systems lab

Once the Application has started up and you are at the Start Page, select the create a new project option. When presented with the New Project window like the one below, be sure that you have highlighted Console Application under the Templates window. Now give the new project the name INV_GRAB in the Name field, and have the location field pointing to the F:SAI430 folder you have on the F: drive. The diagram below depicts what your New Project window should look similar to.

Once you have done this, select OK to complete this operation. You may get a “Microsoft Development Environment” message box stating that the project location is not a fully trusted .NET runtime location. You can ignore this and just select OK. You should now see your new project listed in the Solution Explorer window on the upper right hand corner of the editor window. You are now ready to begin setting up your form.

The first step now is to set up a database connection with Access and then a data set that can be used to transport the data from the database to the application to be written to a file. For the purposes of this lab and your project, you will only need data from two columns in the ITEMS table of the INVENTORY database, but we will control that with the code written later. The following steps will lead you through the process of setting up the connection.

• • To begin, you need to add the following three namespaces to the top of your application code:

using System.IO;

using System.Data;

using System.Data.OleDb;

Since you are going to be not only connecting to a database but also writing data to a file, you will need all three of these listed.

• • Now you can set up the connection to your Access database that you downloaded and put in your folder. The actual connection string is @”Provider=Microsoft.JET.OLEDB.4.0; data source=F:inventory.mdb”. This is a standard connection string for MS Access. You will want to precede this with the command – string conString = so that the finished connection looks like this.

string conString = @”Provider=Microsoft.JET.OLEDB.4.0; data source=F:SAI430inventory.mdb”;

This is simply defining a string variable named conString and assigning the connection string to it. We will use this variable later.

• • Now we need to define an OleDbConnection that will be used to connect to the database. To do this you will need to define a connection variable as a new OleDbConnection and point it to the connection string defined in the previous step. Your code should look like the following.

OleDbConnection conn = new OleDbConnection(conString);

Now you can connect and open the database with the following command entered right below the line above.

conn.Open();

• • Last, we need to declare a variable that will be used later on. Although this really has nothing to do with setting up the database connection, this is as good a place as any to do this. You need to define a single variable named rowCount as an integer and initialize it to zero. Your code should look like the following.

int rowCount = 0;

Now you will need to set up a Data Set that will be used to hold the data that is pulled from the database so that it can be processed. This dataset will hold all of the records from the item table. We will use this data to write out our inventory list to a file.

• • You will need to create a query string that will be used to get the data in the “item” table. This will be a simple select statement that will get all of the data from the table (we will be specific regarding what is needed later). You will need to define a string variable for this query string similar to what you did for the connection string. When finished, your new string should look like the following:

string selectStr = “SELECT * FROM item”;

There is a variable we will need to use later on, so we might as well define and initialize at this point. The new variable is an integer data type and needs to be named rowCount. Initialize it to zero.

• • Now you need a new OleDbDataAdapter to work with the dataset. To do this you will need to define an object named DataAdapter as a new OleDbDataAdapter and then use the selectStr created above and the connection variable create to load it. Your code should look like the following:

OleDbDataAdapter DataAdapter = new OleDbDataAdapter(selectStr, conn);

• • Now we can define the data set like the following:

DataSet dataSet = new DataSet();

This is a simple definition that we can use along with the DataAdapter Fill method to fill the data set like the following:

DataAdapter.Fill(dataSet, “item”);

• • We now have one more step that will allow us to define which columns we want to get data from later on. We need to define a DataTable object based on the new dataSet. To do this you will need the following code:

DataTable dataTable = dataSet.Tables[0];

So far we have put everything together to get the data from the database into our program. Now we need to deal with writing the data out to a file. To do this we will be using the StreamWriter class and some of its objects.

We must declare a new instance of the StreamWriter so that we can obtain its methods. At the same time we can also initialize the new writer to point to where we want the file to be written to. Your code should look like the following.

StreamWriter sw = new StreamWriter(@”F:sai430INV_GRB.txt”, false);

Now we are ready to set up the processing to loop through our data set, pull the data we need into a file, and print it out. To help with this there is a file in Doc Sharing named Lab1_code.txt. The code in this file can be copied and pasted into the area of the code section you are working, just below the line you added above. Be sure to change the directory path to match yours for the output file.

You are now ready to make your last build. If everything has been done correctly, you should end up with no error messages and clean build. Once this has been done then you are ready to execute the application by selecting Debug => Start from the main menu. If all goes well you should be able to find your output file in the location listed in the program.

