Assignment 1 – Due Tuesday, September 7

This assignment has two parts, which are submitted separately in Canvas: Written questions (questions 1-5), which must be submitted as a PDF file, and a Labtainer exercise (question 6), which must be submitted as a Zip file (created by the Labtainer system). Note that Canvas will only accept a PDF file for the written portion, and will only accept a Zip file for the Labtainer portion. Written solutions can be either electronically prepared or neatly handwritten and scanned. If you must use a phone camera rather than a scanner, you should use a “scan to PDF” app to produce a proper and readable PDF document.

If you want to use a tool to electronically create your diagrams, you should use an appropriate tool to draw neat diagrams (e.g., LucidChart or Visio). It is almost impossible to make a neat, professional-looking diagram in Word or some other tool that is not designed for this, so do not try.

On this and all other assignments, remember to fully explain your answers, and cite all sources of information!

  1. Find a news story of a security incident from this year that involved a malicious attacker (that shouldn’t be hard!), and describe what happened. Your description should include a statement about each of the “big three” security goals, indicating whether it was violated (and if it was, how it was violated). Also speculate on what type of attacker was involved and what the attacker’s motive may have been. Make sure that the incident occurred in 2021, and cite your source(s) of information.

  2. In this question, you are to get a feel for how vulnerable modern systems are by exploring the “National Vulnerability Database” that NIST maintains, which is at https://nvd.nist.gov/.

    1. Locate the full list of vulnerabilities, and pick a random month from last year (e.g., maybe your birthday month) and see how many vulnerabilities were reported that month. Report how many there were for the month, and calculate the average number of vulnerabilities reported per day. If you were a security professional, and spent on average 5 minutes looking at each CVE to see if it applied to systems you manage, how much time per week would you spend reviewing CVEs?

    2. Look into some of these vulnerabilities (you can just click randomly on the CVEs in your chosen month) to see how they are reported. Can you find any that give vulnerabilities associated with software or systems that you use? Report on your findings, and describe how you can determine the risk to the “big three” security goals based on the information reported in the CVE entry. Looking into the information reported in a CVE, what is the most important information that can help you identify if the CVE is relevant to your systems?

  3. Consider a chat system, where users connect to a chat server and can send private messages back and forth with other users. Draw out a model of such a system, identify locations for data at rest, data in motion, and data in use, and define confidentiality, integrity, and availability concerns for data and systems in your model (like we did for the payment system in class). Ideally, only the two participants in a chat should be able to understand the messages – in particular, the chat server should not be able to know what the users are saying to each other.

  4. Consider the following set of subjects and objects in the Bell-LaPadula model, with clearances and classifications as shown (C, S, and TS stand for “Classified”, “Secret” and “Top Secret”, listed in increasing level of classification):

    Subject Clearances:
    • Andy: (C, {TOYS})
    • Woody: (S, {SNAKES,TOYS})
    • Buzz: (TS, {SPACE,TOYS})

    Objects and Object Classifications:
    • ToyInventory: (C, {TOYS})
    • SnakeTypes: (S, {SNAKES})
    • SpaceMissions: (TS, {SPACE,SNAKES,TOYS})

    1. Write out the access control matrix that shows both read and write permissions for all three subjects and three objects (use “R” to denote read permission, and “W” to denote write permission).

    2. Which objects can Woody read?

    3. Is there a file classification and label that would allow Buzz to write to such a file, and Woody to read from it? Why? Is there a way around this?

  5. This is an expanded version of the in-class example of the Chinese Wall model:

    Companies: Enron, Exxon, Mobil, Amazon, Barnes and Noble, Target, WalMart, American, Delta, Southwest

    Conflict of Interest Classes:
    • CoIClass1 = {Enron, Exxon, Mobil}
    • CoIClass2 = {Amazon, Barnes and Noble}
    • CoIClass3 = {Target, WalMart}
    • CoIClass4 = {American, Delta, Southwest}

    Objects:
    • Object1 Label: Enron
    • Object2 Label: Mobil
    • Object3 Label: Amazon
    • Object4 Label: Target
    • Object5 Label: WalMart
    • Object6 Label: Target
    • Object7 Label: American
    • Object8 Label: Delta

    Consider a point in time in which I have read Object2 and Object4.

    1. At this point in time, what objects am I allowed to read? Explain your reasoning.

    2. At this point in time, is there an object that I can read which changes the objects that I will have access to in the future (assume no new objects are created)? Explain your answer.

  6. Labtainer setup and exercise. For this question, you are to set up your computer to run “Labtainer” exercises, and then perform a straightforward lab on basic Unix/Linux commands. This is being assigned so that you go ahead and get the Labtainer virtual machine environment set up and working on your computer, which poses a few challenges: First, the image you need to download is large (4.7 GB), which can take a long time if your Internet connection is slow. If you have a particularly slow or unreliable connection, I would recommend coming to campus or finding some other place with a fast connection in order to do the download. Second, for good VirtualBox performance, you’ll need a decent amount of RAM (at least 8GB, but more is better) and your computer BIOS settings need to have hardware virtualization support enabled. Modern Intel-based systems (meaning anything except the recent M1-based Macs), purchased within the last 4 years, should probably support this without any problems. If you have significant problems, you should talk to me to either get things set up properly on your computer or to arrange an alternative.

    Here’s what you need to do: First, install VirtualBox if you do not currently have it installed. If you use Linux, then you can probably use your regular software installation program to install a recent version. If you are using Windows or OSX, see https://www.virtualbox.org/ to download and install this free software.

    Next, go to the Labtainer web page (https://nps.edu/web/c3o/labtainers), click on “Virtual Machine Images” and download the “VirtualBox VM Appliance” from that page. The one-line “Directions” right below the link to the image is all you need to do in order to get this installed and usable with VirtualBox.

    Then, start the virtual machine image from VirtualBox. After it boots up and stabilizes, you will see a Linux desktop with a terminal window and command prompt. This is the normal “starting point” for Labtainer exercises. You should open the “Student Guide” from the Labtainer web page, and read Section 3 (“Performing a Lab”) to understand how the Labtainer system works in general. Note that the more involved parts of Sections 1 and 2 are not necessary and are simply confusing if you’re using the VirtualBox image - just skip those. It’s worth your time to poke around a little on the Labtainer web site to see what is there – for example, the “Labtainer Lab Summary” and “Lab Manuals” are good things to be familiar with.

    Finally, you should complete the nix-commands lab. To do this, you type “labtainer nix-commands” at the command prompt of your Labtainer virtual machine. The first time you run this it will ask for your email address, which is needed to identify your work after you submit it – use your UNCG email address! After the first time, the Labtainer system will remember your email address and present it to you as the default. After getting the lab started, the system will print out some links to the information needed for the lab; alternatively, you can directly access the instructions from the Labtainer web site. Note that the lab starts up a new terminal window with a shell running inside the lab container and this is very different from the shell you just used to start the lab, which is running in the VM system. Keep these separate in your mind because they are two separate and different environments. When you are finished, type “stoplab nix-commands” in your original terminal window (the VM shell).

    After you have completed everything, including typing the “stoplab” command, there will be a Zip file created in directory /home/student/labtainer_xfer/nix-commands — you should use the Web browser from inside the Labtainer VM to submit this Zip file in Canvas. From this Zip file, I will be able to see all of the commands you executed, and whether you followed the directions in the lab will be the basis of your grade, so make sure you do everything stated in the lab instructions!