Corporate Computer Security 4th edition Randy Boyle, Raymond Panko - Solutions

Unlock comprehensive insights into "Corporate Computer Security 4th Edition" by Randy Boyle and Raymond Panko with our expertly curated solutions. Our online platform offers a complete answers key, ensuring you have access to every solution manual and solutions PDF you need. Delve into solved problems with detailed questions and answers that cover each chapter. Enhance your understanding with our test bank and chapter solutions, featuring step-by-step answers. Whether you're an instructor seeking a manual or a student exploring textbook resources, enjoy free downloads of essential content to guide your learning journey.

What happens if we pit Imp against Dwarf?
Write a "carpet bombing" program in CodeBlue that zeros out all of memory (with the possible exception of the program locations).
How would the following program fare against Imp? Loop COPY #0, -1 JUMP -1 Remember that instruction execution alternates between the two opposing programs.
Consider the following NAMS instruction: cmp vleft, vright For signed integers, there are three status flags that are relevant. If vleft = vright, then ZF is set. If vleft > vright, ZF is unset (set to 0) and SF = OF. If vleft < vright, ZF is unset and SF ≠ OF. Why does SF = OF if vleft > vright?
Consider the following C program: /* a simple C program to average 3 integers */ main ( ) { int avg; int i1 = 20; int i2 = 13; int i3 = 82; avg = (i1 + i2 + i3)/3; } Write an NASM version of this program.
Consider the following C code fragment: if (EAX == 0) EBX = 1; else EBX = 2; Write an equivalent NASM code fragment.
(a) Why is it important for firms to understand the threat environment? (b) Name the three common security goals. (c) Briefly explain each. (d) What is an incident? (e) What are the synonyms for incidents? (f) What are countermeasures? (g) What are the synonyms for countermeasure? (h) What are
(a) What is a DoS attack? (b) Describe a DDoS attack. (c) Describe a SYN flooding attack in some detail. (d) Why do many botnets have multiple owners over time?
(a) What are the two primary characteristics of skilled hackers? (b) Why are script kiddies dangerous? (Give two reasons.) (c) Why are malware and exploit toolkits expanding the danger of script kiddies?
(a) What is the dominant type of attacker today? (b) Is cybercrime negligible today compared to non-computer crime? (c) Why are international gangs difficult to prosecute? (d) Why do international gangs use transshippers? (e) How do they use transshippers? (f) How do they use money mules?
(a) What is fraud? Be specific. (b) What is click fraud? (c) How do criminals engage in online extortion?
(a) What is carding? (b) Describe bank account theft and online stock account theft. (c) Distinguish between credit card theft and identity theft. (d) Why is identity theft more serious than credit card number theft? (e) How do criminals usually get the information they need for credit card
(a) Distinguish between public intelligence gathering and trade secret espionage. (b) What must a company do to its trade secrets if it wishes to be able to prosecute people or companies who steal it? (c) How strong do those protections have to be? (d) Who is likely to engage in espionage
(a) Distinguish between cyberwar and cyberterror. (b) How can countries use cyberwar attacks? (c) How can terrorists use IT?
(a) Who were the victims in the Sony breach? (b) How did the attackers steal the information from Sony? Explain. (c) What likely motivated the attackers? (d) What is SQL injection? (e) Were Sony's security measures strong enough? Why or why not?
(a) Give four reasons why employees are especially dangerous. (b) What type of employee is the most dangerous? (c) What is sabotage? (d) Give the book's definition of hacking. (e) What is intellectual property? (f) What two types of things are employees likely to steal? (g) Distinguish
(a) What is malware? (b) Distinguish between viruses and worms. (c) How do most viruses spread between computers today? (d) Describe how directly propagating worms move between computers. (e) Why are directly propagating worms especially dangerous? (f) What is a virus or worm payload?
(a) How can nonmobile malware be delivered to computers? (b) What is a Trojan horse? (c) What is a RAT? (d) What is a downloader? (e) What is spyware? (f) Why can cookies be dangerous? (g) Distinguish between keystroke loggers, password-stealing spyware, and data mining spyware. (h)
(a) What is mobile code? (b) What is social engineering? (c) What is spam? (d) What is phishing? (e) Distinguish between normal phishing and spear phishing. (f) Why are hoaxes bad?
