Week 1
discussion DQ1
Vulnerabilities of Your Systems? We're
spending some time this week coming up with a common understanding of security
terminology, and vulnerability is one of those fundamental terms. While the
word weakness seems to define it pretty well, there are a number of ways that
information systems can become vulnerable. Acts of commission or omission can
be equally responsible for a system vulnerability. What about your systems,
both at home and at work? In what ways are they vulnerable?
DQ2
Threats against Your Systems? It's a pretty
rough world out there for data. While a large percentage of information
technology security budgets is devoted to reducing the risk of malicious
attacks, there are other ways in which systems or data become damaged. What
threats are you aware of when it comes to your personal systems and the systems
at your job?
Week 2
discussion DQ1
Security Issues in Telecommunications What
are the advantages and disadvantages of virtual offices, including
telecommuting? What are the security and management issues concerning virtual
offices, especially hooked up into large virtual networks? Please comment on
the views of your fellow students here.
DQ2
What Access Controls Are in Use? What are
your organization's assets? Are there any access controls in place? How
effective are they? How can you tell? What are the weaknesses in the controls?
Are any new or upgraded access controls being considered? Let's explore this
substantial component of information security.
Week 3
discussion DQ1
Cryptographic Products As we are learning,
there are a lot of uses for cryptography in information technology, and there
are a lot of different algorithms, cryptographic processes, key lengths,
implementation methods, and so on. Let's explore the world of cryptographic
products. What's available out there? What kind of quality is found in free,
open-source products? What types of hardware devices? What types of software
implementations? How are they used? What problems do they solve? How effective
are they? How can you tell? What are the tradeoffs between security and
business process efficiency? Let's start with everyone presenting one
cryptographic product (past, present, or future). No duplications, please, so
be sure to read all the previous posts. Then, respond to the posts of your
classmates with questions, additional information, and so forth.
DQ2
Cryptographic Standards Ever since World
War II and the ensuing Cold War, cryptographic methods have been the source of
much government angst. Protecting the information of one's own government and
accessing the data of other governments has been a preoccupation of many
nations. With the growth of civilian computer networks in the 1980s and the
development of Internet-based e-commerce in the 1990s, concerns about data
security spread from governments to the public sector. The tension between the
government's goal of control of cryptographic methods and business' need for
internationally trustworthy security resulted in skirmishes between the two.
Let's discuss the modern history of cryptography in terms of
commercial-governmental tensions. What can you find out about this? What are
the considerations when determining how to standardize cryptographic methods?
How are cryptographic methods regulated? What are the different laws that
govern the use of cryptography? Are they reasonable? Whose interests are most
important when determining the extent to which cryptography should be
standardized, regulated, and mandated? Do a little research and see what you
can come up with in one or more of these areas. And be sure to comment on the
posts of your classmates.
Week 4
discussion DQ1
Network Services Users are familiar with
some network services such as HTTP (Hypertext Transfer Protocol) - the Web;
and SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) -
e-mail and instant messaging. But there are others like DHCP (Dynamic Host
Configuration Protocol), DNS (Domain Name System), FTP (File Transfer
Protocol), NNTP (Network News Transfer Protocol), Telnet, SSH (Secure Shell),
SSL-TLS (Secure Sockets Layer-Transport Layer Security) and others that the
average user may not have heard of. Tell us more about these services. How do
they figure into organizational security? What are the most recent threats
against them? What are the risks associated with attacks against network
services? What are possible consequences? What are specific controls and
general best practices to mitigate risk? Jump right in. Do a little research on
some part of network service security and share with us your findings as well
as your experiences and opinions. And, of course, please respond to your
classmates' posts with ideas, questions, comments, other perspectives, and so
forth.
DQ2
Security Architecture Before responding to
this forum, be sure to read the section in this week's lecture on security
architecture. Think about your organization's security architecture. How much
do you know about it? How much do other workers know? How easy is it to learn
more? Does your perception of the organization's security architecture seem
appropriate for the mission and goals of the organization? How much management
commitment to security do you sense? Briefly describe your organization, but
please DON'T reveal any specific security details that would compromise your
organization's security controls. Feel free to make up a name and even alter
the products or services the organization offers to maintain its anonymity as
needed. What we should discuss is the general nature of the business, your
role, your view on the organization's security architecture, and what you think
the ideal security architecture should be for your organization. As we get
moving on this discussion, consider the ideas of your classmates. Would they be
appropriate for your organization? Even if you don't have much connection with
the security activities in your company, what do you THINK would be
appropriate? As always, post early, post often, and address the posts of your
classmates.
