This assignment has two parts, which are submitted separately in Canvas: Written questions (questions 1-5), which must be submitted as a PDF file, and a Labtainer exercise (question 6), which must be submitted as a “lab
” file (created by the Labtainer system). Note that Canvas will only accept a PDF file for the written portion, and will only accept a lab file for the Labtainer portion. Written solutions can be either electronically prepared or neatly handwritten and scanned. If you must use a phone camera rather than a scanner, you should use a “scan to PDF” app to produce a proper and readable PDF document. Check the file that Canvas received as your submission. I will grade only what is there, using the timestamp in Canvas. I will not accept a file after the fact because your upload failed or because the file was corrupt or you submitted the wrong file…
If you want to use a tool to electronically create your diagrams, you should use an appropriate tool to draw neat diagrams (e.g., LucidChart or Visio). It is almost impossible to make a neat, professional-looking diagram in Word or some other tool that is not designed for this, so do not try.
On this and all other assignments, remember to fully explain your answers, and cite all sources of information!
Find a news story of a security incident from this past year that involved a malicious attacker (that shouldn’t be hard!), and describe in at least some detail what happened. Your description should include a statement about each of the “big three” security goals, indicating whether it was violated (and if it was, how it was violated). Also speculate on what type of attacker was involved and what the attacker’s motive may have been. Make sure that the incident occurred in 2022, and cite your source(s) of information.
In this question, you are to get a feel for how vulnerable modern systems are by exploring the “National Vulnerability Database” that NIST maintains, which is at https://nvd.nist.gov/.
Locate the full list of vulnerabilities, and pick a random month from last year (e.g., maybe your birthday month) and see how many vulnerabilities were reported that month. Report how many there were for the month, and calculate the average number of vulnerabilities reported per day. If you were a security professional, and spent on average 5 minutes looking at each CVE to see if it applied to systems you manage, how much time per week would you spend reviewing CVEs?
Look into some of these vulnerabilities (you can just click randomly on the CVEs in your chosen month) to see how they are reported. Can you find any that give vulnerabilities associated with software or systems that you use? Report on your findings, and describe how you can determine the risk to the “big three” security goals based on the information reported in the CVE entry. Looking into the information reported in a CVE, what is the most important information that can help you identify if the CVE is relevant to your systems?
Consider an electronic voting system, supporting both voters and election administrators, including components for voter registration, electronic voting, and tabulation/reporting machines, where the later two systems are used primarily at voting precincts (but may be configured or stored when not in use elsewhere). Create a system and threat model for this system, similar to the way we did in class for the point of sale payment system (see the “Larger In-Class Activity” in the “Terminology and Goals” slides for steps and more information). Draw out the system model, identify locations for data at rest, data in motion, and data in use, and define confidentiality, integrity, and availability concerns for data and systems in your model (like we did for the payment system in class). Identify threats and access points.
Consider the following set of subjects and objects in the Bell-LaPadula model, with clearances and classifications as shown (C, S, and TS stand for “Classified”, “Secret” and “Top Secret”, which is in increasing level of classification):
Subject Clearances:
Objects and Object Classifications:
Write out the access control matrix that shows both read and write permissions for all four subjects and three objects (use “R” to denote read permission, and “W” to denote write permission).
Despite his top secret clearance, King Claudius does not have read access to any of these three objects. In one simple sentence (don’t quote rules or break it down to individual cases), describe why not.
Give two different possible object labels that King Claudius would be able to read.
Is there a file classification and label that would allow King Claudius to write to such a file, and Prince Hamlet to read from it? Why? Is there a way around this?
This is similar to the in-class example of the Chinese Wall model:
Companies: Apple, ByteDance, Ebay, Etsy, Lyft, Meta, Microsoft, Shop, Twitter, Uber
Conflict of Interest Classes:
Objects:
Consider a point in time in which I have read Object1 and Object8.
