This document discusses Fares Sharif's final exam submission for Professor Park's CIS 4680 class. It includes responses to three essay questions about designing a secure network architecture for an online shopping company, identifying appropriate intrusion detection and prevention systems for an online bookstore, and developing contingency plans to recover from a factory fire at an auto parts manufacturing company. Fares provides detailed answers for each question, outlining proposed network designs, recommended security tools and protocols, and steps to analyze impacts and recover critical business functions after a disaster.
A Novel Method for Data Auditing and Integrity Checking in Public Cloud (rahulmonikasharma)
Data plays a huge role in today's era. Every business has to deal with large amounts of data, so that data has to be secured properly. In this paper we aim to design a system that helps protect data in the cloud. A public cloud is used, in which users store their data, and the data is secured using cryptographic methods. Every customer wants to store data in the cloud and access or process it from there, but the major setback is security. In this paper we present a novel algorithm that allows data to be accessed securely from the cloud.
Data Privacy
Zero-Knowledge Proof
Transaction Privacy
Smart Contract Privacy
User Profile Sharing (KYC)
IoT Privacy
Multi-Chain Privacy
Lightweight Blockchain Client Privacy
Privacy-Preserving Machine Learning Data Sharing
Privacy-Preserving Shared Distributed Computing
Patents are a good information resource for obtaining the state of the art of blockchain privacy technology innovation insights.
I. Blockchain Privacy Technology Innovation Status
Patents that specifically describe the major blockchain privacy technologies are a good indicator of the blockchain privacy innovations of a specific innovating entity. To determine the status of blockchain privacy technology innovation, patent applications in the USPTO as of June 15, 2020 that specifically describe the major blockchain privacy technologies were searched and reviewed. 35 published patent applications related to the key blockchain privacy technology innovations were selected for detailed analysis.
II. Blockchain Privacy Technology Innovation Details
Patent information can provide many valuable insights that can be exploited for developing and implementing new technologies. Patents can also be exploited to identify new product/service development opportunities.
Anonymous Sharing of User Profile (KYC)/US20190028277 (IBM)
Anonymous Transaction with Increasing Traceability/US20200134586 (Tbcasoft, Inc.)
Zero-Knowledge Proof for Digital Asset Transaction/US20200034834 (Alibaba Group)
Patents are a good information resource for obtaining the state of the art of blockchain interoperability technology innovation insights.
I. Blockchain Interoperability Technology Innovation Status
Patents that specifically describe the major blockchain interoperability technologies are a good indicator of the blockchain interoperability innovations of a specific innovating entity. To determine the status of blockchain interoperability technology innovation, patent applications in the USPTO as of June 15, 2020 that specifically describe the major blockchain interoperability technologies were searched and reviewed. 28 published patent applications related to the key blockchain interoperability technology innovations were selected for detailed analysis.
II. Blockchain Interoperability Technology Innovation Details
Patent information can provide many valuable insights that can be exploited for developing and implementing new technologies. Patents can also be exploited to identify new product/service development opportunities.
Interoperability Smart Contract / US20200099533 (Accenture)
Transferring Digital Asset Using Sidechain / US20160330034 (Blockstream Corp)
Generic and efficient constructions of attribute based encryption with verifiable outsourced decryption (LeMeniz Infotech)
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ... (CODE BLUE)
This presentation provides an analysis of the advanced persistent threat (APT) attacks that have occurred during the past two years on the semiconductor industry. Our research shows that the majority of these attacks were concentrated on the Taiwan semiconductor sector. This is worthy of concern, as Taiwan's semiconductor industry plays a very crucial role in the world. Even a small disruption in the supply chain could have a serious ripple effect throughout the entire industry. Surprisingly, up until now, there has been little coverage of these attacks. In this presentation, we seek to shed light on the threat actors and campaigns behind these attacks, which are collectively referred to as Operation Chimera (a.k.a. Skeleton). Additionally, we provide a brief overview of the current information security status of Taiwan's semiconductor industry.
Between 2018 and 2019, we discovered several attacks on various semiconductor vendors located at the Hsinchu Science-based Industrial Park in Taiwan. As these attacks employed similar attack techniques and tactics, a pattern could be discerned from the malicious activities. From this pattern, we deduced that these attacks, which we dubbed Operation Chimera, were actually conducted by the same threat actor. The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, the source code, etc. If such documents are successfully stolen, the impact can be devastating. The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals.
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before (DigiCert, Inc.)
Presentation by Scott Rea, DigiCert's Sr. PKI Architect, at AppSec California 2015.
Abstract:
Traditional PKI focuses on binding a public key to the keyholder’s identity, which is implicitly assumed to be a well-defined, relatively static thing (such as individual’s full name or email address, or the hostname of a public webserver). However, in the envisioned smart grid, for example, the relevant properties of the keyholder are not just the device’s identity (i.e. this is a meter made by ACME or this is a refrigerator made by GE) but its context: This is a refrigerator in the apartment rented by Alice, who buys power from X.
This context information will not necessarily be known until device installation and also may change dynamically. What if Alice sells her fridge on Craigslist or sublets her apartment to Bob? What if repair personnel replace Alice’s meter? This information may also not be particularly simple. What if Alice’s landlord owns many apartment buildings, and changes power vendors to get a better rate?
If our cryptographic infrastructure is going to enable relying parties to make the right judgments about IoT devices (such as the example provided using Smart Grid), this additional contextual information needs to be available. We can try to modify a traditional identity-based PKI to attest to these more dynamic kinds of identities, and we can also try to adapt the largely experimental world of attribute certificates to supplement the identity certificates in the smart-grid PKI. Either of these approaches will break new ground.
Alternatively, we can leave the identity PKI in place and use some other method of maintaining and distributing this additional data; which would require supplementing our scalable PKI with a non-scalable database.
In any of these approaches, we also need to think about who is authorized to make these dynamic updates, or who is authoritative for making these types of attestations. Who witnesses that Alice has sold her refrigerator? Thinking about this organizational structure for IoT devices also complicates the revocation problem. If we can't quite figure out who speaks for where a device currently lives, how will we figure out who is authorized to say it has been compromised?
In this presentation, all of these issues and more will be explored and actionable guidelines will be proposed to build a secure and scalable system of IDs and attributes for the complex networked world that awaits us all.
Frost & Sullivan: Moving Forward with Distributed Cryptography (EMC)
This analyst report provides an overview of distributed cryptography. The premise underlying distributed cryptography is that if a credential (such as a password or a response to a challenge question) is stolen, the illegitimate possessor of that credential now has access to the secured material.
Secure and convenient strong authentication to protect identities and access to IT infrastructures is a key factor in the future of enterprise security. In the banking sector alone, Gemalto has contributed to large scale authentication rollouts for more than 3,000 financial institutions worldwide, with 50 million authentication devices delivered directly to our clients’ customers.
Through our knowledge and experience as the global leader in digital security, we have identified key steps to successfully implement strong authentication in your organization. The steps are presented in this guide.
Analysis of S-S short cylindrical shells under internal hydrostatic pressure ... (eSAT Journals)
Abstract: A new approach to the analysis of S-S short cylindrical shells subject to internal hydrostatic pressure is presented. Short cylindrical shells with both ends simply supported (S-S) loaded with axisymmetric internal hydrostatic pressure were considered. By satisfying the boundary conditions of the S-S short cylindrical shell in the general polynomial series shape function, a particular shape function for the shell was obtained. This shape function was substituted into the total potential energy functional of the conservation of work principle, and by minimizing the functional, the unknown coefficient of the particular polynomial shape function was obtained. Bending moments, shear forces and deflections of the shell were determined and used in plotting graphs for a range of aspect ratios, 1 ≤ L/r ≤ 4. Stresses and deflections at various points of the shell were determined for different cases. Considering case one, with aspect ratio 1, the maximum values of deflection, rotation, bending moment and shear force were m, -3.29878 radians, KNm and KN respectively. Thus we observed that the stresses and strains along the S-S short cylindrical reservoir vary inversely with the aspect ratio. Key Words: Analysis, Boundary condition, Conservation of work principle, Hydrostatic pressure, Polynomial series, Shape function, Short cylindrical shell.
A few years ago, I was tinkering with JavaScript. A flashy effect here, an input check there. The bulk of my application was written in Java and ran on the server side.
But Gmail and Google Spreadsheets have been out for a long time now. These days we expect web applications that respond instantly and work offline.
And that takes far more JavaScript code than before.
But 20,000 lines of JavaScript for a website? Seriously? In that dirty language, which doesn't have half the tooling of Java?
I learned. And the JavaScript ecosystem evolved.
In this session, I will show you how I now write complex JavaScript applications without stress.
Securing Your Intellectual Property: Preventing Business IP Leaks (Hokme)
Let us delve into strategies to safeguard your business's intellectual property (IP) and avoid leaks. Explore how Confiex's Virtual Data Room acts as a fortress against unauthorized access, ensuring your sensitive data and valuable IP remain protected at all times.
Source- https://confiexdataroom.com/blog/data-room/virtual-data-room/how-to-avoid-business-ip-leaks/
The national Scot-Secure Summit is the largest annual Cyber Security Conference in Scotland: the event brings together senior IT leaders and Information Security personnel, providing a unique forum for knowledge exchange, discussion and high-level networking.
The conference programme is focussed on promoting best-practice cyber security; looking at the current trends, the key threats - and offering practical advice on improving resilience and implementing effective security measures.
Steven Meister GDPR and Regulatory Compliance and Big Data Excelerator Profes... (Steven Meister)
Steven Meister Cover Letter and CV
My expertise is in data regulatory compliance such as the EU GDPR, California cyber security law and most every country's data privacy and security regulations, and in accelerating the building of Big Data frameworks and platforms in Hadoop and AWS S3.
Recent Accomplishments: https://youtu.be/roPC1NSgRGg
https://youtu.be/nwwqZTY_6Gc https://youtu.be/ZcNGXR2eLT0
PCI DSS Implementation: A Five Step Guide (AlienVault)
Payment Card Industry Data Security Standard (PCI DSS) compliance can be both hard and expensive. For most small to medium sized organizations, it doesn't have to be, as long as you have the right plan and tools in place. In this guide you'll learn five steps that you can take to implement and maintain PCI DSS compliance at your organization.
AlienVault PCI DSS Compliance:
https://www.alienvault.com/solutions/pci-dss-compliance
Your firm needs to be committed to protecting information assets, including personal data and client documents. As a trusted advisor to our clients, the expectation is that we are aware of threats and are guarding their data. Data privacy and information security are fundamental components of doing business today, no matter how large your firm is.
In this paper we will look at three specific ways of protecting our clients:
1. Protection through our ability to research and improve intellectual capital
2. Protection through policies, procedures and processes
3. Protection by securing client data
To implement data-centric security, while simultaneously empowering your business to compete and win in today’s nano-second world, you need to understand your data flows and your business needs from your data. Begin by answering some important questions:
• What does your organization need from your data in order to extract the maximum business value and gain a competitive advantage?
• What opportunities might be leveraged by improving the security posture of the data?
• What risks exist based upon your current security posture? What would the impact of a data breach be on the organization? Be specific!
• Have you clearly defined which data (both structured and unstructured) residing across your extended enterprise is most important to your business? Where is it?
• What people, processes and technology are currently employed to protect your business sensitive information?
• Who in your organization requires access to data and for what specific purposes?
• What time constraints exist upon the organization that might affect the technical infrastructure?
• What must you do to comply with the myriad government and industry regulations relevant to your business?
Finally, ask yourself what a successful data-centric protection program should look like in your organization. What’s most appropriate for your organization?
The answers to these and other related questions will give you a clearer picture of your enterprise's "data attack surface," which in turn will give you a well-documented risk profile. By answering these questions and thinking holistically about where your data is, how it's being used and by whom, you'll be well positioned to design and implement a robust, business-enabling data-centric protection plan that is tailored to the unique requirements of your organization.
Collaboration with a service provider may be a good choice to improve your company's security operations department efficiently and cost-effectively. Outsourced SOC services can be an important part of your company's information security program when properly established and maintained. To guarantee that your company obtains the best services, extensively evaluate SOC service providers in India.
Today, the delegation of risk decisions to the IT team cannot be the only solution and has to be a shared responsibility. The board and business executives are expected to incorporate the management of cyber risk as part of their business strategy since they are accountable to stakeholders, regulators and customers. For the CROs, CISOs, and Security and Risk Management Professionals to be on the same page, there has to be a single source of truth for communicating the impact that cyber risk has on business outcomes, in a language that everyone can understand.
Over the last few years, there has been an increase in the number of cybersecurity headlines. Cybercriminals steal customer social security numbers, steal company secrets from the cloud, and grab personal information and passwords from social media sites. Keeping information safe has become a great concern for both big and small businesses.
It is never possible to guarantee that a company is totally secure or that a breach will not occur; however, implementing the latest tools and providing ongoing end-user education will minimize those risks and allow companies to focus more on growing their business rather than repairing it.
Businesses involved in mergers and acquisitions must exercise due di.docx (dewhirstichabod)
Businesses involved in mergers and acquisitions must exercise due diligence in ensuring that the technology environment of the future organization is robust and adequately protects their information assets and intellectual property. Such an effort requires time and open sharing to understand the physical locations, computing environment, and any gaps to address. Lack of information sharing can lead to problematic systems integration and hamper the building of a cohesive enterprise security posture for the merged organization.
Often the urgency of companies undergoing a merger and acquisition (M&A) impedes comprehensive due diligence, especially in cybersecurity. This creates greater challenges for the cybersecurity engineering architect, who typically leads the cybersecurity assessment effort and creates the roadmap for the new enterprise security solution for the future organization. However, the business interest and urgency in completing the merger can also represent an opportunity for CISOs to leverage additional resources and executive attention on strategic security matters.
In this project, you will create a report on system security issues during an M&A. The details of your report, which will also include an executive briefing and summary, can be found in the final step of the project.
There are nine steps to the project. The project as a whole should take two weeks to complete. Begin with the workplace scenario and then continue to Step 1.
Deliverable
Cybersecurity for a Successful Acquisition, Slides to Support Executive Briefing
Step 1: Conduct a Policy Gap Analysis
As you begin Step 1 of your system security report on cybersecurity for mergers and acquisitions, keep in mind that the networks of companies going through an M&A can be subject to cyberattack. As you work through this step and the others, keep these questions in mind:
Are companies going through an M&A prone to more attacks or more focused attacks?
If so, what is the appropriate course of action?
Should the M&A activities be kept confidential?
Now, look at the existing security policies in regard to the acquisition of the media streaming company. You have to explain to the executives that before any systems are integrated, their security policies will need to be reviewed.
Conduct a policy gap analysis to ensure the target company's security policies follow relevant industry standards as well as local, state, and national laws and regulations. In other words, you need to make sure the new company will not inherit any statutory or regulatory noncompliance from either of the two original companies. This step would also identify what, if any, laws and regulations the target company is subject to. If those are different from the laws and regulations the acquiring company is subject to, then this document should answer the following questions:
How would you identify the differences?
How would you learn about the relevant laws and regulations?
How would .
An organization's security architecture is comprehensively guided by cybersecurity frameworks, which delineate a set of best practices to be followed in specific circumstances. Additionally, these documents carry response strategies for significant incidents like breaches, system failures, and compromises.
Information technology lays out its strategies for using technology and infrastructure to help the company reach its goals. Plans are consistent with available means. A number of novel ideas are also presented that might be incorporated into the strategy to further improve the outcome. The PMCASPL IT department will aid the company's growth by offering a wide range of IT services, such as evaluating data from various units and drawing conclusions on how to proceed with business. IT employee policy, AI/ML integration, blockchain in AQMS, website/app development (Android/iOS), social media account management (technical side), ERP (enterprise resource planning), cyber security, server systems, IT communication, networking setup and management, hardware support, software support, cloud services, and backup systems are all within the purview of the IT department. As a result, the IT department will offer technical assistance and creative ideas that add value to the company, allowing it to better carry out its commercial operations.
IT Department Roadmap | National Management Olympiad Season 4
Backup of FinalExam-EssayQ-Mon
1. Eunice Park
This is my final exam submission, Professor Park. I thoroughly enjoyed your class with your charismatic spirit and enthusiasm in this course. This information was animated to me in a way that I was able to understand, according to the sincerity of the time you took to include the class in discussion and lecture. I can tell you took your time to search and find videos, which made the class entertaining. These factors concerning your teaching style are the likely precursor to me deciding to specialize in info sec. I wanted to thank you for allowing me the opportunity to be in your class; it was such a wonderful and uplifting experience! I wish the best for you. Thank you for the memories.
Georgia State Spring 2014
Fares Sharif Final Exam
2. CIS 4680 Final Exam
2
Final Exam Questions
Name: Fares Sharif
Date: 5/2/2104
1. (Case) Internet Shopping House (ISH) (an imaginary company) is a small online business that has around 100 employees. It handles thousands of online transactions in a day by buying and selling sports goods from buyers and sellers. The company aims at protecting its 'web server' from insider and outsider attacks. Now you need to design the network security architecture. Write a unified essay in which you perform the following tasks. (1) Design the secure network architecture (e.g., location of web server, type of firewall, and other types of network security devices) (you can draw the network architecture and describe it). Support your position by providing reasons or evidence. (2) Identify appropriate 'cryptographic tools' and 'protocols' that can assure secure business transactions with your business partners and support your position with reasons or evidence (25 points).
Security programs can be used to create the architecture for this network. The particular selection here is made with the goal of the future success of this small company. The architecture has to be thought out in a manner that supplements the organization's goals from the outset. So the primary element of this architecture is going to be a firewall.
We know that the company is, relatively speaking, a small company. Therefore I suggest a small modem made for such a case, something such as a SonicWall TZ 200. This firewall starts at around three hundred dollars. It supplements the company perfectly and gives it exactly what it needs to flourish and develop. The location of the web server depends entirely on the company's manager; the amount of discretion and free will the manager has depends on that entirely.
Managers can choose to allow their clients a strong cryptographic number combination that is exponentially effective, thus avoiding the problem that many software development studies and developers face when they use numbers that either aren't random enough or aren't strong enough to secure their network, so that things such as command injection hacks do not occur. This company is dealing with online transactions, so the use of this hardware with the proper installation should take care of the initial wireless tracking of online customers by filtering false keys, so that hackers do not access random bank accounts and attempt to purchase information, which can cost the company money and cost the cardholder faith in their bank account and in online shopping in general. Cryptography has been defined as the process of making and using codes to secure the transmission of information. Cryptographic tools are the tools we will use to secure effective and safe Internet business transactions. The potential areas of use for cryptographic tools include both the ability to conceal the contents of sensitive messages and the verification of message contents and the identities of their senders. Tools we should incorporate through the use of this firewall include the integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services enabling users to communicate securely.
The securing of the web transactions for this small company should be done through SET, or Secure Electronic Transactions, developed by MasterCard and Visa. The company can then further allow DES encryption of credit card information to protect transfers against fraudulent transfers of their sporting goods. The security of sporting goods sales can be applied to Internet traffic as well as to the credit card swipe system in retail stores. If a customer decides to create an account due to frequent purchases, they should be careful about cookie storage of such credit card information, to further protect against fraudulent charges. The Wi-Fi network can require a WPA- or WPA2-protected password account so that the company's protocol is protected by requiring a complex password from the manager and employees which expires every 120 days or so. Implementation of the IPSec open-source protocol framework could additionally add security within the TCP/IP framework under the protocol standards. If this does not suffice and is outdated, the PGP hybrid cryptosystem uses a combination of cryptographic algorithms to serve as the open-source de facto standard for encryption and authentication of e-mail and file storage applications. This is also applicable because this cryptosystem is economically efficient, with low-cost commercial versions available online for download or torrent. The six services of the PGP solution allow for digital signature authorization, message encryption, compatibility of e-mails, segmentation, and finally key management.
The overall success of the encryption tools and protocols depends on the management structure and code of conduct for the online interaction between employees and clients. It also depends on the acceptance of company policy agreement checkboxes on the website's open server, by which customers agree that the company disregards liability for fraud, hence avoiding losses on sales done illegally. ISH is a company that buys and sells sports goods to and from other customers. Operating as the middleman, much traffic is going on and many keys are constantly being sent and received. Therefore, ideally the firewall and cryptographic tools, in addition to the protocol, should be cohesively efficient without gaps. This requires synchronization of the systems by the manager and communication of these urgent security precautions.
Finally, an illustration of a packet filtering router will be used to incorporate the first-generation firewall, preventing unwanted information from entering the company.
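The packet-filtering router named above, as an added example that is not part of the exam answer: a stateless, first-generation filter simulated in Python, with the web server placed in a screened subnet (DMZ) in front of the employee LAN. The addresses, interface names and rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing for the example (not from the exam text).
ANY = ip_network("0.0.0.0/0")
LAN = ip_network("10.0.1.0/24")            # employee workstations behind the router
DMZ = ip_network("10.0.2.0/24")            # screened subnet that holds the web server
WEB = ip_network("10.0.2.10/32")           # the web server itself


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "outside", "dmz" or "inside"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Ordered rulebase: first match wins, and anything unmatched is dropped.
RULES = [
    Rule("allow", ANY, WEB, "tcp", 443, "customers reach the shop over HTTPS"),
    Rule("allow", ANY, WEB, "tcp", 80, "plain HTTP, redirected to HTTPS by the server"),
    Rule("deny", DMZ, LAN, note="a compromised web server must not reach the LAN"),
    Rule("allow", LAN, ANY, "tcp", 443, "employees browse out"),
    Rule("allow", LAN, ANY, "tcp", 80, "employees browse out"),
    Rule("allow", LAN, ANY, "udp", 53, "DNS lookups"),
]

# Address ranges that may only legitimately arrive on one interface.
INTERNAL_RANGES = {"inside": LAN, "dmz": DMZ}


def is_spoofed(p: Packet) -> bool:
    """Anti-spoofing: a packet claiming an internal source address must arrive
    on the interface that owns that range, never from the Internet side."""
    src = ip_address(p.src)
    return any(src in net and p.iface != iface for iface, net in INTERNAL_RANGES.items())


def filter_packet(p: Packet) -> tuple:
    """Return ("allow"|"deny", reason) for one packet, stateless like a
    first-generation packet-filtering router: no session table is consulted."""
    if is_spoofed(p):
        return "deny", "spoofed internal source address on " + p.iface
    for rule in RULES:
        if rule.matches(p):
            return rule.action, rule.note
    return "deny", "implicit default deny"


# Constructed traffic mix exercising each decision path.
SAMPLE = [
    Packet("outside", "203.0.113.7", "10.0.2.10", "tcp", 443),   # customer -> shop
    Packet("outside", "203.0.113.7", "10.0.1.25", "tcp", 445),   # Internet -> LAN file share
    Packet("dmz", "10.0.2.10", "10.0.1.25", "tcp", 22),          # web server -> LAN host
    Packet("inside", "10.0.1.25", "198.51.100.9", "tcp", 443),   # employee browsing
    Packet("outside", "10.0.1.25", "10.0.2.10", "tcp", 443),     # forged LAN address
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        action, why = filter_packet(pkt)
        print(f"{pkt.iface:8} {pkt.src:>14} -> {pkt.dst:<13} {pkt.proto}/{pkt.dport}: {action} ({why})")
```

A stateless filter cannot tell the web server's replies from new inbound connections, so early routers permitted any TCP segment with the ACK bit set; that gap is what a stateful firewall closes.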
2. (Case) HappyOnlineBookStore, which is a small online business company, sells and buys new/old books. It has two branches across the southern part of Georgia. In its data center, tens of servers support online transactions. Administrators in the data center are monitoring the network activities. Currently, the company makes a great effort to provide customers with fast, convenient, and secure service. Write a unified essay in which you perform the following tasks. (1) Identify proper type(s) of IDPS for the HappyOnlineBookStore case and support your position by providing an explanation. (2) Identify appropriate IDPS detection method(s) that can detect DoS and DDoS attacks during normal system usage and support your position. (3) Discuss other security tools and scanning/analysis tools that the administrator can use together with the IDPS (25 points).
Happy Online Books Store is a small business with two branches and one data center with tens of servers to support the online transactions. Administrators monitor the data and network activities in that center. The first question I am asked is to identify the proper IDPS detection method for this company and support my position by providing an explanation. The first thing is that IDPS is defined as intrusion detection and prevention systems. These are designed to protect an organization's assets, dependent on the people and the controls. Therefore, we are going to establish this IDPS in particular to prevent intrusion by such means as a virus or a DDoS attack. We know that we have to detect the intrusion as the first step, react to the intrusion as the following step, and finally correct the intrusion as the third step. This will ensure that the procedures of all the systems created and operated to detect intrusions are encompassed by actions and finalized by restoring operations to their normal state.
The first decision we have to make as the managers of this company is which IDPS detection methods to use, explaining the beneficial factors of each. Then, through examination, I will select the most appropriate choice of the options available for this company. This honeycomb illustration will attempt to bring forth the different security tools and scanning/analysis tools that an administrator can use in alliance with the IDPS. Following the illustration is a summarizing, conclusive decision as to which method is most appropriate.
[Illustration: IDPS types]
Network-based: focus on network info, assess abnormalities
Host-based: benchmark and monitor intruder
Signature-based: searches data patterns
The question now boils down to which one to choose for this small company. My personal opinion is that they should use a network-based IDPS operating system. It seems the only one feasible with the small number of supervisors who walk about, concerned to see whether or not the service is being conducted in an orthodox manner.
The question just boils down to management style. This group wants to conduct a fast, convenient and secure service. They would not want to use signature-based because it requires continuous updating and would take too long to update every network and computer. They most certainly would not want host-based, because host-based is far too complex and analytical and requires a much higher amount of monitoring than network-based monitoring does. Network-based seems the most feasible and practical solution in my opinion, considering the needs of the company and the needs of the customers. Indeed it does have drawbacks of its own, yet it still operates in the most formidable manner considering the circumstances that arise from the lesser options.
NIDPS can use signature matching to detect attacks or attack patterns. They can implement the TCP/IP stack and use protocol stack verification. This would ensure the quick and efficient selling of books from company to customer. Additionally, the in-app protocol verification can examine unexpected pattern behavior or improper use. The improper use of patterns can then be identified, assessed, and eventually corrected in a proper and normal manner.
The determination of whether or not attacks seem to be infiltrating is interpreted from the attack patterns. These attack patterns are measured against known signatures. This can be the company's defense when dealing with unknown signatures trying to buy books or use fraudulent credit cards. The knowledge base has known signatures against which to compare the trapped network traffic that was seen as a threat. TCP/IP stacks verify these packets and apply the protocol stack for the application verification of that protocol. Notifications of hack attacks can be sent to the network administrators for further termination of the hacked packets and information. The NIDPS can be installed somewhere on the database where it can be safely monitored. It can be installed on either the inside or the outside of the company's router. They can also use the NIDPS in between the other computers on the network to ensure that all ten computers they have are not affected. Stateful protocol analysis is similar and is a tool that can be used because it stores and uses the relevant data detected in a session to show possible intrusions. Comparing predetermined profile definitions of benign activity is similar to the TCP/IP stack verification and is another way that this tool can be successfully used. It can also record the deviations to be sent back to the manager as an alert that someone is trying to hack the system. Honeypots can additionally be used to encourage people who are trying to hack the system, damaging them internally by reversing the hack. Diversion and collection of information about hacker activity and critical systems encourage the hacker to stay long enough for notification to be received by the NIDPS system, and the problem is resolved that way. These honeypots can all form one honeynet.
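The two NIDPS methods the answer relies on for DoS/DDoS, stateful protocol analysis and comparison against a profile of benign activity, as an added example that is not part of the exam answer: a Python detector run over a constructed TCP handshake capture. The server address, client addresses, thresholds and the traffic itself are all constructed assumptions.

```python
import statistics
from collections import defaultdict


def handshake(t, src):
    """Constructed benign TCP handshake: SYN, SYN-ACK from the server, final ACK."""
    return [(t, src, "S"), (t + 0.01, "10.0.0.5", "SA"), (t + 0.02, src, "A")]


def benign_traffic(seed_offset=0):
    """One or two new customers per second for ten seconds (constructed sample)."""
    events = []
    for second in range(10):
        for i in range(1 + second % 2):
            events += handshake(second + 0.1 * i, f"198.51.100.{seed_offset + 2 * second + i}")
    return events


def build_profile(events, window_s=1.0):
    """Benign profile for anomaly detection: SYNs (new connections) per window."""
    counts = defaultdict(int)
    for t, _, flags in events:
        if flags == "S":
            counts[int(t // window_s)] += 1
    rates = list(counts.values())
    return {"mean": statistics.mean(rates), "stdev": statistics.pstdev(rates)}


def analyze(events, profile, window_s=1.0, sigma=3.0, src_limit=5, total_limit=20):
    """Return alerts from two NIDPS methods run over one capture:
    (1) anomaly: SYN rate per window compared with the benign profile;
    (2) stateful protocol analysis: handshakes that never complete (half-open),
        counted per source (single attacker) and in total (distributed attack)."""
    alerts = []
    syns_per_window = defaultdict(int)
    half_open = defaultdict(int)          # src -> SYNs not yet followed by the client's ACK
    for t, src, flags in events:          # events are processed in capture order
        if flags == "S":
            syns_per_window[int(t // window_s)] += 1
            half_open[src] += 1
        elif flags == "A" and half_open[src] > 0:
            half_open[src] -= 1           # handshake completed, so not an attack
    threshold = profile["mean"] + sigma * profile["stdev"]
    for window, count in sorted(syns_per_window.items()):
        if count > threshold:
            alerts.append({"kind": "rate-anomaly", "window": window, "count": count})
    for src, n in half_open.items():
        if n > src_limit:
            alerts.append({"kind": "syn-flood-source", "src": src, "half_open": n})
    total = sum(half_open.values())
    if total > total_limit:
        alerts.append({"kind": "syn-flood-aggregate", "half_open": total})
    return alerts


BENIGN = benign_traffic()
PROFILE = build_profile(BENIGN)

# Constructed attack capture: normal customers plus a single-source SYN flood
# (30 SYNs, no ACKs) at second 3 and a distributed one (25 sources, one
# unanswered SYN each) at second 6. The per-source rule misses the distributed
# case; the aggregate half-open count and the rate anomaly still catch it.
ATTACK = benign_traffic(seed_offset=100)
ATTACK += [(3.5, "203.0.113.66", "S") for _ in range(30)]
ATTACK += [(6.5, f"192.0.2.{i}", "S") for i in range(1, 26)]

if __name__ == "__main__":
    print("benign capture:", analyze(BENIGN, PROFILE))
    for alert in analyze(ATTACK, PROFILE):
        print("attack capture:", alert)
```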
3. (Case) On June 12, 2013, fire damaged the Atlanta factory of HighTechAuto Manufacturing Company, which produces auto parts for GM (General Motors). The Atlanta factory lost raw materials and finished goods. The fire also damaged most of the auto part manufacturing machines. Write a unified essay in which you perform the following tasks. (1) Identify proper contingency plan(s) to assure recovering the main factory and continuous business availability in a secondary site and support your position. (2) Discuss the steps to recover from the fire in detail (25 points).
A contingency plan is defined as the entire planning conducted by the organization to prepare for, react to, and recover from events that threaten the security of information and information assets in the organization. It also encompasses the subsequent restoration to the modes deemed normal and regular for daily business operations. If this was my company and I was the manager, I would have presumed to already have IRP planning ready and available.
IRP is the incident response plan. It is the planning process associated with identifying the classified problem and then the ability to respond to and recover from a particular situation which, in this case, has to do with a manufacturing company and equipment. Heavy machinery that could have been inside the buildings when they burnt down may still be salvageable, depending on the severity of the fire and the burns inflicted on such heavy machinery. Depending on the context, this fire could be seen in terms of DRP and BCP as well. The term DRP means the disaster recovery plan. The term is also closely linked to, and often defined in a further sense as, BCP, which we will cover in one of the questions following this one. BCP is primarily associated with DRP simultaneously and applies when the damage is major or long-term. The simple restoration of information and information resources is also important in the contingency plan. The extent the fire reached, and how bad it really made life for some people, is the reason for the status of the situation escalating.
The plans to recover the machinery, in my eyes, would be carried out by the insurance company sending over contractors to salvage the machinery they could, and to use the property either to sell or to rebuild my business. For the time being, however, the building is destroyed. Any natural resources left or items that could be salvaged should be exported to the nearest manufacturer. The purchase of a new facility is also an option. However, this is an ineffective way of managing resources and should be avoided. The first thing the company or the manager should do is to hire a professional to see whether or not the property can be built over again for further use in the future.
The contingency plans for DRP are used to save the stored business information that can be recovered from the disaster. Unaffected computers, and software that was saved and emailed, could be considered DRP. The first phase of the development of the CP process can be identified as the business impact analysis, or BIA. It is an investigation and assessment of the impact that various attacks can have on the organization, and it takes up where the risk assessment process leaves off. We assume that the controls have been bypassed, have failed, or were ineffective in stopping the attack. The attack was therefore unsuccessful. We take the following steps for the stages of rebuilding this company:
1. Threat attack identification
2. Business unit analysis
3. Attack success scenarios
4. Potential damage assessment
5. Subordinate plan classification
The first step would be the threat attack identification and prioritization, to continue the business availability of this company. The system has to be updated with the already existing threat list. The attack profile has to be added and documented in order for the business to eventually be ready again. The attack profile consists of detailed descriptions of activities that occur during the attack. The fire must be developed and documented to show that a story was developed for every serious threat that the organization faces. The attack profile should be serious and determine the damage that could result to a business unit if the attack was successful.
The second big task when assessing the BIA is the analysis and prioritization of the company and its business functions within the organization. This company was a manufacturer of auto parts for General Motors. Therefore the most vital parts of the operations, those that make the most profit, have to be saved and assessed to see which of them are the most essential to keeping the organization afloat. Efforts in function analysis focus on the result: the prioritized list of the various functions an organization prefers.
Following this is the attack success scenario development. This is when the BIA team creates a series of scenarios depicting and predicting the board's reaction and the consequences. Then the potential damage assessment discusses what the cost of the best, worst, and most likely cases will be. This ends the attack scenario case. The potential damage has been assessed and each case evaluated. Finally, the subordinate plan is classified to and from board members so that effective action can be taken during an attack.
The incident in this case, however, could be classified as a disaster. An incident becomes a disaster when the organization is not able to decipher the impact of the incident as it takes place. The level of damage or destruction is so severe that it typically takes an organization a long time to recover. Businesses need a blueprint for the desired solution, and applications capable of providing the needed services are selected. They also need data support structures capable of providing the needed inputs identified, and technologies to implement physical solutions to be determined. A feasibility analysis is to be performed at the end. This company essentially should create a BCP, which stands for business continuity plan. These plans are strategic, long-term plans that encompass the continuation of business activities if a catastrophic event occurs. The loss of a database, building, or operations center is what happened in this case. This is the primary reasoning for a BCP. The steps listed above apply when the scope or scale surpasses the DRP, which in this case is true. A re-evaluation of priorities and of the resources to be used for allocation and further sale should be done by methods such as benchmarking, to find out what the organization needs. All remaining intact resources, software or hardware, need to be transferred and allocated to an alternate location so that work can be conducted and processed without being lost. These methods could have been used as steps to save the company from the fire if a proper risk control strategy had been done through cost-benefit analysis and a feasibility study, followed by quantitative risk control, with residual risk and residual appetite factors put in place. Leave the resources in the alternate location long enough for the company to get back on its feet again and purchase a new property.
4. (Case) Southern American Bank company provides online banking services and has ten branches across the southern part of America. In its data center in Atlanta, thousands of servers support online banking services. Administrators in the data center are monitoring the large network activities.
In a risk management perspective, organizations should evaluate the tradeoffs between perfect security and unlimited accessibility… Organizations should decide the level of risk appetite to accept the tradeoffs (Whitman and Mattord 2011, Chapter 4).
Write a unified essay in which you perform the following tasks. (1) Explain what the above statement means. (2) Imagine and describe two specific situations in which the Southern American Bank company may pursue more 'perfect security' than 'unlimited accessibility.' (3) Discuss what type of risk control strategies might be appropriate in such situations and provide your justification for the selection of risk control strategy (25 points).
This statement is talking about the opportunity cost a company has to decide on when it comes to its organizational security management. The analysis discusses the positive values of a tradeoff by making the assumption that it is an ultimatum: managers of these systems can either have a system that is labeled as "perfect" or a system that "allows unlimited access".
From deducing the philosophy behind this statement, I will attempt to show the advantages and disadvantages of both having too much and having too little security. The level of risk associated with bank accounts is heavy. Banks store personal information and keep electronic databases of essential information people wish to retain. Nonetheless, if too much security is added as a precautionary measure, online actions can be hindered. Banks do not want to lose customers because of online banking bugs that might occur through too many security concerns caused by those same people also wanting their money to be safe. The IP address attempting to log onto an individual's bank account could be the customer, but using an untrusted source such as a stranger's cell phone or a friend's laptop. The bank wants to keep the customers but also wants their money to be safe. Disabling cookies on stored devices might pose a threat, or maybe an unauthorized key in the likes of some web development systems.
Organizations such as this bank have to identify what level of risk they can live with. This quote is also a reference to the term risk appetite. Risk appetite involves the numerical value and the organic, natural value of risk that a company is willing to accept as trade-offs between perfect security and unlimited accessibility. This is a very common risk management discussion point that we discussed in class. Not every organization has the collective will to manage every vulnerability by applying controls. Depending on the willingness of the bank to assume the risk, the risk appetite is developed. We can never have truly perfect security, but we can try to, and we can limit much of the residual risk but limit the accessibility of the company. Identifying the risk is the formal process of documenting and examining the risk in information systems. Risk controls are the steps in the process of taking carefully calculated decisions to ensure the confidentiality, integrity, and availability of the components of an information system. Risk identification is a risk management strategy that identifies the classification of the organization's assets. The residual risk is the risk remaining to the information asset even after the existing control is applied.
Risk control can be the application of the five strategies used to control risks from vulnerabilities. These include:
1. Defend
2. Transfer
3. Mitigate
4. Accept
5. Terminate
Following are two example scenarios to exemplify my reasoning:
Scenario 1: Logging (risk area: Infrastructure)
Risk: Data integrity is hindered by the use of audit trails to investigate issues. Loss of audit trail and integrity causes confusion and hinders service levels.
Mitigating controls: Sending bank audit logs to a centralized log server will send alert mail from matches that filter its rulebase. Use tools for HIPAA logging when requirements are met.
Results: Windows servers for bank audits deploy solutions for bad audits on a syslog-based log client. Server implementation of security saves risk of bank information.
Scenario 2: Personal Device (risk area: Confidentiality)
Risk: Hacker tries to steal account information stored on the server by administering an attack to withdraw money from a bank account.
Reactions: Host-based IDPS uses benchmark activity on the master computer. The host system detects inconsistencies in audit logs and decrypts incoming traffic.
Results: Identify the hacker and benchmark key systems by examining records in the audit logs. The company can identify and arrest the hacker.
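The centralized audit-log server of Scenario 1 and the audit-log inconsistency check of Scenario 2, as an added example that is not part of the exam answer: forwarded audit records are linked with a SHA-256 hash chain (my assumption, not a control the scenarios name) so the central server can detect a deleted or rewritten entry, and a small filter rulebase turns matches into alert mails. Hostnames, user names, events and thresholds are constructed.

```python
import copy
import hashlib
import json
from collections import defaultdict
from datetime import datetime

GENESIS = "0" * 64   # digest "before" the first record


def canonical(entry):
    """Stable serialisation so client and log server hash identical bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def chain_entries(entries):
    """Log-client side: each forwarded record carries SHA-256(prev digest || content),
    so removing or altering any record breaks every later link."""
    records, prev = [], GENESIS
    for entry in entries:
        digest = hashlib.sha256(prev.encode() + canonical(entry)).hexdigest()
        records.append({"entry": entry, "prev": prev, "digest": digest})
        prev = digest
    return records


def verify_chain(records):
    """Central log server side: (True, None) if the trail is intact, otherwise
    (False, seq) naming the first record where the chain no longer links up."""
    prev = GENESIS
    for rec in records:
        expected = hashlib.sha256(prev.encode() + canonical(rec["entry"])).hexdigest()
        if rec["prev"] != prev or rec["digest"] != expected:
            return False, rec["entry"]["seq"]
        prev = rec["digest"]
    return True, None


def apply_rulebase(records, fail_limit=3, window_s=60):
    """Filter rulebase on the central server; every match is one alert mail."""
    alerts, failures = [], defaultdict(list)
    for rec in records:
        e = rec["entry"]
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "logon_failure":
            recent = [t for t in failures[e["user"]] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[e["user"]] = recent
            if len(recent) >= fail_limit:
                alerts.append(f"{e['host']}: {len(recent)} failed logons for {e['user']} within {window_s}s")
        elif e["event"] == "audit_cleared":
            alerts.append(f"{e['host']}: audit log cleared by {e['user']}")
        elif e["event"] == "privilege_change" and not 8 <= ts.hour < 18:
            alerts.append(f"{e['host']}: privilege change by {e['user']} outside business hours")
    return alerts


def tamper(records, seq, new_event):
    """Simulate one forwarded record being rewritten after the fact."""
    altered = copy.deepcopy(records)
    for rec in altered:
        if rec["entry"]["seq"] == seq:
            rec["entry"]["event"] = new_event
    return altered


def entry(seq, ts, host, user, event):
    return {"seq": seq, "ts": ts, "host": host, "user": user, "event": event}


# Constructed audit entries from two bank servers (hostnames and users invented).
SAMPLE = [
    entry(1, "2014-05-02T09:00:05", "BANK-DC1", "teller01", "logon_success"),
    entry(2, "2014-05-02T09:01:10", "BANK-DC1", "teller02", "logon_failure"),
    entry(3, "2014-05-02T09:01:25", "BANK-DC1", "teller02", "logon_failure"),
    entry(4, "2014-05-02T09:01:40", "BANK-DC1", "teller02", "logon_failure"),
    entry(5, "2014-05-02T14:30:00", "BANK-APP2", "admin", "privilege_change"),
    entry(6, "2014-05-02T23:15:00", "BANK-APP2", "admin", "privilege_change"),
    entry(7, "2014-05-02T23:16:30", "BANK-APP2", "admin", "audit_cleared"),
]
RECORDS = chain_entries(SAMPLE)

if __name__ == "__main__":
    print("intact:", verify_chain(RECORDS))
    print("record 6 deleted:", verify_chain(RECORDS[:5] + RECORDS[6:]))
    print("record 7 rewritten:", verify_chain(tamper(RECORDS, 7, "logon_success")))
    for alert in apply_rulebase(RECORDS):
        print("ALERT:", alert)
```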