![Part 1 - Questions (40 marks)
Instructions: You will be given a short set of questions to answer that will assess your
comprehension of the material covered during the first two weeks of this module. There are a
total of (40 marks) that can be obtained, and the number of marks for each question is provided
next to the question, so please make sure you consider this while working on your answers.
1. Describe the elements of the CIA Triad and why they are important principles of
computer security [6 Marks]
Answer: The acronym CIA, which stands for Confidentiality, Integrity, and Availability,
is the foundation for information security and the design of information systems within
an organization.
• Confidentiality: The word Confidentiality is synonymous with the word privacy,
which involves the measures taken to safeguard sensitive data from unauthorized
access, copying, sharing, and dissemination. Data confidentiality is an essential
component of computer security because it restricts access to sensitive data to
only those with the proper authorization while denying access to those without the
proper authorization. One method of ensuring data confidentiality is the use of
Windows Active Directory group policy.
• Integrity: Data integrity refers to the measures put in place to ensure that while
data is at rest or in transit it is not being compromised or tampered with. Data
integrity is an important principle in computer security since it ensures the
authenticity, accuracy, and reliability of the data. To ensure data integrity
nonrepudiation methods are employed such as the use of hashing algorithms,
cryptography, and digital signatures.
• Availability: The availability of data refers to measures put in place to ensure that
access to data and information systems is consistent and readily available to
individuals with authorized access. Data availability is an important element in
computer security since it ensures business continuity and network redundancy
within an organization. Without data availability, the confidentiality and integrity
of data is meaningless.](https://image.slidesharecdn.com/formativeassessment1-240210175730-e39c2355/85/Identity-Authentication-and-Access-Control-2-320.jpg)
![2. What security principle describes a situation where a user of a system cannot deny having
performed a certain action at a certain time? Describe what mechanisms can be used to
implement it. [4 Marks]
• Answer: The security principle in question is called nonrepudiation which is
based on the concept that if John sends a secure encrypted message to Larry using
his private key, and if Larry is able to decrypt that encrypted message using only
John’s public key, then it proves that John must have sent that message.
Therefore, John cannot deny nor refute sending the encrypted message. Also, in
this scenario John’s public and private key acts as a signature which provides
authentication and integrity for what was signed and sent to Larry. In this case,
the mechanism that can be used to implement nonrepudiation is cryptography and
digital signatures.
3. Which element of the CIA Triad is affected most in the event of a targeted DDoS attack?
Explain your reasoning. [2 Marks]
• Answer: Availability is the element of the CIA Triad that will be affected the
most. In a DDoS attack, the intruder simultaneously initiates multiple attacks
against a server or network by overwhelming the target with a constant flood of
malicious traffic in order to overload the system, thereby causing a disruption or
denying service to legitimate traffic.
4. A top-level executive at Apple is at an internet café reviewing a secret document about
their latest R&D on their personal laptop. Someone in the Internet cafe manages to spot
an image of a patent on the laptop and unsuspectingly takes a photo of it. [7 Marks]:
a) Which element of the CIA triad is most affected (1 Mark)
• Answer: Confidentiality is the element of the CIA Triad that will be affected.
b) Explain the security flaws in this scenario from the perspective of the Apple company
itself and the Apple executive (6 Marks)
• From Apple’s perspective: In this scenario, the top-level executive may have
been granted access to the secret document in the first place. However, a blunder
at this level is a clear indication that either there is no information security policy](https://image.slidesharecdn.com/formativeassessment1-240210175730-e39c2355/85/Identity-Authentication-and-Access-Control-3-320.jpg)
![to govern data confidentiality, or if there is one the executive does not think the
rules apply to him or her. Since data confidentiality is compromised, Apple
should have ensured that authorized users cannot access classified company
documents on their personal devices. This can be accomplished by configuring
user access controls and access rights on certain devices and blocking access to
unauthorized devices. Apple should also enforce security policies to govern the
likelihood of a data breach and prohibit the use of unsecured public Wi-Fi to do
company-related tasks.
• From the Executive perspective: The security flaw on the part of the executive
is that if there is an information security policy in place, then the executive failed
to adhere to company policies. Furthermore, using a personal device on an
unsecured public Wi-Fi puts the executive at risk of a cyber-attack whereby an
attacker can use the personal laptop as a point of entry to infiltrate Apple’s
network with malware and viruses. The stolen information from the personal
laptop could also be used to damage Apple’s image, reputation, or relationship
with competitors.
