Week 1

Security Policy (graded)

Policy is central to affecting security in organizations. Using the security policy for your workplace (or other organization with which you are familiar), what are some key features that allow personnel to control security? Are there any deficiencies? What can be added that would improve security?

 

Security CBK (graded)

The security Common Body of Knowledge (CBK) describes what security professionals collectively know about the discipline. What knowledge domains are included in the CBK? What do you think will be added to the CBK in the future?

This section lists options that can be used to view responses.

Week 2

Compliance Legislation (HIPAA) (graded)

How can we utilize the four types of security policies to develop a HIPAA security program for organizations? What kinds of information does HIPAA protect? What kinds of organizations does HIPAA cover?

 

Intellectual Property (IP) (graded)

Your organization has asked you to assist in the discussion about how to best protect its intellectual property (IP). The engineers in your organization have developed new database and ordering software to support a faster process for fulfilling customer orders. Which of the various forms of IP protection will you recommend for safeguarding the engineers’ work? Should it be protected at all? What does the organization risk by getting IP protection?

 

Week 3

Snack Cake Security (graded)

Your company has a special recipe for snack cakes. This snack cake is a key product in your company’s lineup, and it is responsible for a large majority of shareholder value. Using a security model described in the text, describe Security and the OSI Model (graded)

Security can have a cumulative effect. Consider the OSI model as a key component of the Common Body of Knowledge. For definitions of OSI layers, click here: OSI Layers. What is the OSI model about, and how can we use it when we are selecting security controls?
e an approach that will allow this important recipe to be kept secure.

 

Week 4

Amusement Security (graded)

Your company is in the business of entertainment; they run an amusement park. There are thousands of people all over the park every day. It is very important to control who has access to what, and not just for visitors, but for employees as well. Define groups of people, and indicate how you would control physical access for them.

 

Security Operations Changes (graded)

Describe how to insert changes in the operational security of the organization. How do you manage those who do not want to accept the changes?

This section lists options that can be used to view responses.

 

Week 5

Backup and Recovery Planning (graded)

Why are backups so often overlooked in an organization? How do we sell the benefits of spending money on backup solutions to business managers and executives?

Access Control Lists (graded)

Access control lists are very valuable for administering granular control over an organization’s resources. So why do a lot of organizations opt not to use them in lieu of more general super user or administrator accounts?

 

Week 6

Cryptograhy (graded)

Which algorithm is more secure: AES256 or AES128? Why?

The Enterprise Firewall is Dead (graded)
A popular computer network publication stated at one time that the enterprise firewall was dead. It boldly stated that the exterior firewalls of the organization should be torn down and replaced with host-based firewalls instead. Is this insane, or is it the best new practice in security management? Explain your answer.

This section lists options that can be used to view responses.

 

Week 7

Intrusion Detection (graded)

Your organization’s business manager has read an article about how intrusion detection systems can help deter hackers. He or she wants to spearhead a campaign to deploy them around the company’s locations in three states. Since an IDS can help deter hackers, does this make it a worthwhile project, or is there some reason to be wary? Specific to this example, how do you respond to ad hoc security requests like this? In general, how can you keep requests like this in check

 

Secure as a Car (graded)

Engineering software is like engineering a car; if one were so inclined, there could be a completely bug- and security-free application. Do you agree with this? Why or why not?

 

Week 2 You Decide

You Decide

Information Systems Use Security Policy: Write a paper consisting of 500-1,000 words (double spaced) about your experience in the Week 1 You Decide exercise. Briefly explain some of the issues that a company may face as it experiences growth, and begin to address the proper use of their information systems.

Students should see Appendix C of the textbook for examples of policies that address the issues that companies may face.

View Grading Rubric

Submit your assignment to the Dropbox located on the silver tab at the top of this page. For instructions on how to use the Dropbox, read thesestep-by-step instructions or watch this

 

Week 5 and 6

 

YOU DECIDE

Scenario, Your Role, Key Players

Information Systems Use Security Policy
ScenarioScenario descriptionRoleWhat is Your Role in this scenario?PlayersLearn more about the Key Players in this scenario.DeliverableWhat would you to resolve this scenario?
Scenario
Sunshine Machine Works, who recently expanded its infrastructure, now needs to ensure that any authorized employee can access the intranet. Sales people and management staff frequently travel to remote locations, and often require access to documents stored on the intranet file server.Play00:00Mute
Role
You are the IT Services manager for Sunshine Machine Works. You are to assess the information presented and provide a response to management on how remote access may be handled for Sunshine Machine Works.Play00:00Mute

Players
StoneChief Executive Officer Margie NelsonChief Financial Officer GarThomasGeneral Manager
Deliverable
Given the scenario, your role and the information provided by the key players involved, it is time for you to make a decision.<br><br>If you are finished reviewing this scenario, close this window and return to this Week’s You Decide tab, in eCollege, to complete the activity for this scenario.<br><br>You can return and review this scenario again at any time.
YOUDECIDE

 

Activity
Assignment
Since you are responsible for IT Services and want to keep the systems and network functioning effectively, you will want to provide technical guidance and leadership on this issue.

