Foundations of Information Assurance Final
The authors in Security in Computing (5th audition) explain the differences between laws and ethics. From this comparison define both a law and ethics.
- A law is a formal written documents that is enforced to define what is right. This document is applied to everyone and is used in courts. - Ethics are personal choices about right and wrong actions in a given situation. Everyone can have a different ethical framework where they reason what is right and wrong. This ethical framework can be based on religion, personal experience, etc...
According to Bruce Schneier, what two questions should first be asked when considering the "security" of a system? What is the purpose of addressing these questions?
- Secure from whom? - Secure against what? It is important to address these questions when analyzing the security of a system to aid in identifying the context of potential threats, types of attacks and types of attackers.
According to "What Is Security Engineering?" by Bruce Schneier, what term describes a measure that is designed to create a feeling of security rather than true security? What sort of controls are favored with this design?
Bruce Schneier refers to this as security theatre. Visible controls are chosen more often than effective controls.
Which of the following are non-malicous code? (Select all that apply) o Buffer overflow o Virus o Worm o Incomplete mediation o Logic Bomb o Checksum o Fuzzing o Off-by-one error o Trojan horse
Buffer overflow, incomplete mediation, off-by-one error Revelant material: Chapter 3 of Security in Computing, Fifth Edition
Which of these is not a class type for NIST SP 800-53 Control Classes
(A): Control Technical Operational Control Management
Place items in the correct order from the lowest memory address to the highest. (Security in Computing: Chapter 3) System data, Local data, System code, Program code
(L) System code, System data, Program code, Local Data (H)
What are two ways that designers, programmers, analysts, and administrators can help prevent security flaws from entering their system?
By reading case histories and reviewing the distribution of flaws. As well as answering the three following questions: How did it enter our system? When did it enter our system? Where in the system is it manifest? This method of identifying problems will aid in design and implementation, to find residual flaws during the system evaluation or certification, and to administer and operate systems securely
True or false: Dead code represents an unintentional program flaw.
False. (Intentional, non-malicious)
True or False: Civil law decisions are made based solely on defined standards with specific language that pertains to the case. If false, explain.
False. Many civil cases are decided using Tort Law, which is the practice of deciding a case based on the evolution of norms or precedents over time. When deciding a case based on tort law, a judge may weigh whether the action performed was good or normal in his or her consideration.
What does HIPAA stand for?
HIPAA is an acronym of the Health Insurance Portability and Accountability Act of 1996. It required the Secretary of the U.S. Department of Health and Human Services to develop regulations in order to the privacy and security of health information
What are two ways that the legal system addresses the threat of cyber attacks?
Increases risk for threat agents [Deterrence] Does not prevent damage, but may help recover fro attacks.
According to the same reading, a programmer building into a program a method of accessing files on a system remotely that is later exploited by an attacker to gain access to data they are not authorized to view would be an example of a [blank] flaw.
Intentional non-malicious. The programmer who wrote the code to implement the file access feature did so intentionally, but they did not ever intend for the "feature" to be used maliciously like it was.
What the software application mentioned in the book used to obtain passwords?
Lophtcrack
What concepts is being described: A malicious code needs to disguise it somehow so that it will be invoked by a non-malicious user and replicates itself by copying its code into other program files.
Malicious Flaws
According to the Landwehr reading, a programmer placing code in a program that is set to wait until a certain time, and then cause the program to crash, causing a denial of service, is an example of a [blank] flaw.
Malicious. The programmer who wrote and inserted the code did so to intentionally cause harm.
What are the three types of flaws as decribed by Landwehr in Flaw Taxonomy? Describe each flaw.
Malicious: Refers to a program that disguises itself as a useful service but actually executes malicious code. Intentional/Non-Malicious: Flaws that are rooted in component of the system required by the designers. They are difficult to remove because of this reason. Inadvertent: Sometimes created during coding and planning. A lot of times, they are undetected unless uncovered through testing.
