LA TROBE UNIVERSITY SEMESTER TWO EXAMINATION PERIOD. Unit Code: CSE3ENS Paper No: 1/1 CAMPUS AW BE BU MI SH ALLOWABLE MATERIALS

Transcription

1 RESTRICTED USE LA TROBE UNIVERSITY SEMESTER TWO EXAMINATION PERIOD 2011 Student ID: Seat Number: Unit Code: CSE3ENS Paper No: 1/1 Unit Name: Paper Name: Reading Time: Writing Time: Encryption and Network Security Encryption and Network Security 15 minutes 2.5 hours No. of Pages (including cover sheet): 8 (Eight) OFFICE USE ONLY (FACULTY/SCHOOL STAFF): CAMPUS AW BE BU MI SH ALLOWABLE MATERIALS Number Description 92 STUDENTS MAY MAKE NOTES DURING READING TIME (NOT ON SCRIPT BOOKS OR MULTIPLE CHOICE ANSWER SHEETS) INSTRUCTIONS TO CANDIDATES 1. This paper contains 2 sections. Students should attempt all questions in both sections. 2. Marks for this paper total 120. Questions are NOT of equal marks. 3. Sixty percent (60%) of the final assessment for this subject will be based on this examination paper. 4. No reference material may be used. 5. Any assumptions made in answering questions should be stated. This paper MUST NOT BE REMOVED from the venue

2 Section A: Network Security Answer this section in a different script book, labeled Section A Question 1 Basic Security Concepts Kevin Mitnick was one of the most famous of the early hackers, however (and by his own admission) he wasn t really a computing genius. What type of security attacks would (and did) someone like Mitnick commonly employ to break into secure systems? Upon connecting to a certain mail server on TCP port 25, you observe the following (line wrapped for clarity): 220 relay.xyz.com.au ESMTP Sendmail /8.12.8; Mon, 17 Oct :06: What information does this provide to an attacker and why is it considered to be a potential security risk? (d) (e) A dictionary attack can, in some circumstances, be used to discover important system passwords. However before such an attack can proceed, two prior conditions have to be met. What are these conditions? When an attacker gains control of a system, his/her first action is often to install a rootkit, (i) Briefly describe the purpose of a rootkit, identifying the primary steps that it will take when installed on the compromised host. (ii) Why is it difficult for a system administrator to discover that a rootkit has been installed? (iii) Assume that you are a system administrator who has discovered that a system under your control has been compromised and a rootkit has been installed. What, in general terms, should your first few actions normally be upon discovering the break-in? Explain briefly. Most professionals within the computer security arena believe in Responsible Full Disclosure. What is meant by this term? Explain briefly. ( (2 + 2) + ( ) + 3 = 20 Marks) Page 2 of 8

3 Question 2 Attack Characteristics Following modern best practice, a well-designed Web server will start out running as root in order to bind to TCP port 80, after which it lowers its credentials to that of a non-privileged user account (typically www or nobody ) prior to serving files via HTTP requests. (i) (ii) What is the generic name for this procedure? Why would the programmer of the daemon go to the additional effort of doing this, when they could simply check a file s permissions (to make sure it is world readable) before serving it in response to a request? (d) The security of many Internet protocols relies heavily on the host s ability to generate truly random numbers. Briefly describe one possible attack that could possibly succeed if the random numbers in use can be easily guessed by an attacker. Several successful Denial of Service security attacks have employed packets that carry fake source IP addresses. Describe briefly one such attack indicating why the faked source address was important, and mentioning any other conditions that were required for the attack to succeed. A buffer overflow 1 attack can allow an attacker to execute arbitrary code on a compromised system. All buffer overflows are complicated and unique, so it s difficult to generalise about their characteristics, but they do share some features. Answer the following questions in relation to this type of attack: (i) (ii) A buffer overflow can only succeed if the programmer who wrote the vulnerable code made a fundamental (but well-known and understood) mistake. In general terms, what is this coding error? Describe briefly (possibly using a simple diagram to illustrate your answer) how the attack is carried out, and show how it can allow the attacker s code to be executed. ((3 + 3) (4 + 4) = 20 Marks) 1 Also known by a variety of other names such as as a buffer overrun or stack overflow Page 3 of 8

