This one is a bit different from the previous assignment because no references are needed and the answers only have to be one paragraph.


1 Create and Analyze

Please read the following problem description and answer the questions that follow it.

You are the CISO for a mid-sized university. The provost has asked you to examine the use of Amazon Web Services (AWS) throughout the university community. Perhaps the simplest of these services is Amazon Simple Storage Service (S3), which allows storage and retrieval of generic data through a web-based interface. Amazon Elastic Compute Cloud (EC2) is a step up from this in terms of complexity because it allows users to provide both data and programs to a virtual machine that can return an output of some sort. That said, the provost is interested in an estimate of both the total use of Amazon services and in the security risk of that use.

Amazon Web Services

(a) You recognize that finding all possible negative security outcomes is impossible given the myriad possible uses of AWS. However, you must be able to outline the broad categories of concerns as they apply to the university. In no more than one paragraph, outline your strategy for identifying these concerns. Note: This question is not asking you to identify the concerns themselves; it is asking for a strategy that would identify concerns.

(b) The provost will also need recommendations for access control mechanisms that can help the university ensure that Amazon Web Services are only being used by authorized individuals. In no more than one paragraph, outline for the provost, who has no background in information security, why this process is not completely solved by information technology.

(c) The provost has also asked you to consider student privacy rights that the university is required to adhere to under the Family Educational Rights and Privacy Act (FERPA). However, the provost believes that this is “settled law” and, because of this, does not want to involve lawyers. In no more than one paragraph, explain why compliance with a privacy regulation like FERPA requires expertise from both lawyers and technologists.

In this section, you will be presented with three quotes from security questions. In no more than one paragraph, explain the importance of each quote as if you were being asked by a professional information technology colleague why it was so important.

Security Quotes

(a) “Software security is about integrating security practices into the way you build software, not integrating security features into your code.” –Gary McGraw

(b) “Finding vulnerabilities is simple; discover the assumptions a developer made, and then violate those assumptions.” –Eugene Spafford

(c) “We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents.” –Larry Ponemon

The following questions are not related to one another. Please respond to each one in no more than one paragraph.

Grab Bag

(a) What is the value in being able to differentiate between threats, vulnerabilities, and attacks? Why do information security professionals need to reason about these things separately? (Feel free to use an example to illustrate this.)

(b) Data de-duplication is a process where large databases that may contain multiple copies of the same file or information are processed so that only one copy of this data exists. What implications does this process have for encryption?

(c) If you were supplying electronic voting machines for an election, what could you do to violate individuals’ privacy rights? That is, suggest some not readily apparent ways you could rig the machines to make it possible to determine after the election who had voted for which candidates.
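Grab Bag question (b) turns on a concrete trade-off between storage-side de-duplication and encryption. As an added illustration that is not part of the assignment, the following Python compares two encryption choices on a constructed workload: conventional per-user encryption with random IVs (dedup finds nothing) versus convergent encryption keyed from the content itself (dedup still works, but anyone who can guess a file can confirm it is stored). The cipher is a toy SHA-256 keystream construction chosen only so the example runs without third-party packages; a real deployment would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import os


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream in counter mode), used only so the
    example has no third-party dependency; a real system would use AES-GCM."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def encrypt_randomized(user_key: bytes, plaintext: bytes) -> bytes:
    """Conventional encryption: per-user key, fresh random IV per file.
    Identical files yield unrelated ciphertexts, so dedup finds nothing."""
    iv = os.urandom(16)
    return iv + keystream_xor(user_key, iv, plaintext)

def encrypt_convergent(plaintext: bytes) -> bytes:
    """Convergent (message-locked) encryption: key and IV derive from the content,
    so identical files encrypt identically and still de-duplicate. The cost is a
    confirmation leak: anyone holding a candidate file can encrypt it and check
    whether that exact content is already stored."""
    key = hashlib.sha256(b"ce-key|" + plaintext).digest()
    iv = hashlib.sha256(b"ce-iv|" + plaintext).digest()[:16]
    return iv + keystream_xor(key, iv, plaintext)

def dedup_ratio(blobs: list) -> float:
    """Fraction of stored blobs the storage layer can drop as exact duplicates."""
    return 1 - len(set(blobs)) / len(blobs)

def compare_dedup(num_users: int = 3) -> dict:
    """Constructed workload: each user uploads the same two shared documents plus
    one file unique to them; returns the dedup ratio under each storage mode."""
    shared = [b"course syllabus v2 (shared)", b"dataset-2020.csv (shared)"]
    uploads = [(os.urandom(32), shared + [b"notes of user %d" % u])
               for u in range(num_users)]
    plain = [f for _, files in uploads for f in files]
    randomized = [encrypt_randomized(k, f) for k, files in uploads for f in files]
    convergent = [encrypt_convergent(f) for f in plain]
    return {"plaintext": dedup_ratio(plain),
            "randomized": dedup_ratio(randomized),
            "convergent": dedup_ratio(convergent)}

if __name__ == "__main__":
    for mode, ratio in compare_dedup().items():
        print(f"{mode:>10}: {ratio:.0%} of uploads removable by de-duplication")
```

With three users the plaintext and convergent modes both let the storage layer drop 4 of 9 uploads, while the randomized mode drops none; the convergent mode's determinism is exactly what enables the confirmation leak noted in its docstring.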
