
IS623 Midterm

True/False (1-15): 1 point each

Indicate whether the statement is true or false.
1. A breach of possession always results in a breach of confidentiality.
(True / False)

2. Hardware is often the most valuable asset possessed by an organization and it is the main
target of intentional attacks.
(True / False)
3. To achieve balance, that is, to operate an information system that satisfies both the user and
the security professional, the security level must allow reasonable access, yet protect against
threats.
(True / False)
4. Information security's primary mission is to ensure that systems and their contents retain their
confidentiality at all costs.
(True / False)
5. A sniffer program shows all the data going by on a network segment, including passwords, the
data inside files, such as word-processing documents, and screens full of sensitive data
from applications.
(True / False)
6. Identifying human resources, documentation, and data information assets of an organization
is less difficult than identifying hardware and software assets.
(True / False)
7. To determine if the risk is acceptable or not, you estimate the expected loss the organization
will incur if the risk is exploited.
(True / False)
8. The permutation cipher simply rearranges the values within a block to create the ciphertext.
(True / False)
9. Digital certificates are public-key container files that allow computer programs to validate the
key and identify to whom it belongs.
(True / False)
10. You cannot combine the XOR operation with a block cipher operation.
(True / False)

11. Nonrepudiation means that customers or partners can be held accountable for transactions,
such as online purchases, which they cannot later deny.
(True / False)
12. When an asymmetric cryptographic process uses the sender's private key to encrypt a
message, the sender's public key must be used to decrypt the message.
(True / False)
13. Hash algorithms are public functions that create a hash value by converting variable-length
messages into a single fixed-length value.
(True / False)
14. Encryption methodologies that require the same secret key to encipher and decipher the
message are using what is called public key encryption.
(True / False)

15. The most popular modern version of steganography involves hiding information within files
that contain digital pictures or other images.
(True / False)
Multiple Choice (16-25): 1 point each
Identify the choice that best completes the statement or answers the question.
16. ____ of information is to protect my information from unauthorized modification.
a. Availability
b. Integrity
c. Confidentiality
d. Authorization
17. An information system is the entire set of ____, people, procedures, and networks that make
possible the use of information resources in the organization.
a. software
b. hardware
c. data
d. All of the above
18. Which of the following functions does information security perform for an organization?
a. Protecting the organization's ability to function.
b. Enabling the safe operation of applications implemented on the organization's IT
systems.
c. Protecting the data the organization collects and uses.
d. All of the above.
19. Risk ____ is the application of controls to reduce the risks to an organization's data and
information systems.
a. management
b. control
c. identification
d. security
20. ____ equals likelihood of vulnerability occurrence times value (or impact) minus percentage
risk already controlled plus an element of uncertainty.
a. Probability
b. Risk
c. Possibility
d. Chance
21. ____ is the process of converting an original message into a form that is unreadable to
unauthorized individuals.
a. Encryption
b. Decryption
c. Cryptology
d. Cryptography
22. ____ is the information used in conjunction with an algorithm to create the ciphertext from
the plaintext or derive the plaintext from the ciphertext.
a. Password
b. Cipher
c. Key
d. Passphrase
23. More advanced substitution ciphers use two or more alphabets, and are referred to as ____
substitutions.
a. multialphabetic
b. monoalphabetic
c. polyalphabetic
d. polynomic
24. A method of encryption that requires the same secret key to encipher and decipher the
message is known as ____ encryption.
a. asymmetric
b. symmetric
c. public
d. private
25. An X.509 certificate binds a ____, which makes all certificates unique, to a user's public key.
a. message digest
b. fingerprint
c. distinguished name
d. digital signature

Short Answer Questions

26. Suppose you have a secure system with three subjects and three objects, with levels as listed
below. (10 points)

Type      Name     Level
Object    Obj1     (H, {A})
Object    Obj2     (L, {B})
Object    Obj3     (L, {A,B})
Subject   Subj1    (L, {A,B})
Subject   Subj2    (H, {B})
Subject   Subj3    (H, {A,B,C})

Here H dominates L. You wish to implement a Bell and LaPadula model of security for this
system. Fill in the access rights (R and/or W) permitted by the model for each subject/object
pair in the access matrix below:

         Obj1     Obj2     Obj3
Subj1
Subj2
Subj3
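The Bell-LaPadula decision behind question 26 reduces to one lattice test applied in two directions: a subject may read an object only when the subject's label dominates the object's (simple security property, no read up), and may write an object only when the object's label dominates the subject's (*-property, no write down), where "dominates" means the level is at least as high and the category set is a superset. The following Python is an added illustration, not part of the midterm; it encodes the labels listed in the question, with the level order H > L as stated, and computes the full rights matrix for any such set of labels.

```python
"""Bell-LaPadula mandatory access decisions over (level, categories) labels.

Added example, not part of the midterm. Labels below are the ones listed in
question 26; the lattice is H > L on levels plus subset order on categories.
"""
from typing import Dict, FrozenSet, List, Tuple

Label = Tuple[str, FrozenSet[str]]  # (security level, set of categories)

# Level ordering: H dominates L. Extend this dict for a taller lattice.
LEVEL_ORDER = {"L": 0, "H": 1}


def dominates(a: Label, b: Label) -> bool:
    """Lattice dominance: a >= b iff a's level is at least b's level and
    a's category set contains every category in b's set."""
    level_a, cats_a = a
    level_b, cats_b = b
    return LEVEL_ORDER[level_a] >= LEVEL_ORDER[level_b] and cats_a >= cats_b


def permitted_rights(subject: Label, obj: Label) -> str:
    """Rights the model grants a subject on an object:
    R if subject dominates object (simple security property, no read up),
    W if object dominates subject (*-property, no write down).
    Equal labels therefore yield RW; incomparable labels yield nothing."""
    rights = ""
    if dominates(subject, obj):
        rights += "R"
    if dominates(obj, subject):
        rights += "W"
    return rights


def access_matrix(subjects: Dict[str, Label],
                  objects: Dict[str, Label]) -> Dict[str, Dict[str, str]]:
    """Rights string ('', 'R', 'W' or 'RW') for every subject/object pair."""
    return {
        s_name: {o_name: permitted_rights(s_label, o_label)
                 for o_name, o_label in objects.items()}
        for s_name, s_label in subjects.items()
    }


def format_matrix(matrix: Dict[str, Dict[str, str]], object_names: List[str]) -> str:
    """Render the matrix as a plain-text table; '-' marks no access."""
    header = "       " + "".join(f"{o:>8}" for o in object_names)
    rows = [f"{s:<7}" + "".join(f"{matrix[s][o] or '-':>8}" for o in object_names)
            for s in matrix]
    return "\n".join([header] + rows)


# Labels as listed in question 26 (levels H/L, categories A, B, C).
OBJECTS: Dict[str, Label] = {
    "Obj1": ("H", frozenset({"A"})),
    "Obj2": ("L", frozenset({"B"})),
    "Obj3": ("L", frozenset({"A", "B"})),
}
SUBJECTS: Dict[str, Label] = {
    "Subj1": ("L", frozenset({"A", "B"})),
    "Subj2": ("H", frozenset({"B"})),
    "Subj3": ("H", frozenset({"A", "B", "C"})),
}

if __name__ == "__main__":
    print(format_matrix(access_matrix(SUBJECTS, OBJECTS), list(OBJECTS)))
```

Note that categories matter as much as levels: a subject at H with category set {B} gets no access at all to an object at H with category set {A}, because neither label dominates the other. Category sets are what make labels a lattice rather than a simple ladder, which is why the question gives them alongside H and L.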

27. Suppose a department has determined that some users have gained unauthorized access to the
computing system. Managers fear the intruders might intercept or even modify sensitive data
on the system. Cost to reconstruct correct data is expected to be $2,000,000 with 5%
likelihood per year.
One approach to addressing this problem is to install a more secure data access control
program. The cost of access control software is $50,000 with 80% effectiveness. Here is the
summary of risk and control:
- Cost to reconstruct correct data = $2,000,000 with 5% likelihood per year
- Effectiveness of access control software: 80%
- Cost of access control software: $50,000

Determine the expected annual costs due to loss and controls. Also, determine whether the
costs outweigh the benefits of preventing or mitigating the risks. (5 points)

28. Briefly answer each question below:


(a) What are the three fundamental elements of an effective security program for
information systems? Also, of these three fundamental controls, which two are used
by the Domain User Admin (refer to Virtual Lab #3) to create users and assign rights
to resources? (2 points)

(b) Once a vulnerability has been identified by OpenVAS (refer to Virtual Lab #2), where
would you check for more information regarding the identified vulnerability, exploits,
and any risk mitigation? (2 points)

(c) Why is military security mainly about confidentiality? Are there also aspects of
integrity and availability? (2 points)

(d) If you and another person want to encrypt messages, should you provide that person
with your public key, private key, or both? (2 points)
(e) What is the result of the XOR operation on the following two bit streams: (2 points)
S1 = 010011101
S2 = 111100001
(End of Midterm)
