Information Security Questions and Answers

www.vidyarthiplus.
com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
IT2042 INFORMATION SECURITY

(REGULATION 2008)
UNIT I INTRODUCTION
History, What is Information Security?, Critical Characteristics of Information, NSTISSC
Security Model, Components of an Information System, Securing the Components,
Balancing Security and Access, The SDLC, The Security SDLC
UNIT II SECURITY INVESTIGATION

Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues
UNIT III SECURITY ANALYSIS

Risk Management: Identifying and Assessing Risk, Assessing and Controlling Risk
UNIT IV LOGICAL DESIGN

Blueprint for Security, Information Security Policy, Standards and Practices, ISO 17799/BS
7799, NIST Models, VISA International Security Model, Design of Security Architecture,
Planning for Continuity
UNIT V PHYSICAL DESIGN

Security Technology, IDS, Scanning and Analysis Tools, Cryptography, Access Control
Devices, Physical Security, Security and Personnel
16
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
UNIT – I
PART – A (2 Marks)
1. Define information security.

It is a well-informed sense of assurance that the information risks and controls are in
balance.
2. List the critical characteristics of information.

• Availability
• Accuracy
• Authenticity
• Confidentiality
• Integrity
• Utility
• Possession
3. Define security. What are the multiple layers of security?

Security is “the quality or state of being secure-to be free from danger”.
• Physical Security
• Personal Security
• Operations Security
• Communication Security
• Network Security
• Information Security
4. When can a computer be a subject and an object of an attack respectively?

When a computer is the subject of attack, it is used as an active tool to conduct the
attack. When a computer is the object of an attack, it is the entity being attacked.
5. Why is a methodology important in implementing the information security?

Methodology is a formal approach to solve a problem based on a structured sequence
of procedures.
6. Difference between vulnerability and exposure.

Vulnerability Exposure
Weakness or fault in a system or protection The exposure of an information system is a
mechanism that expose information to single instance when the system is open to
attack or damage. damage.
17
7. Sketch the NSTISSC security model.
8. List out the security services.

Three security services:
Confidentiality, integrity, and availability
Threats are divided into four broad classes:
 Disclosure, or unauthorized access to information
 Deception, or acceptance of false data
 Disruption, or interruption or prevention of correct operation
 Usurpation or unauthorized control of some part of a system.
9. Define the snooping and spoofing.

Snooping: The unauthorized interception of information is a form of disclosure. It is
passive, suggesting simply that some entity is listening to (or reading) communications or
browsing through files or system information.
Masquerading or spoofing: An impersonation of one entity by another is a form of
both deception and usurpation.
10. List the components used in security models.

 Software
 Hardware
 Data
 People
 Procedures
 Networks
11. What are the functions of Information Security?

 Protects the organization's ability to function
 Enables the safe operation of applications implemented on the organizations IT
systems
 Protects the data the organization collects and uses
18
 Safeguards the technology assets in use at the organization
12. What are the phases of SDLC Waterfall method?

 Investigation
 Analysis
 Logical Design
 Physical Design
 Implementation
 Maintenance & change
13. What is Rand Report R-609?

The Rand Report was the first widely recognized published document to identify the
role of management and policy issues in computer security.
The scope of computer security grew from physical security to include:
 Safety of the data
 Limiting unauthorized access to that data
 Involvement of personnel from multiple levels of the organization
14. What is meant by balancing Security and Access?

 It is impossible to obtain perfect security - it is not an absolute; it is a process
 Security should be considered a balance between protection and availability
 To achieve balance, the level of security must allow reasonable access
PART – B (16 Marks)
1. Describe the Critical Characteristics of Information. Nov/Dec 2011

Nov/Dec 2012 May/Jun 2012
Availability
Enables authorized users – persons or computer systems – to access information
without interference or obstruction and receive it in the required format.
Accuracy
Information that is free from mistakes or errors and has the value end user expects
(E.g. inaccuracy of your bank account may result in mistakes such as bouncing of a check).
Authenticity
Quality or state of being genuine or original, rather than reproduction or fabrication.
Information is authentic when the contents are original as it was created, placed or
stored or transmitted.( The information receive as e-mail may not be authentic when its
contents are modified what is known as E-mail spoofing)
Confidentiality
19
Confidentiality ensures that only those with the rights and privileges to access
information are able to do so.
When unauthorized individuals or systems can view information, confidentiality is
breached.
Integrity
 Information has integrity when it is whole, complete, and uncorrupted
 The integrity of information is threatened when it is exposed to corruption,
damage, destruction, other disruption of its authentic state
 Many computer virus or worms are designed with the explicit purpose of
corrupting data
 Information integrity is the corner stone of information systems, because
information is of no value or use if users cannot verify its integrity
 Redundancy bits and check bits can compensate for internal and external threats to
integrity of information
Utility
The utility of information is the quality or state of having value for some purpose or
end. (For example, the US census data reveals information about the voters like their gender,
age, race, and so on).
Possession
It is the quality or state of having ownership or control of some object or item. Breach
of possession does not result in breach of confidentiality.
Illegal possession of encrypted data never allows someone to read it without proper
decryption methods.
2. Explain the Components of an Information System. Nov/Dec 2011

Software
The software component of IS comprises applications, operating systems, and
assorted command utilities. Software programs are the vessels that carry the life blood of
information through an organization. Software programs become an easy target of accidental
or intentional attacks.
Hardware
It is the physical technology that houses and executes the software, stores and carries
the data, provides interfaces for the entry and removal of information from the system.
Physical security policies deal with the hardware as a physical asset and with the protection
of these assets from harm or theft.
People
20
People have always been a threat to information security and they are the weakest link
in a security chain. Policy, education and training, awareness, and technology should be
properly employed to prevent people from accidently or intentionally damaging or losing
information.
Data
Data stored, processed, and transmitted through a computer system must be protected.
Data is the most valuable asset possessed by an organization and it is the main target of
intentional attacks.
Procedures
Procedures are written instructions for accomplishing when an unauthorized user
obtains an organization’s procedures; it poses threat to the integrity of the information.
Educating employees about safeguarding the procedures is as important as securing the
information system. Lack in security procedures caused the loss of over ten million dollars
before the situation was corrected.
Networks
Information systems in LANs are connected to other networks such as the internet and
new security challenges are rapidly emerge. Apart from locks and keys which are used as
physical security measures, network security also an important aspect to be considered.
3. Discuss SDLC in detail. May/June 2013

Investigation
What is the problem the system is being developed to solve?
 The objectives, constraints, and scope of the project are specified
 A preliminary cost/benefit analysis is developed
 A feasibility analysis is performed to assesses the economic, technical, and
behavioral feasibilities of the process
Analysis
 Assessments of the organization
 Status of current systems
 Capability to support the proposed systems
 Analysts begin to determine
 What the new system is expected to do

 How the new system will interact with existing systems
 Ends with the documentation of the findings and a feasibility analysis update
Logical Design
 Based on business need, applications are selected capable of providing needed
services
21
 Based on applications needed, data support and structures capable of providing the
needed inputs are identified
 Select specific ways to implement the physical solution are chosen
 Another feasibility analysis is performed
Physical Design
 Specific technologies are selected to support the alternatives identified and
evaluated in the logical design
 Selected components are evaluated based on a make-or-buy decision
 Entire solution is presented to the end-user representatives for approval
Implementation
 Components are ordered, received, assembled, and tested
 Users are trained and documentation created
 Users are then presented with the system for a performance review and acceptance
test
Maintenance and Change
 Tasks necessary to support and modify the system for the remainder of its useful
life
 The life cycle continues until the process begins again from the investigation
phase
 When the current system can no longer support the mission of the organization, a
new project is implemented
4. Describe SecSDLC in detail. Nov/Dec 2011

Security Systems Development Life Cycle
 Same phases used in the traditional SDLC adapted to support the specialized
implementation of a security project
 Basic process is identification of threats and controls to counter them
 SecSDLC is a coherent program rather than a series of random, seemingly
unconnected actions
Investigation
 Identifies process, outcomes and goals of the project, and constraints
 Begins with a statement of program security policy
 Teams are organized, problems analyzed, and scope defined, including objectives,
and constraints not covered in the program policy
 An organizational feasibility analysis is performed
Analysis
 Analysis of existing security policies or programs, along with documented current
threats and associated controls
22
 Includes an analysis of relevant legal issues that could impact the design of the
security solution
 The risk management task (identifying, assessing, and evaluating the levels of
risk) also begins
Logical & Physical Design
 Creates blueprints for security
 Critical planning and feasibility analyses to determine whether or not the project
should continue
 In physical design, security technology is evaluated, alternatives generated, and
final design selected
 At end of phase, feasibility study determines readiness so all parties involved have
a chance to approve the project
Implementation
 The security solutions are acquired (made or bought), tested, and implemented,
and tested again
 Personnel issues are evaluated and specific training and education programs
conducted
 Finally, the entire tested package is presented to upper management for final
approval
Maintenance and Change
 The maintenance and change phase is perhaps most important, given the high
level of ingenuity in today’s threats
 The reparation and restoration of information is a constant duel with an often
unseen adversary
 As new threats emerge and old threats evolve, the information security profile of
an organization requires constant adaptation
5. Explain the NSTISSC security model and the top down approach to security
implementation. Nov/Dec 2011
23
Top-down Approach
 Initiated by upper management:

 issue policy, procedures, and processes
 dictate the goals and expected outcomes of the project
 determine who is accountable for each of the required actions
 Strong upper management support, a dedicated champion, dedicated funding,
clear planning, and the chance to influence organizational culture
 May also involve a formal development strategy referred to as a systems
development life cycle
 Most successful top-down approach
6. Describe the NSTISSC security model and the bottom up approach to security
implementation.
Bottom Up Approach
 Security from a grass-roots effort - systems administrators attempt to improve the
security of their systems
 Key advantage - technical expertise of the individual administrators
24
 Seldom works, as it lacks a number of critical features:

 Participant support
 Organizational staying power
7. Explain any five professional in information security with their role and focus.
Senior Management
 Chief Information Officer
 The senior technology officer
 Primarily responsible for advising the senior executive(s) for strategic
planning
 Chief Information Security Officer
 Responsible for the assessment, management, and implementation of
securing the information in the organization
 Referred to as the Manager for Security
Security Project Team

 A number of individuals who are experienced in one or multiple requirements of
both the technical and non-technical areas:
 The champion
 The team leader
 Security policy developers
 Risk assessment specialists
 Security professionals
 Systems administrators
 End users
Data Ownership
 Data owner: responsible for the security and use of a particular set of information
 Data custodian: responsible for storage, maintenance, and protection of
information
 Data users: end users who work with information to perform their daily jobs
supporting the mission of the organization
UNIT – II
1. Why is information security a management problem?

Management is responsible for implementing information security to protect the
ability of the organization to function.
25
They must set policy and operate the organization in a manner that complies with the
laws that govern the use of technology.
2. Distinguish between Dos and DDos.

Dos DDos
Denial of service attack -The Distributed Denial of service is an
attacker sends a large number of attack in which a coordinated stream
connection or information requests of requests is launched against a
to a target. target from many locations at the
same time.
3. What is intellectual property?

It is the ownership of ideas and control over the tangible or virtual representation of
those ideas.
4. What is a policy? How it is differ from law?

Policies: A body of expectations that describe acceptable and unacceptable employee
behaviours in the workplace.
It functions as organizational laws, complete with penalties, judicial practices, and
sanctions to require complaints.
The difference between policy and a law, however, is that ignorance of a policy is an
acceptable defence.
5. What is a threat? What are the threats to Information Security?

Threat is an object, person or other entity that represents a constant danger to an asset.
 Acts of Human error or failure.
 Compromises to Intellectual Property
 Deliberate acts of espionage or trespass
 Deliberate acts of information extortion
 Deliberate acts of sabotage and vandalism
 Deliberate acts of theft
 Deliberate Software Attacks
 Forces of Nature
 Deviations in quality of service from service providers
 Technical Hardware Failures or Errors
 Technical Software Failures or Errors
 Technological Obsolescence
6. What are the general categories of unethical and illegal behaviour?
26
There are three general categories of unethical behaviour that organizations and
society should seek to eliminate:
 Ignorance
 Accident
 Intent
7. What are the various types of malware? How do worms differ from Virus?
 Viruses
 Worms
 Trojan horses
 Active web scripts
Virus Worm
A virus attaches itself to s a computer A worm is similar to virus by design. It
program and spreads from one computer also spreads from one computer to
to another. another.
Spreads with uniform speed as Worms spread more rapidly than virus.
programmed.
It can be attached to .EXE, .COM , .XLS It can be attached to any attachments of
etc email or any file on network.
Ex Melisca, cascade etc Ex Blaster Worm
It requires the spreading of an infected It replicates them without the host file.
host file.
8. Who are hackers? What are the levels of hackers?

Hackers are people who use and create computer software for enjoyment or to gain
access to information illegally.
There are two levels of hackers.
 Expert Hacker - Develops software codes
 Unskilled Hacker - Uses the codes developed by the experts
9. What is security blue print?

The security blue print is the plan for the implementation of new security measures in
the organization. Sometimes called a framework, the blue print presents an organized
approach to the security planning process.
10. What are the types of virus?

 Macro virus
 Boot virus
27
11. Distinguish between attack and threat.

Attack Threat
An act which is in process. A promise of an attack to come.
An attack is intentional. Threat can be either intentional or
unintentional.
Attack to information might have a Threat to information does not mean that
chance to alter or damage the it is damaged or changed
information when it is successful.
12. Define Information Extortion.

 Information extortion is an attacker or formerly trusted insider stealing
information from a computer system and demanding compensation for its return
or non-use
 Extortion found in credit card number theft
13. Define Hoax.

