CSCI 4911 Certification Examination

Instructions

Answer all Questions in the space provided. Email the exam to Robert.owor@asurams.edu before the due date.


21 Nov 2013 (3 years and 6 months ago)




Name:___________________________________



Grade Code:_______________________________

(An anonymous UserID for posting grades on course website)



Major:____________________________________




Question 1


Manning’s job was to make sure that other intelligence analysts in his group had access to everything that they were entitled to see. That included incoming intelligence streams from across the world on something called the Joint Worldwide Intelligence Communications System (JWICS), the Department of Defense's computer network for Top Secret information. Manning also had access to another information stream dubbed the Secure Internet Protocol Router Network (SIPRNet), the Pentagon’s server for information classified as Secret. (Secret and Top Secret are differing levels of classifications for materials.)

Using keyword searches and a knowledge of routing nomenclature, any intelligence analyst -- even if he's sitting in a shack in Iraq -- can access pretty much any piece of data classified at the level of access he has. Analysts are given updated documents like this unclassified list of every military operating unit and its e-mail designator. The lists can be accessed through an unsecure and unpublicized Joint Chiefs of Staff file transfer network. Another document lists every single mail routing address by location, even for unacknowledged locations like the Air Force test site in “Area 51” near Las Vegas.

Information and intelligence at the Top Secret level can’t be transferred off of those computers easily. To transfer information from the SIPRNet to unclassified networks, analysts like Manning use proprietary computers called SNAP. About 1,500 are deployed in Iraq and Afghanistan, according to TeleCommunications Systems, the company that builds them.

SNAP, which stands for SIPR-NIPR Access Point, “allows you to bring stuff from the low side to the high side and vice versa, securely,” one current user of the program said. The user asked to remain anonymous in order to share sensitive but unclassified insights into how analysts perform their work. Information on an unclassified computer can be transferred to a stick drive, burned onto a CD or simply e-mailed away.

The important thing to know is that diplomatic cables are no longer transmitted over wires to clattering teletype machines. They’re sent via e-mail over secured networks, and they are also stored on servers until they’re erased. Cables and incident reports from the field are stored on servers in the form of PST files -- PS stands for "personal storage" -- e-mail archives that Microsoft’s Outlook program uses to compress and store data.

So how did Manning allegedly manage to get access to the diplomatic cables? They’re transmitted via e-mail in PDF form on a State Department network called ClassNet, but they’re stored in PST form on servers and are searchable. If Manning’s unit needed to know whether Iranian proxies had acquired some new weapon, the information might be contained within a diplomatic cable. All any analyst has to do is to download a PST file with the cables, unpack them, SNAP them up or down to a computer that is capable of interacting with a thumb drive or a burnable CD, and then erase the server logs that would have provided investigators with a road map of the analyst's activities. But analysts routinely download and access large files, so such behavior would not have been seen as unusual.

Manning is alleged to have started to provide WikiLeaks with the information in the fall of 2009. His access to computer systems was cut off in late May of 2010. The Army’s charging document accuses him of downloading “more than” 50 classified State Department cables to his personal computer.”


In terms of Integrity, Confidentiality, Non-Repudiation and Availability, discuss how Manning violated key security principles in conducting his work. What steps might the Government take to minimize the occurrence of such an incident in the future?
















Question 2: What security risks do you envisage in a 4G Wi-Fi network?

















Question 3: Why are Social Engineering and Social Networking a danger to Electronic Security Networks? Discuss this example with reference to the WikiLeaks case.




















Question 4: Explain the difference between Symmetric and Asymmetric Cryptography. Which would you choose and under what conditions?















Question 5: What is the brute force attack method? Discuss how brute force may be used to attack an encryption scheme.











Question 6: What balance might you establish between the need to share information between Security Agencies versus the risk of “too many people having access to vital information” and using it for the wrong purpose?


















Question 7: Supposing you were asked to prepare a Contingency/Disaster Recovery Plan, outline the steps you would take.















Question 8: Describe at least 5 physical security measures you would put in place to protect a computer network under your care.












Question 9: Which key areas would you look at in order to assess the vulnerability of a computer system?

















Question 10: What is the Key Management problem? Outline a methodology you might
use to securely distribute Private, Session and Public Keys in a distributed network.










Q11. What is confidentiality? What is the difference between confidentiality, privacy and secrecy?









Q12. Briefly discuss the major loopholes in web based systems today. What three steps might you take to make web based systems more secure?
















Q13. Should Governments trust Commercial Off the Shelf software?














Q14. What is “non-repudiation” and what is its significance?













Q15. Using a real life scenario, outline how encryption can be used to authenticate
messages.










Q16. Explain five points of concern you take into account when designing a decryption scheme.












Q17. In which of the following layers (Application, Services, Operating System, OS
Kernel, and Hardware) of the system should security
modules be loaded? Why?






Q18. Using three real life examples, explain how an attacker might compromise each of the following:

(a) Userid and Password page on the web

(b) A Blog or Bulletin Board Forum

(c) A For or While loop in an executable file using buffer overflows.













Q19. According to your own assessment, do you think more people in key government positions need cyber security training? Is Awareness training necessary for the general public? Discuss your answer.















Q20. What is the role of packet filtering in firewall security? Outline at least 3 packet filtering strategies you would recommend to meet your security goals.












Q21. List 6 major ways in which an Identity thief can compromise one’s identity. What are some of the steps one might take to protect one’s identity?















Q22. Discuss how a buffer overflow attack compromises systems security.








Q23. Supposing you were asked to protect an information system for an organization, outline the key steps you would take to achieve this.










Q24. What is Social Engineering? Describe how Social Engineering might be used to
gain access to confidential information.












Q25. What was the most significant thing you learned in this course? Has the course helped you become more security conscious at a personal level?