5. Describe the 3 authentication factors [3 Marks]
• Answer: The three authentication factors are described as:
▪ Inherent Factor: Something you are such as biometric fingerprints, face
recognition, or iris scan.
▪ Knowledge Factor: Something you know such as a password, security
question, or PIN.
▪ Possession Factor: Something you have such as a smartcard, smartphone, or
hardware Token,
6. Describe the Role-Based Access Control (RBAC) model [6 Marks]
• Answer: Role-Based Access Control (RBAC) is a security policy mechanism that
ensures individuals within a specified group have the proper permission and
privileges to gain access to certain data, information systems, or applications
within an enterprise organization. The fundamental principle of RBAC is not](https://image.slidesharecdn.com/formativeassessment1-240210175730-e39c2355/85/Identity-Authentication-and-Access-Control-4-320.jpg)
![determined by the user, but rather by the job function or the role the user assumes.
In other words, once a user changes roles, their access changes accordingly. For
example, an IT client support officer assumes the role of acting network
administrator for a period of four weeks. While acting in that position, the IT
client support office will be granted enterprise-level permission and privileges to
carry out the duties of a network administrator. After four weeks, the IT client
support officer will no longer have enterprise-level access because he or she is no
longer assuming the role of the network administrator.
7. Explain the advantages and disadvantages of password-based authentication [8 Marks]
• Advantages: The advantages of password-based authentication are
▪ Simple and convenient. Since most users rely on memory to retain their
credentials, this authentication method is typically the most convenient.
▪ Flexible and dynamic. The use of passwords provides the user with a sense
of control over the method of creating their own passwords, as well as the
option to change their password at their convenience.
▪ Cost-Effective. Most small businesses find the use of passwords to be cost-
effective, especially when compared to the expense of implementing more
sophisticated authentication mechanisms in much larger organizations.
• Disadvantages: The disadvantages of password-based authentications are:
▪ Vulnerable. The use of password-based authentication alone is not
invulnerable to cyberattacks and poses a security risk. For instance, simple
passwords which contain a person’s name, date of birth, or any dictionary
words can be easily hacked with brute force or a dictionary attack.
▪ Predictable. Password-based authentication can be easily predicted since
users often choose simple passwords to remember. Also, the use of social
engineering and brute force attacks can effortlessly predict passwords
comprised of alphanumeric and special characters.
▪ Complex. Since users rely on memory to recall their passwords, password-
based authentication can occasionally be difficult to remember.](https://image.slidesharecdn.com/formativeassessment1-240210175730-e39c2355/85/Identity-Authentication-and-Access-Control-5-320.jpg)
![8. How does a brute-force password attack work? [4 Marks]
• Answer: A brute force attack works in the following order:
▪ First the attacker decides which brute force tool to use to carry out the attack,
these tools are available on the dark web or come pre-installed on certain
Linux distributions for penetration testing purposes.
▪ Secondly, after deciding what tool to use, the attacker configures it to generate
a combination of usernames and passwords using digits, alphabets, and
symbols.
▪ Thirdly, the attacker runs a combination of usernames and passwords against a
target system of devices. For example, if the attacker is trying to break into a
Wi-Fi router, the attacker uses the brute force tool to automate the process of
running the generated passwords against the Wi-Fi connection. If a password
doesn’t match, the automated brute force tool simply discards that password
and moves on to the next. This process is repeated over and over until the
right password unlocks the Wi-Fi router.
