Professional Documents
Culture Documents
personal identification number (PIN) and a card for account access. Give
associated with the system. In each case, indicated the degree of importance
of the requirement.
The system must keep personal identification numbers confidential, both in the
host system and during transmission for a transaction. It must protect the integrity
is important to the economic well being of the bank, but not to its fiduciary
1.1 Consider an automated tell machine (ATM) in which users provide a personal identification
number (PIN) and a card for account access. Give examples of confidentiality, integrity, and
availability requirements associated with the system and, in each case, indicate the degree of
importance of the requirement.
Confidentiality requirements:
the communication channel between the ATM and the bank must be encrypted
the PIN must be encrypted (wherever it is stored)
Integrity requirements:
the actions performed via the ATM must be associated to the account associated with the
card
Availability requirements:
the system must be able to serve at least X concurrent users at any given time
the system must be available 99.9% of the time
PROBLEMS # 2
PROBLEMS # 3
3. Consider a desktop publishing system used to produce documents for various organizations. Give
an example of a type of publication:
a) For which confidentiality of the stored data is the most important requirement.
a. The system will have to assure confidentiality if it is being used to publish corporate proprietary
material.
b. The system will have to assure integrity if it is being used to laws or regulations.
c. The system will have to assure availability if it is being used to publish a daily paper.
1.1. What is Computer Security:
Passives - an attack intended to learn about the system without changing the information and
resources of the system - the integrity of the information in it is not compromised, breaking
confidentiality - such as spying on data in the system,
For example: ' unauthorized disclosure' - a circumstance in which someone can gain access to
information that they do not have permissions to.
Deception- - Fraud:
Passive attacks:
Release of message contents - The attacker learns the contents of sensitive messages that are
passing through the system, or out / entering the system
Traffic analysis - analysis of information flowing in the system in order to obtain more data on how
it operates
Active attacks:
Masquerade - When one entity impersonates another entity and uses its identity / permissions to
affect the system
Replay - Passive perception of information and transmission once again (eg replay of a message
about transferring money from account to account - will pass 2 times more money)
Modification of messages - Changes messages sent to the system to obtain permissions / sensitive
information