Foundations of Information Security and Assurance Final Exam Solution 





You are to take this test during 12/12 – 12/18. Work alone. You must not confer with other class members, or anyone else, directly or by e-mail or otherwise, regarding the questions, issues or your answers. You may use your notes, textbooks, other published materials, the LEO site for this class, and the Internet.

The test is due no later than 11:59 p.m. Eastern Daylight Time on 12/18/2016. Your answers should be contained in a Microsoft Word or compatible format document (no PDF file please) uploaded to your LEO Assignments folder. Be sure to put your name on the front of your exam.

The file name of your answer should be in the following format: INFA610_Final_Firstname_Lastname (e.g. INFA610_Final_Henry_Tsai).

General or logistical questions about the exam or these instructions should be posted in the Q&A Conference. Please submit specific or detailed questions regarding the exam to me at  If questions submitted via email are applicable to all, your instructor will post them in the LEO  Q&A Conference area, without revealing their source.

Part 1:   True and False Questions.  Write your answer, “T” or “F”, to each question in the following Answer Table.    (10 questions at 2 points each, 20 points totally)

1.       A one-time pad is a safe house used only once by an undercover agent.

2.       AES uses the Indirect-Rijndael algorithm.

3.      A hash algorithm uses a one-way cryptographic function, whereas both secret-key and public-key systems use two-way (i.e., reversible) cryptographic functions.

4.      In terms of privacy laws, companies have no advantage over the government in terms of the types of data that a company can collect.  Public companies and governments are subject to the same laws and statues (i.e. HIPPA and GLBA) regarding data collection.

5.      Consider data that is stored over time in a mandatory access control based system. The contents of files containing highly classified (“top secret”) information are not necessarily more trustworthy than material stored in files marked unclassified.

6.      3DES (Triple DES) requires the use of three independent keys.

7.       Deleting the browsing history and cookies in a computer system can completely delete the recently visited sites.

8.      A Denial-of-Service attack does not require the attacker to penetrate the target’s security defenses.

9.      The biggest advantage of public-key cryptography over secret-key cryptography is in the area of key management/key distribution.
10.   Packet filters protect networks by blocking packets based on the packets’ contents.

Part 2:  Multiple Choice Questions.

Note: In some questions you may need to select more than one of the options.  (Scored as 3 points for each question, no guarantee of partial credit for partially correct answers.)  Write your answers in the following Answer Table.

1.      Methods to avoid SQL injection include which of the following:

a.       Providing functions to escape special characters.

b.      Built-in functions that strip input of dangerous characters.

c.       Techniques for the automatic detection of database language in legacy code.

d.      Techniques for the automatic detection of SQL language in legacy code.

e.       All of the above.

2.      Protection of a software program that uses a unique, novel algorithm could be legally protected by:

a.       A patent

b.      A copyright

c.       A notary

d.      Ethical standards

e.       All of the above

3.      If person A uses AES to transmit an encrypted message to person B, which key or keys will A have to use:

a.      A’s private key

b.      A’s public key

c.       B’s private key

d.      B’s public key

e.       None of the keys listed above.

4.      Choose the right statement(s):

a.       On change-controlled system, you should run automatic updates to prevent security patches from introducing instability.

b.      A malicious driver can potentially bypass many security controls to install malware.

c.        It is critical that the operating system be kept as up to date as possible, with all critical security related patched installed.

d.      The operating system planning process should consider the categories of users on the system, and the privileges they have.

e.       All of the above.

5.      Broad categories of payloads that malware may carry include which of the following:

a.       Corruption of system or data files;

b.      Theft of service in order to make the system a zombie agent of attack as part of a botnet;

c.       Theft of information from the system, especially of logins, passwords or other personal details by keylogging or spyware programs;

d.      Stealthing where the malware hides it presence on the system from attempts to detect and block it;

e.       All of the above.

6.      SELinux implements different types of MAC: ________________________.

a.      Role Based Access Controls and Type Enforcement

b.      Multi Level Security

c.      Multi Task Level Security

d.      User Based Access Controls and Format Enforcement

e.      None of the above.

7.      Security threats include which of the following:

a.       Hurricanes

b.      Disgruntled employees

c.       Unlocked doors

d.      Un-patched software programs

e.       All of the above.

8.      The basic step(s) should be used to secure an operating system:

Install and register the operating system.

Harden and configure the operating system to adequately address the identified security needs of the system.

Installing and configure additional security controls, such as anti-virus, host-based firewalls, and intrusion detection systems (IDS), if needed.

Test the security of the basic operating system to ensure that the steps taken adequately address its security needs.

All of the above.

9.      Denial of service attacks include:

a.       DNS spoofing

b.      Smurf attack

c.       Ping of death

d.      SYN flood

e.       All of the above.

10.  Countermeasures against subdomain DNS cache poisoning include which of the following:

a.       Firewalls

b.      SPR

c.       DNSSEC uses RRSIG and DNSKEY records

d.      DNSSEC employing a chain of trust

e.       All of the above.

Note: Do not include the above questions.  Your submitted file should be editable saved in a file named as:   INFA610_Final_Firstname_Lastname (e.g. INFA610_Final_Henry_Tsai).

[Delete everything above this prior to submission]

Please put your Part 1 and Part 2 answers in the following table.

Part 1

Multiple Choice

Your Answer

T or F

Part 2

True and False

Your Answer

At least one of A, B, C, D, and E





















Part 3: Short Answer Questions. (5 questions at 10 points each, 50 points totally)

1.      How can a web site distinguish between lack of capacity and a denial-of-service attack? For example, web sites often experience a tremendous increase in volume of traffic right after an advertisement with the site’s URL is shown on television during the broadcast of a popular sporting event. That spike in usage is the result of normal access that happens to occur at the same time.   How can a site determine that high traffic is reasonable?

2.      What are the server-side attacks? What are the techniques a developer can employ to minimize these attacks?

3.       What are some of the individual rights associated with information privacy? Do expectations of privacy change depending on the individual’s environment?  If so, how?

4.      Explain the strengths and weaknesses of each of the following firewall deployment scenarios in defending servers, desktop machines, and laptops against network threats.

a. A firewall at the network perimeter.

b. Firewalls on every end host machine.

5.      The table below shows the authentication protocol, wherein pwd is Albert’s password and K is a key derived from pwd. Can an attacker that can eavesdrop messages (but not intercept or spoof messages) obtain pwd by off-line password guessing? If you answer no, explain briefly. If you answer yes, describe the attack.

Albert (has pwd)

Bob (has K)

send [conn] to Bob

generate random challenge Ram

send [Ram]

compute K from pwd

compute A ← encrypt(Ram) with key K

send [A] to Bob

compute B ← decrypt(A) with key K

if B = Ram then Albert is authenticated

Again, the file name of your answer should be in the following format:

INFA610_Final_Firstname_Lastname (e.g. INFA610_Final_Henry_Tsai).