quiz

1.8 Exercises1. Distinguish between vulnerability, threat, and control.2. Theft usually results in some kind of harm. For example, if someone stealsyour car, you may suffer financial loss, inconvenience (by losing your mode oftransportation), and emotional upset (because of invasion of your personalproperty and space). List three kinds of harm a company might experience fromtheft of computer equipment.3. List at least three kinds of harm a company could experience from electronicespionage or unauthorized viewing of confidential company materials.4. List at least three kinds of damage a company could suffer when the integrityof a program or company data is compromised.5. List at least three kinds of harm a company could encounter from loss ofservice, that is, failure of availability. List the product or capability to whichaccess is lost, and explain how this loss hurts the company.6. Describe a situation in which you have experienced harm as a consequence ofa failure of computer security. Was the failure malicious or not? Did the attacktarget you specifically or was it general and you were the unfortunate victim?7. Describe two examples of vulnerabilities in automobiles for which automanufacturers have instituted controls. Tell why you think these controls areeffective, somewhat effective, or ineffective.8. One control against accidental software deletion is to save all old versions ofa program. Of course, this control is prohibitively expensive in terms of cost ofstorage. Suggest a less costly control against accidental software deletion. Isyour control effective against all possible causes of software deletion? If not,what threats does it not cover?9. On your personal computer, who can install programs? Who can changeoperating system data? Who can replace portions of the operating system? Canany of these actions be performed remotely?10. Suppose a program to print paychecks secretly leaks a list of names of employeesearning more than a certain amount each month. What controls could be instituted tolimit the vulnerability of this leakage?11. Preserving confidentiality, integrity, and availability of data is a restatement of theconcern over interruption, interception, modification, and fabrication. How do thefirst three concepts relate to the last four? That is, is any of the four equivalent to oneor more of the three? Is one of the three encompassed by one or more of the four?12. Do you think attempting to break in to (that is, obtain access to or use of) acomputing system without authorization should be illegal? Why or why not?13. Describe an example (other than the ones mentioned in this chapter) of datawhose confidentiality has a short timeliness, say, a day or less. Describe an exampleof data whose confidentiality has a timeliness of more than a year.14. Do you currently use any computer security control measures? If so, what?Against what attacks are you trying to protect?15. Describe an example in which absolute denial of service to a user (that is, the usergets no response from the computer) is a serious problem to that user. Describeanother example where 10 percent denial of service to a user (that is, the user’scomputation progresses, but at a rate 10 percent slower than normal) is a seriousproblem to that user. Could access by unauthorized people to a computing systemresult in a 10 percent denial of service to the legitimate users? How?16. When you say that software is of high quality, what do you mean? How doessecurity fit in your definition of quality? For example, can an application be insecureand still be “good”?17. Developers often think of software quality in terms of faults and failures. Faultsare problems (for example, loops that never terminate or misplaced commas instatements) that developers can see by looking at the code. Failures are problems,such as a system crash or the invocation of the wrong function, that are visible to theuser. Thus, faults can exist in programs but never become failures, because theconditions under which a fault becomes a failure are never reached. How do softwarevulnerabilities fit into this scheme of faults and failures? Is every fault avulnerability? Is every vulnerability a fault?18. Consider a program to display on your website your city’s current time andtemperature. Who might want to attack your program? What types of harm mightthey want to cause? What kinds of vulnerabilities might they exploit to cause harm?19. Consider a program that allows consumers to order products from the web. Whomight want to attack the program? What types of harm might they want to cause?What kinds of vulnerabilities might they exploit to cause harm?20. Consider a program to accept and tabulate votes in an election. Who might wantto attack the program? What types of harm might they want to cause? What kinds ofvulnerabilities might they exploit to cause harm?21. Consider a program that allows a surgeon in one city to assist in an operation on apatient in another city via an Internet connection. Who might want to attack theprogram? What types of harm might they want to cause? What kinds ofvulnerabilities might they exploit to cause harm?1. Describe each of the following four kinds of access control mechanisms interms of (a) ease of determining authorized access during execution, (b) ease ofadding access for a new subject, (c) ease of deleting access by a subject, and (d)ease of creating a new object to which all subjects by default have access.• per-subject access control list (that is, one list for each subject tellsall the objects to which that subject has access)• per-object access control list (that is, one list for each object tells allthe subjects who have access to that object)• access control matrix• capability2. Suppose a per-subject access control list is used. Deleting an object in such asystem is inconvenient because all changes must be made to the control lists ofall subjects who did have access to the object. Suggest an alternative, less costlymeans of handling deletion.3. File access control relates largely to the secrecy dimension of security. Whatis the relationship between an access control matrix and the integrity of theobjects to which access is being controlled?4. One feature of a capability-based protection system is the ability of oneprocess to transfer a copy of a capability to another process. Describe a situationin which one process should be able to transfer a capability to another.5. Suggest an efficient scheme for maintaining a per-user protection scheme.That is, the system maintains one directory per user, and that directory lists allthe objects to which the user is allowed access. Your design should address theneeds of a system with 1000 users, of whom no more than 20 are active at anytime. Each user has an average of 200 permitted objects; there are 50,000 totalobjects in the system.6. Calculate the timing of password-guessing attacks:(a) If passwords are three uppercase alphabetic characters long, how muchtime would it take to determine a particular password, assuming that testingan individual password requires 5 seconds? How much time if testingrequires 0.001 seconds?