 A computer virus hoax is a message warning the recipient of a non-existent
computer virus threat
 The message is usually a chain e-mail that tells the recipient to forward it to
everyone they know
1. Explain the functions of an Information security organization.

Nov/Dec 2011 Nov/Dec2012
Protecting the Ability to Function
 Management is responsible
 Information security
 Management issue
 People issue
 Communities of interest must argue for information security in terms of impact
and cost
Enabling Safe Operation
 Organizations must create integrated, efficient, and capable applications
 Organization need environments that safeguard applications
 Management must not abdicate to the IT department its responsibility to make
choices and enforce decisions
28
Protecting Data
 One of the most valuable assets is data
 Without data, an organization loses its record of transactions and/or its ability to
deliver value to its customers
 An effective information security program is essential to the protection of the
integrity and value of the organization’s data
Safeguarding Technology Assets
 Organizations must have secure infrastructure services based on the size and
scope of the enterprise
 Additional security services may have to be provided
 More robust solutions may be needed to replace security programs the
organization has outgrown
2. Describe about various forms of attacks. Nov/Dec 2012

IP Scan and Attack: Compromised system scans random or local range of IP addresses and
targets any of several vulnerabilities known to hackers or left over from previous exploits.
Web Browsing: If the infected system has write access to any Web pages, it makes all Web
content files infectious, so that users who browse to those pages become infected.
Virus: Each infected machine infects certain common executable or script files on all
computers to which it can write with virus code that can cause infection.
Unprotected Shares: Using file shares to copy viral component to all reachable locations.
Mass Mail: Sending e-mail infections to addresses found in address book.
SMTP: Simple Network Management Protocol - SNMP vulnerabilities used to compromise
and infect.
Hoaxes: A more devious approach to attacking computer systems is the transmission of a
virus hoax, with a real virus attached.
Back Doors: Using a known or previously unknown and newly discovered access
mechanism.
Password Crack: Attempting to reverse calculates a password.
Brute Force: The application of computing and network resources to try every possible
combination of options of a password.
Dictionary: The dictionary password attack narrows the field by selecting specific accounts
to attack and uses a list of commonly used passwords (the dictionary) to guide guesses.
Denial-of-service (DoS)
 attacker sends a large number of connection or information requests to a
target
 so many requests are made that the target system cannot handle them
successfully along with other, legitimate requests for service
 may result in a system crash, or merely an inability to perform ordinary
functions
Distributed Denial-of-service (DDoS) - an attack in which a coordinated stream of requests
29
is launched against a target from many locations at the same time.

 Spoofing - technique used to gain unauthorized access whereby the intruder sends
messages to a computer with an IP address indicating that the message is coming
from a trusted host
 Man-in-the-Middle - an attacker sniffs packets from the network, modifies them,
and inserts them back into the network
 Spam - unsolicited commercial e-mail - while many consider spam a nuisance
rather than an attack, it is emerging as a vector for some attacks
Buffer Overflow
 Application error occurs when more data is sent to a buffer than it can handle
 When the buffer overflows, the attacker can make the target system execute
instructions, or the attacker can take advantage of some other unintended
consequence of the failure
Timing Attack
 Relatively new works by exploring the contents of a web browser’s cache can
allow collection of information on access to password-protected sites
 Another attack by the same name involves attempting to intercept cryptographic
elements to determine keys and encryption algorithms
3. Explain the different categories of threat. Give Examples.

Nov/Dec 2011 May/June 2012
Acts of Human Error or Failure
 Includes acts done without malicious intent
 Caused by:
 Inexperience
 Improper training
 Incorrect
 Employee mistakes can easily lead to the following :
 revelation of classified data
 entry of erroneous data
 accidental deletion or modification of data
 storage of data in unprotected areas
 failure to protect information
Much human error or failure can be prevented with training and ongoing awareness
activities.
Compromises to Intellectual Property
 Intellectual property is “the ownership of ideas and control over the tangible or
virtual representation of those ideas”
 Many organizations are in business to create intellectual property trade secrets,
copyrights, trademarks, patents
30
 Watchdog organizations investigate:

 Software & Information Industry Association (SIIA)
 Business Software Alliance (BSA)
Protective measures
Enforcement of copyright has been attempted with technical security mechanisms,
such as using digital watermarks and embedded code.
The most common reminder of the individual’s obligation to fair and responsible use
is the license agreement window that usually pops up during the installation of new
software.
Deliberate acts of espionage or trespass
Espionage/Trespass
 Broad category of activities that breach confidentiality
 Unauthorized accessing of information
 Competitive intelligence vs. espionage
 Shoulder surfing can occur any place a person is accessing confidential
information
Sabotage or Vandalism
Attack on the image of an organization can be serious like defacing a web site.
 Individual or group who want to deliberately sabotage the operations of a
computer system or business, or perform acts of vandalism to either destroy an
asset or damage the image of the organization
 These threats can range from petty vandalism to organized sabotage
 Organizations rely on image so Web defacing can lead to dropping consumer
confidence and sales
 Rising threat of activist or cyber-activist operations - the most extreme version is
cyber-terrorism
Deliberate acts of theft
 Illegal taking of another’s property - physical, electronic, or intellectual
 The value of information suffers when it is copied and taken away without the
owner’s knowledge
 Physical theft can be controlled - a wide variety of measures used from locked
doors to guards or alarm systems
 Electronic theft is a more complex problem to manage and control - organizations
may not even know it has occurred
Deliberate Software Attacks
 When an individual or group designs software to attack systems, they create
malicious code/software called malware
 Includes:
 macro virus
 boot virus
31
 worms
 Trojan horses
 logic bombs
 back door or trap door
 denial-of-service attacks
 polymorphic
 hoaxes
Forces of Nature
 Forces of nature, force majeure, or acts of God are dangerous because they are
unexpected and can occur with very little warning
 Can disrupt not only the lives of individuals, but also the storage, transmission,
and use of information
 Include fire, flood, earthquake, and lightning as well as volcanic eruption and
insect infestation
 Since it is not possible to avoid many of these threats, management must
implement controls to limit damage and also prepare contingency plans for
continued operations
Technical Hardware Failures or Errors
 Technical hardware failures or errors occur when a manufacturer distributes to
users equipment containing flaws
 These defects can cause the system to perform outside of expected parameters,
resulting in unreliable service or lack of availability
 Some errors are terminal, in that they result in the unrecoverable loss of the
equipment
 Some errors are intermittent, in that they only periodically manifest themselves,
resulting in faults that are not easily repeated
Technical Software Failures or Errors
 This category of threats comes from purchasing software with unrevealed faults
 Large quantities of computer code are written, debugged, published, and sold only
to determine that not all bugs were resolved
 Sometimes, unique combinations of certain software and hardware reveal new
bugs
 Sometimes, these items aren’t errors, but are purposeful shortcuts left by
programmers for honest or dishonest reasons
Technological Obsolescence
 When the infrastructure becomes antiquated or outdated, it leads to unreliable and
untrustworthy systems
 Management must recognize that when technology becomes outdated, there is a
risk of loss of data integrity to threats and attacks
 Ideally, proper planning by management should prevent the risks from technology
32
obsolesce, but when obsolescence is identified, management must take action
4. Write about the attack replication vectors in detail. Nov/ Dec 2011
IP Scan and attack – The infected system scans a random or local range of IP
addresses and targets any of the vulnerabilities known to hackers.
Web browsing –If the infected system has right access to any web pages, it makes
all web content files infectious, so that users who browse the web pages become infected.
Virus – Each infected machine infects certain common executable or script files on
all computers to which it can write with virus code that can cause infection
Unprotected shares –Using vulnerabilities in file system and the way many
organizations configure them, the infected machine copies the viral content to all locations it
can reach.
Mass mail – By sending email infections to addresses found in the address book, the
infected machine infects the users whose mail reading programs also automatically run the
program and infect other systems.
SNMP – By using the widely known and common passwords that were employed in
earlier versions of this protocol, the attacking program can gain control of the device.
5. Discuss the ethical concepts in information security.

