1) In an SSL/TLS certificate, explain the trust chain and the difference between a Root certificate authority (CA) and an Intermediate CA?
Why would end-user certificates be issued by the Intermediate CA and not the Root CA?
2) Assume you are looking for a new bank to join to do your online banking.
In addition to the normal characteristics of banks that interest the average consumer such as the interest rates and customer service; you are hold online security in high regard and you want to evaluate the safety of the entity to ensure your online transactions will be secure.
Pick a bank (of your choosing) that has online services and evaluate the SSL certificate with your browser.
Answer the following questions:
What is the URL of the organization (this should be https://...)?
Who is the Issued by: of your Root CA certificate?
Who is the Issued to: of your Intermediate CA certificate?
What is the expiration date of the end user certificate?
What is the Signature Algorithm of your Root CA? Is this considered a secure algorithm? Repeat steps A-E for a social media site.
3) Describe the differences between a qualitative risk assessment and a quantitative risk assessment and give a brief example of each.
What requirements or circumstances may lead you to choose one over the other?
4) Is a cryptographic hash function/digest considered encryption? Why or why not?
5) Describe, define, and explain three vulnerabilities from the latest Open Web Application Security Project (OWASP) Top Ten that has been covered in this class.
6) Describe, define and explain the uses of a:
- Business continuity plan
- Disaster recovery plan
- Incident response plan.
Out of the three plans, which two of them may overlap to small
degree and how?
QUESTION 7
1. Your organization has a Web based information system and it is discovered that your information system vulnerable to several high risk Open Web Application Security Project (OWASP) Top Ten vulnerabilities.
- What reason, conditions or circumstances may exist that may cause you to accept (risk control strategy) all of the
vulnerabilities and do nothing to protect your system?
- What reason, conditions or circumstances may exist that may cause you to terminate (risk control strategy) the information system as opposed to remedying the issues associated with the vulnerabilities?