2015
Form No. Acad-006
Assignment - 1
Q1. Discuss the process of an Information System. Explain the types of Information System in detail.
Sol: An information system can be described as a combination of hardware, software, data, business
processes and functions that together increase the efficiency and manageability of an organization. Any
specific information system aims to support operations, management and decision-making.
Types:
Operations support system
In an organization, end users enter data, the system processes it, and the result is information
products such as reports, which are used by internal and/or external users. Such a system is called an
operations support system.
The purpose of the operations support system is to facilitate business transactions, control
production, support internal as well as external communication and keep the organization's central
database up to date. The operations support system is further divided into transaction-processing
systems, process control systems and enterprise collaboration systems.
In a manufacturing organization there are several types of transactions across departments. Typical
departments are Sales, Accounts, Finance, Plant, Engineering, Human Resources and Marketing, and the
transactions that flow between them include sales orders, sales returns, cash receipts, credit sales,
credit slips, material accounting, inventory management, depreciation accounting, etc.
These transactions can be categorized into batch transaction processing, single transaction
processing and real-time transaction processing.
In recent times there is more stress on team effort, or collaboration, across different functional
teams. A system which enables collaborative effort by improving communication and data sharing is
referred to as an enterprise collaboration system.
A management information system provides managers with information that supports routine
decision-making. A decision support system provides managers with information for solving specific,
non-routine problems.
Software vulnerabilities also give attackers ways to slip malware onto your computer without your
knowledge. A software vulnerability is a security hole or weakness in an operating system or application.
Attackers exploit it by writing code (an exploit) that targets the specific flaw, and then use that foothold
to install malware on the device. Keeping the operating system and applications patched closes the holes
that such exploits depend on.
Wi-Fi snooping and sniffing are what they sound like. Cybercriminals can buy software kits and even
purpose-built devices to help them eavesdrop on Wi-Fi signals. On an open (unencrypted) network, or one
whose shared password the attacker also knows, this exposes everything you do online that is not itself
encrypted: the pages you visit (including any information you filled in on them), your login credentials,
and the session cookies that let an attacker hijack your accounts. Traffic that is encrypted end to end
with HTTPS cannot be read this way, so the exposure is greatest on plain-HTTP sites.
Malicious hotspots
These "rogue access points" (also called evil twins) trick victims into connecting to what they think is a
legitimate network because the name looks reputable. Say you are staying at the Goodnyte Inn and want to
connect to the hotel's Wi-Fi. You may think you are selecting the correct network when you click on
"GoodNyte Inn", but you haven't. Instead, you have just connected to a rogue hotspot set up by
cybercriminals, who now sit in the path of all your traffic and can view your sensitive information.
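A small detection check for the evil-twin scenario above, written as an added example that is not part of the original assignment. It assumes the venue (or a team auditing the site) knows the BSSIDs of its own access points; the scan results and addresses below are constructed, not captured data.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// ScanResult is one beacon seen by a Wi-Fi scan.
type ScanResult struct {
	SSID     string
	BSSID    string // MAC address of the access point
	Security string // "open", "wpa2", "wpa3"
}

// Finding explains why a beacon is suspected to be a rogue access point.
type Finding struct {
	BSSID  string
	SSID   string
	Reason string
}

// normalize folds case and strips spaces and punctuation so that
// "GoodNyte Inn", "Goodnyte-Inn" and "goodnyte inn" compare equal.
func normalize(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if unicode.IsLetter(r) || unicode.IsDigit(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// CheckRogueAPs flags every beacon whose name imitates the venue's SSID but
// is sent by a BSSID the venue does not operate. Attackers can spoof a BSSID
// as well, so a clean result is not proof of safety; a hit, however, is a
// strong signal that an evil twin is active.
func CheckRogueAPs(venueSSID string, venueBSSIDs []string, scan []ScanResult) []Finding {
	known := make(map[string]bool, len(venueBSSIDs))
	for _, b := range venueBSSIDs {
		known[strings.ToUpper(b)] = true
	}
	want := normalize(venueSSID)
	var findings []Finding
	for _, r := range scan {
		if !strings.Contains(normalize(r.SSID), want) {
			continue // unrelated network
		}
		if known[strings.ToUpper(r.BSSID)] {
			continue // one of the venue's own access points
		}
		reason := "lookalike SSID from unknown BSSID"
		if r.Security == "open" {
			reason += " (open network: the operator can read all unencrypted traffic)"
		}
		findings = append(findings, Finding{BSSID: r.BSSID, SSID: r.SSID, Reason: reason})
	}
	return findings
}

// SampleScan is constructed data standing in for the output of a Wi-Fi scan.
var SampleScan = []ScanResult{
	{"Goodnyte Inn", "AA:BB:CC:00:00:01", "wpa2"},           // genuine
	{"Goodnyte Inn", "AA:BB:CC:00:00:02", "wpa2"},           // genuine, second AP
	{"GoodNyte Inn", "DE:AD:BE:EF:00:01", "open"},           // evil twin
	{"Goodnyte-Inn Free WiFi", "DE:AD:BE:EF:00:02", "open"}, // lookalike name
	{"CoffeeShop", "11:22:33:44:55:66", "open"},             // unrelated
}

// VenueBSSIDs is the (assumed) list of access points the hotel really runs.
var VenueBSSIDs = []string{"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

func main() {
	for _, f := range CheckRogueAPs("Goodnyte Inn", VenueBSSIDs, SampleScan) {
		fmt.Printf("ROGUE? %s %q: %s\n", f.BSSID, f.SSID, f.Reason)
	}
}
```

The check is a heuristic for the venue side; as a guest you usually cannot see the BSSID list, which is why the protections that follow (a VPN, and HTTPS for everything) matter more than trying to pick the "right" network by name.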
One of the most effective ways to protect your traffic on public Wi-Fi is a virtual private network
(VPN), such as Norton WiFi Privacy, on your PC, Mac, smartphone or tablet: the VPN encrypts everything
between your device and the VPN gateway, so the hotspot operator and anyone sniffing the air see only
encrypted tunnel traffic. If you must use public Wi-Fi without one, follow these tips to protect your
information.
Don’t:
Do:
Assignment – 2
Packet-filtering firewalls
This, the original type of firewall, operates inline at junction points where devices such as routers and
switches do their work. The firewall itself does not make routing decisions; instead it compares each packet
received against a set of established criteria -- such as the allowed source and destination IP addresses,
protocol, port numbers and TCP flags. Packets that match a deny rule, or match no allow rule at all, are,
generally speaking, silently dropped -- that is, they are not forwarded and, from the network's point of
view, cease to exist. Because each packet is judged on its own, a plain packet filter cannot tell whether a
packet belongs to a connection that was legitimately started.
Circuit-level gateways
Using another relatively quick way to identify malicious traffic, these devices monitor the TCP
handshakes as sessions are established between the local and remote hosts, to decide whether the session
being initiated is legitimate -- for example, whether the remote system is considered trusted. They do not
inspect the payload of the packets themselves, however, so malware carried inside an approved session
passes through.
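To make the difference between the two mechanisms concrete, here is an added example (not from the original page) of a stateless packet filter with a first-match, default-deny rule set, followed by a minimal circuit-level check that admits a TCP segment only if it belongs to a session whose opening SYN was allowed. The addresses, ports, rules and packet sequence are assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Packet holds the header fields the filter looks at.
type Packet struct {
	Proto            string // "tcp" or "udp"
	Src, Dst         net.IP
	SrcPort, DstPort int
	SYN, ACK         bool // TCP flags
}

// Rule is one entry of an ordered rule set; zero values mean "match any".
type Rule struct {
	Proto    string
	Src, Dst *net.IPNet
	DstPort  int
	Allow    bool
}

func (r Rule) matches(p Packet) bool {
	return (r.Proto == "" || r.Proto == p.Proto) &&
		(r.Src == nil || r.Src.Contains(p.Src)) &&
		(r.Dst == nil || r.Dst.Contains(p.Dst)) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Filter is the packet-filtering firewall: first match decides, no match drops.
func Filter(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if r.matches(p) {
			return r.Allow
		}
	}
	return false // default deny
}

// session identifies a TCP connection by the 4-tuple as seen from its initiator.
type session struct {
	client, server string
	cport, sport   int
}

// Gateway adds the circuit-level check on top of the rule set.
type Gateway struct {
	rules    []Rule
	sessions map[session]bool
}

func NewGateway(rules []Rule) *Gateway {
	return &Gateway{rules: rules, sessions: map[session]bool{}}
}

// Inspect admits a TCP segment only when it opens a session the rules allow
// (a bare SYN) or belongs to a session opened earlier, in either direction.
func (g *Gateway) Inspect(p Packet) bool {
	if p.Proto != "tcp" {
		return Filter(g.rules, p) // no handshake to track: stateless check only
	}
	fwd := session{p.Src.String(), p.Dst.String(), p.SrcPort, p.DstPort}
	rev := session{p.Dst.String(), p.Src.String(), p.DstPort, p.SrcPort}
	if p.SYN && !p.ACK { // connection attempt: consult the rules
		if !Filter(g.rules, p) {
			return false
		}
		g.sessions[fwd] = true
		return true
	}
	return g.sessions[fwd] || g.sessions[rev]
}

// RunScenario feeds a constructed packet sequence through a gateway whose
// policy is "inside hosts may open HTTP/HTTPS to anywhere, nothing else".
func RunScenario() []bool {
	_, inside, _ := net.ParseCIDR("10.0.0.0/8") // assumed internal range
	gw := NewGateway([]Rule{
		{Proto: "tcp", Src: inside, DstPort: 443, Allow: true},
		{Proto: "tcp", Src: inside, DstPort: 80, Allow: true},
	})
	client, web, attacker := net.ParseIP("10.0.0.5"), net.ParseIP("93.184.216.34"), net.ParseIP("198.51.100.7")
	pkts := []Packet{
		{"tcp", client, web, 40000, 443, true, false},       // inside opens HTTPS: allow
		{"tcp", web, client, 443, 40000, true, true},        // SYN/ACK reply: allow, session exists
		{"tcp", client, web, 40000, 443, false, true},       // final ACK of the handshake: allow
		{"tcp", attacker, client, 5555, 22, true, false},    // inbound SSH attempt: drop
		{"tcp", attacker, client, 5555, 40000, false, true}, // forged ACK with no session: drop
		{"tcp", client, web, 40001, 25, true, false},        // inside to SMTP: not in rules, drop
	}
	out := make([]bool, len(pkts))
	for i, p := range pkts {
		out[i] = gw.Inspect(p)
	}
	return out
}

func main() {
	fmt.Println(RunScenario()) // [true true true false false false]
}
```

The fifth packet is the case the text alludes to: a stateless filter that tried to admit "established" traffic by looking at the ACK flag alone would let the forged segment through, whereas the session table rejects it because no inside host ever opened that connection.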
Application-level gateways
This kind of device, technically a proxy and so sometimes called a proxy firewall, application firewall
or gateway firewall, combines some of the attributes of packet-filtering firewalls with those of
circuit-level gateways. It protects network resources by filtering messages at the application layer: not
only according to the service for which they are intended -- as specified by the destination port -- but
also by application-level content, such as the HTTP request line and headers. Because the proxy terminates
the client's connection and opens its own connection to the server, there is never a direct packet path
between the two networks. Gateways that filter at the application layer provide considerable data
security, but they can dramatically affect network performance, since every request must be parsed and
re-issued.
Q2. What is a Digital Signature? What are the requirements of a digital signature system? List the security
services provided by it.
Sol: A digital signature is a digital code attached to an electronically transmitted document, generated
with the sender's private key and verifiable by anyone holding the matching public key, which lets the
recipient check the document's contents and the sender's identity. In practice the signature is computed
over a cryptographic hash of the message, so it stays short regardless of the message length.
Example (the message is only signed, not encrypted, so anyone can read it): 1) Alice computes a signature
over the message with her private key and sends both. 2) Bob verifies the signature with Alice's public key;
if it checks out, he knows that Alice sent the message and that it has not been modified since she signed it.
A digital signature is a mathematical scheme for demonstrating the authenticity of digital messages or
documents. A valid digital signature gives a recipient reason to believe that the message was created by a
known sender (authentication), that the sender cannot deny having sent the message (non-repudiation),
and that the message was not altered in transit (integrity).
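The Alice/Bob exchange above, carried out with a real signature scheme (Ed25519 from Go's standard library), as an added example that is not part of the original assignment. The key pairs are generated fresh on every run and the message text is made up; the three cases it exercises are the ones a recipient cares about.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signed carries a message together with a signature over it. The message
// itself is in the clear: signing provides authenticity, not secrecy.
type Signed struct {
	Message   []byte
	Signature []byte
}

// Sign is step 1: Alice signs with her private key. Ed25519 hashes the
// message internally, so the signature is 64 bytes whatever the length.
func Sign(priv ed25519.PrivateKey, msg []byte) Signed {
	return Signed{Message: msg, Signature: ed25519.Sign(priv, msg)}
}

// Verify is step 2: Bob checks the signature with Alice's public key. It
// returns true only if the signature was made by the matching private key
// over exactly these message bytes.
func Verify(pub ed25519.PublicKey, s Signed) bool {
	return ed25519.Verify(pub, s.Message, s.Signature)
}

// SignatureDemo runs the three cases and returns
// (genuine accepted, tampered rejected, other-key forgery rejected).
func SignatureDemo() (bool, bool, bool) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, malloryPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Alice signs; Bob verifies with her public key.
	genuine := Sign(alicePriv, []byte("Pay Bob 100 EUR"))
	genuineOK := Verify(alicePub, genuine)

	// Someone on the path changes the amount but cannot produce a new signature.
	tampered := Signed{Message: []byte("Pay Bob 900 EUR"), Signature: genuine.Signature}
	tamperedOK := Verify(alicePub, tampered)

	// Mallory signs her own message with her own key; it fails under Alice's key.
	forged := Sign(malloryPriv, []byte("Pay Mallory 100 EUR"))
	forgedOK := Verify(alicePub, forged)

	return genuineOK, !tamperedOK, !forgedOK
}

func main() {
	g, t, f := SignatureDemo()
	fmt.Printf("genuine accepted=%v tampered rejected=%v forgery rejected=%v\n", g, t, f)
}
```

Two things the code cannot supply on its own are exactly what the next list is about: Bob must have a trustworthy way to know that this public key belongs to Alice (a certificate or an out-of-band exchange), and non-repudiation only holds while Alice's private key is under her sole control.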
Security services provided by a digital signature:
Authentication
Integrity
Non-repudiation
Non-repudiation only holds while the private key stays under the signer's sole control, so signature
systems add safeguards around the key:
Putting the private key on a smart card
Using smart card readers with a separate keyboard (so the PIN never passes through a possibly compromised PC)
Other smart card designs
Using digital signatures only with trusted applications
Q3. Explain different security threats to Cyber Security with suitable examples.
Sol: Different security threats to Cyber Security are:
Malware: Malware is short for "malicious software." Wikipedia describes malware as a term used to
mean a "variety of forms of hostile, intrusive, or annoying software or program code." Malware includes
computer viruses, worms, Trojan horses, malicious spyware and rootkits, all of which are defined below.
Computer virus: A computer virus is a small piece of software that attaches itself to other programs or
files and spreads from one infected computer to another when those files are shared or executed. The virus
could corrupt, steal or delete data on your computer, even erasing everything on your hard drive. A virus
could also use other programs, such as your email client, to spread itself to other computers.
Trojan horse: Users can infect their computers with Trojan horse software simply by downloading an
application they thought was legitimate but was in fact malicious. Once inside your computer, a Trojan
horse can do anything from record your passwords by logging keystrokes (known as a keystroke logger)
to hijacking your webcam to watch and record your every move.
Malicious spyware: Malicious spyware describes Trojan applications created by cybercriminals to spy on
their victims. An example is keylogger software that records a victim's every keystroke. The recorded
information is periodically sent back to the originating cybercriminal over the Internet. Keylogging
software is widely available and is also marketed to parents or businesses that want to monitor their
kids' or employees' Internet usage.
Computer worm: A computer worm is a software program that can copy itself from one computer to
another without human interaction. Worms can replicate in great volume and with great speed. For
example, a worm can send copies of itself to every contact in your email address book and then send
itself to all the contacts in your contacts' address books.
Because of their speed of infection, worms often gain notoriety overnight, infecting computers across the
globe as fast as vulnerable machines come online. This happened with the Conficker worm (also known as
Downadup), whose estimated infection count more than tripled to 8.9 million in just four days.
Botnet: A botnet is a group of Internet-connected computers that have been compromised by an attacker
using a computer virus or Trojan horse. An individual computer in the group is known as a "zombie"
computer.
The botnet is under the command of a "bot herder" or "bot master," usually to perform nefarious
activities. This could include sending spam to the email contacts stored on each zombie computer, for
example. If the botnet is sufficiently large, it could be used to request a targeted website from thousands
of machines simultaneously in what is known as a distributed denial-of-service (DDoS) attack. The goal of
a denial-of-service (DoS) attack is to bring down a web server by overloading it with requests; the
distributed form is much harder to block because there is no single source address to filter. Popular
websites such as Google and Twitter have been victims of DoS attacks.
Spam: Spam in the security context is primarily used to describe email spam —unwanted messages in
your email inbox. Spam, or electronic junk mail, is a nuisance as it can clutter your mailbox as well as
potentially take up space on your mail server. Unwanted junk mail advertising items you don’t care for is
harmless, relatively speaking. However, spam messages can contain links that when clicked on could go
to a website that installs malicious software onto your computer.
Phishing: Phishing scams are fraudulent attempts by cybercriminals to obtain private information.
Phishing scams often appear in the guise of email messages designed to appear as though they are from
legitimate sources. For example, the message would try to lure you into giving your personal information
by pretending that your bank or email service provider is updating its website and that you must click on
the link in the email to verify your account information and password details.
Rootkit: According to TechTarget, a rootkit is a collection of tools used to obtain administrator-level
access to a computer or a network of computers. What distinguishes a rootkit from other malware is
concealment: it hides its files, processes and network connections from the operating system's own
tools, so that the attacker's access persists unnoticed. A rootkit could be installed on your computer by a
cybercriminal exploiting a vulnerability or security hole in a legitimate application on your PC, and may
contain spyware that monitors and records keystrokes.
Rootkits gained notoriety when, in 2005, security researcher Mark Russinovich discovered that a
copy-protection tool on music CDs from Sony BMG Music Entertainment was secretly installing a rootkit
when users played the CD on a Windows PC. At the time, security expert Bruce Schneier warned that the
rootkit could allow a hacker to "gain and maintain access to your system and you wouldn't know it."
Q4. Define EPS. Also explain the various types of EPS with suitable examples.
Sol: An e-payment system (EPS) is a way of making transactions or paying for goods and services through
an electronic medium without the use of cheques or cash. It is also called an electronic payment system or
online payment system.
Various types of EPS:
Credit Card
The most popular form of payment for e-commerce transactions is the credit card. It is simple to use;
the customer just enters the credit card number and expiry date in the appropriate area of the seller's
web page. To improve security, additional measures such as the card verification number (CVN, printed on
the card as CVV2/CVC2) have been introduced for online credit card payments. The merchant passes the CVN
to the card issuer, which compares it with the value assigned to the physical card; because merchants are
not permitted to store the CVN after authorization, a stolen database of card numbers and expiry dates
alone is not enough to pass this check.
Debit Card
Debit cards are the second largest e-commerce payment medium in India. Customers who want to
spend online within their financial limits prefer to pay with their debit cards. With a debit card the
customer can only pay for purchased goods with money that is already in his/her bank account, as
opposed to a credit card, where the amounts the buyer spends are billed to him/her and paid at the end
of the billing period.
Smart Card
It is a plastic card embedded with a microprocessor that has the customer’s personal information
stored in it and can be loaded with funds to make online transactions and instant payment of bills.
The money that is loaded in the smart card reduces as per the usage by the customer and has to
be reloaded from his/her bank account.
E-Wallet
An E-Wallet is a prepaid account that allows the customer to store multiple credit card, debit card and
bank account numbers in a secure environment. This eliminates the need to key in account information
every time a payment is made. Once the customer has registered and created an E-Wallet profile, he/she
can make payments faster, and the merchant never sees the underlying card or account numbers.
Netbanking
This is another popular way of making e-commerce payments. It is a simple way of paying for online
purchases directly from the customer's bank, and like the debit card it draws on money that is already in
the customer's account. Net banking does not require the user to have a card for payment purposes, but
the user needs to register with his/her bank for the net banking facility. While completing the purchase
the customer is redirected to the bank's site and enters his/her net banking ID and PIN there.
Mobile Payment
One of the latest ways of making online payments is through mobile phones. Instead of using a
credit card or cash, the customer sends a payment request to his/her service provider via text message,
and the customer's mobile account or credit card is charged for the purchase. To set up the mobile
payment system, the customer downloads an application from his/her service provider's website and then
links the credit card or mobile billing information to it.
Amazon Pay
Another convenient, secure and quick way to pay for online purchases is Amazon Pay. The customer
logs in with the credentials of his/her existing Amazon account and pays at leading merchant websites
and apps; the payment information stays stored with Amazon and does not have to be re-entered on each
merchant's site.
Q5. Justify the crucial role of a VPN. Discuss the various protocols used for encryption and decryption in a VPN.
Sol: A Virtual Private Network (VPN) creates a secure private network connection over a public network,
such as the Internet, and allows users to send and receive data across that secure connection. Virtual
Private Networks were once used mostly by large businesses and government organizations.
VPN tunnels have long been used to provide confidentiality and integrity for data crossing untrusted
networks like the Internet. Today, many companies use tunnels to secure traffic from remote workers to a
VPN gateway at the edge of the company network. That gateway is responsible for authenticating users
and controlling which destinations they can reach.
Today, VPNs are also leveraged for endpoint security enforcement, either alone or in conjunction
with a broader Network Access Control (NAC) deployment. Endpoint devices are checked for
compliance before being granted network access. For example, a worker on a public PC may only be
permitted to check e-mail, while a worker on a company laptop may be given access to sensitive servers.
A laptop missing patches or infected with a Trojan may be directed to a quarantine server for remediation.
Wireless users can benefit from these same security measures.
Assignment – 3
Q1. What is application development security? Describe in brief security architecture and design.
Sol: Application security is the use of software, hardware and procedural methods to protect applications from
external threats. Once an afterthought in software design, security is becoming an increasingly important
concern during development as applications become more frequently accessible over networks and are, as a
result, exposed to a wide variety of threats. Security measures built into applications and a sound application
security routine minimize the likelihood that unauthorized code will be able to manipulate applications to
access, steal, modify or delete sensitive data.
Security architecture is one component of a product's or system's overall architecture and is developed to
provide guidance during the design of the product/system. It consists of the design artifacts that describe how
the security controls (the security countermeasures) are positioned and how they relate to the overall system
architecture. These controls serve to maintain the system's quality attributes such as confidentiality, integrity
and availability. A security policy is a statement that outlines how entities access each other, what operations
different entities can carry out, what level of protection is required for a system or software product, and what
actions should be taken when these requirements are not met.
Q2. How is the physical security of an organization achieved? What is the primary measure applied for the
security of backup?
Sol: Physical security describes security measures that are designed to deny unauthorized access to facilities,
equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft,
or terrorist attacks).
Many storage professionals responsible for backups believe that the mere existence of a process for
replicating sensitive data is all that's needed to keep the organization secure. But that's only half the
battle. What can be done with the backups after the fact introduces an entirely different set of risks that
are often overlooked. Here are 10 ways you can ensure that your data backups are secure:
1. Ensure your security policies include backup-related systems within their scope. Practically every type
of security policy -- from access controls to physical security to system monitoring -- applies directly to
data backups.
2. Include your data backup systems in your disaster recovery and incident response plans. Data backups
can be breached, compromised or destroyed. Be it a malware outbreak, an employee break-in or a hurricane
-- otherwise good backups can be adversely affected, and you need a plan outlining what you're going to
do if that time comes.
3. Assign backup software access rights only to those who have a business need to be involved in the
backup process. Be sure not to overlook any Web-based interfaces that provide backup access, and keep
your original backup software media secured as well.
4. Store your backups offsite or at least in another building. I know this sounds pretty basic, but I still
see it a lot. A fire or other incident could be all that's needed to take out your data center and your
backups in one fell swoop.
5. However you choose to store your backups -- be it on tape, network-attached storage (NAS) or external
drives -- be sure to control access to the room/car/house in which the backups are stored. Handle your
backup media as you would any other critical hardware.
6. Use a fireproof and media-rated safe. Many people store their backups in a "fireproof" safe, but
typically one that's only rated for paper storage. Backup media such as tapes, optical disks and
magnetic drives have a lower burning/melting point than paper, and a standard fireproof safe only
provides a false sense of security.
7. Find out what security measures your vendors for offsite storage, data center and courier services
are taking to ensure that your backups remain safe in their hands. Although lawyers like good contracts,
they're not enough. Contracts do offer fallback measures, but they won't keep sensitive data from being
exposed in the first place, so make sure reasonable and consistent security measures are in place with any
vendor that has a hand in your backups.
8. Password-protect your backups at a minimum. Passwords aren't foolproof, because someone with the
right skills and tools may be able to crack them, and on many products password protection is only an
access control inside the backup software rather than encryption of the media; still, it is better than
nothing and provides one layer of security.
9. Encrypt your backups if your software and hardware support it. As with laptop computers and other
mobile devices, portable backup media need to be encrypted with strong passphrases, especially if they're
ever removed from the premises. Encryption implemented and managed in the right way serves as an
excellent last layer of defense. It also provides peace of mind, because the worst outcome of losing a tape
is having to buy new backup media -- which matters especially for compliance and data breach
notification, where lost but properly encrypted media often need not be treated as a breach. Keep the keys
or passphrases separate from the media and back them up too: encrypted backups without the key are as
good as no backups at all.
10. You've heard it a thousand times, but it deserves repeating: your backups are only as good as what's
on the backup media. There are two sides to this coin. First, make sure you're backing up everything
that's important. Most backups are server-centric, but what about all of that unstructured data scattered
about on your workstations and mobile devices that isn't getting backed up? Second, test your backups
regularly by actually restoring from them -- especially if you're using tape. There's nothing worse than
recovering from a loss only to find out you backed up the wrong data or no data at all.
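Points 8 and 9 above draw a line between "password protection" and real encryption of the media. The following added example (not from the original page) shows what the latter looks like when done with authenticated encryption: a key derived from a passphrase with a salted, slow KDF, AES-256-GCM over the backup bytes, and a decrypt routine that refuses to return anything if the passphrase is wrong or a single bit was altered. The backup content, passphrase and blob layout (salt || nonce || ciphertext || tag) are assumptions made for the illustration; PBKDF2 is written out here only so the block needs nothing beyond the standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	saltLen, nonceLen, tagLen = 16, 12, 16 // layout: salt || nonce || ciphertext || GCM tag
	keyLen                    = 32         // AES-256
	iterations                = 100_000    // slows down offline passphrase guessing
)

// pbkdf2SHA256 derives a key from a passphrase (RFC 8018 PBKDF2 with HMAC-SHA256).
func pbkdf2SHA256(pass, salt []byte, iter, length int) []byte {
	prf := hmac.New(sha256.New, pass)
	var out []byte
	for block := 1; len(out) < length; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup returns salt || nonce || ciphertext+tag; the salt is also bound as associated data.
func EncryptBackup(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen) // fresh random salt and nonce per backup
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(header, nonce, plaintext, salt), nil
}

// DecryptBackup reverses EncryptBackup. A wrong passphrase or any modified byte
// fails the GCM tag check, so the caller gets an error instead of corrupt data.
func DecryptBackup(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+tagLen {
		return nil, errors.New("backup blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, salt)
}

// BackupDemo returns (round trip ok, tampering rejected, wrong passphrase rejected).
func BackupDemo() (bool, bool, bool) {
	backup := []byte("customers.csv: id,name,card_last4\n1,Alice,4242\n") // constructed sample
	blob, err := EncryptBackup("correct horse battery staple", backup)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptBackup("correct horse battery staple", blob)
	roundTrip := err == nil && string(plain) == string(backup)
	evil := append([]byte{}, blob...)
	evil[len(evil)-1] ^= 0x01 // flip one bit inside the authentication tag
	_, tamperErr := DecryptBackup("correct horse battery staple", evil)
	_, wrongErr := DecryptBackup("wrong passphrase", blob)
	return roundTrip, tamperErr != nil, wrongErr != nil
}

func main() {
	fmt.Println(BackupDemo()) // true true true
}
```

The tamper case is the part a plain "password-protected" archive format usually lacks: integrity comes from the GCM tag, so a restore from modified media fails loudly rather than silently feeding altered data back into production, which is also why a restore test (point 10) should be run against the encrypted copy rather than a staging plaintext.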
Assignment – 4
ISO27001
Important Areas of Concern