
Midterm - Fall 2016

This is the midterm from Fall 2016. Lecture slides for today's class are here

Critical Attributes of Information

Read this short FAQ from the U.S. government:

http://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

It describes a form of information control called a credit freeze. Like all information controls, a credit freeze reduces the value of the information it protects by lessening one or more of the critical attributes of information. What information does a credit freeze protect and what critical attribute of information does it lessen? Be specific and justify your answer. 

Risk Assessment

Part 1 - Examine the following Information Asset Worksheet

| Asset | Criterion 1: Loss of Revenue | Criterion 2: Penalties and Fines | Criterion 3: Loss of Reputation | Weighted Score |
|---|---|---|---|---|
| Weight | 50 | 30 | 20 | 100 |
| Web Servers | 0.5 | 0.1 | 0.8 | |
| DB Servers | 0.5 | 0.8 | 0.2 | |
| Routers | 0.2 | 0.1 | 0.3 | |

Fill in the empty boxes then answer the following questions (you do not have to submit the values in the empty boxes, but you need to know them to answer the questions): 

  1. What loss is the organization most interested in avoiding?
  2. What asset is the highest priority for protection? 

Part 2 - Alternate Scenarios

Changing the relative importance of the criteria may change the determination of the highest priority asset. What is the outcome if all criteria are weighted equally? What does that say about the importance of each asset? 

Threat Categorization

Read the vignette and answer the questions below.

One day my laptop reported errors on its system disk and I called the IT help desk to send someone to fix it. When the IT worker arrived they began recovering my disk and, while logged in as an administrator, left for lunch. I seized the opportunity to "borrow" their administrator rights to elevate the privileges of my account. That way I wouldn't have to call IT to fix something that I could fix myself. I used my newfound administrator rights to install malTorrent, a filesharing program, so that while I was home I could download the latest episodes of HBO's Game of Thrones. (I don't subscribe to HBO so I can't watch it the usual way.)

When I brought my computer back into work things went really wrong. A few minutes after I started working, my boss came into my cube and complained about the email I was sending. I opened my mail reader to see that I had almost 500 unread emails and the number was climbing fast. Not long after that, the company's network collapsed and it took IT two days to restore it to normal.

They fired me for violating the acceptable use policy that I should have read before I clicked "OK". Before they walked me out the door an IT manager told me that malTorrent was infected with a copy of "TapeWorm.A" which spreads from computer to computer and tries to bring down the network so no one notices thieves stealing office supplies.

List all losses that you noticed in the story and for each of them answer the following questions:

  1. What was the CAPEC category of the threat that caused the loss?
  2. Who or what was the threat agent?
  3. If the loss was caused by an attack:
    1. What was the subject and object of the attack?
    2. Was the attack direct or indirect? 

Justify your answers.

Secure Protocols

Wireshark is an open-source packet sniffer. It's an indispensable tool used by professionals to analyze and solve network problems. Security professionals use Wireshark to search for evidence of attackers and malware. I used it recently to discover my phone talking to a mysterious server in China.

If an organization allows the use of Wireshark (by anyone), what is an example of a protocol that the organization should avoid using? Why?