• capability

• capability-based security

• censorware

• compact access rules

• content control software

• default permit

• Deny by Default

• directory path

• drive-by download

• execute right

• exploit

• file folder

• file-sharing policy

• global policy

• hierarchical directory

• information states

• interpreter

• isolation policy

• macro

• object

• owner rights

• permission flags

• processing state

• rights

• root directory

• sandbox

• scripting language

• security policy

• seek right

• shell script

• software patch

• state

• state diagram

• storage state

• subject

• system rights

• tailored policy

• transmission state

• Trojan

• window of vulnerability

• world rights

• zero-day exploit

• CRUD—create, read, update, delete access rights

• MBR—Master Boot Record

• RWX—read, write, and execute access rights

1. R1.     Explain the role of a file name and path in locating a file on a hard drive.

2. R2.     Describe the four basic access rights for files and other resources in general.

3. R3.     Give reasons a user would protect a file from read or write access by other users.

4. R4.     How does the operating system decide what permissions to apply when a user creates a new file?

5. R5.     Explain how the four basic access rights of files and directories interact.

6. R6.     What does it mean to have “Execute” access to a file?

7. R7.     What is “Seek” access and how is it different from “Read” access?

8. R8.     Describe the format of an executable file.

9. R9.     Why would we restrict access to executable files?

10. R10.   Describe how a virus operates and spreads.

11. R11.   Explain the difference between a virus, a worm, and a Trojan.

12. R12.   Summarize the policy for enforcing isolation among users.

13. R13.   Summarize the policy to provide file sharing among users.

14. R14.   When we wish to specify file-access rights, which elements serve as subjects and objects in the access matrix?

15. R15.   Explain the difference between a default permit policy and one that enforces Deny by Default.

16. R16.   Name the two requirements that must remain true in order for an operating system to enforce its policy.

17. R17.   Do most modern operating systems specify file permissions with a “cluster by row” or “cluster by column” strategy?

18. R18.   Summarize the information needed to specify a file’s access rights using permission flags.

19. R19.   Describe the differences between listing customary security controls (Table 3.6) and compact access rules (Table 3.7).

20. R20.   Describe the differences between an access matrix and a table of compact access rules.

21. R21.   Explain how the Morris worm took advantage of a failure to use Least Privilege.

22. R22.   Describe the components of a state diagram.

23. R23.   List the typical steps a vendor follows to release a software patch.

24. R24.   Explain two different situations in which a window of vulnerability might arise.

1. E1.     Search the directory on your computer.

             Locate the root folder. From there, locate the following files and provide the full path and file name for each:

   1. The word-processing program you typically use.

   2. A text or word-processing file in your “documents” directory (the directory in which programs typically save files for you).

   3. A file containing your “preferences” for a program like a web browser or word processor.

   4. A file you downloaded from the internet using your browser.

2. E2.     Can you create files in the root directory of your system? If so, create a file or folder and then delete it. If the attempt fails, describe the error message displayed.

3. E3.     Determine whether the system you use implements an isolation policy or a user-sharing policy. Describe the steps you took to verify your conclusion.

4. E4.     Determine whether the system you use will allow a file’s owner to block access to an owned file. Create a file and try to remove the owner’s Read or Write permission from the file. Did the system remove the right or not? How could you tell?

5. E5.     Find out about antivirus software on the computer you use.

   1. Is antivirus software installed?

   2. What kind is it?

   3. Can you tell if it works? Why or why not?

   4. Has it ever reported a virus to you? If so, describe how it handled the virus.

6. E6.     Search the internet for information on different malware packages, like those discussed in the text. Find a description of a malware package not described in the text. Provide the following information about the malware:

   1. What is the malware called?

   2. How does it propagate?

   3. What does it do to the computers it infects?

7. E7.     Bob would like to be able to look at his employees’ files and folders without having to log in as administrator. How can we do this with compact access rules? How does this improvement for Bob affect the other users?

8. E8.     Create a diagram portraying access rules that enforces the file-sharing policy described in Table 3.5.

9. E9.     Create a table of compact access rules that enforces the file-sharing policy described in Table 3.5. The compact access rules should use the same format as Table 3.7.

10. E10.   Alice’s computer was infected by Virus X, which attached itself to all of her applications. Bob lent her a file-searching utility, which was stored on a USB stick. This utility, however, was infected by Virus Y, which then infected all of Alice’s applications, too. Thus, each application contained two virus infections. Draw a diagram based on Figure 3.7 to show both infections in a single application file.

Riko is writing a program. Bob’s computer contains a compiler that will take Riko’s source code (the program she’s written) and produce an executable program file (with an “.exe” suffix). Thus, we have three users of interest: Bob, Riko, and everyone else, and these files: the compiler, Riko’s written program, and the executable program built by the compiler. We need to implement the policy in TABLE 3.8. Answer the following questions based on the scenario just described.

1. E11.   Draw a diagram showing the user and file access rights that implement the file-sharing policy in Table 3.8. Create a diagram similar to Figure 3.12 that includes the correct users, files, and permissions. Indicate access rights with arrows and labels (RWX). Be sure the access rights allow the work just described and still achieve Least Privilege.

2. E12.   Construct an access matrix that provides the user and file access rights needed to implement the policy in Table 3.8.