ISA 562 – 2020

NOTE 1: You must submit answers to Bb, on time, as a typed pdf (i.e., one constructed from this .docx file). Otherwise, you will receive 0 points.

NOTE 2: Be concise with your answers. Please do not write pages of prose to gain partial credit by providing definitions (this will not gain partial credit) unless the question explicitly asks for this. Additionally, listing incorrect reasoning will result in point loss even if your remaining answer is correct.

NOTE 3: While not mandatory, it is appreciated if your answers are provided in blue text.

Question 1 (15 points):

For the following access control policy rules, create an Access Control Matrix (as a table in Word), a list of ACLs for each Object, and a list of Capabilities for each Principal. Do not use graphical representations—instead, use the set notation format indicated in lecture slides. Objects include: budget.xls, process 1, print queue 1, print queue 2. Principals include: Alice, Darci, Machelle, Leila, Jeri.

The organization’s decisions:

  • Default access is “no access”; privileges must be explicitly granted.
  • Deny privileges override accept rights.
  • Access rules:
      • Alice, Darci, and Machelle can read budget.xls but cannot alter it. They can submit print jobs to queue 1.
      • Leila can submit print jobs to print queue 1 but not to queue 2.
      • Everyone can submit print jobs to print queue 2.
      • Darci and Machelle own process 1.
      • Everyone can execute process 1.
      • Jeri has rights identical to Alice but is denied Leila’s rights.

Construct the Access Control Matrix, ACLs per object, and Capabilities per principal based on these rules in set notation format.
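The following is an added example, not part of the original assignment or its answer key: it encodes the rules above as allow/deny entries, resolves them with default-deny and deny-overrides, and derives the ACL (column) and capability (row) views from the one matrix. The right names and the reading of “denied Leila’s rights” as the print queue 1 right granted to Leila by name are assumptions.

```python
from collections import defaultdict

PRINCIPALS = ["Alice", "Darci", "Machelle", "Leila", "Jeri"]
OBJECTS = ["budget.xls", "process 1", "print queue 1", "print queue 2"]
ABM = ["Alice", "Darci", "Machelle"]
# (effect, principals, object, right); right names are assumed labels.
RULES = [
    ("allow", ABM, "budget.xls", "read"),
    ("deny", ABM, "budget.xls", "write"),              # "cannot alter it"
    ("allow", ABM, "print queue 1", "submit"),
    ("allow", ["Leila"], "print queue 1", "submit"),
    ("deny", ["Leila"], "print queue 2", "submit"),
    ("allow", PRINCIPALS, "print queue 2", "submit"),  # "everyone"
    ("allow", ["Darci", "Machelle"], "process 1", "own"),
    ("allow", PRINCIPALS, "process 1", "execute"),
    # Jeri: the same grants as Alice ...
    ("allow", ["Jeri"], "budget.xls", "read"),
    ("deny", ["Jeri"], "budget.xls", "write"),
    ("allow", ["Jeri"], "print queue 1", "submit"),
    # ... minus Leila's right (assumed: the right granted to Leila by name).
    ("deny", ["Jeri"], "print queue 1", "submit"),
]

def build_matrix(rules):
    allow, deny = defaultdict(set), defaultdict(set)
    for effect, who, obj, right in rules:
        for p in who:
            (allow if effect == "allow" else deny)[(p, obj)].add(right)
    # Default is no access; a deny removes the right regardless of rule order.
    return {(p, o): allow[(p, o)] - deny[(p, o)]
            for p in PRINCIPALS for o in OBJECTS}

def acls(matrix):  # column view: object -> {principal: rights}
    return {o: {p: matrix[(p, o)] for p in PRINCIPALS if matrix[(p, o)]}
            for o in OBJECTS}

def capabilities(matrix):  # row view: principal -> {object: rights}
    return {p: {o: matrix[(p, o)] for o in OBJECTS if matrix[(p, o)]}
            for p in PRINCIPALS}

def set_notation(name, entries):
    pairs = ", ".join(f"({k}, {{{', '.join(sorted(v))}}})" for k, v in entries.items())
    return f"{name} = {{{pairs}}}"

if __name__ == "__main__":
    m = build_matrix(RULES)
    for label, view in (("ACL", acls(m)), ("CAP", capabilities(m))):
        for key, entries in view.items():
            print(set_notation(f"{label}({key})", entries))
```

A different reading of the Jeri rule changes only the last entries of `RULES`; the resolution and both derived views stay the same.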

Question 2 (25 points):

Consider three hosts with password-based authentication, used by Alice, Bob, and Chris. Password policies enforce complexity, but users memorize passwords. No system uses salting; Alice uses the same password across all hosts; Chris uses different passwords per host. Each host locks accounts for 30 minutes after 5 failed login attempts. Bob evaluates which strategy offers better resistance to attacks. For each attack type below, determine whether Alice’s or Chris’s password strategy is more resistant, providing reasoning.

  • 2.1 Online Dictionary Attack
  • 2.2 Offline Dictionary Attack
  • 2.3 Passive Social Engineering (e.g., observation without attack)
  • 2.4 Active Keyboard Wiretapping (e.g., installing keyloggers)
  • 2.5 If salts are implemented randomly, do your previous answers change?

Assumptions: adversary never accesses the password file directly, but may see password hashes. No knowledge of salt specifics. Justify Y/N and reasoning for each attack.

Question 3 (15 points):

3.1. In fewer than 40 words, explain why viruses that perform no overt malicious acts (bacteria or rabbits) can still negatively impact systems.

3.2.1. If a “bacteria” program of unknown nature is found on a host, what other kind of malicious code could it be, specifically one that masquerades as benign but enables future attacks?

3.2.2. Name an example from the textbook of this malicious code type and briefly explain its main malicious outcome.

Question 4 (20 points):

4.1. Describe specifically what NAT does to outgoing connections from an internal network to an external web server, including changes to packet headers.

4.2. Identify the two OSI layers involved in facilitating basic NAT.

4.3. Explain one way a NAT device can function effectively as a firewall.

Question 5 (15 points):

5.1. Name one advantage and one disadvantage of using Smart Cards versus Magnetic Stripe Cards for authentication.

5.2. Under what scenario would a 2D barcode provide the same secrecy of user data as magnetic or smart cards? Specify the constraints on the adversary necessary for this equivalence.

Question 6 (10 points):

6.1. What is the main reason that pull-based adversary C2 channels, such as those using HTTP requests for instructions, are favored in botnet operations? Consider network defense mechanisms.

Bonus Question (up to 10 points):

Beyond HTTP (or HTTPS), identify another protocol that could be used for similar C2 communication channels. Briefly describe how bi-directional communication would be maintained over this protocol.