According to the book Security in Computing by Shari Lawrence Pfleeger, Charles P. Pfleeger, a malicious must have three things: Method, Opportunity, and Motive. Explain what these three terms mean.
Method - the skills, knowledge, tools, and other things with which to be able to pull of the attack. Opportunity - the time and access to accomplish the attack. Motive - a reason to want to perform this attack against this system.
What is one factor that makes ATM cards more secure?
Noncomputer interface. Requiring the user to stand at the machine to enter their pin. It's hard for a computer to attach itself to a user interface. Also machines will swallow cards after too many failed pin attempts.
Which of the following are enforced by federal law in the United States? HIPAA FERPA PCI DSS Americans with Disabilities Act
PCI DSS. This is an industry standard not a federal statute.
What are the three methods for secure Identification and Authentication?
Passwords, Biometrics, and Access Tokens.
What is patent and why do you need it?
Patent protects inventions. This applies to novel works of science, technology, and engineering. Patent protects a device or process to carry out an idea not the idea itself. It provides sustainable marketplace for innovation. Registering a patent is a long and elaborate process.
According to the book "Secrets and Lies: Digital Security in a Networked world by Bruce Schneier, what are the two types of privacy violations?
Schneier lists the targeted attacks and data harvesting. Targeted Attacks: This is when an attacker seeks to know everything about a person/company/government. Can be considered stalking/industrial espionage/spying. Data Harvesting: Focuses on the power of a correlation, like how many people subscribe to a particilar paper or magazine or how many people are prescibed ADHD medication.
What is the difference between Secrecy, Confidentiality, and Privacy according to Security Engineering Book by Ross Anderson.
Secrecy: A term referring to the effect of mechanisms that are used to limit the number of principals who can access information. Confidentiality: The obligation to protect the secrets of another person or an organization. Privacy: The ability or right to protect personal information or invasions personal space of you or your family.
What section of the U.S. Uniform Commercial Code states that "if the goods or the tender of delivery fail in any respect to conform to the contract, the buyer may reject them?"
Section 2-601 of the UCC. This section applies to any software within a reasonable period of time.
According to the Book Secrets and Lies: Digital Security in a Networked World by Bruce Schneier, what is the first question that needs to be asked about the security of products that are being released from companies?
Secure against what?
What is Security Engineering? And give an example related to security engineering.
Security engineering is about building systems to remain dependable in the face of malice, error, or mischance. An example of security engineering is system security engineering. System security engineering in cybersecurity is about building and evaluating systems to be dependable in the face of adversaries and errors.
What type of inadvertent flaw permits the exploitation of the asynchronous behavior between the different components of a system?
Serialized flaw.
According to Security in Computing by Pfleeger, what are the 2 factors and 2 applications of ethical theories.
The Factors are: consequence and rule-based The Applications are: individual and universal
According to the Landwher paper on Taxonomy, what are the 3 questions you should ask about a flaw?
The Landwher paper states: "• How did it enter the system? • When did it enter the system? • Where in the system is it manifest?"
One reason Security Engineering is important is to correctly allocate funds proportionally to the security risks faced. In Security Engineering, the author refers to a term for a condition that arises when decision makers are incentivized to choose visible security measures over effective ones, or rather, measures designed to make one feel secure rather than provide security. What is this term?
The author credits Bruce Schneier with the term "security theatre".
According to Shari Lawrence Pfleeger, Charles P. Pfleeger and Jonathan Margulies in Security in Computing, what is protected by copyrights, patents, and trade secrets?
The authors explain that copyright protects expressions of ideas, but not the idea itself. Patents protect an invention, tangible objects, not design or ideas. Trade secrets are valuable secrets to business owners.
Choose all answers that are threat categories as described by the book Security in Computing. 1. Elimination 2. Interception 3. Destruction 4. Desecration 5. Modification 6. Fabrication
The book describes four threat categories as: interception, interruption, modification, and fabrication. Therefore, numbers 2, 5, and 6 are correct.
According to Information As An Object the structure of an information object is the combination of what 5 things/concepts?
