CS671 Spring 2022 Homework 3

Access Control, Cybersecurity Law

Dr. Greg M. Bernstein

Due Wednesday, February 9th, 2022 by 11:59PM, 50 points.

General Instructions

The goals of this assignment are getting hands on with some indicators of compromise (IoC), delve into access control and the law related to cybersecurity.

Create and Use a new Branch hw3

We will create a new git branch called hw3 for use in this assignment. The branch you create must exactly match the one I’ve given you for you to receive any credit for this homework.

Prior to creating this new branch make sure your working directory is “clean”, i.e., consistent with the last commit you did when you turned in homework 2. Follow the procedures in GitHub for Classroom Use to create the new branch, i.e., git checkout -b hw3. Review the section on submission for using push with a new branch.

Use README.md for Answers

You will modify the README.md file in your repo to contain the answers to this homework.

Questions

Question 1. (10 pts)

1(a) IoC Types

In the Talos ObliqueRAT Analysis what are the types of IoC that they give for this malware family (you’ll find these at the end of the report, you don’t need to rea the entire report). Just list the types not all the data in each type.

1(b) File IoCs

For the file types what is the weird 64 character string they give? E.g., 2ad362e25989b0b1911310345da90473df9053190737c456494b0c26613c8d1f? Have you every seen anything like this before (say in homework #1)? What is this (in general)?

Question 2. (10 pts)

2(a)

In the CyBOK reference on AAA what are the Subject and Object in access control?

2(b)

What is an Access Control Matrix? In particular do the rows, columns, and contents signify?

2(c)

What are the two tasks performed by a reference monitor according to CyBOK?

2(d)

In our discussion of access control (and CyBOK) what are the two meanings of authorization?

2(e)

What are the three general types of information used to authenticate a person?

Question 3. (10 pts)

3(a)

What are the two meanings of security policy as given in the CyBOK reference? In the context of access control what does the acronym RBAC mean? Give an example of a system using RBAC.

3(b)

In the context of access control what does the acronym ABAC mean? How is this different from RBAC? Which supports the most general access controls? Given an example of a situation covered by one but not the other.

3(c)

Since we don’t use “dial-in” or “dial-up” to access networks anymore why/when would you ever use the Remote Authentication Dial-In User Service (RADIUS)? Similarly why would you ever touch the mysterious sounding IEEE 802.1X protocol. Would these ever be used together?

3(d)

As a member of a red team would you ever want to modify or delete system logs? Why? Which would be better some type of modification or deletion of the entire log (explain)? What part of the CIA triange is log modification/deletion attacking in particular?

Question 4. (10 pts)

4(a)

What are the two main types of Law? Who is responsible for instigating legal action in these two different types of law? Give an example of a type of case for each.

4(b)

Review the beginning of Understanding Law and the Rule of Law: A Plea to Augment CS Curricula. What is the different between rule by law and the rule of law? Who sets the rules? In this class the syllabus sets the rules, but I’m not allowed to change the syllabus after the class starts. In your opinion is this rule of law or rule by law. If I was allowed to change the syllabus after class started to give preference to a particular student or group of students would this be rule of law, rule by law, or neither?

4(c)

In mathematics and some areas of computer science we prove assertions (theorems, lemma, corollaries, etc.) via logic starting from postulates. Such proofs are absolute and once something is proved it is always true. In science like law we don’t get to prove things with logic but we gather evidence and claim something is true based on that evidence. Different fields of science, technology, and medicine use different levels of proof and so does law.

Is “Beyond a shadow of a doubt” a legal standard of proof? Give two examples of legal standards of proof and give examples of where they are typically used.

4(d)

What in essence is a Bulletproof Host? Who generally uses them? How would the price for the equivalent service compare with normal hosting services such as AWS, Azure, Digital Ocean, etc.? What does bulletproof hosting have to do with the legal concept of jurisdiction? (explain)

Question 5. (10 pts)

5(a) Privacy

In your own words restate the definition of privacy from section 3 of the CyBOK Law and Regulation Knowledge Area Issue 1.0. Is privacy considered an international human right? Is the right to privacy absolute?

5(b) Personal data and PII

This website from the Department of Homeland Security (DHS) has a definition of Personally Identifiable Information how does this compare with the GDPR definition of personal data (See 4.1.1 section 3 of the CyBOK Law and Regulation Knowledge Area)

5(c) Limitation of Purpose

In your own words what does the GDPR’s principle of limitation of purpose say?

5(d) Data Minimization

In your own words what does the the GDPR’s principle of data minimization say?

5(e) Storage Limitation

In your own words what does the the GDPR’s principle of storage limitation say?