Chapter 1 Quiz


Part 1
Chapter 1 Problems: 1.4
For each of the following assets, assign a low, moderate, or high impact level for the loss of confidentiality, availability, and integrity, respectively. Justify your answers.
a. An organization managing public information on its Web server.
b. A law enforcement organization managing extremely sensitive investigative information.
c. A financial organization managing routine administrative information (not privacy-related information).
d. An information system used for large acquisitions in a contracting organization contains both sensitive, pre-solicitation phase contract information and routine administrative information. Assess the impact for the two data sets separately and the information system as a …

a. Assuming no feedback to the adversary until each attempt has been completed, what is the expected time to discover the correct password?
b. Assuming feedback to the adversary flagging an error as each incorrect character is entered, what is the expected time to discover the correct password?

3.5
A phonetic password generator picks two segments randomly for each six-letter password. The form of each segment is CVC (consonant, vowel, consonant), where V = {a, e, i, o, u} and C = V̄ (the complement of V).
a. What is the total password population?
b. What is the probability of an adversary guessing a password correctly?

3.6
Assume that passwords are limited to the use of the 95 printable ASCII characters and that all passwords are 10 characters in length. Assume a password cracker with an encryption rate of 6.4 million encryptions per second.
How long will it take to test exhaustively all possible passwords on a UNIX system?
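An added example, not part of the quiz or the textbook, that carries the arithmetic behind problems 3.4 to 3.6 through in Python and generalizes it to any alphabet size, password length and guess rate. The 26-letter, four-character, one-guess-per-second setting used to illustrate 3.4 is an assumption, since the page elides that problem's premise.

```python
def expected_attempts_no_feedback(alphabet_size: int, length: int) -> float:
    """Expected guesses when the adversary learns success or failure only after
    a complete attempt. The password is uniform over N = k^n candidates, so on
    average (N + 1) / 2 of them must be tried."""
    space = alphabet_size ** length
    return (space + 1) / 2


def expected_attempts_with_feedback(alphabet_size: int, length: int) -> float:
    """Expected guesses when each wrong character is flagged as it is entered.
    Every position is then solved independently in (k + 1) / 2 guesses on
    average, so the cost is linear in the length instead of exponential."""
    return length * (alphabet_size + 1) / 2


def phonetic_population(vowels: int = 5, letters: int = 26, segments: int = 2) -> int:
    """Number of passwords made of `segments` CVC segments, where the consonant
    set C is the complement of the vowel set V in a `letters`-letter alphabet."""
    consonants = letters - vowels
    per_segment = consonants * vowels * consonants
    return per_segment ** segments


def exhaustive_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Seconds needed to try every password of the given length at `rate`
    guesses per second (problem 3.6: 95 printable characters, length 10)."""
    return alphabet_size ** length / rate


if __name__ == "__main__":
    # Assumed setting for 3.4: four alphabetic characters, one guess per second.
    k, n, rate = 26, 4, 1.0
    no_fb = expected_attempts_no_feedback(k, n) / rate
    with_fb = expected_attempts_with_feedback(k, n) / rate
    print(f"3.4a no feedback: {no_fb:,.1f} s ({no_fb / 3600:,.1f} h)")
    print(f"3.4b per-character feedback: {with_fb:,.1f} s")

    pop = phonetic_population()
    print(f"3.5a population: {pop:,}  3.5b guess probability: {1 / pop:.3e}")

    secs = exhaustive_seconds(95, 10, 6.4e6)
    print(f"3.6 exhaustive search: {secs:.3e} s ({secs / (365 * 86400):,.0f} years)")
```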

Chapter 4 Review questions: 4.1
Briefly define the difference between DAC and MAC.

Problems: 4.1
For the DAC model discussed in Section 4.3, an alternative representation of the protection state is a directed graph. Each subject and each object in the protection state is represented by a node (a single node is used for an entity that is both subject and object). A directed line from a subject to an object indicates an access right, and the label on the link defines the access …

5.10
Describe some of the main cloud-specific security threats.

Problems: 5.8

Part II
Article summary: Please read the article “Security Controls for Computer Systems” at the following URL: http://www.rand.org/pubs/reports/R609-1/index2.html

1. Write a 1-2 page report (single-spaced, not counting quotations used) according to the following requirements. (20 points)
- Pick one specific technical issue related to authentication from the Rand report.
- Justify your choice: why is this an authentication issue?
- Include whether the technical issue you choose still exists in today’s computer systems, and why or why not.

Elaborate your answer. I would appreciate your critical thoughts on these questions. Referring to materials beyond the report and the textbook is highly recommended. If you choose to do so, please include a list of references, and use the APA format for citations and references where appropriate.

PART 3

2. Repeat the same process shown in #1 with a technical issue on access control from the Rand report. All requirements are the same except for the topic you choose for discussion. (20
