Security, Risk Management and Control in Electronic Commerce

Security, Risk Management and Control in Electronic Commerce

Paper instructions:

This is an exam with a short answers.

The required is rewrite the answers with more explanation to cover well the required of theses questions with a totally different way (By using the other

vocabularies aim to giving the same answers mean PLUS more explanation).

The plagiarism from the answers in the uploaded document is totally unacceptable.

Security, Risk Management, and Control in Electronic Commerce

Part A: Short Answer- this part consists of 4 questions. Each question is worth 5 marks. You must attempt  all 4 questions for a total  of  20 marks.

1.    (5 points) Risk Strategies
Analyze each of the following situation in terms of risk exposures.  Identify and explain the risk management  approaches that would be the most appropriate (cost

effective) for each situation.
Situation    Selected approach and justification of the choice
A space shuttle, when entering earth’s atmosphere caught fire. The black box , which logs all states of the shuttle, flew off and presumably landed somewhere on earh.
At a university,  the new student couyrse registration system ran into implementation delays by two weeks. It was rolled out on the first day of registration for the

next semester. Until noon that day, the system was down. Those students with first priority could not register on time.
Microsoft informed  company X that based on its calculation, it estimates  compmay X shlould have more  software licences that Microsoft customer record shows.
A subcontarctor who worked in the compant IS department had access to sensitive files. On his last day, he emailed  the company’s customer to himself.

2.    (5 points) Chinese wall policy
Suppose you work for a company with a Chinese wall security policy with clients in the following conflict classes:
?    { Cadbury, Nestle }
?    { Ford, Chrysler, GM }
?    { Citicorp, Credit Lyonnais, Deutsche Bank }
?    { Microsoft }
Assume that Ted, an analyst of the company,  has previously worked on cases for Nestle and Citicorp, and he is  awaiting   for a new assignment.
Question 1
As the security officer of the company, list any of the company’s clients for whom Ted will  not be  able to work as his next assignment.  You can assume that Ted can

work for a client for whom he has  previously worked.

Question 2
Assume that two of your colleagues Ali and Sally are currently working on the following cases:
?    Ali is working on Neslte, GM, and CitiCorp.
?    Sally is working on Nestle,  GM, and Credit Lyonnais
Your job is to determine the read/write/execute rights of Ali and Sally on the different objects.

3.    (5 points) Security Models
The Graph below represent the security levels of the staff ina large organization.
The arrows represent a specific operation.
By examining the graph below, can you determine which security model  applies  given that :
a)    The  operation represented by the arrow is a write statement? Justify your answer

b)    The   operation represented by the arrow is a read statement? Justify your answer

4.    (5 points) Contingency Planning
You are the Chief  Information Security Officer  of an E-commerce Company. You have received notification from your network security administrator  of a worm attack.

The message says:
?    the anti-malware softwarev had detected a worm atatck. The incident response team tried  to stop the worm unsuccesfully.
?    The worm has  spread through a software vulnerability in database management system software you are running on twenty computers on the network.
?    When the attack is discovered, the worm has infected three database servers, including a mission critical server that is not redundant.
Your network security administrator  has  launched  the disaster recovery plan. Since he is a new hire, you want to make sure that:
?    he follows just the required steps  of the plan
?    he follows them in the proper order
Your task will be to identify the steps  he  should take  and  to rank them by the order in which he  should take them.
You  will  do so by:
?    Placing  a number next to each step.
?    Placing  an X next to the actions you should not perform.
Since you are mentoring this new manager,   you will also justify  the choice of the required steps as well as the way you ranked them.
Action     Should be performed (yes/no)    Ranking if it should be performed
Shut down all infected systems.
Notify management.
Remove all infected systems from the network.
Visit the vendor’s website to locate a security update.
Reformat all infected systems.
Replace all infected systems with spares.

