Part 1: Determine whether each of the following statements is True or False. You must defend your answer in a short paragraph and cite all sources of information, if any. Each question is worth 3 points.
1. T F A BLP model breaks down when low classified executable data are allowed to be executed by a high clearance subject.
2. T F An agent in CWM should also have the execute rights regarding an entity after the agent is permitted to certify that entity.
3. T F User authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic.
4. T F Traditional RBAC systems define the access rights of individual users and groups of users.
5. T F Consider data that is stored over time in a mandatory access control based system. The contents of files containing highly classified (“top secret”) information are necessarily more trustworthy than material stored in files marked unclassified.
6. T F With unlimited resources and security controls, it is possible to reduce risk to zero.
7. T F The purpose of the DSS algorithm is to enable two users to securely reach agreement about a shared secret that can be used as a secret key for subsequent symmetric encryption of messages.
8. T F Viruses infect executable files and hardware as well.
9. T F Modes of operation are the alternative techniques that have been developed to increase the security of symmetric block encryption for large sequences of data.
10. T F In a BLP model, some process of managed downgrading of information is needed to restore reasonable classification levels.
Please put your answers in the following table.
Part 2: Short Answers (10 points each). Please answer briefly and completely, and you must cite all sources of information.
1. An electronic mail system could be used to leak information. First, explain how the leakage could occur. Then, identify controls that could be applied to detect or prevent the leakage.
2. Respond to the allegation “An operating system requires no protection for its executable code (in memory) because that code is a duplicate of code maintained on disk.” Is the statement true? Why?
3. Assume that passwords are limited to the use of the 95 printable ASCII characters and that all passwords are 12 characters in length. Assume a password cracker with an encryption rate of 8 giga encryptions per second. How many years will it take to test exhaustively all possible passwords on a UNIX system? Note: You must also show the steps of your calculation.
4. Consider public key encryption. Ann wants to send Bill a message. Let Annpriv and Annpub be Ann’s private and public keys, respectively, and likewise for Bill (Billpriv and Billpub).
(a) If Ann sends a message to Bill, what encryption should Ann use so that only Bill can decrypt the message (secrecy)? (3 points)
(b) Can Ann encrypt the message so that anyone who receives the message is assured that the message only came from Ann (authenticity)? (3 points)
(c) Is it possible for Ann to devise a method that will allow for both secrecy and authenticity for her message? Please justify your answer. (4 points)
5. As part of a formal risk assessment of the main file server for a small legal firm, you have identified the asset “integrity of the accounting records on the server” and the threat “financial fraud by an employee, disguised by altering the accounting records.” Suggest reasonable values for the items in the risk register for this asset and threat with justifications for your choice.
Part 3: Short Essay (20 points). Please restrict your answer to three (3) pages (double spaced) or less. You must cite all sources of information if any.
Steven Information Technology, Inc. (SITI) is a fictional multi-national company providing outsourced financial services to a variety of clients across many industries, including commercial and government entities. SITI specializes in billing and invoicing services, in which SITI receives relevant data from its clients and processes the data to produce the invoices, monthly statements, and other billing items that are sent to SITI’s clients’ customers. SITI employees serve the company’s customers both on-site at customer locations and while working in SITI facilities. SITI employees routinely store data related to multiple clients on their company-issued laptops.
SITI’s Chief Information Officer, having read of the numerous data breaches reported among commercial and government organizations, has become concerned about the risk to SITI’s customers and potentially the company’s reputation if SITI were to experience a similar breach. He has tasked you, the Director of Information Security, to create a new corporate policy regarding the protection of client and company confidential data stored on employee computers, particularly including laptops. Respond to each of the following, taking into account material we have studied in this course regarding threats and vulnerabilities. Cite the pertinent sources used in your answer. Be specific and briefly but fully explain and give reasons for your answers.
a. Summarize the primary vulnerabilities and potential threats that exist for SITI related to the practice of storing sensitive data on laptops. Use your answer to clarify the difference between vulnerabilities and threats (if there are any). In your opinion, which of the risks SITI faces are most significant to the company?
b. What measures would you propose to senior management to try to prevent a breach of data held by SITI? Your response should include recommendations for mitigating vulnerabilities identified in part (a).
c. Discuss the key characteristics of a policy statement and write one specifying employee and company responsibilities for protecting client and corporate data, such as the data stored on employee laptops. Be sure to address requirements for protecting the data from theft, and for rendering the data unusable should it be compromised.
Note: Please answer the above questions a-c separately. Your total answer to all three questions should be restricted to three (3) pages (double spaced) or less. In addition to the answer, you must cite all sources of information, if any.