SlideShare a Scribd company logo

1.8 Exercises1. Distinguish between vulnerability, threat, and con.docx

Download as DOCX, PDF
H
hacksoni

1.8 Exercises 1. Distinguish between vulnerability, threat, and control. 2. Theft usually results in some kind of harm. For example, if someone steals your car, you may suffer financial loss, inconvenience (by losing your mode of transportation), and emotional upset (because of invasion of your personal property and space). List three kinds of harm a company might experience from theft of computer equipment. 3. List at least three kinds of harm a company could experience from electronic espionage or unauthorized viewing of confidential company materials. 4. List at least three kinds of damage a company could suffer when the integrity of a program or company data is compromised. 5. List at least three kinds of harm a company could encounter from loss of service, that is, failure of availability. List the product or capability to which access is lost, and explain how this loss hurts the company. 6. Describe a situation in which you have experienced harm as a consequence of a failure of computer security. Was the failure malicious or not? Did the attack target you specifically or was it general and you were the unfortunate victim? 7. Describe two examples of vulnerabilities in automobiles for which auto manufacturers have instituted controls. Tell why you think these controls are effective, somewhat effective, or ineffective. 8. One control against accidental software deletion is to save all old versions of a program. Of course, this control is prohibitively expensive in terms of cost of storage. Suggest a less costly control against accidental software deletion. Is your control effective against all possible causes of software deletion? If not, what threats does it not cover? 9. On your personal computer, who can install programs? Who can change operating system data? Who can replace portions of the operating system? Can any of these actions be performed remotely? 10. Suppose a program to print paychecks secretly leaks a list of names of employees earning more than a certain amount each month. What controls could be instituted to limit the vulnerability of this leakage? 11. Preserving confidentiality, integrity, and availability of data is a restatement of the concern over interruption, interception, modification, and fabrication. How do the first three concepts relate to the last four? That is, is any of the four equivalent to one or more of the three? Is one of the three encompassed by one or more of the four? 12. Do you think attempting to break in to (that is, obtain access to or use of) a computing system without authorization should be illegal? Why or why not? 13. Describe an example (other than the ones mentioned in this chapter) of data whose confidentiality has a short timeliness, say, a day or less. Describe an example of data whose confidentiality has a timeliness of more than a year. 14. Do you currently use any computer security control measures? If so, what? Against what attacks are you trying to protect? 15. Describe an example i ...

