SEC571 Principles of Information Security and Privacy
Week 1 Discussion
DQ1 VULNERABILITIES OF YOUR SYSTEMS?
We’re spending some time this week coming up with a common understanding of security terminology, and vulnerability is one of those fundamental terms. While the word weakness seems to define it pretty well, there are a number of ways that information systems can become vulnerable. Acts of commission or omission can be equally responsible for a system vulnerability. What about your systems, both at home and at work? In what ways are they vulnerable?
DQ2 THREATS AGAINST YOUR SYSTEMS?
It’s a pretty rough world out there for data. While a large percentage of information technology security budgets is devoted to reducing the risk of malicious attacks, there are other ways in which systems or data become damaged. What threats are you aware of when it comes to your personal systems and the systems at your job?
SEC571 Principles of Information Security and Privacy
Week 2 Discussion
DQ1 SECURITY ISSUES IN TELECOMMUNICATIONS
What are the advantages and disadvantages of virtual offices, including telecommuting? What are the security and management issues concerning virtual offices, especially hooked up into large virtual networks? Please comment on the views of your fellow students here.
DQ2 WHAT ACCESS CONTROLS ARE IN USE?
What are your organization’s assets? Are there any access controls in place? How effective are they? How can you tell? What are the weaknesses in the controls? Are any new or upgraded access controls being considered? Let’s explore this substantial component of information security.
SEC571 Principles of Information Security and Privacy
Week 3 Discussion
DQ1 CRYPTOGRAPHIC PRODUCTS
As we are learning, there are a lot of uses for cryptography in information technology, and there are a lot of different algorithms, cryptographic processes, key lengths, implementation methods, and so on. Let’s explore the world of cryptographic products. What’s available out there? What kind of quality is found in free, open-source products? What types of hardware devices? What types of software implementations? How are they used? What problems do they solve? How effective are they? How can you tell? What are the tradeoffs between security and business process efficiency?
Let’s start with everyone presenting one cryptographic product (past, present, or future). No duplications, please, so be sure to read all the previous posts. Then, respond to the posts of your classmates with questions, additional information, and so forth.
DQ2 CRYPTOGRAPHIC STANDARDS
Ever since World War II and the ensuing Cold War, cryptographic methods have been the source of much government angst. Protecting the information of one’s own government and accessing the data of other governments has been a preoccupation of many nations. With the growth of civilian computer networks in the 1980s and the development of Internet-based e-commerce in the 1990s, concerns about data security spread from governments to the public sector. The tension between the government’s goal of control of cryptographic methods and business’ need for internationally trustworthy security resulted in skirmishes between the two.
Let’s discuss the modern history of cryptography in terms of commercial-governmental tensions. What can you find out about this? What are the considerations when determining how to standardize cryptographic methods? How are cryptographic methods regulated? What are the different laws that govern the use of cryptography? Are they reasonable? Whose interests are most important when determining the extent to which cryptography should be standardized, regulated, and mandated?
SEC571 Principles of Information Security and Privacy
Week 4 Discussion
DQ1 NETWORK SERVICES
Users are familiar with some network services such as HTTP (Hypertext Transfer Protocol) – the Web; and SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) – e-mail and instant messaging. But there are others like DHCP (Dynamic Host Configuration Protocol), DNS (Domain Name System), FTP (File Transfer Protocol), NNTP (Network News Transfer Protocol), Telnet, SSH (Secure Shell), SSL-TLS (Secure Sockets Layer-Transport Layer Security) and others that the average user may not have heard of.
Tell us more about these services. How do they figure into organizational security? What are the most recent threats against them? What are the risks associated with attacks against network services? What are possible consequences? What are specific controls and general best practices to mitigate risk?
Jump right in. Do a little research on some part of network service security and share with us your findings as well as your experiences and opinions. And, of course, please respond to your classmates’ posts with ideas, questions, comments, other perspectives, and so forth.
DQ2 SECURITY ARCHITECTURE
Think about your organization’s security architecture. How much do you know about it? How much do other workers know? How easy is it to learn more? Does your perception of the organization’s security architecture seem appropriate for the mission and goals of the organization? How much management commitment to security do you sense?
Briefly describe your organization, but please DON’T reveal any specific security details that would compromise your organization’s security controls. Feel free to make up a name and even alter the products or services the organization offers to maintain its anonymity as needed. What we should discuss is the general nature of the business, your role, your view on the organization’s security architecture, and what you think the ideal security architecture should be for your organization.
As we get moving on this discussion, consider the ideas of your classmates. Would they be appropriate for your organization? Even if you don’t have much connection with the security activities in your company, what do you THINK would be appropriate?
As always, post early, post often, and address the posts of your classmates.
SEC571 Principles of Information Security and Privacy
Week 5 Discussion
DQ1 CASE STUDY – WOULD YOU HIRE GOLI?
How would you respond if Goli (Situation VIII: Ethics of Hacking or Cracking, pp. 759-761 in the textbook) came to you describing a vulnerability in your system and offering to help fix it? What would incline you to hire her? What would disincline you from doing so? Please explain your answer and also reply to the comments of others.
DQ2 PRIVACY: RIGHT OR PRIVILEGE?
Privacy seems to mean different things to different people. What does privacy mean to you? Is privacy a right or a privilege? How should one’s privacy be legally protected or secured, especially when using the Internet? Maybe this is not absolutely possible; protection may always be viewed as a relative term. Why or why not? Please comment on the responses of other students.
SEC571 Principles of Information Security and Privacy
Week 6 Discussion
DQ1 BC AND DR
Business Continuity (BC) planning and Disaster Recovery (DR) planning are key elements in organizational security architectures. What is the difference between them and why is it important to know the difference when representing security proposals to management?
DQ2 MEETING REGULATIONS
With what federal, state, and/or organizational regulations regarding information systems and data management must your organization comply? How can you identify these regulations? How can you remain informed about changes in these requirements? How can your organization or industry influence these regulations?
SEC571 Principles of Information Security and Privacy
Week 7 Discussion
DQ1 PERSONAL/GROUP ETHICS
What is ethics? Is it a cultural standard or an individual standard? Do managers have a responsibility to maintain an ethical standard within a department? If so, how is the expected ethical standard established? How is it documented? How is compliance measured? What happens when an individual’s ethical standard conflicts with the group standard? How should members of the group react? How should the individual react?
DQ2 SECURITY SKILLS
What skills are needed by personnel working in information security? List some job titles in the field and come up with some required qualifications and some desirable qualifications. Take a look at some job listings and resumes for ideas. After all, you may be applying for one of these jobs soon!
SEC571 Principles of Information Security and Privacy
Week 1 Quiz
Question 1
(TCO A) Describe an organizational information situation where data confidentiality would be more important than data availability or integrity.
Question 2
(TCO A) Which of the following is the weakest password?
rT%b9
2a$xY60
vG&3n9c
8d$iuR4
%s94Nd6
Question 3
(TCO A) While our focus in the course is on threats to information systems, this question focuses on the concept of threats, vulnerabilities, and controls as applied to other kinds of systems. Select two examples of threats to automobiles for which auto manufacturers have instituted controls. Describe the vulnerabilities for which the controls were created and assess the effectiveness of these controls, giving the justification for your assessment. Your answer does not need to address information security, but you need to demonstrate your understanding of the terms threat, vulnerability, and control. (Note: specific answers to this question are not in the assigned reading material.)
Question 4
(TCO A) What advantages does authentication with biometrics have over passwords?
Question 5
(TCO A) Network enumeration is used to _______________________.
test for vulnerabilities
determine what service and operating systems are running
determine what exploits have been committed
close security flaws
Question 6
(TCO A) Virtualization is an operating system security technique. In the context of virtualization, explain what a hypervisor does.
SEC571 Principles of Information Security and Privacy
Week 4 Midterm
Question 1
(TCO A) What are the four kinds of security threats? Give two examples of each.
Question 2
(TCO A) Explain the primary advantage of virtualization used in security of an operating system.
Question 3
(TCO B) It’s been said that firewalls are dead. Some think that, because of the prevalence of application-layer attacks, packet filtering firewalls are of no real use in protecting networks. Name an advantage of using packet filtering firewalls in modern networks.
Question 4
(TCO C) Describe how asymmetric encryption is used to send a message from User A to User B that assures data confidentiality, authentication, and integrity. Be specific as to the keys used and how they achieve the three goals.
Question 5
(TCO B) Which of the following is a correct statement?
A SYN flood involves an attacker sending a stream of acknowledgements.
In link encryption, packet confidentiality is assured from sending to receiving host.
Access control is limiting who can access what in what ways.
SSL assures data confidentiality within the recipient’s network.
None of the above
SEC571 Principles of Information Security and Privacy
Week 8 Final Exam
Question 1
(TCO A) You have designed a database. During testing you discover that if there is a power outage during the normal entry and modification of data, then when the system is recovered, records may contain some of the new data that were being entered, while some old data that should have been modified were left untouched. Explain how you could modify your database design to eliminate this type of compromise of data integrity.