Week 5
discussion DQ1
Case Study – Would You Hire Goli? How would you respond if
Goli (Case VIII, p. 707 in our text) came to you describing a vulnerability in
your system and offering to help fix it? What would incline you to hire her?
What would disincline you from doing so? Please explain your answer and also
reply to the comments of others.
DQ2
Privacy: Right or Privilege?
Privacy seems to mean different things to
different people. What does privacy mean to you? Is privacy a right or a
privilege? How should one's privacy be legally protected or secured, especially
when using the Internet? Maybe this is not absolutely possible; protection may
always be viewed as a relative term. Why or why not? Please comment on the
responses of other students.
Week 6
discussion DQ1
BC and DR Business Continuity (BC) planning and Disaster Recovery (DR) planning
are key elements in organizational security architectures. What is the
difference between them and why is it important to know the difference when
representing security proposals to management?
DQ2
Meeting Regulations With what federal,
state, and/or organizational regulations regarding information systems and data
management must your organization comply? How can you identify these
regulations? How can you remain informed about changes in these requirements?
How can your organization or industry influence these regulations?
Week 7
discussion DQ1
Personal/Group Ethics What is ethics? Is it a
cultural standard or an individual standard? Do managers have a responsibility
to maintain an ethical standard within a department? If so, how is the expected
ethical standard established? How is it documented? How is compliance measured?
What happens when an individual's ethical standard conflicts with the group
standard? How should members of the group react? How should the individual
react?
DQ2
Security Skills What skills are needed by
personnel working in information security? List some job titles in the field
and come up with some required qualifications and some desirable
qualifications. Take a look at some job listings and resumes for ideas. After
all, you may be applying for one of these jobs soon!
Week 1
quiz
Question 1. (TCO A)
Describe an organizational information situation where data confidentiality
would be more important than data availability or integrity.
Question 2. (TCO A) Which of the following
is the weakest password?
Question 3. (TCO A) While our focus in the
course is on threats to information systems, this question focuses on the
concept of threats, vulnerabilities, and controls as applied to other kinds of
systems. Select two examples of threats to automobiles for which auto
manufacturers have instituted controls. Describe the vulnerabilities for which
the controls were created and assess the effectiveness of these controls giving
the justification for your assessment. Your answer does not need to address
information security but you need to demonstrate your understanding of the
terms: threat, vulnerability, and control. (Note: specific answers to this
question are not in the assigned reading material.)
Question 4. (TCO A) To what extent does
U.S. Combined Federal Criteria quantitatively and measurably demonstrate the
practical effectiveness of the security measures it mandates? In other words,
how well does it objectively measure real-world security? How would this
influence your use of this standard in a given computing environment? Be sure
that your answer addresses quantitative and measurable practical
effectiveness.
Question 5. (TCO A) Network enumeration is
used to _______________________.
Question 6. (TCO A) One privacy concern
about the use of biometric authentication is unintentional functional scope.
Please briefly define this concern and give an example.
Week 4
midterm
Question 1. (TCO A) What are the
three types of user authentication?
Name three examples of each type of
authentication.
Question 2. (TCO A) Cite a real-world database
situation in which the sensitivity of an aggregate is greater than that of its
constituent values.
Question 3. (TCO B) Suppose you have a high
capacity network connection coming into your home, and you also have a wireless
network access point. Also suppose you do not use the full capacity of your
network connection. List three reasons you might still want to prevent an
outsider from obtaining free network access by intruding into your wireless network.
Question 4. (TCO C) Respond to each part of
this question: a) Describe how a long number (encryption key) can be shared
between sender and receiver without using any source that is obvious to
outsiders and without directly sending the number from sender and receiver. b)
Describe how a long number (encryption key) can be shared between sender and
receiver over an unsecured network without loss of confidentiality.
Question 5. (TCO B) Which of the following is a correct statement?
The UDP protocol provides flow control for transport-layer communications.
The Kerberos authentication protocol requires that network servers' clocks be synchronized.
A rogue DNS server can be used to participate in a DHCP cache poison attack.
ARP is used to resolve MAC addresses to IP addresses.
Link encryption ensures that information is protected within the communicating systems.