Education
1 of 11
1.8 Exercises 1. Distinguish between vulnerability, threat, and control. 2. Theft usually results in some kind of harm. For example, if someone steals your car, you may suffer financial loss, inconvenience (by losing your mode of transportation), and emotional upset (because of invasion of your personal property and space). List three kinds of harm a company might experience from theft of computer equipment. 3. List at least three kinds of harm a company could experience from electronic espionage or unauthorized viewing of confidential company materials. 4. List at least three kinds of damage a company could suffer when the integrity of a program or company data is compromised. 5. List at least three kinds of harm a company could encounter from loss of service, that is, failure of availability. List the product or capability to which access is lost, and explain how this loss hurts the company. 6. Describe a situation in which you have experienced harm as a consequence of a failure of computer security. Was the failure malicious or not? Did the attack target you specifically or was it general and you were the unfortunate victim? 7. Describe two examples of vulnerabilities in automobiles for which auto manufacturers have instituted controls. Tell why you think these controls are effective, somewhat effective, or ineffective. 8. One control against accidental software deletion is to save all
old versions of a program. Of course, this control is prohibitively expensive in terms of cost of storage. Suggest a less costly control against accidental software deletion. Is your control effective against all possible causes of software deletion? If not, what threats does it not cover? 9. On your personal computer, who can install programs? Who can change operating system data? Who can replace portions of the operating system? Can any of these actions be performed remotely? 10. Suppose a program to print paychecks secretly leaks a list of names of employees earning more than a certain amount each month. What controls could be instituted to limit the vulnerability of this leakage? 11. Preserving confidentiality, integrity, and availability of data is a restatement of the concern over interruption, interception, modification, and fabrication. How do the first three concepts relate to the last four? That is, is any of the four equivalent to one or more of the three? Is one of the three encompassed by one or more of the four? 12. Do you think attempting to break in to (that is, obtain access to or use of) a computing system without authorization should be illegal? Why or why not? 13. Describe an example (other than the ones mentioned in this chapter) of data whose confidentiality has a short timeliness, say, a day or less. Describe an example of data whose confidentiality has a timeliness of more than a year.
14. Do you currently use any computer security control measures? If so, what? Against what attacks are you trying to protect? 15. Describe an example in which absolute denial of service to a user (that is, the user gets no response from the computer) is a serious problem to that user. Describe another example where 10 percent denial of service to a user (that is, the user’s computation progresses, but at a rate 10 percent slower than normal) is a serious problem to that user. Could access by unauthorized people to a computing system result in a 10 percent denial of service to the legitimate users? How? 16. When you say that software is of high quality, what do you mean? How does security fit in your definition of quality? For example, can an application be insecure and still be “good”? 17. Developers often think of software quality in terms of faults and failures. Faults are problems (for example, loops that never terminate or misplaced commas in statements) that developers can see by looking at the code. Failures are problems, such as a system crash or the invocation of the wrong function, that are visible to the user. Thus, faults can exist in programs but never become failures, because the conditions under which a fault becomes a failure are never reached. How do software vulnerabilities fit into this scheme of faults and failures? Is every fault a vulnerability? Is every vulnerability a fault? 18. Consider a program to display on your website your city’s
current time and temperature. Who might want to attack your program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm? 19. Consider a program that allows consumers to order products from the web. Who might want to attack the program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm? 20. Consider a program to accept and tabulate votes in an election. Who might want to attack the program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm? 21. Consider a program that allows a surgeon in one city to assist in an operation on a patient in another city via an Internet connection. Who might want to attack the program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm? 1. Describe each of the following four kinds of access control mechanisms in terms of (a) ease of determining authorized access during execution, (b) ease of adding access for a new subject, (c) ease of deleting access by a subject, and (d) ease of creating a new object to which all subjects by default have access. • per-subject access control list (that is, one list for each subject tells all the objects to which that subject has access) • per-object access control list (that is, one list for each object tells all the subjects who have access to that object)
• access control matrix • capability 2. Suppose a per-subject access control list is used. Deleting an object in such a system is inconvenient because all changes must be made to the control lists of all subjects who did have access to the object. Suggest an alternative, less costly means of handling deletion. 3. File access control relates largely to the secrecy dimension of security. What is the relationship between an access control matrix and the integrity of the objects to which access is being controlled? 4. One feature of a capability-based protection system is the ability of one process to transfer a copy of a capability to another process. Describe a situation in which one process should be able to transfer a capability to another. 5. Suggest an efficient scheme for maintaining a per-user protection scheme. That is, the system maintains one directory per user, and that directory lists all the objects to which the user is allowed access. Your design should address the needs of a system with 1000 users, of whom no more than 20 are active at any time. Each user has an average of 200 permitted objects; there are 50,000 total objects in the system. 6. Calculate the timing of password-guessing attacks: (a) If passwords are three uppercase alphabetic characters long, how much time would it take to determine a particular password, assuming that testing
an individual password requires 5 seconds? How much time if testing requires 0.001 seconds? (b) Argue for a particular amount of time as the starting point for “secure.” That is, suppose an attacker plans to use a brute-force attack to determine a password. For what value of x (the total amount of time to try as many passwords as necessary) would the attacker find this attack prohibitively long? (c) If the cutoff between “insecure” and “secure” were x amount of time, how long would a secure password have to be? State and justify your assumptions regarding the character set from which the password is selected and the amount of time required to test a single password. 7. Design a protocol by which two mutually suspicious parties can authenticate each other. Your protocol should be usable the first time these parties try to authenticate each other. 8. List three reasons people might be reluctant to use biometrics for authentication. Can you think of ways to counter those objections? 9. False positive and false negative rates can be adjusted, and they are often complementary: Lowering one raises the other. List two situations in which false negatives are significantly more serious than false positives. 10. In a typical office, biometric authentication might be used to control access to
employees and registered visitors only. We know the system will have some false negatives, some employees falsely denied access, so we need a human override, someone who can examine the employee and allow access in spite of the failed authentication. Thus, we need a human guard at the door to handle problems, as well as the authentication device; without biometrics we would have had just the guard. Consequently, we have the same number of personnel with or without biometrics, plus we have the added cost to acquire and maintain the biometrics system. Explain the security advantage in this situation that justifies the extra expense. 11. Outline the design of an authentication scheme that “learns.” The authentication scheme would start with certain primitive information about a user, such as name and password. As the use of the computing system continued, the authentication system would gather such information as commonly used programming languages; dates, times, and lengths of computing sessions; and use of distinctive resources. The authentication challenges would become more individualized as the system learned more information about the user. • Your design should include a list of many pieces of information about a user that the system could collect. It is permissible for the system to ask an authenticated user for certain additional information, such as a favorite book, to use in subsequent challenges.
• Your design should also consider the problem of presenting and validating these challenges: Does the would-be user answer a truefalse or a multiple-choice question? Does the system interpret natural language prose? 12. How are passwords stored on your personal computer? 13. Describe a situation in which a weak but easy-to-use password may be adequate. 14. List three authentication questions (but not the answers) your credit card company could ask to authenticate you over the phone. Your questions should be ones to which an imposter could not readily obtain the answers. How difficult would it be for you to provide the correct answer (for example, you would have to look something up or you would have to do a quick arithmetical calculation)? 15. If you forget your password for a website and you click [Forgot my password], sometimes the company sends you a new password by email but sometimes it sends you your old password by email. Compare these two cases in terms of vulnerability of the website owner. 16. Defeating authentication follows the method–opportunity– motive paradigm described in Chapter 1. Discuss how these three factors apply to an attack on authentication. 17. Suggest a source of some very long unpredictable numbers. Your source must be something that both the sender and receiver can readily access but that is not obvious to outsiders and not transmitted directly from sender to
receiver. 18. What are the risks of having the United States government select a cryptosystem for widespread commercial use (both inside and outside the United States). How could users from outside the United States overcome some or all of these risks? 19. If the useful life of DES was about 20 years (1977–1999), how long do you predict the useful life of AES will be? Justify your answer. 20. Humans are said to be the weakest link in any security system. Give an example for each of the following: (a) a situation in which human failure could lead to a compromise of encrypted data (b) a situation in which human failure could lead to a compromise of identification and authentication (c) a situation in which human failure could lead to a compromise of access control 21. Why do cryptologists recommend changing the encryption key from time to time? Is it the same reason security experts recommend changing a password from time to time? How can one determine how frequently to change keys or passwords? 22. Explain why hash collisions occur. That is, why must there always be two different plaintexts that have the same hash value? 23. What property of a hash function means that collisions are not a security problem? That is, why can an attacker not capitalize on collisions and change the underlying plaintext to another form whose value collides with
the hash value of the original plaintext? 24. Does a PKI perform encryption? Explain your answer. 25. Does a PKI use symmetric or asymmetric encryption? Explain your answer. 26. Should a PKI be supported on a firewall (meaning that the certificates would be stored on the firewall and the firewall would distribute certificates on demand)? Explain your answer. 27. Why does a PKI need a means to cancel or invalidate certificates? Why is it not sufficient for the PKI to stop distributing a certificate after it becomes invalid? 28. Some people think the certificate authority for a PKI should be the government, but others think certificate authorities should be private entities, such as banks, corporations, or schools. What are the advantages and disadvantages of each approach? 29. If you live in country A and receive a certificate signed by a government certificate authority in country B, what conditions would cause you to trust that signature as authentic? 30. A certificate contains an identity, a public key, and signatures attesting that the public key belongs to the identity. Other fields that may be present include the organization (for example, university, company, or government) to which that identity belongs and perhaps suborganizations (college, department, program, branch, office). What security purpose do these other fields serve, if
any? Explain your answer.