(a) Distinguish between IP address scanning and port scanning. (b) What is an exploit? (c) What does "owning" a computer mean? (d) What is IP address spoofing? (e) Why is IP address spoofing done? (f) When can an attacker not use IP address spoofing? (g) When attackers must use valid IP
(a) How can social engineering be used to get access to a sensitive file? (b) What is piggybacking? (c) What is shoulder surfing? (d) What is pretexting?
(a) If you accidentally find someone's password and use it to get into a system, is this hacking? Explain. (b) Someone sends you a "game." When you run it, it logs you into an IRS server. Is this hacking? Explain. (c) Could you be prosecuted for doing this? (d) You have access to your home page
Addamark Technologies found that its webservers had been accessed without authorization by an employee of competitor Arcsight. Arcsight's vice president for marketing dismissed the hacking, saying, "It's simply a screen that asked for a username and password. The employee didn't feel like he did
Give three examples of social engineering not listed in the text.
Why would using a script created by a hacker not give you the experience of expert hacking?
What do you think are the pros and cons of paying off extortionists?
A competitor goes to your public website and discovers that they can get into a directory that you did not know could be reached. There they find a list of customer and use the list to their advantage. Have they hacked your webserver? What problem may you encounter in suing them for the theft of
How much time does your employer give you to read about current events related to your job?
How does reading current news articles help IT security professionals in their daily jobs?
How could the banks mentioned in this case have mitigated or prevented the thefts?
How would smart cards be safer than magnetic swipe cards? Why?
Why would this type of distributed bank theft be faster and incur larger losses than a traditional strong-arm bank robbery?
Are cybercrime efforts becoming more targeted? Why?
Why are organizations hesitant to report losses related to cybercrime?
Why are malicious insiders a focus of security experts?
Can IT Security be too secure? How?
(a) What do data breach notification laws require? (b) Why has this caused companies to think more about security?
(a) When can the Federal Trade Commission act against companies? (b) What financial burdens can the FTC place on companies that fail to take reasonable precautions to protect private information?
Besides HIPAA, what external compliance rules must hospitals consider when planning their security?
(a) Who is subject to FISMA? (b) Distinguish between certification and accreditation in FISMA. (c) Why has FISMA been criticized?
(a) What are the advantages of placing security within IT? (b) What are the disadvantages of placing security within IT? (c) What do most IT security analysts recommend about placing or not placing IT security within IT?
(a) Why is top management support important? (b) What three things must top management do to demonstrate support?
(a) Why is the human resources department important to IT security? (b) Distinguish between the three main types of corporate auditing units. (c) What is the advantage of placing IT security auditing in one of these three auditing departments? (d) What relationships can the IT security have to
(a) What is an MSSP? (b) What are the two main benefits of using an MSSP? (c) Why are MSSPs likely to do a better job than IT security department employees? (d) What security functions typically are outsourced? (e) What security functions usually are not outsourced? (f) What should a firm look
(a) For what reasons is security management hard? (b) What is comprehensive security, and why is it needed? (c) What are weakest-link failures?
(a) Why is information assurance a poor name for IT security? (b) Why is reasonable risk the goal of IT security? (c) What are some negative consequences of IT security?
(a) Why do we annualize costs and benefits in risk analysis computations? (b) How do you compute the ALE?
[Revised Question] An asset has a value of $1,000,000. In an attack, it is expected to lose 60 percent of its value. An attack is expected to be successful once every ten years. Countermeasure X will cut the amount lost per incident by two-thirds. Counter measure Y will cut the frequency of
(a) Why is it a problem if benefits and costs both occur over several years? (b) Why should the total cost of an incident (TCI) be used in place of exposure factors and asset values? (c) Why is it not possible to use classic risk analysis calculations for firewalls? (d) What is the worst problem
(a) What are the four ways of responding to risk? (b) Which involves doing nothing? (c) Which involves insurance? (d) Why is insurance not a way to not deal with security protections? (e) What is risk avoidance? (f) Why does risk avoidance not endear IT security to the rest of the firm?
