www.vidyarthiplus.com

RJ Edition

IV CSE (VIII SEM) NOTES

PPG INSTITUTE OF TECHNOLOGY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

IT2042

INFORMATION SECURITY
(REGULATION 2008)

UNIT I
INTRODUCTION
History, What is Information Security?, Critical Characteristics of Information, NSTISSC
Security Model, Components of an Information System, Securing the Components,
Balancing Security and Access, The SDLC, The Security SDLC
UNIT II
SECURITY INVESTIGATION
Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues
UNIT III
SECURITY ANALYSIS
Risk Management: Identifying and Assessing Risk, Assessing and Controlling Risk
UNIT IV
LOGICAL DESIGN
Blueprint for Security, Information Security Policy, Standards and Practices, ISO 17799/BS
7799, NIST Models, VISA International Security Model, Design of Security Architecture,
Planning for Continuity
UNIT V
PHYSICAL DESIGN
Security Technology, IDS, Scanning and Analysis Tools, Cryptography, Access Control
Devices, Physical Security, Security and Personnel


UNIT I
PART A (2 Marks)
1. Define information security.
It is a well-informed sense of assurance that the information risks and controls are in
balance.
2. List the critical characteristics of information.
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession
3. Define security. What are the multiple layers of security?
Security is the quality or state of being secure, that is, to be free from danger.
Physical Security
Personal Security
Operations Security
Communication Security
Network Security
Information Security
4. When can a computer be a subject and an object of an attack respectively?
When a computer is the subject of attack, it is used as an active tool to conduct the
attack. When a computer is the object of an attack, it is the entity being attacked.
5. Why is a methodology important in implementing the information security?
Methodology is a formal approach to solve a problem based on a structured sequence
of procedures.
6. Difference between vulnerability and exposure.
Vulnerability: A weakness or fault in a system or protection mechanism that exposes
information to attack or damage.
Exposure: The exposure of an information system is a single instance when the system is
open to damage.


7. Sketch the NSTISSC security model.

8. List out the security services.
Three security services:
Confidentiality, integrity, and availability
Threats are divided into four broad classes:
Disclosure, or unauthorized access to information
Deception, or acceptance of false data
Disruption, or interruption or prevention of correct operation
Usurpation or unauthorized control of some part of a system.
9. Define snooping and spoofing.
Snooping: The unauthorized interception of information is a form of disclosure. It is
passive, suggesting simply that some entity is listening to (or reading) communications or
browsing through files or system information.
Masquerading or spoofing: An impersonation of one entity by another is a form of
both deception and usurpation.
10. List the components used in security models.
Software
Hardware
Data
People
Procedures
Networks
11. What are the functions of Information Security?
Protects the organization's ability to function
Enables the safe operation of applications implemented on the organization's IT
systems
Protects the data the organization collects and uses

Safeguards the technology assets in use at the organization

12. What are the phases of the SDLC waterfall method?
Investigation
Analysis
Logical Design
Physical Design
Implementation
Maintenance & change
13. What is Rand Report R-609?
The Rand Report was the first widely recognized published document to identify the
role of management and policy issues in computer security.
The scope of computer security grew from physical security to include:
Safety of the data
Limiting unauthorized access to that data
Involvement of personnel from multiple levels of the organization
14. What is meant by balancing Security and Access?
It is impossible to obtain perfect security - it is not an absolute; it is a process
Security should be considered a balance between protection and availability
To achieve balance, the level of security must allow reasonable access
PART B (16 Marks)
1. Describe the Critical Characteristics of Information.
Nov/Dec 2011, Nov/Dec 2012, May/Jun 2012
Availability
Enables authorized users (persons or computer systems) to access information
without interference or obstruction and to receive it in the required format.
Accuracy
Information that is free from mistakes or errors and has the value the end user expects
(e.g. an inaccuracy in your bank account may result in mistakes such as a bounced check).
Authenticity
The quality or state of being genuine or original, rather than a reproduction or fabrication.
Information is authentic when its contents are original, as they were created, placed,
stored or transmitted. (Information received as e-mail may not be authentic when its
contents have been modified, which is known as e-mail spoofing.)
Confidentiality

Confidentiality ensures that only those with the rights and privileges to access
information are able to do so.
When unauthorized individuals or systems can view information, confidentiality is
breached.

Integrity
Information has integrity when it is whole, complete, and uncorrupted.
The integrity of information is threatened when it is exposed to corruption,
damage, destruction, or other disruption of its authentic state.
Many computer viruses and worms are designed with the explicit purpose of
corrupting data.
Information integrity is the cornerstone of information systems, because
information is of no value or use if users cannot verify its integrity.
Redundancy bits and check bits can compensate for internal and external threats to
the integrity of information.
Utility
The utility of information is the quality or state of having value for some purpose or
end. (For example, US census data reveals information about voters such as their gender,
age, race, and so on.)
Possession
It is the quality or state of having ownership or control of some object or item. A breach
of possession does not necessarily result in a breach of confidentiality:
illegal possession of encrypted data never allows someone to read it without the proper
decryption method.
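As an added example (not part of these notes), the contrast between integrity and authenticity above in working Python: a check byte of the kind the notes call redundancy bits detects an accidental bit flip, but a forger who can recompute it is only caught by a keyed tag (HMAC). The record, key and function names are constructed for the demonstration.

```python
# Added example, not from the notes: redundancy/check bits versus a keyed tag.
import hashlib
import hmac


def check_bits(data: bytes) -> int:
    """Redundancy in the notes' sense: one check byte, the byte sum modulo 256."""
    return sum(data) % 256


def verify_check_bits(data: bytes, check: int) -> bool:
    """Integrity check: is the data still whole and uncorrupted?"""
    return check_bits(data) == check


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Model an accidental fault (storage or line noise) by flipping one bit."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def make_tag(key: bytes, data: bytes) -> str:
    """Authenticity: an HMAC-SHA256 tag only a holder of the key can compute."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking how many characters matched through timing.
    return hmac.compare_digest(make_tag(key, data), tag)


# Constructed sample record and key (hypothetical values for the demonstration).
RECORD = b"transfer:acct=1001;amount=100.00"
KEY = b"constructed-demo-key"  # a real system would load this from a secret store


def corruption_scenario() -> bool:
    """Accidental single-bit flip: the check byte catches it. True if detected."""
    check = check_bits(RECORD)
    # flipping one bit changes one byte by 2**k (k < 8), so the sum mod 256 changes
    damaged = flip_bit(RECORD, 5)
    return not verify_check_bits(damaged, check)


def forgery_scenario() -> dict:
    """Deliberate change: the forger rewrites the amount and recomputes the
    check byte. Integrity bits alone accept it; the keyed tag rejects it."""
    tag = make_tag(KEY, RECORD)
    forged = RECORD.replace(b"amount=100.00", b"amount=999.00")
    forged_check = check_bits(forged)  # anyone can recompute an unkeyed check
    return {
        "check_bits_accept_forgery": verify_check_bits(forged, forged_check),
        "tag_accepts_forgery": verify_tag(KEY, forged, tag),
        "tag_accepts_original": verify_tag(KEY, RECORD, tag),
    }


if __name__ == "__main__":
    print("bit flip detected by check byte:", corruption_scenario())
    print(forgery_scenario())
```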
2. Explain the Components of an Information System.
Nov/Dec 2011, Nov/Dec 2012, May/Jun 2013

Software
The software component of IS comprises applications, operating systems, and
assorted command utilities. Software programs are the vessels that carry the life blood of
information through an organization. Software programs become an easy target of accidental
or intentional attacks.
Hardware
It is the physical technology that houses and executes the software, stores and carries
the data, and provides interfaces for the entry and removal of information from the system.
Physical security policies deal with the hardware as a physical asset and with the protection
of these assets from harm or theft.
People

People have always been a threat to information security, and they are the weakest link
in the security chain. Policy, education and training, awareness, and technology should be
properly employed to prevent people from accidentally or intentionally damaging or losing
information.
Data
Data stored, processed, and transmitted through a computer system must be protected.
Data is the most valuable asset possessed by an organization and it is the main target of
intentional attacks.
Procedures
Procedures are written instructions for accomplishing a specific task. When an unauthorized
user obtains an organization's procedures, it poses a threat to the integrity of the information.
Educating employees about safeguarding the procedures is as important as securing the
information system. A lack of security procedures caused the loss of over ten million dollars
before the situation was corrected.
Networks
Information systems in LANs are connected to other networks such as the Internet, and
new security challenges rapidly emerge. Apart from the locks and keys used as
physical security measures, network security is also an important aspect to be considered.
3. Discuss SDLC in detail.
May/June 2013
Investigation
What is the problem the system is being developed to solve?
The objectives, constraints, and scope of the project are specified
A preliminary cost/benefit analysis is developed
A feasibility analysis is performed to assess the economic, technical, and
behavioral feasibility of the process
Analysis
Assessments of the organization
Status of current systems
Capability to support the proposed systems
Analysts begin to determine
What the new system is expected to do
How the new system will interact with existing systems
Ends with the documentation of the findings and a feasibility analysis update
Logical Design
Based on business need, applications are selected that are capable of providing the needed
services


Based on applications needed, data support and structures capable of providing the
needed inputs are identified
Specific ways to implement the physical solution are chosen
Another feasibility analysis is performed
Physical Design
Specific technologies are selected to support the alternatives identified and
evaluated in the logical design
Selected components are evaluated based on a make-or-buy decision
Entire solution is presented to the end-user representatives for approval
Implementation
Components are ordered, received, assembled, and tested
Users are trained and documentation created
Users are then presented with the system for a performance review and acceptance
test
Maintenance and Change
Tasks necessary to support and modify the system for the remainder of its useful
life
The life cycle continues until the process begins again from the investigation
phase
When the current system can no longer support the mission of the organization, a
new project is implemented
4. Describe SecSDLC in detail.
Nov/Dec 2011, Nov/Dec 2012, May/Jun 2013
Security Systems Development Life Cycle
Same phases used in the traditional SDLC adapted to support the specialized
implementation of a security project
Basic process is identification of threats and controls to counter them
SecSDLC is a coherent program rather than a series of random, seemingly
unconnected actions
Investigation
Identifies process, outcomes and goals of the project, and constraints
Begins with a statement of program security policy
Teams are organized, problems analyzed, and scope defined, including objectives,
and constraints not covered in the program policy
An organizational feasibility analysis is performed
Analysis
Analysis of existing security policies or programs, along with documented current
threats and associated controls

Includes an analysis of relevant legal issues that could impact the design of the
security solution
The risk management task (identifying, assessing, and evaluating the levels of
risk) also begins
Logical & Physical Design
Creates blueprints for security
Critical planning and feasibility analyses to determine whether or not the project
should continue
In physical design, security technology is evaluated, alternatives generated, and
final design selected
At end of phase, feasibility study determines readiness so all parties involved have
a chance to approve the project

Implementation
The security solutions are acquired (made or bought), tested, and implemented,
and tested again
Personnel issues are evaluated and specific training and education programs
conducted
Finally, the entire tested package is presented to upper management for final
approval
Maintenance and Change
The maintenance and change phase is perhaps the most important, given the high
level of ingenuity in today's threats
The reparation and restoration of information is a constant duel with an often
unseen adversary
As new threats emerge and old threats evolve, the information security profile of
an organization requires constant adaptation
5. Explain the NSTISSC security model and the top down approach to security
implementation.
Nov/Dec 2011


Top-down Approach
Initiated by upper management:
issue policy, procedures, and processes
dictate the goals and expected outcomes of the project
determine who is accountable for each of the required actions
Strong upper management support, a dedicated champion, dedicated funding,
clear planning, and the chance to influence organizational culture
The most successful top-down approach also involves a formal development strategy
referred to as a systems development life cycle

6. Describe the NSTISSC security model and the bottom up approach to security
implementation.
Bottom Up Approach
Security from a grass-roots effort - systems administrators attempt to improve the
security of their systems
Key advantage - technical expertise of the individual administrators

Seldom works, as it lacks a number of critical features:
Participant support
Organizational staying power
7. Explain any five professionals in information security with their roles and focus.
Senior Management
Chief Information Officer
The senior technology officer
Primarily responsible for advising the senior executive(s) for strategic
planning
Chief Information Security Officer
Responsible for the assessment, management, and implementation of
securing the information in the organization
Referred to as the Manager for Security
Security Project Team
A number of individuals who are experienced in one or multiple requirements of
both the technical and non-technical areas:
The champion
The team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users

Data Ownership
Data owner: responsible for the security and use of a particular set of information
Data custodian: responsible for storage, maintenance, and protection of
information
Data users: end users who work with information to perform their daily jobs
supporting the mission of the organization

UNIT II
PART A (2 Marks)
1. Why is information security a management problem?
Management is responsible for implementing information security to protect the
ability of the organization to function.

They must set policy and operate the organization in a manner that complies with the
laws that govern the use of technology.
2. Distinguish between DoS and DDoS.
DoS: A denial-of-service attack. The attacker sends a large number of connection or
information requests to a target.
DDoS: A distributed denial-of-service attack is an attack in which a coordinated stream
of requests is launched against a target from many locations at the same time.
3. What is intellectual property?
It is the ownership of ideas and control over the tangible or virtual representation of
those ideas.
4. What is a policy? How does it differ from a law?
Policies: A body of expectations that describe acceptable and unacceptable employee
behaviours in the workplace.
They function as organizational laws, complete with penalties, judicial practices, and
sanctions to require compliance.
The difference between a policy and a law, however, is that ignorance of a policy is an
acceptable defence.
5. What is a threat? What are the threats to Information Security?
Threat is an object, person or other entity that represents a constant danger to an asset.
Acts of Human error or failure.
Compromises to Intellectual Property
Deliberate acts of espionage or trespass
Deliberate acts of information extortion
Deliberate acts of sabotage and vandalism
Deliberate acts of theft
Deliberate Software Attacks
Forces of Nature
Deviations in quality of service from service providers
Technical Hardware Failures or Errors
Technical Software Failures or Errors
Technological Obsolescence
6. What are the general categories of unethical and illegal behaviour?

There are three general categories of unethical behaviour that organizations and
society should seek to eliminate:
Ignorance
Accident
Intent
7. What are the various types of malware? How do worms differ from viruses?
Viruses
Worms
Trojan horses
Active web scripts
Virus vs. worm:
Virus: A virus attaches itself to a computer program and spreads from one computer to
another.
Worm: A worm is similar to a virus by design. It also spreads from one computer to another.
Virus: Spreads with uniform speed, as programmed.
Worm: Worms spread more rapidly than viruses.
Virus: It can be attached to .EXE, .COM, .XLS etc.
Worm: It can be attached to any e-mail attachment or any file on the network.
Virus: Ex. Melissa, Cascade etc.
Worm: Ex. Blaster worm
Virus: It requires the spreading of an infected host file.
Worm: It replicates itself without a host file.
8. Who are hackers? What are the levels of hackers?
Hackers are people who use and create computer software for enjoyment or to gain
access to information illegally.
There are two levels of hackers.
Expert hacker - develops software codes
Unskilled hacker - uses the codes developed by the experts
9. What is a security blueprint?
The security blueprint is the plan for the implementation of new security measures in
the organization. Sometimes called a framework, the blueprint presents an organized
approach to the security planning process.
10. What are the types of virus?
Macro virus
Boot virus

11. Distinguish between attack and threat.
Attack: An act which is in process. An attack is intentional. An attack on information,
when successful, has a chance to alter or damage the information.
Threat: A promise of an attack to come. A threat can be either intentional or
unintentional. A threat to information does not mean that it is damaged or changed.
12. Define Information Extortion.
Information extortion is an attacker or formerly trusted insider stealing
information from a computer system and demanding compensation for its return
or non-use.
Extortion is found in credit card number theft.
13. Define Hoax.
A computer virus hoax is a message warning the recipient of a non-existent
computer virus threat.
The message is usually a chain e-mail that tells the recipient to forward it to
everyone they know.

PART B (16 Marks)
1. Explain the functions of an Information security organization.
Nov/Dec 2011, Nov/Dec 2012
Protecting the Ability to Function
Management is responsible
Information security is both a management issue and a people issue
Communities of interest must argue for information security in terms of impact
and cost
Enabling Safe Operation
Organizations must create integrated, efficient, and capable applications
Organizations need environments that safeguard applications
Management must not abdicate to the IT department its responsibility to make
choices and enforce decisions

Protecting Data
One of the most valuable assets is data
Without data, an organization loses its record of transactions and/or its ability to
deliver value to its customers
An effective information security program is essential to the protection of the
integrity and value of the organization's data
Safeguarding Technology Assets
Organizations must have secure infrastructure services based on the size and
scope of the enterprise
Additional security services may have to be provided
More robust solutions may be needed to replace security programs the
organization has outgrown
2. Describe the various forms of attacks.
Nov/Dec 2012
IP Scan and Attack: A compromised system scans a random or local range of IP addresses and
targets any of several vulnerabilities known to hackers or left over from previous exploits.
Web Browsing: If the infected system has write access to any Web pages, it makes all Web
content files infectious, so that users who browse to those pages become infected.
Virus: Each infected machine infects certain common executable or script files on all
computers to which it can write with virus code that can cause infection.
Unprotected Shares: Using file shares to copy the viral component to all reachable locations.
Mass Mail: Sending e-mail infections to addresses found in the address book.
SNMP: Simple Network Management Protocol - SNMP vulnerabilities are used to compromise
and infect.
Hoaxes: A more devious approach to attacking computer systems is the transmission of a
virus hoax with a real virus attached.
Back Doors: Using a known or previously unknown and newly discovered access
mechanism.
Password Crack: Attempting to reverse-calculate a password.
Brute Force: The application of computing and network resources to try every possible
combination of options for a password.
Dictionary: The dictionary password attack narrows the field by selecting specific accounts
to attack and uses a list of commonly used passwords (the dictionary) to guide guesses.
Denial-of-service (DoS)
the attacker sends a large number of connection or information requests to a
target
so many requests are made that the target system cannot handle them
successfully along with other, legitimate requests for service
may result in a system crash, or merely an inability to perform ordinary
functions
Distributed Denial-of-service (DDoS) - an attack in which a coordinated stream of requests
is launched against a target from many locations at the same time.


Spoofing - a technique used to gain unauthorized access whereby the intruder sends
messages to a computer with an IP address indicating that the message is coming
from a trusted host
Man-in-the-Middle - an attacker sniffs packets from the network, modifies them,
and inserts them back into the network
Spam - unsolicited commercial e-mail - while many consider spam a nuisance
rather than an attack, it is emerging as a vector for some attacks
Buffer Overflow
An application error that occurs when more data is sent to a buffer than it can handle
When the buffer overflows, the attacker can make the target system execute
instructions, or the attacker can take advantage of some other unintended
consequence of the failure
Timing Attack
A relatively new attack that works by exploring the contents of a web browser's cache and can
allow collection of information on access to password-protected sites
Another attack by the same name involves attempting to intercept cryptographic
elements to determine keys and encryption algorithms
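As an added example (not part of these notes), a defender-side detector in Python for the brute-force and dictionary password attacks described above: it reads constructed authentication log lines, counts failed logins per source and account in a sliding window, and raises an alert that could feed a rate-limit or lockout control. The log format, sample entries, addresses and the threshold are assumptions made for the demonstration.

```python
# Added example, not from the notes: flag brute-force / dictionary login
# patterns in constructed authentication log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format assumed for the demonstration.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (not captured from any real system): alice logs in
# normally, bob's account is hit by a burst of guesses from one source that
# finally succeeds, carol mistypes twice and then gets in.
SAMPLE_LOG = """\
2024-03-01T09:00:00 login user=alice src=10.0.0.5 result=OK
2024-03-01T09:00:10 login user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:00:11 login user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:00:12 login user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:00:13 login user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:00:14 login user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:00:15 login user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:00:16 login user=bob src=203.0.113.7 result=OK
2024-03-01T09:05:00 login user=carol src=10.0.0.9 result=FAIL
2024-03-01T09:05:05 login user=carol src=10.0.0.9 result=FAIL
2024-03-01T09:05:10 login user=carol src=10.0.0.9 result=OK
"""


def parse(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def _alert(kind, ev, count):
    return {"kind": kind, "src": ev["src"], "user": ev["user"],
            "count": count, "at": ev["ts"].isoformat()}


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per (source, account).

    Emits 'brute_force' once a (source, account) pair reaches `threshold`
    failures inside `window`, and 'success_after_failures' when a login
    succeeds right after such a burst, which is the case to escalate first.
    """
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent FAILs
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # malformed lines are skipped, never trusted
        key = (ev["src"], ev["user"])
        recent = failures[key]
        # drop failures that have aged out of the window
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(_alert("brute_force", ev, len(recent)))
        else:
            if len(recent) >= threshold:
                alerts.append(_alert("success_after_failures", ev, len(recent)))
            recent.clear()  # a successful session resets the counter
            flagged.discard(key)
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```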
3. Explain the different categories of threat. Give examples.
Nov/Dec 2011, May/June 2012
Acts of Human Error or Failure
Includes acts done without malicious intent
Caused by:
Inexperience
Improper training
Incorrect
Employee mistakes can easily lead to the following :
revelation of classified data
entry of erroneous data
accidental deletion or modification of data
storage of data in unprotected areas
failure to protect information
Much human error or failure can be prevented with training and ongoing awareness
activities.
Compromises to Intellectual Property
Intellectual property is the ownership of ideas and control over the tangible or
virtual representation of those ideas
Many organizations are in business to create intellectual property trade secrets,
copyrights, trademarks, patents

Watchdog organizations investigate:
Software & Information Industry Association (SIIA)
Business Software Alliance (BSA)
Protective measures
Enforcement of copyright has been attempted with technical security mechanisms,
such as digital watermarks and embedded code.
The most common reminder of the individual's obligation to fair and responsible use
is the license agreement window that usually pops up during the installation of new
software.
Deliberate acts of espionage or trespass
Espionage/Trespass
Broad category of activities that breach confidentiality
Unauthorized accessing of information
Competitive intelligence vs. espionage
Shoulder surfing can occur any place a person is accessing confidential
information
Sabotage or Vandalism
Attack on the image of an organization can be serious like defacing a web site.
Individual or group who want to deliberately sabotage the operations of a
computer system or business, or perform acts of vandalism to either destroy an
asset or damage the image of the organization
These threats can range from petty vandalism to organized sabotage
Organizations rely on image so Web defacing can lead to dropping consumer
confidence and sales
Rising threat of activist or cyber-activist operations - the most extreme version is
cyber-terrorism
Deliberate acts of theft
Illegal taking of another's property - physical, electronic, or intellectual
The value of information suffers when it is copied and taken away without the
owner's knowledge
Physical theft can be controlled - a wide variety of measures used from locked
doors to guards or alarm systems
Electronic theft is a more complex problem to manage and control - organizations
may not even know it has occurred
Deliberate Software Attacks
When an individual or group designs software to attack systems, they create
malicious code/software called malware
Includes:
macro virus
boot virus

worms
Trojan horses
logic bombs
back door or trap door
denial-of-service attacks
polymorphic
hoaxes
Forces of Nature
Forces of nature, force majeure, or acts of God are dangerous because they are
unexpected and can occur with very little warning
Can disrupt not only the lives of individuals, but also the storage, transmission,
and use of information
Include fire, flood, earthquake, and lightning as well as volcanic eruption and
insect infestation
Since it is not possible to avoid many of these threats, management must
implement controls to limit damage and also prepare contingency plans for
continued operations
Technical Hardware Failures or Errors
Technical hardware failures or errors occur when a manufacturer distributes to
users equipment containing flaws
These defects can cause the system to perform outside of expected parameters,
resulting in unreliable service or lack of availability
Some errors are terminal, in that they result in the unrecoverable loss of the
equipment
Some errors are intermittent, in that they only periodically manifest themselves,
resulting in faults that are not easily repeated
Technical Software Failures or Errors
This category of threats comes from purchasing software with unrevealed faults
Large quantities of computer code are written, debugged, published, and sold only
to determine that not all bugs were resolved
Sometimes, unique combinations of certain software and hardware reveal new
bugs
Sometimes, these items aren't errors, but are purposeful shortcuts left by
programmers for honest or dishonest reasons
Technological Obsolescence
When the infrastructure becomes antiquated or outdated, it leads to unreliable and
untrustworthy systems
Management must recognize that when technology becomes outdated, there is a
risk of loss of data integrity to threats and attacks
Ideally, proper planning by management should prevent the risks from technology
obsolescence, but when obsolescence is identified, management must take action


4. Write about the attack replication vectors in detail.
Nov/Dec 2011
IP Scan and attack: The infected system scans a random or local range of IP
addresses and targets any of the vulnerabilities known to hackers.
Web browsing: If the infected system has write access to any web pages, it makes
all web content files infectious, so that users who browse the web pages become infected.
Virus: Each infected machine infects certain common executable or script files on
all computers to which it can write with virus code that can cause infection.
Unprotected shares: Using vulnerabilities in file systems and the way many
organizations configure them, the infected machine copies the viral content to all locations it
can reach.
Mass mail: By sending e-mail infections to addresses found in the address book, the
infected machine infects the users whose mail-reading programs automatically run the
program and infect other systems.
SNMP: By using the widely known and common passwords that were employed in
earlier versions of this protocol, the attacking program can gain control of the device.
5. Discuss the ethical concepts in information security.
Thou shalt not use a computer to harm other people
Thou shalt not interfere with other people's computer work
Thou shalt not snoop around in other people's computer files
Thou shalt not use a computer to steal
Thou shalt not use a computer to bear false witness
Thou shalt not copy or use proprietary software for which you have not paid
Thou shalt not use other people's computer resources without authorization or
proper compensation
Thou shalt not appropriate other people's intellectual output
Thou shalt think about the social consequences of the program you are writing or
the system you are designing
Thou shalt always use a computer in ways that insure consideration and respect
for your fellow humans
Ethical Differences across Cultures
Cultural differences create difficulty in determining what is and is not ethical
Difficulties arise when one nationality's ethical behaviour conflicts with the ethics of
another national group
Example: many of the ways in which Asian cultures use computer technology amount to
software piracy
Ethics and Education
The overriding factor in levelling ethical perceptions within a small population is
education
Employees must be trained in expected behaviours of an ethical employee,
especially in areas of information security
Proper ethical training is vital to creating informed, well prepared, and low-risk
system users
Deterrence to Unethical and Illegal Behaviour
Deterrence: best method for preventing an illegal or unethical activity; e.g., laws,
policies, technical controls
Laws and policies only deter if three conditions are present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
6. List and discuss the role and focus of any four professional organizations providing
information security.
May/June 2012 May/June 2013
Several professional organizations have established codes of conduct/ethics
Codes of ethics can have a positive effect; unfortunately, many employers do not
encourage joining these professional organizations
It is the responsibility of security professionals to act ethically and according to the
policies of the employer, professional organization, and laws of society.
ACM
Established in 1947 as the world's first educational and scientific
computing society
Its code of ethics contains references to protecting information confidentiality,
causing no harm, protecting others' privacy, and respecting others' intellectual
property.
International Information Systems Security Certification Consortium, Inc.
Non-profit organization focusing on development and implementation of
information security certifications and credentials
Its code is primarily designed for information security professionals who hold a
certification from the Consortium
Code of ethics focuses on four mandatory canons
System Administration, Networking, and Security Institute (SANS)
Professional organization with a large membership dedicated to protection of
information and systems
SANS offers a set of certifications called Global Information Assurance
Certification (GIAC)
Information Systems Audit and Control Association (ISACA)
Professional association with focus on auditing, control, and security
Concentrates on providing IT control practices and standards
ISACA has a code of ethics for its professionals.
UNIT III
PART A (2 Marks)
1. In risk management strategies why does a periodic review have to be a part of
process?
May/June 2012 May/June 2013
The first focus is asset inventory
The completeness and accuracy of the asset inventory has to be verified
The threats and vulnerabilities that are dangerous to asset inventory must be
verified
2. What is asset valuation? List any 2 components of asset valuation.
May/June 2012
A method of assessing the worth of a company, real property, security, antique or
other item of worth. Asset valuation is commonly performed prior to the sale of an asset or
prior to purchasing insurance for an asset.
Questions to assist in developing the criteria to be used for asset valuation:
Which information asset is the most critical to the success of the organization?
Which information asset generates the most revenue?
3. Define dumpster diving.
May/June 2013
Dumpster diving is searching through an organization's discarded materials to retrieve
information that could embarrass a company or compromise information security.
4. What is risk management?
Nov/Dec 2012
Risk management is the process of identifying vulnerabilities in an organization's
information systems and taking carefully reasoned steps to assure confidentiality, integrity,
and availability.
5. Define benchmarking.
Benchmarking is a process of seeking out and studying the practices used in other
organizations that produce results you would like to duplicate in your organization.
6. What are the different types of Access Controls?
Discretionary Access Controls (DAC)
Mandatory Access Controls (MACs)
Nondiscretionary Controls
Role-Based Controls
Task-Based Controls
Lattice-based Control

7. Define Disaster Recovery Plan.
The most common mitigation procedure is the Disaster Recovery Plan (DRP). The DRP
includes the entire spectrum of activities used to recover from the incident and strategies to
limit losses before and after the disaster. The DRP usually includes all preparations for the
recovery process and strategies to limit losses during the disaster.
8. What is residual risk?
Exposure to loss remaining after other known risks have been countered, factored in,
or eliminated. It is simply seen as the risk that remains after safeguards have been
implemented.
9. Mention the Risk Identification Estimate Factors.
Likelihood
Value of Information Assets
Percent of Risk Mitigated
Uncertainty
10. What is the formula for calculating risk?
Risk = Threat x Vulnerability x Cost
Risk Assessment = ((Likelihood + Impact + Current Impact)/3) * 2 - 1

PART B (16 Marks)


1. Explain in detail the process of asset identification for different categories.
Nov/Dec 2012
People, Procedures, and Data Asset Identification
Human resources, documentation, and data information assets are not as readily
discovered and documented
These assets should be identified, described, and evaluated by people using
knowledge, experience, and judgment
As these elements are identified, they should also be recorded into some reliable
data handling process
Asset Information for People
Position name/number/ID: try to avoid names and stick to identifying positions,
roles, or functions
Supervisor
Security clearance level
Special skills
Hardware, Software, and Network Asset Identification
What attributes of each of these information assets should be tracked?
When deciding which information assets to track, consider including these asset
attributes:
Name
IP address
MAC address
Element type
Serial number
Manufacturer name
Manufacturer's model number or part number
Software version, update revision, or FCO number
Physical location
Logical location
Controlling entity

Asset Information for Procedures
Description
Intended purpose
What elements is it tied to
Where is it stored for reference
Where is it stored for update purposes
Security clearance level
Special skills
Asset Information for Data
For Data:
Classification
Owner/creator/manager
Size of data structure
Data structure used: sequential, relational
Online or offline
Where located
Backup procedures employed
2. What are risk control strategies?
Nov/Dec 2011 May/June 2012
When risks from information security threats are creating a competitive
disadvantage, the information technology and information security communities of
interest take control of the risks
Four basic strategies are used to control the risks that result from vulnerabilities:
Apply safeguards (avoidance)
Transfer the risk (transference)
Reduce the impact (mitigation)
Inform themselves of all of the consequences and accept the risk without
control or mitigation (acceptance)
Risk Control Strategies:
Avoidance
Avoidance attempts to prevent the exploitation of the vulnerability
Accomplished through countering threats, removing vulnerabilities in assets,
limiting access to assets, and adding protective safeguards
Three areas of control:
Policy
Training and education
Technology
Transference
Transference is the control approach that attempts to shift the risk to other assets,
other processes, or other organizations

If an organization does not already have quality security management
and administration experience, it should hire individuals or firms that
provide such expertise
This allows the organization to transfer the risk associated with the
management of these complex systems to another organization with
established experience in dealing with those risks
Mitigation
Mitigation attempts to reduce the impact of exploitation through planning and
preparation
Three types of plans:
disaster recovery planning (DRP)
business continuity planning (BCP)
incident response planning (IRP)
Acceptance
Acceptance of risk is doing nothing to close a vulnerability and accepting the
outcome of its exploitation
Acceptance is valid only when:
Determined the level of risk
Assessed the probability of attack
Estimated the potential damage
Performed a thorough cost benefit analysis
Evaluated controls using each appropriate feasibility
Decided that the particular function, service, information, or asset did not
justify the cost of protection
Risk appetite describes the degree to which an organization is willing to accept
risk as a trade-off to the expense of applying controls
Risk Assessment
Risk assessment is the process that determines the relative risk for each of the
vulnerabilities
Risk assessment assigns a risk rating or score to each specific information asset,
useful in gauging the relative risk introduced by each vulnerable information asset
and making comparative ratings later in the risk control process
Risk Identification Estimate Factors
Likelihood
Value of Information Assets
Percent of Risk Mitigated
3. Explain the process of Risk assessment.
Nov/Dec 2011 Nov/Dec 2012
Risk assessment assigns a risk rating or score to each specific information asset,
useful in gauging the relative risk introduced by each vulnerable information asset
and making comparative ratings later in the risk control process.
Risk Identification Estimate Factors
Likelihood
Value of Information Assets
Percent of Risk Mitigated
Uncertainty
4. Write short notes on a) Incident Response Plan b) Disaster Recovery Plan
c) Business Continuity Plan.
Incident Response Plan
The actions an organization can, and perhaps should, take while the incident is in
progress are documented in what is known as the Incident Response Plan (IRP). The IRP
provides answers to questions victims might pose in the midst of the incident, such as
"What do I do now?"
What should the administrator do first?
Whom should they contact?
What should they document?
For example, in the event of serious virus or worm outbreak, the IRP may be used to
assess the likelihood of imminent damage and to inform key decision makers in the various
communities of interest.
Disaster Recovery Plan
The most common mitigation procedure is the Disaster Recovery Plan (DRP). The DRP
includes the entire spectrum of activities used to recover from the incident. The DRP can
include strategies to limit losses before and after the disaster. These strategies are fully
deployed once the disaster has stopped.
The DRP usually includes all preparations for the recovery process, strategies to limit
losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles,
or the floodwaters recede.
Business Continuity Plan
The BCP is the most strategic and long term of the three plans. It encompasses the
continuation of business activities if a catastrophic event occurs, such as the loss of an entire
database, building, or entire operations centre. The BCP includes planning the steps
necessary to ensure the continuation of the organization when the scope or scale of a disaster
exceeds the ability of the DRP to restore operations. This can include preparation steps for
activation of secondary data centres, hot sites, or business recovery sites.
5. Explain the process of vulnerability identification and assessment for different
threats faced by an information security system.
Vulnerability Identification
Vulnerabilities are specific avenues that threat agents can exploit to attack an
information asset
Examine how each of the threats that are possible or likely could be perpetrated
and list the organization's assets and their vulnerabilities
The process works best when groups of people with diverse backgrounds
within the organization work iteratively in a series of brainstorming sessions
At the end of the process, an information asset / vulnerability list has been
developed
This is the starting point for the next step, risk assessment
6. Discuss briefly data classification and management.
Data Classification and Management
A variety of classification schemes are used by corporate and military
organizations
Information owners are responsible for classifying the information assets for
which they are responsible
Information owners must review information classifications periodically
The military uses a five-level classification scheme but most organizations do not
need the detailed level of classification used by the military or federal agencies
Management of Classified Data
Includes the storage, distribution, portability, and destruction of classified
information
Clean desk policies require all information to be stored in its appropriate storage
container at the end of each day
Proper care should be taken to destroy any unneeded copies
Dumpster diving can prove embarrassing to the organization.

7. Explain the risk control cycle process.
Once a control strategy has been implemented, it should be monitored and measured
on an ongoing basis to determine the effectiveness of the security controls and the accuracy
of the estimate of the residual risk. The following flowchart shows how this cyclical process
is continuously used to ensure that risks are controlled.

Before deciding on the strategy for a specific vulnerability all information about
the economic and non-economic consequences of the vulnerability facing the
information asset must be explored
Cost Benefit Analysis (CBA)
The most common approach for projects of information security controls and
safeguards is to evaluate the economic feasibility of implementation
Begins by evaluating the worth of the information assets to be protected and the
loss in value if those information assets are compromised
It is only common sense that an organization should not spend more to protect an
asset than it is worth
The formal process to document this is called a cost benefit analysis or an
economic feasibility study
Some of the items that impact the cost of a control or safeguard include:
Cost of development or acquisition
Training fees
Cost of implementation
Service costs
Cost of maintenance

Asset valuation
It is the process of assigning financial value or worth to each information asset
The valuation of assets involves estimation of real and perceived costs associated
with the design, development, installation, maintenance, protection, recovery, and
defense against market loss and litigation
These estimates are calculated for each set of information bearing systems or
information assets
The expected value of a loss can be stated in the following equation:
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized
Rate of Occurrence (ARO)
SLE = asset value x exposure factor (EF)
ARO is simply how often you expect a specific type of attack to occur, per year.
SLE is the calculation of the value associated with the most likely loss from an attack.
EF is the percentage loss that would occur from a given vulnerability being exploited.
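As an added worked example (not code from the notes), the SLE, ARO and ALE formulas above applied to a constructed scenario, extended with a comparison of the annual loss a safeguard avoids against its annualized cost, built from the cost items listed under cost benefit analysis. The asset values, exposure factors, occurrence rates, safeguard costs and the four-year useful life are assumptions.

```python
"""Asset valuation worked example: SLE, ARO and ALE, plus a cost-benefit
check of a candidate safeguard. Added example; all figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    asset: str
    asset_value: float       # estimated worth of the information asset
    exposure_factor: float   # EF: fraction of the value lost when exploited (0..1)
    aro: float               # ARO: expected occurrences of this attack per year


@dataclass(frozen=True)
class SafeguardCost:
    """Cost items named in the notes. One-time items are spread over the
    safeguard's useful life (an assumption made here); the rest recur yearly."""
    acquisition: float            # cost of development or acquisition
    training: float               # training fees
    implementation: float         # cost of implementation
    service_per_year: float       # service costs
    maintenance_per_year: float   # cost of maintenance
    useful_life_years: int = 4    # assumed useful life of the control


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is a percentage loss and must lie between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(s: LossScenario) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(s.asset_value, s.exposure_factor) * s.aro


def annualized_cost_of_safeguard(c: SafeguardCost) -> float:
    one_time = c.acquisition + c.training + c.implementation
    return one_time / c.useful_life_years + c.service_per_year + c.maintenance_per_year


def net_annual_benefit(before: LossScenario, after: LossScenario,
                       cost: SafeguardCost) -> float:
    """Annual loss avoided by the safeguard minus its annualized cost.
    A negative result means the control costs more than the loss it prevents,
    which is the 'do not spend more than the asset is worth' rule in numbers."""
    avoided = annualized_loss_expectancy(before) - annualized_loss_expectancy(after)
    return avoided - annualized_cost_of_safeguard(cost)


# Constructed scenario: a customer database worth 400,000 facing a destructive
# outage; values are powers of two fractions so the arithmetic is exact.
BEFORE = LossScenario("customer database", 400_000, exposure_factor=0.5, aro=0.25)
# With tested offline backups both the damage per event and its frequency drop.
AFTER = LossScenario("customer database", 400_000, exposure_factor=0.125, aro=0.125)
BACKUP_SAFEGUARD = SafeguardCost(acquisition=10_000, training=2_000, implementation=4_000,
                                 service_per_year=2_000, maintenance_per_year=1_000)


def evaluate(before=BEFORE, after=AFTER, cost=BACKUP_SAFEGUARD) -> dict:
    """Return the figures a risk assessment report would show."""
    return {
        "sle_before": single_loss_expectancy(before.asset_value, before.exposure_factor),
        "ale_before": annualized_loss_expectancy(before),
        "ale_after": annualized_loss_expectancy(after),
        "annual_safeguard_cost": annualized_cost_of_safeguard(cost),
        "net_annual_benefit": net_annual_benefit(before, after, cost),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name:>22}: {value:,.2f}")
```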
When benchmarking, an organization typically uses one of two measures:
Metrics-based measures are comparisons based on numerical standards
Process-based measures examine the activities performed in pursuit of its goal,
rather than the specifics of how goals were attained
Organizational feasibility examines how well the proposed information security
alternatives will contribute to the efficiency, effectiveness, and overall operation of an
organization
Operational feasibility addresses user acceptance and support, management
acceptance and support, and the overall requirements of the organization's
stakeholders. It is sometimes known as behavioural feasibility, because it measures the
behaviour of users.

UNIT IV
PART A (2 Marks)
1. What measurement do you use when preparing a potential damage assessment?
May/June 2012
Identify what must be done to recover from each possible case. The costs include the
actions of the response team(s) as they act to recover quickly and effectively from an incident
or disaster.
2. Define policy and standards.
May/June 2012
A policy is a plan or course of action, as of a government, political party, or business,
intended to influence and determine decisions, actions, and other matters. Standards, on the
other hand, are more detailed statements of what must be done to comply with policy.
3. What is the difference between the management, technical and operational control?
When would each be applied as a part of a security framework?
May/June 2012
Managerial controls cover security processes that are designed by strategic planners
and implemented by the security administration of the organization.
4. Give any 5 major sections of ISO/IEC 17799 standards.
Organizational Security Policy
Organizational Security Infrastructure
Asset Classification and Control
Personnel Security
Compliance
5. What are the three types of security policies?
General or security program policy
Issue-specific security policies
Systems-specific security policies

May/June 2013

Nov/Dec 2012

6. Mention the Drawbacks of ISO 17799/BS 7799.
Nov/Dec 2011
The global information security community has not defined any justification for a
code of practice as identified in the ISO/IEC 17799
17799 lacks the necessary measurement precision of a technical standard
There is no reason to believe that 17799 is more useful than any other approach
currently available
17799 is not as complete as other frameworks available
17799 is perceived to have been hurriedly prepared given the tremendous impact
its adoption could have on industry information security controls
7. What is Defense in Depth?
One of the foundations of security architectures is the requirement to implement
security in layers. Defense in depth requires that the organization establish sufficient security
controls and safeguards, so that an intruder faces multiple layers of controls.
8. What is contingency planning?
Nov/Dec 2012
It is the entire planning conducted by the organization to prepare for, react to, and
recover from events that threaten the security of information and information assets in the
organization.
9. What are the approaches of ISSP?
Create a number of independent ISSP documents
Create a single comprehensive ISSP document
Create a modular ISSP document
10. What is Sphere of protection?
The sphere of protection overlays each of the levels of the sphere of use with
a layer of security, protecting that layer from direct or indirect use through the
next layer
The people must become a layer of security, a human firewall that protects the
information from unauthorized access and use
Information security is therefore designed and implemented in three layers
Policies
People (education, training, and awareness programs)
Technology
11. What is Security perimeter?
The point at which an organization's security protection ends, and the outside world
begins, is referred to as the security perimeter.
12. Mention the Operational Controls of NIST SP 800-26.
Personnel Security
Physical Security
Production, Input/output Controls
Contingency Planning
Hardware and Systems Software
Data Integrity
Documentation
Security Awareness, Training, and Education
Incident Response Capability
13. What is Information Security Blueprint?
The Security Blue Print is the basis for Design, Selection and Implementation of
Security Policies, education and training programs, and technology controls.
14. What are ACL Policies?
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the system from
How authorized users can access the system
15. Define Issue-Specific Security Policy (ISSP).
addresses specific areas of technology
requires frequent updates
contains an issue statement on the organization's position on an issue
16. What is Security Program Policy?
A general security policy
IT security policy
Information security policy

PART B (16 Marks)
1. Describe NIST SP 800-26.
Management Controls
Risk Management
Review of Security Controls
Life Cycle Maintenance
Authorization of Processing (Certification and Accreditation)
System Security Plan
Operational Controls
Personnel Security
Physical Security
Production, Input / Output Controls
Contingency Planning
Hardware and Systems Software
Data Integrity
Documentation
Security Awareness, Training, and Education
Incident Response Capability

Technical Controls
Identification and Authentication
Logical Access Controls
Audit Trails
2. Explain the design of security architecture in detail.
May/June 2013
Host-based IDS
Network-based IDS
Signature-based IDS
Statistical anomaly-based IDS
3. Discuss the types of information security policies in detail.
Nov/Dec 2011
General or security program policy
Issue-specific security policies
Systems-specific security policies
Security Program Policy
Sets the strategic direction, scope, and tone for all security efforts within the
organization
An executive-level document, usually drafted by or with, the CIO of the
organization and is usually 2 to 10 pages long
Issue-Specific Security Policy (ISSP)
As various technologies and processes are implemented, certain guidelines are
needed to use them properly
ISSP:
addresses specific areas of technology
requires frequent updates
contains an issue statement on the organizations position on an issue
Three approaches:
Create a number of independent ISSP documents
Create a single comprehensive ISSP document
Create a modular ISSP document
Systems-Specific Policy (SysSP)
SysSPs are frequently codified as standards and procedures used when
configuring or maintaining systems
Access control lists (ACLs) consist of the access control lists, matrices, and
capability tables governing the rights and privileges of a particular user to a
particular system
Configuration rules comprise the specific configuration codes entered into
security systems to guide the execution of the system


4. Explain NIST security model in detail.
Nov/Dec 2011
NIST special publication SP 800-12
NIST special publication SP 800-14
NIST special publication SP 800-18
5. Discuss VISA International security models in detail.
Nov/Dec 2012
VISA International promotes strong security measures and has security guidelines
Developed two important documents that improve and regulate information
systems: Security Assessment Process; Agreed Upon Procedures
Using the two documents, a security team can develop a sound strategy for the design
of a good security architecture
The only downside to this approach is its very specific focus on systems that can or do
integrate with VISA's systems
6. Describe the major steps in contingency planning.
Nov/Dec 2012
Plans for events of this type are referred to in a number of ways:
Business continuity plans (BCPs)
Disaster recovery plans (DRPs)
Incident response plans (IRPs)
Contingency plans
Large organizations may have many types of plans and small organizations may
have one simple plan, but most have inadequate planning

Before any planning begins, a team has to plan the effort and prepare resulting
documents
Champion: high-level manager to support, promote, and endorse findings of the
project
Project manager: leads project and makes sure a sound project planning process is
used, a complete and useful project plan is developed, and project resources are
prudently managed
Team members: should be managers or their representatives from various
communities of interest (business, IT, and information security).
Major steps in contingency planning:

The CP team conducts the business impact analysis (BIA) in the following stages:
Threat attack identification
Business unit analysis
Attack success scenarios
Potential damage assessment
Subordinate plan classification
Incident response planning covers identification of, classification of, and response
to an incident
An incident is an attack against an information asset that poses a clear threat to the
confidentiality, integrity, or availability of information resources
The IR team consists of those individuals needed to handle systems as the incident
takes place
IR consists of the following four phases:
Planning
Detection
Reaction
Recovery

Disaster recovery planning (DRP) is planning the preparation for and recovery from a
disaster.
Contingency planning team must decide which actions constitute disasters and which
constitute incidents.
DRP Steps:
There must be a clear establishment of priorities
There must be a clear delegation of roles and responsibilities
Someone must initiate the alert roster and notify key personnel
Crisis management occurs during and after a disaster and focuses on the people
involved and addressing the viability of the business


Business continuity planning outlines reestablishment of critical business
operations during a disaster that impacts operations

UNIT V
PART A (2 Marks)
1. Distinguish between symmetric and asymmetric encryption.
Nov/Dec 2011
Symmetric | Asymmetric
Uses the same secret (private) key to encrypt and decrypt its data | Uses both a public and a private key.
Requires that the secret key be known by the party encrypting the data and the party decrypting the data. | Allows for distribution of your public key to anyone, with which they can encrypt the data they want to send securely; it can then only be decoded by the person having the private key.
Fast | 1000 times slower than symmetric
2. What is content filter?
May/June 2013
A content filter is a software filter, technically not a firewall, that allows administrators
to restrict access to content from within a network.
3. List all physical security controls.
May/June 2013
guards
dogs
lock and keys
electronic monitoring
ID cards and badges
man traps
alarms and alarm systems
4. What are the seven major sources of physical loss?
Temperature extremes
Gases
Liquids
Living organisms
Projectiles
Movement
Energy anomalies

5. What are the advantages and disadvantages of using honey pot or padded cell
approach?
Advantages:
Attackers can be diverted to targets that they cannot damage
Administrators have time to decide how to respond to an attacker
Attackers' actions can be easily and extensively monitored
Honey pots may be effective at catching insiders who are snooping around a
network
Disadvantages:
The legal implications of using such devices are not well defined
Honey pots and padded cells have not yet been shown to be generally useful
security technologies
An expert attacker, once diverted into a decoy system, may become angry
and launch a hostile attack against an organization's systems
Security managers will need a high level of expertise to use these systems
6. Define encryption and decryption.
Encryption is the process of converting an original message into a form that is
unreadable to unauthorized individuals, that is, to anyone without the tools to convert the
encrypted message back to its original format.
Decryption is the process of converting the cipher text into a message that conveys
readily understood meaning.
7. What are different types of IDSs?
Network-based IDS
Host-based IDS
Application-based IDS
Signature-based IDS
Statistical Anomaly-Based IDS

8. What are firewalls?
A firewall is any device that prevents a specific type of information from moving
between the un-trusted network outside and the trusted network inside. The firewall may be:
a separate computer system
a service running on an existing router or server
a separate network containing a number of supporting devices

9. What is Application-based IDS?
A refinement of host-based IDS is the application-based IDS (AppIDS). The
application-based IDS examines an application for abnormal incidents. It looks for anomalous
occurrences such as users exceeding their authorization, invalid file executions, etc.
10. What are Digital signatures?
An interesting thing happens when the asymmetric process is reversed, that is, the
private key is used to encrypt a short message
The public key can be used to decrypt it, and the fact that the message was sent by
the organization that owns the private key cannot be repudiated
This is known as non-repudiation, which is the foundation of digital signatures
Digital signatures are encrypted messages that are independently verified by a
central facility (registry) as authentic
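The reversed asymmetric process described above, as an added example that is not part of the notes: a toy RSA key pair built from the primes 61 and 53 (chosen for illustration; a 3233 modulus is trivially factorable and a real deployment uses a vetted library with 2048-bit or larger keys) signs a message digest with the private key, and anyone holding the public key recovers the digest and checks it. The sample message is constructed.

```python
"""Digital signature demonstration: the asymmetric process reversed.
Added example, not from the notes. The RSA key pair is a textbook toy built
from the primes 61 and 53 and is not secure; real signatures use a vetted
library and keys of 2048 bits or more."""
import hashlib

# Toy RSA parameters (constructed for illustration; n = 3233 is trivially factorable).
P, Q, E = 61, 53, 17


def make_keypair(p: int = P, q: int = Q, e: int = E):
    """Return (public_key, private_key), each an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def digest_of(message: bytes, n: int) -> int:
    """Hash the message and reduce it into [0, n). The reduction is only needed
    because the toy modulus is far smaller than a SHA-256 digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_digest(digest: int, private_key) -> int:
    """The private key holder 'encrypts' the digest: s = digest^d mod n.
    Only the owner of d can produce s, which is what makes the signature
    non-repudiable."""
    d, n = private_key
    return pow(digest, d, n)


def verify_digest(digest: int, signature: int, public_key) -> bool:
    """Anyone with the public key 'decrypts' s: digest' = s^e mod n, and checks
    that it equals the digest of the message they received."""
    e, n = public_key
    return pow(signature, e, n) == digest


def sign_message(message: bytes, private_key) -> int:
    return sign_digest(digest_of(message, private_key[1]), private_key)


def verify_message(message: bytes, signature: int, public_key) -> bool:
    return verify_digest(digest_of(message, public_key[1]), signature, public_key)


if __name__ == "__main__":
    pub, priv = make_keypair()
    msg = b"Transfer approved by the security office"   # constructed sample message
    sig = sign_message(msg, priv)
    print("signature:", sig)
    print("verifies with sender's public key:", verify_message(msg, sig, pub))
    print("verifies after tampering:", verify_message(msg + b"!", sig, pub))
```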
11. What are dual homed host firewalls?
The bastion-host contains two NICs (network interface cards)
One NIC is connected to the external network, and one is connected to the internal
network
With two NICs all traffic must physically go through the firewall to move between
the internal and external networks
A technology known as network-address translation (NAT) is commonly
implemented with this architecture to map from real, valid, external IP addresses
to ranges of internal IP addresses that are non-routable
12. How are firewalls categorized by processing mode?
Packet filtering
Application gateways
Circuit gateways
MAC layer firewalls
Hybrids
13. What is Cryptanalysis?
Cryptanalysis is the process of obtaining the original message (called plaintext) from
an encrypted message (called the cipher text) without knowing the algorithms and keys used
to perform the encryption.
14. What is Public Key Infrastructure (PKI)?
Public Key Infrastructure is the entire set of hardware, software, and cryptosystems
necessary to implement public key encryption.
PKI systems are based on public-key cryptosystems and include digital certificates
and certificate authorities (CAs) and can:
Issue digital certificates
Issue crypto keys

PART B (16 Marks)


1. Write about the different generations of firewalls.
First Generation
Called packet filtering firewalls
Examines every incoming packet header and selectively filters packets based on
address, packet type, port request, and other factors
The restrictions most commonly implemented are based on:
IP source and destination address
Direction (inbound or outbound)
TCP or UDP source and destination port requests
Second Generation
Called application-level firewall or proxy server
Often a dedicated computer separate from the filtering router
With this configuration the proxy server, rather than the Web server, is exposed to
the outside world in the DMZ
Additional filtering routers can be implemented behind the proxy server
The primary disadvantage of application-level firewalls is that they are designed
for a specific protocol and cannot easily be reconfigured to protect against attacks
on protocols for which they are not designed
Third Generation
Called stateful inspection firewalls
Keeps track of each network connection established between internal and external
systems using a state table which tracks the state and context of each packet in the
conversation by recording which station sent what packet and when
If the stateful firewall receives an incoming packet that it cannot match in its state
table, then it defaults to its ACL to determine whether to allow the packet to pass
The primary disadvantage is the additional processing requirements of managing
and verifying packets against the state table which can possibly expose the system
to a DoS attack
These firewalls can track connectionless packet traffic such as UDP and remote
procedure calls (RPC) traffic
Fourth Generation
While static filtering firewalls, such as first and third generation, allow entire sets
of one type of packet to enter in response to authorized requests, a dynamic packet
filtering firewall allows only a particular packet with a particular source,
destination, and port address to enter through the firewall
It does this by understanding how the protocol functions, and opening and closing
doors in the firewall, based on the information contained in the packet header. In
this manner, dynamic packet filters are an intermediate form, between traditional
static packet filters and application proxies
Fifth Generation
The final form of firewall is the kernel proxy, a specialized form that works under
the Windows NT Executive, which is the kernel of Windows NT
It evaluates packets at multiple layers of the protocol stack, by checking security
in the kernel as data is passed up and down the stack
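The third-generation behaviour described above (check the state table first, fall back to the ACL only for packets that cannot be matched) as an added Python simulation; this is not code from these notes, and the addresses, ports and rule set are constructed sample values:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"
    direction: str = "in"   # "in": from the external network, "out": from the internal network

class StatefulFirewall:
    def __init__(self, acl):
        # acl: static rules (direction, proto, dport, action); first match wins
        self.acl = acl
        self.state = set()  # state table: 5-tuples of conversations seen so far

    def _acl_decision(self, pkt):
        for direction, proto, dport, action in self.acl:
            if direction in (pkt.direction, "*") and proto in (pkt.proto, "*") \
                    and dport in (pkt.dport, "*"):
                return action
        return "deny"  # no rule matched: default deny

    def process(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.state or reply in self.state:
            return "allow"  # matches a tracked conversation
        decision = self._acl_decision(pkt)  # cannot match: fall back to the ACL
        if decision == "allow":
            self.state.add(key)  # record the conversation so replies are matched later
        return decision

# Constructed sample ACL (added example, not from the notes), modelled on the recommended practices
SAMPLE_ACL = [
    ("out", "*", "*", "allow"),  # all traffic from the trusted network is allowed out
    ("in", "TCP", 25, "allow"),  # inbound SMTP, routed to the SMTP gateway
    ("in", "*", "*", "deny"),    # everything else inbound is denied
]

def run_demo():
    """Outbound web request, its reply, an unsolicited inbound connection attempt, inbound SMTP."""
    fw = StatefulFirewall(SAMPLE_ACL)
    out = fw.process(Packet("10.0.0.5", 51000, "203.0.113.9", 443, "TCP", "out"))
    reply = fw.process(Packet("203.0.113.9", 443, "10.0.0.5", 51000, "TCP", "in"))
    probe = fw.process(Packet("198.51.100.7", 40000, "10.0.0.5", 3389, "TCP", "in"))
    smtp = fw.process(Packet("198.51.100.7", 40001, "10.0.0.25", 25, "TCP", "in"))
    return out, reply, probe, smtp  # ("allow", "allow", "deny", "allow")
```

The reply to the outbound request is admitted only because the state table remembers the outbound packet; the unsolicited packet has no entry and so is judged by the static ACL, which denies it.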
2. Explain briefly the basic Encryption definitions.
Algorithm: mathematical formula used to convert an unencrypted message into
an encrypted message
Cipher: transformation of the individual components (characters, bytes, or bits) of
an unencrypted message into encrypted components
Ciphertext or cryptogram: unintelligible encrypted or encoded message
resulting from an encryption
Code: transformation of the larger components (words or phrases) of an
unencrypted message into encrypted components
Cryptosystem: set of transformations necessary to convert an unencrypted
message into an encrypted message
Decipher: decrypt or convert ciphertext to plaintext
Encipher: encrypt or convert plaintext to ciphertext
Key or cryptovariable: information used in conjunction with the algorithm to
create ciphertext from plaintext
Keyspace: entire range of values that can possibly be used to construct an
individual key
Link encryption: a series of encryptions and decryptions between a number of
systems, whereby each node decrypts the message sent to it and then re-encrypts it
using different keys and sends it to the next neighbor, until it reaches the final
destination
Plaintext: original unencrypted message that is encrypted and results from
successful decryption
Steganography: process of hiding messages in a picture or graphic
Work factor: amount of effort (usually in hours) required to perform
cryptanalysis on an encoded message

3. Explain about RSA algorithm.
public key encryption technique
encryption algorithm
decryption algorithm
security in RSA
RSA Algorithm
The Rivest-Shamir-Adleman (RSA) algorithm is one of the most popular and secure
public-key encryption methods. The algorithm capitalizes on the fact that there is no efficient
way to factor very large (100-200 digit) numbers.
Using an encryption key (e,n), the algorithm is as follows:
Represent the message as an integer between 0 and (n-1). Large messages can be
broken up into a number of blocks. Each block would then be represented by an
integer in the same range
Encrypt the message by raising it to the e-th power modulo n. The result is a
ciphertext message C
To decrypt ciphertext message C, raise it to another power d modulo n
The encryption key (e,n) is made public. The decryption key (d,n) is kept private by
the user.
How to Determine Appropriate Values for e, d, and n
Choose two very large (100+ digit) prime numbers. Denote these numbers as p
and q.
Set n equal to p * q.
Choose any large integer, d, such that GCD(d, ((p-1) * (q-1))) = 1
Find e such that e * d = 1 (mod ((p-1) * (q-1)))
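As an added worked example (not code from these notes), textbook RSA in Python following the key-setup order given above (choose d coprime to (p-1)(q-1), then derive e), together with the reversed private-key operation from question 10 of Part A that gives non-repudiation. The primes and d are constructed toy values; real keys use primes of hundreds of digits and padded messages rather than raw blocks.

```python
from math import gcd

def rsa_keys(p, q, d):
    """Return ((e, n), (d, n)) from primes p, q and a chosen private exponent d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must satisfy GCD(d, (p-1)*(q-1)) = 1")
    e = pow(d, -1, phi)  # e * d = 1 (mod (p-1)*(q-1)); modular inverse needs Python 3.8+
    return (e, n), (d, n)

def encrypt(m, public_key):
    """C = M^e mod n; M must be an integer between 0 and n-1."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message block must lie in [0, n-1]")
    return pow(m, e, n)

def decrypt(c, private_key):
    """M = C^d mod n."""
    d, n = private_key
    return pow(c, d, n)

def sign(m, private_key):
    """Reversed process: only the holder of d can produce this value."""
    d, n = private_key
    return pow(m, d, n)

def verify(m, sig, public_key):
    """Anyone holding (e, n) can check it; a match ties m to the owner of the private key."""
    e, n = public_key
    return pow(sig, e, n) == m

def blocks_roundtrip(message, public_key, private_key):
    """Break a byte string into one-byte blocks (each < n), encrypt, then decrypt."""
    cipher = [encrypt(b, public_key) for b in message]
    return bytes(decrypt(c, private_key) for c in cipher)

if __name__ == "__main__":
    # Constructed toy parameters (added example, not from the notes): p=61, q=53 give
    # n=3233 and (p-1)(q-1)=3120; d=2753 is coprime to 3120 and yields e=17.
    pub, priv = rsa_keys(61, 53, 2753)
    c = encrypt(65, pub)
    print(pub, priv, c, decrypt(c, priv))          # (17, 3233) (2753, 3233) 2790 65
    print(verify(65, sign(65, priv), pub))         # True
    print(blocks_roundtrip(b"RSA", pub, priv))     # b'RSA'
```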
4. What are the different types of intrusion detection systems (IDS)? Explain IDS.
May/June 2013
Intrusion Detection Systems (IDSs)
IDSs work like burglar alarms
IDSs require complex configurations to provide the level of detection and
response desired
An IDS operates as either network-based, when the technology is focused on
protecting network information assets, or host-based, when the technology is
focused on protecting server or host information assets
IDSs use one of two detection methods, signature-based or statistical anomaly-based
A network-based IDS (NIDS) resides on a computer or an appliance connected to a
segment of an organization's network and monitors traffic on that network segment, looking
for indications of ongoing or successful attacks.
5. What are the recommended practices in designing firewalls?
All traffic from the trusted network is allowed out
The firewall device is always inaccessible directly from the public network
Allow Simple Mail Transport Protocol (SMTP) data to pass through your firewall,
but ensure it is all routed to a well-configured SMTP gateway to filter and route
messaging traffic securely
All Internet Control Message Protocol (ICMP) data should be denied
Block telnet (terminal emulation) access to all internal servers from the public
networks
When Web services are offered outside the firewall, deny HTTP traffic from
reaching your internal networks by using some form of proxy access or DMZ
architecture

6. Explain different types of Scanning and Analysis tools available.
Port Scanners
Port scanners fingerprint networks to find ports and services and other
useful information
Why secure open ports?
An open port can be used to send commands to a computer, gain access to a
server, and exert control over a networking device
The general rule of thumb is to remove from service or secure any port not
absolutely necessary for the conduct of business
Vulnerability Scanners
Vulnerability scanners are capable of scanning networks for very detailed
information
As a class, they identify exposed usernames and groups, show open network
shares, expose configuration problems, and other vulnerabilities in servers
Packet Sniffers
Packet sniffers capture traffic on a network segment; to use one legitimately, the administrator must be:
on a network that the organization owns
under direct authorization of the owners of the network
in possession of the knowledge and consent of the content creators (users)
Content Filters
Although technically not a firewall, a content filter is a software filter that allows
administrators to restrict accessible content from within a network
The content filtering restricts Web sites with inappropriate content
Trap and Trace
Trap: better known as a honey pot, it distracts the attacker while notifying the
administrator
Trace: determine the identity of someone using unauthorized access
7. What is Cryptography? Explain the key terms associated with cryptography.
Cryptography, which comes from the Greek words kryptos, meaning hidden, and graphein,
meaning to write, is the process of making and using codes to secure the transmission of
information.
Cryptanalysis is the process of obtaining the original message (called plaintext) from
an encrypted message (called the cipher text) without knowing the algorithms and keys used
to perform the encryption.
Encryption is the process of converting an original message into a form that is
unreadable to unauthorized individuals-that is, to anyone without the tools to convert the
encrypted message back to its original format.
Decryption is the process of converting the cipher text into a message that conveys
readily understood meaning.