Question 2
(TCO B) Compare and contrast Intrusion Detection System (IDS) versus Intrusion Prevention System (IPS). Are they mutually exclusive? Explain.
Question 3
(TCO C) Why is a firewall usually a good place to terminate a Virtual Private Network (VPN) connection from a remote user? Why not terminate the VPN connection at the actual servers being accessed? Under what circumstances would VPN termination at the server be a good idea?
Question 4
(TCO D) A computer programmer has been arraigned for a computer crime. She is suspected of having accessed system files on a public Web server. The programmer’s attorney argues that his client was only trying to determine if the website was secure and that no harm was done to the Web server or its system files. The programmer’s attorney also argues that it is possible that the log files that show that his client accessed system files were tampered with. The attorney claims that the Web server was made accessible to the public anyway, so that there was no violation of the law, and that the arraignment against his client should be thrown out. You’re the judge. What is your analysis of these arguments?
Question 5
(TCO E) List five controls that could be used to maintain data availability in a networked environment.
Question 6
(TCO F) In the U.S., laws are enforced by police agencies and the courts. What are ethics and who enforces them?
Question 7
(TCO G) Which of the following statements is true?
From a legal point of view, it is easier to return software to a store because it doesn’t meet your needs than it is to do so because the software is of poor quality.
If a programmer is, i) supervised in his work, ii) subject to being fired by his employer, iii) directed in his work by his employer, and iv) under contract for the work he is doing, it is most likely true that the programmer is considered the author of the work he has produced.
A civil judge cannot find that a plaintiff has been harmed and hold a defendant liable if the defendant has violated no written law.
It is easier to prove guilt in a criminal case than it is in a civil case.
A company is not required to protect trade secrets in order to maintain legal protection of the proprietary information.
Question 8
(TCO H) The CIO at your organization wants you to assess a plan to replace the current username/password authentication methods with a fingerprint biometric authentication approach that requires users to use their fingerprints to access any computing system. Assess three downsides to this approach.
SEC571 Principles of Information Security and Privacy
COURSE PROJECT
Security Assessment and Recommendations
Overview
This course does involve a lot of technical information and theory, but what really matters is how this knowledge can be used to identify and remediate real-world security issues. What you learn in this course should be directly applicable to your work environment. The course project that you will complete is designed to further this goal. In the first part of the project, you will choose an organization from one of two given scenarios (below) and identify potential security weaknesses, and in the second part of the project, you will recommend solutions. The first part of the project is due in Week 3, and the second part of the project, along with the first part (presumably revised based on instructor feedback) is due in Week 7. This project constitutes a significant portion of your overall grade. This is an individual assignment and may not be completed in teams.
Guidelines
Phase I – Identify potential weaknesses from either the Aircraft Solutions or Quality Web Design Company
In this phase, you will choose either Aircraft Solutions or Quality Web Design as the company you will work with. The scenarios are in the Files section in the Course Project select area. You will then identify potential security weaknesses.
Security weaknesses – You must choose two from the following three areas (hardware, software, and policy – excluding password policies) and identify an item that requires improved security.
To define the asset or policy with sufficient detail to justify your assessment, your assessment must include:
the vulnerability associated with the asset or policy
the possible threats against the asset or policy
the likelihood that the threat will occur (risk)
the consequences to mission critical business processes should the threat occur
how the organization’s competitive edge will be affected should the threat occur
To clarify an item that requires improved security, you must identify one of these items:
one hardware and one software weakness
one hardware and one policy weakness
one software and one policy weakness
Other required elements include:
Cover sheet
APA-style
In-text citations and Reference section
Minimum length 3 pages, maximum length 5 pages (not counting cover sheet, diagram(s), references). Do not exceed the maximum length.
Phase II: the Course Project (comprised of Phase I and II) – Recommend solutions to the potential weaknesses from either the Aircraft Solutions or Quality Web Design Company
In this phase of the project you will include Part I (presumably improved as needed based upon Week 3 feedback) and then you will recommend solutions for the security weaknesses you identified in Phase I.
Definition of the solution – Hardware solutions must include vendor, major specifications with an emphasis on the security features, and location of placement with diagram. Software solutions must include vendor and major specifications, with an emphasis on security features. Policy solutions must include the complete portion of the policy that addresses the weakness identified. Any outsourced solution must include the above details and the critical elements of the service level agreement.
Justification – You must address the efficacy of the solution in terms of the identified threats and vulnerabilities; the cost of the solution, including its purchase (if applicable); and its implementation, including training and maintenance.
