ISEC2001/ISEC5006 Fundamental Concepts of Data Security

Computing @ Curtin University
FINAL ASSESSMENT
Semester 1, 2020
ISEC2001/ISEC5006 Fundamental Concepts of Data Security
This paper is for Curtin students
This FINAL ASSESSMENT has a total of 100 marks.
Time allowed: 240 minutes
Conditions
This is an online test. The test is open-book: you are allowed to access your hand-written notes,
lecture slides, textbooks, and printed and electronic materials in your possession.
The test must be completed by yourself only. No one else should do this test for you.
You are prohibited from communicating with people other than the unit coordinator/lecturer and the
tutors during the test.
You are prohibited from providing information about your work and your test to others during the test
window, which is the 24 hour period from when the test is made available to students.
Any attempts to compromise the system are strictly prohibited.
You must complete and submit the "Declaration of Originality" form as instructed by your Unit Coordinator/Lecturer for this test.
IMPORTANT Your answers must be your own words. You are not allowed to copy any texts from
other sources (including lecture/tutorial materials), even with correct referencing, and present as your
own. Treat this assessment as the traditional invigilated exam. Copying of texts will be considered
plagiarism.
Any breaches of this policy will be considered cheating and appropriate action will be taken as per
University policy.
Instructions to Students:
This test consists of 8 questions. Attempt ALL questions. You must use the answer file provided.
Provide your answer in the space below each question heading, e.g. ## QUESTION 1, ## QUESTION
2, etc. Name your answer file using your surname and student ID, for example trump 12345678.txt.
When complete, upload the file to the following
• Blackboard test where you obtain this assessment
• Turnitin submission link provided to you by the lecture/unit coordinator
You are responsible for ensuring that the submission is correct and free of errors. Your assessment is
not valid if you fail to submit your answer file correctly to both places.
Question 1 (16 Marks)
Ransomware attacks are becoming more common nowadays targeting large organisations. In 2017,
a medical centre in the United States suffered from a major attack by a ransomware known as
SamSam, which encrypted data on more than 6,000 computers of the centre, making them unusable
to staff and clinicians. The attack exploited three vulnerabilities: 1) a vulnerability in a Java-based
application server; 2) the availability of remote desktop protocol (RDP) on many Windows machines in
the organisation; and 3) poor password security practices (such as not changing the default password
of some IT equipment or using weak passwords). It took over two weeks for the system to be restored
and the attack cost the organisation over $10 million in damage.
• Which security goal (Availability/Integrity/Confidentiality) was compromised by this ransomware
attack? Explain your reasoning. Your argument must be based on the information within the
question.
• Suggest one technical preventive control, one technical detective control, and one administrative
preventive control that should have been taken by the victim organisation prior to the attack in
order to prevent it from happening.
Answer:
• Security goal compromised:
• Reasons:
• Technical preventive control example
• Technical detective control example
Page 1 of 14
• Administrative preventive control example
Question 2 (12 Marks)
• Explain why the Clark-Wilson model can prevent unauthorised modification of data despite the
fact that it does not explicitly require subjects and objects to have multiple security levels like the
Biba model does.
• Suppose that the Clark-Wilson security model is used by a bank to implement an Internet
banking system so that customers can access their accounts and perform transactions online
using an Internet browser on a computer. From the customer's perspective, give an example of
the part of the Internet banking system that best describes
– Constrained data items (CDIs)
– Unconstrained data items (UDIs)
– Transformation procedures (TPs)
– Integrity verification procedures (IVPs)
For each example, briefly describe your reasoning.
Answer:
• Explanation:
• Examples:
– Constrained data items (CDIs):
– Unconstrained data items (UDIs):
– Transformation procedures (TPs):
– Integrity verification procedures (IVPs):
Question 3 (10 Marks)
Explain two (2) differences between static data masking and dynamic data masking. Give one example
where static data masking is more suitable, and one example where dynamic masking is more suitable.
Answer:
• Difference 1:
• Difference 2:
• Example static masking more suitable:
• Example dynamic masking more suitable:
Question 4 (10 Marks)
A cyber security student discovered a loophole in the university’s computer system whilst testing some
hacking tools. This allowed the student access to other students’ home areas which contained their
work. The student also used the granted privilege to access license files to run restricted lab programs
on his personal laptop so he could do the assignment from home instead of going to the lab. He
told the system administrator about the loophole and described simple steps to fix it, but continued
to access others’ assignments until the problem was attended and corrected four weeks later. He
partially used the other students’ solution as his own.
Identify and discuss four (4) ethical and/or legal issues in this example. What could have been done by the
university instead? Give at least two (2) suggestions.
Answer:
• Issue 1:
• Issue 2:
• Issue 3:
• Issue 4:
• Suggestion 1:
• Suggestion 2:
Question 5 (14 Marks)
You have been asked to give security advice for an organisation which has all of its internal information
systems on premises and its website hosted on the cloud. The website is updated by an administrator
who is an employee of the organisation via a simple web-based login interface provided by the cloud
provider. The internal network consists of various desktop and laptop computers, networking devices,
servers, databases, applications, and users (see Fig. 1 for an illustration). All Internet traffic to and
from the premises passes through a single gateway. You are considering the security principle Defense-in-Depth to provide an overall security solution for the company. It is required that both the internal
information system and the website must be protected against attacks.
• For each layer of defense (preventive, detective, corrective, recovery) describe a security control
that could be used to strengthen the security of the company and briefly explain how it helps.
• A data security student suggests that the principle Defense-In-Depth allows more than one
control in each layer of defense. Discuss whether you agree with the student.
• The data security student also thinks that principle Defense-In-Depth requires the deployment of
all possible types of layers of defense, each layer with as many controls as possible. Discuss
whether you agree with the student.
Figure 1: Network diagram of the company in the question
Answer:
• Examples
– Preventive layer:
– Detective layer:
– Corrective layer:
– Recovery layer:
• Discussion 1:
• Discussion 2:
Question 6 (14 Marks)
An information asset of a company is currently valued at $100,000. Using the quantitative risk
assessment approach, the company is assessing the risk due to a type of attack that happens three
(3) times every four (4) weeks on average. Each attack on the information asset causes damage with
an exposure factor EF = 0.5.
• Calculate the current single loss expectancy (SLE), annualised rate of occurrence (ARO), and
annualised loss expectancy (ALE) values. You may assume that there are 52 weeks in a year.
• The company is considering two possible controls described below to address this risk. Using
the cost-benefit analysis (CBA) approach, derive the SLE, ARO, ALE, ACS (annualised cost of
safeguard), and CBA values for each case and state clearly which control should be selected to
address the risk.
– Control A costs $200,000 per annum and reduces the frequency of attacks to once per
fortnight.
– Control B costs $700,000 per annum and reduces the exposure factor to 0.2.
Answer:
• Current values
– SLE
– ARO
– ALE
• Control A
– SLE
– ARO
– ALE
– ACS
– CBA
• Control B
– SLE
– ARO
– ALE
– ACS
– CBA
• Conclusion:
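As an added worked example (not part of the exam paper or its marking scheme), the standard quantitative risk formulas SLE = AV × EF, ALE = SLE × ARO and CBA = ALE(before) − ALE(after) − ACS, applied to the figures given in Question 6; the `Scenario` class and helper names are my own.

```python
"""Quantitative risk assessment and cost-benefit analysis (CBA).

Added example: applies SLE = AV x EF, ALE = SLE x ARO and
CBA = ALE(before) - ALE(after) - ACS to the figures in Question 6.
"""
from dataclasses import dataclass

WEEKS_PER_YEAR = 52  # assumption stated in the question


@dataclass(frozen=True)
class Scenario:
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost per incident (0..1)
    attacks_per_period: float
    period_weeks: float      # length of the observation period in weeks
    acs: float = 0.0         # annualised cost of safeguard; 0 when no control

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def aro(self) -> float:
        """Annualised rate of occurrence: observed frequency scaled to a year."""
        return self.attacks_per_period * WEEKS_PER_YEAR / self.period_weeks

    def ale(self) -> float:
        """Annualised loss expectancy."""
        return self.sle() * self.aro()


def cba(before: Scenario, after: Scenario) -> float:
    """Cost-benefit of a control; positive means it saves more than it costs."""
    return before.ale() - after.ale() - after.acs


def best_control(before: Scenario, options: dict) -> str:
    """Name of the option with the highest CBA, or 'none' if no CBA is positive."""
    name, best = max(options.items(), key=lambda kv: cba(before, kv[1]))
    return name if cba(before, best) > 0 else "none"


# Figures from Question 6: current situation and the two candidate controls
current = Scenario(100_000, 0.5, attacks_per_period=3, period_weeks=4)
control_a = Scenario(100_000, 0.5, attacks_per_period=1, period_weeks=2, acs=200_000)
control_b = Scenario(100_000, 0.2, attacks_per_period=3, period_weeks=4, acs=700_000)

if __name__ == "__main__":
    for label, s in (("current", current), ("Control A", control_a), ("Control B", control_b)):
        print(f"{label:9s} SLE={s.sle():>9,.0f} ARO={s.aro():>5.1f} ALE={s.ale():>12,.0f}")
    print("CBA A:", cba(current, control_a), " CBA B:", cba(current, control_b))
    print("Select:", best_control(current, {"Control A": control_a, "Control B": control_b}))
```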
Question 7 (12 Marks)
• Business impact analysis (BIA) is an important exercise when developing a business continuity
plan. The first step in BIA is to identify critical business activities. Describe in your own words
what you think critical activities are and give two (2) examples of such critical activities of a
supercomputing centre which provides services to registered users via the Internet.
• Suppose the BIA team of the supercomputing centre is determining the recovery time objective
(RTO) of a critical activity that will need to be recovered at an offsite facility due to a natural
disaster. The centre has determined how the impact of ceasing this activity depends
on recovery time. The centre has also obtained quotes from offsite facility providers, which allow
it to derive the relationship between cost and recovery time. Suggest how they
should determine the RTO value based on the above information.
• Discuss how the RTO value may be revised if additional requirements are also given. Your
answer must contain examples to support your argument.
Answer:
• Critical activities:
• Examples of critical activities:
– Example 1:
– Example 2:
• Suggest how to determine RTO value:
• Discussion:
Question 8 (12 Marks)
You are drafting up an incident response plan against denial-of-service (DoS) attacks to the website of
an organisation. For each of the six incident response stages, give one (1) example of the relevant
action. Note that your answer must be specific to DoS attacks.
Answer:
Example of response actions in
• Triage:
• Investigation:
• Containment:
• Analysis:
• Tracking:
• Recovery:
END OF FINAL ASSESSMENT