Part 1: True/False – Multiple Choice answers (2 Points Each)
- Suppose you have the following secret message you want to send to your friend: Meet me at Starbucks at 3pm to go over the security project!
- Your public key
- Friend’s private key
- Your secret key
- Friend’s public key
- Shared key
- You want to check the integrity of a file and want to make sure it was not modified in transit. What would you use to check the file’s integrity?
You want to encrypt and transmit the message and send to your friend so he/she can read it. You are using asymmetric encryption.Which key would you use to encrypt the message?
3. True or False
4. True or False
Discretionary Access Control (DAC) policy is vulnerable to Trojan horse attacks.
- You are developing a cryptographic embedded system. One of the requirements is for you to use a block cipher mode. Which of the following modes would use different key inputs to different blocks so that two identical blocks of plaintext will not result in the same ciphertext?
- True or False
- True or False
- The RMF framework addresses the security concerns of organizations related to the design, development, implementation, operation, and disposal of information systems and the environments in which those systems operate. In which step of the RMF framework is SP 800-37 document used?
- Attacks against passwords is a serious problem that is a growing concern.Which of the following is not a common method of attack against passwords?
- Key logger
- Password guessing
- Shadow password
- Dictionary attack
- True or False
You are asked to design and implement a secure computer system for your company.One of the requirements is to use access controls using a defense-in-depth strategy. One layer of defense should satisfy this requirement to keep intruders or attackers from reaching the system.
An old federal system architecture is being replaced with a new one. You are asked to implement new security controls for the new architecture. FIPS 200 and NIST 800-53 are used as a guidance that will ensure requirements and security controls are selected properly.
Biometrics are based on something you are, smartcards are based on something you have, passwords are based on something you know.
Part 2: Short Answers (10 points each). Please answer briefly and completely and cite all sources of information. Please restrict your answer for each question to three fourth (3/4) of a page (double spaced) or less.
- Explain the details of each of the access control models (MAC, DAC, Role-BAC, Rule-BAC, ABAC) and provide an example of how each of them is used.
- Define the difference between need to know and the principle of least privilege.
- Compare and contrast a security plan and security policy. Give an example of how each of these are used?
- What is the difference between Symmetric Key Cryptography and Asymmetric Key Cryptography? Provide an example of when each is best used.
- Define the CIA Triad security principles. Provide a use example of each of the principles.
Part 3: Short Essay (30 points). Please restrict your answer to 3 pages (double spaced) or less.
A company has been the victim of a series of security breaches. You are hired as the security consultant and your job is to help reduce the risk from future attacks. You check the web server log for possible clues as to what happened. Also, you check the database and some of the data is missing or corrupted.
Respond to each of the following, considering all the material we have studied in this course so far. Cite these and other pertinent sources used in your answer. Be specific but fully explain and give reasons for your answers.
- What are the steps you would take in order to identify the vulnerabilities that lead to the security breaches?
- What would your recommendation be to the management team to help them reduce the risk from future attacks?
- Write a security policy for this company.