
Security in Computing (CC2021N) Week 1 Tutorial Exercises

1. Distinguish between vulnerability, threat, and control.

A vulnerability is a weak point of a system through which an attack can be carried out against that system, or through which threats are imposed. Threats are entities that can bring major harm to the system by using its vulnerable points. A control neutralizes the imposition of a threat on the system by identifying the vulnerable parts of that system.

2. Theft may result in some kind of harm. For example, car theft results in someone suffering financial loss, inconvenience (by losing a mode of transportation), and emotional upset (because of invasion of personal property and space). List three kinds of harm a company might experience from theft of computer equipment.

Harm to the company from the theft of computer equipment:

a. Loss of time and manpower to reinstall and reconfigure the computing network in the company.
b. Lack of confidence in the overall security of the system.
c. Loss of financial budget.

3. List at least three kinds of harm a company could experience due to electronic espionage or unauthorised viewing/access of confidential materials.

Harm to the company from electronic espionage or unauthorised viewing/access of confidential materials:

a. The company may have to recalculate its business strategies.
b. The company could lose its public relations status, as its data integrity will also be compromised.
c. The company has to correct its database, as many manipulations of it may have occurred during the espionage.

Saphal khadka

SAK1184/1

4. List at least three kinds of damage a company could suffer when the integrity of a program or company data are compromised.

Damage a company could suffer when the integrity of a program or company data is compromised:

a. A company relies on its data and its integrity to make decisions, but once the integrity of the data is compromised, business decisions could hamper the company more than profit it.
b. The company's financial statements will be inaccurate if data are modified.
c. The company would also lose its customers' confidence.

5. Define the terms secure and protected.

Secure means being out of reach of malicious attacks and threats. Protected means using a certain method of control to prevent malicious attacks and threats.

6. What is denial of service?

Denial of service is an attack that does not let the intended user or host use their own services. They are deprived of the use of their own service.

7. List and define the three components or conditions necessary for a successful attack.

The three components necessary for a successful attack are MOM.

a. Method: the tactics used by the attacker to penetrate the system. The attacker must be skilful, knowledgeable and handy with different kinds of tools to penetrate the system successfully.
b. Opportunity: the attacker must be certain of when to attack the system by identifying the vulnerable point. The attacker must continuously check the victim system for a point where the system can be accessed with less chance of detection.
c. Motive: motivation is a main part of an attacker's decision to attack the system. Attackers need clear reasons to penetrate the system. The reasons may be either beneficial, vengeful or for cutback of service.


8. For each of the following computing systems, indicate who can modify the code (software) of:

i. The operating system? - System developer
ii. A payroll or statistical analysis package program? - Programmer
iii. A program developed by a single user? - Programmer

9. What is an electronic spy? What is an information broker?

An electronic spy follows the victim and keeps track of its activities using certain kinds of tools and software such as key loggers, Trojan horses, etc. An information broker is a thief who steals vital information from a company, which is then sold to other companies that might be its competitors.

10. How do confidentiality, integrity, and availability relate to interruption, interception, modification and fabrication?

C-I-A must operate together to secure data against unauthorised access that modifies data (modification), against harmful tools that can destroy the data (interruption), against unauthorised copying of data (interception) and against illegitimate versions (fabrication).
