Question $1($Mandatory$)(10$ points$)$

New Brooklyn Bank employees have a problem sometimes. They complain that the customers are unhappy when they tell them that they have to wait for other people to do parts of the acount management job. The employees say that each of them should be able to complete all parts of account management so that it can be done by one person in one meeting with the client. The bank claims that it is necessary that different employees are responsible for different parts of the job so that if there is a security flaw in the process, it can be identified as relating to one specific employee. They say this design practice is called

Question $1$ options:

access control.

least privilege.

separation of domains.

minimization of implementation.

Question $2($Mandatory$)(10$ points$)$

Our company just acquired a new software that requires two of three methods to login to use it$.$ It says that one should use two of the following three: 'something you are', 'something you have', or 'something you know'.

This is a best practice to implement

Question $2$ options:

usability.

modularity.

minimization of implementation.

authentication which is part of access control.

Question $3($Mandatory$)(10$ points$)$

Our company executives have two types of accounts, in one type they can access all company resources, and in the other one they use a small subset of resources, such as just the email. The idea is not to use a highly privileged account for something that does not require access to everything. This is an example of implementing

Question $3$ options:

separation of domains.

least privilege.

account auditing.

usability.

Question $4($Mandatory$)(10$ points$)$

The new database system that our bank has acquired has an interesting behavior. If even a legitimate user causes a system failure, the whole system shuts out until the administrator verifies that there is no attack going on and restarts the database system. We are told that this is an example of security design practice called

Question $4$ options:

separation of domains.

least astonishment.

access control.

fail secure$.$

Question $5($Mandatory$)(10$ points$)$

Our company redesigned the user interface for our best seller security app. The display showed all the previous functions with some differences from the previous version in that the icons were on different places on the screen. Some of our customers complained that we have not cared about the design principle called

Question $5$ options:

least astonishment.

updates and patches.

modularity.

access control.

Question $6($Mandatory$)(10$ points$)$

Our company has completely redesigned our main security app so that it is broken down into independent parts that have well$-$defined interfaces with exactly two other parts, one to get information and the other to provide information to$.$ In this way, our future versions will not need to be designed and replaced in entirety. Instead, only the part undergoing improvement is replaced by update, just like major operating systems do$.$ This is design practice called

Question $6$ options:

modularity.

open design.

separation of domain.

least privilege.

Question $7($Mandatory$)(10$ points$)$

Arguably, the most secure encryption $/$ decryption algorithm, called Rijndael, that is used for the advanced encryption system $($AES$)$ in USA is not a secret. It is available in public domain which makes it more secure because the adversary can try breaking it if they can. Having an algorithm in public domain like this is an example of the security design practice called

Question $7$ options:

minimization of implementation.

least astonishment.

authorization.

open design.

Question $8($Mandatory$)(10$ points$)$

Vulnerabilities in a software or hardware system are not always known. The ones that are not known are called zero$-$day vulnerabilities because once they are discovered by the adversary, you have zero days to do something. The vendors usually find a solution as soon as they discover a zero$-$day vulnerability and contact the buyers directly to either update their software or send them the solution. This design practice is called

Question $8$ options:

logging and auditing.

updates and patches.

backups and restorations.

usability.

Question $9($Mandatory$)(10$ points$)$

Saved

The router that we bought had the options to have secure communications with multiple brands, but we use only one brand. Therefore, we turned off the security features regarding all other brands. This is an example of a design practice called

Question $9$ options:

updates and patching.

separation of domain.

least privilege.

minimization of implementation.

Question $10($Mandatory$)(10$ points$)$

Earlier versions of our software had only one user account and password combination for the administrator. Now, we ship it with a hiera