Impact on business processes – You must discuss any potential positive or negative effects of the solution on business processes and discuss the need for a trade-off between security and business requirements using quantitative rather than simply qualitative statements.
Other required elements include:
Cover sheet
APA-style
In-text citations and Reference section
5 reference minimum
Minimum length of solutions: 6 pages, maximum length 10 pages (not counting cover sheet, diagram(s), references). Do not exceed the maximum length.
Grading Rubrics
The course project will consist of two deliverables:
Phase I (Identify potential weaknesses from either the Aircraft Solutions or Quality Web Design Company); and Phase II: the Course Project (comprised of Phases I and II – Recommend solutions to the potential weaknesses from either the Aircraft Solutions or Quality Web Design Company).
The grading standards for each deliverable are as follows:
Phase I (Identify potential weaknesses from either the Aircraft Solutions or Quality Web Design Company)
Category | Points | Description
Security Weaknesses | 80 | Identifies two plausible and significant weaknesses from required list (hardware, software, policy). Includes realistic vulnerability(s) associated with the asset or policy, plausible and likely threats against the asset or policy, an estimation of the likelihood that the threat will occur (risk), the consequences to mission critical business processes should the threat occur, and how the organization’s competitive edge will be affected should the threat occur.
Presentation | 20 | Writing quality and flow demonstrates a graduate-level writing competency and does not contain misspellings, poor grammar, incorrect punctuation, and questionable sentence structure (syntax errors).
Total | 100 | A quality paper will meet or exceed all of the above requirements.
Phase II – the Course Project (comprised of Phase I and II) – Recommend solutions to the potential weaknesses from either the Aircraft Solutions or Quality Web Design Company
Category | Points | Description
Security Weaknesses | 60 | Identifies two plausible and significant weaknesses from required list (hardware, software, policy). Includes realistic vulnerability(s) associated with the asset or policy, plausible and likely threats against the asset or policy, an estimation of likelihood that the threat will occur (risk), the consequences to mission critical business processes should the threat occur, and how the organization’s competitive edge will be affected should the threat occur.
Definition of Solution | 30 | Includes vendor and major specifications, and identifies the relevant security features as related to the weakness identified. If hardware, includes location of placement with diagram. Policy solutions include the complete portion of the policy that effectively addresses the weakness identified. Any outsourced solution must include the above details and the critical elements of the service level agreement.
Justification | 30 | Demonstrates the efficacy of the solution in terms of the identified threats and vulnerabilities. Includes complete costs, including purchase, implementation, training, and maintenance as needed.
Impact on Business Processes | 25 | Addresses plausible, potential positive, or negative effects on business processes. Discusses trade-off between security and business requirements using quantitative statements.
Presentation | 25 | Writing quality and flow demonstrates a graduate-level writing competency and does not contain misspellings, poor grammar, incorrect punctuation, and questionable sentence structure (syntax errors).
Total | 170 | A quality paper will meet or exceed all of the above requirements.
Best Practices
Course projects cause many students anxiety. Some anxiety is probably healthy; it means you want to do a good job. But too much anxiety usually interferes with performance. There is writing assistance available in the Tutor Source link in the Introduction & Resources Module and here are some tips you may want to consider as you plan and create your course project.
Read the Course Project Requirements and the Course Project Sample Template (in the Files section) early. Here’s why: if you have in mind the required specifications of the assignment as you start the weekly assignments and other activities, you’ll be able to recognize when you come across information that you might want to use in your project.
Keep a separate project notebook. Don’t worry about keeping it highly organized and documented; just jot down ideas as they come to you. You’ll be surprised how much anxiety you prevent by simply having ideas ready when you sit down to write.
Use the “mull” method. This means spend a few days mulling over the assignment. Don’t force yourself to think about it, but, if you’ve read over the project requirements and have your project notebook with you as you do your regular class activities and your regular daily activities, your brain will work on the assignment all by itself. As it does so, more ideas will come to you and all you have to do is jot them down.
Don’t try to write the paper from the beginning to the end correctly the first time. If you do, you’ll probably forget all kinds of things and your sentence structure and word choice, not to mention spelling and grammar, will likely not be as good as it should be. Don’t edit as you write. Just write. That way the ideas can come out with less effort. Edit later.
Use your text to help you get ideas. For example, when considering vulnerabilities, check the index at the back of the text for the word “vulnerabilities” and browse through those pages. When you’re designing the network, look through the chapter on security in networks.
