ISA 562 – 2020
NOTE 1: You must submit answers to Bb, on time, as a typed PDF (i.e. one constructed from this .docx file; otherwise you will receive 0 points).
NOTE 2:Be concise with your answers. Please do not write pages of prose to gain partial credit by providing definitions (this will not gain partial credit) unless the question explicitly asks for this. Additionally, listing incorrect reasoning will result in point loss even if your remaining answer is correct.
NOTE 3: While not mandatory, I would appreciate if your answers were in blue text.
Question 1 (15 points):
For the following access control policy rules, create an Access Control Matrix (as a table in Word, via Insert/Table, etc.), a list of ACLs for each Object, and a list of Capabilities for each Principal. Do not use the “graphical” representation outlined in the text; instead, use the set notation format indicated in the lecture slides.
Objects:
· budget.xls
· process 1
· print queue 1
· print queue 2
Principals:
· Alice
· Darci
· Machelle
· Leila
· Jeri
“The organization” makes the following decisions about its DAC access controls:
For this DAC implementation, the default access is “no access”, meaning a privilege must be explicitly mentioned to grant access. Additionally, deny takes precedence over accept rights, and Auth should be formed by evaluating the following requirements in the order listed:
1. Alice, Darci, and Machelle can read budget.xls but cannot alter it in any way. Each of these principals can submit print jobs to queue 1
2. Leila can submit print jobs to print queue 1 but cannot submit print jobs to queue 2
3. Everyone can submit print jobs to print queue 2
4. Darci and Machelle both own process 1
5. Everyone can execute process 1
6. Jeri has the same access rights as Alice but is denied the rights that Leila has.
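As an added illustration of the evaluation mechanism described above (default “no access”, rules applied in the listed order, explicit deny beating any grant), and not part of the exam itself, the following Python encodes rules 1–5 as data and derives ACLs and capability lists from the resulting matrix. The reading of rule 6 (copy Alice's effective rights to Jeri, then deny Jeri every right Leila effectively holds) is an assumption made here, not something the exam states.

```python
# Added example, not part of the exam: evaluator for the Question 1 DAC rules.
# Mechanism: default "no access", rules applied in listed order, explicit deny
# beats any grant. ACLs (column view) and capability lists (row view) are
# then read off the resulting matrix.
PRINCIPALS = ["Alice", "Darci", "Machelle", "Leila", "Jeri"]
OBJECTS = ["budget.xls", "process 1", "print queue 1", "print queue 2"]
READERS = ["Alice", "Darci", "Machelle"]

# Rules 1-5 as data: (granted triples, denied triples) over (principal, object, right).
# "Cannot alter" in rule 1 needs no entry: write is simply never granted.
RULES = [
    ([(p, "budget.xls", "read") for p in READERS]
     + [(p, "print queue 1", "submit") for p in READERS], []),
    ([("Leila", "print queue 1", "submit")],
     [("Leila", "print queue 2", "submit")]),
    ([(p, "print queue 2", "submit") for p in PRINCIPALS], []),
    ([(p, "process 1", "own") for p in ("Darci", "Machelle")], []),
    ([(p, "process 1", "execute") for p in PRINCIPALS], []),
]

def rule6(grants, denies):
    """Assumed reading of rule 6: give Jeri every right Alice effectively
    holds at this point, then deny Jeri every right Leila effectively holds."""
    effective = grants - denies
    alice = [(o, r) for (p, o, r) in effective if p == "Alice"]
    leila = [(o, r) for (p, o, r) in effective if p == "Leila"]
    return [("Jeri", o, r) for o, r in alice], [("Jeri", o, r) for o, r in leila]

def build_matrix():
    """Return {principal: {object: set(rights)}} holding only effective rights."""
    grants, denies = set(), set()
    for granted, denied in RULES:          # rules 1-5, in listed order
        grants |= set(granted)
        denies |= set(denied)
    granted, denied = rule6(grants, denies)  # rule 6 depends on the state so far
    grants |= set(granted)
    denies |= set(denied)
    matrix = {p: {o: set() for o in OBJECTS} for p in PRINCIPALS}
    for p, o, r in grants - denies:        # deny takes precedence over grant
        matrix[p][o].add(r)
    return matrix

def acls(matrix):
    """Column view: {object: {principal: rights}}, non-empty entries only."""
    return {o: {p: matrix[p][o] for p in PRINCIPALS if matrix[p][o]} for o in OBJECTS}

def capabilities(matrix):
    """Row view: {principal: {object: rights}}, non-empty entries only."""
    return {p: {o: rs for o, rs in matrix[p].items() if rs} for p in PRINCIPALS}

if __name__ == "__main__":
    m = build_matrix()
    for p, row in capabilities(m).items():
        print(f"Cap({p}) = {row}")
    for o, col in acls(m).items():
        print(f"ACL({o}) = {col}")
```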
Question 2 (25 points)
Consider three hosts that each use a standard human-memorized password-based authentication system, with independent user accounts and passwords. Suppose Alice, Bob, and Chris are people who have a user account on each of these three hosts. Suppose all systems enforce a complex password policy that produces long and difficult-to-remember passwords (however, users are instructed to memorize them).
Consider the following situation:
· No system uses salted passwords.
· Alice uses the same password across all hosts (a.k.a. multi-use passwords)
· Chris uses a different password for each host (a.k.a. single-use passwords [2])
[2] Recall the specific definition for this from the lecture slides. Single-use passwords are not one-time-use passwords.
· Each host is configured to temporarily disable an account for 30 minutes, after 5 consecutive login failures (due to incorrect passwords)
Bob is trying to decide which password use strategy will best protect the organization against common password attack/recovery methods we have discussed in class. For each of the following password attacks, which user password selection strategy (Alice vs Chris) should Bob emulate to be most resistant to the following attack methods (include your reasoning and/or a brief comparison of both cases in the presence of the attack):
2.1 (4/25 points) – Online Dictionary Attack
2.2 (4/25 points) – Offline Dictionary Attack
2.3 (4/25 points) – Passive Social Engineering (e.g. physical access to Alice/Bob’s workspace, but no ability to modify…”observe only”)
2.4 (4/25 points) – Active keyboard wiretapping (e.g. physical access and means to install USB keylogger)
2.5 (9/25 points) – If the system administrators for these three systems decide to implement a randomized salt, do any of your answers above change? Include your justification for Y/N for each type of attack. Assume that an adversary will never have access to the stored password file (but may have access to the stored password hash, depending on the attack) and has no knowledge of the salt’s specific implementation.
Question 3 (15 points)
3.1 (5/15 points) Viruses that perform no overt malicious acts are referred to in the text as bacteria or rabbits. This kind of code appears to be benign, but its activity can still have security implications. In less than 40 words, explain why such code can still have a negative effect on computer systems.
3.2.1 (5/15 points) Let’s assume that “bacteria” is discovered on a host by a network defender, and there exists no known information about this code or its true nature. What other kind of malicious code could this be (specifically, one of the types of code mentioned in this course that masquerades as something innocuous, but instead houses the means for a potential future attack)?
3.2.2 (5/15 points) Name one of the examples from the textbook for the malicious code type you mentioned in 3.2.1. Briefly explain the main outcome from this code (e.g. what does it do for the Adversary)?
Question 4 (20 points)
4.1 (5/20 points) What does NAT do to outgoing connections from an internal network to an external/public web server? (Be specific about changes to packet headers and other information within the communication.)
4.2 (5/20 points) Which 2 layers from the OSI model are used to facilitate basic NAT?
4.3 (10/20 points) Describe one way that a NAT device effectively operates like a firewall.
Question 5 (15 points)
5.1 (5/20 points) Name a single pro and single con to choosing to use Smart Cards vs Magnetic Strip Cards for card-based authentication.
5.2 (10/20 points) Under what circumstance would a two-dimensional barcode provide the same secrecy of user identification data as a magnetic strip card or smart card when used in an authentication procedure (i.e. what constraints on the adversary would be necessary to make this the case)?
Question 6 (10 points)
6.1 (10/10 points) What is the most significant reason for constructing “pull-based” adversary C2 (for example, in botnet deployments for bots to communicate to a botmaster on the Internet) whereby on-network assets use the HTTP protocol to request instructions from an external adversary web server? Hint: What network defense mechanism is such a channel meant to defeat?
Bonus Question (up to 10 points [3])
Other than HTTP (or any HTTP-based protocol [4]), what other protocol might provide the same opportunities for the C2 channel mentioned in Question 6? Briefly describe how bi-directional C2 communication would be constructed using this alternative protocol.
[3] I will limit the maximum exam score to 100 total points, regardless of your bonus question answer (i.e. 100 is the maximum exam score; this question is meant to provide a buffer for lost points, etc.).
[4] Such as HTTPS, or any overlay communication protocol that uses HTTP/HTTPS.