Misc - Assignment Questions Flashcards Preview


Flashcards in Misc - Assignment Questions Deck (16)

Discuss the difference between the CIA triangle and the Parkerian Hexad. What are the pros and cons of each?

-- The CIA model is simple compared to the Parkerian hexad.
-- CIA consists of only confidentiality, integrity and availability.
-- Because it is simpler, it has less overhead (in terms of describing an event or asset) and is easier to maintain.
-- The Parkerian hexad is more complex compared to the CIA model.
-- The Parkerian hexad consists of confidentiality, integrity and availability as well as possession (control), authenticity and utility.
-- Because it is more complex, explaining a security event using this model is more detailed, and therefore has fewer ambiguities. However, it has more overhead (in terms of describing an event or asset) and therefore takes more effort to maintain.


Assume that one of your friends has to use a public desktop computer to access his/her bank account immediately. He/She is required to enter his/her username and password to access the related web page. Please give him/her two recommendations about this situation. Additionally, give a potential negative scenario (example) explaining what might happen if he/she does not agree with the recommendation.

- Do not forget to log out (ns - the next person may directly connect to your account)
- Use an on-screen keyboard (ns - if a key-logger application was downloaded to the computer before, it means your password has already been captured and you will be hacked in a short time)
- Change your account password as soon as possible (ns - a person who captured your password may use it a couple of days later to make you unable to guess when your password was captured)
- Do not forget to remove cookies (ns - you may be exposed to a tracking cookie attack)
The advice below is a little bit arguable: whether a public or a private computer is used, the user should be sure that he/she is using a secure channel. I think it may be acceptable.
- Ensure you are using HTTPS (ns - your information can become accessible to others besides you and the related bank staff)


Assume that one of your colleagues' passwords is “Wah$af50” and he changes this password every 90 days by increasing the number by 1 (i.e. Wah$af51, Wah$af52 etc.). Even though you tell him that this is not a secure way, he insists on doing it since he has some memory problems. In this case, what do you suggest to him, and why do you think your suggestion is good?

- Change your password to a passphrase that can be easily remembered, i.e. 1hsmpirmp (I have some memory problems in remembering my password). In that case, one can easily remember his/her password, and even if someone else sees it, he/she cannot understand it.
- Change the number in the password based on a mathematical function, i.e. 3x-4. (In that case, one cannot easily work out your method for changing your password.)


Why does access control based on the MAC address of the systems on our
network not represent strong security?

-- Strong access control requires multiple factors; MAC-address-only filtering is not multifactor.
-- MAC addresses can be spoofed, too.
-- It is not enough if it is the only level of defense.
-- It is not enough to represent a device uniquely on the network.


What are the differences between MAC and DAC in terms of access?

-- MAC in this case stands for Mandatory Access Control and DAC stands for Discretionary Access Control.
-- In DAC, the owner of the device / resource decides who can have access.
-- In MAC, it is not the owner who decides to whom to give permission for access; it is a higher level (an authority, a higher-level manager or a management group) that decides who can have permission to access.
-- MAC is often used in government organizations or organizations such as hospitals where the data is sensitive. On the other hand, DAC is often used by end users who do not decide on sensitive information / resources.


The Bell-LaPadula and Biba multilevel access control models each have a
primary security focus. Can these two models be used in conjunction?

-- Bell-LaPadula focuses on confidentiality.
-- Biba focuses on integrity.
-- In short, they are not mutually exclusive and in theory can be used together. However, that means “no state”! In other words, a class of users can only see/access the info of their own class, so no sharing is possible! So it is only meaningful in theory.


Given a file containing sensitive data and residing in a Linux operating
system, would setting the permissions to rw-rw-rw- cause a potential security
issue? If so, which portions of the CIA triad might be affected?

-- Yes, it will cause a potential security issue.
-- It will affect confidentiality, integrity and availability.
-- Because everyone can read and write the sensitive data, there is no sensitivity left!


Which type of access control would be used in the case where we wish to
prevent users from logging in to their accounts after business hours?

-- access control models -- which one they choose
-- multi-attribute access control -- which attributes they choose
-- multi-level access control -- which levels and models
-- physical access control -- all the physical issues should be sorted out in the answer too


What is the benefit of logging?

-- nonrepudiation
-- deterrence
-- intrusion detection and prevention
-- admissibility of records


Why is accountability important when dealing with sensitive data?

-- nonrepudiation
-- deterrence
-- intrusion detection and prevention
-- admissibility of records
-- AND monitoring!


Why might auditing our installed software be a good idea?

-- vulnerability analysis
-- penetration analysis


Given an environment containing servers that handle sensitive customer
data, some of which are exposed to the Internet, would we want to conduct
a vulnerability assessment, a penetration test, or both? Why?

For this question, the answer should be “both”, and there should be a discussion on why doing both vulnerability assessment and penetration testing is beneficial.


How is physical security important when discussing cryptographic security
of data?

-- This answer needs to be discussed from the perspective of physical security for (i) data at rest, (ii) data in motion and (iii) data in use. The most obvious physical security is for data at rest. In this case storage devices should be physically safe, people who can access them should have physical levels of access, etc. These should be discussed in detail. Moreover, physical security is important for data in motion and data in use as well. This means that we should physically secure our data communication links (if we can) for data in motion. Also, we should physically secure the devices we use (if we can) for data in use. Some discussion of these points is important, too.


What issues might make conducting an international information security
program complex?

In this case, look for a discussion of the following three things (or others that are meaningful to you):
-- cultural differences (example: reporting a breach is less likely in eastern cultures than in western cultures, etc.)
-- ethical differences (example: many of the ways in which Asian cultures use computer technology involve software piracy)
-- differences in cyber law (example: EU law vs USA law vs Canadian law; they need to give real examples, like citing a law, etc.)


Why are industry self-imposed regulations such as PCI DSS important?

“The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents.”
-- The discussion should be around: companies self-impose such standards to protect themselves against fraud, security issues, etc., and to minimize the business / money they may lose because of such security issues. Also, these standards ensure “trust” between companies as well as with their customers.



TCP SYN Scan

This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response.

TCP Connect Scan

In this case, Nmap asks the underlying operating system to establish a full connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.