Test Your Understanding Questions

HOMEWORK
CHAPTER 3: NETWORK SECURITY
Last Name: ___________________________________
First Name: ___________________________________
Due Date: ____________________________________
DIRECTIONS
Place your cursor at the end of a question and hit Enter. This will place you in the Answer style. This has already been done for Part a) of Question 1.
TEST YOUR UNDERSTANDING QUESTIONS
1.
a) How did the attacker get the credentials for the company’s bank account? [91]
b) Why were money mules used? [91-92]
c) List indications that this was a sophisticated attack. [91-92]
d) How might the company have been able to avoid this compromise? [91-92]
e) What motivated the attacker? [91-92]
f) What would you say to executives in small companies who believe that they are too little to be attacked? [91-92]
2.
a) What are the two elements of the threat environment? [92]
b) Briefly explain each of the three stages in the plan–protect–respond cycle. [92-93]
c) Which of these three stages consumes the most corporate effort? [93]
d) Give three names for successful attack. [93]
e) What is the main thing that separates security from other aspects of IT? [93]
3.
What is malware? [95]
4.
a) What is a vulnerability? [95]
b) How can users eliminate a vulnerability in one of their programs? [95]
c) What name do we give to attacks that occur before a patch is available? [95]
d) What type of malware does not require a vulnerability? [95]
5.
a) What is a propagation vector? [96]
b) How do viruses propagate within computers? [96]
c) How do viruses propagate between computers? [96]
d) In what two ways can viruses be stopped? [96]
e) Do firewalls usually stop viruses? [96]
6.
a) How do viruses and worms differ? [97]
b) Distinguish how directly propagating worms and e-mail worms spread. [97]
c) Which can spread faster—viruses or directly propagating worms? Explain. [97]
d) How can directly propagating worms be stopped? [97]
e) Can antivirus programs usually stop directly propagating worms? [97]
7.
a) What is a script? [98]
b) Are scripts normally bad? [98]
c) Under what circumstances are scripts likely to be dangerous? [98]
d) Why are scripts on webpages called mobile code? [98]
8.
a) What are payloads?
b) What are Trojan horses? [98]
c) How do Trojan horses propagate to computers? [98]
d) What is spyware? [98]
e) What is a keystroke logger? [98]
f) What does data mining software do? [99]
9.
a) What is social engineering? [99]
b) What is fraud? [99]
c) What is the definition of spam? [99]
d) How can spam be used to harm people who open spam messages? [99]
e) What is phishing? [100-101]
f) Distinguish between credit card number theft and identity theft. [101]
g) What are carders? [101]
h) Which tends to produce more damage—credit card theft or identity theft? Explain your answer. [101]
10.
a) List the three main phases in human break-ins (hacks). [101-104]
b) What is hacking? [101]
c) What are the two purposes of probe packets? [101-102]
d) What is an exploit? [103]
e) What steps does a hacker usually take immediately after a break-in? [103-104]
f) What software does the hacker download to help him or her do work after compromising a system? [103]
g) After breaking in, what does a hacker do to avoid being caught? [104]
h) What is a backdoor? [104]
i) What are the two types of backdoors? [104]
11.
a) What is the purpose of a denial-of-service attack? [104]
b) What are bots? [105]
c) What gives bots flexibility? [105]
d) How do distributed DoS attacks work? [105]
12.
a) Are most attackers today driven by curiosity and a sense of power? [107]
b) Is it generally illegal to write malware? [107]
c) For what four reasons are employees dangerous? [107]
d) What are the most dangerous types of employees? [107]
e) What type of attacker are most attackers today? [107]
f) What are cyberterror and cyberwar attacks? [107-108]
g) Why are cyberwar and cyberterror serious security concerns? [107-108]
13.
