Question 1:
In an SSL/TLS certificate, explain the trust chain and the difference between a Root certificate authority (CA) and an Intermediate CA? Why would end-user certificates be issued by the Intermediate CA and not the Root CA?
Question 2:
Assume you are looking for a new bank to join to do your online banking. In addition to the normal characteristics of banks that interest the average consumer such as the interest rates and customer service; you hold online security in high regard and you want to evaluate the safety of the entity to ensure your online transactions will be secure.
Answer the following questions:
A. Who is the "Issued by:" of the Root CA certificate?
B. Who is the "Issued to:" of the Intermediate CA certificate?
C. What is the expiration date of the end user certificate?
D. What is the Signature Algorithm of the Root CA? Is this considered a secure algorithm?
E. Repeat steps
Question 3:
Give a detailed explanation of the differences between a qualitative risk assessment and a quantitative risk assessment and give a brief example of each. What requirements or circumstances may lead you to choose one over the other?
Question 4:
Is a cryptographic hash function/digest considered encryption? Why or why not?
Question 5:
Fully describe, fully define, and fully explain three vulnerabilities from the latest Open Web Application Security Project (OWASP) Top Ten that has been covered in this course.
Question 6:
You are the Information Systems Security Officer (ISSO) for your organization and you see the following job posting on your company's website:
Web Application Developer
ISEC615 Inc. is a progressive software development company specializing in tracking solutions with a strong commitment to our customers. We are growing and adding new Developers to our Engineering Department. We are looking for dynamic, results oriented, enthusiastic individuals at all experience levels who thrive in a fast paced environment and enjoy staying up to date on technologies.
Application Stack:
•Apache 2.2
•Tomcat 6.x, 6.0.35, 6.0.36
•HTML
•CSS
•Javascript
•1+ year RDMS/SQL experience
•1+ year Unix/Linux environment experience
•2+ years web application development experience with any of the following languages:
?JavaScript, Perl, PHP, Python, Ruby
Your qualifications will stand out if you have:
• A strong knowledge of information security principles Ideal Attributes:
•Willingness to learn/expand Perl knowledge
•Willingness to participate in Agile methodologies
•Willingness to participate in on-call rotation for production support
•Self-motivated and confident with an ownership mentality
•Autonomous producer
Education: B.S. in Computer Science, Information Technology, or similar specialization.
From the perspective of an information security practitioner, answer the following question about the above job posting:
* Giving a detailed explanation; what is wrong with this job posting that may be of use to an attacker?
* Perform research and describe exactly where an attacker may find the information in the previous question based on this job posting. Provide links to what you have found that may be of use to an attacker pertaining to that specific job posting.
Question 7:
Your organization has a Web based information system and it is discovered that your information system vulnerable to several high risk Open Web Application Security Project (OWASP) Top Ten vulnerabilities.
- What reason, conditions or circumstances may exist that may cause you to accept (risk control strategy) all of the vulnerabilities and do nothing to protect your system?
- What reason, conditions or circumstances may exist that may cause you to terminate (risk control strategy) the information system as opposed to remedying the issues associated with the vulnerabilities?