provide the answer under the question apa format include referencepart 1:Our course reading this week discusses the use of electromagnetic signals to transmit digital data, i.e. wireless and mobile networking and communications.Certain parts of the electromagnetic spectrum are heavily regulated by governments and international agreements. Why do some frequencies require licensing, and some frequencies do not? Can you give examples of both cases?part 2You have just been hired as a consultant by an eCommerce Chocolate Company to help find a third party vendor to complete a vulnerability scanning and penetration testing. Research 2-3 vendors and discuss the services they perform and estimated costs of those services. Don’t be afraid to actually reach out to the company, many are more than happy to help out students. (200 words)part 3What is a vulnerability assessment and why do we do it?Beyond finding vulnerabilities in a system, what other purposes can a vulnerability assessment fill? What else can they do?Your company has just decided to take advantage of an external cloud provider for new application needs. Would you ask for a vulnerability assessment of the external cloud systems? Why or why not?Research and discuss the Nessus tool. What functions would you think are the most useful? Why?Why do we do port scans? What port scan results would cause an auditor to be concerned?IS 464 – Policy and
Week 9 – Managing the Audit
 Vulnerability assessments
 Seek to find any vulnerability that can be exploited by an attacker
 Must be performed on any electronic system (to identify
vulnerabilities and mitigate them)
 Output is a report of each vulnerability, where in the software, and
possible mitigations
 Can document what devices and systems are active in company –
great for asset management
Chapter 1
 Software involves a cycle of code development, code installed in
production for the business to use, vulnerability scan, determine
mitigation(s), fix code (prepare patch), and deploy to production.
 Vulnerability scans can be built into any and every device or
software being deployed – leads to increased security
Deploy to
Slide 2
 Many types of assessments: host, network, software applications
(COTS or internally developed)
 Are a number of automated vulnerability systems (such as Nessus)
 Stand-alone systems – installed on target systems – are advantages
and disadvantages
 Subscription – allow external provider to come into your systems
Chapter 1
 Start by determining what is to be tested including ports,
address(s), and configuration settings
 **Be aware such testing can impact production performance!!
 Assessments will target TCP, ICMP, and UDP connections
 Will look for ‘fingerprints’ related to available applications
 Look for what services are accepted (SSL transport), HTTP,
HTTPS, SMTP, POP3 and others
 Based on services can look for specific applications that use them
Slide 3
 Finally, look for known vulnerabilities such as unneeded open ports,
software versions with known vulnerabilities, and test for the
 Report details what is found from services, systems, and
Chapter 1
 Perform testing based on an administrative (based on what a
system administrator can see and do – very powerful) or external
perspective (looking for ways attackers would evaluate systems)
 Can use a hybrid approach to evaluate both administrative and
external perspectives (Nessus and eEye Retina applications)
 **Be aware of how system is constructed as many items can
interfere with results
 Vulnerability testing applications are not a ‘magic bullet’ in that
they can only test what they know. Still do see many false positives
and false negatives – therefore need manual audits as well
Slide 4
 Nessus vulnerability testing application
Chapter 2

Is still a highly rated remote security scanning tool
Can get free versions or purchase version with more functions
Can handle large, complex cyber eco-systems
Can build own plugins specific to what you want to test
Useful or information security in house or ‘for hire’ consultants
Can target specific types of tests for specific industries (ie PCI-DSS)
Can scale up as necessary
Scanning configurations can be set and then it will perform the scan(s)
without direct intervention and produce a report
 Can gather data using encrypted connection (for security)
 Storing scan data in a database means can make time based
comparisons as well as review trends over time and provide proof of
meeting regulations and laws
 Has a large set of knowledge articles and plugins for testing and analysis
 Consultants (internal or external) need to go beyond running the
report – need to investigate the report findings to ensure they are an
Slide 5
 Installing Nessus:
 Download the (latest) free version (Google for latest version)
 Read through the install guide
 and install (if at corporate level install on a separate server for
security reasons)
Chapter 3
 Be sure to follow PoLP (principle of least privilege so that Nessus is not
 Register as noted during install to get latest updates
 Determine what types of testing to be done (which OS, network
location, when to scan, how much of the network to scan)
 Finally, execute! Perform scan
Slide 6
 BE careful when scanning (or may bring network down)
 Be sure to have the right authorization (in writing/encrypted email) to
perform scan
 Communicate with system administrative staff or ISP (otherwise they
may think you are attacking
Chapter 4 –
Running a scan
 Need a full understanding of the system(s) involved
 Evaluate denial of service and missing vulnerabilities – can be
 Think about breaking scans up into short phases – gives faster results
and less network impact
 May need expanded authentication to access some systems
 Once scan is done, review findings and follow up to:
 Determine if really an issue
 Determine if just a configuration problem
 Use scan results to create scanning policies for use in other systems
Slide 7
 Use safety options to decrease possibility of impacts on network
or a device (means less effective scan)
 Create a userid for the scan that has just sufficient privileges –
avoid using administrator accounts
 Limit first scan to 5-10 ‘targets’
Chapter 4 Running a scan
 Current version can scan for > 50,000 CVE (vulnerabilities) and has
previously detected zero day exploits
 Contains templates for specific types of compliance testing to meet
specific regulations and legal requirements
 Can fix issues as reported for some systems
 Currently there are 130,000 plugins
 User front end looks similar to what is shown in Rogers
Slide 8
 Results report out to GUI and have colour coded information on
vulnerabilities by IP address
 Export results to other file formats for review and creation of
future trending evaluations
 Can pull previous reports back into Nessus GUI
Chapter 5 Nessus reports
 Can write results to a database (for further analysis)
 Nessus focuses on business goals of confidentiality, integrity, and
availability (CIA) of systems and data
 System risks include: brute force attacks, exploitations, data
mining, and attackers looking for any vulnerability
 Reports include such elements as: category (type of issue), subnet,
hostname, port (including type), script ID (that was run), CVE
issue, possible solution and how high a risk
Slide 9
 Evaluate each risk for being a true risk/issue, or a possible false
 ‘Safe Check’ option is still in the current version – determine how
aggressive the scan will be run
Chapter 5 Nessus reports
 There are a multitude of different settings and testing Nessus can
run – set them up based on what looking for and the cyber
Slide 10
 Nessus is a very powerful vulnerability scanning tool that has been
around for approximately 20 years
 Free version is still available
 Install and configuration is straightforward
 Has a multitude of specific criteria for scanning
Take Aways for
Week 9
 Can save reports, allowing for trends to be created as well as
historical data reviews
 Can either use a bundled template to test for specific compliance
(PCI-DSS) or can set own configurations and save them in a
template to be used on other Nessus scanning servers
Slide 11

Purchase answer to see full

Why Choose Us

  • 100% non-plagiarized Papers
  • 24/7 /365 Service Available
  • Affordable Prices
  • Any Paper, Urgency, and Subject
  • Will complete your papers in 6 hours
  • On-time Delivery
  • Money-back and Privacy guarantees
  • Unlimited Amendments upon request
  • Satisfaction guarantee

How it Works

  • Click on the “Place Order” tab at the top menu or “Order Now” icon at the bottom and a new page will appear with an order form to be filled.
  • Fill in your paper’s requirements in the "PAPER DETAILS" section.
  • Fill in your paper’s academic level, deadline, and the required number of pages from the drop-down menus.
  • Click “CREATE ACCOUNT & SIGN IN” to enter your registration details and get an account with us for record-keeping and then, click on “PROCEED TO CHECKOUT” at the bottom of the page.
  • From there, the payment sections will show, follow the guided payment process and your order will be available for our writing team to work on it.