SEC571 Full Course Latest 2019 January Question # 00598652 Subject: Education Due on: 02/28/2019 Posted On: 02/28/2019 12:38 PM Tutorials: 1 Rating: 4.8/5

SEC571
Principles of Information Security and Privacy

Week 1
Discussion

DQ1 VULNERABILITIES OF YOUR SYSTEMS?

We’re spending some time this week coming up with a common
understanding of security terminology, and vulnerability is one of those
fundamental terms. While the word weakness seems to define it pretty well,
there are a number of ways that information systems can become vulnerable. Acts
of commission or omission can be equally responsible for a system
vulnerability. What about your systems, both at home and at work? In what ways
are they vulnerable?

DQ2 THREATS AGAINST YOUR SYSTEMS?

It’s a pretty rough world out there for data. While a large
percentage of information technology security budgets is devoted to reducing
the risk of malicious attacks, there are other ways in which systems or data
become damaged. What threats are you aware of when it comes to your personal
systems and the systems at your job?

SEC571
Principles of Information Security and Privacy

Week 2
Discussion

DQ1 SECURITY ISSUES IN TELECOMMUNICATIONS

What are the advantages and disadvantages of virtual
offices, including telecommuting? What are the security and management issues
concerning virtual offices, especially hooked up into large virtual networks?
Please comment on the views of your fellow students here.

DQ2 WHAT ACCESS CONTROLS ARE IN USE?

What are your organization’s assets? Are there any access
controls in place? How effective are they? How can you tell? What are the
weaknesses in the controls? Are any new or upgraded access controls being
considered? Let’s explore this substantial component of information security.

SEC571
Principles of Information Security and Privacy

Week 3
Discussion

DQ1 CRYPTOGRAPHIC PRODUCTS

As we are learning, there are a lot of uses for cryptography
in information technology, and there are a lot of different algorithms,
cryptographic processes, key lengths, implementation methods, and so on. Let’s
explore the world of cryptographic products. What’s available out there? What
kind of quality is found in free, open-source products? What types of hardware
devices? What types of software implementations? How are they used? What
problems do they solve? How effective are they? How can you tell? What are the
tradeoffs between security and business process efficiency?

Let’s start with everyone presenting one cryptographic
product (past, present, or future). No duplications, please, so be sure to read
all the previous posts. Then, respond to the posts of your classmates with
questions, additional information, and so forth.

DQ2 CRYPTOGRAPHIC STANDARDS

Ever since World War II and the ensuing Cold War,
cryptographic methods have been the source of much government angst. Protecting
the information of one’s own government and accessing the data of other
governments has been a preoccupation of many nations. With the growth of
civilian computer networks in the 1980s and the development of Internet-based
e-commerce in the 1990s, concerns about data security spread from governments
to the public sector. The tension between the government’s goal of control of
cryptographic methods and business’ need for internationally trustworthy
security resulted in skirmishes between the two.

Let’s discuss the modern history of cryptography in terms of
commercial-governmental tensions. What can you find out about this? What are
the considerations when determining how to standardize cryptographic methods?
How are cryptographic methods regulated? What are the different laws that
govern the use of cryptography? Are they reasonable? Whose interests are most
important when determining the extent to which cryptography should be
standardized, regulated, and mandated?

SEC571
Principles of Information Security and Privacy

Week 4
Discussion

DQ1 NETWORK SERVICES

Users are familiar with some network services such as HTTP
(Hypertext Transport Protocol) – the Web; and SMTP (Simple Mail Transport
Protocol) and POP (Post Office Protocol) – e-mail and instant messaging. But
there are others like DHCP (Dynamic Host Configuration Protocol), DNS (Domain
Name System), FTP (File Transport Protocol), NNTP (Network News Transport
Protocol), Telnet, SSH (Secure Shell), SSL-TLS (Secure Sockets Layer-Transport
Layer Security) and others that the average user may not have heard of.