The combination of medium, form, layout, encoding, and the relationships between them can be referred to as the structure of an information object.
what is the first step to determine or estiamte the cost of any computer security incident?
The first step is to enumerate the losses. Some will be tangibles, such as damaged equipment. Other losses include lost or damaged data that must be re-created or repaired, and degradation of service in which it takes an employee twice as long to perform a task. Also, You must determine a fair value for each thing lost.
The Ware Report identifies flexibility as a desirable characteristic of a secure system. What does this mean?
The system should have convenient mechanisms for its maintenance under conditions such as shifting job assignments, issuance and withdrawal of clearances, changes in need-to-know parameters, and transfer of personnel from one duty assignment to another.
What are the main categories of agents with respect to motive?
There are mainly three broad categories of agents: 1. Vandals or Disgruntled Employee --- No clear objective 2. Cyber Mercenaries or Greedy Management --- Money 3. Nation States, own or foreign --- Patriotic, national interests
In chapter 8 the authors mention a couple of US federal laws that covers privacy and computer crime. Name at least three of them.
There are more laws mentioned in this chapter, but here are some of them. 1) U.S. Privacy Act 2)U.S. Electronic Communications Privacy Act 3) Health Insurance Portability and Accountability Act (HIPAA) 4)U.S. Computer Fraud and Abuse Act 5) USA Patriot Act
According to Security in Computing what are the defenses to patent infringement.
This isn't infringement where the inventions are different, The patent is invalid if a prior infringement was not opposed and the patent is no longer valid, The invention is not novel where the patent was incorrectly granted, and The infringer invented the object first where the infringer has the right to the patent.
Which legal device protects identifying marks such as Domain names, URLs, company names, product names, and commercial symbols? Patent Trade Secret Trademark Copyright
Trademark. Trademarks give exclusive rights of use to the owner of identifying marks.
Choose the true statements: (Reading Security in Computing Chapter 11)
Two composers have a right to hold a copyright on identically song that written in different places, neither knowing other. A software engineer can hold both patent and copyright on single software. A composer, an arranger and a singer all of them can copyright one song.
According to the book Security in Computing, cyber crime is hard to prosecute because its lack three things. What are these three things and what do you they mean in this context?
Understanding The individuals involved in the political process may not understand computers. Physical Evidence Depending on the case, with most evidence being digital as opposed to physical make the process of evidence collection more technical and difficult (especially with large amounts of data) Political Impact Cyber crime is not taken as seriously as something like murder or robbery. This means that the case may get less attention.
Three core parts of information security are confidentiality, integrity and ______________.
availability
What is the command to set the permissions of a program in linux so that the owner has full read/write and execute, members of the group can read and execute, and all other users can execute?
chmod 751 <file> chmod sets owner, group, user in that order. 7, or 0111, grants full permissions. 5, or 0101, grants read and execute, 1, or 0001, grants only execute so chmod 751 fulfills the requirements requested.
when going from paper to digital information objects what loses the most control over the information in the object?
Control of the information
What reason might a company have to protect a new piece of software under both a copyright and patent?
Copyright would protect the source code of the software from being directly copied and used elsewhere; the company would be protected from copyright infringement. A patent would protect an integral piece of the software's function - say an algorithm - from being reverse engineered.
According to Security in Computing by Charles Pfleeger, what are a Copyright, a Patent, and a Trade Secret.
Copyright: Protects how an idea is expressed and is required to be distributed and it's duration varies by country. Patent: Protects an invention or how something works. It is not required to be distributed and it lasts 19 years. Trade Secret: Protects a secret (i.e. the recipe for coca-cola). It is not required to be distributed and it lasts as long as you can protect the secret.
What are copyrights and how can they be applied?
Copyrights are designed to protect the expression of ideas. Thus, a copyright applies to a creative work, such as a story, photograph, song, or pencil sketch. The right to copy an expression of an idea is protected by a copyright.
According to the Ware Report what are the three major categories of vulnerabilities that a secure system should protect against?
