
Question one

1.1) Information security refers to the protection of information and
information resources from unauthorized access, attack, theft or damage.
This includes (amongst other things) setting policies to ensure that
unauthorized persons cannot access business or personal information.
I would make use of the following goals in the practice of information security:
 Prevention - stopping unauthorized access, attack, theft or damage before
it happens. Responsible individuals and organizations must secure their
confidential information. In a widely connected business environment, data
exists in many forms, such as digital media and print, so every item of data
that is used, shared or transmitted must be protected to minimize business
risks and the other consequences of losing crucial data.
 Detection - discovering that a user is trying to access unauthorized data,
or that information has already been lost. It can be accomplished by
investigating individuals or by scanning the data and networks for any
traces left by the intruder in an attack against the system.
 Recovery - when there is a disaster or an intrusion by unauthorized users,
system data can become compromised or damaged. In these cases you need a
process to recover vital data from a crashed system or from data storage
devices. Recovery can also pertain to physical resources.

1.2) Social engineering refers to means of getting users to reveal confidential
information. Below are some of the principles and techniques that social
engineers use to gain confidential information:
 Impersonation
Impersonation (pretending to be someone else) is one of the basic social
engineering techniques. The classic impersonation attack is for the social
engineer to phone into a department, claim they have to adjust something on
the user's system remotely and get the user to reveal their password. For this
attack to be successful, the approach must be convincing and persuasive.
Social engineering is one of the most common and successful malicious
techniques in information security. Because it exploits basic human trust, it
has proven to be a particularly effective way of manipulating people into
performing actions that they would not otherwise perform.

 Familiarity/Liking
Some people have the sort of natural charisma that allows them to persuade
others to do as they request. One of the basic tools of a social engineer is
simply to be affable and likable and to present the requests they make as
completely reasonable and unobjectionable. This approach is relatively
low-risk as even if the request is refused, it is less likely to cause suspicion and
the social engineer may be able to move on to a different target without being
detected.
 Consensus/social proof
The principle of consensus or social proof refers to the fact that, without an
explicit instruction to behave in a certain way, many people will act just as
they think others would act. A social engineering attack can use this instinct
either to persuade the target that refusing a request would be odd ("That's
not something anyone else has ever said no to") or to exploit polite behaviour.
In another example, an attacker may be able to fool a user into believing that
a malicious website is legitimate by posting numerous fake reviews and
testimonials praising the site. The victim, believing that many different
people have judged the site acceptable, takes this as evidence of the site's
legitimacy and places their trust in it.

 Authority and intimidation
Many people find it difficult to refuse a request by someone they perceive as
superior in rank or expertise. Social engineers can try to exploit this behavior to
intimidate their target by pretending to be someone senior. An attack might be
launched by impersonating someone who would often be deferred to, such as
a police officer or judge. Another technique is using spurious technical
arguments and jargon. Social engineering can exploit the fact that few people
are willing to admit ignorance. Compared to using a familiarity/liking sort of
approach, this sort of adversarial tactic might be riskier to the attacker as there
is a greater chance of arousing suspicion and the target reporting the attack
attempt.

 Tailgating
Refers to a means of entering a secure area without authorization by following
close behind a person who has been allowed to open the door or checkpoint.
Piggybacking is similar, but the attacker enters the secure area with an
employee's permission. For instance, an attacker might impersonate a member
of the cleaning crew and request that an employee hold the door open while
they bring in a cleaning cart. Alternatively, piggybacking may be a means for
an insider threat actor to allow access to someone without recording it in the
building's entry log. Another technique is to persuade someone to hold a door
open, using an excuse such as "I've forgotten my key."

 Lunchtime attack
Most authentication methods are dependent on the physical security of the
workstation. If a user leaves a workstation unattended while logged on, an
attacker can physically gain access to the system. Most operating systems are
set to activate a password-protected screen saver after a defined period of no
keyboard or mouse activity. Users should also be trained to lock or log off the
workstation whenever they leave it unattended.

Question two
2.1) I would achieve this by dividing the controls into types according to the
goal or function of the control. Those types are:
 Preventive - the control physically or logically restricts unauthorized
access. A directive can be thought of as an administrative version of a
preventive control.
 Deterrent - the control may not physically or logically prevent access, but
psychologically discourages an attacker from attempting an intrusion.
 Detective - the control may not prevent or deter access, but it will identify
and record any attempted or successful intrusion.
 Corrective - the control responds to and fixes an incident and may also
prevent its recurrence.
 Compensating - the control does not prevent the attack but restores the
function of the system through some other means, such as using a data
backup or an alternative site.

2.2)
 User training (administrative control) could ensure that the media is not
left unattended on a desk and is not inserted into a computer system without
being scanned first.
 Endpoint security (technical control) on the laptop could scan the media for
malware or block access to it automatically.
 Security locks inserted into USB ports (physical control) on the laptop
could prevent attachment of media without requesting a key, allowing
authorization checks to be performed first.
 Permissions restricting Alan's user account (technical control) could
prevent the malware from executing successfully.
 The use of encrypted and digitally signed media (technical control) could
prevent, or at least identify, an attempt to tamper with it.
 If the laptop were compromised, intrusion detection/prevention and
logging/alerting systems (technical control) could detect the malware and
prevent it from spreading on the network.

Question three
3.1) The netstat command allows you to check the state of ports on the local
machine. Netstat can be used to check for service misconfigurations (perhaps
a host is running a web or FTP server that a user installed without
authorization). You may also be able to identify suspect remote connections to
services on the local host or from the host to remote IP addresses.
When trying to identify malware, the most useful netstat output is the view
that shows which process is listening on which port. An Advanced Persistent
Threat (APT) might have been able to compromise the netstat command (for
example with a rootkit) to conceal the ports it is using, so a local scan may
not be completely reliable and should be confirmed with a port scan from
another host.
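As an added example (not part of the original assignment), the script below parses constructed Linux `netstat -tulnp`-style output and flags two things the text describes: listening sockets that are not on an allow-list (an unauthorized FTP server) and established connections to addresses outside the expected ranges. The sample output, the allow-list and the trusted address prefix are all constructed for this example.

```python
"""Triage netstat output for unexpected listeners and suspect remote
connections.  Added example, not part of the original assignment; the
sample output is constructed (Linux `netstat -tulnp` style) and the policy
tables below are hypothetical."""
import re

# Constructed sample of what `netstat -tulnp` might print on a Linux host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      901/cupsd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      4411/vsftpd
tcp        0      0 10.0.0.5:49212          203.0.113.9:4444        ESTABLISHED 5120/nc
tcp        0      0 10.0.0.5:49213          10.0.0.20:443           ESTABLISHED 2210/firefox
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
"""

# Hypothetical policy for this host: which (proto, port) may listen, and which
# remote network is expected.  Anything else is flagged for a human to check.
ALLOWED_LISTENERS = {("tcp", 22), ("tcp", 631), ("udp", 68)}
TRUSTED_REMOTE_PREFIXES = ("10.0.0.",)      # constructed corporate range

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>LISTEN|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_SENT)?\s*"
    r"(?P<pid>\d+|-)/(?P<prog>\S+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket line; the header and anything unparsable is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local_host, local_port = m["local"].rsplit(":", 1)     # split on the last colon
        remote_host, remote_port = m["remote"].rsplit(":", 1)  # remote port may be '*'
        rows.append({
            "proto": m["proto"].rstrip("6"),
            "local_host": local_host, "local_port": int(local_port),
            "remote_host": remote_host, "remote_port": remote_port,
            "state": m["state"] or "",
            "pid": m["pid"], "prog": m["prog"],
        })
    return rows


def find_unexpected_listeners(rows, allowed=ALLOWED_LISTENERS):
    """Listening sockets (TCP LISTEN, or any bound UDP socket) not on the allow-list."""
    return [r for r in rows
            if (r["state"] == "LISTEN" or r["proto"] == "udp")
            and (r["proto"], r["local_port"]) not in allowed]


def find_suspect_connections(rows, trusted=TRUSTED_REMOTE_PREFIXES):
    """Established connections whose remote side is outside the trusted ranges."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED"
            and not r["remote_host"].startswith(trusted)]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for r in find_unexpected_listeners(rows):
        print(f"unexpected listener: {r['proto']}/{r['local_port']} "
              f"pid {r['pid']} ({r['prog']})")
    for r in find_suspect_connections(rows):
        print(f"suspect connection: {r['local_host']} -> "
              f"{r['remote_host']}:{r['remote_port']} pid {r['pid']} ({r['prog']})")
```

Because the output comes from the host's own netstat binary, a rootkit can hide entries from it; treat the result as a lead and confirm any listener it reports (and any it suspiciously does not) with a port scan run from a separate machine.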

3.2) One of the most important tools when it comes to network security (both
from the perspective of an adversary and for security posture assessment)
is the protocol analyzer. This tool facilitates eavesdropping. Eavesdropping is
a valuable counterintelligence technique because it can be used to detect
hostile or malicious traffic passing over unauthorized ports or IP ranges. For
the attacker, the difficulty in performing eavesdropping lies in attaching a
sniffer to the network medium at a suitable point to obtain traffic from hosts
of interest. For the security analyst, all the contents of the network are
fully available (if enough sensors are positioned appropriately); the problem
lies in identifying suspicious traffic.

3.3) A honeypot is a computer system set up to attract attackers, with the
intention of analyzing attack strategies and tools, to provide early warnings of
attack attempts or possibly as a decoy to divert attention from actual computer
systems.
A honeynet on the other hand, is an entire decoy network. This may be set up
as an actual network or simulated using an emulator.

Deploying a honeypot or honeynet can help an organization to improve its
security systems, but there is the risk that the attacker can still learn a great
deal about how the network is configured and protected from analyzing the
honeypot system. Many honeypots are set up by security researchers
investigating malware threats, software exploits, and spammers' abuse of
open relay mail systems. These systems are generally fully exposed to the
internet. On a production network, a honeypot is more likely to be located in a
protected but untrusted area between the internet and the private network,
referred to as a Demilitarized Zone (DMZ), or on an isolated segment of the
private network. This provides early warning and evidence of whether an
attacker has been able to penetrate to a given security zone.

Question four
Encryption is the process of encoding information so that only authorized
parties can read it. Information is converted from plaintext into ciphertext.
Symmetric encryption is a two-way encryption algorithm in which encryption
and decryption are both performed with a single secret key.
The secret key can be a number, a word or a string of random bytes.
Alternatively, there may be two keys or multiple subkeys, but these are easy
to derive from possession of the master key. There are two types of
symmetric cipher: stream ciphers and block ciphers.

Advantages are
>With a well-studied algorithm and a key of adequate length it is extremely
secure; the only practical attack is obtaining the key.
>Symmetric encryption is far faster than asymmetric encryption.
>Ease of use. It only requires you to maintain and remember a single key and
only requires a single decryption step to return the data to a readable format.
>Uses fewer computer resources: single-key encryption does not require a lot of
computing power when compared to public key encryption.
>Limits the damage of a single key compromise. A different secret key is
used for communication with every different party. If a key is compromised,
only the messages between that particular pair of sender and receiver are
affected. Communications with other people are still secure.
>Provides message integrity and authentication when combined with a keyed
hash (a Message Authentication Code, MAC). It does not provide
non-repudiation, however: both parties hold the same key, so either of them
could have produced the MAC.

Disadvantages
>The difficulty of securely distributing and storing keys grows with the
number of parties: a group of n parties needs n(n-1)/2 pairwise keys.
>Need for a secure channel for secret key exchange. Sharing the secret key in
the beginning is a problem in symmetric key encryption. It has to be
exchanged in a way that ensures it remains secret.
>Too many keys. A new shared key has to be generated for communication
with every different party. This creates a problem with managing and ensuring
the security of all these keys.
>Origin of a message cannot be proved to a third party. Since both sender
and receiver use the same key, a message cannot be shown to have come
from one particular user rather than the other. This may be a problem if
there is a dispute.
>There is more damage if the key is compromised. Should the key fall into the
wrong hands, its holder can decrypt everything protected by that key.

Asymmetric encryption, also referred to as public-key cryptography, is a
relatively new method that uses two different keys, one public and one
private. The public key may be shared with everyone, but the private key must
be protected.

Advantages
>Identification and verification - If you encode a known string of data with
your private key and attach it to a message, anyone who receives that message
can decode it with your public key. The encoding therefore serves as a
fingerprint, since only your private key could have produced it. In practice
the document is first run through a hash function, a one-way cryptographic
function that produces a fixed-size message digest, and the digest is encoded
with your private key. This not only proves your identity to the recipient but
also ensures that no one was able to tamper with the message, since the
digest would change.
>Convenience, it solves the problem of distributing the key for encryption.
Everyone publishes their public key and keeps their private key secret.
>Provides for message authentication: public key encryption allows the
receiver to detect if the message was altered in transit. A digitally signed
message cannot be modified without invalidating the signature.
>Provides for non-repudiation: digitally signing a message is akin to
physically signing a document. It is an acknowledgement of the message and
thus the sender cannot deny having sent it.

Disadvantages
>It involves quite a lot of computing overhead, and a message encrypted
directly with the public key cannot be larger than the key size (so in
practice a symmetric session key is encrypted, not the message itself).
>It is slower than other methods, such as secret-key encryption. In
secret-key encryption, a single key provides the only way to encrypt and
decrypt, simplifying and speeding up the process. In public-key encryption,
the encryption and decryption processes have to work with two different keys,
each related to the other by a complex mathematical process involving prime
>Public keys must themselves be authenticated. Public-key encryption has no
built-in way to prove that a public key belongs to the person it names, so
everyone must verify the ownership of the public keys they use (in practice
through certificates issued by a trusted certificate authority).
>Widespread security compromise is possible: if an attacker obtains a
person's private key, every message encrypted to that person can be read.
>Loss of the private key may be irreparable: without it, all received
messages can no longer be decrypted.
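The two property lists above are easier to see in code. The following is an added example, not part of the original assignment: it computes an HMAC (the symmetric keyed hash) and a textbook RSA signature side by side, showing that the receiver of a MAC can forge one (so there is no non-repudiation), that only the holder of the private exponent can produce a signature the public key accepts, and that raw RSA refuses any value not smaller than the modulus. The RSA parameters are the tiny textbook values p=61, q=53 (n=3233, e=17, d=2753), constructed purely for illustration; real keys are 2048 bits or more and real signatures use padding such as RSA-PSS rather than raw modular exponentiation.

```python
"""Symmetric MAC versus asymmetric signature: which properties each provides.
Added example, not part of the original assignment.  The RSA parameters are
tiny constructed textbook values; never use raw pow() RSA in real systems."""
import hashlib
import hmac
import secrets


# ---- Symmetric: HMAC-SHA256 gives integrity, but no non-repudiation --------
def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # constant-time comparison so the check itself does not leak the tag
    return hmac.compare_digest(mac_tag(key, message), tag)


def receiver_can_forge(key: bytes) -> bool:
    """The receiver holds the same key as the sender, so it can mint a valid
    tag for a message the sender never wrote.  A third party therefore cannot
    tell who produced a MAC: integrity yes, non-repudiation no."""
    forged = b"transfer 1000000 to account 42"
    return mac_verify(key, forged, mac_tag(key, forged))


# ---- Asymmetric: toy RSA signature -----------------------------------------
P, Q, E = 61, 53, 17            # constructed textbook primes and public exponent
N = P * Q                       # 3233: the modulus, part of both keys
PHI = (P - 1) * (Q - 1)         # 3120
D = pow(E, -1, PHI)             # private exponent 2753: E*D == 1 (mod PHI)


def digest_for(message: bytes, n: int) -> int:
    """Hash the message, then reduce so the integer fits the toy modulus.  With
    a real-size key a SHA-256 digest already fits and no reduction is needed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(d: int, n: int, digest: int) -> int:
    """Sign with the private exponent.  Raw RSA only operates on integers
    smaller than the modulus: the 'message cannot be larger than the key
    size' limitation from the text."""
    if not 0 <= digest < n:
        raise ValueError("value to sign must be smaller than the modulus")
    return pow(digest, d, n)


def rsa_verify(e: int, n: int, digest: int, signature: int) -> bool:
    """Anyone holding the public key (e, n) can check; only the holder of d
    could have produced a signature that passes."""
    return pow(signature, e, n) == digest


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    msg = b"pay 100 to account 7"
    print("MAC verifies:", mac_verify(key, msg, mac_tag(key, msg)))
    print("receiver can forge a MAC:", receiver_can_forge(key))
    h = digest_for(msg, N)
    sig = rsa_sign(D, N, h)
    print("signature verifies:", rsa_verify(E, N, h, sig))
    # An attacker with only the public key tries pow(m, e, n) as a 'signature'
    # (textbook value m=65); it does not pass verification.
    print("forgery with public key verifies:", rsa_verify(E, N, 65, pow(65, E, N)))
    try:
        rsa_sign(D, N, 1 << 256)        # a full SHA-256 digest is far larger than n
    except ValueError as exc:
        print("oversized input rejected:", exc)
```

The `digest_for` reduction is only there to squeeze a 256-bit hash under a 12-bit toy modulus; it throws away most of the hash and would not be acceptable with a real key.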

Question five
If the private key belonging to a certificate is lost, data encrypted with the
certificate cannot be recovered unless a backup of the key has been made. If
the key is stolen (compromised), the certificate authority must be deliberately
told to revoke the certificate, as it has no automatic way to know of the
compromise. To revoke a certificate, the CA (certificate authority) marks it
as revoked in its own database. It can then issue or update a Certificate
Revocation List (CRL). A CRL has the following attributes:
 Publish period - the date and time on which the CRL is published. Most
CAs are set up to publish the CRL automatically.
 Distribution point(s) - the location(s) to which the CRL is published.
 Validity period - the period during which the CRL is considered
authoritative. This is usually a bit longer than the publish period (for
example, if the publish period was every 24 hours, the validity period might
be 25 hours), so that clients are not left without a valid CRL between updates.
 Signature - the CRL is signed by the CA so that clients can verify its
authenticity.

The publish period introduces the problem that a certificate might be revoked
but still accepted by clients because an up-to-date CRL has not been
published. Another problem is that the CRL Distribution Point(CDP) may not
be included as a field in the certificate. A further problem is that the browser(or
other applications) may not be configured to perform CRL checking, though
this now tends to be the case only with legacy browser software.

Alternatively, the CA can make revocation information available to an Online
Certificate Status Protocol (OCSP) responder. Rather than return a whole CRL,
this just communicates the status of the requested certificate. Details of the
OCSP responder service should be published in the certificate. One of the
disadvantages of OCSP is that responding to requests is resource intensive
and can place high demands on the CA running the OCSP responder. There is
also a privacy issue, as the OCSP responder could be used to monitor and
record which sites a client browser visits. These issues are addressed by
OCSP stapling: the SSL/TLS web server periodically obtains a time-stamped,
CA-signed OCSP response for its own certificate and returns it to the client
during the handshake, rather than making the client contact the OCSP
responder itself.
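The gap between a revocation being recorded and clients actually rejecting the certificate is what the discussion of publish and validity periods is about. The simulation below is an added example, not part of the original assignment: a toy CA that publishes a CRL every 24 hours valid for 25 hours, an OCSP responder reading the live database, and the relying-party checks for a fetched CRL and for a stapled OCSP response. The issuer name, serial number, clock values and the `signed_by` label (standing in for a real signature check) are all constructed.

```python
"""CRL freshness window and the revocation gap, with OCSP for comparison.
Added example, not part of the original assignment: the CA, clock values and
serial number are constructed, and the 'signed_by' label stands in for a
real signature verification."""
from datetime import datetime, timedelta, timezone

ISSUER = "Example-CA"          # hypothetical issuer name


class ToyCA:
    """Issuer side: a revocation database, CRLs published on a fixed schedule
    (every 24 h here), each valid a little longer (25 h) so clients are never
    without an authoritative list, and an OCSP responder on the live database."""

    def __init__(self, first_publish, publish_period_h=24, validity_h=25):
        self.revoked = {}                                   # serial -> revocation time
        self.publish_period = timedelta(hours=publish_period_h)
        self.validity = timedelta(hours=validity_h)
        self.crls = []
        self.next_publish = first_publish
        self.publish(first_publish)

    def revoke(self, serial, when):
        """Mark the certificate revoked in the database; nothing is published yet."""
        self.revoked[serial] = when

    def publish(self, when):
        crl = {"this_update": when, "next_update": when + self.validity,
               "revoked": set(self.revoked), "signed_by": ISSUER}
        self.crls.append(crl)
        self.next_publish = when + self.publish_period
        return crl

    def latest_crl(self, now):
        """What a client fetching the distribution point at `now` receives."""
        while self.next_publish <= now:
            self.publish(self.next_publish)
        return self.crls[-1]

    def ocsp_response(self, serial, now, lifetime_h=1):
        """Per-certificate answer from the live database, valid for a short window."""
        status = "revoked" if serial in self.revoked else "good"
        return {"serial": serial, "status": status, "produced_at": now,
                "next_update": now + timedelta(hours=lifetime_h), "signed_by": ISSUER}


def crl_status(serial, crl, now):
    """Relying party: trust a CRL only if it is signed by the issuer and `now`
    lies inside its validity window; otherwise fail closed with 'stale'."""
    if crl["signed_by"] != ISSUER:
        return "untrusted"
    if not crl["this_update"] <= now <= crl["next_update"]:
        return "stale"
    return "revoked" if serial in crl["revoked"] else "good"


def stapled_status(serial, response, now):
    """Relying party: check a response the web server stapled into the TLS
    handshake; the server fetched it earlier, so the client never contacts the CA."""
    if response["signed_by"] != ISSUER or response["serial"] != serial:
        return "untrusted"
    if not response["produced_at"] <= now <= response["next_update"]:
        return "stale"
    return response["status"]


def timeline():
    """Certificate 0A1B is reported compromised at 10:00 on a day whose CRL was
    published at 00:00.  Returns what each mechanism tells a client."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ca = ToyCA(first_publish=t0)
    ca.revoke("0A1B", t0 + timedelta(hours=10))
    result = {}
    for label, hours in (("12:00", 12), ("24:30", 24.5)):
        now = t0 + timedelta(hours=hours)
        result[label] = {
            "crl": crl_status("0A1B", ca.latest_crl(now), now),
            "ocsp": ca.ocsp_response("0A1B", now)["status"],
        }
    # A client still using the midnight CRL an hour after it expired:
    result["cached_crl@26:00"] = crl_status("0A1B", ca.crls[0], t0 + timedelta(hours=26))
    # A staple the server fetched at 10:30 and presented at 11:00 and at 12:00:
    staple = ca.ocsp_response("0A1B", t0 + timedelta(hours=10.5))
    result["staple@11:00"] = stapled_status("0A1B", staple, t0 + timedelta(hours=11))
    result["staple@12:00"] = stapled_status("0A1B", staple, t0 + timedelta(hours=12))
    return result


if __name__ == "__main__":
    for label, outcome in timeline().items():
        print(label, outcome)
```

At 12:00 the CRL path still reports the compromised certificate as good, because the revocation will only appear in the CRL published at midnight; OCSP sees it immediately. The stapled response carries its own short validity window, so a server that does not refresh its staple in time leaves clients with a stale response that should be rejected, not silently accepted.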

Question six
6.1) There are different ways to identify people. Those ways can be
categorized as physical (fingerprints, eye and facial recognition) or
behavioral (voice, signature and typing pattern matching). Key metrics and
considerations used to evaluate different technologies include the following:

 False negatives (where a legitimate user is not recognized); referred to as
the False Rejection Rate (FRR) or Type I error.
 False positives (where an interloper is accepted); referred to as the False
Acceptance Rate (FAR) or Type II error.
False negatives cause inconvenience to users, but false positives can
lead to security breaches, so FAR is usually considered the most important
metric.
 Crossover Error Rate (CER) - the point at which FRR and FAR are equal. The
lower the CER, the more efficient and reliable the technology.
 Errors are reduced over time by tuning the system. This is typically
accomplished by adjusting the sensitivity (matching threshold) of the system;
a site more concerned about breaches than convenience sets the threshold
above the CER point, accepting a higher FRR in exchange for a lower FAR.
 Throughput (speed) - this refers to the time required to create a template
for each user and the time required to authenticate. This is a major
consideration for high traffic access points, such as airports or railway
stations.
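An added example (not part of the original assignment) of how FAR, FRR and the crossover point are actually derived: a matcher produces a similarity score per attempt and accepts when the score reaches a threshold; sweeping that threshold over constructed genuine and impostor scores gives the two error curves, the threshold where they cross, and the operating point a security-first site would choose instead. The score lists are constructed and stand in for the output of a hypothetical biometric matcher.

```python
"""FAR, FRR and the crossover error rate from matcher scores.
Added example, not part of the original assignment; the match scores are
constructed (higher score = stronger match, accepted when score >= threshold)."""

# Constructed similarity scores (0-100) for ten genuine attempts and fourteen
# impostor attempts.  The two populations overlap, as they do in practice.
GENUINE = [92, 88, 85, 81, 79, 76, 74, 70, 66, 60]
IMPOSTOR = [25, 30, 35, 38, 40, 42, 45, 48, 50, 55, 58, 62, 66, 70]


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate (Type II): share of impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate (Type I): share of legitimate users scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep the threshold and return (threshold, FAR, FRR) where FAR and FRR
    are closest.  With discrete scores they rarely coincide exactly, so the
    lowest threshold with the smallest gap is reported as the CER point."""
    best = None
    for t in range(0, 101):
        fa, fr = far(t, impostor), frr(t, genuine)
        if best is None or abs(fa - fr) < abs(best[1] - best[2]):
            best = (t, fa, fr)
    return best


def tune_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Operating point for a security-first site: the lowest threshold whose
    FAR does not exceed `max_far`, together with the FRR that this costs."""
    for t in range(0, 101):
        fa = far(t, impostor)
        if fa <= max_far:
            return t, fa, frr(t, genuine)
    return None


if __name__ == "__main__":
    t, fa, fr = crossover()
    print(f"CER near threshold {t}: FAR={fa:.3f} FRR={fr:.3f}")
    t, fa, fr = tune_for_max_far(0.0)
    print(f"zero-FAR threshold {t}: FAR={fa:.3f} FRR={fr:.3f}")
```

Raising the threshold past the crossover point drives FAR to zero on this data but rejects three in ten legitimate attempts, which is the throughput and user-acceptance cost the text mentions.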

6.2)
An authentication product is considered strong if it combines more than one
type of factor (something you know, something you have, something you are);
this is multifactor authentication. Single-factor authentication systems can
quite easily be compromised: a password could be written down or shared, a
smart card could be lost or stolen, and a biometric system could be subject
to high error rates or spoofing.

Two-Factor Authentication (2FA) combines something you have, such as a smart
card, or something you are, such as a biometric mechanism, with something you
know, such as a password or PIN.
Three-factor authentication combines all three types, or incorporates an
additional location-based factor. An example of this would be a smart card
with an integrated fingerprint reader. This means that to authenticate, the
user must possess the card, the user's fingerprint must match the template
stored on the card and the user must input a PIN or password.
