Tuesday, January 14, 2014

CIS 481-20: INTRO TO INFORM SECURITY EXAM 2 PART 2

  • Question 1

    10 out of 10 points
    Answer one of the two options:
    1. Explain the differences between a policy, a standard, and a practice. In what order should they be created? Why?
    2. Name and describe the three general types of security policies. Give an example of each, explaining when/where they would be used.


    Correct Answer:
    Correct
    1. A policy is a plan or course of action intended to influence and determine decisions, actions, and other matters. Policies are organizational laws because they dictate acceptable and unacceptable behavior within the context of the organization’s culture. A standard, like a policy, has the same requirement for compliance, but it provides more detail as to what must be done to comply with policy. The level of acceptance of standards may be informal (as in de facto standards) or formal (as in de jure standards). Finally, practices, procedures, and guidelines effectively explain how to comply with policy. Typically, you would start by developing policies. The policies then drive the creation of organization standards that meet the requirements laid out in policy. These standards, in turn, drive the development of practices, procedures, and guidelines that are compliant with the policies and standards.
    2. There are three general types of information security policies. First are enterprise information security policies (EISPs), executive-level documents usually drafted by the organization's chief information officer. An EISP directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all of its security efforts. Second are issue-specific security policies (ISSPs), formally written to instruct employees in the proper use of a particular organizational technology or resource, such as Internet access, e-mail, or photocopy equipment. An ISSP must state the organization's position on the specific issue it covers and requires frequent updates as the technology changes. Third are system-specific security policies (SysSPs), which are usually codified as the standards and procedures used when configuring or maintaining systems; for example, a SysSP might specify the required default configuration for every web server the organization deploys.


  • Question 2

    10 out of 10 points
    Name and describe the three general forms of authentication and give an example of each. What is meant by multi-factor authentication? Give an example.
    Correct Answer:
    Correct
    Something a Supplicant Knows: This factor of authentication relies upon what the supplicant knows and can recall—for example, a password, passphrase, or other unique authentication code, such as a personal identification number (PIN).

    Something a Supplicant Has: This authentication factor relies upon something a supplicant has and can produce when necessary. One example is a dumb card, such as an ID card or an ATM card with a magnetic stripe that holds the user's PIN in digital (and often encrypted) form, against which the PIN the user enters is compared.

    Something a Supplicant Is or Can Produce: This authentication factor relies upon individual characteristics, such as fingerprints, palm prints, hand topography, hand geometry, or retina and iris scans, or something a supplicant can produce on demand, such as voice patterns, signatures, or keyboard kinetic measurements.

    Multi-factor authentication requires a minimum of two different authentication mechanisms drawn from different factors of authentication, most often something you have and something you know. For example, access to a bank’s ATM services requires a banking card (something you have) plus a PIN (something you know).

  • Question 3

    10 out of 10 points
    VPNs are increasingly being used to establish connections between remote users and their office network using the Internet. Can this be a secure connection? Explain how transport mode differs from tunnel mode VPNs.


    Correct Answer:
    Correct
    A virtual private network (VPN) is a private and secure network connection between systems that uses the data communication capability of an unsecured and public network, such as the Internet. Yes, they can produce secure connections using security protocols and encrypting traffic transmitted across unsecured public networks.

    In transport mode, the data payload within an IP packet is encrypted, but the IP header information is not. This allows the user to establish a secure link directly with the remote host, encrypting only the data contents of each packet. The downside to this implementation is that packet eavesdroppers can still identify the source and destination systems from the unencrypted headers.

    Tunnel mode establishes two perimeter tunnel servers that encrypt all traffic that will traverse the unsecured network. In tunnel mode, the entire client packet, headers included, is encrypted and carried as the data portion of a new packet addressed from one tunneling server to the other. The receiving server decrypts the inner packet and forwards it to its final address. The primary benefit of this model is that an intercepted packet reveals only the two tunnel servers' addresses and nothing about the true source or destination system.

  • Question 4

    10 out of 10 points
    Choose from the following options:
    1. How does a network-based IDPS differ from a host-based IDPS?
    2. How does a signature-based IDPS differ from a statistical anomaly-based IDPS?
    Correct Answer:
    Correct
    1. A network-based IDPS (NIDPS) resides on a computer or appliance connected to a segment of an organization's network and monitors the traffic on that segment, looking for indications of ongoing or successful attacks. When the NIDPS identifies activity it is programmed to recognize as an attack, it responds by notifying administrators. When examining incoming packets, an NIDPS looks for patterns within network traffic: large collections of related items of a certain type, which could indicate that a denial-of-service attack is underway, or the exchange of a series of related packets in a certain pattern, which could indicate that a port scan is in progress. An NIDPS can detect many more types of attacks than a host-based IDPS, but it requires a much more complex configuration and maintenance program. While a network-based IDPS resides on a network segment and monitors activity across that segment, a host-based IDPS (HIDPS) resides on a particular computer or server, known as the host, and monitors activity only on that system. HIDPSs are also known as system integrity verifiers because they benchmark and monitor the state of key system files and detect when an intruder creates, modifies, or deletes a monitored file. An HIDPS has an advantage over an NIDPS in that it sees network traffic after the host has decrypted it, so it can use the contents of encrypted sessions to make decisions about potential or actual attacks, which a sensor watching the wire cannot.
    2. A signature-based system looks for patterns of behavior that match a library of known attack signatures. A potential problem with the signature-based approach is that signatures for new attack strategies must continually be added to the IDPS's database; otherwise, attacks that use new strategies will not be recognized and might succeed. A statistical anomaly-based system instead collects statistical summaries by observing traffic that is known to be normal. This evaluation period establishes a performance baseline. Once the baseline is established, the anomaly-based IDPS periodically samples network activity and, using statistical methods, compares the sampled activity to the baseline. When the measured activity falls outside the baseline parameters, the IDPS sends an alert to the administrator. The advantage of the statistical anomaly-based approach is that the IDPS can detect new types of attacks, since it looks for abnormal activity of any kind rather than for a specific pattern. Unfortunately, these systems require much more overhead and processing capacity than signature-based IDPSs, because they must constantly compare patterns of activity against the baseline, and they raise false alarms whenever legitimate activity drifts away from what was sampled as normal.
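The distinction in part 2, as an added example that is not part of the exam or the original post: a signature detector and a statistical anomaly detector run over the same constructed access-log lines. The log format, the requests-per-minute statistic, the three-standard-deviation threshold and the function names are all assumptions made for this illustration. The point it shows is that each approach catches something the other misses: the injection string is caught only by its signature, and the scanner that matches no signature is caught only by its deviation from the baseline.

```python
import re
import statistics
from collections import Counter

# Constructed access-log lines (not from the original page). Format: "<minute> <src_ip> <request>"
BASELINE_LOG = [
    # A training window known to be normal: each client makes 1-2 requests per minute.
    "10:00 10.0.0.5 GET /index.html",
    "10:00 10.0.0.7 GET /about.html",
    "10:00 10.0.0.5 GET /style.css",
    "10:01 10.0.0.9 GET /index.html",
    "10:01 10.0.0.7 GET /contact.html",
    "10:02 10.0.0.5 GET /index.html",
    "10:02 10.0.0.9 GET /products.html",
    "10:02 10.0.0.9 GET /style.css",
    "10:03 10.0.0.7 GET /index.html",
    "10:03 10.0.0.5 GET /about.html",
]

LIVE_LOG = [
    "10:10 10.0.0.5 GET /index.html",
    "10:10 10.0.0.7 GET /login?user=admin' OR '1'='1",   # matches a known signature
    "10:10 10.0.0.9 GET /about.html",
    # A scanner hammering the server: 40 requests in one minute, none of them matching a signature.
] + [f"10:11 10.0.0.66 GET /page{i}.html" for i in range(40)]

# The "library of known behaviors": named regular expressions over the request.
SIGNATURES = {
    "sql-injection": re.compile(r"' OR '1'='1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def parse(line):
    """Split one constructed log line into (minute, source, request)."""
    minute, src, request = line.split(" ", 2)
    return minute, src, request


def signature_alerts(lines):
    """Signature-based detection: flag every request that matches a known pattern."""
    alerts = []
    for line in lines:
        _, src, request = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((src, name))
    return alerts


def build_baseline(lines):
    """Mean and standard deviation of requests per (source, minute) during the normal window."""
    counts = Counter((src, minute) for minute, src, _ in map(parse, lines))
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(lines, baseline, k=3.0):
    """Anomaly-based detection: flag (source, minute) pairs more than k standard deviations above the mean."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    counts = Counter((src, minute) for minute, src, _ in map(parse, lines))
    return [(src, minute, n) for (src, minute), n in counts.items() if n > threshold]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    print("signature alerts:", signature_alerts(LIVE_LOG))
    print("anomaly alerts:", anomaly_alerts(LIVE_LOG, baseline))
```

Running the two detectors over the same live lines gives one alert each, for different sources: the signature engine names the injection attempt from 10.0.0.7 and says nothing about 10.0.0.66, while the anomaly engine flags 10.0.0.66 for its 40 requests in one minute and has no opinion on the injection string. The baseline sampled here is tiny; in practice a short or unrepresentative training window is exactly what produces the false-alarm problem the answer mentions.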
  • Question 5

    9.5 out of 10 points


    Correct Answer:
    Correct
    Asymmetric encryption is also known as public key encryption. It uses two different but mathematically related keys, a public key that can be distributed openly and a private key that only its owner holds; what one key encrypts, only the other can decrypt. Symmetric encryption, also called private key encryption, instead uses a single key to both encrypt and decrypt, so both the sender and the receiver must possess the same key. Symmetric encryption is much faster for the computer to process, but it raises the cost of key management: the problem is getting a copy of the key to the receiver securely, traditionally by some out-of-band means. Hybrid methods combine the best features of both. An asymmetric technique such as Diffie-Hellman key exchange is used first to agree on a secret session key, which is the computationally expensive step, and the much faster symmetric encryption under that session key is then used for the duration of the message passing.
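The hybrid scheme described above, as an added example that is not part of the exam or the original post: both sides of a Diffie-Hellman exchange, the derivation of a session key from the agreed secret, and the symmetric phase that carries the actual message. The group parameters are a deliberately tiny toy, the "symmetric cipher" is a SHA-256 counter-mode keystream standing in for AES-GCM, and all function names are assumptions made for the illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration: a 127-bit Mersenne prime is far
# too small to be secure. Real deployments use standardized groups of 2048 bits or more
# (e.g. RFC 7919 ffdhe2048) or an elliptic-curve equivalent such as X25519.
P = 2**127 - 1
G = 3


def dh_keypair(p=P, g=G):
    """Fresh private exponent and the public value that is sent over the wire."""
    x = secrets.randbelow(p - 2) + 1          # 1 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared_secret(their_public, my_private, p=P):
    """g^(ab) mod p, computed by each side from its own private value and the other's public value."""
    return pow(their_public, my_private, p)


def derive_session_key(shared_secret):
    """Hash the agreed integer down to a 32-byte symmetric key (the key-derivation step)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def keystream(key, nonce, length):
    """Toy stand-in for a real symmetric cipher such as AES-GCM: SHA-256 run in counter mode.
    It hides the message for the demo but provides no integrity protection."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


symmetric_decrypt = symmetric_encrypt   # XOR with the same keystream undoes itself


def hybrid_exchange(message):
    """Run the hybrid protocol end to end; report what both parties and an eavesdropper end up with."""
    # Asymmetric phase (expensive, done once): only the public values cross the network.
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    eavesdropper_sees = {"p": P, "g": G, "A": alice_pub, "B": bob_pub}
    alice_key = derive_session_key(dh_shared_secret(bob_pub, alice_priv))
    bob_key = derive_session_key(dh_shared_secret(alice_pub, bob_priv))
    # Symmetric phase (cheap, repeated for every message): bulk data under the session key.
    nonce = secrets.token_bytes(12)
    ciphertext = symmetric_encrypt(alice_key, nonce, message)
    eavesdropper_sees["ciphertext"] = ciphertext
    recovered = symmetric_decrypt(bob_key, nonce, ciphertext)
    return {"keys_match": alice_key == bob_key, "recovered": recovered,
            "eavesdropper_sees": eavesdropper_sees}


if __name__ == "__main__":
    result = hybrid_exchange(b"transfer 100 to account 42")
    print("session keys match:", result["keys_match"])
    print("Bob recovered:", result["recovered"])
    print("on the wire:", {k: (v.hex() if isinstance(v, bytes) else v) for k, v in result["eavesdropper_sees"].items()})
```

The eavesdropper's view contains p, g, the two public values and the ciphertext, but never the shared secret or the session key, which is the property the hybrid approach relies on. Two caveats matter in practice: plain Diffie-Hellman like this is unauthenticated, so an active attacker in the middle can run a separate exchange with each side, which is why real protocols sign the exchanged values with a long-term key (the kind of signature Question 6 describes); and the toy keystream gives no integrity, so a real deployment uses an authenticated cipher such as AES-GCM or ChaCha20-Poly1305.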


  • Question 6

    9.5 out of 10 points
    Choose from the following options:

    1. Alex wants to send a message to Bob ensuring that:
      • Bob knows that the message could only have come from Alex
      • Only Bob can read the message
      • Bob knows that the message was not modified in transit
      Describe the necessary steps and keys to use with asymmetric encryption and hashing. Explain your choices.
    2. Using the Vigenere Square provided, encode the message "THIS TEST IS EASY" using the key "ENCRYPT". What is your newly encoded message? A paper copy of the Vigenere Square is available from your instructor, as well.

     [image: Vigenère square (VigenereSquare-small.png)]


    Correct Answer:
    Correct
    1. Alex takes the plaintext message and runs it through a secure hash function, creating a message digest. Both the original plaintext message and the message digest are encrypted first using Alex's private key. This ensures that the message must have come from Alex, as only he has access to his private key. Let's call this result CipherText1. Next, we encrypt a second time, now using Bob's public key. This ensures that only Bob can decrypt the message. Let's call this result CipherText2. This new ciphertext is sent to Bob, and he uses his private key to extract the signed message and message digest, CipherText1. He decrypts a second time using Alex's public key (thus verifying that the message must have come from Alex). This leaves the plaintext message and the message digest. He runs the extracted message through the same secure hash function, producing a new message digest. Bob can now compare the new message digest to the one sent in the signed message. If they match, he knows that the message wasn't changed at any point during transmission. In practice the digest alone is what gets signed with Alex's private key, and the message together with that signature is then encrypted for Bob; the keys and their order are the same as described here.
    2. ENCRYPTENCRYPT
      THISTESTISEASY
      --------------
      XUKJRTLXVUVYHR
    Response Feedback:
     one off
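The exchange in part 1, as an added example that is not part of the exam or the original post. It follows the answer's order exactly: hash the message with SHA-256, put the message and digest under Alex's private key, put that result under Bob's public key, and reverse the layers on Bob's side before recomputing the digest. The RSA keys are a deliberately small textbook construction from Mersenne primes; the key sizes, the 0x01 chunk marker, the fixed-width serialization between the two RSA passes and all function names are assumptions made for this illustration, and neither keys this small nor unpadded textbook RSA are secure.

```python
import hashlib
from math import gcd

# Toy RSA, constructed for illustration only: moduli built from Mersenne primes are far
# smaller than the 2048-bit keys used in practice, and textbook RSA without OAEP/PSS
# padding is not secure. The structure of the exchange is what this demonstrates.
E = 65537


def rsa_keypair(p, q):
    """Return ((n, e), (n, d)) for two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    return (n, E), (n, pow(E, -1, phi))


ALEX_PUB, ALEX_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)     # n_alex < 2**150
BOB_PUB, BOB_PRIV = rsa_keypair(2**107 - 1, 2**127 - 1)     # n_bob  < 2**234


def rsa_apply(key, chunks):
    """Raise each chunk to the key's exponent mod n: encryption or decryption, depending on the key used."""
    n, exp = key
    return [pow(c, exp, n) for c in chunks]


def bytes_to_chunks(data, size=15):
    """Split data into <=15-byte pieces, each prefixed with 0x01 so that length and leading
    zero bytes survive the integer round trip. Every chunk is < 2**128 and so below both moduli."""
    return [int.from_bytes(b"\x01" + data[i:i + size], "big") for i in range(0, len(data), size)]


def chunks_to_bytes(chunks):
    """Inverse of bytes_to_chunks: drop the 0x01 marker byte from each chunk and concatenate."""
    return b"".join(c.to_bytes((c.bit_length() + 7) // 8, "big")[1:] for c in chunks)


def ints_to_bytes(ints, width=32):
    """Fixed-width serialization of RSA outputs (all < 2**256 here) so they can go through a second RSA pass."""
    return b"".join(i.to_bytes(width, "big") for i in ints)


def bytes_to_ints(data, width=32):
    return [int.from_bytes(data[i:i + width], "big") for i in range(0, len(data), width)]


def alex_sends(message):
    """Alex's side: hash, sign with his private key, then encrypt the signed blob for Bob."""
    digest = hashlib.sha256(message).digest()
    # Step 1: message and digest under Alex's private key -> only Alex could have produced this.
    ciphertext1 = rsa_apply(ALEX_PRIV, bytes_to_chunks(message + digest))
    # Step 2: the whole signed blob under Bob's public key -> only Bob can open it.
    return rsa_apply(BOB_PUB, bytes_to_chunks(ints_to_bytes(ciphertext1)))


def bob_receives(ciphertext2):
    """Bob's side: strip his layer, strip Alex's layer, and check the digest. Returns (message, digest_matches)."""
    ciphertext1 = bytes_to_ints(chunks_to_bytes(rsa_apply(BOB_PRIV, ciphertext2)))
    signed = chunks_to_bytes(rsa_apply(ALEX_PUB, ciphertext1))
    message, digest = signed[:-32], signed[-32:]
    return message, hashlib.sha256(message).digest() == digest


if __name__ == "__main__":
    ct = alex_sends(b"Meet at the usual place at noon.")
    print(bob_receives(ct))                     # (b'Meet at the usual place at noon.', True)
    print(bob_receives([ct[0] ^ 1] + ct[1:]))   # digest check fails after tampering
```

Flipping a single bit of the transmitted ciphertext scrambles the recovered bytes and the digest comparison fails, which is the third property the question asks for. Anyone other than Bob cannot get past the outer layer at all, and a blob not produced with Alex's private key does not decrypt to a consistent message and digest under his public key. Real systems sign only the digest (RSA-PSS or an elliptic-curve signature) and encrypt the body with a hybrid scheme rather than RSA directly, but the roles of the four keys are exactly the ones the answer assigns.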
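Part 2 checked in code, as an added example that is not part of the exam or the original post: each row of the Vigenère square is just the alphabet rotated to begin with the key letter, so the square can be generated and the encoding looked up mechanically instead of by eye. The function names are assumptions made for the illustration; spaces are dropped, as the answer's layout does.

```python
import string

ALPHABET = string.ascii_uppercase


def vigenere_square_row(key_letter):
    """One row of the Vigenère square: the alphabet rotated to start at key_letter."""
    k = ALPHABET.index(key_letter.upper())
    return ALPHABET[k:] + ALPHABET[:k]


def vigenere(text, key, decrypt=False):
    """Encode (or decode) text with a repeating key. Row = key letter, column = plaintext letter;
    anything that is not a letter is dropped, as in the exam answer."""
    letters = [c for c in text.upper() if c in ALPHABET]
    key = [c for c in key.upper() if c in ALPHABET]
    out = []
    for i, c in enumerate(letters):
        row = vigenere_square_row(key[i % len(key)])
        if decrypt:
            out.append(ALPHABET[row.index(c)])    # find c in the row, read off its column
        else:
            out.append(row[ALPHABET.index(c)])    # go to column c within the row
    return "".join(out)


def worked_layout(text, key):
    """The three-line layout used in the answer: repeated key, plaintext, rule, ciphertext."""
    letters = "".join(c for c in text.upper() if c in ALPHABET)
    stream = "".join(key.upper()[i % len(key)] for i in range(len(letters)))
    return "\n".join([stream, letters, "-" * len(letters), vigenere(letters, key)])


if __name__ == "__main__":
    print(worked_layout("THIS TEST IS EASY", "ENCRYPT"))
    print(vigenere("XUKJRTLXVUVYHR", "ENCRYPT", decrypt=True))
```

Generating the rows makes the "one off" failure mode obvious: reading the square one row or one column too far shifts every output letter by one place, so a single misaligned finger on the paper copy changes the entire ciphertext rather than a single character.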
