Web Application Attack Tools
After discovering that Alexander Rocco Corporation has multiple Web servers running on different platforms, you wonder whether your security tools can assess Web application vulnerabilities thoroughly. You have only two tools for conducting Web security tests: Wapiti and Wfetch.
Question
a. Based on this information, write a two-page report on other tools for security testers conducting Web application vulnerability testing. Use the skills you have gained to search the Internet and explore the Kali DVD to find tools for Windows and *nix platforms. The report should state the tool’s name, describe the installation method, and include a brief description of what the tool does.