Part B: Problem. This part  consists of 4 problems. each problem is worth 12.5 marks. You mut attempt all 4 problems for a total of 50 marks.

1.    (13 points) Qualitative risk analysis
Consider an e-commerce Web site that normally runs seven days a week, 24 hours a day, generating an average of $2,000 per hour in revenue from customer orders.
?    Experience has shown that the site becomes unavailable due to   operating systems failure three times a week.
?    At each operating system failure, the site is unavailable for 2 hours.
?    In addition, the company estimates that upon a failure, it would spend $10,000 on advertising to counteract the negative publicity from such an incident.
?    An upgrade of the operating system will eliminate the threat, but it will cost the company 1000,000 dollars a year.
The company has also a farm of backup servers for its data mining activity.
?    This farm of servers is valued at 1,500,000 dollars.
?    It is estimated that a fire will result in damages worth 85 %   to this asset.
?     Inspectors from the Fire Department have estimated that a fire can occur once every two years in the present situation.
?    You received a proposition of a fire prevention system that would reduce likelihood of a fire to once every 5 years with damages of only 15% of the asset. The

fire prevention system costs 1,750,000 dollars
The same e-commerce server faces the threats  of programming mistakes. In the past, experience has shown that programmer’s mistakes occur  about ten times a month, and

that each mistake leads to the web site unavailability for half an hour.  You have leanrt about a training program for your programmers  that would cut by 90%  the

occurrence of  programming errors by your programmers.
This program costs $ 4000,000
As the Information Security Officer, you are to conduct a risk analysis to determine whether to accept or reject the solutions offered. Base your decision on a

cost/benefit analysis.

2.    (13 points) Digital Signature
Comparing Digital signature (DS)  and Message authentication codes (MAC).
Asuume that  Oscar is able to observe all messages sent from Bob to Alice and Vice versa.
Oscar has no knowledge of any keys except the public ones in case DS is used.
State  whether  and how (i) DS and (ii) MAc protect against each type of attack. The value of Auth(x) is computed  with DS or a MAC algortithm respectively.
You can assume that When Alice signs a message , she uses her privte key.
You can also assume that when a MAC algorithm is used,  the MAC algorithm uses a secret (symmetric) key known to both parties included in the communication. You can

asssume that:
Alice and Bob use a key Kab  when  they use the MAC algorithm.
Alice and Oscar use a key Kao when  they use the MAC algorithm.

Scenarios    Result of the scenario if a digital signature is used for the Authentication(X)    Result of the scenario if a Message Authentication Code  MAC is used

for the Authentication(X)
Message Integrity:  Alice sends a message X=” Transfer 1000 dhs to Mark” in the clear, and also sends Auth(X) to BOB.
Oscar intercepts the message, and replaces “Mark” with “Oscar”.  Can  Bob detect this?
Replay:  Alice sends a message X=” Transfer 1000 dhs to Oscar ” in the clear, and also sends Auth(X) to BOB. Oscar observes the message and signature and sends the

message 100 times to Bob. Will Bob detect this?
Sender Authentication with cheating third party:
Oscar claims that he sent some message X with a valid Auth(X) to Bob but Alice claims the same. Can Bob clear the question with either case?
Authentication with Bob Cheating: Bob claims that he received a message X with a valid signature Auth(X) from Alice ( e.g., “Transfer 1000  dh from Alice to Bob”)  but

Alice claims she never sent it. Can Alice clear this  question in either case?