Tell us more about these services. How do they figure into
organizational security? What are the most recent threats against them? What
are the risks associated with attacks against network services? What are
possible consequences? What are specific controls and general best practices to
mitigate risk?

Jump right in. Do a little research on some part of network
service security and share with us your findings as well as your experiences
and opinions. And, of course, please respond to your classmates’ posts with
ideas, questions, comments, other perspectives, and so forth.

DQ2 SECURITY ARCHITECTURE

Think about your organization’s security architecture. How
much do you know about it? How much do other workers know? How easy is it to
learn more? Does your perception of the organization’s security architecture
seem appropriate for the mission and goals of the organization? How much
management commitment to security do you sense?

Briefly describe your organization, but please DON’T reveal
any specific security details that would compromise your organization’s
security controls. Feel free to make up a name and even alter the products or
services the organization offers to maintain its anonymity as needed. What we
should discuss is the general nature of the business, your role, your view on
the organization’s security architecture, and what you think the ideal security
architecture should be for your organization.

As we get moving on this discussion, consider the ideas of
your classmates. Would they be appropriate for your organization? Even if you don’t
have much connection with the security activities in your company, what do you
THINK would be appropriate?

As always, post early, post often, and address the posts of
your classmates.

SEC571
Principles of Information Security and Privacy

Week 5
Discussion

DQ1 CASE STUDY – WOULD YOU HIRE GOLI?

How would you respond if Goli (Situation VIII: Ethics of
Hacking or Cracking, pp. 759-761 in the textbook) came to you describing a
vulnerability in your system and offering to help fix it? What would incline you
to hire her? What would disincline you from doing so? Please explain your
answer and also reply to the comments of others.

DQ2 PRIVACY: RIGHT OR PRIVILEGE?

Privacy seems to mean different things to different people.
What does privacy mean to you? Is privacy a right or a privilege? How should
one’s privacy be legally protected or secured, especially when using the
Internet? Maybe this is not absolutely possible; protection may always be
viewed as a relative term. Why or why not? Please comment on the responses of
other students.

SEC571
Principles of Information Security and Privacy

Week 6
Discussion

DQ1 BC AND DR

Business Continuity (BC) planning and Disaster Recovery (DR)
planning are key elements in organizational security architectures. What is the
difference between them and why is it important to know the difference when
representing security proposals to management?

DQ2 MEETING REGULATIONS

With what federal, state, and/or organizational regulations
regarding information systems and data management must your organization
comply? How can you identify these regulations? How can you remain informed
about changes in these requirements? How can your organization or industry
influence these regulations?

SEC571
Principles of Information Security and Privacy

Week 7
Discussion

DQ1 PERSONAL/GROUP ETHICS

What is ethics? Is it a cultural standard or an individual
standard? Do managers have a responsibility to maintain an ethical standard
within a department? If so, how is the expected ethical standard established?
How is it documented? How is compliance measured? What happens when an
individual’s ethical standard conflicts with the group standard? How should
members of the group react? How should the individual react?

DQ2 SECURITY SKILLS

What skills are needed by personnel working in information
security? List some job titles in the field and come up with some required
qualifications and some desirable qualifications. Take a look at some job
listings and resumes for ideas. After all, you may be applying for one of these
jobs soon!

SEC571
Principles of Information Security and Privacy

Week 1 Quiz

Question 1

(TCO A) Describe an
organizational information situation where data confidentiality would be more
important than data availability or integrity.

Question 2

(TCO A) Which of the
following is the weakest password?

rT%b9

2a$xY60

vG&3n9c

8d$iuR4

%s94Nd6

Question 3

(TCO A) While our
focus in the course is on threats to information systems, this question focuses
on the concept of threats, vulnerabilities, and controls as applied to other
kinds of systems. Select two examples of threats to automobiles for which auto
manufactures have instituted controls. Describe the vulnerabilities for which
the controls were created and assess the effectiveness of these controls giving
the justification for your assessment. Your answer does not need to address
information security but you need to demonstrate your understanding of the
terms: threat, vulnerability, and control. (Note: specific answers to this
question are not in the assigned reading material.)

