
95-752 Midterm Examination

Examination length: No longer than 4 hours, not including reading and preparation time.
Due: Oct 15, 2009, 5:30pm Eastern Time.

Instructions:
1. You will need to add paper to record your responses to these questions. Please be sure that you put your name on EACH PAGE you wish included in the grading of this examination. Electronic submissions (including e-mail) must be edited so that your name appears on each page. E-mail submissions must have the subject line "Midterm Submission"; all e-mailed submissions will be acknowledged. Please do not submit both via e-mail and physically in class.

2. This examination is open book, open notes, closed neighbor. Students may consult any non-interactive reference they choose, but no direct or indirect (e.g., NO e-mail, NO netnews, NO conversation) contact with any human other than the instructor or teaching assistants. Any communication between students concerning the examination is forbidden. Citation of sources of information is mandatory, in compliance with the CMU Plagiarism policy.

3. Ensure that you answer all parts of each question. Some questions have more than one part.

4. Please write clearly (if I cannot read it, I cannot grade you anything but a 0 on that portion).

5. Please read each question carefully. If the question is unclear then do not hesitate to ask for clarification.
Good Luck!

Grading:
1 (25 points)
2 (25 points)
3 (25 points)
4 (25 points)
Total:

1) (25 points) Assume you are working for an organization concerned with security in its customer relations. You have been tasked to study possible measures to prevent losses due to possible e-mail from attackers directing users to a malicious clone of your organization's website (a.k.a. phishing).

a) In a short paragraph, identify three risks to an organization associated with phishing.

b) Briefly (1 short sentence) identify one way in which authentication methods may aid in protecting users from phishing.

c) Briefly (2 short sentences) identify one way in which asymmetric encryption methods may aid in this effort and one way in which asymmetric encryption methods may hamper this effort.

d) Briefly (1-2 paragraphs) discuss the counterbalance of people-oriented solutions (e.g., user training) versus automated solutions (e.g., an improved mail transfer program) in dealing with phishing. Identify at least one strength, one limitation and one risk associated with each approach.

2) (25 points) FlightFree is developing a physical security policy. They occupy one floor of a business park building near the Pittsburgh airport, with only limited influence over the remainder of the building. It is expected that customers would rarely visit the FlightFree site, but rather that sales would occur at the website and engineering coordination would occur at the venue of the installation. Currently, FlightFree uses proximity cards for building access enforced by electronic locks, with ACLs limiting employees based on their duties. The space also has audible alarms installed, which are activated by the last supervisor leaving the facility.

a) Briefly (1-2 sentences each) describe four policies for FlightFree associated with conduct in the parts of the building it doesn't occupy.

b) Briefly (1-2 sentences each) describe four policies for FlightFree regarding conduct at venue sites.

c) Briefly (1 paragraph) describe one physical security technique that would improve FlightFree's physical security in the building it currently occupies, without greatly harming employee productivity.

3) (25 points) Assume that your boss has direct purchase authority over all IT acquisitions for your organization. Recently, your boss has read about vulnerability management systems and is enthusiastic that they will solve your organization's problems with respect to outside hackers.

a) Briefly (1 short sentence each) identify one way in which vulnerability management systems may aid with respect to hackers, and one way in which they would impede dealing with hackers.

b) What are four reasons you might give your boss as to why not to use a vulnerability management system within your organization? List each in a brief sentence or phrase.

c) Describe (1-2 paragraphs) a process by which your organization might evaluate the effectiveness of a vulnerability management system in dealing with hackers.

4) (25 points) After several highly publicized worm attacks a few years ago, there have not been as many broad-scale worm attacks. Instead, malware authors appear to be working on much more directed attacks restricted to specific industries.

a) Describe (1 sentence each) three risks to organizations from this shift in malware behavior (regardless of any affiliation of the author of the malware).

b) Describe (1 sentence each) three ways that organizations might use a combination of access control and encryption to prevent directed malicious software from compromising proprietary data.

c) Discuss (1 paragraph) three risks to online organizations arising from organized crime's use of the Internet and similar wide-area networks, specifically related to directed malicious software.
