Introduction to cyber security

You can see the instructions in the uploaded files. And here is the link to the book: https://people.scs.carleton.ca/~paulv/toolsjewels.html
Homework: Policy and Risk
1. (Topic: Command Injection) Consider command injection and SQL injection vulnerabilities. Explain the role of string concatenation in these vulnerabilities.
2. (Topic: Risk) A company has detected several security issues. One issue is that the data archive system has a backdoor that could allow an employee to gain access to the system. Another issue is that the customer portal web server is running an old version of the Apache Web Server software that has a known vulnerability that, in a special situation, allows an attacker to gain access to the server. Use the ideas of risk to discuss how one can decide which security issue should be addressed first. Note that there is no definitive answer as to which issue gets a higher priority without more information. Your answer should include some discussion of what could make one issue get higher priority than another.
3. (Topic: Risk, Code Signing) By some accounts, the SolarWinds attack is the largest and most advanced cybersecurity attack ever. Explain the role of code signing in that attack.
4. (Topic: Policy) Check the workstation policy (see link on class web page https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt80be505a65368218/5e9dffd845a2a97194a1dacd/workstation_security_for_hipaa_policy.pdf). Background: This is for a HIPAA compliant workstation, e.g., a workstation with health records, where we seek a high degree of privacy.
a) Describe how violations are detected.
b) Go through the appropriate measures listed in section 3.3 (focus only on the measures listed below) and tag them as
§ Enforceable with a security mechanism: yes/no
· If yes, is it a technical or procedural mechanism?
· Briefly describe the mechanism (a very short sentence, a few words, or, if needed, a few sentences)
§ Useful for cybersecurity: yes/no
For these questions, focus only on the following measures:
· Restricting physical access to workstations to only authorized personnel.
· Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access.
· Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected.
· Complying with all applicable password policies, specifically that passwords have 13 characters including both lower-case and upper-case letters, numbers, and symbols.
· Complying with all applicable password policies, specifically that passwords are not shared with other people and that password managers are used to store all passwords.
· Ensuring workstations are used for authorized business purposes only.
· Never installing unauthorized software on workstations.
· Keeping food and drink away from workstations in order to avoid accidental spills.
· Installing privacy screen filters or using other physical barriers to alleviate exposing data.
· Ensuring workstations are left on but logged off in order to facilitate after-hours updates.
· Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup) to ensure protection from electrical/thunder storms.
5. (Topic: Policy) In the SANS examples of policy, the database credentials policy states
“Database user names and passwords may be stored in a file separate from the executing body of the program’s code. This file must not be world readable or writeable.”
A solution that satisfies this requirement is to store the database username and password in a file where the file is encrypted and the password (or key) used to decrypt that file is stored as plain text in the source code. Explain how this approach will or will not protect access to the database in the scenarios below.
a) The attacker is a software developer intern who is adding some functionality to the software.
b) The attacker is an outside hacker who has gained access to the application server.
6. (Topic: Policy) What is the difference between a security policy and security mechanism? Explain the difference between technical and procedural security mechanisms. Give examples.
7. (Topic: Incident Response) Which steps of an incident response must be prepared for in advance?
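For question 1, the following added example (not part of the assignment or the textbook) shows what string concatenation does in both settings: a SQL query and a shell command line built by pasting input into a string, beside the parameterized and quoted forms. The users table and the name "O'Brien" are constructed for the demonstration; no command is executed, the shell case only tokenizes the line with shlex.

```python
import shlex
import sqlite3

# Constructed demo table; not from the assignment or the textbook.
DEMO_ROWS = [(1, "alice"), (2, "O'Brien")]


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", DEMO_ROWS)
    return conn


def lookup_concat(conn, username):
    # Concatenation: the input is spliced into the SQL text, so a quote in it is
    # read by the SQL parser as part of the statement, not as part of the name.
    sql = "SELECT id FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    # Parameter binding: the statement text is fixed; the input is bound as a value.
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()


def concat_changes_statement(username):
    # True when the concatenated statement no longer parses as the intended query.
    try:
        lookup_concat(build_demo_db(), username)
        return False
    except sqlite3.OperationalError:
        return True


def command_concat(arg):
    # Same pattern for a shell command: data pasted straight into the command line.
    return "echo " + arg


def command_quoted(arg):
    # Hardened form: shlex.quote keeps the argument a single token for the shell.
    return "echo " + shlex.quote(arg)


def shell_tokens(command_line):
    # Tokenize the way a POSIX shell would, without running anything.
    # Returns None when the line cannot be parsed as a command.
    try:
        return shlex.split(command_line)
    except ValueError:
        return None
```

With concatenation, the name containing a quote breaks the SQL statement and the shell line, and a name containing a space becomes two shell arguments; with binding or quoting, the same input stays a single data value.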