Follow the instructions provided in the You Decide Exercise: Cryptographic Tunneling and the OSI Model.

Write a paper consisting of 500-1,000 words (double-spaced) on the security effects of cryptographic tunneling based on an understanding of the OSI (Open Systems Interconnect) model.
Review the OSI Simulation in the week 3 lecture.
Provide input on the type of cryptographic tunneling protocols (e.g., L2TP, IPSEC, SSL, etc.) which may be used, the layer(s) of the OSI at which each operates, and also recommend how they may be implemented. Cryptographic tunneling is inherent in building any common virtual private network (VPN).
Grading Rubric:

Category    Points    Description
Understanding    20    Demonstrate a strong grasp of the problem at hand. Demonstrate understanding of how the course concepts apply to the problem.
Analysis    20    Apply original thought to solving the business problem. Apply concepts from the course material correctly toward solving the business problem.
Execution    10    Write your answer clearly and succinctly using strong organization and proper grammar. Use citations correctly.
Total    50    A quality paper will meet or exceed all of the above requirements.
Note!
Submit your assignment to the Dropbox located on the silver tab at the top of this page. For instructions on how to use the Dropbox

 

 

Cryptographic Tunneling and the OSI Model

Write a paper consisting of 500-1,000 words (double-spaced) on the security effects of cryptographic tunneling based on an understanding of the OSI (Open Systems Interconnect) model (Review the OSI Simulation in the Week 3 Lecture).

Provide input on the type of cryptographic tunneling protocols (e.g., L2TP, IPSEC, SSL, etc.) that may be used, the layer(s) of the OSI at which each operates, and also recommend how they may be implemented. Cryptographic tunneling is inherent in building any common virtual private network (VPN).

View Grading Rubric

 

Submit your assignment to the Dropbox located on the silver tab at the top of this page. For instructions on how to use the Dropbox, read these step-by-step instructions

 

 

Physical Security Simulation Report

Compose a report on the experience of performing the Physical Security survey. Students will write a report consisting of 250-500 words (double-spaced) on experiences in the Physical Security Simulation (see tab under Week 4).

View Grading Rubric

 

Submit your assignment to the Dropbox located on the silver tab at the top of this page. For instructions on how to use the Dropbox, read thesestep-by-step instructions

 

 

Physical Security Simulation Report

Compose a report on student experience in performing the Physical Security survey. Students will write a 250–500 word report (double-spaced) on experiences in the Physical Security Simulation.

Note: The correct information for the physical security survey is provided at the end of the simulation. The people who were interviewed were aware ahead of time that the survey was to take place and were also aware of the problems of concern to management.

Students should focus on the problems of acquiring good information through a physical security survey. Did the people you interviewed mislead you (either intentionally or unintentionally)? How did you go about obtaining good or correct information?

The purpose of this project is to make students aware of some important issues that arise in a facility security survey.

 

QUIZZES

(TCO 1) Defense-in-depth is a _____.

security requirement

security model

security strategy

security policy

security control

 

Question 2. Question :

(TCO 1) What are the common effects of controls?

Prevention, detection, and response

Administration, technology, and physical

Detection, accounting, and access control

Identification, audit, and access control

Confidentiality, integrity, and availability

 

Question 3. Question :

(TCO 1) Information security managers should not be motivated by _____.

IN concern for the well-being of society

governmental regulation

fear, uncertainty, and doubt

promotion potential

readiness

:

Question 4. Question :

(TCO 1) The unique security issues and considerations of every system make it crucial to understand all of the following, except _____.

security standards

security skills of developers

hardware and software security configurations

data sensitivity

IN the business of the organization

 

Question 5. Question :

(TCO 2) Which of the following domains is not part of the IISSCC CBK?

Architecture

Project Management

Ethics

Law

Operations Security

 

Question 6. Question :

(TCO 2) A security event that causes damage is called _____.

