INFA 610

profileAskabul
INFA610_FinalExam_Spring19.docx

INFA 610

Final Exam

Due: April 28, 2019

Professor: Dr. Zulema Caldwell

Name:

Instructions: Please submit answers to the questions below. Answers can be submitted on a separate answer key or can be inserted into this document. The Final Exam is open-book and open notes, and the exam covers all reading and material covered in the course (Sessions 1-11). All work must be completed individually, and a document containing your answers must be uploaded by the due date listed above.

Multiple Choice (1 Point Each)

1. Under the Digital Millennium Copyright Act (DCMA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of infringement claim from a copyright holder?

a. Storage of information by a customer on a provider’s server

b. Caching of information by the provider

c. Transmission of information over the provider’s network by a customer

d. Caching of information in a provider search engine

2. Yolanda is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?

a.

b. GLBA

c. SOX

d. HIPAA

e. FERPA

3. Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?

a.

b. FISMA

c. PCI DSS

d. HIPAA

e. GISRA

4. Kesla Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wants to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation?

a.

b. Patent

c. Trade Secret

d. Copyright

e. Trademark

5. Bethany is the security administrator for a public school. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Bethany enforcing?

a.

b. Integrity

c. Availability

d. Confidentiality

e. Denial

Questions 6-7 use the following scenario:

A web content development company with 40 employees has two offices (New York and San Francisco). Each office has a local area network protected by a perimeter firewall. The LAN contains modern switch equipment connected to both wired and wireless networks.

Each office has its own file server, and the IT team runs software every hour to synchronize files between the two servers, distributing content, such as images and web content, between the offices. The team also uses a SaaS-based email and document collaboration solution for much of their work.

You are the newly appointed IT manager for the company, and you are working to augment existing security controls to improve the organization’s security.

6. Users in the two offices would like to access each other’s file servers over the Internet. What control would provide confidentiality for those communications?

a.

b. Digital signatures

c. Virtual private network

d. Virtual LAN

e. Digital content management

7. Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?

a.

b. Hashing

c. ACLs

d. Read-only attributes

e. Firewalls

8. What law serves as the basis for privacy rights in the United States?

a. Privacy Act of 1974

b. Fourth Amendment

c. First Amendment

d. Electronic Communications Privacy Act of 1986

9. Michael is the security administrator for a consulting firm and must enforce access controls that restrict users’ access based upon their previous activity. For example, once a consultant accesses data belonging to Cheery Cola, a consulting client, they may no longer access data belonging to any of Cheery’s competitors. What security model best fits Michael’s needs?

a.

b. Clark-Wilson

c. Biba

d. Bell-LaPadula

e. Brewer-Nash

10. Raju is selecting an encryption algorithm for use in his organization and would like to be able to vary the strength of the encryption with the sensitivity of the information. Which one of the following algorithms allows the use of different key strengths?

a.

b. Blowfish

c. DES

d. Skipjack

e. IDEA

11. Which one of the following statements is correct about the Biba model of access control?

a. It addresses confidentiality and integrity.

b. It addresses integrity and availability.

c. It prevents covert channel attacks.

d. It focuses on protecting objects from integrity threats.

12. In a virtualized computing environment, what component is responsible for enforcing separation between guest machines?

a.

b. Guest operating system

c. Hypervisor

d. Kernel

e. Protection manager

13. Alison is examining a digital certificate presented to her by her bank’s website. Which one of the following requirements is not necessary for her to trust the digital certificate?

a. She knows that the server belongs to the bank.

b. She trusts the certificate authority.

c. She verifies that the certificate is not listed on a Certificate Revocation List.

d. She verifies the digital signature on the certificate.

14. Which one of the following is an example of a covert timing channel when used to exfiltrate information from an organization?

a. Sending an electronic mail message.

b. Posting a file on a peer-to-peer file sharing service

c. Typing with the rhythm of Morse code

d. Writing data to a shared memory space

15. Mandatory access control is based on what type of model?

a.

b. Discretionary

c. Group based

d. Lattice based

e. Rule based

16. Which of the following is not a type of attack used against access controls?

a.

b. Dictionary attack

c. Brute force attack

d. Teardrop

e. Man-in-the-middle attack

17. What type of security issue arises when an attacker can deduce a more sensitive piece of information by analyzing several pieces of information classified at a lower level?

a.