Deliberate Penetration, Physical Attack, Accidental Disclosure
According to A Taxonomy of Computer Program Security Flaws what are issues of concern that are on the hardware level that can introduce flaws into a system.
Design and implementation of the processor, microprograms and supporting chips, and other hardware or firmware for a machine's instruction set architecture.
select the following options that were listed as part of the seven categories of Operating System Security Flaws in the original RISOS (Research in Secured Operating Systems) report
Exploitable logic error Implicit sharing of privileged /confidential data
Which command is used to view a Linux-based system's current network configuration, including its IP address(es)?
ifconfig
Civil law ____
involves harm to an individual or a corporation. as covered in chapter 11. Legal Issues and Ethics of the Security in Computing, Fifth Edition. Civil law is handled in civil cases for claims of harm to individuals or collective groups. The goal is to make the victim 'whole' again by repairing the damage or harm done and as such can often occur on top of other types of trials.
what are the results that a security flaw in any condition or circumstance(from A Taxonomy of Computer Program Security Flaws, with Examples)
the four results that can come from any security flaw are denial of service, unauthorized disclosure, unauthorized destruction of data, or unauthorized modification of data
Match the following principles with their appropriate names: 1) An intruder must be expected to use any available means of penetration. The penetration may not necessarily be by the most obvious means, nor is it necessarily the one against which the most solid defense has been installed. 2) Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value. 3) Controls must be used—and used properly—to be effective. They must be efficient, easy to use, and appropriate. 4) Security can be no stronger than its weakest link. Choices: Principle of Weakest Link, Principle of Easiest Penetration, Principle of Effectiveness, Principle of Adequate Protection
1 = Principle of Easiest Penetration 2 = Principle of Adequate Protection 3 = Principle of Effectiveness 4 = Principle of Weakest Link
According to Security in Computing by Shari and Charles Pfleeger (and many other texts), a secure system relies on three fundamental security principles. What are they?
1) Confidentiality - only authorized users have access 2) Integrity - data available is exactly as it should be 3) Availability - system can be used as intended
What are the four global categories of errors as described in the Landwher Flaw Taxonomy paper?
1) Domain errors- errors of exposed representation, incomplete destruction of data within a deallocated object, or incomplete destruction of its context 2) validation errors- failure to validate operands or to handle boundary conditions properly in queue management 3) naming errors- aliasing and incomplete revocation of access to a deallocated object 4) serialization errors- multiple reference errors and interrupted atomic operations
What are the three basic question to ask about an observed flaw that is used to determine the flaw's taxonomy?
1) How did it enter the system? 2) When did it enter the system? 3) Where did it manifest in the system?
What three basic questions are asked for each observed flaw that also motivates a subsection of the taxonomy?
1) How did it enter the system? 2) When did it enter the system? 3) Where in the system is it manifest?
According to Landwher in "A Taxonomy of Computer Program Security Flaws." What are the first 3 questions asked when observing a flaw?
1) How did it enter the system? 2) When did it enter the system? 3) Where in the system is it manifested?
Landwher's Taxonomy lists several locations for security flaws within an operating system. Please list five.
1) Init/Boot record, 2) Memory Management, 3) Scheduling / Process Management, 4) I/O / Networking 5) File Management, 6) Permissions / Authentication, 7) Other / Unknown.
According to Security in Computing by Charles Pfleeger, what are the four kinds of threats?
1) Interruption- an asset of the system becomes lost, unavailable, or unusable. 2) Interception- some unauthorized party has gained access to an asset. 3) Modification- if an unauthorized party accesses and tampers with an asset. 4) Fabrication- an unauthorized party creating counterfeit objects on a computing system.
According to the book by Ross Anderson about Security Engineering, there are four things that need to come together to ensure proper security engineering, what are they and briefly describe them.
1) Policy: What you are supposed to achieve. 2) Mechanism: Machinery and access controls used in order to implement policy. 3) Assurance: Amount of reliance you can place on each mechanism in place. 4) Incentive: Motive for the people guarding the system to do their job properly.
