INFO5301 – S1, 2022 Assignment 1
Information Security Management
Instructions:
This is an individual assignment. This assignment has 25 questions in 3 sections. Answer all questions.
Assignment submission due date is 28th March 2022, 17:00 Hrs (AEDT). After the due date/time, the standard late penalty will apply.
Please write answers in the provided answer template. Please do not copy questions to the
answer document.
After answering ALL questions,
(i) name the file with the convention .docx,
(ii) convert the answer document to a PDF, and
(iii) upload it to this Canvas assignment.
Section 1
Provide a short answer (up to 100 words max.) with your reasoning for agreement or disagreement with each of the following statements. Note: Please clearly state that you "Agree" or "Disagree" with the statement in the first line of your answer. [0.5 marks each, 5 marks in total]
Question 1
Data encryption is sufficient to assure the confidentiality of data being transferred through
a wireless network.
Question 2
Organisations can reuse their security training programs as long as organisational responsibility and authority structure stays the same.
Question 3
A security model to be selected depends on the organization type and environment.
Question 4
Technical control is the most effective way to protect an organisation's information from emerging cyber threats.
Question 5
The amount of resources allocated for security controls solely depends on the likelihood of
breaches or vulnerabilities.
Question 6
Encrypting the entire message with public-key encryption is always better than just sending the message with a signed message digest.
Question 7
Digital signatures can assure non-repudiation.
Question 8
Deep packet inspection of intrusion detection systems (IDS) is not highly effective today due
to end-to-end data encryption.
Question 9
A certificate for Bob’s public key signed by a certification authority can be decrypted by using Bob’s public key.
Question 10
Biometric authentication mechanisms always provide better security than PINs or passwords.
Section 2
Select the most appropriate answer from the given choices to the following question/statement. Also, provide a short answer (up to 100 words max.) with your reasoning for selecting the answer/statement. [0.5 marks each, 5 marks in total]
Question 11
Which one of the following statements about formal control is NOT true?
(a) Firewall is required for all computer networks
(b) Security task-force should have representatives from a wide range of functional areas
(c) Significant importance should be given to personnel issues
(d) Ongoing support should be provided by computer security professionals
(e) All statements are true
Question 12
Which of the following is a requirement of the Clark-Wilson model?
(a) The system must provide high confidentiality
(b) The system must ensure that specified data items can be manipulated by all programs
(c) The system must install firewall
(d) The system must allow users to invoke all Transformation Procedures
(e) None of the above
Question 13
Select the correct order of the basic principles of security at risk in the following cases:
(i) A few customer records are missing from the databases of an online sales company.
(ii) A person sets up a device to passively monitor the traffic through someone else’s network channel.
(iii) An IoT data collection tool receives data traffic from a set of unidentified devices that appeared to be legitimate devices.
(a) Confidentiality, Integrity, Authentication
(b) Non-repudiation, Confidentiality, Integrity
(c) Integrity, Confidentiality, Authentication
(d) Integrity, Confidentiality, Non-repudiation
(e) Integrity, Authentication, Non-repudiation
Question 14
Obtaining buy-in from the executive leadership for a security program,
(a) assures staff buy-in
(b) ensures funding
(c) guarantees success
(d) both (a) and (b)
(e) all of the above
Question 15
The information security requirement of major importance to an online news service website is ______.
(a) Confidentiality
(b) Integrity
(c) Frequency of news updates.
(d) Availability
(e) Privacy
Question 16
If implemented correctly, encryption can ______.
(a) significantly increase performance of the system
(b) significantly increase the reliability of data.
(c) significantly reduce the possibilities of data interception and disclosure.
(d) significantly improve the speed of communication.
(e) significantly reduce the size of data.
Question 17
Which of the following is NOT an aspect of authentication?
(a) Assures the message is from a source it claims to be from
(b) Assures the message is not changed during the transmission
(c) Assures the auditability of a message exchange
(d) Assures that the entity has actually participated in the authentication process
(e) Assures the identity of a second party through corroborative evidence
Question 18
What is the best way to store passwords?
(a) Using certificate authority
(b) In a one-way encrypted file
(c) Using public-private key encryption
(d) Using symmetric encryption
(e) By means of a digital signature
Question 19
What is the correct order of network security aspects of the following cases?
(i) Hosts receive the data without any loss
(ii) Only sender and receiver can read the message transmitted
(iii) Sender can prove her/his identity to receiver
(iv) Hosts can exchange data at any given time
(a) Confidentiality, Integrity, Availability, Authentication
(b) Integrity, Confidentiality, Availability, Authentication
(c) Integrity, Confidentiality, Authentication, Availability
(d) Authentication, Integrity, Non-repudiation, Availability
(e) Integrity, Confidentiality, Non-repudiation, Availability
Question 20
Assume that Bob wants to send a message to Alice and they are planning to use public key cryptography. Which one of the following statements is true about this process?
(a) Both parties share their private keys as a shared secret
(b) Bob can use the private key of Alice to encrypt the message.
(c) It is impossible to decrypt the ciphertext sent from Bob to Alice
(d) (b) and (c)
(e) None of the above.
Section 3
Question 21
You have been consulted to develop a security model to ensure information flow integrity in a newly formed financial institute. The company has categorised its staff and objects into the following categories: Top Secret (TS), Secret (S), Confidential (C), and Unclassified (UC) as the security/integrity clearance levels with decreasing privileges, and Financial (FIN), Executive (EXE), Marketing (MAR) and Operational (OPR) as object categories.
The following table explains integrity clearances for subjects and integrity classification for objects in the company.
Subject              Security Level   Category
Top Executives       TS               FIN, EXE, OPR, MAR
Finance staff        SC               FIN
System programmers   C                OPR
Operations staff     UC               OPR

Object               Security Level   Category
production_code      TS               OPR
security_policy      TS               EXE, OPR
payroll_db           SC               FIN
bank_info            C                FIN
door_locks           C                OPR
public_media         UC               OPR, MAR
staff_welfare        UC               FIN, OPR
If the company has decided to follow the Biba security model, draw the access permission matrix that includes all subjects and objects listed above with Read (R) and/or Write (W) permissions. [3 marks]
Question 22
Provide a short answer with your reasoning for agreement or disagreement with the following statement related to the developed Biba security model. [0.5 marks]
"Bob, as a top executive, can read staff welfare documents which are stored in staff_welfare".
Question 23
Ronda is a marketing specialist at the company. Ronda’s job role requires her to read and write to public_media documents. What should be the security level and category assigned to Ronda according to the Biba model? Explain your reasons. [0.5 marks]
Section 4
Question 24
HLFinace Ltd is a company that provides home loan consultancy. The recently appointed management executives ordered an audit of information systems with a specific focus on security. The recent audit found that the company’s IT systems consisted of a wide variety of hardware makes/models and software versions. Many of these were very old and most were not covered by service/maintenance agreements from their respective vendors. While the company’s staff numbered 530, the records appeared to indicate a total of 634 user accounts actively being used. The anti-virus software installed on workstations that are connected to the Internet was up to date, but most of the backup servers, which are not connected to the Internet, had not been updated recently. However, there had not been any incidents/failures in the past requiring restoration of data from such backups.
As an information security consultant, list three actions you would recommend the company should initiate immediately. Please provide a short summary of your reasons for making the recommendations. [3 marks]
Question 25
Assuming that there were no security policy violations according to the current security policy, write three statements that you would recommend to be added to the security policy of HLFinace Ltd. (Note the difference between security policy and procedures in writing the statements.) [3 marks]