 Thou shalt not use a computer to harm other people
 Thou shalt not interfere with other people's computer work
 Thou shalt not snoop around in other people's computer files
 Thou shalt not use a computer to steal
 Thou shalt not use a computer to bear false witness
 Thou shalt not copy or use proprietary software for which you have not paid
 Thou shalt not use other people's computer resources without authorization or
proper compensation
 Thou shalt not appropriate other people's intellectual output
 Thou shalt think about the social consequences of the program you are writing or
the system you are designing
 Thou shalt always use a computer in ways that insure consideration and respect
for your fellow humans
Ethical Differences across Cultures
 Cultural differences create difficulty in determining what is and is not ethical
 Difficulties arise when one nationality’s ethical behaviour conflicts with ethics of
another national group
 Example: many of ways in which Asian cultures use computer technology is
software piracy
Ethics and Education
 Overriding factor in levelling ethical perceptions within a small population is
33
education
 Employees must be trained in expected behaviours of an ethical employee,
especially in areas of information security
 Proper ethical training vital to creating informed, well prepared, and low-risk
system user
Deterrence to Unethical and Illegal Behaviour
 Deterrence: best method for preventing an illegal or unethical activity; e.g., laws,
policies, technical controls
 Laws and policies only deter if three conditions are present:
 Fear of penalty
 Probability of being caught
 Probability of penalty being administered
6. List and discuss the role and focus of any four professional organizations providing
information security. May/June 2012 May/June 2013
 Several professional organizations have established codes of conduct/ethics
 Codes of ethics can have positive effect; unfortunately, many employers do not
encourage joining of these professional organizations
 Responsibility of security professionals to act ethically and according to policies
of employer, professional organization, and laws of society.
 ACM established in 1947 as “the world's first educational and scientific
computing society”
 Code of ethics contains references to protecting information confidentiality,
causing no harm, protecting others’ privacy, and respecting others’ intellectual
property. International Information Systems Security Certification Consortium,
Inc.
 Non-profit organization focusing on development and implementation of
information security certifications and credentials
 Code primarily designed for information security professionals who have
certification from
 Code of ethics focuses on four mandatory canons
System Administration, Networking, and Security Institute (SANS)
 Professional organization with a large membership dedicated to protection of
information and systems
 SANS offers set of certifications called Global Information Assurance
Certification (GIAC) Information Systems Audit and Control Association
(ISACA)
 Professional association with focus on auditing, control, and security
 Concentrates on providing IT control practices and standards
 ISACA has code of ethics for its professionals.
34
UNIT – III
1. In risk management strategies why does a periodic review have to be a part of

process? May/June 2012 May/June 2013
 The first focus is asset inventory
 The completeness and accuracy of the asset inventory has to be verified
 The threats and vulnerabilities that are dangerous to asset inventory must be
verified
2. What is asset valuation? List any 2 components of asset valuation.

May/June 2012
A method of assessing the worth of a company, real property, security, antique or
other item of worth. Asset valuation is commonly performed prior to the sale of an asset or
prior to purchasing insurance for an asset.
 Questions to assist in developing the criteria to be used for asset valuation:
 Which information asset is the most critical to the success of the organization?
 Which information asset generates the most revenue?
3. Define dumpster driving. May/June 2013

To retrieve information that could embarrass a company or compromise information
security.
4. What is risk management? Nov/Dec 2012

Risk management is the process of identifying vulnerabilities in an organization’s
information systems and taking carefully reasoned steps to assure Confidentiality, Integrity,
and Availability.
5. Define benchmarking.
Benchmarking is a process of seeking out and studying the practices used in other
organizations that produce results you would like to duplicate in your organization.
6. What are the different types of Access Controls?

 Discretionary Access Controls (DAC)
 Mandatory Access Controls (MACs)
 Nondiscretionary Controls
 Role-Based Controls
 Task-Based Controls
 Lattice-based Control
35
7. Define Disaster Recovery Plan.

The most common mitigation procedure is Disaster Recovery Plan (DRP). The DRP
includes the entire spectrum of activities used to recover from the incident and strategies to
limit losses before and after the disaster. DRP usually include all preparations for the
recovery process, strategies to limit losses during the disaster.
8. What is residual risk?

Exposure to loss remaining after other known risks have been countered, factored in,
or eliminated. It is simply seen as the risk that remains after safeguards have been
implemented.
9. Mention the Risk Identification Estimate Factors.

 Likelihood
 Value of Information Assets
 Percent of Risk Mitigated
 Uncertainty
10. What is the formula for calculating risk?

Risk = Threat x Vulnerability x Cost
Risk Assessment = ((Likelihood + Impact + Current Impact)/3) * 2 - 1
1. Explain in detail the process of asset identification for different categories.

Nov/Dec 2012
People, Procedures, and Data Asset Identification
 Human resources, documentation, and data information assets are not as readily
discovered and documented
 These assets should be identified, described, and evaluated by people using
knowledge, experience, and judgment
 As these elements are identified, they should also be recorded into some reliable
data handling process
Asset Information for People
 Position name/number/ID – try to avoid names and stick to identifying positions,
roles, or functions
 Supervisor
 Security clearance level
 Special skills
Hardware, Software, and Network Asset Identification
 What attributes of each of these information assets should be tracked?
36
 When deciding which information assets to track, consider including these asset
attributes:
 Name
 IP address
 MAC address
 Element type
 Serial number
 Manufacturer name
 Manufacturer’s model number or part number
 Software version, update revision, or FCO number
 Physical location
 Logical location
 Controlling entity
Asset Information for Procedures

 Description
 Intended purpose
 What elements is it tied to
 Where is it stored for reference
 Where is it stored for update purposes
 Security clearance level
 Special skills
Asset Information for Data
 For Data:
 Classification
 Owner/creator/manager
 Size of data structure
 Data structure used – sequential, relational
 Online or offline
 Where located
 Backup procedures employed
2. What are risk control strategies? Nov/Dec 2011 May/June 2012

