WEEK 1 TUTORIAL 1: INTRODUCTION TO INFORMATION SECURITY

Answers to exercise 1 & 2.

EXCERCISE 1

An example of an attack that violates the confidentiality goal of information

system is:

PHISHING- Phishing refers to the process of tricking recipients into sharing

sensitive information with an unknown third party. Typically you’ll receive an
email that appears to come from one of your email contacts or a reputable
organisation such as Banks departments in your organisation etc. The email
also includes a link such when you follow that link, you get connected to a
phony copy of the website. Any details you enter, such as account number,
PINs or passwords can be stolen and used by the hackers who created the
bogus site.

This will definitely violate the confidentiality goal of information.

An example of an attack that may violate the integrity goal of information

security is:

COMPUTER VIRUS- viruses are computer programmes that can spread by

making copies of them, computer viruses spread from one computer to
another and from one network to another by making copies of them, usually
without your knowledge. Viruses can steal your data or give hackers control
over your complete or network. They can attack themselves to other
programmes or hide in codes that run automatically when you open certain
files. This will definitely violates the integrity of information security.
Sometimes they can exploit security flaws in your computers operating system
to run and spread automatically.

An example of an attack that violates the availability goal of information

security is:

DOS (Denial –of –Service) - denial of service attack prevents users from
accessing a computer or website. A hacker attempts to overload or shut down
a service so that legitimate users can no longer access it. DOS attack targets
servers and aim to make websites unavailable. Sometimes a hacker will
saturate the target machine with external communication requests such that it
cannot respond to legitimate traffic, therefore violating the availability goal of
information.

EXERCISE 2

Below are the 4 most interesting tools i have found.

Microsoft Baseline Security Analyser (MBSA) - MBSA is an easy to use tool

designed for the IT professional that helps small and medium sized businesses
determine their security state in accordance with Microsoft Security
recommendations and offers specific remediation guidance. What i like about
MBSA is that it is built on the window update agent and Microsoft update
infrastructure allowing it to be consistency with other Microsoft management
products including Microsoft Update, windows Server Update Service, System
Management server and Microsoft operations management. Apparently it
scans more than 3 million computers each week.

FIREFOX- Firefox is a web browser, a descendent of Mozilla. It emerged as a

serious competitor to internet explorer with improved security as one of its
features , while Firefox no longer has a stellar security , users still appreciate it
for its wide selection of security related Add-ons. What i like about Firefox is
that it has an Add-on called temper data that lets you view and -modifies HTTP
requests before they are sent. It shows what information the web browser is
sending on your behalf, such as cookies and hidden form field.

VMWARE- VMware virtualisation software lets you run one operating system
within another. This is quite useful for security researchers who commonly
need to test code, exploits, etc on multiple platforms. It runs on windows and
Linux as the host OS. The good thing about VMware is that it’s also useful for
setting up sandboxes. You can browse from within a VMware window so that
even if you are infected with malware, it cannot reach your host OS.
 GOOGLE- while it is far more than a security tool, Google’s massive database is
a gold mine for security researchers and penetration testers. You can use it to
dig up information about a target company by using directives such as “site:
target-domain.com” and find employee names, sensitive information that they
wrongly thought was hidden.

ANSWERS TO QUESTIONS EMBEDDED IN THIS WEEK'S PRESENTATION

Exercise 1

a) In your learning journal write down the main objective – sometimes

called the mission- of your organization.

My organization is ZESCO a utility company and its mission read, “ZESCO is

committed to providing safe and reliable electricity to improve the quality of
life for all”.

b) List the main kinds of information your organization requires to meet its
mission. Note down any areas in which the mission makes preserving
the value of information difficult.

The main kinds of information my organization requires to meet its mission

are:

 Being honest in all our dealings

 Ensuring a healthy working environment
 Supporting each other through hard work
 Having a balance in our lives

Exercise 2

The use of latest security gadgets cannot be the only way to protect
applications and organization resources but rather a good organization’s
security policy will. The use of electronic doors, use of access cards and other
security control measures will only ensure protection of physical equipment
and gaining access to information by unauthorized personnel and other
intruders. But a good information security policy will ensure the following.
  An ‘Acceptable Use’ policy ensures that employees understand the way
in which information should be used.
 It enables both employees and the business organization to gain the
maximum value from the internet.
 It alerts all users to the technical and commercial risks that can arise if
the technology is misused.
 It informs all users of the consequences of misuse by employees.

Exercise 6

a. As building a good security policy provides the foundations for the

successful implementation of security related projects in the future, this
is without a doubt the first measure that must be taken to reduce the
risk of unacceptable use of any of the company's information resources.

The first step towards enhancing a company's security is the

introduction of a precise yet enforceable security policy, informing staff
on the various aspects of their responsibilities, general use of company
resources and explaining how sensitive information must be handled.
The policy will also describe in detail the meaning of acceptable use, as
well as listing prohibited activities.

The development (and the proper implementation) of a security policy is

highly beneficial as it will not only turn all of your staff into participants
in the company's effort to secure its communications but also help
reduce the risk of a potential security breach through "human-factor"
mistakes. These are usually issues such as revealing information to
unknown (or unauthorized sources), the insecure or improper use of the
Internet and many other dangerous activities.

Additionally the building process of a security policy will also help define
a company's critical assets, the ways they must be protected and will
also serve as a centralized document, as far as protecting Information
Security Assets is concerned.

Sources: www.air-it.uk; Building and Implementing a Successful Information Security Policy by

Dancho Danchev