3.    (13 points) Firewalls
SMTP ( Simple mail transfer protocol) is the  standard protocol for transferring mail between hosts over TCP. A  TCP connection is set up between a user agent and a

server program. The server listens on TCP port 25 for incoming connection requests. The user end of the connection in on TCP port  number above 1023. Suppose you wish

to build packet filter rule set allowing inbound and outbound  SMTP traffic. You generate the following rule set:

Rule     direction    Src addr    Dest addr    Protocol     Dest port    Action
A    In    External    Internal     TCP    25    Permit
B    Out     Internal     External    TCP    > 1023    Permit
C    Out    Internal     External    TCP    25    Permit
D    In    External    Internal     TCP    >1023    Permit
E    Either    Any    Any     Any    Any    Deny

1.    Describe the effect of each rule

2.    Your host has IP address 172.16.1.1.   Someone tries to send e-mail from a remote host with IP address 192.168.3.4. If successful, this generates an SMTP

dialogue between the remote user and the SMTP server on your host consisting of SMPT commands and mail. Additionally, assume that a user on your host tries to send e-

mail to the SMTP server on the remote system.

3.    Four packets are shown in the table below. For each packet indicate which packets are permitted, which are denied, and which rules were used.

Packet     Direction     Src addr    Dest Addr    Protocol    Dest port    Action
1    In    192.168.3.4    172.16.1.1    TCP    25    ?
2    Out     172.16.1.1    192.168.3.4    TCP    1234    ?
3    Out     172.16.1.1    192.168.3.4    TCP    25    ?
4    In    192.168.3.4    172.16.1.1    TCP    1357    ?

4.    Someone from the outside world( 10.1.2.3) attempts to open a connection from port 5150 on a remote host to the web proxy server on port 8080on one of your

local hosts (172.16.3.4) in order to carry out an attack. Typical packets are:
Packet     Direction     Src addr    Dest Addr    Protocol    Dest port    Action
5    In    10.1.2.3    172.16.3.4    TCP    8080

6    Out     172.16.3.4    10.1.2.3    TCP    5150

4.    (13 points) Intrusion Detection Systems (IDS’s)
When searching for an purchasing an IDS, you need to know a little about how an IDS works. There are two methods used by IDSs to detect potential attacks:
?    knowledge-based
?    or behavior-based.
Understanding the differences and similarities between the two can help you make the right decision for your requirements.
Question
The table  below has two entries , one for each type of IDS’s.  You are also provided with a a list of statements that describe one or both of them. Check the boxes

for the letters that best describes each type of IDS
Statements
A. Requires signature updates.
B. Can detect new or original attacks.
C. Generally has a lower rate of false positives.
D. Also called a statistical anomaly IDS.
E. Can be added to the network as an inline NIDS.
F. Works best on a network with consistent access patterns.
G. Also called a signature-based IDS.
IDS Types    A    B    C    D    E    F    G
Behavior-based
Knowledge-based

Location of an IDS
The position of an IDS on the network will determine how effective it is at detecting suspicious activity that is an actual threat to a network resource. The  figure

belwo show the network diagram of a Dubai Limited, a trading company in Dubai.
?    Server1 and Server3 are file servers.
?    Server2 is a remote access server used by employees who are working from home or distant locations.
Possible locations for an IDS are shown as boxes labeled A through E.

Network Diagram of Dubai limited

Table 8 contains a list of statements that apply to one or more of the positions indicated in Figure 12-1. Check the boxes for the letters that best describes each

type of IDS.

Table 8. Description of IDS’s
Statements    A    B    C    D    E
Can identify potential attacks with Server2 as the target.
Best for analyzing the effectiveness of the firewall between the Internet and the perimeter network.
Known as a host-based IDS.
Best for protecting against attacks against Server1, Server2, or Server3 that have breached both firewalls.
Will generate too many alarms to be useful.
Known as a network-based IDS.
Can detect a potential attack through a dial-in connection.

Part C: Essay- This part consists of three questions. You must attempt the mandatory question worth 20 marks plus one optional question woth 10 marks.

1.    (20 points) CISCO Case Study
a)    Why did Cisco Systems transit from standalone physical access control systems to an IP networked systems?
b)    What challenges did Cisco Systems face in order to solve the physical security problems?
c)    How did the new architecture solve the physical access control problem? Explain.
d)    How did Cisco Systems solve the physical security problems?
e)    What security technologies did Cisco deploy to control building security?
f)    Even though the employees in the Cisco Systems have doubled the STS team remains the same, why?

