1

Momoh Sadi Zekeri

INFA670 9041

EXAM INSTRUCTIONS

1. There are three Parts to the exam.

2. Part I is short answers. You MUST submit ONLY the answer sheet below for this part.

3. For Parts II & III, descriptions should be provided IN YOUR OWN WORDS. However,

when you use the exact words of others in any answer, you MUST use quotation marks and

attribute the source right there and provide a separate reference section for each descriptive

question following APA style recommendations. For these questions, correctness, logical flow,

grammar, and proper references are all important in that order.

4. This is an open-book individual examination. You may use any resource such as

books, articles, and the Web. The questions may require research beyond the text, lecture notes,

and conferences. You must, however, do your own work and you may not collaborate with your

classmates.

5. Do NOT post questions about this exam in any of the class forums. If you have a question

about the exam e-mail your instructor directly for a decision on whether the entire class needs to

be advised of the issue or question.

6. Do NOT provide answers in a separate sheet, separate from the questions. It is very hard to

grade, especially if you mess up the order or provide the wrong number for a question.

7. This Final is due before Midnight, Sunday, April 22nd. No exceptions

 2

Part I: Multiple Choice Answers (20 Questions, 25 points total)

ANSWER KEY - SUMBIT THIS ONLY

1. C 2. 3. B 4. D 5. A,B 6. A,D 7. C 8. D 9. B 10.A

A,D,E,F,G

11. D 12. A 13. A 14. B 15.A 16. 17. A 18. 19. 20.A

A,D,E A,B,C,D,F,G B

Part II: Short Essay Answers (4 Questions, 35 points total)

1. (5 points) what are the conceptual differences among a Reference Validation

Mechanism (RVM), a Trusted Computing Base (TCB), and Target of Evaluation (TOE)

security functions? Be sure to do more than define what each is. Elaborate on their

differences.

Reference Validation Mechanism

This mechanism that uses a concept of a set of requirements designed on a reference

validation method. This mechanism uses a policy that defines requirements on a reference

validating process. The reference validation is in such a way that it regulates the system control

mechanism. This mechanism has the following properties;

(i) The validation must be non- by-passable. This means that if the system is being attacked, an

attacker will not be able to bypass this mechanism and be a threat to the system.

(ii) It must be tamperproof- This property helps the mechanism not be undermined by an

attacker.
 3

(iii) The reference validation must be invoked- if this property is not available, the mechanism

cannot perform its operations in a good manner. The attacker will then have an easy time to

violate this mechanism.

(iv) It must be evaluable- This means that it is a requirement for this property to be verified and

complete. In the absence of this property, this mechanism will not guarantee the security policy.

Trusted Computing Base

This is a set of hardware, software, and firmware components that are very crucial to a

computer system. The security property might be jeopardized by the bugs and the vulnerabilities

occurring in the computer system. Therefore, there is a need for a computer system to have a

trusted computing base. All the computer components should not be able to leak any information

concerning the security of the system outside the TCB.

Target of Evaluation

This is a framework in which users of a system specify their requirements, both functional and

fundamental (Watson & Jones, 2013). The system vendors make the security attributes of their

products and evaluate them to make sure that they meet the customer’s specifications. In this

mechanism, the system becomes the subject of evaluation. The evaluation process is expected to

verify the targeted security features.

References

Watson, D., & Jones, A. (2013). Digital forensics processing and procedures: Meeting the

Requirements of ISO 17020, ISO 17025, ISO 27001 and best practice requirements.

Amsterdam: Syngress.

2. (10 points) A company develops a new security product using the extreme

programming software development methodology – programmers code, then test, then add
 4

more code, then test, and continue the iteration. Every day, the code base is tested as a

whole. The programmers work in pairs when writing code to ensure that at least two

people review the code. The company does not offer any additional evidence of assurance.

Explain to the management of this company why their software is NOT highly assured.

Software assurance involves many things all together. It consists of monitoring the

software engineering process and ways in which quality of the software can be increased. The

methods used are different according to the staffs, and also the type of the software. Software

quality assurance involves scanning the system within the whole process. From the start of the

system development to the completion and the maintenance, the system should always be tested.

In this method of software development, the developers use iteration process which allows the

system to be developed in bits (ObCom 2011, Venkata, Rajasekhara, &Ariwa, 2012). Therefore,

the best practice would test every phase of the system development.

The management needs to be checked regularly. The system should behave normally in

all the circumstances. For each development stage, the scanning needs to be done to make sure

that the whole system works efficiently. This system cannot be said to be fully assured because

there are so many loopholes that this system needs to avoid. In extreme programming, the

developers are mostly concerned about the code rather than the design. Therefore, if the system

is not tested regularly, its design may not impress the users of the system. The design is very

important when it comes to software applications. Because the extreme programming is mainly

done on XP projects, it is good to replace all the defects. Extreme methodology mainly does not

measure the quality assurance of the code. Therefore, there is a need to do testing regularly to

avoid defects. The management should, therefore, make sure that every step needs evaluation to

make sure it works effectively.

 5

In another argument, XP programming does not guarantee the system or software

assurance if the developers are widely apart. In this company, the developers are in groups and

are not working together. The software to be developed in this case becomes insecure in matters

concerning system security and code configuration. It is not a guarantee that this system will

work efficiently. The testing process needs a strategy which will provide information about items

and techniques used in testing a system. Another thing is a test plan. It involves testing a system

and verifying each phase including the design and functional specifications. This helps to know

the approaches to take to test each tool, responsibilities of each system, and procedures to follow.

The case design needs too to be tested (Khour, 2016). This helps in uncovering the errors that are

found in the system either inherited or done during the development process. Each procedure

should be followed up to the ladder. The special requirements should be documented for future

reference. This is what will make the company be sure that the system is fully assured.

The types of testing available include; unit testing where each unit is tested differently

and its results recorded. Each unit should be able to compact with others to make sure that the

complete system works harmoniously. In integration testing, the analysts are required to test at

intervals of the system modules. This help to locate the modules that have faults. Finally the

functional testing is done. This is done to determine whether the system functions correctly.

Therefore, the system should undergo testing in all those phases and even after it is in use,

testing should be done.

References

Khoury, J. (2016). Visual Studio Application Lifecycle Management: Customer

Feedback.
 6

ObCom 2011, Venkata, K. P., Rajasekhara, B. M., &Ariwa, E. (2012). Global trends in

computing and communication systems: 4th International Conference, ObCom 2011,

Vellore, TN, India, December 9-11, 2011, proceedings. Heidelberg: Springer.

3. (10 points) five security principles/concepts in software development

include least privilege, separation of privilege, fail securely, nonrepudiation, and

secure the weakest link. First, briefly describe each, then give a specific example of

each in practice, and then finally rank the relative importance of each (#1 highest,

#5 lowest). Justify your ranking.

(i) Least privilege

This design principle requires an approach that grants access to the user and gives him or

her rights to specific information and tools. The rights to access the content are determined by

the time. At times, the resources to be accessed are limited. The task that users want to perform

is determined by the time intervals which help them complete the necessary tasks. The approved

context will determine the implications of granting an access to the system users. Generally, this

principle of security tries to limit data changes and prevent errors and accidents from occurring

by reducing the number of interactions with the system resources. For example; mail servers are

known for accepting mail from the internet and message copies are made in the directory. The

local server is responsible for delivery of the messages. In order to access the appropriate

network ports, there must be rights granted to access the directory. In this case, the server should

be able to offer access of any of the user’s files.

(ii). Separation of privileges

 7

This principle requires that all the resources that are to be accessed by the users be

granted based on several conditions. For example there may be two conditions to be fulfilled. A

user may be granted to see the resources in a computer if he or she has an active status and also

has access to certain resources. In this case, if the user is not active, then he will not get access to

the resources. All the conditions must be met for a successful resources access.

(iii). Fail securely principle

In this principle, applications will most of the times fail to process the transactions for a

number of reasons. By failing, this is what determines if the application is secure or not. For

example an application may fail due if the user is not admin. The specifi8cations assigned to the

admin are not the same as those assigned to other users. If then he is the admin, there may be a

restriction of trying to enter into the system. Some trials will go through while others will

decline. In this case, if the system fails to throw an exception, the user will automatically be the

admin which is very risky.

(iv). Non repudiation

In this principle, it involves matching an action or a change to a certain individual. This

principle may be violated if it is not strictly enforced. For example the sharing of a key card

access system can be implemented and sharing of the key card may be a way of violating this

principle.

(v). Secure the weakest link

In this principle, security practitioners often look at the system security as a chain. The

chain’s strength is compared to the weakest link. A weakest component is the same as a software

system. Attackers will always target the weakest point of the system. This point is rarely a

security function. The weakest link should be considered when determining a secure design and
 8

the developers should make sure that the system is secure enough. For example; it is wise to stay

updated on all the software that is upcoming (Duro, Kondratenko, & Duro, 2015). Some new

software utilities allow you to delete data from another computer remotely. This can be used to

hack your computer’s data or sending data on your behalf.

Ranking of the Security Principles

1. Fail Securely

2. Secure the weakest link

3. Separation of privilege

4. Least privilege

5. Nonrepudiation

According to the discussion of guidelines in these principles, fail securely is the most

important because all the contents available in the system are separated as either those that

should be accessed by the admin or those to be accessed by other users. Securing the weakest

link is the second in privilege. Hackers have been on the rise, and their target is where the system

is weakest. Separation of privilege principle allows you to access the specifics of the system

according to reasons of access that user has. In the fourth principle, specifics are considered

which has no bold reason as secure mean as the three principles discussed above. The fifth one

deals with the matching of actions with the resources to be availed. Some of the people may

confuse their actions and end up access of the unintended information.

References

Duro, R., Kondratenko, Y., &Duro, R. J. (2015). Advances in Intelligent Robotics and

Collaborative Automation ¿. Aalborg: River Publishers.

 9

4, (15 points) Vulnerability is weakness in computational logic found in software

and hardware components that, when exploited, results in a negative impact to

confidentiality, integrity, and/or availability. Mitigating vulnerabilities typically

involves coding changes, but could also include specification changes or even

specification deprecations (e.g., removing affected protocols or functionality entirely).

Several approaches, as shownin Table 1,exist to assess how exposed a system is to

vulnerabilities.

Approach Description Organizati

on

Common Attack
Publicly available catalog of attack patterns, a
Patter Enumeration
dictionary and classification taxonomy of attack DHS
and Classification
methods used to exploit vulnerabilities.
(CAPEC)

Common Weakness Method to score the severity of the CWEs based

Scoring System on 16 factors across 3 groups (base, attack MITRE

(CWSS) surface, and environmental)

Dictionary of names for software weaknesses

Common Weakness (flaws, faults, bugs, or other errors in

Risk Analysis implementation, design or architecture that

MITRE
Framework could result in vulnerabilities). Intended for

(CWRAF) users and developers of security tools before

fielding
 10

Adversarial Tactics,

Techniques, and
Post attack activities of an adversary. MITRE
Common Knowledge

(ATT&CK)

National Standards-based vulnerability management

Vulnerability data repository integrates into the scoring of NIST

Database (NVD) vulnerabilities.

Table 1: Five Approaches to Understanding Vulnerability Exposure

The Pentagon’s Development Test and Evaluation (DT&E) organization has hired

YOU, a cybersecurity Subject Matter Expert (SME), to recommend the BEST

approachto understanding vulnerability exposure when conducting a Cyber Table Top

(CTT) exercise within the Department of Defense (DoD) (see

https://insidedefense.com/daily-news/dods-dte-shop-encourages-tabletop-exercises-

focus-cybersecurity-efforts and

https://www.dau.mil/cop/test/DAU%20Sponsored%20Documents/Cybersecurity%20St

andard%20Overview%20May%202017%20PRMark.pdf).

The Pentagon asks you to providethe following:

A) First, identify at least one advantage and disadvantage for each approach and rank

each on ascale from #1 (Highest) to #5 (Lowest). (10 points)

B) Next, fully justify your toptwo recommendations. (3 points)

C) Lastly, explain how to improve your #1 approach for proper use in a DT&E CTT.(2

points)
 11

A) First, identify at least one advantage and disadvantage for each approach and rank
each on a scale from #1 (Highest) to #5 (Lowest). (10 points)

#1. Common Weakness Scoring System (CWSS)

This approach provides a mechanism for giving software weaknesses a priority in how it is

opened, its flexibility, and consistency. It is done by involving the community and stakeholders

in the government and other related companies. It involves all the stakeholders thus it is a very

efficient way of dealing with security threats thus any decision made is more informed. The

problem is that it may take longer to review all these three parties views to make a decision.

Also, people see things differently.

#2. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)

It is more concerned in educating the community on a threat to the system. The more people

know about the systems threats, the more they can deal with them. This method is one of the best

because everybody who is educated can know the trends involved in hacking and how to deal

with the threats. Therefore, safety is guaranteed. The shortcoming is that; this method may be

costly as people need to be educated regularly.

#3. National Vulnerability Database (NVD)

This is a project by the United States government to help people and organizations in researching

the automation of managing vulnerabilities. This comes along with other security goals of the

company. The advantage of this approach is that government is involved. Therefore, the services

are cheaper and also deals with both individuals and companies. The shortcomings of this

approach are that it deals with so many people and offers standardized security practices while

others need special attention.

#4. Common Weakness Risk Analysis Framework (CWRAF)

 12

This approach provides a framework on where the software has weaknesses regarding flexibility,

consistency, and other aspects regarding security. The benefit of this approach is that it supports

the selection of relevant weaknesses that affects a specific organization’s mission. The only

disadvantage is that a company may concentrate on one weakness that they feel it affects them,

but there are many other security loopholes that hackers can use.

#5. Common Attack Pattern Enumeration and Classification (CAPEC)

This is a document that is used by MITRE Corporation. It looks into how the systems are

attacked and how the attackers do it. This pattern is clear and allows the company to block the

attackers from repeating the hacking using the same method. The shortcomings of this method

are that attackers are aware of new technology and new methods of hacking. So, there is need of

research on what other ways that are there that attackers can use to hack the system.

A) Next, fully justify your top two recommendations. (3 points)

In the first approach, it involves all the stakeholders, community, and even the government.

Although the process may be long, it helps the community and all people as a country to come

together and fight cybercrimes that are on rising (Liu, Yang, University of Delaware,, &

University of Delaware, 2017). In the second approach, it makes the community aware that there

is cybercrime and how bad people use it benefits themselves and spoiling other people’s data.

This is the best thing to do as the community is aware, sees the threats and know how to counter

them.

C) Lastly, explain how to improve your #1 approach for proper use in a DT&E CTT. (2

points)

In an effort of improving the priority approach, not only the community needs to be involved in

giving out their views but also being educated. If we combine the approach number one and two,
 13

this would be a perfect thing to fight cybercrime. Stakeholders together with the government

should put the necessary measures in preventing attackers from accessing the systems. In the

development, testing, and evaluation stages, the community needs to be involved to make sure

that the system works best for them. For example in the process of sending and receiving parcels

or emails, the system needs to be monitored to make sure that they come from authentic sources

before reaching the intended receiver(Rountree, 2011). The government should also give a guide

on how to form new cybercrime policies so that the law can be clear about it.

References

Liu, C., Yang, C., University of Delaware,, & University of Delaware. (2017). Design time and

runtime collaborative defense to enhance embedded system security.

Rountree, D. (2011). Security for Microsoft Windows system administrators: Introduction to key

information security concepts. Amsterdam: Syngress.

Part III: Long Essay (1 Question, 3-page max double-spaced) (35 points)

5. Two popular secure software development methodologies are:

a. Microsoft Security Development Lifecycle (SDL) (see https://www.microsoft.com/en-

us/sdl/)

b. Open Web Application Security Project (OWASP) Comprehensive Lightweight

Application Security Process (CLASP) (see

https://www.owasp.org/index.php/CLASP_Concepts).

