Capas, Tarlac
Final Examination AIS
Name: Christian LeRoy M. David    Section: BSIT-IV    Score: _____________
Answer the following questions:
1. Which of the following security goal(s) does encryption address: (1) Confidentiality (2) Integrity (3) Sender authentication (4) Non-repudiation. (20 points)
2. Please classify each of the following as a violation of (A) confidentiality, (B) integrity, (C) availability, or (D) non-repudiation (explain your answer in not more than 2 sentences):
(e) A registers the domain name PrenticeHall.com and refuses to let the publishing house buy or use the domain name. (5 points)
Availability
3. As you read through each case, ask yourself these questions. (10 points each)
a) What should be the very first course of action?
People should start disciplining themselves, as the anomalies stated mostly come from lacking proper discipline.
b) Should the public be informed about the situation? If so, how will their trust be regained?
The public shouldn't be informed about the situation; only the involved parties should be penalized for what they've done.
c) What steps should be taken to prevent similar attacks in the future?
The person being attacked should be more aware of what's happening in their surroundings and more strict about sensitive information.
d) What are the ethical issues of this situation?
Most of the attacks were made by person A not having person B's approval, which means a breach of privacy of another person.
e) How should students be dealt with if they were the people initiating the attack?
They should be suspended from going to school for some amount of time and make a public apology to the parties involved.
Breached Passwords
There are many ways for people to get passwords. What they do once they have them can be devastating. The important first step in data security is for everyone to take password security seriously. Choosing good passwords, not posting them on your computer, and making sure no one is looking when you are typing them in are all simple steps in password security.
a. Brute force
Hackers used a brute-force password-cracking program to break into the district's computers and initiated a batch of bogus transfers out of the school's payroll account. The transfers were kept below $10,000 to avoid the anti-money laundering reporting requirements. The hackers had almost 20 accomplices they had hired through work-at-home job scams. Over $100,000 was successfully removed from the account. Two days later a school employee noticed the bogus payments. Unfortunately, unlike consumers, who typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges, organizations and companies have roughly two business days to spot and dispute unauthorized activity. This is because school organizations that bank online fall under the Uniform Commercial Code. Due to this law, the district was able to get less than $20,000 of the transfers reversed.
Answer:
Make sure to have a strong password with numerals, symbols and capitalization, as a strong password is virtually impossible to crack in a brute-force attack and, if possible at all, would take time.
b. Shoulder surfing
A former student shoulder surfed (physically observed) the password of an employee while still in high school. After graduating, he used this information to get into the district's student information system. From there, he gained access to a different district's payroll data, including birth dates, social security numbers, and bank account information of 5000 current and former employees. This information was then used for identity theft purposes, including requesting and using credit cards, creating checks and altering bank account information. The perpetrator was caught and arrested after attempting to use a fake check at a local store. At a cost of $62,000 the district gave all of the affected employees fraud prevention and resolution services. According to the district superintendent, the district suffered "damage to our reputation with the public and our employees. Hundreds of hours were spent investigating the extent of the compromised data and developing the plans and procedures to protect staff from further exposure to fraud.... District staff also spent countless hours working with financial institutions, answering employee questions, and preparing internal and external communications. It is impossible to measure lost productivity as employees worried about their financial security and work to change bank account and payroll information."
Answer:
Always be observant of your surroundings, as many malicious people may be watching you enter important private information, which may lead to a bigger problem.
c. Key logger
A group of students installed a keystroke-tracking program (this could also fall under
malware or student hacking) on computers at their high school to grab the user names and
passwords of about 10% of the students, teachers, parents, and administrators that use the
system. The students then used this password information to access the system to change
grades for themselves and others. They did not seem to do anything else to the system
while they had access.
Answer:
Always make sure to have the latest antivirus installed and use an on-screen keyboard if possible when typing confidential data. Make sure no one else is around or looking at the screen if you use an on-screen keyboard.
Malware
a. Malware
Answer:
An antivirus scan with an updated version should be sufficient to detect malware.
b. Botnet
A school network administrator was contacted concerning spam e-mail and other attacks emanating from the district system. When the administrator looked into the problem, it was discovered that several computers had been infected with a botnet. Several of the district computers' operating systems had been commandeered and were being used by the person controlling the botnet for illicit activities.
Answer:
Lost or Stolen Device
A school employee was using a flash drive to transfer personal information of 6000
employees for job related purposes. The information included names, addresses, phone
numbers, dates of birth and Social Security numbers. This flash drive went missing. There is
currently no evidence that the sensitive information has been accessed or used
inappropriately.
Answer:
Always use a flash drive encryption program if important documents are stored on it, so that in case it is lost or stolen it cannot be accessed by the one who finds it.
4. The district has decided to initiate a one-to-one initiative. Each child from middle school through high school will be issued an internet and wireless enabled laptop for use both in and outside of school. Since this is a significant investment of tax dollars, the school board would like a system put into place for theft protection. The system administrator installs a program for remote access of each computer with the capability to track the IP address and take a picture of the current user. If a computer is reported as missing, the system will be activated and the information can be used to recover the computer. There is no mention of this software to the students or parents. If a thief were aware of this software they might be able to disable it, defeating its purpose. Only two district employees have the capability to activate this system. A student was called into the office by the assistant principal and accused of wrong-doing. The proof supplied included a picture of the student taken by his school-issued laptop's webcam after school hours in the privacy of his home. (20 points)
b) Should students be made aware of this type of system being installed on the computer?
Of course the students should be aware, as it violates the integrity of student privacy.
d) What other methods could be used for theft protection and prevention?
Second password and security question software.
5. Identify the answer below that pertains to cryptography.
1.) This is a mode of operation for a block cipher, with the characteristic that each possible block of plaintext has a defined corresponding ciphertext value and vice versa. Answer: Electronic Code Book
2.) In password protection, this is a random string of data used to modify a password hash. Answer: Salt
3.) This is the inclusion of a secret message in otherwise unencrypted text or images. Answer: Steganography
4.) This is the encryption algorithm that will begin to supplant the Data Encryption Standard (DES) - and later Triple DES - over the next few years as the new standard encryption algorithm. Answer: Rijndael
5.) Developed by Philip R. Zimmermann, this is the most widely used privacy-ensuring program by individuals and is also used by many corporations. Answer: Pretty Good Privacy
6.) This is the name for the issuer of a PKI certificate. Answer: Certificate authority
7.) Today, many Internet businesses and users take advantage of cryptography based on this approach. Answer: Public key infrastructure
8.) This was commonly used in cryptography during World War II. Answer: One-time pad
9.) This is a trial and error method used to decode encrypted data through exhaustive effort rather than employing intellectual strategies. Answer: Brute force cracking
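As an added illustration of items 2 and 9 above and of case (a) under Breached Passwords (example code written for this page, not from the exam or the case studies it quotes): why a salt is stored next to a password hash, and how a slow key-derivation function raises the cost of exhaustive guessing. With an unsalted fast hash, every account that picked the same password shares the same stored digest, so one table built from common passwords matches all of them at once; a fresh random salt per account plus PBKDF2 makes each stored digest unique and each guess expensive. The user names, passwords and the three-entry common-password list are constructed sample data, and the helper names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of which chose the same password,
# and a tiny constructed "common passwords" list standing in for a precomputed table.
SAMPLE_USERS = {
    "alice": "Winter2020!",
    "bob": "Winter2020!",
    "carol": "x9#Lq!v2Tz",
}
COMMON_PASSWORDS = ["123456", "password", "Winter2020!"]
ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Deterministic: the same password always
    yields the same digest, so a table built once matches every such account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(candidates) -> dict:
    """Map from unsalted digest back to password, built once and reusable
    against every unsalted account. This is the exposure a salt removes."""
    return {unsalted_hash(p): p for p in candidates}


def make_salted_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Store salt, iteration count and PBKDF2-HMAC-SHA256 digest. The salt is a
    fresh 16-byte random value per record; it is not secret, it only makes the
    digest unique per account so no shared table applies."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def accounts_exposed_by_table(users: dict) -> list:
    """Accounts an unsalted store gives away to a single precomputed table."""
    table = precomputed_table(COMMON_PASSWORDS)
    return sorted(name for name, pw in users.items() if unsalted_hash(pw) in table)


def salted_digests_distinct(users: dict) -> bool:
    """Once salted, even identical passwords produce different stored digests."""
    records = {name: make_salted_record(pw) for name, pw in users.items()}
    return len({r["hash"] for r in records.values()}) == len(records)


if __name__ == "__main__":
    print("unsalted, exposed by one table:", accounts_exposed_by_table(SAMPLE_USERS))
    print("salted digests all distinct:", salted_digests_distinct(SAMPLE_USERS))
    rec = make_salted_record(SAMPLE_USERS["alice"])
    print("correct password verifies:", verify_password(rec, "Winter2020!"))
    print("wrong password verifies:", verify_password(rec, "winter2020!"))
```

Run as a script, the first line lists alice and bob (same password, same unsalted digest, both matched by the table) while carol's uncommon password is not; the salted records are all distinct, and only the exact password verifies. The iteration count is what turns case (a)'s "would take time to be cracked" into a measurable cost: each guess against a stolen record has to repeat the full derivation.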
9. WORM (Write Once Read Many) - describes a data storage device in which information, once written, cannot be modified. This write protection affords the assurance that the data cannot be tampered with once it is written to the device.
10. Shoulder surfing - the practice of spying on the user of an ATM, computer, or other electronic device in order to obtain their personal access information.