b. SQL injection

c. Multilevel security

d. Aggregation

e. Inference

18. Luke runs the accounting systems for his company. The morning after a key employee was fired, systems began mysteriously losing information. Luke suspects that the fired employee tampered with the systems prior to his departure. What type of attack should Luke suspect?

a.

b. Privilege escalation

c. SQL injection

d. Logic bomb

e. Remote code execution

19. Sally is eavesdropping on the unencrypted communications between the user of a website and the web server. She manages to intercept the cookies from a request header. What type of attack can she perform with these cookies?

a.

b. Session hijacking

c. Cross-site scripting

d. Cross-site request forgery

e. SQL injection

20. Which one of the following attack types takes advantage of a vulnerability in the network fragmentation function of some operating systems?

a.

b. Smurf

c. Land

d. Teardrop

e. Fraggle

21. Which one of the following cryptographic algorithms supports the goal of nonrepudiation?

a.

b. Blowfish

c. DES

d. AES

e. RSA

Questions 22-25 refer to the following scenario:

Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.

22. When the certificate authority (CA) created Renee’s digital certificate, what key was contained within the body of the certificate?

a.

b. Renee’s public key

c. Renee’s private key

d. CA’s public key

e. CA’s private key

23. When the certificate authority created Renee’s digital certificate, what key did it use to digitally sign the completed certificate?

a.

b. Renee’s public key

c. Renee’s private key

d. CA’s public key

e. CA’s private key

24. When Mike receives Renee’s digital certificate, what key does he use to verify the authenticity of the certificate?

a.

b. Renee’s public key

c. Renee’s private key

d. CA’s public key

e. CA’s private key

25. Mike would like to send Renee a private message using the information gained during the exchange. What key should he use to encrypt the message?

a.

b. Renee’s public key

c. Renee’s private key

d. CA’s public key

e. CA’s private key

Short Answer (5 Points Each)

What is system hardening? List the NIST recommendations for system hardening.

Describe the basic principles utilized in mandatory access control. How do these basic principles help MAC control the dissemination of information?

What is a message authentication code?

What is the security of a virtualization solution dependent upon? What are some recommendations to address these dependencies?

List the items that should be included in an IT security implementation plan.

There are several issues security professionals must address for database implementation. Two of those issues are how to handle inference as well as database encryption.

Describe the inference problem in databases. What are some techniques to overcome the problem of inference?

What are the disadvantages with implementing database encryption?

Explain why input validation mitigates the risks of SQL injection attacks.

For each layer in the OSI model, identify a typical security threat and describe how each threat can be neutralized.

Define three types of intellectual property.

Briefly summarize one federal law or regulation that addresses confidentiality, privacy, or security. Give an example of how the law is applied to ensure confidentiality, privacy, or security.

List and briefly describe three cloud service models.

What are three broad mechanisms that malware can use to propagate?

Imagine you are the database administrator for a military transportation system. There is a table named cargo in the database that contains information on the various cargo holds available on each outbound airplane. Each row in the table represents a single shipment and lists the contents of that shipment and the flight identification number. Only one shipment per hold is allowed. The flight identification number may be cross-referenced with other tables to determine the origin, destination, flight time, and similar data. The cargo table appears as follows:

Flight ID

Cargo Hold

Contents

Classification

1254

A

Boots

Unclassified

1254

B

Guns

Unclassified

1254

C

Atomic Bomb

Top Secret

1254

D

Butter

Unclassified

There are two roles defined: Role 1 has full access rights to the cargo table. Role 2 has full access rights only to rows of the table in which the Classification field has the value Unclassified. Describe a scenario in which a user assigned to Role 2 uses one or more queries to determine there is a classified shipment on board the aircraft.

As part of a formal risk assessment on the use of laptops by employees of a large government department, you have identified the asset “confidentiality of personnel information in a copy of a database stored unencrypted on the laptop” and the threat “theft of personal information, and its subsequent use in identity theft caused by the theft of the laptop.” Suggest reasonable values for the items in the risk register for this asset and threat, and provide justifications for your choices. 

Consider a popular Digital Rights Management (DRM) system like Apple’s FairPlay, which is used to protect audio tracks purchased from the iTunes music store. If a person purchases a track from the iTunes store by an artist managed by a record company such as EMI, identify which company or person fulfils each of the DRM component roles (Content Provider, Clearinghouse, Consumer, and Distributor).