How to Prepare for the Fall Exam COM380/CIT304 Harry Erwin, PhD University of Sunderland

Posted on 19-Dec-2015


Page 1: How to Prepare for the Fall Exam, COM380/CIT304. Harry Erwin, PhD, University of Sunderland.

Page 2: Exam Structure

• Two parts

  – Fall Exam (Harry Erwin)

    • Security, with three questions of 20 marks each. You answer two.

    • Server Side Technology, with two questions of 10 marks each. You answer one.

  – Spring Exam (John Wraith), worth 50 marks, on e-commerce management.

    • John has briefed you separately.

Page 3: Exam Ground Rules

• We are aware some of you are relatively non-technical.

• We are aware that even those of you who are technical come from a number of courses.

• The exam is designed to be passable by all of you. It tests critical thinking.

• The exam is hard, but the marking takes that into account.

• You need to pass the exam as a whole, not each part individually.

Page 4: Reread

• Schneier, Beyond Fear—discusses how to think critically about security. Know his five-step analysis process and be able to apply it.

• Schneier, Secrets and Lies—the threat environment. Understand what it may mean for your organization.

• Anderson, Security Engineering—the technology (Don’t memorize—but know how it fits in!)

• Erwin, COM380 Lecture Slides—thinking about security requirements and solutions

Page 5: Be Able To

• Define the terms used in security.

• Describe what a security analyst does.

• Write a job description for a security analyst.

• Conduct a job interview for a security engineer/analyst in your field.

• Identify snake-oil when someone tries to sell you some technology.

  – Know what probing questions to ask as a skeptical manager with some money to spend on security.

  – Know what each security technology is good for.

Page 6: For Example

• Suppose someone tries to sell you an intrusion detection system as a security solution.

  – Know what an IDS is good (and bad) for.

  – Know the two basic IDS technologies and their strengths and weaknesses.

Page 7: Another Example

• Do ID cards solve the terrorism problem?

  – What do ID cards do?

  – What are their risks?

  – What are the threats to ID cards?

  – What do they not do?

  – Do they solve the problem?

Page 8: Likely Exam Areas

• The Threat

• Risk Analysis

• Trust Analysis

• Policies (particularly legal areas)

• Assumptions of Secure Operation

• Security Objectives

• Security Mechanisms

• Securing E-Commerce

Page 9: The Server-Side Technology Questions

• Read up on server side technology (see Bergsten, JavaServer Pages and my lectures for a start).

• Be prepared to evaluate it critically.

Page 10: Some Questions from Previous Years

• The 25-mark security questions are from 2003, the 20-mark security questions from 2004, and the 10-mark server-side questions from 2004.

• You won’t see these specific questions on the exam.

Page 11: Risk Analysis (25 marks total)

• What is a risk and how does it differ from a vulnerability or threat? (10 marks)

• Describe the risk analysis process in detail using an example. (10 marks)

• What information does a complete risk analysis give a manager? How can he use it in risk management? (5 marks)

Page 12: Security Mechanisms (25 marks total)

• “Audit” describes a specific family of security mechanisms. In an essay:

• a) Explain what an audit mechanism does and describe the possible uses of audit log data. (5 marks)

• b) Describe and critically justify against alternatives an approach to audit in a distributed environment. (10 marks)

• c) Describe the risks associated with the storage of audit log data and how to mitigate those risks. Critically justify your recommended approach. (10 marks)

Page 13: Intrusion Detection (25 marks total)

• a) Explain what an intrusion detection system does. (6 marks)

• b) Describe in detail the three problems that developers of intrusion detection systems must solve:

  – i) The timely notification problem (3 marks)

  – ii) The false alarm problem (3 marks)

  – iii) The response problem (3 marks)

• c) Name and describe two general approaches to intrusion detection, compare them critically, and explain how they address the three problems listed under (b). (10 marks)

Page 14: Job Description (20 marks)

• What questions does a computer security analyst have to answer about a system? Discuss in detail using an example of a specific kind of business or service, e.g., an e-mail provider, a business web-site, a human resources department of a company, an electronic voting system, or an on-line bank. Describe critically how the analyst might approach each question.

Page 15: Threat Environment (20 marks)

• Critically evaluate the current threat environment for a specific kind of business or service, for example an e-mail provider, a business web-site, a human resources department of a company, an electronic voting system, or an on-line bank. In other words, what are the threats, what is their relative importance, why did you come up with that rank-ordering, and how can the system be protected against those threats?

Page 16: Privacy (20 marks)

• Describe the EU and US legal positions on individual privacy, and critically compare them. Critically discuss the possible ways that a US business has to address the requirements of the EU Data Protection Directive.

Page 17: Job Description (20 marks)

• Assume you are hiring a security analyst. Describe and critically justify the required knowledge (10 marks) and skills (10 marks) you would list on the job description.

Page 18: Trust Analysis (20 marks)

• Explain how to do a trust analysis (10 marks) and critically discuss mechanisms to enforce trust. (10 marks)

Page 19: ID Cards (20 marks)

• Discuss in a short critical essay the Home Office proposal on identification cards.

Page 20: Server-Side Technology (10 marks)

• Four example technologies were given, and the following choices of question were posed:

• Describe and evaluate in detail the technical pros and cons of these four approaches. That is, from a technical perspective, what are the issues that affect the choice of approach and what factors need to be assessed in making that choice?

Page 21: SST Question Continued

• Describe and evaluate in detail the security pros and cons of these four approaches. That is, from a security perspective, what are the issues that affect the choice of approach and what factors need to be assessed in making that choice?

• Describe and evaluate in detail the managerial pros and cons of these four approaches. That is, from the perspective of a non-technical manager, what are the issues that affect the choice of approach and what factors need to be assessed in making that choice?

Page 22: Server-Side Technology

• The ref-def question used another example, web services, but asked the same questions.

Page 23: Changes This Year

• The security questions remain similar. One will be on security in general that can be answered based on Schneier and the lectures, a second on some specific technology discussed in Anderson, and the third will be a critical analysis of a current security proposal.

• The server-side question now asks for a critical comparison of technical approaches. You will have a choice of question here.

Page 24: Questions?