Recommended

3 to 4 line answers only each.No Plagarism.$25Need by 109201.docx
3 to 4 line answers only each.No Plagarism.$25Need by 109201.docx3 to 4 line answers only each.No Plagarism.$25Need by 109201.docx
3 to 4 line answers only each.No Plagarism.$25Need by 109201.docxLyndonPelletier761
 
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)ChristopherAntonius
 
Part 1 List the basic steps in securing an operating system. Assume.pdf
Part 1 List the basic steps in securing an operating system. Assume.pdfPart 1 List the basic steps in securing an operating system. Assume.pdf
Part 1 List the basic steps in securing an operating system. Assume.pdffashiionbeutycare
 
CISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSCISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSMuhammad FAHAD
 
Defending industrial control systems from cyber attack
Defending industrial control systems from cyber attackDefending industrial control systems from cyber attack
Defending industrial control systems from cyber attackAnalynk Wireless, LLC
 
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsNCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsMiller Energy, Inc.
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackCTi Controltech
 
Seven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securitySeven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securityCTi Controltech
 

Recommended

3 to 4 line answers only each.No Plagarism.$25Need by 109201.docx
3 to 4 line answers only each.No Plagarism.$25Need by 109201.docx3 to 4 line answers only each.No Plagarism.$25Need by 109201.docx
3 to 4 line answers only each.No Plagarism.$25Need by 109201.docxLyndonPelletier761
 
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)ChristopherAntonius
 
Part 1 List the basic steps in securing an operating system. Assume.pdf
Part 1 List the basic steps in securing an operating system. Assume.pdfPart 1 List the basic steps in securing an operating system. Assume.pdf
Part 1 List the basic steps in securing an operating system. Assume.pdffashiionbeutycare
 
CISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSCISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSMuhammad FAHAD
 
Defending industrial control systems from cyber attack
Defending industrial control systems from cyber attackDefending industrial control systems from cyber attack
Defending industrial control systems from cyber attackAnalynk Wireless, LLC
 
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsNCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsMiller Energy, Inc.
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackCTi Controltech
 
Seven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securitySeven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securityCTi Controltech
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackMountain States Engineering and Controls
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxjenkinsmandie
 
Internet Security Agent
Internet Security AgentInternet Security Agent
Internet Security AgentInternational Journal of Engineering Inventions www.ijeijournal.com
 
H04025057
H04025057H04025057
H04025057International Journal of Engineering Inventions www.ijeijournal.com
 
unit 2 -program security.pdf
unit 2 -program security.pdfunit 2 -program security.pdf
unit 2 -program security.pdfKavithaK23
 
Program security chapter 3
Program security chapter 3Program security chapter 3
Program security chapter 3Education
 
6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber Attackers6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber AttackersSirius
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-WilheminaRossi174
 
Cis 349 Extraordinary Success/newtonhelp.com
Cis 349 Extraordinary Success/newtonhelp.com Cis 349 Extraordinary Success/newtonhelp.com
Cis 349 Extraordinary Success/newtonhelp.com amaranthbeg147
 
