Cis 502Enhance teaching / snaptutorial.com

CIS 502 All Assignments (2 Set)
For more classes visit
www.snaptutorial.com
CIS 502 Week 2 Assignment 1 Web Server Application Attacks
(2 Papers)
CIS 502 WEEK 6 Assignment 2: Critical Infrastructure
Protection (2 Papers)
CIS 502 Week 9 Assignment 3 Cybersecurity (2 Papers)
CIS 502 Week 10 Technical Paper Risk Assessment (2 Papers)
CIS 502 Week 3 Case Study 1 Advanced Persistent Threats
Against RSA Tokens (2 Papers)
CIS 502 Week 4 Case Study 2 Social Engineering Attacks and
Counterintelligence (2 Papers)
CIS 502 Week 7 Case Study 3 Mobile Devices Security (2
Papers)
CIS 502 WEEK 8 CASE STUDY Mobile Device Security and
Other Threats (2 Papers)
***************************************************
CIS 502 Final Exam Guide

CIS 502 Final Exam Guide
• 1 Two parties are exchanging messages using
public key cryptography. Which of the following statements
describes the proper procedure for transmitting an encrypted
message?
• 2 Public key cryptography is another name for:
• 3 A running-key cipher can be used when:
• 4 Two parties, Party A and Party B, regularly
exchange messages using public key cryptography. One party,
Party A, believes that its private encryption key has been
compromised. What action should Party B take?
• 5 Two parties that have never communicated
before wish to send messages using symmetric encryption key
cryptography. How should the parties begin?
• 6 A stream cipher encrypts data by XORing
plaintext with the encryption key. How is the ciphertext
converted back into plaintext?

• 7 Two parties that have never communicated before
wish to send messages using asymmetric key cryptography.
How should the parties begin?
• 8 The Advanced Encryption Standard is another
name for which cipher:
• 9 All of the following statements about the
polyalphabetic cipher are true EXCEPT:
• 10 Which U.S. law gives law enforcement
organizations greater powers to search telephone, e-mail,
banking, and other records?
• 11 A security incident as defined as:
• 12 An organization has developed its first-
ever computer security incident response procedure. What type
of test should be undertaken first?
• 13 The (ISC)2 code of ethics includes all of the
following EXCEPT:
• 14 The allegation that an employee has violated
company policy by downloading child pornography onto a
company workstation should result in:
• 15 A case of employee misconduct that is the subject
of a forensic investigation will likely result in a court
proceeding. What should included in the forensic investigation:

• 16 A suspect has been forging credit cards with the
purpose of stealing money from their owners through ATM
withdrawals. Under which U.S. law is this suspect most likely to
be prosecuted?
• 17 The categories of laws in the U.S. are:
• 18 The purpose of a password policy that requires a
minimum number of days between password changes is:
• 19 The most effective way to confirm
whether backups function properly is:
• 20 All of the following are valid reasons for backing
up data EXCEPT:
• 21 The purpose of backups includes all of the
following EXCEPT:
• 22 An organization has in its possession many types
of business records that vary in sensitivity and handling
requirements. No policy exists that defines how any of these
records should be protected. This organization lacks:
• 23 An employee in an organization is requesting
access to more information than is required. This request should
be denied on the basis of which principle:

• 24 An organization has been made a party in a civil
lawsuit. The organization is required to search its electronic
records for specific memoranda. This process is known as:
• 25 An organization’s IT manager is establishing a
business relationship with an off-site media storage company,
for storage of backup media. The storage company has a
location 5 miles away from the organization’s data center, and
another location that is 70 miles away. Why should one location
be preferred over the other?
• 26 The process of erasing magnetic media through
the use of a strong magnetic field is known as:
• 27 Which type of fire extinguisher is effective
against flammable liquids:
• 28 The type of smoke detector that is designed to
detect smoke before it is visible is:
• 29 The term “N+1” means:
• 30 A building access mechanism where only one
person at a time may pass is called a:
• 31 A secure facility needs to control incoming
vehicle traffic and be able to stop determined attacks. What
control should be implemented:

• 32 A security manager is concerned that lost key
cards can be used by an intruder to gain entrance to a facility.
What measure can be used to prevent this?
• 33 The risks of excessive humidity in a computing
facility include all of the following
• 34 Provided it is permitted by local fire codes, which
type of fire sprinkler system is most preferred for computer
rooms?
• 35 The innermost portion of an operating system is
known as:
• 36 A security analyst has a system evaluation criteria
manual called the “Orange Book”. This is a part of:
• 37 The component in a computer where program
instructions are executed is called the:
• 38 A resource server contains an access control
system. When a user requests access to an object, the system
examines the permission settings for the object and the
permission settings for the user, and then makes a decision
whether the user may access the object. The access control
model that most closely resembles this is:
• 39 The TCSEC system evaluation criteria is used to
evaluate systems of what type:

• 40 A source code review uncovered the existence of
instructions that permit the user to bypass security controls.
What was discovered in the code review?
• 41 A hidden means of communication between two
systems has been discovered. This is known as:
• 42 A security officer has declared that a new
information system must be certified before it can be used. This
means:
• 43 A systems engineer is designing a system that
consists of a central computer and attached peripherals. For
fastest throughput, which of the following technologies should
be used for communication with peripheral devices:
• 44 A network manager wishes to simplify
management of all of the network devices in the organization
through centralized authentication. Which of the following
available authentication protocols should the network manager
choose:
• 45 On a TCP/IP network, a station’s IP address is
10.0.25.200, the subnet mask is 255.255.252.0, and the default
gateway is 10.0.25.1. How will the station send a packet to
another station whose IP address is 10.0.24.10?
• 46 How many Class C networks can be created in a
Class B network:

• 47 Someone is sending ICMP echo requests
to a network’s broadcast address. What is this person doing?
• 48 A station on a network is sending hundreds of
SYN packets to a destination computer. What is the sending
computer doing?
• 49 An IT manager wishes to connect several branch
offices to the headquarters office for voice and data
communications. What packet switched service should the IT
manager consider?
***************************************************
CIS 502 Midterm Set 1
CIS 502 Midterm set 1
• 1 A security manager is developing a data
classification policy. What elements need to be in the policy?

• 2 An organization employs hundreds of office
workers that use computers to perform their tasks. What is the
best plan for informing employees about security issues?
• 3 The statement, “Information systems should be
configured to require strong passwords”, is an example of a/an:
• 4 The statement, “Promote professionalism among
information system security practitioners through the
provisioning of professional certification and training.” is an
example of a/an:
• 5 Exposure factor is defined as:
• 6 A security manager needs to perform a risk
assessment on a critical business application, in order to
determine what additional controls may be needed to protect the
application and its databases. The best approach to performing
this risk assessment is:
• 7 CIA is known as:
• 8 An organization has a strong, management-driven
model of security related activities such as policy, risk
management, standards, and processes. This model is better
known as:
• 9 The impact of a specific threat is defined as:
• 10 Annualized loss expectancy is defined as:

• 11 A security manager is performing a quantitative
risk assessment on a particular asset. The security manager
wants to estimate the yearly loss based on a particular threat.
The correct way to calculate this is::
• 12 An organization wishes to purchase an
application, and is undergoing a formal procurement process to
evaluate and select a product. What documentation should the
organization use to make sure that the application selected has
the appropriate security-related characteristics?
• 13 An organization suffered a virus outbreak when
malware was download by an employee in a spam message.
This outbreak might not have happened had the organization
followed what security principle:
• 14 Which of the following is NOT an authentication
protocol:
• 15 The categories of controls are:
• 16 Organizations that implement two-factor
authentication often do not adequately plan. One result of this is:
• 17 Buffer overflow, SQL injection, and stack
smashing are examples of:

• 18 A biometric authentication system that
incorporates the results of newer scans into a user's profile is
less likely to:
• 19 One disadvantage of the use of digital certificates
as a means for two-factor authentication is NOT:
• 20 A smart card is a good form of two-factor
authentication because:
• 21 Which of the following statements about
Crossover Error Rate (CER) is true:
• 22 The reason why preventive controls are preferred
over detective controls is:
• 23 What is the best defense against social
engineering?
• 24 The reason that two-factor authentication is
preferable over ordinary authentication is:
• 25 Video surveillance is an example of what type(s)
of control:
• 26 A database administrator (DBA) is responsible
for carrying out security policy, which includes controlling
which users have access to which data. The DBA has been asked
to make just certain fields in some database tables visible to
some new users. What is the best course of action for the DBA
to take?