Why is security primarily a management issue, not a technology issue? [108]
14.
a) List the four major planning principles. [108-111]
b) What is risk analysis? [109]
c) Repeat the risk analysis described in this section, this time with Countermeasure B that does not affect damage severity but that reduces the likelihood of an attack by 75 percent. The annual cost of Countermeasure B is $175,000. Show the full table. [109-110]
d) Comment on the statement, “The goal of security is to eliminate risk.”
e) What is comprehensive security? [110]
f) Why is comprehensive security important? [110]
g) What is defense in depth? [110]
h) Why is defense in depth necessary? [110]
i) What is access control? [111]
j) What are permissions? [111]
k) Why should people get minimum permissions? [111]
15.
a) What is a policy? [112]
b) Distinguish between policy and implementation. [112]
c) Why is it important to separate policies from implementation? [112]
d) Why is oversight important? [112-113]
e) Compare the specificity of policies, implementation guidance, and implementation. [113]
f) Distinguish between standards and guidelines. [113]
g) Must guidelines be considered? [113]
h) List the three types of oversight listed in the text. [114]
i) What is vulnerability testing, and why is it done? [114]
j) Why is it important for policy to drive both implementation and oversight? [114]
16.
a) What is authentication? [115]
b) Distinguish between the supplicant and the verifier. [115]
c) What are credentials? [115]
d) Why must authentication be appropriate for risks to an asset? [115]
17.
a) Distinguish between usernames and reusable passwords. [115]
b) Why are passwords widely used? [116]
c) What types of passwords are susceptible to dictionary attacks? [116]
d) What types of passwords are susceptible to dictionary attacks in hybrid mode? [117]
e) Can a password that can be broken by a dictionary attack or a dictionary attack in hybrid mode be adequately strong if it is very long? [117]
f) What is a brute force attack? [117]
g) What types of passwords can be broken only by brute force attacks? [117]
h) Why is password length important? [117]
i) How long should passwords be? [117]
18.
Critique each of the following passwords. First, describe the type of attack that would be used to crack it,
justifying your answer. Second, say whether or not it is of adequate strength, justifying your answer.
a) velociraptor [117]
b) Viper1 [117]
c) NeVeR [117]
d) R7%t& [117]
19.
a) What security problem do access cards have? [118]
b) What is biometrics? [118]
c) By what three criteria should biometric methods be judged? [118]
d) Why may fingerprint scanning be used to authenticate access to a laptop? [118]
e) Why is iris scanning desirable? [120]
f) Why is face recognition controversial? [120]
20.
a) In digital certificate authentication, what does the supplicant do? [120]
b) What does the verifier do? [120]
c) Does the verifier use the true party’s public key or the supplicant’s public key? [120]
d) How does the verifier get the public key? [120]
e) From what type of organization does the verifier get the digital certificate? [120]
21.
a) Why is two-factor authentication desirable? [120]
b) Will two-factor authentication still be strong if the attacker controls the supplicant’s computer? [121]
c) Will two-factor authentication still be strong if the attacker can intercept all authentication communication? [121]
22.
a) What does a firewall do when a packet arrives? [122]
b) Does a firewall drop a packet if it probably is an attack packet? [122]
c) Why is it important to read firewall logs daily? [122]
d) Distinguish between ingress and egress filtering. [122]
23.
a) What is the limitation of static packet filtering? [123]
b) Why is static packet filtering still done despite its weakness, and how is it used? [124]
24.
a) Why are states important? [124]
b) Why are ACLs needed for stateful firewalls? [125]
c) When a packet that is part of an ongoing connection arrives at a stateful inspection firewall, what does the firewall usually do? [125-126]
d) When a packet that is not part of an ongoing connection and that does not attempt to open a connection arrives at a stateful inspection firewall, what does the firewall do? [126]
e) Why are stateful firewalls attractive? [126]
f) What type of firewalls do most corporations use for their main border firewalls? [126]
25.
