Information Systems Risk & Cybersecurity Risk – March, 2022
You must do Q1 and then you must do two out of the three problems Q2, Q3, and Q4.
1. (Cryptography - 40 points – maximum 3 pages (1.5 spaced))
a.) Describe the functioning of
(i) symmetric-key cryptosystems
(ii) asymmetric-key cryptosystems
(iii) Message Authentication Codes (MAC)
For (i) and (ii), please list two examples of the currently important methods.
b.) Explain the role of Hardware Security Modules for Key Management.
c.) What is a digital certificate and a certification authority? For which purposes are digital certificates being used in current network infrastructures? How can a sophisticated threat actor use compromised digital certificates for attacks?
d.) Explain the concept of authenticity and integrity and how this can be implemented with cryptographic hash-functions and digital certificates.
e.) What is the major shortcoming of the Vernam Code and why can quantum cryptography mitigate this shortcoming?
f.) How can asymmetric-key cryptosystems being used to ensure non repudiation?
g.) Some users of asymmetric-key cryptosystems are publishing the public key on their web site. Explain how this can be exploited by an attacker. How can this exploit risk being mitigated by the involvement of a Certification Authority and a digital certificate.
h.) How can a virus use cryptographic routines to avoid detection by antivirus programs? Explain the term “polymorphic virus”.
i.) Explain technical building blocks like Firewalls, IDS and SIEM and how this can be used to implement a concept of multilevel security.
j.) Briefly explain the difference between Steganograpy and Cryptography.
k.) Explain the meaning of Cyber Threat Intelligence.
2. (TCP/IP – 30 points - maximum 2 pages (1.5 spaced))
a) Explain the different levels of the DoD-architecture.
b) Explain the differences between UDP and TCP.
c) Explain how TCP/IP stack breed critical vulnerabilities in IoT devices.
d) Why this is relevant for Real Time Operating Systems?
e) Describe the service provided by the Internet-Protocol (IP).
f) Explain the security architecture IPsec for IP. What are the main differences between IPsec and SSL/TLS?
g) What is the meaning of tunneling and what are virtual private networks (VPNs) ?
h) How can VPNs being used to provide remote access ?
i) How can IPsec being used for tunneling and the set up of VPNs?
j) What is the difference of HTTPS and HTTP and what is the role of SSL/TLS?
k) Give an example how tunneling can be used for circumventing firewall policies.
l) What is the role of the Diffie Hellman Key Exchange for network security?
m) How are Man in the Middle Attacks mitigated in relevant protocols for network security?
3. (System Development Life Cycle – 30 points - maximum 2 pages (1.5 spaced))
Explain term Data Governance and the role of this term for firms with data driven business models and changing digital infrastructures.
In your role of the Chief Information Officer of a financing institution, you realize that the dynamic growth of the firm’s equipment leasing business threatens to overstretch the capacities of the existing database in which the information on client master data, key contract specifications, ratings, collateral values, and payment transactions is being managed. You reach the conclusion that a major redesign of the existing system, in which both the scalability of the system and the scope of the analytical functionalities it offers need to be greatly enhanced, is required.
a) Please name the successive phases of developing a successor system to the current solution.
b) Explain the terms DevOps and DecSecOps.
c) Please enumerate, and briefly explain, two weaknesses that are frequently encountered in such projects.
d) Explain the term Backdoor and applicable countermeasures.
e) Please explain how security aspects integrated into the different stages of the review process.
f) Please summarize the key characteristics of the “agile” approach to software development.
4. (Security controls – 30 points - maximum 2 pages (1.5 spaced))
Discuss the relationship of Cybersecurity Risk, Operational Risk and Reputational Risk.
Startled by recent news about “cyberattacks” on financial institutions, the directors of your company have commissioned a comprehensive assessment of the effectiveness and quality of existing controls directed at safeguarding data security and integrity inside the organization.
Please briefly describe
• the nature and purpose of the related testing procedures,
• the key prerequisites to be ensured prior to the performance of such an assessment, and
• the key conditions that must be met to ensure its effectiveness.
Briefly explain how the outcomes of such an assessment relate to the concept of “platform hardening”.
Your company has decided to shift critical business processes to the cloud. Briefly describe the concept of shared responsibility for security in the cloud.