• 27 The most effective countermeasures against input
attacks are:
• 28 The primary advantage of the use of workstation-
based anti-virus is:
• 29 The purpose for putting a “canary” value in the
stack is:
• 30 An attack on a DNS server to implant forged “A”
records is characteristic of a:
• 31 A defense in depth strategy for anti-malware is
recommended because:
• 32 A security assessment discovered back doors in
an application, and the security manager needs to develop a plan
for detecting and removing back doors in the future. The most
effective countermeasures that should be chosen are:
• 33 “Safe languages” and “safe libraries” are so-
called because:
• 34 The instructions contained with an object are
known as its:
• 35 A user, Bill, has posted a link on a web site that
causes unsuspecting users to transfer money to Bill if they click

the link. The link will only work for users who happen to be
authenticated to the bank that is the target of the link. This is
known as:
• 36 What is the most effective countermeasure
against script injection attacks?
• 37 All of the following are advantages of using self-
signed SSL certificates
• 38 The following are characteristics of a computer
virus EXCEPT:
• 39 An organization is about to start its first disaster
recovery planning project. The project manager is responsible
for choosing project team members. Which staff members
should be chosen for this project?
• 40 The activity that is concerned with the
continuation of business operations is:
• 41 The purpose of a parallel test is:
• 42 The greatest risk related to a cutover test is:
• 43 A DRP project team has determined that the RTO
for a specific application shall be set to 180 minutes. Which
option for a recovery system will best meet the application’s
recovery needs?

• 44 The primary impact of a pandemic on an
organization is:
• 45 An organization that is building a disaster
recovery capability needs to re-engineer its application servers
to meet new recovery requirements of 4 hour RPO and 24 hour
RTO. Which of the following approaches will best meet this
objective?
• 46 The first priority for disaster response should be:
• 47 The purpose of off-site media storage is:
• 48 The types of BCP and DRP tests are:
• 49 At the beginning of a disaster recovery planning
project, the project team will be compiling a list of all of the
organization’s most important business processes. This phase of
the project is known as:
• 50 The definition of Recovery Point Objective
(RPO) is:
***************************************************
CIS 502 Midterm Set 2

CIS 502 Midterm set 2
• 1 An organization recently underwent an audit of
its financial applications. The audit report stated that there were
several segregation of duties issues that were related to IT
support of the application. What does this mean?
• 2 A security manager is developing a data
classification policy. What elements need to be in the policy?
• 3 An organization employs hundreds of office workers
that use computers to perform their tasks. What is the best plan
for informing employees about security issues?
• 4 An organization suffered a virus outbreak when
malware was download by an employee in a spam message.
This outbreak might not have happened had the organization
followed what security principle:
• 5 A security manager is performing a quantitative risk
assessment on a particular asset. The security manager wants to
estimate the yearly loss based on a particular threat. The correct
way to calculate this is::
• 6 A qualitative risk assessment is used to identify:

• 7 An employee with a previous criminal history
was terminated. The former employee leaked several sensitive
documents to the news media. To prevent this, the organization
should have:
• 8 CIA is known as:
• 9 The options for risk treatment are:
• 10 The statement, “Information systems should be
configured to require strong passwords”, is an example of a/an:
• 11 An organization has a strong, management-driven
model of security related activities such as policy, risk
management, standards, and processes. This model is better
known as:
• 12 An organization wishes to purchase an application,
and is undergoing a formal procurement process to evaluate and
select a product. What documentation should the organization
use to make sure that the application selected has the appropriate
security-related characteristics?
• 13 The statement, “Promote professionalism among
information system security practitioners through the
provisioning of professional certification and training.” is an
example of a/an:
• 14One disadvantage of the use of digital certificates as a
means for two-factor authentication is NOT:

