Applied Science University (ASU)
Faculty of Information Technology (FIT)
First HW 2024-1 (first homework, 2023-2024/1)
Subject: Infrastructure Security using Linux
1305311
Instructor: I.Qais Alnaamneh Student Name: Hasan Qadoumi
Student ID: 202210400
□ CS □ SE □ CCC □ DSAI □ Other
PLEASE NOTE THAT THIS HOMEWORK IS 3 PAGES AND WITH A TOTAL OF 10 POINTS.
To complete the homework, screenshot every command you execute on your screen.
Q1: [3 points]
A. Display the current time in 12-hour clock time (for example, 01:30:10 AM). (1 point)
B. What kind of file is zcat? Is it readable by humans? (1 point)
C. Display the size and the number of words, lines, and characters of zcat. (1 point)
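The three checks of Q1 as reusable shell functions, added here as an illustration and not part of the submitted homework; it assumes a POSIX shell with date, file, tr and wc available, and the human-readability heuristic (no NUL bytes) is this example's own choice.

```shell
#!/bin/sh
# Added example (not part of the submitted homework): the three checks of Q1 as
# reusable shell functions. Assumes a POSIX shell with date, file, tr and wc.

# Q1-A: current time on a 12-hour clock, e.g. 01:30:10 AM. %r expands to
# %I:%M:%S %p; LC_ALL=C keeps the AM/PM suffix independent of the locale.
time_12h() {
    LC_ALL=C date '+%r'
}

# Single wc count (l, w, c or m) without the leading spaces some wc builds print.
count() {   # count <l|w|c|m> <file>
    wc "-$1" < "$2" | tr -d ' '
}

# Q1-B: what kind of file a path is. `file` reports e.g. "POSIX shell script"
# (readable) or "ELF 64-bit LSB executable" (not readable as text).
file_kind() {
    file -b "$1"
}

# Human-readability heuristic: text files contain no NUL bytes, so deleting
# NULs must leave the byte count unchanged.
is_readable() {
    if [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq "$(count c "$1")" ]; then
        echo yes
    else
        echo no
    fi
}

# Q1-C: size in bytes plus line, word and character counts (wc -c/-l/-w/-m).
file_stats() {
    printf 'bytes=%s lines=%s words=%s chars=%s\n' \
        "$(count c "$1")" "$(count l "$1")" "$(count w "$1")" "$(count m "$1")"
}

# Run against the real zcat (on Debian-derived systems it is a shell script):
# target=$(command -v zcat); file_kind "$target"; is_readable "$target"; file_stats "$target"
```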
© 2022-2023 Faculty of Information Technology (FIT), Applied Science Private University, Amman, Jordan. 1
Q2: [7 points]
"As a cybersecurity consultant for a multinational corporation, you are tasked with designing a comprehensive infrastructure security framework to protect critical assets and data from advanced cyber threats. Your solution must address various aspects of network security, system hardening, access controls, and threat detection/mitigation across heterogeneous environments."
A. Design a network security architecture incorporating defense-in-depth principles, including segmentation, isolation, and perimeter defense mechanisms.
B. Discuss the selection and configuration of network security devices such as firewalls, intrusion detection/prevention systems (IDPS), VPN gateways, and secure gateways to enforce security policies and monitor network traffic.
Intrusion detection/prevention systems: put in place AI-driven intrusion detection and prevention systems for continuous real-time threat detection and automated response.
VPN gateway: use IPsec VPN with strong encryption and multi-factor authentication.
Secure gateways: deploy web and email gateways with sandboxing and DLP capabilities.
Configure each device for centralized logging to a SIEM so that comprehensive threat analysis and policy enforcement can take place.
C. Evaluate the effectiveness of network segmentation strategies (e.g., VLANs, micro-segmentation) in containing lateral movement and reducing the attack surface in complex enterprise networks.
1. VLANs
Pros: logical separation, easy to implement, reduces broadcast traffic.
Cons: vulnerable to VLAN hopping if misconfigured.
2. Micro-segmentation
Pros: granular control, prevents lateral movement, supports zero trust.
Cons: policy complexity, requires advanced tools like VMware NSX.
3. DMZ
Pros: isolates internet-facing services, protects internal networks.
Cons: requires careful configuration to avoid exposure.
Effectiveness: these strategies limit lateral movement, reduce attack surfaces, and enhance security in complex networks.
D. Develop a system hardening strategy for servers, endpoints, and network devices across Windows, Linux, and other operating systems, considering factors such as patch management, configuration baselines, and secure protocols.
1. Servers
Patch management: regularly apply patches and updates to the OS and software.
Configuration: harden the system using CIS Benchmarks, disable unused services, limit privileges to the minimum, and so forth.
Secure protocols: employ SSH and HTTPS while disabling older protocols such as Telnet.
2. Endpoints
Patch management: enable timely automatic updates of the OS and third-party applications.
Configuration: enable endpoint protection tools and disable autorun.
Encryption: activate full-disk encryption such as BitLocker or LUKS.
3. Network devices
Configuration: strong passwords must be set, all unused ports disabled, and management through secure protocols such as SNMPv3 and SSH must be in place.
Firmware updates: regularly apply firmware updates to overcome vulnerabilities.
Key tools include configuration management tools such as Ansible, vulnerability scanners, and secure baselines.
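One way to check the "secure protocols / least privilege" items of the server hardening strategy on a Linux host, as an added example that is not the homework's own content: a small audit of an sshd_config file against a CIS-style baseline. The directive set and expected values are a constructed subset chosen for this illustration, and the reader simplifies sshd's parsing (first match wins, Match blocks ignored).

```shell
#!/bin/sh
# Added example, not the homework's own content: a small sshd_config audit for the
# "secure protocols / least privilege" items of the server hardening strategy.
# The directives and expected values are a constructed CIS-style subset; adjust to
# your own baseline. Usage: audit_sshd /etc/ssh/sshd_config

# Effective value of a directive. Like sshd, the first uncommented occurrence wins;
# Match blocks are ignored in this simplified reader. Prints nothing when unset.
ssh_setting() {   # ssh_setting <directive> <config-file>
    awk -v key="$1" '
        !found && tolower($1) == tolower(key) { val = $2; found = 1 }
        END { print val }' "$2"
}

# Compare one directive (case-insensitively) against its expected value.
# Prints PASS or FAIL; returns 1 on FAIL. An unset directive also fails, since the
# baseline wants the setting explicit rather than relying on compiled-in defaults.
check() {   # check <config-file> <directive> <expected>
    actual=$(ssh_setting "$2" "$1" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$3" ]; then
        printf 'PASS %s=%s\n' "$2" "$actual"
    else
        printf 'FAIL %s=%s (expected %s)\n' "$2" "${actual:-<unset>}" "$3"
        return 1
    fi
}

# Run the baseline; the exit status is the number of failed checks (0 = compliant).
audit_sshd() {   # audit_sshd <config-file>
    fails=0
    check "$1" PermitRootLogin no        || fails=$((fails + 1))
    check "$1" PasswordAuthentication no || fails=$((fails + 1))
    check "$1" PermitEmptyPasswords no   || fails=$((fails + 1))
    check "$1" X11Forwarding no          || fails=$((fails + 1))
    return "$fails"
}
```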
E. Discuss the importance of vulnerability scanning, penetration testing, and security configuration management tools in identifying and remediating security weaknesses in infrastructure components.
Vulnerability scanning
Detects: known vulnerabilities in systems and networks, found by scanning for them.
Example tools: Nessus, OpenVAS.
Penetration testing
Detects: weaknesses exposed by simulated attacks.
Example tools: Metasploit, Burp Suite.
Security configuration management
Detects: deviations from the baseline security posture and misconfigurations, ensuring compliance.
Example tools: CIS-CAT, Chef InSpec.
Advantage: these tools can quickly find and fix vulnerabilities, thereby lowering the chances that those vulnerabilities could ever be exploited.
F. Propose strategies for prioritizing and addressing critical vulnerabilities in a timely manner to mitigate the risk of exploitation and data breaches.
1. Risk-based prioritization should focus attention on those vulnerabilities that, if exploited, would pose an acute risk to operations (for example, remote code execution and privilege escalation). CVSS shall be used to confirm the severity of the vulnerability.
2. Patching should be prioritized by criticality and exposure, fixing the most significant issues first. Patch management will use automation tools such as WSUS or Qualys for the actual deployment of patches.
3. Zero-day vulnerabilities: monitor threat-intelligence sources such as US-CERT and CVE to identify existing exploits, and counter them with firewalls and intrusion detection systems.
Objective: vulnerabilities should be prioritized according to business exposure, exploitability, and measurable impact, to best minimize the chance of intrusion.
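The prioritization rule above (CVSS severity combined with exposure and exploitability) worked through on a constructed inventory, as an added example that is not the homework's own content; the weights, the cap and the sample findings are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example, not the homework's own content: a risk-based ordering of findings that
# combines the CVSS base score with the exposure and exploitability factors named above.
# The weights and the sample inventory are constructed for this illustration.

# Constructed inventory, one finding per line: id,cvss_base,exposure,known_exploit
FINDINGS='VULN-A,9.8,internal,no
VULN-B,7.5,internet,yes
VULN-C,5.3,internet,no
VULN-D,9.1,internet,no'

# Priority score = CVSS base, +2 when reachable from the internet, +3 when a
# public exploit is known, capped at 15. Output: id,priority, highest first.
prioritize() {   # prioritize "<findings>"
    printf '%s\n' "$1" | awk -F, '
        NF == 4 {
            p = $2
            if ($3 == "internet") p += 2
            if ($4 == "yes")      p += 3
            if (p > 15)           p = 15
            printf "%s,%.1f\n", $1, p
        }' | sort -t, -k2,2 -nr
}

# The finding to patch first; note that it is not the one with the highest CVSS.
top_finding() {
    prioritize "$1" | head -n 1 | cut -d, -f1
}
```

With the sample data VULN-B (CVSS 7.5, internet-facing, exploit known) outranks VULN-A (CVSS 9.8, internal only), which is the point of weighting exposure and exploitability rather than severity alone.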
G. Predict future trends in infrastructure security, such as the adoption of zero-trust networking, software-defined security, and artificial intelligence/machine learning (AI/ML) for threat detection and response.
1. Zero-trust networking
Trend: a departure from perimeter-centric protection to continuous user/device/application verification.
Impact: minimizes the potential fallout of a breach and enforces least-privilege access.
2. Software-defined security
Trend: use of software to define security policies and controls for flexible and highly scalable protection of dynamic environments.
Impact: simplifies security management in hybrid cloud and virtualized environments.
3. Using AI or ML for threat detection
Trend: the use of AI and ML to discover unknown threats while minimizing false positives and automating responses.
Impact: enhanced real-time anomaly detection with fewer manual interventions.
Predictions: these trends will make security architectures smarter and more flexible, further increasing their strength against advanced threats.
H. Discuss the potential impact of emerging technologies on infrastructure security architectures, the threat landscape, and the cybersecurity workforce skills required to address evolving challenges.
1. Security architecture impact
Cloud and virtualization: increased adoption of cloud services and virtualized environments demands more dynamic and scalable security solutions like software-defined security and micro-segmentation.
Edge computing: as more data is processed at the edge, security models must change in order to protect distributed systems without a centralized perimeter.
2. The changing threat landscape
AI/ML in cyber attacks: threat actors might use AI to perform sophisticated attacks (e.g., automated vulnerability discovery, AI-influenced malware).
5G networks: 5G introduces additional attack surface, such as vulnerabilities in a large number of connected IoT devices.
3. The cybersecurity workforce
Demand for skills: the rise of advanced technologies results in a need for more professionals familiar with AI/ML, cloud security, and threat intelligence.
Continuing education: cybersecurity experts will require progressive, lifelong learning to stay abreast of newer tools and frameworks, along with rapidly evolving attack methods.
I. Recommend strategies for adapting existing security frameworks and practices to embrace new technologies and address emerging threats in dynamic and rapidly evolving IT environments.
1. Adopting new technologies
Cloud security: protect workloads running in hybrid and multi-cloud environments using complementary security tools, such as a CASB (cloud access security broker) and cloud-native firewalls.
Automation: adopt SOAR (security orchestration, automation, and response) platforms to simplify incident response and limit manual activities.
2. Confronting new threats
Zero trust: enterprises must transition to a zero-trust architecture built on continuous verification of identities, devices, and user activities.
AI/ML: AI-enabled security solutions should be adopted to enhance threat detection, incident response, and vulnerability management.
3. Adapting practices for fast-moving IT environments
Agile security: DevSecOps practices should be instilled within the SDLC to ensure secure coding and automated security testing.
Continuous monitoring: monitoring should be supplemented with SIEM and threat-intelligence feeds to stay one step ahead of emerging threats in rapidly changing environments.
Conclusion: confronting emerging threats with new technological approaches requires a proactive and agile approach that integrates automation, zero trust, and AI to sustain resilience in a dynamic environment.
Submission:
To submit your homework, rename this file with "your name and ID". Upload the file to the ASU
Edugate system.