(Due April 14, 2021 – 10 points)
Submission guidelines: The homework must be submitted by the deadline (earlier submissions
are encouraged) in PDF format. The assignment must be typewritten.
This homework is individual work; any overlap between homework reports will be penalized.
1. What is ISO 27001? How does it vary from the NIST Cybersecurity Framework?
2. What is the SANS/CIS Critical Security Controls? How does it vary from NIST Cybersecurity
3. A bank requires its customers, in order to access their online banking accounts, to provide as User
Id (or user name) the last 8 digits of their bank card number, and a password with a length
between 8 and 12 ASCII characters, including the following restrictions (posted on their
Passwords must be at least 8 characters long and at most 12 characters long, and must include at
least one character from each of the following four character types:
• Upper case letters – A B C D E F
• Lower case letters – g h i j k l
• Numbers – 1 2 3 4 5 6 7 8 9 0
• Special characters – ! @ # $ % ^ & * ( + ) = ~
The remaining characters of the password must be selected from the above character set (and can be from
any of the character types).
For example, an acceptable password sample is gB21@hill, while gPanth2! and
A@a#CDEF&* will be considered unacceptable (with respect to the prescribed format).
The bank also requires that each password be changed at least once every five years.
A. Assume that 1,000,000 passwords can be tested per second, calculate the probability
that a hacker can guess a password in the timeframe between two consecutive
B. A hacker controls a network of compromised machines (botnet) that can be used to
launch the attack. The network consists of 500,000 compromised machines (bots)
located in different countries around the globe. Assume that the machines have approximately the same computing capability. The hacker uses a simple strategy
consisting of slicing the username space in subsets of equal size, and assigning a
subset to each of the bots to conduct the attack in parallel. Calculate the probability
that a successful password guess can be obtained in the timeframe between two
consecutive changes. Briefly comment on the results.
C. In order to strengthen the above password scheme, the bank investigates the
following two different solutions:
a. Using an exponential backoff scheme, i.e., introducing a delay of x^n between
consecutive failed authentications. The backoff scheme begins when a user
attempts to authenticate and fails.
b. Using One-Time Password (OTP) tokens. A standard token displays a
variable password consisting of 6 digits.
Discuss the benefits and limitations of each solution (a and b) and indicate (in your
opinion) the best option.
Useful information: The probability that a dictionary attack succeeds in a specified
time period is expressed as:
P = (T × G) / N
-P is the probability that the attack succeeds
-T is the time period during which the attack takes place
-N is the total number of possible passwords
-G is the number of guesses that can be tested in one time unit
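As an added worked example (not part of the assignment text): a checker for the posted password format, the size N of the password space counted by inclusion-exclusion over the four character classes, and the P = (T × G) / N formula applied to it. Treating the botnet as a single attacker with the aggregate guess rate is an assumption of this example, not something the assignment states.

```python
from itertools import combinations, product

# Character classes exactly as listed in the bank's posted rules
BANK_CLASSES = {
    "upper": "ABCDEF",
    "lower": "ghijkl",
    "digit": "1234567890",
    "special": "!@#$%^&*(+)=~",
}

def is_acceptable(pw, classes=BANK_CLASSES, min_len=8, max_len=12):
    """Posted format: length in [min_len, max_len], only characters from the
    listed classes, and at least one character from every class."""
    alphabet = "".join(classes.values())
    if not min_len <= len(pw) <= max_len:
        return False
    if any(c not in alphabet for c in pw):
        return False
    return all(any(c in cls for c in pw) for cls in classes.values())

def count_passwords(sizes, min_len, max_len):
    """Size N of the password space by inclusion-exclusion: for each length,
    all strings over the union of the classes, minus those missing one class,
    plus those missing two, and so on. `sizes` are the class sizes."""
    total = 0
    for k in range(min_len, max_len + 1):
        for r in range(len(sizes) + 1):
            for excluded in combinations(range(len(sizes)), r):
                remaining = sum(s for i, s in enumerate(sizes) if i not in excluded)
                total += (-1) ** r * remaining ** k
    return total

def brute_force_count(classes, length):
    """Enumerates every string of one length; only feasible for toy alphabets,
    used to cross-check count_passwords."""
    alphabet = "".join(classes.values())
    return sum(1 for t in product(alphabet, repeat=length)
               if is_acceptable("".join(t), classes, length, length))

def guess_probability(years, guesses_per_second, space):
    """P = T * G / N with T in seconds, capped at 1 once T * G exceeds N."""
    seconds = years * 365 * 24 * 3600
    return min(1.0, seconds * guesses_per_second / space)

if __name__ == "__main__":
    n_space = count_passwords([len(c) for c in BANK_CLASSES.values()], 8, 12)
    print("password space N:", n_space)
    # Part A: one machine at 1,000,000 guesses/s, 5 years between changes
    print("P(single attacker):", guess_probability(5, 1_000_000, n_space))
    # Assumption: 500,000 bots on disjoint slices act as one attacker at 500,000 x 10^6 guesses/s
    print("P(botnet):", guess_probability(5, 500_000 * 1_000_000, n_space))
```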