Week 3
assignment
Phase I - Identifying potential
weaknesses from either the Aircraft Solutions or Quality Web Design Company is
due this week. Please carefully read Course Project Requirements in Doc Sharing
to be sure your submission addresses all required elements. Pay particular
attention to the grading standards found in the Course Project page (Course
Home.) See the Syllabus section "Due Dates for Assignments & Exams"
for due date information. Submit your assignment to the Dropbox, located at the
top of this page. For instructions on how to use the Dropbox, read these
step-by-step instructions.
Week 7
course project
Phase II: the Course Project (comprised of Phase I revised based on
Week 3 feedback and the Solutions phase) -
Recommend solutions to the potential weaknesses from either the Aircraft
Solutions or Quality Web Design Company is due. Please be sure that your
submission contains all of the required elements and grading standards. Refer
to the grading standards outlined in the Course Project found in the Course
Home and the Course Project Requirements document in the Doc Sharing tab. See
the Syllabus section "Due Dates for Assignments & Exams" for due
date information.
Week 8
final exam
Question 1. (TCO A) You are responsible
for developing a security evaluation process that can be used to assess various
operating systems both during and after development. List the five most
desirable qualities your evaluation process should have and explain why they
are important. (Be sure to address qualities of the evaluation process, not
specific metrics for assessment of operating systems.)
Question 2. (TCO B) Acme Films produces
advertisements for cable television stations. They have two locations in a
large metropolitan area. Building 1 contains the administrative, sales,
marketing, human resources, development, and graphics departments. Building 2
contains the sound stages, production and post production facilities,
equipment, and mobile unit storage. The two buildings, five miles apart, are
connected by a VPN using a T1 connection. Each location is protected by
hardware firewalls and each location has a DMZ. Building 1's DMZ includes Web,
FTP, DNS, and e-mail servers. Building 2's DMZ includes an FTP server from which
clients can access work product. Network-based IDS systems are placed in the
DMZs. There are 75 Windows XP workstations in each location. Workstation
security is centrally managed and includes anti-virus, anti-spyware, and patch
management. File, application, database, and print servers at each location are
protected by anti-virus, anti-spyware, and patch management. Internet access is
provided to users via a proxy server and NAT. User authentication is controlled
by Windows 2008 Active Directory and users must authenticate by using a smart
card and entering a PIN. Discretionary access control methods are in use. List
and assess three security threats faced by the information technology systems
and list and describe 1 security control needed that would be appropriate to
address each threat. (Points : 40)
Question 3. (TCO C) Why is a firewall
usually a good place to terminate a Virtual Private Network (VPN) connection
from a remote user? Why not terminate the VPN connection at the actual servers
being accessed? Under what circumstances would VPN termination at the server be
a good idea?
Question 4. (TCO D) A computer
programmer has been arraigned for a computer crime. She is suspected of having
accessed system files on a public Web server. The programmer's attorney argues
that his client was only trying to determine if the website was secure and that
no harm was done to the Web server or its system files. The programmer's
attorney also argues that it is possible that the log files that show that his
client accessed system files were tampered with. The attorney claims that the
Web server was made accessible to the public anyway so that there was no
violation of the law and that the arraignment against her client should be
thrown out. You're the judge. What is your analysis of these arguments? (Points
: 40)
Question 5. (TCO E) After reading about
attacks on servers similar to the ones used in one of your company's
departments, the CIO has asked you to come up with a report as to what, if any,
steps should be taken with your servers. List and describe the steps you would
need to take in order to complete a detailed report. (Points : 40)
Question 6. (TCO F) Are ethics a matter
of absolute right and wrong or are they changeable? Can an ethical person
consider something to be wrong and then, later, consider that same thing to be
right while still being ethical? Explain your reasoning. (Points : 40)
Question 7. (TCO G) Which of the following statements is true? (Points : 20)
A patent is typically easier to obtain than a copyright.
Computer programs cannot be copyrighted.
The "fair use doctrine" prohibits reproduction of copyrighted material.
Copyright applies to ideas. Patents apply to things.
In order to assure patent rights, the holder need not oppose all infringement.
Question 8. (TCO H) Some IT department
policies are designed to prevent behaviors by IT staff. While some depend upon
the employee voluntarily complying with the policy (for example: do not reveal
technical information to outside parties), others are enforced technically (for
example, authentication required for system access). What is an example of a
policy that technically enforces ethical behavior by IT staff? Provide policy
wording for your example. (Points : 40)