How to Prepare for the Fall Exam COM380/CIT304 Harry Erwin, PhD University of Sunderland.


Exam Structure
Two parts:
–Fall Exam (Harry Erwin)
Security, with three questions of 20 marks each. You answer two.
Server Side Technology, with two questions of 10 marks each. You answer one.
–Spring Exam (John Wraith), worth 50 marks on e-commerce management. John has briefed you separately.

Exam Ground Rules
We are aware some of you are relatively non-technical. We are aware that even those of you who are technical come from a number of courses. The exam is designed to be passable by all of you. It tests critical thinking. The exam is hard, but the marking takes that into account. You need to pass the exam as a whole, not each part individually.

Reread:
Schneier, Beyond Fear: discusses how to think critically about security. Know his five-step analysis process and be able to apply it.
Schneier, Secrets and Lies: the threat environment. Understand what it may mean for your organization.
Anderson, Security Engineering: the technology (don't memorize, but know how it fits in!).
Erwin, COM380 Lecture Slides: thinking about security requirements and solutions.

Be Able To:
Define the terms used in security.
Describe what a security analyst does.
Write a job description for a security analyst.
Conduct a job interview for a security engineer/analyst in your field.
Identify snake-oil when someone tries to sell you some technology.
–Know what probing questions to ask as a skeptical manager with some money to spend on security.
–Know what each security technology is good for.

For Example
Suppose someone tries to sell you an intrusion detection system as a security solution.
–Know what an IDS is good (and bad) for.
–Know the two basic IDS technologies and their strengths and weaknesses.

Another Example
Do ID cards solve the terrorism problem?
–What do ID cards do?
–What are their risks?
–What are the threats to ID cards?
–What do they not do?
–Do they solve the problem?

Likely Exam Areas
The Threat
Risk Analysis
Trust Analysis
Policies (particularly legal areas)
Assumptions of Secure Operation
Security Objectives
Security Mechanisms
Securing E-Commerce

The Server-Side Technology Questions Read up on server side technology (see Bergsten, JavaServer Pages and my lectures for a start). Be prepared to evaluate it critically.

Some Questions from Previous Years The 25-mark security questions are from 2003, the 20-mark security questions from 2004, and the 10-mark server-side questions from You won’t see these specific questions on the exam.

Risk Analysis (25 marks total)
a) What is a risk and how does it differ from a vulnerability or threat? (10 marks)
b) Describe the risk analysis process in detail using an example. (10 marks)
c) What information does a complete risk analysis give a manager? How can he use it in risk management? (5 marks)

Security Mechanisms (25 marks total)
"Audit" describes a specific family of security mechanisms. In an essay,
a) Explain what an audit mechanism does and describe the possible uses of audit log data. (5 marks)
b) Describe and critically justify against alternatives an approach to audit in a distributed environment. (10 marks)
c) Describe the risks associated with the storage of audit log data and how to mitigate those risks. Critically justify your recommended approach. (10 marks)

Intrusion Detection (25 marks total)
a) Explain what an intrusion detection system does. (6 marks)
b) Describe in detail the three problems that developers of intrusion detection systems must solve:
–i) The timely notification problem (3 marks)
–ii) The false alarm problem (3 marks)
–iii) The response problem (3 marks)
c) Name and describe two general approaches to intrusion detection, compare them critically, and explain how they address the three problems listed under (b). (10 marks)

Job Description (20 marks) What questions does a computer security analyst have to answer about a system? Discuss in detail using an example of a specific kind of business or service, e.g., an provider, a business web-site, a human resources department of a company, an electronic voting system, or an on-line bank. Describe critically how the analyst might approach each question.

Threat Environment (20 marks) Critically evaluate the current threat environment for a specific kind of business or service, for example an provider, a business web-site, a human resources department of a company, an electronic voting system, or an on-line bank. In other words, what are the threats, what is their relative importance, why did you come up with that rank-ordering, and how can the system be protected against those threats?

Privacy (20 marks) Describe the EU and US legal positions on individual privacy, and critically compare them. Critically discuss the possible ways that a US business has to address the requirements of the EU Data Protection Directive.

Job Description (20 marks) Assume you are hiring a security analyst. Describe and critically justify the required knowledge (10 marks) and skills (10 marks) you would list on the job description.

Trust Analysis (20 marks) Explain how to do a trust analysis (10 marks) and critically discuss mechanisms to enforce trust. (10 marks)

ID Cards (20 marks) Discuss in a short critical essay the Home Office proposal on identification cards.

Server-Side Technology (10 marks)
Four example technologies were given and the following choices of question posed:
–Describe and evaluate in detail the technical pros and cons of these four approaches. That is, from a technical perspective, what are the issues that affect the choice of approach and what factors need to be assessed in making that choice?
–Describe and evaluate in detail the security pros and cons of these four approaches. That is, from a security perspective, what are the issues that affect the choice of approach and what factors need to be assessed in making that choice?
–Describe and evaluate in detail the managerial pros and cons of these four approaches. That is, from the perspective of a non-technical manager, what are the issues that affect the choice of approach and what factors need to be assessed in making that choice?

Server-Side Technology The ref-def question used another example, web services, but asked the same questions.

Changes this year
The security questions remain similar:
–One will be on security in general that can be answered based on Schneier and the lectures.
–A second will be on some specific technology discussed in Anderson.
–The third will be a critical analysis of a current security proposal.
The server-side question now asks for a critical comparison of technical approaches. You will have a choice of question here.

Questions?