CS671 Spring 2021 Homework 6

Principles, Controls, and Applications

Dr. Greg M. Bernstein

Due Friday, April 30th, 2021 by 11:59PM, 50 points.

General Instructions

The goal of this assignment is to reinforce our knowledge of security principles and controls.

Create and Use a new Branch hw6

We will create a new git branch called hw6 for use in this assignment. The branch you create must exactly match the one I’ve given you for you to receive any credit for this homework.

Prior to creating this new branch make sure your working directory is “clean”, i.e., consistent with the last commit you did when you turned in homework 5. Follow the procedures in GitHub for Classroom Use to create the new branch, i.e., git checkout -b hw6. Review the section on submission for using push with a new branch.

Use README.md for Answers

You will modify the README.md file in your repo to contain the answers to this homework.

Questions

Question 1. (10 pts)

Principles: for this problem you may want to review the CyBOK introduction, and you will need to look up items in NIST SP 800-160 Vol. 1 Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

(a) Fail-Safe Defaults

In the context of information security and IP addresses/domain names what is “white listing”? What is “black listing”? Explain how these relate to the principle of fail-safe defaults.

(b) Separation of Privilege

Give an example of separation of privilege different from those discussed in class.

(c) NIST Principle of Continuous Protection

What is the NIST principle of continuous protection? See NIST SP800-160v1 appendix F. Use your own words.

(d) NIST Principle of Accountability and Traceability

What is the NIST principle of accountability and traceability? See NIST SP800-160v1 appendix F. Use your own words.

(e) NIST Defense in Depth

What is NIST’s definition of defense in depth, in your own words? See NIST SP800-160v1 appendix F.

Question 2. (10 pts)

NIST Controls: for this question you will need to refer to NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations.

(a) NIST Control PS-3

Explain the NIST control PS-3 in your own words for use in a commercial organization. Would this control typically be implemented in software? Explain.

(b) NIST Control SR-3(1)

Explain the NIST control SR-3(1) in your own words. Would this control typically be implemented in software? Explain. What part of the CIA triad is this control aimed at protecting?

(c) NIST Control AU-12

Explain the NIST control AU-12 in your own words. Would this control typically be implemented in software? Explain.

(d) NIST Control AC-2(5)

Explain the NIST control AC-2(5) in your own words. Would this control typically be implemented in software? Explain. Which general systems (don’t put down specifics) that you use frequently implement this control?

Question 3. (10 pts)

CIS Controls: for this question you will need to refer to the CIS Controls and to the more detailed PDF document available for free with registration. When asked a question about your home, consider yourself and your home a small business/enterprise.

(a) Defending Against and Recovering from Ransomware

You are the first dedicated cybersecurity employee at a growing business. Which of the 20 CIS controls would you specifically recommend to protect against ransomware attacks? Explain your top four choices to justify the time and expense to the other company executives.

(b) Controls and Principles

What are CIS controls 11.6 and 11.7? Which principle corresponds to these controls? Explain. What type(s) of organization would implement these controls?

(c) Home Boundary Defense

Which of the CIS control 12 (Boundary Defense) sub-controls are applicable to your home network (by their recommendations)? Which would be automated? What device and software normally perform this function?

(d) Home Data Defense

Which of the CIS Control 13: Data Protection sub-controls should you implement for your home (by their recommendations)? Have you implemented any of these? Explain.

Question 4. (10 pts)

Compliance with the Payment Card Industry Data Security Standard (PCI DSS), as summarized on Wikipedia. For each of the twelve requirements summarized on the Wikipedia page, identify, if possible, the corresponding CIS control by number and name, i.e., for each PCI DSS requirement give the corresponding CIS control, if any.

Question 5. (10 pts)

Project update. What did you work on in the last two weeks on your report? Give a summary of a few sentences.