icon picker
ethical hacking worksheets

Exercise 1: Malware

Malware is a term made up from which two words?
Explain why it is incorrect to describe any type of malware as a virus.
Describe two characteristics unique to a computer virus.
Describe two methods by which viruses can spread.
Describe two symptoms that may suggest a computer system has been compromised malware.
In the context of computer viruses, explain what is meant by the term replication.
Computer viruses often use camouflage to evade detection. Describe two camouflage techniques that a virus may employ and explain why this makes it more difficult for anti-virus software to detect it.
Explain how a file virus differs from a boot sector virus.
Anti-malware software makes use of various techniques to detect malware.
Describe how each of the following techniques operates:
Signature detection
Heuristic detection
Checksum
Describe how a Trojan differs from a virus

Exercise 2: Malware 2 (Level 5)

Trojans are often used to create a backdoor into a computer system. Explain what is meant by a backdoor and how an attacker might use it.
Describe how a worm operates, and how it differs from a virus.
Describe two examples of spyware and describe how each might be used by criminals.
What is a ‘drive-by-download’?
It is essential to ensure users have strong passwords. State three characteristics of a strong password.
Some users have difficulty remembering many different passwords, and can be tempted into using the same password for several accounts. Explain why this practice carries risk.
Criminals make use of various techniques to 'crack' passwords and gain access to users' accounts. Describe two of these techniques.
Biometric systems are being used increasingly in place of passwords. Name and describe two methods of biometric authentication.
Describe how a DDOS attack makes use of a botnet to attack a computer system or website.
Describe how Ransomware operates.

Exercise 3: Advanced Persistent Threat (Level 6)

Use the internet to research an example of an advanced persistent threat. You should then create a short presentation on your findings.
Some points you may wish to include:
Nature of the threat
Target
How an APT differs from a conventional cyber threat

Exercise 4: Social Engineering (Level 5)

Describe three characteristics that would suggest an e-mail might be an attempt at phishing.
Describe the difference between phishing and spear phishing.
Explain what is meant by e-mail spoofing.
Describe what is meant by dumpster-diving and outline one method that could be employed to protect individuals and organisations from falling prey to it.
Describe how a watering-hole attack operates.
Give an example of how psychological manipulation can be used by malicious individuals to gain unauthorised access to computer systems or data.
Outline two methods an organisation could employ to make their company less susceptible to social engineering attacks.
Give two reasons why criminals might prefer to make use of social-engineering techniques instead of hacking computer systems.
Explain what is meant by the term ‘baiting’.
Describe two methods individuals can employ to prevent falling victim to a social engineering attack.

Exercise 5: Biometric Security Methods (Level 4)

Biometric authentication makes use of physical attributes (such as fingerprint/retina) to authenticate users.
Use the internet to investigate another type of biometric authentication. You should then write a brief summary of how it operates. You should consider the following points in your response:
How does it operate?
How secure is this method?
Speed of response
Comparison with other authentication methods

Exercise 6: Cyber Resilience (Level 6)

Explain what is meant by cyber resilience.
Cyber attacks are often analysed in terms of their effect on the ‘CIA’ of sensitive data.
Summarise what is meant by this.
Describe what is meant by a tabletop exercise and how it is beneficial for organisations to participate in these.
Explain why it is important that software patches be installed as soon as they become available.
It is important for organisations to ensure they have a robust backup system in operation.
Describe what is meant by a full backup.
Describe what is meant by an incremental backup.
A company that takes thousands of online orders per day operates a backup strategy whereby they take a full backup of their data every Sunday.
Explain why this backup strategy is insufficient.
Describe how this could be improved.
Intrusion detection is a useful part of a wider cyber security strategy. Describe how a honey-pot might be used as part of an Intrusion Detection system.
Staff training is one of the most important elements of a cyber security strategy. Describe three practices an organisation should consider as part of their staff training programme.
Two-factor authentication is a feature available on many online services. Explain how two-factor authentication protects users against cyber attacks.

Exercise 7a: Cybercrime Investigation (Level 6)

Part A: Historical example of cybercrime 9
Use the internet to investigate a historical example of cybercrime. For the purposes of this exercise, you should focus on cybercrime that took place prior to the year 2005.
Your research should attempt to find the following information, if applicable:
Type of cybercrime
Malware used (Virus/Trojan/Worm)
Behaviour of malware; how did the malware operate?
Did the attack compromise data confidentiality/integrity/availability? Or a combination of the three?
Primary method of infection/spreading
Techniques used (DDOS attack/Insider attack, etc)
Target of the crime (did the malware target a particular individual/organisation/sector? Or was it indiscriminate?
Motivation of criminals (financial gain? revenge?)
Impact of attack:
Financial
Reputational
Social/political
Effects on victims/other consequences
Final outcome: Were the perpetrators brought to justice? If so, what was the outcome?
What law(s) were broken? Has any remedial action been taken as a result of the attack, for example, changes in the law or company policies?
When you have collated your research, you should then present your findings in the form of a written report.

