With cybercrime on the rise, both organisations and individuals are experiencing increasingly sophisticated cyber-attacks. To respond to this threat, methods adapted from formal security assessment frameworks might be suitable.
(a) Define the terms “cyber security”, “asset”, “vulnerability”, “threat” and “control”. Clarify the relationship between threats, vulnerabilities and controls and use this to formulate the basic methodology in computer security.
(b) A more formal security assessment methodology determines risk as a function of attack probability and impact on an asset. Explain this approach – you may draw a table to illustrate your answer. According to this, when would you make plans for disaster recovery?
(c) In order to adapt formal security assessment to combat cybercrime, one observes that people are often the weakest link in cyber scenarios. This motivates the consideration of people as a specific asset category.
(i) Discuss further categorisations of the people asset in preparation of assessing security.
(ii) Choose a specific example of a “people” asset and use your taxonomy from the previous question part in order to derive one typical vulnerability and one corresponding threat.
(iii) Devise an appropriate control for your people asset example, and justify how it mitigates the vulnerability and threat that you have found.
(iv) Briefly assess your own security awareness, following the same steps as for your fictitious example.
Symmetric encryption is a popular technique for protecting information.
(a) Describe the Caesar cipher. In what way may other substitution ciphers differ from the Caesar cipher?
(b) Substitution ciphers such as ROT13 are a quick and easy way of disguising a message (and reading it too).
(i) ROT13 works by shifting letters by 13 places. Demonstrate how ROT-5 (shift backwards by 5 places) works by encrypting plaintext “VERYMETAL”.
(ii) What would be the easiest way to break a shift cipher, if you are given a piece of ciphertext about a paragraph long? Suggest a modification of the cipher that would make it more difficult to break.
(c) The Gronsfeld cipher works like the Vigenère cipher, but with a numeric key to specify shift amounts rather than letters. For example, key 01234 is equivalent to key ABCDE in the Vigenère cipher. Encrypt plaintext “HERESNOTHERE” using the Gronsfeld cipher, with the last 5 digits of your K-number as the key.
Reliability impacts the availability of computer hardware and software, and is therefore an integral part of the CIA triad.
(a) (i) Explain the meaning of the term “reliability function”. How is this related to the probability of failure?
(ii) Explain what is meant by the terms “failure density function” and “hazard rate”.
(iii) One thousand components begin operation at the same instant, and one thousand hours later four of them have failed. Estimate the value of the reliability function at t = 1000 hrs. Is this information sufficient to determine the hazard rate? Give a reason for your answer.
(b) An engineer places 300 identical routers on life-test. After 5,000 hours of continuous operation, 267 of them are still working. (Assume that the hazard rate is approximately constant.)
(i) Estimate the Mean Time to Failure (MTTF) for the routers.
(ii) Why would the engineer not “guarantee” this value of MTTF to customers? How could a guaranteed mean failure time be computed?
(iii) Given that the MTTF computed in (i) was correct, estimate the probability that one of these routers would operate successfully for an uninterrupted period of one year?
(c) A connection between a client and a server passes through two routers in “series” (Figure Q3a) with MTTFs of 11,000 and 15,000 hours. No other components are prone to failure.
(i) Assuming constant hazard rates for both routers, calculate the expected length of time before the connection fails.