IN a compromise

a violation

an incident

a mishap

a transgression

 

Question 7. Question :

(TCO 2) What is the enemy of security?

Industry

Foreign nations

Competitors

Complexity

People

 

Question 8. Question :

(TCO 2) What are the effects of security controls?

Confidentiality, integrity, and availability

Administrative, physical, and operational

Detection, prevention, and response

Management, operational, and technical

None of the above

 

Question 9. Question :

(TCO 1) Policies and procedures are often referred to as _____.

models

a necessary evil

guidelines

documentation

 

Question 10. Question :

(TCO 2) There are _____ domains of the Common Body of Knowledge.

12

nine

11

10

 

Question 1. Question

(TCO 3) _____ conduct periodic risk-based reviews of information assets, policies, and procedures.

Security testers

Vendor managers

Internal auditors

Access coordinators

Technical managers

 

 

Question 2. Question :

(TCO 3) An excellent document to review for best practices in security management is _____.

IN ISO/IEC 17799

BS 7799

ISO/IEC 27001

Appendix H of NIST SP 800-53

Any of the above

 

Question 3. Question :

(TCO 3) An organization’s security posture is defined and documented in _____ that must exist before any computers are used.

standards

guidelines

procedures

policies

All of the above

 

Question 4. Question :

(TCO 3) What does SDLC stands for?

Software development license cycle

Software development life cycle

System development life cycle

System definition life cycle

None of the above

Lecture

 

 

Question 5. Question :

(TCO 4) Various countries have different views of individual privacy. The European Union (EU) has very different privacy laws than the United States has. To allow U.S. companies better ease of operation in the European Union, the Department of Commerce negotiated the _____ with the EU.

privacy treaty

Memorandum of Agreement regarding privacy

Privacy Reciprocity Act of 1993

international safe harbor principles

Privacy Act of 1983

 

 

Question 6. Question :

(TCO 4) Which of the following “commandments” should be part of the information security professional’s code of ethics?

I will abide by the Constitution of the United States.

I will dress appropriately for the company environment.

I will protect the equities of senior management.

I will act honorably, honestly, justly, responsibly, and legally.

 

 

Question 7. Question :

(TCO 5) Information hiding or data hiding is implemented through _____.

abstraction

encapsulation

layering

isolated storage

encryption

 

 

Question 8. Question :

(TCO 5) A reference monitor is _____.

a security model

a security control

a network security model

only appropriate in ringed architecture

Text, page 90 and lecture

 

 

Question 9. Question :

(TCO 4) Denial of service attacks, rogue code, and software piracy are some of the ways that _____ commit crimes.

aggressive programmers

computer enthusiasts

cyber criminals

foreign operatives

 

 

 

Question 10. Question :

 

(TCO 5) The _____ can be illustrated using something known as a ring of trust.

TCB

principle of least privilege

secondary storage zone

kernel

 

 

Question 1. Question

 

 

 

(TCO 6) The layers of physical security defense in depth do not include _____.

monitoring (video or human)

intrusion detection/prevention

mechanical and electronic

environmental

security clearances

 

(Week 4 Lecture) Security clearances are personnel security controls. Authenticating clearances may well be part of the physical security process.

 

 

 

Question 2. Question :

(TCO 6) Which of the following are categories of intrusion detection devices?

Door sensors

Biometric detectors

Perimeter detectors

Security detectors

All of the above

Text, pages 175-176

 

 

 

Question 3. Question :

(TCO 6) Physical security deals with all of the following except _____.

buildings

logical systems

computer rooms

computer devices

fences

Text, Chapter 8, p. 165

 

 

Question 4. Question :

 

(TCO 7) Security operations generally does not provide controls for _____.

IN personnel security

resource protection

backup and recovery of locally stored workstation data

privileged entity controls

virus scanning

Text, page 193

 

 

 

 

Question 5. Question :

(TCO 7) Security operations does NOT use controls for _____.

threats

vulnerabilities

intrusions

communications devices

management decision making

(Lecture) Security operations provides information to management, but does not decide for management.

 

 

 

 

Question 6. Question :

(TCO 8) Disaster recovery planning includes all of the following except _____.

