(4 Points Each)
1. List and briefly define the fundamental security design principles.
2. Describe the risk analysis approach and the steps in a detailed or formal risk analysis.
3. Describe the basic principles utilized in mandatory access control. How do these basic principles help MAC control the dissemination of information?
4. What is a message authentication code?
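Worked example for question 4, added here and not part of the original question set: a MAC computed with HMAC-SHA256 (Python's standard hmac module) and the three checks a verifier should pass or fail. The key, message and forged message are constructed sample values; the contrast with an unkeyed hash is included because it is the usual point of confusion.

```python
import hashlib
import hmac
import secrets


def mac_tag(key: bytes, message: bytes) -> bytes:
    # HMAC-SHA256: the tag depends on the secret key and on every byte of the message.
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    # The receiver recomputes the tag with the shared key. compare_digest is constant-time,
    # so an attacker cannot learn the correct tag byte by byte from timing differences.
    return hmac.compare_digest(mac_tag(key, message), tag)


def unkeyed_digest(message: bytes) -> bytes:
    # Contrast case: a plain hash sent alongside the message, with no key involved.
    return hashlib.sha256(message).digest()


def demo() -> dict:
    key = secrets.token_bytes(32)            # shared secret, distributed out of band
    msg = b"transfer 100 to account 42"     # constructed sample message
    forged = b"transfer 900 to account 42"  # attacker's modification in transit
    tag = mac_tag(key, msg)
    return {
        # genuine message and tag verify
        "genuine": verify_tag(key, msg, tag),
        # altered message: the old tag no longer matches and the attacker cannot make a new one
        "tampered": verify_tag(key, forged, tag),
        # a tag produced under some other key is rejected
        "wrong_key": verify_tag(secrets.token_bytes(32), msg, tag),
        # with an unkeyed hash the attacker just recomputes the digest over the forged text,
        # so the "check" passes: a hash alone gives integrity against noise, not against an adversary
        "unkeyed_hash_forgery_accepted": unkeyed_digest(forged) == hashlib.sha256(forged).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the MAC does not give: because sender and receiver hold the same key, either of them could have produced the tag, so a MAC provides origin authentication and integrity but not non-repudiation; that needs a digital signature.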
5. What is the security of a virtualization solution dependent upon? What are some recommendations to address these dependencies?
6. List the items that should be included in an IT security implementation plan.
7. Describe the inference problem in databases. What are some techniques to overcome the problem of inference?
8. Assume you have found a USB memory stick in the parking lot at work. What threats might this pose to your work computer should you just plug the memory stick in and examine its contents? What steps could you take to mitigate those threats and safely determine the contents of the memory stick?
9. Explain why input validation mitigates the risks of SQL injection attacks.
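Worked example for question 9, added here and not part of the original question set: a login check that splices user input into SQL, the payload that defeats it, and the hardened version that combines allow-list input validation with a parameterised query. The users table, its rows and the username character policy are constructed for the example; any real system would store salted password hashes rather than the clear-text values used here to keep the mechanics visible.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data (clear-text passwords only so the injection is easy to follow).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "user"),
        ("admin", "hunter2", "admin"),
    ])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    # Untrusted input becomes part of the SQL text, so it can change the query's structure.
    query = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()


# closes the quoted string, then the SQL comment marker removes the password test entirely
INJECTED_USERNAME = "admin' --"

# Allow-list: the characters a username may legitimately contain (assumed policy for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(username: str) -> bool:
    # Quotes, spaces and comment markers are not on the allow-list, so they are rejected
    # before any SQL is built.
    return USERNAME_RE.fullmatch(username) is not None


def login_hardened(conn, username: str, password: str):
    # 1) Validation shrinks the input space to what a username can be.
    if not valid_username(username):
        return None
    # 2) A parameterised query hands the values to the driver separately from the SQL text,
    #    so a value is always data and never becomes part of the statement. This is the
    #    primary defence; validation is defence in depth and also protects later code that
    #    might format the value into something other than SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, INJECTED_USERNAME, "anything"))
    print("hardened:  ", login_hardened(db, INJECTED_USERNAME, "anything"))
```

The vulnerable query that actually runs for the payload is `... WHERE username = 'admin' --' AND password = 'anything'`, which logs in as admin without a password. The hardened path never reaches the database for that input, and even an unvalidated value could not alter the statement because it is bound as a parameter.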
10. What are the benefits and risks of server-side scripting?
11. What is the difference between persistent and non-persistent cross-site scripting attacks?
12. Briefly describe how Unix-like systems, including Linux, use filesystem quotas and process resource limits. What type of attacks are these mechanisms useful in preventing?
13. Why are pharming and phishing attacks often used in concert with each other?
14. Describe the Windows 10 security feature, Control Flow Guard, and the type of attack it helps to prevent. Who is responsible for implementing Control Flow Guard—the system administrator or application developer?
15. Define three types of intellectual property.
16. Give an example of a computer crime. What are some unique issues associated with such crimes?
17. Briefly summarize one federal law or regulation that addresses confidentiality, privacy, or security. Give an example of how the law is applied to ensure confidentiality, privacy, or security.
18. List and briefly describe three cloud service models.
19. What are the disadvantages to database encryption?
20. What are three broad mechanisms that malware can use to propagate?
21. What are the typical phases of operation for a virus or worm?
22. Imagine you are the database administrator for a military transportation system. There is a table named cargo in the database that contains information on the various cargo holds available on each outbound airplane. Each row in the table represents a single shipment and lists the contents of that shipment and the flight identification number. Only one shipment per hold is allowed. The flight identification number may be cross-referenced with other tables to determine the origin, destination, flight time, and similar data. The cargo table appears as follows:

Flight ID   Cargo Hold   Contents      Classification
1254        A            Boots         Unclassified
1254        B            Guns          Unclassified
1254        C            Atomic Bomb   Top Secret
1254        D            Butter        Unclassified
There are two roles defined: Role 1 has full access rights to the cargo table. Role 2 has full access rights only to rows of the table in which the Classification field has the value Unclassified. Describe a scenario in which a user assigned to Role 2 uses one or more queries to determine there is a classified shipment on board the aircraft.
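Worked example for question 22 (and for the inference problem asked about in question 7), added here and not part of the original question set: the cargo table above built in SQLite, Role 2's restricted view, and the inference attack. Seeing no row for hold C is ambiguous on its own (C could be empty), so the probe that resolves it is an attempted unclassified INSERT into that hold: the one-shipment-per-hold constraint rejects it, revealing that something Role 2 cannot see is already there. Assumptions: SQLite has no row-level security, so Role 2's read access is simulated with a view; the list of holds on the aircraft is taken as known from a cross-referenced table; and an extra empty hold E is added so the empty and hidden cases can be told apart.

```python
import sqlite3

# Assumed: the aircraft's hold list comes from a cross-referenced table. E is an extra
# empty hold, not in the page's table, added so that "empty" and "hidden" differ.
ALL_HOLDS = ("A", "B", "C", "D", "E")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE cargo (
            flight_id      INTEGER NOT NULL,
            cargo_hold     TEXT    NOT NULL,
            contents       TEXT    NOT NULL,
            classification TEXT    NOT NULL,
            UNIQUE (flight_id, cargo_hold)   -- only one shipment per hold
        )""")
    conn.executemany("INSERT INTO cargo VALUES (?, ?, ?, ?)", [   # rows from the question
        (1254, "A", "Boots",       "Unclassified"),
        (1254, "B", "Guns",        "Unclassified"),
        (1254, "C", "Atomic Bomb", "Top Secret"),
        (1254, "D", "Butter",      "Unclassified"),
    ])
    # Role 2 may read only Unclassified rows: simulated with a view (SQLite has no row-level security).
    conn.execute("CREATE VIEW cargo_role2 AS "
                 "SELECT * FROM cargo WHERE classification = 'Unclassified'")
    conn.commit()
    return conn


def role1_rows(conn, flight_id):
    # Role 1 has full access and sees every row.
    return conn.execute(
        "SELECT cargo_hold, contents, classification FROM cargo "
        "WHERE flight_id = ? ORDER BY cargo_hold", (flight_id,)).fetchall()


def role2_visible_holds(conn, flight_id) -> set:
    # Role 2's SELECT goes through the view, so hold C simply does not appear.
    rows = conn.execute("SELECT cargo_hold FROM cargo_role2 WHERE flight_id = ?", (flight_id,))
    return {r[0] for r in rows}


def role2_probe_hold(conn, flight_id, hold) -> bool:
    """Role 2 books an Unclassified shipment into `hold` (an action its rights allow).
    Returns True if the hold turns out to be occupied."""
    try:
        conn.execute("INSERT INTO cargo VALUES (?, ?, ?, ?)",
                     (flight_id, hold, "Tents", "Unclassified"))
    except sqlite3.IntegrityError:
        # UNIQUE (flight_id, cargo_hold) fired: a row Role 2 cannot read already occupies the hold.
        conn.rollback()
        return True
    conn.rollback()          # accepted: the hold was empty; undo the probe booking
    return False


def infer_hidden_shipments(conn, flight_id, holds=ALL_HOLDS) -> set:
    # Holds that are neither visible to Role 2 nor bookable by it must carry a classified shipment.
    visible = role2_visible_holds(conn, flight_id)
    return {h for h in holds if h not in visible and role2_probe_hold(conn, flight_id, h)}


if __name__ == "__main__":
    db = make_db()
    print("Role 2 sees holds:", sorted(role2_visible_holds(db, 1254)))
    print("Holds with hidden shipments:", sorted(infer_hidden_shipments(db, 1254)))
```

The leak comes from the integrity constraint, not from the SELECT path: the database must enforce uniqueness across all rows, so its error response carries information about rows the policy hides. Mitigations discussed under question 7 apply here, for example polyinstantiation (allowing a second, Unclassified row for hold C so the INSERT succeeds) or returning the same response to Role 2 whether the hold is empty or classified.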
23. As part of a formal risk assessment on the use of laptops by employees of a large government department, you have identified the asset “confidentiality of personnel information in a copy of a database stored unencrypted on the laptop” and the threat “theft of personal information, and its subsequent use in identity theft caused by the theft of the laptop.” Suggest reasonable values for the items in the risk register for this asset and threat, and provide justifications for your choices.
24. Consider a popular Digital Rights Management (DRM) system like Apple’s FairPlay, which is used to protect audio tracks purchased from the iTunes music store. If a person purchases a track from the iTunes store by an artist managed by a record company such as EMI, identify which company or person fulfils each of the DRM component roles (Content Provider, Clearinghouse, Consumer, and Distributor).
25. Assume you receive an e-mail which appears to come from your bank, includes your bank logo on it, and with the following contents:
“Dear Customer, Our records show that your Internet banking access has been blocked due to too many login attempts with invalid information such as incorrect access number, password, or security number. We urge you to restore your account access immediately, and avoid permanent closure of your account, by clicking on this link to restore your account. Thank you from your customer service team.” What form of attack is this e-mail attempting? What is the most likely mechanism used to distribute this e-mail? How should you respond to such e-mails?