Assignment 1 – Due Tuesday, January 30

This assignment has two parts, which are submitted separately in Canvas: Written questions (questions 1-5), which must be submitted as a PDF file, and a Labtainer exercise (question 6), which must be submitted as a “lab” file (created by the Labtainer system). Note that Canvas will only accept a PDF file for the written portion, and will only accept a lab file for the Labtainer portion. Written solutions can be either electronically prepared or neatly handwritten and scanned. If you must use a phone camera rather than a scanner, you should use a “scan to PDF” app to produce a proper and readable PDF document. Check the file that Canvas received as your submission. I will grade only what is there, using the timestamp in Canvas. I will not accept a file after the fact because your upload failed or because the file was corrupt or you submitted the wrong file…

If you want to use a tool to electronically create your diagrams, you should use an appropriate tool to draw neat diagrams (e.g., LucidChart or Visio). It is almost impossible to make a neat, professional-looking diagram in Word or some other tool that is not designed for this, so do not try.

On this and all other assignments, remember to fully explain your answers, and cite all sources of information!

  1. Find a news story of a security incident from this past year that involved a malicious attacker (that shouldn’t be hard!), and describe in at least some detail what happened. Your description should include a statement about each of the “big three” security goals, indicating whether it was violated (and if it was, how it was violated). Also speculate on what type of attacker was involved and what the attacker’s motive may have been. Make sure that the incident occurred in 2023, and cite your source(s) of information.

  2. In this question, you are to get a feel for how vulnerable modern systems are by exploring the “National Vulnerability Database” that NIST maintains, which is at https://nvd.nist.gov/.

    1. Locate the full list of vulnerabilities, and pick a random month from last year (e.g., maybe your birthday month) and see how many vulnerabilities were reported that month. Report how many there were for the month, and calculate the average number of vulnerabilities reported per day. If you were a security professional, and spent on average 5 minutes looking at each CVE to see if it applied to systems you manage, how much time per week would you spend reviewing CVEs?

    2. Look into some of these vulnerabilities (you can just click randomly on the CVEs in your chosen month) to see how they are reported. Can you find any that give vulnerabilities associated with software or systems that you use? Report on your findings, and describe how you can determine the risk to the “big three” security goals based on the information reported in the CVE entry. Looking into the information reported in a CVE, what is the most important information that can help you identify if the CVE is relevant to your systems?

  3. Consider an electronic voting system, supporting both voters and election administrators, including components for ongoing voter registration and voter roll maintenance, as well as election day polling place voter check-in, voting, and tabulation/reporting. Create a system and threat model for this system, similar to the way we did in class for the point of sale payment system (see the “Larger In-Class Activity” in the “Terminology and Goals” slides for steps and more information – the following slide was also used for our in-class overview of how voting works in the U.S.).

    Draw out the system model, identify locations for data at rest, data in motion, and data in use, and define confidentiality, integrity, and availability concerns for data and systems in your model (like we did for the payment system in class). Identify threats and access points.

  4. Consider the following set of subjects and objects in the Bell-LaPadula model, with clearances and classifications as shown (C, S, and TS stand for “Classified”, “Secret” and “Top Secret”, listed in increasing level of classification):

    Subject Clearances:

    • Harry Potter: (C, {HOGWARTS})
    • Arthur Weasley: (S, {MINISTRY})
    • Severus Snape: (S, {HOGWARTS})
    • Albus Dumbledore: (TS, {HOGWARTS,MINISTRY})


    Objects and Object Classifications:

    • HWEvents: (C, {HOGWARTS})
    • JointOps: (S, {HOGWARTS,MINISTRY})
    • Investigations: (TS, {MINISTRY})


    1. Write out the access control matrix that shows both read and write permissions for all four subjects and three objects (use “R” to denote read permission, and “W” to denote write permission).

    2. What label could an object have such that Dumbledore could write to it without any difficulties?

    3. Let’s say Dumbledore wanted to post a new event to the “Events” object (which requires writing to the object), but the clearance shown above does not allow it. Is there a way around this?

  5. These questions relate to the “Secure Design Principles” from Section 1.1.4 in the textbook (and that we discussed in class).

    1. Using compartments and need-to-know labels in the Bell-LaPadula model is similar to one of the secure design principles. State which one, and describe how these two concepts are related.

    2. Back in the 1800’s, Auguste Kerckhoffs stated that the security of a cryptographic system should not require the secrecy of the algorithm (only the key used) – this is now known as “Kerckhoffs’s Principle.” This is similar to one of the secure design principles. State which one, and describe how these two concepts are related.

  6. Labtainer setup and exercise. For this question, you are to set up your computer to run “Labtainer” exercises, and then perform a straightforward lab on basic Unix/Linux commands. This is being assigned so that you go ahead and get the Labtainer virtual machine environment set up and working on your computer, which poses a few challenges: First, the image you need to download is large (3.9 GB), which can take a long time if your Internet connection is slow. Second, if you have a recent Apple Mac, using an Apple Silicon (M1 or M2) CPU, you cannot do this without emulation and a serious performance hit. We have other solutions if you are in this situation, but you must let me know ASAP.

    If you have a particularly slow or unreliable connection, I would recommend coming to campus or finding some other place with a fast connection in order to do the download. Second, for good VirtualBox performance, you’ll need a decent amount of RAM (at least 8GB, but more is better) and your computer BIOS settings need to have hardware virtualization support enabled. Modern Intel-based systems (meaning anything except the recent Apple Silicon-based Macs), purchased within the last 4 years, should probably support this without any problems. If you have significant problems, you should talk to me to either get things set up properly on your computer or to arrange an alternative.

    Here’s what you need to do: First, if you don’t already have it installed, install VirtualBox – see https://www.virtualbox.org/ to download and install this free software.

    Next, go to the Labtainer web page ( https://nps.edu/web/c3o/labtainers ), click on “Virtual Machine Images” and download the “VirtualBox VM Appliance” from that page. The one-line “Directions” right below the link to the image is all you need to do in order to get this installed and usable with VirtualBox.

    For some reason, the latest version of the Labtainer VM image is set up by default using display scaling, which makes it look horrible on my system. Look at the VM settings, and if it has a “Scale-factor” other than 1 listed, consider changing it to 1 (or 100%). You can adjust this to your preference later. If you have any issues with the virtual system crashing/logging you out, try powering the virtual system off and changing the “Graphics Controller” in the Display settings from VMSVGA to VBoxVGA — I had to do that on one system for some reason, but that corrected the problem.

    Finally, start the virtual machine image from VirtualBox. After it boots up and stabilizes, you will see a Linux desktop with a terminal window and command prompt. This is the normal “starting point” for Labtainer exercises. You should open the “Student Guide” from the Labtainer web page, and read Section 3 (“Performing a Lab”) to understand how the Labtainer system works in general. Note that the more involved parts of Sections 1 and 2 are not necessary and are simply confusing if you’re using the VirtualBox image - just skip those. It’s worth your time to poke around a little on the Labtainer web site to see what is there – for example, the “Labtainer Lab Summary” and “Lab Manuals” are good things to be familiar with.

    Finally, you should complete the nix-commands lab. To do this, you type “labtainer nix-commands” at the command prompt of your Labtainer virtual machine. The first time you run this it will ask for your email address, which is needed to identify your work after you submit it – use your UNCG email address! After the first time, the Labtainer system will remember your email address and present it to you as the default. After getting the lab started, the system will print out some links to the information needed for the lab; alternatively, you can directly access the instructions from the Labtainer web site. Note that the lab starts up a new terminal window with a shell running inside the lab container and this is very different from the shell you just used to start the lab, which is running in the VM system. Keep these separate in your mind because they are two separate and different environments. While the two windows look almost the same, you can tell the difference in the window’s title bar – the labtainer window(s) will have a title that looks like “student@nix-commands” (or whatever other lab you’re running later), while the VM window will have a title that looks like “student@LabtainersVM”. Yes, it can get confusing…. When you are finished, type “stoplab nix-commands” in your original terminal window (the VM window).

    After you have completed everything, including typing the “stoplab” command, there will be a file with a .lab extension created in directory /home/student/labtainer_xfer/nix-commands — you should use the Web browser from inside the Labtainer VM to submit this file in Canvas. From this file, I will be able to see all of the commands you executed, and whether you followed the directions in the lab will be the basis of your grade, so make sure you do everything stated in the lab instructions!
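
For the Bell-LaPadula setup in question 4, the following added example (not part of the original assignment) shows how read and write permissions follow from label dominance when labels carry both a level and a compartment set. It assumes the standard "no read up, no write down" rules and uses constructed subjects, objects and compartments (`alice`, `ENG`, and so on) rather than the ones in the question.

```python
from itertools import product

# Level ordering as given in the assignment: C < S < TS.
LEVELS = {"C": 0, "S": 1, "TS": 2}

def dominates(a, b):
    """True if label a = (level, compartments) dominates label b."""
    (level_a, comps_a), (level_b, comps_b) = a, b
    return LEVELS[level_a] >= LEVELS[level_b] and set(comps_a) >= set(comps_b)

def can_read(subject, obj):
    # Simple security property (no read up): subject must dominate object.
    return dominates(subject, obj)

def can_write(subject, obj):
    # *-property (no write down): object must dominate subject.
    return dominates(obj, subject)

def access_matrix(subjects, objects):
    """Map (subject, object) -> '', 'R', 'W' or 'RW'."""
    matrix = {}
    for (s, s_label), (o, o_label) in product(subjects.items(), objects.items()):
        rights = "R" if can_read(s_label, o_label) else ""
        rights += "W" if can_write(s_label, o_label) else ""
        matrix[(s, o)] = rights
    return matrix

# Constructed sample labels (assumptions, not the assignment's data).
SUBJECTS = {
    "alice": ("S", {"ENG"}),
    "bob": ("TS", {"ENG", "OPS"}),
    "carol": ("C", set()),
}
OBJECTS = {
    "design_doc": ("S", {"ENG"}),
    "ops_plan": ("TS", {"OPS"}),
    "bulletin": ("C", set()),
}

if __name__ == "__main__":
    m = access_matrix(SUBJECTS, OBJECTS)
    print(f"{'':8}" + "".join(f"{o:>12}" for o in OBJECTS))
    for s in SUBJECTS:
        print(f"{s:8}" + "".join(f"{m[(s, o)] or '-':>12}" for o in OBJECTS))
```

Note the `alice`/`ops_plan` cell: the two labels are incomparable (neither compartment set contains the other), so neither read nor write is granted even though the object's level is higher.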