Cain and AbelOphcrackStart H.docx
Cain and AbelOphcrackStart H.docxCain and AbelOphcrackStart H.docx
Cain and AbelOphcrackStart H.docxRAHUL126667
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESIJNSA Journal
 
Lab 10
Lab 10Lab 10
Lab 10Harouna Pame
 
Download
DownloadDownload
DownloadValar Mathi
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodFalgun Rathod
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxwkyra78
 
Application security
Application securityApplication security
Application securityHagar Alaa el-din
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inmaribethy2y
 
CIS 349 Imagine Your Future/newtonhelp.com   
CIS 349 Imagine Your Future/newtonhelp.com   CIS 349 Imagine Your Future/newtonhelp.com   
CIS 349 Imagine Your Future/newtonhelp.com   bellflower46
 
CAPS794 Presentation RubricLearning Outcome Assess the leader.docx
CAPS794 Presentation RubricLearning Outcome Assess the leader.docxCAPS794 Presentation RubricLearning Outcome Assess the leader.docx
CAPS794 Presentation RubricLearning Outcome Assess the leader.docxhacksoni
 
CAPSTONE CASE The Student will be required to read the Capstone.docx
CAPSTONE CASE The Student will be required to read the Capstone.docxCAPSTONE CASE The Student will be required to read the Capstone.docx
CAPSTONE CASE The Student will be required to read the Capstone.docxhacksoni
 

More Related Content

Similar to 1.8 Exercises1. Distinguish between vulnerability, threat, and con.docx

Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxjenkinsmandie
 
unit 2 -program security.pdf
unit 2 -program security.pdfunit 2 -program security.pdf
unit 2 -program security.pdfKavithaK23
 
Program security chapter 3
Program security chapter 3Program security chapter 3
Program security chapter 3Education
 
6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber Attackers6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber AttackersSirius
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-WilheminaRossi174
 
Cis 349 Extraordinary Success/newtonhelp.com
Cis 349 Extraordinary Success/newtonhelp.com Cis 349 Extraordinary Success/newtonhelp.com
Cis 349 Extraordinary Success/newtonhelp.com amaranthbeg147
 
Cain and AbelOphcrackStart H.docx
Cain and AbelOphcrackStart H.docxCain and AbelOphcrackStart H.docx
Cain and AbelOphcrackStart H.docxRAHUL126667
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESIJNSA Journal
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodFalgun Rathod
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxwkyra78
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inmaribethy2y
 
CIS 349 Imagine Your Future/newtonhelp.com   
CIS 349 Imagine Your Future/newtonhelp.com   CIS 349 Imagine Your Future/newtonhelp.com   
CIS 349 Imagine Your Future/newtonhelp.com   bellflower46
 

Similar to 1.8 Exercises1. Distinguish between vulnerability, threat, and con.docx (20)

Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From Cyberattack
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docx
 
Internet Security Agent
Internet Security AgentInternet Security Agent
Internet Security Agent
 
H04025057
H04025057H04025057
H04025057
 
unit 2 -program security.pdf
unit 2 -program security.pdfunit 2 -program security.pdf
unit 2 -program security.pdf
 
Program security chapter 3
Program security chapter 3Program security chapter 3
Program security chapter 3
 
6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber Attackers6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber Attackers
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
 
Cis 349 Extraordinary Success/newtonhelp.com
Cis 349 Extraordinary Success/newtonhelp.com Cis 349 Extraordinary Success/newtonhelp.com
Cis 349 Extraordinary Success/newtonhelp.com
 
Cain and AbelOphcrackStart H.docx
Cain and AbelOphcrackStart H.docxCain and AbelOphcrackStart H.docx
Cain and AbelOphcrackStart H.docx
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
 
Lab 10
Lab 10Lab 10
Lab 10
 
Download
DownloadDownload
Download
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
 
Application security
Application securityApplication security
Application security
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words in
 
CIS 349 Imagine Your Future/newtonhelp.com   
CIS 349 Imagine Your Future/newtonhelp.com   CIS 349 Imagine Your Future/newtonhelp.com   
CIS 349 Imagine Your Future/newtonhelp.com   
 

More from hacksoni

CAPS794 Presentation RubricLearning Outcome Assess the leader.docx
CAPS794 Presentation RubricLearning Outcome Assess the leader.docxCAPS794 Presentation RubricLearning Outcome Assess the leader.docx
CAPS794 Presentation RubricLearning Outcome Assess the leader.docxhacksoni
 
CAPSTONE CASE The Student will be required to read the Capstone.docx
CAPSTONE CASE The Student will be required to read the Capstone.docxCAPSTONE CASE The Student will be required to read the Capstone.docx
CAPSTONE CASE The Student will be required to read the Capstone.docxhacksoni
 
Capitalism emphasizes fostering individualism while socialism emphas.docx
Capitalism emphasizes fostering individualism while socialism emphas.docxCapitalism emphasizes fostering individualism while socialism emphas.docx
Capitalism emphasizes fostering individualism while socialism emphas.docxhacksoni
 
