CSIA301 – Chapter 1 Exercises
Due Sunday, August 28, 2011
1. In computer security, a vulnerability is a weak point in the system that guards a computer and
its data. It may be characterized by the ability for multiple users to access the same material,
the absence of firewalls or other protective security layers, or any number of other ways an
attacker could find a way into the system.
A threat is any entity that has the ability to cause damage or loss of what is being protected by
the security system. It may be characterized by a human attacking a computer system, or
malicious code that has the potential to cause damage or steal data.
Controls are methods that directly address vulnerabilities. If, for example, the threat is a
computer virus, and the vulnerability is the target computer's firewall, then the appropriate
control would be a firewall program that monitors the computer's ports for unauthorized access.
Controls can be physical or virtual, but the thing that characterizes them is their purpose of
reducing the severity of vulnerabilities in a computer system.
2. If a company experiences the theft of their computer equipment, they may suffer from one or
more of a few kinds of damage. Obviously the first would be the loss of valuable equipment.
This might qualify as an interruption, since the company is no longer in control of those
physical assets. Second, the attacker may then use that equipment to cause further harm, perhaps by
modifying the data that was stolen. They could use the security keys on the stolen equipment to
access the company's other resources, and steal or modify other pools of data. Third, the
attacker may use account information from the stolen equipment to gain access and either
intercept or fabricate transactions on what remains of the company's network, potentially
causing further financial harm.
3. If a company experienced electronic espionage, they could suffer from similar harm as the
company that lost their hardware. If an attacker gained access to their network, they could steal
or modify confidential material. That material could also be deleted, or even replaced so that
valuable assets are not used in the manner that the company intended. In the case of electronic
espionage, then, interruption, interception, modification and fabrication may all apply. This
company would also suffer from a decrease in confidentiality, since their systems have been
accessed by an unauthorized party. This is an important issue with regards to online privacy,
since companies generally have a user base and store those customers' information on their
4. If the integrity of a company software program or valuable data is compromised, it may have
already undergone some kind of modification, including possible deletion of essential files
needed for the software to run properly, or for the data to be accessed. This directly affects the
availability of services or data, and can also be known as denial of service. The company has
also experienced a decrease in integrity, since the data or software may have been modified in a
way that is not consistent with the way it is meant to be used. This is also an important issue
with regards to online privacy and functionality, since the integrity of data makes sure that
information can be accessed and used when it is needed.
7. If a payroll program leaked the names of high earning employees, there are several controls that could be implemented to limit vulnerability. The first would be the human response. Even if controls are going to be instituted after the fact, it would be necessary to have a security policy in place. They would need to know who to notify and what to do in the case of a leak. If the list of leaked names has already been created, it is up to the user to find out where that information went. One would hope, for a subject as sensitive as employee earnings, that an internal program control would already be in place to limit the availability of data created by payroll programs. For instance, you would want to make sure that the system hosting the payroll program is protected from prying eyes, either by a physical control such as not having it connected to the company network, or a software control such as a firewall or program that monitors access to that system. You would also want to control the ability for information on that payroll system to be transferred, either electronically or physically, such as by a USB drive. Lastly, payroll programs could be required to have their cache of data encrypted and stored in a folder with strict permissions.
8. On a multiple user computing system, the administrator or "superuser" has read, write and execute access to the operating system's code. They are able to both view and modify essential files and code that governs the operation of the system. The administrator has powers commensurate with his or her responsibility for that computer system, superseding any controls a regular user would be able to put into place. A superuser would also probably be able to delete any user's files, as is their responsibility. The administrator should also have access to view programs and unencrypted data created by a normal user of the system. A user without administrative access still has control over their own files, and in some cases the ability to protect them with passwords or encryption. They may or may not also be able to change permissions (the ability to read, write or execute) for the files they create. So, any code created by a regular user should be able to be modified by that user, but if the code or content of that code is malicious or illegal, the administrator should be able to modify that code as well, in order to protect the computer system and the integrity of the company or group to which that system belongs. It may not seem so nice, but this is the way it should work.
In certain operating systems such as Windows, the administrator has the option to install certain programs for just themselves, or for all users of that system. If a computer program is installed, such as a payroll program meant for a user in Human Resources, the program would be able to be used by whichever user accounts have been granted access by the administrator who installed the program. After the program is installed, further modifications can be made to control who has access to the program. There are also other models of integrity, however, which further specify which types of users, or even systems, can access data from other integrity levels. For instance, a medium integrity user may not be able to write data to a higher integrity level, in order to protect the integrity of the entire system. That same medium user may also not be able to read data from a lower integrity system, in order to protect its own integrity from being polluted.
9. An electronic spy is someone, or some program, who performs a set of tasks designed to gather information through the use of a computer or network of computers. The purpose of their work is to somehow gain valuable information stored on a computer somewhere. They may use any available means and exploit any known vulnerabilities to get that information. An information broker may then be who comes after the electronic spy has done their work. A broker buys and sells commodities, and if that commodity is information, then that is what they are buying and selling. By definition, a broker also does not own the information being bought and sold. Neither, for that matter, does the electronic spy.
12. The best example I can think of, of data that has a short timeliness with regard to protection, is the record of stock transactions in dark trading pools. Wall Street brokers make deals that are not disclosed to the public, usually in order to move large quantities without affecting market price or the cost of trading. This information is protected only before and during normal trading hours. These dark pools obviously have to have some sort of data security in place, since if information from them is leaked, it can be financially disadvantageous for the participants. For data whose confidentiality has a lifespan of more than a year, the best example I can find is that of confidentiality agreements governing trade secrets. In them, the owner of a trade secret usually requires that their business partner or customer, in order to be privy to this valuable information, keep quiet about it for a period of five or ten years. After the period of agreed-upon confidentiality expires, that trade secret may still be very valuable, and legally less protected. Interestingly enough, trade secrets may not be protected to a degree consistent with their value if the owner enters into one of these agreements.
Sources:
Hartzell, J. M. (2009). Time limits in confidentiality agreements. Intellectual Property Litigation, 20(3), 7. Retrieved from http://www.marshallip.com/media/pnc/7/media.pdf
Zendrian, A. (2009). Don't be afraid of the dark pools. Forbes.com LLC. Retrieved from http://www.forbes.com/2009/05/18/dark-pools-trading-intelligent-investing-exchanges.html
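As an added example (not part of the original exercises), the integrity-level rules discussed above, where a medium-integrity user can neither write to a higher integrity level nor read from a lower one, expressed as a small Python access check; the level names, subjects, objects and sample requests are constructed for illustration.

```python
# Added example, not from the original exercises: an access check implementing
# the integrity rules described above. A subject may not WRITE to an object of
# higher integrity (so low-trust data cannot taint the system) and may not READ
# an object of lower integrity (so the subject is not polluted by it).
# Level names, subjects, objects and requests are constructed for illustration.
from dataclasses import dataclass

LEVELS = {"low": 0, "medium": 1, "high": 2}  # assumed three-level ordering


@dataclass(frozen=True)
class Subject:
    name: str
    level: str


@dataclass(frozen=True)
class Obj:
    name: str
    level: str


def allowed(subject: Subject, obj: Obj, op: str) -> bool:
    """Return True if the operation respects the integrity rules."""
    s, o = LEVELS[subject.level], LEVELS[obj.level]
    if op == "read":
        return s <= o   # "no read down": only read equal or higher integrity
    if op == "write":
        return s >= o   # "no write up": only write equal or lower integrity
    raise ValueError(f"unknown operation: {op}")


def check_requests(requests):
    """Evaluate (subject, object, op) requests; return audit-log style tuples."""
    return [(s.name, o.name, op, "ALLOW" if allowed(s, o, op) else "DENY")
            for s, o, op in requests]


if __name__ == "__main__":
    hr_user = Subject("hr_user", "medium")        # constructed regular user
    admin = Subject("administrator", "high")      # constructed superuser
    os_code = Obj("os_code", "high")
    payroll = Obj("payroll_cache", "medium")
    download = Obj("downloaded_file", "low")
    for entry in check_requests([
        (hr_user, payroll, "read"), (hr_user, os_code, "write"),
        (hr_user, download, "read"), (hr_user, os_code, "read"),
        (admin, os_code, "write"),
    ]):
        print(entry)
```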