
Group act 1

1. Look up “the paper that started the study of computer security.” Prepare a summary of
the key points. What in this paper specifically addresses security in previously
unexamined areas?
2. Assume that a security model is needed for the protection of information at UMak. Using
the CNSS model, examine each of the cells and write a brief statement on how you would
address the three components of each cell.
3. Identify the chief information officer (CIO), chief information security officer (CISO),
and systems administrator for our school. Which of these people represents the data
owner? Which represents the data custodian? What positions are there related to data
privacy? With regard to data privacy, who represents the data owner and data custodian?
What tasks does each perform to protect the integrity, availability, authenticity,
non-repudiation, and confidentiality of information? What is their approach to IS
implementation?
4. Using the Web, find a large company or government agency that is familiar to you or
located in your area. Try to find the name of the chief executive officer (CEO), the CIO,
and the CISO. Which was easiest to find? Which was hardest? 
5. Using the Web, find out about Kevin Mitnick. What did he do? Who caught him? Write a
short summary of his activities and explain why he is infamous.
6. Using the Web, find out about Onel De Guzman. What did he do? Who caught him?
Write a short summary of his activities and explain why he is infamous.

7. Using the Web, explore the technique known as “iterative and incremental development.”
Then, investigate “agile development.” How are they related?
Answer: The agile method combines both incremental and iterative methodologies. It is
iterative because it plans for the work of one iteration to be improved upon in subsequent
iterations. It is incremental because completed work is delivered throughout the project.

8. Differentiate SecOps and DevOps. Identify the people and their roles that are part of the
SecOps team. Identify the people and their roles that are part of the DevOps team.
Answer:
A SecOps engineer is a security professional who is responsible for securing and
protecting network systems, applications, and data. In short, a SecOps engineer supports
enterprise security.

A SecOps engineer can go by a number of titles:

Security Engineer
Security Architect
Security Device Engineer
SIEM engineer
Many similar titles

The DevOps team (that is, everyone) is responsible for exposing blind spots in their
applications and infrastructure, and then figuring out how they can monitor those
services. Monitoring is just one small step toward building highly observable systems, but
it is an important start for building reliable systems.

A DevOps team consists of:

Software developers
IT engineers
Systems architects
QA engineers
User experience engineers
Security engineers
DevOps evangelists
Nontechnical DevOps roles

9. What is the Microsoft SDL? What is the NIST's approach in Securing the SDLC?
Differentiate both approaches. Which one of them is better than the other?
Answer: The Microsoft Security Development Lifecycle is a software development
process used and proposed by Microsoft to reduce software maintenance costs and
increase the reliability of software with respect to security-related bugs. It is based on
the classical spiral model.

NIST SP 800-64 helps organizations integrate specific security steps into a linear and
sequential SDLC process. The five-phase method of development that is described in the
guide is also known as the waterfall method, and is one process for system development.
Other methodologies can be used as well.

As a group, we have thought this through: NIST's approach is much more detailed
than the Microsoft SDL.

10. Search the web for the OWASP Top 10 and the CWE/SANS Top 25.

1. For the OWASP Top 10, identify five risks that you've encountered or are interested in,
describe the risk, enumerate how to prevent it, and provide attack scenarios.
2. For the CWE/SANS Top 25, identify 10 errors that you've encountered or are interested in,
provide the ID, describe the error, enumerate how to mitigate the error in particular
phases of the SDL, and enumerate how to detect these errors.
