Question

QUESTION 1
Advanced Security Inc. was hired by the Treasury Bank Inc. for securing their systems. The first thing they did was implement the best practice of separation of domains. As a result of this
- The bank had to get a new domain name.
- any change made in the records points to only one party who could have made that change.
- If you are a technical person, you must have an office in a particular area of the building.
- accessing outside websites depends on whether this website is within the domain of company business.
10 points

QUESTION 2
When the company management met the Chief Information Officer (CIO) last week, one of the managers pointed out that the CIO himself should be mindful of the least privilege principle in using the information technology. She gave the example of violation by saying that
- the CIO had done least work that will do the job (that is, least privilege) instead of going above and beyond.
- the CIO has not distributed his power among his subordinates to implement least privilege by keeping least power to himself.
- the CIO uses root (highest privileged account) for casual email communications that do not require high privilege level.
- the CIO does not provide enough information about system security as a least privilege practice.
10 points

QUESTION 3
In answer to a question 'it is a surprise, why don't we have all the features of the new software enabled', the IT engineer explained that we will use only the ones we need for the business operation, so that we expose least attack vectors. This practice is called
- minimization of implementation.
- secrecy about the IT potential of a software.
- usability.
- least astonishment.
10 points

QUESTION 4
When the Financial Transactions Inc. ATM machine broke down, it started giving out money for any code entered. Shopping for the new ATM machine, they want to make sure that its design follows
- least privilege principle so that the ATM can't give money to anyone except the designated parties.
- minimization of implementation principle so that there are no features of giving out money except for a minimum number of scenarios.
- Usability so that it knows that there is a valid customer before giving out money.
- fail safe defaults or fail secure operation so that if it fails it defaults to a secure state.
10 points

QUESTION 5
Kerckhoffs's principle requires that there should be no secrecy in the design of an encryption algorithm because if an adversary can break it, it is no good and if she can't break it then it is proven to be good. This has led to the following design practice to be followed in cipher suites.
- fail safe
- usability
- open design
- minimization (of implementation)
10 points

QUESTION 6
An operating system consists of three rings of resources. The programs in ring 2 are accessible by users and guest users. Programs in ring 1 are accessible by device drivers and users with special privilege that requires them to enter two passwords. The programs in ring 0 make the kernel of the OS and require three passwords for human access, the first password giving access to only the 'user land' area, the second password giving access to the 'device land' area and the third password giving access to the 'kernel'. When someone makes more than two errors of entering password at the device land or kernel levels, an email is sent to the administrator warning of the unsuccessful attempt to login as administrator. This protects against many attacks. This type of protection can be described as
- multiple firewalls.
- defense in depth.
- honeypot.
- no man's land.
10 points

QUESTION 7
Most smart phones now provide a mechanism to authenticate the users. A loose form of authentication on smart phones is swiping a certain pattern or entering a four-digit PIN. Modern systems
- can identify an individual using biometrics.
- can't identify specific individual but can only check for a password.
- don't provide an authentication mechanism because anyone could be using them.
- don't work without at least a 2-factor authentication.
10 points

QUESTION 8
Activity logging and monitoring is a powerful secure design principle. Suppose you get an email from a close relative saying 'here are family photos'. You click on the link provided in the email only to find out that it was a phishing attack. You quickly checked your login activity and find that you are currently logged in from a foreign country. Realizing that you have been 'phished' you should
- call the police right away.
- call network administrator right away.
- logout and shut down your computer right away.
- login (if possible, from another device) and change your password right away.
10 points

QUESTION 9
As a security engineer, you are afraid that if there is any breach into your employer's data, the whole data becomes fishy. One solution to this is that you always keep two copies of the main server data so that if one is tampered with the other can be used. The other approach is that you keep a copy of the secure hash of the database in a secure place and anytime you try to use the database you first check its secure hash.
- This latter approach eliminates the need to keep a second copy as a backup.
- Latter approach is not sufficient because you should always have a backup of important data. If you can catch a tampering event then you need to recover from it by using the backup.
- The latter approach is called auditing and it is necessary anyway.
- The first approach (having a backup) is called auditing and is required anyway.
10 points

QUESTION 10
Two-factor authentication can be broken if while riding the bus you use your password to login to your account and someone shoulder-surfs your password and then pick-pockets your phone. You are going to use this example to your employees as part of training them to avoid
- social engineering attacks.
- DDoS attacks.
- spear phishing.
- least privilege practice.
10 points

QUESTION 11 (With this question correct you can get 100/100)
Auditing is important because
- it tells you who used the system at what time.
- it saves money because employees will spend carefully.
- it makes sure that duties are separated in individual domains.
- it can help you avoid unwanted ads.

Homework Answers

Answer #1

Question 1: The step taken to separate the domain was a good step to increase the security of the website and bank system, and in order to access the websites that are outside the domain, we should have an internet connection and have proper routing devices that will route the devices to outside websites and restrict the traffic from outside the domain which tries to access the website, and in order to access the bank system or website from outside, there will be a need for a username and password for authentication of the user and to verify their identity to keep out the intruders. Addition of a domain does not have a great effect on the records because we only need to link the domain to the server and allow access to it in the server.
