
CIS 75 Midterm Fall 2016

Question 1

A credit card skimmer is a device that fits over the card slot of an ATM or credit card reader. Skimmers are designed to look just like the legitimate card slot so that victims are unaware of any tampering. When you use an ATM or a gas pump that has a skimmer the skimmer reads the magnetic stripe on your credit card and transmits it to criminals. Krebs on Security has great pictures of skimmers:

https://krebsonsecurity.com/all-about-skimmers/

What form of attack is this? What critical attribute of information is lost in a successful attack?

Example Answer

Using a credit card skimmer is a form of sniffing. Just like a packet sniffer like Wireshark can capture and copy packets as they enter and exit the interface, a credit card skimmer can copy credit card information as it enters the card reader interface, making a copy but allowing the information to also continue into the system where it was intended to go.

When this happens confidentiality is lost because an unauthorized party or parties now has access to that information.

Grading Criteria

I'm always pleasantly surprised when I read student answers to questions like this one. While I had a simple answer in mind, students often see aspects of an attack that I don't. A correct answer, though, must have confidentiality as the critical attribute of information that was lost, because both the credit card number and the PIN are leaked. Listing other attributes will cause a deduction. Taking a broader look at this attack, there are two victims: the bank or retailer that owns the ATM or credit card machine, and the person whose credit card information is stolen.

The ATM owner is the victim of a direct attack (the attack originates from the threat) that's intentional. The category of the attack is espionage or trespass because the attacker is tampering with the ATM in order to perform unauthorized data collection. I will also accept sabotage or vandalism without a deduction in points. The type of attack is skimming (the overlay spoofs the legitimate card slot).

The cardholder is the victim of an indirect attack (the attack originates from a compromised system) that's intentional. The category of attack is again trespass or theft because the attacker is performing unauthorized data collection. Specifically, this is a man-in-the-middle attack: the card data passes through the skimmer on its way to the legitimate reader.
  • You must identify confidentiality of the card number and/or PIN (+10)
    • -3 for listing one or more attributes that are not correct
  • You may identify either or both of the attacks (+10)
    • -3 for missing intentional/unintentional
    • -3 for an improper categorization

Question 2

Increasingly schools are providing each student with a laptop or tablet to do classwork and homework. Schools face a difficult challenge in preventing the theft of expensive computers. Name the threat categories that apply to school laptops or tablets (the hardware, not the software or data on them). For each category you name give an example of a threat agent in that category.

Reference Answer

Threat categories that apply to laptops and tablets are:
  1. Forces of nature. A laptop can be damaged or destroyed by a fire, a flood or an earthquake. 
  2. Human error. A laptop can be dropped or destroyed by the careless action of a person. 
  3. Vandalism. A laptop can be defaced or damaged by a vandal.
  4. Hardware failures. Laptops crash, possibly taking useful work with them. 
  5. Obsolescence. Laptops will eventually get old and fail. 
  6. Theft. A laptop may be stolen by a thief or sold by the student that it's assigned to. 
The threat categories that do not apply to laptops and tablets are:
  1. Loss of intellectual property. The laptop is not the intellectual property of the school, therefore its loss is not a threat. 
  2. Variation in quality of service. The laptop is not a service. Therefore it cannot vary in quality. 
  3. Espionage or trespass. This category of threat threatens the data on the computer. Not the computer itself. 
  4. Extortion. Extortion is when a victim must pay to prevent a loss. Since a laptop is a physical object its loss would be the consequence of damage or theft. Extortion doesn't make sense. 
  5. Software attacks. Software attacks are when a threat agent uses malicious software to access data. The data on the computer is vulnerable to software attacks but not the physical object itself. 
  6. Software failures. Like a software attack, software failures affect software, not hardware. 

Example Answer

Theft. Anyone. Even if the laptops are locked, someone could steal and resell them.
Human Error. A student. They could drop their laptop, spill a drink on it, etc.
Vandalism. A bully. They could graffiti on someone's laptop.
Obsolescence. The school. Laptops will wear out over time.
Hardware Failures. Always a threat with hardware; it could simply wear out over time.
Forces of Nature. Again, always a threat. Earthquake happens and the IT room collapses? Not much you can do about that.

Grading

  • +5 points for each category correctly named 
  • -3 if the threat agent doesn't make sense
  • -5 points for incorrect categories.

Question 3

A school decides to assess their risk. As a part of the assessment they compose an Asset Worksheet as shown below. The school has decided that the losses they wish to examine are financial loss, legal trouble and reputation loss. They want to evaluate how attacks on different assets affect the loss criteria.

Part 1 - Examine the following Information Asset Worksheet

Asset             Criterion 1:     Criterion 2:     Criterion 3:       Weighted
                  Financial Loss   Legal Trouble    Reputation Loss    Score
Weight            50               40               10                 100
Laptops           0.9              0.1              0.8                57
Student Records   0.6              0.7              0.2                60
Employee Records  0.2              0.1              0.4                18

Fill in the empty boxes (on the exam, the Legal Trouble weight and the Weighted Score column were blank) then answer the following questions:

  1. What loss is the organization most interested in avoiding?
  2. What asset is the highest priority for protection?

Example Answer

Row 2, Column 3: weight should be 40
Weighted scores for Laptops, Student Records and Employee Records respectively: 57, 60, 18
  1. Financial loss; it has both the highest weight and is also the highest-totaling column with weight ignored.
  2. Student Records are the highest priority asset, this is mostly because of the legal trouble the organization would face for not protecting this asset, followed closely by the threat of financial loss. Laptops are a close second.

Part 2 - Alternate Scenario

Changing the relative importance of the criteria may change the determination of the highest priority asset. What is the outcome if all criteria are weighted equally? What does that say about the importance of each asset?

Example Answer

If the weights were all equal (1 for simplicity's sake) the weighted scores for Laptops, Student Records and Employee Records would be, respectively: 1.8, 1.5, 0.7.
This puts Laptops as the highest priority asset. This is because the heavily weighted legal trouble had a nearly exclusive effect on Student Records: 7 times more than the other assets. This disparity is what originally put Student Records in the lead.

Grading:

Part 1:
  • +5 for identifying financial loss correctly
  • +5 for identifying student records correctly
  • +10 for showing your work
Part 2: 
  • +5 for identifying laptops correctly
  • +5 for explaining why (laptops have the highest total once the criteria are weighted equally)
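The worksheet arithmetic in Parts 1 and 2 generalizes to any asset list and any set of criteria. The following Python is an added example, not part of the exam or its answer key: it loads the criteria, weights and impact scores from the worksheet above, validates them, ranks the assets, and compares the top-priority asset under the page's weights and under equal weights. The function names and the validation rules are my own assumptions.

```python
"""Weighted factor analysis for an information asset worksheet.

Assumed model (from the worksheet on this page): each asset gets an impact
score in [0, 1] per loss criterion, each criterion gets a weight, and the
weighted score is the sum of impact * weight over all criteria.
"""
from typing import Dict, Iterable, List, Tuple

Scores = Dict[str, float]

# Constructed input: the criteria, weights and per-asset impact scores exactly
# as they appear in the worksheet above.
CRITERIA = ("Financial Loss", "Legal Trouble", "Reputation Loss")
WEIGHTS: Scores = {"Financial Loss": 50, "Legal Trouble": 40, "Reputation Loss": 10}
ASSETS: Dict[str, Scores] = {
    "Laptops":          {"Financial Loss": 0.9, "Legal Trouble": 0.1, "Reputation Loss": 0.8},
    "Student Records":  {"Financial Loss": 0.6, "Legal Trouble": 0.7, "Reputation Loss": 0.2},
    "Employee Records": {"Financial Loss": 0.2, "Legal Trouble": 0.1, "Reputation Loss": 0.4},
}


def check_worksheet(assets: Dict[str, Scores], weights: Scores, total: float = 100) -> None:
    """Reject a worksheet whose weights do not sum to `total`, whose assets
    lack a score for some criterion, or whose impacts fall outside [0, 1]
    (assumed rules; these are the usual data-entry mistakes)."""
    if abs(sum(weights.values()) - total) > 1e-9:
        raise ValueError(f"weights sum to {sum(weights.values())}, expected {total}")
    for name, scores in assets.items():
        missing = set(weights) - set(scores)
        if missing:
            raise ValueError(f"{name}: no score for {sorted(missing)}")
        for crit, value in scores.items():
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name}/{crit}: impact {value} is not in [0, 1]")


def weighted_score(scores: Scores, weights: Scores) -> float:
    """Sum of impact * weight over all criteria, rounded to hide float noise."""
    return round(sum(scores[c] * weights[c] for c in weights), 6)


def rank_assets(assets: Dict[str, Scores], weights: Scores) -> List[Tuple[str, float]]:
    """Assets with their weighted score, highest priority first."""
    ranked = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def most_avoided_loss(weights: Scores) -> str:
    """Part 1, question 1: the criterion the organization weights most."""
    return max(weights, key=weights.get)


def equal_weights(criteria: Iterable[str], each: float = 1.0) -> Scores:
    """Part 2: the same criteria, all weighted equally."""
    return {c: each for c in criteria}


def priority_shift(assets: Dict[str, Scores], weights_a: Scores, weights_b: Scores) -> Tuple[str, str]:
    """Top-priority asset under each weighting, so the reader can see whether
    re-weighting the criteria changes which asset gets protected first."""
    return rank_assets(assets, weights_a)[0][0], rank_assets(assets, weights_b)[0][0]


if __name__ == "__main__":
    check_worksheet(ASSETS, WEIGHTS)
    print("Most-avoided loss:", most_avoided_loss(WEIGHTS))
    for name, score in rank_assets(ASSETS, WEIGHTS):
        print(f"{name:18s} {score:6.1f}")
    print("Top asset (page weights, equal weights):",
          priority_shift(ASSETS, WEIGHTS, equal_weights(CRITERIA)))
```

Run it as a script to print the ranked worksheet; the two-weighting comparison in the last line is the Part 2 check, and it makes the point of the question visible: the same impact scores produce a different top asset once the 40-point legal weight is removed.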

Question 4

In NetLab+ Lab 2 you used Wireshark on the "Linux Sniffer" host to view packets on the virtual network. In a physical network what technology makes it possible for a machine to view all the traffic that travels through a switch? Explain, in your own words, how the technology works and what are its shortcomings, if any.

Example Answer

In order to monitor all the traffic on a switch, you use a technology called "mirror port" monitoring. This effectively "mirrors" all the traffic on all the other ports of the switch out the single port that you have your monitor on.
The limitation this imposes, however, is that a switch has the "ability" to move significantly more traffic between ports than it can fit in a single port. For instance, a typical Cisco 3560 switch might have a 32Gb backplane with 48 1G ports on it. If I were to use a single port for a mirror, I would only be able to monitor 1/32 of the potential traffic flowing through the switch.

Grading

A Switched Port Analyzer (SPAN) port is the technology that allows a sniffer or other network analysis device to be attached to a switch: the switch copies frames from the monitored source ports or VLANs to the SPAN destination port. Other names for similar technology (e.g. port mirroring) will also be accepted. Limitations of SPAN ports are that they may not be able to handle all the traffic that flows through a switch (a destination port has one port's bandwidth, so copied traffic beyond that is dropped and the sniffer does not see everything) and that they cannot be used as "normal" network connections.
  • +5 for identifying a SPAN port or similar technology
  • +5 for identifying a limitation of a SPAN port.