 When risks from information security threats are creating a competitive
disadvantage
 Information technology and information security communities of interest take
control of the risks
 Four basic strategies are used to control the risks that result from vulnerabilities:
 Apply safeguards (avoidance)
 Transfer the risk (transference)
37
 Reduce the impact (mitigation)

 Inform themselves of all of the consequences and accept the risk without
control or mitigation (acceptance)
Risk Control Strategies:
Avoidance
 Avoidance attempts to prevent the exploitation of the vulnerability
 Accomplished through countering threats removing vulnerabilities in assets
limiting access to assets adding protective safeguards
 Three areas of control:
 Policy
 Training and education
 Technology
Transference
 Transference is the control approach that attempts to shift the risk to other assets,
other processes, or other organizations
 If an organization does not already have quality security management
and administration experience, it should hire individuals or firms that
provide such expertise
 This allows the organization to transfer the risk associated with the
management of these complex systems to another organization with
established experience in dealing with those risks
Mitigation
 Mitigation attempts to reduce the impact of exploitation through planning and
preparation
 Three types of plans:
 disaster recovery planning (DRP)
 business continuity planning (BCP)
 incident response planning (IRP)
Acceptance
 Acceptance of risk is doing nothing to close a vulnerability and to accept the
outcome of its exploitation
 Acceptance is valid only when:
 Determined the level of risk
 Assessed the probability of attack
 Estimated the potential damage
 Performed a thorough cost benefit analysis
 Evaluated controls using each appropriate feasibility
 Decided that the particular function, service, information, or asset did not
justify the cost of protection
 Risk appetite describes the degree to which an organization is willing to accept
risk as a trade-off to the expense of applying controls
38
Risk Assessment
 To determine the relative risk for each of the vulnerabilities through a process
called risk assessment
 Risk assessment assigns a risk rating or score to each specific information asset,
useful in gauging the relative risk introduced by each vulnerable information asset
and making comparative ratings later in the risk control process
 Risk Identification Estimate Factors
 Likelihood
 Value of Information Assets
 Percent of Risk Mitigate
3. Explain the process of Risk assessment. Nov/Dec 2011 Nov/Dec 2012
 Risk assessment assigns a risk rating or score to each specific information asset,
useful in gauging the relative risk introduced by each vulnerable information asset
and making comparative ratings later in the risk control process.
 Risk Identification Estimate Factors
 Likelihood
 Value of Information Assets
 Percent of Risk Mitigated
 Uncertainty
4. Write short notes on a) Incidence Response Plan b) Disaster Recovery Plan

c) Business continuity plan.
Incidence Response Plan
The actions an organization can perhaps should take while the incident is in progress
are documented in what is known as Incident Response Plan(IRP) IRP provides answers to
questions victims might pose in the midst of the incident ,such as “What do I do now?”.
 What should the administrator do first?
 Whom should they contact?
 What should they document?
For example, in the event of serious virus or worm outbreak, the IRP may be used to
assess the likelihood of imminent damage and to inform key decision makers in the various
communities of interest.
Disaster Recovery Plan

The most common mitigation procedure is Disaster Recovery Plan(DRP). The DRP
includes the entire spectrum of activities used to recover from the incident. DRP can include
strategies to limit losses before and after the disaster. These strategies are fully deployed
once the disaster has stopped.
DRP usually include all preparations for the recovery process, strategies to limit
losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles,
or the floodwaters recede.
39
Business Continuity Plan

The BCP is the most strategic and long term of the three plans. It encompasses the
continuation of business activities if a catastrophic event occurs, such as the loss of an entire
database, building or entire operations centre. The BCP includes the planning the steps
necessary to ensure the continuation of the organization when the scope or scale of a disaster
exceeds the ability of the DRP to restore operations. This can include preparation steps for
activation of secondary data centres, hot sites, or business recovery sites.
5. Explain the process of vulnerability identification and assessment for different

threats faced by an information security system.
Vulnerability Identification
 Vulnerabilities are specific avenues that threat agents can exploit to attack an
information asset
 Examine how each of the threats that are possible or likely could be perpetrated
and list the organization’s assets and their vulnerabilities
 The process works best when groups of people with diverse backgrounds
within the organization work iteratively in a series of brainstorming sessions
 At the end of the process, an information asset / vulnerability list has been
developed
 This is the starting point for the next step, risk assessment
6. Discuss briefly data classification and management.

Data Classification and Management
 A variety of classification schemes are used by corporate and military
organizations
 Information owners are responsible for classifying the information assets for
which they are responsible
 Information owners must review information classifications periodically
 The military uses a five-level classification scheme but most organizations do not
need the detailed level of classification used by the military or federal agencies
Management of Classified Data
 Includes the storage, distribution, portability, and destruction of classified
information
 Clean desk policies require all information to be stored in its appropriate storage
container at the end of each day
 Proper care should be taken to destroy any unneeded copies
 Dumpster diving can prove embarrassing to the organization.
40
7. Explain the risk control cycle process.

Once a control strategy has been implemented, it should be monitored and measures
on an ongoing basis to determine the effectiveness of the security controls and the accuracy
of the estimate of the residual risk. The following flowchart shows how this cyclical process
is continuously used to ensure that risks are controlled.
.
 Before deciding on the strategy for a specific vulnerability all information about
the economic and non-economic consequences of the vulnerability facing the
information asset must be explored
 Cost Benefit Analysis (CBA)
 The most common approach for a project of information security controls and
safeguards is the economic feasibility of implementation
 Begins by evaluating the worth of the information assets to be protected and the
loss in value if those information assets are compromised
 It is only common sense that an organization should not spend more to protect an
asset than it is worth
 The formal process to document this is called a cost benefit analysis or an
economic feasibility study
 Some of the items that impact the cost of a control or safeguard include:
 Cost of development or acquisition
 Training fees
 Cost of implementation
 Service costs
 Cost of maintenance
41
 Asset valuation
 It is the process of assigning financial value or worth to each information asset
 The valuation of assets involves estimation of real and perceived costs associated
with the design, development, installation, maintenance, protection, recovery, and
defense against market loss and litigation
 These estimates are calculated for each set of information bearing systems or
information assets
 The expected value of a loss can be stated in the following equation:
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized
Rate of Occurrence (ARO)
SLE = asset value x exposure factor (EF)
ARO is simply how often you expect a specific type of attack to occur, per year.
SLE is the calculation of the value associated with the most likely loss from an attack.
EF is the percentage loss that would occur from a given vulnerability being exploited.
 When benchmarking, an organization typically uses one of two measures:
 Metrics-based measures are comparisons based on numerical standards
 Process-based measures examine the activities performed in pursuit of its goal,
rather than the specifics of how goals were attained
 Organizational feasibility examines how well the proposed information security
alternatives will contribute to the efficiency, effectiveness, and overall operation of an
organization
 Operational Feasibility addresses user acceptance and support, management
acceptance and support, and the overall requirements of the organization’s
stakeholders. Sometimes known as behavioural feasibility, because it measures the
behaviour of users.
42
UNIT – IV
1. What measurement do you use when preparing a potential damage assessment?

