Searching For Exposed Passwords

The document that would contain verbiage describing what type of test is authorized and any limitations would be the penetration testing agreement or statement of work. This legal document outlines the scope and rules of engagement for the assessment.

DATA SECURITY

“CEH Chapter 1 – 1-1 Searching for Exposed Passwords and
1-2 Examining Security Policies”

BY:
NAME: RETNO BUDI PALUPI
NIM (student ID): 170411100103
CLASS: A

INFORMATICS ENGINEERING
UNIVERSITAS TRUNOJOYO MADURA
2020
A. 1-1 Searching for Exposed Passwords

Step 1. Go to the Have I Been Pwned website located at https://haveibeenpwned.com/.
Step 2. Enter your email address and check to see if any of your email accounts have been compromised.
Step 3. Were any of your accounts compromised? If so, how many?
Step 4. Verify that any passwords used at compromised sites are not being used at any other locations. If those passwords are in use elsewhere, you have left an easy way for a script kiddie to access your account.
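The website check above is done by hand in the lab. The same breach corpus can be queried programmatically with Have I Been Pwned's Pwned Passwords "range" API, which uses a k-anonymity model: the client hashes the password with SHA-1 and sends only the first five hex characters, then matches the remaining 35 characters locally against the list of suffixes the service returns, so the full hash never leaves the machine. The block below is an added example, not code from the lab or from Have I Been Pwned; it assumes the public endpoint https://api.pwnedpasswords.com/range/ for the live path, and the SAMPLE_RANGE_BODY and SAMPLE_CREDENTIALS values are constructed test data (only the suffix for the string "password" is a real SHA-1 remainder; the counts are made up) so the example also runs offline. The reuse_groups function covers Step 4: it reports which sites share one password.

```python
"""Offline-testable check of a password against the HIBP Pwned Passwords corpus.

Added example (not part of the lab report). Assumptions: the HIBP "range" API
(GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>) is reachable
when fetch_range_live is used; SAMPLE_RANGE_BODY and SAMPLE_CREDENTIALS are
constructed test data, not real API output.
"""
import hashlib
from typing import Callable, Dict, List, Tuple
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form the HIBP corpus uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-char prefix is ever sent over the network."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.strip().upper()] = int(count.strip())
        except ValueError:
            continue  # tolerate an unexpected line rather than failing the whole check
    return counts


def fetch_range_live(prefix: str) -> str:
    """Network fetch of one hash range (used only when no other fetcher is supplied)."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "exposed-password-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """How many times the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the API so the example runs offline. The first suffix is
# the real SHA-1 remainder of the string "password"; the counts and other lines are made up.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "00000000000000000000000000000000000:1\r\n"
    "garbage line without a colon\r\n"
)


def fake_fetch_range(prefix: str) -> str:
    """Fake fetcher: returns the constructed body for the prefix of "password", else an unrelated line."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2\r\n"


# Step 4 of the lab: the same password reused across sites. Constructed sample data.
SAMPLE_CREDENTIALS = {
    "shop.example": "password",
    "mail.example": "password",
    "bank.example": "a-unique-one",
}


def reuse_groups(creds: Dict[str, str]) -> List[List[str]]:
    """Groups of sites that share one password (size >= 2), sorted for stable output."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in creds.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    for site, pw in SAMPLE_CREDENTIALS.items():
        print(f"{site}: seen {breach_count(pw, fake_fetch_range)} times in the (sample) corpus")
    print("reused across:", reuse_groups(SAMPLE_CREDENTIALS))
```

Passing `fetch_range_live` instead of `fake_fetch_range` runs the same logic against the real service; the prefix-only query is what makes that safe to do with a password you actually use, since an observer of the request learns nothing beyond five hex characters shared by hundreds of hashes.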
B. 1-2 Examining Security Policies

Step 1. Go to the SANS Information Security Policy Templates page located at https://www.sans.org/security-resources/policies.
Step 2. Click the Network Security category, and then click the Acquisition Assessment Policy hyperlink.
Step 3. Click the PDF hyperlink and review the Acquisition Assessment Policy. It defines responsibilities regarding corporate acquisitions and the minimum requirements of an acquisition assessment to be completed by the information security group.
Step 4. Return to the main Policy Templates page, click the Old/Retired category, click the Risk Assessment Policy hyperlink, click PDF, and review the template. This policy template defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the organization’s information infrastructure associated with conducting business.
Step 5. Return to the main Policy Templates page, click the General category, click the Ethics Policy hyperlink, click PDF, and review the template. This template discusses ethics and defines the means to establish a culture of openness, trust, and integrity in the organization.

C. REVIEW
1. Acquisition Assessment Policy
It defines responsibilities regarding corporate acquisitions and the minimum requirements of an acquisition assessment to be completed by the information security group.
a. Overview
The process of integrating a newly acquired company can have a drastic impact on the security posture of either the parent company or the child company.
b. Purpose
The purpose of this policy is to establish Infosec responsibilities regarding corporate acquisitions, and define the minimum security requirements of an Infosec acquisition assessment.
c. Scope
This policy applies to all companies acquired by <Company Name> and pertains to all systems, networks, laboratories, test equipment, hardware, software and firmware, owned and/or operated by the acquired company.

d. Policy
1. General
Acquisition assessments are conducted to ensure that a company being acquired by <Company Name> does not pose a security risk to corporate networks, internal systems, and/or confidential/sensitive information.
2. Requirements
a. Hosts
b. Networks
c. Internet
d. Remote Access
e. Labs

e. Policy Compliance
a. Compliance Measurement
b. Exceptions
c. Non-Compliance

2. Risk Assessment Policy

A. Purpose
To empower Infosec to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.
B. Scope
Risk assessments can be conducted on any entity within <Company Name> or any outside entity that has signed a Third Party Agreement with <Company Name>.
C. Policy
The execution, development and implementation of remediation programs is the joint responsibility of Infosec and the department responsible for the system area being assessed.
D. Policy Compliance
1. Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

2. Exceptions
Any exception to the policy must be approved by the Infosec team in advance.

3. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

E. Related Standards, Policies and Processes

1. Risk Assessment Process
2. Third Party Agreement

3. Ethics Policy
A. Overview
<Company Name> is committed to protecting employees, partners, vendors and the company from illegal or damaging actions by individuals, either knowingly or unknowingly. When <Company Name> addresses issues proactively and uses correct judgment, it will help set us apart from competitors.
B. Purpose
The purpose of this policy is to establish a culture of openness, trust and to emphasize the employee’s and consumer’s expectation to be treated to fair business practices.

C. Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at <Company Name>, including all personnel affiliated with third parties.
D. Policy
1. Executive Commitment to Ethics
- Senior leaders and executives within <Company Name> must set a prime example. In any business practice, honesty and integrity must be top priority for executives.
- Executives must have an open door policy and welcome suggestions and concerns from employees. This will allow employees to feel comfortable discussing any issues and will alert executives to concerns within the work force.
- Executives must disclose any conflict of interests regarding their position within <Company Name>.
2. Employee Commitment to Ethics
- <Company Name> employees will treat everyone fairly, have mutual respect, promote a team environment and avoid the intent and appearance of unethical or compromising practices.
- Every employee needs to apply effort and intelligence in maintaining ethics value.
- Employees must disclose any conflict of interests regarding their position within <Company Name>.
- Employees will help to increase customer and vendor satisfaction by providing quality products and timely response to inquiries.
- Employees should consider the following questions to themselves when any behavior is questionable:
a. Is the behavior legal?
b. Does the behavior comply with all appropriate policies?
c. Does the behavior reflect <Company Name> values and culture?
d. Could the behavior adversely affect company stakeholders?
e. Would you feel personally concerned if the behavior appeared in a news headline?
f. Could the behavior adversely affect <Company Name> if all employees did it?

3. Company Awareness
a. Promotion of ethical conduct within interpersonal communications of employees will be rewarded.
b. <Company Name> will promote a trustworthy and honest atmosphere to reinforce the vision of ethics within the company.

4. Maintaining Ethical Practices
a. <Company Name> will reinforce the importance of the integrity message and the tone will start at the top. Every employee, manager, and director needs to consistently maintain an ethical stance and support ethical behavior.
b. Employees at <Company Name> should encourage open dialogue, get honest feedback and treat everyone fairly, with honesty and objectivity.
c. <Company Name> has established a best practice disclosure committee to make sure the ethical code is delivered to all employees and that concerns regarding the code can be addressed.
d. Employees are required to recertify their compliance to the Ethics Policy on an annual basis.
5. Unethical Behavior
a. <Company Name> will avoid the intent and appearance of unethical or compromising practice in relationships, actions and communications.
b. <Company Name> will not tolerate harassment or discrimination.
c. Unauthorized use of company trade secrets & marketing, operational, personnel, financial, source code, & technical information integral to the success of our company will not be tolerated.
d. <Company Name> will not permit impropriety at any time and we will act ethically and responsibly in accordance with laws.
e. <Company Name> employees will not use corporate assets or business relationships for personal use or gain.

E. Policy Compliance
a. Compliance Measurement
<Company Name> will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback.
b. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
D. REVIEW QUESTIONS

1. You have been asked to perform a penetration test for a local company. You have had several meetings with the client and are now almost ready to begin the assessment. Which of the following is the document that would contain verbiage which describes what type of testing is allowed and when you will perform testing and limits your liabilities as a penetration tester?

a. Nondisclosure agreement

b. Rules of engagement

c. Service-level agreement

d. Project scope

2. Which of the following addresses the secrecy and privacy of information?

a. Integrity

b. Confidentiality

c. Availability

d. Authentication

3. You are part of a pen testing team that has been asked to assess the risk of an online
service. Management is concerned as to what the cost would be if there was an outage
and how frequent these outages might be. Your objective is to determine whether
there should be additional countermeasures. Given the following variables, which of
the following amounts is the resulting annualized loss expectancy (ALE)?

Single loss expectancy = $2,500

Exposure factor = .9
Annual rate of occurrence = .4

Residual risk = $300

a. $960

b. $120

c. $1,000

d. $270

4. Who are the individuals who perform legal security tests while sometimes performing
questionable activities?

a. Gray hat hackers

b. Ethical hackers

c. Crackers

d. White hat hackers

5. Which of the following is the most important step for the ethical hacker to perform
during the pre-assessment?

a. Hack the web server.

b. Obtain written permission to hack.

c. Gather information about the target.

d. Obtain permission to hack.

6. Which of the following is one primary difference between a malicious hacker and an
ethical hacker?
a. Malicious hackers use different tools and techniques than ethical hackers use.

b. Malicious hackers are more advanced than ethical hackers because they can use any
technique to attack a system or network.

c. Ethical hackers obtain permission before bringing down servers or stealing credit
card databases.

d. Ethical hackers use the same methods but strive to do no harm.

7. This type of security test might seek to target the CEO’s laptop or the organization’s
backup tapes to extract critical information, usernames, and passwords.

a. Insider attack

b. Physical entry

c. Stolen equipment

d. Outsider attack

8. Which of the following best describes an attack that altered the contents of two
critical files?

a. Integrity

b. Confidentiality

c. Availability

d. Authentication

9. Which individuals believe that hacking and defacing websites can promote social
change?

a. Ethical hackers
b. Gray hat hackers

c. Black hat hackers

d. Hacktivists

10. After the completion of the pen test, you have provided the client with a list of controls to implement to reduce the identified risk. What term best describes the risk that remains after the controls have been implemented?

a. Gap analysis

b. Total risk

c. Inherent risk

d. Residual risk

11. This type of security test usually takes on an adversarial role and looks to see what an
outsider can access and control.

a. Penetration test

b. High-level evaluation

c. Network evaluation

d. Policy assessment

12. Assume you performed a full backup on Monday and then an incremental backup on Tuesday and Wednesday. If there was an outage on Thursday, what would you need to restore operations?

a. The full backup from Monday

b. Both incremental backups from Tuesday and Wednesday

c. The full backup from Monday and Wednesday’s incremental backup

d. The full backup from Monday and both incremental backups from Tuesday
and Wednesday

13. During a security review, you have discovered that there are no documented security policies for the area you are assessing. Which of the following would be the most appropriate course of action?

a. Identify and evaluate current practices

b. Create policies while testing

c. Increase the level of testing

d. Stop the audit

14. Your company performs PCI-DSS audits and penetration testing for third-party
clients. During an approved pen test you have discovered a folder on an employee’s
computer that appears to have hundreds of credit card numbers and other forms of
personally identifiable information (PII). Which of the following is the best course of
action?

a. Contact the employee and ask why they have the data.

b. Make a copy of the data and store it on your local machine.

c. Stop the pen test immediately and contact management.

d. Continue the pen test and include this information in your report.
15. During which step of the incident response process would you be tasked with
building the team, identifying roles, and testing the communication system?

a. Containment

b. Recovery

c. Preparation

d. Notification

16. Clark is a talented coder and as such has found a vulnerability in a well-known application. Unconcerned about the ethics of the situation, he has developed an exploit that can leverage this unknown vulnerability. Based on this information, which of the following is most correct?

a. Clark is a suicide hacker.

b. Clark has violated U.S. Code Section 1027.

c. Clark has developed a zero day.

d. Clark is a white hat hacker.

17. Your ethical hacking firm has been hired to conduct a penetration test. Which of the
following documents limits what you can discuss publicly?

a. Nondisclosure agreement

b. PCI-DSS

c. Memorandum of understanding
d. Terms of engagement

18. Which of the following is a common framework applied by business management and
other personnel to identify potential events that may affect the enterprise, manage the
associated risks and opportunities, and provide reasonable assurance that objectives
will be achieved?

a. NIST SP 800-37

b. Qualitative risk assessment

c. PCI-DSS

d. Risk management framework

19. Your ethical hacking firm has been hired to conduct a penetration test. Which of the following documents limits the scope of your activities?

a. Nondisclosure agreement

b. PCI-DSS

c. Memorandum of understanding

d. Terms of engagement

20. Which of the following is a proprietary information security standard that requires
organizations to follow security best practices and use 12 high-level requirements,
aligned across six goals?

a. SOX

b. FISMA

c. PCI-DSS

d. Risk Management Framework
