Question 1
You are the administrator for a tracking system application for a Human Resources (HR) Department that tracks different employee cases such as processing retirements or changing health benefits for ACME Inc... There are different permissions that different members the HR Staff need to execute on the cases to perform their duties. The available permissions that may be accomplished for each case are:
Read a case - you can open a case and view the contents.
Create a case - you can make a new case and save it...
Update a case - you can open a saved case, make changes to it and save the changes..
Search a case - you can search for cases using criteria and get returned cases that match the criteria..
Delete a case - you can delete an entire case..
Assign a case - you can assign a case to someone else to be worked on..
A. I want to have a group of HR managers that can perform all of the functions above.
B. I want to also have a separate group of HR personnel that can do everything except for alter or delete cases.
C. I want to have a separate group of HR personnel that can open and make changes to a case but only after it assigned to them.
D. I also want a separate group that if an ACME employee calls the HR helpdesk with a problem, the HR personnel that answers the phone should be able to: search for their case, look at its contents, and either make the appropriate changes or assign it to the group responsible for making the changes.
1.Out of Discretionary Access Control, Mandatory Access Control, and Role Based Access Control, which access control method (choose only one) is best at accommodating these permissions and why?.
2. Using least privilege principles; list all of the different groups you would make to accomplish the functions above along with the permissions that would be included in each group. Feel free to name all of the groups anything you like such as the HR Editors or HR Supervisors, etc. but include what permissions each group would have (Read, Create, Update, Search, Delete, and Assign) and list which requirement above it is addressing such as A, B, C, or D. .
Question 2
You are charged with maintaining a legacy Web application. It is a publicly facing e-Commerce site that allows customers to search for and order commemorative memorabilia and souvenirs using credit or debit card through an HTTP interface. Even though the Web server software is outdated and is no longer supported, it has been extremely reliable and has supported all updates to the application. There is a publicly accessible search mechanism that allows you to pull up your previous order and payment information using other previous order information. To order souvenirs or memorabilia, you are required to search for the items you would like to order and submit your order request via a Web form. The customer service personnel login and are granted full access rights to the application and database to assist customers with any issues including ordering questions and credit card issues.
List and explain, at least three, attack surfaces for this scenario. (Hint: there are four)
Question 3
Explain the difference between a rainbow table and a hash lookup table in respect to trying to compromise a computer system's password? What is reduction function, what does it do, and what is its purpose?
Question 4
Define and describe the terms threat, vulnerability, exploit, and risk.
Out of the four terms:
Which one would an approaching hurricane represent?
Which one would a Denial of Service (Dos) represent?
Which one would a hacker represent?
Which one would be represented by using a lookup table to compromise the password from a LAN Manager hash?
Question 5
Explain four general means (factors) of authenticating a user's identity?
Give a specific example and describe how a system would work that uses two of these factors together.
Give a specific example and describe how a system would work that uses three of these factors together.
Question 6
I have sensitive file deliveries to a high-profile client on a regular weekly interval. I suspect that someone is doing passive analysis on my data communication on my system so I decide to encrypt all of my data and data transmission to prevent any passive analysis of my data.
If I encrypt all of my data and transmissions, have I protected myself from passive attacks? Explain why or why not?
Question 7
1. Explain the difference between salting a password and peppering a password?
2. Your organization provides customer service for a variety of high-profile clients. The system used by the customer service representatives need to provide additional security to the hashed passwords in the database to ensure the sensitive client information is protected, however, you also need to ensure that your customer service reps can login quickly and efficiently to rapidly help customers with problems with their accounts.
In addition to the hashed passwords in the database, would you salt, pepper, or both? Explain why you would use the option you chose. Explain why you didn't choose the other option(s).
Question 8
An attacker is able to get the IP address of the target organization's Web server. From information leakage and social engineering, the attacker finds out that the company has Wake-On-LAN (WOL) implemented to save power as part of their green initiative. This lets you know that IP directed broadcasts are enabled.
If the attacker plans to spoof his address as the mail server, explain why this information might be beneficial to an attacker that plans on carrying out an ICMP Flood style Denial of Service attack.
Question 9
Describe two safeguards that a Web based system might have in place to prevent dictionary attacks.
Question 10
List and fully explain seven different types of biometric authentication. Give an example, for each one, of how they could be implemented into a system to authenticate a user such as device that currently exists or an example of how you would implement this in an authentication mechanism.