
Assignment 4 80pts

Deadline: Wednesday, February 19, 2029 by 13:59:59

Early Turn-In: Sunday, February 16, 2019 by 23:59:59 (10% bonus)

Overview

The goal of this assignment is to gain hands-on experience exploiting vulnerabilities on websites. This assignment will demonstrate how simple vulnerabilities (often occurring due to the carelessness of the website developer) can be really harmful to the website's owners. Security attacks include but aren't limited to stealing sensitive information, injecting malicious code, and causing the host server to crash.

In this assignment, you have 8 'levels' or 'challenges' (each worth 10 points). In each challenge, you have to find the 'flag'. A flag is just a secret password that you need to find by exploiting certain vulnerabilities. Once you have the password, just enter it in the text box and hit the submit button to move up one level. Every challenge comes with hints and clues (present as text on the web page itself) which will guide you through exploiting a particular vulnerability. You may consult any online references you wish.

Getting Started/Logging In

Visit https://c10-32.sysnet.ucsd.edu/challenges/. On this page, you will be asked to enter your PID and a password. You can find your password in your Gradescope account for this class (look for the "Assignment 4 userinfo" assignment).

A Word of Caution

Each level comes with a description of its password. As mentioned before, every password is completely randomized for every level, and the fastest way to get to the password is by exploiting the said vulnerability. It should also be noted that brute-force techniques will not work. We have set limits on the number of ping and HTTP connections that every account can send to our server each day. If you reach this limit, you will be blocked for the rest of the day. So please do not try to DDoS the server with random tries.

Prior Knowledge

During the assignment, you may encounter situations that require you to execute HTML, client-side JavaScript or SQL statements. Some levels can be solved with a few lines written in Python. However, no code that you are expected to write in this assignment exceeds 10 (very small) lines. Most of the expected code is pretty generic and can be found with a quick Google search. The aim of the assignment is not to teach you coding in the said languages, but to give you hands-on experience with the tricks that most "hackers" or exploiters use in today's world. At no time are you expected to know "truly fancy" stuff like PHP, ASP, server-side JavaScript, AJAX, jQuery, Flash, CSS or, in general, anything beyond the realms of the aforementioned techniques.

Useful Resources

Here are a few resources which you may find very helpful while solving the assignment. They are, in no particular order:

  • GET and POST requests - https://www.w3schools.com/tags/ref_httpmethods.asp
  • Python Requests library - http://docs.python-requests.org/en/master/
  • Handling Cookies on your browser - https://kb.iu.edu/d/ajfi
  • Intro to JavaScript - https://www.w3schools.com/js/default.asp
  • Intro to SQL - https://www.w3schools.com/sql/sql_intro.asp
  • Base64 Library (Python) Encoding and Decoding - https://code.tutsplus.com/tutorials/base64-encoding-and-decoding-using-python--cms-25588

Final Notes

Exploiting vulnerabilities on web services is perhaps as old as the web. This assignment is designed to give you a first-hand feel of what people who exploit vulnerabilities look at. It is intended to make you think about these vulnerabilities whenever you design a web service of your own.

However, since it is intended for academic purposes, it is heavily toned down. Think of it as a toy model of the real world. We have even included hints and descriptions on every level. Just following these and only these should be enough to get you through. In the real world, the "hacker" will not have any hints and will have to systematically try everything. This is often long and meticulous, and not suited to an assignment format. Hence, your best friends are the hints present in every level.

Happy hacking!

CSE 509 Computer System Security

What's New This Time

Course description, course topics.

  • Foundations
      • Cryptographic foundations
      • Identification and Authentication: passwords, biometrics, ...
      • Authorization and Access control: ACLs, capabilities, MLS, DTE, RBAC, ...
      • Operating system security
          • Principles: memory protection, privilege separation, layering, isolation, sharing, ...
          • Case studies: UNIX/Linux, SELinux
      • Database security: encryption, views, delegation, statistical inference
      • Principles and practices for secure system design
  • Contemporary Threats, Vulnerabilities and Defenses
      • Software vulnerabilities
          • Memory corruption: stack-smashing, heap overflows, integer overflows, ...
          • Input validation errors: SQL and command injection, format-string attacks, ...
          • Race conditions and other software vulnerabilities
          • Web server and Browser vulnerabilities
      • Malware and Untrusted software
          • Viruses and worms, Rootkits, Botnets, ...
          • Obfuscation and evasion
      • Defenses for software threats
          • Static analysis for vulnerability detection
          • Code transformation for runtime policy checking
          • Runtime policy enforcement and sandboxing
          • Isolation and information-flow control
          • Virtual machines, TPM, ...
      • Network-layer threats: network probing, scanning, evasion, ...
          • Defenses: Intrusion detection, ...
      • Side-channel attacks: covert channels, timing attacks, power analysis, emanations, remanence and reuse
      • Privacy and Anonymity

  • ROP
  • Ciphers and algorithms
  • Network-based attacks
  • Intrusion Detection
  • Course summary

Class Place and Time:

Tentative deadlines:

Dates for assignments and mid-term exams are subject to change.

September 23 Thursday Exploit assignment
October 5 Tuesday Quiz I
October 16 Saturday Lab 2
October 28 Thursday Mid-term Exam
November 3 Wednesday Lab 3
November 9 Tuesday Project selection due
November 16 Tuesday Quiz II
November 30 Tuesday Quiz III
December 13 Monday Project submission
December 15 Wednesday Final exam

Instructor:

R. Sekar
Office: Rm 364 New Computer Science
Office Hours: Wed 11:30am to 12:30 on Zoom
If you experience difficulties in joining the Zoom call, please send me email (my last name at cs.stonybrook.edu).