(b) Argue for a particular amount of time as the starting point for “secure.”That is, suppose an attacker plans to use a brute-force attack to determine apassword. For what value of x (the total amount of time to try as manypasswords as necessary) would the attacker find this attack prohibitivelylong?(c) If the cutoff between “insecure” and “secure” were x amount of time,how long would a secure password have to be? State and justify yourassumptions regarding the character set from which the password isselected and the amount of time required to test a single password.7. Design a protocol by which two mutually suspicious parties can authenticateeach other. Your protocol should be usable the first time these parties try toauthenticate each other.8. List three reasons people might be reluctant to use biometrics forauthentication. Can you think of ways to counter those objections?9. False positive and false negative rates can be adjusted, and they are oftencomplementary: Lowering one raises the other. List two situations in which falsenegatives are significantly more serious than false positives.10. In a typical office, biometric authentication might be used to control access toemployees and registered visitors only. We know the system will have some falsenegatives, some employees falsely denied access, so we need a human override,someone who can examine the employee and allow access in spite of the failedauthentication. Thus, we need a human guard at the door to handle problems, as wellas the authentication device; without biometrics we would have had just the guard.Consequently, we have the same number of personnel with or without biometrics,plus we have the added cost to acquire and maintain the biometrics system. Explainthe security advantage in this situation that justifies the extra expense.11. Outline the design of an authentication scheme that “learns.” The authenticationscheme would start with certain primitive information about a user, such as name andpassword. As the use of the computing system continued, the authentication systemwould gather such information as commonly used programming languages; dates,times, and lengths of computing sessions; and use of distinctive resources. Theauthentication challenges would become more individualized as the system learnedmore information about the user.• Your design should include a list of many pieces of informationabout a user that the system could collect. It is permissible for thesystem to ask an authenticated user for certain additional information,such as a favorite book, to use in subsequent challenges.• Your design should also consider the problem of presenting andvalidating these challenges: Does the would-be user answer a truefalseor a multiple-choice question? Does the system interpret naturallanguage prose?12. How are passwords stored on your personal computer?13. Describe a situation in which a weak but easy-to-use password may be adequate.14. List three authentication questions (but not the answers) your credit cardcompany could ask to authenticate you over the phone. Your questions should beones to which an imposter could not readily obtain the answers. How difficult wouldit be for you to provide the correct answer (for example, you would have to looksomething up or you would have to do a quick arithmetical calculation)?15. If you forget your password for a website and you click [Forgot my password],sometimes the company sends you a new password by email but sometimes it sendsyou your old password by email. Compare these two cases in terms of vulnerabilityof the website owner.16. Defeating authentication follows the method–opportunity–motive paradigmdescribed in Chapter 1. Discuss how these three factors apply to an attack onauthentication.17. Suggest a source of some very long unpredictable numbers. Your source must besomething that both the sender and receiver can readily access but that is not obviousto outsiders and not transmitted directly from sender to receiver.18. What are the risks of having the United States government select a cryptosystemfor widespread commercial use (both inside and outside the United States). Howcould users from outside the United States overcome some or all of these risks?19. If the useful life of DES was about 20 years (1977–1999), how long do youpredict the useful life of AES will be? Justify your answer.20. Humans are said to be the weakest link in any security system. Give an examplefor each of the following:(a) a situation in which human failure could lead to a compromise ofencrypted data(b) a situation in which human failure could lead to a compromise ofidentification and authentication(c) a situation in which human failure could lead to a compromise of accesscontrol21. Why do cryptologists recommend changing the encryption key from time totime? Is it the same reason security experts recommend changing a password fromtime to time? How can one determine how frequently to change keys or passwords?22. Explain why hash collisions occur. That is, why must there always be twodifferent plaintexts that have the same hash value?23. What property of a hash function means that collisions are not a securityproblem? That is, why can an attacker not capitalize on collisions and change theunderlying plaintext to another form whose value collides with the hash value of theoriginal plaintext?24. Does a PKI perform encryption? Explain your answer.25. Does a PKI use symmetric or asymmetric encryption? Explain your answer.26. Should a PKI be supported on a firewall (meaning that the certificates would bestored on the firewall and the firewall would distribute certificates on demand)?Explain your answer.27. Why does a PKI need a means to cancel or invalidate certificates? Why is it notsufficient for the PKI to stop distributing a certificate after it becomes invalid?28. Some people think the certificate authority for a PKI should be the government,but others think certificate authorities should be private entities, such as banks,corporations, or schools. What are the advantages and disadvantages of eachapproach?29. If you live in country A and receive a certificate signed by a governmentcertificate authority in country B, what conditions would cause you to trust thatsignature as authentic?30. A certificate contains an identity, a public key, and signatures attesting that thepublic key belongs to the identity. Other fields that may be present include theorganization (for example, university, company, or government) to which thatidentity belongs and perhaps suborganizations (college, department, program, branch,office). What security purpose do these other fields serve, if any? Explain youranswer.