The book Security in Computing, Third Edition, says there is four principles that affect the direction of work in computer security. Pick two and give a quick definition for them.
1) Principle of easiest penetration: A system penetrator will attack using whatever means is the easiest. 2) Principle of weakest link: Security is only as strong as it's weakest point. 3) Principle of timeliness: A system only needs to be protected as long as there is value in its contents to an attacker. 4) Principle of effectiveness: Security controls must be usable and used correctly to serve their purpose.
According to Shari Lawrence Pfleeger; Charles P. Pfleeger; Jonathan Margulies in the book Security in Computing, Copyrights, Patents, and Trade Secrets all have different durations. What are the durations of each?
1) The duration of copyright differs from country to country but typically is 75-100 years. 2) A patent lasts 19-20 years 3) Trade Secrets last indefinitely, until someone reverse engineers or finds out the secret.
According to the book, security in computing, what are the two examples of buffer overflow attacks that are used frequently?
1- The attacker may replace code in the system space. 2- The intruder may wander into an area called the stack and heap.
According to Concepts and Terminology for Computer Security by Donald Brinkley and Roger Schell, What are the three fundemental nations that need to be understand in order to understand computer security?
1. A security policy, stating the laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. 2. The functionality of internal mechanisms to enforce that security policy. 3. assurance that the mechanisms do enforce the security policy.
In the Taxonomy paper by Landwehr they discuss the three (very broad) methods of describing a flaw or bug. What are those three methods?
1. By Genesis (whether it was intentional or inadvertent). 2. By Time of Introduction (during development, maintenance, or operation). 3. By Location (in the software or in the hardware).
According Chapter 3 in our textbook, what are three of the seven ways that overflows can be countered?
1. Check lengths before writing 2. Confirm that array subscripts are within limits. 3. Double-check boundary condition code to catch possible off-by-one errors.
According to "Security in Computing, Fifth Edition" What are the four aspects of malicious code infections:
1. Harm: How does malicious code affect users and systems. 2. Transmission and propagation: How does malicious code get transmitted and replicated, and how does it cause further transmission. 3. Activation: How does it gain control and install itself so that it can reactivate. 4. Stealth: How does the malicious code hide to avoid detection.
According to Bruce Schneier's book,Secrets and Lies: Digital Security in a Networked World, what are the 5 categories used to categorize adversaries?
1. Objectives - Does the adversary want to damage the company financially? Do they want to damage the reputation of the company? What do they want to get out of the attack? 2. Access - What kind of access does the adversary have? Are they an insider threat or are they working for a competitor or someone outside of the organization itself? 3. Resources - Do they have a large amount of resources, or are they operating while broke? 4. Expertise - Do they know how the technology works or do they not know how to install apps on their phone without help? 5. Risk - How far are they willing to go? Are they going to risk jail-time, or are they going to avoid prison at all costs?
What are the seven items that you have to deal with for managing risk to information?
1. Policy 2. Boundary 3. Membership 4. Damage detection and recovery 5. Fusion and Separation 6. Secure systems management 7. Assurance
How long does it take the above software to try every possible keyboard password?
480 hours.
In Security in Computing copyrights and patents are discussed in Chapter 11. What is the difference between the two?
A copyright applies to the expression of an idea, usually in a unique way. This means that music, written books/articles, and written programs (not including the algorithm/idea) can be copyrighted. A patent applies to physical things or methods used to create physical things. So you could patent both a new car you made as well as the super-secret method you devised to create it (and then you could copyright the name of the car, so long as it isn't in the public domain).
According to the reading A Taxonomy of Computer Security Flaws, With Examples by Carl E. Landwher, what is a covert channel and it's two most common classifications?
A covert channel is simply a path used to transfer information in a way not intended by the system's designers. The two most common classifications are storage and timing channels.
According to Chapter 11 of the textbook Security in Computing, Fifth Edition, define a trademark and what a trademark protects.
