Information Assurance Homework 1 s1
Total Page:16
File Type:pdf, Size:1020Kb
Name:
Information Assurance: Homework 2
Due February 3, 2009 on compass.
1. For an online shopping website, describe a threat, a vulnerability, an attack, and a security control, all of them related to each other. For example, the security control must prevent the vulnerability from being exploited by the attack. (20 pts) One example: Threat: data alteration Vulnerability: weak encryption Attack: an attacker can change payment amounts Control: using SSL (or strongly encrypted connection)
2. Identify the type of each of the following threats (interception, modification, fabrication, or interruption): (20 pts) a) Eve changes a transaction form submitted by Alice to her bank. modification b) A key-logger logs all of the keys pressed on the keyboard. interception c) An attacker sends so many fake and large requests to a server that the server’s memory runs out and it crashes. interruption d) Eve generate a bogus request from Alice to a web server. fabrication e) Eve flood a web server with dummy traffic so that the bandwidth runs out and nobody else can see the webpage. interruption 3. An online shopping company has two major assets. Each asset has the following value and risk of loss over a year: (20 pts) Asset Value Risk (per year) Customer records $200,000 10% Backend servers $500,000 0.5% a) What is the annual loss exposure (ALE)? (0.1*$200,000) + (0.005*$500,000)=$22,500 Name:
b) If you consult for this company, which of the following controls do you recommend? New risk for New risk for Control Cost customer backend servers records Intrusion detection $15,000 1% 0.5% system (IDS) Fire alarm system in $10,000 10% 0.1% the server rooms
Cost + ALE for IDS = $15,000 + $2,000 + $2500= $19,500 Cost + ALE for fire alarm = $10,000 + $20,000 + $500= $30,500 We recommend IDS.
4. Why in the IETF policy model, PEP and PDP are in different modules? (15 pts) clear separation of duty multiple PEPs can use one PDP (more scalable) modular design easier to debug (one reason is enough)
5. In the following DTEL policy: (15 pts) domain d_httpserver = (/sbin/httpd), (crwd->t_httpfiles), (rd->t_config), (rxd->t_scripts);
a) Can the httpd daemon change the configuration files? (file type t_config) no b) Which file types can the httpd daemon execute? t_scripts Name:
c) What files can the httpd daemon search? t_httpfiles, t_config, and t_scripts
6. XACML is a policy language usually used for access control in web services or attribute-based systems (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml). Is it a high level or low level language? (10 pts) High level