Question 1:

You are the administrator for a tracking system application for a Human Resources (HR) Department that tracks different employee cases such as processing retirements or changing health benefits for ACME Inc.. There are different permissions that different members the HR Staff need to execute on the cases to perform their duties. The available permissions that may be accomplished for each case are:

Read a case - you can open a case and view the contents.
Create a case - you can make a new case and save it.
Update a case - you can open a saved case, make changes to it and save the changes.
Search a case - you can search for cases using criteria and get returned cases that match the criteria.
Delete a case - you can delete an entire case.
Assign a case - you can assign a case to someone else to be worked on.

I want to have a group of HR managers that can perform all of the functions. I want to also have a group of HR personnel that can do everything except for alter or delete cases. I want to have a group of HR personnel that can open and make changes to a case but only after it assigned to them. If an ACME employee calls the HR helpdesk with a problem, the HR personnel that answers the phone should be able to search for their case, look at its contents, and either make the appropriate changes or assign it to the group responsible for making the changes.

1. Out of Discretionary Access Control, Mandatory Access Control, and Role Based Access Control, which access control method is best at accommodating these permissions and why?

2. List all of the different groups you would make to accomplish the functions above along with the permissions that would be included in each group. Feel free to name all of the groups anything you like such as the HR Editors or HR Supervisors, etc.

Question 2:

You are charged with maintaining a legacy Web application. It is a publicly facing e-Commerce site that allows customers to search for and order commemorative memorabilia and souvenirs using credit or debit card through an HTTP interface. Even though the Web server software is outdated and is no longer supported, it has been extremely reliable and has supported all updates to the application. There is a publicly accessible search mechanism that allows you to pull up your previous order and payment information using other previous order information. To order souvenirs or memorabilia, you are required to search for the items you would like to order and submit your order request via a Web form. The customer service personnel login and are granted full access rights to the application and database to assist customers with any issues including ordering questions and credit card issues.

List and explain the attack surfaces for this scenario.

Question 3:

A bank wants to store the account number of its customers( an 8 digit number ) in encrypted form on magnetic strip ATM cards. Discuss the security of the following methods for storing the account number against an attacker who can read the magnetic stripe: (!) store a cryptographic hash of the account number; (2) store the ciphertext of the account number encrypted with the bank's public key using a public key cryptosystem; (3) store the ciphertext of the account number encrypted with the banks's secret key using a symmetric cryptosystem.

Question 4:

Consider the following security measures for airline travel. A list of names of people who are not allowed to fly is maintained by the government and given to the airline; people whose names are on the list are not allowed to make flight reservation. Before entering the departure area of the airport, passengers go through a security check where they have to present a government issued ID and a boarding pass. Before boarding a flight , passengers must present a boarding pass, which is scanned to verify the reservation . show how some one who is on the no fly list can manage to fly provided boarding passes can be printed online. Which additional security measures should be implemented in order to eliminate this vulnerability?

Question 5:

Explain four general means (factors) of authenticating a user's identity? Also give an example of a system that uses two of these factors together and a system that uses three of these factors together.

Question 6:

Dr.blahbah has implemented a system with a 8 bit random canary that is used to detect and prevent stack based buffer overflow attacks. Describe an effective attack against Dr.blahbah's system and analyze its likelihood of success.

Question 7:

Suppose you want to use an internet café to login to your personal account on a bank web site, but you suspect that the computers in this café are infected with software keyloggers. Assuming that you can have both a web browser window and a text editing window open at the same time , describe a schema that allows you to type in your user ID and password so that a keylogger, used in isolation of any screen captures or mouse event caputers , would not be able to discover your user id and password.

Question 8:

You are the system administrator for a provider that owns a large network(eg. At least 64000 ip address). Show how you can use SYN cookies to perform a DOS attack on a web server.

Question 9:

Describe how to modify a NAT router to prevent packets with spoofed IP addresses from exiting a private network.

Question 10:

List and explain seven different types of biometric authentication. Give examples of how they could be used in a system to authenticate a user such as devices that exist or systems that could be put into place