author mo khan <mo.khan@gmail.com> 2020-02-17 15:59:52 -0700
committer mo khan <mo.khan@gmail.com> 2020-02-17 15:59:52 -0700
commit 7b9476822a2af3108be6be6b6fa4597563423b69 (patch)
tree 428c10515423f0153fcfc7ea60466971ebe0efaf
parent 2b37117ae31f869d90b34de4bcba76e77f9b5273 (diff)
Answer more questions
-rw-r--r-- assignments/3/README.md 49
1 files changed, 36 insertions, 13 deletions
diff --git a/assignments/3/README.md b/assignments/3/README.md
index 7f27687..ed4c03a 100644
--- a/assignments/3/README.md
+++ b/assignments/3/README.md
@@ -92,29 +92,52 @@ Suggest the most appropriate security measures for each of the situations descri
**The Western Union bank uses an electronic funds transfer (EFT) system to transmit sensitive financial data between its branches all over the world.**
-**A fighter jet simulation company has set up an off-site computer-based training centre for the F35. The company wishes to restrict access to the site to authorized employees. Since each employee's use of the centre is occasional, it does not wish to provide the employees with keys to access the centre.**
+* Server security: Ensure all servers are patched and hardened appropriately. Ideally data is transmitted over an authenticated and authorized API endpoints with short lived authn/authz tokens that can be revoked.
+* Network security: Ensure that all data is transported over an encrypted transport layer like TLS and that the forward secrecy and that only trusted cipher suites are enabled on server. Mutual TLS handshake for client/server would be nice as well.
+* Data Privacy: Consider storing the data on disk in an encrypted form and restrict access to the data via the proper access controls.
-**A golf club uses a simple password system to protect its database. The club has created a new Web site to allow both its members and its employees to use the new Web-based system to access and update information. The club finds that it needs a more comprehensive security system to grant different privileges (such as read-only versus create or update) to different users.**
+**A fighter jet simulation company has set up an off-site computer-based training centre for the F35.
+The company wishes to restrict access to the site to authorized employees.
+Since each employee's use of the centre is occasional, it does not wish to provide the employees with keys to access the centre.**
+
+Physical access to the data should not be the only way to restrict access.
+Data should be protected by multiple layers of security in the event that there is a breach in the physical facility.
+
+The physical location should be secured via some form of physical access controls such as proximity access cards that can be configured to provided
+access during specific operational hours. Installation of physical cameras with on-premise security might be worth considering.
+Access to and from the facility should be recorded. Employees should wear their badges so that an image of their face with a name and clearance level
+can clearly be seen. It should be easy to identify people in the facility that do not belong in the facility.
+
+**A golf club uses a simple password system to protect its database.
+The club has created a new Web site to allow both its members and its employees to use the new Web-based system to access and update information.
+The club finds that it needs a more comprehensive security system to grant different privileges (such as read-only versus create or update) to different users.**
+
+Considering adding roles based access controls or permissions based access controls at the application layer if possible.
+
+Otherwise, you can use the access controls built into most databases.
+Databases offer the ability to create different users/roles with different levels of access to perform specific operations on the specific tables.
+You could create separate users for each member and employee and separate roles for members and employees.
+You could control access by specifying individual permissions for a user or role.
+Then ensure that users are attached to the appropriate role.
**A training centre at the Northern Technical University has experienced considerable difficulty with unauthorized users who access files and databases by appropriating passwords from legitimate users.**
+Require a second factor of authentication for all users of the system. If passwords are continuously being compromised it's possible that a stronger password policy is necessary
+but adding a second factor of authentication such as a time based one time password ([TOTP](https://tools.ietf.org/html/rfc6238)) should aid in blocking unprivileged access.
+
## Question 4
-The UBS broker company has a database server with three disks.
+**The UBS broker company has a database server with three disks.
Both the accounting and stock exchange applications share the same disk, and they are experiencing performance problems.
-Discuss potential reasons for the performance problem, and suggest how to reduce I/O contention.
+Discuss potential reasons for the performance problem, and suggest how to reduce I/O contention.**
-If the database server has three separate disks serving two different applications then it might make sense to allocate a separate disk for each application.
-At the moment the database server is performing all I/O operations a single disk which will bottleneck all read/writes from each application because
-hdd disk needs to seek back and forth to the appropriate portions on the disk to read/write the necessary data.
+All I/O operations are occurring on a single disk which is causing a bottleneck. Specific tables or datafiles can be moved to distribute the I/O across the 3 disks
+or the data can be striped across the three disks ensuring that the I/O is equally balanced across all three disks.
-If the applications are read heavy applications then it would make sense to ensure that solid state drives are used to optimize the reads.
-Splitting the database files across disks will also allow for better parallelization of responding to read/write requests.
-If possible it might be worth dedicating one disk as a primary that will serve only writes and replicate the primary to the other two disks to utilize them
-specifically for reads.
+Another area to look at, is the query logs. The query logs will allow the DBA to see if there are expensive queries due to many disk seeks due to a missing database index.
+An index can help by trying to make sure related data is logically grouped on disk to reduce disk seeks back and forth.
-Other areas to look at is the query logs to see if there are expensive queries due to many disk seeks on disk to respond with all the data.
-In this case it might make sense to add missing indexes to try to make sure as much of the related data is logically grouped on disk to reduce disk seeks back and forth.
+If the applications are read heavy applications then it would make sense to ensure that solid state drives are used to optimize the reads.
## Question 5
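Review bot: The network security bullet in the EFT answer is missing a verb, so it never says what is required of forward secrecy: "and that the forward secrecy and that only trusted cipher suites are enabled on server". Suggest rewording it to say that forward secrecy is enabled and that only trusted cipher suites are allowed on the server. In the bullet above it, "an authenticated and authorized API endpoints" mixes singular and plural. Further down, "configured to provided access" should be "provide", "Considering adding roles based access controls" should read "Consider adding role-based access controls", and in the TOTP answer "blocking unprivileged access" does not match the question, which is about unauthorized users appropriating passwords; "unauthorized access" would.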