Capitão et al. Translational Psychiatry ( 2019) 930 httpsdoi.docx
Capitão et al. Translational Psychiatry ( 2019) 930 httpsdoi.docxCapitão et al. Translational Psychiatry ( 2019) 930 httpsdoi.docx
Capitão et al. Translational Psychiatry ( 2019) 930 httpsdoi.docxhacksoni
 
Capital in the Twenty-First CenturyCAPITAL IN THE.docx
Capital in the Twenty-First CenturyCAPITAL IN THE.docxCapital in the Twenty-First CenturyCAPITAL IN THE.docx
Capital in the Twenty-First CenturyCAPITAL IN THE.docxhacksoni
 
Capital-Equipment BudgetingCapital-equipment budgeting is typica.docx
Capital-Equipment BudgetingCapital-equipment budgeting is typica.docxCapital-Equipment BudgetingCapital-equipment budgeting is typica.docx
Capital-Equipment BudgetingCapital-equipment budgeting is typica.docxhacksoni
 
Capital StructureCreate an argument for a publically traded heal.docx
Capital StructureCreate an argument for a publically traded heal.docxCapital StructureCreate an argument for a publically traded heal.docx
Capital StructureCreate an argument for a publically traded heal.docxhacksoni
 
Capital RationingCompare and contrast the Internal Rate of Retur.docx
Capital RationingCompare and contrast the Internal Rate of Retur.docxCapital RationingCompare and contrast the Internal Rate of Retur.docx
Capital RationingCompare and contrast the Internal Rate of Retur.docxhacksoni
 
Capital in the Twenty- First CenturyCAPITAL IN.docx
Capital in the Twenty- First CenturyCAPITAL IN.docxCapital in the Twenty- First CenturyCAPITAL IN.docx
Capital in the Twenty- First CenturyCAPITAL IN.docxhacksoni
 
Capital Investment EvaluationSelect one of the capital investmen.docx
Capital Investment EvaluationSelect one of the capital investmen.docxCapital Investment EvaluationSelect one of the capital investmen.docx
Capital Investment EvaluationSelect one of the capital investmen.docxhacksoni
 
Capacity ToolkitWhat is ‘capacity’ How do I decide whethe.docx
Capacity ToolkitWhat is ‘capacity’ How do I decide whethe.docxCapacity ToolkitWhat is ‘capacity’ How do I decide whethe.docx
Capacity ToolkitWhat is ‘capacity’ How do I decide whethe.docxhacksoni
 
Capital Investment 5Sources of Finance for the Proposed .docx
Capital Investment 5Sources of Finance for the Proposed .docxCapital Investment 5Sources of Finance for the Proposed .docx
Capital Investment 5Sources of Finance for the Proposed .docxhacksoni
 
Capital Investment Case Waterways Corporation is a private.docx
Capital Investment Case Waterways Corporation is a private.docxCapital Investment Case Waterways Corporation is a private.docx
Capital Investment Case Waterways Corporation is a private.docxhacksoni
 
Capital Budgeting ProcessComplete an APA-formatted two-page paper .docx
Capital Budgeting ProcessComplete an APA-formatted two-page paper .docxCapital Budgeting ProcessComplete an APA-formatted two-page paper .docx
Capital Budgeting ProcessComplete an APA-formatted two-page paper .docxhacksoni
 
Can We Know the Universe The following excerpt was publ.docx
Can We Know the Universe The following excerpt was publ.docxCan We Know the Universe The following excerpt was publ.docx
Can We Know the Universe The following excerpt was publ.docxhacksoni
 
Capital Budgeting and Dividend PolicyWe examined two very import.docx
Capital Budgeting and Dividend PolicyWe examined two very import.docxCapital Budgeting and Dividend PolicyWe examined two very import.docx
Capital Budgeting and Dividend PolicyWe examined two very import.docxhacksoni
 
Cape Town contends with worst drought in over a century By D.docx
Cape Town contends with worst drought in over a century By D.docxCape Town contends with worst drought in over a century By D.docx
Cape Town contends with worst drought in over a century By D.docxhacksoni
 
Cape Cod Wind project Please respond to the followingThe Cape.docx
Cape Cod Wind project Please respond to the followingThe Cape.docxCape Cod Wind project Please respond to the followingThe Cape.docx
Cape Cod Wind project Please respond to the followingThe Cape.docxhacksoni
 
Capella Career Center Last updated 62216 1 COMPE.docx
Capella Career Center Last updated 62216 1 COMPE.docxCapella Career Center Last updated 62216 1 COMPE.docx
Capella Career Center Last updated 62216 1 COMPE.docxhacksoni
 
Cape Town Water Crisis and the Efficient Use of Scarce Water B.docx
Cape Town Water Crisis and the Efficient Use of Scarce Water B.docxCape Town Water Crisis and the Efficient Use of Scarce Water B.docx
Cape Town Water Crisis and the Efficient Use of Scarce Water B.docxhacksoni
 

More from hacksoni (20)

CAPS794 Presentation RubricLearning Outcome Assess the leader.docx
CAPS794 Presentation RubricLearning Outcome Assess the leader.docxCAPS794 Presentation RubricLearning Outcome Assess the leader.docx
CAPS794 Presentation RubricLearning Outcome Assess the leader.docx
 