Rory Bennett
Office Hours: Mon, Fri 11am to noon on Zoom
Email: rmbennett at cs dot stonybrook dot edu

Copying homework solutions or programming assignments from a fellow student or from the Internet, and all other forms of academic dishonesty, are considered serious offenses. They will be prosecuted to the maximum extent permitted by university policies.

Special Needs

If you have special needs, concerns or a disability, please contact the staff at Student Accessibility Support Center (SASC). SASC staff will review your concerns and determine, with you, what accommodations are necessary and appropriate. All information and documentation will remain confidential.

Basic Concepts and Models of Cybersecurity

  • February 2020
  • In book: The Ethics of Cybersecurity (pp.11-44)

Dominik Herrmann at Otto-Friedrich-Universität Bamberg


Abstract and Figures

Safety versus security



Computer Security Assignment 1

Nonhlanhla sigudla

Related Papers

Masauko Kazembe

computer security assignment pdf

Prof. Dr.J.R. Arun kumar

Peace Harmony7

Computer security has evolved over the years, as technological ingenuity has improved and threats to cyberspace have evolved and developed. Information security began with computer security, during World War II (WW2). (Whitman & Mattord, 2018, pp. 3) Data could be stored in a computerized format, and information could be shared across multiple formats and channels. Attackers became more adept at breaking through systems, accessing and retrieving information that was otherwise, secure and meant to be confidential. Computer technology made it possible for communication channels to improve their connections, and for the speed of information, to progressively develop. Accessibility also increased the need to historically develop information security plans and policies that would address potential cyberattacks and threats to information privacy. In Academic Libraries, librarians could work with Information Technology (IT) professionals to develop an effective Information Security Policy, in order to prepare for and prevent potential attacks. The history of information security policies in Academic Libraries has developed, alongside the computer technology generation; libraries have adapted and developed over the years, as a result of the various technological changes influencing their learning environments. This paper will review the historical developments and changes that have occurred in the information technology field, while connecting these advancements to Academic Libraries, and reviewing how the changes have transformed these learning centers, into next generation libraries, challenged by the ongoing threats of cyberattacks.

Indian Journal of Science and Technology

Ayush sharma

Maciej Szmit

The article attempts to discuss a few specific IT security-related terms, explaining what they mean and from where they were presumably borrowed, and suggesting how they should be used (or why they should not be used at all).

Issues in Informing Science and Information Technology

pramod pandya

International Journal of Advance Research in Computer Science and Management Studies [IJARCSMS] ijarcsms.com

Rutgers Journal of Computers and the Law

Ronald Slivka , Joel Darrow

Recommended steps in assessing security needs include defining the assets requiring protection, enumerating potential threats to the security of assets, and estimating the degree of security exposure of each asset. A system for reducing security exposures through applying electronic data processing systems controls, physical security controls, administrative controls and legal controls. A suggestion is made that a periodic evaluation by auditing teams and management be conducted. Legal and technological limitations on security systems are explained. A select bibliography of books and articles on computer security from sources generally unfamiliar to most lawyers and many of which contain references to legal issues and case citations is included.



NIST, Computer Security Division, Computer Security Resource Center


Special Publication 800-12 chapters:

  • Table of Contents
  • Chapter 1: Introduction
  • Chapter 2: Elements of Computer Security
  • Chapter 3: Roles & Responsibilities
  • Chapter 4: Common Threats: A Brief Overview
  • Chapter 5: Computer Security Policy
  • Chapter 6: Computer Security Program Management
  • Chapter 7: Computer Security Risk Management
  • Chapter 8: Security & Planning in the Computer Security Life Cycle
  • Chapter 9: Assurance
  • Chapter 10: Personnel / User Issues
  • Chapter 11: Preparing for Contingencies and Disasters
  • Chapter 12: Computer Security Incident Handling
  • Chapter 13: Awareness, Training and Education
  • Chapter 14: Security Considerations in Computer Support and Operations
  • Chapter 15: Physical and Environmental Security
  • Chapter 16: Identification and Authentication
  • Chapter 17: Logical Access Control
  • Chapter 18: Audit Trails
  • Chapter 19: Cryptography
  • Chapter 20: Assessing and Mitigating the Risks to a Hypothetical Computer System
  • Interdependencies Cross Reference

Special Publication 800-12: An Introduction to Computer Security: The NIST Handbook

Section II: Management Controls


CHAPTER 5: Computer Security Policy

In discussions of computer security, the term policy has more than one meaning. 45 Policy is senior management's directives to create a computer security program, establish its goals, and assign responsibilities. The term policy is also used to refer to the specific security rules for particular systems. 46 Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy or fax security policy.

Policy means different things to different people. The term "policy" is used in this chapter in a broad manner to refer to important computer security-related decisions.

In this chapter the term computer security policy is defined as the "documentation of computer security decisions" - which covers all the types of policy described above. 47 In making these decisions, managers face hard choices involving resource allocation, competing objectives, and organizational strategy related to protecting both technical and information resources as well as guiding employee behavior. Managers at all levels make choices that can result in policy, with the scope of the policy's applicability varying according to the scope of the manager's authority. In this chapter we use the term policy in a broad manner to encompass all of the types of policy described above - regardless of the level of manager who sets the particular policy.

Managerial decisions on computer security issues vary greatly. To differentiate among various kinds of policy, this chapter categorizes them into three basic types:

  • Program policy is used to create an organization's computer security program.
  • Issue-specific policies address specific issues of concern to the organization.
  • System-specific policies focus on decisions taken by management to protect a particular system. 48

Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization. (See following box.)

Standards (not to be confused with American National Standards, FIPS, Federal Standards, or other national or international standards) specify uniform use of specific technologies, parameters, or procedures when such uniform use will benefit an organization. Standardization of organization-wide identification badges is a typical example, providing ease of employee mobility and automation of entry/exit systems. Standards are normally compulsory within an organization.

Guidelines assist users, systems personnel, and others in effectively securing their systems. The nature of guidelines, however, immediately recognizes that systems vary considerably, and imposition of standards is not always achievable, appropriate, or cost-effective. For example, an organizational guideline may be used to help develop system-specific standard procedures. Guidelines are often used to help ensure that specific security measures are not overlooked, although they can be implemented, and correctly so, in more than one way.

Procedures normally assist in complying with applicable security policies, standards, and guidelines. They are detailed steps to be followed by users, system operations personnel, or others to accomplish a particular task (e.g., preparing new user accounts and assigning the appropriate privileges).

Some organizations issue overall computer security manuals, regulations, handbooks, or similar documents. These may mix policy, guidelines, standards, and procedures, since they are closely linked. While manuals and regulations can serve as important tools, it is often useful if they clearly distinguish between policy and its implementation. This can help in promoting flexibility and cost-effectiveness by offering alternative implementation approaches to achieving policy goals.

Familiarity with various types and components of policy will aid managers in addressing computer security issues important to the organization. Effective policies ultimately result in the development and implementation of a better computer security program and better protection of systems and information.

These types of policy are described to aid the reader's understanding. 49 It is not important that one categorizes specific organizational policies into these three categories; it is more important to focus on the functions of each.

5.1 Program Policy

A management official, normally the head of the organization or the senior administration official, issues program policy to establish (or restructure) the organization's computer security program and its basic structure. This high-level policy defines the purpose of the program and its scope within the organization; assigns responsibilities (to the computer security organization) for direct program implementation, as well as other responsibilities to related offices (such as the Information Resources Management [IRM] organization); and addresses compliance issues.

Program policy sets organizational strategic directions for security and assigns resources for its implementation.

5.1.1 Basic Components of Program Policy

Components of program policy should address:

Purpose. Program policy normally includes a statement describing why the program is being established. This may include defining the goals of the program. Security-related needs, such as integrity, availability, and confidentiality, can form the basis of organizational goals established in policy. For instance, in an organization responsible for maintaining large mission-critical databases, reduction in errors, data loss, data corruption, and recovery might be specifically stressed. In an organization responsible for maintaining confidential personal data, however, goals might emphasize stronger protection against unauthorized disclosure.

Scope. Program policy should be clear as to which resources - including facilities, hardware, and software, information, and personnel - the computer security program covers. In many cases, the program will encompass all systems and organizational personnel, but this is not always true. In some instances, it may be appropriate for an organization's computer security program to be more limited in scope.

Responsibilities. Once the computer security program is established, its management is normally assigned to either a newly-created or existing office. 50

The responsibilities of officials and offices throughout the organization also need to be addressed, including line managers, applications owners, users, and the data processing or IRM organizations. This section of the policy statement, for example, would distinguish between the responsibilities of computer services providers and those of the managers of applications using the provided services. The policy could also establish operational security offices for major systems, particularly those at high risk or most critical to organizational operations. It also can serve as the basis for establishing employee accountability.

At the program level, responsibilities should be specifically assigned to those organizational elements and officials responsible for the implementation and continuity of the computer security policy. 51

Compliance. Program policy typically will address two compliance issues:

  • General compliance to ensure meeting the requirements to establish a program and the responsibilities assigned therein to various organizational components. Often an oversight office (e.g., the Inspector General) is assigned responsibility for monitoring compliance, including how well the organization is implementing management's priorities for the program.  
  • The use of specified penalties and disciplinary actions. Since the security policy is a high-level document, specific penalties for various infractions are normally not detailed here; instead, the policy may authorize the creation of compliance structures that include violations and specific disciplinary action(s). 52

Those developing compliance policy should remember that violations of policy can be unintentional on the part of employees. For example, nonconformance can often be due to a lack of knowledge or training.

5.2 Issue-Specific Policy

Whereas program policy is intended to address the broad organizationwide computer security program, issue-specific policies are developed to focus on areas of current relevance and concern (and sometimes controversy) to an organization. Management may find it appropriate, for example, to issue a policy on how the organization will approach contingency planning (centralized vs. decentralized) or the use of a particular methodology for managing risk to systems. A policy could also be issued, for example, on the appropriate use of a cutting-edge technology (whose security vulnerabilities are still largely unknown) within the organization. Issue-specific policies may also be appropriate when new issues arise, such as when implementing a recently passed law requiring additional protection of particular information. Program policy is usually broad enough that it does not require much modification over time, whereas issue-specific policies are likely to require more frequent revision as changes in technology and related factors take place.

In general, for issue-specific and system-specific policy, the issuer is a senior official; the more global, controversial, or resource-intensive, the more senior the issuer.

5.2.1 Example Topics for Issue-Specific Policy 53

There are many areas for which issue-specific policy may be appropriate. Two examples are explained below.

Internet Access. Many organizations are looking at the Internet as a means for expanding their research opportunities and communications. Unquestionably, connecting to the Internet yields many benefits - and some disadvantages. Some issues an Internet access policy may address include who will have access, which types of systems may be connected to the network, what types of information may be transmitted via the network, requirements for user authentication for Internet-connected systems, and the use of firewalls and secure gateways.

E-Mail Privacy. Users of computer e-mail systems have come to rely upon that service for informal communication with colleagues and others. However, since the system is typically owned by the employing organization, from time to time, management may wish to monitor the employee's e-mail for various reasons (e.g., to be sure that it is used for business purposes only or if they are suspected of distributing viruses, sending offensive e-mail, or disclosing organizational secrets). On the other hand, users may have an expectation of privacy, similar to that accorded U.S. mail. Policy in this area addresses what level of privacy will be accorded e-mail and the circumstances under which it may or may not be read.

5.2.2 Basic Components of Issue-Specific Policy

As suggested for program policy, a useful structure for issue-specific policy is to break the policy into its basic components.

Issue Statement. To formulate a policy on an issue, managers first must define the issue with any relevant terms, distinctions, and conditions included. It is also often useful to specify the goal or justification for the policy - which can be helpful in gaining compliance with the policy. For example, an organization might want to develop an issue-specific policy on the use of "unofficial software," which might be defined to mean any software not approved, purchased, screened, managed, and owned by the organization. Additionally, the applicable distinctions and conditions might then need to be included, for instance, for software privately owned by employees but approved for use at work, and for software owned and used by other businesses under contract to the organization.

Statement of the Organization's Position. Once the issue is stated and related terms and conditions are discussed, this section is used to clearly state the organization's position (i.e., management's decision) on the issue. To continue the previous example, this would mean stating whether use of unofficial software as defined is prohibited in all or some cases, whether there are further guidelines for approval and use, or whether case-by-case exceptions will be granted, by whom, and on what basis.

Applicability. Issue-specific policies also need to include statements of applicability. This means clarifying where, how, when, to whom, and to what a particular policy applies. For example, it could be that the hypothetical policy on unofficial software is intended to apply only to the organization's own on-site resources and employees and not to contractors with offices at other locations. Additionally, the policy's applicability to employees traveling among different sites and/or working at home who need to transport and use disks at multiple sites might need to be clarified.

To be effective, policy requires visibility. Visibility aids implementation of policy by helping to ensure policy is fully communicated throughout the organization. Management presentations, videos, panel discussions, guest speakers, question/answer forums, and newsletters increase visibility. The organization's computer security training and awareness program can effectively notify users of new policies. It also can be used to familiarize new employees with the organization's policies.

Computer security policies should be introduced in a manner that ensures that management's unqualified support is clear, especially in environments where employees feel inundated with policies, directives, guidelines, and procedures. The organization's policy is the vehicle for emphasizing management's commitment to computer security and making clear their expectations for employee performance, behavior, and accountability.

To be effective, policy should be consistent with other existing directives, laws, organizational culture, guidelines, procedures, and the organization's overall mission. It should also be integrated into and consistent with other organizational policies (e.g., personnel policies). One way to help ensure this is to coordinate policies during development with other organizational offices.

Roles and Responsibilities. The assignment of roles and responsibilities is also usually included in issue-specific policies. For example, if the policy permits unofficial software privately owned by employees to be used at work with the appropriate approvals, then the approval authority granting such permission would need to be stated. (Policy would stipulate who, by position, has such authority.) Likewise, it would need to be clarified who would be responsible for ensuring that only approved software is used on organizational computer resources and, perhaps, for monitoring users in regard to unofficial software.

Compliance. For some types of policy, it may be appropriate to describe, in some detail, the infractions that are unacceptable, and the consequences of such behavior. Penalties may be explicitly stated and should be consistent with organizational personnel policies and practices. When used, they should be coordinated with appropriate officials and offices and, perhaps, employee bargaining units. It may also be desirable to task a specific office within the organization to monitor compliance.

Points of Contact and Supplementary Information. For any issue-specific policy, the appropriate individuals in the organization to contact for further information, guidance, and compliance should be indicated. Since positions tend to change less often than the people occupying them, specific positions may be preferable as the point of contact. For example, for some issues the point of contact might be a line manager; for other issues it might be a facility manager, technical support person, system administrator, or security program representative. Using the above example once more, employees would need to know whether the point of contact for questions and procedural information would be their immediate superior, a system administrator, or a computer security official.

Guidelines and procedures often accompany policy. The issue-specific policy on unofficial software, for example, might include procedural guidelines for checking disks brought to work that had been used by employees at other locations.

5.3 System-Specific Policy

Program policy and issue-specific policy both address policy from a broad level, usually encompassing the entire organization. However, they do not provide sufficient information or direction, for example, to be used in establishing an access control list or in training users on what actions are permitted. System-specific policy fills this need. It is much more focused, since it addresses only one system.

Many security policy decisions may apply only at the system level and may vary from system to system within the same organization. While these decisions may appear to be too detailed to be policy, they can be extremely important, with significant impacts on system usage and security. These types of decisions can be made by a management official, not by a technical system administrator. 54 (The impacts of these decisions, however, are often analyzed by technical system administrators.)

To develop a cohesive and comprehensive set of security policies, officials may use a management process that derives security rules from security goals. It is helpful to consider a two-level model for system security policy: security objectives and operational security rules, which together comprise the system-specific policy. Closely linked and often difficult to distinguish, however, is the implementation of the policy in technology.

5.3.1 Security Objectives

The first step in the management process is to define security objectives for the specific system. Although this process may start with an analysis of the need for integrity, availability, and confidentiality, it should not stop there. A security objective needs to be more specific; it should be concrete and well defined. It also should be stated so that it is clear that the objective is achievable. This process will also draw upon other applicable organization policies.

Security objectives consist of a series of statements that describe meaningful actions about explicit resources. These objectives should be based on system functional or mission requirements, but should state the security actions that support the requirements.

Development of system-specific policy will require management to make trade-offs, since it is unlikely that all desired security objectives will be able to be fully met. Management will face cost, operational, technical, and other constraints.

5.3.2 Operational Security Rules

After management determines the security objectives, the rules for operating a system can be laid out, for example, to define authorized and unauthorized modification. Who (by job category, organization placement, or name) can do what (e.g., modify, delete) to which specific classes and records of data, and under what conditions.

The degree of specificity needed for operational security rules varies greatly. The more detailed the rules are, up to a point, the easier it is to know when one has been violated. It is also, up to a point, easier to automate policy enforcement. However, overly detailed rules may make the job of instructing a computer to implement them difficult or computationally complex.

In addition to deciding the level of detail, management should decide the degree of formality in documenting the system-specific policy. Once again, the more formal the documentation, the easier it is to enforce and to follow policy. On the other hand, policy at the system level that is too detailed and formal can also be an administrative burden. In general, good practice suggests a reasonably detailed formal statement of the access privileges for a system. Documenting access controls policy will make it substantially easier to follow and to enforce. (See Chapters 10 and 17, Personnel/User Issues and Logical Access Control.) Another area that normally requires a detailed and formal statement is the assignment of security responsibilities. Other areas that should be addressed are the rules for system usage and the consequences of noncompliance.

Policy decisions in other areas of computer security, such as those described in this handbook, are often documented in the risk analysis, accreditation statements, or procedural manuals. However, any controversial, atypical, or uncommon policies will also need formal statements. Atypical policies would include any areas where the system policy is different from organizational policy or from normal practice within the organization, either more or less stringent. The documentation for an atypical policy contains a statement explaining the reason for deviation from the organization's standard policy.

5.3.3 System-Specific Policy Implementation

Technology plays an important - but not sole - role in enforcing system-specific policies. When technology is used to enforce policy, it is important not to neglect nontechnology-based methods. For example, technical system-based controls could be used to limit the printing of confidential reports to a particular printer. However, corresponding physical security measures would also have to be in place to limit access to the printer output or the desired security objective would not be achieved.

Technical methods frequently used to implement system-security policy are likely to include the use of logical access controls. However, there are other automated means of enforcing or supporting security policy that typically supplement logical access controls. For example, technology can be used to block telephone users from calling certain numbers. Intrusion-detection software can alert system administrators to suspicious activity or can take action to stop the activity. Personal computers can be configured to prevent booting from a floppy disk.

Technology-based enforcement of system-security policy has both advantages and disadvantages. A computer system, properly designed, programmed, installed, configured, and maintained, 55 consistently enforces policy within the computer system, although no computer can force users to follow all procedures. Management controls also play an important role - and should not be neglected. In addition, deviations from the policy may sometimes be necessary and appropriate; such deviations may be difficult to implement easily with some technical controls. This situation occurs frequently if implementation of the security policy is too rigid (which can occur when the system analysts fail to anticipate contingencies and prepare for them).

5.4 Interdependencies

Policy is related to many of the topics covered in this handbook:

Program Management. Policy is used to establish an organization's computer security program, and is therefore closely tied to program management and administration. Both program and system-specific policy may be established in any of the areas covered in this handbook. For example, an organization may wish to have a consistent approach to incident handling for all its systems - and would issue appropriate program policy to do so. On the other hand, it may decide that its applications are sufficiently independent of each other that application managers should deal with incidents on an individual basis.

Access Controls. System-specific policy is often implemented through the use of access controls. For example, it may be a policy decision that only two individuals in an organization are authorized to run a check-printing program. Access controls are used by the system to implement (or enforce) this policy.

Links to Broader Organizational Policies. This chapter has focused on the types and components of computer security policy. However, it is important to realize that computer security policies are often extensions of an organization's information security policies for handling information in other forms (e.g., paper documents). For example, an organization's e-mail policy would probably be tied to its broader policy on privacy. Computer security policies may also be extensions of other policies, such as those about appropriate use of equipment and facilities.

5.5 Cost Considerations

A number of potential costs are associated with developing and implementing computer security policies. Overall, the major cost of policy is the cost of implementing the policy and its impacts upon the organization. For example, establishing a computer security program, accomplished through policy, does not come at negligible cost.

Other costs may be those incurred through the policy development process. Numerous administrative and management activities may be required for drafting, reviewing, coordinating, clearing, disseminating, and publicizing policies. In many organizations, successful policy implementation may require additional staffing and training - and can take time. In general, the costs to an organization for computer security policy development and implementation will depend upon how extensive the change needed to achieve a level of risk acceptable to management is.

45. There are variations in the use of the term policy, as noted in a 1994 Office of Technology Assessment report, Information Security and Privacy in Network Environments: "Security Policy refers here to the statements made by organizations, corporations, and agencies to establish overall policy on information access and safeguards. Another meaning comes from the Defense community and refers to the rules relating clearances of users to classification of information. In another usage, security policies are used to refine and implement the broader, organizational security policy...."

46. These are the kind of policies that computer security experts refer to as being enforced by the system's technical controls as well as its management and operational controls.

47. In general, policy is set by a manager. However, in some cases, it may be set by a group (e.g., an intraorganizational policy board).

48. A system refers to the entire collection of processes, both those performed manually and those using a computer (e.g., manual data collection and subsequent computer manipulation), which performs a function. This includes both application systems and support systems, such as a network.

49. No standard terms exist for various types of policies. These terms are used to aid the reader's understanding of this topic; no implication of their widespread usage is intended.

50. The program management structure should be organized to best address the goals of the program and respond to the particular operating and risk environment of the organization. Important issues for the structure of the computer security program include management and coordination of security-related resources, interaction with diverse communities, and the ability to relay issues of concern, trade-offs, and recommended actions to upper management. (See Chapter 6, Computer Security Program Management.)

51. In assigning responsibilities, it is necessary to be specific; such assignments as "computer security is everyone's responsibility," in reality, mean no one has specific responsibility.

52. The need to obtain guidance from appropriate legal counsel is critical when addressing issues involving penalties and disciplinary action for individuals. The policy does not need to restate penalties already provided for by law, although they can be listed if the policy will also be used as an awareness or training document.

53. Examples presented in this section are not all-inclusive nor meant to imply that policies in each of these areas are required by all organizations.

54. It is important to remember that policy is not created in a vacuum. For example, it is critical to understand the system mission and how the system is intended to be used. Also, users may play an important role in setting policy.

55. Doing all of these things properly is, unfortunately, the exception rather than the rule. Confidence in the system's ability to enforce system-specific policy is closely tied to assurance. (See Chapter 9, Assurance.)

CSE 484 / CSE M 584: Computer Security (Spring 2017)

Assignments and labs will be posted on this page throughout the quarter. All dates are tentative until the assignment/lab is officially posted.

In-Class Activities

In-class activities are just that -- worksheets or activities done in class. Be sure to write your name, email address, UWNetID, and the date on each activity when you turn it in.

You are given at least three free in-class activity days, which you can use while you’re traveling, etc. We will clarify this description in class. The use of the words “at least” is because we currently do not know exactly how many days we’ll have in-class activities, and we may allow additional free days depending on the total number of days with in-class activities.

I will keep complete in-class worksheets until after the quarter ends -- feel free to stop by my office to pick yours up anytime.

  • Worksheet - Lecture 1
  • Worksheet - Lecture 2
  • Worksheet - Lecture 3
  • Worksheet - Lecture 5
  • Worksheet - Lecture 6
  • Worksheet - Lecture 7
  • Worksheet - Lecture 8
  • Worksheet - Guest Lecture
  • Worksheet - Lecture 10
  • Worksheet - Lecture 11
  • Worksheet - Jared Lecture and Lab 2 [ solution ]
  • Worksheet - Lecture 13
  • Worksheet - Lecture 15
  • Worksheet - Lecture 18
  • Worksheet - Lecture 19
  • Worksheet - Lecture 21
  • Worksheet #1
  • Worksheet #2
  • Worksheet #3
  • Worksheet #4
  • Worksheet #5
  • Worksheet #6
  • Worksheet #7
  • Worksheet #8
  • Worksheet #9

Unless otherwise specified, all submissions must be typed and submitted as PDF files; handwritten assignments and non-PDF files will not be accepted. Unless otherwise specified, submit homeworks online at the following URL: https://catalyst.uw.edu/collectit/dropbox/franzi/40080.

At the top of your assignment, be sure to write your name, email address, UWNetID, the homework assignment number (e.g. "Homework 1"), due date, any references that you used (besides the course texts and assigned readings), and the names of any people that you discussed the assignment with.

Include your name and UWNetID on each page.

Unless otherwise specified, submit labs online at the following URL: https://catalyst.uw.edu/collectit/dropbox/franzi/40080.

  • Lab 1: Software Security
  • Out: April 4
  • Checkpoint: April 14, 11:59pm
  • Due: April 28, 11:59pm
  • Lab 2: Web Security
  • Due: May 19, 8pm
  • Lab 3: Mobile Security
  • Out: May 22
  • Due: June 2, 8pm
  • Due: May 20, 8pm
  • Out: May 23
  • Due: June 3, 8pm

Final Project

Final project instructions here.

CSE M 584 Research Component

If you are enrolled in CSE M 584, then you must also read the following papers and submit written reviews by the specified deadline. The usual late submission policy applies. Your evaluations should have the following form:

  • Paper title and author(s).
  • What problem does the paper address?
  • Two (or more) most important new ideas in the paper, and why.
  • What is the approach used to solve the problem?
  • How does the paper support or otherwise justify its arguments and conclusions?
  • Two ways the paper could be improved, and why.
  • Two important, open research questions on the topic, and why they matter.

You can find one version of advice on how to read a CS research paper here. You are also welcome to come discuss the reading process or the papers themselves with the course staff.

You must submit evaluations as a PDF file. You should upload the evaluations to the online Catalyst dropbox. Your evaluation for each reading must be less than one page long, be single-spaced, use 12pt font, and have at least 1 inch margins. We expect most paper evaluations to be approximately 1/2 to 3/4 pages long.

You are welcome to, and in fact encouraged to, discuss the papers with other students in the class or the course instructors. However, you must write the evaluations on your own.

  • April 6, 11:59pm -- " Comprehensive Experimental Analyses of Automotive Attack Surfaces " (USENIX Security 2011)
  • April 13, 11:59pm -- " Re: CAPTCHAs -- Understanding CAPTCHA-Solving Services in an Economic Context " (USENIX Security 2010)
  • April 20, 11:59pm -- " The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes " (Oakland 2012)
  • April 27, 11:59pm -- " An Empirical Study of Cryptographic Misuse in Android Applications " (CCS 2013)
  • May 4, 11:59pm -- " The Security Architecture of the Chromium Browser " (2008)
  • May 11, 11:59pm -- " Detecting and Defending Against Third-Party Tracking on the Web " (NSDI 2012)
  • May 18, 11:59pm -- " Analyzing Inter-Application Communications in Android " (MobiSys 2011)
  • May 25, 11:59pm -- " Tor: The Second-Generation Onion Router " (USENIX Security 2004)
  • June 1, 11:59pm -- " Enabling Fine-Grained Permissions for Augmented Reality Applications with Recognizers " (USENIX Security 2013)

You are allowed to look at other top computer security conferences, like USENIX Security 2016 ( https://www.usenix.org/conference/usenixsecurity16/technical-sessions ), for more recent papers. You can substitute any paper from this conference for one of the papers above, if one of these papers interests you. You may also check with the instructor for additional options/suggestions for substitute papers.

Extra Credit: You may also read up to five additional papers for extra credit. CSE 484 students may also read up to five papers, from USENIX Security 2016, from the above list, or other papers approved by the instructor, for extra credit. All extra credit readings are due on June 1, 11:59pm.

Are you looking for NPTEL Week 1 assignment answers for the July-Dec 2024 session? If you're enrolled in any of the NPTEL courses, this post will help you find the relevant assignment answers for Week 1. Be sure to submit your assignments by August 8, 2024.

nptel-assignment-answers/NPTEL-Week-1-Assignment-Answers-and-Solutions-2024

NPTEL Week 1 Assignment Answers and Solutions 2024

1. Artificial Intelligence Search Methods for Problem Solving Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/artificial-intelligence-search-methods-for-problem-solving-week-1

2. Cloud Computing Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/cloud-computing-week-1-assignment-1-nptel-answers

3. Computer Architecture Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/computer-architecture-nptel-week-1-assignment-1-answers

4. Cyber Security and Privacy Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/cyber-security-and-privacy-week-1-nptel-assignment

5. Data Base Management System Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/data-base-management-system-nptel-assignment-1-answers

6. Data Science for Engineers Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/data-science-for-engineers-week-1-assignment-nptel

7. Data Structure and Algorithms using Java Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/data-structure-and-algorithms-using-java-week-1-nptel

8. Deep Learning for Computer Vision Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/deep-learning-for-computer-vision-week-1-nptel-answers

9. Deep Learning IIT Ropar Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/deep-learning-iit-ropar-week-1-assignment-1-nptel

10. Ethical Hacking Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/ethical-hacking-nptel-week-1-assignment-1-answers

11. Introduction to Internet of Things Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/introduction-to-internet-of-things-week-1-nptel-answers

12. Introduction to Machine Learning IITKGP Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/introduction-to-machine-learning-iitkgp-week-1-nptel

13. Introduction to Machine Learning Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/introduction-to-machine-learning-week-1-nptel-answers

14. Introduction to Operating Systems Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/introduction-to-operating-systems-week-1-assignment-1

15. Machine Learning and Deep Learning Fundamentals and Applications Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/machine-learning-and-deep-learning-fundamentals-and-applications-week-1

16. Programming Data Structures and Algorithms using Python Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/programming-data-structures-and-algorithms-using-python-week-1

17. Programming in Modern C++ Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/programming-in-modern-cpp-week-1-assignment-1-nptel

18. Problem Solving Through Programming in C Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/problem-solving-through-programming-in-c-week-1-nptel

19. Python for Data Science Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/python-for-data-science-week-1-assignment-1-nptel

20. Software Engineering Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/software-engineering-week-1-assignment-1-nptel-answers

21. Software Testing Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/software-testing-week-1-assignment-1-nptel-answers

22. Soft Skill Development Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/nptel-soft-skill-development-week-1-assignment-1-nptel-answer

23. Soft Skills Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/soft-skills-week-1-assignment-1-nptel-answers

24. Theory of Computation Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/theory-of-computation-week-1-assignment-1-nptel-answers

25. The Joy of Computing Using Python Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/the-joy-of-computing-using-python-week-1-nptel-answers

26. Digital Circuits Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/digital-circuits-week-1-assignment-1-nptel-answers

27. Programming in Java Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/programming-in-java-week-1-assignment-1-nptel-answers

28. Introduction to Industry 4.0 and Industrial Internet of Things Nptel Week 1 Assignment Answers 2024

Link:  https://progiez.com/nptel-introduction-to-industry-4-assignment-1-week-1

Submission Deadline

Don’t forget to submit your assignments by August 8, 2024!

By following the links above, you can easily find and complete your Week 1 assignments for various NPTEL courses. Ensure that your submissions are accurate and submitted before the deadline to avoid any penalties.

Stay tuned for more updates and guides on upcoming assignments and course material.

Course info.

  • Prof. Ronald Rivest

Departments

  • Electrical Engineering and Computer Science

As Taught In

  • Computer Networks
  • Cryptography
  • Security Studies

Learning Resource Types

Network and computer security, assignments.

Some assignments do not have solutions or supporting files.

ASSIGNMENTS SAMPLE SOLUTIONS SUPPORTING FILES
Problem 1:  Problem 2:  Problem 3:

Problem 1:  Problem 2: No Solutions

Problem 3: 

Problem 1: No Solutions Problem 2: 

Problem 3: 

No Solutions No Supporting Files
No Solutions No Supporting Files 

COMMENTS

  1. (PDF) Computer System Security (CSS)

    This assignment aims to strengthen our comprehension and research skills relevant to the computer system security and its applications. It is divided into 3 sections. While Sections 1 and 3 are ...

  2. PDF Computer Security

    Computer security is an extremely wide field, and difficult to define. It includes purely mathematical topics such as cryptography, and abstract quantifications of cryptographic security, through to rather non-technical subjects such as access policy and resource allocation. Computer security is primarily concerned with information flow, and some

  3. PDF Assignment 5: Network Security

    Assignment 5: Network Security. This project is due on Monday, November 20 at 11:59 p.m.. Late submissions will be penalized by 10% per day. If you have a conflict due to travel, interviews, etc., please plan accordingly and turn in your project early. This is a group project; you will work in teams of two or three and submit one project per team.