• 15 The categories of controls are:
• 16 A biometric authentication system that
incorporates the results of newer scans into a user's profile is
less likely to:
• 17 The use of retina scanning as a biometric
authentication method has not gained favor because:
• 18 Buffer overflow, SQL injection, and stack
smashing are examples of:
• 19 Which of the following statements about
Crossover Error Rate (CER) is true:
• 20 In an information system that authenticates users
based on userid and password, the primary reason for storing a
hash of the password instead of storing the encrypted password
is:
• 21 The reason why preventive controls are preferred
over detective controls is:
• 22 Video surveillance is an example of what type(s)
of control:
• 23 Which of the following is NOT an authentication
protocol:
• 24 An information system that processes sensitive
information is configured to require a valid userid and strong

password from any user. This process of accepting and
validating this information is known as:
• 25 What is the best defense against social engineering?
• 26 The following are valid reasons to reduce the
level of privilege for workstation users
• 27 The purpose for putting a “canary” value in the stack
is:
• 28 An organization wants to prevent SQL and script
injection attacks on its Internet web application. The
organization should implement a/an:
• 29 The instructions contained with an object are
known as its:
• 30 Rootkits can be difficult to detect because:
• 31 A user, Bill, has posted a link on a web site that
causes unsuspecting users to transfer money to Bill if they click
the link. The link will only work for users who happen to be
authenticated to the bank that is the target of the link. This is
known as:
• 32 An attack on a DNS server to implant forged “A”
records is characteristic of a:
• 33 “Safe languages” and “safe libraries” are so-
called because:

• 34 A defense in depth strategy for anti-malware is
recommended because:
• 35 The most effective countermeasures against input
attacks are:
• 36 A database administrator (DBA) is responsible
for carrying out security policy, which includes controlling
which users have access to which data. The DBA has been asked
to make just certain fields in some database tables visible to
some new users. What is the best course of action for the DBA
to take?
• 37 The following are characteristics of a computer
virus EXCEPT:
• 38 A list of all of the significant events that occur in
an application is known as:
• 39 The purpose of a parallel test is:
• 40 The first priority for disaster response should be:
• 41 In what sequence should a disaster recovery planning
project be performed?
• 42 For the purpose of business continuity and
disaster recovery planning, the definition of a “disaster” is:
• 43 The purpose of a server cluster includes all of the
following EXCEPT:

• 44 The definition of Recovery Point Objective
(RPO) is:
• 45 At the beginning of a disaster recovery planning
project, the project team will be compiling a list of all of the
organization’s most important business processes. This phase of
the project is known as:
• 46 An organization is about to start its first disaster
recovery planning project. The project manager is responsible
for choosing project team members. Which staff members
should be chosen for this project?
• 47 The types of BCP and DRP tests are:
• 48 Why is disaster recovery-related training a vital
component in a DRP project?
• 49 A DRP project team has determined that the RTO
for a specific application shall be set to 180 minutes. Which
option for a recovery system will best meet the application’s
recovery needs?
• 50 The primary reason for classifying disasters as
natural or man-made is:
***************************************************
CIS 502 Week 2 Assignment 1 Web Server Application Attacks
(2 Papers)

This Tutorial contains 2 Papers
Assignment 1: Web Server Application Attacks
Due Week 2 and worth 110 points
It is common knowledge that Web server application attacks
have become common in today’s digital information sharing
age. Understanding the implications and vulnerabilities of such
attacks, as well as the manner in which we may safeguard
against them is paramount, because our demands on e-
Commerce and the Internet have increased exponentially. In this
assignment, you will examine the response of both the U.S.
government and non-government entities to such attacks.
To complete this assignment, use the document titled
“Guidelines on Securing Public Web Servers”, located at
http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-
44v2.pdf, to complete the assignment. Read the Network World
article, “40% of U.S. government Web sites fail security test”
also, located
athttp://www.networkworld.com/news/2012/031512-dnssec-
survey-2012-257326.html.

Write a three to five (3-5) page paper in which you:
Examine three (3) common Web application vulnerabilities and
attacks, and recommend corresponding mitigation strategies for
each. Provide a rationale for your response.
Using Microsoft Visio or an open source alternative such as Dia,
outline an architectural design geared toward protecting Web
servers from a commonly known Denial of Service (DOS)
attack.Note: The graphically depicted solution is not included in
the required page length.
Based on your research from the Network World article,
examine the potential reasons why the security risks facing U.S.
government Websites were not always dealt with once they were
identified and recognized as such.
Suggest what you believe to be the best mitigation or defense
mechanisms that would help to combat the Domain Name
System Security Extensions (DNSSEC) concerns to which the
article refers. Propose a plan that the U.S. government could use
in order to ensure that such mitigation takes place. The plan
should include, at a minimum, two (2) mitigation or defense
mechanisms.
Use at least three (3) quality resources outside of the suggested
resources in this assignment.Note: Wikipedia and similar
Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size
12), with one-inch margins on all sides; citations and references
must follow APA or school-specific format. Check with your
professor for any additional instructions.

Include a cover page containing the title of the assignment, the
student’s name, the professor’s name, the course title, and the
date. The cover page and the reference page are not included in
the required assignment page length.
Include charts or diagrams created in Visio or an open source
alternative such as Dia. The completed diagrams / charts must
be imported into the Word document before the paper is
submitted.
The specific course learning outcomes associated with this
assignment are:
Define common and emerging security issues and management
responsibilities.
Evaluate an organization’s security policies and risk
management procedures, and its ability to provide security
countermeasures.
Use technology and information resources to research issues in
security management
***************************************************
CIS 502 Week 3 Case Study 1 Advanced Persistent Threats
Against RSA Tokens (2 Papers)

CIS 502 Week 3 Case Study 1 – Strayer New
Case Study 1: Advanced Persistent Threats Against RSA Tokens
Authentication breach by impersonation or password crack has
been popular for attackers to breach our assets. The latest RSA
APT attack to breach one of the most secure RSA tokens alerted
the industry and reminded all of us that there is no security that
can last forever. We must remain vigilant and stay ahead of the
game. Read the following documents:
 “APT Summit Findings” located in the online course
shell
 “RSA Security Brief” located in the online course
shell Write a five to eight (5-8) page paper in which you:
1. Analyze the Advanced Persistent Threats (APT) Summit
Findings article as well as the RSA Security Brief article and
identify the vulnerabilities that existed in the system.
2. Analyze the attack methods carried out in pursuit of the
authentication breach and explain which methods were
successful and why.
3. Suggest three (3) techniques or methods to protect against
APT attacks in the future as the CSO for a large organization.

4. Determine what types of technologies would help alleviate the
problems identified in the articles assuming you are the CSO or
CTO in an organization.
5. Use at least three (3) quality resources in this assignment.
Note: Wikipedia and similar Websites do not qualify as quality
resources.
 Be typed, double spaced, using Times New Roman
font (size 12), with one-inch margins on all sides; citations and
references must follow APA or school-specific format. Check
with your professor for any additional instructions.
 Include a cover page containing the title of the
assignment, the student’s name, the professor’s name, the course
title, and the date. The cover page and the reference page are not
included in the required assignment page length. The specific
course learning outcomes associated with this assignment are:
 Describe the industry requirements and organizational
challenges of forming a sound information security workforce
from a management perspective.
 Define common and emerging security issues and
management responsibilities.
 Analyze the methods of managing, controlling, and
mitigating security risks and vulnerabilities.

 Explain access control methods and attacks.
 Use technology and information resources to research
issues in security management.
 Write clearly and concisely about the theories of
security management using proper writing mechanics and
technical style conventions.
***************************************************
CIS 502 Week 4 Case Study 2 Social Engineering Attacks and
Counterintelligence (2 Papers)
Case Study 2: Social Engineering Attacks and
Counterintelligence
Social engineering attacks and counterintelligence have major
impacts to our national security. In July 2010, the Afghan War

Diary was released in WikiLeaks. In October 2010, WikiLeaks
also released the largest military leak in history – the Iraq War
Logs revealing the war occupation in Iraq. This type of
information is considered as classified data by the Department
of Defense.
Read the article titled, “WikiLeaks Releases 400,000 Classified
US Military Files”, located at
Write a five to eight (5-8) page paper in which you:
1. Describe what social engineering and counterintelligence are
and their potential implications to our national security in regard
to the leaked Afghan War Diary and the Iraq War Logs.
2. Examine the importance of forming a sound information
security workforce and describe the challenges faced by
organizations in doing this as evidenced by the articles about the
Afghan War Diary and the Iraq War Logs that were released in
WikiLeaks.
3. Predict how the Afghan War Diary and the Iraq War Logs
that were released in WikiLeaks could influence organizations in
regard to their security policies and risk management
procedures.
4. Propose two (2) methods to thwart this type of intelligence
leak in the future and explain why each would be effective.

resources.
 Evaluate an organization’s security policies and risk
countermeasures.