IT systems and applications

application data

data entry users

networks

IN communication lines

Text, pages 129-133

 

 

Question 7. Question :

(TCO 8) A business impact analysis identifies _____.

risks to the business

quantifies risks

risks to the business if critical services are discontinued

IN priorities of restoring critical services

All of the above

Text, Chapter 6, p. 128

 

 

Question 8. Question :

(TCO 9) The minimum set of access rights or privileges needed to perform a specific job description is called _____.

separation of duties

least privilege

privileged controls

separation of privilege

Text, pages 188 & 206

 

 

Question 9. Question :

(TCO 9) Which of the following is NOT true for RADIUS?

Uses remote access Dial-In User Service

Used by AOL to authenticate users

Creates a private tunnel between end points

Policies can be centrally administered

Can use multifactor authentication

(Text, p. 220) Radius is not a tunneling technology.

 

 

Question 10. Question :

(TCO 9) The predominant strategy that is used to assure confidentiality is _____.

biometric authentication

discretionary access control

role-based access control

symmetric encryption

the principle of least privilege

Text, page 206

Question 1 . Question

(TCO 10) Secure hashing is also known as _____.

public-key cryptography

a message digest

Transport Layer Security

Secure Sockets Layer

IPSec

Instructor Explanation: Week 6 Lecture and page 239 of course text

 

 

Question 2. Question :

(TCO 10) Which of the following uses symmetric-key or shared-secret cryptography?

AES

RSA

Diffie Hellman

IN MD5

PSA

Instructor Explanation: Week 6 Lecture and pages 244-245 of course text

 

 

 

Question 3. Question :

(TCO 11) Firewalls do not _____.

block unauthorized traffic

detect tampering

use simple software

filter words or phrases in traffic

enforce a security policy

Instructor Explanation: Week 6 Lecture and pages 275-279 of course text

 

 

 

Question 4. Question :

(TCO 11) Which of the following is not a characteristic of a proxy server?

Configured to allow access only to specific systems

Maintains detailed audit information

Dependent on all other proxies on the bastion host

Runs as a nonprivileged user

Any service that is not supported by the proxy server is blocked.

Instructor Explanation: Page 273 of course text and Week 6 Lecture

 

 

 

 

Question 5. Question :

(TCO 12) Modern intrusion detection systems act as sensors for hosts and network devices and work in a centrally controlled distributed fashion using _____.

software

remote procedure calls

agent technology

common interfaces

access to local audit records

Instructor Explanation: (Week 7 Lecture) Distributed agent technology with a central management module is most common.

 

Question 6. Question :

(TCO 12) A decoy used to lure intruders into staying around is called a(n) _____.

pharm

phish

entrapment

honeypot

mug of ale

Instructor Explanation: (Week 7 Lecture) A honeypot is a decoy to capture the attention of intruders. A mug of ale might work, but that is not software!

 

Question 7. Question :

(TCO 12) An event where seemingly harmless data is forwarded by the router to a host on an internal network is known as a _____.

drive-by attack

proxy-server attack

data-driven attack

penetration testing

steganography

Instructor Explanation: Page 271 of course text

 

 

 

Question 8. Question :

(TCO 13) Which form of malware is dependent on operating systems and replicating?

Trap door

Virus

Worm

Trojan

Logic bomb

Instructor Explanation: Week 7 Lecture and page 304 of course text

 

 

 

 

Question 9. Question :

(TCO 13) Which phase of the SDLC should have security representation?

Concept definition

Requirements definition

Design

Test and Evaluation

All phases

Instructor Explanation: Week 7 Lecture and page 307 of course text

 

 

 

Question 10. Question :

(TCO 13) Which form of malware contains hidden and malicious functions disguised as a utility program that performs useful work?

Trap door

Virus

Worm

Trojan horse

Logic bomb

Instructor Explanation: Page 304 of course text

 

 

FINAL

Page 1

Question 1.1. (TCO 1) Security policy contains three kinds of rules as policy clauses. What are they? (Points : 5)

Preventive, detective, and responsive

Prohibitive, permissive, and mandatory

Administrative, technical, and physical

Management, technical, and operational

Roles, responsibilities, and exemptions

 

Question 2.2. (TCO 2) The _____ of the 17 NIST control _____ can be placed into the 10 IISSCC _____ comprising the common body of knowledge for information security. (Points : 5)

technologies, domains, families

controls, families, domains

domains, families, technologies

principles, domains, families

controls, domains, principles

 

Question 3.3. (TCO 2) What are the effects of security controls? (Points : 5)

Confidentiality, integrity, and availability

Administrative, physical, and operational

Detection, prevention, and response

Management, operational, and technical

 

