- State the advantages and disadvantages of using bottom-up and top-down approaches.
| Approach | Advantages | Disadvantages |
| --- | --- | --- |
| Bottom-up | The bottom-level employees have the technical expertise to understand what to do to secure information and how to do it. | The bottom-level employees do not have the resources and authority to enforce the security policy for all employees. |
| Top-down | A security plan initiated by top-level managers has the backing to make the plan work. Additional resources such as funding, equipment, and personnel have the highest level of support. | The top management may not know the technical details of implementing the security plan. |
- Why is a human firewall necessary in a company to ensure the implementation of the security policy is successful? (Note: a human firewall is an employee who tries to prevent security attacks from passing through him or her.)
___A human firewall involves the commitment of each employee; therefore each employee tends to follow the company's security policy closely, which makes the policy successful.___
- Why is it difficult for an attacker to break through a layered security system?
___An attacker is unlikely to possess the tools and skills to break through all the layers of defence.___
- The company has a security policy which does not allow employees of other departments to access the human resource system. This is an example of using the ___limiting___ policy.
- Guards not changing shifts at the same time each night is an example of using the ___obscurity___ policy.
- Using firewalls produced by different vendors is an example of using the ___diversity___ policy.
- Describe why the simplicity principle is used in security policy. If the security system is simple, how can it prevent crackers from breaking in?
___Simple security systems can be easily understood and maintained. The challenge is to make the system simple from the inside but complex from the outside.___
- There are three main categories of authentication; list one example for each.
Authentication by what you know. Examples: ___password, Kerberos and CHAP___
Authentication by what you have. Examples: ___tokens, digital certificate___
Authentication by what you are. Examples: ___iris, fingerprint___
- Information security rests on ___authentication, access control, and auditing___, or we can also say it rests on AAA, i.e. ___authentication, authorization and accounting___.
- A ___digital certificate___ is issued by a certification authority (CA) and it links or binds a specific person to a ___public key___.
- Kerberos is an authentication system which issues a ___ticket___ that contains specific user information, restricts what a user can do and expires after a few hours or a day.
- There are three models of access control:

| Access control model | Level of restriction | Characteristics |
| --- | --- | --- |
| Discretionary Access Control | Least | One subject can adjust the permissions for other subjects over objects. |
| Role Based Access Control | Medium | The users and objects inherit all of the permissions for the role. |
| Mandatory Access Control | Most | One subject is not allowed to grant rights to another subject to use an object. |
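The three rows of the table differ mainly in who is allowed to change permissions. The toy policy engine below is an added illustration, not part of the original worksheet: the object names, subjects and labels are constructed, and the MAC part uses Bell-LaPadula style "no read up / no write down" rules, which the table itself does not specify, as one concrete way an administrator-assigned label can block delegation.

```python
"""Toy engine contrasting DAC, RBAC and MAC decisions (constructed example)."""

from dataclasses import dataclass, field


# --- Discretionary Access Control -------------------------------------------
# The owner of an object holds a "grant" right and may hand permissions on that
# object to any other subject; anyone given "grant" may delegate further.
@dataclass
class DACObject:
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of permissions


class DAC:
    def __init__(self):
        self.objects = {}

    def create(self, owner, name):
        self.objects[name] = DACObject(owner, {owner: {"read", "write", "grant"}})

    def grant(self, granter, name, grantee, perm):
        obj = self.objects[name]
        # Only a subject that itself holds "grant" on this object may delegate.
        if "grant" not in obj.acl.get(granter, set()):
            return False
        obj.acl.setdefault(grantee, set()).add(perm)
        return True

    def allowed(self, subject, name, perm):
        return perm in self.objects[name].acl.get(subject, set())


# --- Role Based Access Control ---------------------------------------------
# Permissions attach to roles, never to users directly; a user inherits every
# permission of every role assigned to them.
class RBAC:
    def __init__(self):
        self.role_perms = {}  # role -> {(object, permission)}
        self.user_roles = {}  # user -> {role}

    def add_permission(self, role, name, perm):
        self.role_perms.setdefault(role, set()).add((name, perm))

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user, name, perm):
        return any((name, perm) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, ()))


# --- Mandatory Access Control ----------------------------------------------
# Labels are fixed by the administrator. Decisions compare labels only, so no
# subject can extend another subject's access (grant always fails).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # constructed lattice


class MAC:
    def __init__(self):
        self.subject_level = {}
        self.object_level = {}

    def label_subject(self, subject, level):
        self.subject_level[subject] = level

    def label_object(self, name, level):
        self.object_level[name] = level

    def grant(self, granter, name, grantee, perm):
        return False  # delegation is not a concept in MAC

    def allowed(self, subject, name, perm):
        s = LEVELS[self.subject_level[subject]]
        o = LEVELS[self.object_level[name]]
        if perm == "read":
            return s >= o  # no read up
        if perm == "write":
            return s <= o  # no write down
        return False


if __name__ == "__main__":
    dac = DAC()
    dac.create("alice", "report.txt")
    print("DAC delegate:", dac.grant("alice", "report.txt", "bob", "read"))
    rbac = RBAC()
    rbac.add_permission("hr", "hr_system", "read")
    rbac.assign("dana", "hr")
    print("RBAC eve reads hr_system:", rbac.allowed("eve", "hr_system", "read"))
    mac = MAC()
    mac.label_subject("frank", "confidential")
    mac.label_object("payroll", "secret")
    print("MAC frank reads payroll:", mac.allowed("frank", "payroll", "read"))
```

Running the three engines side by side shows the "level of restriction" column in action: in DAC the owner can quietly widen access, in RBAC only whoever manages roles can, and in MAC nobody but the administrator who sets labels can.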
- You can audit a security system in two ways: ___logging___ and ___system scanning___.