It ne 2002 introduction to information security assignment


Introduction to Information Security Assignment

Task 1: Review Questions

Answer the following questions on a separate sheet during lecture and submit.

Students should perform this task individually.

1. What is the OSI security architecture?

2. What is the difference between passive and active security threats?

3. List and briefly define categories of passive and active security attacks.

4. List and briefly define categories of security services.

5. List and briefly define categories of security mechanisms.

Task 2: Problems

Answer the following questions on a separate sheet during lecture and submit.

Students should perform the steps in this task individually.

1. Consider an automated teller machine (ATM) in which users provide a personal identification number (PIN) and a card for account access. Give examples of confidentiality, integrity, and availability requirements associated with the system. In each case, indicate the degree of importance of the requirement.

2. Repeat Problem 1 for a telephone switching system that routes calls through a switching network based on the telephone number requested by the caller.

3. Consider a desktop publishing system used to produce documents for various organizations.

a) Give an example of a type of publication for which confidentiality of the stored data is the most important requirement.

b) Give an example of a type of publication in which data integrity is the most important requirement.

c) Give an example in which system availability is the most important requirement.

4. For each of the following assets, assign a low, moderate, or high impact level for the loss of confidentiality, availability, and integrity, respectively. Justify your answers.

a) An organization managing public information on its Web server.

b) A law-enforcement organization managing extremely sensitive investigative information.

c) A financial organization managing routine administrative information (not privacy-related information).

d) An information system used for large acquisitions in a contracting organization that contains both sensitive, pre-solicitation phase contract information and routine administrative information. Assess the impact for the two data sets separately and the information system as a whole.

e) A power plant contains a SCADA (supervisory control and data acquisition) system controlling the distribution of electric power for a large military installation. The SCADA system contains both real-time sensor data and routine administrative information. Assess the impact for the two data sets separately and the information system as a whole.

Table 1.4 - Relationship Between Security Services and Mechanisms

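| Service \ Mechanism | Encipherment | Digital Signature | Access Control | Data Integrity | Authentication Exchange | Traffic Padding | Routing Control | Notarization |
|---|---|---|---|---|---|---|---|---|
| Peer Entity Authentication | Y | Y | | | Y | | | |
| Data-Origin Authentication | Y | Y | Y | | | | | |
| Access Control | | | | | | | | |
| Confidentiality | Y | | | | | | Y | |
| Traffic-Flow Confidentiality | Y | | | | | Y | Y | |
| Data Integrity | Y | Y | | Y | | | | |
| Nonrepudiation | | Y | | Y | | | | Y |
| Availability | | | | | | | | |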

5. Draw a matrix similar to Table 1.4 that shows the relationship between security services and attacks.

6. Draw a matrix similar to Table 1.4 that shows the relationship between security mechanisms and attacks.