2.    (8 points) Working with Proxy Servers and Application-Level Firewalls
Ron Hall was dreaming of his next vacation. He had been working for Andy Ying, the manager of the security consulting group, on a very demanding project for nearly six

months. Today he finally finished the work and had a few minutes to surf the Web to plan his upcoming trip to New Zealand. Ron knew that ATI did not allow

indiscriminate Web surfing and that they used a proxy server to ensure compliance with this policy, but he felt he had earned this treat and believed that Andy would

have no problems with a little recreational Web surfing. Besides, it was almost 5:00 and nearly time to go home. Google was allowed by the proxy server, so Ron went

there to start his search. He typed in “new zealand vacation spots.” Faster than he could blink, the giant search engine Google came back with a list of relevant

links. The first entry looked promising: “New Zealand Tourism Online: New Zealand Travel Guide.” But the second one looked even better: “New Zealand Pictures.” He

clicked that URL. No pictures opened up. No green valleys. No coral reefs. No gorgeous mountains. Just a plain white screen with black letters that read:
“ACCESS PROHIBITED—CONTACT PROXY SERVER ADMINISTRATOR FOR INSTRUCTIONS ON HOW TO ACCESS THE REQUESTED CONTENT.”
Ron was not surprised, but he had hoped. He clicked the “Back” button and tried the next link. He got the same message. He tried three or four more times and then

realized he was not getting any pictures today. Ron got to his desk a little early the next morning. He turned on his PC and went to get a cup of coffee while it

booted up. When he got back he opened his email program. In the list of new email was a note from the network security group. He opened the message and saw it had been

addressed to him and to Andy Ying, his boss. It also had a CC to the HR department. The message said:
“Recently, your account was used to access Web content that has not been approved for use inside ATI. We are asking you to explain your actions to your supervisor. You

are encouraged to enroll in a class on appropriate use of the Internet at ATI at your earliest convenience. Until you complete the class or your supervisor contacts

this office, your network privileges have been suspended. If this access attempt was for legitimate business purposes, please have your supervisor notify us at once so

that this Web location can be added to the ATI approved Web locations list.”
What a hassle. Ron did not look forward to his conversation with Andy.
Questions:
?    Does the ATI policy on Web usage seem harsh to you?
?    Why or why not?
?    Do you think Ron was justified in his actions?
How should Andy react to this situation if Ron is known to be a reliable and a diligent employee?

3.    (8 points) Authenticating Users
Niki Simpson was in the conference room waiting for the training session to begin. She was at the session because her user account credentials had been used by an

unidentified attacker, attempting to access the school computer system. She had been an employee of the local school district for 12 years, and this was her first

formal training in information security. Three hours and thirty minutes later, Niki closed her workbook.
The trainer said, “And that concludes the basic information security training session for school district employees. Are there any questions?”
Niki raised her hand. When the trainer acknowledged her, she said, “OK. I understand that the district policy is to have a twelve character password of nonsense

syllables that are changed by the system every 30 days. I also understand we are not supposed to write the new passwords down on anything. Any suggestions on how I am

supposed to remember this password?” The trainer said, “I really can’t say. I suppose you’ll just have to memorize the new password before you clear the screen when it

is assigned to you.”
Niki’s mouth dropped open. She said to the trainer, “That’s easy for you to say, but I think I’m going to have a hard time with that.” The day after her remedial

security class, Niki got a call at her office from the help desk. The technician on the other end said that her account had been reset and she could log on again and

her temporary password would be her employee ID number and then the last 4 digits of her social security number.
A short while later,  she was ready to try to connect to the system for the first time in a week—her access had been suspended until she took the training class.  She

turned on her computer, and after it had booted, she entered her username and password as instructed. The next screen that opened said that her password had been

reset. It displayed her new password as a series of twelve letters, numbers, and special characters, and then provided a brief mnemonic nonsense phrase. She saw:
HA YU M2 KA Y! I7
Hello All, You’re Unhappy, Me Too, Keep Apples, Yes Bang, It’s Seven.
Questions
?    Does the school district’s password policy seem to be effective, considering the needs of the employees affected?
?    How would you suggest the district IT department adjust its password approach? Consider how your recommendations might improve or degrade compliance with the

policy.
?     How would your suggestions alter the strength of the passwords?