May/June 2012
Identify what must be done to recover from each possible case. The costs include the
actions of the response team(s) as they act to recover quickly and effectively from an incident
or disaster.
2. Define policy and standards. May/June 2012

A policy is a plan or course of action, as of a government, political party, or business,
intended to influence and determine decisions, actions, and other matters. Standards, on the
other hand, are more detailed statements of what must be done to comply with policy.
3. What is the difference between the management, technical and operational control?
When would each be applied as a part of a security framework? May/June 2012
Managerial controls cover security processes that are designed by strategic planners
and implemented by the security administration of the organization.
4. Give any 5 major sections of ISO/IEC 17799 standards. May/June 2013

 Organizational Security Policy
 Organizational Security Infrastructure
 Asset Classification and Control
 Personnel Security
 Compliance
5. What are the three types of security policies? Nov/Dec 2012

 General or security program policy
 Issue-specific security policies
 Systems-specific security policies
6. Mention the Drawbacks of ISO 17799/BS 7799. Nov/Dec 2011

 The global information security community has not defined any justification for a
code of practice as identified in the ISO/IEC 17799
 17799 lacks “the necessary measurement precision of a technical standard”
 There is no reason to believe that 17799 is more useful than any other approach
currently available
 17799 is not as complete as other frameworks available
 17799 is perceived to have been hurriedly prepared given the tremendous impact
its adoption could have on industry information security controls
43
7. What is Defense in Depth?

One of the foundations of security architectures is the requirement to implement
security in layers .Defense in depth requires that the organization establish sufficient security
controls and safeguards, so that an intruder faces multiple layers of controls.
8. What is contingency planning? Nov/Dec 2012

It is the entire planning conducted by the organization to prepare for, react to, and
recover from events that threaten the security of information and information assets in the
organization.
9. What are the approaches of ISSP?

 Create a number of independent ISSP documents
 Create a single comprehensive ISSP document
 Create a modular ISSP document
10. What is Sphere of protection?

 The “sphere of protection” overlays each of the levels of the “sphere of use” with
a layer of security, protecting that layer from direct or indirect use through the
next layer
 The people must become a layer of security, a human firewall that protects the
information from unauthorized access and use
 Information security is therefore designed and implemented in three layers
 Policies
 People (education, training, and awareness programs)
 Technology
11. What is Security perimeter?

The point at which an organization’s security protection ends, and the outside world
begins is referred to as the security perimeter.
12. Mention the Operational Controls of NIST SP 800-26.

 Physical Security
 Production, Input/output Controls
 Contingency Planning
 Hardware and Systems Software
 Data Integrity
 Documentation
 Security Awareness, Training, and Education
 Incident Response Capability .
44
13. What is Information Security Blueprint?

The Security Blue Print is the basis for Design, Selection and Implementation of
Security Policies, education and training programs, and technology controls.
14. What are ACL Policies?

 Who can use the system
 What authorized users can access
 When authorized users can access the system
 Where authorized users can access the system from
 How authorized users can access the system
15. Define Issue-Specific Security Policy (ISSP).

 addresses specific areas of technology
 requires frequent updates
 contains an issue statement on the organization’s position on an issues
16. What is Security Program Policy?

 A general security policy
 IT security policy
 Information security policy
1. Describe NIST SP 800-26.

Management Controls
 Risk Management
 Review of Security Controls
 Life Cycle Maintenance
 Authorization of Processing (Certification and Accreditation)
 System Security Plan
Operational Controls
 Physical Security
 Production, Input / Output Controls
 Contingency Planning
 Hardware and Systems Software
 Data Integrity
 Documentation
 Security Awareness, Training, and Education
45
 Incident Response Capability
Technical Controls
 Identification and Authentication
 Logical Access Controls
 Audit Trails
2. Explain the design of security architecture in detail. May/June 2013

 Host-based Ids
 Network-based Ids
 Signature-based Ids
 Statistical anomaly based Ids
3. Discuss the types of information security policies in detail. Nov/Dec 2011

 General or security program policy
 Issue-specific security policies
 Systems-specific security policies
Security Program Policy
 Sets the strategic direction, scope, and tone for all security efforts within the
organization
 An executive-level document, usually drafted by or with, the CIO of the
organization and is usually 2 to 10 pages long
Issue-Specific Security Policy (ISSP)
 As various technologies and processes are implemented, certain guidelines are
needed to use them properly
 ISSP:
 addresses specific areas of technology
 requires frequent updates
 contains an issue statement on the organization’s position on an issue
 Three approaches:
 Create a number of independent ISSP documents
 Create a single comprehensive ISSP document
 Create a modular ISSP document
Systems-Specific Policy (SysSP)
 SysSPs are frequently codified as standards and procedures used when
configuring or maintaining systems
 Access control lists (ACLs) consist of the access control lists, matrices, and
capability tables governing the rights and privileges of a particular user to a
particular system
 Configuration rules comprise the specific configuration codes entered into
46
security systems to guide the execution of the system
4. Explain NIST security model in detail. Nov/Dec 2011

 NIST special publication SP 800-12
5. Discuss VISA International security models in detail. Nov/Dec 2012

 VISA International promotes strong security measures and has security guidelines
 Developed two important documents that improve and regulate information
systems: “Security Assessment Process”; “Agreed Upon Procedures”
 Using the two documents, security team can develop sound strategy the design of
good security architecture
 Only down side to this approach is very specific focus on systems that can or do
integrate with VISA’s systems
6. Describe the major steps in contingency planning. Nov/Dec 2012

 Plans for events of this type are referred to in a number of ways:
 Business continuity plans (BCPs)
 Disaster recovery plans (DRPs)
 Incident response plans (IRPs)
 Contingency plans
 Large organizations may have many types of plans and small organizations may
have one simple plan, but most have inadequate planning
47
 Before any planning begins, a team has to plan the effort and prepare resulting
documents
 Champion: high-level manager to support, promote, and endorse findings of the
project
 Project manager: leads project and makes sure a sound project planning process is
used, a complete and useful project plan is developed, and project resources are
prudently managed
 Team members: should be managers or their representatives from various
communities of interest (business, IT, and information security).
Major steps in contingency planning:
48
 CP team conducts BIA in the following stages:

 Threat attack identification
 Business unit analysis
 Attack success scenarios
 Potential damage assessment
 Subordinate plan classification
 Incident response planning covers identification of, classification of, and response
to an incident
 Incident is attack against an information asset that poses clear threat to the
confidentiality, integrity, or availability of information resources
 IR team consists of those individuals needed to handle systems as incident takes
place
 IR consists of the following four phases:
 Planning
 Detection
 Reaction
 Recovery
Disaster recovery planning (DRP) is planning the preparation for and recovery from a
disaster.
Contingency planning team must decide which actions constitute disasters and which
constitute incidents.
DRP Steps:
 There must be a clear establishment of priorities
 There must be a clear delegation of roles and responsibilities
 Someone must initiate the alert roster and notify key personnel
 Crisis management occurs during and after a disaster and focuses on the people
49
involved and addressing the viability of the business

 Business continuity planning outlines reestablishment of critical business
operations during a disaster that impacts operations
UNIT – V
1. Distinguish between symmetric and asymmetric encryption. Nov/Dec 2011

Symmetric Asymmetric
Uses the same secret (private) key to Uses both a public and private key.
encrypt and decrypt its data
Requires that the secret key be known by Asymmetric allows for distribution of
the party encrypting the data and the your public key to anyone with which
party decrypting the data. they can encrypt the data they want to
send securely and then it can only be
decoded by the person having the private
key.
Fast 1000 times slower than symmetric
2. What is content filter? May/June 2013

A content filter is software filter-technically not a firewall-that allows administrators
to restrict access to content from within a network.
3. List all physical security controls. May/June 2013

 guards
 dogs
 lock and keys
 electronic monitoring
 ID cards and badges
 man traps
 alarms and alarm systems
4. What are the seven major sources of physical loss?

 Temperature extremes
 Gases
 Liquids
 Living organisms
 Projectiles
50
 Movement
 Energy anomalies
5. What are the advantages and disadvantages of using honey pot or padded cell
approach?
Advantages:
 Attackers can be diverted to targets that they cannot damage
 Administrators have time to decide how to respond to an attacker
 Attackers action can be easily and extensively monitored
 Honey pots may be effective at catching insiders who are snooping around a
network
Disadvantages:
 The legal implications of using such devices are not well defined
 Honey pots and Padded cells have not yet been shown to be generally useful
security technologies
 An expert attacker, once diverted into a decoy system, may become angry
and launch a hostile attack against an organization’s systems
 Security managers will need a high level of expertise to use these systems
6. Define encryption and decryption.

Encryption is the process of converting an original message into a form that is
unreadable to unauthorized individuals-that is, to anyone without the tools to convert the
encrypted message back to its original format.
Decryption is the process of converting the cipher text into a message that conveys
readily understood meaning.
7. What are different types of IDSs?

 Network-based IDS
 Host-based IDS
 Application-based IDS
 Signature-based IDS
 Statistical Anomaly-Based IDS
8. What are firewalls?

A firewall is any device that prevents a specific type of information from moving
between the un-trusted network outside and the trusted network inside. The firewall may be:
 a separate computer system
51
 a service running on an existing router or server

 a separate network containing a number of supporting devices
9. What is Application-based IDS?

A refinement of Host-based IDs is the application-based IDS (AppIDS). The
application based IDs examines an application for abnormal incidents. It looks for anomalous
occurrences such as users exceeding their authorization, invalid file executions etc.
10. What are Digital signatures?

 An interesting thing happens when the asymmetric process is reversed, that is the
private key is used to encrypt a short message
 The public key can be used to decrypt it, and the fact that the message was sent by
the organization that owns the private key cannot be reputed
 This is known as non-repudiation, which is the foundation of digital signatures
 Digital Signatures are encrypted messages that are independently verified by a
central facility (registry) as authentic
11. What are dual homed host firewalls?

 The bastion-host contains two NICs (network interface cards)
 One NIC is connected to the external network, and one is connected to the internal
network
 With two NICs all traffic must physically go through the firewall to move between
the internal and external networks
 A technology known as network-address translation (NAT) is commonly
implemented with this architecture to map from real, valid, external IP addresses
to ranges of internal IP addresses that are non-routable
12. How firewalls are categorized by processing mode?

 Packet filtering
 Application gateways
 Circuit gateways
 MAC layer firewalls
 Hybrids
13. What is Cryptanalysis?

Cryptanalysis is the process of obtaining the original message (called plaintext) from
an encrypted message (called the cipher text) without knowing the algorithms and keys used
to perform the encryption.
14. What is Public Key Infrastructure (PKI)?
52
Public Key Infrastructure is the entire set of hardware, software, and cryptosystems
necessary to implement public key encryption.
PKI systems are based on public-key cryptosystems and include digital certificates
and certificate authorities (CAs) and can:
 Issue digital certificates
 Issue crypto keys
1. Write about the different generations of firewalls.

First Generation
 Called packet filtering firewalls
 Examines every incoming packet header and selectively filters packets based on
address, packet type, port request, and others factors
 The restrictions most commonly implemented are based on:
 IP source and destination address
 Direction (inbound or outbound)
 TCP or UDP source and destination port-requests
Second Generation
 Called application-level firewall or proxy server
 Often a dedicated computer separate from the filtering router
 With this configuration the proxy server, rather than the Web server, is exposed to
the outside world in the DMZ
 Additional filtering routers can be implemented behind the proxy server
 The primary disadvantage of application-level firewalls is that they are designed
for a specific protocol and cannot easily be reconfigured to protect against attacks
on protocols for which they are not designed
Third Generation
 Called stateful inspection firewalls
 Keeps track of each network connection established between internal and external
systems using a state table which tracks the state and context of each packet in the
conversation by recording which station sent what packet and when
 If the stateful firewall receives an incoming packet that it cannot match in its state
table, then it defaults to its ACL to determine whether to allow the packet to pass
 The primary disadvantage is the additional processing requirements of managing
and verifying packets against the state table which can possibly expose the system
to a DoS attack
 These firewalls can track connectionless packet traffic such as UDP and remote
procedure calls (RPC) traffic
53
Fourth Generation
 While static filtering firewalls, such as first and third generation, allow entire sets
of one type of packet to enter in response to authorized requests, a dynamic packet
filtering firewall allows only a particular packet with a particular source,
destination, and port address to enter through the firewall
 It does this by understanding how the protocol functions, and opening and closing
“doors” in the firewall, based on the information contained in the packet header. In
this manner, dynamic packet filters are an intermediate form, between traditional
static packet filters and application proxies
Fifth Generation
 The final form of firewall is the kernel proxy, a specialized form that works under
the Windows NT Executive, which is the kernel of Windows NT
 It evaluates packets at multiple layers of the protocol stack, by checking security
in the kernel as data is passed up and down the stack
2. Explain briefly the basic Encryption definitions.