CAPSTONE CASE The Student will be required to read the Capstone.docx
CAPSTONE CASE The Student will be required to read the Capstone.docxCAPSTONE CASE The Student will be required to read the Capstone.docx
CAPSTONE CASE The Student will be required to read the Capstone.docx
 
Capitalism emphasizes fostering individualism while socialism emphas.docx
Capitalism emphasizes fostering individualism while socialism emphas.docxCapitalism emphasizes fostering individualism while socialism emphas.docx
Capitalism emphasizes fostering individualism while socialism emphas.docx
 
Capitão et al. Translational Psychiatry ( 2019) 930 httpsdoi.docx
Capitão et al. Translational Psychiatry ( 2019) 930 httpsdoi.docxCapitão et al. Translational Psychiatry ( 2019) 930 httpsdoi.docx
Capitão et al. Translational Psychiatry ( 2019) 930 httpsdoi.docx
 
Capital in the Twenty-First CenturyCAPITAL IN THE.docx
Capital in the Twenty-First CenturyCAPITAL IN THE.docxCapital in the Twenty-First CenturyCAPITAL IN THE.docx
Capital in the Twenty-First CenturyCAPITAL IN THE.docx
 
Capital-Equipment BudgetingCapital-equipment budgeting is typica.docx
Capital-Equipment BudgetingCapital-equipment budgeting is typica.docxCapital-Equipment BudgetingCapital-equipment budgeting is typica.docx
Capital-Equipment BudgetingCapital-equipment budgeting is typica.docx
 
Capital StructureCreate an argument for a publically traded heal.docx
Capital StructureCreate an argument for a publically traded heal.docxCapital StructureCreate an argument for a publically traded heal.docx
Capital StructureCreate an argument for a publically traded heal.docx
 
Capital RationingCompare and contrast the Internal Rate of Retur.docx
Capital RationingCompare and contrast the Internal Rate of Retur.docxCapital RationingCompare and contrast the Internal Rate of Retur.docx
Capital RationingCompare and contrast the Internal Rate of Retur.docx
 
Capital in the Twenty- First CenturyCAPITAL IN.docx
Capital in the Twenty- First CenturyCAPITAL IN.docxCapital in the Twenty- First CenturyCAPITAL IN.docx
Capital in the Twenty- First CenturyCAPITAL IN.docx
 
Capital Investment EvaluationSelect one of the capital investmen.docx
Capital Investment EvaluationSelect one of the capital investmen.docxCapital Investment EvaluationSelect one of the capital investmen.docx
Capital Investment EvaluationSelect one of the capital investmen.docx
 
Capacity ToolkitWhat is ‘capacity’ How do I decide whethe.docx
Capacity ToolkitWhat is ‘capacity’ How do I decide whethe.docxCapacity ToolkitWhat is ‘capacity’ How do I decide whethe.docx
Capacity ToolkitWhat is ‘capacity’ How do I decide whethe.docx
 
Capital Investment 5Sources of Finance for the Proposed .docx
Capital Investment 5Sources of Finance for the Proposed .docxCapital Investment 5Sources of Finance for the Proposed .docx
Capital Investment 5Sources of Finance for the Proposed .docx
 
Capital Investment Case Waterways Corporation is a private.docx
Capital Investment Case Waterways Corporation is a private.docxCapital Investment Case Waterways Corporation is a private.docx
Capital Investment Case Waterways Corporation is a private.docx
 
Capital Budgeting ProcessComplete an APA-formatted two-page paper .docx
Capital Budgeting ProcessComplete an APA-formatted two-page paper .docxCapital Budgeting ProcessComplete an APA-formatted two-page paper .docx
Capital Budgeting ProcessComplete an APA-formatted two-page paper .docx
 
Can We Know the Universe The following excerpt was publ.docx
Can We Know the Universe The following excerpt was publ.docxCan We Know the Universe The following excerpt was publ.docx
Can We Know the Universe The following excerpt was publ.docx
 
Capital Budgeting and Dividend PolicyWe examined two very import.docx
Capital Budgeting and Dividend PolicyWe examined two very import.docxCapital Budgeting and Dividend PolicyWe examined two very import.docx
Capital Budgeting and Dividend PolicyWe examined two very import.docx
 
Cape Town contends with worst drought in over a century By D.docx
Cape Town contends with worst drought in over a century By D.docxCape Town contends with worst drought in over a century By D.docx
Cape Town contends with worst drought in over a century By D.docx
 
Cape Cod Wind project Please respond to the followingThe Cape.docx
Cape Cod Wind project Please respond to the followingThe Cape.docxCape Cod Wind project Please respond to the followingThe Cape.docx
Cape Cod Wind project Please respond to the followingThe Cape.docx
 
Capella Career Center Last updated 62216 1 COMPE.docx
Capella Career Center Last updated 62216 1 COMPE.docxCapella Career Center Last updated 62216 1 COMPE.docx
Capella Career Center Last updated 62216 1 COMPE.docx
 