(a) What is a firm's technical security architecture? (b) Why is a technical security architecture needed? (c) When is the best time to create one? (d) Why do firms not simply replace their legacy security technologies immediately?
(a) Why is defense in depth important? (b) Distinguish between defense in depth and weakest-link problems. (c) Why are central security management consoles dangerous? (d) Why are they desirable? (e) Why is it important to minimize the burdens that security places on functional units in the
(a) Why is border management important?
(a) What are policies? (b) Distinguish between policies and implementation. (c) Why should policies not specify implementation in detail?
(a) Distinguish between the corporate security policy and major security policies. (b) Distinguish between major security policies and the acceptable use policies. (c) What are the purposes of requiring users to sign the AUP? (d) Why are policies for individual countermeasures and resources
(a) Why are processes necessary in security management? (b) What is driving firms to use formal governance frameworks to guide their security processes?
Why is it important to have corporate teams write policies?
(a) Distinguish between standards and guidelines. (b) For guidelines, what is mandatory? (c) When are guidelines appropriate?
(a) Distinguish between procedures and processes. (b) When would each be used? (c) What is the segregation of duties, and what is its purpose? (d) When someone requests to take an action that is potentially dangerous, what protections should be put into place? (e) Why is it important to enforce
(a) Why is ethics unpredictable? (b) Why do companies create codes of ethics? (c) Why is good ethics important in a firm? (d) To whom do codes of ethics apply? (e) Do senior officers often get an additional code of ethics? (f) If an employee has an ethical concern, what must he or she do? (g) What
(a) Why shouldn't exceptions be absolutely forbidden? (b) Why is implementation guidance for exception handling necessary? (c) What are the first three rules for exceptions? (d) Why would documentation and periodic auditing be important? (e) What is an example of a dangerous exception that would
(a) What is oversight? (b) How is oversight related to policy? (c) What is promulgation? (d) What is stinging employees? (e) What are its costs and benefits? (f) Is electronic employee monitoring widely done? (g) What should you tell employees before your begin monitoring? (h) What are
(a) What is the purpose of auditing? (b) Distinguish between log files and documentation. (c) Why is the avoidance of compliance a serious red flag? (d) Distinguish between internal and external auditing. (e) Why is regularly scheduled auditing good? (f) Why are unscheduled audits done?
(a) Why should companies install anonymous protected hotlines? (b) Why are anonymity and protection against reprisals importance when hotlines are used? (c) Why should general employee misbehavior be a concern? (d) What are the three elements in the fraud and abuse triangle? (e) Give an example
(a) What is a vulnerability test? (b) Why should you never engage in a vulnerability test without a signed contract? (c) What should be in the contract? (d) What should you look for in an external vulnerability testing company? (e) Why is follow-up needed on recommended fixes?
(a) List the three stages in the plan-protect-respond cycle. (b) Is there a sequential flow between the stages? (c) What stage consumes the most time? (d) How does this book define protection? (e) How does the book define response?
(a) What is a governance framework? (b) Compare the focus of COSO with that of CobiT. (c) Compare the focus of CobiT with that of the ISO/IEC 27000 family of standards.
(a) What are the four objectives of COSO? (b) List COSO's eight components. (c) What is the control activity, and why is it important?
(a) Distinguish between the focuses of COSO and CobiT. (b) List the four CobiT domains. (c) How many high-level control objectives does CobiT have? (d) Which domain has the most control objectives? (e) How many detailed control objectives does CobiT have? (f) Why is CobiT strongly preferred by
(a) In the 27000 standards family, what is the function of ISO/IEC 27001? (b) In the 27000 standards family, what is the function of ISO/IEC 27002? (c) List the 11 broad areas in 27002. (d) Why is ISO/IEC 27000 certification more attractive to firms than COSO or CobiT certification?
(a) How can good security be an enabler? (b) What is the key to being an enabler? (c) Why is a negative view of users bad? (d) Why is viewing the security function as a police force or military organization a bad idea?
(a) In developing an IT security plan, what should a company do first? (b) What are the major categories of driving forces that a company must consider for the future? (c) What should the company do for each resource? (d) For what should a company develop remediation plans? (e) How should the IT
(a) What are driving forces? (b) What do compliance laws do? (c) Why can compliance laws and regulations be expensive for IT security?
