Examination length: No longer than 4 hours, not including reading and preparation time.
Due: Oct 15, 2009, 5:30pm Eastern Time.

Instructions:
1. You will need to add paper to record your responses to these questions. Please be sure that you put your name on EACH PAGE you wish included in the grading of this examination. Electronic submissions (including e-mail) must be edited so that your name appears on each page. Email submissions must have the subject line Midterm Submission; all emailed submissions will be acknowledged. Please do not submit both via email and physically in class.
2. This examination is open book, open notes, closed neighbor. Students may consult any noninteractive reference they choose, but no direct or indirect (e.g., NO Email, NO netnews, NO conversation) contact with any human other than the instructor or teaching assistants. Any communication between students concerning the examination is forbidden. Citation of sources of information is mandatory, in compliance with the CMU Plagiarism policy.
3. Ensure that you answer all parts of each question. Some questions have more than one part.
4. Please write clearly (if I cannot read it, I cannot grade you anything but a 0 on that portion).
5. Please read each question carefully. If the question is unclear then do not hesitate to ask for clarification.

Good Luck!

Grading:
1 (25 points)
2 (25 points)
3 (25 points)
4 (25 points)
Total:
1) (25 points) Assume you are working for an organization concerned with security in its customer relations. You have been tasked to study possible measures to prevent losses due to possible email from attackers directing users to a malicious clone of your organization's website (a.k.a. Phishing).
a) In a short paragraph, identify three risks to an organization associated with phishing.
b) Briefly (1 short sentence) identify one way in which authentication methods may aid in protecting users from phishing.
c) Briefly (2 short sentences) identify one way in which asymmetric encryption methods may aid in this effort and one way in which asymmetric encryption methods may hamper this effort.
d) Briefly (1-2 paragraphs) discuss the counterbalance of people-oriented solutions (e.g., user training) versus automated solutions (e.g., an improved mail transfer program) in dealing with phishing. Identify at least one strength, one limitation and one risk associated with each approach.
2) (25 points) FlightFree is developing a physical security policy. They occupy one floor of a business park building near the Pittsburgh airport, with only limited influence over the remainder of the building. It is expected that customers would rarely visit the FlightFree site, but rather that sales would occur at the website and engineering coordination would occur at the venue of the installation. Currently, FlightFree uses proximity cards for building access enforced by electronic locks, with ACLs limiting employees based on their duties. The space also has audible alarms installed, which are activated by the last supervisor leaving the facility.
a) Briefly (1-2 sentences each) describe four policies for FlightFree associated with conduct in the parts of the building it doesn't occupy.
b) Briefly (1-2 sentences each) describe four policies for FlightFree regarding conduct at venue sites.
c) Briefly (1 paragraph) describe one physical security technique that would improve FlightFree's physical security in the building it currently occupies, without greatly harming employee productivity.
3) (25 points) Assume that your boss has direct purchase authority over all IT acquisitions for your organization. Recently, your boss has read about vulnerability management systems and is enthusiastic that they will solve your organization's problems with respect to outside hackers.
a) Briefly (1 short sentence each) identify one way in which vulnerability management systems may aid with respect to hackers, and one way in which they would impede dealing with hackers.
b) What are four reasons you might give your boss as to why not to use a vulnerability management system within your organization? List each in a brief sentence or phrase.
c) Describe (1-2 paragraphs) a process by which your organization might evaluate the effectiveness of a vulnerability management system in dealing with hackers.
4) (25 points) After several highly publicized worm attacks a few years ago, there have not been as many broad-scale worm attacks. Instead, malware authors appear to be working on much more directed attacks restricted to specific industries.
a) Describe (1 sentence each) three risks to organizations from this shift in malware behavior (regardless of any affiliation of the author of the malware).
b) Describe (1 sentence each) three ways that organizations might use a combination of access control and encryption to prevent directed malicious software from compromising proprietary data.
c) Discuss (1 paragraph) three risks to online organizations arising from organized crime's use of the Internet and similar wide-area networks, specifically related to directed malicious software.