A trademark gives exclusive rights of use to the registered owner; a trademark protects domain names, URLs, company names, product names, and commercial symbols.
What is the difference between a transient virus and a resident virus?
A transient virus is a virus that runs when the program that it's attached to runs, and stops when the program stops. A resident virus is located in the memory of a computer, so it can run even when the program it is attached to is not running.
According to the textbook Security in Computing, what is the distinction between a vulnerability and a threat?
A vulnerability is a weakness in a system which can be exploited to cause harm, whereas a threat is a set of circumstances with the potential to cause loss or harm.
In chapter 1 of "Security for computing" the authors make a distinction between a vulnerability and a threat. What is a Vulnerability? and what is a threat?
A vulnerability is a weakness in the security system that might be exploited to cause loss or harm A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.
In software, a buffer overflow can serve as a very dangerous threat. List three possible countermeasures to prevent a buffer overflow:
Any 3 apply: - Check lengths before writing. - Confirm that array subscripts are within limits. - Double-check boundary condition code to catch possible off-by-one errors. - Monitor input and accept only as many characters as can be handled. - Use string utilities that transfer only a bounded amount of data. - Check procedures that might overrun their space. - Limit programs' privileges, so if a a piece of code is overtaken maliciously, the violator does not acquire elevated system privileges as part of the compromise. Source: Security in Computing, Fifth Edition, Chapter 3
The Ware report lists desirable characteristics of secure systems. List and briefly explain each.
Auditable: the system should provide records to auditors so that its performance and activities can be monitored. Reliable: if safeguards fail, the system should fail on the side of caution (i.e. not sharing information to unverified users). In general, the system should provide information to verified users as best as it can, independent of other failures where possible. Manageable: security supervisors should be able to modify the system in the event of failure or updated requirements. Adaptable: security controls should be able to be adjusted for various files that require different permissions. The needs of a particular user should be easy to accommodate in the system. Dependable: the system must not deny service to users, particularly in the event of an attack designed to prevent that service. The system should repel those attacks such that service can be maintained. Assure Configuration integrity: The system must ensure that its protocols and rules work by self-testing its operations on a routine basis.
How does automation aid an attacker according to Secrets and Lies: Digital Security in a Networked World.
Automation can aid an attacker in three ways: making repetitive tasks simple, helps when there is a low probability of success in an attack, and allows for minimal return rate to be profitable.
What is one downside to biometrics?
Biometrics are really easy to crack. Example: Taking a picture of someone's face.
What does CAN SPAM from the CAN SPAM act mean, and what are some of it's requirements?
CAN SPAM stands for "Controlling the Assault of Non-Solicited Pornography and Marketing" and it covers a couple of things, such as: 1. Headers in emails should not be false or misleading 2. Subject lines cannot be subjective 3. If the email is from a company or used for commercial purposes, the receiver has to have the option to opt out of receiving the emails. 4. If the receiver has opted out, their email cannot be sold or transferred to another entity. 5. Emails must be labeled as an advertisement if that's what they are.
According to the chapter A Taxonomy of Computer Program Security Flaws by Carl E. Landwehr and Alan R. Bull, etc. What are the three phases of software development? And what is the relationship between each other?
Carl E. Landwehr, Alan R. Bull and the others discussed the following three phases. 1) Requirements and specifications: software requirements describe behaviors that particular program and program system must execute; Also, the specification is to give instructions to these programs. 2) Source code: the source code implements the design of the software system given by specifications, and most flaws in source code can be inadvertent or intentional. 3) Object code: objects code programs are generated by compilers or assemblers. It is a computer-readable form of source code. The relationship between these three phases is the specifications are developed based on requirements, source code is developed from specifications, and object code is generated from source code.
According to the book Security in Computing by Charles P. Pfleeger, What are the most important three aspects that can influence the computer-based system?
