PROBLEMS # 1

1. Consider an automated teller machine (ATM) in which users provide a

personal identification number (PIN) and a card for account access. Give

examples of confidentiality, integrity, and availability requirements

associated with the system. In each case, indicated the degree of importance

of the requirement.

The system must keep personal identification numbers confidential, both in the

host system and during transmission for a transaction. It must protect the integrity

of account records and of individual transactions. Availability of the host system

is important to the economic well being of the bank, but not to its fiduciary

responsibility. The availability of individual teller machines is of less concern.

1.1 Consider an automated tell machine (ATM) in which users provide a personal identification
number (PIN) and a card for account access. Give examples of confidentiality, integrity, and
availability requirements associated with the system and, in each case, indicate the degree of
importance of the requirement.

Confidentiality requirements:

 the communication channel between the ATM and the bank must be encrypted
 the PIN must be encrypted (wherever it is stored)

Integrity requirements:

 the actions performed via the ATM must be associated to the account associated with the
card

Availability requirements:

 the system must be able to serve at least X concurrent users at any given time
 the system must be available 99.9% of the time
PROBLEMS # 2
PROBLEMS # 3

3. Consider a desktop publishing system used to produce documents for various organizations. Give
an example of a type of publication:

a) For which confidentiality of the stored data is the most important requirement.

b) In which data integrity is the most important requirement.

c) In which system availability is the most important requirements.

a. The system will have to assure confidentiality if it is being used to publish corporate proprietary
material.

b. The system will have to assure integrity if it is being used to laws or regulations.

c. The system will have to assure availability if it is being used to publish a daily paper.
1.1. What is Computer Security:

The protection offered to a computerized system in order to provide integrity, reliability,

availability and confidentiality of information in the system resources (including software,
hardware, data, software based on hardware) - the triangle.

1.2 What is the difference between active and passive threats?

Active - an attack aimed at changing resources in the system and data in it -

Passives - an attack intended to learn about the system without changing the information and
resources of the system - the integrity of the information in it is not compromised, breaking
confidentiality - such as spying on data in the system,

For example: ' unauthorized disclosure' - a circumstance in which someone can gain access to
information that they do not have permissions to.

Deception- - Fraud:

1.3 Describe and describe categories of active and passive attack

Passive attacks:

Release of message contents - The attacker learns the contents of sensitive messages that are
passing through the system, or out / entering the system

Traffic analysis - analysis of information flowing in the system in order to obtain more data on how
it operates

Active attacks:

Masquerade - When one entity impersonates another entity and uses its identity / permissions to
affect the system

Replay - Passive perception of information and transmission once again (eg replay of a message
about transferring money from account to account - will pass 2 times more money)

Modification of messages - Changes messages sent to the system to obtain permissions / sensitive
information

Denial of service - preventing normal use or management of communication objects or dropping

the entire network