Corporate Computer Security 4th edition Randy Boyle, Raymond Panko - Solutions
(a) What is the main drawback to public key encryption? (b) What is the most popular public key encryption cipher? (c) What is the other commonly used public key encryption cipher? (d) Which need to be longer, symmetric keys or public keys? Justify your answer. (e) How long are strong RSA keys?
(a) In public key encryption for authentication, which key does the supplicant use to encrypt? (b) Does the verifier decrypt the ciphertext with the supplicant's public key? (If not, explain what key it does use.) (c) Who is the true party? (d) What does the sender attempt to prove it knows that
(a) In public key authentication, what must the sender know that an impostor should not be able to learn? (b) For what type of authentication is a digital signature used: initial authentication or message-by-message authentication? (c) How does the supplicant create a message digest? (d) How does
(a) Besides authentication, what security benefit does a digital signature provide? (b) Explain what this benefit means. (c) Do most message-by-message authentication methods provide message integrity as a by-product?
(a) Contrast the key the sender uses for encryption in public key encryption for confidentiality and public key encryption for authentication. (b) Contrast the key the receiver uses for decryption in public key encryption for confidentiality and public key encryption for authentication.
(a) From what kind of organization can a verifier receive digital certificates? (b) Are most CAs regulated? (c) Does a digital certificate indicate that the person or firm named in the certificate is trustworthy? Explain.
(a) What are the two most critical fields in the digital certificate? (b) What field in a digital certificate allows the receiver of a certificate to determine if the certificate has been altered? (c) What three things must the receiver of a digital certificate check to ensure that a digital
(a) Does a digital signature by itself provide authentication? Explain why or why not. (b) Does a digital certificate by itself provide authentication? Explain why or why not. (c) How are digital signatures and digital certificates used together in authentication?
(a) What two cryptographic protections does an HMAC provide? (b) Do HMACs use symmetric key encryption, public key encryption, or hashing? (c) What is the benefit of HMACs over digital signatures?
(a) Why can't HMACs provide nonrepudiation? (b) Why is it usually not a problem that HMACs fail to provide nonrepudiation?
(a) What is a replay attack? (b) Can the attacker read the contents of the replayed message? (c) Why are replay attacks attempted? (d) What are the three ways to thwart replay attacks? (e) How do time stamps thwart replay attacks? (f) How do sequence numbers thwart replay attacks? (g) How do
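The HMAC and replay-attack questions above are easier to reason about with the two sides of the exchange in front of you. The following is an added example, not code from the textbook or the solutions: a sender that tags each message with HMAC-SHA256 and a receiver that verifies the tag and then applies one of the three anti-replay checks (sequence numbers, time stamps, nonces). The shared key, the JSON-plus-tag wire format and the message contents are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret for the example; in practice it is negotiated or pre-shared out of band.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def make_tag(key: bytes, body: bytes) -> bytes:
    """HMAC-SHA256 over the body: a keyed hash that gives integrity plus origin authentication."""
    return hmac.new(key, body, hashlib.sha256).digest()


def build_message(key: bytes, payload: str, seq: int, ts: float, nonce: str = "") -> bytes:
    """Sender side: serialise the payload with the anti-replay fields, then append the tag.
    Wire format is constructed for this example: JSON body || 32-byte tag."""
    body = json.dumps({"payload": payload, "seq": seq, "ts": ts,
                       "nonce": nonce or secrets.token_hex(8)}, sort_keys=True).encode()
    return body + make_tag(key, body)


class Receiver:
    """Verifier: checks the HMAC first, then applies one anti-replay check chosen by `mode`
    ('sequence', 'timestamp' or 'nonce') so each defence can be observed on its own."""

    def __init__(self, key: bytes, mode: str, window: float = 30.0):
        self.key, self.mode, self.window = key, mode, window
        self.last_seq = 0
        self.seen_nonces = set()

    def accept(self, wire: bytes, now: float):
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        # Constant-time comparison; anything not keyed with the shared secret is dropped before parsing.
        if not hmac.compare_digest(make_tag(self.key, body), tag):
            return False, "bad tag: forged or altered"
        msg = json.loads(body)
        if self.mode == "sequence":
            if msg["seq"] <= self.last_seq:
                return False, "replay: sequence number not increasing"
            self.last_seq = msg["seq"]
        elif self.mode == "timestamp":
            # Rejects only replays outside the window; inside it a replay still gets through,
            # which is why time stamps are normally combined with a nonce or sequence number.
            if abs(now - msg["ts"]) > self.window:
                return False, "replay: time stamp outside acceptance window"
        elif self.mode == "nonce":
            if msg["nonce"] in self.seen_nonces:
                return False, "replay: nonce already seen"
            self.seen_nonces.add(msg["nonce"])
        return True, "accepted: " + msg["payload"]


def demo() -> dict:
    """Run the scenarios behind the questions above; returns {scenario: accepted?}."""
    results = {}
    m1 = build_message(SHARED_KEY, "transfer 100", seq=1, ts=1000.0, nonce="n1")
    seq_rx = Receiver(SHARED_KEY, "sequence")
    results["genuine"] = seq_rx.accept(m1, now=1000.0)[0]
    # Integrity: change the amount and the tag no longer matches.
    results["tampered"] = seq_rx.accept(m1.replace(b"transfer 100", b"transfer 900"), now=1000.0)[0]
    # Replay: the attacker resends m1 unchanged and unread; the tag is valid but the sequence number is stale.
    results["replay_seq"] = seq_rx.accept(m1, now=1001.0)[0]
    ts_rx = Receiver(SHARED_KEY, "timestamp", window=30.0)
    results["fresh_ts"] = ts_rx.accept(m1, now=1010.0)[0]
    results["stale_ts"] = ts_rx.accept(m1, now=2000.0)[0]
    nonce_rx = Receiver(SHARED_KEY, "nonce")
    results["nonce_first"] = nonce_rx.accept(m1, now=1000.0)[0]
    results["nonce_replay"] = nonce_rx.accept(m1, now=1000.0)[0]
    # No nonrepudiation: the receiver holds the same key, so it can mint a message the sender never
    # sent and nobody can tell the two apart. A digital signature (private key held only by the sender) can.
    forged = build_message(SHARED_KEY, "sender authorised payment", seq=99, ts=1000.0, nonce="x1")
    results["receiver_can_forge"] = Receiver(SHARED_KEY, "nonce").accept(forged, now=1000.0)[0]
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:20s} {'accepted' if accepted else 'rejected'}")
```

Note that the replayed message is accepted by the timestamp-only receiver when it arrives inside the window, which is the practical answer to why the three checks are usually combined, and that the forged message passes every check: the HMAC proves the message came from someone holding the key, not which one.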
(a) What is quantum key distribution? (b) What are the two advantages of quantum key distribution?
(a) What is the definition of a VPN? (b) Why do companies transmit over the Internet? (c) Why do they transmit over untrusted wireless networks? (d) Distinguish between the three types of VPNs. (e) What does a VPN gateway do for a remote access VPN? (f) What does a VPN gateway do for a
(a) Distinguish between SSL and TLS. (b) For what type of VPN was SSL/TLS developed? (c) For what type of VPN is SSL/TLS increasingly being used?
(a) At what layer does SSL/TLS operate? (b) What types of applications can SSL/TLS protect? (c) What are the two commonly used SSL/TLS-aware applications? (d) Why is SSL/TLS popular?
(a) SSL/TLS was created for host-to-host (browser-webserver) communication. What device can turn SSL/TLS into a remote access VPN? (b) In SSL/TLS remote access VPNs, to what device does the client authenticate itself? (c) When a remote client transmits in an SSL/TLS VPN, how far does confidential
(a) At what layer does IPsec operate? (b) What layers does IPsec protect? (c) Compare the amount of cryptographic security in IPsec with that in SSL/TLS. (d) Compare centralized management in IPsec and SSL/TLS. (e) Why is IPsec's transparent protection attractive compared with SSL/TLS'
(a) Distinguish between transport and tunnel modes in IPsec in terms of packet protection. (b) What are the attractions of each? (c) What are the problematic issues of each?
(a) What does an SA specify? (Do not just spell SA out.) (b) When two parties want to communicate in both directions with security, how many IPsec SAs are necessary? (c) May there be different SAs in the two directions? (d) What is the advantage of this? (e) Why do companies wish to create
(a) In codes, what do code symbols represent? (b) What is the advantage of codes? (c) What are the disadvantages?
(a) Why is the word symmetric used in symmetric key encryption? (b) When two parties communicate with each other using symmetric key encryption, how many keys are used in total? (c) What type of encryption cipher is almost always used in encryption for confidentiality?
(a) What is the best way to thwart exhaustive searches by cryptanalysts? (b) If a key is 43 bits long, how much longer will it take to crack it by exhaustive search if it is extended to 45 bits? (c) If it is extended to 50 bits? (d) If a key is 40 bits long, how many keys must be tried, on
Why is cryptography not an automatic protection?
Identify potential security threats associated with authentication via digital signatures and digital certificates. Explain each and describe how you would address each threat.
The chapter described how public key authentication is used for message-by-message authentication in digital signatures. However, public key authentication is widely used for initial authentication. Describe the processes that the supplicant and verifier would use if public key encryption were used
If a supplicant gives you a digital certificate, should you accept it? Explain. (Think about this carefully. The answer is not obvious.)
Pretty Good Privacy (PGP) uses public key encryption and symmetric key encryption to encrypt long documents. How might this be possible?
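The questions on which key encrypts in confidentiality versus authentication, on signing a message digest, and the PGP question above all come down to the same small set of operations. The following is an added example, not PGP's code and not from the textbook: textbook RSA (no padding, generated here with a Miller-Rabin search) used both ways, with a hash-based keystream standing in for the symmetric cipher. The prime sizes, the sample document and the stand-in cipher are assumptions for the example; real software uses RSA-OAEP or RSA-PSS (or elliptic curves) and AES, never raw RSA.

```python
import hashlib
import hmac
import random
import secrets

# --- toy RSA: textbook form with no padding, for showing key roles only (insecure as is) ---

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test; the chance of accepting a composite is below 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Each party generates its own (public, private) pair; only the public half is ever sent.
    512 bits keeps the example fast; it is far below the lengths the chapter calls strong."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


# --- symmetric stand-in: HMAC-SHA256 counter keystream XORed with the data (assumption, not AES) ---

def keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


# --- confidentiality: sender uses the RECEIVER's PUBLIC key, receiver uses its own PRIVATE key ---

def encrypt_for(recipient_pub, plaintext: bytes):
    """Hybrid: a fresh 256-bit session key encrypts the long document; RSA encrypts only the key."""
    n, e = recipient_pub
    session_key = secrets.token_bytes(32)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, keystream_xor(session_key, plaintext)


def decrypt_with(recipient_priv, wrapped_key: int, ciphertext: bytes) -> bytes:
    n, d = recipient_priv
    session_key = pow(wrapped_key, d, n).to_bytes(32, "big")
    return keystream_xor(session_key, ciphertext)


# --- authentication: sender uses its OWN PRIVATE key, verifier uses the SENDER's PUBLIC key ---

def sign(sender_priv, message: bytes) -> int:
    """Digital signature: hash the message, then encrypt the digest with the private key."""
    n, d = sender_priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(sender_pub, message: bytes, signature: int) -> bool:
    n, e = sender_pub
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def run_exchange() -> dict:
    alice_pub, alice_priv = generate_keypair()
    bob_pub, bob_priv = generate_keypair()
    document = b"Constructed confidential document, much longer than one RSA block. " * 50
    wrapped, ct = encrypt_for(bob_pub, document)  # Alice -> Bob: Bob's public key wraps the session key
    sig = sign(alice_priv, document)               # Alice's private key signs the digest
    return {
        "bob_recovers_document": decrypt_with(bob_priv, wrapped, ct) == document,
        "signature_verifies": verify(alice_pub, document, sig),
        "tamper_detected": not verify(alice_pub, document + b"!", sig),
        "wrong_signer_rejected": not verify(bob_pub, document, sig),
    }


if __name__ == "__main__":
    print(run_exchange())
```

The two halves use the key pairs in opposite directions: confidentiality needs the receiver's pair, authentication needs the sender's. The tamper and wrong-signer checks also answer the by-product question above, since a signature over the digest fails on any change to the message.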
Longer keys are more difficult to crack. Most symmetric keys today are 100 to 300 bits long. Why don't systems use far longer symmetric keys, say 1,000-bit keys?
Brute force is used to crack a 100-bit key. The key is cracked in only 5,000 tries. How can this be?
In practice, public key authentication is used heavily for initial authentication but rarely for message-by-message authentication. Given the intense processing power required for public key authentication and the fact that public key authentication gives the strongest authentication, explain these
Describe the entries in the second row of Figure 3-9. Comment on the strengths of the choices it uses. Uses public key authentication (RSA) for initial authentication. Only export-grade authentication, so not strong initial authentication. The same for digital signatures. For symmetric key
How are digital certificates and drivers' licenses similar, and how are they different?
Even if you encrypted a file with AxCrypt, wouldn't someone be able to recover a previous version of the file with a file recovery program?
Could your network administrator open these files after you encrypted them with AxCrypt? Why not?
How could Bloomberg insiders use terminal data to front-run traders?
How should Bloomberg handle questions about its ability to protect traders' data?
How could Bloomberg use encryption to calm traders' fears?
Why is confidentiality important in a business-to-business relationship?
Why does EFF publish a report about consumer privacy at large Internet companies?
How might privacy concerns affect customer loyalty and new product adoption?
(a) Explain the four general goals for secure networking. (b) How can information be gathered from encrypted network traffic? (c) Give an example of how new technology has made networks less secure. (d) How does the castle model relate to secure networking? (e) What is meant by "death of the
(a) What is the main access threat to Ethernet LANs? (b) What is the main access threat to wireless LANs? (c) Why is the access threat to wireless LANs more severe? (d) Is eavesdropping usually a concern for wired LANs, wireless LANs, or both?
(a) Why is 802.1X called Port-Based Access Control? (b) Where is the heavy authentication work done? (c) What are the three benefits of using a central authentication server? (d) Which device is the verifier? Explain. (Tricky question) (e) Which device is called the authenticator?
(a) How does an EAP session start? (b) What types of messages carry requests for authentication information and responses to these requests? (c) Describe how the central authentication server tells the authenticator that the supplicant is acceptable. (d) How does the authenticator pass this
(a) What standard do most central authentication servers follow? (b) How are EAP and RADIUS related in terms of functionality? (c) What authentication method does RADIUS use?
(a) What is the most common attack against wireless networks? Why? (b) Which IEEE standard governs WLAN transmission? (c) Which device acts as a relay between wired and wireless networks? (d) What is the typical range of a WLAN? (e) What is the difference between an open network and a private
(a) What man-in-the-middle attack is a danger for 802.11 WLANs? (b) Physically, what is an evil twin access point? (c) What happens when the legitimate supplicant sends credentials to the legitimate access point? (d) In what two types of attacks can the evil twin engage? (e) Are evil twin attacks
(a) How would a wireless DoS attack be carried out? (b) What type of devices could be used to flood the transmission frequency for a WLAN? (c) What device could be used to identify a DoS flood if the entire frequency is being flooded by EMI? (d) What type of attack commands could be sent to cause a
(a) Why is it impossible to extend 802.1X operation using EAP directly to WLANs? (b) What standard did the 802.11 Working Group create to extend 802.1X operation to WLANs with security for EAP? (c) For 802.11i, distinguish between outer and inner authentication. (d) What authentication method or
(a) What was the first core wireless security standard? (b) What encryption algorithm does it use? (c) Why are permanent shared keys undesirable? (d) What per-frame key does a WEP computer or access point use to encrypt when it transmits? (e) What mistake did the 802.11 Working Group make in
(a) What prompted the Wi-Fi Alliance to create WPA? (b) Compare WPA and 802.11i security. (c) What does the Wi-Fi Alliance call 802.11i? (d) Despite its security weaknesses, why do many companies continue to use WPA instead of 802.11i?
(a) What is a denial-of-service attack? (b) Other than a DoS attack, what could cause a company's webserver to crash? (c) What are the main goals of DoS attacks? (d) Is a slow degradation of service worse than a total stoppage? Why?
(a) Why is 802.1X mode unsuitable for homes and small offices? (b) What mode was created for homes or very small businesses with a single access point? (c) How do users in this mode authenticate themselves to the access point? (d) Why is using a shared initial key not dangerous? (e) How are
(a) What is the purpose of a wireless IDS? (b) How do wireless IDSs get their data? (c) What is a rogue access point? (d) What are the two alternatives to using a centralized wireless IDS? (e) Why are they not attractive?
(a) Does the use of spread spectrum transmission in 802.11 create security? (b) What are SSIDs? (c) Does turning off SSID broadcasting offer real security? Explain. (d) What are MAC access control lists? (e) Do they offer real security? Explain.
(a) What is the difference between a direct and indirect DoS attack? (b) What is backscatter? (c) What types of packets can be sent as part of a DoS attack? (d) Describe a SYN flood. (e) How does a DDoS attack work? (f) What does a handler do?
(a) How does a P2P attack work? (b) How does a reflected attack work? (c) What is a DRDoS attack, and how does it work? (d) What is a Smurf flood? (e) What type of packet is sent in a Smurf flood? Why? (f) How could a malformed packet cause a host to crash?
(a) What is black holing? (b) Is black holing an effective defense against DoS attacks? Why? (c) How can the effects of SYN floods be mitigated? (d) What is a false opening? (e) Why is rate limiting a good way to reduce the damage of some DoS attacks? (f) Why is it limited in effectiveness? (g) Why
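The SYN flood questions above (what the flood exhausts, how its effects are mitigated, what a false opening is) are clearest when a stateful listener is put next to one that uses SYN cookies. The following is an added example, not from the textbook: a simulation in which spoofed sources send SYNs and never complete the handshake. The backlog size, the flood size, the addresses and the cookie layout (a truncated HMAC over peer, client ISN and a minute counter) are assumptions for the example; real implementations also pack the MSS and a counter into the cookie bits.

```python
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF


class NaiveListener:
    """Stateful handshake: every SYN reserves a slot in a fixed-size half-open queue."""

    def __init__(self, backlog: int = 128):
        self.backlog = backlog
        self.half_open = {}      # peer -> server ISN, held until the final ACK or a timeout
        self.established = set()

    def syn(self, peer, client_isn: int):
        if len(self.half_open) >= self.backlog:
            return None          # queue full: the SYN is dropped, which is the denial of service
        isn = secrets.randbits(32)
        self.half_open[peer] = isn
        return isn

    def ack(self, peer, ack_number: int) -> bool:
        isn = self.half_open.pop(peer, None)
        if isn is None or ((isn + 1) & MASK32) != ack_number:
            return False
        self.established.add(peer)
        return True


class CookieListener:
    """SYN cookies: the server ISN is a keyed hash of the peer, its ISN and a coarse timer, so no
    state is kept until the third message proves the peer really received the SYN-ACK."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.established = set()

    def cookie(self, peer, client_isn: int, minute: int) -> int:
        msg = f"{peer[0]}:{peer[1]}|{client_isn}|{minute}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def syn(self, peer, client_isn: int, minute: int) -> int:
        return self.cookie(peer, client_isn, minute)   # nothing is stored for this peer

    def ack(self, peer, client_isn: int, ack_number: int, minute: int) -> bool:
        # Accept cookies minted this minute or the previous one; older ones have expired.
        for age in (0, 1):
            if ((self.cookie(peer, client_isn, minute - age) + 1) & MASK32) == ack_number:
                self.established.add(peer)
                return True
        return False


def simulate(flood_size: int = 10_000) -> dict:
    legit = ("203.0.113.7", 40000)
    # Spoofed sources (constructed): they never send the final ACK, so each slot they take stays half-open.
    spoofed = [(f"198.51.100.{i % 250}", 10_000 + i) for i in range(flood_size)]

    naive = NaiveListener(backlog=128)
    for i, peer in enumerate(spoofed):
        naive.syn(peer, i)
    naive_isn = naive.syn(legit, 777)

    cookies = CookieListener(secrets.token_bytes(32))
    for i, peer in enumerate(spoofed):
        cookies.syn(peer, i, minute=100)
    isn = cookies.syn(legit, 777, minute=100)
    return {
        "naive_half_open": len(naive.half_open),
        "naive_accepts_legit": naive_isn is not None,
        "cookie_accepts_legit": cookies.ack(legit, 777, (isn + 1) & MASK32, minute=100),
        "cookie_rejects_guess": not cookies.ack(("198.51.100.9", 10_009), 9, 12345, minute=100),
        "cookie_rejects_expired": not cookies.ack(legit, 777, (isn + 1) & MASK32, minute=103),
    }


if __name__ == "__main__":
    print(simulate())
```

After the flood the naive listener's queue is full and the legitimate client's SYN is dropped, while the cookie listener keeps no per-SYN state at all and still completes the genuine handshake. The cost of cookies is that TCP options the server would normally remember have to be squeezed into the cookie or given up, which is why they are usually switched on only under load.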
(a) Why do hosts use ARP? (b) Can ARP poisoning be used outside the LAN? Why not? (c) Why do hosts send ARP requests? (d) What is ARP spoofing? (e) How could an attacker use ARP spoofing to manipulate host ARP tables?
(a) Explain ARP poisoning. (b) Why does the attacker have to send a continuous stream of unrequested ARP replies? (c) Do switches record IP addresses? Why not? (d) Does the attacker have to poison the gateway's ARP tables too? Why? (e) Why does all network traffic go through the attacker after
(a) How can ARP poisoning be used as a DoS attack? (b) How can static IP and ARP tables be used to prevent ARP poisoning? (c) Can static IP and ARP tables be effectively used in large networks? Why not? (d) Why would limiting local access prevent DoS attacks?
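The ARP questions above describe the attack (unrequested replies, a continuous stream of them, poisoning both the victim and the gateway) and one prevention (static ARP entries). The following is an added example, not from the textbook: a small detector run over a constructed ARP trace that flags replies nobody asked for, IP-to-MAC changes and a sender streaming such replies, and shows how a pinned static entry stops the cache from being overwritten. The trace, the addresses, the request lifetime and the flood threshold are all assumptions for the example.

```python
from collections import defaultdict

# Constructed ARP trace (not a real capture): (seconds, op, sender MAC, sender IP, target IP).
TRACE = [
    (0.0, "request", "aa:aa:aa:aa:aa:01", "10.0.0.11", "10.0.0.1"),
    (0.1, "reply",   "aa:aa:aa:aa:aa:fe", "10.0.0.1",  "10.0.0.11"),  # gateway answers: legitimate
    (1.0, "reply",   "de:ad:be:ef:00:01", "10.0.0.1",  "10.0.0.11"),  # unrequested, new MAC for the gateway IP
    (1.5, "reply",   "de:ad:be:ef:00:01", "10.0.0.11", "10.0.0.1"),   # poisoning the gateway's table too
    (2.0, "reply",   "de:ad:be:ef:00:01", "10.0.0.1",  "10.0.0.11"),  # the stream that keeps the cache poisoned
    (2.5, "reply",   "de:ad:be:ef:00:01", "10.0.0.1",  "10.0.0.11"),
    (3.0, "reply",   "de:ad:be:ef:00:01", "10.0.0.1",  "10.0.0.11"),
]


def analyse(trace, static=None, request_ttl: float = 2.0, flood_threshold: int = 3):
    """Replay the trace as a host's ARP cache would see it. Returns (alerts, learned table).
    `static` pins IP -> MAC entries that replies are never allowed to overwrite."""
    static = static or {}
    pending = {}               # (requested IP, requester IP) -> time of the outstanding request
    table = dict(static)       # learned IP -> MAC
    unsolicited = defaultdict(int)
    alerts = []
    for t, op, mac, sender_ip, target_ip in trace:
        if op == "request":
            pending[(target_ip, sender_ip)] = t
            continue
        # A reply is solicited only if the target recently asked for this sender IP.
        asked = pending.pop((sender_ip, target_ip), None)
        if asked is None or t - asked > request_ttl:
            unsolicited[mac] += 1
            alerts.append(f"{t:.1f}s unsolicited reply: {mac} claims {sender_ip}")
            if unsolicited[mac] == flood_threshold:
                alerts.append(f"{t:.1f}s flood: {mac} is streaming replies ({flood_threshold} without a request)")
        if sender_ip in static and static[sender_ip] != mac:
            alerts.append(f"{t:.1f}s rejected: {mac} claims {sender_ip}, which is pinned to {static[sender_ip]}")
            continue
        previous = table.get(sender_ip)
        if previous is not None and previous != mac:
            alerts.append(f"{t:.1f}s mapping change: {sender_ip} moved from {previous} to {mac}")
        table[sender_ip] = mac
    return alerts, table


if __name__ == "__main__":
    for label, pinned in (("dynamic cache", None), ("gateway pinned", {"10.0.0.1": "aa:aa:aa:aa:aa:fe"})):
        alerts, table = analyse(TRACE, static=pinned)
        print(label, table)
        for line in alerts:
            print("  ", line)
```

Without the static entry the cache ends up pointing the gateway IP at the attacker's MAC, which is the man-in-the-middle position the questions describe; with it the forged replies are still visible in the alerts but never change the mapping. Pinning every host this way is what does not scale, which is the point of the question on large networks.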
(a) What is a SLAAC attack? (b) Why do hosts automatically prefer IPv6 addressing? (c) What has to be introduced to a network for a SLAAC attack to work? (d) Would a SLAAC attack work on an existing IPv6 network? Why not? (e) Could a rogue router direct internal traffic to an outside rogue DNS
Why would it be desirable to protect all of a corporation's IP traffic by IPsec? Give multiple reasons.
What wireless LAN security threats do 802.11i and WPA not address?
Given the weakness of commercial WAN security, why do you think companies continue to use WAN technology without added cryptographic protections?
The 802.1X standard today is being applied primarily to wireless LANs rather than to wired LANs. Why do you think that is?
What are channels? Would one be better than another?
Why would someone want to use a Tor network?
What do relay servers do in a Tor network?
How do Tor networks provide anonymity?
Why is it still important to use an HTTPS connection if you are using a Tor network?
Why would Spamhaus be the target of such a large DDoS attack?
How could Spamhaus avoid similar attacks in the future?
Why would state-sponsored APTs be worrisome?
Why would a nation engage in cyber espionage?
What are the costs and benefits of a nation engaging in cyber espionage?
Should governments provide support to businesses to prevent cyber espionage? How?
(a) List the AAA access controls. (b) Explain each in a sentence. (c) What are the four bases for authentication credentials? (d) What is two-factor authentication's promise? (e) How can a Trojan horse defeat this promise? (f) How can a man-in-the-middle attack defeat this promise? (g) What
(a) Distinguish between magnetic stripe cards and smart cards. (b) What are one-time-password tokens? (c) What are USB tokens? (d) What is the advantage of USB tokens compared to cards? (e) What is the attraction of proximity tokens?
(a) Why is it important to disable lost or stolen access devices? (b) What is a PIN? (d) Why can PINs be short (only four to six digits) while passwords must be much longer?
(a) What is biometric authentication? (b) On what two things about you is biometric authentication based? (c) What is the major promise of biometrics?
(a) Describe the three scanner actions in the enrollment process. (b) What are key features? (c) Why are they necessary? (d) What does the server do with the key features created by the enrollment scan? (e) What is a template? (f) What is user access data? (g) What are match indices, and how
(a) In biometrics, what is a match? (b) Distinguish between false acceptances and false rejections. (c) What are false acceptance rates (FARs) and false rejection rates (FRRs)? (d) For computer access, why is a false acceptance bad? (e) Why is a false rejection bad? (f) Which is worse from a
(a) For watch lists of criminals, what is a false acceptance? (b) For watch lists of criminals, which is worse from a security viewpoint, a false acceptance or a false rejection? Explain. (c) For watch lists of people who should be allowed to enter a room, which is worse from a security viewpoint,
(a) Distinguish between verification and identification. (b) Which requires more matches against templates? (c) Which is more likely to generate a false acceptance? Why? (d) Compare identification with watch list matching. (e) Which is more likely to generate a false match? Why?
(a) Suppose that the probability of a false acceptance is one in a million, that there are 10,000 identities in the database, and that there is a watch list with 100 people. What will be the FAR for verification? (b) For identification? (c) For the watch list?
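The false acceptance question above is a compounding calculation: verification makes one comparison, identification makes one per template in the database, and watch-list matching one per listed person. The following is an added example, not from the textbook, that carries the calculation through with the figures in the question and inverts it to show what a single comparison must achieve for a target system-level FAR; the independence assumption between comparisons is the usual simplification and is stated as such.

```python
def compound_far(p_single: float, comparisons: int) -> float:
    """FAR of a decision that accepts if ANY of `comparisons` independent template matches falsely
    accepts: 1 - (1 - p)^k. Assumes independent comparisons; the linear estimate k*p slightly overstates it."""
    return 1.0 - (1.0 - p_single) ** comparisons


def far_by_mode(p_single: float = 1e-6, database: int = 10_000, watch_list: int = 100) -> dict:
    """Figures from the question: one comparison for verification, one per database template for
    identification, one per listed person for watch-list matching."""
    return {
        "verification": compound_far(p_single, 1),
        "identification": compound_far(p_single, database),
        "watch_list": compound_far(p_single, watch_list),
    }


def per_comparison_far_needed(target_far: float, comparisons: int) -> float:
    """Invert the formula: the per-comparison FAR a sensor must deliver for a given system FAR.
    Sizing an identification system means specifying this number, not `target_far` itself."""
    return 1.0 - (1.0 - target_far) ** (1.0 / comparisons)


if __name__ == "__main__":
    for mode, far in far_by_mode().items():
        print(f"{mode:15s} FAR = {far:.3e}")
    print("per-comparison FAR for 0.1% identification FAR over 10,000 templates:",
          f"{per_comparison_far_needed(0.001, 10_000):.3e}")
```

With a one-in-a-million comparison, identification against 10,000 templates falsely accepts roughly one attempt in a hundred, a ten-thousand-fold worsening that explains why identification generates more false acceptances than verification and why watch lists should be kept short.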
(a) Distinguish between error rates and deception in biometrics. (b) Why may fingerprint scanning, which is often deceived, be acceptable for entry into a supplies cabinet? (c) When may it not be sufficient?
(a) Distinguish between mandatory access controls and discretionary access controls. (b) What is multilevel security? (c) What are SBU documents? (d) Do they need to be considered in access controls? (e) Why are access control models needed?
(a) What is the advantage of fingerprint recognition? (b) What are the disadvantages? (c) For what type of use is fingerprint recognition sufficient? (d) What is the advantage of iris recognition? (e) What are the disadvantages? (f) Does iris scanning shoot light into your eye?
(a) What is the advantage of face recognition? (b) What does surreptitious mean? (c) Where is hand geometry recognition used? (d) What are the disadvantages of voiceprint recognition? (e) What are the most widely used forms of biometric authentication? (f) What is the most widely used form of
(a) What is the strongest form of authentication? (b) List the functions of a PKI. (c) Can a firm be its own certificate authority? (d) What is the advantage of doing so? (e) Who creates a computer's private key/public key pair? (f) How do CAs distribute public keys? (g) What is provisioning? (h)
(a) Why are authorizations needed after a person is authenticated? (b) What is another name for authorizations? (c) What is the principle of least permissions? (d) Why is it a good way to assign initial permissions? (e) What is bad about assigning all permissions and then taking away the
(a) What is auditing? (b) Why is it necessary? (c) Why is log reading important? (d) What are the three types of actions that should be taken on log files? (e) Why are automatic alerts desirable?
(a) What are the three devices in central authentication using RADIUS servers? (b) What is the role of the authenticator? (c) What is the role of the central authentication server?
(a) In Kerberos, distinguish between the ticket granting ticket and the service ticket. (b) What information does the service ticket give the verifier? (c) How does the supplicant get the symmetric session key? (d) Is the verifier notified explicitly that the supplicant has been authenticated?
(a) How is information in directory servers organized? (b) What are the top two levels of the organization? (c) Do directory servers only hold information about people?
(a) Why is having a single point of building entry important? (b) Why are emergency exits important? (c) What should be done about them? (d) List the four elements of entry authorization in CobiT. (e) Why is loading dock security important? (f) What access control rules should be applied to
(a) What is Microsoft's directory server product? (b) What is the smallest organizational unit in active directory? (c) What two things does a domain controller contain? (d) Can a domain have multiple domain controllers? (e) What is the advantage of having multiple domain controllers? (f) Into what
(a) Distinguish between mutual and one-way trust among AD domains. (b) Distinguish between transitive and intransitive trust. (c) What principle should companies follow in making trust assignments?
(a) In federated identity management, do firms query one another's identity management databases? (b) What do they do instead? (c) What risk does this method avoid for the firm sending the security assertion? (d) How are risks to Firm B reduced? (e) What is a security assertion? (f) What three