You are now ready to make your last build, but first you need to make two changes to the properties for your project.

Changing the build option for 32-bit.

We need to build the application as a 32-bit application so it will work with the Microsoft ODBC drivers for Access; to do this you will need to select Project => INV_GRAB Properties from the main menu. Now select the Build tab on the side of the properties box, and then in the drop down list next to Program Target, select the X86 option. This will allow the application to build as a 32-bit application. Do not close the properties window yet though, because there is one more step.

Setting the Security option:

Now select the Security tab on the left side. Check the Enable ClickOnce Security Settings check box. This is a full trust application option, which is what you want.

Now select File => Save All from the main menu and then close the properties window.

Now you can either build or re-build the application. If everything has been done correctly, you should end up with no error messages and clean build. Once this has been done, you are ready to execute the application by selecting Debug => Start from the main menu. If all goes well you should be able to find your output file in the location listed in the program.

You first want to make sure that you have the Inventory.MDB database in the SAI430 folder on the F: of your directory structure in Citrix. This should also be the same location of your source code project and the location to which you have pointed the program to write the output file. In order to test the application and generate the output document you will need to turn in, do the following:

1. Again, make sure the application, inventory.mdb, and the output path in the application are all using the SAI430 directory on the F: drive in Citrix.
2. Execute your program.
3. Check to make sure that the output file has the correct data in it.
4. Submit this file along with your code to be graded

1

LAMP ZAP Analysis and Mitigation

Overview

For this final lab you will use the tools and techniques used throughout the course to analyze and mitigate and document the results of two LAMP applications. The first application you will analyze is the e-Commerce application you wrote during week 7. For the second application you will use a prototype UMUC tutoring LAMP application which you will need to install on your VM and then run the analysis, fix all vulnerabilities and document the results.

In both applications, you are expected to perform the scanning using ZAP research the results, identify and fix software vulnerabilities, and professionally document your process and final results.

Learning Outcomes:

At the completion of the lab you should be able to:

1. Set-up and run the UMUC tutor application on your VM

2. Conduct automated and manual analysis on two different LAMP applications

3. Identify, prioritize and repair software vulnerabilities found in the LAMP applications

4. Document the process and findings of your Web application security analysis

Lab Submission Requirements:

After completing this lab, you will submit a word (or PDF) document that meets all of the requirements in the description at the end of this document. In addition, the modified and software vulnerability mitigated LAMP applications and all associated files should be submitted.

Virtual Machine Account Information

Your Virtual Machine has been preconfigured with all of the software you will need for this class. The default username and password are:

Username : umucsdev Password: umuc$d8v

MySQL Username: sdev_owner

MySQL password: sdev300

MySQL database: sdev

Tutor Application user accounts:

Tutor1 username: tutor1 Tutor1 password: t123 Tutor2 username: tutor2

Tutor2 password: t234

Tutor3 username: tutor3

Tutor3 password: t345

Part 1 – Set-up and Run the UMUC tutor application on your VM

2

In this exercise you will create and populate the database tables for the LAMP application and install the PHP and associated files on your VM. The application is fully functional (but definitely not safe). You need to perform a few steps to make sure it is working properly on your VM.

1. From the Week 8 code examples, download the UMUCTutorLamp.zip file.

2. Move the file to your VM and unzip using the right mouse click – extract to here option. Note a folder names week8 will be provided that has two subfolders.

3

3. Create a folder named Week8 in your /var/www/html folder that will store the Tutor application.

4. Copy the contents from the Tutor folder to the /var/www/html/week8 location. Note: just copy the folders and files inside of the Tutor folder not the Tutor folder itself.

4

5. From the location where you unzipped your UMUCTutorLamp.zip file, open the SQL folder. Open the createTables.sql file.

6. Launch MySQL and use the sdev database. Important: make sure you use the sdev database so the tables are created in the correct area.

5

7. Carefully, copy and paste the SQL lines into the mysql prompt. You can do this in batches. Look for any errors as you are running the scripts.

8. Verify your tables are correctly created and populated by querying the tables and verifying data exists in the tables where you inserted data.

6

9. Open up your Browser and Launch the tutor app (localhost/week8/)

10. Click on the Create a new CSTutor account to create a student account. Click Submit after you have entered your test account data.

