1. Security and vulnerability assessment analysis tool - Microsoft Baseline Security Analyzer (MBSA) for Windows OS Locate and launch MBSA CLI Check computer for common security misconfigurations MBSA will automatically select by default to scan WINDOWS VM WINATCK01 While scanning WINDOWS VM WINATCK01 Security Assessment Report 2 Security updates are missing ACTION **Requires immediate installation to protect computer 1 Update roll up is missing ACTION **Obtain and install latest service pack or update roll up by using download link Administrative Vulnerabilities More than 2 Administrators were found on the computer, ACTION **Keep number to a minimum because administrators have complete control of the computer. User accounts have non-expiring passwords ACTION ***Password should be changed regularly to prevent password attacks Windows firewall disabled and has exceptions configured Great! Auto logon is disabled (Even if it is configured, provided password is encrypted; not stored as text) GREAT! Guest account is disabled on the computer. GREAT! Anonymous access is restricted from the computer ADMINISTRATIVE SYSTEM INFORMATION DANGER! Logon success and logon failure auditing is not enabled. ACTION ** Enable and turn on auditing for specific events such as logon and logoff to watch for unauthorized access. 3 Shares are present ACTION ** Review list of shares and remove any shares that are not needed. GREAT! Internet explorer has secure settings for all users. Following to be included in the SAR a. Windows administrative vulnerabilities present are that more than 2 Administrators were found on the computer. It is advised to keep minimum number because administrators have complete control of the computer. b. Windows accounts were found to have non-expiring passwords while passwords should be changed regularly to prevent password attacks. One user account has blank or simple password or could not be analyzed c. Windows OS has two security updates missing and so requires immediate installation to protect the computer. One update roll up is missing which requires that latest service pack should be obtained and installed or roll up updated using the download link. 2.Security and vulnerability assessment analysis tool – OpenVAS for Linux OS Using the ifconfig command in Terminal to check the IP Address assigned to your VM Linux machine. eth0: (device name for Linux Ethernet cards), with IP Address in this example is determined to be 172.21.20.185 The IP address, 127.0.0.1, is the loopback address that points to the localhost, or the computer that applications or commands are being run from. This address will be used to access the OpenVas application on the VM. Using OpenVAS Web Interface which is running on port number 9392 and can be opened using the Mozilla Firefox browser. After getting a security exception, on Adding Exception Scan IP address by typing 127.0.0.1 next to the ‘Start Scan’ button, then click. ...

1. 1. Security and vulnerability assessment analysis tool -
Microsoft Baseline Security Analyzer (MBSA) for Windows OS
Locate and launch MBSA CLI
Check computer for common security misconfigurations
MBSA will automatically select by default to scan WINDOWS
VM WINATCK01
While scanning WINDOWS VM WINATCK01
Security Assessment Report
2 Security updates are missing ACTION **Requires immediate
installation to protect computer
1 Update roll up is missing ACTION **Obtain and install latest
service pack or update roll up by using download link
Administrative Vulnerabilities
More than 2 Administrators were found on the computer,
ACTION **Keep number to a minimum because administrators
have complete control of the computer.
User accounts have non-expiring passwords ACTION
***Password should be changed regularly to prevent password
attacks

2. Windows firewall disabled and has exceptions configured
Great! Auto logon is disabled (Even if it is configured, provided
password is encrypted; not stored as text)
GREAT! Guest account is disabled on the computer.
GREAT! Anonymous access is restricted from the computer
ADMINISTRATIVE SYSTEM INFORMATION DANGER!
Logon success and logon failure auditing is not enabled.
ACTION ** Enable and turn on auditing for specific events
such as logon and logoff to watch for unauthorized access.
3 Shares are present ACTION ** Review list of shares and
remove any shares that are not needed.
GREAT! Internet explorer has secure settings for all users.
Following to be included in the SAR
a. Windows administrative vulnerabilities present are that more
than 2 Administrators were found on the computer. It is advised
to keep minimum number because administrators have complete
control of the computer.
b. Windows accounts were found to have non-expiring
passwords while passwords should be changed regularly to
prevent password attacks. One user account has blank or simple
password or could not be analyzed
c. Windows OS has two security updates missing and so
requires immediate installation to protect the computer. One

3. update roll up is missing which requires that latest service pack
should be obtained and installed or roll up updated using the
download link.
2.Security and vulnerability assessment analysis tool –
OpenVAS for Linux OS
Using the ifconfig command in Terminal to check the IP
Address assigned to your VM Linux machine.
eth0: (device name for Linux Ethernet cards), with IP Address
in this example is determined to be 172.21.20.185 The IP
address, 127.0.0.1, is the loopback address that points to the
localhost, or the computer that applications or commands are
being run from. This address will be used to access the OpenVas
application on the VM.
Using OpenVAS Web Interface which is running on port number
9392 and can be opened using the Mozilla Firefox browser.
After getting a security exception, on Adding Exception
Scan IP address by typing 127.0.0.1 next to the ‘Start Scan’
button, then click.
Status says Requested
Status percent changes to 94%

4. Status percent changes to 98%
Scan completed with severity as 5.0 Medium
Vulnerabilities:
1) Remote server configured to allow weak encryption and Mac
algorithms
2) possible to detect deprecated protocols that will allow
attackers to eavesdrop connection between service and clients to
get access to sensitive data transferred across secured
connection.
3) Host is installed with open SSL prone to information
disclosure vulnerability which may allow man-in-the middle
attackers gain access to the plain text data stream. Application
layer is impacted. Weak ciphers offered by service.
Scan management results
All Security information by severity level
Assets Management – host
Host Details
Configuration Scanner details

5. Extras – My settings
Extras – Performance
Administration – User details
Administration – Roles
Administration – CERT feed management
Following to be included in the SAR
a. No Linux administrative vulnerability was present as there
was only one Administrator found on the computer. It is advised
to keep minimum number because administrators have complete
control of the computer.
Vulnerabilities present were as follows:
1) Remote server configured to allow weak encryption and Mac
algorithms
2) Possible to detect deprecated protocols that will allow
attackers to eavesdrop connection between service and clients to
get access to sensitive data transferred across secured
connection.
3) Host is installed with open SSL prone to information
disclosure vulnerability which may allow man-in-the middle
attackers gain access to the plain text data stream. Application
layer is impacted. Weak ciphers offered by service.
b. Admin was the only user on the computer. Admin password
should be restricted access to or changed regularly to prevent

6. password attacks. No user was found to have blank or simple
password or could not be analyzed.
c. No Linux security updates
For explanation:
Multiple sources exist for ideas for theory development and
research in which many problem areas are identified within the
domain of nursing to expand theory. In the recent times, nursing
theory has originated from:
· Role Proliferation: Conceptualization of nursing as a set of
functions became the focus of investigation, with theory
evolving on how to prepare nurses for various roles.
· Basic Sciences: PhD education of nurses in sociology,
psychology, anthropology, and physiology introduced ideas
from other disciplines and stimulated new ways of looking at
nursing phenomena.
· Nursing Process: Examination of processes in nurse-patient
relationships and patient care triggered ideas and questions
related to problem solving, priority setting, and decision
making.
· Nursing Diagnosis: Labels were given to and a universal
nomenclature was developed for problems that fall within the
domain of nursing. These are actually conceptual statements
about the health status of patients and, therefore, the first step
in theory development.
· Concept Identification: Theory development encouraged
identification of concepts central to nursing. Identification of
relationships between concepts (propositions) defined a new
nursing perspective.
CYB 610 PROJECT 1 – SCREENSHOTS OF PASSWORD
CRACKING EXERCISE
Results on experiment with the password cracking tools; please

7. find answers to the questions below while findings are equally
shared in the project report.
1. Which tool, on which operating system was able to recover
passwords the quickest? Provide examples of the timing by your
experimental observations.
Ophcrack tool was able to recover passwords the quickest on
Windows 7 Enterprise operating system
Cain and Abel tool using BRUTE FORCE attack with NTLM
Hashes loaded
User
NT
Password
Time left
Time taken
Time start
Time stop
1
Xavier
xmen
blank
< 1 min
12.01am
12.01am
2
Wolverine
Not cracked
3.1e+10 years
> 1 hr
3
Shield
Not cracked
2.9e+10 years

8. > 1 hr
4
EarthBase
Not cracked
2.9e +10 years
> 1 hr
5
dbmsAdmin
Not cracked
1.3e +17 years
> 1 hr
6
Kirk
Not cracked
1.3e+17 years
> 1 hr
7
Mouse
Not cracked
3.0e+10 years
> 1 hr
8
Rudolph
Not cracked
1.3e+17 years
> 1 hr

9. 9
Snoopy
Not cracked
3.0e+10 years
> 1 hr
10
Spock
Not cracked
3.0e+10 years
> 1 hr
11
Apollo
Not cracked
2.9e+10 years
> 1 hr
12
Chekov
Not cracked
2.9e+10 years
> 1 hr
13
Batman
Not cracked
2.9e+10 years
> 1 hr

10. Cain and Abel tool using Dictionary attack with NTLM Hashes
loaded
(common stop position 3456292)
User
NT
Password
Time spent
1
Xavier
Not cracked
2
Wolverine
Motorcycle (position 1747847)
< 1 min
3
Shield
Not cracked
< 1 min
4
EarthBase
Not cracked
< 1 min
5
dbmsAdmin
Not cracked
< 1 min
6
Kirk
Not cracked
< 1 min
7
Mouse

11. Not cracked
< 1 min
8
Rudolph
Not cracked
< 1 min
9
Snoopy
Not cracked
< 1 min
10
Spock
Not cracked
< 1 min
11
Apollo
Not cracked
< 1 min
12
Chekov
Not cracked
< 1 min
13
Batman
Not cracked
< 1 min
Ophcrack tool used for password cracking
User
LM
Password
1
Xavier
xmen
2

12. Wolverine
Not found
3
Shield
Not found
4
EarthBase
Not found
5
dbmsAdmin
Not found
6
Kirk
Not found
7
Mouse
Not found
8
Rudolph
Not found
9
Snoopy
Not found
10
Spock
Not found
11
Apollo
M00n
12
Chekov
Riza
13
Batman
Bats
Time elapsed was 17 secs

13. 2.Which tool(s) provided estimates of how long it might take to
crack the passwords?
Cain and Abel too using Brute force attack
Cain and Abel provided time left in number of years, days or
minutes depending on the specified password length.
What was the longest amount of time it reported? 3.1e+10 years
and for which username? Wolverine
3. Compare the amount of time it took for three passwords that
you were able to recover.
· Cain and Abel tool: Xavier user (xmen password cracked using
brute force attack) = <1 min
· Cain and Abel tool: Wolverine user (motorcycle password
cracked using dictionary attack) = <1 min
· Ophcrack tool : Batman user (bats password cracked under 17
secs)
4. Compare the complexity of the passwords for those
discussed in the last question. What can you say about recovery
time relevant to complexity of these specific accounts?
Xavier user password (xmen) was easier and quicker to crack
using brute force attack due to its short password length, while
it allocated a long time to crack Wolverine user password
(motorcycle). Dictionary attack found Wolverine user password
(motorcycle) simple to attack because it possibly exists in its
wordlists.
Dictionary attack of Cain and Abel tool keeps a record position
on the wordlist which allows you to continue from the word
where you left off before you halt the attack. Brute force attack
takes the specified password length (e.g minimum of 1,
maximum of 16 or more) into consideration to run through
every possible combination which makes it CPU intensive and
extremely slow.
Ophcrack tool has proved to be quicker and more powerful than
Cain and Abel to crack up to four passwords for users; Xavier,
Apollo, Chekov and Batman. One would have expected

14. Ophcrack tool to succeed in cracking Wolverine password
(motorcycle). It shows that the longer and/or more complex a
password is, the longer it will take to crack.
It is advisable to use passphrase (thkGodisfri), long words or
complex words with all four types of character sets as they are
pretty secure.
5. What are the 4 types of character sets generally discussed
when forming strong passwords?
Lower case letters, upper case letters, numbers (0 through 9)
and special characters ($,*, #, ! and so on)
How many of the 4 sets should you use, as a minimum?
Upper case letters, Lower case letters, and numbers depending
on the company password policy
What general rules are typically stated for minimum password
length?
Minimum of eight characters in length
6.How often should password policies require users to change
their passwords? 90 days
7. Discuss the pros and cons of using the same username
accounts and passwords on multiple machines.
Pros : You would only need to remember one set of username
and password for multiple machines
Cons : Hackers can have access to other machines using the
same account credentials that have been compromised.
8. What are the ethical issues of using password cracker and
recovery tools?
Systems Administrators can use it to recover lost passwords and
regain access to machines
Users that either lost their passwords or corporate entities that
need to look into any compromise or vulnerability they might
have exposed themselves to, should be made aware of when and
why such password cracker, recovery tools may be run
Recovered or cracked passwords should not be disclosed to
third parties and there shouldn’t be a way to link passwords
back to the users
9.Are there any limitations, policies or regulations in their use

15. on local machines?
Consent of the system owner should be acquired before usage of
password recovery tools as there might be damages and / or loss
of data using the password cracking software.
Home networks?
As an individual you can build your own labs and explore
password cracking
Small business local networks? Intranets? Internets? Where
might customer data be stored?
We need to coordinate with clients to clearly define the scope of
password recovery or cracking efforts and abide by the related
rules of engagement.
It is illegal to launch password cracking tools on individual’s or
organization’s web sites through the internet without adequate
notice and/or consent.
It does not really matter how long or strong your password may
be,what matters is how is your confidential or protected data
(password) is stored
10.If you were using these tools for approved penetration
testing, how might you get the sponsor to provide guidance and
limitations to your test team?
The test team will request guidance and limitation from the
sponsor by scheduling for a kickoff meeting where the timing
and duration of the testing will be discussed, so that normal
business and everyday operations of the organization will not be
disrupted. Information will be gathered as much as possible by
identifying the targeted machines, systems and network,
operational requirements and the staff involved.
11.Discuss any legal issues in using these tools on home
networks in States, which have anti-wiretap communications
regulations. Who has to know about the tools being used in your
household?
Using these tools on home networks in States, which have anti-
wiretap communications regulations would involve obtaining
the relevant legal documents protecting against any legal
actions, should anything go wrong during tests. If it is a rented

16. apartment, the leasing office management needs to be informed.
Please, find screenshots of step by step exercise on password
cracking:
References
Password storage and hashing
● http://lifehacker.com/5919918/how-your-passwords-are-
stored-on-the-internet-and-whenyour-password-strength-doesnt-
matter
● http://www.darkreading.com/safely-storing-user-passwords-
hashing-vs-encrypting/a/did/1269374
● http://www.slashroot.in/how-are-passwords-stored-linux-
understanding-hashing-shadowutils
Click on Lab broker to allocate resources
Signing into the workspace with StudentFirst/[email protected]
Right on the desktop of VM WINATK01, click Lab Resource
then folder - Applications, locate and launch Cain.
After launch of Cain
Maximize screen and click Cracker tab
20 user accounts on the local machine used to populate the right
window.

17. 1 hash cracked on Xavier user using brute force plus NTLM
hash
Brute force attack on Wolverine user
Results after using Cain and Abel application for both types
(brute force and dictionary) of attacks
Results after using Ophcrack application to crack all user
passwords
Click on Ophcrack -> click ‘crack’ then stop and take note of
time taken
Running Head: Risk Assessment Repot (RAR)
1
Risk Assessment Report (SAR)
5

18. Risk Assessment Report (RAR)
CHOICE OF ORGANIZATION IS UNIVERSITY OF
MARYLAND MEDICAL CENTER (UMMC) OR A
FICTITIUOS ORGANIZATION (BE CREATIVE)
· Define risk, remediation and security exploitation. (Cite )
· Read the attached documents on risk assessment resource for
the process in preparing the risk assessment
START TO READ:
Organizations perform risk assessments to ensure that they are
able to identify threats (including attackers, viruses, and
malware) to their information systems. According to the
National Institute of Standards and Technology (NIST),
Risk assessments address the potential adverse impacts to
organizational operations and assets, individuals, other
organizations, and the economic and national security interests
of the United States, arising from the operation and use of
information systems and the information processed, stored, and
transmitted by those systems (NIST, 2012).

19. When a risk assessment is completed, organizations rate risks at
different levels so that they can prioritize them and create
appropriate mitigation plans.
References
U.S. Department of Commerce, National Institute of Standards
and Technology (NIST). (2012). Information security: Guide for
conducting risk assessments (Special Publication 800-30).
Retrieved August 5, 2016, from
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicatio
n800-30r1.pdf
END OF READING:
· identify threats, vulnerabilities, risks, and likelihood of
exploitation and suggested remediation.
· Include the OPM OIG Final Audit Report findings and
recommendations as a possible source for methods to remediate
vulnerabilities.
· Research through the attached doc and cite
THREAT IDENTIFICATION
threat attacks on vulnerabilities
Potential hacking actors
types of remediation and mitigation techniques
IP address spoofing/cache poisoning attacks
denial of service attacks (DoS)
packet analysis/sniffing
session hijacking attacks

20. distributed denial of service attacks
· prepare a Risk Assessment Report (RAR) with information on
the threats, vulnerabilities, likelihood of exploitation of security
weaknesses, impact assessments for exploitation of security
weaknesses, remediation, and cost/benefit analyses of
remediation.
· Devise and include a high-level plan of action with interim
milestones (POAM), in a system methodology, to remedy your
findings.
· Summarize and include the results you obtained from the
vulnerability assessment tools (i.e., MBSA and OpenVas- proj 2
Lab) in RAR

21. Product I bought starts from herePURPOSE
The purpose of this risk assessment is to evaluate the adequacy
of the Amazon corporation’s security. This risk assessment
report provides a structured but qualitative assessment of the
operational environment for Amazon corporation’s . It
addresses issues of sensitivity, threats analysis ,
vulnerabilities analysis , risks analysis and safeguards applied
in Amazon corporation’s . The report and the assessment
recommends use of cost-effective safeguards in order to
mitigate threats as well as the associated exploitable
vulnerabilities in Amazon corporation’s.
THE ORGANISATION
The The Amazon corporation’s system environment is run as a
distributed client and server environment consisting of a
Microsoft Structured Query Language -SQL database built with
Powerful programming code. The Amazon corporation
contains SQL data files, Python application code, and
executable Java and Javascripts. The SQL production data
files, documented as consisting of SQL stored procedures and
SQL tables, reside on a CLOUD storage area network attached
to a HP server running on Windows XP and MS SQL 2000
operating systems. The Python application code resides on a
different IBM server running on KALI LINUX . Both servers
are housed in the main office Building 233 Data Center at the
CDC Clifton Road campus in Atlanta, GA.
The The Amazon corporation’s executables reside on a
fileserver running Windows 2000 and KALI LINUX or
occasaionally a local workstation is installed depending upon
the loads and jobs Requirements..
Users are physically distributed in multiple locations multiple

22. sales offices in Atlanta, Pittsburgh, Ft. Collins, Research
Triangle Park, Cincinnati, and San Juan. Their desktop
computers are physically connected to a wide area network -
WAN. Some users revealed that they usually connect via
secured dial-up and DSL connections using a powerful Citrix
server. Normally, a user should connect to an active
application server in their city that hosts the the Amazon
corporation’s application, and to the shared database server
located in Atlanta.
SCOPE
The scope of this risk assessment is to assess the system’s use
of resources and controls implemented and to report on plans
set to eliminate and manage vulnerabilities exploitable by
threats identified in this report whether internal and external to
Amazon. If not eliminated but exploited, these vulnerabilities
could possibly result in:
· Unauthorized disclosure of data as well as unauthorized
modification to the system, its data, or both and Denial of
service, denial of access to data, or both to authorized users.
This Risk Assessment Report project for Amazon corporation
evaluates the confidentiality which means protection from
unauthorized disclosure of system and data information,
integrity which means protection from improper modification
of information, and availability which means loss of system
access of the system.
Intrusion detection tools used in the methodology are MBSA
security analyzer in CLAB 699 Cyber Computing Lab,
OpenVAS security analyzer in CLAB 699 Cyber Computing
Lab, and Wire shark security analyzer. In conducting the
analysis the screenshots taken using each of the tools has been
looked at with a view to arriving at relevant conclusions.
Recommended security safeguards are meant to allow
management to make proper decisions about security-related
initiatives in Amazon .
METHODOLOGY

23. This risk assessment methodology for and approach Amazon
Corporation was conducted using the guidelines in NIST SP
800-30, Risk Management Guide for Information Technology
Systems and OPM OIG Final Audit Report findings and
recommendations. The assessment is very broad in its scope
and evaluates Amazon Corporation ‘s security vulnerabilities
affecting confidentiality, integrity, and availability. The
assessment also recommends a handful of appropriate security
safeguards, allowing the management to make knowledge-based
decisions on security-related initiative in Amazon Corporation
.
This initial risk assessment report provides an independent
review to help management at Amazon to determine what is
the appropriate level of security required for their system to
support the development of a stringent System Security Plan .
The accompanying review also provides the information
required by the Chief Information Security Officer (CISO) and
Designated Approving Authority DAA also known as the
Authorizing Official to assist in to making informed decision
about authorizing the system to operate. Intrusion detection
tools are used in the methodology and includes the MBSA
security analyzer, the OpenVAS security analyzer, and Wire
shark security analyzer.
DATA
The data collected using the MBSA and other tools reveals that
the following internal routines were done by MBSA and other
tools in the LAB 2 screenshots in CLAB 699 Cyber Computing
Lab and LAB 3 screenshots in CLAB 699 Cyber Computing Lab
given together with the question.
The MBSA security analyzer, the OpenVAS security analyzer
converted the raw scan data and particularly succeeded in
outputting the following vulnerabilities into risks based on the
following methodology in CLAB 699 Cyber Computing Lab:
· Categorizing vulnerabilities as evident the LAB 2 screenshots
· Compairing threat vectors the LAB 3 screenshots
· Assessing the probability of occurrence and possible impact

24. as evident in the LAB 2 screenshots
· Authentication assessment as evident the LAB 2 screenshots
· Determining authentication threat vectors as evident in the
LAB 3 screenshots
The MBSA security analyzer and the OpenVAS security also
had routines which communicated with green bone security
assessment centre especially to provide the automated
recommendation as evident in the LAB 2 in CLAB 699 Cyber
Computing Lab and LAB 3 screenshots in CLAB 699 Cyber
Computing Lab.
The green bone security assessment centre particularly
succeeded in doing the following as evident in output file.
Lists the risks and the associated recommended controls to
mitigate these risks. The management has the option of doing
the following in the corporation:
Accepting the risks and chosen recommended controls or
negotiating an alternative mitigation, while reserving the right
to override the green bone security assessment centre and
incorporate the proposed recommended control into the
Amazons Plan of Action and Milestones .
RESULTS
The following operational as well as managerial vulnerabilities
were identified in Amazon while using the project methodology:
Inadequate adherence and advocacy for existing security
controls. Inadequate adherence to management of changes to the
information systems infrastructure. Weak authentication
protocols; Inadequate adherence for life-cycle management of
the information systems; Inadequate adherence and advocacy
for configuration management and change management plan;
Inadequate adherence for and advocacy for implementing a
robust inventory of systems, for servers, for databases, and for
network devices; Inadequate adherence to and advocacy for
mature vulnerability scanning tools; Inadequate adherence to
and advocacy for valid authorizations for many systems,
Inadequate adherence to and advocacy for plans of action to
remedy the findings of previous audits.

25. Thefollowing attacks were identified in Amazon while using the
above project methodology.
IP address spoofing/cache poisoning attacks; denial of service
attacks (DoS) packet analysis/sniffing; session hijacking attacks
and distributed denial of service attacks
NIST SP 800-63 describes the classification of potential harm
and impact as follow as well as OPM OIG Final Audit Report
findings and recommendations:
Inconvenience, distress, or damage to standing or reputation;
Financial loss or agency liability; Harm to agency programs or
public interests; Unauthorized release of sensitive information ;
Personal safety and Civil or criminal violations
Potential Impact of Inconvenience, Distress, or Damage to
Standing or Reputation:
· Low— limited, short-term inconvenience, consisting of
distress or embarrassment to any party within Amazon.
· Moderate— serious short term or limited long-term
inconvenience, consisting distress or damage to the standing or
reputation of any party within Amazon.
High—severe or serious long-term inconvenience, consisting of
distress or damage to the standing or reputation of any party
within Amazon.
Potential Impact of Financial Loss
· Low— insignificant or inconsequential unrecoverable
financial loss to any party consisting of an insignificant or
inconsequential agency liability within Amazon.
· Moderate— a serious unrecoverable financial loss to any
party, consisting of a serious agency liability within Amazon.
· High—severe or catastrophic unrecoverable financial loss to
any party; consisting of catastrophic agency liability within
Amazon.
Potential Impact of Harm to Agency Programs or Public
Interests

26. · Low, a limited adverse effect on organizational operations or
assets, or public interests within Amazon.
· Moderate—a serious adverse effect on organizational
operations or assets, or public interests within Amazon..
High—a severe or catastrophic adverse effect on organizational
operations or assets, or public interests within Amazon.
Potential impact of Unauthorized Release of Sensitive
Information
· Low- a limited release of personal, U.S. government sensitive
or commercially sensitive information to unauthorized parties
resulting in a loss of confidentiality with a low impact
· Moderate— a release of personal, U.S. government sensitive
or commercially sensitive information to unauthorized parties
resulting in loss of confidentiality with a moderate impact.
High – a release of personal, U.S. government sensitive or
commercially sensitive information to unauthorized parties
resulting in loss of confidentiality with a high impact .
Potential impact to Personal Safety
Low— minor injury not requiring medical treatment within
Amazon.
Moderate— moderate risk of minor injury or limited risk of
injury requiring medical treatment within Amazon.
High—a risk of serious injury or death within Amazon.
Potential Impact of Civil or Criminal Violations
· Low— a risk of civil or criminal violations of a nature that
would not ordinarily be subject to enforcement efforts within
USA.
· Moderate— a risk of civil or criminal violations that may be
subject to enforcement efforts within USA.
· High—a risk of civil or criminal violations that are of special
importance to enforcement programs within USA.
CONCLUSIONS AND RECOMMENDATION
In the risk assessment, two issues came out that were striking
and which are resolved below. An employee was terminated and

27. his user ID was not removed from the system. This is
dependency failure kind of vulnerability and risk pair and has
an overall risk that is moderate.
The RECOMMENDED safeguard is to remove userID from the
system upon notification of termination
Secondly a VPN /Keyfob access does not meet certification and
accreditation level stipulated in NIST SP 800-63 .This is a kind
of vulnerability that touches on inconvenience, standing and
reputation and and has an overall risk that is moderate.
The RECOMMENDED safeguard is to migrate all remote
authentication roles to CDC or any other approved authority.
This Risk Assessment report for the organization identifies risks
of the operations especially in those domains which fails to
meet the minimum requirements and for which appropriate
countermeasures have yet to be implemented. The RAR also
determines the Probability of occurrence and issues
countermeasures aimed at mitigating the identified risks in an
endeavor to provide an appropriate level-of-protection and to
satisfy all the minimum requirements imposed on the
organization’s policy document.
The system security policy requirements are satisfied now with
the exception of those specific areas identified in this report.
The countermeasure recommended in this report adds to the
additional security controls needed to meet policies and to
effectively manage the security risk to the organization and its
operating environment. Finally, the Certification Official and
the Authorizing Officials must determine whether the totality of
the protection mechanisms approximate a sufficient level of
security, and/or are adequate for the protection of this system
and its resources and information. The Risk Assessment Results
supplies critical information and should be carefully reviewed
by the AO prior to making a final accreditation decision.

28. References
National Institute of Standards and Technology (NIST) (2014).
Assessing security and privacy
controls in federal information systems and organizations.
NIST Special Publication 800-53A Revision 4. Retrieved from
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8
00-53Ar4.pdf
National Institute of Standards and Technology (NIST) (2010).
Guide for applying the risk
management framework to federal information systems. NIST
Special Publication 800-37 Revision 1. Retrieved from
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-
rev1-final.pdf
.
Running Head: Security Assessment Repot (SAR)
1
Security Assessment Report (SAR)
27

29. Intentionally left blank
Security Assessment Report (SAR)
CHOICE OF ORGANIZATION IS UNIVERSITY OF
MARYLAND MEDICAL CENTER (UMMC) OR A
FICTITIUOS ORGANIZATION (BE CREATIVE)
Introduction
· Research into OPM security breach.
· What prompts this assessment exercise in our choice of
organization? “but we have a bit of an emergency. There's been
a security breach at the Office of Personnel Management. need
to make sure it doesn't happen again.
· What were the hackers able to do? OPM OIG report and found
that the hackers were able to gain access through compromised

30. credentials
· How could it have been averted? A) security breach could
have been prevented, if the Office of Personnel Management,
or OPM, had abided by previous
auditing reports and security findings.b) access to the
databases could have been prevented by implementing
various encryption schemas and c) could have been identified
after running regularly scheduled scans of the systems.
Organization
· Describe the background of your organization, including the
purpose, organizational structure,
· Diagram of the network system that includes LAN, WAN, and
systems (use the OPM systems model of LAN side networks),
the intra-network, and WAN side networks, the inter-net.
· Identify the boundaries that separate the inner networks from
the outside networks.
· include a description of how these platforms are implemented
in your organization: common computing platforms, cloud
computing, distributed computing, centralized computing,
secure programming fundamentals (cite references)
Threats Identification
Start Reading: Impact of Threats
The main threats to information system (IS) security are
physical events such as natural disasters, employees and
consultants, suppliers and vendors, e-mail attachments and
viruses, and intruders.
Physical events such as fires, earthquakes, and hurricanes can
cause damage to IT systems. The cost of this damage is not
restricted to the costs of repairs or new hardware and software.
Even a seemingly simple incident such as a short circuit can
have a ripple effect and cost thousands of dollars in lost
earnings.
Employees and consultants; In terms of severity of impact,
employees and consultants working within the organization can
cause the worst damage. Insiders have the most detailed

31. knowledge of how the information systems are being used. They
know what data is valuable and how to get it without creating
tracks.
Suppliers and vendors; Organizations cannot avoid exchanging
information with vendors, suppliers, business partners, and
customers. However, the granting of access rights to any IS or
network, if not done at the proper level—that is, at the least
level of privilege—can leave the IS or network open to attack.
Someone with an authorized connection to the network can
enter and probe further into the network to sniff proprietary or
confidential data. In this case, Fluffy Toys was obliged to give
one supplier better terms and is losing another supplier
altogether.
Email attachments and viruses; Viruses can corrupt an IS and
completely disrupt the normal functioning of a business. Most
virus infections spread through e-mail attachments and
downloads. E-mail attachments can also be used to implant
malware or malicious programs in order to steal data or even
money. Trojan horses, logic bombs, and trapdoors are types of
malicious code that can corrupt an IS and destroy or
compromise information.
Intruders; Corporate espionage agents are typically hired by
competitors to obtain confidential or proprietary information,
such as patents, intellectual property, and trademarks. Hackers
are usually out to get any information they can lay their hands
on. Regardless of the identity of the intruder, the damage to the
organization can be substantial if confidential information is
lost.
Equally read STEP 2 attachments
End reading:
· From above, identify insider threats that are a risk to your
organization.
· differentiate between the external threats to the system and the
insider threats. Identify where these threats can occur in the
previously created diagrams.
· Define threat intelligence, and explain what kind of threat

32. intelligence is known about the OPM breach.
· Relate the OPM threat intelligence to your organization. How
likely is it that a similar attack will occur at your organization?
· Mention security communication, message and protocols, or
security data transport methods used such as (TCP/IP), SSL, and
others in your organization.
· Describe the purpose and function of firewalls for
organization network systems, and how they address the threats
and vulnerabilities you have identified.
· Describe the value of using access control, database
transaction and firewall log files.
· Describe the purpose and function of encryption, as it relates
to files and databases and other information assets on the
organization's networks.
Scope
Methodology
Data
· Share and relate the data from evaluating the strength of
passwords used by employees (password cracking tools –
ophcrack and Cain/Abel -test data –project lab1), run scans
using security and vulnerability assessment analysis tools such
as MBSA, OpenVAS, (data from project lab2) Nmap, or
NESSUS (proj lab 3 attached), network traffic sampled and
scanned using Wireshark (proj lab 3 attached) on either the
Linux or Windows systems. Wireshark allows you to inspect all
OSI Layers of traffic information.
READ NOTES about other network security tools and relate
their use at your organization
· Network Mapper (Nmap) is a security scanner that is used to
discover hosts and services on a computer network. Based on
network conditions, it sends out packets with specific
information to the target host device and then evaluates the
responses. Thus, it creates a graphical network map illustration.

33. · Nessus is a UNIX vulnerability assessment tool. It was a free
and open-source vulnerability scanner until 2005. Nessus'
features include remote and local security checks, client/server
architecture with a GTK graphical interface, and an embedded
scripting language for plugins.
· Netcat is a feature-rich network debugging and exploration
tool. It is designed to be a reliable back-end tool for other
programs. It reads and writes data across TCP and UDP network
connections.
· GFI LanGuard is an all-in-one package. It is a network
security and vulnerability scanner that helps to scan for, detect,
assess, and correct problems on the network.
· Snort is a free and open-source responsive IDS. It performs
real-time traffic analysis and packet logging on IP networks.
The program can also be used to detect probes and attacks.
Snort can be configured in three main modes—sniffer, packet
logger, and network intrusion detector. In the sniffer mode, it
reads network packets. In the packet logger mode, it logs the
packets onto a disk; and in the network intrusion detector mode,
it logs traffic. In this mode, it also analyzes the traffic against a
set of rules and acts accordingly.
· Fport is a free tool that scans the system and maintains a
record of the ports that are being opened by various programs.
System administrators can examine the Fport record to find out
if there are any alien programs that could cause damage. Any
nonstandard port, typically opened up by a virus or Trojan,
serves as an indicator of system compromise.
· PortPeeker is a freeware security tool used for capturing
network traffic using TCP, UDP, or Internet Control Message
Protocol (ICMP).
· SuperScan is a tool used to evaluate a computer's security. It
can be used to test for unauthorized open ports on the network.
Hackers also use this tool to check for insecure ports in order to
gain access to a system. SuperScan helps to identify open ports
and the services running on them. It also runs queries such as

34. Whois and ping.
End of reading
Results
Network Security Issues:
· Provide an analysis of the strength of passwords used by the
employees in your organization, emphasizing weak and
vulnerable passwords as a security issue for your organization.
(from the use of password cracking tools to crack weak and
vulnerable passwords – proj lab 1)
·
Findings
Reflect any weaknesses found in the network and information
system diagrams previously created and the security issues the
following may cause:
· Some critical security practices, such as lack of diligence to
security controls and
· lack of management of changes to the information systems
infrastructure were cited as contributors to the massive data
breach in the OPM Office of the Inspector General's
(OIG) Final Audit Report, which can be found in open source
searches. (research and cite)
· weak authentication mechanisms;
· lack of a plan for life-cycle management of the information
systems;
· lack of a configuration management and change management
plan;
· lack of inventory of systems, servers, databases, and network
devices;
· lack of mature vulnerability scanning tools;
· lack of valid authorizations for many systems, and
· lack of plans of action to remedy the findings of previous
audits.(POAM)
· determine the role of firewalls and encryption, and auditing –
RDBMS that could assist in protecting information and

35. monitoring the confidentiality, integrity, and availability of the
information in the information systems.
· In the previously created Wireshark files,(see proj lab 3
attached) identify if any databases had been accessed. What are
the IP addresses associated with that activity?
· Provide analyses of the scans and any recommendation for
remediation, if needed.
· Identify any suspicious activity and formulate the steps in an
incidence response that could have been, or should be, enacted.
· Include the responsible parties that would provide that
incidence response and any follow-up activity. Include this in
the SAR. Please note that some scanning tools are designed to
be undetectable.
· While running the scan and observing network activity with
Wireshark, attempt to determine the detection of the scan in
progress. If you cannot identify the scan as it is occurring,
indicate this in your SAR.
Product I bought starts from here

36. INTRODUCTION
OPERATING SYSTEMS
This is an interface that sits between a user and hardware
resources. Basically it is a software that has among others the
following modules: File management modules, memory
management module, process management modules , input and
output and control module and peripheral device control
modules. This description applies to all operating systems.
ROLE OF USERS.
In order to appreciate the role of users it must be recognized
that an operating system provides users the services to execute
the programs in a convenient way .So the operating system
interacts by users when the users play the roles of asking the
operating system to do each of the following:
Role of direct program execution using threads and Parallel
programming routines.
Role of I/O operation request by writing to external devices and
reading from the same.
Role of File system manipulation by creating directories.
Role of requesting communication by stopping some running
processes or issuing interrupts and signals
Role of requesting program verification by getting error
detection and flagging of errors especially by parsers and
debuggers and compilers which are part of the operating
systems.
Role of protection especially by using locks for drives or
documents so that unauthorized personnel may not access the
the resources for malicious use.
Role of resource allocation where a programming uses system
calls to do some routines instead of programming his own and
these routines operate in critical regions to avoid deadlock and
starvation issues. Furthermore users get interactivity with
operating systems which is defined as the ability of users to
interact with a computer through each of the following:
Providing an interface to interact with the system. Secondly

37. managing input devices that takes from the user such as
keyboard and managing outputs to the user. Multitasking is also
another feature that allows users to interact with the system. In
Multitasking is enabled by threads and Symmetric
multiprocessing (SMP).The role of schedulers can’t be ignored
in multitasking and the Operating system Handles multitasking
in the way it can handle operations in a time slice.
KERNEL AND OPERATING SYSTEM APPLICATIONS
The kernel is the core of the operating system and executes such
privileged instructions over the management of the following
resources:
· Memory Management: Which algorithms avoids memory leak
and buffer overflow attacks and allow shadow paging and using
virtual pages and pointers efficiently?
· Processor Management: Which strategies when applied reduce
idle time and avoids starvation and deadlock over processor
time for competing resources?
· Device Management: Which techniques reduce disk access
times, disk seek times, disk write and disk read for internal
head disk drives and external storage. How do routines respond
to beeps, alarms, keypress,enter and other keyboard commands.
File Management: Which is the most efficient structures for file
system to minimize search times and also increase performance
even when in distributed environments?
Security regards and concerns: How can passwords and other
techniques be integrated to improve overall system vulnerability
to protect data, information and resources? .
Control towards the system performance: How do the OS
regulate delays between request for a service and response
from the requested entity.
Jobs and processes accounting: How do we know the times and
resources each user wanted so as to form models that can be
used for learning and estimating resources requirements.
Coordination among softwares as well as among users :How do
the communication take place between compilers .assemblers,

38. debuggers ,linkers, loaders and interpreters about which
component is using which resource and system users.
TYPES OF OPERATING SYSTEMS
· Batch operating system: There is lack of direct interaction
between the user and the computer so the user prepares his job
on punch cards and gives it to computer operator much like
calling customer care centre nowadays. To increase processing
batches of jobs are prepared meaning they have similar
processing cycle and runt at one time. It was the initial
generation of computing system.:
Time-sharing operating systems: This second generation OS
mostly in Unix/Linux allows many people located at various
terminals to use a particular computer at the same time.
Processor’s time is shared among multiple users simultaneously
so the use of the term timesharing is allowed. In such
distributed computing environments, Processors are connected
and they use message passing systems to communicate and
because of conditions such as global starvation and global
deadlocks, additional layer of software called middleware is
used and use of cohorts and elect ions algorithms justified.
A real-time system :
A real time system is defined as a data processing system in
which time intervals required to process and respond to in a
particular input is so small such that it controls the rest of the
environment. Theses systems are called real time because an
input is processed against the clock and response given within
restricted time. Systems such as temperature regulating systems
and air traffic control are real time as work goes as per the
clock.
VULNERABILITIES.
A vulnerability is a weaknesses in the design or operation of a
system that can be used by a threat or else a threat agent with
the consequences of causing undesirable impact especially in
the areas of computer information confidentiality ,data and
information integrity or service availability. This could also be

39. a phenomenon created by errors in configuration which makes
your current network or hosts on your computer network be
exposed to malicious attacks from either local or remote users.
Vulnerability attacks affect the following important subsystems
in a system:
Firewalls in a VLAN or WAN.See diagram for these in DMZ
diagram included .
Application servers in networked system architectures. See
diagram for these in DMZ diagram included.
Web servers in networked system architectures. See diagram for
these in DMZ diagram included.
Operating systems discussed in chapter one .
Fire suppression systems .In the diagram below which includes
the architecture I have discussed and investigated on .the
internet is supplied from ISP(Internet Service Provider)with the
icon of a cloud. This creates the WAN(Wide Area Network
)component mentioned previously .
The firewall separates the backend of the WAN architecture
from End and is the Orange Book –In-The-Shelf icon Depicting
library arrangement. Beneath the firewall is the switch
appearing as a box with slots for determining in which segment
of sub network a packet belongs to. Similar symbols will
indicate such switching and forwarding services.
The devices with the network addresses appended are the
routers for determining the shortest route a packet should be
placed on so as to reach destination. The DMZ is acronym for
demilitarized zone in a network.
The computers which individuals use are the bottom nodes of
the structures. This structure is a non-binary tree structure and
at each level we can identify the services being done like
securing connections and sessions as per TCP/IP protocols,
routing as per TCP/IP protocols, switching and forwarding as
per TCP/IP protocols and encapsulation as well as encoding and
decoding of packet data and packet formats as per TCP/IP
protocols.
Level I of the tree: Connections and connectionless services

40. integrated with Encoding and Encapsulation-Creating sessions
and connections by incorporated transaction monitors.
Level 2 of the tree: Routing services.-Use of routing algorithms
like OSPF.
Level 3 of the tree: Switching and forwarding services. Use of
address (MAC ) tables .
Level 4 of the tree: De-encapsulation and decoding services-
The presentation layer.
Physical layer and data link layer are covered in transport media
Cables in the diagram.
WINDOWS VULNERABILITY.
A threat is a force that is adversarial that directly can cause
harm to availability, integrity or confidentiality of a computer
information system including all the subsystems .A threat agent
is an element that provides delivery mechanisms for a threat
while an entity that initiates the launch of a threat is referred to
as a threat actor.
Threat actors are normally made more active through forces of
too much curiosity, or huge monetary gain without work or a
big political leverage or any form of social activism and lastly
by revenge. .
Windows vulnerabilities summarized:
Audit compromise: Reported in Windows 8, Internal procedures
were not followed in generating audited results so a compromise
was programmed at Bells Lab.
Logic bomb:Planted at the National institute for Carnegie
research on Windows 1998 and discovered by programmers, for
source see references
Communication failure: Occurred on a hacked distributed air
system for FAA (FEDERAL AVIATION AUTHORITIES) and
reported to Microsoft databases also happened with NASA, for
source see references.
Cyber brute force: Reported in windows 2000 in Stanford
Laboratories with brute force attack on encrypted message. This
is trying all possible combination of passwords, for source see

41. references.
Cyber disclosure: Reported in windows 8 in which Microsoft
databases reported complaints about Hacked Dept of State for
Immigration Services, for source see references.
INTRUSION METHODS IN WINDOWS:
Stealth port scans: This is an advanced technique in intrusion
when port scanning Can’t be detected by auditing tools.
Normally, by observing frequent attempts to connect, in which
no data is available , detecting intrusion is easy. In stealth port
scans, ports scan are done at a very low rate such that it is hard
for auditing tools to identify connections requests or malicious
attempt to intrude into computer systems. Occurred on a hacked
distributed Military control system for DOD and reported to
Microsoft databases also happened with NASA.
CGI attacks: Common gateway interface is an interface between
client side computing and server side computing. Cyber
criminals who are good programmers can break into computer
systems even without the usual login capabilities .They just
bypass this. : Reported in windows XP in which Microsoft
databases reported complaints about Hacked Department of
NSA for Security Services.
SMB probes: A server message block works as an application
layer protocol that functions by providing permissions to files,
ports, processes and so on. A probe into SMB can check for
shared entities that are available on the systems. If a
cybercriminal uses an SMB Probe ,he can detect which files or
ports are shared on the system. Cyber brute force: Reported in
windows 10 in Carnegie Research laboratories with brute force
attack on encrypted message. This is trying all possible
combination of passwords.
LINUX VULNERABILITY ATTACKS
A threat actor might purposefully launch a threat using an agent
.A threat actor could be for instance be a trusted employee who

42. commits an unintentional human error like a Trusted employee
who clicks on an email designed to be a phishing email then the
email downloads a malware.
Scavenging: Reported in Variant of UNIX in which company
databases reported complaints about Oracle security files, for
source see references.
Software Tampering: Reported in Ubuntu .Internal command
controls overtasked to work differently in a Publishing firm in
UK, for source see references.
Theft: Planned at the National institute for Carnegie research
and hard disks stolen by programmers, for source see references
Time and state: Occurred on a hacked distributed medical
dosage injection system in Maldives a race condition occurred,
for source see references
Transportation accidents: Reported in KALI Linux in MIT
when some computers in transportation were damaged for
source see references.
LINUX INTRUSION DETECTION:
OS fingerprinting attempts:In OS finger printing, the OS
details of a target computer are looked after and the attacker
goes for the same. Information looked after includes the vendor
name,underlying OS,OS generation device type and such.
Occurred on a hacked distributed Airport clearance system in
Panama , for source see references.
Buffer overflows: In buffer overflow attacks, the inputs
provided to a program overruns the buffer’s capacity and spills
over to overwrite data stored at neighbouring memory locations.
Reported in Ubuntu .Program routines overflowed buffer
memory by design in a Cargo clearance firm in France, for
source see references.
Covert port scans: This is an advanced technique in intrusion
when port scanning Can’t be detected by auditing tools.
Normally, by observing frequent attempts to connect, in which
no data is available, detecting intrusion is easy. In stealth port
scans, ports scan are done at a very low rate such that it is hard
for auditing tools to identify connections requests or malicious

43. attempt to intrude into computer systems. Occurred on a hacked
distributed Guests control system for US Embassy in Russia,
for source see references.
CGI attacks: Common gateway interface is an interface between
client side computing and server side computing. Cyber
criminals who are good programmers can break into computer
systems even without the usual login capabilities .They just
bypass this. : Reported in Variant of Ubuntu in which
databases reported complaints about Hacked Credit cards
systems for Payment Services, for source see references.
MAC VULNERABILITY ATTACKS
Equipment failure: Reported in MAC OS in which MAC ‘S
databases reported complaints about IPhone malfunctioning , for
source see references.
Hardware Tampering: Reported in MAC Tablets .Internal
design procedures were not followed in manufacturing the apple
devices, for source see references.
Malicious Softwares: Discovered at the Payroll system using
MAC system by programmers in department of labour, for
source see references
Phishing attacks: Occurred on a hacked distributed National
Data Services system and reported to company .Done by rogue
employees.
Resource exhaustion: Reported in apple IPHONE 7 in which
databases reported complaints about Hacked Dept of Taxation
Services, for source see references.
MOBILE DEVICES VULNERABILITY ATTACKS
Date Entry Error: Reported in windows 7 devices in which
Microsoft mobile databases reported complaints about illegal
login for Department of social welfare, for source see
references.
Denial of Service: Reported in Windows 8 phones .Internal
routines overloaded in MIT’S MOBILE Lab, for source see
references.

44. Earthquake: Hurricanes and earthquakes in China and Japan
destroy tablets at home and in office, for source see references.
Espionage: Occurred on a hacked facial recognition system for
FBI and reported to Android databases , for source see
references.
Floods: Reported in parts of South America and Central Asia
flooding homes and destroying mobile devices .Control
Analysis
The objective of risks control analysis is to assess the status of
the management ‘s operational ,managerial and technical
capabilities in the security system which may be either
preventive or detective in nature. Assessment of this form is
required in order to assess the likelihood that the identified
vulnerabilities could be exploited and the impact that such
exploitation could have on the organization security strength.
The impact of a threat event could be described in terms of
mission impact that occur because of loss of data or compromise
.Mission impact could be degraded if data integrity, data
availability and data confidentiality are compromised.Risk
Level Determination
The guidelines in NIST SP 800-30 stipulate the risk ratings as a
mathematical function of the likelihood and of impact. These
values are calculated in the table drawn below using probability
scale as decimal values.
RISK MITIGATION.
When the risks have all been identified and risk levels
determined, recommendations or countermeasures are drawn to
mitigate or eliminate the risks .The goal is to reduce the risk to
an acceptable level as considered by management just before
system accreditation can be granted. The countermeasures draw
their arguments from the following authoritative sources.
The effectiveness of the recommended options like system
compatibility.
Legislation and regulations in place
The strength of organization policy

45. Overall Operational impact
Safety and reliability of the system in consideration.
A sample table to be filled for the mitigation plan is outlined
below.
ACCEPTABLE RISKS.
According to the observations listed in the discussion section of
this research paper,11 vulnerabilities were regarded as having
low risk ratings,15 as having moderate risk rating and 7 as
having a high risk rating .This observations leads us to comment
that the overall level of risk for the organization is Moderate.
Among the 33 total number of vulnerabilities identified, 49 %
are considered unacceptable because serious harm could result
with the consequence of affecting the operations of the
organization. Therefore immediate mandatory countermeasures
needs to be implemented so as to mitigate the risk brought about
by these threats and resources should be made available so as to
reduce the risk level to acceptable level.
Of the identified vulnerabilities 51% are considered acceptable
to the system because only minor problems may result from
these risks and recommended countermeasures have also been
provided to be implemented so as to reduce or eliminate risks.
PURPOSE
The purpose of this security assessment report is to evaluate
the adequacy of the Amazon corporation’s security. This
security assessment report provides a structured but
qualitative assessment of the operational environment for
Amazon corporation’s . It addresses issues of
svulnerabilities, threats analysis , Firewalls aqnd encryption ,
risks remediation and safeguards applied in Amazon
corporation’s . The report and the assessment recommends use
of cost-effective safeguards in order to mitigate threats as well
as the associated exploitable vulnerabilities in Amazon
corporation’s.
ORGANISATION

46. The Amazon corporation’s system environment is run as a
distributed client and server environment consisting of a
Microsoft Structured Query Language -SQL database built with
Powerful programming code. The Amazon corporation
contains SQL data files, Python application code, and
executable Java and Javascripts. The SQL production data
files, documented as consisting of SQL stored procedures and
SQL tables, reside on a CLOUD storage area network attached
to a HP server running on Windows XP and MS SQL 2000
operating systems. The Python application code resides on a
different IBM server running on KALI LINUX . Both servers
are housed in the main office Building 233 Data Center at the
CDC Clifton Road campus in Atlanta, GA.
The The Amazon corporation’s executables reside on a
fileserver running Windows 2000 and KALI LINUX or
occasaionally a local workstation iis installed depending upon
the loads and jobs Requirements..
SCOPE
The scope of this project includes the carrying out of the nine
steps outlined in the project namely.
· Conducting independent research on organization structure
and identifying the boundaries that seperate the inner network
from outside network in Amazon Corporation.
· Describing threats to the Amazon Corporation whose
background is detailed above.
· A review of the information on TCP/IP especially identifying
security in communications and data transport in Amazon
Corporation.
· An analysis of the strength of passwords used in by
employees in Amazon corporation
· Determining the role of firewalls and encryption as well as
auditing that affects integrity, confidentiality and availability
in Amazon Corporation.
· Determining the various threats known to the Amazon’s
network architecture and IT assets.

47. · Providing an analysis of the scans and the recommendations
for remediation if needed in Amazon as well as designing and
formulating steps in an incidence response that should be in
place in Amazon Corporation.
METHODOLOGY
In order to successfully carry out the security assessment, I
used the resources provided in for CLAB 699 Cyber Computing
Lab workspace which is a collection of automated Security scan
tools and network analyzers. The use of automated methodology
proved efficient for the project since dialog boxes communicate
with the experimenter and navigation tools aid in browsing
various categories of services that can be automated.
These tools run various scans are designed to scan and report on
the appropriateness of the following security concerns
especially in Amazon. Security of Software and hardware
components, Security of firmware components, Security of
governance policies and and effectiveness and implementation
of security c Security of firmware components controls. The
automated monitoring and the automated assessment of the
computer infrastructure and its components, its policies, and its
processes should also account for changes made to security
system.
In using the automated tools in CLAB 699 Cyber Computing
Lab the following security vulnerabilities were looked for using
each of the MBSA tools, OpenVMS tools , Nmap tools , or
NESSUS tools in CLAB 699 Cyber Computing Lab.
SECURITY AREAS LEADING TO DISCOVERY OF
VULNERABILITIES BEING ADDRESSED WHILE
SCANNING WINDOWS USING MBSA AND LINUX USING
OpenVMS.
Whether the Amazon ever been compromised internally or
externally as in CLAB 699 Cyber Computing Lab screenshots 3
Listing of all IP address blocks and domain names registered to

48. Amazon as in CLAB 699 Cyber Computing Lab screen shots 3
Whether the Amazon uses a local firewall, a local intrusion
detection system and a local intrusion prevention system as in
CLAB 699 Cyber Computing Lab screen shots 2 and 3.
Whether Amazon uses a host based or network based IDS or a
combination of both as in in CLAB 699 Cyber Computing Lab
screen shots 2.
Whether the Amazon uses DMZ networks and whether it uses
remote access services and what type as in CLAB 699 Cyber
Computing Lab screen shots 3.
Whether Amazon uses site to site virtual private network
tunnels and modems for connections.
What antivirus application do you use and is it standalone or
managed client server architecture as in CLAB 699 Cyber
Computing Lab screen shots 2.
SECURITY AREAS LEADING TO DISCOVERY OF
VULNERABILITIES BEING ADDRESSED WHILE
SCANNING NETWORK USING WIRESHARK.
What services does Amazon expose to the internet like web
database FTP, SSH?
What type of authentication do you use for web services e.g.
pubcookies, windows integrated or http access.
DATA
The following are the results generated using wire shark as in
CLAB 699 Cyber Computing Lab .The above vulnerabilities are
investigated
And any suspicious activity in the network flagged accordingly
as highlighted in the screen shots 3.
The vulnerabilities being investigated in this project include the
following, remotely exploitable vulnerabilities; patch level
vulnerabilities; unnecessary services; weakness of encryption
and weakness of authentication.
The following are the results generated using wire shark as in
CLAB 699 Cyber Computing Lab .The above vulnerabilities are
investigated

49. From the screen shots obtained from screen shots 3 it enables
the analyst to answer the question of whether patching is up to
date; whether unnecessary services are running and whether
antivirus and malware are up to date.
A look at the data in Amazon clearly indicates that the
vulnerabilities include but not limited to the following
:Remotely exploitable vulnerabilities; patch level
vulnerabilities; unnecessary services; weakness of encryption
and weakness of authentication ;access right vulnerabilities and
vulnerabilities from failing to use best practices.
Consequently the following kind of threat was identified as
likely to have been carried in Amazon corporation’s network
infrastructure :
IP address spoofing/cache poisoning attacks related to patch
level vulnerabilities
Denial of service attacks (DoS) related to remotely exploitable
vulnerabilities
Packet analysis/sniffing related to vulnerabilities from
failing to use best practices.
Session hijacking attacks related to weakness of authentication
Distributed denial of service attacks related to weakness of
encryption
In using RDBMS Amazon corporation has had instances of
SQL Injection affecting database transactions mechanisms in
RDBMS.
· Cross Site Scripting affecting database transactions
mechanisms in RDBMS.
· Cross Site Request Forgery affecting access control
mechanisms in RDBMS.
· Improper data sanitization affecting access control
mechanisms in RDBMS
· Buffer overflows attacks affecting firewall log file
mechanisms.
RESULTS
When the results of the Amazons’ security assessment report
were provided to the Remediation committee, the committee’s

50. initial activity was to review and prioritize each weakness
identified for Amazon Corporation. The committee then
identified and disclosed vulnerabilities which did apply to
Amazon corporation as it is configured and hosted by the
CISCO Infrastructure. The justification for disclosing these
findings is documented in the system’s remediation spreadsheet.
With the support of the System stakeholders in Amazon, the
database and system administrators in Amazon, and application
support staff in Amazon, a Corrective Action Plan was
developed to identify findings that could otherwise be corrected
immediately and then to schedule the remaining findings with
an appropriate Plan of Action and Milestones
(POA&M)designed for Amazon corporation. There are three
stages of remediation.
Stage 1: Comprehensive analysis of the reported weaknesses
Stage 2: Generation of a comprehensive corrective Action Plan
to address each weakness
Stage 3: Disclosure of findings and creation of (POA&M) for
remaining items of risk
High risk findings were identified for immediate correction.
Immediate correction of moderate risk findings is preferred by
stakeholders, but near term scheduling was accepted for funding
or complex implementation issues. Because of the minimal
impact of Low vulnerabilities, the remediation team prioritized
each of these vulnerabilities in coordination with the
appropriate stakeholders and identified and scheduled
remediation activities as part of routine system maintenance.
For those findings in this Amazon report that required a more
complex corrective action, the stakeholders, and System
Administrators collaborated in the development of a CAP and
POA&M.
The Amazon system’s RAR and SSP were updated to reflect the
weaknesses that were remediated prior to the presentation of the
final Certification and Accreditation package to the
Accrediting authority. The remediation team continues to track
and report on the status of correction activities for the POA&M

51. items on a periodic basis after the presentation of the final C&A
package to the AO.
FINDINGS
The following is an action plan adopted by Amazon Corporation
.This is because non conforming Controls were identified during
the project in Amazon. AS technology continues to change the
specific non conforming controls in Amazon requires to be
reevaluated as detailed below in the conclusions section of this
report.
False positives must be identified within the SAR along with
the supporting clean scan report that does not have to be
identified in the (POA AND M).
Each item on the proposed POA &M should have a unique
identifier matched with a finding in SAR.
All high and critical risk findings must be remediated prior to
receiving a provisional authorization.
Moderate findings shall have a mitigation date within 90 days
of provisional authorization date
CONCLUSIONS AND RECOMEDATIONS
This Risk Assessment report for the organization identifies risks
of the operations especially in those domains which fails to
meet the minimum requirements and for which appropriate
countermeasures have yet to be implemented. The RAR also
determines the Probability of occurrence and issues
countermeasures aimed at mitigating the identified risks in an
endeavor to provide an appropriate level-of-protection and to
satisfy all the minimum requirements imposed on the
organization’s policy document.
The system security policy requirements are satisfied now with
the exception of those specific areas identified in this report.
The countermeasure recommended in this report adds to the

52. additional security controls needed to meet policies and to
effectively manage the security risk to the organization and its
operating environment. Finally, the Certification Official and
the Authorizing Officials must determine whether the totality of
the protection mechanisms approximate a sufficient level of
security, and/or are adequate for the protection of this system
and its resources and information. The Risk Assessment Results
supplies critical information and should be carefully reviewed
by the AO prior to making a final accreditation decision.
.
References
National Institute of Standards and Technology (NIST) (2014).
Assessing security and privacy
controls in federal information systems and organizations.
NIST Special Publication 800-53A Revision 4. Retrieved from
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8
00-53Ar4.pdf
National Institute of Standards and Technology (NIST) (2010).
Guide for applying the risk
management framework to federal information systems. NIST
Special Publication 800-37 Revision 1. Retrieved from
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-
rev1-final.pdf

53. .
Vetting the Security of Mobile Applications by Steve
Quirolgico, Jeffrey Voas, Tom Karygiannis,
Christoph Michael, and Karen Scarfone comprises public
domain material from the National Institute of
Standards and Technology, U.S. Department of Commerce.
Vetting the Security of
Mobile Applications
Steve Quirolgico
Jeffrey Voas
Tom Karygiannis
Christoph Michael
Karen Scarfone
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-163
C O M P U T E R S E C U R I T Y

54. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8
00-163.pdf
Vetting the Security of Mobile Applications by Steve
Quirolgico, Jeffrey Voas, Tom Karygiannis,
Christoph Michael, and Karen Scarfone comprises public
domain material from the National Institute of
Standards and Technology, U.S. Department of Commerce.
Vetting the Security of
Mobile Applications
Steve Quirolgico, Jeffrey Voas, Tom Karygiannis
Computer Security Division
Information Technology Laboratory

55. Christoph Michael
Leidos
Reston, VA
Karen Scarfone
Scarfone Cybersecurity
Clifton, VA
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-163
January 2015

56. U.S. Department of Commerce
Penny Pritzker, Secretary
National Institute of Standards and Technology
Willie May, Acting Under Secretary of Commerce for Standards
and Technology and Acting Director
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8
00-163.pdf
Authority
This publication has been developed by NIST in accordance
with its statutory responsibilities under the
Federal Information Security Management Act of 2002
(FISMA), 44 U.S.C. § 3541 et seq., Public Law
107-347. NIST is responsible for developing information
security standards and guidelines, including
minimum requirements for federal information systems, but
such standards and guidelines shall not apply
to national security systems without the express approval of
appropriate federal officials exercising policy
authority over such systems. This guideline is consistent
with the requirements of the Office of
Management and Budget (OMB) Circular A-130, Section 8b(3),
Securing Agency Information Systems, as
analyzed in Circular A-130, Appendix IV: Analysis of Key
Sections. Supplemental information is

57. provided in Circular A-130, Appendix III, Security of Federal
Automated Information Resources.
Nothing in this publication should be taken to contradict the
standards and guidelines made mandatory
and binding on federal agencies by the Secretary of Commerce
under statutory authority. Nor should
these guidelines be interpreted as altering or superseding the
existing authorities of the Secretary of
Commerce, Director of the OMB, or any other federal official.
This publication may be used by
nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States.
Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special
Publication 800-163
Natl. Inst. Stand. Technol. Spec. Publ. 800-163, 44 pages
(January 2015)
CODEN: NSPUE2
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-163
Certain commercial entities, equipment, or materials may be
identified in this document in order to describe an
experimental procedure or concept adequately. Such
identification is not intended to imply recommendation or
endorsement by NIST, nor is it intended to imply that the

58. entities, materials, or equipment are necessarily the best
available for the purpose.
There may be references in this publication to other
publications currently under development by NIST in
accordance with its assigned statutory responsibilities. The
information in this publication, including concepts and
methodologies, may be used by federal agencies even before the
completion of such companion publications. Thus,
until each publication is completed, current requirements,
guidelines, and procedures, where they exist, remain
operative. For planning and transition purposes, federal
agencies may wish to closely follow the development of
these new publications by NIST.
Organizations are encouraged to review all draft publications
during public comment periods and provide feedback
to NIST. All NIST Computer Security Division publications,
other than the ones noted above, are available at
http://csrc.nist.gov/publications.
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology
Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-
8930
[email protected]
ii

59. Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National
Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by
providing technical leadership for the Nation’s
measurement and standards infrastructure. ITL develops tests,
test methods, reference data, proof of
concept implementations, and technical analyses to advance the
development and productive use of
information technology. ITL’s responsibilities include the
development of management, administrative,
technical, and physical standards and guidelines for the cost-
effective security and privacy of other than
national security-related information in federal information
systems. The Special Publication 800-series
reports on ITL’s research, guidelines, and outreach efforts in
information system security, and its
collaborative activities with industry, government, and
academic organizations.
Abstract
The purpose of this document is to help organizations (1)
understand the process for vetting the security
of mobile applications, (2) plan for the implementation of an
app vetting process, (3) develop app security
requirements, (4) understand the types of app vulnerabilities
and the testing methods used to detect those
vulnerabilities, and (5) determine if an app is acceptable for
deployment on the organization's mobile
devices.

60. Keywords
app vetting; apps; malware; mobile devices; security
requirements; security vetting; smartphones;
software assurance; software security; software testing;
software vetting
Acknowledgments
Special thanks to the National Security Agency’s Center for
Assured Software for providing Appendices
B and C which describe Android and iOS app vulnerabilities.
Also, thanks to all the organizations and
individuals who made contributions to the publication including
Robert Martin of The MITRE
Corporation, Paul Black and Irena Bojanova of NIST, the
Department of Homeland Security (DHS), and
the Department of Justice (DOJ). Finally, special thanks to the
Defense Advanced Research Projects
Agency (DARPA) Transformative Applications (TransApps)
program for funding NIST research in
mobile app security vetting.
Trademarks
All registered trademarks belong to their respective
organizations.
3

61. Table of Contents
1 Introduction
...............................................................................................
....................... 1
1.1 Traditional vs. Mobile Application Security Issues
.....................................................1
1.2 App Vetting Basics
...............................................................................................
.....2
1.3 Purpose and Scope
...............................................................................................
....3
1.4 Audience
...............................................................................................
....................3
1.5 Document Structure
...............................................................................................
...4
2 App Vetting Process
...............................................................................................

62. ......... 5
2.1 App Testing
...............................................................................................
................5
2.2 App Approval/Rejection
.............................................................................................5
2.3 Planning
...............................................................................................
.....................6
2.3.1 Developing Security Requirements
............................................................... 6
2.3.2 Understanding Vetting Limitations
................................................................. 9
2.3.3 Budget and
Staffing...................................................................................
...10
3 App Testing
...............................................................................................
......................11
3.1 General Requirements

63. ............................................................................................1
1
3.1.1 Enabling Authorized Functionality
................................................................12
3.1.2 Preventing Unauthorized Functionality
.........................................................12
3.1.3 Limiting Permissions
....................................................................................13
3.1.4 Protecting Sensitive Data
.............................................................................14
3.1.5 Securing App Code Dependencies
..............................................................15
3.1.6 Testing App
Updates...................................................................................
.16
3.2 Testing Approaches
...............................................................................................
.16
3.2.1 Correctness Testing
.....................................................................................16

64. 3.2.2 Source Code Versus Binary
Code................................................................17
3.2.3 Static Versus Dynamic Analysis
...................................................................17
3.2.4 Automated Tools
............................................................................... ...........18
4
3.3 Sharing Results
...............................................................................................
........20
4 App Approval/Rejection
............................................................................. ..................
...21
4.1 Report and Risk Auditing
.........................................................................................21
4.2 Organization-Specific Vetting Criteria
......................................................................22

65. 4.3 Final
Approval/Rejection..................................................................
........................23
Appendix A—
Recommendations....................................................................
......................24
A.1 Planning
...............................................................................................
...................24
A.2 App Testing
...............................................................................................
..............24
A.3 App Approval/Rejection
...........................................................................................25
Appendix B— Android App Vulnerability
Types...................................................................26
Appendix C— iOS App Vulnerability Types
..........................................................................29
Appendix D— Glossary
...............................................................................................
...........32

66. Appendix E— Acronyms and
Abbreviations.........................................................................
33
Appendix F—
References..............................................................................
.........................34
List of Figures and Tables
Figure 1. An app vetting process and its related actors.
...................................................... 6
Figure 2. Organizational app security requirements.
............................................................ 8
Table 1. Android Vulnerabilities, A Level
..............................................................................26
Table 2. Android Vulnerabilities by
Level..............................................................................27
Table 3. iOS Vulnerability Descriptions, A Level

67. ..................................................................29
Table 4. iOS Vulnerabilities by Level
.....................................................................................30
5
Executive Summary
Recently, organizations have begun to deploy mobile
applications (or apps) to facilitate their business
processes. Such apps have increased productivity by providing
an unprecedented level of connectivity
between employees, vendors, and customers, real-time
information sharing, unrestricted mobility, and
improved functionality. Despite the benefits of mobile apps,
however, the use of apps can potentially lead
to serious security issues. This is so because, like traditional
enterprise applications, apps may contain
software vulnerabilities that are susceptible to attack. Such
vulnerabilities may be exploited by an attacker
to gain unauthorized access to an organization’s information
technology resources or the user’s personal
data.
To help mitigate the risks associated with app vulnerabilities,
organizations should develop security
requirements that specify, for example, how data used by an app
should be secured, the environment in
which an app will be deployed, and the acceptable level of risk

68. for an app. To help ensure that an app
conforms to such requirements, a process for evaluating the
security of apps should be performed. We
refer to this process as an app vetting process. An app vetting
process is a sequence of activities that aims
to determine if an app conforms to an organization’s security
requirements. An app vetting process
comprises two main activities: app testing and app
approval/rejection. The app testing activity involves
the testing of an app for software vulnerabilities by services,
tools, and humans to derive vulnerability
reports and risk assessments. The app approval/rejection
activity involves the evaluation of these reports
and risk assessments, along with additional criteria, to
determine the app's conformance with
organizational security requirements and ultimately, the
approval or rejection of the app for deployment
on the organization's mobile devices.
Before using an app vetting process, an organization must first
plan for its implementation. To facilitate
the planning of an app vetting process implementation, this
document:
-sensitive requirements that
make up an organization's app security
requirements.
es a questionnaire for identifying the security needs
and expectations of an organization that
are necessary to develop the organization's app security
requirements.

69. With respect to the app testing activity of an app vetting
process, this document describes:
files during testing.
unauthorized functionality, protecting
sensitive data, and securing app code dependencies.
code vs. binary code, static vs. dynamic
analysis, and automated tools for testing apps.
of test
results.
With respect to the app approval/rejection activity of an app
vetting process, this document describes:
-specific vetting criteria that may be used to help
determine an app's conformance to
context-sensitive security requirements.
6
NIST SP 800-163 Vetting the Security of Mobile Applications

70. 1 Introduction
When deploying a new technology, an organization should be
aware of the potential security impact it
may have on the organization’s IT resources, data, and users.
While new technologies may offer the
promise of productivity gains and new capabilities, they may
also present new risks. Thus, it is important
for an organization’s IT professionals and users to be fully
aware of these risks and either develop plans
to mitigate them or accept their consequences.
Recently, there has been a paradigm shift where organizations
have begun to deploy new mobile
technologies to facilitate their business processes. Such
technologies have increased productivity by
providing (1) an unprecedented level of connectivity between
employees, vendors, and customers; (2)
real-time information sharing; (3) unrestricted mobility; and (4)
improved functionality. These mobile
technologies comprise mobile devices (e.g., smartphones and
tablets) and related mobile applications (or
apps) that provide mission-specific capabilities needed by users
to perform their duties within the
organization (e.g., sales, distribution, and marketing). Despite
the benefits of mobile apps, however, the
use of apps can potentially lead to serious security risks. This is
so because, like traditional enterprise
applications, apps may contain software vulnerabilities that are
susceptible to attack. Such vulnerabilities
may be exploited by an attacker to steal information or control a
user's device.

71. To help mitigate the risks associated with software
vulnerabilities, organizations should employ software
assurance processes. Software assurance refers to “the level of
confidence that software is free from
vulnerabilities, either intentionally designed into the software
or accidentally inserted at any time during
its life cycle, and that the software functions in the intended
manner” [1]. The software assurance process
includes “the planned and systematic set of activities that
ensures that software processes and products
conform to requirements, standards, and procedures” [2]. A
number of government and industry legacy
software assurance standards exist that are primarily directed at
the process for developing applications
that require a high level of assurance (e.g., space flight,
automotive systems, and critical defense
systems).1 Although considerable progress has been made in the
past decades in the area of software
assurance, and research and development efforts have resulted
in a growing market of software assurance
tools and services, the state of practice for many today still
includes manual activities that are time-
consuming, costly, and difficult to quantify and make
repeatable. The advent of mobile computing adds
new challenges because it does not necessarily support
traditional software assurance techniques.
1.1 Traditional vs. Mobile Application Security Issues
The economic model of the rapidly evolving app marketplace
challenges the traditional software
development process. App developers are attracted by the
opportunities to reach a market of millions of

72. users very quickly. However, such developers may have little
experience building quality software that is
secure and do not have the budgetary resources or motivation to
conduct extensive testing. Rather than
performing comprehensive software tests on their code
before making it available to the public,
developers often release apps that contain functionality flaws
and/or security-relevant weaknesses. That
can leave an app, the user’s device, and the user’s network
vulnerable to exploitation by attackers.
Developers and users of these apps often tolerate buggy,
unreliable, and insecure code in exchange for the
low cost. In addition, app developers typically update their apps
much more frequently than traditional
applications.
1 Examples of these software assurance standards include DO-
178B, Software Considerations in Airborne Systems and
Equipment Certification [3], IEC 61508 Functional Safety of
Electrical/Electronic/Programmable Electronic Safety-related
System [4], and ISO 26262 Road vehicles -- Functional safety
[5].
1
NIST SP 800-163 Vetting the Security of Mobile Applications
Organizations that once spent considerable resources to
develop in-house applications are taking
advantage of inexpensive third-party apps and web services to
improve their organization’s productivity.
Increasingly, business processes are conducted on mobile

73. devices. This contrasts with the traditional
information infrastructure where the average employee uses
only a handful of applications and web-based
enterprise databases. Mobile devices provide access to
potentially millions of apps for a user to choose
from. This trend challenges the traditional mechanisms of
enterprise IT security software where software
exists within a tightly controlled environment and is uniform
throughout the organization.
Another major difference between apps and enterprise
applications is that unlike a desktop computing
system, far more precise and continuous device location
information, physical sensor data, personal health
metrics, and pictures and audio about a user can be exposed
through apps. Apps can sense and store
information including user personally identifiable information
(PII). Although many apps are advertised
as being free to consumers, the hidden cost of these apps may
be selling the user’s profile to marketing
companies or online advertising agencies.
There are also differences between the network capabilities of
traditional computers that enterprise
applications run on and mobile devices that apps run on. Unlike
traditional computers that connect to the
network via Ethernet, mobile devices have access to a
wide variety of network services including
Wireless Fidelity (Wi-Fi), 2G/3G, and 4G/Long Term Evolution
(LTE). This is in addition to short-range
data connectivity provided by services such as Bluetooth and
Near Field Communications (NFC). All of
these mechanisms of data transmission are typically available to
apps that run on a mobile device and can

74. be vectors for remote exploits. Further, mobile devices are not
physically protected to the same extent as
desktop or laptop computers and can therefore allow an attacker
to more easily (physically) acquire a lost
or stolen device.
1.2 App Vetting Basics
To provide software assurance for apps, organizations should
develop security requirements that specify,
for example, how data used by an app should be secured, the
environment in which an app will be
deployed, and the acceptable level of risk for an app (see [6] for
more information). To help ensure that
an app conforms to such requirements, a process for evaluating
the security of apps should be performed.
We refer to this process as an app vetting process. An app
vetting process is a sequence of activities that
aims to determine if an app conforms to the organization’s
security requirements.2 This process is
performed on an app after the app has been developed and
released for distribution but prior to its
deployment on an organization's mobile device. Thus, an app
vetting process is distinguished from
software assurance processes that may occur during the software
development life cycle of an app. Note
that an app vetting process typically involves analysis of an
app’s compiled, binary representation but can
also involve analysis of the app’s source code if it is available.
The software distribution model that has arisen with mobile
computing presents a number of software
assurance challenges, but it also creates opportunities. An app

75. vetting process acknowledges the concept
that someone other than the software vendor is entitled to
evaluate the software’s behavior, allowing
organizations to evaluate software in the context of their own
security policies, planned use, and risk
tolerance. However, distancing a developer from an
organization’s app vetting process can also make
those activities less effective with respect to improving the
secure behavior of the app.
2 The app vetting process can also be used to assess other app
issues including reliability, performance, and accessibility but
is
primarily intended to assess security-related issues.
2
NIST SP 800-163 Vetting the Security of Mobile Applications
App stores may perform app vetting processes to verify
compliance with their own requirements.
However, because each app store has its own unique, and not
always transparent, requirements and
vetting processes, it is necessary to consult current agreements
and documentation for a particular app
store to assess its practices. Organizations should not assume
that an app has been fully vetted and
conforms to their security requirements simply because it is
available through an official app store. Third-
party assessments that carry a moniker of “approved by” or
“certified by” without providing details of
which tests are performed, what the findings were, or how apps

76. are scored or rated, do not provide a
reliable indication of software assurance. These assessments
are also unlikely to take organization-
specific requirements and recommendations into account, such
as federal-specific cryptography
requirements.
Although a “one size fits all” approach to app vetting is not
plausible, the basic findings from one app
vetting effort may be reusable by others. Leveraging another
organization’s findings for an app should be
contemplated to avoid duplicating work and wasting scarce app
vetting resources. With appropriate
standards for scoping, managing, licensing, and recording the
findings from software assurance activities
in consistent ways, app vetting results can be looked at
collectively, and common problems and solutions
may be applicable across the industry or with similar
organizations.
An app vetting process should be included as part of the
organization's overall security strategy. If the
organization has a formal process for establishing and
documenting security requirements, an app vetting
process should be able to import those requirements created by
the process. Bug and incident reports
created by the organization could also be imported by an app
vetting process, as could public advisories
concerning vulnerabilities in commercial and open source apps
and libraries, and conversely, results from
app vetting processes may get stored in the organization’s bug
tracking system.

77. 1.3 Purpose and Scope
The purpose of this document is to help organizations (1)
understand the app vetting process, (2) plan for
the implementation of an app vetting process, (3) develop app
security requirements, (4) understand the
types of app vulnerabilities and the testing methods used to
detect those vulnerabilities, and (5) determine
if an app is acceptable for deployment on the organization's
mobile devices. Ultimately, the acceptance of
an app depends on the organization’s security requirements
which, in turn, depend on the environment in
which the app is deployed, the context in which it will be used,
and the underlying mobile technologies
used to run the app. This document highlights those elements
that are particularly important to be
considered before apps are approved as “fit-for-use.”
Note that this document does not address the security of the
underlying mobile platform and operating
system, which are addressed in other publications [6, 7, 8].
While these are important characteristics for
organizations to understand and consider in selecting mobile
devices, this document is focused on how to
vet apps after the choice of platform has been made. Similarly,
discussion surrounding the security of web
services used to support back-end processing for apps is out of
scope for this document.
1.4 Audience
This document is intended for organizations that plan to

78. implement an app vetting process or leverage
existing app vetting results from other organizations. It is also
intended for developers that are interested
in understanding the types of software vulnerabilities that may
arise in their apps during the app’s
software development life cycle.
3
NIST SP 800-163 Vetting the Security of Mobile Applications
1.5 Document Structure
The remainder of this document is organized into the following
sections and appendices:
including recommendations for planning the
implementation of an app vetting process.
process. Organizations interested in
leveraging only existing security reports and risk assessments
from other organizations can skip this
section.
app vetting process.

79. app testing and app approval/rejection
activities of an app vetting process as well as the planning of an
app vetting process implementation.
-specific
vulnerabilities for apps running on the
Android and iOS operating systems, respectively.
efines selected terms used in this document.
in this document.
4
NIST SP 800-163 Vetting the Security of Mobile Applications
2 App Vetting Process
An app vetting process comprises a sequence of two main
activities: app testing and app
approval/rejection. In this section, we provide an overview of
these two activities as well as provide