Question

What three principles are used to define the C.I.A. triad? Define each in the context in which it is used in information security.


Most Viewed Questions Of Cyber Security

Southern New Hampshire University
CIA Triad and Fundamental Security Design Principles

The terms listed below are essential in the field of cybersecurity and will be a topic of conversation and application throughout the program. It is therefore important for you to familiarize yourself with these terms and their definitions. Note that the CIA triad is sometimes referred to as the tenets of cybersecurity. The Fundamental Security Design Principles are sometimes called fundamental design principles, cybersecurity first principles, the cornerstone of cybersecurity, and so on.

CIA Triad
Information that is secure satisfies three main tenets, or properties, of information. If you can ensure these three tenets, you satisfy the requirements of secure information (Kim & Solomon, 2013).
• Confidentiality: Only authorized users can view information (Kim & Solomon, 2013).
• Integrity: Only authorized users can change information (Kim & Solomon, 2013).
• Availability: Information is accessible by authorized users whenever they request the information (Kim & Solomon, 2013).

Fundamental Security Design Principles
These principles offer a balance between aspirational (and therefore unobtainable) "perfect security," and the pragmatic need to get things done. Although each of the principles can powerfully affect security, the principles have their full effect only when used in concert and throughout an organization. These principles are a powerful mental tool for approaching security: one that doesn't age out of usefulness or apply only to a few specific technologies and contexts; one that can be used for architecture, postmortem analysis, operations, and communication. The principles are ultimately only one piece in the security practitioner's toolkit, but they are a flexible piece that will serve different roles for different people (Sons, Russell, & Jackson, 2017).
• Abstraction: Removal of clutter. Only the needed information is provided for an object-oriented mentality. This is a way to allow adversaries to see only a minimal amount of information while securing other aspects of the model (Tjaden, 2015).
• Complete Mediation: All accesses to objects should be checked to ensure that they are allowed (Bishop, 2003).
• Encapsulation: The ability to only use a resource as it was designed to be used. This may mean that a piece of equipment is not being used maliciously or in a way that could be detrimental to the overall system (Tjaden, 2015).
• Fail-Safe Defaults / Fail Secure: The theory that unless a subject is given explicit access to an object, it should be denied access to that object (Bishop, 2003).
• Information Hiding: Users having an interface to interact with the system behind the scenes. The user should not be worried about the nuts and bolts behind the scenes, only the modes of access presented to them. This topic is also integrated with object-oriented programming (Tjaden, 2015).
• Isolation: Individual processes or tasks running in their own space. This ensures that the processes will have enough resources to run and will not interfere with other processes running (Tjaden, 2015).
• Layering: Having multiple forms of security. This can be from hardware or software, but it involves a series of checks and balances to make sure the entire system is secured from multiple perspectives (Tjaden, 2015).
• Least Astonishment (Psychological Acceptability): Security mechanisms should not make the resource more difficult to access than when security mechanisms were not present (Bishop, 2003).
• Least Privilege: The assurance that an entity only has the minimal amount of privileges to perform their duties. There is no extension of privileges to senior people just because they are senior; if they don't need the permissions to perform their normal everyday tasks, then they don't receive higher privileges (Tjaden, 2015).
• Minimization of Implementation (Least Common Mechanism): Mechanisms used to access resources should not be shared (Bishop, 2003).
• Minimize Trust Surface (Reluctance to Trust): The ability to reduce the degree to which the user or a component depends on the reliability of another component (Bishop, 2003).
• Modularity: The breaking down of larger tasks into smaller, more manageable tasks. These smaller tasks may be reused, and therefore the process can be repurposed time and time again (Tjaden, 2015).
• Open Design: The security of a mechanism should not depend on the secrecy of its design or implementation (Bishop, 2003).
• Separation (of Domains): The division of power within a system. No one part of a system should have complete control over another part. There should always be a system of checks and balances that leverage the ability for parts of the system to work together (Tjaden, 2015).
• Simplicity (of Design): The straightforward layout of the product. The ability to reduce the learning curve when analyzing and understanding the hardware or software involved in the information system (Tjaden, 2015).
• Trust Relationships: A logical connection that is established between directory domains so that the rights and privileges of users and devices in one domain are shared with the other (PC Magazine, 2018).
• Usability: How easy hardware or software is to operate, especially for the first-time user. Considering how difficult applications and websites can be to navigate through, one would wish that all designers took usability into greater consideration than they do (PC Magazine, 2018).

References
Bishop, M. (2003). Computer security: Art and science. Boston, MA: Addison-Wesley Professional.
Kim, D., & Solomon, M. G. (2013). Fundamentals of information systems security (2nd ed.). Burlington, MA: Jones & Bartlett Publishers.
PC Magazine. (2018). Encyclopedia. Retrieved from https://www.pcmag.com/encyclopedia
Sons, S., Russell, S., & Jackson, C. (2017). Security from first principles. Sebastopol, CA: O'Reilly Media, Inc.
Tjaden, B. C. (2015). Appendix 1: Cybersecurity first principles. Retrieved from https://users.cs.jmu.edu/tjadenbc/Bootcamp/0-GenCyber-First-Principles.pdf


Part A: Guided file recovery
Use either your host system or a Windows VM to complete this lab. You will need the disk image dfr-01-ntfs.dd.bz2 and the tool AccessData FTK Imager, which must be installed. Reference tutorial: https://eforensicsmag.com/how-to-investigate-files-with-ftk-imager/
1. Unzip the disk image to obtain the original file dfr-01-ntfs.dd, then open it from FTK using the menu option Add Evidence Item. Finally, expand the evidence tree up to [root] and click on $MFT in the file list pane. Explain what this special file contains and what its general purpose is.
2. After clicking on $MFT, on the viewer pane at the bottom, the contents are divided into sections each beginning with FILE0. This is called the magic marker. Select the 5 characters and check their hexadecimal value. What is it? How many hex digits are needed for each ASCII character?
3. Scroll down to the last magic markers, belonging to the files Arcturus.txt, Bunda.txt and Castor.txt. Focus on the first of these three files. Right click on its magic marker and select Find. Look for the binary string "80000000". After this string you will see "48 00 00 00". What are the next 2 hex digits? What is their meaning?
4. Four lines below "80 00 00 00", you will find the hex digits "21 01", where 21 is the data run and 01 is the number of clusters this file takes, that is, the size in clusters. To know the exact amount of bytes a cluster takes, click on "NTFS" on the Evidence Tree pane and enable the Properties view from the top menu. Capture a screenshot of its properties. What is then the size of Arcturus.txt in bytes?
5. Click back on [root] → $MFT and locate again the hex digits "21 01" below "80 00 00 00". Select the next 3 hex digits after "21 01". This would be the cluster where the actual data is located, but you need to convert it from hexadecimal to decimal. To do so, enable the Hex Value Interpreter pane from the top menu, option View. Capture a screenshot showing the hex value and its decimal conversion.
6. You now have the 1st cluster and the number of clusters, which is one (this is a small file taking 4096 bytes or less). To recover the data, click on "NTFS" in the Evidence Tree pane. Then, on the bottom right pane, right click, select "Go to sector/cluster", and enter the decimal number you converted. Capture a screenshot before accepting.
7. Look at the bottom for a reference to the file Arcturus.txt. Right click on the 1st hex digit, which is "0A", and choose "Set Selection Length". Enter the cluster size in bytes. Without undoing the selection, right click on it and choose "Save selection...", then save to a file named recovered.dat on the Desktop. Capture a screenshot of the file properties from Windows OS.
8. Open it with WordPad and scroll down to the last block. Capture a screenshot.
Part B: Another simple file recovery
In this section you will recover the file Castor.txt following the same steps. Answer all questions and capture a screenshot of each finding or relevant information.
9. Is it a file or a directory? Prove it, as well as that it has not been deleted.
10. This file only takes one cluster. What is the 1st and only cluster? Show it both in hex and decimal.
11. In the file's data there is a reference to the file and many plus signs. Show the reference to the file and the first line of plus signs.
Part C: Using Autopsy
Copy dfr-01-ntfs.dd.bz2, which must be uncompressed, to your Kali Linux VM. Then, using Autopsy, follow the steps below, capturing relevant screenshots and answering all questions.
12. Create a new case. Show the form you filled in.
14. After adding the image, analyze the NTFS filesystem. Choose File Analysis. Capture the data at the bottom, which correspond to the txt files.
15. Why are two of them in red? Why is the last file shown twice?
16. Click on Bunda.txt and scroll to the last lines of this file. Capture them.
17. Browse the different options on the top menu to find out what the original operating system was. Prove it.
Part D: Conceptual questions
18. Discuss what files can be recovered (if any) in each of these scenarios using tools similar to those you used in this lab. Assume the filesystem is NTFS in all cases.
A) A file deleted using the file explorer and sent to the recycling trash.
B) A file deleted using the file explorer, directly removed.
C) Files belonging to a drive formatted with the quick format option.
D) Files belonging to a drive formatted without the quick format option (full format).
19. Why should you avoid mounting the disk image as an actual drive?

6. The webserver's logs were stored originally in the standard directory /var/log. Therefore, to access them you need to mount the corresponding logical volume on /mnt/blog/var and access them using the new path /mnt/blog/var/log. Capture a screenshot of the corresponding mount and ls commands.
7. Execute "mount" without parameters and double check that both filesystems are mounted as read-only. Why do we need to make sure? What would happen if forensic evidence were altered somehow?
Part B: Logs analysis
Based on the information in ENISA_Webserver_Analysis.pdf, provided with the lab, you need to analyze the webserver logs as part of your forensic investigation. The server with IP 195.251.97.97, which runs WordPress and hosts http://blog[.]mycompany[.Jex, was compromised on August 19th, 2016. Refer to section 3.4.1 as a guideline, but you do not need to perform all tasks.
8. Move to /mnt/blog/var/log/apache2 to find Apache's logs. Execute "tail -5 access.log" to get familiar with the fields found in every single entry. What browser was used in the last log entry?
9. The first field is the IP address of the system that accessed the webserver. As you can see, the last entries show the server itself. To avoid them, use the parameter -v in grep. Show the last 3 lines that do not relate to the server itself, either by 195.251.97.97 or ::1.
10. You can observe that the IP address in these lines is 10.0.0.15, but there could be other IP addresses. Obtain them all using the command-line example in the PDF that combines cat, awk, sort and uniq.
11. Nonetheless, most connections originate from this local IP address. Execute "grep ^10.0.0.15 access.log | tail -5". It seems the attacker uploaded a file c99.php somewhere in the WordPress document root. Usually WP's document root is under /var/www/html. However, we are working with everything mounted under /mnt/blog. Therefore, the full path is /mnt/blog/var/www/html. Move there, then to the wordpress directory. From this point on, you need to move to where the file c99.php is, as per the information you observed in the log. What is the full path of this file?
12. Move to the folder (you can press TAB to complete the directories' names). Execute "head -20 c99.php". What is suspicious?
13. What kind of file is it (other than a PHP script), used by attackers to gain persistence?
14. What are 3 ways of mitigating vulnerabilities in jQuery-File-Upload?
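The $MFT walk-through in Part A (steps 3 to 7) can be reproduced in code. The following Python is an added example, not part of the lab handout or of dfr-01-ntfs.dd: it locates the 0x80 ($DATA) attribute in a FILE record, decodes its run list and turns the clusters into byte offsets, and beyond the lab's single one-cluster run it also handles fragmented and sparse runs. The record it parses is constructed by build_sample_record; the function names are the example's own.

```python
import struct

ATTR_DATA = 0x80        # $DATA attribute type id (the "80 00 00 00" of step 3)
ATTR_END = 0xFFFFFFFF   # end-of-attributes marker


def decode_runlist(run):
    """Return [(first_cluster, cluster_count), ...] from an NTFS run list.

    Header byte: low nibble = size of the length field, high nibble = size of
    the offset field. "21 01 4C 2A" is a 1-byte length (1 cluster) and a 2-byte
    offset (0x2A4C = 10828). Offsets are signed and relative to the previous
    run; an offset size of 0 marks a sparse run with no clusters on disk.
    """
    runs, lcn, pos = [], 0, 0
    while pos < len(run) and run[pos] != 0x00:      # 0x00 terminates the list
        len_size, off_size = run[pos] & 0x0F, run[pos] >> 4
        pos += 1
        length = int.from_bytes(run[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))              # sparse run
            continue
        lcn += int.from_bytes(run[pos:pos + off_size], "little", signed=True)
        pos += off_size
        runs.append((lcn, length))
    return runs


def find_data_runs(record):
    """Walk the attributes of a FILE record; return (real_size, runs) of $DATA."""
    if record[0:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    pos = struct.unpack_from("<H", record, 0x14)[0]      # first attribute offset
    while True:
        attr_type, attr_len = struct.unpack_from("<II", record, pos)
        if attr_type == ATTR_END:
            raise LookupError("record has no $DATA attribute")
        if attr_type == ATTR_DATA:
            if record[pos + 0x08] == 0:                  # non-resident flag
                raise ValueError("resident $DATA: content lives inside the record")
            run_off = struct.unpack_from("<H", record, pos + 0x20)[0]   # 0x40: "four lines below"
            real_size = struct.unpack_from("<Q", record, pos + 0x30)[0]
            return real_size, decode_runlist(record[pos + run_off:pos + attr_len])
        pos += attr_len


def byte_extents(runs, cluster_size=4096):
    """Cluster runs -> (byte offset, byte length) on the volume, for carving."""
    return [(lcn * cluster_size, n * cluster_size) for lcn, n in runs if lcn is not None]


def build_sample_record(runlist, real_size, cluster_size=4096):
    """Constructed minimal MFT record: FILE0 header plus one non-resident $DATA."""
    total = sum(n for _, n in decode_runlist(runlist))
    runs = runlist + b"\x00"
    attr_len = (0x40 + len(runs) + 7) & ~7               # attributes are 8-byte aligned
    attr = bytearray(attr_len)
    struct.pack_into("<IIB", attr, 0, ATTR_DATA, attr_len, 1)        # type, length, non-resident
    struct.pack_into("<QQH", attr, 0x10, 0, total - 1, 0x40)         # first/last VCN, run offset
    struct.pack_into("<QQQ", attr, 0x28, total * cluster_size, real_size, real_size)
    attr[0x40:0x40 + len(runs)] = runs
    head = bytearray(0x38)
    head[0:4] = b"FILE"
    struct.pack_into("<HH", head, 0x04, 0x30, 3)         # update sequence at 0x30: the "0" of FILE0
    struct.pack_into("<HH", head, 0x14, 0x38, 0x01)      # first attribute offset; flags: in use
    return bytes(head) + bytes(attr) + struct.pack("<I", ATTR_END)
```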
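For Part B (steps 9 to 11 and 13), this added Python example, which is not from the lab or the ENISA report, does what the grep -v and cat/awk/sort/uniq commands do and then flags the pattern those steps lead to: a .php file being served out of an upload directory. The log lines in SAMPLE_LOG and the upload path in them are constructed; only the server addresses 195.251.97.97 and ::1 come from the lab.

```python
import re
from collections import Counter

SERVER_ADDRESSES = {"195.251.97.97", "::1"}     # the server itself (step 9)
UPLOAD_DIRS = ("/uploads/", "/files/")          # should hold data, never executable code

# Apache combined log format: ip ident user [time] "req" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample log, not taken from the lab image.
SAMPLE_LOG = """\
10.0.0.15 - - [19/Aug/2016:10:02:11 +0300] "GET /wordpress/ HTTP/1.1" 200 9125 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0"
10.0.0.21 - - [19/Aug/2016:10:03:40 +0300] "GET /wordpress/?p=1 HTTP/1.1" 200 7320 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/52.0"
10.0.0.15 - - [19/Aug/2016:10:04:19 +0300] "POST /wordpress/wp-content/uploads/ HTTP/1.1" 200 312 "-" "curl/7.50.1"
10.0.0.15 - - [19/Aug/2016:10:04:27 +0300] "GET /wordpress/wp-content/uploads/c99.php HTTP/1.1" 200 48112 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0"
195.251.97.97 - - [19/Aug/2016:10:05:00 +0300] "GET /wordpress/wp-cron.php HTTP/1.1" 200 0 "-" "WordPress/4.5.3"
::1 - - [19/Aug/2016:10:05:01 +0300] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache (internal dummy connection)"
"""


def parse(line):
    """Split one log line into named fields; None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def client_entries(log_text, exclude=SERVER_ADDRESSES):
    """grep -v of the server's own addresses (step 9), returned as parsed entries."""
    return [e for e in map(parse, log_text.splitlines()) if e and e["ip"] not in exclude]


def ip_counts(entries):
    """awk '{print $1}' | sort | uniq -c (step 10): requests per client address."""
    return Counter(e["ip"] for e in entries)


def php_in_upload_dirs(entries):
    """Steps 11 and 13 as a detection: a .php file requested from an upload
    directory is the signature of a web shell dropped through an unrestricted
    file upload. Returns (ip, path, status) for every such request."""
    hits = []
    for e in entries:
        path = e["path"].split("?", 1)[0].lower()     # drop the query string
        if path.endswith(".php") and any(d in path for d in UPLOAD_DIRS):
            hits.append((e["ip"], e["path"], e["status"]))
    return hits
```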


Part II: Hands-on Practices
1. Given stack0.c and stack1.c, please follow the files to create a simple program in C that has a buffer overflow vulnerability, then exploit it! Please submit the source code of your program and the input you used to overflow it.
2. Write a shell script that simulates a port scan on a given IP range. Here you may use ping or other tools in Kali Linux.


Consider the following scenario. A team within your organization has brought in a WiFi access point and connected it to a mobile phone to share its Internet connection with the team, bypassing all controls your security personnel have put in place for devices attached to your network. The team insists that this connection is business critical and cannot be shut down without a workable alternative. They've asked you to come in and help them figure out how to conduct their business tasks while maintaining compliance with cybersecurity policies. Identify what controls you would recommend that implement the principles of defense in depth while permitting the work the team needs to complete. Classify those recommended controls according to their objective (prevent, deter, correct, etc.). Justify these choices with reference to the risks they're intended to mitigate.


Before you respond to this discussion, review the YouTube video "What is the Cyber Kill Chain?" in the Readings and Instructional Material section of Week 5.
• How can you apply the concepts from this video as part of an overall cybersecurity and cyber resilience strategy?
• What processes, tools, and techniques do you think would be effective to discover and disrupt a cyber-attack while it's underway?
This week's chapter of the course textbook focuses on threats, vulnerabilities, and the management processes needed to address them within the cybersecurity and cyber resilience strategy. Chapter 4, Cyber Threats, Vulnerabilities and Intelligence Analysis (Siegel and Sweeney 2020). https://www.youtube.com/watch?v=zhClg4cLemc


Open a Web browser and search for the "OWASP Top Ten." Visit the site. What information is provided here? What does it mean? How could a security manager use this information?


CYB 260 Project Three Guidelines and Rubric
Service Level Agreement Requirement Recommendations

Overview
Once security requirements have been defined, an organization must have a way to ensure these requirements are satisfied. Security controls are safeguards or countermeasures implemented by organizations to protect all types of assets (data, physical, personnel, etc.) from threats to confidentiality, integrity, or availability. Trade groups such as the Center for Internet Security (CIS), the International Organization for Standardization (ISO), and the National Institute of Standards and Technology (NIST) provide collections of security controls intended to address critical areas of cybersecurity concern; however, these guidelines provide different levels of detail, vary in prescriptiveness, and apply to different industries and organizational structures. Ultimately, it is up to each organization to determine how to best implement security controls to meet an organization's expectations for asset protection. As such, the security practitioner's role centers around the selection, design, implementation, and management of the policies, procedures, standards, and guidelines designed to implement these controls.
In the milestone assignment for this project, you examined employee training as a control measure to reduce the incidents and effects of social engineering. As you saw, training is a key method for incorporating security best practices. However, it is not the only type of control measure relied on by cybersecurity professionals. In this project, you will incorporate instructor feedback on the milestone as you envision a more comprehensive approach to security controls at an organization. In this project, you will analyze requirements, select appropriate security controls, and specify methods to implement your selected controls to satisfy the requirements.
You will demonstrate your mastery of the following course competency:
• Design security controls and practices for humans in the system

Scenario
Your instructor will provide you with the specific scenario for this project in an announcement. This scenario places you in the role of a security consultant for an organization. The scenario will include additional requirements related to the proposal you addressed in Projects One and Two. To complete this task, you will prepare service level agreement requirement recommendations for the internal stakeholder board identifying an approach to meeting the requirements in the scenario.

Prompt
Prepare a brief that outlines the requirement recommendations for the service level agreement and describes your approach to meeting the requirements of the scenario. You must address the critical elements listed below. The codes shown in brackets indicate the course competency to which each critical element is aligned.
I. Select two sub-controls that address the requirements of the scenario.
A. Control One: Justify how your selected control type (i.e., policy, standard, procedure, or guideline) and implementation will meet the requirements.
B. Control Two: Justify how your selected control type (i.e., policy, standard, procedure, or guideline) and implementation will meet the requirements.
II. Describe the necessity for a training program to address a specific social engineering threat.
III. Describe the expected outcomes of a training program that addresses the social engineering threat you identified in the previous critical element.


Southern New Hampshire University
CYB 260 Project One Milestone Template
I. Analysis of Requirements
Select three fair information practice principles from the privacy statement provided by your instructor. Then fill in the blank cells in the table below.
Fair Information Practice Principle Requirements Table
Columns: Applicable Privacy Law or Laws | Level of Compliance | Safeguards


CYB 260 Module Two Activity Guidelines and Rubric
Privacy Case Study

Overview
A common skill for a cybersecurity analyst is the evaluation of current scholarly articles. Analyzing the findings within those articles develops skills that will help protect data. Evaluating privacy laws and regulations helps the analyst form baselines for policies within organizations. Choose one of the following articles to analyze for this assignment:
• Privacy, Notice, and Design: This article discusses the approach to the design of privacy policies and discusses how they might not have been designed in a way that is consumable.
• The Surveillance Gap: The Harms of Extreme Privacy and Data Marginalization: This article investigates the dangers of having too much privacy and existing in a surveillance gap.
• Privacy and Cybersecurity Lessons at the Intersection of the Internet of Things and Police Body-Worn Cameras: This article looks at police body-worn cameras as internet of things (IoT) devices and explores the cybersecurity concerns of privacy for the public.

Prompt
After reading your selected article, address the following critical elements:
I. Analyze the issues within the article related to privacy.
II. Describe the regulations or laws within the article that play a role in the protection of privacy.
III. Explain your opinions on the conclusion of the article. Consider these questions:
• Is the conclusion comprehensive?
• Do you agree with the conclusion?
• Are there areas that could be improved upon?


• Discuss the threat actors, threat warning, and what makes cyber intelligence different from traditional intelligence disciplines. Assess how cyber threat intelligence can best support the DHS Cybersecurity and Infrastructure Security Agency (CISA). Describe how emerging technologies can support cyber intelligence.