Instructor’s Manual Chapter 10 Incident and Disaster Response

Intrusion Detection Systems (IDSs)

An intrusion detection system (IDS) is software and hardware that captures suspicious network and host activity data in event logs, and provides automatic tools to generate alarms, as well as query and reporting tools to help administrators analyze the data interactively during and after an incident.

b) Is an IDS a preventative, detective, or restorative control?

It is only a detective control. Of course, if attackers believe that they are likely to be caught by an IDS, it may have preventative benefits as well.

c) What are false positives?

False positives in an IDS are known as false alarms.

d) Why are false positives problems for IDSs?

IDSs tend to be ignored if they generate many false positives.

Functions of an IDS

The four functions of IDSs are logging, automated analysis, administrator actions, and management.

b) What are the two types of analysis that IDSs usually do?

Two types of analysis IDSs usually perform are attack signature detection and anomaly detection.

c) What types of action did this section mention?

Actions mentioned include alarms and log summary reports with interactive manual log analysis tools.

d) What information should alarms contain?

Alarms should give the security administrator a description of what the problem is, a way to test the alarm for accuracy, and advice about what action the security administrator should take.

Log summary reports list various types of suspicious activity. They also indicate threat priority by type of threat or by statistical analysis, indicating high frequency. The purpose of log summary reports is to give IDS administrators notice of threats that aren’t high risk or detected by alarms.

f) Describe interactive log file analysis.

Interactive log file analysis allows administrators to drill down into log files to better understand an ongoing or completed attack, while filtering out irrelevant entries.

Distributed IDSs

A distributed IDS can collect data from many devices at a central manager console to allow a security manager to detect a more complex attack.

b) Name the elements in a distributed IDS.

There is a manager, an integrated log file, an agent host IDS, an agent network IDS, and an IDS vendor.

c) Distinguish between the manager and agents.

The agent collects event data and stores them in log files on the monitoring devices. The manager program is responsible for integrating the information from the multiple agents that run on multiple monitoring devices.

d) Distinguish between batch and real-time transfers for event data.

In batch transfers, the agent waits until it has several minutes or several hours of data and then sends a block of log file data to the manager. In real-time transfers, each event’s data goes to the manager immediately.

e) What is the advantage of each type?

Batch transfer is the least expensive and has the lowest network load, while real-time transfer allows capturing of log files without worrying about attackers deleting log files.

f) What two types of communication must be secure?

Communication between IDS agents and manager should be secure in order to ensure an attacker cannot spoof either and cause mass confusion to the IDS.

Network IDSs (NIDSs)

NIDSs look at all information traveling through a network.

b) Distinguish between stand-alone NIDSs and switch-based or router-based NIDSs.

Stand-alone NIDSs are boxes located at various points in a network. They read and analyze all network frames that pass by them. They are essentially corporate-owned sniffers. Switch NIDSs and router NIDSs are switches and routers that have IDS software. Typically, these capture data on all ports.

c) What are the strengths of NIDSs?

The strength of NIDSs is that they can see all packets passing through some locations in the network. Often, these packets are highly diagnostic of attacks.

d) What are the two weaknesses of NIDSs?

The two weaknesses of NIDSs are that they leave blind spots on the network where no NIDSs are placed, and they cannot read encrypted data.

Host IDSs

The main attraction of HIDSs is that they provide highly specific information about what happened on a particular host. This is important for problem diagnosis.

b) What are the two weaknesses of host IDSs?

The two weaknesses of HIDSs are that they have limited views of what is happening on a network because they can only see on a particular host, and they can be compromised if the system is owned by an attacker.

c) List some things at which host operating system monitors look.

Some things host operating system monitors look at are multiple failed logins, creating new accounts, adding new executables that may be attack programs, modifying executables (installing Trojan horses does this), adding registry keys (changes how system works), and changing or deleting system logs and audit files.

Log Files

Integrated log files are good because they are an aggregation of event logs from multiple IDSs.

b) Why are they difficult to create?

They are difficult to create because of format incompatibilities.

c) Explain the time synchronization issue for integrated log files.

If the times on the various IDSs are off by even a few thousandths of a second, it will be extremely difficult to see what is happening at a particular moment in time—especially if the attack is automated and occurs quickly.

d) How do companies achieve time synchronization?

Companies achieve time synchronization using the Network Time Protocol (NTP) service.

e) What is event correlation?

Event correlation is the analysis of suspicious patterns in a series of events across multiple devices.

f) Distinguish between aggregation and event correlation.

Aggregation is the collection of all log files, whereas event correlation requires analysis to determine related attack patterns.

g) Why is analyzing log file data difficult?

Analyzing log file data is difficult because the relevant event exists in much larger event streams than are logged.

h) In Figure 10-19, how long is the delay between the first attempted login and the second?

The delay is 44.28 seconds.

i) Does this indicate that the attack is a human attack or an automated attack?

This is most likely a human attack (based on memory of the logs) because the attack is done in a reasonably human amount of time.

Managing IDSs

Precision in IDS means that the IDS should report all attack events and report as few false alarms as possible.

b) What are false positives, and why are they bad?

False positives are also known as false alarms and are bad because they will outnumber true alarms ten-to-one or even more. In fact, the large number of false positives generated by IDSs is the major problem with IDSs today, causing many firms to stop using them after a trial period.

c) What are false negatives, and why are they bad?

False negatives are failures to report true attack activities. They are bad because they fail to notify the user of a valid attack.

d) How can tuning reduce the number of false positives?

Tuning turns off unnecessary rules, and reduces the severity level of alarms generated by other rules, in order to limit the total number of false positives.

e) What does an IDS do if it cannot process all of the packets it receives?

IDSs that are overwhelmed by packets will simply skip packets and possibly miss a valid, suspicious attack packet.

f) What may happen if a system runs out of storage space?

When the system nears the point of running out of storage space, the IDS will transfer the log file to backup and start a new log file.

g) Why is limiting the size of log files necessary but unfortunate?

Limiting the size of log files is necessary to avoid exceeding storage capacity, and this limits the amount of log file data available for historical analysis.

Honeypots

A honeypot is a fake server or entire network segment with multiple clients and servers.

b) How can honeypots help companies detect attackers?

Because legitimate users will not access the honeypot network assets, honeypot activities are normally attacker activities.

c) Could a honeypot attract unwanted attention from attackers?

Yes, due to the number of ports being faked, a honeypot could attract additional attention from attackers looking for a specific service, operating system, or port.

Business Continuity Planning

24. a) What do business continuity plans specify?

Business continuity plans specify how a company will maintain or restore core business operations after disasters.

b) Distinguish between business continuity plans and IT disaster recovery plans.

Business continuity plans specify how a company, as a whole, will maintain or restore core business operations after disasters. Disaster recovery plans are geared only toward IT functions after a disaster.

Principles of Business Continuity Management

25. a) What four protections can firms provide for people during an emergency?

Four protections are evacuation plans and drills, not allowing people to go back inside, accounting for all members, and counseling after a disaster.

b) Why is accounting for all personnel important? (The answer is not in the text.)

Accounting for all personnel is important because it shows that the company believes in its employees, takes care of them, and demonstrates corporate citizenship.

c) Why does human cognition in crises call for extensive pre-planning and rehearsal?

Human cognition in crises is stifled; only extensive preplanning and practice provides a decent chance of proper human action during a crisis.

d) Why is it necessary not to make plans and processes for crisis recovery too rigid?

Avoiding rigidity is key because each crisis will be somewhat unique and require flexibility to address unexpected conditions.

e) Why do communication systems tend to break down during crises?

Communication systems tend to rely on electrical power, which usually does not survive long during crises.

Business Process Analysis

26. a) List the four steps in business process analysis?

Identification of business processes and interrelationships

Prioritization of business processes

Specification of resource needs

Specification of actions and sequences

b) Explain why each is important.

Identification of business processes and their interrelationships is important because all business processes must be identified and understood in order to move to the next step.

Prioritization of business processes is important because it helps the firm restore the most important functions of the business first.

Specifying resource needs is important and necessary when there are disruptions during and after the disaster.

Specifying actions and sequences is important because it will get the job done.

Testing and Updating the Plan

27. a) Why are business continuity plans more difficult to test than incident response plans?

The processes involved in incident response plans are complex, but business continuity response processes are far more complex and therefore far more difficult to test.

b) Why is frequent plan updating important?

Frequent plan updating is important because business conditions change constantly and because businesses reorganize constantly.

c) Why must companies update contact information even more frequently?

The people holding specific roles changes very frequently.

d) For what two reasons is a business continuity staff necessary?

The reason a business continuity staff is necessary is because there is constant updating and the staff will act as the operational manager when there is a disaster.

IT Disaster Recovery

28. a) What is IT disaster recovery?

IT disaster recovery looks specifically at the technical aspects of how a company can get IT back into operation using backup facilities.

b) Why is it a business concern?

IT disaster recovery is a business concern because decisions that seem purely technical may have major implications for the business that IT professionals may not accept and should not have the authority to make.

Types of Backup Facilities

29. a) What are the main alternatives for backup sites?

The main alternatives for backup sites are hot sites, cold sites, and continuous data protection (CDP).

b) What is the strength of each?

Hot sites have everything ready to go in an emergency and have little down time. Cold sites offer the physical facilities to support a backup site, but do not have the equipment in place that a hot site does; this is cheaper than a hot site. As its name suggests, CDP provides continuous data protection with instantaneous recovery.

c) What problem or problems does each raise?

Hot sites are very expensive, cold sites take significant time to procure and install needed equipment and software, and CDP sites usually cannot handle duties of both sites and must prioritize applications.

d) Why is CDP necessary?

CDP is necessary if any down time will significantly impact the business, which it almost always will.

Office PCs

30. What three things should a firm do about disaster recovery planning for office PCs?

When recovery planning for office PCs, a company should first do a backup of everything. Then the firm should get in touch with computer vendors to preorder for new office PCs. Finally, a firm should find a good working environment in which to use the office PCs, especially if the previous office is damaged.

Restoration of Data and Programs

31. a) What must be done to restore data at a backup site via tapes?

First, the backup tapes must be delivered to the backup site; then the backup site must have the proper equipment to do the restoration.

b) How does this change if a firm uses continuous data protection?

With CDP, the backup site already has the proper equipment and data, so recovery is instantaneous.

Testing the IT Disaster Recovery Plan

Conclusion

Synopsis

Thought Questions

1. You are advising a small company. a) Would you recommend using a firewall? Explain.

Advise the company to use a firewall because firewalls are part of intrusion prevention, which is designed to prevent or block any malicious activity into the network. Implementation of this may be long and expensive, but it is well worth it, depending on the type of data and information the company wants to protect and keep safe.

b) Would you recommend using antivirus filtering? Explain.

Yes. Antivirus filtering is very necessary for a company to implement because it is one of the things that will protect a system from outside attacks. Also, because a company can’t fully regulate the Internet browsing activities of its employees, antivirus filtering can help protect against this as well. This is also something that doesn’t take much time to do and is relatively inexpensive.

c) Would you recommend an intrusion detection system? Explain.

For a small company, an IDS would probably be too difficult to manage.

2. When IDSs generate alerts, it can send them to a console in the security center, to a mobile phone, or via e-mail. Discuss the pros and cons of each.

Putting an alarm on the manager console screen is not effective at nights or on weekends if no one will be at the console.

Mobile phone warnings will reach the security administrator, but only very high-probability attacks should be signaled this way or the security administrator will throw the mobile away.

E-mail also is not good for instant announcements. E-mail is best if the security administrator checks e-mail frequently, but during attacks, e-mail cannot be trusted because the e-mail system may be compromised.

3. Examine the integrated log file shown in Figure 10-19. a) Identify the stages in this apparent attack.

Lines 1 – 8

Lines 9 – 11

Lines 13 – 16

Lines 17 – 21

b) For each stage, describe what the attacker seems to be doing.

Lines 1 – 8: Human attacker attempting and finally succeeding in logging into account Lee on 60.3.4.5

Lines 9 – 11: Compromised computer 60.3.4.5 opens a TFTP connection to transfer files from suspect host, possibly downloading hacker toolkit

Lines 13 – 16: Compromised host communicating with another suspect host, possibly sending data retrieved by hacker software or downloading new hacker programs to exploit the compromised host

Lines 17 – 21: Compromised host scanning computes on the 60.0.1.x network, looking for HTTP services for possible exploitation

c) Decide whether the actions in this stage work at human speed or at a higher speed, indicating an automated attack.

Lines 1 – 8: Speed appears to be human driven

Lines 9 – 11: Speed appears to be human driven

Lines 13 – 16: Speed appears to be human driven

Lines 17 – 21: Speed appears to be machine driven

d) Decide whether the evidence in each stage is suggestive of an attack or conclusive evidence.

Lines 1 – 8: Suggestive of an attack, but not conclusive. Need to know more about the Lee account and who might be using it.

Lines 9 – 11: This is conclusive; do not expect any legitimate user to open TFTP connections to an outside host.

Lines 13 – 16: Suggestive, but not conclusive, as we don’t know what data is being transferred.

Lines 17 – 21: Conclusive – this is an obvious port 80 scan by a machine.

e) Overall, do you have conclusive evidence of an attack?

Yes, there is conclusive evidence that an attack has taken place, based primarily upon the TFTP and HTTP port scanning.

f) Do you have conclusive evidence of who committed the attack?

The attacks were committed by a person or a program on 60.3.4.5. However, the evidence that 1.15.3.6 took over the Lee account is not strong. Trying to log in three times is not that uncommon. On the other hand, the attack occurred right after the Lee account login.

4. A firm is trying to decide whether to place its backup center in the same city or in a distant city. List the pros and cons of each choice.

• 
  Same city pros:
  
  • 
    Shorter distance between sites means cheaper costs for the dedicated bandwidth required for CDP-type backup.
    
  • 
    Shorter distance for IT personnel to travel to get cold or hot backup site functional in shortest amount of time
    
• 
  Same city cons
  
  • 
    Major environmental disaster coud possibly take out both primary and backup sites
    
  • 
    Even if the backup site is available, it may not be safe to have personnel travel to backup site due to inclement environmental conditions
    
• 
  Distant city pros:
  
  • 
    Chance that an environmental disaster occurs at both primary and secondary site simultaneously is hopefully very slim
    
• 
  Distant city cons:
  
  • 
    Less visibility of conditions at hot or cold site at time of disaster at primary site may make switching to backup site take longer
    
  • 
    Higher cost in transferring data (CDP), material (computers and backup tapes) and personnel to backup site
    
  • 
    May be unable to get knowledgeable personnel from primary site to backup location quickly in order to facilitate cutover
    

5. To get out of taking exams, students occasionally phone in bomb threats just before the exam. Create a plan to deal with such attacks. This should take one single-spaced page. It should be written by you (a policy advisor) for your dean to approve and post in your college.

• 
  Actions to be taken before the term begins:
  
  • 
    Each teacher should decide on an alternate place to meet in case there is a bomb threat. The alternate place should be written into the syllabus. This removes the motivation to call in a bomb threat.
    
• 
  Actions to be taken by recipient of bomb threat (assuming it’s a phone call):
  
  • 
    Remain calm and attempt to obtain as much information as possible from the caller. Ask the caller to repeat the message and record every word.
    
  • 
    If the caller does not indicate the location of the bomb or time of detonation, ask for this information. Note if the caller appears familiar with the buildings.
    
  • 
    Listen closely to the voice of the caller to determine voice quality, sex, age, accents, or words used repeatedly. If the caller is talkative, ask questions to try to ascertain the caller’s name and/or location.
    
  • 
    Note background noises that could indicate the location of the caller.
    
  • 
    If bomb threat is made via electronic means, save the information and provide it immediately to campus security for investigation.
    
• 
  After the threat is received:
  
  • 
    Immediately call Campus Security.
    
  • 
    Notify your immediate supervisor that you have received a bomb threat and have called security. Do not state the nature of the call to anyone else.
    
  • 
    Complete the university’s Bomb Threat Checklist. Remain at your location until the security officer arrives. The officer will interview you regarding the call and review the checklist.
    
• 
  Evacuation:
  
  • 
    Based on recommendations from Campus Security and/or HPD, the appropriate university designee will determine if an evacuation is necessary and coordinate the evacuation of threatened buildings. Do not evacuate until told to do so by security, as evacuation routes may be unsafe. Follow security instructions. Move to the designated evacuation location stated in the evacuation plan.
    
  • 
    Campus Security will not allow anyone to enter a suspected building except authorized personnel. The Campus Security Director will decide when re-entry is permitted.
    
  • 
    Supervisors will account for all personnel and teachers will attempt to account for all students in class at the time of evacuation. Admissions will prepare to contact all students known to have classes in the affected building, in case of emergency.
    
• 
  Search procedures:
  
  • 
    Campus Security will be in charge of the search. The search will be conducted by Campus Security personnel only.
    
  • 
    Under no circumstances should faculty, staff, or students touch or move a suspected bomb. Notify the security officer in charge of the search in your location of any suspicious objects.
    
• 
  Those found guilty of false or real bomb threats will be expelled from the university in accordance with current university bylaws and prosecuted under state and federal laws.
  

6. After you restore files following an incident, users complain that some of their data files are missing. What might have happened?

Users did not save their files to the file server and they were lost in the incident.

Backup tapes do not include data since last backup, and their files may not have been backed up.

The backup may not have been done properly. Restoration tests should be done to see if there is a problem.

Hands-on Projects

NOTE: Screenshots and IP addresses for individual students will vary.

HoneyBOT^® is a simple honeypot for beginners to use. Honeypots can give you a good idea of how many people are probing your machine for weaknesses. Without a honeypot, you may not be able to tell if anyone is scanning your machine.

In this example, you will use your Web browser to generate some entries in HoneyBOT. You will try to make FTP and HTTP connections with your own computer. The honeypot will record the IP address of the remote machine that is scanning your computer and each port that was scanned.

1. Download HoneyBOT from http://www.atomicsoftwaresolutions.com/honeybot.php.

2. Click on the Download link in the left-hand menu.

3. Click on the appropriate "here" link to download the latest version of HoneyBOT.

4. Click Save.

5. Select your downloads folder.

6. Browse to your downloads folder.

7. Double-Click HoneyBOT_018.exe. (The version number may be different as newer releases become available.)

8. Click Run, Next, I Accept, Next, Next, and Next.

9. Check Create desktop icon.

10. Click Next, Install, and Finish.

11. Press the Start button or click File, and Start.

12. HoneyBOT may ask you to select an adapter if you have multiple NICs in your computer; select your current IP address. (It could be a non-routable IP that starts with "192.168" or it could be a typical IP address.)

13. Click OK.

14. Take a screenshot showing the total number of sockets loaded in the bottom status bar.

15. Click Start.

16. Open a Web browser and go to FTP://[Your IP Address]. (Replace Your IP Address with the IP address that is being used by HoneyBOT. In this example, it was ftp://155.97.74.45.)

17. When prompted for a username, enter your first name.

18. Enter your last name for the password. (Entering your first and last name as username and password will record them in the HoneyBOT log. You don't really have an FTP server running. It's being "faked" by HoneyBOT.)

19. Open a Web browser and go to HTTP://[Your IP Address]. (Replace Your IP Address with the IP address that is being used by HoneyBOT.)

20. Return to HoneyBOT and take a screenshot.

21. Double-click on one of the entries with the local port listing 21. (The remote IP and local IP should be the same.)

22. Take a screenshot of the HoneyBOT log entry showing your first and last name being used to access an FTP server.

Recuva^® is a useful program by Piriform^® that will scan the empty memory space on your computer to see if there are any files that can be recovered. It can also securely delete files so they cannot be recovered.

Most users errantly believe that data is gone forever when they empty it from the Recycle Bin. This is incorrect. It merely marks the space as open to be written over if another file needs to be stored. Your operating system writes over these open spaces and subsequently “damages” the previously deleted file.


1. Download Recuva from http://www.recuva.com/download.



2. Click Download from FileHippo.com.



3. Click Download Latest Version.



4. Click Save.



5. If the program doesn’t automatically open, browse to your download folder.



6. Run the installation program.



7. Select Run, Ok, Next, I Agree, Install, and Finish.



8. Click Start, Programs, Recuva, and Recuva (or you can double-click the Recuva desktop icon).



9. Select the drive from which you want to recover files. (Your C: drive will work, but it will take longer to complete the scan. The scan will complete much more quickly on a USB drive.)



10. Click Scan.



11. After the scan completes, click on any of the recovered files listed with a graphic extension (e.g., .jpg or .bmp) until you see a picture on the right-hand side of the screen.



12. Take a screenshot.



13. Click on the Info tab to see the details for the file.



14. Take a screenshot.



15. Check one of the recoverable graphic files. (Even some of the “unrecoverable” files are actually recoverable.)



16. Click Recover.



17. Save it to your desktop.



18. Open the picture you recovered.



19. Take a screenshot.

Project Thought Questions

1. 
   What impact would more open ports have on the ability of your honeypot to attract hackers?
   

Having more ports open may attract certain hackers. Some hackers look for certain open ports. Some larger servers have many different services running, so hackers look for those machines with many open ports.

2. 
   Can hackers tell that you have a honeypot running?
   

Yes, some hackers may be able to tell that you have a honeypot running based on certain responses given by your honeypot. Since extradition to another country is unlikely, they may not care too much. However, they might want to avoid spending too much time on your machine if they think your computer is just faking all ports.

3. 
   Do they have honeypots for spammers to keep them from harvesting e-mails from your webpages?
   

Yes, there are honeypots for spammers. It’s against the law to “harvest” e-mails from any webpage. Security professionals are starting to use different e-mail notation to stop harvesting programs. Instead of posting their e-mail address as John.doe@company.com, they will post it as “john dot doe at company dot com” or a variation thereof.

4. 
   Do you think law enforcement agencies (e.g., CIA, FBI, NSA, etc.) in the United States run honeypots to track criminal behavior?
   

Yes, they have many different honeypots and IDSs running. They watch criminal behavior very closely and know who is doing what. They watch certain blocks of IP addresses very closely. They even know who is producing viruses and malware. They have big budgets and pretty smart people. It’s a good idea to just stay away from government computers.

5. 
   Would this work on your cell phone if it were connected to your computer?
   

Yes, this will recover data on any device that shows up as a drive. If your phone has this ability, then you can recover lost data/pictures. You can also purchase hardware and software from Paraben that is specifically designed to recover data from mobile devices.

6. 
   What effect does the “condition” of the file have on its ability to be recovered?
   

Some files have been written over and are only partially recoverable. Some files may have been written over many times and are not recoverable. You may have to take an image of that part of your hard drive and examine the files directly.

7. 
   What other recovery options does Recuva come with?
   

This program comes with multilingual support. It will look at both logical and physical drives. It will look in hidden system drives and do a deep scan. It will also show you the information about the file and the detailed file contents.

8. 
   Does Recuva have the ability to find a deleted file by its specific file name?
   

Yes, you can search by a specific file name.

Case Discussion Questions

1. Why are merchants usually responsible for merchandise purchased with stolen credit cards?

Merchants are usually responsible for dollar losses related to stolen credit cards as part of their contract with their credit card company. Making merchants liable for losses makes them very weary to accept stolen credit cards.

2. What is the most common way to detect corporate fraud? Why?

Occupational fraud is more likely to be detected by a tip than by any other method. The majority of tips reporting fraud come from employees of the victim organization.

3. Which forms of fraud are the most common? Why?

Asset misappropriation schemes are by far the most common type of occupational fraud, comprising 87% of the cases reported. They are also the least costly form of fraud, with a median loss of $120,000.

4. Which forms of fraud are the most costly? Why?

Financial statement fraud schemes make up just 8% of the cases, but cause the greatest median loss at $1 million. Corruption schemes fall in the middle, occurring in just over one-third of reported cases and causing a median loss of $250,000. Financial statement fraud cases have the potential to inflict much larger damages due to the nature of the fraud.

5. Why does a perpetrator’s level of authority in the organization, or time working for the organization, affect the average amount of money stolen?

Perpetrators with higher levels of authority and longer tenure with the organization tend to cause much larger losses. They may have greater responsibility over larger assets, be better able to conceal their fraud, be more motivated to commit the fraud, be more knowledgeable about the corporation’s procedures (to avoid getting caught), and may be able to coerce/co-opt subordinates into the fraud scheme.

6. Why are banking and financial services, government and public administration, and manufacturing sectors the most commonly targeted?

These are industries that deal with large budgets, lucrative contracts, and large sums of liquid money. They provide very attractive targets for fraudsters.

7. Why are workers in accounting, operations, sales, executive/upper management, customer service, and purchasing functions most likely to commit fraud?

These workers have access to the systems, personnel, and paperwork to be able to commit the fraud. They also likely have a higher level of knowledge about how internal systems might be manipulated.

8. What are some “red flags” that a person might be involved in fraudulent activities?

Red flags discussed in the report include living beyond one’s means (36% of cases), financial difficulties (27%), unusually close association with vendors or customers (19%), and excessive control issues (18%).

Perspective Questions

1. What was the most surprising thing you learned in this chapter?

Student answers will differ.

2. What was the most difficult material in this chapter for you?

Student answers will differ.

Copyright © 2015 Pearson Education, Inc.

Directory: file -> view
view -> Western Europe after wwii
view -> Author study: paul fleischman
view -> Qpa1 7ela study Guide
view -> Arctic Oil/Gas Neg
view -> November 1970 Approximately 150,000-500,000 deaths Bhola Cyclone Bangladesh
view -> Grade Level: 6 Unit of Study: Caribbean glce
view -> Citation: Duffield, Katy
view -> Table of Contents Lesson #
view -> Chinese Wind Energy Disad

Download 107.44 Kb.

Share with your friends: