Distinguish between vulnerability, threat, and control.Preserving confidentiality, integrity, and availability of data is a restatement of the concern over interruption, interception, modification, and fabrication.
1.8 Exercises
1. Distinguish between vulnerability, threat, and control.
2. Theft usually results in some kind of harm. For example, if someone steals
your car, you may suffer financial loss, inconvenience (by losing your mode of
transportation), and emotional upset (because of invasion of your personal
property and space). List three kinds of harm a company might experience from
theft of computer equipment.
3. List at least three kinds of harm a company could experience from electronic
espionage or unauthorized viewing of confidential company materials.
4. List at least three kinds of damage a company could suffer when the integrity
of a program or company data is compromised.
5. List at least three kinds of harm a company could encounter from loss of
service, that is, failure of availability. List the product or capability to which
access is lost, and explain how this loss hurts the company.
6. Describe a situation in which you have experienced harm as a consequence of
a failure of computer security. Was the failure malicious or not? Did the attack
target you specifically or was it general and you were the unfortunate victim?
7. Describe two examples of vulnerabilities in automobiles for which auto
manufacturers have instituted controls. Tell why you think these controls are
effective, somewhat effective, or ineffective.
8. One control against accidental software deletion is to save all old versions of
a program. Of course, this control is prohibitively expensive in terms of cost of
storage. Suggest a less costly control against accidental software deletion. Is
your control effective against all possible causes of software deletion? If not,
what threats does it not cover?
9. On your personal computer, who can install programs? Who can change
operating system data? Who can replace portions of the operating system? Can
any of these actions be performed remotely?
10. Suppose a program to print paychecks secretly leaks a list of names of employees
earning more than a certain amount each month. What controls could be instituted to
limit the vulnerability of this leakage?
11. Preserving confidentiality, integrity, and availability of data is a restatement of the
concern over interruption, interception, modification, and fabrication. How do the
first three concepts relate to the last four? That is, is any of the four equivalent to one
or more of the three? Is one of the three encompassed by one or more of the four?
12. Do you think attempting to break in to (that is, obtain access to or use of) a
computing system without authorization should be illegal? Why or why not?
13. Describe an example (other than the ones mentioned in this chapter) of data
whose confidentiality has a short timeliness, say, a day or less. Describe an example
of data whose confidentiality has a timeliness of more than a year.
14. Do you currently use any computer security control measures? If so, what?
Against what attacks are you trying to protect?
15. Describe an example in which absolute denial of service to a user (that is, the user
gets no response from the computer) is a serious problem to that user. Describe
another example where 10 percent denial of service to a user (that is, the user’s
computation progresses, but at a rate 10 percent slower than normal) is a serious
problem to that user. Could access by unauthorized people to a computing system
result in a 10 percent denial of service to the legitimate users? How?
16. When you say that software is of high quality, what do you mean? How does
security fit in your definition of quality? For example, can an application be insecure
and still be “good”?
17. Developers often think of software quality in terms of faults and failures. Faults
are problems (for example, loops that never terminate or misplaced commas in
statements) that developers can see by looking at the code. Failures are problems,
such as a system crash or the invocation of the wrong function, that are visible to the
user. Thus, faults can exist in programs but never become failures, because the
conditions under which a fault becomes a failure are never reached. How do software
vulnerabilities fit into this scheme of faults and failures? Is every fault a
vulnerability? Is every vulnerability a fault?
18. Consider a program to display on your website your city’s current time and
temperature. Who might want to attack your program? What types of harm might
they want to cause? What kinds of vulnerabilities might they exploit to cause harm?
19. Consider a program that allows consumers to order products from the web. Who
might want to attack the program? What types of harm might they want to cause?
What kinds of vulnerabilities might they exploit to cause harm?
20. Consider a program to accept and tabulate votes in an election. Who might want
to attack the program? What types of harm might they want to cause? What kinds of
vulnerabilities might they exploit to cause harm?
21. Consider a program that allows a surgeon in one city to assist in an operation on a
patient in another city via an Internet connection. Who might want to attack the
program? What types of harm might they want to cause? What kinds of
vulnerabilities might they exploit to cause harm?
1. Describe each of the following four kinds of access control mechanisms in
terms of (a) ease of determining authorized access during execution, (b) ease of
PLACE THIS ORDER OR A SIMILAR ORDER WITH NURSING HOMEWORK HELP TODAY AND GET AN AMAZING DISCOUNT