 Algorithm: mathematical formula used to convert an unencrypted message into
an encrypted message
 Cipher: transformation of the individual components (characters, bytes, or bits) of
an unencrypted message into encrypted components
 Ciphertext or cryptogram: unintelligible encrypted or encoded message
resulting from an encryption
 Code: transformation of the larger components (words or phrases) of an
unencrypted message into encrypted components
 Cryptosystem: set of transformations necessary to convert an unencrypted
message into an encrypted message
 Decipher: decrypt or convert ciphertext to plaintext
 Encipher: encrypt or convert plaintext to ciphertext
 Key or cryptovariable: information used in conjunction with the algorithm to
create ciphertext from plaintext
 Keyspace: entire range of values that can possibly be used to construct an
individual key
 Link encryption: a series of encryptions and decryptions between a number of
systems, whereby each node decrypts the message sent to it and then re-encrypts it
using different keys and sends it to the next neighbor, until it reaches the final
destination
 Plaintext: original unencrypted message that is encrypted and results from
successful decryption
 Steganography: process of hiding messages in a picture or graphic
54
 Work factor: amount of effort (usually in hours) required to perform

cryptanalysis on an encoded message
3. Explain about RSA algorithm.

 public key encryption technique
 encryption algorithm
 decryption algorithm
 security in RSA
RSA Algorithm
Rivest-Shamir-Adleman (RSA) algorithm is one of the most popular and secures
public-key encryption methods. The algorithm capitalizes on the fact that there is no efficient
way to factor very large (100-200 digit) numbers.
Using an encryption key (e,n), the algorithm is as follows:
 Represent the message as an integer between 0 and (n-1). Large messages can be
broken up into a number of blocks. Each block would then be represented by an
integer in the same range
 Encrypt the message by raising it to the eth power modulo n. The result is a cipher
text message C
 To decrypt cipher text message C, raise it to another power d modulo n
The encryption key (e,n) is made public. The decryption key (d,n) is kept private by
the user.
How to Determine Appropriate Values for e, d, and n
 Choose two very large (100+ digit) prime numbers. Denote these numbers as p
and q.
 Set n equal to p * q.
 Choose any large integer, d, such that GCD(d, ((p-1) * (q-1))) = 1
 Find e such that e * d = 1 (mod ((p-1) * (q-1)))
4. What are the different types of intrusion detection systems (IDS)? Explain Ids.
May/June 2013
Intrusion Detection Systems (IDSs)
 IDSs work like burglar alarms
 IDSs require complex configurations to provide the level of detection and
response desired
 An IDS operates as either network-based, when the technology is focused on
protecting network information assets, or host-based, when the technology is
focused on protecting server or host information assets
 IDSs use one of two detection methods, signature-based or statistical anomaly-
based
55
A network-based IDS (NIDS) resides on a computer or an appliance connected to a

segment of an organization’s network and monitors traffic on that network segment, looking
for indications of ongoing or successful attacks.
5. What are the recommended practices in designing firewalls?

 All traffic from the trusted network is allowed out
 The firewall device is always inaccessible directly from the public network
 Allow Simple Mail Transport Protocol (SMTP) data to pass through your firewall,
but insure it is all routed to a well-configured SMTP gateway to filter and route
messaging traffic securely
 All Internet Control Message Protocol (ICMP) data should be denied
 Block telnet (terminal emulation) access to all internal servers from the public
networks
 When Web services are offered outside the firewall, deny HTTP traffic from
reaching your internal networks by using some form of proxy access or DMZ
architecture
6. Explain different types of Scanning and Analysis tools available.

Port Scanners
 Port scanners fingerprint networks to find ports and services and other
useful information
 Why secure open ports?
 An open port can be used to send commands to a computer, gain access to a
server, and exert control over a networking device
 The general rule of thumb is to remove from service or secure any port not
absolutely necessary for the conduct of business
Vulnerability Scanners
 Vulnerability scanners are capable of scanning networks for very detailed
56
information
 As a class, they identify exposed usernames and groups, show open network
shares, expose configuration problems, and other vulnerabilities in servers
Packet Sniffers
 on a network that the organization owns
 under direct authorization of the owners of the network
 have knowledge and consent of the content creators (users)
Content Filters
 Although technically not a firewall, a content filter is a software filter that allows
administrators to restrict accessible content from within a network
 The content filtering restricts Web sites with inappropriate content
Trap and Trace
 Trace: determine the identity of someone using unauthorized access
 Better known as honey pots, they distract the attacker while notifying the
administrator
7. What is Cryptography? Explain the key terms associated with cryptography.

Cryptography, which comes from the Greek work kryptos, meaning “hidden”,
meaning “to write”, is a process of making and using codes to secure the transmission of
information.
Cryptanalysis is the process of obtaining the original message (called plaintext) from
an encrypted message (called the cipher text) without knowing the algorithms and keys used
to perform the encryption.
Encryption is the process of converting an original message into a form that is
unreadable to unauthorized individuals-that is, to anyone without the tools to convert the
encrypted message back to its original format.
Decryption is the process of converting the cipher text into a message that conveys
readily understood meaning.
57

Information Security Questions and Answers

Uploaded by

Copyright:

Available Formats

You might also like

Information Security Questions and Answers

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Information Security Questions and Answers

Uploaded by

Copyright:

Available Formats

www.vidyarthiplus.

IT2042 INFORMATION SECURITY

UNIT II SECURITY INVESTIGATION

UNIT III SECURITY ANALYSIS

UNIT IV LOGICAL DESIGN

UNIT V PHYSICAL DESIGN

1. Define information security.

2. List the critical characteristics of information.

3. Define security. What are the multiple layers of security?

4. When can a computer be a subject and an object of an attack respectively?

5. Why is a methodology important in implementing the information security?

6. Difference between vulnerability and exposure.

7. Sketch the NSTISSC security model.

8. List out the security services.

9. Define the snooping and spoofing.

10. List the components used in security models.

11. What are the functions of Information Security?

 Safeguards the technology assets in use at the organization

12. What are the phases of SDLC Waterfall method?

13. What is Rand Report R-609?

14. What is meant by balancing Security and Access?

PART – B (16 Marks)

1. Describe the Critical Characteristics of Information. Nov/Dec 2011

2. Explain the Components of an Information System. Nov/Dec 2011

3. Discuss SDLC in detail. May/June 2013

 What the new system is expected to do

4. Describe SecSDLC in detail. Nov/Dec 2011

 Initiated by upper management:

 Seldom works, as it lacks a number of critical features:

Security Project Team

1. Why is information security a management problem?

2. Distinguish between Dos and DDos.

3. What is intellectual property?

4. What is a policy? How it is differ from law?

5. What is a threat? What are the threats to Information Security?

6. What are the general categories of unethical and illegal behaviour?

8. Who are hackers? What are the levels of hackers?

9. What is security blue print?

10. What are the types of virus?

11. Distinguish between attack and threat.

12. Define Information Extortion.

13. Define Hoax.

PART – B (16 Marks)

1. Explain the functions of an Information security organization.

2. Describe about various forms of attacks. Nov/Dec 2012

is launched against a target from many locations at the same time.

3. Explain the different categories of threat. Give Examples.

 Watchdog organizations investigate:

obsolesce, but when obsolescence is identified, management must take action

5. Discuss the ethical concepts in information security.

1. In risk management strategies why does a periodic review have to be a part of

2. What is asset valuation? List any 2 components of asset valuation.

3. Define dumpster driving. May/June 2013

4. What is risk management? Nov/Dec 2012

6. What are the different types of Access Controls?

7. Define Disaster Recovery Plan.

8. What is residual risk?

9. Mention the Risk Identification Estimate Factors.

10. What is the formula for calculating risk?