Cape Town Water Crisis and the Efficient Use of Scarce Water B.docx
Cape Town Water Crisis and the Efficient Use of Scarce Water B.docxCape Town Water Crisis and the Efficient Use of Scarce Water B.docx
Cape Town Water Crisis and the Efficient Use of Scarce Water B.docx
 

Recently uploaded

Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 

Recently uploaded (20)

Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 

1.8 Exercises1. Distinguish between vulnerability, threat, and con.docx

  • 1. 1.8 Exercises 1. Distinguish between vulnerability, threat, and control. 2. Theft usually results in some kind of harm. For example, if someone steals your car, you may suffer financial loss, inconvenience (by losing your mode of transportation), and emotional upset (because of invasion of your personal property and space). List three kinds of harm a company might experience from theft of computer equipment. 3. List at least three kinds of harm a company could experience from electronic espionage or unauthorized viewing of confidential company materials. 4. List at least three kinds of damage a company could suffer when the integrity of a program or company data is compromised. 5. List at least three kinds of harm a company could encounter from loss of service, that is, failure of availability. List the product or capability to which access is lost, and explain how this loss hurts the company. 6. Describe a situation in which you have experienced harm as a consequence of a failure of computer security. Was the failure malicious or not? Did the attack target you specifically or was it general and you were the unfortunate victim? 7. Describe two examples of vulnerabilities in automobiles for which auto manufacturers have instituted controls. Tell why you think these controls are effective, somewhat effective, or ineffective. 8. One control against accidental software deletion is to save all
  • 2. old versions of a program. Of course, this control is prohibitively expensive in terms of cost of storage. Suggest a less costly control against accidental software deletion. Is your control effective against all possible causes of software deletion? If not, what threats does it not cover? 9. On your personal computer, who can install programs? Who can change operating system data? Who can replace portions of the operating system? Can any of these actions be performed remotely? 10. Suppose a program to print paychecks secretly leaks a list of names of employees earning more than a certain amount each month. What controls could be instituted to limit the vulnerability of this leakage? 11. Preserving confidentiality, integrity, and availability of data is a restatement of the concern over interruption, interception, modification, and fabrication. How do the first three concepts relate to the last four? That is, is any of the four equivalent to one or more of the three? Is one of the three encompassed by one or more of the four? 12. Do you think attempting to break in to (that is, obtain access to or use of) a computing system without authorization should be illegal? Why or why not? 13. Describe an example (other than the ones mentioned in this chapter) of data whose confidentiality has a short timeliness, say, a day or less. Describe an example of data whose confidentiality has a timeliness of more than a year.
  • 3. 14. Do you currently use any computer security control measures? If so, what? Against what attacks are you trying to protect? 15. Describe an example in which absolute denial of service to a user (that is, the user gets no response from the computer) is a serious problem to that user. Describe another example where 10 percent denial of service to a user (that is, the user’s computation progresses, but at a rate 10 percent slower than normal) is a serious problem to that user. Could access by unauthorized people to a computing system result in a 10 percent denial of service to the legitimate users? How? 16. When you say that software is of high quality, what do you mean? How does security fit in your definition of quality? For example, can an application be insecure and still be “good”? 17. Developers often think of software quality in terms of faults and failures. Faults are problems (for example, loops that never terminate or misplaced commas in statements) that developers can see by looking at the code. Failures are problems, such as a system crash or the invocation of the wrong function, that are visible to the user. Thus, faults can exist in programs but never become failures, because the conditions under which a fault becomes a failure are never reached. How do software vulnerabilities fit into this scheme of faults and failures? Is every fault a vulnerability? Is every vulnerability a fault? 18. Consider a program to display on your website your city’s
  • 4. current time and temperature. Who might want to attack your program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm? 19. Consider a program that allows consumers to order products from the web. Who might want to attack the program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm? 20. Consider a program to accept and tabulate votes in an election. Who might want to attack the program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm? 21. Consider a program that allows a surgeon in one city to assist in an operation on a patient in another city via an Internet connection. Who might want to attack the program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm? 1. Describe each of the following four kinds of access control mechanisms in terms of (a) ease of determining authorized access during execution, (b) ease of adding access for a new subject, (c) ease of deleting access by a subject, and (d) ease of creating a new object to which all subjects by default have access. • per-subject access control list (that is, one list for each subject tells all the objects to which that subject has access) • per-object access control list (that is, one list for each object tells all the subjects who have access to that object)
  • 5. • access control matrix • capability 2. Suppose a per-subject access control list is used. Deleting an object in such a system is inconvenient because all changes must be made to the control lists of all subjects who did have access to the object. Suggest an alternative, less costly means of handling deletion. 3. File access control relates largely to the secrecy dimension of security. What is the relationship between an access control matrix and the integrity of the objects to which access is being controlled? 4. One feature of a capability-based protection system is the ability of one process to transfer a copy of a capability to another process. Describe a situation in which one process should be able to transfer a capability to another. 5. Suggest an efficient scheme for maintaining a per-user protection scheme. That is, the system maintains one directory per user, and that directory lists all the objects to which the user is allowed access. Your design should address the needs of a system with 1000 users, of whom no more than 20 are active at any time. Each user has an average of 200 permitted objects; there are 50,000 total objects in the system. 6. Calculate the timing of password-guessing attacks: (a) If passwords are three uppercase alphabetic characters long, how much time would it take to determine a particular password, assuming that testing