Question 4

(TCO A) What
advantages does authentication with biometrics has over passwords?

Question 5

(TCO A) Network
enumeration is used to _______________________.

test for
vulnerabilities

determine what
service and operating systems are running

determine what
exploits have been committed

close security flaws

Question 6

(TCO A)
Virtualization is an operating system security technique. In the context of
virtualization, explain what hypervisor does.

SEC571
Principles of Information Security and Privacy

Week 4
Midterm

Question 1

(TCO A) What are the four kinds of security threats? Give
two examples of each.

Question 2

(TCO A) Explain the primary advantage of virtualization used
in security of an operating system.

Question 3

(TCO B) It’s been said that firewalls are dead. Some think
that, because of the prevalence of application-layer attacks, packet filtering
firewalls are of no real use in protecting networks. Name an advantage of using
packet filtering firewalls in modern networks.

Question 4

(TCO C) Describe how asymmetric encryption is used to send a
message from User A to User B that assures data confidentiality,
authentication, and integrity. Be specific as to the keys used and how they
achieve the three goals.

Question 5

(TCO B) Which of the following is a correct statement?

A SYN
flood involves an attacker sending a stream of acknowledgements.

In
link encryption, packet confidentiality is assured from sending to receiving
host.

Access
control is limiting who can access what in what ways.

SSL assures data confidentiality within the
recipient’s network.

None
of the above

SEC571
Principles of Information Security and Privacy

Week 8 Final
Exam

Question 1

(TCO A) You have designed a database. During testing you
discover that if, during the normal entry and modification of data, there is a
power outage, when the system is recovered, records may contain some of the new
data that were being entered but that some old data that should have been
modified, were left untouched. Explain how you could modify your database
design to eliminate this type of compromise of data integrity.

Question 2

(TCO B) Compare and contrast Intrusion Detection System
(IDS) versus Intrusion Prevention System (IPS). Are they mutually exclusive?
Explain.

Question 3

(TCO C) Why is a firewall usually a good place to terminate
a Virtual Private Network (VPN) connection from a remote user? Why not
terminate the VPN connection at the actual servers being accessed? Under what
circumstances would VPN termination at the server be a good idea?

Question 4

(TCO D) A computer programmer has been arraigned for a
computer crime. She is suspected of having accessed system files on a public
Web server. The programmer’s attorney argues that his client was only trying to
determine if the website was secure and that no harm was done to the Web server
or its system files. The programmer’s attorney also argues that it is possible
that the log files that show that his client accessed system files were
tampered with. The attorney claims that the Web server was made accessible to
the public anyway so that there was no violation of the law and that the
arraignment against her client should be thrown out. You’re the judge. What is
your analysis of these arguments?

Question 5

(TCO E) List five controls that could be used to maintain
data availability in a networked environment.

Question 6

(TCO F) In the U.S., laws are enforced by police agencies
and the courts. What are ethics and who enforces them?

Question 7

(TCO G) Which of the following statements is true?

From a
legal point of view, it is easier to return software to a store because it
doesn’t meet your needs than it is to do so because the software is of poor quality.

If a programmer is, i)
supervised in his work, ii) subject to being fired by his employer, iii)
directed in his work by his employer, and iv) under contract for the work he is
doing, it is most likely true that the programmer is considered the author of
the work he has produced.

A
civil judge cannot find that a plaintiff has been harmed and hold a defendant
liable if the defendant has violated no written law.

It is
easier to prove guilt in a criminal case than it is in a civil case.

A
company is not required to protect trade secrets in order to maintain legal
protection of the proprietary information.

Question 8

(TCO H) The CIO at your organization wants you to assess a
plan to replace the current username/password authentication methods with
fingerprint biometric authentication approach that requires users to use their
fingerprints to access any computing system. Assess three downsides to this
approach.