7

11. Login using the account information you just created and request two or three tutoring sessions using the form.

8

9

10

12. Login in as one of the tutors to see what students have sessions. (Use localhost/week8/tlogin.html) Note: tutor1 tutors, CMIS102, tutor2 tutors CMIS141/242 and tutor3 tutors CMIS320. Be sure to login as the tutor corresponding to the tutor sessions you created.

11

13. Click on “Show all my Sessions” to view all of the available sessions for this tutor.

14. Continue to experiment the Tutor to learn most of the functionality.

Lab submission details:

As part of the submission for this Lab, you will run manual and automatic attacks on your week7 lab submission and the UMUC Tutor app on your VM.

12

Be sure to work on each application separately and document the issues you found and the process you used to fix the applications. You can provide the findings in one well-organized document. You should work to eliminate all alerts in both applications and clearly document specifically what you did to mitigate each issue.

Create screen captures demonstrating your process and results. Each screen capture should be fully described. The document should be well-organized and include a table of contents, page numbers, figures, and table numbers. The writing style should be paragraph style with bullets used very sparingly to emphasize specific findings. In other words, this should be a professional report and demonstrate mastery of writing.

Be sure your process includes both manual and automatic scanning. When researching your security alerts, be sure to document your references using APA style. You should show both before and after fix vulnerability reports. Your final vulnerability report should show zero alerts and vulnerabilities.

For your deliverables, you should submit a zip file containing your word document (or PDF file) along with the before and after application files. (including sql and parameter files) If you made changes to your VM environment (e.g. security.conf, apache2.conf, php.ini) you should provide those files also.

Include your full name, class number and section and date in the document.

Grading Rubric:

Attribute

Meets

Does not meet

ZAP attacks

6 points

Runs manual attacks on your week7 lab submission. (1 point)

Runs automatic attacks on your week7 lab submission. (1 point)

Runs manual attacks on the tutor app. (1 point)

Runs automatic attacks on the tutor app. (1 point)

Eliminates all alerts in both applications. (2 points)

0 points

Does not run manual attacks on your week7 lab submission.

Does not run automatic attacks on your week7 lab submission.

Does not run manual attacks on the tutor app.

Does not run automatic attacks on the tutor app.

Does not eliminate all alerts in both applications

Documentation and submission

4 points

Submits a word or PDF document that includes screen captures demonstrating your process and results. Screen captures are fully described. Clearly documents specifically what you did to mitigate each issue. (2 points)

0 points

Does not submit a word or PDF document that includes screen captures demonstrating your process and results. Screen captures are not fully described. Does not clearly document specifically what you did to mitigate each issue.

13

Document is well-organized and includes a table of contents, page numbers, figures and table numbers. The writing style should be paragraph style with bullets used very sparingly to emphasize specific findings. Document your references using APA style. (1 point)

Includes all before and after application files in zip format. (sql and parameter files, security.conf, apache2.conf, php.ini) (1 point)

Document is not well-organized or includes a table of contents, page numbers, figures or table numbers. The writing style is not paragraph style with bullets used excessively. APA style references not used.

Does not include all before and after application files in zip format. (sql and parameter files, security.conf, apache2.conf, php.ini)

Run Zap on both UMUCTutorLamp and store.sql

 

Prepare a Business Impact Analysis (BIA) for an information system, such as a payroll system.

Download the template “Business Impact Analysis (BIA) Template” from the Computer Security Resource Center website.

Read the template. Notice that text in italics is instructive and placeholder text.

Compete the Business Impact Analysis (BIA) Template.

Part 2: 

Download the Information System Contingency Plan template from the Computer Security Resource Center website. Choose the low, moderate, or high template based on the impact value you identified in the Outage Impacts section of the BIA template for Par

Write a two to four (2-4) page paper in which you:

1. Explain what you believe are the three (3) most important concerns when it comes to mobile devices in the workplace. Justify your response.
2. Determine whether or not you believe organizations should have strict policies regarding the use of mobile devices in the workplace, also known as BYOD. Recommend whether these policies should stretch across all industries or apply to only a select few. Provide a rationale for your recommendation.
3. Select a current mobile operating system (e.g., iOS, Android, etc.) that you believe to be the largest concern in the workplace, and explicate why you believe that to be the case. 
4. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources. 

Your assignment must follow these formatting requirements:

• Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
• Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.

The specific course learning outcomes associated with this assignment are: