
Page 1: S.K.P Institute of Technology Tiruvannamalai - 606611. B.E ...isbygopi.weebly.com/uploads/2/6/1/9/26194122/it2042_information... · that classification as required by organizational

S.K.P Institute of Technology, Tiruvannamalai - 606611.

B.E/ B.Tech DEGREE EXAMINATION
EIGHTH SEMESTER - CSE

IT 2042 - INFORMATION SECURITY - QUESTION BANK WITH KEY

PART A

UNIT I - INTRODUCTION

MOST IMPORTANT QUESTIONS

1. What is information security? [NOV/DEC 2011] [MAY/JUNE 2013]

It is a well-informed sense of assurance that the information risks and controls are in balance.

2. What is Security? What are the Multiple layers of Security? [NOV/DEC 2012]

Security is the quality or state of being secure, that is, to be free from danger. The multiple layers of Security are as follows:

• Physical Security

• Personal Security

• Operations Security

• Communication Security

• Network Security

• Information Security

3. What are the critical characteristics of information security? [MAY/JUNE 2013]

• Availability

• Accuracy

• Authenticity

• Confidentiality

• Integrity

• Utility

• Possession

4. Sketch and explain the NSTISSC Security model. [MAY/JUNE 2012]

The NSTISSC Security Model provides a more detailed perspective on security. While the NSTISSC model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls.

Page 1 of 95


Figure 1: NSTISSC Security Model

5. What is the difference between vulnerability and exposure? [MAY/JUNE 2012]

Vulnerability: Vulnerability is a state in which an object can POTENTIALLY be affected by a force, another object or even a situation, but is not necessarily affected, nor will it necessarily be affected.

Exposure: Exposure is a state in which an object is already being affected by a force, an object or a situation.

IMPORTANT QUESTIONS

6. What is C.I.A?

C.I.A - Confidentiality, Integrity and Availability.

7. Write a note on the history of information security

• Began immediately after the first mainframes were developed

• Groups developing code-breaking computations during World War II created the first modern computers

• Physical controls to limit access to sensitive military locations to authorized personnel

• Rudimentary in defending against physical theft, espionage, and sabotage

8. What is Rand Report R-609?

Rand Report R-609 was commissioned by the US Department of Defense in 1967, published in 1970, and is considered a seminal work in the area of information security. The Rand Report is still relevant now, in 2012. The Rand Report points out that securing the computer is not enough and that it is necessary to secure the data as well.

9. What is the scope of computer security?

Computer security involves safeguarding computing resources, ensuring data integrity, limiting access to authorised users, and maintaining data confidentiality. Effective computer security therefore involves taking physical security measures, minimising the risk and implications of error, failure or loss, appropriate user authentication, and possibly the encryption of sensitive files.

10. Define Physical security

Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment and resources, and to protect personnel and property from damage or harm.


11. Define Personal Security

The procedures established to ensure that all personnel who have access to any classified information have the required authorizations as well as the appropriate clearances.

12. Define Operations security

It is a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.

13. Define Communications security

Communications security is the discipline of preventing unauthorized interceptors from accessing telecommunications in an intelligible form, while still delivering content to the intended recipients.

14. Define Network security

It is the implementation of alarm and intrusion systems to make system owners aware of ongoing compromises.

15. What are the components of an information system?

• Software

• Hardware

• Data

• People

• Procedures

• Networks

16. What is meant by balancing Security and Access?

Information security cannot be absolute: it is a process, not a goal. Information security should balance protection and availability. It is possible to make a system available to anyone, anywhere, anytime, through any means. However, such unrestricted access poses a danger to the integrity of the information. On the other hand, a completely secure information system would not allow anyone access.

17. What are the steps used for implementing information security?

• Identification

• Evaluation

• Remediation

• Maintenance


18. What is SDLC?

The Systems Development Life Cycle is a methodology for the design and implementation of an information system in an organization.

19. Explain the different phases of the SDLC.

• Investigation

• Analysis

• Logical Design

• Physical Design

• Implementation

• Maintenance and change

20. What is Security SDLC?

The Secure Systems Development Life Cycle is a methodology for the design and implementation of an information system in an organization.

STANDARD QUESTIONS

21. How is information security viewed as a social science?

Social science deals with how people behave. Since social engineering is one of the techniques used to defeat information security, it would seem that at least some aspects of information security are related to social science.

22. What are the information security roles to be played by various professionals in a typical organization?

• Forensic Specialist

• Security Architect

• Chief Information Security Officer

• Information Assurance Officer

• IT Security Manager

• Risk Manager

23. What are the three types of data ownership and their responsibilities?

• Data Owners:
  - Responsible for the security and use of a particular set of information.
  - Usually senior management members, maybe CIOs.
  - Usually determine the level of data classification and changes to that classification as required by organizational changes.
  - Work with subordinate managers to oversee daily data administration.


• Data Custodians:
  - Work directly with data owners.
  - Responsible for storage, maintenance and protection of information.
  - May be the CISO, or the responsibility of a systems admin or technology manager, depending on organization size.
  - Duties include overseeing data storage and backups, implementing procedures and policies laid out in security policies and plans, and reporting to the data owner.

• Data Users:
  - Work with information to perform assigned roles.
  - Everyone is responsible for the security of data in the organization.

24. What is the difference between a threat agent and a threat?

Threat - An object, person or other entity that represents a constant danger to an asset.

Threat Agent - A specific instance or component that represents a danger to an Organization's asset.

25. What is attack?

An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.

26. What is hacking?

Hacking is any technical effort to manipulate the normal behavior of network connections and connected systems.

27. What is security blue print?

The purpose of an information security blueprint is to gather an organization's requirements, provide a visualization of those requirements and initiate the process of interweaving information security as part of the organization's culture. The blueprint explains an organization's needs, desired results, factors that could influence the outcome and a strategy to execute.

28. What is MULTICS?

Multics (Multiplexed Information and Computing Service) was a mainframe timesharing operating system that began at MIT as a research project in 1965. It was an important influence on operating system development.

29. What is ARPANET?

The Advanced Research Projects Agency Network (ARPANET) was one of the world's first operational packet switching networks, the first network to implement TCP/IP, and the progenitor of what was to become the global Internet.

30. Define E-mail spoofing

It is the process of sending an e-mail with a modified field.


UNIT II - SECURITY INVESTIGATION

MOST IMPORTANT QUESTIONS

31. What are the different categories of threat? [NOV/DEC 2012]

Threats can be classified in four different categories: direct, indirect, veiled and conditional.

• A direct threat identifies a specific target and is delivered in a straightforward, clear and explicit manner.

• An indirect threat tends to be vague, unclear and ambiguous. The plan, the intended victim, the motivation, and other aspects of the threat are masked or equivocal.

• A veiled threat is one that strongly implies but does not specifically threaten violence.

• A conditional threat is the type of threat often seen in extortion cases. It warns that a violent act will happen unless certain demands or terms are met.

32. What is Intellectual property? [MAY/JUNE 2013]

Intangible property that is the result of creativity, such as patents, copyrights, etc.

33. Differentiate worms and viruses. [MAY/JUNE 2012]

Virus - A computer virus attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels.

Worm - A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any human action. A worm takes advantage of file or information transport features on your system, which is what allows it to travel unaided.

34. What is malware? What are its types? [MAY/JUNE 2012]

Malware is software that does not benefit the computer's owner, and may even harm it, and so is purely parasitic. The different types of malware are Virus, Worm, Trojans, Spyware, Backdoors, Exploits and Keyloggers, etc.

35. What is Distributed Denial-of-service (DDoS)? [NOV/DEC 2011]

A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system.

36. What is Denial-of-service (DoS)? [NOV/DEC 2011]

A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users.

37. List out the general categories of unethical and illegal behaviour. [NOV/DEC 2012]

There are three general categories of unethical and illegal behavior that organizations and society should seek to eliminate:


• Ignorance

• Accident

• Intent

IMPORTANT QUESTIONS

38. What are the four important functions that information security performs in an organization?

• Assigning an appropriate classification to organization Data.

• Determining the appropriate criteria for obtaining access to organizational Data.

• Assigning day-to-day administrative and operational responsibilities for organizational Data to one or more Data Custodians.

• Approving standards and procedures related to day-to-day administrative and operational management of organizational Data.

39. What are threats?

A threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.

40. What are the different acts of human error or failure?

It includes acts performed without intent or malicious purpose by an authorized user. When people use information systems, mistakes happen. Inexperience, improper training and incorrect assumptions are just a few things that can cause misadventures. Regardless of the cause, even innocuous mistakes can produce extensive damage.

41. How can human error be prevented?

Many human errors or failures can be prevented with training and ongoing awareness activities.

42. How can intellectual property be protected?

• Copyright Ordinance

• Prevention of Copyright Privacy Ordinance

• Trade Marks Ordinance

• Trade Descriptions Ordinance

• Patents Ordinance

• Registered Designs Ordinance

43. What are deliberate acts of espionage or trespass?

Unauthorized access and / or data collection is called deliberate acts of espionage or trespass.


44. Who are Hackers? What are the two hacker levels?

A hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge. The two levels of hackers are Expert Hackers and Unskilled Hackers.

45. What is information extortion?

Information Extortion is an operation in which information is transported illegally.

46. What are deliberate acts of sabotage and vandalism?

Destruction of property or obstruction of normal operations, as by civilians or enemy agents in time of war.

47. What is Cyber terrorism?

Cyberterrorism is the use of Internet-based attacks in terrorist activities, including acts of deliberate, large-scale disruption of computer networks, especially of personal computers attached to the Internet, by means of tools such as computer viruses.

48. What are the deliberate acts of theft?

Illegal confiscation of equipment or information is called a deliberate act of theft.

49. What are deliberate software attacks?

Deliberate software attacks occur when an individual or group designs and deploys software to attack a system.

50. What are the forces of Nature affecting information security?

Forces of nature, force majeure, or acts of God are dangerous because they are unexpected and can occur with very little warning. They can disrupt not only the lives of individuals, but also the storage, transmission, and use of information. They include fire, flood, earthquake, and lightning as well as volcanic eruption and insect infestation. Since it is not possible to avoid many of these threats, management must implement controls to limit damage and also prepare contingency plans for continued operations.

51. What are technical hardware failures or errors?

Technical hardware failures or errors occur when a manufacturer distributes to users equipment containing flaws. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. Some errors are terminal, in that they result in the unrecoverable loss of the equipment. Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily repeated.

52. What are technical software failures or errors?

This category of threats comes from purchasing software with unrevealed faults. Large quantities of computer code are written, debugged, published, and sold only to determine that not all bugs were resolved. Sometimes, unique combinations of certain software and hardware reveal new bugs. Sometimes, these items aren't errors, but are purposeful shortcuts left by programmers for honest or dishonest reasons.


53. What is technological obsolescence?

When the infrastructure becomes antiquated or outdated, it leads to unreliable and untrustworthy systems. Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity to threats and attacks. Ideally, proper planning by management should prevent the risks from technological obsolescence, but when obsolescence is identified, management must take action.

STANDARD QUESTIONS

54. What is an attack?

An attack is the deliberate act that exploits vulnerability. It is accomplished by a threat-agent to damage or steal an organization's information or physical asset. An exploit is a technique to compromise a system. A vulnerability is an identified weakness of a controlled system whose controls are not present or are no longer effective. An attack is then the use of an exploit to achieve the compromise of a controlled system.

55. What is malicious code?

This kind of attack includes the execution of viruses, worms, Trojan horses, and active web scripts with the intent to destroy or steal information. The state of the art in attacking systems in 2002 is the multi-vector worm using up to six attack vectors to exploit a variety of vulnerabilities in commonly found information system devices.

56. Define Virus

Virus - Each infected machine infects certain common executable or script files on all computers to which it can write with virus code that can cause infection.

57. Define Hoaxes

Hoaxes - A more devious approach to attacking computer systems is the transmission of a virus hoax, with a real virus attached.

58. What is Back Door?

Back Doors - Using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource.

59. Define Dictionary attack

The dictionary password attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords (the dictionary) to guide guesses.

60. What are the various forms of attacks?

• IP Scan and Attack

• Web Browsing

• Virus


• Unprotected Shares

• Mass Mail

• SNMP

61. What are the attack replication vectors?

• Social Engineering

• Vulnerability Exploitation

• Piggybacking

62. Define Spoofing

It is a technique used to gain unauthorized access whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.

63. Define Man-in-the-Middle

In a man-in-the-middle attack, an attacker sniffs packets from the network, modifies them, and inserts them back into the network.

UNIT III - QUALITY CONTROL AND RELIABILITY

MOST IMPORTANT QUESTIONS

64. What is risk management? [NOV/DEC 2011] [NOV/DEC 2012]

The process of identifying vulnerabilities in an organization's information system and taking carefully reasoned steps to assure the confidentiality, integrity, and availability of all of the components in the Information System.

65. What is asset valuation? List out the components of asset valuation. [MAY/JUNE 2012]

Asset valuation is an iterative process; it begins with the identification of assets, including all elements of an organization's system. The components are as follows:

• people

• procedures

• data and information

• software

• hardware

• networking elements

66. What is Dumpster diving in Information Security? [MAY/JUNE 2013]

Dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network.


67. Why should periodic review be a part of risk management? [MAY/JUNE 2012] [MAY/JUNE 2013]

Periodic review must be part of the risk management strategies because risks from security threats create competitive disadvantage to organizations. It is a constant process for safeguards and controls to be devised and implemented, and not to be install-and-forget devices.

68. How do benchmarking and baselining differ? [NOV/DEC 2011]

Benchmarking - The process of comparing our system performance against an industry standard that is endorsed by some other organization.

Baselining - The process of running a set of tests to capture performance information so that we have a point of reference when future changes are made to the application/infrastructure.

IMPORTANT QUESTIONS

69. What are the roles to be played by the communities of interest to manage the risks an organization encounters?

• Information security managers and professionals

• Information technology managers and professionals

• Nontechnical business managers and professionals

70. What is the process of Risk Identification?

Risk identification is the first step in the proactive risk management process. It provides the opportunities, indicators, and information that allow an organization to raise major risks before they adversely affect operations and hence the business.

71. What are asset identification and valuation?

Iterative process; begins with identification of assets, including all elements of an organization's system (people, procedures, data and information, software, hardware, networking). Assets are then classified and categorized.

72. What is Asset Information for People?

According to people the process of transforming data into profit is called as Asset Information or Informationas an asset.

73. What are Hardware, Software, and Network Asset Identification?

Which attributes of hardware, software and network assets should be tracked? It depends on the needs of the organization and its risk management efforts, as well as the preferences and needs of the information security and information technology communities.

74. What are Asset Information for Procedures?

Description / intended purpose / relationship to software, hardware and networking elements; storage location for update; storage location for reference.


75. What are the Asset Information for Data?

Classification; owner; creator; manager; size of data structure; data structure used; online/offline/location/backup procedures employed.

76. How are information assets classified?

• Published

• Limited

• Restricted

• Critical

77. Define the process of Information asset valuation.

Assigning weighted scores for the value to the organization of each information asset. The National Institute of Standards and Technology gives some standards.

78. What are the Questions to assist in developing the criteria to be used for asset valuation?

• Which threats present a danger to the Organization’s asset in the given environment?

• How much would it cost to recover from a successful attack?

• Which of the threats would require greatest expenditure to prevent?

• Critical

79. Define data classification and management.

In the field of data management, data classification, as a part of the Information Lifecycle Management (ILM) process, can be defined as a tool for the categorization of data to enable/help an organization to effectively answer the following questions:

• What data types are available?

• Where are certain data located?

• What access levels are implemented?

• What protection level is implemented and does it adhere to compliance regulations?

80. What are security clearances?

A security clearance is a status granted to individuals allowing them access to classified information, i.e., state secrets, or to restricted areas after completion of a thorough background check.

81. Explain the process of threat identification?

Based on past experience, forecasting, expert judgment and available resources, identify a list of the threats and hazards of concern to the community.


82. How to identify and Prioritize Threats?

Based on past experience, forecasting, expert judgment and available resources, identify a list of the threats and hazards of concern to the community. Threats can be prioritized by using the formula Risk = Probability * Damage Potential. This formula indicates that the risk posed by a particular threat is equal to the probability of the threat occurring multiplied by the damage potential, which indicates the consequences to our system if an attack were to occur.

83. What is Risk assessment?

Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard).

84. What are the different threats faced by an information system in an Organization?

• Spoofing of user identity

• Tampering

• Repudiation

• Information disclosure (privacy breach or Data leak)

• Denial of Service

• Elevation of privilege

85. What is Vulnerability Identification?

This process identifies the probable risks impacting an organization and provides the information required to implement cost-effective security practices and procedures.

86. Mention the Risk Identification Estimate Factors

Risk is the likelihood of the occurrence of a vulnerability, multiplied by the value of the information asset, minus the percentage of risk mitigated by current controls, plus the uncertainty of current knowledge of the vulnerability.

STANDARD QUESTIONS

87. Give an example of Risk determination.

The shop manager carried out the risk assessment in the convenience store, which is located on a busy high street and has a weekly turnover of about £15,000. It sells newspapers and magazines (but does not do deliveries), alcohol, tobacco, greetings cards, household essentials and tinned, frozen and other pre-packed foods. Twelve staff are employed, most of them part-time, working a variety of morning, afternoon and evening shifts. One member of staff is four months pregnant. At the rear of the shop there is a staff toilet and bathroom, a staff rest room where drinks etc. can be made, and a stockroom. The store is open from 7.00 am to 10.00 pm, seven days a week.


88. What is residual risk?

The residual risk is the risk or danger remaining from an action, an event, a method or a (technical) process that, although abreast of current science, still carries these dangers even if all theoretically possible safety measures (scientifically conceivable measures) were applied.

89. What is access control?

Access control is the selective restriction of access to a place or other resource.

90. What are the different types of Access Controls?

• Discretionary

• Mandatory

• Non-Discretionary (Role Based)

91. What is the goal of documenting results of the risk assessment?

The main goal of documenting the results of the risk assessment is to forecast the risk with reference to previous experience.

92. Mention the strategies to control the vulnerable risks.

An organization must choose one of four basic strategies to control risks:

• Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability

• Transference: shifting the risk to other areas or to outside entities

• Mitigation: reducing the impact should the vulnerability be exploited

• Acceptance: understanding the consequences and accepting the risk without control or mitigation

93. What are the different risk control strategies?

An organization must choose one of four basic strategies to control risks:

• Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability

• Transference: shifting the risk to other areas or to outside entities

• Mitigation: reducing the impact should the vulnerability be exploited

• Acceptance: understanding the consequences and accepting the risk without control or mitigation

94. Write short notes on the Incident Response Plan.

A set of predetermined and documented procedures to detect and respond to a cyber incident.


95. Define Disaster Recovery Plan

A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster.

96. Define Business Continuity Plan

Business continuity planning (BCP) identifies an organization's exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization, while maintaining competitive advantage and value system integrity.

97. What are different categories of controls?

• Preventive control

• Detective control

• Corrective control

UNIT IV - LOGICAL DESIGN

MOST IMPORTANT QUESTIONS

98. What is a policy? [MAY/JUNE 2013]

Course of action used by an organization to convey instructions from management to those who perform duties.

99. What is information security policy? [NOV/DEC 2011]

Information security policy is a set of policies issued by an organization to ensure that all information technology users within the domain of the organization or its networks comply with rules and guidelines related to the security of the information stored digitally at any point in the network or within the organization’s boundaries of authority.

100. What are the three types of security policies? [NOV/DEC 2012]

• Enterprise Information Security Program Policy (EISP)

• Issue-specific Information Security Policy (ISSP)

• System-specific Information Security Policy (SysSP)

101. Define Standards. [MAY/JUNE 2013]

More detailed statements of what must be done to comply with policy.

102. Define ISO 17799/BS 7799 Standards. [MAY/JUNE 2013]

Initially developed from BS7799-1, ISO 17799 is an international standard that sets out the requirements of good practice for Information Security Management.


103. Mention the Drawbacks of ISO 17799/BS 7799 [NOV/DEC 2011]

• 17799 lacks “the necessary measurement precision of a technical standard”

• 17799 is not as complete as other frameworks available

• 17799 is perceived to have been hurriedly prepared given the tremendous impact its adoption could have on industry information security controls

104. What is contingency policy? [NOV/DEC 2012]

A contingency policy is a conventional policy providing the protection of conventional insurance, but with the added benefit of allowing the client to share in underwriting profits based on favourable claims experience and implementation of sound risk management principles.

IMPORTANT QUESTIONS

105. What is Security Program Policy?

An IT Security Program policy is both a comprehensive plan and operational services, based on a risk management process, to protect critical applications and IT infrastructure, ensure systems availability and data integrity, comply with external regulations, and protect individual privacy.

106. Define Issue-Specific Security Policy (ISSP)

The ISSP addresses specific areas of technology, requires frequent updates, and contains a statement of the organization’s position on a specific issue.

107. What are ACL Policies?

An ACL is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

108. What is Information Security Blueprint?

It is the basis for the design, selection, and implementation of all security policies, education and training programs, and technological controls. It is a more detailed version of the security framework, which is an outline of the overall information security strategy for the organization and a road map for planned changes to the information security environment of the organization.

109. What are the objectives of ISO 17799?

Organizational Security Policy is needed to provide management direction and support.

110. What is the alternate Security Models available other than ISO 17799/BS 7799?

The National Security Telecommunications and Information Systems Security Committee - NIST Security Model is the alternate security model available other than ISO 17799/BS 7799.

111. List the management controls of NIST SP 800-26


• Risk Assessment and Management

• Review of Security Controls

• Rules of behavior

• Planning for security in the life cycle

• Authorization of Processing (Certification and Accreditation)

• System Security Plan

112. Mention the Operational Controls of NIST SP 800-26

• Personnel Security

• Physical Security

• Production, Input/Output Controls

• Contingency Planning

• Hardware and Systems Software

• Data Integrity

STANDARD QUESTIONS

113. What are the Technical Controls of NIST 800-26?

• Identification and Authentication

• Logical Access Controls

• Audit Trails

114. What is Sphere of protection?

The “sphere of protection” overlays each of the levels of the “sphere of use” with a layer of security, protecting that layer from direct or indirect use through the next layer.

115. What is Defense in Depth?

One of the basic foundations of security architectures is the implementation of security in layers. This layered approach is called defense in depth.

116. What is Security perimeter?

A Security Perimeter is the first level of security that protects all internal systems from outside threats

117. What are the key technological components used for security implementation?

• Firewall

• Gateway Router


• DMZ

118. What is Systems-Specific Policy (SysSP)?

SysSPs are frequently codified as standards and procedures to be used when configuring or maintaining systems.

119. What is the importance of blueprint?

It specifies the tasks to be accomplished and the order in which they are to be realized. It also serves as a scalable, upgradeable, and comprehensive plan for the information security needs of the coming years.

120. What are the approaches of ISSP?

• Create a number of independent ISSP documents

• Create a single comprehensive ISSP document

• Create a modular ISSP document

UNIT V - PHYSICAL DESIGN

MOST IMPORTANT QUESTIONS

121. List the types of Physical control. [MAY/JUNE 2013]

• CCTV surveillance

• security guards

• protective barriers

• locks

• access control protocols

122. What are the sources for physical loss? [NOV/DEC 2012]

• Extreme Temperature

• Gases

• Liquids

• Living organisms

• Projectiles

• Movement

• Energy anomalies


123. Differentiate Symmetric and Asymmetric encryption. [NOV/DEC 2011]

Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way.

Asymmetric encryption consists of two keys. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.

124. What is content filtering? [MAY/JUNE 2013]

Content filtering, in the most general sense, involves using a program to prevent access to certain items, which may be harmful if opened or accessed. The most common items to filter are executables, emails or websites. Content filters can be implemented either as software or via a hardware-based solution.

125. What are the advantages and disadvantages of using honey pot or padded cell approach? [NOV/DEC 2012]

The advantage of honeypots, though, is that they are designed to only have interaction with attackers. This way, honeypots collect smaller sets of data with very high value. Also, by capturing anything they come in contact with, honeypots can detect any new tools or technologies used by attackers. The most important and useful advantage is their simplicity.

The disadvantage of honeypots is that they can only track activity that interacts with them. They cannot capture attacks against other systems unless the attacker interacts with the honeypot as well. As with other security technologies, honeypots are also at risk of being taken over by attackers and used to harm other systems. Different types of honeypots have different levels of risk.

126. What are the criteria for selecting information security personnel? [MAY/JUNE 2012]

• General requirements

• Criminal History

• Education

• Citizenship

• Fingerprints

• Photographs

• Personal Information

• Drug screening

• Social Security Number.

127. List the credentials of Information Security professionals. [NOV/DEC 2011]

• ISSAP - Information System Security Architecture Professional

• ISSMP - Information System Security Management Professional

• SSCP - System Security Certified Practitioner

• Security Administration.


IMPORTANT QUESTIONS

128. What are firewalls?

A firewall is a device that keeps certain kinds of network traffic out of a private network.

129. Explain different generations of firewalls.

• First Generation Firewall

• Second generation Firewall

• Third generation Firewall

• Fourth generation Firewall

• Fifth generation Firewall.

130. Mention the functions of first generation firewall

The first generation firewall is also called a packet filter. Packet filters act by inspecting the “packets” which transfer between computers on the Internet. If a packet matches the packet filter’s set of rules, the packet filter will drop (silently discard) the packet or reject it (discard it, and send “error responses” to the source).

131. What are the restrictions of first generation firewall?

The restrictions most commonly implemented are based on IP source and destination address and direction (inbound or outbound).

132. What is the advantage of Second Generation firewalls?

Second generation firewalls are called application-level firewalls. It is often a dedicated computer separate from the filter router. Additional filtering routers can be implemented behind the proxy servers.

133. Define stateful inspection firewall

Stateful inspection firewalls keep track of each network connection established between internal and external systems using a state table, which tracks the state and context of each packet in the conversation by recording which station sent what packet.
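Added example for questions 130 to 133 (not from the question bank): a toy first-generation packet filter beside a third-generation stateful inspection filter, showing why the state table matters. The addresses, ports, rules and packets are all constructed.

```python
# Added example (not from the question bank): a stateless packet filter next to
# a stateful inspection filter. Addresses, ports, rules and packets are constructed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str   # "inbound" or "outbound" relative to the protected network
    flags: str = ""  # TCP flags as a comma-separated string, e.g. "SYN,ACK"


@dataclass(frozen=True)
class Rule:
    action: str      # "allow", "drop" (silent discard) or "reject" (discard + error response)
    direction: str
    src: str = "*"
    dst: str = "*"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.src in ("*", p.src)
                and self.dst in ("*", p.dst)
                and (self.dport is None or self.dport == p.dport))


def packet_filter(rules: List[Rule], p: Packet, default: str = "drop") -> str:
    """First generation: stateless. Every packet is judged on its own header
    (source/destination address, port, direction); the first matching rule wins."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFilter:
    """Third generation: the same rules plus a state table of connections the
    trusted side opened. A reply is admitted only when it belongs to a recorded
    connection, so the inbound direction can stay closed by default."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # state table entries: (src, sport, dst, dport) of the initiating packet
        self.state: Set[Tuple[str, int, str, int]] = set()

    def process(self, p: Packet) -> str:
        # A reply travels the reversed 4-tuple of the recorded connection.
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "allow (established)"
        verdict = packet_filter(self.rules, p)
        if verdict == "allow" and "SYN" in p.flags.split(","):
            self.state.add((p.src, p.sport, p.dst, p.dport))
        return verdict


# Constructed policy in the spirit of question 144: the trusted network may go
# out, telnet from outside is rejected, everything else inbound is dropped.
RULES = [
    Rule("allow", "outbound"),
    Rule("reject", "inbound", dport=23),
    Rule("drop", "inbound"),
]


def demo() -> dict:
    """Run one outbound HTTP request, its reply and an unsolicited telnet
    attempt through both filters and return the verdicts."""
    out = Packet("10.0.0.5", "203.0.113.9", 40000, 80, "outbound", "SYN")
    reply = Packet("203.0.113.9", "10.0.0.5", 80, 40000, "inbound", "SYN,ACK")
    unsolicited = Packet("198.51.100.7", "10.0.0.5", 5555, 23, "inbound", "SYN")
    sf = StatefulFilter(RULES)
    return {
        "stateless_reply": packet_filter(RULES, reply),   # dropped: no memory of the request
        "stateful_request": sf.process(out),
        "stateful_reply": sf.process(reply),              # admitted from the state table
        "stateful_unsolicited": sf.process(unsolicited),  # rejected by the telnet rule
    }


if __name__ == "__main__":
    print(demo())
```

The stateless filter has to drop the legitimate reply because it cannot tell it apart from an unsolicited inbound packet; the state table resolves exactly that case.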

134. What is the disadvantage of third generation firewalls?

The most difficult element of this third generation firewall is maintaining the firewall’s simplicity (and hence its maintainability and security) without compromising flexibility.

135. What is the function of Fifth Generation firewall?

The fifth generation firewall evaluates packets at multiple layers of the protocol stack by checking security in the kernel as data is passed up and down the stack.

136. How firewalls are categorized by processing mode?

The five processing modes are:


• Packet filtering

• Application gateway

• Circuit gateways

• MAC layer firewalls

• Hybrids

137. What is the drawback of packet-filtering router?

Lack of auditing and strong authentication are the main drawbacks of packet-filtering routers.

138. What are Screened-Host Firewall Systems?

Combines the packet-filtering router with a separate dedicated firewall such as an application proxy server.

139. What are dual homed host firewalls?

The bastion host contains two NICs. One NIC is connected to the external network and the other one is connected to the internal network. With two NICs, all traffic must go through the firewall to move between the external and internal networks.

140. What is the use of NAT?

Network Address Translation (NAT) is used to map from real, valid external IP addresses to ranges of internal IP addresses that are non-routable.

141. What are Screened-Subnet Firewalls?

A screened subnet (also known as a “triple-homed firewall”) is a network architecture that uses a single firewall with three network interfaces. Interface 1 is the public interface and connects to the Internet. Interface 2 connects to a DMZ (demilitarized zone) to which hosted public services are attached. Interface 3 connects to an intranet for access to and from internal networks.

142. What are the factors to be considered while selecting a right firewall?

• What type of firewall technology offers the right balance of protection features and cost for the needs of an organization?

• What features are included in the base price? What features are available at extra cost? Are all cost factors known?

• How easy is it to set up and configure the firewall? How accessible are staff technicians with the mastery to do it well?

• Can the candidate firewall adapt to the growing network in the target organization?

143. What are SOCKS Servers?

The SOCKS system is a proprietary circuit-level proxy server that places special SOCKS client-side agents on each workstation. It places the filtering requirements on the individual workstation, rather than on a single point of defense (and thus point of failure).


144. What are the recommended practices in designing firewalls?

• All traffic from the trusted network is allowed out

• All Internet Control Message Protocol (ICMP) data should be denied

• Block telnet (terminal emulation) access to all internal servers from the public networks

• When Web services are offered outside the firewall, deny HTTP traffic from reaching your internal networks by using some form of proxy access or DMZ architecture

145. What are intrusion detection systems (IDS)?

An IDS operates as either network-based, when the technology is focused on protecting network information assets, or host-based, when the technology is focused on protecting server or host information assets. IDSs use one of two detection methods, signature-based or statistical anomaly-based.

146. What are different types of IDSs?

• Network based IDS

• Host based IDS

• Application based IDS

• Signature based IDS

• Anomaly based IDS

147. Define NIDS

A network-based IDS (NIDS) resides on a computer or an appliance connected to a segment of an organization’s network and monitors traffic on that network segment, looking for indications of ongoing or successful attacks.

148. What is HIDS?

HIDSs are also known as System Integrity Verifiers, as they benchmark and monitor the status of key system files and detect when an intruder creates, modifies or deletes monitored files.

149. What is the use of HIDS?

A HIDS is capable of monitoring system configuration databases, such as Windows registries, in addition to stored configuration files like .ini, .cfg, and .dat files.
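Added example for questions 148 and 149 (not from the question bank): a minimal system integrity verifier that benchmarks a set of monitored files by SHA-256 hash and later reports which files were created, modified or deleted. The monitored files and the tampering are constructed inside a temporary directory; a real deployment keeps the baseline on protected storage so an intruder cannot rewrite it.

```python
# Added example (not from the question bank): a minimal system integrity
# verifier in the sense of a HIDS. Files and tampering are constructed.
import hashlib
import os
import tempfile
from typing import Dict, List


def benchmark(root: str) -> Dict[str, str]:
    """Baseline: relative path -> SHA-256 hex digest of every file under root."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(full, root)] = digest
    return baseline


def verify(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the tree and classify each difference from the baseline."""
    current = benchmark(root)
    common = baseline.keys() & current.keys()
    return {
        "created": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three configuration files, then simulate
    an intruder editing one, deleting one and adding one, and verify."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("app.ini", b"debug=0\n"),
                           ("db.cfg", b"host=db.internal\n"),
                           ("users.dat", b"alice\nbob\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = benchmark(root)  # in practice: stored on read-only media

        with open(os.path.join(root, "app.ini"), "wb") as fh:
            fh.write(b"debug=1\n")                   # modified file
        os.remove(os.path.join(root, "users.dat"))   # deleted file
        with open(os.path.join(root, "extra.cfg"), "wb") as fh:
            fh.write(b"unexpected\n")                # created file
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```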

150. What is Application-based IDS?

A refinement of host-based IDS is the application-based IDS (AppIDS). Whereas the HIDS examines a single system for file modification, the application-based IDS examines an application for abnormal incidents. It looks for anomalous occurrences such as users exceeding their authorization, invalid file executions, etc.


151. What is Signature-based IDS?

It is based on detection methods. A signature-based IDS (also called a knowledge-based IDS) examines data traffic in search of patterns that match known signatures, that is, preconfigured, predetermined attack patterns. Many attacks have clear and distinct signatures, such as: (i) footprinting and fingerprinting activities, which have an attack pattern that includes the use of ICMP, DNS querying, and e-mail routing analysis; (ii) exploits, which involve a specific attack sequence designed to take advantage of a vulnerability to gain access to a system; (iii) Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

152. What is LFM?

Log File Monitor (LFM) is an approach to IDS that is similar to NIDS. Using LFM, the system reviews the log files generated by servers, network devices, and other IDSs. These systems look for patterns and signatures in the log files that may indicate an attack or intrusion is in process or has already succeeded.
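Added example for questions 151 and 152 (not from the question bank): a small log file monitor that reviews server log lines for preconfigured signatures and reports each hit with its line number. The signatures and the sample syslog/httpd lines are constructed for illustration.

```python
# Added example (not from the question bank): a log file monitor (LFM) that
# applies preconfigured signatures to log lines. Signatures and log lines are
# constructed; a real deployment would load both from files.
import re
from collections import Counter
from typing import List, Tuple

# Signature name -> pattern. A hit means the line matches a known, predetermined
# pattern, which is what the signature-based detection method looks for.
SIGNATURES = {
    "ssh-auth-failure": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from \S+"),
    "root-session": re.compile(r"session opened for user root"),
    "web-path-traversal": re.compile(r'"GET [^"]*\.\./'),
}

# Constructed log lines (syslog-style sshd entries and an httpd access entry)
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Mar  1 10:00:02 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 40113 ssh2
Mar  1 10:00:03 host sshd[1203]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Mar  1 10:00:04 host sshd[1203]: pam_unix(sshd:session): session opened for user root
Mar  1 10:00:05 host httpd: 198.51.100.7 - - "GET /../../config.ini HTTP/1.1" 404 -
Mar  1 10:00:06 host httpd: 10.0.0.8 - - "GET /index.html HTTP/1.1" 200 -
"""


def scan(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (signature name, 1-based line number, line) for every match,
    in log order. A line can match more than one signature."""
    hits: List[Tuple[str, int, str]] = []
    for no, line in enumerate(lines, start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, no, line))
    return hits


def summarize(hits: List[Tuple[str, int, str]]) -> Counter:
    """Hit count per signature: the first figure an analyst triages."""
    return Counter(name for name, _no, _line in hits)


def demo() -> List[Tuple[str, int, str]]:
    """Scan the constructed log and return the hits."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for name, no, line in demo():
        print(f"line {no}: {name}: {line}")
    print(summarize(demo()))
```

Only lines that match a stored pattern are reported; an attack with no signature in the table is missed, which is the limitation that the statistical anomaly-based method in question 145 is meant to cover.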

153. What are Honey Pots?

Honey pots are decoy systems designed to lure potential attackers away from critical systems and encourage attacks against themselves. These systems are created for the sole purpose of deceiving potential attackers.

154. What are Honey Nets?

A class of powerful security tools that go beyond routine intrusion detection is known as honey nets.

155. What are Padded Cell Systems?

A padded cell is a honey pot that has been protected so that it cannot be easily compromised. In other words, a padded cell is a hardened honey pot.

156. What are foot printing and finger printing?

One of the preparatory parts of the attack protocol is the collection of publicly available information about a potential target, a process known as footprinting.

Footprinting is the organized research of the Internet addresses owned or controlled by the target organization. The attacker uses public Internet data sources to perform keyword searches to identify the network addresses of the organization.

STANDARD QUESTIONS

157. What are Vulnerability Scanners?

Vulnerability scanners are capable of scanning networks for very detailed information. As a class, they identify exposed usernames and groups, show open network shares, expose configuration problems, and other vulnerabilities in servers.

158. Define Packet Sniffers

A network tool that collects copies of packets from the network and analyzes them. It can be used to eavesdrop on the network traffic. To use a packet sniffer legally, you must be on a network that the organization owns, under direct authorization of the owners of the network, and have the knowledge and consent of the content creators (users).

159. What is Cryptography?.

Cryptography, which comes from the Greek words kryptos, meaning “hidden”, and graphein, meaning “to write”, is a process of making and using codes to secure the transmission of information.

160. What is Cryptanalysis?

Cryptanalysis is the process of obtaining the original message (called plaintext) from an encrypted message (called the ciphertext) without knowing the algorithms and keys used to perform the encryption.

161. Define Encryption

Encryption is the process of converting an original message into a form that is unreadable to unauthorized individuals; that is, to anyone without the tools to convert the encrypted message back to its original format.

162. Define Decryption

Decryption is the process of converting the cipher text into a message that conveys readily understood meaning.

163. What is Public Key Infrastructure (PKI)?

Public Key Infrastructure is an integrated system of software, encryption methodologies and legal agreements that can be used to support the entire information infrastructure of an organization.

164. What are the PKI Benefits?

Public key infrastructure (also known as PKI) provides the framework of services, technology, protocols, and standards that enable us to deploy and manage a strong information security system that is based on public key technology. We can deploy our public key infrastructure to support a wide range of network and information security needs.

165. How are e-mail systems secured?

The protection of email from unauthorized access and inspection is known as electronic privacy. In countries with a constitutional guarantee of the secrecy of correspondence, email is equated with letters and thus legally protected from all forms of eavesdropping.

166. What are the seven major sources of physical loss?

• Extreme Temperature

• Gases

• Liquids

• Living organisms

• Projectiles


• Movement

• Energy anomalies

167. What is a Secure Facility?

A secure facility is a physical location that has been engineered with controls designed to minimize the risk of attacks from physical threats. A secure facility can use the natural terrain, traffic flow, and urban development, and can complement these features with protection mechanisms such as fences, gates, walls, guards, and alarms.

168. What are the controls used in a Secure Facility?

• Walls, fencing and gates

• Dogs, ID cards and badges

• Guards

• Locks and keys

• Mantraps

• Electronic monitoring

• Alarms and alarm systems

169. What are the functions of Chief Information Security officer?

• Manages the overall InfoSec program

• Drafts or approves information security policies

• Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans

• Develops InfoSec budgets based on funding

• Sets priorities for InfoSec projects and technology

• Makes decisions in recruiting, hiring, and firing of security staff

• Acts as the spokesperson for the security team

PART B - (5 X 16 = 80 Marks)

UNIT I - INTRODUCTION

MOST IMPORTANT QUESTIONS

170. Explain in detail about software development life cycle process. [NOV/DEC 2011] [MAY/JUNE 2013] [MAY/JUNE 2012] (16)

SDLC Waterfall Methodology

SDLC is a methodology for the design and implementation of an information system in an organization.

• A methodology is a formal approach to solving a problem based on a structured sequence of procedures.

• SDLC consists of 6 phases.

Investigation


• It is the most important phase and it begins with an examination of the event or plan that initiates the process.

• During this phase, the objectives, constraints, and scope of the project are specified.

• At the conclusion of this phase, a feasibility analysis is performed, which assesses the economic, technical and behavioral feasibilities of the process and ensures that implementation is worth the organization’s time and effort.

Analysis

• It begins with the information gained during the investigation phase.

• It consists of assessments (quality) of the organization, the status of current systems, and the capability to support the proposed systems.

• Analysts begin by determining what the new system is expected to do, and how it will interact with existing systems.

• This phase ends with the documentation of the findings and an update of the feasibility analysis.

Logical Design

• In this phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem.

• Based on the business need, applications are selected that are capable of providing needed services.

• Based on the applications needed, data support and structures capable of providing the needed inputs are then chosen.

• In this phase, analysts generate a number of alternative solutions, each with corresponding strengths and weaknesses, and costs and benefits.

• At the end of this phase, another feasibility analysis is performed.

Physical design

• In this phase, specific technologies are selected to support the solutions developed in the logical design.

• The selected components are evaluated based on a make-or-buy decision.

• Final designs integrate various components and technologies.

Implementation

• In this phase, any needed software is created.

• Components are ordered, received and tested.

• Afterwards, users are trained and supporting documentation created.

• Once all the components are tested individually, they are installed and tested as a system.

• Again a feasibility analysis is prepared, and the sponsors are then presented with the system for a performance review and acceptance test.


Maintenance and change

• It is the longest and most expensive phase of the process.

• It consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.

• Periodically, the system is tested for compliance with business needs.

• Upgrades, updates, and patches are managed.

• As the needs of the organization change, the systems that support the organization must also change.

• When a current system can no longer support the organization, the project is terminated and a new project is implemented.

Figure 2: Software Development Life Cycle

171. Explain in detail about components of information system. [NOV/DEC 2011] [NOV/DEC 2012] [MAY/JUNE 2013] (16)

Components of an Information System

• Software

• Hardware

• Data

• People

• Procedures

• Networks

Software

The software components of an IS comprise applications, operating systems, and assorted command utilities. Software programs are the vessels that carry the lifeblood of information through an organization. These are often created under the demanding constraints of project management, which limit time, cost, and manpower.


Hardware

Hardware is the physical technology that houses and executes the software, stores and carries the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of these physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible.

Data

• Data stored, processed, and transmitted through a computer system must be protected.

• Data is often the most valuable asset possessed by an organization and is the main target of intentionalattacks.

• The raw, unorganized, discrete (separate, isolated), potentially useful facts and figures that are later processed (manipulated) to produce information.

People

There are many roles for people in information systems. Common ones include

• Systems Analyst

• Programmer

• Technician

• Engineer

• Network Manager

• MIS (Manager of Information Systems)

• Data entry operator

Procedures

A procedure is a series of documented actions taken to achieve something. A procedure is more than a single simple task. A procedure can be quite complex and involved, such as performing a backup, shutting down a system, or patching software.

Networks

• When information systems are connected to each other to form Local Area Networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge.

• Steps to provide network security are essential, as is the implementation of alarm and intrusion systems to make system owners aware of ongoing compromises.


Securing Components

Protecting the components from potential misuse and abuse by unauthorized users.

• Subject of an attack: the computer is used as an active tool to conduct the attack.

• Object of an attack: the computer itself is the entity being attacked.

Two types of attacks

• Direct attack

• Indirect attack

Figure 3: Attacks in a system

Direct attack: when a hacker uses his personal computer to break into a system. [Originates from the threat itself]

Indirect attack: when a system is compromised and used to attack other systems. [Originates from a system or resource that itself has been attacked, and is malfunctioning or working under the control of a threat]

A computer can, therefore, be both the subject and object of an attack when, for example, it is first the object of an attack and then compromised and used to attack other systems, at which point it becomes the subject of an attack.

Balancing Information Security and Access

• Security has to be provided while access to the information remains feasible for its application.

• Information Security cannot be an absolute: it is a process, not a goal.

• Should balance protection and availability.

172. What is Information Security? Describe critical characteristics of information security. [NOV/DEC 2011] [NOV/DEC 2012] [MAY/JUNE 2012] (16)

Information Security

It is a well-informed sense of assurance that the information risks and controls are in balance.

Characteristics of Information Security:

• Confidentiality

• Integrity

• Availability


• Privacy

• Identification

• Authentication

• Authorization

• Accountability

• Accuracy

• Utility

• Possession

Confidentiality

Confidentiality of information ensures that only those with sufficient privileges may access certain information. When unauthorized individuals or systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used:

• Information classification

• Secure document storage

• Application of general security policies

• Education of information custodians and end users

Integrity

Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.

Integrity means that data cannot be modified without authorization.

Eg: Integrity is violated when an employee deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a website, when someone is able to cast a very large number of votes in an online poll, and so on.

Availability

Availability is the characteristic of information that enables user access to information without interference or obstruction and in a required format. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.

For any information system to serve its purpose, the information must be available when it is needed.

Eg: High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.

Privacy


The information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected. This definition of privacy does not focus on freedom from observation (the meaning usually associated with the word), but rather means that information will be used only in ways known to the person providing it.

Identification

An information system possesses the characteristic of identification when it is able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.

Authentication

Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.

In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine (i.e. they have not been forged or fabricated).

Authorization

After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.

Accountability

The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability.

Accuracy

Information should have accuracy. Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information contains a value different from the user’s expectations, due to the intentional or unintentional modification of its content, it is no longer accurate.

Utility

Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful. Thus, the value of information depends on its utility.

Possession

Possession of information is the quality or state of having ownership or control of some object or item.

IMPORTANT QUESTIONS

173. What is SDLC? Illustrate the security of SDLC. [NOV/DEC 2012] [MAY/JUNE 2012] (16)

SDLC is a methodology for the design and implementation of an information system in an organization.

The same phases used in the traditional SDLC can be adapted to support the implementation of an information security project.

Investigation


• This phase begins with a directive from upper management, dictating the process, outcomes, and goals of the project, as well as its budget and other constraints.

• Frequently, this phase begins with an enterprise information security policy, which outlines the implementation of a security program within the organization.

• Teams of responsible managers, employees, and contractors are organized.

• Problems are analyzed.

• The scope of the project, as well as specific goals and objectives, and any additional constraints not covered in the program policy, are defined.

• Finally, an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design.

Analysis

• In this phase, the documents from the investigation phase are studied.

• The development team conducts a preliminary analysis of existing security policies or programs, along with that of documented current threats and associated controls.

• The risk management task also begins in this phase.

• Risk management is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization’s security and to the information stored and processed by the organization.

Logical design

• This phase creates and develops the blueprints for information security, and examines and implements key policies.

• The team plans the incident response actions.

• Plans the business response to disaster.

• Determines the feasibility of continuing and outsourcing the project.

Physical design

• In this phase, the information security technology needed to support the blueprint outlined in the logical design is evaluated.

• Alternative solutions are generated.

• Designs for physical security measures to support the proposed technological solutions are created.

• At the end of this phase, a feasibility study should determine the readiness of the organization for the proposed project.

• At this phase, all parties involved have a chance to approve the project before implementation begins.

Implementation


• Similar to the traditional SDLC.

• The security solutions are acquired (made or bought), tested, implemented, and tested again.

• Personnel issues are evaluated and specific training and education programs are conducted.

• Finally, the entire tested package is presented to upper management for final approval.

Maintenance and change

Constant monitoring, testing, modification, updating, and repairing to meet changing threats are done in this phase.

174. Discuss in detail NSTISSC security model. [NOV/DEC 2011] [NOV/DEC 2012] (8)

NSTISSC Security Model

National Security Telecommunications and Information Systems Security Committee document.

It is now called the National Training Standard for Information Security Professionals.

The NSTISSC Security Model provides a more detailed perspective on security. While the NSTISSC model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls.

Another weakness of using this model with too limited an approach is to view it from a single perspective.

• The three dimensions of each axis become a 3x3x3 cube with 27 cells representing areas that must be addressed to secure today’s information systems.

• To ensure system security, each of the 27 cells must be properly addressed during the security process.

• For example, the intersection between the technology, integrity and storage areas requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage.

Figure 4: NSTISSC Security Model


PART B - UNIT-II - SECURITY INVESTIGATION

MOST IMPORTANT QUESTIONS

175. Discuss in detail the Ethical issues during security investigation. [NOV/DEC 2011] [NOV/DEC 2012] (8)

Information system security refers to the way the system is defended against unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

There are two major aspects of information system security:

• Security of the information technology used - securing the system from malicious cyber-attacks that tend to break into the system and to access critical private information or gain control of the internal systems.

• Security of data - ensuring the integrity of data when critical issues, like natural disasters, computer/server malfunction, physical theft etc. arise. Generally an off-site backup of data is kept for such problems.

Information Systems and Ethics

Information systems bring about immense social changes, threatening the existing distributions of power, money, rights, and obligations. They also raise new kinds of crimes, like cyber-crimes.

The following organizations promote ethical issues:

• The Association of Information Technology Professionals (AITP)

• The Association of Computing Machinery (ACM)

• The Institute of Electrical and Electronics Engineers (IEEE)

• Computer Professionals for Social Responsibility (CPSR)

The ACM Code of Ethics and Professional Conduct

• Strive to achieve the highest quality, effectiveness, and dignity in both the process and products of professional work.

• Acquire and maintain professional competence.

• Know and respect existing laws pertaining to professional work.

• Accept and provide appropriate professional review.

• Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis and possible risks.

• Honor contracts, agreements, and assigned responsibilities.

• Improve public understanding of computing and its consequences.

• Access computing and communication resources only when authorized to do so.


The IEEE Code of Ethics and Professional Conduct

The IEEE code of ethics demands that every professional vow to commit themselves to the highest ethical and professional conduct and agree:

• to accept responsibility in making decisions consistent with the safety, health and welfare of the public, and to disclose promptly factors that might endanger the public or the environment;

• to avoid real or perceived conflicts of interest whenever possible, and to disclose them to affected parties when they do exist;

• to be honest and realistic in stating claims or estimates based on available data;

• to reject bribery in all its forms;

• to improve the understanding of technology, its appropriate application, and potential consequences;

• to maintain and improve our technical competence and to undertake technological tasks for others only if qualified by training or experience, or after full disclosure of pertinent limitations;

• to seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others;

• to treat fairly all persons regardless of such factors as race, religion, gender, disability, age, or national origin;

• to avoid injuring others, their property, reputation, or employment by false or malicious action;

• to assist colleagues and co-workers in their professional development and to support them in following this code of ethics.

The Association of Information Technology Professionals (AITP)

The Association of Information Technology Professionals (AITP) is a professional association that focuses on information technology education for business professionals. The group is a non-profit US-oriented group, but its activities are performed by about 200 local chapters organized on a geographic basis worldwide, and a similar number of student chapters at colleges and universities.

The Association requires its members to abide by a code of ethics that has been in place for decades, predating both the HIPAA and Sarbanes-Oxley legislation. The Association also requires members to operate by a "Standards of Conduct" for IT Professionals, which adds specifics.

Computer Professionals for Social Responsibility (CPSR)

Computer Professionals for Social Responsibility (CPSR) was a global organization promoting the responsible use of computer technology.

CPSR Ethics:

• Thou shalt not use a computer to harm other people.

• Thou shalt not interfere with other people’s computer work.

• Thou shalt not snoop around in other people’s computer files.


• Thou shalt not use a computer to steal.

• Thou shalt not use a computer to bear false witness.

• Thou shalt not copy or use proprietary software for which you have not paid.

• Thou shalt not use other people’s computer resources without authorization or proper compensation.

• Thou shalt not appropriate other people’s intellectual output.

• Thou shalt think about the social consequences of the program you are writing or the system you are designing.

• Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

176. Explain in detail about different type of threats. [NOV/DEC 2011] [MAY/JUNE 2012] (8)

Threats to Information Security

Categories of threat, with examples:

• Acts of human error or failure – Accidents, employee mistakes

• Compromises to intellectual property – Piracy, copyright infringement

• Deliberate acts of espionage or trespass – Unauthorized access and/or data collection

• Deliberate acts of information extortion – Blackmail or information disclosure

• Deliberate acts of sabotage or vandalism – Destruction of systems or information

• Deliberate acts of theft – Illegal confiscation of equipment or information

• Deliberate software attacks – Viruses, worms, macros, denial-of-service

• Forces of nature – Fire, flood, earthquake, lightning

• Deviations in quality of service – ISP, power, or WAN service providers

• Technical hardware failures or errors – Equipment failure

• Technical software failures or errors – Bugs, code problems, unknown loopholes

• Technological obsolescence – Antiquated or outdated technologies

Threats

Acts of Human Error or Failure:

• Acts performed without intent or malicious purpose by an authorized user.

• Because of inexperience or improper training.

• Making of incorrect assumptions. One of the greatest threats to an organization’s information security is the organization’s own employees.

• Entry of erroneous data.

• Accidental deletion or modification of data.

• Storage of data in unprotected areas.

• Failure to protect information can be prevented with:

– Training

– Ongoing awareness activities

– Verification by a second party

– Many military applications have robust, dual-approval controls built in.

Compromises to Intellectual Property


• Intellectual property is defined as the ownership of ideas and control over the tangible or virtual representation of those ideas.

• Intellectual property includes trade secrets, copyrights, trademarks, and patents.

• Once intellectual property has been defined and properly identified, breaches to IP constitute a threat to the security of this information.

• Organizations purchase or lease the IP of other organizations.

• The most common IP breach is the unlawful use or duplication of software-based intellectual property, more commonly known as software piracy.

• Software piracy affects the world economy.

• The U.S. provides approximately 80 percent of the world’s software. In addition to the laws surrounding software piracy, two watchdog organizations investigate allegations of software abuse: the Software and Information Industry Association (SIIA), i.e. the Software Publishers Association, and the Business Software Alliance (BSA).

• Another effort to combat (take action against) piracy is the online registration process.

Deliberate Acts of Espionage or Trespass

• Electronic and human activities that can breach the confidentiality of information.

• When an unauthorized individual gains access to the information an organization is trying to protect, it is categorized as an act of espionage or trespass.

• Attackers can use many different methods to access the information stored in an information system:

– Competitive intelligence (using a web browser to get information from market research)

– Industrial espionage (spying)

– Shoulder surfing (e.g. at an ATM)

Trespass

• Can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.

• Sound principles of authentication and authorization can help organizations protect valuable information and systems.

• Hackers -> “People who use and create computer software to gain access to information illegally”

• There are generally two skill levels among hackers.

• Expert hackers -> Masters of several programming languages, networking protocols, and operating systems.

• Unskilled hackers

Deliberate Acts of Information Extortion (obtain by force or threat)

Possibility of an attacker or trusted insider stealing information from a computer system and demanding compensation for its return or for an agreement not to disclose the information.

Deliberate Acts of sabotage or Vandalism


• Destroy an asset, or

• Damage the image of the organization.

• Cyber terrorism - Cyber terrorists hack systems to conduct terrorist activities through network or internet pathways.

Deliberate Acts of Theft

• Illegal taking of another’s property – is a constant problem.

• Within an organization, property can be physical, electronic, or intellectual.

• Physical theft can be controlled by installation of alarm systems.

• Trained security professionals.

• Electronic theft control is under research.

Deliberate Software Attacks

• Because of malicious code or malicious software, sometimes called malware.

• These software components are designed to damage, destroy or deny service to the target system.

• More common instances are viruses, worms, Trojan horses, logic bombs, and backdoors.

• The British Internet Service Provider Cloudnine is said to be the first business hacked out of existence.

177. Explain the four important functions of information security in an organization. [NOV/DEC 2011] [NOV/DEC 2012] (16)

Business Needs First

Information security performs four important functions for an organization:

• Protects the organization’s ability to function.

• Enables the safe operation of applications implemented on the organization’s IT systems.

• Protects the data the organization collects and uses.

• Safeguards the technology assets in use at the organization.

Protecting the functionality of an organization

Decision makers in organizations must set policy and operate their organizations in compliance with the complex, shifting legislation that controls the use of technology.

Enabling the safe operation of applications

• Organizations are under immense pressure to acquire and operate integrated, efficient, and capable applications.

• The modern organization needs to create an environment that safeguards applications using the organization’s IT systems, particularly those applications that serve as important elements of the infrastructure of the organization.


Protecting data that organizations collect and use

• Protecting data in motion

• Protecting data at rest

• Both are critical aspects of information security.

• The value of data motivates attackers to steal, sabotage, or corrupt it.

• It is essential for the protection of the integrity and value of the organization’s data.

Safeguarding Technology assets in organizations

• Must add secure infrastructure services based on the size and scope of the enterprise.

• Organizational growth could lead to the need for a public key infrastructure (PKI), an integrated system of software and encryption methodologies.

178. Explain the major types of attacks in detail. [NOV/DEC 2012] [MAY/JUNE 2013] (8)

Attack

An attack is an act or action that takes advantage of a vulnerability to compromise a controlled system.

The following sections discuss each of the major types of attacks used against controlled systems:

Malicious code

• The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.

• The state-of-the-art malicious code attack is the polymorphic, or multivector, worm.

• These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in commonly found information system devices.

Hoaxes

• A more devious approach to attacking computer systems is the transmission of a virus hoax with a real virus attached.

• Even though these users are trying to avoid infection, they end up sending the attack on to their co-workers.

Backdoors

• Using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door.

• Sometimes these entries are left behind by system designers or maintenance staff, and are thus referred to as trap doors.

• A trap door is hard to detect, because very often the programmer who puts it in place also makes the access exempt from the usual audit logging features of the system.


Password Crack

• Attempting to reverse-calculate a password is often called cracking.

• A candidate password can be hashed using the same algorithm and compared to the stored hash; if they are the same, the password has been cracked.

• The Security Account Manager (SAM) file contains the hashed representation of the user’s password.

Brute Force

• The application of computing and network resources to try every possible combination of options of a password is called a brute force attack.

• This is often an attempt to repeatedly guess passwords to commonly used accounts; it is sometimes called a password attack.

Dictionary

• This is another form of the brute force attack noted above for guessing passwords.

• The dictionary attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords instead of random combinations.
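Brute force and dictionary guessing both leave a trail in the audit logs that the accountability characteristic above relies on. The following is an added example, not part of the question bank, that runs a simple detector over a constructed authentication log (the log format, thresholds and IP addresses are assumptions): it flags repeated failures against one account, one source failing across several chosen accounts (the dictionary pattern), and a success shortly after failures, while leaving an ordinary user's single mistyped password alone.

```python
"""Detecting password-guessing (brute-force and dictionary style) in an authentication log
from the audit-log side (added example; log format and thresholds are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format: "<ISO timestamp> <OK|FAIL> <account> <source-ip>".
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL alice 203.0.113.5
2024-03-01T09:00:02 FAIL alice 203.0.113.5
2024-03-01T09:00:02 FAIL alice 203.0.113.5
2024-03-01T09:00:03 FAIL alice 203.0.113.5
2024-03-01T09:00:04 FAIL alice 203.0.113.5
2024-03-01T09:00:05 OK alice 203.0.113.5
2024-03-01T09:00:10 FAIL bob 198.51.100.9
2024-03-01T09:00:11 FAIL carol 198.51.100.9
2024-03-01T09:00:12 FAIL dave 198.51.100.9
2024-03-01T09:00:13 FAIL erin 198.51.100.9
2024-03-01T09:30:00 FAIL frank 192.0.2.77
2024-03-01T09:45:00 OK frank 192.0.2.77
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+(\S+)\s+(\S+)$")


def parse_log(text: str) -> list:
    """Turn log lines into (timestamp, result, account, source) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, result, account, source = match.groups()
            events.append((datetime.fromisoformat(ts), result, account, source))
    return events


def detect_password_guessing(events, window=timedelta(seconds=60),
                             per_account_threshold=5, spread_threshold=3) -> list:
    """Return (kind, source, account) alerts in the order they fire.

    brute-force:            one source fails repeatedly against one account within `window`
    multi-account:          one source fails against several different accounts within `window`
                            (the dictionary pattern of picking specific accounts to attack)
    success-after-failures: a success shortly after failures from the same source, the
                            signal that a guess may actually have worked
    """
    alerts, flagged = [], set()
    failures = defaultdict(list)        # (source, account) -> failure timestamps inside the window
    last_failure = defaultdict(dict)    # source -> {account: timestamp of its last failure}
    for ts, result, account, source in sorted(events):
        key = (source, account)
        if result == "FAIL":
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= per_account_threshold and ("brute-force",) + key not in flagged:
                flagged.add(("brute-force",) + key)
                alerts.append(("brute-force", source, account))
            last_failure[source][account] = ts
            accounts_hit = [a for a, t in last_failure[source].items() if ts - t <= window]
            if len(accounts_hit) >= spread_threshold and ("multi-account", source) not in flagged:
                flagged.add(("multi-account", source))
                alerts.append(("multi-account", source, None))
        elif failures[key] and ts - failures[key][-1] <= window:
            # A success right after a run of failures is the highest-priority alert.
            alerts.append(("success-after-failures", source, account))
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Account lockout or rate limiting after a few failures is the corresponding preventive control; the detector above is what tells you the control was tested.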

Denial-of-Service (DOS) and Distributed Denial-of-Service (DDOS)

• The attacker sends a large number of connection or information requests to a target.

• This may result in the system crashing, or simply becoming unable to perform ordinary functions.

• DDOS is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

Spoofing

It is a technique used to gain unauthorized access to computers, wherein the intruder sends messages to a computer with an IP address that indicates that the messages are coming from a trusted host.

Figure 5: IP Spoofing


179. List and discuss any four professional organizations in providing information security. [MAY/JUNE 2013] [MAY/JUNE 2012] (16)

The following are the four important professional organizations in providing Information Security:

• The Association of Information Technology Professionals (AITP)

• The Association of Computing Machinery (ACM)

• The Institute of Electrical and Electronics Engineers (IEEE)

• Computer Professionals for Social Responsibility (CPSR)

The ACM Code of Ethics and Professional Conduct

• Strive to achieve the highest quality, effectiveness, and dignity in both the process and products of professional work.

• Acquire and maintain professional competence.

• Know and respect existing laws pertaining to professional work.

• Accept and provide appropriate professional review.

• Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis and possible risks.

• Honor contracts, agreements, and assigned responsibilities.

• Improve public understanding of computing and its consequences.

• Access computing and communication resources only when authorized to do so.

The IEEE Code of Ethics and Professional Conduct

The IEEE code of ethics demands that every professional vow to commit themselves to the highest ethical and professional conduct and agree:

• to accept responsibility in making decisions consistent with the safety, health and welfare of the public, and to disclose promptly factors that might endanger the public or the environment;

• to avoid real or perceived conflicts of interest whenever possible, and to disclose them to affected parties when they do exist;

• to be honest and realistic in stating claims or estimates based on available data;

• to reject bribery in all its forms;

• to improve the understanding of technology, its appropriate application, and potential consequences;

• to maintain and improve our technical competence and to undertake technological tasks for others only if qualified by training or experience, or after full disclosure of pertinent limitations;

• to seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others;


• to treat fairly all persons regardless of such factors as race, religion, gender, disability, age, or national origin;

• to avoid injuring others, their property, reputation, or employment by false or malicious action;

• to assist colleagues and co-workers in their professional development and to support them in following this code of ethics.

The Association of Information Technology Professionals (AITP)

The Association of Information Technology Professionals (AITP) is a professional association that focuses on information technology education for business professionals. The group is a non-profit US-oriented group, but its activities are performed by about 200 local chapters organized on a geographic basis worldwide, and a similar number of student chapters at colleges and universities.

The Association requires its members to abide by a code of ethics that has been in place for decades, predating both the HIPAA and Sarbanes-Oxley legislation. The Association also requires members to operate by a "Standards of Conduct" for IT Professionals, which adds specifics.

Computer Professionals for Social Responsibility (CPSR)

Computer Professionals for Social Responsibility (CPSR) was a global organization promoting the responsible use of computer technology.

CPSR Ethics:

• Thou shalt not use a computer to harm other people.

• Thou shalt not interfere with other people’s computer work.

• Thou shalt not snoop around in other people’s computer files.

• Thou shalt not use a computer to steal.

• Thou shalt not use a computer to bear false witness.

• Thou shalt not copy or use proprietary software for which you have not paid.

• Thou shalt not use other people’s computer resources without authorization or proper compensation.

• Thou shalt not appropriate other people’s intellectual output.

• Thou shalt think about the social consequences of the program you are writing or the system you are designing.

• Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

IMPORTANT QUESTIONS

180. Explain in detail the different types of cryptanalytic attacks. [Expected] (8)

Methods of cryptanalytic attacks

Cryptanalytic attacks compromise keys by decipherment, that is, by working the key out from the data available to the analyst. The goal of cryptanalysis is to recover the private key or secret key. The amount of information provided to the analyst, as well as the type of information provided, determines the type of attacks possible.


The following are six possible attack scenarios.

Ciphertext only attack:

This type of attack refers to the availability of only the ciphertext (encrypted text) to the cryptanalyst. With large ciphertext data, it may be possible to decipher the ciphertext by analyzing the pattern.

Known-plaintext attack:

This type of attack happens when a cryptanalyst obtains a ciphertext as well as the corresponding plaintext. In this scenario, even if the data is small, it is possible to understand the algorithm.

Chosen-plaintext attack:

This type of attack refers to the availability of the corresponding ciphertext for a block of plaintext chosen by the analyst.

Adaptive-chosen-plaintext attack:

This type of cryptanalytic attack is known as an adaptive-chosen-plaintext attack if the cryptanalyst can choose the samples of the plaintext based on the results of previous encryptions in a dynamic fashion.

Chosen-ciphertext attack:

In this type of attack the cryptanalyst chooses a sample of ciphertext and obtains the corresponding plaintext.

Adaptive-chosen-ciphertext attack:

This type of attack is similar to the chosen-ciphertext attack, but the samples of ciphertext are dynamically selected by the cryptanalyst and the selection can be based on the previous results as well.
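To make concrete how the information available to the analyst decides the attack, here is an added example (not from the question bank) that runs the ciphertext-only, known-plaintext, chosen-plaintext and chosen-ciphertext scenarios against a toy shift cipher. The cipher, key and messages are constructed for illustration; the adaptive variants are the same oracle calls repeated in a loop, so they are not shown separately.

```python
"""Worked toy cryptanalysis: one cipher under ciphertext-only, known-plaintext,
chosen-plaintext and chosen-ciphertext conditions (added example, not page content)."""
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def shift_encrypt(plaintext: str, key: int) -> str:
    """Toy shift (Caesar) cipher: each letter moves `key` places; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    return shift_encrypt(ciphertext, -key)


def ciphertext_only_attack(ciphertext: str):
    """Ciphertext-only: the analyst has nothing but ciphertext and exploits the pattern that
    E is the most frequent letter of English. Returns None when no letter is clearly dominant,
    i.e. when the sample is too small for frequency analysis to say anything."""
    counts = Counter(ch for ch in ciphertext if ch in ALPHABET)
    ranked = counts.most_common(2)
    if len(ranked) < 2 or ranked[0][1] == ranked[1][1]:
        return None
    top_letter = ranked[0][0]
    return (ALPHABET.index(top_letter) - ALPHABET.index("E")) % 26


def known_plaintext_attack(plaintext: str, ciphertext: str) -> int:
    """Known-plaintext: one matching letter pair fixes the key, however short the sample."""
    for p, c in zip(plaintext.upper(), ciphertext):
        if p in ALPHABET and c in ALPHABET:
            return (ALPHABET.index(c) - ALPHABET.index(p)) % 26
    raise ValueError("sample contains no letters")


def chosen_plaintext_attack(encrypt_oracle) -> int:
    """Chosen-plaintext: the analyst picks the input. Encrypting 'A' (index 0) reveals the key directly."""
    return ALPHABET.index(encrypt_oracle("A"))


def chosen_ciphertext_attack(decrypt_oracle) -> int:
    """Chosen-ciphertext: the analyst picks the ciphertext. Decrypting 'A' yields the letter at index -key."""
    return (-ALPHABET.index(decrypt_oracle("A"))) % 26


# Constructed sample data: a secret key, an English message long enough for frequency
# analysis to work, and a short one on which it cannot.
SECRET_KEY = 7
LONG_MESSAGE = ("SECURE SYSTEMS NEED EVERY EMPLOYEE TO PRESERVE THE SECRET KEY "
                "AND NEVER RELEASE ENCRYPTED MESSAGES WITHOUT PERMISSION")
SHORT_MESSAGE = "KEY"


def demo() -> dict:
    """Run each scenario against the constructed data and return the recovered key per scenario."""
    return {
        "ciphertext_only_long": ciphertext_only_attack(shift_encrypt(LONG_MESSAGE, SECRET_KEY)),
        "ciphertext_only_short": ciphertext_only_attack(shift_encrypt(SHORT_MESSAGE, SECRET_KEY)),
        "known_plaintext_short": known_plaintext_attack(SHORT_MESSAGE, shift_encrypt(SHORT_MESSAGE, SECRET_KEY)),
        "chosen_plaintext": chosen_plaintext_attack(lambda p: shift_encrypt(p, SECRET_KEY)),
        "chosen_ciphertext": chosen_ciphertext_attack(lambda c: shift_decrypt(c, SECRET_KEY)),
    }


if __name__ == "__main__":
    for scenario, recovered in demo().items():
        print(f"{scenario:>22}: {recovered}")
```

The same three-letter sample that defeats the ciphertext-only attack is enough for the known-plaintext attack, which is the page's point that the type and amount of information available decides which attack is possible.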

STANDARD QUESTIONS

181. Describe the attack replication vectors and the major type of attacks. (8)

Attack Replication Vectors

• IP scan and attack

• Web browsing

• Virus

• Unprotected shares

• Mass mail

• Simple Network Management Protocol (SNMP)

IP scan and attack

The infected system scans a random or local range of IP addresses and targets any of several vulnerabilities known to hackers.

Web browsing


If the infected system has write access to any Web pages, it makes all Web content files (.html, .asp, .cgi and others) infectious, so that users who browse to those pages become infected.

Virus

Each infected machine infects certain common executable or script files on all computers to which it can write with virus code that can cause infection.

Unprotected shares

Using vulnerabilities in file systems and the way many organizations configure them, the infected machine copies the viral component to all locations it can reach.

Mass Mail

By sending E-mail infections to addresses found in the address book, the infected machine infects many users, whose mail-reading programs also automatically run the program and infect other systems.

Simple Network Management Protocol (SNMP)

By using the widely known and common passwords that were employed in early versions of this protocol, the attacking program can gain control of the device. Most vendors have closed these vulnerabilities with software upgrades.

PART B - UNIT-III - QUALITY CONTROL AND RELIABILITY

MOST IMPORTANT QUESTIONS

182. Sketch and explain the components of the Risk Identification process. [NOV/DEC 2011] [NOV/DEC 2012] [MAY/JUNE 2013] [MAY/JUNE 2012] (16)

Risk Identification

• IT professionals must know their organization's information assets by identifying, classifying and prioritizing them.

• Assets are the targets of various threats and threat agents, and the goal is to protect the assets from the threats.

• Once the organizational assets have been identified, a threat identification process is undertaken.

• The circumstances and settings of each information asset are examined to identify vulnerabilities.

• When vulnerabilities are found, controls are identified and assessed as to their capability to limit possible losses in the eventuality of attack.

• The process of Risk Identification begins with the identification of the organization's information assets and an assessment of their value.

• The components of this process are shown in Figure 6.

Asset Identification and Valuation:

Includes all the elements of an organization's system, such as people, procedures, data and information, software, hardware, and networking elements. Then, you classify and categorize the assets, adding details.


Figure 6: Components of Risk Identification Process

• People include employees and nonemployees. There are two categories of employees: those who hold trusted roles and have correspondingly greater authority and accountability, and other staff who have assignments without special privileges. Nonemployees include contractors and consultants, members of other organizations with which the organization has a trust relationship, and strangers.

• Procedures fall into two categories: IT and business standard procedures, and IT and business sensitive procedures. The business sensitive procedures are those that may assist a threat agent in crafting an attack against the organization or that have some other content or feature that may introduce risk to the organization.

• Data components have been expanded to account for the management of information in all stages: transmission, processing, and storage.

• Software components can be assigned to one of three categories: applications, operating systems, or security components. Software components that provide security controls may span the range of operating systems and applications categories, but are differentiated by the fact that they are part of the information security control environment and must be protected more thoroughly than other system components.

• Hardware is assigned to one of two categories: the usual systems devices and their peripherals, and the devices that are part of information security control systems. The latter must be protected more thoroughly than the former.

People, Procedures, and Data Asset Identification:

• People: Position name/number/ID; supervisor; security clearance level; special skills.

• Procedures: Description/intended purpose/relationship to software, hardware and networking elements; storage location for update; storage location for reference.


• Data: Classification; owner; creator; manager; size of data structure; data structure used; online/offline; location; backup procedures employed.

Hardware, Software, and Network Asset Identification

The attributes recorded depend on the needs of the organization and its risk management efforts.

• Name: Should adopt naming standards that do not convey information to potential system attackers.

• IP address: Useful for network devices and servers. Many organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset identification process problematic. IP address use in inventory is usually limited to those devices that use static IP addresses.

• Media Access Control (MAC) address: Electronic serial numbers or hardware addresses. All network interface hardware devices have a unique number. The MAC address number is used by the network operating system as a means to identify a specific network device. It is used by the client's network software to recognize traffic that it must process.

• Element Type: Document the function of each element by listing its type. For hardware, record one of the possible element types, such as servers, desktops, networking devices or test equipment.

• Serial Number: For hardware devices, the serial number can uniquely identify a specific device.

• Manufacturer Name: Record the manufacturer of the device or software component. This can be useful when responding to incidents that involve these devices or when certain manufacturers announce specific vulnerabilities.

• Manufacturer's Model No or Part No: Record the model or part number of the element. This record of exactly what the element is can be very useful in later analysis of vulnerabilities, because some vulnerability instances only apply to specific models of certain devices and software components.

• Software Version, Update revision, or FCO number: Document the specific software or firmware revision number and, for hardware devices, the current field change order (FCO) number. An FCO is an authorization issued by an organization for the repair, modification, or update of a piece of equipment. Documenting the revision number and FCO is particularly important for networking devices that function mainly through the software running on them. For example, firewall devices often have three versions: an operating system (OS) version, a software version, and a basic input/output system (BIOS) firmware version.

• Physical location: Note where this element is located physically (hardware).

• Logical Location: Note where this element can be found on the organization's network. The logical location is most useful for networking devices and indicates the logical network where the device is connected.

• Controlling Entity: Identify which organizational unit controls the element.


Figure 7: Categorization of IT components

183. Explain in detail about Risk Control strategy. [NOV/DEC 2011] [NOV/DEC 2012] [MAY/JUNE 2012] (8)

Risk Control Strategies

There are four basic strategies for controlling each of the risks that result from these vulnerabilities:

• Apply safeguards that eliminate the remaining uncontrolled risks for the vulnerability [Avoidance]

• Transfer the risk to other areas or to outside entities [Transference]

• Reduce the impact should the vulnerability be exploited [Mitigation]

• Understand the consequences and accept the risk without control or mitigation [Acceptance]

Avoidance

It is the risk control strategy that attempts to prevent the exploitation of the vulnerability, and is accomplished by means of

• Countering threats

• Removing Vulnerabilities in assets

• Limiting access to assets

• Adding protective safeguards.

Three common methods of risk avoidance are

• Application of policy

• Application of Training and Education

• Application of Technology


Transference

• Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations.

• It may be accomplished through rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.

Top 10 Information Security mistakes made by individuals.

• Passwords on Post-it-Notes

• Leaving unattended computers on.

• Opening e-mail attachments from strangers.

• Poor Password etiquette

• Laptops on the loose (unsecured laptops that are easily stolen)

• Blabber mouths (people who talk about passwords)

• Plug and Play [technology that enables hardware devices to be installed and configured without the protection provided by people who perform installations]

• Unreported Security Violations

• Always behind the times.

• Not watching for dangers inside the organization

Mitigation

- It is the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.

Mitigation begins with the early detection that an attack is in progress and the ability of the organization to respond quickly, efficiently and effectively.

- Includes three types of plans:

• Incident response plan (IRP) - Actions to take while an incident is in progress.

• Disaster recovery plan (DRP) - Most common mitigation procedure.

• Business continuity plan (BCP) - Continuation of business activities if catastrophic event occurs.

Incident Response Plan (IRP)

This IRP Plan provides answers to questions such as

• What do I do now?

• What should the administrator do first?

• Whom should they contact?


• What should they document?

The IRP Supplies answers.

For example, a system's administrator may notice that someone is copying information from the server without authorization, signaling a violation of policy by a potential hacker or an unauthorized employee. The IRP also enables the organization to take coordinated action that is either predefined and specific or ad hoc and reactive.

Disaster Recovery Plan (DRP)

• Can include strategies to limit losses before and during the disaster.

• Includes all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede.

• The DRP focuses more on preparations completed before and actions taken after the incident, whereas the IRP focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions.

Business Continuity Plan (BCP)

• BCP is the most strategic and long term of the three plans.

• It encompasses the continuation of business activities if a catastrophic event occurs, such as the loss of an entire database, building or operations center.

• The BCP includes planning the steps necessary to ensure the continuation of the organization when the scope or scale of a disaster exceeds the ability of the DRP to restore operations.

• Many companies offer this service as a contingency against disastrous events such as fires, floods, earthquakes, and most natural disasters.

Acceptance

• It is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.

• This strategy occurs when the organization has:

– Determined the level of risk.

– Assessed the probability of attack.

– Estimated the potential damage that could occur from attacks.

– Performed a thorough cost-benefit analysis.

– Evaluated controls using each appropriate type of feasibility.

– Decided that the particular function, service, information, or asset did not justify the cost of protection.

Selecting a Risk Control Strategy

- The level of threat and the value of the asset play a major role in the selection of a strategy.

- The following rules of thumb on strategy selection can be applied:

• When a vulnerability (flaw or weakness) exists: Implement security controls to reduce the likelihood of the vulnerability being exercised.

• When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk.


• When the attacker's cost is less than his potential gain: Apply protections to increase the attacker's cost.

• When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.

184. Explain in detail about the risk assessment method. [NOV/DEC 2011] [NOV/DEC 2012] [MAY/JUNE 2012] (8)

Risk Assessment

• Assigns a risk rating or score to each Information asset.

• It is useful in gauging the relative risk to each Vulnerable asset.

Valuation of Information assets

• Assign weighted scores for the value to the organization of each Information asset.

• National Institute of Standards and Technology (NIST) gives some standards.

• To be effective, the values must be assigned by asking the following questions:

• Which threats present a danger to an organization's assets in the given environment?

• Which threats represent the most danger to the organization's information?

• How much would it cost to recover from a successful attack?

• Which of the threats would require the greatest expenditure to prevent?

Likelihood

• It is the probability that a specific vulnerability within an organization will be successfully attacked.

• NIST gives some standards.

• 0.1 = Low ; 1.0 = High

• Eg: The number of network attacks can be forecast based on how many network addresses the organization has assigned.

Risk Determination

Risk = [(Likelihood of vulnerability occurrence) x (Value of information asset)] - (Percentage of risk mitigated by current controls) + (Uncertainty of current knowledge of the vulnerability)

For the purpose of relative risk assessment, risk equals:

• Likelihood of vulnerability occurrence TIMES value (or impact)

• MINUS percentage risk already controlled

• PLUS an element of uncertainty


Identify Possible Controls ( For Residual Risk)

Residual risk is the risk that remains to the information asset even after the existing control has been applied.

Three general categories of controls

• Policies

• Programs

• Technologies

Policies

• General Security Policy

• Program Security Policy

• Issue Specific Policy

• Systems Specific Policy

Programs

• Education

• Training

• Awareness

Security Technologies

Technical Implementation Policies

Access Controls

• Specifically addresses admission of a user into a trusted area of the organization.

• Eg: Computer rooms, power rooms.

• Combination of policies, programs, and technologies.

Types of Access controls

Mandatory Access Controls (MACs)

• Give users and data owners limited control over access to information resources.

Nondiscretionary Controls

• Managed by a central authority in the organization; can be based on an individual's role (role-based controls) or a specified set of assigned tasks (task-based controls).


Discretionary Access Controls ( DAC)

Implemented at the discretion or option of the data user.

Lattice-based Access Control

Variation of MAC - users are assigned matrix of authorizations for particular areas of access.
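The three kinds of control described above, side by side, as an added example that is not from the question bank: a lattice-based mandatory check on sensitivity labels (level plus compartments), a discretionary ACL that only the object's owner may change, and a nondiscretionary role-based check administered centrally. The levels, compartments, users, roles and permissions are all constructed for the example.

```python
"""Mandatory (lattice-based), discretionary and role-based access checks.

Added example, not from the question bank. The sensitivity levels,
compartments, users, roles and permissions are all constructed.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels; a higher number dominates a lower one.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    """Lattice element: a level plus a set of compartments (e.g. {"hr", "finance"})."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance in the lattice: at least as high a level AND a superset
        # of the other label's compartments. Level alone is not enough.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_can_read(clearance: Label, classification: Label) -> bool:
    """Mandatory control: the central authority's labels decide, not the user."""
    return clearance.dominates(classification)


@dataclass
class DacObject:
    """An object whose owner decides who else gets which permissions."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> bool:
        # Discretionary: only the owner may change the ACL; anyone else is refused.
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).add(perm)
        return True


def dac_allowed(obj: DacObject, user: str, perm: str) -> bool:
    """The owner always has access; others only what the ACL grants them."""
    return user == obj.owner or perm in obj.acl.get(user, set())


# Nondiscretionary, role-based: a central authority maps roles to
# permissions and users to roles; users cannot grant anything themselves.
ROLE_PERMS = {
    "analyst": {"read_report"},
    "admin": {"read_report", "edit_report", "manage_users"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}


def rbac_allowed(user: str, perm: str) -> bool:
    """Permission flows from the user's assigned roles; unknown users get nothing."""
    return any(perm in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def sample_dac_object() -> DacObject:
    """Constructed DAC scenario: carol owns a file and lets dave read it."""
    obj = DacObject(owner="carol")
    obj.grant("carol", "dave", "read")
    obj.grant("dave", "eve", "read")  # refused: dave is not the owner
    return obj


if __name__ == "__main__":
    hr_secret = Label("secret", frozenset({"hr"}))
    print("MAC read:", mac_can_read(hr_secret, Label("confidential", frozenset({"hr"}))))
    print("MAC read, missing compartment:",
          mac_can_read(Label("secret"), Label("confidential", frozenset({"hr"}))))
    obj = sample_dac_object()
    print("DAC dave read:", dac_allowed(obj, "dave", "read"),
          "eve read:", dac_allowed(obj, "eve", "read"))
    print("RBAC alice edit:", rbac_allowed("alice", "edit_report"),
          "bob edit:", rbac_allowed("bob", "edit_report"))
```

The point the lattice check makes is that a higher clearance level does not by itself grant access: a "secret" clearance without the "hr" compartment is refused a "confidential/hr" object, which is the matrix-of-authorizations behaviour the text attributes to lattice-based control.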

Documenting the Results of Risk Assessment

By the end of the Risk Assessment process, we probably have a collection of long lists of information assets with data about each of them. The goal of this process is to identify the information assets that have specific vulnerabilities and list them, ranked according to those most needing protection. We should also have collected some information about the controls that are already in place. The final summarized document is the ranked vulnerability risk worksheet, a sample of which is shown in the following table.

Figure 8: Sample Ranked Vulnerability Risk Worksheet
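The risk determination formula from question 184 and the ranked vulnerability risk worksheet it feeds, carried through in code as an added example (it is not from the question bank and is not the sample worksheet of Figure 8). The asset names, value scores, likelihoods and control percentages are constructed, and the example assumes, as its own convention, that the "percentage already controlled" and the "uncertainty" terms are applied as fractions of the likelihood x value product.

```python
"""Relative risk rating and a ranked vulnerability risk worksheet.

Added example, not from the question bank. Implements
Risk = (likelihood x asset value)
       - (percentage of that risk already mitigated by current controls)
       + (percentage added for uncertainty of current knowledge),
with both percentages taken as fractions of the likelihood x value term
(an assumption of this example). All asset names and scores are constructed.
"""
from dataclasses import dataclass


@dataclass
class VulnRecord:
    asset: str            # information asset the vulnerability belongs to
    vulnerability: str    # short description of the vulnerability
    asset_value: float    # weighted value score assigned during asset valuation
    likelihood: float     # probability of successful attack, 0.1 (low) to 1.0 (high)
    controlled: float     # fraction of the risk already mitigated by current controls
    uncertainty: float    # fraction added for uncertainty in the estimates


def _check_fraction(name: str, value: float) -> None:
    """Reject fractions outside 0..1 so a bad worksheet entry fails loudly."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0 and 1, got {value}")


def risk_rating(rec: VulnRecord) -> float:
    """Relative risk rating for one asset/vulnerability pair, rounded to 2 places."""
    _check_fraction("likelihood", rec.likelihood)
    _check_fraction("controlled", rec.controlled)
    _check_fraction("uncertainty", rec.uncertainty)
    if rec.asset_value < 0:
        raise ValueError("asset_value must be non-negative")
    base = rec.likelihood * rec.asset_value   # likelihood TIMES value
    mitigated = base * rec.controlled         # MINUS percentage already controlled
    unknown = base * rec.uncertainty          # PLUS an element of uncertainty
    return round(base - mitigated + unknown, 2)


def residual_risk(rec: VulnRecord) -> float:
    """Risk that remains after current controls, before the uncertainty allowance."""
    base = rec.likelihood * rec.asset_value
    return round(base - base * rec.controlled, 2)


def ranked_worksheet(records):
    """Rows of (asset, vulnerability, rating), highest risk first."""
    rows = [(r.asset, r.vulnerability, risk_rating(r)) for r in records]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample inventory: hypothetical assets, scores and percentages.
SAMPLE_RECORDS = [
    VulnRecord("Customer DB server", "Unpatched DBMS", 50, 1.0, 0.0, 0.10),
    VulnRecord("Web application", "Weak session handling", 100, 0.5, 0.5, 0.10),
    VulnRecord("HR file share", "Over-permissive share ACL", 80, 0.2, 0.25, 0.10),
]


if __name__ == "__main__":
    print(f"{'Asset':22} {'Vulnerability':28} {'Rating':>6}")
    for asset, vuln, rating in ranked_worksheet(SAMPLE_RECORDS):
        print(f"{asset:22} {vuln:28} {rating:6.1f}")
```

Note how the second record, despite carrying the highest asset value, ranks below the first because half of its risk is already controlled; the worksheet orders by the residual, not by asset value alone.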

IMPORTANT QUESTIONS

185. Explain in detail about Risk Control Cycle. [MAY/JUNE 2012] (8)

Categories of Controls

• Controlling risk through avoidance, mitigation or transference may be accomplished by implementing controls or safeguards. Four ways to categorize controls have been identified.

• Control function

– Preventive or detective


• Architectural layer

– One or more layers of technical architecture

• Strategy layer

– Avoidance, mitigation

• Information security principle

Control Function

• Safeguards designed to defend systems are either preventive or detective.

• Preventive controls stop attempts to exploit a vulnerability by implementing a security principle, such as authentication or confidentiality.

• Preventive controls use a technical procedure, such as encryption, or some combination of technical means and enforcement methods.

• Detective controls warn organizations of violations of security principles, organizational policies, or attempts to exploit vulnerabilities.

• Detective controls use techniques such as audit trails, intrusion detection and configuration monitoring.

Architectural Layer

- Controls apply to one or more layers of an organization's technical architecture.

- The following entities are commonly regarded as distinct layers in an organization's information architecture.

• Organizational policy.

• External Networks.

• Extranets (or demilitarized zones)

• Intranets (WANs and LANs)

• Network devices that interface network zones (switches, routers, firewalls and hubs)

• Systems [ Mainframe, Server, desktop]

• Applications.

Strategy Layer

Controls are sometimes classified by the risk control strategy they operate within:

• Avoidance

• Mitigation

• Transference

Characteristics of Secure Information


• Confidentiality

• Integrity

• Availability

• Authentication

• Authorization

• Accountability

• Privacy

Confidentiality: The control assures the confidentiality of data when it is stored, processed, or transmitted. An example of this type of control is the use of Secure Sockets Layer (SSL) encryption technology to secure Web content as it moves from Web server to browser.

Integrity: The control assures that the information asset properly, completely, and correctly receives, processes, stores, and retrieves data in a consistent and correct manner. Ex: Use of parity or cyclical redundancy checks in data transmission protocols.

Availability: The control assures ongoing access to critical information assets. Ex: Deployment of a network operations center using a sophisticated network monitoring toolset.

Authentication: The control assures that the entity (person or computer) accessing information assets is in fact the stated entity. Ex: The use of cryptographic certificates to establish SSL connections, or the use of cryptographic hardware tokens such as SecurID cards as a second authentication of identity.

Authorization: The control assures that a user has been specifically and explicitly authorized to access, update, or delete the contents of an information asset. Ex: Use of access control lists and authorization groups in the Windows networking environment. Another example is the use of a database authorization scheme to verify the designated users for each function.

Accountability: The control assures that every activity undertaken can be attributed to a specific named person or automated process. Ex: Use of audit logs to track when each user logged in and logged out of each computer.

Privacy: The control assures that the procedures to access, update, or remove personally identifiable information comply with the applicable laws and policies for that kind of information.


Figure 9: Risk Control Cycle

186. Explain the various feasibility studies considered for a project of information security controls and safeguards. [NOV/DEC 2011] (16)

Feasibility Studies

• Before deciding on the strategy (avoidance, transference, mitigation, or acceptance) for a specific vulnerability, all the economic and non-economic consequences of the vulnerability facing the information asset must be explored.

• Cost Avoidance - It is the process of avoiding the financial impact of an incident by implementing a control.

• Feasibility studies include:

– Cost Benefit analysis

– Organizational feasibility

– Operational Feasibility

– Technical Feasibility

– Political feasibility.

Cost Benefit Analysis (CBA)

Organizations are urged to begin the cost benefit analysis by evaluating the worth of the information assets to be protected and the loss in value if those information assets were compromised by the exploitation of a specific vulnerability.


The formal process to document this decision-making process is called a Cost Benefit analysis or an economic feasibility study.

Cost Benefit Analysis or an Economic Feasibility study

- Some of the items that affect the cost of a control or safeguard include:

• Cost of development or acquisition [purchase cost] of hardware, software and services.

• Training Fees (cost to train personnel)

• Cost of Implementation [cost to install, configure, and test hardware, software and services]

• Service Costs [vendor fees for maintenance and upgrades]

• Cost of maintenance[Labor expense to verify and continually test, maintain and update]

Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability.

The amount of benefit is determined from the value of the information asset and the value at risk.

Asset Valuation is the process of assigning financial value or worth to each information asset. Some of the components of asset valuation include:

• Value retained from the cost of creating the information asset.

• Value retained from past maintenance of the information asset.

• Value implied by the cost of replacing the information.

• Value from providing the information.

• Value incurred from the cost of protecting the information.

• Value to owners.

The organization must be able to place a dollar value on each collection of information and the information assets it owns. This value is based on the answers to these questions:

• How much did it cost to create or acquire this information?

• How much would it cost to recreate or recover this information?

• How much does it cost to maintain this information?

• How much is this information worth to the organization?

• How much is this information worth to the competition?

A Single Loss Expectancy (SLE) is the calculation of the value associated with the most likely loss from an attack. It is a calculation based on the value of the asset and the exposure factor (EF), which is the expected percentage of loss that would occur from a particular attack, as follows:

• Single Loss Expectancy (SLE) = Asset value x Exposure factor [EF]


Exposure factor (EF): the expected percentage of loss that would occur from a particular attack.

The probability of a threat occurring is usually a loosely derived table indicating the probability of an attack from each threat type within a given time frame (for example, once every 10 years). This value is commonly referred to as the annualized rate of occurrence (ARO).

The expected value of a loss can be stated in the following equation, the Annualized Loss Expectancy (ALE), which is calculated from the ARO and the SLE:

• ALE = SLE x ARO

Cost Benefit Analysis (CBA) Formula

CBA determines whether or not the control alternative being evaluated is worth the associated cost incurred to control the specific vulnerability. The CBA is most easily calculated using the ALE from earlier assessments before the implementation of the proposed control, which is known as ALE (prior). Subtract the revised ALE, estimated based on the control being in place, known as ALE (post). Complete the calculation by subtracting the annualized cost of the safeguard (ACS).

• CBA = ALE (Prior) - ALE (Post) - ACS

Where:

• ALE prior is the Annualized Loss Expectancy of the risk before the implementation of the control.

• ALE post is the ALE examined after the control has been in place for a period of time.

• ACS is the Annual Cost of the Safeguard.
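The SLE, ALE and CBA formulas above carried through in code, as an added example that is not part of the question bank. The asset value, exposure factors, rates of occurrence and the five cost items are constructed, and the example assumes (its own convention, not one stated on the page) that the annualized cost of the safeguard spreads the one-time costs evenly over a stated useful life and adds the recurring service and maintenance costs.

```python
"""Single loss expectancy, annualized loss expectancy and cost benefit analysis.

Added example, not from the question bank. Implements
SLE = asset value x EF, ALE = SLE x ARO and CBA = ALE(prior) - ALE(post) - ACS.
All monetary values, exposure factors and rates below are constructed.
"""
from dataclasses import dataclass


@dataclass
class LossScenario:
    asset_value: float      # dollar value assigned to the information asset
    exposure_factor: float  # EF: expected fraction of the asset lost in one attack, 0..1
    aro: float              # annualized rate of occurrence, e.g. 0.1 = once every 10 years


def single_loss_expectancy(s: LossScenario) -> float:
    """SLE = asset value x exposure factor."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if s.asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: LossScenario) -> float:
    """ALE = SLE x ARO."""
    if s.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(s) * s.aro


@dataclass
class Safeguard:
    """The cost items listed in the text; one-time costs are amortized (assumption)."""
    name: str
    acquisition: float        # cost of development or acquisition
    training: float           # training fees
    implementation: float     # install, configure and test
    service: float            # annual vendor fees for maintenance and upgrades
    maintenance: float        # annual labour to verify, test and update
    useful_life_years: int    # years over which the one-time costs are spread

    def annual_cost(self) -> float:
        """ACS: annualized cost of the safeguard."""
        if self.useful_life_years <= 0:
            raise ValueError("useful life must be at least one year")
        one_time = self.acquisition + self.training + self.implementation
        return one_time / self.useful_life_years + self.service + self.maintenance


def cost_benefit(prior: LossScenario, post: LossScenario, safeguard: Safeguard) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the control is worth its cost."""
    return (annualized_loss_expectancy(prior)
            - annualized_loss_expectancy(post)
            - safeguard.annual_cost())


# Constructed scenario: a $1,000,000 customer database, attacked on average
# every two years with 25% loss; the proposed safeguard cuts both the
# exposure factor and the rate of occurrence.
PRIOR = LossScenario(asset_value=1_000_000, exposure_factor=0.25, aro=0.5)
POST = LossScenario(asset_value=1_000_000, exposure_factor=0.10, aro=0.2)
SAFEGUARD = Safeguard("DB activity monitoring", acquisition=60_000, training=5_000,
                      implementation=15_000, service=8_000, maintenance=12_000,
                      useful_life_years=4)

if __name__ == "__main__":
    print(f"SLE prior : {single_loss_expectancy(PRIOR):>12,.2f}")
    print(f"ALE prior : {annualized_loss_expectancy(PRIOR):>12,.2f}")
    print(f"ALE post  : {annualized_loss_expectancy(POST):>12,.2f}")
    print(f"ACS       : {SAFEGUARD.annual_cost():>12,.2f}")
    print(f"CBA       : {cost_benefit(PRIOR, POST, SAFEGUARD):>12,.2f}")
```

With these figures the safeguard returns a positive CBA, so it passes the economic feasibility test; raising its cost items or a smaller reduction in ALE would push the result negative, which is the signal that the control costs more than the loss it prevents.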

Bench Marking

• An alternative approach to risk management

• Process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization.

• One of two measures typically used to compare practices:

– Metrics-based measures

– Process-based measures

• Good for potential legal protection.

The difference between an organization's measures and those of others is often referred to as a performance gap. The other measures commonly used in benchmarking are process-based measures. Process-based measures are generally less focused on numbers and more strategic than metrics-based measures.

Due Care/Due Diligence

• When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances - this is referred to as a standard of due care.


• Due diligence is the demonstration that the organization is diligent in ensuring that the implemented standards continue to provide the required level of protection.

• Failure to support a standard of due care or due diligence can open an organization to legal liability.

Best Business Practices

• Security efforts that provide a superior level of protection of information are referred to as best business practices.

• Best security practices (BSPs) are security efforts that are among the best in the industry.

• When considering best practices for adoption in your organization, consider the following:

– Does your organization resemble the identified target?

– Are the resources you can expend similar?

– Are you in a similar threat environment?

Problems

• The biggest problem with benchmarking in information security is that organizations don't talk to each other.

• Another problem with benchmarking is that no two organizations are identical

• A third problem is that best practices are a moving target.

• One last issue to consider is that simply knowing what was going on a few years ago, as in benchmarking, doesn't necessarily tell us what.

Baselining

• Baselining is the analysis of measures against established standards.

• In information security, baselining is comparing security activities and events against the organization's future performance.

• When baselining it is useful to have a guide to the overall process

Feasibility Studies and the Cost Benefit analysis

• Before deciding on the strategy for a specific vulnerability all information about the economic and non-economic consequences of the vulnerability facing the information asset must be explored.

• Fundamentally we are asking "What are the actual and perceived advantages of implementing a control contrasted with the actual and perceived disadvantages of implementing the control?"

Cost Benefit Analysis (CBA)

• The most common approach for a project of information security controls and safeguards is the economic feasibility of implementation.


• Begins by evaluating the worth of the information assets to be protected and the loss in value if they are compromised.

• It is only common sense that an organization should not spend more to protect an asset than it is worth.

• The formal process to document this is called a cost benefit analysis or an economic feasibility study.

CBA: Cost Factors

Some of the items that affect the cost of a control or safeguard include:

• Cost of Development or Acquisition

• Training Fees

• Cost of implementation.

• Service Costs

• Cost of Maintenance

CBA: Benefits

• Benefit is the value that the organization recognizes by using controls to prevent losses associated with a specific vulnerability.

• This is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk.

CBA: Asset Valuation

• Asset Valuation is the process of assigning financial value or worth to each information asset.

• The valuation of assets involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against market loss and litigation.

• These estimates are calculated for each set of information bearing systems or information assets.

• There are many components to asset valuation.

CBA: Loss Estimates

• Once the worth of various assets is estimated examine the potential loss that could occur from theexploitation of vulnerability or a threat occurrence.

• This process results in the estimate of potential loss per risk.

• The questions that must be asked here include:

– What damage could occur, and what financial impact would it have?

– What would it cost to recover from the attack, in addition to the costs above?

– What is the single loss expectancy for each risk?
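A worked cost-benefit calculation, added here as an example (it is not part of the question bank), that turns the cost factors, asset valuation and loss estimates above into a go/no-go decision. It uses the standard textbook CBA formula CBA = ALE(prior) - ALE(post) - ACS, and every monetary figure and rate in it is constructed.

```python
"""Cost benefit analysis (CBA) of a proposed safeguard.

Added example, not from the question bank. It applies the standard textbook
CBA formula, CBA = ALE(prior) - ALE(post) - ACS, to the cost factors, asset
valuation and loss estimates listed above:
  SLE (single loss expectancy)       = asset value * exposure factor
  ALE (annualized loss expectancy)   = SLE * ARO (annualized rate of occurrence)
  ACS (annualized cost of safeguard) = one-time costs spread over the control's
      useful life, plus yearly service and maintenance costs.
All monetary figures and rates below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossEstimate:
    """Loss estimate for one asset-vulnerability pair."""
    asset_value: float       # asset valuation: worth of the information asset
    exposure_factor: float   # fraction of the asset value lost per occurrence, 0..1
    aro: float               # expected number of occurrences per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """Cost factors of a control, plus its expected effect on the loss estimate."""
    development_or_acquisition: float   # one-time
    training_fees: float                # one-time
    implementation: float               # one-time
    service_costs: float                # per year
    maintenance: float                  # per year
    useful_life_years: int
    residual_exposure_factor: float     # exposure factor once the control is in place
    residual_aro: float                 # occurrence rate once the control is in place

    def acs(self) -> float:
        one_time = (self.development_or_acquisition + self.training_fees
                    + self.implementation)
        return one_time / self.useful_life_years + self.service_costs + self.maintenance

    def total_cost_over_life(self) -> float:
        return self.acs() * self.useful_life_years


def cost_benefit(before: LossEstimate, control: Safeguard) -> dict:
    """Return the CBA figures and whether the control is economically feasible."""
    after = LossEstimate(before.asset_value,
                         control.residual_exposure_factor, control.residual_aro)
    ale_prior, ale_post, acs = before.ale(), after.ale(), control.acs()
    cba = ale_prior - ale_post - acs
    # Common-sense limit from the text: never spend more to protect an asset
    # than the asset is worth.
    exceeds_asset_value = control.total_cost_over_life() > before.asset_value
    return {
        "sle_prior": before.sle(),
        "ale_prior": ale_prior,
        "ale_post": ale_post,
        "acs": acs,
        "cba": cba,
        "exceeds_asset_value": exceeds_asset_value,
        "feasible": cba > 0 and not exceeds_asset_value,
    }


# Constructed scenario: a customer database worth 100,000 that a given
# vulnerability would expose to a 50% loss about once every five years.
CUSTOMER_DB_RISK = LossEstimate(asset_value=100_000, exposure_factor=0.5, aro=0.2)

# Candidate control A: modest cost, cuts both the damage and the frequency.
CONTROL_A = Safeguard(development_or_acquisition=12_000, training_fees=3_000,
                      implementation=5_000, service_costs=1_000, maintenance=1_500,
                      useful_life_years=4,
                      residual_exposure_factor=0.1, residual_aro=0.1)

# Candidate control B: eliminates the risk but costs more than the asset is worth.
CONTROL_B = Safeguard(development_or_acquisition=90_000, training_fees=10_000,
                      implementation=20_000, service_costs=5_000, maintenance=5_000,
                      useful_life_years=4,
                      residual_exposure_factor=0.0, residual_aro=0.0)

if __name__ == "__main__":
    for name, control in (("A", CONTROL_A), ("B", CONTROL_B)):
        result = cost_benefit(CUSTOMER_DB_RISK, control)
        print(f"control {name}: ALE prior {result['ale_prior']:.0f}, "
              f"ALE post {result['ale_post']:.0f}, ACS {result['acs']:.0f}, "
              f"CBA {result['cba']:.0f}, feasible={result['feasible']}")
```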


Organizational Feasibility

• Organizational feasibility examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization.

• Above and beyond the impact on the bottom line, the organization must determine how the proposed alternatives contribute to the business objectives of the organization.

Operational feasibility

• Addresses user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.

• Sometimes known as behavioral feasibility, because it measures the behavior of users.

• One of the fundamental principles of systems development is obtaining user buy-in on a project, and one of the most common methods for obtaining user acceptance and support is through user involvement, obtained through three simple steps:

– Communicate

– Educate

– Involve

Technical Feasibility

• The project team must also consider the technical feasibilities associated with the design, implementation, and management of controls.

• Examines whether or not the organization has or can acquire the technology necessary to implement and support the control alternatives.

Political feasibility

• For some organizations, the most significant feasibility evaluated may be political.

• Within organizations, political feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest.

• The limits placed on an organization's actions or behavior by the information security controls must fit within the realm of the possible before they can be effectively implemented, and that realm includes the availability of staff resources.

187. Explain the various methods of categorizing the control. [NOV/DEC 2012] (8)

Categories of Controls

• Controlling risk through avoidance, mitigation or transference may be accomplished by implementing controls or safeguards. Four ways to categorize controls have been identified.

• Control function


– Preventive or detective

• Architectural layer

– One or more layers of technical architecture

• Strategy layer

– Avoidance, mitigation

• Information security principle

Control Function

• Safeguards designed to defend systems are either preventive or detective.

• Preventive controls stop attempts to exploit a vulnerability by implementing a security principle, such as authentication or confidentiality.

• Preventive controls use a technical procedure, such as encryption, or some combination of technical means and enforcement methods.

• Detective controls warn organizations of violations of security principles, organizational policies, or attempts to exploit vulnerabilities.

• Detective controls use techniques such as audit trails, intrusion detection and configuration monitoring.

Architectural Layer

• Controls apply to one or more layers of an organization's technical architecture.

• The following entities are commonly regarded as distinct layers in an organization's information architecture:

• Organizational policy.

• External Networks.

• Extranets (or demilitarized zones)

• Intranets (WANs and LANs)

• Network devices that interface network zones (switches, routers, firewalls and hubs)

• Systems (mainframe, server, desktop)

• Applications.

Strategy Layer

Controls are sometimes classified by the risk control strategy they operate within:

• Avoidance

• Mitigation

• Transference


188. Briefly explain about the data classification and management process. [MAY/JUNE 2013] (16)

Data Classification

• Confidential

• Internal

• External

Confidential: Access to information with this classification is strictly on a need-to-know basis or as required by the terms of a contract.

Internal: Used for all internal information that does not meet the criteria for the confidential category and is to be viewed only by authorized contractors and other third parties.

External: All information that has been approved by management for public release.

The military uses a five-level classification scheme:

• Unclassified data

• Sensitive But Unclassified data (SBU)

• Confidential data

• Secret data

• Top Secret data

Unclassified data: Information that can generally be distributed to the public without any threat to U.S. national interests.

Sensitive But Unclassified data (SBU): Any information of which the loss, misuse, or unauthorized access to, or modification of might adversely affect U.S. national interests, the conduct of Department of Defense (DoD) programs, or the privacy of DoD personnel.

Confidential data: Any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.

Secret data: Any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.

Top Secret data: Any information or material the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.

An organization may have:

• Research data

• Personnel data

• Customer data

• General Internal Communications


Some organizations may use:

• Public data

• For office use only

• Sensitive data

• Classified data

Public: Information for general public dissemination, such as an advertisement or public release.

For Official Use Only: Information that is not particularly sensitive, but not for public release, such as internal communications.

Sensitive: Information important to the business that could embarrass the company or cause loss of market share if revealed.

Classified: Information of the utmost secrecy to the organization, disclosure of which could severely impact the well-being of the organization.

Security Clearances

• The other side of the data classification scheme is the personnel security clearance structure.

• Each user of data must be assigned a single authorization level that indicates the level of classification he or she is authorized to view.

• Eg: Data entry clerk, development Programmer, Information Security Analyst, or even CIO.

• Most organizations have a set of roles and the accompanying security clearances associated with each role.

• Overriding an employee's security clearance is the fundamental principle of "need-to-know".

Management of classified data

• Includes its storage, distribution, portability, and destruction.

• Military uses color coordinated cover sheets to protect classified information from the casual observer.

• Each classified document should contain the appropriate designation at the top and bottom of each page.

• A clean desk policy requires that employees secure all information in appropriate storage containers at the end of each day.

• When information is no longer valuable, proper care should be taken to destroy it by means of shredding, burning or transferring to a service offering authorized document destruction.

• Dumpster diving is an attempt to retrieve information that could embarrass a company or compromise information security.

189. List and explain about the different types of access control. [MAY/JUNE 2013] (16)

Types of Access controls

Mandatory Access Controls (MACs)


• Give users and data owners limited control over access to information resources.

Nondiscretionary Controls

• Managed by a central authority in the organization; can be based on an individual's role (role-based controls) or a specified set of assigned tasks (task-based controls).

Discretionary Access Controls (DAC)

• Implemented at the discretion or option of the data user.

Lattice-based Access Control

• Variation of MAC: users are assigned a matrix of authorizations for particular areas of access.
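A lattice-based mandatory access check, added here as an example (not part of the question bank), that ties the five-level military classification and the need-to-know principle from question 188 to the MAC, nondiscretionary (role-based) and lattice-based controls of question 189. The role names, compartments and documents are constructed.

```python
"""Lattice-based mandatory access control check.

Added example, not from the question bank. Each security label is a
(level, set of compartments) pair; labels form a lattice in which label A
dominates label B when A's level is at least B's level AND A's compartments
include all of B's. A subject may view an object only if the subject's
clearance dominates the object's classification, so a high clearance alone
never grants access to data outside the subject's need-to-know.
Role names, compartments and documents are constructed for illustration.
"""
from dataclasses import dataclass

# Military classification levels, lowest to highest (from the answer above).
LEVELS = ("Unclassified", "Sensitive But Unclassified", "Confidential",
          "Secret", "Top Secret")
RANK = {name: rank for rank, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset  # need-to-know areas, e.g. {"Research", "Personnel"}

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown classification level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: higher-or-equal level AND superset of compartments."""
        return (RANK[self.level] >= RANK[other.level]
                and other.compartments <= self.compartments)


def label(level: str, *compartments: str) -> Label:
    return Label(level, frozenset(compartments))


# Nondiscretionary (role-based) assignment: a central authority maps each role
# to exactly one clearance, as the text requires (one authorization level per user).
ROLE_CLEARANCE = {
    "Data entry clerk": label("Unclassified"),
    "Development programmer": label("Confidential", "Research"),
    "Information security analyst": label("Secret", "Research"),
    "CIO": label("Top Secret", "Research", "Personnel", "Customer"),
}


def can_view(role: str, document: Label) -> bool:
    """Mandatory check: the role's clearance must dominate the document's label."""
    clearance = ROLE_CLEARANCE.get(role)
    if clearance is None:
        return False          # unknown role: default deny
    return clearance.dominates(document)


def authorization_matrix(documents: dict) -> dict:
    """Lattice-based view: for each role, the named documents it may view."""
    return {role: sorted(name for name, doc in documents.items() if can_view(role, doc))
            for role in ROLE_CLEARANCE}


# Constructed documents of the kinds listed above (research, personnel, customer data).
DOCUMENTS = {
    "press release": label("Unclassified"),
    "research notes": label("Confidential", "Research"),
    "salary review": label("Secret", "Personnel"),
    "customer list": label("Confidential", "Customer"),
}

if __name__ == "__main__":
    for role, allowed in authorization_matrix(DOCUMENTS).items():
        print(f"{role:30s} may view: {allowed}")
```

Note that the analyst, despite a Secret clearance, is denied the Secret salary review: need-to-know (the Personnel compartment) overrides the clearance level, exactly as the answer above states.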

STANDARD QUESTIONS

190. Explain in detail about Risk handling decision points. (8)

Risk Management Discussion Points

Not every organization has the collective will to manage each vulnerability through the application of controls.

• Depending on the willingness to assume risk, each organization must define its risk appetite.

• Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.

Residual Risk

• When we have controlled any given vulnerability as much as we can, there is often risk that has not been completely removed or has not been completely shifted or planned for; this remainder is called residual risk.

• To express it another way, "Residual risk is a combined function of:

– A threat less the effect of some threat-reducing safeguards.

– Vulnerability less the effect of some vulnerability-reducing safeguards.

– An asset less the effect of some asset value-reducing safeguards."

Documenting Results

• At minimum, each information asset-vulnerability pair should have a documented control strategy that clearly identifies any residual risk remaining after the proposed strategy has been executed.

• Some organizations document the outcome of the control strategy for each information asset-vulnerability pair as an action plan.

• This action plan includes concrete tasks, each with accountability assigned to an organizational unit or to an individual.

Recommended Practices in Controlling Risk

• We must convince budget authorities to spend up to the value of the asset to protect a particular asset from an identified threat.


• Each and every control or safeguard implemented will impact more than one threat-asset pair.

Qualitative Measures

• The spectrum of steps described above was performed with real numbers or best-guess estimates of real numbers; this is known as a quantitative assessment.

• However, an organization could determine that it couldn't put specific numbers on these values.

• Fortunately, it is possible to repeat these steps using estimates based on a qualitative assessment.

• Instead of using specific numbers, ranges or levels of values can be developed, simplifying the process.

Delphi Technique

• One technique for accurately estimating scales and values is the Delphi Technique.

• The Delphi Technique, named for the Oracle at Delphi, is a process whereby a group of individuals rate or rank a set of information.

• The individual responses are compiled and then returned to the individuals for another iteration.

• This process continues until the group is satisfied with the result.

Figure 10: Risk Residual


PART B -UNIT-IV - LOGICAL DESIGN

MOST IMPORTANT QUESTIONS

191. Briefly explain the NIST SECURITY MODEL. [NOV/DEC 2011] [MAY/JUNE 2013] (16)

NIST Security Models

• This refers to "The National Security Telecommunications and Information Systems Security Committee" document. This document presents a comprehensive model for information security. The model consists of three dimensions.

• Another possible approach available is described in the many documents available from the Computer Security Resource Center of the National Institute of Standards and Technology (csrc.nist.gov).

The following NIST documents can assist in the design of a security framework:

• NIST SP 800-12 : An Introduction to Computer Security: The NIST Handbook

• NIST SP 800-14 : Generally Accepted Security Principles and Practices for Securing IT Systems

• NIST SP 800-18 : The Guide for Developing Security Plans for IT Systems

• NIST SP 800-26: Security Self-Assessment Guide for IT systems.

• NIST SP 800-30: Risk Management for IT systems.

NIST Special Publication SP 800-12

• SP 800-12 is an excellent reference and guide for the security manager or administrator in the routine management of information security.

• It provides little guidance, however, on design and implementation of new security systems, and therefore should be used only as a valuable precursor to understanding an information security blueprint.

NIST Special Publication SP 800-14

• Generally accepted Principles and practices for Security Information Technology Systems.

• Provides best practices and security principles that can direct the security team in the development of a security blueprint.

• The scope of NIST SP 800-14 is broad. It is important to consider each of the security principles it presents, and therefore the following sections examine some of the more significant points in more detail:

• Security Supports the Mission of the Organization

• Security is an Integral Element of Sound Management

• Security Should Be Cost-Effective

• Systems Owners Have Security Responsibilities Outside Their Own Organizations


• Security Responsibilities and Accountability Should Be Made Explicit

• Security Requires a Comprehensive and Integrated Approach

• Security Should Be Periodically Reassessed

• Security is Constrained by Societal Factors

• 33 Principles enumerated

NIST SP 800-18

• The Guide for Developing Security Plans for Information Technology Systems can be used as the foundation for a comprehensive security blueprint and framework.

• It provides detailed methods for assessing and implementing controls and plans for applications of varying size.

• It can serve as a useful guide to the activities and as an aid in the planning process.

• It also includes templates for major application security plans.

• The table of contents for Publication 800-18 is presented in the following.

System Analysis

– System Boundaries

– Multiple similar systems

– System Categories

– Plan Development - All Systems

– Plan control

– System identification

– System Operational status

– System Interconnection/Information Sharing

– Sensitivity of information handled

– Laws, regulations and policies affecting the system

Management Controls

• Risk Assessment and Management

• Review of Security Controls

• Rules of behavior

• Planning for security in the life cycle

• Authorization of Processing (Certification and Accreditation)

• System Security Plan

Operational Controls

• Personnel Security


• Physical Security

• Production, Input/Output Controls

• Contingency Planning

• Hardware and Systems Software

• Data Integrity

• Documentation

• Security Awareness, Training, and Education

• Incident Response Capability

Technical Controls

• Identification and Authentication

• Logical Access Controls

• Audit Trails

NIST SP 800-26: Security Self-Assessment Guide for IT systems

NIST SP 800-26 Table of contents

Management Controls

• Risk Management

• Review of Security Controls

• Life Cycle Maintenance

• Authorization of Processing (Certification and Accreditation)

• System Security Plan

Operational Controls

• Personnel Security

• Physical Security

• Production, Input/Output Controls

• Contingency Planning

• Hardware and Systems Software

• Data Integrity

• Documentation

• Security Awareness, Training, and Education

• Incident Response Capability


Technical Controls

• Identification and Authentication

• Logical Access Controls

• Audit Trails

Management controls address the design and implementation of the security planning process and security program management. They also address risk management and security control reviews. They further describe the necessity and scope of legal compliance and the maintenance of the entire security life cycle.

Operational controls deal with the operational functionality of security in the organization. They include management functions and lower level planning, such as disaster recovery and incident response planning. They also address personnel security, physical security, and the protection of production inputs and outputs. They guide the development of education, training and awareness programs for users, administrators, and management. Finally, they address hardware and software systems maintenance and the integrity of data.

Technical controls address the tactical and technical issues related to designing and implementing security in the organization, as well as issues related to examining and selecting the technologies appropriate to protecting information. They address the specifics of technology selection and the acquisition of certain technical components. They also include logical access controls, such as identification, authentication, authorization, and accountability. They cover cryptography to protect information in storage and transit. Finally, they include the classification of assets and users, to facilitate the authorization levels needed.

Using the three sets of controls, the organization should be able to specify controls to cover the entire spectrum of safeguards, from strategic to tactical, and from managerial to technical.

192. Explain in detail about designing of security architecture. [NOV/DEC 2011] [MAY/JUNE 2013] (16)

Design of Security Architecture

Sphere of Protection

• The "sphere of protection" overlays each of the levels of the "sphere of use" with a layer of security, protecting that layer from direct or indirect use through the next layer.

• The people must become a layer of security, a human firewall that protects the information from unauthorized access and use.

• Information security is therefore designed and implemented in three layers:

– policies

– people (education, training, and awareness programs)

– technology

• As illustrated in the sphere of protection, a variety of controls can be used to protect the information.

• The items of control shown in the figure are not intended to be comprehensive but rather illustrate individual safeguards that can protect the various systems that are located closer to the center of the sphere.


Figure 11: Sphere of Protection

• However, because people can directly access each ring as well as the information at the core of the model, the side of the sphere of protection that attempts to control access by relying on people requires a different approach to security than the side that uses technology.

Defense in Depth

• One of the basic foundations of security architectures is the implementation of security in layers. This layered approach is called defense in depth.

• Defense in depth requires that the organization establish sufficient security controls and safeguards, so that an intruder faces multiple layers of controls.

• These layers of control can be organized into policy, training and education, and technology as per the NSTISSC model.

• While policy itself may not prevent attacks, policies coupled with the other layers can deter attacks.

• Training and Education are similar.

• Technology is also implemented in layers, with detection equipment, all operating behind access control mechanisms.

• Implementing multiple types of technology and thereby preventing the failure of one system from compromising the security of the information is referred to as redundancy.

• Redundancy can be implemented at a number of points throughout the security architecture, such as firewalls, proxy servers, and access controls.

The figure shows the use of firewalls and intrusion detection systems (IDS) that use both packet-level rules and data content analysis.

Security Perimeter

• A Security Perimeter is the first level of security that protects all internal systems from outside threats.

• Unfortunately, the perimeter does not protect against internal attacks from employee threats, or on-site physical threats.


Figure 12: Defense in Depth

• Security perimeters can effectively be implemented as multiple technologies that segregate the protected information from those who would attack it.

• Within security perimeters the organization can establish security domains, or areas of trust within which users can freely communicate.

• The presence and nature of the security perimeter is an essential element of the overall security framework, and the details of implementing the perimeter make up a great deal of the particulars of the completed security blueprint.

• The key components used for planning the perimeter are presented in the following sections on firewalls, DMZs, proxy servers, and intrusion detection systems.

Key Technology Components

• A firewall is a device that selectively discriminates against information flowing into or out of the organization.

• Firewalls are usually placed on the security perimeter, just behind or as part of a gateway router.

• Firewalls can be packet filtering, stateful packet filtering, proxy, or application level.

• A firewall can be a single device or a firewall subnet, which consists of multiple firewalls creating a buffer between the outside and inside networks.

• The DMZ (demilitarized zone) is a no-man's land between the inside and outside networks, where some organizations place Web servers.

• These servers provide access to organizational web pages, without allowing Web requests to enter the interior networks.

• Proxy server: An alternative approach to the strategies of using a firewall subnet or a DMZ is to use a proxy server, or proxy firewall.


Figure 13: Security Perimeter and Domain

Figure 14: Firewall, Proxy servers and DMZ

• When an outside client requests a particular Web page, the proxy server receives the request as if it were the subject of the request, then asks for the same information from the true Web server (acting as a proxy for the requestor), and then responds to the request as a proxy for the true Web server.

• For more frequently accessed Web pages, proxy servers can cache or temporarily store the page, and thus are sometimes called cache servers.
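A packet-filtering firewall for the perimeter layout described above (outside network, DMZ with the web server, interior network), added here as an example that is not part of the question bank. Rules are evaluated first-match with a default deny, so an outside web request reaches the DMZ web server but never the interior network; the zone addresses (RFC 5737 and RFC 1918 ranges), zone names and rule set are constructed.

```python
"""Security-perimeter packet filter with a DMZ.

Added example, not from the question bank. It models the perimeter described
above: an outside network, a DMZ holding the public web server, and the
interior network. Rules are evaluated first-match with a default deny, so a
web request from the outside reaches the DMZ web server but can never enter
the interior network, and a DMZ host gains no path inward either.
Addresses (RFC 5737 / RFC 1918 ranges), zone names and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Zones, most specific first; any address not in a listed network is EXTERNAL.
ZONES = (
    ("DMZ", ip_network("192.0.2.0/24")),
    ("INTRANET", ip_network("10.0.0.0/8")),
)


def zone_of(address: str) -> str:
    ip = ip_address(address)
    for name, network in ZONES:
        if ip in network:
            return name
    return "EXTERNAL"


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp", "udp" or "any"
    dst_port: Optional[int]    # None matches any destination port

    def matches(self, src_zone: str, dst_zone: str, proto: str, dst_port: int) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.proto in ("any", proto)
                and self.dst_port in (None, dst_port))


# Perimeter policy: only web traffic may cross from outside into the DMZ;
# nothing from outside or from the DMZ may initiate into the interior network.
RULES = [
    Rule("allow", "EXTERNAL", "DMZ", "tcp", 80),
    Rule("allow", "EXTERNAL", "DMZ", "tcp", 443),
    Rule("allow", "INTRANET", "DMZ", "tcp", None),       # staff publish to the web server
    Rule("allow", "INTRANET", "EXTERNAL", "any", None),  # outbound browsing
]


def filter_packet(src: str, dst: str, proto: str, dst_port: int) -> str:
    """Return the action for a packet: first matching rule wins, otherwise deny."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"        # same zone: the traffic never crosses the perimeter filter
    for rule in RULES:
        if rule.matches(src_zone, dst_zone, proto, dst_port):
            return rule.action
    return "deny"             # default deny: anything not explicitly permitted


if __name__ == "__main__":
    # Constructed packets: outside client -> DMZ web server, outside -> interior,
    # DMZ host -> interior database port, interior -> outside.
    for pkt in (("203.0.113.7", "192.0.2.10", "tcp", 80),
                ("203.0.113.7", "10.1.2.3", "tcp", 80),
                ("192.0.2.10", "10.1.2.3", "tcp", 3306),
                ("10.1.2.3", "198.51.100.4", "tcp", 443)):
        print(pkt, "->", filter_packet(*pkt))
```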

193. Describe the features of VISA international security model. [NOV/DEC 2011] [NOV/DEC 2012] (8)

VISA International Security Model

• It promotes strong security measures in its business associates and has established guidelines for the security of its information systems.

• It has developed two important documents

– Security Assessment Process

– Agreed Upon Procedures

• Both documents provide specific instructions on the use of the VISA Cardholder Information Security Program.

• The Security Assessment Process document is a series of recommendations for the detailed examination of an organization's systems with the eventual goal of integration into the VISA systems.

• The Agreed Upon Procedures document outlines the policies and technologies required for security systems that carry the sensitive cardholder information to and from VISA systems.

• Using the two documents, a security team can develop a sound strategy for the design of a good security architecture.

• The only downside to this approach is the specific focus on systems that can or do integrate with VISA's systems with the explicit purpose of carrying the aforementioned cardholder information.

IMPORTANT QUESTIONS

194. Explain in detail about different type of security models. [NOV/DEC 2011] (16)

Security Models

ISO 17799/BS 7799

• One of the most widely referenced and often discussed security models is the Information Technology - Code of Practice for Information Security Management, which was originally published as British Standard BS 7799.

• In 2000, this Code of Practice was adopted as an international standard framework for information security by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799.

Drawbacks of ISO 17799/BS 7799

• Several countries have not adopted 17799 claiming there are fundamental problems:

– The global information security community has not defined any justification for a code of practice as identified in the ISO/IEC 17799.

– 17799 lacks "the necessary measurement precision of a technical standard".

– There is no reason to believe that 17799 is more useful than any other approach currently available.

– 17799 is not as complete as other frameworks available.

– 17799 is perceived to have been hurriedly prepared given the tremendous impact its adoption could have on industry information security controls.


Objectives of ISO 17799

Organizational Security Policy is needed to provide management direction and support.

Ten Sections of ISO/IEC 17799

• Organizational Security Policy

• Organizational Security Infrastructure

• Asset Classification and Control

• Personnel Security

• Physical and Environmental Security

• Communications and Operations Management

• System Access Control

• System Development and Maintenance

• Business Continuity Planning

• Compliance

Alternate Security Models available other than ISO 17799/BS 7799

NIST Security Models

• This refers to "The National Security Telecommunications and Information Systems Security Committee" document. This document presents a comprehensive model for information security. The model consists of three dimensions.

• Another possible approach available is described in the many documents available from the Computer Security Resource Center of the National Institute of Standards and Technology (csrc.nist.gov).

The following NIST documents can assist in the design of a security framework:

• NIST SP 800-12 : An Introduction to Computer Security: The NIST Handbook

• NIST SP 800-14 : Generally Accepted Security Principles and Practices for Securing IT Systems

• NIST SP 800-18 : The Guide for Developing Security Plans for IT Systems

• NIST SP 800-26: Security Self-Assessment Guide for IT systems.

• NIST SP 800-30: Risk Management for IT systems.

NIST Special Publication SP 800-12

• SP 800-12 is an excellent reference and guide for the security manager or administrator in the routine management of information security.

• It provides little guidance, however, on design and implementation of new security systems, and therefore should be used only as a valuable precursor to understanding an information security blueprint.


NIST Special Publication SP 800-14

• Generally accepted Principles and practices for Security Information Technology Systems.

• Provides best practices and security principles that can direct the security team in the development of a security blueprint.

• The scope of NIST SP 800-14 is broad. It is important to consider each of the security principles it presents, and therefore the following sections examine some of the more significant points in more detail:

• Security Supports the Mission of the Organization

• Security is an Integral Element of Sound Management

• Security Should Be Cost-Effective

• Systems Owners Have Security Responsibilities Outside Their Own Organizations

• Security Responsibilities and Accountability Should Be Made Explicit

• Security Requires a Comprehensive and Integrated Approach

• Security Should Be Periodically Reassessed

• Security is Constrained by Societal Factors

• 33 Principles enumerated

NIST SP 800-18

• The Guide for Developing Security Plans for Information Technology Systems can be used as the foundation for a comprehensive security blueprint and framework.

• It provides detailed methods for assessing and implementing controls and plans for applications of varying size.

• It can serve as a useful guide to the activities and as an aid in the planning process.

• It also includes templates for major application security plans.

• The table of contents for Publication 800-18 is presented in the following.

System Analysis

– System Boundaries

– Multiple similar systems

– System Categories

– Plan Development - All Systems

– Plan control

– System identification

– System Operational status

– System Interconnection/Information Sharing

– Sensitivity of information handled

– Laws, regulations and policies affecting the system

Management Controls

• Risk Assessment and Management

• Review of Security Controls

• Rules of behavior

• Planning for security in the life cycle

• Authorization of Processing (Certification and Accreditation)

• System Security Plan

Operational Controls

• Personnel Security

• Physical Security

• Production, Input/Output Controls

• Contingency Planning

• Hardware and Systems Software

• Data Integrity

• Documentation

• Security Awareness, Training, and Education

• Incident Response Capability

Technical Controls

• Identification and Authentication

• Logical Access Controls

• Audit Trails

NIST SP 800-26: Security Self-Assessment Guide for IT systems

NIST SP 800-26 Table of contents

Management Controls

• Risk Management

• Review of Security Controls

• Life Cycle Maintenance

• Authorization of Processing (Certification and Accreditation)

• System Security Plan


Operational Controls

• Personnel Security

• Physical Security

• Production, Input/Output Controls

• Contingency Planning

• Hardware and Systems Software

• Data Integrity

• Documentation

• Security Awareness, Training, and Education

• Incident Response Capability

Technical Controls

• Identification and Authentication

• Logical Access Controls

• Audit Trails

195. Explain in detail about ISO 17799/ BS 7799. [NOV/DEC 2012] (8)

ISO 17799/BS 7799

• One of the most widely referenced and often discussed security models is the Information Technology - Code of Practice for Information Security Management, which was originally published as British Standard BS 7799.

• In 2000, this Code of Practice was adopted as an international standard framework for information security by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799.

Drawbacks of ISO 17799/BS 7799

• Several countries have not adopted 17799, claiming there are fundamental problems:

– The global information security community has not defined any justification for a code of practice as identified in ISO/IEC 17799

– 17799 lacks "the necessary measurement precision of a technical standard"

– There is no reason to believe that 17799 is more useful than any other approach currently available

– 17799 is not as complete as other frameworks available

– 17799 is perceived to have been hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls


Objectives of ISO 17799

Organizational Security Policy is needed to provide management direction and support.

Ten Sections of ISO/IEC 17799

• Organizational Security Policy

• Organizational Security Infrastructure

• Asset Classification and Control

• Personnel Security

• Physical and Environmental Security

• Communications and Operations Management

• System Access Control

• System Development and Maintenance

• Business Continuity Planning

• Compliance

196. Explain the major steps involved in contingency planning. [NOV/DEC 2012] (8)

Contingency Planning (CP) comprises a set of plans designed to ensure effective reaction to and recovery from an attack, and the subsequent restoration to normal modes of business operations.

There are six steps to contingency planning. They are

• Identifying the mission-or business-critical functions,

• Identifying the resources that support the critical functions,

• Anticipating potential contingencies or disasters,

• Selecting contingency planning strategies,

• Implementing the contingency strategies,

• Testing and revising the strategy.

197. Briefly explain about the elements of an Issue-specific Security policy statement. [MAY/JUNE 2013] (8)

Issue-Specific Security Policy (ISSP)

The ISSP:

• Addresses specific areas of technology

• Requires frequent updates

• Contains a statement of the organization's position on the specific issue

Approaches to creating and managing ISSPs:


• Create number of independent ISSP documents

• Create a single comprehensive ISSP document

• Create a modular ISSP document

ISSP topics could include:

E-mail, use of the Web, configuration of computers to defend against worms and viruses, prohibitions against hacking or testing the organization's security controls, home use of company-owned computer equipment, use of personal equipment on company networks, use of telecommunications technologies (fax and phone), use of photocopiers.

Components of the ISSP

Statement of Policy

• Scope and Applicability

• Definition of Technology Addressed

• Responsibilities

Authorized Access and Usage of Equipment

• User Access

• Fair and Responsible Use

• Protection of Privacy

Prohibited Usage of Equipment

• Disruptive Use or Misuse

• Criminal Use

• Offensive or Harassing Materials

• Copyrighted, Licensed or other Intellectual Property

• Other Restrictions

Systems Management

• Management of Stored Materials

• Employer Monitoring

• Virus Protection

• Physical Security

• Encryption

Violations of Policy


• Procedures for Reporting Violations

• Penalties for Violations

Policy Review and Modification

• Scheduled Review of Policy and Procedures for Modification

Limitations of Liability

• Statements of Liability or Disclaimers

STANDARD QUESTIONS

198. Explain in detail about planning for continuity. (8)

Continuity Strategies

• There are a number of strategies from which an organization can choose when planning for business continuity.

• The determining factor in selection between these options is usually cost.

• In general there are three exclusive-use options: hot sites, warm sites and cold sites; and three shared-use options: time-shares, service bureaus and mutual agreements.

Hot sites: A hot site is a fully configured facility, with all services, communications links and physical plant operations including heating and air conditioning. It is the pinnacle of contingency planning: a duplicate facility that needs only the latest data backups and the personnel to function as a fully operational twin of the original. Disadvantages include the need to provide maintenance for all the systems and equipment in the hot site, as well as its physical and information security.

Warm sites: A warm site includes computing equipment and peripherals, with servers but not client workstations. It has many of the advantages of a hot site, but at a lower cost.

Cold sites: A cold site provides only rudimentary services and facilities; no computer hardware or peripherals are provided. Basically a cold site is an empty room with heating, air conditioning and electricity. The main advantage of a cold site is cost.

Time-shares: A time-share (a site shared with one or more other organizations) allows the organization to maintain a disaster recovery and business continuity option, but at a reduced overall cost. The advantages are identical to those of the type of site selected (hot, warm or cold). The disadvantages are the possibility that more than one organization involved in the time-share may need the facility simultaneously; the need to stock the facility with the equipment and data of all organizations involved; the negotiations for arranging the time-share; and the associated arrangements should one or more parties decide to cancel the agreement or to sublease their options.

Service bureaus: A service bureau is an agency that provides a service for a fee. In the case of disaster recovery and continuity planning, the service is the agreement to provide physical facilities in the event of a disaster. These agencies also provide off-site data storage for a fee. The disadvantage is that it is a service, and must be renegotiated periodically. Also, using a service bureau can be quite expensive.


Mutual Agreements: A mutual agreement is a contract between two or more organizations that specifies howeach will assist the other in the event of a disaster.

PART B -UNIT-V- PHYSICAL DESIGN

MOST IMPORTANT QUESTIONS

199. Explain in detail about IDS and its types.[NOV/DEC 2011] [NOV/DEC 2012] [MAY/JUNE 2013] [MAY/JUNE2012] (16)

An IDS operates as either network-based, when the technology is focused on protecting network information assets, or host-based, when the technology is focused on protecting server or host information assets.

IDSs use one of two detection methods: signature-based or statistical anomaly-based.

Figure 15: Intrusion Detection System

Different types of IDSs

• Network-based IDS
A network-based IDS (NIDS) resides on a computer or an appliance connected to a segment of an organization's network and monitors traffic on that network segment, looking for indications of ongoing or successful attacks.

• Host-based IDS
A host-based IDS (HIDS) works differently from a network-based IDS. While a network-based IDS resides on a network segment and monitors activities across that segment, a host-based IDS resides on a particular computer or server, known as the host, and monitors activity only on that system. HIDSs are also known as system integrity verifiers, as they benchmark and monitor the status of key system files and detect when an intruder creates, modifies or deletes monitored files. A HIDS is also capable of monitoring system configuration databases, such as the Windows registry, in addition to stored configuration files like .ini, .cfg and .dat files.

• Application-based IDS
A refinement of the host-based IDS is the application-based IDS (AppIDS). Whereas the HIDS examines a single system for file modification, the application-based IDS examines an application for abnormal events. It looks for anomalous occurrences such as users exceeding their authorization, invalid file executions, etc.

• Signature-based IDS
This type is classified by its detection method. A signature-based IDS (also called a knowledge-based IDS) examines data traffic in search of patterns that match known signatures, that is, preconfigured, predetermined attack patterns. Many attacks have clear and distinct signatures, such as:

– Footprinting and fingerprinting activities, which have an attack pattern that includes the use of ICMP, DNS querying and e-mail routing analysis

– Exploits, which involve a specific attack sequence designed to take advantage of a vulnerability to gain access to a system

– Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks

The weakness of this approach is that the signature database must be kept current: an attack with no matching signature goes undetected.

• Statistical Anomaly-based IDS (also called behaviour-based IDS)
This approach detects intrusions based on the frequency with which certain network activities take place. A statistical anomaly-based IDS collects statistical summaries by observing traffic that is known to be normal; a baseline is established from this normal period. The stat IDS then periodically samples network activity and, using statistical methods, compares the sampled network activity to the baseline. When the measured activities are outside the baseline parameters, they are said to exceed the clipping level; at this point the IDS triggers an alert to notify the administrator. The advantage is that it can detect new attacks for which no signature exists; the disadvantages are the processing overhead and the false positives raised when legitimate activity drifts away from the baseline.

• Log File Monitors (LFM)
A log file monitor (LFM) is an approach to IDS that is similar to a NIDS. Using an LFM, the system reviews the log files generated by servers, network devices and even other IDSs. These systems look for patterns and signatures in the log files that may indicate that an attack or intrusion is in process or has already succeeded.
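The two detection methods above, applied to constructed log lines in a small example added here; it is not code from the question bank or from any IDS product. The log format, the four signatures and the addresses are assumptions made for the example, and the clipping level is taken as the mean plus three standard deviations of the per-source event count seen in the normal training window. Note what each method catches: the signature engine flags the single path-traversal request, which is far too quiet to move the statistics, while the anomaly engine flags the sweeping host by volume alone, which it would still do if the sweep used a pattern with no signature.

```python
"""Added example (not from the question bank): a miniature IDS applying the two
detection methods described above to constructed log lines.

- Signature-based: match known attack patterns (regular expressions) against
  every event.
- Statistical anomaly-based: learn a baseline of events-per-source from a
  window of traffic known to be normal, then flag any source whose event count
  in a sample window exceeds the clipping level (mean + k * standard deviation).

The log format, the signatures, the addresses and the sample traffic are
assumptions made for this example.
"""
import re
import statistics
from collections import Counter


def parse(line):
    """Log line format assumed here: '<epoch seconds> <source ip> <event text>'."""
    ts, src, text = line.split(" ", 2)
    return int(ts), src, text


def _normal_lines(start, src, n):
    """Constructed benign traffic: n ordinary web requests from one source."""
    return [f"{start + i} {src} GET /index.html 200" for i in range(n)]


# Training window: traffic known to be normal (constructed)
TRAINING_LOG = (_normal_lines(1000, "10.0.0.1", 5) + _normal_lines(1100, "10.0.0.2", 4)
                + _normal_lines(1200, "10.0.0.3", 6) + _normal_lines(1300, "10.0.0.4", 5))

# Sample window: normal users plus one host doing reconnaissance (constructed)
SAMPLE_LOG = (
    _normal_lines(2000, "10.0.0.1", 5)
    + ["2050 10.0.0.2 GET /../../etc/passwd 404"]
    + [f"{2100 + i} 198.51.100.7 ICMP echo request to 10.0.0.{i} (host sweep)"
       for i in range(1, 11)]
    + ["2111 198.51.100.7 DNS AXFR example.org",
       "2112 198.51.100.7 TCP SYN flood to 10.0.0.3:80"]
)

# Known-attack signatures (assumed for this example; a real IDS ships thousands)
SIGNATURES = {
    "footprinting-icmp-sweep": re.compile(r"ICMP echo request .* sweep"),
    "footprinting-dns-zone-transfer": re.compile(r"DNS AXFR"),
    "exploit-path-traversal": re.compile(r"GET \S*\.\./"),
    "dos-syn-flood": re.compile(r"SYN flood"),
}


def signature_alerts(lines):
    """Signature-based detection: (source, signature name) for every matching line."""
    alerts = []
    for line in lines:
        _, src, text = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                alerts.append((src, name))
    return alerts


def events_per_source(lines):
    return Counter(parse(line)[1] for line in lines)


def build_baseline(training_lines, k=3.0):
    """Baseline from the normal period; the clipping level is mean + k * stdev."""
    values = list(events_per_source(training_lines).values())
    mean, stdev = statistics.mean(values), statistics.pstdev(values)
    return {"mean": mean, "stdev": stdev, "clipping_level": mean + k * stdev}


def anomaly_alerts(sample_lines, baseline):
    """Anomaly-based detection: sources whose activity exceeds the clipping level."""
    counts = events_per_source(sample_lines)
    return sorted((src, n) for src, n in counts.items() if n > baseline["clipping_level"])


def run_ids(training_lines, sample_lines):
    """Run both engines over the sample window and return their findings."""
    baseline = build_baseline(training_lines)
    return {
        "clipping_level": baseline["clipping_level"],
        "signature": signature_alerts(sample_lines),
        "anomaly": anomaly_alerts(sample_lines, baseline),
    }


if __name__ == "__main__":
    report = run_ids(TRAINING_LOG, SAMPLE_LOG)
    print(f"clipping level: {report['clipping_level']:.2f} events per source")
    for src, name in report["signature"]:
        print(f"SIGNATURE  {src:15} {name}")
    for src, n in report["anomaly"]:
        print(f"ANOMALY    {src:15} {n} events")
```

The training window gives per-source counts of 5, 4, 6 and 5, so the clipping level works out to about 7.1 events per source; the sweeping host produces 12 and is reported, the normal users are not. Raising k lowers the false-positive rate at the cost of missing slower sweeps, which is the trade-off the anomaly method always carries.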

200. Discuss the Cryptographic tools used for providing the security.[NOV/DEC 2011] [MAY/JUNE 2013] (16)

The following are the tools used for providing security; of these, DES, 3DES and the e-mail security schemes built on them are the cryptographic tools proper:

• Packet Sniffers

– A network tool that collects copies of packets from the network and analyzes them

– Can be used to eavesdrop on network traffic

– To use a packet sniffer legally, you must be:

∗ on a network that the organization owns

∗ under direct authorization of the owners of the network

∗ in possession of the knowledge and consent of the content creators (users)

• Content Filters

– Although technically not a firewall, a content filter is a software filter that allows administrators to restrict the content accessible from within a network

– Content filtering restricts access to Web sites with inappropriate content

• Trap and Trace

– Trap: better known as honey pots, trap systems distract the attacker while notifying the administrator

– Trace: determine the identity of someone using unauthorized access

• Data Encryption Standard (DES)

– Developed by IBM and adopted as a federal standard in 1977; based on the Data Encryption Algorithm (DEA)

– Uses a 64-bit block size and a 56-bit key

– With a 56-bit key, the algorithm has 2^56 possible keys to choose from (over 72 quadrillion)

– DES was a federally approved standard for non-classified data

– DES was cracked in 1997 when RSA put a bounty on the algorithm, offering 10,000 dollars to the team that broke it; fourteen thousand users collaborated over the Internet to finally break the encryption by exhaustive key search

• Triple DES (3DES)

– Developed as an improvement to DES

– Uses up to three keys in succession and performs three different encryption operations

– 3DES encrypts the message three times with three different keys (three-key 3DES, its strongest keying option)

Securing e-mail with cryptographic tools:

– S/MIME builds on the Multipurpose Internet Mail Extensions (MIME) encoding format by adding encryption and authentication

– Privacy Enhanced Mail (PEM) was proposed by the Internet Engineering Task Force (IETF) as a standard to function with the public key cryptosystems

– PEM uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures

– Pretty Good Privacy (PGP) was developed by Phil Zimmermann and uses the IDEA cipher along with RSA for key exchange

201. Discuss in detail about the Firewall and its generation. [NOV/DEC 2012] [MAY/JUNE 2012] (16)

Firewalls

A firewall is any device that prevents a specific type of information from moving between the untrusted network outside and the trusted network inside.

There are five recognized generations of firewalls.

The firewall may be:

• a separate computer system

• a service running on an existing router or server

• a separate network containing a number of supporting devices

Different generations of firewalls:

• First Generation
Called packet filtering firewalls. Examines every incoming packet header and selectively filters packets based on address, packet type, port request and other factors. The restrictions most commonly implemented are based on:

– IP source and destination address

– Direction (inbound or outbound)

– TCP or UDP source and destination port requests

• Second Generation
Called application-level firewalls or proxy servers.

– Often a dedicated computer separate from the filtering router

– With this configuration the proxy server, rather than the Web server, is exposed to the outside world in the DMZ

– Additional filtering routers can be implemented behind the proxy server

– The primary disadvantage of application-level firewalls is that they are designed for a specific protocol and cannot easily be reconfigured to protect against attacks on protocols for which they are not designed

• Third Generation
Called stateful inspection firewalls.

– Keeps track of each network connection established between internal and external systems using a state table, which tracks the state and context of each packet in the conversation by recording which station sent what packet and when

– These firewalls can also track connectionless packet traffic such as UDP and remote procedure call (RPC) traffic

• Fourth Generation
While static filtering firewalls, such as first- and third-generation firewalls, allow entire sets of one type of packet to enter in response to authorized requests, a dynamic packet filtering firewall allows only a particular packet with a particular source, destination and port address to enter through the firewall. It does this by understanding how the protocol functions, and opening and closing "doors" in the firewall based on the information contained in the packet header. In this manner, dynamic packet filters are an intermediate form between traditional static packet filters and application proxies.

• Fifth Generation

– The final form of firewall is the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT

– It evaluates packets at multiple layers of the protocol stack, by checking security in the kernel as data is passed up and down the stack
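A first-generation static packet filter beside a third-generation stateful inspection filter, as an added example; it is not code from the question bank or from any firewall product. The trusted network, addresses, ports, rule set and packet trace are assumptions made for the example. Both enforce the same policy (internal clients may browse the web and nothing else); the point is packet 3, where an attacker sets source port 80 to look like a reply. The static filter, which had to admit every inbound packet from port 80 so that real replies get through, lets it in; the stateful filter rejects it because no internal host opened that connection.

```python
"""Added example (not part of the question bank): a first-generation static
packet filter beside a third-generation stateful inspection filter, both
processing the same constructed packet trace. The policy is the same in both
("internal clients may browse the web, nothing else"); the difference is what
each must let in to make replies work.

Addresses, ports, the rule set and the trace are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed trusted network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def direction(self):
        return "outbound" if ip_address(self.src) in INTERNAL else "inbound"


# First generation: rules over header fields only, first match wins, default deny.
# None means "any". To admit replies to web requests, the static filter has to
# admit *every* inbound packet with source port 80 - an entire class of packets.
STATIC_RULES = [
    {"direction": "outbound", "sport": None, "dport": 80, "action": "allow"},
    {"direction": "inbound", "sport": 80, "dport": None, "action": "allow"},
]


def static_filter(pkt):
    """Stateless decision from the packet header alone."""
    for rule in STATIC_RULES:
        if rule["direction"] != pkt.direction:
            continue
        if rule["sport"] not in (None, pkt.sport) or rule["dport"] not in (None, pkt.dport):
            continue
        return rule["action"]
    return "deny"


class StatefulFirewall:
    """Third generation: a state table records connections opened from inside;
    an inbound packet is admitted only if it is the reply half of one of them."""

    def __init__(self):
        self.state = set()   # entries: (internal src, sport, external dst, dport)

    def process(self, pkt):
        if pkt.direction == "outbound":
            if pkt.dport == 80:                       # the same policy as above
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow"
            return "deny"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reverse in self.state else "deny"


# Constructed trace: a web request, its reply, then an attacker who picks
# source port 80 to slip past the static rule, then an ordinary SSH probe.
TRACE = [
    Packet("10.0.0.5", 40000, "93.184.216.34", 80),
    Packet("93.184.216.34", 80, "10.0.0.5", 40000),
    Packet("198.51.100.9", 80, "10.0.0.5", 445),
    Packet("198.51.100.9", 51234, "10.0.0.5", 22),
]


def run_trace(trace):
    """(static decision, stateful decision) for every packet, in order."""
    fw = StatefulFirewall()
    return [(static_filter(p), fw.process(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (static, stateful) in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport:<5} "
              f"static={static:5} stateful={stateful}")
```

The state table here never expires entries; a real stateful firewall also tracks the TCP handshake and tears the entry down on FIN/RST or after an idle timeout, otherwise the table itself becomes a resource an attacker can exhaust.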

Firewalls are categorized by processing modes

The five processing modes are

• Packet filtering

• Application gateways


• Circuit gateways

• MAC layer firewalls

• Hybrids

Firewall architectures

• Packet-filtering Routers

– Most organizations with an Internet connection have some form of router as the interface at the perimeter between the organization's internal networks and the external service provider

– Many of these routers can be configured to filter packets that the organization does not allow into the network

– This is a simple but effective means to lower the organization's risk from external attack

– The drawbacks to this type of system include a lack of auditing and strong authentication

– The complexity of the access control lists used to filter the packets can grow and degrade network performance

Figure 16: Packet Filtering Firewall

• Screened-Host Firewall Systems

– Combine the packet-filtering router with a separate, dedicated firewall such as an application proxy server

– Allows the router to pre-screen packets to minimize network traffic and load on the internal proxy

– The application proxy examines an application layer protocol such as HTTP and performs the proxy services

– This separate host is called the bastion host

Figure 17: Screened Host Firewall

• Dual-homed Host Firewall

– The bastion host has two NICs (network interface cards)

– One NIC is connected to the external network and the other to the internal network

– With two NICs, all traffic must physically go through the firewall to move between the external and internal networks

Figure 18: Dual-homed Host Firewall

• Screened-Subnet Firewalls (with DMZ)

– Consists of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network

– The first general model consists of two filtering routers, with one or more dual-homed bastion hosts between them

– The second general model involves the connection from the outside or untrusted network going through this path:

∗ through an external filtering router

∗ into and then out of a routing firewall to the separate network segment known as the DMZ

Figure 19: Screened-subnet Firewall

IMPORTANT QUESTIONS

202. Write short notes on scanning and analysis tools used during design [NOV/DEC 2011] (8)

Scanning and Analysis Tools

• Scanners, sniffers and other analysis tools are useful to security administrators in enabling them to see what the attacker sees

• Scanner and analysis tools can find vulnerabilities in systems

• One of the preparatory parts of an attack is known as footprinting: collecting IP addresses and other useful data

• The next phase of the pre-attack data-gathering process is called fingerprinting: scanning all known addresses to make a network map of the target

What are foot printing and finger printing?

The attack protocol is a series of steps or processes used by an attacker, in a logical sequence, to launch an attack against a target system or network. One of the preparatory parts of the attack protocol is the collection of publicly available information about a potential target, a process known as footprinting.

Footprinting is the organized research of the Internet addresses owned or controlled by the target organization. The attacker uses public Internet data sources to perform keyword searches to identify the network addresses of the organization. This research is augmented by browsing the organization's web pages.

The next phase of the attack protocol is a second intelligence or data-gathering process called fingerprinting. This is a systematic survey of all of the target organization's Internet addresses (which were collected during the footprinting phase); the survey is conducted to ascertain the network services offered by the hosts in that range. Fingerprinting reveals useful information about the internal structure and operational nature of the target system or network for the anticipated attack.

Different types of the Scanning and Analysis tools available are,

Port Scanners

Port scanners fingerprint networks to find ports and services and other useful information

Why secure open ports?

An open port can be used to send commands to a computer, gain access to a server, and exert control over a networking device.

The general rule of thumb is to remove from service or secure any port not absolutely necessary for the conduct of business.
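A minimal TCP connect port scanner of the kind used during fingerprinting, as an added example; it is not code from the question bank or from any scanning tool. To run offline it creates its own target on the loopback address: one listening socket that sends a banner, and one socket that is bound but not listening, so its port is reliably closed. The banner text and the loopback target are assumptions made for the example. Against a real target the host and port list come from the footprinting phase, and the scan may only be run with the kind of authorization described below for packet sniffers.

```python
"""Added example (not from the question bank): a minimal TCP connect port
scanner of the kind used during fingerprinting. To stay self-contained and
offline it starts its own listener on the loopback address (a constructed
target that greets with a banner), plus a second socket that is bound but not
listening so that one port is reliably closed, then scans both. The banner
text and the loopback target are assumptions made for this example.
"""
import socket
import threading
from contextlib import closing


def scan_port(host, port, timeout=0.5):
    """TCP connect scan of one port: (is_open, banner) where banner is whatever
    the service sent first (empty if nothing arrived within the timeout)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:              # refused, timed out, unreachable: treat as closed
            return False, ""
        try:
            banner = s.recv(128).decode("ascii", "replace").strip()
        except OSError:
            banner = ""
        return True, banner


def scan_range(host, ports, timeout=0.5):
    """Map each open port to its banner; closed ports are left out."""
    found = {}
    for port in ports:
        is_open, banner = scan_port(host, port, timeout)
        if is_open:
            found[port] = banner
    return found


def start_fake_service(banner=b"SSH-2.0-ExampleServer\r\n"):
    """Constructed target: a loopback listener that sends a banner to each client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; returns (open_port, closed_port, results)."""
    srv, open_port = start_fake_service()
    closed_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed_sock.bind(("127.0.0.1", 0))   # bound but not listening: connections are refused
    closed_port = closed_sock.getsockname()[1]
    try:
        results = scan_range("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
        closed_sock.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port in (open_port, closed_port):
        state = "open" if port in results else "closed"
        print(f"127.0.0.1:{port:<5} {state:6} {results.get(port, '')}")
```

A full TCP connect completes the three-way handshake, so every probe shows up in the target's logs and in a NIDS as a connection; that visibility is exactly what the signature-based detection of footprinting and fingerprinting described earlier relies on.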

Vulnerability Scanners

• Vulnerability scanners are capable of scanning networks for very detailed information

• As a class, they identify exposed usernames and groups, show open network shares, and expose configuration problems and other vulnerabilities in servers

Packet Sniffers

• A network tool that collects copies of packets from the network and analyzes them

• Can be used to eavesdrop on the network traffic

• To use a packet sniffer legally, you must be:

– on a network that the organization owns

– under direct authorization of the owners of the network

– in possession of the knowledge and consent of the content creators (users)

Content Filters

• Although technically not a firewall, a content filter is a software filter that allows administrators to restrict the content accessible from within a network

• Content filtering restricts access to Web sites with inappropriate content

Trap and Trace

• Trap: better known as honey pots, trap systems distract the attacker while notifying the administrator

• Trace: determine the identity of someone using unauthorized access

203. Describe in detail about the access control used for providing physical control. [NOV/DEC 2011] (8)

Secure facility

A secure facility is a physical location that has been engineered with controls designed to minimize the risk of attacks from physical threats. A secure facility can use the natural terrain, traffic flow and urban development, and can complement these features with protection mechanisms such as fences, gates, walls, guards and alarms.

Controls for Protecting the Secure Facility

• Walls, Fencing, and Gates

• Guards

• Dogs, ID Cards, and Badges

• Locks and Keys

• Mantraps


• Electronic Monitoring

• Alarms and Alarm Systems

• Computer Rooms

• Walls and Doors

Controls used in a Secure Facility

ID Cards and Badges

• Ties physical security to information access with identification cards (ID) and/or name badges

• An ID card is typically concealed

• A name badge is visible

• These devices act as a crude biometric control (facial recognition: the photograph on the card is compared with the bearer's face)

• They should not be the only control, as they can easily be duplicated, stolen and modified

• Tailgating occurs when unauthorized individuals follow authorized users through the control

Locks and Keys

There are two types of locks

• mechanical

• electro-mechanical

Locks can also be divided into four categories

• manual

• programmable

• electronic

• biometric

Locks fail, and facilities need alternative procedures for access. Locks fail in one of two ways:

• when the lock of a door fails and the door becomes unlocked, that is a fail-safe lock (it favours the safety of the people inside, who can still get out)

• when the lock of a door fails and the door remains locked, that is a fail-secure lock (it favours protection of what is behind the door, so an alternative exit must exist for safety)

Electronic Monitoring

• Records events where other types of physical controls are not practical

• May use cameras with video recorders

Drawbacks:


• reactive and do not prevent access or prohibited activity

• recordings often not monitored in real time and must be reviewed to have any value

Alarms and Alarm Systems

Alarm systems notify when an event occurs. They are used for fire, intrusion, environmental disturbance or an interruption in services. These systems rely on sensors that detect the event: motion detectors, smoke detectors, thermal detectors, glass breakage detectors, weight sensors and contact sensors.

204. Explain the physical security plans to detect and responds to fires and fire hazards. [NOV/DEC 2012] (8)

Fire Safety and Security

The most serious threat to the safety of the people in an organization is the possibility of fire. Fire accounts for more property damage, personal injury and death than any other threat.

Fire Detection and Response

Fire suppression systems are devices that are installed and maintained to detect and respond to a fire. They extinguish it by denying it one of the elements it needs (heat, fuel or oxygen), using:

• Water and water mist systems (remove heat)

• Carbon dioxide systems (displace oxygen)

• Soda acid systems (deny fuel)

• Gas-based systems (interrupt the combustion reaction)

Fire Detection

Fire Detection system fall in 2 categories. they are

• Manual

• automatic

Part of a fire safety program is having individuals who monitor the chaos of a fire evacuation, to prevent an attacker from using the evacuation to gain access to offices.

There are 3 types of Fire Detection methods. They are:

• Thermal Detection

• Smoke Detection

• Flame Detection

Fire Suppression

Fire suppression systems consist of portable, manual or automatic apparatus. Portable extinguishers are rated by the class of fire they are designed to put out:

• Class A: ordinary combustible fuels such as wood, paper and cloth

• Class B: flammable liquids and gases

• Class C: energized electrical equipment

• Class D: combustible metals such as magnesium and sodium

Heating, Ventilation and Air conditioning

Areas within a heating, ventilation and air conditioning (HVAC) system that can cause damage to information systems include:

• Temperature

• Filtration

• Humidity

• Static Electricity.

Water Problems

Lack of water poses problems to systems, including the functionality of fire suppression systems and the ability of water chillers to provide air conditioning. Leaks and flooding are the opposite problem, so it is very important to integrate water detection systems into the alarm system that regulates overall facility operations.

205. Discuss the role and responsibilities of Information Security staff. [NOV/DEC 2012] (8)

Information Security Staff

Many information security professionals enter the field through one of two career paths:

• Law enforcement and military

• Technical, working on security applications and processes

Information Security Positions

Use of standard job descriptions can increase the degree of professionalism and improve the consistency of roles and responsibilities between organizations.

The Chief Information Security Officer (CISO or CSO) holds the top information security position and typically has these qualifications:

• accreditation

• graduate degree

• experience

Their major functions are as follows:

• Frequently reports to Chief Information Officer

• Manages the overall information security program

• Drafts or approves information security policies


• Works with the CIO on strategic plans

• Develops information security budgets

• Sets priorities for information security projects and technology

• Makes recruiting, hiring, and firing decisions or recommendations

• Acts as spokesperson for information security team

206. List and discuss about the various credential certificates. [MAY/JUNE 2013] (8)

ISSAP - Information System Security Architecture Professional

ISSAP requires a candidate to demonstrate two years of professional experience in the area of architectureand is an appropriate credential for Chief Security Architects and Analysts who may typically work as inde-pendent consultants or in similar capacities. The architect plays a key role within the information securitydepartment with responsibilities that functionally fit between the C-suite and upper managerial level and theimplementation of the security program. He/she would generally develop, design, or analyze the overall se-curity plan. Although this role may typically be tied closely to technology this is not necessarily the case, andis fundamentally the consultative and analytical process of information security.

ISSMP - Information System Security Management Professional

Another important information security certification that is also an application of the previously stated CISSP is called the Information Systems Security Management Professional, or ISSMP. The examination that one needs to take in order to qualify as an ISSMP will ensure that the security expert is actually proficient in the position of information security manager. In order for an information security expert to become an aspirant for the ISSMP examination, he or she must have an outstanding record in CISSP. Of course, the individual must effectively pass the said ISSMP test. Lastly, the good standing of an individual must always be preserved at all costs.

There are five major fields that will be included in the exam for ISSMP, and these are: law, investigation, forensics, and ethics; security compliance management; security management practices; systems development security; and, lastly, understanding Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP).

SSCP - System Security Certified Practitioner

The (ISC)2 Systems Security Certified Practitioner (SSCP) is a terrific entry-level information security certification, and it is the ideal precursor for the much sought after Certified Information Systems Security Professional (CISSP). The SSCP certification focuses on seven (7) Common Body of Knowledge (CBK) domains:

• Access Controls

• Cryptography

• Malicious Code and Activity

• Monitoring and Analysis

• Networks and Communications


• Risk, Response, and Recovery

• Security Operations and Administration

Security Administration

The security administrator is the focal point for planning security in the installation. RACF gives the security administrator (that is, the user defined with the SPECIAL attribute) many responsibilities both at the system level and at the group level.

The security administrator is responsible for:

• Determining which RACF functions to use

• Identifying the level of RACF protection

• Identifying which data RACF is to protect

• Defining administrative structures and users.

A system administrator assigns user IDs and initial passwords and ensures that the passwords are non-trivial, random, and frequently changed. Because the user IDs and passwords are so critically important, special care must be taken to protect the files that contain them.

207. Explain in detail about the components of Single round DES Encryption algorithm. [MAY/JUNE 2012] (6)

The main parts of the algorithm are as follows:

• Fractioning of the text into 64-bit (8 octet) blocks;

• Initial permutation of blocks;

• Breakdown of the blocks into two parts: left and right, named L and R;

• Permutation and substitution steps repeated 16 times (called rounds);

• Re-joining of the left and right parts then inverse initial permutation.


Figure 20: DES Algorithm
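The block structure listed above, as an added illustration that is not from the question bank and is not real DES: a toy Feistel cipher that fractions the input into 64-bit blocks, splits each block into L and R, runs 16 rounds and swaps the halves, with decryption being the same network run with the subkeys reversed. The round function f and the key schedule are hypothetical stand-ins for DES's expansion, S-boxes, P-box and PC-1/PC-2; the initial and inverse initial permutations are omitted; blocks are processed independently (ECB), which is the mode implied by "fractioning of the text into blocks".

```python
import hashlib
import struct

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def round_keys(key: bytes):
    # Hypothetical key schedule: 16 subkeys derived by hashing the key with the
    # round index. Real DES derives them with PC-1, rotations and PC-2 instead.
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(ROUNDS)]


def f(right: int, subkey: int) -> int:
    # Toy round function standing in for DES's expansion / S-box / P-box step.
    # Any function of (R, K) works here: Feistel invertibility does not depend on f.
    x = (right ^ subkey) & MASK32
    x = ((x * 0x9E3779B1) + 0x7F4A7C15) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32


def feistel_block(block: bytes, subkeys) -> bytes:
    L, R = struct.unpack(">II", block)      # break the 64-bit block into L and R
    for k in subkeys:                        # 16 rounds: L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i)
        L, R = R, L ^ f(R, k)
    return struct.pack(">II", R, L)         # final swap and re-join of the halves


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    subkeys = round_keys(key)
    padlen = 8 - len(plaintext) % 8
    data = plaintext + bytes([padlen]) * padlen   # PKCS#7 padding to whole 8-octet blocks
    return b"".join(feistel_block(data[i:i + 8], subkeys) for i in range(0, len(data), 8))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    subkeys = round_keys(key)[::-1]               # same network, subkeys in reverse order
    data = b"".join(feistel_block(ciphertext[i:i + 8], subkeys)
                    for i in range(0, len(ciphertext), 8))
    return data[:-data[-1]]                       # strip the padding


if __name__ == "__main__":
    key = b"constructed-key"                      # constructed sample key
    ct = encrypt(key, b"constructed sample plaintext")
    print(ct.hex(), decrypt(key, ct))
```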

208. In a public key crypto system using the RSA algorithm, you catch the cipher text 11 sent to a user whose public key is (7, 187). What is the plain text message? [MAY/JUNE 2012] (10)

Given Data:

Key : (7,187)

In General form : Key (d,n)

So the value of d=7 and n=187.


The given Cipher text value is C= 11

To Find

The value of Plain text M=?

Solution:

As per the RSA algorithm, the plain text M can be derived by using the formula

M = C^d mod n

M = 11^7 mod 187

M = 19487171 mod 187

M = 88

Figure 21: RSA Algorithm
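The computation above, as an added Python example that is not part of the question bank: square-and-multiply modular exponentiation recovers M = 88 without ever forming 11^7 in full, and, going beyond the question, because n = 187 is small enough to factor by trial division the example also recovers p, q, phi(n) and the companion exponent e = 23, then re-encrypts 88 to check that it returns 11. The function names and the helper routines are the editor's own.

```python
def mod_pow(base: int, exp: int, mod: int) -> int:
    """Right-to-left square-and-multiply: 11^7 mod 187 without computing 19487171."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result


def rsa_decrypt(c: int, d: int, n: int) -> int:
    # M = C^d mod n, exactly the formula used in the answer above
    return mod_pow(c, d, n)


def small_factors(n: int):
    """Trial division. Instant for a textbook modulus like 187; infeasible for
    the 2048-bit moduli used in practice, which is the whole security argument."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n is not a product of two primes")


def companion_exponent(d: int, phi: int) -> int:
    """The other exponent e with e*d = 1 (mod phi(n))."""
    return pow(d, -1, phi)  # modular inverse, Python 3.8+


def worked_example():
    d, n, c = 7, 187, 11                 # the key (d, n) and cipher text from the question
    m = rsa_decrypt(c, d, n)             # 88
    p, q = small_factors(n)              # 11, 17
    phi = (p - 1) * (q - 1)              # 160
    e = companion_exponent(d, phi)       # 23, since 7 * 23 = 161 = 1 mod 160
    assert mod_pow(m, e, n) == c         # re-encrypting 88 gives back 11
    # Caveat visible in this toy instance: gcd(88, 187) = 11, so the message itself
    # shares a factor with n. RSA still round-trips, but such a message leaks p.
    return {"m": m, "p": p, "q": q, "phi": phi, "e": e}


if __name__ == "__main__":
    print(worked_example())
```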

Prepared By: Mr. N. Gopinath, AP/CSE

Verified By: HOD, Mr. G. Rajaraman

Approved By: Principal, Dr. K. Senthil Kumar