SEC571
Principles of Information Security and Privacy

COURSE
PROJECT

Security Assessment and Recommendations

Overview

This course does involve a lot of technical information and
theory, but what really matters is how this knowledge can be used to identify
and remediate real-world security issues. What you learn in this course should
be directly applicable to your work environment. The course project that you
will complete is designed to further this goal. In the first part of the
project, you will choose an organization from one of two given scenarios
(below) and identify potential security weaknesses, and in the second part of
the project, you will recommend solutions. The first part of the project is due
in Week 3, and the second part of the project, along with the first part
(presumably revised based on instructor feedback) is due in Week 7. This
project constitutes a significant portion of your overall grade. This is an
individual assignment and may not be completed in teams.

Guidelines

Phase I – Identify potential weaknesses from either the
Aircraft Solutions or Quality Web Design Company

In this phase, you will choose either Aircraft Solutions or Quality
Web Design as the company you will work with. The scenarios are in the Files
section in the Course Project select area. You will then identify potential
security weaknesses.

Security weaknesses – You must choose two from the following
three areas (hardware, software, and policy – excluding password policies) and
identify an item that requires improved security.

To define the asset or policy with sufficient detail to
justify your assessment, your assessment must include:

the vulnerability associated with the asset or policy

the possible threats against the asset or policy

the likelihood that the threat will occur (risk)

the consequences to mission critical business processes
should the threat occur

how the organization’s competitive edge will be affected
should the threat occur

To clarify an item that requires improved security, you must
identify one of these items:

one hardware and one software weakness

one hardware and one policy weakness

one software and one policy weakness

Other required elements include:

Cover sheet

APA-style

In-text citations and Reference section

Minimum length 3 pages, maximum length 5 pages (not counting
cover sheet, diagram(s), references). Do not exceed the maximum length.

Phase II: the
Course Project (comprised of Phase I and II) – Recommend solutions to the
potential weaknesses from either the Aircraft Solutions or Quality Web Design
Company

In this phase of the project you will include Part I
(presumably improved as needed based upon Week 3 feedback) and then you will
recommend solutions for the security weaknesses you identified in the Phase I.

Definition of the solution – Hardware solutions must include
vendor, major specifications with an emphasis on the security features, and
location of placement with diagram. Software solutions must include vendor and
major specifications, with an emphasis on security features. Policy solutions
must include the complete portion of the policy that addresses the weakness
identified. Any outsourced solution must include the above details and the
critical elements of the service level agreement.

Justification – You must address the efficacy of the
solution in terms of the identified threats and vulnerabilities; the cost of
the solution, including its purchase (if applicable); and its implementation,
including training and maintenance.

Impact on business processes – You must discuss any
potential positive or negative effects of the solution on business processes
and discuss the need for a trade-off between security and business requirements
using quantitative rather than simply qualitative statements.

Other required elements include:

Cover sheet

APA-style

In-text citations and Reference section

5 reference minimum

Minimum length of solutions: 6 pages, maximum length 10
pages (not counting cover sheet, diagram(s), references). Do not exceed the
maximum length.

Grading Rubrics

The course project will consist of two deliverables:

Phase I (Identify potential weaknesses from either the
Aircraft Solutions or Quality Web Design Company); and Phase II: the Course
Project (comprised of Phases I and II – Recommend solutions to the potential
weaknesses from either the Aircraft Solutions or Quality Web Design Company).

The grading standards for each deliverable are as follows:

Phase I (Identify potential weaknesses from either the
Aircraft Solutions or Quality Web Design Company)

Category Points Description

Security Weaknesses 80 Identifies two plausible and
significant weaknesses from required list (hardware, software, policy).
Includes realistic vulnerability(s) associated with the asset or policy,
plausible and likely threats against the asset or policy, an estimation of the
likelihood that the threat will occur (risk), the consequences to mission
critical business processes should the threat occur, and how the organization’s
competitive edge will be affected should the threat occur.

Presentation 20 Writing quality and flow demonstrates
a graduate-level writing competency and does not contain misspellings, poor
grammar, incorrect punctuation, and questionable sentence structure (syntax
errors).