Question 4.4. (TCO 3) Three of the most important jobs of security management are to ensure _____ are organized according to sensitivity, ensure that roles maintain _____, and to manage _____ because that is the enemy of security. (Points : 5)

assets, accountability, software

assets, separation of duties, complexity

software, separation of duties, complexity

software, accountability, people

people, separation of duties, technology

 

Question 5.5. (TCO 4) “There shall be a way for an individual to correct information in his or her records” is a clause that might be found in a _____. (Points : 5)

law

code of ethics

corporate policy

fair information practices statement

Any of the above

 

Question 6.6. (TCO 5) Evaluation of ideas for security may use _____, which are _____ that are not meant to be _____. (Points : 5)

criteria, models, solutions

controls, abstractions, solutions

solutions, abstractions, models

models, abstractions, solutions

models, controls, solutions

 

Question 7.7. (TCO 6) Many believe that the most important physical security control is _____. (Points : 5)

closed-circuit television

a good security plan

an educated workforce

certified security staff

resources

 

Question 8.8. (TCO 7) The mission of the security operations center might best be described as _____. (Points : 5)

continuous monitoring

maintaining the known good state

policy enforcement

reporting to management

configuration management

 

Question 9.9. (TCO 8) Alternate sites used in disaster recovery would normally not include which of the following? (Points : 5)

Hot site

Cold site

Warm site

Shared site

Alternate site

 

Question 10.10. (TCO 9) The basic elements of any access control model is a reference monitor that mediates access to _____ by _____. (Points : 5)

files, people

objects, subjects

files, principals

named resources, named users

computer time, applications

 

Question 11.11. (TCO 10) In a network system, you will normally find that _____ are encrypted using asymmetric cryptography, and _____ are encrypted using symmetric cryptography. (Points : 5)

signatures, messages

messages, data

hash totals, messages

messages, hash totals

data, messages

 

Question 12.12. (TCO 10) A company wants to assure customers that their online transactions are secure. Given this scenario, what should the company do? (Points : 5)

Use symmetric keys

Issue smart cards

Implement SSL

Use IPSec

Set up VPN connections

 

Question 13.13. (TCO 11) A packet-filtering router operates at OSI Layer 3 so it can filter Internet protocol source and destination addresses, but it can also filter _____ port numbers. (Points : 5)

Layer 1

Layer 2

Layer 3

Layer 4/7

applications

 

Question 14.14. (TCO 12) The two standard approaches to intrusion detection are _____ and _____. (Points : 5)

access control, firewall

anomaly, rule

policy, label

role, account

user, program

 

Question 15.15. (TCO 13) All of the following are obscure reasons why distributed systems are more prevalent now than in the past, expect for which one? (Points : 5)

Improved performance

Increased availability

Greater versatility

Efficient business models

 

Page 2

Question 1. 1. (TCO 1) Explain what is wrong with this policy clause, and show how you could fix it. People shall obey corporate policies. (Points : 15)

Question 2. 2. (TCO 2) Briefly explain the relationship of the known good state to the three effects of security controls–prevention, detection, and recovery. (Points : 15)

Question 3. 3. (TCO 3) Briefly explain how defense in depth is a management strategy for security. (Points : 15)

Question 4. 4. (TCO 4) Briefly explain what needs to be accomplished before your company monitors the activities of authorized users of your company systems, and then explain what should be accomplished to legally monitor the activities of a hacker (unauthorized user) of your system. (Points : 15)

Question 5. 5. (TCO 5) Explain the effects of the three goals of information security. (Points : 15)

Question 6. 6. (TCO 6) Briefly describe the idea of a smart card. (Points : 15)

Question 7. 7. (TCO 7) Explain the purpose of a security operations center. (Points : 15)

Question 8. 8. (TCO 8) Explain the term warm site. (Points : 15)

 

Page 3

Question 1. 1. (TCO 9) Distinguish between an access control list and a capabilities list. (Points : 15)

Question 2. 2. (TCO 10) Briefly explain why key management is a critical requirement for a good symmetric cryptographic solution. (Points : 15)

Question 3. 3. (TCO 11) Explain how a demilitarized zone might be used to protect critical resources that are not to be shared outside of an organization. (Points : 15)

Question 4. 4. (TCO 11) What is often another term for a bastion host? (Points : 15)

Question 5. 5. (TCO 12) Explain what the symbol P(A|B) means. (Points : 15)

Question 6. 6. (TCO 12) Summarize the benefits of application-level gateways. (Points : 15)

Question 7. 7. (TCO 13) Briefly explain what object orientation is and what it is used for. (Points : 15)