How to Prepare for the Fall Exam

1
How to Prepare for the Fall Exam

• COM380/CIT304
• Harry Erwin, PhD
• University of Sunderland

2
Exam Structure

• Two parts
• Fall Exam (Harry Erwin)
• Security, with three questions of 20 marks each.
  You answer two.
• Server Side Technology, with two questions of 10
  marks each. You answer one.
• Spring Exam (John Wraith) worth 50 marks on
  e-commerce management.
• John has briefed you separately.

3
Exam Ground Rules

• We are aware some of you are relatively
  non-technical.
• We are aware that even those of you who are
  technical come from a number of courses.
• The exam is designed to be passable by all of
  you. It tests critical thinking.
• The exam is hard, but the marking takes that into
  account.
• You need to pass the exam as a whole, not each
  part individually.

4
Reread

• Schneier, Beyond Feardiscusses how to think
  critically about security. Know his five-step
  analysis process and be able to apply it.
• Schneier, Secrets and Liesthe threat
  environment. Understand what it may mean for your
  organization.
• Anderson, Security Engineeringthe technology
  (Dont memorizebut know how it fits in!)
• Erwin, COM380 Lecture Slidesthinking about
  security requirements and solutions

5
Be Able To

• Define the terms used in security
• Describe what a security analyst does.
• Write a job description for a security analyst.
• Conduct a job interview for a security engineer/
  analyst in your field.
• Identify snake-oil when someone tries to sell you
  some technology.
• Know what probing questions to ask as a skeptical
  manager with some money to spend on security.
• Know what each security technology is good for.

6
For Example

• Suppose someone tries to sell you an intrusion
  detection system as a security solution.
• Know what an IDS is good (and bad) for.
• Know the two basic IDS technologies and their
  strengths and weaknesses.

7
Another Example

• Do ID cards solve the terrorism problem?
• What do ID cards do?
• What are their risks?
• What are the threats to ID cards?
• What do they not do?
• Do they solve the problem?

8
Likely Exam Areas

• The Threat
• Risk Analysis
• Trust Analysis
• Policies (particularly legal areas)
• Assumptions of Secure Operation
• Security Objectives
• Security Mechanisms
• Securing E-Commerce

9
The Server-Side Technology Questions

• Read up on server side technology (see Bergsten,
  JavaServer Pages and my lectures for a start).
• Be prepared to evaluate it critically.

10
Some Questions from Previous Years

• The 25-mark security questions are from 2003, the
  20-mark security questions from 2004, and the
  10-mark server-side questions from 2004.
• You wont see these specific questions on the
  exam.

11
Risk Analysis (25 marks total)

• What is a risk and how does it differ from a
  vulnerability or threat? (10 marks)
• Describe the risk analysis process in detail
  using an example. (10 marks)
• What information does a complete risk analysis
  give a manager? How can he use it in risk
  management? (5 marks)

12
Security Mechanisms (25 marks total)

• Audit describes a specific family of security
  mechanisms. In an essay,
• a) Explain what an audit mechanism does and
  describe the possible uses of audit log data (5
  marks)
• b) Describe and critically justify against
  alternatives an approach to audit in a
  distributed environment. (10 marks)
• c) Describe the risks associated with the storage
  of audit log data and how to mitigate those
  risks. Critically justify your recommended
  approach. (10 marks)

13
Intrusion Detection (25 marks total)

• a) Explain what an intrusion detection system
  does. (6 marks)
• b) Describe in detail the three problems that
  developers of intrusion detection systems must
  solve
• i) The timely notification problem (3 marks)
• ii) The false alarm problem (3 marks)
• iii) The response problem (3 marks)
• c) Name and describe two general approaches to
  intrusion detection, compare them critically, and
  explain how they address the three problems
  listed under (b). (10 marks)

14
Job Description (20 marks)

• What questions does a computer security analyst
  have to answer about a system? Discuss in detail
  using an example of a specific kind of business
  or service, e.g., an e-mail provider, a business
  web-site, a human resources department of a
  company, an electronic voting system, or an
  on-line bank. Describe critically how the analyst
  might approach each question.

15
Threat Environment (20 marks)

• Critically evaluate the current threat
  environment for a specific kind of business or
  service, for example an e-mail provider, a
  business web-site, a human resources department
  of a company, an electronic voting system, or an
  on-line bank. In other words, what are the
  threats, what is their relative importance, why
  did you come up with that rank-ordering, and how
  can the system be protected against those threats?

16
Privacy (20 marks)

• Describe the EU and US legal positions on
  individual privacy, and critically compare them.
  Critically discuss the possible ways that a US
  business has to address the requirements of the
  EU Data Protection Directive.

17
Job Description (20 marks)

• Assume you are hiring a security analyst.
  Describe and critically justify the required
  knowledge (10 marks) and skills (10 marks) you
  would list on the job description.

18
Trust Analysis (20 marks)

• Explain how to do a trust analysis (10 marks) and
  critically discuss mechanisms to enforce trust.
  (10 marks)

19
ID Cards (20 marks)

• Discuss in a short critical essay the Home Office
  proposal on identification cards.

20
Server-Side Technology (10 marks)

• Four example technologies were given and the
  following choices of question posed
• Describe and evaluate in detail the technical
  pros and cons of these four approaches. That is,
  from a technical perspective, what are the issues
  that affect the choice of approach and what
  factors need to be assessed in making that choice?

21
SST Question Continued

• Describe and evaluate in detail the security pros
  and cons of these four approaches. That is, from
  a security perspective, what are the issues that
  affect the choice of approach and what factors
  need to be assessed in making that choice?
• Describe and evaluate in detail the managerial
  pros and cons of these four approaches. That is,
  from the perspective of a non-technical manager,
  what are the issues that affect the choice of
  approach and what factors need to be assessed in
  making that choice?

22
Server-Side Technology

• The ref-def question used another example, web
  services, but asked the same questions.

23
Changes this year

• The security questions remain similar. One will
  be on security in general that can be answered
  based on Schneier and the lectures, a second on
  some specific technology discussed in Anderson,
  and the third will be a critical analysis of a
  current security proposal.
• The server-side question now asks for a critical
  comparison of technical approaches. You will have
  a choice of question here.

24
Questions?