1. Consider an automated teller machine (ATM) in which users provide a personal identification number (PIN) and a card for account access. Give examples of confidentiality, integrity, and availability requirements associated with the system. In each case, indicate the degree of importance of the requirement.
The system must keep personal identification numbers confidential, both in the host system and during transmission for a transaction. It must protect the integrity of account records and of individual transactions. Availability of the host system is important to the economic well-being of the bank, but not to its fiduciary responsibility. The availability of individual teller machines is of less concern.
1.1 Consider an automated teller machine (ATM) in which users provide a personal identification number (PIN) and a card for account access. Give examples of confidentiality, integrity, and availability requirements associated with the system and, in each case, indicate the degree of importance of the requirement.
the communication channel between the ATM and the bank must be encrypted
the PIN must be encrypted (wherever it is stored)
the actions performed via the ATM must be associated with the account associated with the card
the system must be able to serve at least X concurrent users at any given time
the system must be available 99.9% of the time
3. Consider a desktop publishing system used to produce documents for various organizations. Give an example of a type of publication:
a) For which confidentiality of the stored data is the most important requirement.
b) In which data integrity is the most important requirement.
c) In which system availability is the most important requirement.
a. The system will have to assure confidentiality if it is being used to publish corporate proprietary material.
b. The system will have to assure integrity if it is being used to publish laws or regulations.
c. The system will have to assure availability if it is being used to publish a daily paper.
The protection offered to a computerized system in order to provide integrity, reliability, availability and confidentiality of the information and resources in the system (including software, hardware, data, software based on hardware) - the triangle.
Active - an attack aimed at changing the resources of the system and the data in it
Passive - an attack intended to learn about the system without changing its information or resources. The integrity of the information is not compromised, but confidentiality is broken, such as by spying on data in the system. For example:
Deception - Fraud:
Release of message contents - the attacker learns the contents of sensitive messages that pass through the system, or that leave or enter it
Traffic analysis - analysis of the information flowing in the system in order to obtain more data on how it operates
Masquerade - one entity impersonates another entity and uses its identity / permissions to affect the system
Replay - passive capture of information and its retransmission (e.g. replaying a message about transferring money from account to account transfers 2 times the money)
Modification of messages - changing messages sent to the system in order to obtain permissions / sensitive information
Denial of service - preventing the normal use or management of communication objects, or bringing down the entire network
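
How a receiver can reject the replay and modification-of-messages attacks described above for a money-transfer message, as an added example that is not part of the original notes. The shared key, account names, balances and function names are all constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets

KEY = secrets.token_bytes(32)  # constructed key shared by sender and receiver (assumption)

def make_tag(key, payload):
    """HMAC-SHA256 over the exact bytes that travel on the wire."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def sign_transfer(key, src, dst, amount):
    """Build a transfer message carrying a fresh nonce and an integrity tag."""
    body = {"src": src, "dst": dst, "amount": amount,
            "nonce": secrets.token_hex(16)}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "tag": make_tag(key, payload)}

class TransferReceiver:
    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()            # a real system would bound this, e.g. with timestamps
        self.balances = {"A": 100, "B": 0}  # constructed sample accounts

    def accept(self, msg):
        # Integrity check first: a changed payload no longer matches its tag.
        if not hmac.compare_digest(make_tag(self.key, msg["payload"]), msg["tag"]):
            return "rejected: modified"
        body = json.loads(msg["payload"])
        # Replay check: a valid message is honoured only once.
        if body["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(body["nonce"])
        self.balances[body["src"]] -= body["amount"]
        self.balances[body["dst"]] += body["amount"]
        return "accepted"

def demo():
    rx = TransferReceiver(KEY)
    msg = sign_transfer(KEY, "A", "B", 25)
    results = [rx.accept(msg), rx.accept(msg)]   # second call is the replayed copy
    body = json.loads(msg["payload"])
    body["amount"] = 95                          # message altered in transit, tag unchanged
    forged = {"payload": json.dumps(body, sort_keys=True).encode(), "tag": msg["tag"]}
    results.append(rx.accept(forged))
    return results, rx.balances

if __name__ == "__main__":
    print(demo())
```

Without the nonce check the second copy would be accepted and the transfer applied twice, which is the case the Replay entry describes.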