
Assignment Week 3


Cyber Security Cohort 6

Week 3 Assignment
Q.1 Explain what sandboxing is in cyber security. How can Cuckoo Sandbox be
utilized for sandboxing and what are its features?
(Provide a screenshot of Cuckoo Sandbox, your own or from any online service)
Ans. Sandboxing: Sandboxing is an effective way to improve an organization's security by raising
its level of threat detection. A sandbox is an isolated environment (usually a virtual machine or
container with instrumented, restricted access to the host and the network) in which a program is
run or a file is opened without affecting the application, system, or platform that hosts it. It is
widely used to test new code and to run, or "detonate", untrusted code and files safely.

Use of Cuckoo Sandbox: Install and configure Cuckoo on a physical or virtual host (the Cuckoo
host) and prepare one or more guest virtual machines (for example a Windows VM running the Cuckoo
agent, snapshotted in a clean state). The guest serves as the sandbox environment in which the
malware actually runs. A suspicious file or URL is then submitted for analysis (through the web
interface, the `cuckoo submit` command or the REST API). Cuckoo restores the clean snapshot,
executes the sample in the guest, monitors it, records all of its activity and behaviour, and
generates a report. The report contains the sample's behaviour and its impact on the system:
processes created, files written, registry changes, network traffic, screenshots and matched
signatures. It is very useful for taking mitigation actions, such as extracting indicators of
compromise (hashes, domains, IP addresses) for blocklists and detection rules, or updating
antivirus signatures. Two caveats: the guest must be isolated from production networks, and some
malware detects virtual machines and stays dormant, so a clean report does not prove a file is
harmless.

Features of Cuckoo: It analyzes many kinds of malware, such as viruses, Trojans, and worms, as
well as malicious documents, scripts and URLs.

It monitors suspicious activity such as API calls, process creation, file operations, network
connections and registry modifications.

It provides a complete analysis report in JSON and HTML, including the network traffic log
(pcap), screenshots, dropped files, and the behavioural analysis results with matched signatures.

It integrates with other security tools such as IDS/IPS systems and SIEM solutions, and uses
YARA rules and Suricata for signature matching.

It can be used to test new code to view its execution behaviour in isolation.
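The report is where the value of a sandbox run lies, so the following added example (not part of the original assignment or of the Cuckoo project) shows how an analyst would triage one. It parses a constructed, abbreviated JSON document laid out like a Cuckoo 2.x report.json (the key names "signatures", "network" and "behavior.summary" are assumed from that layout), pulls out high-severity signatures, persistence indicators and network IOCs, and produces a verdict:

```python
import json

# Constructed, abbreviated sample in the shape of a Cuckoo 2.x report.json.
# Assumption: key names follow the 2.x "signatures"/"network"/"behavior.summary" layout.
SAMPLE_REPORT = json.dumps({
    "info": {"id": 42, "score": 7.4, "duration": 118},
    "target": {"file": {"name": "invoice.exe", "sha256": "ab" * 32}},
    "signatures": [
        {"name": "persistence_autorun", "severity": 3,
         "description": "Installs itself for autorun at Windows startup"},
        {"name": "network_http", "severity": 2,
         "description": "Performs some HTTP requests"},
        {"name": "checks_debugger", "severity": 1,
         "description": "Checks if process is being debugged by a debugger"},
    ],
    "network": {
        "hosts": ["203.0.113.10", "198.51.100.7"],
        "domains": [{"domain": "update-check.example", "ip": "203.0.113.10"}],
        "http": [{"method": "GET", "host": "update-check.example", "uri": "/gate.php"}],
    },
    "behavior": {"summary": {
        "file_created": ["C:\\Users\\user\\AppData\\Roaming\\svchost.exe"],
        "regkey_written": [
            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"],
        "mutex": ["Global\\x9f2b-updater"],
        "command_line": ["cmd /c schtasks /create /tn Updater /tr svchost.exe"],
    }},
})

# Substrings in registry paths / command lines that usually mean persistence (constructed list).
PERSISTENCE_HINTS = ("\\currentversion\\run", "schtasks", "\\services\\")


def triage(report_json, min_severity=2):
    """Reduce a Cuckoo-style JSON report to a compact verdict with IOCs worth blocking."""
    r = json.loads(report_json)
    summary = r.get("behavior", {}).get("summary", {})
    net = r.get("network", {})

    # Signatures below min_severity (e.g. "checks_debugger") are noise for a first pass.
    sigs = [s["name"] for s in r.get("signatures", []) if s.get("severity", 0) >= min_severity]

    # Persistence: any autorun key or scheduled-task command is a strong malicious indicator.
    persistence = [x for x in summary.get("regkey_written", []) + summary.get("command_line", [])
                   if any(h in x.lower() for h in PERSISTENCE_HINTS)]

    iocs = {
        "hosts": sorted(net.get("hosts", [])),
        "domains": sorted(d["domain"] for d in net.get("domains", [])),
        "urls": sorted("http://%s%s" % (h["host"], h["uri"]) for h in net.get("http", [])),
        "files": summary.get("file_created", []),
        "mutexes": summary.get("mutex", []),
    }
    return {
        "sample": r["target"]["file"]["name"],
        "sha256": r["target"]["file"]["sha256"],
        "score": r["info"]["score"],
        "signatures": sigs,
        "persistence": persistence,
        "iocs": iocs,
        "verdict": "malicious" if persistence or r["info"]["score"] >= 5 else "suspicious",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

On a real installation the same function can be pointed at `storage/analyses/<id>/reports/report.json`; the IOC lists are what would be pushed to the IDS/IPS or SIEM mentioned under the features above.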

Screenshot of Cuckoo:
Q. 2. What is a canary token and how does it work? Make your own canary token
and show it working, with screenshots
ANS. Canary Token: A canary token is a quick way to find out whether someone has breached your
system. It is a digital tripwire: a small piece of data or code that looks valuable or ordinary
but has no legitimate use, so any access to it is a signal. It could be a file, a URL, a DNS name,
a fake set of AWS keys, a database record, and so on. The security team plants these tokens on
network endpoints such as workstations, servers and file shares. When someone opens, reads or
uses the token, an alert is sent to the security team, who can then investigate and take further
action.
How it Works: A canary token is placed in a location that legitimate users never access, for
example a link on a website that has not been advertised, or a document named to look sensitive.
Each token carries a unique identifier tied to a listening server. When the token is used (the
URL is fetched, the DNS name is resolved, the AWS key is tried), the server receives the request
and triggers a predefined action, typically sending an email or webhook to the system
administrator. The alert includes information about the actor, such as the source IP address,
user agent and time of access, which helps with scoping the incident and taking further action.
It is simple but very useful for detecting intruders who are already inside the network: a
genuine user has no reason to touch the token, so false positives are rare as long as the token
is never advertised.
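The mechanism described above, as an added example (not part of the original assignment and not the code of any canary token service): a minimal web-beacon canary. It mints unguessable token URLs, answers a hit with a real 1x1 GIF so the opener notices nothing, and records the source IP and user agent as an alert. A document token works the same way, the file is built so that the office application fetches an image from the token URL when it is opened. The base URL and the "planted in ..." memo are assumptions for the demo.

```python
import datetime
import secrets

# Smallest valid transparent GIF (43 bytes); served so the person who tripped the token sees nothing odd.
GIF_1X1 = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
           b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


class CanaryService:
    """Web-beacon canary: mints unique token URLs and turns any hit on them into an alert."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.tokens = {}      # token -> memo recording where it was planted
        self.alerts = []

    def mint(self, memo):
        """Create a new token and return the URL to embed (in a document, page, email, ...)."""
        token = secrets.token_hex(16)   # 128 random bits: cannot be guessed or enumerated
        self.tokens[token] = memo
        return "%s/t/%s/pixel.gif" % (self.base_url, token)

    def handle_request(self, path, remote_ip, user_agent, now=None):
        """Return (status, body) for one request; a hit on a known token records an alert."""
        parts = path.strip("/").split("/")
        if len(parts) == 3 and parts[0] == "t" and parts[1] in self.tokens:
            self.alerts.append({
                "token": parts[1],
                "memo": self.tokens[parts[1]],
                "source_ip": remote_ip,
                "user_agent": user_agent,
                "time": (now or datetime.datetime.now(datetime.timezone.utc)).isoformat(),
            })
            return 200, GIF_1X1
        return 404, b"not found"   # unknown token: give nothing away

    def wsgi_app(self, environ, start_response):
        """WSGI adapter so the service runs under any WSGI server (wsgiref below)."""
        status, body = self.handle_request(environ.get("PATH_INFO", ""),
                                           environ.get("REMOTE_ADDR", "?"),
                                           environ.get("HTTP_USER_AGENT", "?"))
        if status == 200:
            print(format_alert(self.alerts[-1]))   # stand-in for sending the email/webhook
        start_response("%d %s" % (status, "OK" if status == 200 else "Not Found"),
                       [("Content-Type", "image/gif" if status == 200 else "text/plain"),
                        ("Cache-Control", "no-store")])   # no-store: a cached copy would hide later hits
        return [body]


def format_alert(alert):
    """Text of the notification an operator would receive."""
    return ("CANARY TRIGGERED: %(memo)s\n  token: %(token)s\n  from: %(source_ip)s\n"
            "  user-agent: %(user_agent)s\n  at: %(time)s" % alert)


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    svc = CanaryService("http://127.0.0.1:8000")
    print("embed this URL:", svc.mint("planted in finance share: Q3-salaries.docx"))
    make_server("127.0.0.1", 8000, svc.wsgi_app).serve_forever()
```

Run it, open the printed URL in a browser (or embed it as an image in a test document), and the alert is printed; a production service would look the source IP up in a geolocation database and email the result, as the hosted token services do.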

For example, I have created a Word file; I can send it to someone, and when he opens the file an
alert will be sent to me through my email address containing the geolocation of that person's IP
address.

Screenshots:
Q.3 What is a CVE in cyber security and an ACL in a firewall? How do they work?
Ans. CVE: It stands for Common Vulnerabilities and Exposures. It is a public catalogue of publicly
known security vulnerabilities, maintained by MITRE, with CVE Numbering Authorities (CNAs, such as
large vendors) assigning the entries. Each vulnerability gets a unique identifier of the form
CVE-YYYY-NNNN (for example CVE-2021-44228), a short description, and references to advisories. The
CVE entry itself is a name for the issue, not a fix procedure: severity scores (CVSS), affected
product lists and remediation steps come from vendor advisories and from databases built on top of
CVE such as the NVD. Because everyone uses the same identifier, security researchers, network
admins, vendors and developers can communicate unambiguously about a security issue and coordinate
to resolve it efficiently; vulnerability scanners and patch management tools also report their
findings by CVE ID.

ACL: It stands for Access Control List. In general, it is a set of rules that controls access to
the resources of a computer or network. An ACL consists of a list of access control entries
(ACEs), each of which defines which user or group of users is allowed (or denied) which level of
access, such as read, write, or execute. When a user tries to access an ACL-protected file, the
system checks the entries for that user and the user's groups and denies the request if no entry
grants the access.

In a firewall or router, an ACL is an ordered list of rules applied to packets on an interface.
Each rule matches on packet header fields (source and destination IP address or prefix, protocol,
source and destination ports, and for ICMP the type and code) and specifies an action, permit or
deny. Rules are evaluated top-down and the first matching rule wins, so their order matters; a
packet that matches no rule hits the implicit deny at the end of the list. Stateful firewalls
extend this by tracking connections, so the return traffic of a permitted session is allowed
without a separate rule.
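The firewall ACL semantics described above (ordered rules, first match wins, implicit deny), as an added example that is not part of the original assignment and not any vendor's ACL format. The policy itself is constructed: a private subnet 10.0.0.0/24 whose SSH port is reachable only from one admin address, while HTTPS is public. The hit counter at the end is the check a practitioner runs on a log sample to spot rules that never match and may be shadowed by an earlier rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source prefix in CIDR notation
    dst: str               # destination prefix in CIDR notation
    dport: tuple = None    # (low, high) destination port range, or None for any / no port

    def matches(self, pkt):
        """True if this rule applies to the packet (a dict with proto, src, dst, optional dport)."""
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None:
            port = pkt.get("dport")
            if port is None or not (self.dport[0] <= port <= self.dport[1]):
                return False
        return True


# Constructed example policy (assumption): admin host 203.0.113.5 manages subnet 10.0.0.0/24.
ACL = [
    Rule("permit", "tcp",  "203.0.113.5/32", "10.0.0.0/24", (22, 22)),    # SSH from the admin host only
    Rule("deny",   "tcp",  "0.0.0.0/0",      "10.0.0.0/24", (22, 22)),    # SSH from anywhere else
    Rule("permit", "tcp",  "0.0.0.0/0",      "10.0.0.0/24", (443, 443)),  # public HTTPS
    Rule("permit", "icmp", "10.0.0.0/8",     "10.0.0.0/24"),              # internal diagnostics
    # no final rule: everything else hits the implicit deny
]


def evaluate(acl, pkt):
    """First-match evaluation; returns (action, index of the matching rule or None for implicit deny)."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def hit_counts(acl, packets):
    """Matches per rule over a packet sample; a rule with zero hits may be unnecessary or shadowed."""
    counts = {i: 0 for i in range(len(acl))}
    counts[None] = 0
    for pkt in packets:
        counts[evaluate(acl, pkt)[1]] += 1
    return counts


if __name__ == "__main__":
    sample = [  # constructed packets, as a flow log would hold them
        {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.10", "dport": 22},
        {"proto": "tcp", "src": "198.51.100.9", "dst": "10.0.0.10", "dport": 22},
        {"proto": "tcp", "src": "198.51.100.9", "dst": "10.0.0.10", "dport": 443},
        {"proto": "udp", "src": "198.51.100.9", "dst": "10.0.0.10", "dport": 53},
    ]
    for pkt in sample:
        print(pkt, "->", evaluate(ACL, pkt))
    print(hit_counts(ACL, sample))
```

Swapping the first two rules would make the admin's SSH hit the deny rule first, which is exactly the ordering mistake first-match evaluation punishes.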

Q.4 What is RARP? How does it work? Show a screenshot of the RARP table of your
operating system
Ans. What is RARP: The Reverse Address Resolution Protocol (RARP, RFC 903) is used by a device
that knows its own hardware (MAC) address to find its IP address. When a diskless workstation
boots from a network server, its hardware address is burned into the network card but its IP
address is unknown; RARP was designed for this case.

Working of RARP: RARP works in the opposite direction to ARP but uses the same packet format,
carried in an Ethernet frame with EtherType 0x8035; operation 3 is a reverse request and 4 a
reverse reply. When a device wants to find its IP address, it broadcasts a RARP request
containing its own MAC address to all devices on the network. Ordinary hosts ignore it; only a
RARP server, which keeps a table mapping MAC addresses to IP addresses, processes it. The server
looks the requester's MAC address up in its table; if it finds a match, it sends a RARP reply
containing the IP address back to the requesting device. If the MAC address is not in the table,
the server drops the request and the client receives no answer.

RARP is an old protocol and is neither secure nor adequate for modern networks: it needs a RARP
server on every broadcast domain, returns only an IP address (no subnet mask, gateway or DNS
server), and has no authentication, so any host on the segment can answer a request. It was
replaced by BOOTP and then by DHCP (Dynamic Host Configuration Protocol) for assigning IP
addresses. Modern operating systems no longer keep a RARP table; the closest equivalent is the
ARP cache (`arp -a` on Windows and Linux, or `ip neigh` on Linux), which maps IP addresses to MAC
addresses.
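The request/reply exchange described above, as an added example that is not part of the original assignment: both sides of a RARP exchange built with the RFC 903 packet layout (28-byte ARP-style body, EtherType 0x8035, opcodes 3 and 4) inside Ethernet frames. The MAC-to-IP table and all addresses are constructed for the demo. It also shows the weakness mentioned above: the client accepts any reply addressed to its MAC, because nothing in the protocol authenticates the server.

```python
import struct

ETHERTYPE_RARP = 0x8035
OP_REQUEST_REVERSE, OP_REPLY_REVERSE = 3, 4        # RFC 903 opcodes
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH = "!6s6sH"             # dst MAC, src MAC, EtherType (14 bytes)
HDR = "!HHBBH6s4s6s4s"     # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)


def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join("%02x" % x for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_request(client_mac):
    """Client side: 'this is my MAC, what is my IP?'. Target protocol address is left as 0.0.0.0."""
    mac = mac_bytes(client_mac)
    body = struct.pack(HDR, 1, 0x0800, 6, 4, OP_REQUEST_REVERSE, mac, b"\0" * 4, mac, b"\0" * 4)
    return struct.pack(ETH, mac_bytes(BROADCAST), mac, ETHERTYPE_RARP) + body   # broadcast frame


def parse_frame(frame):
    """Split an Ethernet frame into RARP fields; raises if it is not an Ethernet/IPv4 RARP packet."""
    dst, src, etype = struct.unpack(ETH, frame[:14])
    if etype != ETHERTYPE_RARP:
        raise ValueError("not a RARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(HDR, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "oper": oper,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def server_reply(table, server_mac, server_ip, frame):
    """Server side: look the requester's MAC up; answer unicast, or drop silently if unknown."""
    req = parse_frame(frame)
    if req["oper"] != OP_REQUEST_REVERSE:
        return None
    ip = table.get(req["tha"])     # in a request the target hardware address is the requester's
    if ip is None:
        return None                # unknown MAC: no reply at all
    body = struct.pack(HDR, 1, 0x0800, 6, 4, OP_REPLY_REVERSE,
                       mac_bytes(server_mac), ip_bytes(server_ip), mac_bytes(req["tha"]), ip_bytes(ip))
    return struct.pack(ETH, mac_bytes(req["tha"]), mac_bytes(server_mac), ETHERTYPE_RARP) + body


def client_learn_ip(client_mac, frame):
    """Client side: accept the IP from any reply addressed to our MAC (no authentication exists)."""
    rep = parse_frame(frame)
    if rep["oper"] == OP_REPLY_REVERSE and rep["tha"] == client_mac.lower():
        return rep["tpa"]
    return None


if __name__ == "__main__":
    table = {"08:00:27:aa:bb:cc": "192.0.2.50"}           # constructed RARP server table
    req = build_request("08:00:27:aa:bb:cc")
    rep = server_reply(table, "08:00:27:00:00:01", "192.0.2.1", req)
    print("request:", parse_frame(req))
    print("reply:  ", parse_frame(rep))
    print("client learned IP:", client_learn_ip("08:00:27:aa:bb:cc", rep))
```

Because `client_learn_ip` has no way to tell the real server's reply from a forged one, an attacker on the same segment can hand a booting host any address it likes; DHCP has the same weakness, which is why switches offer DHCP snooping.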
Q.5 What are a bastion host and port security?
Ans. Bastion host: Any service exposed to the internet is under constant threat of attack. To
reduce this exposure, a special-purpose, hardened server called a bastion host is used as the
single controlled entry point into a private network. It is also known as a jump box or jump
host: it sits in a public subnet (or DMZ) with an address reachable from the internet, while the
servers it protects sit in a private subnet with no public address. Administrators connect to the
bastion first (usually over SSH or RDP) and from there hop to the internal servers, so it acts as
a gateway between the internet and the private subnet. Because it is the only exposed host, it is
kept minimal: only the management service runs on it, it is patched promptly, inbound SSH from
the internet is enabled or disabled on it alone and restricted to known source addresses and
keys, and every session through it is logged and monitored.

Port Security: Port security is a feature of network switches that secures the physical switch
ports. The switch learns (or is configured with) the MAC addresses allowed on each port and
limits how many may appear there; only frames from authorized MAC addresses are forwarded. When a
frame arrives from an unknown MAC address, or the limit is exceeded, a configured violation
action is taken: silently drop the traffic (protect), drop it and log or raise an SNMP trap
(restrict), or disable the port (shutdown). This defeats MAC flooding attacks on the switch's CAM
table and stops unauthorized devices plugged into a wall jack from joining the network.

Together, a bastion host and port security ensure that the network is protected from
unauthorized access at both the perimeter and the access layer.

Q. 6 Name some of the valid software host firewalls and show their screenshots
by running them.
Ans. Software Host Firewall: A host-based firewall runs on the endpoint itself and filters the
traffic entering and leaving that machine, protecting it from unauthorized devices and
connections on the same network, which a perimeter firewall cannot see. Host-based firewalls are
an extra layer of security; they can also be used for monitoring and logging purposes, and for
per-application rules.

Some host-based firewalls are:

- Malwarebytes (Windows Firewall Control)
- GlassWire
- Comodo Firewall
- ZoneAlarm

1. Malwarebytes

2. GlassWire

3. Comodo

4. ZoneAlarm

Q.7 Why is ICMP usually blocked on firewalls?


Ans. ICMP (Internet Control Message Protocol) is used for network control and diagnostic
purposes: ping (echo request and reply), traceroute (time exceeded), destination unreachable and
"fragmentation needed" messages. It is also commonly used by attackers for network reconnaissance
(ping sweeps to find live hosts, timestamp and address-mask requests, OS fingerprinting), for
denial of service (ping floods, smurf amplification), as a covert channel (data hidden in echo
payloads), and, with ICMP redirects, to alter a host's routing. Many network admins therefore
regard it as a security risk and block it at the firewall to reduce the attack surface. The cost
is that blocking it can make diagnosing and troubleshooting network issues difficult.

Blocking ICMP should be considered carefully. Dropping all ICMP breaks path MTU discovery (the
"fragmentation needed" message, type 3 code 4, must get through, otherwise large packets fail
silently), hides routing problems, and breaks traceroute. In most cases, rather than blocking
ICMP entirely, alternative measures are better: permit the types needed for correct operation
(destination unreachable, time exceeded, echo reply), rate-limit inbound echo requests, and deny
the dangerous ones (redirects, timestamp and address-mask requests), so that the network stays
both efficient and protected.
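The selective policy described above, as an added example that is not part of the original assignment and not any firewall product's configuration: a type/code-aware ICMP filter that lets "fragmentation needed", other error messages and echo replies through, rate-limits echo requests per source, and denies redirects and the reconnaissance types. The log records at the end are constructed; the per-second limit is an assumed value.

```python
from collections import Counter, defaultdict

# ICMPv4 message types (RFC 792) and the one code that matters for path MTU discovery.
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
TIMESTAMP_REQUEST, ADDR_MASK_REQUEST = 13, 17
FRAG_NEEDED = 4     # DEST_UNREACH code "fragmentation needed and DF set"


class IcmpPolicy:
    """Type/code-aware ICMP filter: keep what diagnostics and PMTUD need, drop the rest."""

    def __init__(self, echo_per_second=5):
        self.echo_per_second = echo_per_second
        self.echo_times = defaultdict(list)   # source IP -> times of recently permitted echo requests

    def decide(self, src, icmp_type, code, now):
        """Return (action, reason) for one inbound ICMP message seen at time `now` (seconds)."""
        if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
            return "permit", "fragmentation needed: required for path MTU discovery"
        if icmp_type in (DEST_UNREACH, TIME_EXCEEDED, ECHO_REPLY):
            return "permit", "error reporting, traceroute and ping replies"
        if icmp_type == ECHO_REQUEST:
            # Sliding one-second window per source: bounds ping floods and sweeps
            # without making the host invisible to legitimate reachability checks.
            recent = [t for t in self.echo_times[src] if now - t < 1.0]
            if len(recent) >= self.echo_per_second:
                self.echo_times[src] = recent
                return "deny", "echo request rate limit exceeded (ping flood or sweep)"
            self.echo_times[src] = recent + [now]
            return "permit", "echo request within rate limit"
        if icmp_type == REDIRECT:
            return "deny", "redirect: can rewrite host routes (MITM)"
        if icmp_type in (TIMESTAMP_REQUEST, ADDR_MASK_REQUEST):
            return "deny", "reconnaissance: leaks clock and subnet mask"
        return "deny", "default deny for unlisted ICMP types"


# Constructed records (time, source IP, type, code), as a firewall log would hold them:
# a burst of 8 pings from one host, a PMTUD message, a redirect, a timestamp probe, a TTL expiry.
SAMPLE_RECORDS = [(0.0, "198.51.100.9", 8, 0)] * 8 + [
    (0.5, "203.0.113.4", 3, 4),
    (0.6, "203.0.113.4", 5, 1),
    (0.7, "10.0.0.7", 13, 0),
    (0.8, "10.0.0.7", 11, 0),
]


def run_log(policy, records):
    """Apply the policy to every record; returns a Counter keyed by (action, reason)."""
    return Counter(policy.decide(src, t, c, ts) for ts, src, t, c in records)


if __name__ == "__main__":
    for decision, n in run_log(IcmpPolicy(echo_per_second=5), SAMPLE_RECORDS).items():
        print("%3d  %s" % (n, decision))
```

A blanket "deny icmp" rule would have dropped the type 3 code 4 message in the sample, and every TCP session from that host through a smaller-MTU link would then hang on its first large segment.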

Q.8 What is Kerberos? Explain its complete authentication process.


Ans. Kerberos: It is a network authentication protocol used to authenticate service requests
between two or more trusted hosts across an untrusted network such as the Internet. It uses
secret-key (symmetric) cryptography and a trusted third party, the Key Distribution Center (KDC),
so that passwords are never sent over the network; the parties exchange time-limited tickets
instead. It is built into all major operating systems and is the default authentication protocol
in Windows Active Directory domains. It is not a replacement for SSH, POP or SMTP; rather, those
protocols can use Kerberos (through GSSAPI/SASL) to authenticate their users.

How it works:

1. The client sends an authentication request (AS-REQ) to the Kerberos authentication server
(AS), which is part of the KDC. The request names the client principal; it contains no password.
The server verifies that the client is in the KDC database; if it is not, the request is denied.
If it is, the AS replies (AS-REP) with a Ticket Granting Ticket (TGT), encrypted with the secret
key of the ticket-granting service (known only to the KDC), plus a session key encrypted with the
client's own secret key, which is derived from the user's password and known only to the client
and the KDC. The client can recover the session key only if it knows the password, which is what
authenticates it. (Pre-authentication, the default in Active Directory, additionally requires the
client to send a timestamp encrypted with its key in the AS-REQ, so that an attacker cannot
request AS-REPs for arbitrary users and crack them offline.)

2. After authentication, the client uses the TGT to request a service ticket from the Ticket
Granting Service (TGS-REQ). It sends the TGT together with an authenticator: its name and a
timestamp, encrypted with the session key. The KDC decrypts the TGT with its own key, checks the
authenticator and, if both are valid, issues a service ticket (TGS-REP) encrypted with the secret
key of the target service, along with a new client-to-service session key encrypted with the TGT
session key.

3. The client sends the service ticket and a fresh authenticator to the network service (AP-REQ).
The service decrypts the ticket with its own key, verifies that it is valid (not expired,
authenticator timestamp within the allowed clock skew of normally five minutes, and not a
replay), and if so grants the client access.

4. Optionally, the service replies (AP-REP) with the authenticator's timestamp encrypted under
the session key. Only a service that holds its own key could have decrypted the ticket to obtain
that session key, so this step authenticates the service to the client.

Because each side proves knowledge of keys that were never sent over the network, Kerberos
performs mutual authentication, which helps prevent unauthorized access and man-in-the-middle
attacks. Tickets and authenticators carry timestamps, so all participants need synchronized
clocks.
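The four-step exchange above, as an added example that is not part of the original assignment and not the code of MIT Kerberos or any other implementation: a toy Kerberos realm with the AS and TGS on one KDC object, a file service, and a client running AS-REQ/REP, TGS-REQ/REP and AP-REQ/REP in sequence. The cipher is a stand-in (SHA-256 counter keystream with an HMAC tag, labelled as such in the code), not a real Kerberos enctype; the principal names, password and lifetimes are constructed. It shows the three properties the text describes: a wrong password fails at the AS-REP, an impostor service cannot open the ticket, and the AP-REP proves the service's identity to the client.

```python
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600   # ticket lifetime in seconds (assumed)
CLOCK_SKEW = 300      # maximum authenticator age accepted (Kerberos default: 5 minutes)


def kdf(password, realm="EXAMPLE.COM"):
    """Toy string-to-key: the client's long-term key derived from its password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10000)


def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key, obj):
    """Toy encrypt-then-MAC (stand-in for a Kerberos enctype): nonce || ciphertext || HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server (AS) and Ticket Granting Service (TGS) sharing one key database."""

    def __init__(self, keys):
        self.keys = keys   # principal name -> long-term key; "krbtgt" is the TGS's own key

    def as_exchange(self, client, now):
        # AS-REQ carries only the principal name; no password crosses the wire.
        if client not in self.keys:
            raise KeyError("unknown principal")
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "exp": now + LIFETIME})
        # AS-REP: TGT (readable only by the KDC) + session key under the client's key.
        return tgt, seal(self.keys[client], {"key": sk, "exp": now + LIFETIME})

    def tgs_exchange(self, tgt, authenticator, service, now):
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)   # proves possession of the session key
        if a["client"] != t["client"] or abs(now - a["ts"]) > CLOCK_SKEW:
            raise ValueError("bad authenticator")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key, "exp": now + LIFETIME})
        # TGS-REP: service ticket (readable only by the service) + new key under the TGT session key.
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_key, "service": service})


def service_accept(service_key, ticket, authenticator, now):
    """AP-REQ handling on the application server; returns (client name, AP-REP)."""
    t = unseal(service_key, ticket)
    if now > t["exp"]:
        raise ValueError("service ticket expired")
    sk = bytes.fromhex(t["key"])
    a = unseal(sk, authenticator)
    if a["client"] != t["client"] or abs(now - a["ts"]) > CLOCK_SKEW:
        raise ValueError("bad authenticator")
    # AP-REP: echo the timestamp under the session key; only the real service can produce it.
    return t["client"], seal(sk, {"ts": a["ts"]})


def full_exchange(kdc, user, password, service, service_key, now):
    """Client side of AS -> TGS -> AP; returns the name the service authenticated."""
    tgt, as_rep = kdc.as_exchange(user, now)
    tgt_key = bytes.fromhex(unseal(kdf(password), as_rep)["key"])     # wrong password fails here
    ticket, tgs_rep = kdc.tgs_exchange(tgt, seal(tgt_key, {"client": user, "ts": now}), service, now)
    svc_key = bytes.fromhex(unseal(tgt_key, tgs_rep)["key"])
    who, ap_rep = service_accept(service_key, ticket, seal(svc_key, {"client": user, "ts": now}), now)
    if unseal(svc_key, ap_rep)["ts"] != now:                           # mutual authentication check
        raise ValueError("service failed to prove its identity")
    return who


def try_exchange(kdc, user, password, service, service_key, now):
    """Same as full_exchange but returns an 'error: ...' string instead of raising."""
    try:
        return full_exchange(kdc, user, password, service, service_key, now)
    except (ValueError, KeyError) as e:
        return "error: %s" % e


# Constructed realm: one user, one file service, plus the TGS ("krbtgt") key.
FILESERVER_KEY = os.urandom(32)
EXAMPLE_KDC = KDC({"alice": kdf("correct horse battery"), "krbtgt": os.urandom(32),
                   "host/fileserver": FILESERVER_KEY})

if __name__ == "__main__":
    print(try_exchange(EXAMPLE_KDC, "alice", "correct horse battery",
                       "host/fileserver", FILESERVER_KEY, 1_700_000_000))
```

Real Kerberos adds what this toy leaves out: pre-authentication in the AS-REQ, a replay cache on the service so a captured AP-REQ cannot be reused inside the skew window, and ticket flags such as renewable and forwardable.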

Kerberos support is included in these systems:

- Microsoft Windows (Active Directory), Linux and macOS (MIT Kerberos or Heimdal)
- Amazon Web Services
- Google Cloud
- Microsoft Azure
- OpenBSD, and others