a) How will an SPI firewall handle a packet containing a TCP segment which is an acknowledgement? [125-126]
b) How will an SPI firewall handle a packet containing a TCP SYN segment? [125-126]
c) How will an SPI firewall handle a packet containing a TCP FIN segment? [125-126]
d) How will the access control list (ACL) in Figure 3-19 handle a packet that attempts to open a connection to an FTP server? Explain. [125]
26.
a) What two things do deep inspection firewalls do that SPI firewalls do not? [127-128]
b) Why is the first useful? [127-128]
c) Why is the second useful? [127-128]
d) What is an application-aware firewall, and how is it useful? [128]
e) For what type of devices was deep inspection first used? [128]
f) What is the main problem with deep inspection firewalls? [128]
g) What technology is overcoming this problem, and how is it doing so? [128]
27.
a) What is a cipher? [128-129]
b) What protection does confidentiality provide? [128]
c) In two-way dialogues, how many keys are used in symmetric key encryption? [129]
d) What is the minimum size for symmetric keys to be considered strong? [129]
28.
What two protections do electronic signatures provide? [129-130]
29.
a) What is the definition of response? [130]
b) What are the two benefits of a well-rehearsed response plan? [130]
c) What are the four response phases when attacks occur? [130-131]
d) What is the purpose of forensic tools? [131]
e) Why are CSIRTs necessary? [132]
f) Should the CSIRT be limited to security staff personnel? [132]
g) Distinguish between disaster recovery and business continuity recovery. [132]
h) Explain how firms use backup sites in disaster recovery. [132]
END-OF-CHAPTER QUESTIONS
THOUGHT QUESTIONS
1.
a) Suppose that an attack would do $100,000 in damage and has a 15 percent annual probability of success. Spending $9,000 per year on “Measure A” would cut the annual probability of success by 75 percent. Do a risk analysis comparing benefits and costs. Show your work clearly. [110]
b) Should the company spend the money? Explain. [110]
c) Do another risk analysis if Measure A costs $20,000 per year. Again, show your work. [110]
d) Should the company spend the money? Explain. [110]
2.
a) What form of authentication would you recommend for relatively unimportant resources? Justify your answer. [115-121]
b) What form of authentication would you recommend for your most sensitive resources? [115-121]
3.
For each of the following passwords, first state the kind of attack that would be necessary to crack it.
Justify your answer. Then say whether or not it is an adequate password, again giving specific reasons.
a) swordfish [116-118]
b) Processing1 [116-118]
c) SeAtTLe [116-118]
d) 3R%t [116-118]
e) 4h*6tU9$^l [116-118]
4.
Keys and passwords must be long. Yet most personal identification numbers (PINs) that you type when you use a debit card are only four or six characters long. Yet this is safe. Why? [No page numbers]
5.
Revise the ACL in Figure 3-18 3-19 to permit access to an FTP server with IP address 10.32.67.112. [125]
6.
In digital certificate authentication, the supplicant could impersonate the true party by doing the calculation with the true party’s private key. What prevents impostors from doing this? [No page number]
ONLINE EXERCISE
1.
Go to http://www.cybercrime.gov. Go to the section on computer crimes. Select one of the cases randomly. Describe the type of attacker and the type of attack(s). [No page number]
CASE STUDY: PATCO
In 2009, the Patco Construction Company had $588,000 drained from its bank accounts at Ocean Bank. The theft
involved six withdrawals on May 8, May 11, May 12, May 13, May 14, and May 15. The money in each withdrawal
was sent to a group of money mules.
After thieves stole all of the company’s cash, they continued to make withdrawals. Patco’s bank continued to allow
withdrawals, covering them with over $200,000 from Patco’s line of credit. Although the bank was able to recover
or block $243,406 in transfers, Patco was still out $345,400. In addition, the bank began charging Patco for interest
on the money that had been withdrawn using Patco’s line of credit.
Although the transactions were far larger than Patco normally made, Ocean Bank did not inform Patco of any
problems until one of the account numbers entered by the thieves was invalid. It sent a notification by mail, and it
did not arrive at Patco until several days later. Patco notified the bank of problems the next morning. However, the
bank had already sent out $111,963 that day, some of which was recovered.
