Cybersecurity Strategy and Management
Boston College, ISYS6641, Fall 2022
Homework Assignment #2
Please submit your homework on the day it is due using the homework submission tool on the course
website. You will need to log in to submit your homework. Please do not email the document to the instructor.
Your homework should be in PDF or MS Word format and please do not use any fancy layout or
formatting; in other words, the simpler the format the better.
The file name for your homework must include your name and the specific hw#. In addition, you must of
course include your name and your email address as part of the document. (Some students always forget to do
this.) There is a penalty for late homework and the graded homework will be returned online. Your homework
must be your own work, in your own words.
HOMEWORK #2
1.) As you know the CIA Triad is used to describe three important security goals: confidentiality, integrity and
availability.
a.) Briefly describe a specific incident or example from a news story within the past six months that relates to each
of the three goals of the triad. In other words, your answer should describe three different incidents. Although
one incident might (and probably does) include elements of more than one part of the triad, you should state
explicitly which part of the triad each of the three incidents you describe is focused upon. Include the link for the
story and say which part of the triad is relevant to that story. (NOTE – You should not use the examples we have
discussed in class.) [6 points for the entire question]
2.) The Firefox Monitor website reports whether or not an email address has appeared in a known data breach. Try
two or more of your email addresses and report the results. The link for the website is:
https://monitor.firefox.com/ [2 points]
3.) The NIST Cybersecurity Framework includes different elements called Core function, categories, subcategories
and informative references. The reason for this division is that each element provides an increasing level of detail to
help explain and manage the specific security requirement. For example, consider the relationship (sometimes
called a mapping) starting from the core function of Protect, to the category of Data Security (PR.DS) and then the
subcategory PR.DS-1 which specifies that Data-at-rest is protected. An example of a product or service that
implements this requirement would be whole disk encryption such as FileVault in macOS or BitLocker
in Windows.
Describe two other examples of this Core/Category/Subcategory mapping, and as part of your description,
include information on a product or service that implements (or supports) the requirement. Your examples should
be chosen from two different core functions.
[6 points for the entire question]
4.) To state the obvious, Zoom usage skyrocketed over the past few years. Assume that you are the CISO for a
large M&A firm that has been using Zoom to discuss their deals, as well as other very sensitive financial
information with clients. You have been asked by the CFO of the firm to research and report on the security
vulnerabilities that were reported about Zoom in the spring of 2020.
More specifically, the CFO wants to know what, in your opinion, were the two most significant security
vulnerabilities that were identified during that time. The CFO assumes that these have been patched since then so
you do not need to discuss their resolution. Your report should be three or four paragraphs long and it should focus
on the vulnerability and what would have happened if the vulnerability was exploited by a bad actor.
Put aside for your report a discussion of Zoom’s privacy policies about users’ personal data, which were not
very clearly explained at that time. Also, put aside for this report to the CFO the problem of Zoom bombing, since
that issue was very well understood. [4 points for the entire question]
Here are a couple links for background:
https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing
https://techcrunch.com/2020/04/01/zoom-doom/
© 2022 L. Evenchik Page 2 of 2
5.) As discussed in class, all computer operating systems today include software that can generate public/private
(asymmetric) key pairs, and, as you would expect, there are websites that demonstrate the same thing.
One of the websites is called the Online RSA Key Generator and the link for it is:
http://travistidwell.com/jsencrypt/demo/
The goal for this question is to demonstrate how keys are generated and what keys of different sizes look like.
Remember that a longer key is “stronger” than a shorter key, but there is a tradeoff, which is related to
performance: key generation, and every signature or decryption done with the private key, gets slower as the
modulus grows. Note that the 512-bit size is used here only to make the comparison visible; 512-bit RSA moduli
have been factored in practice since 1999 and current NIST guidance requires at least 2048 bits. Keys generated
in a browser on a third-party demo site should likewise never be used to protect anything real.
Using this website, create a 512-bit key pair and then a 4096-bit key pair. You can do this by picking the key length
from the pull-down menu and then clicking the “Generate New Key” button.
A.) Study the keys and note any differences between the public and private keys (in a sentence or two).
B.) Discuss the difference in the time taken to generate the longer versus the shorter key pair.
[2 points for the entire question]
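For readers who want to see what the demo site does under the hood, here is an added example (not part of the assignment and not the jsencrypt site's code) that generates an RSA key pair of a chosen size in pure Python, writes both keys out in the same PKCS#1 PEM layout the site displays, and times the generation. It uses only the standard library (Python 3.8+ for the three-argument `pow` inverse), so it runs offline. The field names (`n`, `e`, `d`, `p`, `q`, `dp`, `dq`, `qinv`) follow the PKCS#1 RSAPrivateKey structure, which is why the private key PEM is so much longer than the public one. This is teaching code: real keys must come from a vetted library such as OpenSSL or `cryptography`.

```python
# Toy RSA key generation (added example, standard library only, demo use only).
import base64
import random
import time
from math import gcd

_RNG = random.SystemRandom()

# Odd primes below 2000, used for cheap trial division before Miller-Rabin.
_SMALL_PRIMES = [p for p in range(3, 2000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin; a composite survives with probability at most 4**-rounds."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:           # every odd n < 2000 is settled here
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:                 # write n-1 = d * 2**s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # witness found: n is composite
    return True


def generate_prime(bits: int) -> int:
    """Random prime with the top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        cand = _RNG.getrandbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa_keypair(bits: int, e: int = 65537):
    """Return (public, private) dicts using the PKCS#1 field names."""
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)               # private exponent: e*d == 1 (mod phi)
    public = {"n": n, "e": e}
    private = {"n": n, "e": e, "d": d, "p": p, "q": q,
               "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}
    return public, private


def _der_len(length: int) -> bytes:
    if length < 0x80:
        return bytes([length])
    b = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_integer(v: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps values with the high bit set positive."""
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def public_key_pem(pub) -> str:
    # PKCS#1 RSAPublicKey ::= SEQUENCE { n, e }
    return to_pem("RSA PUBLIC KEY", der_sequence(der_integer(pub["n"]), der_integer(pub["e"])))


def private_key_pem(priv) -> str:
    # PKCS#1 RSAPrivateKey ::= SEQUENCE { version 0, n, e, d, p, q, dp, dq, qinv }
    fields = [0] + [priv[k] for k in ("n", "e", "d", "p", "q", "dp", "dq", "qinv")]
    return to_pem("RSA PRIVATE KEY", der_sequence(*(der_integer(f) for f in fields)))


def roundtrip_ok(pub, priv, m: int = 0x2A) -> bool:
    """Textbook RSA sanity check, (m**e)**d == m (mod n); no padding, demo only."""
    return pow(pow(m, pub["e"], pub["n"]), priv["d"], priv["n"]) == m


def timed_keygen(bits: int):
    """Generate a key pair and return it with the elapsed seconds."""
    t0 = time.perf_counter()
    pub, priv = generate_rsa_keypair(bits)
    return pub, priv, time.perf_counter() - t0


if __name__ == "__main__":
    # 512 and 1024 keep the demo quick; 4096 works but takes minutes in pure
    # Python, which is the performance tradeoff the question asks about.
    for bits in (512, 1024):
        pub, priv, secs = timed_keygen(bits)
        print(f"{bits}-bit pair in {secs:.2f}s, roundtrip ok: {roundtrip_ok(pub, priv)}")
        print(public_key_pem(pub))
        print(private_key_pem(priv))
```

The PEM output can be checked with `openssl rsa -in key.pem -text -noout` (add `-RSAPublicKey_in` for the public key file) to confirm the fields decode as expected.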