Charles P. Pfleeger discussed these three different aspects that can influence computer-based system. 1) Threats: It has two different conditions. the first one is human-initiated error. For example, people's oversights and some bugs on hardware would collapse computer system. The second one is computer-initiated ones, such as software failures. Furthermore, natural disasters, that are floods and earthquakes, also can destroy a system. 2) Vulnerabilities: It will rise the occurrence rate of threat. For example, a system can access some unauthorized data before verify its user's identity. 3) Control: It has many actions, methods, and techniques to reduce the vulnerability. Normally, it focuses on decreasing interception, interruption, modification, and fabrication.
According to the book Security in Computing by Charles P. Pfleeger, What's the provision of Digital Millennium Copyright Act(DMCA)?
Charles P. Pfleeger lists the following contents that are in DMCA 1) Digital objects should be considered as copyright. 2) Circumvention or disable antipiracy is illegal 3) It is crime to manufacture, sell, or distribute devices that are infringe other's copyright 4) Using some devices in educational area in acceptable 5) Making a backup copy of a digital object as a protection against hardware or software failure or to store copies in an archive. 6) Libraries can make up to three copies of a digital object for lending to other libraries.
According to Security in Computing, why are computer criminals so hard to catch?
Computer criminals are hard to catch because computer crime is a multinational activity. In order to criminals to be tried, many nationals may have to participate and cooperate with one another, which is a very daunting task. Another reason is that computer crime is very complex, making it hard to distinguish where an attack originated from.
Define confidentiality, integrity, and availability.
Confidentiality is prevention of unauthorized disclosure of information. Integrity is prevention of unauthorized modification of information. Availability is prevention of unauthorized withholding of information or resources.
What are some key differences between law and ethics?
Per Chapter 11 of Security in Computing, law is a described by formal written documents while ethics are described by unwritten principles. Ethics are interepted by each individual where laws are interpreted by courts. Law is applied to everyone in an area, while ethics are personally chosen. Ethics cannot be arbitrated externally but who is right can be arbirated under law in a court. Laws are enforced by a physical form of government or society in the form court and police where ethics are enforced by intangible principles and beliefs.
According to the book Security in Computing by Pfleeger, What are the three requirements for a hacker to initiate an attack? What is each requirement asking for?
Pfleeger states that the three requirements are; Method: The skills, knowledge, tools and other things with which to able to pull off the attack. Opportunity: The time and access to accomplish the attack. Motive: A reason to want to perform this attack against this system
Security in Computing, 5th edition claims computer crime is hard to prosecute. Give 2 reasons computer crime is hard to prosecute and describe why.
Possible answers: 1. Lack of understanding. Many law practicing individuals, such as judges, prosecutors, and defendants do not understand computers or how they work. One of the main reasons these people do not understand computers is because they started studying and practicing law before computers were everywhere, and a part of every facet of life. 2. Lack of physical evidence. Many computer crimes don't leave behind the physical evidence like fingerprints or DNA that other crimes have, and that prosecutors rely on. 3. Lack of political impact. Solving computer crimes doesn't have the public impact that solving a murder or robbery would have, most likely because computer crime doesn't have as much of a noticeable effect on people, even though computer crimes can have a more lasting effect than a lot of robberies. 4. Complexity of case. Similar to the lack of evidence and lack of political impact answers given above. Computer crimes are more complex and not necessarily as clean cut as a murder or robbery charge, so they are harder to prosecute. 5. Age of defendant. A lot of crimes are committed by young people, and a lot of crimes committed by young people are written off as being due to "immaturity" or "not knowing better" even when that shouldn't be the case.
The goal of the .............. project was to collect error examples and abstract patterns from them that, it was hoped, would be useful in automating the search for flaws.
Protection Analysis
According to the book Security in Computing by Shari Lawrence Pfleeger & Charles P. Pfleeger, what are ways we can deal with risks?
Shari Lawrence Pfleeger & Charles P. Pfleeger list several ways to help deal with risk. 1) prevent it, by blocking the attack or closing the vulnerability 2) deter it, by making the attack harder, but not impossible 3) deflect it, by making another target more attractive (or this one less so) 4) detect it, either as it happens or sometime after the fact 5) recover from its effects These are several ways to help mitigate the risks that may occur on data.
