Case Study 6

➢ Prepare your findings and submit them to Dropbox by the deadline.
➢ Failure to submit will result in a zero mark.

Case Study grades:

  Case Study 1    10
  Case Study 2     5
  Case Study 3     5
  Case Study 4    10
  Case Study 5    10
  Case Study 6    10
  Case Study 7    10
  Case Study 8    10
  Total           70

Submission:
• Two tasks
  o One report (no word count)
    ▪ Task 1 report (3.50 Points)
    ▪ Task 2 report (3.50 Points)
  o One presentation (PowerPoint slides)
    ▪ Presentation for Tasks 1 & 2 (3 points)
  o Failure to present Tasks 1 & 2 will result in a zero grade for the whole case study.
  o One submission per team

Deliverable

➢ The case study is teamwork.
➢ Students cannot change their team.
➢ Teams will be self-managed.
➢ Compile the information you found through the team's effort.
➢ The deadline for the case study is Wednesday March 18 by 11:00pm.
➢ Teams present ONLY the PowerPoint submitted to Dropbox.
➢ Present the case study to the instructor on Thursday March 19, during class time.
➢ Presentation duration is 10 minutes
  a. It will be timed and cut off if it runs over 10 minutes.
  b. Less than 8 minutes is zero (0).
➢ All team members should present a part of the presentation.
➢ READING FROM SLIDES results in a zero mark for the case study.
➢ If a team member fails to present his/her part, the rest of the team should do the presentation, and the grade of the team member who failed to present will be zero.
➢ On a team case study, only those individuals who fully participate in the efforts necessary to complete the case study will receive credit.
➢ Those individuals who do not participate will be assigned a grade of zero (0).
➢ All team members should work on both tasks.
➢ During the presentation, there may be random questions about both tasks that all team members should be able to answer.
➢ Failure to submit and demonstrate will result in a zero mark for the case study.

Contribution table

Team Contribution Table (you need to clearly identify each member's contribution to the team)

  Name              Contribution
  ________________  ________________________________
  ________________  ________________________________

Task 1

The Help Desk at the College of Engineering at Penn State University has special privileges. It can fix user access problems, bypassing normal access control procedures. How did this come about, you might wonder? Years ago, an Electrical Engineering professor with considerable prestige in the College was unable to submit a grant proposal because he had accidentally locked his Engineering account over the weekend. The Dean of the College and the Department Chair were extremely unhappy. As a "temporary" solution, student workers at the Help Desk were given administrative privileges to the Engineering domain so that they could change passwords and unlock accounts without inconveniencing the faculty and staff. Years later, the so-called "temporary solution" has become permanent, and quick response over the weekend is expected by all users.

One Saturday morning, Adam, a new student hired as a Help Desk employee, decides, against the College's policy, to install a BitTorrent client on his Help Desk computer. Later in the week, an investigation into reports of sluggish computers leads to the discovery of a botnet installation on most of the computers in the College. After days of investigation, the source of the botnet installations is discovered when a keylogger is found on the machine Adam used.
He had inadvertently installed malware on the machine together with the BitTorrent installation, and the keylogger malware had captured Adam's credentials.

The College Dean has asked you to have a report on his desk as soon as possible covering the following:

1. List the threats and vulnerabilities that allowed this situation to occur.
2. Classify all the events found in 1 above, including:
   a. Asset affected, including asset classification and characterization
   b. Threat agent (including internal, external, or partner)
   c. Threat action (type, etc.)
   d. Vulnerability used
3. What recommendations would you make to the Dean going forward?
4. In your opinion, what should be done with Adam, the student recently hired to the Help Desk position?

Task 2

The following is a summary of an incident you investigated for central IT.

APPSERVER1 was compromised in the evening of February 29, 2013. The hacker had access to the machine for about 1 hour. During his/her time accessing the machine, the hacker tried to access other machines within the University network using a set of six different credentials.

The following investigative methods were used to determine the extent of the break-in:

• Extensive forensics investigation using forensic toolkits to determine the timeline of the events and to locate and extract log files, backdoors, and possible keyloggers.
• Windows event logs were recovered and examined in detail.
• Inbound and outbound network connections to and from APPSERVER1 were examined as well.
• Special attention was paid to inbound and outbound traffic to the database server DB1, which holds restricted personal data for the university.

The hacker used a known password to Remote Desktop into the APPSERVER1 application front-end server. Further investigation revealed a list of credentials that seemed to have been compromised previously. The credential used by the hacker to access APPSERVER1 was the only one still valid at the time.
Password expiration at the university is set to 180 days.

1. List the threats and vulnerabilities that allowed this situation to occur.
2. Classify all the events found in 1 above, including:
   a. Asset affected, including asset classification and characterization
   b. Threat agent (including internal, external, or partner)
   c. Threat action (type, etc.)
   d. Vulnerability used
3. When was the incident discovered, and how?
4. What would be your recommendations for improvement?
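The Task 2 summary describes two things an investigator would check in the recovered Windows event logs: an RDP logon to APPSERVER1 followed, within about an hour, by attempts to reach other hosts with several different credentials, and which of the previously leaked credentials were still inside the 180-day password-expiration window. The script below is an added example written for this handout (it is not part of the assignment, and not any university tool). It runs the two checks over a constructed set of events: the event IDs 4624 (successful logon), 4648 (logon with explicit credentials) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values, but the flattened field names, host names other than APPSERVER1 and DB1, accounts, addresses, timestamps and PasswordLastSet dates are all made up for the example.

```python
from datetime import datetime, timedelta

# Real Windows Security event IDs and logon type used by the rule.
LOGON_SUCCESS = 4624             # "An account was successfully logged on"
EXPLICIT_CREDENTIAL_LOGON = 4648  # "A logon was attempted using explicit credentials"
REMOTE_INTERACTIVE = 10          # LogonType for RDP / Terminal Services sessions
RESTRICTED_HOSTS = {"DB1"}       # DB1 holds restricted personal data (from the summary)

# Constructed sample of events exported from APPSERVER1. The field names are a
# hypothetical flattening of the real event schemas; values are invented.
SAMPLE_EVENTS = [
    {"time": "2013-03-01 08:30:00", "event_id": 4624, "logon_type": 2,
     "user": "localadmin", "src_ip": "-", "target_user": None, "target_server": "APPSERVER1"},
    {"time": "2013-03-01 20:02:10", "event_id": 4624, "logon_type": 10,
     "user": "svc_app", "src_ip": "203.0.113.45", "target_user": None, "target_server": "APPSERVER1"},
    {"time": "2013-03-01 20:05:44", "event_id": 4648, "logon_type": None,
     "user": "svc_app", "src_ip": "-", "target_user": "dbadmin", "target_server": "DB1"},
    {"time": "2013-03-01 20:09:12", "event_id": 4648, "logon_type": None,
     "user": "svc_app", "src_ip": "-", "target_user": "jdoe", "target_server": "FILESRV2"},
    {"time": "2013-03-01 20:14:30", "event_id": 4648, "logon_type": None,
     "user": "svc_app", "src_ip": "-", "target_user": "backup", "target_server": "DB1"},
    {"time": "2013-03-01 20:21:05", "event_id": 4648, "logon_type": None,
     "user": "svc_app", "src_ip": "-", "target_user": "webadmin", "target_server": "WEB3"},
    {"time": "2013-03-01 20:33:50", "event_id": 4648, "logon_type": None,
     "user": "svc_app", "src_ip": "-", "target_user": "ops", "target_server": "DB1"},
    {"time": "2013-03-01 20:47:19", "event_id": 4648, "logon_type": None,
     "user": "svc_app", "src_ip": "-", "target_user": "admin_old", "target_server": "DC1"},
    # A later explicit-credential logon outside the one-hour window (a scheduled job).
    {"time": "2013-03-01 23:30:00", "event_id": 4648, "logon_type": None,
     "user": "svc_app", "src_ip": "-", "target_user": "dbadmin", "target_server": "DB1"},
]

# Constructed list of previously leaked (account, PasswordLastSet) pairs and a
# constructed incident time, used for the 180-day expiration check.
LEAKED_CREDENTIALS = [
    ("svc_app", datetime(2012, 12, 15)),
    ("jdoe", datetime(2012, 6, 1)),
    ("dbadmin", datetime(2012, 8, 20)),
    ("backup", datetime(2012, 7, 4)),
    ("webadmin", datetime(2012, 8, 1)),
    ("ops", datetime(2012, 5, 10)),
]
INCIDENT_TIME = datetime(2013, 3, 1, 20, 0)


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def rdp_logons(events):
    """Successful RemoteInteractive (RDP) logons only; console logons are ignored."""
    return [e for e in events
            if e["event_id"] == LOGON_SUCCESS and e["logon_type"] == REMOTE_INTERACTIVE]


def lateral_credential_use(events, window=timedelta(hours=1), min_accounts=3):
    """Flag each RDP session after which the same account attempts explicit-credential
    logons to other hosts using at least `min_accounts` distinct target accounts
    inside `window`. Returns one finding dict per flagged session."""
    findings = []
    for rdp in rdp_logons(events):
        start = _t(rdp["time"])
        end = start + window
        attempts = [e for e in events
                    if e["event_id"] == EXPLICIT_CREDENTIAL_LOGON
                    and e["user"] == rdp["user"]
                    and start <= _t(e["time"]) <= end]
        accounts = sorted({a["target_user"] for a in attempts})
        if len(accounts) >= min_accounts:
            findings.append({
                "session_user": rdp["user"],
                "src_ip": rdp["src_ip"],
                "session_start": rdp["time"],
                "accounts_tried": accounts,
                "targets": sorted({a["target_server"] for a in attempts}),
                "touched_restricted": any(a["target_server"] in RESTRICTED_HOSTS
                                          for a in attempts),
            })
    return findings


def credentials_still_valid(credentials, as_of, max_age_days=180):
    """Return the accounts whose password had not yet reached the policy's maximum
    age at `as_of`, i.e. the leaked credentials that would still have worked."""
    limit = timedelta(days=max_age_days)
    return sorted(name for name, last_set in credentials if as_of - last_set < limit)


if __name__ == "__main__":
    for f in lateral_credential_use(SAMPLE_EVENTS):
        print(f"RDP session by {f['session_user']} from {f['src_ip']} at {f['session_start']}: "
              f"{len(f['accounts_tried'])} accounts tried against {f['targets']} "
              f"(restricted host touched: {f['touched_restricted']})")
    print("Leaked credentials still valid at incident time:",
          credentials_still_valid(LEAKED_CREDENTIALS, INCIDENT_TIME))
```

The one-hour window and the threshold of three distinct accounts are parameters, not fixed facts from the summary; on a real export the same rule would be run per host and the 4648 events would be correlated with the corresponding 4624/4625 events on the target servers to confirm which attempts succeeded.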