| 1. | List three ways authorities at Churchill High School might have discovered the installed key logger device. |
| 2. | In similar situations, authorities have responded by banning use of all USB devices. Would that have been an effective countermeasure in the Churchill High School case? Why or why not? |
| 3. | In similar situations, authorities have responded by disabling or sealing off all USB ports. Would that have been an effective countermeasure in the Churchill High School case? Why or why not? |
| 4. | Churchill High School responded to this incident by requiring all faculty members to change their passwords for the grade management application at least every 120 days. Was that an effective countermeasure? Why or why not? Suppose the frequency of password change was different, for example, 7, 30, or 60 days; would each of those numbers have been more or less effective? Justify your answer. |
| 5. | In this chapter an example social engineering attack was given as someone who called a company IT administrator, alleging to be a senior executive who could not access a necessary file. Describe how the administrator should have responded. |
| 6. | Another social engineering example described in this chapter involved someone who called an ordinary employee (not an administrator) asking the employee to run a particular command. What steps could or should an ordinary employee take in such a situation? Because of their training, experience, and responsibilities, we might expect IT administrators to be more skeptical of social engineering attacks than ordinary employees. How could a company improve its ordinary employees’ reactions to social engineering attacks? |
| 7. | Assume Churchill High School has called you in to help analyze the situation after it became aware that improper grade modifications might have occurred. Your job is to determine what might have gone on, what actually did go on, when, how, and to what degree. Focus only on the technical aspects of the issue, not on whether the students were guilty or how they should be dealt with. What steps would you take, and in what order? Be careful that your actions do not harm data that may be needed for later analysis. What can you conclude definitively, and what can you infer with partial confidence? |
| 8. | A grade management program might have several roles for users, such as administrator, department head, teacher, guidance counselor, student. For each role, list briefly the actions a person in that role should be able to perform; for example, a single student should be able to see but not modify his or her grades, or a department head should be able to see the grades for each student in any class. It may be useful to start with one role and then consider adding or deleting actions for the next role. Are the actions of any role a subset of any other? If so, which? Is the suggested set of roles complete; that is, are there other roles with other actions? If so, what? |
| 9. | Synchronous password-generating tokens are subject to a condition called clock drift: One token’s clock may run slightly faster than another, so the token generates password n + 1 when the base authentication system expects password n. Present an algorithm for addressing drift. In your algorithm, consider two cases: normal, slight drift (for example, less than 1% variance), and massive drift (for example, changing every 10 seconds instead of 60). |
| 10. | For purposes of this question, assume the students did what they were alleged to have done at Churchill High School. Clearly, the students’ actions were unethical and perhaps even illegal. It would be infeasible for a school to enumerate all unethical things students might do and present a comprehensive list at the start of school. Suppose the school communicated nothing to students at the start of the school year about proper behavior. Would the school be justified in punishing these students? Why or why not? Under what conditions would the school have been justified in punishing a faculty member or school administrator? Under what conditions would the school have been justified in seeking recourse against the company that manufactured the grade management program? Justify your answer. |
| 11. | Design a scheme by which a credit card user can authenticate to a credit card processing company so that a merchant could be confident the user was the rightful owner of the credit card. Your scheme should have three aspects: first, for a face-to-face transaction, for example, a purchase in a store; second, for a voice transaction, for example, a purchase by telephone; third, for an electronic transaction, for example, a purchase on the Internet. Describe the difficulty for the user; for example, your scheme might require the user to carry a token, which could be inconvenient. Describe the delay factor, if any, in the merchant’s seeking authentication. This question is focused on providing assurance to the merchant. Does it also protect the user or the credit card processor? Why or why not? |
| 12. | Countermeasure actions are described with words such as prevent, detect, and deter. For example, using a one-time password might prevent certain kinds of attacks, whereas changing passwords from time to time deters some attacks. Suggest three countermeasures Churchill High School might take and indicate whether each can prevent, detect, or deter an incident. In the Churchill High School example, describe a situation in which deterring an incident may be adequate; describe another situation in which detecting an incident after it has occurred may be adequate; describe another situation in which preventing an incident is necessary. Explain your answers, justifying why deter, detect, or prevent is appropriate. |
| 13. | In this chapter, we have presented the students at Churchill High School as having obtained physical access to a computer. Could they have changed grades without physical access? Why or why not? |
| 14. | Give an example of security through obscurity in a computer situation. Give an example of security through obscurity in a situation not involving computers. Is security through obscurity an effective countermeasure in either example? Why or why not? |
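One shape the drift-handling algorithm asked for in Question 9 can take, written here as an added Python example rather than code from the exercises or the book. It assumes an HOTP-style six-digit code (the RFC 4226 HMAC truncation) driven by a 60-second time step, a per-token server record that learns the token's clock skew and clock rate, and a constructed demo secret. The narrow look-ahead window for slight drift mirrors the resynchronisation approach RFC 6238 describes; the wide two-consecutive-code search and the rate estimate used for massive drift are an illustrative design, not a standard, and a token whose estimated rate is off by more than 1% is classified as massively drifted so an operator can decide whether to keep it.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

STEP_SECONDS = 60           # nominal password interval of the authentication system
MASSIVE_DRIFT_RATE = 0.01   # a clock-rate error beyond 1% is treated as massive drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style code for one counter value (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)


@dataclass
class TokenRecord:
    """Server-side model of one token's clock: token_time = rate * now + skew."""
    secret: bytes
    rate: float = 1.0                        # token clock speed relative to real time
    skew: int = 0                            # seconds the token clock is ahead of real time
    last_counter: int = -1                   # highest counter already accepted (replay guard)
    resync_at: Optional[tuple] = None        # (real time, counter) of the last wide resync


def token_counter(rec: TokenRecord, now: int) -> int:
    """Counter the server expects the token to display at real time `now`."""
    return int(rec.rate * now + rec.skew) // STEP_SECONDS


def verify_slight_drift(rec: TokenRecord, code: str, now: int, window: int = 1) -> bool:
    """Normal case: accept a code within +/- `window` steps and remember the offset seen."""
    base = token_counter(rec, now)
    for c in range(max(0, base - window), base + window + 1):
        if c > rec.last_counter and hmac.compare_digest(hotp(rec.secret, c), code):
            rec.skew += (c - base) * STEP_SECONDS   # learn the drift for next time
            rec.last_counter = c
            return True
    return False


def resync_massive_drift(rec: TokenRecord, code_a: str, code_b: str, now: int,
                         search: int = 10000) -> bool:
    """Massive case: the user supplies two consecutive codes; search widely for the
    counter pair that produces both, then re-learn skew and (on a second resync) rate."""
    base = token_counter(rec, now)
    for c in range(max(0, base - search), base + search):
        if c > rec.last_counter and hmac.compare_digest(hotp(rec.secret, c), code_a) \
                and hmac.compare_digest(hotp(rec.secret, c + 1), code_b):
            found = c + 1
            if rec.resync_at is not None:
                t_prev, c_prev = rec.resync_at
                if now > t_prev:   # steps elapsed on the token vs. seconds elapsed for real
                    rec.rate = (found - c_prev) * STEP_SECONDS / (now - t_prev)
            rec.skew = found * STEP_SECONDS - int(rec.rate * now)
            rec.last_counter = found
            rec.resync_at = (now, found)
            return True
    return False


def drift_class(rec: TokenRecord) -> str:
    """Report whether the learned clock rate is within the normal-drift tolerance."""
    return "massive" if abs(rec.rate - 1.0) > MASSIVE_DRIFT_RATE else "normal"


def simulated_token_code(secret: bytes, real_now: int, rate: float = 1.0, skew: int = 0) -> str:
    """Code shown by a (simulated) token whose clock runs at `rate` x real time plus `skew` s."""
    return hotp(secret, int(rate * real_now + skew) // STEP_SECONDS)


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-a-real-key"   # constructed for the demo
    rec = TokenRecord(secret)                              # token 70 s ahead, otherwise accurate
    print("slight drift:", verify_slight_drift(rec, simulated_token_code(secret, 100000, skew=70), 100000))
    fast = TokenRecord(secret)                             # token stepping every 10 s (6x rate)
    a = simulated_token_code(secret, 100000, rate=6.0)
    b = simulated_token_code(secret, 100010, rate=6.0)
    print("wide resync:", resync_massive_drift(fast, a, b, 100010), drift_class(fast))
```

The replay guard (`last_counter`) matters in both paths: without it, widening the acceptance window to tolerate drift would also let an observed password be reused. A single wide resync only fixes the skew; the rate is only estimated once a second resync shows how many token steps elapsed per real second, which is why the massive case is reported after the second pass.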