 Write clearly and concisely about the theories of
security management using proper writing mechanics and
technical style conventions.
***************************************************
CIS 502 WEEK 6 Assignment 2 Critical Infrastructure
Protection (2 Papers)
CIS 502 WEEK 6 ASSIGNMENT 2
Assignment 2: Critical Infrastructure Protection
According to the text, Critical Infrastructure Protection (CIP) is
an important cybersecurity initiative that requires careful
planning and coordination in protecting our infrastructure.
You may use the following resources in order to complete the
assignment,
“National Infrastructure Protection Plan”, located at
http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf

DHS Critical Infrastructure Security Webpage, located at
https://www.dhs.gov/topic/critical-infrastructure-security
“NIST Framework for Improving Critical Infrastructure
Cybersecurity,” located at
http://www.nist.gov/cyberframework/upload/cybersecurity-
framework-021214-final.pdf
“NIST Roadmap for Improving Critical Infrastructure
Cybersecurity,” located at
http://www.nist.gov/cyberframework/upload/roadmap-
021214.pdf
Interpret the Department of Homeland Security’s mission,
operations and responsibilities.
Detail the Critical Infrastructure Protection (CIP) initiatives,
what they protect, and the methods we use to protect our assets.
Analyze the way in which CIP has or has not advanced between
the releases of the DHS’ NIPP and the NIST’s Framework for
Improving Critical Infrastructure Cybersecurity. Justify your
response.
Describe the vulnerabilities that should concern IS professionals
who protect the U.S.’s critical infrastructure.
Suggest three (3) methods to improve the protection of the
U.S.’s critical infrastructure, and justify each suggested method.
Evaluate the effectiveness of IS professionals in regard to
protecting the U.S.’s critical infrastructure, and indicate the
strategic ways that you believe IS professionals could better
serve as protectors.

Use at least three (3) quality resources outside of the suggested
resources in this assignment. Note:Wikipedia and similar
Websites do not qualify as quality resources.
assignment are:
Analyze the methods of managing, controlling, and mitigating
security risks and vulnerabilities.
Evaluate potential situations of business interruption and the
planning necessary to mitigate the threats involved.
Compare and contrast business continuity and disaster recovery
planning.
security management.
Write clearly and concisely about the theories of security
management using proper writing mechanics and technical style
conventions.
***************************************************
CIS 502 Week 7 Case Study 3 Mobile Devices Security (2
Papers)

Case Study 3: Mobile Devices Security
The use of mobile devices is prevalent and growing rapidly as
users heavily depend on them. Unfortunately, attackers follow
the money and user population. In addition, mobile devices do
not receive patches for their vulnerabilities. The Zeus-in-the-
Mobile (ZitMo) attack against Android users is an example
defeating the emerging technology to steal user’s credentials and
ultimately money. Mobile devices can also spread malware.
Read the article titled, “Mobile device attacks surge”, located at
http://www.treasuryandrisk.com/2011/02/08/pr-mobile-device-
attacks-surge, and FIPS 140-2 Security Policy, located at
http://csrc.nist.gov/groups/STM/cmvp/documents/140-
1/140sp/140sp1648.pdf. In addition, read the report titled,
“Emerging Cyber Threats 2012”, located at

http://www.gtisc.gatech.edu/doc/emerging_cyber_threats_report
2012.pdf.
Write a five to eight (5-8) page paper in which you:
1. Describe the emerging cybersecurity issues and vulnerabilities
presented in the “Emerging Cyber Threats 2012” report.
2. Analyze vulnerabilities of mobile devices in regard to
usability and scale based on your research and suggest methods
to mitigate the vulnerabilities of mobile devices.
3. Assess and describe the value of cryptography and encryption
in regard to Equifax’s approach to implementing stronger
security policies around mobile devices.
4. Justify Gunter Ollmann’s comments about Zeus-in-the-
Mobile (ZitMo) and describe the implications of advanced
security breaches such as this.
5. Several challenges of controlling information online are set
forth in the section of the article titled, “Controlling Information
Online – A New Frontier in Information Security”. Determine
what you believe is the greatest challenge in regard to
controlling information online.
6. Justify Dan Kuykendall’s statement about the biggest issue
with mobile browsers and give two (2) examples illustrating his
point.