Total 100 A quality paper will meet or exceed all
of the above requirements.

Phase II – the Course Project (comprised of Phase I and II)
– Recommend solutions to the potential weaknesses from either the Aircraft
Solutions or Quality Web Design Company

Category Points Description

Security Weaknesses 60 Identifies two plausible and
significant weaknesses from required list (hardware, software, policy).
Includes realistic vulnerability(s) associated with the asset or policy,
plausible and likely threats against the asset or policy, an estimation of
likelihood that the threat will occur (risk), the consequences to mission
critical business processes should the threat occur, and how the organization’s
competitive edge will be affected should the threat occur

Definition of Solution 30 Includes vendor and major
specifications, and identifies the relevant security features as related to the
weakness identified. If hardware, includes location of placement with diagram.
Policy solutions include the complete portion of the policy that effectively
address the weakness identified. Any outsourced solution must include the above
details and the critical elements of the service level agreement.

Justification 30 Demonstrates the efficacy of the
solution in terms of the identified threats and vulnerabilities. Includes
complete costs, including purchase, implementation, training, and maintenance
as needed.

Impact on Business Processes 25 Addresses plausible, potential
positive, or negative effects on business processes. Discusses trade-off
between security and business requirements using quantitative statements.

Presentation 25 Writing quality and flow demonstrates
a graduate-level writing competency and does not contain misspellings, poor grammar,
incorrect punctuation, and questionable sentence structure (syntax errors).

Total 170 A quality paper will meet or exceed all
of the above requirements.

Best Practices

Course projects cause many students anxiety. Some anxiety is
probably healthy; it means you want to do a good job. But too much anxiety
usually interferes with performance. There is writing assistance available in
the Tutor Source link in the Introduction & Resources Module and here are
some tips you may want to consider as you plan and create your course project.

Read the Course Project Requirements and the Course Project
Sample Template (in the Files section) early. Here’s why: if you have in mind
the required specifications of the ssignment as you start the weekly
assignments and other activities, you’ll be able to recognize when you come
across information that you might want to use in your project.

Keep a separate project notebook. Don’t worry about keeping
it highly organized and documented; just jot down ideas as they come to you. You’ll
be surprised how much anxiety you prevent by simply having ideas ready when you
sit down to write.

Use the “mull” method. This means spend a few days mulling
over the assignment. Don’t force yourself to think about it, but, if you’ve
read over the project requirements and have your project notebook with you as
you do your regular class activities and your regular daily activities, your
brain will work on the assignment all by itself. As it does so, more ideas will
come to you and all you have to do is jot them down.

Don’t try to write the paper from the beginning to the end
correctly the first time. If you do, you’ll probably forget all kinds of things
and your sentence structure and word choice, not to mention spelling and
grammar, will likely not be as good as it should be. Don’t edit as you write.
Just write. That way the ideas can come out with less effort. Edit later.

Use your text to help you get ideas. For example, when
considering vulnerabilities, check the index at the back of the text for the
word “vulnerabilities” and browse through those pages. When you’re designing
the network, look through the chapter on security in networks.

Use available sources such as the DeVry Library, our course
Lectures, discussions, other books, journals, the Internet, and so forth.

Keep a digital notebook. When you find an interesting
article (or even an article that looks as if it could be useful), copy it and
paste it into your document along with the address (URL), date, author, and so
forth. You can read through these later and keep what seems useful and discard
the rest.

Make a schedule and keep to it. For example, you may set
aside an hour to research topics. Use the suggestion in #7, pasting down
articles and parts of articles to read later. Set aside another hour or two
later to read through the material you collected. If it’s of no use, delete it
so that your digital notebook becomes more refined and useful. If you start
work early and schedule smallish times to do your work, you’ll find that, a)
you learn a lot more, b) you have much less anxiety, and c) you end up with a
better grade. Try it!

