
CS155 Computer and Network Security

Published: 06-Oct, 2021

Questions:

Please briefly answer the following questions.

1. What are some examples of confidential information? (Provide at least 5 examples.)

2. What does SQL injection do?

3. What does a buffer overflow do?

4. Why is it important for information security professionals to know the laws that affect them?

5. What are some other security models besides the CIA triad?

6. What are the four components of security documentation?

7. What are the responsibilities of a security architect?

8. What is authentication? What is authorization? Together, what are authentication and authorization used for?

9. What are the three commands for administering database object permissions?

10. What best practice network architecture should be used for databases that provide data via a web server to the Internet?

11. Why is encryption generally not used in the core layer?

12. What are the layers of the Cisco Hierarchical Internetworking model and what is each used for?

13. Why is encryption generally not used in the core layer?

14. What is an intranet used for?

Answers:

1. Examples of confidential information include: name, date of birth, age, sex and address; individual plans; current contact details of close ones; reports or assignments; medical history or records; personal health and treatment issues; service records; and document advance notes (Hannah & Robertson, 2015).

2. SQL injection is a code injection technique that exploits a security weakness in the database layer of a software application. It is one of the most well-known web hacking techniques (Shar & Tan, 2013). SQL injection is the placement of malicious code in SQL statements through web page input. SQL injection can manipulate data and corrupt or delete tables of the database.

3. Buffer overflow refers to any case in which a program writes past the end of the memory allocated for any buffer, including on the heap, and not just on the stack (Pang et al., 2016). For example, if a programmer writes past the end of an array allocated from the heap, the programmer has caused a buffer overflow.

4. Organizations need to ensure that their staff know about regulations, develop policies to incorporate the requirements, and develop procedures to ensure compliance with the regulations. The risks to an organization of noncompliance are criminal, civil, statutory, administrative or authoritative penalties (Spring, 2014). The development and implementation of organizational security policies and standards will maximize compliance and minimize the resources the organization needs to spend to undergo internal and external compliance audits. Therefore, information security professionals need to know the laws concerning cybercrimes.

5. Other security models besides the CIA triad include the take-grant protection model, Bell-LaPadula model, lattice-based access control (LBAC), Biba model, Brewer and Nash model, multi-level security (MLS), Clark-Wilson model, Graham-Denning model, mandatory access control (MAC), Harrison-Ruzzo-Ullman (HRU), high-water mark (computer security), non-interference (security), object-capability model, role-based access control (RBAC), protection ring and discretionary access control (Alexeev et al., 2017).

6. The four components of a security policy are purpose, scope, responsibilities and compliance.

Purpose covers the goals of the program, such as improved recovery times, reduced costs or downtime due to loss of data, reduction in errors for both system changes and operational activities, management of overall availability, integrity and confidentiality, and regulatory compliance (Spring, 2014).

Scope covers procedures, facilities, technology, employees and lines of business.

Responsibilities for the implementation and management of the policy are assigned in this section. Organizational units are possible assignees.

Compliance provides for the policy's enforcement. Describe oversight activities and disciplinary considerations clearly. However, the content of this section is meaningless unless an effective awareness program is in place.

7. It is the duty of a security architect to gain a complete understanding of an organization's technology and information systems; plan, research and design robust security architectures for any IT project; perform vulnerability testing, risk analyses and security assessments; research security standards, security systems and authentication protocols; develop requirements for local area networks (LANs), wide area networks (WANs), virtual private networks (VPNs), routers, firewalls and related network devices; design public key infrastructures (PKIs), including use of certification authorities (CAs) and digital signatures; and prepare cost estimates and identify integration issues (Spring, 2014).

8. Authentication is the process of recognizing a user's identity. It is the mechanism of associating an incoming request with a set of identifying credentials.

Authorization is the process of granting or denying access to system resources.

The first stage is authentication, which ensures that a user is who he or she claims to be (Ayed et al., 2014). The second stage is authorization, which allows the user access to various resources based on the user's identity.

9. SQL GRANT REVOKE Commands, SQL GRANT Command and SQL REVOKE Command are the three commands for administering database object permissions.

10. Network architectures are classified into two broad categories: client-server architectures and peer-to-peer architectures (Spring, 2014). Client-server architectures are commonly organized into two-tier, three-tier and multi-tier architectures.

11. Encryption is not used in the core layer because, if used, it would slow down connectivity within the campus network (Carrie & Wilshire, 2013). Employees within the intranet have to access the system with a login ID and password; if they want to communicate with each other, they have to do so through a secure encrypted tunnel.

12. A typical enterprise hierarchical LAN campus network design can be classified into three layers:

Access layer: Workgroup/user access to the network is provided by the access layer.

Distribution layer: Policy-based connectivity is provided by the distribution layer, which controls the boundary between the core and access layers (Beletskaya et al., 2013).

Core layer: Fast transport is provided between distribution switches within the enterprise campus.

13. Encryption is not used in the core layer because, if used, it would slow down connectivity within the campus network (Carrie & Wilshire, 2013). Employees within the intranet have to access the system with a login ID and password; if they need to communicate with each other, they should do so through a secure encrypted tunnel.

14. An intranet is used for productivity, corporate communications, streamlining processes, spurring collaboration and knowledge management; it provides a central communication area for the entire organization (Beletskaya et al., 2013). Many people work in remote locations, so it helps give a sense of connectedness to the organization as a whole regardless of where someone is located.

Intranets have been very successful in keeping communication open with employees; of course, it is essential that employees log into the intranet several times a day. Many organizations make the intranet the default start-up page for any browser inside the organization, which makes it easier for employees to remember to log in for important information.

References

Alexeev, V. S., Bavykin, D. V., Fedorov, A. V., Gleyzerman, E. A., Ilyushin, A. V., Kazarkin, L. A., ... & Yakovlev, E. A. (2017). U.S. Patent No. 9,690,944. Washington, DC: U.S. Patent and Trademark Office.

Ayed, D., Bichsel, P., Camenisch, J., & den Hartog, J. (2014, June). Integration of data-minimising authentication into authorisation systems. In International Conference on Trust and Trustworthy Computing (pp. 179-187). Springer, Cham.

Beletskaya, S. Y., Zolnikov, V. K., Kravets, O. J., Lapshina, M. L., & Podvalny, E. S. (2013). Specific features of modeling and developing the mathematical and program software for designing intranet-interfaces during competitive development of information systems. World Applied Sciences Journal, 23(12), 64.

Carrie, M., & Wilshire, J. C. (2013). U.S. Patent No. 8,612,650. Washington, DC: U.S. Patent and Trademark Office.

Hannah, D. R., & Robertson, K. (2015). Why and how do employees break and bend confidential information protection rules? Journal of Management Studies, 52(3), 381-413.

Pang, J. N. K., Watts, M. S., Parandehgheibi, A., & Yadav, N. (2016). U.S. Patent Application No. 15/136,791.

Seo, J. H., & Emura, K. (2013, January). Revocable Identity-Based Encryption Revisited: Security Model and Construction. In Public Key Cryptography (Vol. 7778, pp. 216-234).

Shar, L. K., & Tan, H. B. K. (2013). Defeating SQL injection. Computer, 46(3), 69-77.

Spring, M. (2014). Toward realistic modeling criteria of games in internet security.
