Answer ALL Questions
Question 1
You are concerned about the presence of malware on some hosts that are communicating with your network. You do not have access to these hosts so cannot directly check them with any antivirus or antimalware software. However, you can test whether the malware is present simply by observing if the relevant ports are open.
The following malware are suspected, along with the network ports that they operate on
| 139/tcp | Nuker |
| 1010/tcp | Cloud Snooper |
| 6346/tcp | Gnutella |
Using network tools only, attempt to ascertain if any of the following hosts might be infected with malware. The list of IP addresses is also available in text format as “question1.txt” on LMS under the “Final Exam” link.
13.54.149.6
182.160.155.175
123.136.51.148
110.141.235.209
223.27.30.26
203.219.180.210
110.173.134.65
20.188.250.112
172.105.190.51
180.150.61.245
45.76.120.7
180.181.75.28
180.150.104.195
139.99.149.183
49.67.9.197
176.236.70.162
49.82.12.167
31.208.244.153
95.137.161.67
144.217.233.143
Hint: Only scan the ports which you suspect.
Question 1a – Explain the tools and methodology that you followed to test for the presenceof malware on these hosts. Use screenshots if needed to illustrate your answer, but ensure that you provide your own discussion.
(10 marks)
Page 1 of 4
Question 1b – Did you find any evidence of malware? If so, which hosts was it found on, and what steps might we take to prevent this malware from spreading to other machines on the same network (assuming that we control the network itself)?
(10 marks)
(Question 1 Total 20 marks)
Question 2
During a routine security audit, a file was found on a public network share. It is assumed that hackers have breached the network and placed this file on the public network share so that they may later download it. The file, “question2.txt” is available on LMS under the “Final Exam” link.
Question 2a – Describe the contents of this file and what you believe it contains. Next,describe how you will decipher the contents of this file, including what tools you are using, the output of these tools and the workflow that you followed.
(15 marks)
Question 2b –Based on your findings from Part 2a of this question, and the contents of thefile you analysed, provide THREE security measures that the company/affected users must take immediately. Explain what purpose each of the security measures will serve.
(15 marks)
(Question 2 Total 30 marks)
Question 3
A Wireshark packet capture is available for download along with this exam paper. This file, “question3.pcap” is available on LMS under the “Final Exam” link.
Your task is to explain what is taking place in the capture. Provide comments explaining what activity the capture describes.
HINT: You should provide a description of what the user of the computer is doing at the time of the capture and do not simply provide a line by line explanation of packets.
Question 3a –What is the host 192.168.1.10 doing at the time of this packet capture?
Explain the protocols in use, what is the hostname and IP address of the server, as well as a plain English description of the data that is transferred. Explain how you got to this information in Wireshark including the use of any features such as display filters.
(15 marks)
Page 2 of 4
Question 3b –Let us assume that this Wireshark capture had been made an unknownadversary as the user communicated over the internet.
What security measures can the user take to protect against this same adversary from spying on their activity as they continue to communicate over the internet in the same way? Provide a detailed explanation of the security measures and explain the purpose of each measure, as well as an overview of how it works.
(15 marks)
(Question 3 Total 30 marks)
Question 4
In addition to performing technical security duties, one of the roles of an InfoSec specialist is to provide training and education to colleagues.
Assume that a junior colleague has created a report describing Denial of Service attacks. In this question, you must evaluate the attached report and provide commentary and areas for improvement.
The report is available in PDF format, as “question4.pdf” under the “Final Exam” link.
Your evaluation of their report may use the below sections as a guide for your response which should include a discussion and suggestions for improvement in all of the four areas:
- How well explained and clear is the overview of this vulnerability? How clear is the main definition and concept being examined? Provide any improvements if needed.
(5 marks)
- Is this vulnerability a sensible choice based on current security trends? In addition, are the root causes explained properly? Discuss any aspects which are incomplete or missing.
(5 marks)
- Does this report use the latest data and evidence of this vulnerability in real environments? Describe any latest trends and attacks in this area that have not been covered.
(5 marks)
Page 3 of 4
- Does this report provide suitable and real mitigation steps that the organization can take to prevent these attacks? Provide your own comments on any areas for improvement.
(5 marks)
(Question 4 Total 20 marks)
(Exam Total 100 Marks)
END OF EXAMINATION
Page 4 of 4