Use available sources such as the DeVry Library, our course Lectures, discussions, other books, journals, the Internet, and so forth.
Keep a digital notebook. When you find an interesting article (or even an article that looks as if it could be useful), copy it and paste it into your document along with the address (URL), date, author, and so forth. You can read through these later and keep what seems useful and discard the rest.
Make a schedule and keep to it. For example, you may set aside an hour to research topics. Use the suggestion in #7, pasting down articles and parts of articles to read later. Set aside another hour or two later to read through the material you collected. If it’s of no use, delete it so that your digital notebook becomes more refined and useful. If you start work early and schedule smallish times to do your work, you’ll find that, a) you learn a lot more, b) you have much less anxiety, and c) you end up with a better grade. Try it!
Ask questions. The Course Q & A forum in the discussions in the course shell is an excellent place to ask questions. This isn’t cheating; this is working together to increase everyone’s knowledge. You’re not asking someone to write your paper, you’re asking for ideas (or answering other students’ questions). Contact your instructor with questions. Your instructor is the expert on what is expected, so use this resource.
Read about APA-style citations by clicking the link, APA Guidelines for Citing Sources, near the bottom of the Course Syllabus. You will save a lot of time by addressing these style issues as you write your paper rather than trying to do this at the end.
Once you’ve written your rough draft, start the editing process:
Look over the Course Project Requirements, particularly the Grading Standards, and make sure that you’ve addressed every element that is required.
Remove any unnecessary sentences or phrases. This project is not supposed to be long (remember that there is a 12-page maximum for the final project – not counting the cover page, graphics, references, etc.), it’s supposed to be good. Any extra wording should be deleted. For example, “All of these weaknesses happen on a regular base and in order to make sure that they do not occur, the company needs to step in and make modification that will not only correct existing issues but prevent future ones as well,” could be written effectively as, “These vulnerabilities are ongoing and action needs to be taken.”
The key to good technical or business (and some would say creative) writing is being clear and effective. Don’t try to make the paper sound “educated.” For example, instead of writing “This document is set forth to identify and address potential security issues…,” just say what you need to say. Much better would have been, “This report addresses security issues….” This type of clear writing is a lot easier on the writer and on the reader.
When you use an acronym for the first time, spell it out. For example, “…the use of a VPN (virtual private network) is common among….” After that, just use the acronym.
Whenever you use pronouns like “it” or “they” that refer to something mentioned earlier, be sure that it is clear to what or to whom “it” or “they” refer. For example, “The company has implemented a firewall at corporate headquarters and a packet filtering router at the branch office. It has functioned well since then.” In this case, the “It” could refer to the company, the firewall, the headquarters, the branch office, or the packet filtering router. Clearer would be, “The company has implemented a firewall at corporate headquarters and a packet filtering router at the branch office. Network perimeter security has functioned well since then.”
Read your work out loud. You may find lots of little mistakes and sentence structure errors this way.
Use spell check and grammatical correction features of your word processing software, but don’t rely on them. Correctly spelled words will two often be red as bean write when they are whey off.
Proofread when you are not tired and when you have had some time away from your work on the paper. Your goal should be to catch ALL mistakes or omissions. Professional or academic papers that contain errors send a message to the reader that a) you are not a reliable source of information or b) you don’t care about the reader. Neither of these may be true, but that’s the message you send when you send errors.
Be sure that all ideas that you got from outside sources are accompanied by an in-text citation (not a footnote) and that the in-text citation refers to an item in the References section. Be sure to use APA-style.
As much as possible, avoid direct quotations. Only use direct quotations when necessary. For example, “…as Bill Gates once famously said, ‘No one will ever need more than 640K of memory’….” Since the writer is stating a specific (and silly) idea expressed by a well-known person, this little direct quotation is appropriate. But longer “cut-and-paste” sections are almost always unnecessary in this project, and most instructors don’t feel comfortable giving you a grade for a paper that was, to any significant extent, written by someone else. Usually a paper that contains more than 15-20% direct quotations is considered unacceptable. Some instructors think even this is way too high. When in doubt, contact the instructor. In any case, if you use a lot of direct quotations, expect to receive a poor grade and, if you use ANY direct quotation, be sure to use quotation marks and an in-text citation. If you don’t, you risk disciplinary action for violation of the academic integrity policy. See the course syllabus for more details.
Of all these tips, probably the most important are: start early and ask questions. Your instructor is committed to helping you get the most out of the course. If you start early, you’ll be able to ask questions that will save you time and effort. If you wait until the last minute, you’ll be stressed and won’t have time to incorporate feedback from your instructor.