
Dominican College of Tarlac

Capas, Tarlac
Final Examination AIS
Name: Christian LeRoy M. David    Section: BSIT-IV    Score: _____________
Answer the following questions:
1. Which of the following security goal(s) does encryption address: (1) Confidentiality
(2) Integrity (3) Sender authentication (4) Non-repudiation. (20 points)

Encryption addresses all of the characteristics mentioned above. Confidentiality because
it allows only those who are given permission to view encrypted data; integrity because
modifications are allowed only by the one who has the passes; authentication because it
determines whether someone or something is, in fact, who or what it is declared to be; and
non-repudiation since a digital signature can only be created by one person, ensuring that a
person cannot later deny that they furnished the signature.

2. Please classify each of the following as a violation of (A) confidentiality, (B) integrity,
(C) Availability, or (D) non-repudiation: (explain your answer in not more than 2 sentences)

(a) A copies B's homework (5 points)

Confidentiality - homework should not be shared, as it is assigned to be done alone in each
student's house.

(b) A crashes B's operating system (5 points)

Integrity - person A will not be trusted by person B if somehow person B knew who crashed
his system. Thus person A loses his integrity.

(c) A changes the amount on B's check from 100 to 1000 (5 points)

Integrity - A is not

(d) A forges B's signature on a land acquisition contract (5 points)

Non-repudiation

(e) A registers the domain name PrenticeHall.com and refuses to let the publishing
house buy or use the domain name. (5 points)

Availability

3. As you read through each case ask yourself these questions. (10 points each)

a) What should be the very first course of action? People should start disciplining
themselves, as the anomalies stated mostly come from a lack of proper discipline.
b) Should the public be informed about the situation? If so, how will their trust be
regained? The public shouldn't be informed about the situation; only the involved
parties should be penalized for what they've done.
c) What steps should be taken to prevent similar attacks in the future? The person
being attacked should be more aware of what's happening in their surroundings
and more strict about sensitive information.
d) What are the ethical issues of this situation? Most of the attacks were made by
person A not having person B's approval, which means a breach of the privacy of
another person.
e) How should students be dealt with if they were the people initiating the attack?
They should be suspended from going to school for some amount of time and make a
public apology to the parties involved.

Breached Passwords

There are many ways for people to get passwords. What they do once they have them can
be devastating. The important first step in data security is for everyone to take password
security seriously. Choosing good passwords, not posting them on your computer, and making
sure no one is looking when you are typing them in are all simple steps in password security.

a. Brute force

Hackers used a brute-force password-cracking program to break into the district's computers
and initiated a batch of bogus transfers out of the school's payroll account. The transfers
were kept below $10,000 to avoid the anti-money laundering reporting requirements. The
hackers had almost 20 accomplices they had hired through work-at-home job scams. Over
$100,000 was successfully removed from the account. Two days later a school employee
noticed the bogus payments. Unfortunately, unlike consumers, who typically have up to 60
days from the receipt of a monthly statement to dispute any unauthorized charges,
organizations and companies have roughly two business days to spot and dispute
unauthorized activity. This is because school organizations that bank online fall under the
Uniform Commercial Code. Due to this law, the district was able to get less than $20,000 of
the transfers reversed.

Answer:

Make sure to have a strong password with numerals, symbols and capitalization, as a strong
password is virtually impossible to crack, and if it is possible, it would take a long time to be
cracked in a brute force attack.
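The brute-force case above turns on how quickly unauthorized activity is spotted. As an added example (not part of the original exam), the following Python script flags brute-force login attempts by counting failed logins per (source, user) pair inside a sliding time window, and reports separately the bursts that end in a successful login, which is the case that most needs an immediate response. The log line format and the sample log lines are constructed for this example and are not records from the case.

```python
"""Added example (not part of the original exam): a small detector that flags
brute-force login attempts by counting failed logins per (source, user)
inside a sliding time window, and notes when a burst is followed by a
successful login. The log format and the sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log: <ISO timestamp> <OK|FAIL> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAIL user=payroll src=203.0.113.7
2024-03-01T08:00:02 FAIL user=payroll src=203.0.113.7
2024-03-01T08:00:03 FAIL user=payroll src=203.0.113.7
2024-03-01T08:00:04 FAIL user=payroll src=203.0.113.7
2024-03-01T08:00:05 FAIL user=payroll src=203.0.113.7
2024-03-01T08:00:06 OK user=payroll src=203.0.113.7
2024-03-01T08:05:00 FAIL user=alice src=198.51.100.20
2024-03-01T08:10:00 FAIL user=admin src=192.0.2.9
2024-03-01T08:10:01 FAIL user=admin src=192.0.2.9
2024-03-01T08:10:02 FAIL user=admin src=192.0.2.9
2024-03-01T08:10:03 FAIL user=admin src=192.0.2.9
2024-03-01T08:10:04 FAIL user=admin src=192.0.2.9
2024-03-01T08:20:00 OK user=alice src=198.51.100.20
"""


def parse_line(line):
    """Split one log line into a dict with a datetime, result flag, user and source."""
    ts_text, result, user_field, src_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts_text),
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (src, user, failure_count, followed_by_success).

    A (src, user) pair is flagged once it accumulates `threshold` failures
    inside `window`; a later successful login for the same pair is reported
    with followed_by_success=True, because the password was probably guessed."""
    recent_failures = defaultdict(deque)  # (src, user) -> failure timestamps in window
    flagged = {}                          # (src, user) -> failure count when flagged
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        key = (event["src"], event["user"])
        queue = recent_failures[key]
        # Expire failures that fell outside the window.
        while queue and event["ts"] - queue[0] > window:
            queue.popleft()
        if event["ok"]:
            if key in flagged:
                alerts.append((key[0], key[1], flagged.pop(key), True))
            queue.clear()
        else:
            queue.append(event["ts"])
            if len(queue) >= threshold:
                flagged[key] = len(queue)
    # Bursts that never led to a successful login are still worth reporting.
    for key, count in flagged.items():
        alerts.append((key[0], key[1], count, False))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample log, the payroll account is reported with a successful login after five failures, the admin burst is reported without one, and the single failure for alice is below the threshold and produces nothing; raising `threshold` or shrinking `window` trades sensitivity for fewer false alerts.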

b. Shoulder surfing

A former student shoulder surfed (physically observed) the password of an employee while
still in high school. After graduating, he used this information to get into the district's
student information system. From there, he gained access to a different district's payroll
data, including birth dates, social security numbers, and bank account information of 5000
current and former employees. This information was then used for identity theft purposes,
including requesting and using credit cards, creating checks and altering bank account
information. The perpetrator was caught and arrested after attempting to use a fake check
at a local store. At a cost of $62,000 the district gave all of the affected employees fraud
prevention and resolution services. According to the district superintendent, the district
"suffered damage to our reputation with the public and our employees. Hundreds of hours
were spent investigating the extent of the compromised data and developing the plans and
procedures to protect staff from further exposure to fraud.... District staff also spent
countless hours working with financial institutions, answering employee questions, and
preparing internal and external communications. It is impossible to measure lost productivity
as employees worried about their financial security and work to change bank account and
payroll information."

Answer:

Always be observant of your surroundings, as many malicious people may be watching you
enter important private information, which may lead to a bigger problem.

c. Key logger

A group of students installed a keystroke-tracking program (this could also fall under
malware or student hacking) on computers at their high school to grab the user names and
passwords of about 10% of the students, teachers, parents, and administrators that use the
system. The students then used this password information to access the system to change
grades for themselves and others. They did not seem to do anything else to the system
while they had access.

Answer:

Always make sure to have the latest antivirus installed and use an on-screen keyboard if
possible when typing confidential data. Make sure no one else is around or looking at the
screen if you use an on-screen keyboard.

Malware
a. Malware

A school computer containing no confidential information was hooked to the network
containing the personal information of over 15,000 students. This computer was breached
with malware designed to steal sensitive data. Names, addresses, phone numbers, dates of
birth and Social Security numbers were all part of the database that was potentially exposed
to this malware. It is uncertain if any of this information was actually accessed, but the
malware was found to have been on the breached computer for approximately five years.

Answer:

An antivirus scan with an updated version should be sufficient to detect malware.

b. Botnet

A school network administrator was contacted concerning spam e-mail and other attacks
emanating from the district system. When the administrator looked into the problem, it was
discovered several computers had been infected with a botnet. Several of the district
computers operating systems had been commandeered and were being used by the person
controlling the botnet for illicit activities.

Answer:

Lost or Stolen Device

a. Lost Flash Drive

A school employee was using a flash drive to transfer personal information of 6000
employees for job related purposes. The information included names, addresses, phone
numbers, dates of birth and Social Security numbers. This flash drive went missing. There is
currently no evidence that the sensitive information has been accessed or used
inappropriately.

Answer:

Always use a flash drive encryption program if important documents are stored on it, so
that in case it is lost or stolen, it cannot be accessed by the one who finds it.

4. The district has decided to initiate a one-to-one initiative. Each child from middle
school through high school will be issued an internet and wireless enabled laptop for use
both in and outside of school. Since this is a significant investment of tax dollars, the school
board would like a system put into place for theft protection. The system administrator
installs a program for remote access of each computer with the capability to track the IP
address and take a picture of the current user. If a computer is reported as missing the
system will be activated and the information can be used to recover the computer. There is
no mention of this software to the students or parents. If a thief was aware of this software
they may be able to disable it, defeating its purpose. Only two district employees have the
capability to activate this system. A student was called into the office by the assistant
principal and accused of wrong-doing. The proof supplied included a picture of the student
taken by his school-issued laptop's webcam after school hours in the privacy of his home.
(20 points)

a) Is this type of system appropriate for use on a school computer?

No, because it breaches the privacy of the students who will be using this system.

b) Should students be made aware of this type of system being installed on the computer?

Of course the students should be aware, as it violates the integrity of student privacy.

c) How can the school ensure this system is used correctly?

Only one administrator should be using this program, and the control for taking a
picture of the current user should be removed. A tracking system should be implemented instead.

d) What other methods could be used for theft protection and prevention?

Second password and security question software.

5. Identify the answer below that pertains to cryptography.

Electronic Code Book - 1.) This is a mode of operation for a block cipher, with the
characteristic that each possible block of plaintext has a defined corresponding ciphertext
value and vice versa.

Salt - 2.) In password protection, this is a random string of data used to modify a
password hash.

Steganography - 3.) This is the inclusion of a secret message in otherwise
unencrypted text or images.

Rijndael - 4.) This is the encryption algorithm that will begin to supplant the Data
Encryption Standard (DES) - and later Triple DES - over the next few years as the new
standard encryption algorithm.

Pretty Good Privacy - 5.) Developed by Philip R. Zimmermann, this is the most widely used
privacy-ensuring program by individuals and is also used by many corporations.

Certificate authority - 6.) This is the name for the issuer of a PKI certificate.

Public key infrastructure - 7.) Today, many Internet businesses and users take advantage of
cryptography based on this approach.

One-time pad - 8.) This was commonly used in cryptography during World War II.

Brute force cracking - 9.) This is a trial and error method used to decode encrypted data
through exhaustive effort rather than employing intellectual strategies.

Private key - 10.) This is an encryption/decryption key known only to the party or
parties that exchange secret messages.

6. Define the following terms that refer to passwords.

1. Authentication - authentication is commonly done through the use of login IDs
(user names) and passwords. Knowledge of the login credentials is assumed
to guarantee that the user is authentic.

2. Strong Password - a strong password consists of at least six characters (and
the more characters, the stronger the password) that are a combination of
letters, numbers and symbols (@, #, $, %, etc.) if allowed. Passwords are
typically case-sensitive, so a strong password contains letters in both
uppercase and lowercase.

3. Password Cracker - password cracking is the process of recovering passwords
from data that have been stored in or transmitted by a computer system.

4. PIN or Personal Identification Number - a number allocated to an individual
and used to validate electronic transactions.

5. SSO (Single Sign On) - a property of access control of multiple related, but
independent software systems. With this property a user logs in once and
gains access to all systems without being prompted to log in again at each of
them.

6. Identity Chaos - a situation in which users have multiple identities and
passwords across a variety of networks, applications, computers and/or
computing devices.

7. Phishing - the activity of defrauding an online account holder of financial
information by posing as a legitimate company.

8. Social Engineering - a non-technical method of intrusion hackers use that
relies heavily on human interaction and often involves tricking people into
breaking normal security procedures.

9. WORM (Write Once Read Many) - describes a data storage device in which
information, once written, cannot be modified. This write protection affords
the assurance that the data cannot be tampered with once it is written to the
device.

10. Shoulder surfing - the practice of spying on the user of an ATM, computer, or
other electronic device in order to obtain their personal access information.
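The "Salt" item in question 5 and the "Strong Password" and "Password Cracker" definitions in question 6 fit together: a salt makes two users with the same password store different hashes, a slow hash makes each guess expensive for a password cracker, and a strength rule keeps the guess space large. The following Python script is an added example, not part of the original exam. It hashes passwords with PBKDF2 over a per-user random salt (a standard-library call), verifies them in constant time, shows the stored-hash collision that unsalted hashing produces, and applies the strong-password definition given above (at least six characters, both cases, a digit and a symbol). The iteration count, the 16-byte salt length and the sample passwords are constructed for this example.

```python
"""Added example (not part of the original exam): salted, slow password
hashing, and a strength check that follows the strong-password definition
given above. The iteration count, the 16-byte salt length and the sample
passwords are constructed for this example, not values from the page."""
import hashlib
import hmac
import os
import string

ITERATIONS = 200_000  # constructed value; raising it makes each guess slower


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two users with the same password get different stored digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


def stored_hashes_collide(password_a, password_b, salted):
    """True when two accounts with these passwords would store the same value.
    Unsalted hashing reveals that two users share a password; salted does not."""
    if salted:
        return hash_password(password_a)[1] == hash_password(password_b)[1]
    digest_a = hashlib.sha256(password_a.encode("utf-8")).digest()
    digest_b = hashlib.sha256(password_b.encode("utf-8")).digest()
    return digest_a == digest_b


def is_strong(password):
    """Strong-password rule from the definition above: at least six characters,
    letters in both cases, at least one digit and at least one symbol."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return len(password) >= 6 and has_upper and has_lower and has_digit and has_symbol


if __name__ == "__main__":
    salt, digest = hash_password("Pa$5word")  # constructed sample password
    print("strong:", is_strong("Pa$5word"))
    print("verify correct:", verify_password("Pa$5word", salt, digest))
    print("verify wrong:", verify_password("password", salt, digest))
    print("unsalted collide:", stored_hashes_collide("Pa$5word", "Pa$5word", salted=False))
    print("salted collide:", stored_hashes_collide("Pa$5word", "Pa$5word", salted=True))
```

Only the salt and the digest are stored; the salt is not secret, its job is to make precomputed hash tables useless and to hide which users share a password, while the iteration count is what slows a brute-force cracker down.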