▪ The effectiveness of the brute force attack depends on the complexity of the
password. If the password is too simple and short, then the attack will be
successful in a matter of minutes.](https://image.slidesharecdn.com/formativeassessment1-240210175730-e39c2355/85/Identity-Authentication-and-Access-Control-6-320.jpg)
Identity, Authentication, and Access Control
- 1. Computer Security (46349) Formative Assessment 1 Identity, Authentication, and Access Control (Overview) Damaine Fabion Franklin Student #: R2104D12054733 06/23/2023
- 2. Part 1 - Questions (40 marks) Instructions: You will be given a short set of questions to answer that will assess your comprehension of the material covered during the first two weeks of this module. There are a total of (40 marks) that can be obtained, and the number of marks for each question is provided next to the question, so please make sure you consider this while working on your answers. 1. Describe the elements of the CIA Triad and why they are important principles of computer security [6 Marks] Answer: The acronym CIA, which stands for Confidentiality, Integrity, and Availability, is the foundation for information security and the design of information systems within an organization. • Confidentiality: The word Confidentiality is synonymous with the word privacy, which involves the measures taken to safeguard sensitive data from unauthorized access, copying, sharing, and dissemination. Data confidentiality is an essential component of computer security because it restricts access to sensitive data to only those with the proper authorization while denying access to those without the proper authorization. One method of ensuring data confidentiality is the use of Windows Active Directory group policy. • Integrity: Data integrity refers to the measures put in place to ensure that while data is at rest or in transit it is not being compromised or tampered with. Data integrity is an important principle in computer security since it ensures the authenticity, accuracy, and reliability of the data. To ensure data integrity nonrepudiation methods are employed such as the use of hashing algorithms, cryptography, and digital signatures. • Availability: The availability of data refers to measures put in place to ensure that access to data and information systems is consistent and readily available to individuals with authorized access. Data availability is an important element in computer security since it ensures business continuity and network redundancy within an organization. Without data availability, the confidentiality and integrity of data is meaningless.
- 3. 2. What security principle describes a situation where a user of a system cannot deny having performed a certain action at a certain time? Describe what mechanisms can be used to implement it. [4 Marks] • Answer: The security principle in question is called nonrepudiation which is based on the concept that if John sends a secure encrypted message to Larry using his private key, and if Larry is able to decrypt that encrypted message using only John’s public key, then it proves that John must have sent that message. Therefore, John cannot deny nor refute sending the encrypted message. Also, in this scenario John’s public and private key acts as a signature which provides authentication and integrity for what was signed and sent to Larry. In this case, the mechanism that can be used to implement nonrepudiation is cryptography and digital signatures. 3. Which element of the CIA Triad is affected most in the event of a targeted DDoS attack? Explain your reasoning. [2 Marks] • Answer: Availability is the element of the CIA Triad that will be affected the most. In a DDoS attack, the intruder simultaneously initiates multiple attacks against a server or network by overwhelming the target with a constant flood of malicious traffic in order to overload the system, thereby causing a disruption or denying service to legitimate traffic. 4. A top-level executive at Apple is at an internet café reviewing a secret document about their latest R&D on their personal laptop. Someone in the Internet cafe manages to spot an image of a patent on the laptop and unsuspectingly takes a photo of it. [7 Marks]: a) Which element of the CIA triad is most affected (1 Mark) • Answer: Confidentiality is the element of the CIA Triad that will be affected. b) Explain the security flaws in this scenario from the perspective of the Apple company itself and the Apple executive (6 Marks) • From Apple’s perspective: In this scenario, the top-level executive may have been granted access to the secret document in the first place. However, a blunder at this level is a clear indication that either there is no information security policy
- 4. to govern data confidentiality, or if there is one the executive does not think the rules apply to him or her. Since data confidentiality is compromised, Apple should have ensured that authorized users cannot access classified company documents on their personal devices. This can be accomplished by configuring user access controls and access rights on certain devices and blocking access to unauthorized devices. Apple should also enforce security policies to govern the likelihood of a data breach and prohibit the use of unsecured public Wi-Fi to do company-related tasks. • From the Executive perspective: The security flaw on the part of the executive is that if there is an information security policy in place, then the executive failed to adhere to company policies. Furthermore, using a personal device on an unsecured public Wi-Fi puts the executive at risk of a cyber-attack whereby an attacker can use the personal laptop as a point of entry to infiltrate Apple’s network with malware and viruses. The stolen information from the personal laptop could also be used to damage Apple’s image, reputation, or relationship with competitors. 5. Describe the 3 authentication factors [3 Marks] • Answer: The three authentication factors are described as: ▪ Inherent Factor: Something you are such as biometric fingerprints, face recognition, or iris scan. ▪ Knowledge Factor: Something you know such as a password, security question, or PIN. ▪ Possession Factor: Something you have such as a smartcard, smartphone, or hardware Token, 6. Describe the Role-Based Access Control (RBAC) model [6 Marks] • Answer: Role-Based Access Control (RBAC) is a security policy mechanism that ensures individuals within a specified group have the proper permission and privileges to gain access to certain data, information systems, or applications within an enterprise organization. The fundamental principle of RBAC is not