The bank used account numbers and passwords. For transactions over $1,000, Patco employees had to answer two
challenge questions. Most withdrawals were over $1,000, so employees had to answer these same challenge
questions many times. Patco believes that these challenge messages were too easy. The State of Maine has
stringent banking laws. The Federal Financial Institutions Examination Council in 2005 required banks to use at
least two-factor authentication and specifically noted that usernames and passwords were not enough. Patco sued
People’s United Bank for its losses, claiming that the challenge questions were nothing more than a second set of
passwords and that the bank should have required much stronger credentials. Patco also claimed that Ocean Bank
should have been suspicious when such large unprecedented withdrawals were made and when they were sent to
30 different accounts. Normally, Patco only withdrew money for payrolls on Fridays. Its previous largest single day
withdrawal had been under $37,000. Patco’s complaint stated that based on belief and information from the bank,
Patco assumed that antifraud monitoring was being done by the bank. Ocean Bank did not comment on the case,
but most banks in a similar situation use the defense that they were not negligent. A bank can be found negligent
only if it has lower protections than are the norm in the industry.
Caution: The information in this case is based only on Patco’s complaint. Consequently, the statements made in
the case have not been validated and may be disputed by Ocean Bank as being nonfactual. Analyze the case based
on Patco’s allegations, but do not draw firm conclusions against the bank.
1.
a) According to the information in the case, do you think the bank satisfied the requirement to use two-factor authentication? [136-137]
b) According to the information in the case, do you think the bank was doing antifraud monitoring? [136-137]
c) According to the information in the case, do you think Ocean Bank was negligent? [136-137]
d) According to the information in the case, if you were the head of Ocean Bank, what would you do to prevent the recurrence of this problem? [136-137]
CASE STUDY: WALMART
In 2005, Hurricane Katrina slammed into Louisiana and Mississippi, devastating New Orleans and many other cities
along the U.S. Gulf Coast. Shortly afterward, the fourth most intense Atlantic hurricane in history, Rita, added
enormously to the destruction. The Federal Emergency Management Agency (FEMA) became notorious for its
handling of the crisis, responding belatedly and acting ineptly when it did respond.
Many businesses collapsed because they were poorly prepared for the hurricanes. One company that did respond
effectively was Walmart. In its Brookhaven, Mississippi, distribution center, the company had 45 trucks loaded
and ready for delivery even before Katrina made landfall. The company soon supplied $20 million in cash
donations, 100,000 free meals, and 1,900 truckloads full of diapers, toothbrushes, and other emergency supplies
to relief centers. The company also supplied flashlights, batteries, ammunition, protective gear, and meals to
police and relief workers.
Although the relief effort was impressive, it was merely the visible tip of Walmart’s disaster recovery program. Two
days before Katrina hit, Walmart activated its business continuity center. Soon, 50 managers and experts in specific
areas such as trucking were hard at work. Just before the storm knocked out the company’s computer network,
the center ordered the Mississippi distribution center to send out recovery merchandise such as bleach and mops
to its stores. The company also sent 40 generators to its stores so that stores that lost power could open to serve
their customers. It also sent out many security employees to protect stores.
After computer networks failed, the company relied on the telephone to contact its stores and other key
constituencies. Most stores came back immediately, and almost all stores were able to serve their customers
within a few days. Lines of customers were long, and Walmart engaged local law enforcement to help maintain
order.
Walmart was successful because of intensive preparation. The company has a full-time director of business
continuity. It also has detailed business continuity plans and clear lines of responsibility. In fact, while the company
was still responding to Katrina and Rita, it was monitoring a hurricane off Japan, preparing to take action there if
necessary.
1.
a) Why was Walmart able to respond quickly? [137-138]
b) List at least three actions that Walmart took that you might not have thought of. [137-138]