2. (25 points)
Classify each of the following acts (not necessarily related to computing infrastructures) as a violation of confidentiality, integrity, authenticity, or availability, or some combination thereof:
Hint: Answers may not be unique. Explain your answers as well as possible!
a. A hacker obtains millions of Facebook passwords.
Answer:
b. Bob accidentally cuts the electricity from the server room.
Answer:
c. The National Security Agency (NSA), which is in charge of cryptographic and communications intelligence and security, finds an efficient method to break the Advanced Encryption Standard (AES).
Answer:
d. Hanna registers the domain name “JohnSmith.com” and refuses to let John Smith buy or use the domain name.
Answer:
e. Ransomware attacks a victim’s hard drive by locking it with a secret key, and a criminal demands a ransom to decrypt it.
Answer:
f. The NSA wiretaps the cell phone of a suspect in a criminal investigation.
Take into consideration that, according to Executive Order 12333 (EO 12333), the NSA is prohibited from collecting, retaining, or disseminating information about U.S. persons except pursuant to procedures established by the head of the agency and approved by the Attorney General.
Answer:
g. A foreign state actor finds a zero-day vulnerability for voting machines used in the US.
A zero-day vulnerability is a vulnerability in software that exists and may be known to the vendor, the developer, or a hacker, but for which no “patch” is available yet.
Answer:
h. A result of Tom’s college admission test was sent to Tim.
Answer:
3. (15 points)
Read the following scenarios, provide an analysis of each situation, and describe what you would do. Justify your answers.
a. A friend sends an electronic greeting card (e-card) to your work email. You need to click on the attachment to see the card. What should you do? Justify.
Answer:
b. Your supervisor is very busy and asks you to log into the HR Server using her user-ID and password to retrieve some reports. What should you do? Justify.
A: It’s your boss, so it’s okay to do this.
B: Ignore the request and hope she forgets.
C: Decline the request and remind your supervisor that it is against your policy.
Answer:
c. You receive an email from your bank telling you there is a problem with your account. The email provides instructions and a link so you can log in to your account and fix the problem. What should you do? Justify.
Answer:
4. (5 points)
What is the difference between information security strategy and information security policy?
Answer:
5. (20 points)
a. (10 points)
Why is having an information security strategy important for an organization? Be sure to describe how having an information security strategy supports your ideas.
Answer:
b. (10 points)
List at least four (4) “high level” items with descriptions that should be part of a security strategy. A high level item is an item that would represent a major area or topic that you would include in a security strategy.
Answer:
6. (20 points)
a. (10 points)
Why is having an information security policy important for an organization? Be sure to describe how having an information security policy supports your ideas.
Answer:
b. (10 points)
List at least four (4) “high level” items with descriptions that should be part of a security policy. A high level item is an item that would represent a major area or topic that you would include in a security policy.
Answer:
7. (10 points)
The notes (week 2) enumerate several information system assets. While these assets are important to an organization, they are not the most important assets to a company or organization. What do you consider to be the top two (2) assets to an organization? Note that the information assets enumerated in the notes are NOT the correct answers to this problem. This question is asking for the most important assets, which means they may extend beyond the notion of information assets. Explain your reasoning for the assets you have selected.
Answer: