Professional Documents
Culture Documents
Information Security Questions and Answers
Information Security Questions and Answers
Information Security Questions and Answers
com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
UNIT I INTRODUCTION
History, What is Information Security?, Critical Characteristics of Information, NSTISSC
Security Model, Components of an Information System, Securing the Components,
Balancing Security and Access, The SDLC, The Security SDLC
16
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
UNIT – I
PART – A (2 Marks)
17
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
18
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
19
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Confidentiality ensures that only those with the rights and privileges to access
information are able to do so.
When unauthorized individuals or systems can view information, confidentiality is
breached.
Integrity
Information has integrity when it is whole, complete, and uncorrupted
The integrity of information is threatened when it is exposed to corruption,
damage, destruction, other disruption of its authentic state
Many computer virus or worms are designed with the explicit purpose of
corrupting data
Information integrity is the corner stone of information systems, because
information is of no value or use if users cannot verify its integrity
Redundancy bits and check bits can compensate for internal and external threats to
integrity of information
Utility
The utility of information is the quality or state of having value for some purpose or
end. (For example, the US census data reveals information about the voters like their gender,
age, race, and so on).
Possession
It is the quality or state of having ownership or control of some object or item. Breach
of possession does not result in breach of confidentiality.
Illegal possession of encrypted data never allows someone to read it without proper
decryption methods.
20
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
People have always been a threat to information security and they are the weakest link
in a security chain. Policy, education and training, awareness, and technology should be
properly employed to prevent people from accidently or intentionally damaging or losing
information.
Data
Data stored, processed, and transmitted through a computer system must be protected.
Data is the most valuable asset possessed by an organization and it is the main target of
intentional attacks.
Procedures
Procedures are written instructions for accomplishing when an unauthorized user
obtains an organization’s procedures; it poses threat to the integrity of the information.
Educating employees about safeguarding the procedures is as important as securing the
information system. Lack in security procedures caused the loss of over ten million dollars
before the situation was corrected.
Networks
Information systems in LANs are connected to other networks such as the internet and
new security challenges are rapidly emerge. Apart from locks and keys which are used as
physical security measures, network security also an important aspect to be considered.
21
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Based on applications needed, data support and structures capable of providing the
needed inputs are identified
Select specific ways to implement the physical solution are chosen
Another feasibility analysis is performed
Physical Design
Specific technologies are selected to support the alternatives identified and
evaluated in the logical design
Selected components are evaluated based on a make-or-buy decision
Entire solution is presented to the end-user representatives for approval
Implementation
Components are ordered, received, assembled, and tested
Users are trained and documentation created
Users are then presented with the system for a performance review and acceptance
test
Maintenance and Change
Tasks necessary to support and modify the system for the remainder of its useful
life
The life cycle continues until the process begins again from the investigation
phase
When the current system can no longer support the mission of the organization, a
new project is implemented
Analysis
Analysis of existing security policies or programs, along with documented current
threats and associated controls
22
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Includes an analysis of relevant legal issues that could impact the design of the
security solution
The risk management task (identifying, assessing, and evaluating the levels of
risk) also begins
Logical & Physical Design
Creates blueprints for security
Critical planning and feasibility analyses to determine whether or not the project
should continue
In physical design, security technology is evaluated, alternatives generated, and
final design selected
At end of phase, feasibility study determines readiness so all parties involved have
a chance to approve the project
Implementation
The security solutions are acquired (made or bought), tested, and implemented,
and tested again
Personnel issues are evaluated and specific training and education programs
conducted
Finally, the entire tested package is presented to upper management for final
approval
Maintenance and Change
The maintenance and change phase is perhaps most important, given the high
level of ingenuity in today’s threats
The reparation and restoration of information is a constant duel with an often
unseen adversary
As new threats emerge and old threats evolve, the information security profile of
an organization requires constant adaptation
5. Explain the NSTISSC security model and the top down approach to security
implementation. Nov/Dec 2011
23
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Top-down Approach
6. Describe the NSTISSC security model and the bottom up approach to security
implementation.
Bottom Up Approach
Security from a grass-roots effort - systems administrators attempt to improve the
security of their systems
Key advantage - technical expertise of the individual administrators
24
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
7. Explain any five professional in information security with their role and focus.
Senior Management
Chief Information Officer
The senior technology officer
Primarily responsible for advising the senior executive(s) for strategic
planning
Chief Information Security Officer
Responsible for the assessment, management, and implementation of
securing the information in the organization
Referred to as the Manager for Security
Data Ownership
Data owner: responsible for the security and use of a particular set of information
Data custodian: responsible for storage, maintenance, and protection of
information
Data users: end users who work with information to perform their daily jobs
supporting the mission of the organization
UNIT – II
PART – A (2 Marks)
They must set policy and operate the organization in a manner that complies with the
laws that govern the use of technology.
26
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
There are three general categories of unethical behaviour that organizations and
society should seek to eliminate:
Ignorance
Accident
Intent
7. What are the various types of malware? How do worms differ from Virus?
Viruses
Worms
Trojan horses
Active web scripts
Virus Worm
A virus attaches itself to s a computer A worm is similar to virus by design. It
program and spreads from one computer also spreads from one computer to
to another. another.
Spreads with uniform speed as Worms spread more rapidly than virus.
programmed.
It can be attached to .EXE, .COM , .XLS It can be attached to any attachments of
etc email or any file on network.
Ex Melisca, cascade etc Ex Blaster Worm
It requires the spreading of an infected It replicates them without the host file.
host file.
27
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
28
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Protecting Data
One of the most valuable assets is data
Without data, an organization loses its record of transactions and/or its ability to
deliver value to its customers
An effective information security program is essential to the protection of the
integrity and value of the organization’s data
Safeguarding Technology Assets
Organizations must have secure infrastructure services based on the size and
scope of the enterprise
Additional security services may have to be provided
More robust solutions may be needed to replace security programs the
organization has outgrown
30
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
31
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
worms
Trojan horses
logic bombs
back door or trap door
denial-of-service attacks
polymorphic
hoaxes
Forces of Nature
Forces of nature, force majeure, or acts of God are dangerous because they are
unexpected and can occur with very little warning
Can disrupt not only the lives of individuals, but also the storage, transmission,
and use of information
Include fire, flood, earthquake, and lightning as well as volcanic eruption and
insect infestation
Since it is not possible to avoid many of these threats, management must
implement controls to limit damage and also prepare contingency plans for
continued operations
Technical Hardware Failures or Errors
Technical hardware failures or errors occur when a manufacturer distributes to
users equipment containing flaws
These defects can cause the system to perform outside of expected parameters,
resulting in unreliable service or lack of availability
Some errors are terminal, in that they result in the unrecoverable loss of the
equipment
Some errors are intermittent, in that they only periodically manifest themselves,
resulting in faults that are not easily repeated
Technical Software Failures or Errors
This category of threats comes from purchasing software with unrevealed faults
Large quantities of computer code are written, debugged, published, and sold only
to determine that not all bugs were resolved
Sometimes, unique combinations of certain software and hardware reveal new
bugs
Sometimes, these items aren’t errors, but are purposeful shortcuts left by
programmers for honest or dishonest reasons
Technological Obsolescence
When the infrastructure becomes antiquated or outdated, it leads to unreliable and
untrustworthy systems
Management must recognize that when technology becomes outdated, there is a
risk of loss of data integrity to threats and attacks
Ideally, proper planning by management should prevent the risks from technology
32
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
4. Write about the attack replication vectors in detail. Nov/ Dec 2011
IP Scan and attack – The infected system scans a random or local range of IP
addresses and targets any of the vulnerabilities known to hackers.
Web browsing –If the infected system has right access to any web pages, it makes
all web content files infectious, so that users who browse the web pages become infected.
Virus – Each infected machine infects certain common executable or script files on
all computers to which it can write with virus code that can cause infection
Unprotected shares –Using vulnerabilities in file system and the way many
organizations configure them, the infected machine copies the viral content to all locations it
can reach.
Mass mail – By sending email infections to addresses found in the address book, the
infected machine infects the users whose mail reading programs also automatically run the
program and infect other systems.
SNMP – By using the widely known and common passwords that were employed in
earlier versions of this protocol, the attacking program can gain control of the device.
33
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
education
Employees must be trained in expected behaviours of an ethical employee,
especially in areas of information security
Proper ethical training vital to creating informed, well prepared, and low-risk
system user
Deterrence to Unethical and Illegal Behaviour
Deterrence: best method for preventing an illegal or unethical activity; e.g., laws,
policies, technical controls
Laws and policies only deter if three conditions are present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
6. List and discuss the role and focus of any four professional organizations providing
information security. May/June 2012 May/June 2013
Several professional organizations have established codes of conduct/ethics
Codes of ethics can have positive effect; unfortunately, many employers do not
encourage joining of these professional organizations
Responsibility of security professionals to act ethically and according to policies
of employer, professional organization, and laws of society.
ACM established in 1947 as “the world's first educational and scientific
computing society”
Code of ethics contains references to protecting information confidentiality,
causing no harm, protecting others’ privacy, and respecting others’ intellectual
property. International Information Systems Security Certification Consortium,
Inc.
Non-profit organization focusing on development and implementation of
information security certifications and credentials
Code primarily designed for information security professionals who have
certification from
Code of ethics focuses on four mandatory canons
System Administration, Networking, and Security Institute (SANS)
Professional organization with a large membership dedicated to protection of
information and systems
SANS offers set of certifications called Global Information Assurance
Certification (GIAC) Information Systems Audit and Control Association
(ISACA)
Professional association with focus on auditing, control, and security
Concentrates on providing IT control practices and standards
ISACA has code of ethics for its professionals.
34
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
UNIT – III
PART – A (2 Marks)
5. Define benchmarking.
Benchmarking is a process of seeking out and studying the practices used in other
organizations that produce results you would like to duplicate in your organization.
35
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
When deciding which information assets to track, consider including these asset
attributes:
Name
IP address
MAC address
Element type
Serial number
Manufacturer name
Manufacturer’s model number or part number
Software version, update revision, or FCO number
Physical location
Logical location
Controlling entity
37
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Risk Assessment
To determine the relative risk for each of the vulnerabilities through a process
called risk assessment
Risk assessment assigns a risk rating or score to each specific information asset,
useful in gauging the relative risk introduced by each vulnerable information asset
and making comparative ratings later in the risk control process
Risk Identification Estimate Factors
Likelihood
Value of Information Assets
Percent of Risk Mitigate
3. Explain the process of Risk assessment. Nov/Dec 2011 Nov/Dec 2012
Risk assessment assigns a risk rating or score to each specific information asset,
useful in gauging the relative risk introduced by each vulnerable information asset
and making comparative ratings later in the risk control process.
Risk Identification Estimate Factors
Likelihood
Value of Information Assets
Percent of Risk Mitigated
Uncertainty
40
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
.
Before deciding on the strategy for a specific vulnerability all information about
the economic and non-economic consequences of the vulnerability facing the
information asset must be explored
Cost Benefit Analysis (CBA)
The most common approach for a project of information security controls and
safeguards is the economic feasibility of implementation
Begins by evaluating the worth of the information assets to be protected and the
loss in value if those information assets are compromised
It is only common sense that an organization should not spend more to protect an
asset than it is worth
The formal process to document this is called a cost benefit analysis or an
economic feasibility study
Some of the items that impact the cost of a control or safeguard include:
Cost of development or acquisition
Training fees
Cost of implementation
Service costs
Cost of maintenance
41
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Asset valuation
It is the process of assigning financial value or worth to each information asset
The valuation of assets involves estimation of real and perceived costs associated
with the design, development, installation, maintenance, protection, recovery, and
defense against market loss and litigation
These estimates are calculated for each set of information bearing systems or
information assets
The expected value of a loss can be stated in the following equation:
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized
Rate of Occurrence (ARO)
SLE = asset value x exposure factor (EF)
ARO is simply how often you expect a specific type of attack to occur, per year.
SLE is the calculation of the value associated with the most likely loss from an attack.
EF is the percentage loss that would occur from a given vulnerability being exploited.
When benchmarking, an organization typically uses one of two measures:
Metrics-based measures are comparisons based on numerical standards
Process-based measures examine the activities performed in pursuit of its goal,
rather than the specifics of how goals were attained
Organizational feasibility examines how well the proposed information security
alternatives will contribute to the efficiency, effectiveness, and overall operation of an
organization
Operational Feasibility addresses user acceptance and support, management
acceptance and support, and the overall requirements of the organization’s
stakeholders. Sometimes known as behavioural feasibility, because it measures the
behaviour of users.
42
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
UNIT – IV
PART – A (2 Marks)
3. What is the difference between the management, technical and operational control?
When would each be applied as a part of a security framework? May/June 2012
Managerial controls cover security processes that are designed by strategic planners
and implemented by the security administration of the organization.
43
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
44
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Technical Controls
Identification and Authentication
Logical Access Controls
Audit Trails
47
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Before any planning begins, a team has to plan the effort and prepare resulting
documents
Champion: high-level manager to support, promote, and endorse findings of the
project
Project manager: leads project and makes sure a sound project planning process is
used, a complete and useful project plan is developed, and project resources are
prudently managed
Team members: should be managers or their representatives from various
communities of interest (business, IT, and information security).
Major steps in contingency planning:
48
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Disaster recovery planning (DRP) is planning the preparation for and recovery from a
disaster.
Contingency planning team must decide which actions constitute disasters and which
constitute incidents.
DRP Steps:
There must be a clear establishment of priorities
There must be a clear delegation of roles and responsibilities
Someone must initiate the alert roster and notify key personnel
Crisis management occurs during and after a disaster and focuses on the people
49
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
UNIT – V
PART – A (2 Marks)
50
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Movement
Energy anomalies
5. What are the advantages and disadvantages of using honey pot or padded cell
approach?
Advantages:
Attackers can be diverted to targets that they cannot damage
Administrators have time to decide how to respond to an attacker
Attackers action can be easily and extensively monitored
Honey pots may be effective at catching insiders who are snooping around a
network
Disadvantages:
The legal implications of using such devices are not well defined
Honey pots and Padded cells have not yet been shown to be generally useful
security technologies
An expert attacker, once diverted into a decoy system, may become angry
and launch a hostile attack against an organization’s systems
Security managers will need a high level of expertise to use these systems
51
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
52
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Public Key Infrastructure is the entire set of hardware, software, and cryptosystems
necessary to implement public key encryption.
PKI systems are based on public-key cryptosystems and include digital certificates
and certificate authorities (CAs) and can:
Issue digital certificates
Issue crypto keys
53
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Fourth Generation
While static filtering firewalls, such as first and third generation, allow entire sets
of one type of packet to enter in response to authorized requests, a dynamic packet
filtering firewall allows only a particular packet with a particular source,
destination, and port address to enter through the firewall
It does this by understanding how the protocol functions, and opening and closing
“doors” in the firewall, based on the information contained in the packet header. In
this manner, dynamic packet filters are an intermediate form, between traditional
static packet filters and application proxies
Fifth Generation
The final form of firewall is the kernel proxy, a specialized form that works under
the Windows NT Executive, which is the kernel of Windows NT
It evaluates packets at multiple layers of the protocol stack, by checking security
in the kernel as data is passed up and down the stack
54
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
4. What are the different types of intrusion detection systems (IDS)? Explain Ids.
May/June 2013
Intrusion Detection Systems (IDSs)
IDSs work like burglar alarms
IDSs require complex configurations to provide the level of detection and
response desired
An IDS operates as either network-based, when the technology is focused on
protecting network information assets, or host-based, when the technology is
focused on protecting server or host information assets
IDSs use one of two detection methods, signature-based or statistical anomaly-
based
55
www.vidyarthiplus.com
www.vidyarthiplus.com RJ Edition
IV CSE – (VIII SEM) NOTES PPG INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
information
As a class, they identify exposed usernames and groups, show open network
shares, expose configuration problems, and other vulnerabilities in servers
Packet Sniffers
on a network that the organization owns
under direct authorization of the owners of the network
have knowledge and consent of the content creators (users)
Content Filters
Although technically not a firewall, a content filter is a software filter that allows
administrators to restrict accessible content from within a network
The content filtering restricts Web sites with inappropriate content
Trap and Trace
Trace: determine the identity of someone using unauthorized access
Better known as honey pots, they distract the attacker while notifying the
administrator
57
www.vidyarthiplus.com