I had an assignment done by someone else from here a few weeks ago and I got an F. Is there someone else who can re-look at the homework, my lab, and the feedback that I got from my professor?
Managing an IT Infrastructure Audit
Running head: STEP 6: INCIDENT RESPONSE LAB REPORT
Step 6: Incident Response Lab Report
Author
Date
Professor's Name

Task 1: Analyze WAP Beacon Traffic with Wireshark
Analyzing pre-created Wireshark packet captures to identify rogue network devices

What is the BSS Id?
BSS Id: Netgear_45:11:11 (00:1f:33:45:11:11)
What is the name of the WAP found? What is the vendor of the WAP?
Netgear
What is the MAC address of the WAP found?
00:1f:33:45:11:11
Were these in the whitelist? If not, then they are an unapproved device.
BSS Id Netgear_45:11:11 (00:1f:33:45:11:11) was in the whitelist. On comparing the BSS Id, vendor name and MAC address of each beacon against the whitelist, some of the devices were not in the whitelist; the others matched and are therefore approved devices.
On repeating the process for the other packets: the BSSIDs in packets No. 1 to 19 were in the whitelist, meaning they came from approved devices; the BSSIDs in packets No. 20 to 27 were not in the whitelist, meaning they came from unapproved devices; the BSSIDs in the remaining packets, No. 28 to 42, were in the whitelist, meaning they came from approved devices.

Identified rogue WAPs
Were any rogue WAPs found? If so, how many?
BSS Id: Netgear_45:09:87 (00:1f:33:45:09:87)
BSS Id: Netgear_45:33:33 (00:1f:33:45:33:33)
BSS Id: Netgear_45:34:34 (00:1f:33:45:34:34)
BSS Id: Netgear_45:35:35 (00:1f:33:45:35:35)
BSS Id: Netgear_45:43:21 (00:1f:33:45:43:21)
BSS Id: Netgear_45:67:89 (00:1f:33:45:67:89)
BSS Id: Netgear_45:88:76 (00:1f:33:45:88:76)
BSS Id: Netgear_45:99:99 (00:1f:33:45:99:99)
Were these in the whitelist? If not, then they are an unapproved device.
There were 8 BSSIDs not in the whitelist, corresponding to 8 rogue WAPs.

Task 2: Analyze 802.11 State Machine Traffic with Wireshark
802.11 State Machine Traffic
What is the vendor name of the source/receiver?
Source: Cisco; Receiver: Apple
What is the MAC address of the source/receiver?
Source address: Cisco_d6:88:78 (0c:68:03:d6:88:78)
Receiver address: Apple_1b:4f:05 (d8:bb:2c:1b:4f:05)
On comparing the vendor names and MAC addresses against the whitelist, the source and transmitter addresses were all in the whitelist, meaning they are from approved devices.
Channel used by a WLAN device
Channel used by a WLAN device: channel 48
Does the channel information match any device in the approved whitelist?
The channel matches all devices in the approved whitelist.
Does the source device, using this channel, match those in the approved whitelist? If not, then this is an unapproved device on the channel being used.
IEEE 802.11 Probe Request
What is the vendor of the transmitter/source? What is the MAC address of the transmitter/source?
Receiver address: Apple_1b:4f:05 (d8:bb:2c:1b:4f:05)
Destination address: Apple_1b:4f:05 (d8:bb:2c:1b:4f:05)
Transmitter address: Cisco_d6:88:78 (0c:68:03:d6:88:78)
Source address: Cisco_d6:88:78 (0c:68:03:d6:88:78)
BSS Id: Cisco_d6:88:78 (0c:68:03:d6:88:78)
Does the transmitter/source match any entry in the whitelist?
The source and transmitter match an entry in the whitelist, meaning they are approved devices.
IEEE 802.11 Probe Request channel
What is the channel being used?
Channel 48
Is the channel being used in the whitelist? If not, then it may be an unapproved device and channel being used.
Yes
BSSID, Channel and SSID being used
What is the BSSID of each device? Remember that the BSSID is the MAC address of the device.
Cisco_d6:88:78 (0c:68:03:d6:88:78) is the base station.
Apple_1b:4f:05 (d8:bb:2c:1b:4f:05) - BSS Id: Broadcast (ff:ff:ff:ff:ff:ff)
Cisco_d6:88:78 (0c:68:03:d6:88:78): the BSSID is the base station, i.e. the MAC address of the access point to which clients on the network connect.
What is the SSID being used?
TEST
Were any of these in the approved device whitelist? Those not on the list are unapproved devices on the network.
Yes. Those not on the list are unapproved devices on the network.
What devices do you suspect as rogue WAPs overall? Explain why.
Apple_1b:4f:05 (d8:bb:2c:1b:4f:05). Cisco is a well-known vendor of wireless network equipment, but Apple and other manufacturers also ship devices that can act as small WAPs and join a network if permitted. Such devices form a weak link within the network and are vulnerable to attacks such as man-in-the-middle.

Task 3: Recommendations
Recommendations for detecting rogue APs and devices
To detect and remove rogue wireless APs, a network administrator may use a wireless scanner or a wireless IDS/IPS. Commonly recommended tools include Wireshark, Fluke Networks and Cisco products, and Snort, which is an open-source IDS (Baxter, 2014). Once a tool is chosen, configure it appropriately. Configuration of the wireless scanning device should be based on the tool's log management and alerting features, including automatic warnings/alerts and a suppression (containment) mechanism to shut down any rogue wireless hotspot that is found.
To maintain wireless network integrity, the network administrator should discover the wireless devices in use and build inventory control lists for access points and BYOD devices; obtain scanning tools and configure them properly; decide where to scan and then scan the environment; remediate any rogue access points found; and maintain an ongoing, regular scan schedule. The administrator may also segment the network to separate BYOD traffic and maintain BYOD device filtering logs.
Statements to add to the BYOD policy
· The IT department shall ensure strict password and encryption controls are in place for any access to sensitive data from BYOD devices.
· All BYOD devices must be encrypted.
· All BYOD devices shall run anti-malware software, which must be updated regularly.
Every device within the organization's environment should be managed to deter security and malware incidents, irrespective of ownership.
Risks associated with BYOD devices must be managed as a complement to the Bring Your Own Device security culture. The organization's IT department, under the chief information officer, shall implement applicable wireless security controls to minimize and mitigate the risk that BYOD devices pose to the internal network.

Task 4: Proper Handling of Cyber Incident Evidence
The gathered evidence is an important piece of legal information that could be used against a misbehaving individual. The organization's legal office may require the network administrator to protect any information found. A chain-of-custody form secures data and evidence; it should record the name of everyone who handles the evidence and track each hand-over.

Feedback for Project 2: Incident Response
Submission Feedback
Overall Feedback
CST 630 9040 Advanced Cyber Exploitation and Mitigation Methodologies (2218)
Snezhana [11/6/21]: Thanks for your timely submission. Your CIR report requires you to investigate, respond to, and manage a potential cyberattack for leadership. By the way, your paper is well written and has a good analysis, research, and recommendations with a few exceptions that need to be corrected. This is critically important as an attack, or even a data breach, can wreak havoc and potentially impact the company's time, resources, and ultimately its brand. While your report addresses some key project requirements to an extent and covers almost all aspects, it needed to provide a clearer and more coherent justification of the prevailing issues in all sections for your audience. Based on my analysis, you did not meet all the requirements to create your report for leadership (see the resubmission notes). You would agree with me that a clear and concise CIR report helps leadership, to a greater extent, achieve excellent decision-making, which ultimately promotes a high-security posture within the enterprise.
To help organizations collect, organize, and report the findings defined within the individual CIR, you have been able to identify and understand potential risk assessments associated with the security recommendations. In addition, your readiness to recommend strategic solutions to address malicious intrusions and risks, either by accepting or mitigating the risks, is what top executives need you to focus on. Such a report and other findings can also be used to help protect the evidence in case of legal action against an attacker or an employee, knowing that one day you may be called to testify in court as a technical expert. Lastly, being able to provide practical remediation guidance that accounts for the organization's readiness can contribute to the required security posture; this is what your leadership needs. Good job, but review the additional feedback and let me know if you have any questions. Best, Dr. LJ
----
Note: Review the following, incorporate feedback, and resubmit for improvement:
[*] Analysis of wireless traffic is missing from your report; this is a key part of your paper. You need to fully submit all required project components for each week in order for them to be graded. Your ability to apply your findings from the labs to expose suspicious behavior and employee misconduct is an important requirement of your CIR. For example, how does tracking suspicious behavior help you investigate employee misconduct? What role does performing the lab play here? Part of what you completed with those project steps was to analyze wireless traffic by performing the lab. This is the reason you were given pre-captured files of wireless traffic on a company network, as a way to monitor employee behavior and detect any potential malicious behavior. You were given the opportunity to describe your findings from the lab as part of the CIR and incorporate them into your final deliverables for submission.
[*] Recommendations for management are missing.
Think of why you are writing this report. Don't forget, your recommendations should include a more detailed and in-depth discussion: developing a wireless security plan, establishing a continuous improvement plan, and others, and the takeaway. The conclusion is intended to help the leadership, or your reader, understand why your report should matter to them after they have finished reading it. A conclusion is not merely a summary of your points or a re-statement of your findings but a synthesis of key technical points. For most technical reports, one or two well-developed paragraphs are sufficient; however, in some cases, a three-or-four paragraph conclusion is the way to go. In any case, your conclusion should be substantive enough by

Rubric Name: Project 2: Incident Response
Project 2: Incident Response
Associated Learning Objectives
2.1.1: Summarize the issue or problem, using supporting details to enable a deeper understanding of the issue or problem.
Assessment Method: Score on Criteria - 2.1: Identify and clearly explain the issue, question, problem under critical consideration.
Required Performance: Meets Performance Requirements
Level Achieved: Meets Performance Requirements
2.1.2: Identify potential underlying causes or conditions contributing to the issue or problem and consider the context.
Assessment Method: Score on Criteria - 2.1: Identify and clearly explain the issue, question, problem under critical consideration.
Required Performance: Meets Performance Requirements
Level Achieved: Meets Performance Requirements
2.1.3: Pose significant questions to inform the direction of the investigation of the problem or question.
Assessment Method: Score on Criteria - 2.1: Identify and clearly explain the issue, question, problem under critical consideration.
Required Performance: Meets Performance Requirements
Level Achieved: Meets Performance Requirements
2.1.4: Scan the environment for cues to inform and direct search for information relevant to the issue or problem.
Assessment Method: Score on Criteria - 2.1: Identify and clearly explain the issue,
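The whitelist comparison that Task 1 and Task 2 of the pasted report perform by hand (BSSID, vendor OUI, SSID and channel of each beacon or probe frame checked against an approved-device list) is shown below as an added example; it is not code from the student's report, the lab, or the professor's feedback. The script parses raw 802.11 management frames and flags rogue APs, evil twins (a non-whitelisted BSSID advertising an approved SSID), channel mismatches and unapproved clients. Everything not quoted in the report is an assumption: the OUI table, the whitelist entries (the SSID "CORP" and channel 6 for the Netgear AP, the approved client MAC), the rogue SSID "FreeWiFi", and the frame bytes themselves, which are constructed with the addresses the report lists. Frames are assumed to carry no radiotap header and no FCS; in practice they would be pulled from the lab capture with tshark or pyshark.

```python
"""Rogue-AP whitelist check over raw 802.11 management frames.

Added example for this page, not the lab's or the report author's code.
The whitelist, OUI table and sample frames are constructed."""
import struct

# Constructed OUI table: the three vendor prefixes Wireshark resolved in the report.
OUI = {"00:1f:33": "Netgear", "0c:68:03": "Cisco", "d8:bb:2c": "Apple"}

# Assumed AP whitelist: BSSID -> the SSID and channel it is allowed to use.
# "CORP"/6 for the Netgear AP is constructed; "TEST"/48 is what the report saw.
APPROVED_APS = {
    "00:1f:33:45:11:11": {"ssid": "CORP", "channel": 6},
    "0c:68:03:d6:88:78": {"ssid": "TEST", "channel": 48},
}
# Assumed client whitelist (constructed entry; the report's Apple client is not on it).
APPROVED_CLIENTS = {"d8:bb:2c:aa:bb:cc"}

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPES = {4: "probe-req", 5: "probe-resp", 8: "beacon"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def vendor(addr: str) -> str:
    # The OUI is the first three octets. A known vendor proves nothing about
    # legitimacy (MACs are trivially spoofed), so it is reported, never trusted.
    return OUI.get(addr[:8], "unknown")


def parse_mgmt_frame(frame: bytes) -> dict:
    """Parse the 24-byte MAC header plus the SSID (tag 0) and DS Parameter Set
    (tag 3) elements of a beacon / probe frame. Assumes no radiotap header, no FCS."""
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in SUBTYPES:
        raise ValueError(f"unsupported frame control 0x{fc0:02x}")
    da, sa, bssid = (mac_str(frame[o:o + 6]) for o in (4, 10, 16))
    body = frame[24:]
    if subtype in (5, 8):            # beacon / probe response: timestamp, interval, capabilities
        body = body[12:]
    tags, i = {}, 0
    while i + 2 <= len(body):        # tagged parameters: id, length, value
        tag_id, ln = body[i], body[i + 1]
        tags[tag_id] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    channel = tags[3][0] if len(tags.get(3, b"")) == 1 else None
    return {"subtype": SUBTYPES[subtype], "da": da, "sa": sa, "bssid": bssid,
            "ssid": tags.get(0, b"").decode("utf-8", "replace"), "channel": channel}


def classify(rec: dict) -> list:
    """Compare one parsed frame against the whitelists; an empty list means approved."""
    if rec["subtype"] == "probe-req":
        # Probe requests carry the broadcast BSSID, so judge the client by its own address.
        if rec["sa"] not in APPROVED_CLIENTS:
            return [f"unapproved-client {rec['sa']} ({vendor(rec['sa'])}) probing for '{rec['ssid']}'"]
        return []
    bssid, expected = rec["bssid"], APPROVED_APS.get(rec["bssid"])
    if expected is None:
        approved_ssids = {ap["ssid"] for ap in APPROVED_APS.values()}
        kind = "evil-twin" if rec["ssid"] in approved_ssids else "rogue-ap"
        return [f"{kind} {bssid} ({vendor(bssid)}) ssid='{rec['ssid']}' ch={rec['channel']}"]
    findings = []
    if rec["ssid"] != expected["ssid"]:
        findings.append(f"ssid-mismatch {bssid} advertises '{rec['ssid']}', expected '{expected['ssid']}'")
    if rec["channel"] != expected["channel"]:
        findings.append(f"channel-mismatch {bssid} on ch={rec['channel']}, expected {expected['channel']}")
    return findings


def audit(frames: list) -> list:
    return [classify(parse_mgmt_frame(f)) for f in frames]


def rogue_bssids(frames: list) -> list:
    """Sorted BSSIDs that advertise a network without being on the AP whitelist."""
    recs = [parse_mgmt_frame(f) for f in frames]
    return sorted({r["bssid"] for r in recs
                   if r["subtype"] != "probe-req" and r["bssid"] not in APPROVED_APS})


def build_frame(subtype: int, da: str, sa: str, bssid: str, ssid: str, channel=None) -> bytes:
    """Construct a minimal management frame for the sample capture below."""
    hdr = (struct.pack("<BBH", subtype << 4, 0, 0) + mac_bytes(da) + mac_bytes(sa)
           + mac_bytes(bssid) + b"\x00\x00")                        # FC, duration, addrs, seq ctrl
    body = struct.pack("<QHH", 0, 100, 0x0411) if subtype in (5, 8) else b""
    body += bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 1, 0x82])   # SSID tag, basic rate tag
    if channel is not None:
        body += bytes([3, 1, channel])                                     # DS Parameter Set tag
    return hdr + body


# Constructed sample capture built from the addresses quoted in the report.
SAMPLE_FRAMES = [
    build_frame(8, BROADCAST, "00:1f:33:45:11:11", "00:1f:33:45:11:11", "CORP", 6),         # approved AP
    build_frame(8, BROADCAST, "00:1f:33:45:09:87", "00:1f:33:45:09:87", "FreeWiFi", 1),     # rogue AP
    build_frame(8, BROADCAST, "00:1f:33:45:33:33", "00:1f:33:45:33:33", "CORP", 6),         # evil twin of CORP
    build_frame(5, "d8:bb:2c:1b:4f:05", "0c:68:03:d6:88:78", "0c:68:03:d6:88:78", "TEST", 48),  # approved
    build_frame(4, BROADCAST, "d8:bb:2c:1b:4f:05", BROADCAST, "TEST"),                      # unapproved client
    build_frame(8, BROADCAST, "0c:68:03:d6:88:78", "0c:68:03:d6:88:78", "TEST", 44),        # BSSID spoofed, wrong channel
]

if __name__ == "__main__":
    for n, findings in enumerate(audit(SAMPLE_FRAMES), 1):
        print(f"frame {n}: {'approved' if not findings else '; '.join(findings)}")
    print("rogue BSSIDs:", rogue_bssids(SAMPLE_FRAMES))
```

The check keys on the full BSSID plus the SSID and channel the whitelist expects, not on the vendor name: the last sample frame is an approved Cisco BSSID on the wrong channel, which a vendor-only comparison (the report's "the channel matches all devices in the approved whitelist") would wave through. Real captures include radiotap headers and an FCS, so strip those, or read the fields with pyshark, before feeding frames to parse_mgmt_frame.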