INFA 670-9040 (2208), Fall 2020
1. There are three (3) questions on this exam; the point value of each is noted adjacent to the question number. The total point value of this exam is 100 points and it is worth a total of 25% of this course as per the Course Syllabus.
2. Ensure that your responses to all questions are written in the context of security and trusted systems.
3. You should attempt to answer all three (3) of these questions. I do give partial credit, so at least attempt all questions.
4. Each question must be answered in your own words. However, when you use the words of others in any question responses, you must use quotation marks and attribute the source right there following APA style recommendations. Also be sure to cite references right there using APA style when you paraphrase the words of others.
5. Adequate answers for the entire examination should run approximately ten (10-12) double-spaced pages (not much more; however, it is important to note that I will not be counting pages or words) with one-inch margins and 12-point font. If you choose to repeat the exam question in your response, that length will not count toward your paper length.
6. You must provide a separate bibliography or list of references for each question following APA style recommendations. The bibliography or list of references for each question is outside the scope of the 10-12 double-spaced pages and should be placed at the end of each question. I require this so that I do not have to “untangle” what citations go with which exam question.
7. Answers will be evaluated on the following criteria: key content and its relevance, logical flow, clarity, spelling, grammar, and proper citations.
Question 1, total 33 points.
This question is about Vulnerability Analysis as defined and discussed, among other places, in INFA670 Session 4 and in a myriad of conference papers and textbooks, for example in Matt Bishop’s (2003, Chap. 23) textbook. Feel free to use any OER or equivalent resource to which you have access.
Select two Vulnerability Analysis tools of your choosing which are used in research and/or commercially available and describe their main features and functionality. Compare and contrast their relative strengths and weaknesses when used in the three (3) scenarios described below:
1. The system to be developed is intended to be operational in a large enterprise environment, and the system itself, when fully developed, will be of a size typically found in large enterprise deployments such as federal organizations like DOE, DOD, FBI, DHS, large international banks or similarly sized operations where integration and deployment includes use in a networked environment.
2. The system to be developed is intended to be operational in a midmarket-sized firm which has branches located nationwide as well as internationally. Familiar examples might include a fast food chain of outlets such as Burger King, McDonald’s, a nationwide clothing store or a similar set of replicated stores where integration and deployment includes use in a vast networked environment.
3. The system to be developed is intended to be operational in a small market firm or small business firm or even in home usage. Familiar examples might include an income tax preparation package by a small tax consulting firm.
Be sure to frame your answer in logical argumentation and referenced research results, which may include textbooks and other credible outside sources.
Question 2, total 33 points.
This question is based on one or more problems found in various publications and textbooks. For example, Exercise 3 in Chapter 21 of Matt Bishop’s textbook (2003, pp. 609–610). Exercise 3 states:
“Recall that ‘criteria creep’ is the process of refining evaluation requirements as the industry gains experience with them, making the evaluation criteria something of a moving target.
This issue is not confined to the TCSEC, but rather is a problem with all evaluation technologies.” (See, for example, Bishop, 2003, pp. 609–610 or another text focusing on evaluation technologies.)
With this in mind, address the following requirements:
1. Analyze the benefits and drawbacks of the Common Criteria (CC) methodology for handling criteria creep.
2. Provide recommendations for ensuring that the benefits can be realized and for mitigating the drawbacks.
Question 3, total 34 points.
The Internet has dramatically changed the way we communicate and how we handle everyday tasks. We send emails and texts, we share documents, we pay accounts and we purchase online. Many if not all of these transactions require personal details to be entered online, possibly ending up in an “untrusted ICT environment” where they may reside for an indeterminate amount of time.
This question refers to papers which are recent publications of current research and development projects focused on performing trusted computing on private information which had its genesis in a trusted environment. However, that information will now be processed in an environment which uses untrusted software such as some browser extensions and other unknown apps.
This is a common issue which appears frequently in the world of ICT:
In today’s data processing world, ICT firms sometimes need to resolve the following: how to protect and maintain data privacy when working with such data in an untrusted ICT environment.
Below is a hyperlink to a PDF file entitled: “Hails: Protecting Data Privacy in Untrusted Web Applications” found at the following hyperlink:
By Daniel B. Giffin, et al. (2012). Note that Deian Stefan is not only a co-author of the above paper, but also a co-author of the paper below.
This paper was first published by the USENIX Association at the 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’12).
There are one or two other papers published around two years later as follows:
PUBLIC RELEASE: 5-OCT-2014
New web privacy system could revolutionize the safety of surfing
UNIVERSITY COLLEGE LONDON
Deian Stefan and Edward Z. Yang, Stanford University; Petr Marchenko, Google; Alejandro Russo, Chalmers University of Technology; Dave Herman, Mozilla; Brad Karp, University College London; David Mazières, Stanford University
The following URL has the paper.
This paper is included in the Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation. October 6–8, 2014 • Broomfield, CO
The following URL has the paper abstract AND a 24-minute video presented by one of the paper’s authors, Deian Stefan. To better understand the problem, it is very useful to watch this 24-minute video.
Your task in this Q3 is to ascertain to the best of your ability the following:
Briefly discuss what you see as issues when working with private data and information on untrusted Web sites or Web sites in general. In addition, these papers are representative of the technology and thinking during their time of writing. Although they are approximately 6 years old, going by the publication dates, a question we would like to address is what, if anything, new has been developed during the elapsed six years. I posit that this is a very important issue which needs to be resolved; hence let’s look at what steps have been taken to ameliorate the issue of processing private information in current-day ICT environments.
Please frame your claims in logical argumentation and referenced research results using credible sources, which may be found in professional journals, relevant textbooks, and any materials found on the Web.
END OF EXAM