
Hands-On Ethical Hacking and Network Defense 4th Edition By Rob Wilson (Solution Manual)


Preview: 4 of 409 pages

  • 6 July 2023
  • 409
  • 2022/2023
  • Exam (worked solutions)
  • Questions and answers
(Hands-On Ethical Hacking and Network Defense, 4e Rob Wilson)

(Solution Manual all Chapter)

Michael T. Simpson, Nicholas D. Antill, Robert S. Wilson, Hands-On Ethical Hacking and
Network Defense, 4th Edition; Module 01: Ethical Hacking Overview

Table of Contents
Hands-On Activities
Activity 1-1: Determining the Corporate Need for IT Security Professionals
Activity 1-2: Examining the Top 25 Most Dangerous Software Flaws
Activity 1-3: Identifying Computer Statutes in Your State or Country
Activity 1-4: Examining Federal and International Computer Crime Laws
Review Questions
Case Projects
Case Project 1-1: Determining Legal Requirements for Penetration Testing
Case Project 1-2: Researching Hacktivists at Work
Ethical Hacking for Life: Module 1 Ethical Hacking Overview
Grading Rubric for Ethical Hacking for Life
Reflection: Module 1
Grading Rubric for Reflection




Hands-On Activities
Activity 1-1: Determining the Corporate Need for IT Security Professionals
Time Required: 10 minutes
Objective: Examine corporations looking to employ IT security professionals.
Description: Many companies are eager to employ or contract security testers for their corporate
networks. In this activity, you search the Internet for job postings, using the keywords “IT Security,” and
read some job descriptions to determine the IT skills (as well as any non-IT skills) most companies want
an applicant to possess.



© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible
website, in whole or in part.

1. Start your web browser and go to indeed.com.
2. In the What search box, type IT Security. In the Where search box, enter the name of a major
city near you, and then press Enter.
3. Note the number of jobs. Select three to five job postings and read the job description in each
posting.
4. When you’re finished, exit your web browser.
Answer: Student should complete activity in their web browser. No submitted response is required.

Activity 1-2: Examining the Top 25 Most Dangerous Software Flaws
Time Required: 15 minutes
Objective: Examine the SANS list of the most common network exploits.
Description: As fast as IT security professionals attempt to correct network vulnerabilities, someone
creates new exploits, and network security professionals must keep up to date on these exploits. In this
activity, you examine some current exploits used to attack networks. Don’t worry—you won’t have to
memorize your findings. This activity simply gives you an introduction to the world of network security.
1. Start your web browser and go to www.sans.org.
2. Under Resources, click the Top 25 Programming Errors link. (Because websites change
frequently, you might have to search to find this link.)
3. Read the contents of the Top 25 list. (This document changes often to reflect the many new
exploits created daily.) The Top 25 list is also known as the Top 25 Most Dangerous Software
Errors. Links in the list explain the scoring system and framework used to rank these errors.
4. Investigate the first few flaws by clicking the CWE-# link. For each flaw, note the description,
applicable platform, and consequences.
5. When you’re finished, exit your web browser.
Answer: Student should complete activity in their web browser. No submitted response is required.

Activity 1-3: Identifying Computer Statutes in Your State or Country
Time Required: 30 minutes
Objective: Learn what laws might prohibit you from conducting a network penetration test in your state
or country.
Description: For this activity, you use Internet search engines to gather information on computer crime
in your state or country (or a location selected by your instructor). You have been hired by ExecuTech, a
security consulting company, to gather information on any new statutes or laws that might affect the
security testers it employs. Write a one-page memo to Liang Choi, director of security and operations,
listing applicable statutes or laws and offering recommendations to management. For example, you
might note in your memo that conducting a denial-of-service attack on a company’s network is illegal
because your state’s penal code prohibits this type of attack unless authorized by the owner.
Answer: Answers will vary. The memo should include state laws that might affect how a penetration test
could be conducted as well as problems that might arise because of state laws. The memo could also ask
that management draw up a contract addressing any risks or possible network degradation that might
occur during testing.

Activity 1-4: Examining Federal and International Computer Crime Laws
Time Required: 30 minutes
Objective: Increase your understanding of U.S. federal and international laws related to computer
crime.
Description: For this activity, use Internet search engines to gather information on U.S. Code, Title 18,
Sec. 1030, which covers fraud and related activity in connection with computers. Also, research the
Convention on Cybercrime (the Budapest Convention). Write a summary explaining how these laws can
affect ethical hackers and security testers.
Answer: Answers will vary. The summary should mention some key elements, such as (a)(2)
“intentionally accesses a computer without authorization or exceeds authorized access, and thereby
obtains ….” Section (g) states: “Any person who suffers damage or loss by reason of a violation of this
section may maintain a civil action against the violator.” The summary might also mention the possibility
of a lawsuit. Students need to understand that this federal law addresses government computers and
financial systems. Students should mention what nations are part of the Convention on Cybercrime
(Budapest Convention).


Review Questions
1. The U.S. Department of Justice defines a hacker as which of the following?
a. A person who accesses a computer or network without the owner’s permission
b. A penetration tester
c. A person who uses phone services without payment
d. A person who accesses a computer or network system with the owner’s permission

Answer: a. A person who accesses a computer or network without the owner’s permission



2. A penetration tester is which of the following?
a. A person who breaks into a computer or network without permission from the owner
b. A person who uses telephone services without payment
c. A security professional hired to break into a network to discover vulnerabilities
d. A hacker who breaks into a system without permission but doesn’t delete or destroy files

Answer: c. A security professional hired to hack into a network to discover vulnerabilities

3. Some experienced hackers refer to inexperienced hackers who copy or use prewritten scripts or
programs as which of the following? (Choose all that apply.)
a. Script monkeys
b. Packet kiddies
c. Packet monkeys
d. Script kiddies

Answer: c. Packet monkeys d. Script kiddies


4. What three models do penetration or security testers use to conduct tests?
Answer: white box, black box, gray box

5. A team composed of people with varied skills who attempt to penetrate a network is called which of
the following?
a. Green team
b. Blue team
c. Black team
d. Red team

Answer: d. Red team



