IS623 – Midterm

True/False (1 – 15): 1 point each. Indicate whether the statement is true or false.

1. A breach of possession always results in a breach of confidentiality. (True / False)

2. Hardware is often the most valuable asset possessed by an organization and it is the main target of intentional attacks. (True / False)

3. To achieve balance — that is, to operate an information system that satisfies the user and the security professional — the security level must allow reasonable access, yet protect against threats. (True / False)

4. Information security’s primary mission is to ensure that systems and their contents retain their confidentiality at all costs. (True / False)

5. A sniffer program shows all the data going by on a network segment including passwords, the data inside files—such as word-processing documents—and screens full of sensitive data from applications. (True / False)

6. Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets. (True / False)

7. To determine if the risk is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited. (True / False)

8. The permutation cipher simply rearranges the values within a block to create the ciphertext. (True / False)

9. Digital certificates are public-key container files that allow computer programs to validate the key and identify to whom it belongs. (True / False)

10. You cannot combine the XOR operation with a block cipher operation. (True / False)

11. Nonrepudiation means that customers or partners can be held accountable for transactions, such as online purchases, which they cannot later deny. (True / False)

12. When an asymmetric cryptographic process uses the sender’s private key to encrypt a message, the sender’s public key must be used to decrypt the message. (True / False)

13. Hash algorithms are public functions that create a hash value by converting variable-length messages into a single fixed-length value. (True / False)


14. Encryption methodologies that require the same secret key to encipher and decipher the message are using what is called public key encryption. (True / False)

15. The most popular modern version of steganography involves hiding information within files that contain digital pictures or other images. (True / False)

Multiple Choice (16 – 25): 1 point each. Identify the choice that best completes the statement or answers the question.

16. ____ of information is to protect my information from unauthorized modification.

a. Availability
b. Integrity
c. Confidentiality
d. Authorization

17. An information system is the entire set of ____, people, procedures, and networks that make possible the use of information resources in the organization.

a. software
b. hardware
c. data
d. All of the above

18. Which of the following functions does information security perform for an organization?

a. Protecting the organization’s ability to function.
b. Enabling the safe operation of applications implemented on the organization’s IT systems.
c. Protecting the data the organization collects and uses.
d. All of the above.

19. Risk ____ is the application of controls to reduce the risks to an organization’s data and information systems.

a. management
b. control
c. identification
d. security

20. ____ equals likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty.

a. Probability
b. Risk
c. Possibility
d. Chance

21. ____ is the process of converting an original message into a form that is unreadable to unauthorized individuals.

a. Encryption
b. Decryption
c. Cryptology
d. Cryptography

22. ____ is the information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext.

a. Password
b. Cipher
c. Key
d. Passphrase

23. More advanced substitution ciphers use two or more alphabets, and are referred to as ____ substitutions.

a. multialphabetic
b. monoalphabetic
c. polyalphabetic
d. polynomic

24. A method of encryption that requires the same secret key to encipher and decipher the message is known as ____ encryption.

a. asymmetric
b. symmetric
c. public
d. private

25. An X.509 certificate binds a ____, which makes all certificates unique, to a user’s public key.

a. message digest
b. fingerprint
c. distinguished name
d. digital signature

Short Answer Questions

26. Suppose you have a secure system with three subjects and three objects, with levels as listed below. (10 points)

Type      Name    Level
Object    Obj1    (H, {A})
Object    Obj2    (L, {B})
Object    Obj3    (L, {A,B})
Subject   Subj1   (L, {A,B})
Subject   Subj2   (H, {B})
Subject   Subj3   (H, {A,B,C})

Here H dominates L. You wish to implement a Bell and LaPadula model of security for this system. Fill in the access rights (R and/or W) permitted by the model for each subject/object pair in the access matrix below:

          Obj1    Obj2    Obj3
Subj1
Subj2
Subj3


27. Suppose a department has determined that some users have gained unauthorized access to the computing system. Managers fear the intruders might intercept or even modify sensitive data on the system. The cost to reconstruct correct data is expected to be $2,000,000, with a 5% likelihood per year.

One approach to addressing this problem is to install more secure data access control software. The cost of the access control software is $50,000, with 80% effectiveness. Here is the summary of risk and control:

- Cost to reconstruct correct data = $2,000,000 with 5% likelihood per year
- Effectiveness of access control software: 80%
- Cost of access control software: $50,000

Determine the expected annual costs due to loss and controls. Also, determine whether the costs outweigh the benefits of preventing or mitigating the risks. (5 points)

28. Briefly answer each question below:

(a) What are the three fundamental elements of an effective security program for information systems? Also, of these three fundamental controls, which two are used by the Domain User Admin (refer to Virtual Lab #3) to create users and assign rights to resources? (2 points)

(b) Once a vulnerability has been identified by OpenVAS (refer to Virtual Lab #2), where would you check for more information regarding the identified vulnerability, exploits, and any risk mitigation? (2 points)

(c) Why is military security mainly about confidentiality? Are there also aspects of integrity and availability? (2 points)

(d) If you and another person want to encrypt messages, should you provide that person with your public key, private key, or both? (2 points)

(e) What is the result of the XOR operation on the following two bit streams? (2 points)

S1 = 010011101
S2 = 111100001

(End of Midterm)