(a) In Sarbanes-Oxley, what is a material control deficiency? (b) Why was Sarbanes-Oxley important for IT security?
(a) What have privacy protection laws forced companies to do? (b) What did they find when they did so? (c) What institutions are subject to the Gramm-Leach-Bliley Act? (d) What institutions are subject to HIPAA?
List the 12 PCI-DSS control objectives. You will have to look this up on the Internet.
The chapter discussed three ways to view the IT security function-as a police force, as a military organization, and as a loving mother. Name another view and describe why it is good.
A company has a resource XYZ. If there is a breach of security, the company may face a fine of $100,000 and pay another $20,000 to clean up the breach. The company believes that an attack is likely to be successful about once in five years. A proposed countermeasure should cut the frequency of
Does your employer/spouse/roommate monitor your activities with a keylogger? Are you sure?
Why would someone want to install a keylogger on their own computer?
How would you know if you had a keylogger on your computer? How would you get rid of it?
Why was the navigational data on the Japanese Coast Guard vessel not securely deleted?
How could the lost navigational data compromise national security?
How could the Japanese Coast Guard write an effective data disposal policy?
Is a self-assessment of effective security policy a good predictor of actual security? Why or why not?
How might broad economic concerns make an organization's information systems less secure?
How might widespread adoption of new technology affect an organization's security efforts?
(a) Define cryptography. (b) What is confidentiality? (c) Distinguish between plaintext and ciphertext. (d) Which is transmitted across the network-the plaintext or the ciphertext? (e) What is a cipher? (f) What is a key? (g) What must be kept secret in encryption for confidentiality? (h)
(a) What are the two advantages of RC4? (b) Why is an RC4 key length of 40 bits commonly used? (c) Is this a strong key?
(a) How long is a DES key? (b) Is this a strong length? (c) Describe block encryption with DES.
(a) How does 3DES work? (b) What are the two common effective key lengths in 3DES? (c) Are these lengths strong enough for communication in corporations? (d) What is the disadvantage of 3DES?
(a) What is the big advantage of AES over 3DES? (b) What are the three key lengths offered by AES? (c) Which strong symmetric key encryption cipher can be used with small mobile devices? (d) Which symmetric key encryption cipher probably will dominate symmetric key encryption in the near future?
(a) It is claimed that new and proprietary encryption ciphers are good because cryptanalysts will not know them. Comment on this. (b) What is security through obscurity, and why is it bad?
(a) Distinguish between cryptography and cryptographic systems. (b) Distinguish between cryptographic systems and cryptographic system standards. (c) Why is the first handshaking stage the negotiation of security methods and options? (d) What is an impostor? (e) What is authentication? (f)
(a) What three protections do cryptographic systems provide on a message-by-message basis? (b) What is an electronic signature? (c) What two protections do electronic signatures usually provide? (d) Distinguish between the handshaking stages and ongoing communication.
(a) In SSL/TLS, what is a cipher suite? (b) Why do companies wish to create policies that define security methods and options for a particular application that is used between corporate partners?
(a) In authentication, distinguish between the supplicant and the verifier. (b) What are credentials? (c) How many supplicants and verifiers are there in mutual authentication between two parties? Explain.
(a) In hashing, what is the hash? (b) Is encryption reversible? (c) Is hashing reversible? (d) Is hashing repeatable? (e) When a hashing algorithm is applied, does the hash have a fixed length or a variable length? (f) What is the hash size of MD5? (g) What is the hash size of SHA-1? (h)
(a) Is MS-CHAP used for initial authentication or message-by-message authentication? (b) How does the supplicant create the response message? (c) How does the verifier check the response message? (d) What type of encryption does MS-CHAP use? (This is a tricky question but an important one.) (e)
(a) When Alice sends a message to Bob, what key will she use to encrypt the message? (b) Why is "the public key" not a good answer to Question 21a? (c) What key will Bob use to decrypt the message? (d) Why is "the private key" not a good answer to Question 21b? (e) In a classroom with 30

Showing 2700 - 2800 of 3385

First
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

Corporate Computer Security 4th edition Randy Boyle, Raymond Panko - Solutions

Step by Step Answers