Assignment
.pdf
keyboard_arrow_up
School
Carleton University *
*We aren’t endorsed by this school
Course
4810A
Subject
Computer Science
Date
Jan 9, 2024
Type
Pages
13
Uploaded by ChefOyster3965
Problem
1
2
3
4
5
Total
Points:
25
25
25
25
10
110
Page 1 of 13
SYSC
4810A:
Introduction
to
Network
and
Software
Security
Assignment
Fall
2023
Prof.Hala
Assal
Carleton
University
Department
of
Systems
and
Computer
Engineering
This
assignment
contains
13
pages
(including
this
cover
page)
and
5
problems.
You
are
responsible
for
ensuring
that
your
copy
of
the
assignment
is
complete.
Bring
any
discrepancy
to
the
attention
of
your
instructor.
Special
Instructions:
1.
Start
early
as
this
assignment
is
much
more
time
consuming
than
you
might
initially
think!
2.
The
burden
of
communication
is
upon
you.
Solutions
not
properly
explained
will
not
be
considered
correct.
Part
of
proper
communication
is
the
appearance
and
layout.
If
we
cannot
“decode”
what
you
wrote,
we
cannot
grade
it
as
a
correct
solution.
3.
You
may
consult
outside
sources,
such
as
textbooks,
but
any
use
of
any
source
must
be
documented
in
the
assignment
solutions.
4.
You
are
permitted
to
discuss
general
aspects
of
the
problem
sets
with
other
students
in
the
class,
but
you
must
hand
in
your
own
copy
of
the
solutions.
5.
Your
assignment
solutions
are
due
by
04:59PM
on
the
due
date
and
must
be
submitted
on
BrightSpace.
•
Late
assignments
will
be
graded
with
a
late
penalty
of
20%
of
the
full
grade
per
day
up
to
48
hours
past
the
deadline
.
6.
You
are
responsible
for
ensuring
that
your
assignment
is
submitted
correctly
and
without
corruption.
Posted:
October
29,
2023
Due:
December
4,
2023
Due
on
Monday,
December
4,
2023
by
04:59PM
In this assignment, you will participate in activities related to the operation and use of user authentication
and access control mechanisms. This assignment aims to assess your understanding of security policies, as
well as protocols to implement such policies.
It also aims to assess your ability to develop basic security
enhancements in stand-alone applications by implementing and using basic security tools to enhance and
enforce user authentication and access control policies.
Background Research
A significant portion of this assignment is to do the required background research on working with basic
cryptographic libraries and tools to support user authentication and access control such as Python
Cryptographic Services
and/or the C
OpenSSL
. Keep in mind that a substantial component of any software
or computer systems project is to solve and/or eliminate the underlying technical difficulties.
This often
means exploring user manuals and documentation.
Submission Requirements
Please read the following instructions very carefully and follow them precisely when submitting your assignment!
The following items are required for a complete assignment submission:
1.
PDF Assignment Report
: Submit a detailed report that carefully and concisely describes what
you have done and what you have observed. Include appropriate code snippets and listings, as well
as screenshots of program outputs and results. You also need to provide an adequate explanation of
the observations that are interesting or surprising. You are encouraged to pursue further investigation
beyond what is required by the assignment description.
2.
ZIP Archive of Source Code
: In addition to embedding source code listings in your assignment
report, create and submit a ZIP archive of all programs that you write for this assignment.
Please
name each of your source code files appropriately to indicate the purspose of each file and. A simple
naming scheme may be to name files according to the problem number to which they correspond (e.g.,
for Problem 7(a), the source code file should be named
Problem7a.c
). Your source code must compile
and run in the VM environment, producing the desired output.
Also, please remember to provide
sufficient comments in your code to describe what it does and why.
3.
ZIP Archive of Screenshot Image Files
: In addition to embedding screenshots of program outputs
and results in your assignment report, create and submit a ZIP archive of all of the raw screenshot
images that you capture for this assignment.
Grading Notes
An important part of this assignment is following instructions. As such, the following grade
penalties
will
be applied for failure to comply with the submission requirements outlined above:
•
Failure to submit an Assignment Report will result in a grade of
0
for the assignment.
•
Failure to submit the Source Code files will result in deduction of
10%
of the full grade of the assignment.
•
Failure to submit the Screenshot Image files will result in deduction of
10%
of the full grade of the
assignment.
•
Failure of Source Code to compile/run will result in a grade of
0
for the corresponding problem(s).
–
You are required to ensure that your code will compile and run in the VM!
•
Failure to submit any deliverable in the required format (PDF or ZIP) will result in deduction of
5%
of the full grade of the assignment.
Page 2 of 13
SYSC
4810A
—
Assignment
Due
Date:
December
4,
2023
Part I
Assignment Challenge
1
Introduction
Imagine that you are an employee of a computer security consulting firm. Your consulting firm has recently
been approached and contracted by a company called
Finvest Holdings
, which has requested the design and
implementation of a user authentication and access control system prototype for their proprietary financial
software and data systems to better support their clients. You have been assigned as the lead developer for
this contract and are responsbile for developing and documenting the prototype design and implementation
to fulfill the contractual obligations of your consulting firm with
Finvest Holdings
.
The details of these
contractual obligations are provided in the sections below.
The different parts of this assignment are designed to guide your investigation into the client’s concerns. At
the end of the assignment, you will be required to summarize your findings and provide recommendations
to
Finvest Holdings
addressing their concerns.
2
Context
Finvest Holdings
specializes in financial planning and investment banking, with access to numerous financial
instruments. Financial instruments are assets that can be traded, or they can also be seen as packages of
capital that may be traded. Most types of financial instruments provide efficient flow and transfer of capital
all throughout the world’s investors. These assets can be cash, a contractual right to deliver or receive cash
or another type of financial instrument, or evidence of one’s ownership of an entity.
Finvest Holdings
operates
numerous computer applications to manage and assist clients. They seek to have a new user authentication
and access control system for their proprietary financial software and data systems. Details of their previous
user authentication and access control system have not been provided.
It is clearly stated in the contract that the following access control policy must be enforced:
1. Clients can view their account balance, view their investments portfolio, and view the contact details
of their Financial Advisor.
2. Premium Clients can modify their investment portfolio and view the contact details of their Financial
Planner and Investment Analyst.
3. All
Finvest Holdings
employees (except for Technical Support) can view a client’s account balance and
investment portfolio, but only Financial Advisors, Financial Planners, and Investment Analysts can
modify a client’s investment portfolio.
4. Financial Planners can view money market instruments.
5. Financial Advisors and Financial Planners can view private consumer instruments.
6. Investment Analysts can view money market instruments, derivatives trading, interest instruments,
and private consumer instruments.
7. Technical Support can view a client’s information and request client account access to troubleshoot
client’s technical issues.
8. Tellers can only access the system during business hours from 9:00AM to 5:00PM.
9. Compliance Officers can validate modifications to investment portfolios.
Page 3 of 13
Due
Date:
December
4,
2023
SYSC
4810A
—
Assignment
In addition to the access control policy, the prototype must implement a proactive password checker that
ensures all passwords adhere to the following password policy:
•
Passwords must be least 8-12 characters in length
•
Password must include at least:
–
one upper-case letter;
–
one lower-case letter;
–
one numerical digit, and
–
one special character from the set:
{
!
,
@
,
#
,
$
,
%
,
?
,
∗}
•
Passwords found on a list of common weak passwords (e.g.,
Password1
,
Qwerty123
, or
Qaz123wsx
)
must be prohibited
–
Special Note
: The list should be flexible to allow for the addition of new exclusions over time.
•
Passwords matching the format of calendar dates, license plate numbers, telephone numbers, or other
common numbers must be prohibited
•
Passwords matching the user ID must be prohibited
In addition, to the access control and password policies described above,
Finvest Holdings
has expressed the
following requirements and constraints of their system, which must be considered in the eventual design and
implementation of the prototype.
1. A balance between performance and security is required.
2. Selected algorithms should not have any well-known weaknesses or vulnerabilities.
Finvest Holdings
has provided a sketch of what is expected from the prototype system (see Figure
1
). Once a
user logs in, the prototype shall display a list of the operations that the user is able to perform in the system
(these do not need to be implemented).
Finvest Holdings
has expressed that the prototype does not require
any “fancy” user interface as they have already contracted another firm for that purpose. Instead, they are
interested specifically in the design and implementation of the security mechanisms and a prototype that is
able to demonstrate that the system will meet their needs.
Figure 1: Sample prototype interface for the
Finvest Holdings
system
Page 4 of 13
Due
Date:
December
4,
2023
SYSC
4810A
—
Assignment
To assist with testing and validation of the system,
Finvest Holdings
has provided the following sample list
of employees and clients:
Name
Role
Name
Role
Mischa Lowery
Regular Client
Willow Garza
Premium Client
Veronica Perez
Regular Client
Nala Preston
Premium Client
Winston Callahan
Teller
Stacy Kent
Investment Analyst
Kelan Gough
Teller
Keikilana Kapahu
Investment Analyst
Nelson Wilkins
Financial Advisor
Kodi Matthews
Financial Plannerr
Kelsie Chang
Financial Advisor
Malikah Wu
Financial Planner
Howard Linkler
Compliance Officer
Caroline Lopez
Technical Support
Stefania Smart
Compliance Officer
Pawel Barclay
Technical Support
3
Obligations
At the end of this assignment, you will be required to deliver the following information and outcomes to
Finvest Holdings
:
1. Provide a detailed report documenting the design choices and details of the prototype implementation.
This is necessary to enable
Finvest Holdings
to make important decisions about whether to proceed
with the implementation of the prototype.
2. Provide a functioning prototype system. You must demonstrate and provide a convincing argument
that the system satisfies all of the requirements outlined by
Finvest Holdings
.
Page 5 of 13
Due
Date:
December
4,
2023
SYSC
4810A
—
Assignment
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help
Related Questions
Write a 3 page paper titled “Hospital Information Systems SecurityWrite a 3 page paper (excluding title and reference pages) titled “Hospital Information Systems Security”. The assignment must include 2-3 APA references. Discuss the following in your paper:The fundamental concepts of information The principles associated with information securitySecurity conceptsPrinciples and models and education for the personnelAccess controlsBasic cryptography and its applicationsIntrusion detection and prevention …………………………
Added to cart
arrow_forward
A security policy is a document that provides employees with clear instructions about acceptable use of company confidential information, explains how the company secures data resources and what it expects of the people who work with this information. Most importantly, the policy is designed with enough flexibility to be amended when necessary.
You are working in organization X, and you are supposed to develop an issue-specific security policy, you can pick one issue from Table.1 [1] (In the photos)
Your Task is:
To develop the different sections of your policy and adequate procedure(s), you can refer to SANS Policy Templates [2].
References:
[1] Developing an Information Security Policy: A Case Study Approach, Fayez Hussain Alqahtani. 4th Information Systems International Conference 2017, ISICO 2017, 6-8 November 2017, Bali, Indonesia.
[2] https://www.sans.org/information-security-policy/
arrow_forward
Suppose we had to put our current Yoga application into production, and despite the fact that we had installed a firewall, we had to identify three (3) significant and distinct areas in which our application and its environment were still vulnerable, and then list some possible ways in which we would have to protect those vulnerabilities. What would we do if we had to do this? Keep your writing specific, comprehensive, and critical-thinking-intensive. Consider that you're writing this for your bosses and that your job is on the line. However, keep it to three paragraphs or less. Each paragraph should include a clear list of vulnerabilities, as well as at least one mitigation for each vulnerability. Predicted word count: three well-structured yet succinct paragraphs
arrow_forward
Methods of categorising access control measures are discussed. The various types of controls that can be found in each will be discussed.
arrow_forward
As part of a website redesign at Sunshine State University, a directory search application was developed. It allows any- one to search for Sunshine State students, staff, and faculty names and email addresses. Before the website is released to the public, you have been asked to work with the team evaluating the security. And you found out this system could possibly be suffering for system misconfiguration. write a paragraph brief (one to two paragraphs) summary of your findings that could be presentedto the administration of Sunshine State University. Make sure to include:a) What vulnerability or vulnerabilities this application suffer from?b) Possible harm that could come from this vulnerability.c) Reasons that you feel this vulnerability is presen
arrow_forward
The proposed answer should only deal with problems that have to do with IT security.
arrow_forward
Choose particular security clearances from the ones we'll go over. Illustrative. DAC,
MAC, RBAC, ABAC, RBAC, RAC, IBAC, OBAC, and RBAC are all forms of access control
systems (RBAC).
arrow_forward
Make sure you submit your proposal for a security education program. Artifacts that have been finished and polished are supposed to have all their parts. The input that was used to create it should be reflected in its final form. The proposal will include an executive summary, a communication plan, an introduction, the proposal's policies and procedures, the proposal's main body, the proposal's main body, the policies and procedures, the recommended remedies to security weaknesses, and the strategies to constantly monitor the company for hostile conduct.
arrow_forward
Describe an access control situation using one of the four techniques. What makes this choice unique?
arrow_forward
What is the “DE” function in the National Institute of Standards Technology (NIST) Cybersecurity Framework?
Multiple Choice
detect function
develop function
determine function
arrow_forward
Provide an example of a situation in which one of the four different methods of access control may be put into practice. What makes this choice different from the others that are available in this category?
arrow_forward
▾ Topic 1
(Refers to Lesson #1) Discuss how the definition of privacy that is commonly used (freedom from observation) may differ from the
definition of privacy from the information security perspective (freedom from unsanctioned intrusion).
Topic 2
▸ Topic 3
8
f
ion_topics/2947715?module_item_id=12935597#
Q Search
S
T
Q Search entries or author
G
H
N
& 7
M
Unread
hp
3
K
fo
↑
©
E
fo
F11
P
alt
112
C
**
ļ
Insert
ctn
E
pause
10:14
10/30/20
backspace
arrow_forward
Book title: Cybersecurity Essentials - Charles J. BrooksChapter 1 - Infrastructure security in the Real world
From the information provided in the first scenario, consider the National Institute of Standards and Technology (NIST) functions detailed in this section and observe how they relate to each category.
1. Which steps could be put in place to recover from actions intended to access, disable, degrade, or destroy the assets that has been previously identified (NIST RC.RP-1)?
(Refer to screenshot for reference)
arrow_forward
1. What is scope? Explain how the SDIP differs from the PMBOK.
2. What is scope creep? Explain how the SDIP differs from the PMBOK.
3. What is “creep control?”
arrow_forward
You have been entrusted with the responsibility of developing a security architecture for a large corporation.
Make a list of all of the components (hardware and software) that you will need in order to create a secure network. Give a rationale for your selection of a certain component.
Draw a diagram to depict a potential architecture, including the location of the component specified in the previous step (a). Include a description of the architecture you've created and the positioning of components in the design.
arrow_forward
Question 3
Miss Low, an IT expert from Embedded System Integrator Company (ESIC), had secretly transferred
the most recent smartphone design blueprint and other material into her company's smartphone and
emailed them to a competitor. Her manager had discovered her, and she had attempted to destroy all
traces of the activity, including her communications with the competing company. Her boss then
informed higher management about the situation. The matter was investigated by a Digital Forensics
Specialist (DFS). On the IT engineer's smartphone, the expert performed forensic investigation and
analysis.
Based on the above scenario, answer the following questions:
a)
Once the phone is in airplane mode and in Faraday's bag, list THREE (3) tools that you can
use to gather evidence.
b)
Planning, Acquisition, Analysis, and Reporting are the four main processes in a forensic
inquiry. Analyse what DFS should do at each stage.
arrow_forward
Answer the given question with a proper explanation and step-by-step solution.
In this week's lecture, we are looking at the SANS CISO Mind Map and how we focused on Security Operations. Pick one of the items (for example - - Data Loss Prevention (DLP), VPN, Security Gateway, etc.) and research the topic and provide a two-paragraph minimum with references on the topic. Pick something you are interested in or do not know but would like to learn more about the topic. Sell me, make me excited.
arrow_forward
Assig 1
Evaluating Risk Handling Strategies
Learning Objectives and Outcomes
▪ Evaluate appropriate risk-handling strategies for a given scenario.
Assignment Requirements
The X-Axis is a renowned private cancer hospital located in Las Vegas. The hospital maintains a critical database
in-house that includes patient data for all patients.
You are the IT security manager at X-Axis. The power from the city to the company's data center has been unstable
in recent months. The database was offline twice due to power issues, once for 6 hours and once for 10 hours. You
are evaluating the risk to the organization of continued power issues and database availability.
For this assignment:
1. Create a table in Microsoft Word similar to the following for avoidance, transference, and mitigation risk-
handling strategies.
Risk Handling Strategy Description
Avoidance
Transference
Mitigation
Fill in each empty cell with a description of at least two appropriate strategies or actions.
Self-Assessment…
arrow_forward
Developing a security architecture for a big company has been left to you.
Plan out what gear and software you'll need to set up a safe network before you begin. Explain why you choose a certain component.
The component described in the previous phase should be included in a diagram depicting a possible architecture (a). Include a description of your design's architecture, as well as the locations of various components.
arrow_forward
When we talk about the "security of the system," what precisely do we mean when we use that phrase to talk about a certain situation?
arrow_forward
Chain Link Consulting is an information technology consulting company that focuses on system security concerns. When the company's president asks you to assist her with the preparation of a presentation for a group of potential clients at a trade show meeting next month, you say "yes." First and foremost, she would like you to examine system security concerns in light of all six security levels. Afterwards, she wants you to come up with a list of methods that Chain Link might evaluate a client's security procedures in order to obtain an accurate evaluation of their level of exposure.It was her way of making the situation more intriguing by saying that it was fine to be imaginative in your ideas, but that you should avoid proposing anything that would be unlawful or immoral. Example: It might be OK to pretend as a job candidate with phony references to see whether they were being reviewed, but it would be inappropriate to steal a lock and access the computer room to check on things.Your…
arrow_forward
Regarding the administration of leased or borrowed medical equipment in
respect to your MEMP, are there any specific procedures that need to be
adhered to as a matter of protocol?
arrow_forward
Computer theory: What are the changes made in SP 800-100 model in terms of security.
arrow_forward
SEE MORE QUESTIONS
Recommended textbooks for you
![Text book image](https://www.bartleby.com/isbn_cover_images/9781337405713/9781337405713_smallCoverImage.gif)
Management Of Information Security
Computer Science
ISBN:9781337405713
Author:WHITMAN, Michael.
Publisher:Cengage Learning,
![Text book image](https://www.bartleby.com/isbn_cover_images/9781337102063/9781337102063_smallCoverImage.gif)
Principles of Information Security (MindTap Cours...
Computer Science
ISBN:9781337102063
Author:Michael E. Whitman, Herbert J. Mattord
Publisher:Cengage Learning
Related Questions
- Write a 3 page paper titled “Hospital Information Systems SecurityWrite a 3 page paper (excluding title and reference pages) titled “Hospital Information Systems Security”. The assignment must include 2-3 APA references. Discuss the following in your paper:The fundamental concepts of information The principles associated with information securitySecurity conceptsPrinciples and models and education for the personnelAccess controlsBasic cryptography and its applicationsIntrusion detection and prevention ………………………… Added to cartarrow_forwardA security policy is a document that provides employees with clear instructions about acceptable use of company confidential information, explains how the company secures data resources and what it expects of the people who work with this information. Most importantly, the policy is designed with enough flexibility to be amended when necessary. You are working in organization X, and you are supposed to develop an issue-specific security policy, you can pick one issue from Table.1 [1] (In the photos) Your Task is: To develop the different sections of your policy and adequate procedure(s), you can refer to SANS Policy Templates [2]. References: [1] Developing an Information Security Policy: A Case Study Approach, Fayez Hussain Alqahtani. 4th Information Systems International Conference 2017, ISICO 2017, 6-8 November 2017, Bali, Indonesia. [2] https://www.sans.org/information-security-policy/arrow_forwardSuppose we had to put our current Yoga application into production, and despite the fact that we had installed a firewall, we had to identify three (3) significant and distinct areas in which our application and its environment were still vulnerable, and then list some possible ways in which we would have to protect those vulnerabilities. What would we do if we had to do this? Keep your writing specific, comprehensive, and critical-thinking-intensive. Consider that you're writing this for your bosses and that your job is on the line. However, keep it to three paragraphs or less. Each paragraph should include a clear list of vulnerabilities, as well as at least one mitigation for each vulnerability. Predicted word count: three well-structured yet succinct paragraphsarrow_forward
- Methods of categorising access control measures are discussed. The various types of controls that can be found in each will be discussed.arrow_forwardAs part of a website redesign at Sunshine State University, a directory search application was developed. It allows any- one to search for Sunshine State students, staff, and faculty names and email addresses. Before the website is released to the public, you have been asked to work with the team evaluating the security. And you found out this system could possibly be suffering for system misconfiguration. write a paragraph brief (one to two paragraphs) summary of your findings that could be presentedto the administration of Sunshine State University. Make sure to include:a) What vulnerability or vulnerabilities this application suffer from?b) Possible harm that could come from this vulnerability.c) Reasons that you feel this vulnerability is presenarrow_forwardThe proposed answer should only deal with problems that have to do with IT security.arrow_forward
- Choose particular security clearances from the ones we'll go over. Illustrative. DAC, MAC, RBAC, ABAC, RBAC, RAC, IBAC, OBAC, and RBAC are all forms of access control systems (RBAC).arrow_forwardMake sure you submit your proposal for a security education program. Artifacts that have been finished and polished are supposed to have all their parts. The input that was used to create it should be reflected in its final form. The proposal will include an executive summary, a communication plan, an introduction, the proposal's policies and procedures, the proposal's main body, the proposal's main body, the policies and procedures, the recommended remedies to security weaknesses, and the strategies to constantly monitor the company for hostile conduct.arrow_forwardDescribe an access control situation using one of the four techniques. What makes this choice unique?arrow_forward
- What is the “DE” function in the National Institute of Standards Technology (NIST) Cybersecurity Framework? Multiple Choice detect function develop function determine functionarrow_forwardProvide an example of a situation in which one of the four different methods of access control may be put into practice. What makes this choice different from the others that are available in this category?arrow_forward▾ Topic 1 (Refers to Lesson #1) Discuss how the definition of privacy that is commonly used (freedom from observation) may differ from the definition of privacy from the information security perspective (freedom from unsanctioned intrusion). Topic 2 ▸ Topic 3 8 f ion_topics/2947715?module_item_id=12935597# Q Search S T Q Search entries or author G H N & 7 M Unread hp 3 K fo ↑ © E fo F11 P alt 112 C ** ļ Insert ctn E pause 10:14 10/30/20 backspacearrow_forward
arrow_back_ios
SEE MORE QUESTIONS
arrow_forward_ios
Recommended textbooks for you
- Management Of Information SecurityComputer ScienceISBN:9781337405713Author:WHITMAN, Michael.Publisher:Cengage Learning,Principles of Information Security (MindTap Cours...Computer ScienceISBN:9781337102063Author:Michael E. Whitman, Herbert J. MattordPublisher:Cengage Learning
![Text book image](https://www.bartleby.com/isbn_cover_images/9781337405713/9781337405713_smallCoverImage.gif)
Management Of Information Security
Computer Science
ISBN:9781337405713
Author:WHITMAN, Michael.
Publisher:Cengage Learning,
![Text book image](https://www.bartleby.com/isbn_cover_images/9781337102063/9781337102063_smallCoverImage.gif)
Principles of Information Security (MindTap Cours...
Computer Science
ISBN:9781337102063
Author:Michael E. Whitman, Herbert J. Mattord
Publisher:Cengage Learning