Security, Risk Management, and Control in Electronic Commerce

Answer Section

SHORT ANSWER

1.    ANS:
Situation    Selected approach and justification of the choice
A space shuttle, when entering earth’s atmosphere caught fire. The black box , which logs all states of the shuttle, flew off and presumably landed somewhere on earh.

A. Risk reduction.  Proactive measures can be taken to prevent a loss from occurring and minimizes the losses from the consequences of a risk.
At a university,  the new student couyrse registration system ran into implementation delays by two weeks. It was rolled out on the first day of registration for the

next semester. Until noon that day, the system was down. Those students with first priority could not register on time.    B.  Risk reduction will save the system due to

implementation problems.  At the reduced level, the risk still needs to be managed, using either risk retention or risk transfer.
Microsoft informed  company X that based on its calculation, it estimates  compmay X shlould have more  software licences that Microsoft customer record shows.    C.

Risk retention.  Absorbing the consequences of any exposures within it may be more cost effective to use risk retention depending on the differences of licenses versus

non licensed software.  If the difference is high, risk sharing may be the next step.
A subcob=ntarctor who worked in the compant IS department had access to sensitive files. On his last day, he emailed  the company’s customer to himself.    D.

Risk reduction.  In this instance, taking away the subcontractor’s privileges to prevent a loss from occurring helps eliminate risk in a cost effective manner.

PTS:    5    REF:    rav 2, E 2

2.    ANS:
see lecture
Chinese wall policy
Suppose you work for a company with a Chinese wall security policy with clients in the following conflict classes:
?    { Cadbury, Nestle }
?    { Ford, Chrysler, GM }
?    { Citicorp, Credit Lyonnais, Deutsche Bank }
?    { Microsoft }
Assume that Ted, an analyst of the company,  has previously worked on cases for Nestle and Citicorp, and he is  awaiting   for a new assignment.
Question 1 5 marks
As the security officer of the company, list any of the company’s clients for whom Ted will  not be  able to work as his next assignment.  You can assume that Ted can

work for a client for whom he has  previously worked.
Answer:
Let
?    CC1={ Cadbury, Nestle }
?    CC2={ Ford, Chrysler, GM }
?    CC3={ Citicorp, Credit Lyonnais, Deutsche Bank }
?    CC4={ Microsoft }
Ted has worked on cases related to Nestle from CC1 and Citicorp from CC2. Thus, he will not be able to work on the following companies:
?    Cadbury from CC1
?    Credit Lyonnais, , Deutsche Bank  from CC2

Question 2
Assume that two of your colleagues Ali and Sally are currently working on the following cases:
?    Ali is working on Neslte, GM, and CitiCorp.
?    Sally is working on Nestle,  GM, and Credit Lyonnais
Your job is to determine the read/write/execute rights of Ali and Sally on the different objects.
Write property 2 marks
8marks    credit Lyonnais 1 marks/  Citicorp  1 marks  others: 2/3 mark
Neslte    GM    CitiCorp    Credit Lyonnais    Microsoft
Ali     RE    RE    RWE        RE
Sally     RE    RE        RWE    RE

PTS:    5

3.    ANS:
The Graph below represent the security levels of the staff ina large organization.
The arrows represent a specific operation.
By examining the graph below, can you determine which security model  applies  given that :
a)    The  operation represented by the arrow is a write statement? Justify your answer
if the operation is a write statement,  there is a write down   –     BIBA model
information is flowing from upper levels to lwoer levels. This is valid in the bIBAl model.

b)    The   operation represented by the arrow is a read statement? Justify your answer
if the operation is a read statement    there is a read down          BLP Model.
A read down is allowed in the BLP model.