resources.
 Explain access control methods and attacks.
 Describe the applications and uses of cryptography
and encryption.

conventions.
***************************************************
CIS 502 WEEK 8 CASE STUDY Mobile Device Security and
Other Threats (2 Papers)
CIS 502 WEEK 8 CASE STUDY
Case Study: Mobile Device Security and Other Threats
Read the article titled, “Mobile Devices Will Be Biggest
Business Security Threat in 2014”, located at
http://www.businessnewsdaily.com/5670-mobile-devices-will-
be-biggest-business-security-threat-in-2014.html, and reference
FIPS 140-2 Security Policy, located at
http://csrc.nist.gov/groups/STM/cmvp/documents/140-
1/140sp/140sp1648.pdf. In addition, read the Sophos report
titled, “Security Threat Report 2014”, located at

http://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-
security-threat-report-2014.pdf.
Analyze the emerging security threats presented within the
“Security Threat Report 2014” report.
Analyze the major threats to mobile devices, and suggest at least
two (2) methods to mitigate the concerns and make the devices
more secure from an organizational standpoint.
Justify your response.
Determine whether or not you believe that the mobile device
threats are the most critical and disturbing of all of the security
threats presented in the articles. Provide a rationale for your
response.
Select one (1) security threat, unrelated to mobile devices, that
you believe is the most alarming, and explain the main reasons
why you believe that the chosen threat warrants concern.
Suggest key strategies for mitigating the risk. Justify your
response.
Use at least three (3) quality resources in this assignment.
Note:Wikipedia and similar Websites do not qualify as quality
resources.

assignment are:
Define common and emerging security issues and management
responsibilities.
security risks and vulnerabilities.
Explain access control methods and attacks.
Describe the applications and uses of cryptography and
encryption.
conventions.
***************************************************
CIS 502 Week 9 Assignment 3 Cybersecurity (2 Papers)
CIS 502 Week 9 Assignment 3 – Strayer New

Assignment 3: Cybersecurity
Cybersecurity is such an important topic today and
understanding its implications is paramount in the security
profession. Compliance, certification, accreditation, and
assessment are critical in understanding the legal and ethical
procedures to follow as a security professional. In support of
cybersecurity initiatives, the National Initiative for Cyber
Security Education (NICE) has published several initiatives in
regard to protecting national security. The following document
titled, “National Initiative for Cybersecurity Education”, located
at http://csrc.nist.gov/nice/framework/documents/NICE-
Cybersecurity-Workforce- Framework-Summary-Booklet.pdf,
will be used to help you complete the assignment.
1. Examine the National Initiative for Cyber Security Education
and describe the initiative.
2. Assess the value of the NICE framework. Discuss the
importance of this framework in regard to the security
profession and individual organizations.
3. Suggest three (3) examples that illustrate the importance of
the National Initiative for Cyber Security Education initiative.
4. Describe the expected outcomes of this initiative.

5. Evaluate how organizations can implement the NICE
framework to prevent internal and external attacks.
6. Determine how the NICE framework addresses the legal and
ethical issues in the field of information security.
7. Use at least three (3) quality resources outside of the
suggested resources in this assignment. Note: Wikipedia and
similar Websites do not qualify as quality resources.
Be typed, double spaced, using Times New Roman font
(size 12), with one-inch margins on all sides; citations and
Include a cover page containing the title of the
Evaluate and explain from a management perspective the
industry-standard equipment, tools, and technologies
organizations can employ to mitigate risks and thwart both
internal and external attacks.
Describe the legal and ethical issues inherent in
information security.