4 Question 3 Firewalls and Network Security Packet filtering in firewall routers can be based on the original technology of packet filtering, or on the more recently developed technique of stateful packet inspection. (i) (ii) Explain briefly how the original packet filtering technique works, and briefly mention its limitations. Describe how stateful packet inspection works, and identify the advantages it provides in terms of network security. In particular, you should detail how states are created and removed by the firewall. What techniques do Virtual Private Networks (VPNs) use in order to securely interconnect private/internal networks (and give the illusion that they are directly connected), even though they are connected via the global Internet? In our lectures and tutorials, we introduced the concept of a DMZ-firewall structure. As you will recall, the components of this structure include a gateway or border router (R1), an interior router (R2) and an intermediate DMZ network interconnecting them. In the DMZ we usually find a bastion host, and other security-related equipment. (i) (ii) What characteristics would you expect the bastion host to have? The interior (R2) router located between the DMZ and the organisation s Intranet (or internal network) is the most crucial to overall security. Explain briefly. ((4 + 4) (4 + 4) = 20 Marks) End Of Section A Page 4 of 8

5 Section B: Information Security Answer this section in a different script book, labeled Section B All questions in this section carry equal marks Q1: What is the current series of ISO standards specifically relating to Information Security? Q2: According to the Information Security related ISO standards, Information security includes three main dimensions:. What are those three (3) dimensions? Q3: In relation to Information Security, what is the CIA-Triad? Q4: Which of the following best defines: Confidentiality? preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; ensuring timely and reliable access to and use of information. Q5: Which of the following best defines: Availability? preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; ensuring timely and reliable access to and use of information. Q6: Which of the following best defines: Integrity? preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; ensuring timely and reliable access to and use of information. Q7: What were the three (3) Information Security Objectives highlighted in the lectures? Page 5 of 8

6 Q8: What were the key aspects of the role of Information Security highlighted in the lectures? Q9: What were some of the key differences between Network and Information Security highlighted in the lectures? Q10: What were the four (4) functions of the example Information Security Practice highlighted in the lectures? Q11: From the example Information Security Practice highlighted in the lectures, which one of the four (4) functions could be described as...the development, implementation and management of the Information Security Structure -- Principles, Security Organisation, Information Security Policy, Standards & Guidelines, Engagement Model, Toolkit, and Policy review, etc...? Q12: From the example Information Security Practice highlighted in the lectures, which one of the four (4) functions could be described as...the development and delivery of a targeted organisation wide security education program...? Q13: From the example Information Security Practice highlighted in the lectures, which one of the four (4) functions could be described as...utilising the model developed in the Framework, this is the implementation and management of an engagement model for formal project & adhoc consultancy...? Q14: Which one of the four functions of the example Information Security Practice highlighted in the lectures could be described as...utilising the model developed in the Framework, this program assess business processes and organisational systems against internal policy; including the assessment of the Information Security Practice maturity...? Q15: In the example Information Security Framework highlighted in the lectures, there were eight (8) components. From the two lists below, match each component with its correct description. COMPONENTS: Information Security Principles. Information Security Organisation. Information Security Policy Information Security Committee. Information Security Team Overview. Minimum Security Requirements. Information Security Standards & Guidelines. Information Security Team Tool Kit. Page 6 of 8

7 DESCRIPTIONS: An extensive list of controls to cover off the security/legal/legislative/compliance requirements as stated in the policy. As the name suggests, a bunch of tools (documentation templates and profromas) to assist with regularly repeated tasks. The formalisation of the organisational Information Security roles, responsibilities and reporting structures. The executive and senior management obtain the appropriate information during the relevant forums and reporting structures which ensures all aspects of security, and related issues are adequately addressed. A high level statement of intent which states goals on key areas or objectives in general terms. An overiview of the purpose of the team; where the team sits in the organisational structure; the team members roles; staff numbers; who they report to and a Vision/Mission/Charter type document. A high level document that sets out the 10,000 foot view of the current state and future direction of the Information Security practice. Internally developed standards, and their supporting guidelines, establish measurable controls and requirements to achieve policy objectives. Q16: What type of management is a Formalised Document Hierarchy used for? Q17: In the example Information Security Classification Standard highlighted in the lectures, what were the four (4) Classification Ratings? Q18: What were the three (3) Information Security Biggest Challenges highlighted in the lectures? Q19: What were the five (5) stages of the Maturity Model highlighted in the lectures? Q20: What does PCI-DSS standard for? Q21: What is a Service Catalogue? Q21: What is professed to be the weakest link in the Information Security Awareness chain? Q22: There were five (5) tiers defined in the Formalised Document Hierarchy used in the lectures. Match the description to the relevant Tier. THE TIERS: Page 7 of 8

8 Tier 1; Tier 2; Tier 3; Tier 4; Adhoc ; THE DESCRIPTIONS: One off, single use documents. Mid-level Standards and Guidelines High-level Policy documents Top-level Strategies, Principles & Framework documents. Lower-level Procedures and Work Instructions. End Of Section B Page 8 of 8