Ask questions. The Course Q & A forum in the discussions
in the course shell is an excellent place to ask questions. This isn’t
cheating; this is working together to increase everyone’s knowledge. You’re not
asking someone to write your paper, you’re asking for ideas (or answering other
students’ questions). Contact your instructor with questions. Your instructor
is the expert on what is expected, so use this resource.

Read about APA-style citations by clicking the link, APA
Guidelines for Citing Sources, near the bottom of the Course Syllabus. You will
save a lot of time by addressing these style issues as you write your paper
rather than trying to do this at the end.

Once you’ve written your rough draft, start the editing
process:

Look over the Course Project Requirements, particularly the
Grading Standards, and make sure that you’ve addressed every element that is
required.

Remove any unnecessary sentences or phrases. This project is
not supposed to be long (remember that there is a 12-page maximum for the final
project – not counting the cover page, graphics, references, etc.), it’s
supposed to be good. Any extra wording should be deleted. For example, “All of
these weaknesses happen on a regular base and in order to make sure that they
do not occur, the company needs to step in and make modification that will not
only correct existing issues but prevent future ones as well,” could be written
effectively as, “These vulnerabilities are ongoing and action needs to be
taken.”

The key to good technical or business (and some would say
creative) writing is being clear and effective. Don’t try to make the paper
sound “educated.” For example, instead of writing “This document is set forth
to identify and address potential security issues…,” just say what you need to
say. Much better would have been, “This report addresses security issues….”
This type of clear writing is a lot easier on the writer and on the reader.

When you use an acronym for the first time, spell it out.
For example, “…the use of a VPN (virtual private network) is common among….”
After that, just use the acronym.

Whenever you use pronouns like “it” or “they” that refer to
something mentioned earlier, be sure that it is clear to what or to whom “it”
or “they” refer. For example, “The company has implemented a firewall at
corporate headquarters and a packet filtering router at the branch office. It
has functioned well since then.” In this case, the “It” could refer to the
company, the firewall, the headquarters, the branch office, or the packet
filtering router. Clearer would be, “The company has implemented a firewall at
corporate headquarters and a packet filtering router at the branch office.
Network perimeter security has functioned well since then.”

Read your work out loud. You may find lots of little
mistakes and sentence structure errors this way.

Use spell check and grammatical correction features of your
word processing software, but don’t rely on them. Correctly spelled words will
two often be red as bean write when they are whey off.

Proofread when you are not tired and when you have had some
time away from your work on the paper. Your goal should be to catch ALL
mistakes or omissions. Professional or academic papers that contain errors send
a message to the reader that a) you are not a reliable source of information or
b) you don’t care about the reader. Neither of these may be true but, that’s
the message you send when you send errors.

Be sure that all ideas that you got from outside sources are
accompanied by an in-text citation (not a footnote) and that the in-text
citation refers to an item in the References section. Be sure to use APA-style.

As much as possible, avoid direct quotations. Only use
direct quotations when necessary. For example, “…as Bill Gates once famously
said, ‘No one will ever need more than 640K of memory’….” Since the writer is
stating a specific (and silly) idea expressed by a well-known person, this
little direct quotation is appropriate. But longer “cut-and-paste” sections are
almost always unnecessary in this project, and most instructors don’t feel
comfortable giving you a grade for a paper that was, to any significant extent,
written by someone else. Usually a paper that contains more than 15-20% direct
quotations is considered unacceptable. Some instructors think even this is way
too high. When in doubt, contact the instructor. In any case, if you use a lot
of direct quotations, expect to receive a poor grade and, if you use ANY direct
quotation, be sure to use quotation marks and an in-text citation. If you
don’t, you risk disciplinary action for violation of the academic integrity
policy. See the course syllabus for more details.

Of all these tips, probably the most important are: start
early and ask questions. Your instructor is committed to helping you get the
most out of the course. If you start early, you’ll be able to ask questions
that will save you time and effort. If you wait until the last minute, you’ll
be stressed and won’t have time to incorporate feedback from your instructor.