
Question 1. Authentication and Access Control

Consider a scenario where you are responsible for IT security in a small company. The company is expected to have around 40 employees over the next few years. The employees are classified into the following roles:

- CEO
- Executive Group (including CEO and other employees in leadership positions, e.g. leader of the Finance team)
- Finance
- Software Engineering
- Graphic Design
- Web Development
- Sales and Marketing
- Human Resources
- IT Administration

Some employees may take on multiple roles, e.g. an employee may be both in Software Engineering and Web Development.

The key data resources of the company are classified as:

- Web Content
- Source Code (e.g. for non-web software)
- Multimedia Assets (e.g. images, videos, artwork)
- Trade Secrets (e.g. algorithms, formulas that give the company a significant commercial advantage over competitors)
- Financial Accounts
- Personnel Records
- Marketing Material
- Company Policies
- Meeting Records

Assume role-based access control is to be used for users in different roles to access the above listed resources. The access rights are:

- Own: can change the access rights on the resource
- Read: can view the resource
- Write: can create, delete and modify the resource

(a) Create a table that shows the mappings from Role to Resource. Provide a brief explanation of why you choose this particular mapping.

(b) One principle in access control is that of least privilege. Explain what the principle is, and explain an example by referring to your mapping above.

The company has many trade secrets. Some are very valuable and known only by the Executive Group (e.g. it would be a significant financial loss if a competing company knew them), some are also known by the Software Engineers who implement the algorithms, while other trade secrets are important but known by a wider number of employees. The CEO has asked you to consider implementing Mandatory Access Control on the trade secrets.

(c) Explain how you could apply MAC to the trade secrets, including the levels you would use and the assignment of roles to security clearance levels.

The company is planning to use only passwords as the authentication mechanism for access to computing systems. There will be no token-based or biometric authentication.

(d) Write a password policy for the company. The policy must give rules for how new users are registered with the systems, as well as how existing users change their passwords (including forgotten or wrong passwords). Each rule in the policy must be classified as must (it is required), should (it is required unless there is a good reason for not applying it), or may (optional). Each rule must be justified/explained. The policy must make a reasonable trade-off between security and convenience. For example, "All users must use a 30 character random password" is a poor policy design (too inconvenient), as is "All users must use their last name as a password" (too insecure).

(e) Assume a malicious user knew your password policy. Select and explain two different attacks that the malicious user may use to try to defeat the password-based authentication. For each attack, provide details of what the malicious user would do (e.g. list of steps, example techniques or software to use).

While passwords were originally planned for the main computer systems, the company is considering using other authentication systems for high importance assets (e.g. finance, trade secrets). For these, the company is considering between:

- USB tokens
- Fingerprint scanning
- Voice recognition

(f) Explain how USB tokens can be used to allow users to log in to a computer. Your explanation may include steps that the user must take, and any setup the IT administrator must perform in advance to allow USB tokens to work.

(g) Compare the three techniques with respect to security, convenience and cost. For security you should discuss their strengths and weaknesses against different attacks. For convenience you should consider the additional burden they place on users. For cost, you do not need to give exact prices, but should discuss what additional infrastructure is needed to deploy each system.

Question 4. WiFi Security

(a) Explain how a MAC address filter for a WiFi access point works. Discuss the role of MAC address filters in security, and issues or limitations of MAC address filters.

(b) WPA is recommended for encryption and authentication in WiFi. WPA can use AES for encryption, which uses key lengths of 128 bits or 256 bits. However, when users set up WPA/AES on their home WiFi access point, they often select a passphrase. Explain the difference between the passphrase and a 128 bit key, and discuss the advantages and disadvantages of using a passphrase (compared to a 128 bit or longer key). Also discuss the potential for successful brute force attacks on passphrases and 128 bit keys.

(c) While WPA is considered secure when configured correctly, it is recommended that WiFi users use a VPN when connecting via public WiFi hot spots. Explain why a VPN is recommended in these cases, what is required to be set up in advance to use a VPN, and what security the VPN provides.
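
The passphrase-versus-key distinction in Question 4(b), as an added example that is not part of the original question: WPA/WPA2-Personal does not use the passphrase as the key itself but stretches it with PBKDF2-HMAC-SHA1 (SSID as salt, 4096 iterations) into a 256-bit pre-shared key, so the search space is set by the passphrase, not by the key length. The sample passphrase classes and the rate of one million guesses per second are assumptions chosen for illustration.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal pre-shared key from a passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def search_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits if every character is picked uniformly at random.
    Human-chosen passphrases fall well below this upper bound."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a 2**bits search space."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def compare(guesses_per_second: float = 1e6) -> dict:
    """Map each case to (bits, years to exhaust) at an assumed guess rate."""
    cases = {
        "8 lowercase letters": search_space_bits(8, 26),
        "12 letters and digits": search_space_bits(12, 62),
        "20 printable ASCII characters": search_space_bits(20, 95),
        "random 128-bit key": 128.0,
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}

if __name__ == "__main__":
    # Constructed inputs: the same passphrase under a different SSID
    # produces a different key, because the SSID is the salt.
    print(wpa_psk("password", "IEEE").hex())
    print(wpa_psk("password", "OfficeWiFi").hex())
    for name, (bits, years) in compare().items():
        print(f"{name:30s} {bits:6.1f} bits  {years:.3g} years")
```

The derived key is always 256 bits long, yet an 8-letter lowercase passphrase leaves under 38 bits for an attacker to search, while a passphrase of 20 random printable characters slightly exceeds the search space of a random 128-bit key.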
