Q1: A company took a SaaS option from a cloud service provider. The cloud service provider alerted the company of several suspicious behaviors from two employees in which large amounts of data were transferred and changed.

(1) To avoid the situation underlined above, what kinds of short-term and long-term control methods does the company need to adopt?

(2) Suppose that the two employees denied that they took the aforementioned suspicious actions. Which attack(s) could have been exploited by outside attackers that would have caused large amounts of data to be transferred and changed?

Q2: (1) What is a control used to reduce the chance of anyone individual violating information security and breaching the confidentiality, integrity, or availability of information? Specifically, the principle behind this policy is that any major task that involves sensitive information should require two people to complete.

(2) Provide an example describing a situation in which this policy should be adopted?

Q3: You receive an email message that purports to come from the Centers for Disease Control and Prevention (CDC). It asks you to click a link or image attached in the email to order N95 masks from the CDC. The email says that, through the attached link, each recipient can order a maximum of five masks. How can you verify whether the message came from the CDC or not?

Q4: For a tech company (e.g., Apple), (1) what are its most valuable assets? They use technical and physical controls, as well as policies and security awareness programs, to secure their assets from inside and outside threats, which occurred in several contexts (e.g., web application, cloud, network, wireless, physical, and insider).

(2) Which context, among several possible contexts, is the most vulnerable environment to them?

(3) Please explain why you think the context is the most vulnerable.

(4) Please suggest potential safeguards to protect against the issue.

Q5: How does hybrid encryption differ from asymmetric encryption? From symmetric encryption?

Q6: You entered your ID and password and were able to log into a website successfully. Even after that, sometimes

(a) the site asks you to enter your 4-digit passcode; other times,

(b) it sends a (temporary) token number to your mobile phone and asks you to enter the token number on the website. Which approach (a or b) is better than the other? Explain why.

Q7: Your company is planning to implement physical security inside the building. Which control methods could be employed, especially for high-security areas (e.g., server rooms)? Please list the three best methods and explain why these methods are best.

Q8: The problem of cross-site scripting (XSS) is not that scripts execute, for they do in many sites. The problem is that the script is included in the URL communicated between sites, and thus the user (or a malicious process) can rewrite the URL before it goes to its intended destination. Suggest a way by which scripts can be communicated more securely