At this point in time, what objects am I be allowed to read? Explain your reasoning.
At this point in time, is there an object that I can read which changes the objects that I will have access to in the future (assume no new objects are created)? Explain your answer.
Labtainer setup and exercise. For this question, you are to set up your computer to run “Labtainer” exercises, and then perform a straightforward lab on basic Unix/Linux commands. This is being assigned so that you go ahead and get the Labtainer virtual machine environment set up and working on your computer, which poses a few challenges: First, the image you need to download is large (3.9 GB), which can take a long time if your Internet connection is slow. Second, if you have a recent Apple mac, using an Apple Silicon (M1 or M2) CPU, you cannot do this without emulation and a serious performance hit. We have other solutions if you are in this situation, but you must let me know ASAP.
If you have a particularly slow or unreliable connection, I would recommend coming to campus or finding some other place with a fast connection in order to do the download. Second, for good VirtualBox performance, you’ll need a decent amount of RAM (at least 8GB, but more is better) and your computer BIOS settings need to have hardware virtualization support enabled. Modern Intel-based systems (meaning anything except the recent Apple Silicon-based Macs), purchased within the last 4 years, should probably support this without any problems. If you have significant problems, you should talk to me to either get things set up properly on your computer or to arrange an alternative.
Here’s what you need to do: First, if you don’t already have it installed, install VirtualBox – see https://www.virtualbox.org/ to download and install this free software.
Next, go to the Labtainer web page ( https://nps.edu/web/c3o/labtainers ), click on “Virtual Machine Images” and download the “VirtualBox VM Appliance” from that page. The one-line “Directions” right below the link to the image is all you need to do in order to get this installed and usable with VirtualBox.
For some reason, the latest version of the Labtainer VM image is set up by default using display scaling, which makes it look horrible on my system. Look at the VM settings, and if it has a “Scale-factor” other than 1 listed, consider changing it to 1 (or 100%). You can adjust this to your preference later.
Finally, start the virtual machine image from VirtualBox. After it boots up and stabilizes, you will see a Linux desktop with a terminal window and command prompt. This is the normal “starting point” for Labtainer exercises. You should open the “Student Guide” from the Labtainer web page, and read Section 3 (“Performing a Lab”) to understand how the Labtainer system works in general. Note that the more involved parts of Sections 1 and 2 are not necessary and are simply confusing if you’re using the VirtualBox image - just skip those. It’s worth your time to poke around a little on the Labtainer web site to see what is there – for example, the “Labtainer Lab Summary” and “Lab Manuals” are good things to be familiar with.
Finally, you should complete the nix-commands
lab. To do this, you type “labtainer nix-commands
” at the command prompt of your Labtainer virtual machine. The first time you run this it will ask for your email address, which is needed to identify your work after you submit it – use your UNCG email address! After the first time, the Labtainer system will remember your email address and present it to you as the default. After getting the lab started, the system will print out some links to the information needed for the lab; alternatively, you can directly access the instructions from the Labtainer web site. Note that the lab starts up a new terminal window with a shell running inside the lab container and this is very different from the shell you just used to start the lab, which is running in the VM system. Keep these separate in your mind because they are two separate and different environments. While the two windows look almost the same, you can tell the difference in the window’s title bar – the labtainer window(s) will have a title that looks like “student@nix-commands
” (or whatever other lab you’re running later), while the VM window will have a title that looks like “student@LabtainersVM
”. Yes, it can get confusing…. When you are finished, type “stoplab nix-commands
” in your original terminal window (the VM window).
After you have completed everything, including typing the “stoplab
” command, there will be a file with a .lab
extension created in directory /home/student/labtainer_xfer/nix-commands
— you should use the Web browser from insider the Labtainer VM to submit this file in Canvas. From this file, I will be able to see all of the commands you executed, and whether you followed the directions in the lab will be the basis of your grade, so make sure you do everything stated in the lab instructions!