Use technology and information resources to research
conventions.
***************************************************
CIS 502 Week 10 Technical Paper Risk Assessment (2 Papers)
CIS 502 Week 10 Technical Paper
Technical Paper: Risk Assessment
Global Finance, Inc.
Internet OC193 10Gbps
Remote Dial UpUsers
OC193 10Gbps
DMZ
Border (Core) Routers
Distribution Routers
VPN Gateway
10Gbps
RAS
PBX

Printers Mgmt (x3)
Credit Dept
Finance
Accounting Worstations Printers
Worstations (x5)
LoanDept WorstationsPrinters
10Gbps
10 Gbps
10 Gbps
Oracle 9i DB Server
10 Gbps
Access Layer VLAN Switch
10 Gbps
10 Gbps
Exchange 2000 Email
Worstations (x10)Printers
(x3)
Worstations (x49) Printers
(x25)
Customer Services Worstations
(x12)
(x5)
Printers (x3)
SUS Server
(x5)
(x63)
(x7)
Off-Site Office VPN Gateway
PSTN
Intranet Web Server
Internal DNS

File and Print Server
Workstations (x7)
100Mbps
Trusted Computing Base Internal Network
Global Finance, Inc. Network Diagram
Above is the Global Finance, Inc. (GFI) network diagram. GFI
has grown rapidly this past year and acquired many network
devices as displayed in the diagram. The company invested in
the network and designed it to be fault tolerant and resilient
from any network failures. However, although the company’s
financial status has matured and its network has expanded at a
rapid pace, its network security has not kept up with the
company growth.
GFI’s network is fairly stabilized as it has not experienced many
outages due to network failures. GFI has hired three (3) network
engineers to keep up with the network growth and the bandwidth
demand by the company employees and the clients. However,
the company has not hired any security personnel who can take
care of the operational security responsibility.
The trusted computing base (TCB) internal network in the
Global Finance, Inc. Network Diagram hosts the company’s
mission critical systems without which the company’s
operations and financial situation would suffer. The Oracle
database and email systems are among the most intensively used
application servers in the company. GFI cannot afford system
outages because its cash flow and financial systems heavily
depend on the network stability. GFI has experienced DOS
network attacks twice this year and its Oracle database and
email servers had been down for a week. The recovery process
required GFI to use $25,000 to restore its operations back to

normal. GFI estimated the loss from these network attacks at
more than $100,000 including lost customer confidence.
Write a twelve to fifteen (12-15) page formal risk assessment
proposal and redraw the above diagram of a secure and risk-
mitigating model in which you:
1. Describe the company network, interconnection, and
communication environment.
2. Assess risk based on the Global Finance, Inc. Network
Diagram scenario. Note: Your risk assessment should cover all
the necessary details for your client, GFI Inc., to understand the
risk factors of the organization and risk posture of the current
environment. The company management will decide what to
mitigate based on your risk assessment. Your risk assessment
must be comprehensive for the organization to make data-driven
decisions.
a. Describe and defend your assumptions as there is no further
information from this company. The company does not wish to
release any security-related information per company policy.
b. Assess security vulnerabilities, including the possibility of
faulty network design, and recommend mitigation procedures
for each vulnerability.
c. Justify your cryptography recommendations based on data-
driven decision making and objective opinions.
3. Examine whether your risk assessment methodology is
quantitative, qualitative, hybrid, or a combination of these.
resources.
5. Create the redrawn diagram of a secure and risk-mitigating
model using Microsoft Visio or its open source equivalent. Note:

The graphically depicted solution is not included in the required
page length.
6. Include a cover page containing the title of the assignment,
the student’s name, the professor’s name, the course title, and
the date. The cover page and the reference page are not included
in the required assignment page length.
7. Include charts or diagrams created in Excel, Visio, MS
Project, or one of their equivalents such as Open Project, Dia,
and OpenOffice. The completed diagrams/charts must be
imported into the Word document before the paper is submitted.
assignment are
Evaluate an organization’s security policies and risk
countermeasures
Describe the details and the importance of application security
models and their implementation from a management
perspective.
security risks and vulnerabilities
Evaluate and explain from a management perspective the
industry-standard equipment, tools, and technologies
organizations can employ to mitigate risks and thwart both
internal and external attacks.
Explain access control methods and attacks.

conventions.
***************************************************

Cis 502Enhance teaching / snaptutorial.com

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Similar to Cis 502Enhance teaching / snaptutorial.com

Similar to Cis 502Enhance teaching / snaptutorial.com (17)

Recently uploaded

Recently uploaded (20)

Cis 502Enhance teaching / snaptutorial.com