  4. PDF An Introduction to Cybersecurity

    The Definition of Security • Security: freedom from, or resilience against, potential harm (or other unwanted coercive change) from external forces (Wikipedia) - in physical space • Cybersecurity: the protection of computer systems from theft or damage to their hardware, software or electronic data, as well as from disruption or

  5. Network and Computer Security, Problem Set 1

    This file contains the information regarding Network and Computer Security, Problem Set 1. ...

  6. PDF COMPUTER SECURITY PRINCIPLES AND PRACTICE

    1.1 Computer Security Concepts; 1.2 Threats, Attacks, and Assets; 1.3 Security Functional Requirements; 1.4 A Security Architecture for Open Systems; 1.5 Computer Security Trends; 1.6 Computer Security Strategy; 1.7 Recommended Reading and Web Sites; 1.8 Key Terms, Review Questions, and Problems

  7. Assignment 4

    This assignment is designed to give you a first-hand feel of what people who exploit vulnerabilities look at. It is intended to make you think about these vulnerabilities, whenever you design a web service of your own. However, since it is intended for academic purposes, it is heavily toned down. Think of it as a toy model of the real world.

  8. CSE 509 Computer System Security

    Others will be aimed at tools and techniques used for mitigating security threats. All of them are designed to prepare you for a final project that will be completed by groups of 2 to 4. All of these assignments and the projects provide a taste of research in software and systems security. Some assignments are best carried out by teams of two.

  9. (PDF) Basic Concepts and Models of Cybersecurity

    computer security. The goal of computer security is to protect assets. Valuable assets can be hardware (e.g. computers and smartphones), software and data. These assets are subject to threats ...

  10. (DOC) Computer Security Assignment 1

    Computer security has evolved over the years, as technological ingenuity has improved and threats to cyberspace have evolved and developed. Information security began with computer security, during World War II (WW2). (Whitman & Mattord, 2018, pp. 3) Data could be stored in a computerized format, and information could be shared across multiple ...

  11. PDF Network Security and Privacy

    A fair bit of C coding and PHP/JavaScript hacking. Can be done in teams of 2 students. Security is a contact sport! No make-up or substitute exams! If you are not sure you will be able to take the exams in class on the assigned dates, do not take this course! Midterm (20% of the grade) Final (25% of the grade) UTCS Code of Conduct will be ...

  12. PDF Computer and Network Security

    Organization Application and OS security (5 lectures) Buffer overflow project Vulnerabilities: control hijacking attacks, fuzzing Prevention: System design, robust coding, isolation Web security (4 lectures) Web site attack and defenses project Browser policies, session mgmt, user authentication HTTPS and web application security

  13. NIST SP 800-12: Chapter 5

    In discussions of computer security, the term policy has more than one meaning. 45 Policy is senior management's directives to create a computer security program, establish its goals, and assign responsibilities. The term policy is also used to refer to the specific security rules for particular systems. 46 Additionally, policy may refer to ...

  14. PDF Introduction to Security Cyberspace, Cybercrime and Cybersecurity

    ITU-T X.1205 Definition. Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets. Organization and user's assets include.

  15. PDF Introduction to Computer Security

    A compromised computer can be used for all kinds of surprising things. Many cyber security threats are largely avoidable. Some key steps that everyone can take include (1 of 2): • Use good, cryptic passwords that can't be easily guessed - and keep your passwords secret. • Make sure your computer, devices and applications (apps) are current ...

  16. CSE 484 / CSE M 584: Computer Security

    CSE 484 / CSE M 584: Computer Security (Spring 2017) Assignments and labs will be posted on this page throughout the quarter. All dates are tentative until the assignment/lab is officially posted. In-Class Activities. In-class activities are just that -- worksheets or activities done in class.

  17. Network and Computer Security, Problem Set 1.2

    This file contains the information regarding Network and Computer Security, Problem Set 1.2. ...

  18. PDF COMPUTER SECURITY AND ETHICS

    hardware, software and data from unauthorized access. The need for computer security is as a result of a number of security breaches. SOURCES OF SECURITY BREACHES Security breach is an act of breaking security policies, practices, or procedures. When security in computer is breached, it may result in the damage of vital files, failure of certain

  19. GitHub

    Are you looking for NPTEL Week 1 assignment answers for 2024 for the July-Dec session? If you're enrolled in any of the NPTEL courses, this post will help you find the relevant assignment answers for Week 1. Be sure to submit your assignments by August 8, 2024.

  20. Assignments

    Network and Computer Security. Assignments. Some assignments do not have solutions or supporting files. Problem Set 1 (PDF) Problem 1: Solution (PDF) Problem 2: Solution (PDF) Problem 3: Solution ...

  21. On King's Insistence, DoD Releases Report on Suicide Rates by Job

    WASHINGTON, D.C. - U.S. Senator Angus King, a senior member of the Senate Armed Services Committee (SASC), is welcoming the results of a newly released report that examines suicide rates by job function in the Armed Forces. The report, requested by Senator King after working ...

  22. PDF Herman Katz LLP ("Herman Katz") recently experienced a data security

    Herman Katz's computer network. We immediately initiated an incident response plan, engaged additional third-party experts, and commenced an investigation. These specialized third parties confirmed the security of our environment, hardened and enhanced our network security, and conducted a digital forensic investigation to determine the extent of