Exercise 7b: Cybercrime Investigation (Level 6)

Part B: Contemporary example of cybercrime
Use the internet to investigate a recent example of cybercrime. For the purposes of this exercise, you should focus on cybercrime that took place on, or after, the year 2005.
Your research should attempt to find the following information, if applicable:
Type of cybercrime
Malware used (Virus/Trojan/Worm)
Behaviour of malware; how did the malware operate?
Did the attack compromise data confidentiality/integrity/availability? Or a combination of the three?
Primary method of infection/spreading
Techniques used (DDOS attack/Insider attack, etc)
Target of the crime (did the malware target a particular individual/organisation/sector? Or was it indiscriminate?
Motivation of criminals (financial gain? revenge?)
Impact of attack:
Financial
Reputational
Social/political
Effects on victims/other consequences
Final outcome: Were the perpetrators brought to justice? If so, what was the outcome?
What law(s) were broken? Has any remedial action been taken as a result of the attack, for example, changes in the law or company policies?
When you have collated your research, you should then present your findings in the form of a
written report.

Exercise 8: Legislation

Using the following list of pieces of legislation, find out some more details about each of them.
Think about the purpose of each Act and the date they were passed.
Data Protection Act
General Data Protection Regulation
Computer Misuse Act
Regulation of Investigatory Powers Act
Investigatory Powers Act
Police and Justice Act
Copyright, Design and Patents Act
Intellectual Property Act
Present your findings in a presentation, word document or poster.

Exercise 9: Data Protection Act versus GDPR

Data Protection Regulation (Level 6) 12
Create a chart or diagram that represents the differences between the Data Protection Act and the General Data Protection Regulation. Think about the main differences and in what ways they differ.
Extension: Can you think of any areas where the General Data Protection Regulation may not be good enough? Is this new piece of legislation sufficient to replace the Data Protection Act?

Exercise 10: RIPA Discussion (Levels 5 and 6)

Research RIPA and makes notes to prepare for a discussion on this piece of legislation.
Do you think it is a good piece of legislation?
Can you find examples of this piece of legislation being misused or used correctly?
What are you overall feelings regarding this piece of legislation?

Exercise 11: Controversial Legislation (Level 6)

A lot of the legislation that has been covered can be considered controversial. In pairs, select two pieces of legislation and have a discussion on any controversial examples you can find regarding the legislation and decide if you agree with the outcome.

Exercise 12: Legislation Research (Levels 5 and 6)

The list below contains the legislation that we have explored in this unit. Choose two from the list to investigate, and then collate your findings in a manner that you choose. You may wish to create a presentation, poster, word document or voice recording.
Data Protection Act
General Data Protection Regulation
Computer Misuse Act
Regulation of Investigatory Powers Act
Investigatory Powers Act
Police and Justice Act
Copyright, Design and Patents Act
Intellectual Property Act
You should consider the following points in your investigations, but this list is not exhaustive:
Examples of the legislation being breached
Any future updates to the legislation
Examples of when the legislation failed

Exercise 13: Case Studies (Levels 5 and 6)

The list below contains well-known cyber attacks. Choose two from the list to investigate, and then produce a written report on your findings.
WannaCry
Stuxnet
Sony Hack
ILOVEYOU
Conficker
Ashley Madison
Some points to consider/investigate:
Type of Malware (Virus? Worm? Ransomware?)
Behaviour of malware (how did it operate?)
Target of malware
Perpetrators
Motivation (Financial? Political?)
Individual/group/nation state
What aspects of C/I/A were affected?
Impact of attack
Was the attack preventable? If so, how?
What lessons can be learned?
How did the attack come to an end?
Outcome: Did the target recover from the attack? What damage had been done?
Have the perpetrators been caught/prosecuted?
Once your investigation is complete, pair up with a pupil who investigated different cyber attacks and compare your findings.

Exercise 14: Penetration Testing (Theory)

Describe what is meant by the scope of a penetration test.
Explain why it is important that the scope of the test and any confidentiality arrangements are agreed and signed before the test commences.
The reconnaissance stage of a penetration test is crucial to the success of the test. State two examples of the type of information a reconnaissance activity may attempt to retrieve.
Describe the difference between passive and active reconnaissance techniques and give one example of each.
Once reconnaissance is complete, the next stage is to search for vulnerabilities. State what is meant by the term vulnerability in this context.
When a vulnerability has been discovered, the next stage is to exploit it in order to gain some level of access to the system. Describe the role that the Metasploit Framework (MSF) plays at this stage.
Malicious hackers may attempt to maintain access to a system once they have successfully managed to gain access. Name and describe one method of maintaining access.
Malicious hackers may also attempt to ‘cover their tracks’ in order to evade detection.
Describe one action a hacker might perform in order to cover their tracks.
When the penetration test is complete, a report is written for the client.
Describe two features of this report.

Exercise 15: Information Gathering (Reconnaissance)


Passive Reconnaissance
‘Passive reconnaissance is an attempt to gain information about targeted computers and networks
without actively engaging with the systems.’
When conducting a penetration test, it is vital that we gain as much information as possible about our target beforehand. This will make working on the later stages much easier. In the real world, security professionals spend a great deal of time working on this stage in order to ensure success later on.
An appropriate analogy is a quote by Abraham Lincoln:
‘If you give me six hours to chop down a tree, I will spend the first four sharpening my axe...’
The reconnaissance stage is effectively ‘sharpening your axe’.
Look at the following sites, which contain information on passive reconnaissance.
Below is a list of some tools that you may find useful when conducting passive reconnaissance.
Site: search (when used with google, will search only a specified site for keywords)
It is also a good idea to search jobsites/vacancies that the company has advertised, such as job descriptions/skills they ask for, as this will provide clues as to the technologies the company uses.
Eg,
Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.