  • 6. an individual password requires 5 seconds? How much time if testing requires 0.001 seconds? (b) Argue for a particular amount of time as the starting point for “secure.” That is, suppose an attacker plans to use a brute-force attack to determine a password. For what value of x (the total amount of time to try as many passwords as necessary) would the attacker find this attack prohibitively long? (c) If the cutoff between “insecure” and “secure” were x amount of time, how long would a secure password have to be? State and justify your assumptions regarding the character set from which the password is selected and the amount of time required to test a single password. 7. Design a protocol by which two mutually suspicious parties can authenticate each other. Your protocol should be usable the first time these parties try to authenticate each other. 8. List three reasons people might be reluctant to use biometrics for authentication. Can you think of ways to counter those objections? 9. False positive and false negative rates can be adjusted, and they are often complementary: Lowering one raises the other. List two situations in which false negatives are significantly more serious than false positives. 10. In a typical office, biometric authentication might be used to control access to
  • 7. employees and registered visitors only. We know the system will have some false negatives, some employees falsely denied access, so we need a human override, someone who can examine the employee and allow access in spite of the failed authentication. Thus, we need a human guard at the door to handle problems, as well as the authentication device; without biometrics we would have had just the guard. Consequently, we have the same number of personnel with or without biometrics, plus we have the added cost to acquire and maintain the biometrics system. Explain the security advantage in this situation that justifies the extra expense. 11. Outline the design of an authentication scheme that “learns.” The authentication scheme would start with certain primitive information about a user, such as name and password. As the use of the computing system continued, the authentication system would gather such information as commonly used programming languages; dates, times, and lengths of computing sessions; and use of distinctive resources. The authentication challenges would become more individualized as the system learned more information about the user. • Your design should include a list of many pieces of information about a user that the system could collect. It is permissible for the system to ask an authenticated user for certain additional information, such as a favorite book, to use in subsequent challenges.
  • 8. • Your design should also consider the problem of presenting and validating these challenges: Does the would-be user answer a truefalse or a multiple-choice question? Does the system interpret natural language prose? 12. How are passwords stored on your personal computer? 13. Describe a situation in which a weak but easy-to-use password may be adequate. 14. List three authentication questions (but not the answers) your credit card company could ask to authenticate you over the phone. Your questions should be ones to which an imposter could not readily obtain the answers. How difficult would it be for you to provide the correct answer (for example, you would have to look something up or you would have to do a quick arithmetical calculation)? 15. If you forget your password for a website and you click [Forgot my password], sometimes the company sends you a new password by email but sometimes it sends you your old password by email. Compare these two cases in terms of vulnerability of the website owner. 16. Defeating authentication follows the method–opportunity– motive paradigm described in Chapter 1. Discuss how these three factors apply to an attack on authentication. 17. Suggest a source of some very long unpredictable numbers. Your source must be something that both the sender and receiver can readily access but that is not obvious to outsiders and not transmitted directly from sender to
  • 9. receiver. 18. What are the risks of having the United States government select a cryptosystem for widespread commercial use (both inside and outside the United States). How could users from outside the United States overcome some or all of these risks? 19. If the useful life of DES was about 20 years (1977–1999), how long do you predict the useful life of AES will be? Justify your answer. 20. Humans are said to be the weakest link in any security system. Give an example for each of the following: (a) a situation in which human failure could lead to a compromise of encrypted data (b) a situation in which human failure could lead to a compromise of identification and authentication (c) a situation in which human failure could lead to a compromise of access control 21. Why do cryptologists recommend changing the encryption key from time to time? Is it the same reason security experts recommend changing a password from time to time? How can one determine how frequently to change keys or passwords? 22. Explain why hash collisions occur. That is, why must there always be two different plaintexts that have the same hash value? 23. What property of a hash function means that collisions are not a security problem? That is, why can an attacker not capitalize on collisions and change the underlying plaintext to another form whose value collides with
  • 10. the hash value of the original plaintext? 24. Does a PKI perform encryption? Explain your answer. 25. Does a PKI use symmetric or asymmetric encryption? Explain your answer. 26. Should a PKI be supported on a firewall (meaning that the certificates would be stored on the firewall and the firewall would distribute certificates on demand)? Explain your answer. 27. Why does a PKI need a means to cancel or invalidate certificates? Why is it not sufficient for the PKI to stop distributing a certificate after it becomes invalid? 28. Some people think the certificate authority for a PKI should be the government, but others think certificate authorities should be private entities, such as banks, corporations, or schools. What are the advantages and disadvantages of each approach? 29. If you live in country A and receive a certificate signed by a government certificate authority in country B, what conditions would cause you to trust that signature as authentic? 30. A certificate contains an identity, a public key, and signatures attesting that the public key belongs to the identity. Other fields that may be present include the organization (for example, university, company, or government) to which that identity belongs and perhaps suborganizations (college, department, program, branch, office). What security purpose do these other fields serve, if