Pick ONE of the above methodologies. Explain what the methodology is, how well it

addresses security concerns in the life cycle, and what the drawbacks are if any. Using

other references is highly recommended.

Microsoft Security Development Lifecycle (SDL)

 14

Microsoft Company is concerned with both the mobile applications and PCs. In the

building of their systems, it is very crucial to consider the opening of the IDE, and testing before

submitting the apps to be downloaded and used. For example in their mobile app development

cycle, there are major development processes that are involved. It usually starts with the idea that

needs to be implemented. The idea is then designed, and different phases are used in, the layout.

The development process is then followed. This is the actual making of the applications.

The stabilization of the system or the application is done to make sure that all the bugs

are fixed fully. The system may be used by many audiences. Therefore, at times, there is a need

for the company to get some feedback on how the system works. The system is also deployed

while the UI is being finalized. If there is a need to add new features to the system, this is the

best time that the Microsoft Company does so.

The Microsoft SDLC follows the following phases

1. Training

The system developers are trained on the specifications that the company needs. They

analyze their competitor’s similar systems and the addition that they are supposed to9 make in

their new system. The training also incorporates the security features of the system which is the

most important thing in securing the user’s information (Easttom, 2016). In this phase, every

other security infringement that has been experienced before are analyzed, and improvements

that are supposed to be made are made clear to every developer.

2. Requirements

The security requirements of the new system are documented. Each system has its

specifications based on the security requirements. On the same process, quality gates are made.

This is to make sure that the bugs that may be experienced during the usage process of the
 15

system have a solution. This helps in countering the threats to occur in future. Assessments are

also done to make sure that the privacy property of the users is maintained. The privacy of data

and information determines the loyalty of the clients to the system. So, this is a very crucial

process.

3. Design

In this phase, the design requirements that suit the users are analyzed. The design should

not be giving hints to the attackers on how to access unauthorized resources from the system. An

analysis of how attack may be performed is the also done. This is to mitigate for future attacks.

The threat modeling is the last one. This is to point out the possibilities, impacts, and other risks

associated with security of the system.

4. Implementation

In this stage, the company is concerned about the tools used. They approved the tools to

be used which are line with their security principles. The next step is deprecating the unsafe

functions. This is more into data corruption. The consistency of the system is maintained to

avoid maintaining successful search of any information in the system. It also avoids or notes data

alteration activities in good time. The last step of this phase is conducting static analysis. This is

done without executing the programs. This is done with the source code to measure their security

performances.

5. Verification

Dynamic analysis is performed. An examination of how the system is being developed

and the security measures are being considered during each process is conducted. A lot of testing

is done to be sure that no special feature is left out. All the parts of the system are also reviewed

and test for vulnerabilities.

 16

6. Release

A response plan is created. This is to help the system detect any malicious activity that

may be going on in the system. Also final security, a review is done to analyze the security

strengths of the whole system at large. If the security is seen to be what it was expected, the

system is then certified, released, and security features archived by the normal users (Privacy

Commissioner of Canada, 2015).

7. Response

While the system is in use, the security issues associated with its executions are

responded to as soon as possible. Therefore, there is a need to have a [plan of how to conduct

such a response soi that users can operate the system in the most effective way without fail.

Drawbacks of the SDLC Process used by the Microsoft Company

1. This process is used where the requirements are available. If the company has set the

requirements and some of them fail to be available, the process cannot go on.

2. If the system is not complete, the software cannot be said to be fully secure.

3. This method does not offer any insights of how the final system will look like until it is

complete.

4. This type of model is not available if software needs to be upgraded. It must start from the

initial stage up to the final stages.

5. The process needs a strong approval so that it can be operational.

References

Easttom, W. I. (2016). Computer security fundamentals. Place of publication not

identified: Pearson It Certification.

 17

Privacy Commissioner of Canada. (2015). Privacy and cyber security: Emphasizing

privacy protection in cyber security activities.