According to chapter 11 Legal Issue and Ethics of Security in Computing by Shari Lawrence Pfleeger; Charles P. Pfleeger, etc. Comparing to Copyright, Patents, and Trade Secrets, please list these four different attributes for each ethical protection: Protects: Ease of filing: Duration: Legal protection:
Shari Lawrence Pfleeger and Charles P. Pfleeger provide a table to illustrate these four traits. Protects: 1. Copyright focuses on expression of ideas, not idea itself. 2. Patent maintains the way for something works 3. Trades Secret gives companies advantages to surpass the others. Ease of filing: 1. Copyright is simple to file, but it has to do it by person who has the right 2. Filing Patent is very complicated. It has specialist layer. 3. Trade Secrets doesn't has filing part. Duration: 1. Copyright periods is about 70-100 years. It has different time on different country. 2. Patent has the fixed period about 19 years. 3. Trade Secrets have infinite time period. Legal protection: 1. Unauthorized usage and sold will be sued by copyrighter 2. Invention copied will be sued by patentor 3. Regrading on Trade Secrets part, any leaking information will be prosecuted
According to the textbook Security Computing, Third Edition by Charles and Shari Pfleeger, what are the four types of program controls used in software?
Shari and Charles Pfleeger talk about the following four controls: 1) Internal program controls: the program itself enforces security restrictions 2) Operating system and network system controls: limitations are enforced by the operating and/or network systems 3) Independent control programs: applications that protect against certain types of vulnerabilities, such as anti-malware programs 4) Development controls: standards which dictate how programs are developed, tested, coded, and maintained to reduce faults and vulnerabilities
In Charles Pfleeger's Security in Computing, which of the following was not a reason listed for why Universities are Prime Targets for attacks?
Since Students are typically unemployed and less motivated to alert to security threats that may drive cost of ownership, more vulnerabilities go unreported or unnoticed by the users of the student systems.
In chapter 3 of the Security and Computing book, the authors describe a certain type of polymorphic virus that uses encryption and a slew of encryption keys to attempt to evade detection by signature-based anti-virus scanners. How is it these viruses are still able to be detected?
Since signature-based anti-virus scanners use signatures or "fingerprints" of files, encrypting the same file with different encryption keys is effective, because the encrypted versions of the files have different signatures. However, there must always be a common decryption program piece to the virus (which takes the decryption key and decrypts the encrypted version to yield the working virus), and because that decryption program piece is common amongst all the versions of the encrypting virus, that becomes the signature.
What are the two types of covert channels? (_____________ channels and _____________ channels.)
Storage channels and timing channels.
According to Carl E. Landwehr, Alan R. Bull, John P. McDermott, and William S. Choi in their paper A Taxonomy of Computer Program Security Flaws, with Examples, they explain that covert channels are classified as either storage or timing channels. What is a storage channel and what is a timing channel?
Storage channels transfer info through the setting of bits by one program and the reading of those bits by another. Timing channels convey info by modulating an aspect of system behavior over time, such as the system's paging rate. The system behavior then can be monitored by the program to receive data.
In their paper, A taxonomy of computer flaws, Landwehr and his co-authors define five types of inadvertent flaws. What are these types of flaws, and what do they mean?
Validation Errors: a program fails to check that supplied or returned parameters conform to its assumptions about them. Domain Errors: boundaries between programs are porous, allowing information from previous versions of files or different files altogether to be exposed. Serialization Errors: the system permits asynchronous behaviors of different components to be exploited. Like a forgetful gatekeeper, the system may check credentials or authorizations for tasks, but allow them to be altered in the process, creating a security problem. Identification/Authorization Errors: the system permits a protected operation to be invoked without sufficiently checking the ID and authority of the invoking agent. Boundary Condition Errors: the system omits necessary check to assure that constraints are not exceeded, allowing edge cases or exceptional data to manipulate behavior.