PTS:    5

4.    ANS:
_________    Shut down all infected systems.
_____1____    Notify management.
_____2____    Remove all infected systems from the network.
_____4___    Visit the vendor’s website to locate a security update.
_________    Reformat all infected systems.
_____3____    Replace all infected systems with spares.

PTS:    5

PROBLEM

1.    ANS:
k

PTS:    13

2.    ANS:
Scenarios    Result of the scenario if a digital signature is used for the Authentication(X)    Result of the scenario if a Message Authentication Code  MAC is used

for the Authentication(X)
Message Integrity:  Alice sends a message X=” Transfer 1000 dhs to Mark” in the clear, and also sends Auth(X) to BOB.
Oscar intercepts the message, and replaces “Mark” with “Oscar”.  Can  Bob detect this?    will be detected    will be detected
Replay:  Alice sends a message X=” Transfer 1000 dhs to Oscar ” in the clear, and also sends Auth(X) to BOB. Oscar observes the message and signature and sends the

message 100 times to Bob. Will Bob detect this?    wont be detectded    wont be detectded
Sender Authentication with cheating third party:
Oscar claims that he sent some message X with a valid Auth(X) to Bob but Alice claims the same. Can Bob clear the question with either case?    (i) DS: Bob simply has

to verify the message with the public key from both.
Obviously, only Alice’s public key results in a successful verification.
(ii) MAC: Bob has to challenge both, Oscar and Bob, to reveal their secret key to
him (which he knows anyway). Only Bob can do that.

Authentication with Bob Cheating: Bob claims that he received a message X with a valid signature Auth(X) from Alice ( e.g., “Transfer 1000  dh from Alice to Bob”)  but

Alice claims she never sent it. Can Alice clear this  question in either case?    DS: Alice has to force Bob to prove his claim by sending her a copy of the
message in question with the signature. Then Alice can show that message and
signature can be verified with Bob’s public key ) Bob must have generated the message.    (ii) MAC: No, Bob can claim that Alice generated this message.

hha. Will be detected with both (i) DS and (ii) MAC.
b. Won’t be detected by either (Remark: use timestamps).
c. (i) DS: Bob simply has to verify the message with the public key from both.
Obviously, only Alice’s public key results in a successful verification.
(ii) MAC: Bob has to challenge both, Oscar and Bob, to reveal their secret key to
him (which he knows anyway). Only Bob can do that.
d. (i) DS: Alice has to force Bob to prove his claim by sending her a copy of the
message in question with the signature. Then Alice can show that message and
signature can be verified with Bob’s public key ) Bob must have generated the
message.
(ii) MAC: No, Bob can claim hat Alice generated this message.

PTS:    13

3.    ANS:
Firewalls
SMTP ( Simple mail transfer protocol) is the  standard protocol for transferring mail between hosts over TCP. A  TCP connection is set up between a user agent and a

server program. The server listens on TCP port 25 for incoming connection requests. The user end of the connection in on TCP port  number above 1023. Suppose you wish

to build packet filter rule set allowing inbound and outbound  SMTP traffic. You generate the following rule set:

Rule     direction    Src addr    Dest addr    Protocol     Dest port    Action
A    In    External    Internal     TCP    25    Permit
B    Out     Internal     External    TCP    > 1023    Permit
C    Out    Internal     External    TCP    25    Permit
D    In    External    Internal     TCP    >1023    Permit
E    Either    Any    Any     Any    Any    Deny

1.    Describe the effect of eac

Get a 10 % discount on an order above $ 100
Use the following coupon code :
WIZARDS35