- 5. determined by the user, but rather by the job function or the role the user assumes. In other words, once a user changes roles, their access changes accordingly. For example, an IT client support officer assumes the role of acting network administrator for a period of four weeks. While acting in that position, the IT client support office will be granted enterprise-level permission and privileges to carry out the duties of a network administrator. After four weeks, the IT client support officer will no longer have enterprise-level access because he or she is no longer assuming the role of the network administrator. 7. Explain the advantages and disadvantages of password-based authentication [8 Marks] • Advantages: The advantages of password-based authentication are ▪ Simple and convenient. Since most users rely on memory to retain their credentials, this authentication method is typically the most convenient. ▪ Flexible and dynamic. The use of passwords provides the user with a sense of control over the method of creating their own passwords, as well as the option to change their password at their convenience. ▪ Cost-Effective. Most small businesses find the use of passwords to be cost- effective, especially when compared to the expense of implementing more sophisticated authentication mechanisms in much larger organizations. • Disadvantages: The disadvantages of password-based authentications are: ▪ Vulnerable. The use of password-based authentication alone is not invulnerable to cyberattacks and poses a security risk. For instance, simple passwords which contain a person’s name, date of birth, or any dictionary words can be easily hacked with brute force or a dictionary attack. ▪ Predictable. Password-based authentication can be easily predicted since users often choose simple passwords to remember. Also, the use of social engineering and brute force attacks can effortlessly predict passwords comprised of alphanumeric and special characters. ▪ Complex. Since users rely on memory to recall their passwords, password- based authentication can occasionally be difficult to remember.
- 6. 8. How does a brute-force password attack work? [4 Marks] • Answer: A brute force attack works in the following order: ▪ First the attacker decides which brute force tool to use to carry out the attack, these tools are available on the dark web or come pre-installed on certain Linux distributions for penetration testing purposes. ▪ Secondly, after deciding what tool to use, the attacker configures it to generate a combination of usernames and passwords using digits, alphabets, and symbols. ▪ Thirdly, the attacker runs a combination of usernames and passwords against a target system of devices. For example, if the attacker is trying to break into a Wi-Fi router, the attacker uses the brute force tool to automate the process of running the generated passwords against the Wi-Fi connection. If a password doesn’t match, the automated brute force tool simply discards that password and moves on to the next. This process is repeated over and over until the right password unlocks the Wi-Fi router. ▪ The effectiveness of the brute force attack depends on the complexity of the password. If the password is too simple and short, then the attack will be successful in a matter of minutes.
- 7. Part 2 - Practical Exercises (60 marks) Instructions: For these practical exercises, you will need to demonstrate how to use Linux to create user accounts, set credentials, and permissions, and modify a range of configuration and security settings. Login to your Linux machine and create 4 additional user accounts with the following settings. 9. Creating user 1 with username ‘elliot’ and password ‘mrrobot157’ with no account expiration date. • Verification of user 1 account
- 8. 10. Create user 2 with username: ‘tyrell’ and password: ‘ecorp7’ with no account expiration date. • Verification for user 2 account
- 9. 11. Create user 3 with username: ‘john’ and password: ‘1265’ with an account expiration date: October 25, 2025. • Verification
- 10. 12. Create user 4 with username: 'guest', password: none, and account expiration date: '10 days from the current date'. 13. Add User 1 and User 2 to a group named 'fsociety' Note: I first create the group then add the user to the group followed by a verification. • User 1: elliot • User 2: Tyrell
- 11. 14. Add User 3 and User 4 to a group named 'darkarmy' • User 3: john • User 4: guest 15. Print out to the command line the list of each group and their members.
- 12. Setting Password Policy 16. Locate the '/etc/login.defs' user account configuration file and modify it to meet the following requirements: • Passwords should be a minimum of 6 characters in length. • Passwords should be changed every 3 months. • Users are given a 5-day notice before their password expires. • Modify the user account settings as follows. Note: I used the command nedit /etc/login.defs to access the configuration file. I was able to set the PASS_MIN_DAY to 90 and the PASS_WAR_AGE to 5, however, I was not able to set the PASS_MIN_LEN. I notice that the length of passwords is set to unlimited by default.
- 13. 17. Modify the original user account settings as follows. User 1 - root account • Adding user 1 - elliot to the sudoers group. Step 1 Step 2 Step 3
- 14. User 2 - service account • Encountered challenges with this task. User 3 - change the account expiration date to 10 days from the current date. • Setting user 3 – john account to expire 10 days from today. User 4 - give this user a password. • Configuring user account ‘guest’ account with a password • Password: ‘password123’ END OF LAB