
Prepared by:

RUTH G. LUCIANO
PRINCE MERT O. NICOLAS
VANESSA C. PASCUAL
JEROME MANGULABNAN
DENNIS S. ABERIN

Information Assurance and Security
(IT-IAS 01)
TABLE OF CONTENTS

Lesson Title Page

Pre-Test on Lesson 1...................................................................................... 2


1 Fundamentals of Information Assurance (IA)
and Information Security (INFOSEC) .......................................................... 3
Post-Test on Lesson 1.................................................................................... 11
Pre-Test on Lesson 2..................................................................................... 12
2 Governance and Risk Management
2.1 Assets, Attacks, Risks, Threats
Vulnerabilities and Countermeasures............................................................ 14
Post-Test on Lesson 2.1................................................................................ 20
Pre-Test on Lesson 2.2.................................................................................. 22
2.2 Certification Programs in the
Information Security Field............................................................................. 24
Post-Test on Lesson 2.2................................................................................. 32
Pre-Test on Lesson 3..................................................................................... 35
3 Risk, Response and Recovery
Security Operations and Administration....................................................... 36
Post-Test on Lesson 3.................................................................................... 49
Pre-Test on Lesson 4..................................................................................... 50
4 Information Assurance and Security
Laws and Ethics............................................................................................. 51
Post-Test on Lesson 4.................................................................................... 55
Pre-Test on Lesson 5..................................................................................... 57
5 Control in the Security and Assurance
Information
5.1 Access Control............................................................................................... 58
Post-Test on Lesson 5.1................................................................................. 62
5.2 Auditing, Testing and Monitoring................................................................. 63
Post-Test on Lesson 5.2................................................................................. 64
Pre-Test on Lesson 5.3................................................................................... 65
5.3 Basic Concepts of Cryptography................................................................... 66
Post-Test on Lesson 5.3................................................................................. 71
Pre-Test on Lesson 6...................................................................................... 72
6 Network Security........................................................................................... 73
Post-Test on Lesson 6 ................................................................................... 80
Pre-Test on Lesson 7..................................................................................... 82
7 Securing the Future through Information
Assurance and Security................................................................................. 83
Post-Test on Lesson 7 .................................................................................. 85

1. Define IA and INFOSEC;
2. Discuss the importance of studying information assurance and security (IAS);
3. Write their own IS principle/s based on the discussion made in class; and
4. Analyze a simple case related to IAS.

What is IA?
Digital Forensic and Cyber Security Center (DFCSC) defines IA as:
“…the practice of assuring information and managing risks related to the
use, processing, storage, and transmission of information or data and the
systems and processes used for those purposes. Information
assurance includes protection of the integrity, availability, authenticity,
non-repudiation and confidentiality of user data. It uses physical,
technical and administrative controls to accomplish these tasks. While
focused predominantly on information in digital form, the full range of
IA encompasses not only digital but also analog or physical form as well.
These protections apply to data in transit, both physical and electronic
forms as well as data at rest in various types of physical and electronic
storage facilities” (http://csf102.dfcsc.uri.edu,
https://en.wikipedia.org/wiki/Information_assurance)
Why Is Information Assurance Needed?
Businesses run on information, and IA is what keeps that information usable by the right people and
useless to everyone else: “IA increases the utility of information to authorized users and reduces the
utility of information to those unauthorized.” (Source: https://infogalactic.com,
https://en.wikipedia.org/wiki/Information_assurance)
In line with this, DFCSC stated that “IA practitioners must consider corporate governance issues
such as privacy, regulatory and standards compliance, auditing, business continuity, and disaster recovery
as they relate to information systems.” (http://csf102.dfcsc.uri.edu,
https://en.wikipedia.org/wiki/Information_assurance)

Information Assurance Process
The IA process, as enumerated at https://infogalactic.com and
https://en.wikipedia.org/wiki/Information_assurance, involves the following:
“1. Enumeration and classification of the information assets to be
protected.
2. Conduct of a risk assessment for those information assets (to be done
by IA practitioners).
3. Enumeration of the possible threats capable of exploiting the assets, by
determining the vulnerabilities in the information assets.
4. Consideration of the probability of a threat exploiting a vulnerability in an asset.
5. Determination of the effect and impact of a threat exploiting a vulnerability in
an asset, with impact usually measured in terms of cost to the asset's
stakeholders.
6. Summarizing the products of the threats' impact and the probability of
their occurrence in the information asset.”

Five Information Assurance Pillars

The five (5) IA pillars, as discussed at https://interparestrust.org/terminology/term/information assurance,
are “... availability, integrity, authentication, confidentiality, and non-repudiation. These pillars and any
measures taken to protect and defend information and IS, to include providing for the restoration of
information systems constitute the essential underpinnings for ensuring trust and integrity in information
systems.”

The cryptology components of IA primarily concentrate on the last four pillars, namely: “…
integrity, authentication, confidentiality, and non-repudiation. These pillars are applied in accordance
with the mission needs of particular organizations.”
(https://itlaw.wikia.org/wiki/Information_assurance)
Tylercybersecurity.com defines these pillars as follows:
“Integrity, which means protecting against improper information
modification or damage, and includes ensuring information non-
repudiation and authenticity; Confidentiality, which means preserving,
authorized restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; Authentication
is the process of determining whether someone (or something) is, in fact,
who (or what) it is declared to be…” (https://www.tylercybersecurity.com/blog/fundamental-objectives-of-information-security-the-cia-triad,
https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view,
https://www.cise.ufl.edu/~nemo/crypto/slides/ch01_overview_nemo.ppt)

Non-repudiation, on the other hand, is defined by www.cryptomathic.com as “a legal concept
that is widely used in information security and refers to a service, which provides proof of the origin of
data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully
deny who/where a message came from as well as the authenticity and integrity of that message.”

Information Security (INFOSEC)


“Information security, shortened to InfoSec, is the practice of defending information from
unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or
destruction. It is a general term that can be used regardless of the form the data may take (electronic,
physical, etc...).” (http://indiancybersecurity.com/informaton_security_protection.php,
https://onkarsule.files.wordpress.com/2012/08/informationsecurity1.pdf)
The two (2) aspects of information security are explained below.
“Information assurance is an act of ensuring that data is not lost when
critical issues arise. IT security is sometimes referred to as information
security applied to technology (most often used some form of computer
system). IT security specialists are responsible for keeping all of the

technology within the company secure from malicious cyber-attacks that
often attempt to breach into critical private information or gain control of
the internal systems.” (Sources: https://isepolido.wordpress.com,
http://indiancybersecurity.com/informaton_security_protection.php)

All institutions, public and private, handle a great deal of confidential information. With the
advent of modern technology, most of this information is now gathered, processed and
stored digitally and transmitted over computer networks. Write down ways in which this
information should be secured to prevent the loss of sensitive or confidential
information, prevent hostile use of data, and avoid damage to the organization's reputation.

WHY SECURITY?

PRINCIPLES OF SECURITY
The CIA triad embodies the three concepts that are the “fundamental security objectives for both data,
information and computing services.”
(https://www.cise.ufl.edu/~nemo/crypto/slides/ch01_overview_nemo.ppt)
These concepts are presented in the figure below:

Fig 2: CIA Triad

To clearly understand these concepts, please refer to the discussion below:
1. CONFIDENTIALITY

• “…is a set of rules that limits access to information.”
(https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA)
• The term used to “prevent the disclosure of information to unauthorized individuals or systems.”
(http://csf102.dfcsc.uri.edu, http://indiancybersecurity.com/informaton_security_protection.php,
https://onkarsule.files.wordpress.com/2012/08/informationsecurity1.pdf)
• “Measures undertaken to ensure confidentiality are designed to prevent sensitive information
from reaching the wrong people, while making sure that the right people can in fact get it.”
(http://www.clevernetsol.net/why-is-cybersecurity-important/,
https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA,
https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view)

“The terms privacy and secrecy are sometimes used to distinguish between the protection of
personal data (privacy) and the protection of data belonging to an organization (secrecy).”
(https://www.slideshare.net/FatWreckCulley/network-security-fundamentals-29523635)
Let us take this as an example:

“…credit card transaction on the Internet requires the credit card number
to be transmitted from the buyer to the merchant and from the merchant
to a transaction processing network. The system attempts to enforce
confidentiality by encrypting the card number during transmission, by
limiting the places where it might appear (in databases, backups, printed
receipts, etc.), and by restricting access to the places where it is stored. If
an unauthorized party obtains the card number in any way, a breach of
confidentiality has occurred.” (http://csf102.dfcsc.uri.edu,
https://en.wikipedia.org/wiki/Information_assurance,
http://indiancybersecurity.com/informaton_security_protection.php,
https://onkarsule.files.wordpress.com/2012/08/informationsecurity1.pdf)
In summary, confidentiality is important in maintaining people's privacy. Unauthorized
disclosure of information is likely to occur when confidentiality is lost.

2. INTEGRITY

• “…is the assurance that the information is trustworthy and accurate.”
(https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA)
• “…involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life
cycle.”
(https://www.coursera.org/lecture/introduction-cybersecurity-cyber-attacks/cybersecurity-definition-etu7J,
https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view,
https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA,
http://dlearn.eu/why-data-integrity-is-important-for-security/,
https://www.justanswer.com/computer/brdph-1-explain-detail-concept-confidentiality.html)
• “Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered
by unauthorized people (for example, in a breach of confidentiality).”
(https://cyberthreatportal.com/elements-of-cybersecurity,
https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-notes/chapter-1-introduction-to-computer-security/2575050/view,
https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA)
• This goal defines how we keep our data from being altered. The man-in-the-middle (MitM) attack,
in which an attacker sits between two parties and modifies the messages passing through, is the
classic threat to this goal. Note that encryption alone does not give integrity: a ciphertext can often
be altered without knowing the key, so integrity is enforced by a separate mechanism such as a
message authentication code (MAC) or a digital signature that the receiver checks.

Additional qualifications like “being authorized to do what one does or following the
correct procedures have also been included under the term integrity, ensuring that users of
a system, even if authorized, are not permitted to modify data items in such a way that
assets (i.e., accounting records) of the company are lost or corrupted.”
(https://www.slideshare.net/FatWreckCulley/network-security-fundamentals-29523635) DISCUSS.
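As an added example, not part of the original module, the Python code below shows how a receiver detects tampering with a keyed message authentication code (HMAC-SHA256), and why an unkeyed checksum is not an integrity control: an attacker who can change the message can simply recompute a plain hash. The shared key, the transfer message and the attacker's edits are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed shared secret for the demo; a real key is provisioned out of band
# and is never sent alongside the message.
KEY = b"demo-shared-secret-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect_mac(message: bytes, key: bytes = KEY) -> bytes:
    """Sender side: append tag = HMAC-SHA256(key, message)."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify_mac(blob: bytes, key: bytes = KEY):
    """Receiver side: recompute the tag over the received message and compare
    in constant time. Returns (accepted, message)."""
    if len(blob) < TAG_LEN:
        return False, b""
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), message


def protect_checksum(message: bytes) -> bytes:
    """Naive 'integrity': append an unkeyed SHA-256 digest."""
    return message + hashlib.sha256(message).digest()


def verify_checksum(blob: bytes):
    message, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest), message


def attacker_rewrite_amount(blob: bytes) -> bytes:
    """Man-in-the-middle step: change 100.00 to 900.00 in the message part and
    leave whatever tag/digest was attached untouched."""
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return message.replace(b"100.00", b"900.00") + tag


def attacker_rewrite_and_rehash(blob: bytes) -> bytes:
    """Against an unkeyed checksum the attacker just recomputes the digest."""
    message = blob[:-TAG_LEN].replace(b"100.00", b"900.00")
    return protect_checksum(message)


def demo():
    original = b"transfer 100.00 from acct 1001 to acct 2002"

    # Keyed MAC: untouched message passes, modified message is rejected,
    # and a tag computed with a guessed key is rejected too.
    blob = protect_mac(original)
    ok_clean, _ = verify_mac(blob)
    ok_tampered, _ = verify_mac(attacker_rewrite_amount(blob))
    forged = protect_mac(b"transfer 900.00 from acct 1001 to acct 2002", key=b"guess")
    ok_forged, _ = verify_mac(forged)

    # Unkeyed checksum: plain tampering is caught, but tampering plus a
    # recomputed digest is accepted, so the checksum protects nothing.
    cs = protect_checksum(original)
    cs_tampered_ok, _ = verify_checksum(attacker_rewrite_amount(cs))
    cs_rehashed_ok, accepted = verify_checksum(attacker_rewrite_and_rehash(cs))

    return {
        "mac_clean": ok_clean,                 # True
        "mac_tampered": ok_tampered,           # False
        "mac_forged": ok_forged,               # False
        "checksum_tampered": cs_tampered_ok,   # False
        "checksum_rehashed": cs_rehashed_ok,   # True
        "accepted_message": accepted,
    }
```

`hmac.compare_digest` is used instead of `==` so that the comparison time does not leak how many leading bytes of the tag were correct. A digital signature gives the same integrity check plus non-repudiation, since only the holder of the private key could have produced it; a MAC cannot prove origin to a third party, because both sender and receiver hold the same key.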

3. AVAILABILITY

• It means that assets are accessible to authorized parties at appropriate times.
• “Availability is very much a concern beyond the traditional boundaries of computer security. We
want to ensure that legitimate users will have reasonable access to their systems without fear of
being attacked by unauthorized users.” (https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA,
https://www.slideshare.net/FatWreckCulley/network-security-fundamentals-29523635)
• Denial-of-service attacks, discussed in Lesson 2, are the typical threat to this goal.

Assignment:
Why do we need to keep important corporate information confidential? What kinds of abuses can
you think of in the absence of controls on confidentiality? What criminal activities could be
reduced or eliminated if confidentiality controls were effectively implemented?

REFERENCES
Definition of information assurance. Retrieved from https://interparestrust.org/terminology/term/information assurance on July 13, 2020.
Elements of Cyber Security. https://cyberthreatportal.com/elements-of-cybersecurity,
https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-
notes/chapter-1-introduction-to-computer-security/2575050/view
Information assurance definition. Retrieved from https://itlaw.wikia.org/wiki/Information_assurance on
July 14, 2020.
Information security. Retrieved from https://isepolido.wordpress.com/2013/06/ on July 15, 2020.
Information security. https://onkarsule.files.wordpress.com/2012/08/informationsecurity1.pdf
Information security and protection. Retrieved from http://indiancybersecurity.com/
informaton_security_protection.php on July 15, 2020.
Metivier, Becky (2017). Fundamental objective of information security: the CIA triad. Retrieved from
https://www.tylercybersecurity.com/blog/fundamental-objectives-of-information-security-the-cia-
triad on July 14, 2020.
System fundamental for Cyber Security. Retrieved from http://csf102.dfcsc.uri.edu on July 14, 2020.
The CIA Triad. Retrieved from https://whatis.techtarget.com/definition/Confidentiality-integrity-and-
availability-CIA on July 14, 2020.
What is information assurance? Retrieved from https://infogalactic.com/info/Information_assurance on
July 14, 2020.
What is information security? Retrieved from https://infogalactic.com/info/Information_security on July
15, 2020.
What is non-repudiation? Retrieved from https://www.cryptomathic.com/products/authentication-signing/digital-signatures-faqs/what-is-non-repudiation on July 14, 2020.
Why is cyber security important? Retrieved from http://www.clevernetsol.net/why-is-cybersecurity-
important/ on July 15, 2020.
World Heritage Encyclopedia Edition (2020). Information assurance. Retrieved from
http://self.gutenberg.org/articles/eng/Information_assurance on July 14, 2020.
https://www.studocu.com/en/document/bangalore-university/operating-systems/lecture-
notes/chapter-1-introduction-to-computer-security/2575050/view
https://www.slideshare.net/FatWreckCulley/network-security-fundamentals-29523635

Directions: Match each description on the left with the term on the right that it defines. Write the
letter of your answer legibly on the space provided.

________1. Event wherein information is accessed without the consent of the authorized owner.
________2. A surveillance application that has the ability to record every keystroke that is made on the system.
________3. Anyone with a professional skill to access assets without any authorization.
________4. One who knows how to get programs and run them legitimately.
________5. Attack meant to shut down a machine or network, making it inaccessible to its intended users.
________6. Automated tools that scan web-based applications and find vulnerabilities.
________7. An action to detect vulnerabilities, prevent attacks and/or respond to the effects of successful attacks.
________8. A deliberate action aimed at weakening an enemy through subversion, obstruction, disruption, and/or destruction.
________9. A program or a dedicated device that inspects network traffic passing through it.
________10. Activities that are intended to snatch assets for the intention of using them for bad interests.

Terms:
a) Distributed Denial of Service
b) Sabotage
c) Attacks
d) Keystroke Logger
e) Breach
f) Hacker
g) Attacker
h) Cracker
i) Vulnerability Scanning Tools
j) Denial of Service
k) Espionage
l) Firewall
m) Anti-malware
n) Countermeasures
o) Attacks
p) Keystroke Logger
q) Breach

Directions: True or False. Write “True” if the statement is correct, and “False” if not.

_____________1. Spims are spams that are present in the instant messaging applications.
_____________2. Hackers have bad intentions always.
_____________3. Vulnerabilities are actions that might compromise or destroy an asset.
_____________4. Computer viruses are self-contained.
_____________5. Spam is a message that claims to warn recipients of a (non-existent) computer
virus threat.
_____________6. Interruption happens when a system becomes lost, unavailable or unusable.
_____________7. A password checker is software that is used to retrieve a forgotten password or
other network resources. Sometimes it is also used to access resources without permission.
_____________8. Backdoors refer to the hidden access included by the developers. Attackers
can use them to gain access to the Information Systems.
_____________9. The data breach is widely observed on the Web-based Information Systems
because many assets exposed over the internet are attacker’s apple of the eye.
_____________10. Grey Hat Hackers are combinations of ethical and unethical hackers.

a. identify assets
b. identify vulnerabilities
c. identify threats
d. identify controls

2.1 ASSETS, ATTACKS, RISKS, THREATS, VULNERABILITIES AND COUNTERMEASURES


Now that we have defined the main objective of this course, we will discuss the Common
Body of Knowledge in the areas of Information Assurance and Security.

ASSETS
The Crown Jewels are the precious ornaments and jewelry worn by a sovereign on certain state occasions.
More generally, “crown jewels” means a particularly valuable or prized possession, something we lock
away in a safe place.
This analogy tells us what an ASSET is. In every information system we develop, we treat the data as
crown jewels.
In information security, an ASSET is any piece of information, device, or related component that
supports business activities. Assets are the components of a computer system and/or the data stored in
it. Basically, assets are the things that must be placed under strict security measures, because failure to
do so may result in losses to the organization.
Put simply, assets are the main reason we need to secure and assure our information systems: once
they are exposed, the organization suffers losses.
In more detail, mismanagement of assets opens the door to attacks. Attacks are activities intended to
seize assets in order to use them for malicious purposes. Attacks happen everywhere, in both the public
and private sectors. One example of an attack is a data breach.
A data breach is an event in which information is accessed without the consent of its authorized owner.
Data breaches are widely observed in web-based information systems, because assets exposed over the
Internet are the apple of an attacker's eye. In fact, the number of victims in India rose by 80% in 2019.
The chart below shows the different types of web attacks recorded in the month of September 2019.

Source: https://www.hackmageddon.com/2019/11/04/september-2019-cyber-attacks-statistics/

The following is the list of assets that Information Assurance and Security tries to protect:
1. Customer Data
2. IT and Network Infrastructure
3. Intellectual Property
4. Finances and Financial Data
5. Service Availability and Productivity
6. Reputation
On the other hand, a person with the bad intention of attacking someone's assets is a Hacker. In this
module, hackers are anyone with the professional skill to access assets without authorization. Their
intention is basically to commit crimes, mostly to steal data and destroy systems. Sometimes systems are
hacked in order to hold their assets hostage, with a ransom demanded in exchange for returning them.
However, good hackers also exist. They use their skills in hardware and software to bypass the security
of a device or network, but their intention is to help the victims of attacks. Both the public and private
sectors hire good hackers to help keep their systems safe.
Computer security professionals name hackers metaphorically using hat colors: White, Black and Gray.
The names come from the old spaghetti westerns, in which the villains wore black hats, the heroes wore
white, and neutral characters wore gray.

Black Hat Hackers


Black Hat Hackers have advanced knowledge of breaking into and damaging networks. They hack by
bypassing the security measures of the network. This type of hacker also knows how to create malware
intended to gain access to systems and steal personal and financial assets.

White Hat Hackers

Hackers who use their skills to do good are referred to as White Hat Hackers. Most big companies
intentionally employ white hat hackers. Their main responsibility is to find the holes in the company's
systems by hacking them.
The main difference between White Hat Hackers and Black Hat Hackers is that white hats hack with the
owner's permission, while black hats do not. In fact, there are training courses and certifications for
ethical hacking.
Grey Hat Hackers
Grey is neither white nor black, and the same analogy applies to Grey Hat Hackers. They are a mix of
ethical and unethical. Sometimes they will look for a weakness in a system or organization without
authorization and then report it to the company, which may hire them to secure the asset. However, if
the company does not hire them, they may publish the weakness online, where Black Hat Hackers can
exploit it.
The term hacker always sounds bad to us. However, it is very important to understand that our
judgement of hackers should always depend on their intentions.
Aside from hackers, there are also those who violate or break the security of remote machines. They are
known as Crackers. Typically, crackers gain unauthorized access to vital data and deprive the original
user or owner of it.
Crackers fall into two groups: the (fortunately few and far between) experts who discover security holes
and exploit them, and the script kiddies, who only know how to get hold of existing programs and run
them. These hackers and crackers are the ones Information Security is trying to catch.
Every attacker, whether a hacker or a cracker, uses tools to perform attacks. The following are the
tools they use:
1. Protocol Analyzers (Sniffers). These applications put the host's NIC into promiscuous mode, so
that every frame seen on the network segment is passed up to the CPU rather than only the frames
addressed to that NIC. Unencrypted credentials and other data in transit can then be read.
2. Port Scanners. A port scanner is an application that probes a host for open ports, that is, for the
services that can be reached over the network.
3. OS Fingerprinting Tools. These identify a host's operating system and the versions of its services
from the way it responds to probes, for example from service banners or from details of its TCP/IP
behaviour.
4. Vulnerability Scanning Tools. These are automated tools that scan web-based applications and
find vulnerabilities such as cross-site scripting, SQL injection, command injection, path traversal
and insecure server configuration.
5. Exploit Software. An exploit is a piece of software, a chunk of data or a sequence of commands
that takes advantage of a bug or vulnerability to cause unintended or unanticipated behaviour in
computer software, hardware or other electronic equipment.
6. Wardialers. These can be used to find backdoors into your network. A wardialer dials telephone
numbers in bulk to find lines that answer with a modem or similar data connection.
7. Password Crackers. This software is used to recover a forgotten password to a system or other
network resource by guessing it; it is just as often used to access resources without permission.
8. Keystroke Loggers. A keylogger is a surveillance application that records every keystroke made
on the system to a log file, which is often encrypted or hidden so that the victim does not notice it.
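To make items 1 to 4 above concrete, here is an added Python example (not from the original module) of the simplest scanner: a TCP connect scan of two loopback ports followed by a banner grab, which is the crudest form of service fingerprinting. The target is a throwaway loopback service that the script starts itself; its SSH-style greeting string is constructed for the demo and does not come from a real daemon. Only scan hosts you are authorised to test.

```python
import socket
import threading

# Constructed greeting for the demo listener; real services send their own.
DEMO_BANNER = b"SSH-2.0-OpenSSH_8.9 demo\r\n"


class DemoService:
    """Throwaway loopback TCP service that plays the scan target."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))   # port 0: let the kernel pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while self._running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(DEMO_BANNER)  # greet, then hang up

    def stop(self):
        self._running = False
        self._thread.join()
        self.sock.close()


def free_closed_port() -> int:
    """Reserve and release a port so we have a known-closed port to scan."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host: str, port: int, timeout: float = 1.0):
    """TCP connect scan of one port. The full three-way handshake completes,
    which is reliable but noisy: the target's logs will show the connection.
    Returns (state, banner) where state is 'open' or 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) != 0:  # refused or timed out
            return "closed", b""
        try:
            banner = s.recv(256)             # many services talk first
        except socket.timeout:
            banner = b""
        return "open", banner.strip()


def fingerprint(banner: bytes) -> str:
    """Crude service fingerprinting from the greeting string."""
    if banner.startswith(b"SSH-"):
        return "ssh " + banner.split(b" ")[0].decode("ascii", "replace")
    if banner.startswith(b"220"):
        return "smtp-or-ftp"
    if banner.startswith(b"HTTP/"):
        return "http"
    return "unknown"


def scan(host: str, ports, timeout: float = 1.0):
    """Scan each port and return {port: (state, fingerprint)}."""
    results = {}
    for port in ports:
        state, banner = probe(host, port, timeout)
        results[port] = (state, fingerprint(banner) if state == "open" else "")
    return results


def demo():
    svc = DemoService()
    closed = free_closed_port()
    try:
        return scan("127.0.0.1", [svc.port, closed]), svc.port, closed
    finally:
        svc.stop()
```

A connect scan cannot tell a filtered port (firewall silently drops the SYN, so the connect times out) from one that is merely slow, which is why real scanners also use half-open SYN scans and vary their timing; on the defending side, the completed handshakes are exactly what an intrusion detection system or the service's own log will record.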

Security Breach
Security breaches happen a lot, not necessarily at your house, but in organizations large and small.
The intention to damage a company's standing and finances is one concrete reason why security
breaches exist.
Security and data breaches can happen on a large, uncontrollable scale.
A breach happens when an attacker or intruder gains access without the permission of the asset's owner
or keeper. They use bypass mechanisms that typically reach restricted areas. A security breach is a
violation that can lead to damage and even loss of assets.
Put simply, a Security Breach is any action that results in a violation of the CIA triad (confidentiality,
integrity or availability). Most breaches disrupt services intentionally; some are accidental, but both
kinds can cause hardware or software failures.
The following are activities that cause security breaches:
1. Denial of Service (DoS) attack. An attack that disables a machine or network, so that
legitimate users cannot use the affected asset.
2. Distributed Denial-of-Service (DDoS). The attacker floods the target with traffic from many
sources at once, so that legitimate users are denied use of the network or node.
3. Unacceptable Web Browsing. Acceptable browsing is defined in an Acceptable Use Policy
(AUP); browsing outside it, such as hunting through directories for files one is not entitled to or
visiting restricted sites, is a breach.
4. Wiretapping. The practice of connecting a listening device to a telephone line (or, by extension,
a network link) to secretly monitor a conversation.
5. Backdoors. Hidden access paths left in by developers. Backdoors are used to obtain access to
data repositories.
6. Data Modifications. Changes to data that happen purposely or accidentally; this includes
incomplete and truncated data.
Additional security challenges may include:
1. Spam and Spim. Spam is unsolicited email; spim is spam over instant messaging.
2. Cookies. Cookies are small chunks of data, which may include login credentials or session
tokens, stored by the browser to give the user a smoother browsing experience; if they are stolen,
so is the session.
3. Hoaxes. A hoax is a message that claims to warn recipients of a (non-existent) computer virus
threat.

RISK, THREATS AND VULNERABILITIES


Risk, threats and vulnerabilities are characteristics that describe something that needs to be taken
care of. Failing to do so may lead to an attack.
Risk refers to the probability that something bad will happen to a specific asset.
A Threat is defined as any action that might compromise or destroy an asset.
A Vulnerability is a weakness in a system or network that a threat can exploit to cause harm.
A wide variety of threats spread out across the Internet, so much so that many call the Internet a
marketplace of threats.

Threats can be categorized into three types:

1. Disclosure Threats. These include sabotage and espionage.
2. Alteration Threats. One example is unauthorized changes: modifications that go beyond the
policy that has been agreed upon.
3. Denial or Destruction Threats. DoS and/or DDoS attacks best illustrate these threats.

Categories of Malicious Attacks


Malicious attacks can be classified according to the intent of the action. These may include the following:
1. Interception: an unauthorized party gains access to an asset. This includes illicit program
copying and/or wiretapping.
2. Interruption: a system becomes lost, unavailable or unusable.
3. Modification: an unauthorized attacker tampers with an asset.
4. Fabrication: an unauthorized party inserts counterfeit objects (for example, forged messages or
records) into a system or network.
Types of Active Threats
The following lists types of active threats that developers and information security professionals
should be aware of:
1. Birthday Attacks
2. Brute-Force Password Attacks
3. Dictionary Password Attacks
4. IP Address Spoofing
5. Hijacking
6. Replay Attacks
7. Man-in-the-Middle Attacks
8. Masquerading
9. Social Engineering
10. Phishing
11. Phreaking
12. Pharming
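The password cracker listed among the attacker tools earlier and the brute-force and dictionary attacks in this list all work the same way: guess, hash, compare. As an added example (not from the original module), the Python below runs a dictionary attack and a short brute-force search against constructed password hashes, and shows why the defender's choice of hash matters: an unsalted fast hash can be attacked with a precomputed table that is reused against every victim, while a per-user salt and a deliberately slow key-derivation function (PBKDF2 here) make the attacker pay for every guess, per user. The wordlist, passwords and iteration counts are made up for the demo.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed wordlist; real ones (leaked-password lists) run to millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2020", "Welcome1"]


def weak_hash(password: str) -> str:
    """Unsalted single SHA-256: fast, and equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256 (a deliberately slow KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_weak_with_table(target_hash: str, wordlist):
    """Dictionary attack via a precomputed lookup table. The table is built once
    and works against every user's hash, because nothing is salted."""
    table = {weak_hash(word): word for word in wordlist}
    return table.get(target_hash)


def crack_strong(target: bytes, salt: bytes, iterations: int, wordlist):
    """Dictionary attack on a salted PBKDF2 hash: same words, but every guess
    costs a full KDF run, and the salt makes table reuse across users impossible.
    Returns (password or None, number of KDF runs spent)."""
    runs = 0
    for word in wordlist:
        runs += 1
        if hmac.compare_digest(strong_hash(word, salt, iterations), target):
            return word, runs
    return None, runs


def brute_force_weak(target_hash: str, alphabet=string.digits, max_len=4):
    """Exhaustive search of every string up to max_len over the alphabet.
    Feasible here only because the space is tiny (11,110 digit strings)."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if weak_hash(candidate) == target_hash:
                return candidate
    return None


def demo(iterations: int = 20_000):
    salt = os.urandom(16)  # per-user random salt

    # 1. Dictionary attack on an unsalted SHA-256 hash: an instant table lookup.
    weak_found = crack_weak_with_table(weak_hash("letmein"), WORDLIST)

    # 2. Same weak password behind salted PBKDF2: still found, but only after
    #    paying for each guess; no precomputed table could have been reused.
    strong_found, runs = crack_strong(strong_hash("letmein", salt, iterations),
                                      salt, iterations, WORDLIST)

    # 3. A passphrase that is not in the wordlist survives the dictionary attack.
    miss, _ = crack_strong(strong_hash("correct horse battery staple", salt, iterations),
                           salt, iterations, WORDLIST)

    # 4. Brute force of a 4-digit PIN stored as a fast unsalted hash.
    pin = brute_force_weak(weak_hash("4821"))

    return weak_found, strong_found, runs, miss, pin
```

Note what the slow, salted hash does and does not buy: "letmein" is still recovered in three guesses, because the password itself is in every wordlist. Salting and a slow KDF raise the attacker's cost per guess; they do not rescue a weak password. Length requirements, rejecting known-breached passwords, rate limiting on the login endpoint and multi-factor authentication are the complementary countermeasures.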
Malicious Software (Malware)
Software that we install on our systems (or that arrives without our knowledge before, during or after a
legitimate installation) is considered malicious if it:
1. Causes damage
2. Escalates security privileges
3. Divulges private data
4. Modifies or deletes data

General Classification of Malware
Virus
Like human being, our systems or assets can be infected by a virus too. In computing, virus comes into
another program or application. Basically, it contaminate a program and can cause it to be copied to other
computers themselves. Most of the time, when the user uses an infected application, the virus triggers.
Worm
Worm refers to a program that is self-contained. This also duplicates and send itself to other hosts without
any user intervention. One scary thing about worm is that, it does not need an application that is installed
to contaminate the whole system.

Trojan Horse
Trojan Horse is a malware that hides into a useful program. This collects sensitive information, and may
open backdoors into computers. Trojan Horse can actively upload and download files.
Rootkit
A rootkit is a group of malicious software. Basically, these applications gain unauthorized access to a
machine and hide their existence from the other applications.
Spyware
Spyware is a type of malware that targets confidential data. Mostly it monitors the user's actions and can
even carry out actions such as scanning, snooping and installing more spyware. It can even change the
default browser of a computer.

COUNTERMEASURES
As the old saying states, prevention is better than cure; in information security we can also cure, if not
prevent, these attacks. There are suggested activities and tools that we, as Information Security
Professionals, can use as an antidote or defense against the said attacks.
A countermeasure, basically, is an action to detect vulnerabilities, prevent attacks and/or react to the
impacts of successful attacks. In case of an attack, a victim can get help from security consultants, law
enforcement offices and/or experts.
The following are countermeasures that can help in preventing and/or curing malware:
1. Training events for users
2. Regular updates and bulletins about malware
3. Do not transfer assets to untrusted or unknown sources.
4. Evaluate new programs or quarantine files on a computer
5. Purchase and install anti-malware software and scan your files on a regular basis
6. Use strong login credentials
On the other hand, a firewall can defend your system from various forms of attack too. Basically, a firewall
is a program or a dedicated device that inspects the traffic present on a network. Its purpose is to
permit or deny traffic depending on the protocol.
Directions: Write the letter of the correct answer on the space provided before each item.
_________1. What do you call the unsolicited messenger you found on your Facebook messenger?
a. Spam b. Spim
c. Junk d. Archive
_________2. The following are the ways to prevent malware EXCEPT for what?
a.Conduct educating sessions
b. Utilize powerful usernames and passwords
c.Sell them your downloaded anti-malware programs
d.Scan your drives regularly and put malicious files on quarantine
_________3. It is a type of malware that masquerades as an essential application,
a.Trojan Horse b.Worm
c.Virus d.Rootkit
_________4. It refers to a suggested activity that may help to assure the safety of your assets.
a.Countermeasure b.Scanning
c.Quarantine d.Anti-malware
_________5. We can say that a file is malicious if it _________,
a.Causes damage b.Escalates security privileges
c.Divulges private data d.Back-ups important files
_________6. It refers to the data that one needs to enable to maximize web-browsing capability.
a.Hoax b.Worm c.Cookies d.Incognito
_________7. This refers to a threat when someone exploits the confidential information into organization
or people for intention of attacking the asset’s owner.
a.Death Threat b.Disclosure Threat
c.Unauthorized Threat d.Hijacking
_________8. The following are "Security Breaches" EXCEPT for what?
a.Denial of Service Attack(DoS) b.Distributed denial-of-service (DDoS)
c.Wiretapping d.Computer Formatting
_________9. The following are the things that Information Security is trying to protect EXCEPT for what?
a. Attitudes b.Bank Accounts
c. Registration Details d. LAN and WAN Networks
_________10. Assets, such as Crown Jewels should be kept in________.
a.Treasure Box b.Vault
c.Secured database d. Fault-free bodega

POST-TEST. Quiz 2.2


Directions: Tell whether each of the following is an asset, threat, risk, vulnerability, or countermeasure.
________________1. The manager told a client the account balance of his/her rival.
________________2. The student wrote his home address on the registration form.
________________3. The Network Engineer left the server room open while he/she went for a snack.
________________4. The anti-malware software runs scan every three hours.
________________5. The hacker of your rival company found out that your login credential is your
birthday.
________________6. You found out that your computer is infected and you run the back-up quickly.
________________7. You answered 150,00.00 on the survey of your family’s annual income.
________________8. The IT Team advises their online bankers not to share their One-Time Passwords
(OTP)
________________9. Your anti-malware application expired and you did not purchase a good one to
secure your files.
________________10. The manager forgot to lock his/her computer because of the tension happened in
the office.

Directions: Write down the letter of the correct/best answer on the space provided before each item.
_____1. The following are Vendor-Neutral Certifications EXCEPT for what?
a. GIAC b. CIW c. CISCO d. CISSP
_____2. The following are aspects of GIAC-SANS Certifications but not__________.
a.Health b.Audit c.Laws d. Hardware Security
_____3. The highest rank on CISCO certification is the ________,
a.Engineer b.Architect c.Associate d. Expert
_____4. To become eligible in the CIW Web Security Specialist certification, how many certification
from CIW-approved credential list, an applicant must possess?
a.One b.Two c.Three d. None
_____5. This (ISC)2 Certification recognizes your knowledge and ability to successfully implement,
manage or assess security and privacy controls for healthcare and patient information.
a. HCISPP b. SSCP c. CISSP d. CCSP
_____6. National Training Standard for Information Systems Security (InfoSec) Professionals
a.NSTISS-4011 b.CNSS-4012
c.CNSS-4013 d.CNSS-4014
_____7. It has replaced the 8570.01 directive.
a.8140 b.8411 c.8140.1 d.8410
_____8. They manufacture a variety of network security hardware and software. They also offer a varied
range of certifications for their networking product line. Basically, they offer four levels from 11 different
tracks.
a.Juniper Networks b.CISCO c.ISACA d.APPLE
_____9. Vendor-Specific Certification wherein for one to be certified they require their applicants to pass
an exam that involves 80 percent study materials and 20 percent hands-on experience.
a.Juniper Networks b.CISCO c.Check Point d.RSA
_____10. Their main job is to protect the assets of the company from inside and outside
threats.
a.IS Security Professional b. IS Security Associate
c. IS Security Clerk d. IS Security Expert

2.2 CERTIFICATION PROGRAMS IN THE INFORMATION SECURITY FIELD

1. demonstrate understanding of the different job responsibilities of an Information Security Professional;
2. enumerate the different certifying bodies in the Information Security Field; and
3. demonstrate understanding of the coverage of each certification.

INTRODUCTION
Just like in any other field, one shall undergo training and pass a series of assessments to be certified in
the profession. In information security, there are also evaluations conducted so that one can become an
expert in it. Mostly, these certifications are given by a specialized agency, either through the
government or by the private sector.

Information Security Professional

Information Security Professional is a title for an individual who possesses a certification in the field
of Information Security. Their primary function is to secure the company's properties from internal and
external risks. They are in charge of making sure that the organization's assets are free from attacks.
Since we treat our assets as our crown jewels, we shall assign someone to take care of them. That is
the main reason why companies, whether private or public, employ IS Professionals.
Career Description, Duties and Common Tasks
The following are the main duties and tasks of an Information Security Professional:

• Monitors the IT system and looks for threats and vulnerabilities;
• Creates protocols for identifying and eliminating threats;
• Maintains updated anti-virus software that blocks the threats;
• Facilitates trainings to support minimizing threats in the organization;
• Identifies the software that is safe for the organization to use;
• Investigates cases of asset leaks and exploitation;
• Troubleshoots, maintains and manages IT security equipment;
• Documents the reports of incidents and cases relating to information;
• Works hand-in-hand with the IT Manager.

The Department of Defense (DoD) is the one that certifies an individual who wishes to get a license in the
field. As an agency which primarily provides security to the whole nation, it shall also be held liable if
ever someone whom it certifies carries out an attack on any entity. For this reason, the DoD is very strict
in implementing its series of directives.

Certifications and Trainings
DoD Directive 8570.01
The DoD Directive 8570.01 is also known as Information Assurance Training, Certification and
Workforce Management. This directive mainly affects any DoD facility or contractor organization.
It is intended to ensure that all personnel directly involved with information protection are accredited
with licenses.
DoD Directive 8140
The DoD Directive 8140 has replaced the 8570.01 directive. It was developed by the Defense Information
Systems Agency (DISA), and it identifies the roles of a certified individual, such as providing protection,
operating and maintaining, protecting and defending, researching, managing, collecting, overseeing,
developing and investigating. For someone who wishes to get a certification, it is very important to
undergo the prescribed trainings. The US DoD/NSA set the training standards listed below:

Vendor-Neutral Professional Certifications
Information Security Assurance Certifications (ISC)2
Vendor-neutral certifications cover general ideas and subjects.
Basically, (ISC)2 certifies individuals who aspire to have greater information security skills. The
following are the certifications that (ISC)2 covers.

Global Information Assurance Certification (GIAC-SANS)
GIAC Certifications develops and administers certification programs for information security. More than 30
cyber security certifications correspond with SANS training and guarantee mastery in vital, advanced
InfoSec domains. GIAC Certifications provide industry, state and military clients worldwide with the
highest and most comprehensive assurance of information security expertise and skills available.
GIAC identifies several job disciplines in information security, such as audit, forensics, legal,
management, security administration and software security.
The following table shows the job discipline, level and credential for GIAC certifications.

Certified Internet Webmaster (CIW)
CIW is the world's leading vendor-neutral training and certification program in IT and Internet technology.
The CIW credentials concentrate on security in general as well as on web site security. They basically
require completing the requirements of the other vendor-neutral certifications. For CIW Web Security
Associate, one shall pass the Web Security Associate exam (1D0-571); for CIW Web Security Specialist, one
shall pass the Web Security Associate exam (1D0-571) and earn ONE credential from the CIW-approved
credential list; and for CIW Web Security Professional, an applicant shall pass the Web Security Associate
exam (1D0-571) and earn TWO credentials from the CIW-approved credential list.
CompTIA Security+
CompTIA Security+ is a global credential validating the baseline skills you need to perform core security
functions and pursue a career in IT security. CompTIA Security+ should be the first IT security
certification a specialist earns. It establishes the core knowledge needed for any position in cybersecurity
and provides a springboard to intermediate-level cybersecurity jobs.
Skills such as the following are acquired through this certification:

• Detect various types of compromise and understand penetration testing and vulnerability
scanning concepts
• Install, configure, and deploy network components while assessing and troubleshooting issues to
support organizational security
• Implement secure network architecture concepts and systems design
• Install and configure identity and access services, as well as management controls
• Implement and summarize risk management best practices and the business impact
• Install and configure wireless security settings and implement public key infrastructure

ISACA
ISACA is an international professional association focused on IT (information technology) governance.
On its IRS filings, it is known as the Information Systems Audit and Control Association. ISACA offers
four certifications for IT auditors, risk management and IT management professionals and managers.
ISACA offers:
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified in the Governance of Enterprise IT (CGEIT)
• Certified in Risk and Information Systems Control (CRISC)

VENDOR-SPECIFIC PROFESSIONAL CERTIFICATIONS
Vendors of hardware and software products provide VENDOR-SPECIFIC technical certifications. A
certificate signifies competence in the product line of a specific vendor. Vendors administer various types
of tests, and if an applicant satisfies the qualification criteria, the applicant is considered to have a certain
degree of competence.
CISCO Systems
Cisco is one of the main producers of networking software and network protection tools.
It provides a variety of certifications for its networking products, at several different levels of
qualification along various paths.
The following table shows the different levels and their corresponding CISCO certifications.

Juniper Networks
Juniper Networks builds a combination of hardware and software for network security. Like CISCO, it
also provides a wide set of certifications for its product line. Basically, Juniper Networks offers four
levels across 11 different tracks.
The following table shows offered tracks.

RSA
RSA Global is a supplier of workplace health, risk and regulatory solutions. It offers courses to help
professionals use its products safely and effectively. It also offers certifications on RSA Archer and
RSA SecurID.

Symantec
Symantec offers a wide range of security software products. It tests applicants on its product lines for
certifications, including:
• Administration of Symantec NetBackup for UNIX
• Administration of Symantec Enterprise Vault for Exchange
• Administration of Symantec Endpoint Protection
• Administration of Symantec NetBackup for Windows

Check Point
Check Point is a global producer of network security systems and software.
It provides educational and certification pathways for security practitioners to promote awareness and
skills. It requires applicants to pass an examination that is 80% based on study materials and 20% on
practical experience.
Check Point certifications are shown in the table below:

Directions: Complete the following OATH statements with words that are appropriate to the job
responsibilities of an Information Security Professional.

As an Information Security Professional I, _________________________________ promise
to do my job to....
1. Work hand-in-hand with the ________________.
2. Monitor the IT System and look for ___________ and ___________;
3. Troubleshoot, maintain and manage ________________________;
4. Identify the _______________ that are safe to use by the organization;
5. Investigate cases of asset ___________ and ____________________;
6. Maintain updated ___________________ that blocks the threats;
7. Facilitate ______________ to support minimizing threats in the organization;
8. Create __________________ in identifying and eliminating threats;
9. Document the reports of _________________ with relation to information;
10. Be held liable for ________________________________.

Directions: Write the letter of the correct answer on the space provided before each item.
_____1. This (ISC)2 Certification recognizes your knowledge and ability to successfully
implement, manage or assess security and privacy controls for healthcare and patient
information.
a. HCISPP b. SSCP c. CISSP d. CCSP

_____2. National Training Standard for Information Systems Security (InfoSec) Professionals
a.NSTISS-4011 b.CNSS-4012
c.CNSS-4013 d.CNSS-4014

_____3. The following are aspects of GIAC-SANS Certifications but not _______.
a.Health b.Audit c.Laws d. Hardware Security

_____4. The highest rank on CISCO certification is,
a.Engineer b.Architect c.Associate d. Expert

_____5. Their main job is to protect the assets of the company from inside and outside
threats.
a.IS Security Professional b. IS Security Associate
c. IS Security Clerk d. IS Security Expert

_____6. The following are Vendor-Neutral Certifications EXCEPT for what?
a.GIAC b.CIW c.CISCO d. CISSP

_____7. They manufacture a variety of network security hardware and software. They also offer
a varied range of certifications for their networking product line. Basically, they offer four levels
from 11 different tracks.
a.Juniper Networks b.CISCO c.ISACA d.APPLE

_____8. To become eligible in the CIW Web Security Specialist certification, how many
certification from CIW-approved credential list, an applicant must possess?
a.One b.Two c.Three d. None

_____9. Vendor-Specific Certification wherein, for one to be certified, they require their
applicants to pass an exam that involves 80 percent study materials and 20 percent hands-on
experience.
a.Juniper Networks b.CISCO c.Check Point d.RSA

_____10. It has replaced the 8570.01 directive.
a.8140 b.8411
c.8140.1 d.8410

1. define the concepts of risk management, specific response strategies and issues related to IT systems
recovery;

What is Risk Management?


Risk management is the process of identifying risk, as represented by vulnerabilities, to an
organization's information resources and infrastructure, and taking measures to reduce this risk to an
acceptable level.

Purpose of Risk Management


The aim of risk management is to detect potential issues before they arise so that risk-handling
measures can be prepared and used as required during the product or project life to minimize adverse
impacts on achieving goals.
Risk identification
Risk identification is the examination and documentation of an organization's IT security situation and
the threats it faces. A risk management strategy requires information security professionals to know
their organization's information assets, that is, to identify, classify and prioritize those assets.

Components of risk identification

Organize and plan the process
• Start by organizing a team, typically made up of representatives of all affected groups;
• The process shall then be organized with regular deliverables, updates and management
presentations;
• Tasks are laid out, assignments are made and schedules are addressed. Only then is the organization
ready to actually begin the next step: identifying and categorizing assets.

Identifying, Inventorying and Classifying Assets
• The iterative process starts with the enumeration of assets, including all elements of an organization's
system, such as people, procedures, data and information, software, hardware and networking
elements.
• Then the assets are classified and categorized, adding detail as you dig deeper into the analysis.

Categorization of information system elements

Identification of people, procedures and data assets

• Human resources, documentation and data assets are more difficult to identify than the hardware and
software assets.
• The task should be delegated to individuals with knowledge, experience and judgment.
• Once the people, procedures and data assets are identified, they should be recorded using a
reliable data-handling process.

Identification of hardware, software and network assets
• Which attributes of the information assets to track depends on:
- Organizational / risk-management needs
- The preferences / needs of the security and information technology communities
• Asset attributes to consider:
- Name
- IP address
- Media access control (MAC) address
- Element type
- Serial number
- Manufacturer name
- Manufacturer's model number or part number
- Software version, update revision or FCO number
- Physical location
- Logical location
- Controlling entity
Asset Categorization
• People comprise employees and non-employees.
• Procedures are either standard procedures that do not reveal useful information to a potential intruder,
or sensitive procedures that may allow an attacker to gain an advantage.
• The data components account for the information being transmitted, processed and stored.
• The software components include applications, operating systems and security components.
• Hardware is either regular system devices and peripherals, or components of information
security control systems.

Evaluation of Information Assets
• Questions help to formulate asset valuation criteria.
• Which information asset:
– Is the most critical to the success of the organization?
– Generates the most revenue / profitability?
– Plays the biggest part in revenue generation or service delivery?
– Would be the most expensive to replace or to protect?
– If revealed, would be the most embarrassing or would cause the greatest liability?

• Prioritization of information assets
– Create weightings for each question based on the answers given for each division.
– Prioritize each asset using the weighted factor analysis.
– List the assets in order of importance using the weighted factor analysis worksheet.

Identification and prioritization of threats

• Realistic threats call for investigation; minor threats are set aside.
• Threat assessment:
– Which threats present a danger to the assets?
– Which threats represent the greatest danger to the information?
– How much would it cost to recover from a successful attack?
– Which threat requires the greatest expenditure to prevent?

Specifying asset vulnerabilities
• Vulnerabilities are the specific avenues that threat agents can exploit to attack an organization's
information assets.
• Examine how each threat could be perpetrated, and list the organization's assets and their
vulnerabilities.
• The process works best when people with different backgrounds within the organization work
iteratively through a series of brainstorming sessions.

Risk Assessment
• Risk assessment evaluates the relative risk for each vulnerability.
• Each information asset is assigned a risk rating or score.
• Planning and organizing risk assessment
– The goal at this point is to create a method for evaluating the relative risk of each vulnerability
identified.
Likelihood
• Likelihood is the probability that a specific vulnerability will be the object of a successful attack.
• In risk assessment, a numerical value is assigned to the likelihood.
• NIST Special Publication 800-30 suggests assigning a number between 0.1 (low) and 1.0 (high).
• Wherever possible, use external references for likelihood values that have been reviewed and
adjusted for your particular circumstances. Many asset/vulnerability combinations have sources
of likelihood, for instance:
– The likelihood of any given e-mail containing a virus or worm has been researched.
– The number of attacks on a network can be estimated from the number of addresses assigned
to the business.

Assessing the Magnitude of Loss

• The next step is to determine how much of an information asset could be lost in a
successful attack.
• This combines the value of the information asset with the amount of the asset destroyed in the event
of a successful attack.
• Issues include:
– Value of the information asset
– Measuring the amount of information destroyed in best-case, worst-case and most
probable scenarios

Risk Calculation
• For the purposes of relative risk assessment, risk is equal to:
– likelihood of vulnerability occurrence times value (or impact)
– minus the percentage of risk already controlled
– plus an element of uncertainty

Identify Potential Controls

• For each threat and its related vulnerabilities that have residual risk, create a ranked list of
relative risk levels and preliminary control ideas.
– Residual risk is the risk that remains to the information asset even after the controls have
been applied.
• There are three general types of controls:
– Policies: documents specifying the security approach of an organization.
• There are four types of security policies:
– General security policies
– Program security policies
– Issue-specific policies
– Systems-specific policies
– Programs: activities carried out inside the company to strengthen security.
– Technologies: technical implementations of the policies defined by the organization.
• Where the risk appetite is lower than the residual risk, additional risk reduction strategies need to
be sought.

Documenting Risk Assessment Results

• The Ranked Vulnerability Risk Worksheet is the final summary document.
• The worksheet describes assets, the relative value of assets, vulnerabilities, frequency of losses and
magnitude of losses.
• The goal so far has been to identify and list information assets with specific vulnerabilities,
ranked by those most in need of protection.
• The Ranked Vulnerability Risk Worksheet is organized as follows:
– Asset: List each identified vulnerable asset.
– Asset Impact: Show the result for this asset from the weighted factor analysis workbook. In the
example, this is a number from 1 to 100.
– Vulnerability: List every uncontrolled vulnerability.
– Risk-Rating Factor:
• Enter the figure from the asset impact calculation
• Multiply by the likelihood
• In the example, the result of the calculation is a number from 1 to 100.
• The most pressing risk in the table below is the vulnerable mail server. While the information
asset represented by the customer support e-mail has an impact rating of only 55, the fairly high
likelihood of hardware failure makes it the most urgent problem.
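As an added example (not part of the module), the risk formula and the worksheet columns described above are carried through in Python: each entry holds the asset impact (1 to 100), the NIST SP 800-30 likelihood (0.1 to 1.0), the share of risk already controlled and an uncertainty share, and the worksheet is ranked by the resulting risk-rating factor. The asset names and values are constructed, and reading "percentage already controlled" and "uncertainty" as percentages of the likelihood times impact product is an assumption.

```python
"""Relative risk calculation and ranked vulnerability risk worksheet.

risk = (likelihood x impact) - (share already controlled) + (uncertainty share)

Likelihood follows the NIST SP 800-30 scale quoted in the module (0.1 .. 1.0);
asset impact comes from the weighted factor analysis (1 .. 100).  The
"controlled" and "uncertainty" terms are taken as fractions of the
likelihood x impact product (an assumption, see lead-in).
Every asset, vulnerability and value below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

LIKELIHOOD_MIN, LIKELIHOOD_MAX = 0.1, 1.0   # NIST SP 800-30 range used in the text
IMPACT_MIN, IMPACT_MAX = 1, 100             # weighted factor analysis range


@dataclass
class Vulnerability:
    asset: str                # information asset the vulnerability applies to
    impact: int               # asset impact from weighted factor analysis (1..100)
    vulnerability: str        # uncontrolled vulnerability
    likelihood: float         # probability of a successful attack (0.1..1.0)
    controlled: float = 0.0   # fraction of the risk already mitigated (0..1)
    uncertainty: float = 0.0  # fraction added for imprecise estimates (0..1)

    def risk_rating(self) -> float:
        """Risk-rating factor: likelihood x impact, minus the controlled share,
        plus the uncertainty share (rounded to two decimals)."""
        if not LIKELIHOOD_MIN <= self.likelihood <= LIKELIHOOD_MAX:
            raise ValueError(f"likelihood {self.likelihood} outside "
                             f"{LIKELIHOOD_MIN}..{LIKELIHOOD_MAX}")
        if not IMPACT_MIN <= self.impact <= IMPACT_MAX:
            raise ValueError(f"impact {self.impact} outside {IMPACT_MIN}..{IMPACT_MAX}")
        if not (0.0 <= self.controlled <= 1.0 and 0.0 <= self.uncertainty <= 1.0):
            raise ValueError("controlled and uncertainty must be fractions 0..1")
        base = self.likelihood * self.impact
        return round(base - base * self.controlled + base * self.uncertainty, 2)


def ranked_worksheet(entries: List[Vulnerability]) -> List[Dict]:
    """Build the ranked vulnerability risk worksheet rows, highest risk first."""
    rows = [
        {"asset": e.asset, "impact": e.impact, "vulnerability": e.vulnerability,
         "likelihood": e.likelihood, "risk_rating": e.risk_rating()}
        for e in entries
    ]
    return sorted(rows, key=lambda r: r["risk_rating"], reverse=True)


def above_risk_appetite(rows: List[Dict], appetite: float) -> List[Dict]:
    """Rows whose residual risk still exceeds the organization's risk appetite,
    i.e. the ones for which additional controls must be sought."""
    return [r for r in rows if r["risk_rating"] > appetite]


# Constructed sample: the module's mail server (impact 55, likely hardware
# failure) next to two other assets with higher impact but lower likelihood.
SAMPLE = [
    Vulnerability("Customer support e-mail (mail server)", 55,
                  "Hardware failure", 0.8),
    Vulnerability("Customer order database", 100,
                  "Injection flaw in order form", 0.3,
                  controlled=0.5, uncertainty=0.2),
    Vulnerability("Public web server", 60,
                  "Unpatched web server software", 0.5, uncertainty=0.1),
]

if __name__ == "__main__":
    print(f"{'Risk':>6}  {'Asset':40s} Vulnerability")
    for row in ranked_worksheet(SAMPLE):
        print(f"{row['risk_rating']:6.2f}  {row['asset']:40s} {row['vulnerability']}")
```

Running it ranks the mail server first (0.8 x 55 = 44) ahead of the database, whose impact of 100 is offset by a lower likelihood and existing controls.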

• Now that you have completed the risk identification process:

• What should the documentation for this process look like? What are the deliverables of this
phase?
– A description of each report, and of who is responsible for preparing and
reviewing it.
– The Ranked Vulnerability Risk Worksheet is the initial working document for the next step of
the risk management process: risk evaluation and monitoring.
What is Risk Response?
Risk response is the process of developing strategic options and identifying actions to enhance
opportunities and reduce threats to the objectives of the project.
Positive Risk (opportunity):
– An opportunity for the project
– You should not ignore it but boost it and make the most of it
– Brings a good outcome and results in the success of the project
Negative Risk (threat):
– A threat to the project
– Avoid it, and remove it
– Brings a negative outcome and can lead to project failure

Planning Risk Responses

Risk Management Plan: includes roles and responsibilities, risk analysis definitions, timeframes for
reviews, and risk thresholds for low, moderate and high risks.
Positive risks are situations that may bring great possibilities if you take good advantage of
them.
Formal management approaches for responding to positive risks are as follows:
• Exploit: exploiting a positive risk requires ensuring that everything is in place to improve the
probability of the event happening.
• Share: sharing a positive risk involves allocating some or all of the ownership of the
opportunity to a third party that is best able to realize it for the benefit of the project.
• Enhance: the enhance strategy improves the likelihood and/or the positive impact of an
opportunity.
• Accept: this strategy is typically applied to low-priority opportunities or to those too costly to pursue.
Negative risks or threats
The five basic strategies for dealing with negative risks or threats are as follows:
• Mitigate: attempts to reduce the impact of a successful attack rather than to prevent the attack
itself.
• Transfer: attempts to shift the risk to other assets, processes or organizations.
• Accept: the choice to do nothing to protect a vulnerability and to accept the outcome of its
exploitation. It may or may not be a deliberate business decision.
• Avoid: acts to eliminate the threat or to protect the project from its impact.

Protecting Physical Security

• HVAC stands for heating, ventilation and air conditioning.
• Fire Suppression: fire is dangerous to any organization. It often happens when electrical
equipment is managed improperly.
• EMI Shielding: shielding against electromagnetic interference (EMI) is necessary for both power
distribution cables and network communication cables.
• Proper Lighting: although lighting is not a sufficient deterrent by itself, it can be used to discourage
intruders and prowlers.
• Signs: signs are used to display security warnings and to indicate the presence of security cameras.
• Video Surveillance: video surveillance and closed-circuit television.
• Access List: a list of all visitors should be kept, to help track down the perpetrators and account for
all workers when an incident occurs.

Choosing Countermeasures
• Patch identified exploitable bugs in applications
• Build and enforce organizational and access control (data and system) procedures
• Provide encryption capabilities
• Improve physical protections
• Disconnect unreliable networks

Risk Monitoring and Risk Control

Project risk monitoring and control is where you keep track of how the risk responses are
being carried out against the schedule, and where new project risks are handled.
Functions of risk monitoring and control:
– Identify events that can directly affect project outputs
– Give a qualitative and quantitative weight to the probability and consequences of an occurrence
that can impact the result
– Generate alternative execution paths for events which are outside your influence or cannot
be remedied
– Implement an incremental process for the identification, qualification, quantification and response
to new risks
Make sure that you provide a response plan for each identified risk. It is not very helpful if the risk
becomes a reality or an issue and you do not have an alternate execution path or any other emergency
procurement plan.
Main inputs to effectively monitor and control risks:
– Risk management plan
– Risk register / risk tracker
– Risk response plan
– Project communications
– New risk identification
– Scope changes

Business Continuity Management (BCM)

• Business Continuity Plan (BCP)
– A BCP is a plan to help the business process continue even when an accident or emergency occurs.
– Organizations should analyze all these potential risks and prepare a BCP to ensure an effective
response if the danger becomes a reality.
– When developing a BCP, all threats that might stop regular business should be identified. The next
step is to evaluate the most critical activities required for continuity of operations.
• Who are the people needed, and what resources and knowledge are required to maintain
operations?
• The BCP should include a list of executives and their contact details.
• There should be a data backup and disaster recovery guidelines.

• Disaster Recovery Plan (DRP)

– A DRP is a documented, structured approach outlining how a company should resume its functions
immediately following an unplanned event.
– The objective of the DRP is to help an organization resolve data loss and restore system
functionality so that it can perform after an incident, even if it operates at a minimal level.
– The step-by-step plan is made up of precautions to minimize the impact of a disaster, so
that the organization can continue to function or resume mission-critical functions
quickly.

• Disruptions include extreme weather events, illegal activity, civil unrest / terrorism,
organizational disruption and program failures.

Assessing Maximum Tolerable Downtime (MTD)
MTD is the time during which the process is typically inaccessible causes irreversible effects,
exceeding the MTD results with serious harm to the profitability of the enterprise. Depending on the
process MTD can be in hours, days, or more.
An example of a BCP / DRP timeline:

Stage 1: Business as usual
All systems are in production at this stage and are functioning correctly.

Stage 2: Disaster
A disaster happens at a certain point in time, and the systems need to be repaired. The Recovery Point Objective (RPO) specifies the amount of data loss, measured in time, that can be tolerated. For example, the maximum tolerable loss of data might be 15 minutes.

Stage 3: Recovery
The system is back online at this point and is being recovered, but it is not yet ready for production. The Recovery Time Objective (RTO) defines the overall tolerable time required to get all critical services back online. For example, this covers restoring data from backup or fixing a failure. This stage is mostly handled by the server, network and storage administrators.

Stage 4: Resume Production
At this point all systems have been restored, the security of the network and the integrity of the data have been checked, and all essential infrastructure can restart regular operation. The Work Recovery Time (WRT) specifies the overall tolerable time needed to confirm program or data integrity. For example, it might be necessary to check databases and logs to ensure that programs and services are consistent and available.

The sum of RTO and WRT is the MTD, which is the maximum length of time the operational process can be disrupted without harmful effects.

Review and Test the Plan
• It is critical to periodically review and update the BCP.

BCP Testing
Four steps to better business continuity plan testing:
• Step One: Use various BCP testing methods
  A variety of tools are available to test the efficiency and effectiveness of a business continuity plan. Some of the possible testing methods are:
  – Audit Strategy
  – Walk-Through Test
  – Simulation Test
  – Full Recovery Test
• Step Two: Decide how frequently to test
  There is no fixed rule for determining how often a BCP should be tested, but certain criteria are generally suggested.
• Step Three: Include the vendors
  Having your vendors take part in this phase not only allows you to verify the plan to a greater degree of precision and reliability, it also gives your vendors the chance to offer feedback that might be of value to your plans or testing method.
• Step Four: Document the testing
  Log all test outcomes, along with any actionable conclusions from those tests.

Test for DRP

How do you test a disaster recovery strategy?
1. Use various DRP testing techniques. There is no one-size-fits-all approach to testing the effectiveness and usability of your DRP and BCP; several test techniques are available and you should use them.
2. Know how much testing is needed. A functional test of disaster recovery is expected at least once a year.
3. Involve your vendors. Involving your vendors in your testing helps you evaluate the quality and serviceability of your plans to a greater degree.
4. Document your tests or drills. Make sure you log and file your test and drill reports properly. After you have finished a drill or check, record the results and use them to improve your DRP and BCP.

Backing up Data - Why is it important?

Backing up data allows you to retrieve data you have lost. It is like hitting the rewind button and returning your computer to the state it was in before the accident took place.

Data Backup - What to Back Up?

How do we classify the files that need backing up, and where do we find them? As a rule of thumb, the files you create are the files you are expected to back up. System files, operating system directories, installed programs, and temporary files do not need to be backed up.

Backup Frequency
How often you back up depends on how often you change your files. If you update and save documents regularly, you should make a backup at least once a day. In some cases files (such as data logs) are updated several times a day, and a backup process designed for real-time backups is more suitable.

Where to back up your data?
The choice of media depends on multiple factors, including backup size, setup complexity, portability and security requirements, budget, and whether the backup is kept on-site or off-site.
Some examples:
• External hard drives
• USB flash drives
• Network Attached Storage (NAS)
• Cloud backup
• FTP/FTPS/SFTP

Different Backup and Recovery Types
The various forms of backup available to IT personnel include:
• Full backups - All data is copied to another location; a complete copy of the data or device is taken each time.
• Incremental backups - Only the data that has changed since the most recent backup (of any type) is copied.
• Differential backups - Similar to an incremental backup, but a differential backup copies all data that has changed since the last full backup each time it is run.
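The following Python script is an added worked example (not code from this module) that ties the RPO of Stage 2 and the MTD = RTO + WRT rule to the three backup types above: it builds constructed backup schedules, works out which sets a restore needs after a disaster, and checks the resulting data loss against a 15-minute RPO. All dates, times and schedule names are constructed sample values.

```python
"""Backup chains, RPO and MTD: a worked example.

Added example, not code from the module.  It models the three backup
types described above (full, incremental, differential) and, for a
disaster at a chosen moment, works out which backup sets must be
restored, how much data (measured in time) is lost, and whether that
loss stays inside the Recovery Point Objective (RPO).  It also checks
the module's rule MTD = RTO + WRT.  All dates, times and schedules are
constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    kind: str          # "full", "incremental" or "differential"
    taken_at: datetime


def restore_chain(backups, disaster_at):
    """Backups, in the order they must be applied, to recover to the most
    recent consistent point before `disaster_at`."""
    usable = sorted((b for b in backups if b.taken_at <= disaster_at),
                    key=lambda b: b.taken_at)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup exists before the disaster")
    last_full = fulls[-1]
    chain = [last_full]
    for b in usable:
        if b.taken_at <= last_full.taken_at:
            continue
        if b.kind == "differential":
            # A differential holds every change since the last full backup,
            # so it replaces any earlier differential or incremental sets.
            chain = [last_full, b]
        else:
            # An incremental holds changes since the previous backup of any
            # kind, so every one taken after the full (or latest differential)
            # must be applied in order.
            chain.append(b)
    return chain


def recovery_plan(backups, disaster_at, rpo):
    """Summarise what a restore needs and whether the data loss meets the RPO."""
    chain = restore_chain(backups, disaster_at)
    loss = disaster_at - chain[-1].taken_at   # work done after the last backup
    return {
        "sets": [b.kind for b in chain],
        "sets_to_restore": len(chain),
        "data_loss_minutes": loss.total_seconds() / 60,
        "rpo_met": loss <= rpo,
    }


def within_mtd(rto_hours, wrt_hours, mtd_hours):
    """MTD = RTO + WRT, so the planned RTO and WRT must not add up to more
    than the Maximum Tolerable Downtime."""
    return rto_hours + wrt_hours <= mtd_hours


def schedule(first_full, kind, interval=timedelta(days=1), count=6):
    """Constructed schedule: one full backup, then `count` backups of `kind`
    spaced `interval` apart."""
    return [Backup("full", first_full)] + [
        Backup(kind, first_full + interval * i) for i in range(1, count + 1)]


# Constructed scenario: full backup Sunday 00:00, disaster Wednesday 10:34,
# and a 15-minute RPO as in the text.
SUNDAY = datetime(2024, 1, 7, 0, 0)
DISASTER = datetime(2024, 1, 10, 10, 34)
RPO = timedelta(minutes=15)

DAILY_INCREMENTAL = recovery_plan(schedule(SUNDAY, "incremental"), DISASTER, RPO)
DAILY_DIFFERENTIAL = recovery_plan(schedule(SUNDAY, "differential"), DISASTER, RPO)
# "Real-time" style: an incremental every 10 minutes for a week.
TEN_MINUTE_INCREMENTAL = recovery_plan(
    schedule(SUNDAY, "incremental", timedelta(minutes=10), 6 * 24 * 7), DISASTER, RPO)
```

The daily schedules lose more than ten hours of work and miss the RPO regardless of type, while the ten-minute incremental schedule meets it at the cost of applying hundreds of sets during a restore.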

Phases of the Response to an Incident

Typically, incident response is divided into six phases:
1) Preparation - Preparation can be as simple as ensuring that you have a qualified incident response team, either hired, on call, or at least somebody's business card so that you know who to call.
2) Identification - The incident is first detected in one of a variety of ways, which lets you continue your response plan with only a vague knowledge of what the incident might be. This phase is intended to describe and clarify the incident so that it is properly identified. It also involves an inquiry into the extent, source and success or failure of the compromise.
3) Containment - Containment occurs concurrently with identification, or directly afterwards. Damaged systems are withdrawn from production, computers are disconnected, and compromised accounts are locked.
4) Eradication - Eradication follows in the same vein: any damage found during the identification process is removed and remediated.
5) Recovery - Recovery is the restoration of missing data, the testing of the fixes made during eradication, and the return to normal operations.
6) Lessons Learned - Lessons Learned involves evaluating the steps taken during each phase and strengthening both your incident response capability and your security posture, which are the crucial outcomes of this process. The Lessons Learned stage is about taking protection seriously and working towards improvement wherever possible.

Triggering the Disaster Recovery Plan

Activation covers all relevant methods and procedures needed to ensure that the DRP can be activated:
• Requirements for activation. Identify the different disaster conditions that cause plan activation (depending on type, intensity, impact and duration).
• Evaluation methods. Evaluate an incident as it unfolds to determine whether the conditions for activation have been met.
• Authorization structures. To obtain sufficient approvals for activation of the plan, consideration should be extended to IT management personnel, business management staff and company executives.
• Infrastructure activation. Ensure that sufficient resources and facilities are available to support plan execution, including the site of the designated Command Center, where much, if not all, of the "command and control" activity is conducted throughout the disaster recovery phase.
• Contact protocols. Inform all workers and other interested parties (customers, vendors, suppliers, and the public) of all decisions and activities related to activation.

Guidelines for Activation Based on Event Analysis
One of the most critical steps in DRP activation is knowing whether activation is warranted. As the activation procedures are prepared, the event analysis activities must be adequately specified by answering the following questions:
1. Which types of events would cause the activation of the plan?
2. How will these incidents be assessed to ensure that plan activation is appropriate?
3. Who is going to be involved in the event evaluation process?
4. How will the assessment guidelines be communicated to the correct decision-makers?
5. Who needs to approve plan activation?
6. How many approvals are needed?
7. How will the activation of the plan be communicated?

Primary Steps to Disaster Recovery

Steps to disaster recovery:
1. Ensure the safety of everyone
2. Contain the damage
3. Assess the damage and launch recovery operations in accordance with the DRP and BCP

Restore Damaged Systems

You must plan for rebuilding damaged systems:
• Know where to find configuration maps, inventory lists, backup software and data.
• Use access control lists to make sure that the program allows only legitimate personnel.
• Upgrade operating systems and software with the most recent patches.
• Ensure that applications and operating systems are current and secure.
• Activate the access control rules, directories and remote access systems that enable users to access the new systems.

Recovery Alternatives
Three choices are usually considered if a business (or some part of it) has to be relocated for recovery:
• A dedicated business location, such as a secondary distribution center;
• Commercially leased facilities, such as hot sites or mobile facilities;
• An arrangement with an internal or external facility.

1. analyse a simple case related to Information Assurance and Security (IAS) Laws.
2. differentiate between laws and ethics
3. understand the role of culture as it applies to ethics in information security

Law and Ethics in Information Security

Ultimately, people choose to trade some aspects of personal liberty for the good of society.
• Laws are rules that require or forbid certain behaviour; they are founded on principles that describe socially acceptable behaviours. The main distinction between law and ethics is that law is enforced by the authority of a governing body, and ethics are not.
• Ethics, on the other hand, are based on cultural mores: the fixed moral beliefs or customs of a particular group. Certain ethical principles are shared by nearly all cultures, such as the condemnation of murder, theft, assault, and arson.

Types of Law
1. Civil law comprises a wide range of laws that govern a nation or state and deal with the relationships and conflicts between organizations and individuals.

2. Criminal law addresses activities and conduct harmful to society and is actively enforced by the state.

• Private law comprises family law, business law and labour law, and regulates relationships between persons and organizations.

• Public law governs the structure and administration of government agencies and their relationships with citizens, employees and other public agencies.

Cybersecurity in Our Country
The Cybercrime Prevention Act of 2012 (CPA) considers the following to be cybercrimes:

• Offences against the confidentiality, integrity and availability of computer data and systems (illegal access, illegal interception, data interference, system interference, misuse of devices and cybersquatting);

• Computer-related offences (computer-related forgery, computer-related fraud and computer-related identity theft); and

• Content-related offences (cybersex, child pornography, unsolicited commercial communications and libel).

The Supreme Court's Rule on Cybercrime Warrants (A.M. No. 17-11-03-SC) regulates the application for and issuance of court warrants and related orders for the preservation, disclosure, interception, search, seizure or examination, and the custody and destruction, of computer data as provided for in the CPA.

The Electronic Commerce Act of 2000 (ECA) provides for the legal recognition of electronic documents, commercial communications and signatures, government transactions and evidence in court proceedings. The ECA penalizes hacking and the piracy of protected material, electronic signatures or copyrighted works, and limits the liability of service providers that merely provide access.

The Access Devices Regulation Act of 1998 (ADRA) penalizes various acts of fraud involving access devices, such as the use of counterfeit access devices. An access device is any card, plate, code, account number, electronic serial number, personal identification number or other telecommunications service, equipment or instrument identifier, or other means of account access that can be used to obtain money, goods or services.

The Data Privacy Act of 2012 (DPA) governs the collection and processing of personal information in the Philippines and of Filipinos, including sensitive personal information in government; creates the National Privacy Commission (NPC) as the regulatory authority; and mandates that personal information controllers take reasonable and appropriate measures to secure personal information and to give notice when it is compromised.

Effective July 1, 2018, the Philippines acceded to the Cybercrime Convention.

Privacy
In the 21st century, privacy has become one of the toughest issues in information security. Many organizations gather, swap, and sell personal information as a commodity, and many people look to governments for privacy protection.

Privacy of Customer Information
With the passage of the 2011 Data Privacy Act, the Philippines introduced a robust data security and privacy rights policy for organizations that operate within the country. Organizations are required to meet all data privacy requirements and ensure data security to the highest standards, failing which they will be liable to serious fines and legal action.
With the banking and business process outsourcing (BPO) industries booming in the Philippines, these data privacy laws will be vital to the development of a secure environment for these industries in the region. Lawful access to information, confidentiality and data protection are some of the strong factors that will help to fuel service sector growth and e-governance in the Philippines.

Identity Theft
For the purposes of the statute, alteration means modifying or changing existing computer data or a program, in form or substance.
"The usual identifying information about a person includes his name, citizenship, address of residence, contact number, place and date of birth, his spouse's name (if any), occupation, and the like. The law punishes those who without right obtain or use such identifying information, indirectly, to cause harm. The theft of identity information must obviously be intended for an unlawful purpose. Furthermore, the acquisition and dissemination of information made public by the user himself cannot be considered a form of theft."

Intellectual Property
Intellectual property (IP) is a category of property that encompasses the intangible creations of the human intellect. There are many types of intellectual property, and some countries recognize more of them than others. The best-known types are copyrights, patents, trademarks, and trade secrets.

Philippine Copyright Law
Philippine copyright law, officially Republic Act No. 8293, is based on United States copyright law. Philippine copyright law also protects trademarks, patents and other forms of intellectual property. You may also have heard of the Optical Media Act, which seeks to shield local artists from piracy. Computer programs and video games are protected under the same Act.

Ethics and Information Security

(Sources: https://mafiadoc.com/legal-ethical-and-professional-issues-in-information-security_599eb5da1723dd0f406ee946.html, https://renzjiodionisio.blogspot.com/2010/08/ethics-technology.html)

"The Ten Commandments of Computer Ethics"

1. "Do not use a computer to harm others.
2. You are not to interfere with the computer work of other people.
3. You are not going to snoop around in the computer files of other people.
4. Don't use a computer for stealing.
5. You shall not bear false testimony using a computer.
6. You are not going to copy or use proprietary software you didn't pay for.
7. You are not going to use the computer resources of other people without authorization or fair compensation.
8. You will not be appropriating the intellectual output of other people.
9. You'll consider the social implications of the program you're writing or the method you're developing.
10. Please use a machine in ways that guarantee dignity and compassion for your fellow human beings."

"Codes of Ethics and Professional Organizations

It is the duty of support personnel to behave ethically and in compliance with their employers' policies and practices, their professional associations and the laws of society." It is also the duty of the organization to create, disseminate and enforce its policies.
(https://mafiadoc.com/legal-ethical-and-professional-issues-in-information-security_599eb5da1723dd0f406ee946.html)
Directions. Identification. Identify what is being referred to in each statement. Write your answer on the space provided.

1. ____________________ are rules that mandate or prohibit certain behavior.
2. ____________________ comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people.
3. ____________________ addresses activities and conduct harmful to society and is actively enforced by the state.
4. _____________________ encompasses family law, commercial law, and labor law, and regulates the relationship between individuals and organizations.
5. ______________________ regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
6. ______________________ guidelines that describe acceptable and unacceptable employee behaviors in the workplace.
7. _______________________ "state of being free from unsanctioned intrusion."
8. _______________________ "occurring when someone uses your personally identifying information like your name, Social Security Number, or credit card number, without your permission, to commit fraud, or other crimes."
9. ________________________ is a protected asset.
10. ________________________ fixed moral attitudes or customs of a particular group.

Directions. Identification. Identify what is being referred to in each statement. Write your answer on the space provided.

1. __________________ It refers to the right of the people to information on matters of public concern.
2. __________________ is a respected professional society that was established in 1947 as "the world's first educational and scientific computing society."
3. ___________________ is a nonprofit organization that focuses on the development and implementation of information security certifications and credentials.
4. ____________________ SANS stands for
5. ____________________ is a nonprofit society of information security professionals.
6. ____________________ regulates the collection and processing of personal information in the Philippines and of Filipinos, including sensitive personal information in government.
7. ____________________ penalizes various acts of access device fraud such as using counterfeit access devices.
8. ____________________ provides for the legal recognition of electronic documents, messages and signatures for commerce, transactions in government and evidence in legal proceedings.
9. _____________________ CICC stands for
10. ____________________ an inter-agency body for policy coordination and enforcement of the national cybersecurity plan.

REFERENCES
https://mafiadoc.com/legal-ethical-and-professional-issues-in-information-security_599eb5da1723dd0f406ee946.html
https://studyhippo.com/ethics-in-information-technology-2/
https://www.lexology.com/library/detail.aspx?g=63436afb-fc7c-41aa-967c-cef82a8e4cff
https://www.acc.com/sites/default/files/resources/20190314/1492582_1.pdf
https://quizlet.com/28057621/cis-377-mid-term-towson-flash-cards/
https://epdf.pub/lessons-from-the-identity-trail-anonymity-privacy-and-identity-in-a-networked-so.html
https://en.wikipedia.org/wiki/Intellectual_property#Intellectual_property_rights
https://renzjiodionisio.blogspot.com/2010/08/ethics-technology.html
https://www.govserv.org/PH/Cagayan-de-Oro/729716783727407/PNP-Anti-Cybercrime-Group-10
https://www.scribd.com/document/350923005/Chapter-3
https://www.facebook.com/notes/jayson-francisco/anti-cybercrime-bill-now-a-law-new-law-punishes-hacking-online-libel-internet-ch/455990667757790
https://ezgesports.com/qa/is-intellectual-property-real-property.html
https://ezgesports.com/qa/what-non-physical-property-is-intellectual-property-based-on.html
https://www.preda.org/2012/new-law-punishes-hacking-online-libel-internet-child-porn/
https://www.coursehero.com/file/p2fejk/ISC-PTS-1-REF-107-74-ANS-jurisdiction-PTS-1-REF-89-75-ANS-Liability-PTS-1-REF/
https://www.slideshare.net/fvsandoval/ethical-issues-and-relevant-laws-on-computing
https://quizlet.com/238714491/domain-1-security-and-risk-management-professional-ethics-flash-cards/
https://en.wikipedia.org/wiki/Glossary_of_computer_science
https://www.preda.org/2012/pnoy-signed-cybercrime-prevention-act/
https://www.gunnebo.com/Privacy-Policy
https://rhczgd6m8l1kkaip12ax254u-wpengine.netdna-ssl.com/wp-content/uploads/James-Hines-Data-Protection-Policy-Rev-1.1.pdf
https://resources.infosecinstitute.com/cissp-for-legal-and-investigation-regulatory-compliance/
https://www.coursehero.com/file/pf8hlrm/There-are-many-types-of-intellectual-property-and-some-countries-recognize-more/
http://www.unesco.org/new/en/member-states/single-view/news/unesco_trains_journalists_from_community_radio_stations_on_u/
https://www.fanfiction.net/u/1339123/dragonfairy330
https://www.reddit.com/r/morbidquestions/comments/92ihxv/texas_is_there_some_kind_of_gun_registrydatabase/
https://www.lawphil.net/statutes/repacts/ra1998/ra_8484_1998.html
https://jeopardylabs.com/play/enter-title226529
https://www.cengage.com/resource_uploads/downloads/1111138214_259148.pdf
https://content.grantham.edu/at/IS211/ch03.pdf
https://www.slideshare.net/sappingtonkr/02-legal-ethical-and-professional-issues-in-information-security
https://www.facebook.com/Pietofficial/posts/2890769410966028
http://wiki.netseclab.mu.edu.tr/images/8/87/Ceng3544-legal-ethical-professional-issues.pdf
https://vdocuments.mx/legal-ethical-and-professional-issues-in-information-wiki-ethical-and-professional.html
https://vdocuments.mx/legal-ethical-and-professional-issues-in-information-security-chapter-3.html

Directions: Answer the following.
1. Cite and explain the Four Parts / Mechanism of Access Control
2. What are the Four Central Components of Access Control?
3. Cite the Four Logical Access Control Solutions.
4. Cite all Biometric Recognition Characteristics
5. Cite and explain the Five Authentication Types

1. demonstrate understanding of access control concepts and technologies;
2. analyze formal models of access control; and
3. develop, manage, and maintain system access control.

5.1 ACCESS CONTROL


What is Access Control?
Access control is the process by which systems determine whether and how to admit a user into a trusted area of the organization. Access control is achieved through a combination of policies, programs, and technologies. Access controls can be mandatory, nondiscretionary, or discretionary.

[Figure] A sailor checks an identification card (ID) before allowing a vehicle to enter a military installation.

Four Parts / Mechanisms of Access Control

In authentication, the following mechanisms are involved (see figure):
The Four Central Components of Access Control are Users, Resources, Actions and Relationships.

Logical Access Controls

Logical access controls are the tools and protocols used in computer information systems for identification, authentication, authorization and accountability. Logical access is often needed for remote access to hardware, and is often contrasted with the term "physical access".
Logical access controls enforce access control measures for systems, programs, processes, and information. The controls may be embedded in operating systems, applications, add-on security packages, or database and telecommunication management systems.
Solutions for logical access control include biometrics, tokens, passwords, and single sign-on.

Biometric Access Controls

Biometric access control is based on the use of some measurable human characteristic or trait to verify the identity of a potential user (a supplicant) of a system. Fingerprint comparison, palm print comparison, hand geometry, facial recognition and retinal print comparison are useful biometric authentication tools.

Minutiae are unique points of reference in one's biometric that are stored as an image to be verified when access is requested. Each attempt at access results in a measurement that is compared to the encoded value to decide whether the user is who he or she claims to be. A concern with this approach is that the biometric changes as our body develops over time.
For authentication during a transaction, retail stores use signature capture. The customer signs a digital pad with a special pen that records the signature. The signature is stored for future reference, or compared for validation to a signature in a database.
Voice recognition operates in a similar manner by recording the user's initial voiceprint reciting a phrase. Later, the authentication mechanism requires the user to utter the same phrase when trying to access the system, so that the algorithm can match the live voiceprint to the stored value.

Effectiveness of Biometrics
Biometrics are evaluated using three parameters: the false rejection rate, which is the percentage of supplicants who are in fact authorized users but are denied access; the false acceptance rate, which is the percentage of supplicants who are unauthorized users but are allowed access; and the crossover error rate, which is the point at which the rate of false rejections equals the rate of false acceptances.
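As an added illustration (not from the module), the script below computes the false rejection rate (FRR) and false acceptance rate (FAR) of a biometric matcher at a given decision threshold and sweeps the threshold to locate the crossover error rate (CER). The match scores are constructed sample values, not data from any real device.

```python
"""Biometric error rates: FRR, FAR and the crossover error rate (CER).

Added example, not code from the module.  A biometric matcher produces a
similarity score and access is granted when the score reaches a threshold.
Sweeping the threshold over constructed genuine-user and impostor scores
shows how the false rejection rate and false acceptance rate trade off
against each other and where they cross.
"""

# Constructed sample match scores on a 0-100 scale.  Genuine users mostly
# score high and impostors mostly low, but the two populations overlap.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61]
IMPOSTOR_SCORES = [25, 31, 38, 44, 49, 55, 60, 63, 68, 72]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) at `threshold` as fractions of each population."""
    # False rejection: an authorized user whose score falls below the threshold.
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    # False acceptance: an impostor whose score reaches the threshold.
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine, impostor, lo=0, hi=100):
    """Sweep integer thresholds and return (threshold, CER): the threshold at
    which FRR and FAR are closest to equal, and the error rate there."""
    best = None
    for t in range(lo, hi + 1):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


def tuning_table(genuine, impostor, thresholds):
    """FRR/FAR at several candidate thresholds, for a tuning report: raising
    the threshold lowers FAR (fewer impostors admitted) but raises FRR."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}
```

With these scores a strict threshold of 80 admits no impostor but rejects 60% of genuine users, a lenient 50 rejects nobody but admits half the impostors, and the curves cross at 67 with a CER of 20%.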

Authenticating with Kerberos and SESAME

Kerberos, named after the three-headed dog of Greek mythology, uses symmetric key encryption to validate an individual user to various network resources. Kerberos keeps a database containing the private keys of all systems: network services running on servers in the Kerberos network register with it, as do the clients that use those services. These private keys are known to the Kerberos system, which can use them to verify one host to another.

Kerberos is based on the following principles:
1. The Key Distribution Center (KDC) knows the secret keys of all clients and servers on the network. Using these secret keys, the KDC initially exchanges information with the client and the server.
2. Kerberos authenticates a client to a requested service on a server through the Ticket Granting Service (TGS) by issuing temporary session keys for communication between the client and KDC, the server and KDC, and the client and server. Communications between the client and the server are then made using these temporary session keys.

Visit http://web.mit.edu/Kerberos/ to obtain the Kerberos software.
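The two principles above, as an added simulation written for this module (it is not the MIT Kerberos implementation): a KDC that holds every principal's secret key mints a session key, seals it once for the client and once inside a ticket for the server, and the server proves the client's identity from the ticket and a timestamped authenticator. The principals "alice" and "fileserver", their keys and the clock are constructed; the seal()/unseal() cipher is a stand-in so that the script needs only the standard library.

```python
"""Kerberos-style ticket exchange with a KDC.

Added example, not the MIT Kerberos code.  It shows the two principles
above: the KDC knows the secret key of every client and server
(principle 1), and it hands out a temporary session key twice, once
sealed for the client and once inside a ticket sealed for the server
(principle 2), so the two authenticate without ever exchanging their
long-term keys.  seal()/unseal() are a stand-in cipher built from SHA-256
and HMAC; real Kerberos uses AES-based encryption types.  Names and keys
are constructed sample values.
"""
import hashlib, hmac, json, os


def _keystream(key, nonce, n):
    # Counter-mode keystream from SHA-256 (toy construction, illustration only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under a symmetric key."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Verify the MAC and decrypt; ValueError on wrong key or tampering."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(b ^ k for b, k in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Principle 1: the KDC holds every principal's long-term secret key."""
    def __init__(self, keys):
        self.keys = dict(keys)

    def issue(self, client, service, now, lifetime=300):
        """Principle 2: mint a session key and return it sealed for the client,
        plus a ticket sealed for the server that the client forwards unread."""
        session_key = os.urandom(32).hex()
        expires = now + lifetime
        ticket = seal(self.keys[service],
                      {"client": client, "key": session_key, "expires": expires})
        for_client = seal(self.keys[client],
                          {"service": service, "key": session_key, "expires": expires})
        return for_client, ticket


def client_authenticator(client_key, for_client, client, now):
    """Client recovers the session key and proves it holds it by sealing a
    fresh, timestamped authenticator with that key."""
    creds = unseal(client_key, for_client)
    return seal(bytes.fromhex(creds["key"]), {"client": client, "timestamp": now})


def server_verify(server_key, ticket, auth, now, skew=300):
    """Server opens the ticket with its own key, then checks the authenticator
    with the session key found inside.  Returns the authenticated client."""
    t = unseal(server_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), auth)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["timestamp"]) > skew:
        raise ValueError("authenticator outside clock skew (possible replay)")
    return t["client"]


# Constructed principals and a fixed clock so the exchange is repeatable.
KEYS = {"alice": b"alice-long-term-key", "fileserver": b"fileserver-long-term-key"}
NOW = 1_700_000_000.0


def exchange(now=NOW):
    """Full KDC -> client -> server exchange; returns the authenticated name."""
    for_client, ticket = KDC(KEYS).issue("alice", "fileserver", now)
    auth = client_authenticator(KEYS["alice"], for_client, "alice", now)
    return server_verify(KEYS["fileserver"], ticket, auth, now)


def rejected(case):
    """True when the bad case is refused: a tampered ticket, an expired ticket,
    or the client trying to open the ticket with its own key."""
    for_client, ticket = KDC(KEYS).issue("alice", "fileserver", NOW)
    auth = client_authenticator(KEYS["alice"], for_client, "alice", NOW)
    try:
        if case == "tampered":
            ticket = ticket[:20] + bytes([ticket[20] ^ 1]) + ticket[21:]
            server_verify(KEYS["fileserver"], ticket, auth, NOW)
        elif case == "expired":
            server_verify(KEYS["fileserver"], ticket, auth, NOW + 3600)
        elif case == "client_opens_ticket":
            unseal(KEYS["alice"], ticket)
    except ValueError:
        return True
    return False
```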

Secure European System for Multivendor Environment (SESAME) is similar to Kerberos in that the user is first authenticated to an authentication server and receives a token. The token is then presented to a privilege attribute server (instead of a ticket granting service as in Kerberos) as proof of identity to obtain a Privilege Attribute Certificate (PAC). The PAC is like the ticket in Kerberos; however, a PAC conforms to the standards of the European Computer Manufacturers Association (ECMA) and the International Organization for Standardization/International Telecommunication Union (ISO/ITU-T). The remaining differences lie in the security protocols and distribution methods. SESAME uses public key encryption to distribute secret keys. SESAME also builds on the Kerberos model by adding additional and more sophisticated access control features, more scalable encryption systems, improved manageability, auditing features, and the option to delegate responsibility for allowing access.

Directions: Answer the following.
1. Cite and explain the Four Parts / Mechanism of Access Control
2. What are the Four Central Components of Access Control?
3. Cite the Four Logical Access Control Solutions.
4. Cite all Biometric Recognition Characteristics
5. Cite and explain the Five Authentication Types

REFERENCES
Varghese, Thomas. "Addressing Red Flags Compliance". SC Magazine, Jan. 28, 2009.

Andress, Jason. (2011). "The Basics of Information Security."

Cory Janssen, Logical Access, Techopedia, August 12, 2014

Find BIOMETRICS, Logical Access Control Biometrics, August 12, 2014

"Principles of Information Security", Michael E. Whitman, Ph.D., CISM, CISSP, Herbert J. Mattord, CISM, CISSP, 2012 Course Technology, Cengage Learning

Fundamentals of Information Systems Security, 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

5.2 AUDITING, TESTING AND MONITORING

1. demonstrate understanding of ways to monitor systems;
2. capture and analyze log data; and
3. show understanding of how to monitor and test security systems.

Security Audit

A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices. Security audits are also used to determine regulatory compliance with legislation that specifies how organizations must deal with information.

Security audits measure an information system's performance against a list of criteria. A vulnerability assessment, on the other hand, involves a comprehensive study of an entire information system, seeking potential security weaknesses. Penetration testing is a covert operation in which a security expert tries a number of attacks to ascertain whether or not a system could withstand the same types of attacks from a malicious hacker. Each of these approaches has inherent strengths, and using two or more of them in conjunction may be the most effective approach of all.

Security auditing and analysis tries to address the following questions:
1. Are security policies sound and appropriate for the business or organization?
2. Are the controls supporting your policies?
3. Is there effective implementation and upkeep of controls?

The following figure best explains how security controls address risk, which is referred to as the security cycle.

Security Monitoring for Computer Systems
Security monitoring for computer systems may be categorized by the information it captures:
1. Real-time monitoring - focuses on host IDS, system integrity monitoring and data loss prevention.
2. Non-real-time monitoring - checks application and system logging.
3. Log activities - monitor host-based activities as well as networks and their devices.

With regard to log activities, event logs, access logs, security logs and audit logs are typically involved.

Directions: Answer the following.

1. What are the ways to monitor a system?
2. Define and explain the scope of the plan.
3. What are the things to be considered in security monitoring?
4. What are the types of logs to be captured?
5. Develop a log information system.

REFERENCES
"Principles of Information Security", Michael E. Whitman, Ph.D., CISM, CISSP, Herbert J. Mattord, CISM, CISSP, 2012 Course Technology, Cengage Learning

Fundamentals of Information Systems Security, 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

64
Directions. Identification. Identify what is being referred to in each statement. Write your answer on the
space provided.

1. ____________________ which concerns itself with the secrecy system itself and its design

2. ____________________ is defined as the science of making communication incomprehensible to all
people except those who have a right to read and understand it.

3. ______________ which concerns itself with the breaking of the secrecy system above.

4. _______________ a set of information that will allow words to be changed to other words or symbols,
for instance, a code for the word “rifle” may be “escargot.”

5. _______________ the message that you wish to put into a secret form.

6. _______________ the method for altering the plaintext

7. _______________ the secret version of the plaintext.

8. _______________ changing from plaintext to ciphertext

9. _______________ changing from ciphertext to plaintext

10. ______________ each plaintext letter is replaced by another character whose position in the alphabet
is a certain number of units away.

Lesson 5.3 Basic Concepts of Cryptography

1. perform basic encryption and decryption using cryptography.

CRYPTOLOGY
Cryptology is defined as the science of making communication incomprehensible to all people except
those who have the right to read and understand it.
Cryptology has two branches. The first is CRYPTOGRAPHY, which concerns itself with the secrecy
system itself and its design; the second is CRYPTANALYSIS, which concerns itself with breaking that
secrecy system.

Code - A set of information that allows words to be changed to other words or symbols; for instance,
“banana” may be the code for “gun”. A code is not a form of cryptography that can be analyzed: the only
way to decode a message is to possess the list of terms and their codes.

Plaintext is the message you wish to put into a secret form. Plaintext is generally written in lower case
letters without spaces; figures are spelled out and punctuation is ignored. It is also referred to as clear
text.
For example, the sentence

“The bomb is planted on the roof” is written as thebombisplantedontheroof

Cipher refers to the method for altering the plaintext. The secret version of the plaintext is called ciphertext.

Example:
thebombisplantedontheroof will then be changed to

ymjgtrgnxuqfsyjityjwttk

To make it easier for a decoder to read, the ciphertext is typically written in groups of five characters. The
example above can be presented as
ymjg trgnx uqfsy jityj wttk

When we encipher, we change the plaintext into ciphertext; when we decipher, we do the reverse.

Key refers to the data that enables us to encipher the plaintext and to decipher the ciphertext.

In this case, both upper and lower case letters use the same numerical value.
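As an added example, not part of the original lesson, the following Python code carries out the steps described above with a key (shift) of 5, the value that turns t into y and h into m in the example: it normalizes the message into plaintext, enciphers it, groups the ciphertext into fives, and deciphers it again, so its output can be compared with the ciphertext given above. It also lists the candidate for every possible key, which is why a shift cipher is easy to cryptanalyze. Spelling digits out as English words is an assumption; the lesson does not specify how figures are written.

```python
import string

ALPHABET = string.ascii_lowercase
# Assumed spelling for figures; the lesson only says they are written out.
DIGIT_WORDS = ["zero", "one", "two", "three", "four",
               "five", "six", "seven", "eight", "nine"]


def to_plaintext(message):
    """Normalize a message as the lesson describes: lower case, no spaces,
    punctuation dropped, figures spelled out. Upper and lower case letters
    map to the same value, so the message is lower-cased first."""
    out = []
    for ch in message.lower():
        if ch in ALPHABET:
            out.append(ch)
        elif ch.isdigit():
            out.append(DIGIT_WORDS[int(ch)])
    return "".join(out)


def encipher(plaintext, key):
    """Shift cipher: each letter is replaced by the letter `key` positions
    further along the alphabet, wrapping from z back to a."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26] for c in plaintext)


def decipher(ciphertext, key):
    """Deciphering is enciphering with the opposite shift."""
    return encipher(ciphertext, -key)


def group_by_five(text):
    """Present ciphertext in five-character groups for easier transcription."""
    return " ".join(text[i:i + 5] for i in range(0, len(text), 5))


def all_candidate_keys(ciphertext):
    """Cryptanalysis of a shift cipher: only 26 keys exist, so every candidate
    plaintext can be listed and the readable one picked out by eye."""
    return {k: decipher(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    pt = to_plaintext("The bomb is planted on the roof")
    ct = encipher(pt, 5)
    print("plaintext :", pt)
    print("ciphertext:", group_by_five(ct))
    print("decoded   :", decipher(ct, 5))
```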

1. discuss the importance of creating a secure network design;
2. discuss the steps or procedure for securing a network;
3. write down 10 software security best practices; and
4. give concrete examples of the application of these practices in actual software
development.

All information systems (IS) create risks for an organization. Whether or not the level of risk
introduced is acceptable is a business decision; controls such as “firewalls, resource isolation, hardened
system configurations, authentication and access control systems and encryption can be used to help
mitigate identified risks to acceptable levels.”
(https://www.slideshare.net/lavanyamarichamy/network-design-consideration)
In this lesson we discuss firewalls and the authentication procedures that can be implemented to
secure a network.
Security, as described by Lavanya (2019), “is often an overlooked aspect of network design, and
attempts at retrofitting security on top of an existing network can be expensive and difficult to implement
properly. Separating assets of differing trust and security requirements should be an integral goal during
the design phase of any new project.”
She further stresses that “…aggregating assets that have similar security requirements in
dedicated zones allows an organization to use small numbers of network security devices, such as
firewalls and intrusion-detection systems, to secure and monitor multiple application systems.”
(https://www.slideshare.net/lavanyamarichamy/network-design-consideration)
Other influences on network design include budgets, availability requirements, the network’s size
and scope, future growth expectations, capacity requirements, and management’s risk tolerance. For
example, dedicated WAN links to remote offices can be more reliable than virtual private networks
(VPNs), but they cost more, especially when covering large distances. Fully redundant networks can
easily recover from failures, but having duplicate hardware increases costs, and the more routing paths
available, the harder it is to secure and segregate traffic flows.
A significant but often missed or under-considered factor in determining an appropriate security
design strategy is to identify how the network will be used and what is expected from the business it
supports. This design diligence can help avoid expensive and difficult retrofits after the network is
implemented.
Let’s consider some key network design strategies.

FIREWALLS
What is a Firewall?
A firewall is defined by Khandal, et al. (2018) as “…a program or network device that filters the
information coming through the internet connection into your private network or computer system.”
A firewall is further described at www.auysolutions.com as “a network security system that
monitors and controls incoming and outgoing network traffic based on predetermined security rules. A
firewall typically establishes a barrier between a trusted internal network and untrusted external network,
such as the Internet.”
These are often categorized as either “network-based firewalls or host-based firewalls”
(https://www.auysolutions.com/product/security-essentials/).
Network firewalls run on network hardware and filter traffic between two or more networks.
Host-based firewalls, on the other hand, run on host computers and control network traffic
coming in and out of those machines.

Network-Based Firewall

Host-Based Firewall

Difference between Network-based and Host-based Firewall

The difference between these firewalls was clearly discussed in the paper of Khandal, et al. (2018)
as follows:
“A host-based firewall is installed on the individual computer to protect
it from activity occurring on its network. A network-based firewall is
implemented at a specific point in the network path and protects all
computers on the “internal” side of the firewall from all computers on the
external side of the firewall.”

Advantages of Firewalls
The advantages of firewalls as discussed by Khandal, et al. (2018) are as follows:
Concentration of security, “…all modified software and logging is located on the firewall system as
opposed to being distributed to multiple hosts.”
Protocol filtering, “…where the firewall filters protocols and services that are either not necessary or
that cannot be adequately secured from exploitation.”
Information hiding, “…in which a firewall can “hide” names of internal systems (or) electronic mail
addresses, thereby revealing less information to outside hosts.”
Application gateways, “…where the firewalls require inside or outside users to connect first to the
firewall before connecting further, thereby filtering the protocol.”

Disadvantages of Firewalls
Firewalls, on the other hand, have the following disadvantages (Khandal, et al., 2018):
The most obvious is that certain types of network access may be hampered or even blocked
for some hosts, including telnet, FTP, NFS, etc.
A second disadvantage of a firewall system is that it concentrates security in one spot as
opposed to distributing it among systems, so a compromise of the firewall could be disastrous for other,
less protected systems on the subnet.

Example: If someone attacks the security guard, the whole organization faces more risk.

The Role of Firewalls

A firewall is a term used for a “barrier between a network of machines and users that operate
under a common security policy and generally trust each other, and the outside world.” (Khandal, 2018)
There are two basic reasons for using a firewall at present. These, according to Dinesh (2017), are
as follows: “(1) to save money by concentrating your security on a small number of components, and (2)
to simplify the architecture of a system by restricting access only to machines that trust each other.”
Three (3) Design Goals of Firewalls
The first design goal for a firewall is that all traffic “…from internal to external must go through the
firewall, physically cutting off all access to the local network except via the firewall.” (Khandal et al., 2018)
Example: the security guard in a commercial bank.

The second goal is that “only authorized traffic, which is delineated by the local security policy,
will be allowed to proceed.” (Khandal et al., 2018)
Example: the bank manager instructs the security guard to block A and B.

Finally, the last design goal is that the firewall “…itself is resistant to penetration, inclusive in a
solid trustworthy system with a protected operating system.” (Khandal et al., 2018)
Example: here the security guard himself/herself uses judgement to block a few people.

AUTHENTICATION
Authentication is the “process of reliably verifying the identity of someone (or something).”
(http://www.dis.uniroma1.it/~damore/sicu/slide/slide2012/8.Authentication-1v1.1.pdf)

There are lots of examples of authentication in human interaction.

1. We recognize each other's faces when we meet.
2. We recognize each other's voices on the telephone.
3. We are authenticated by the customs official who checks us against the picture on our passport.
4. “…a guard might authenticate you by comparing you with the picture on your badge.”
(http://www.dis.uniroma1.it/~damore/sicu/slide/slide2012/8.Authentication-1v1.1.pdf)
5. “A mail order company might accept as authentication the fact that you know the expiration date
on your credit card.” (http://www.dis.uniroma1.it/~damore/sicu/slide/slide2012/8.Authentication-1v1.1.pdf)

CREATING A GOOD QUALITY PASSWORD POLICY

The security provided by a password system depends on the ability of the users to keep their
password or pass code unique and secure at all times. Thus, according to Gupta (2018), “…a password is
vulnerable to compromise whenever it is used, stored, or even known.”

• The system must initially assign a password to its users.
• Users' passwords must be updated periodically.
• The system must maintain a “password database”.
• Users must remember their passwords.
• At authentication time, users must enter their passwords into the system.
• Employees should “…not disclose their passwords to anyone including the administrators and IT
managers.” (https://www.orcanos.com/help/Knowledgebase/password-aging-password-expiration/)

AUTHENTICATION IDENTIFICATION
Computers also verify the identity of their users, based on three (3) methods:

• What you know (e.g., passwords)
• What you have (e.g., keycards)
• What you are (e.g., biometric information)

VERIFICATION
Verification validates the information supplied against a table of possible values for the user's claimed
identity. Identity may also be verified from your physical characteristics, known as biometrics.
Characteristics used include:

• Signature
• Fingerprint, hand geometry, face or body profile
• Speech, retina pattern

How authentication is done depends on the capabilities of the entity being authenticated. The two most
important capabilities are:

• Ability to store a high-quality key.
• Ability to perform cryptographic operations.

TYPES OF AUTHENTICATION
There are three types of authentication. These concepts are explained below:

1. Password-based authentication
• Authenticating oneself by showing a secret password to the remote peer (and to the network).
(Shankar, 2013)
• “Always vulnerable to eavesdropping attack.” (Shankar, 2013)
• Usual protection: “limit frequency of incorrect password entries.” (Shankar, 2013)

2. Address-based authentication
• Authenticating oneself, according to Shankar (2013), can be done “by using a physically-secured
terminal/computer.” Conceptually similar to password-based authentication.

3. Cryptography-based authentication
“Authenticating oneself by showing evidence of a secret key to the remote peer (and to the
network) but without exposing the secret to the peer (or to the network). Secret key can be obtained from a
password.” (Shankar, 2013)

PROBLEMS WITH PASSWORDS

1. Eavesdropping
• Passwords must be uttered to be used.
• Most people don't watch.
• But they are not the people you are worried about.
• Wire tapping is a more sophisticated problem.
• If the password is sent across a network, then eavesdropping is possible.
• For example, a traditional telnet connection is unsecured (no cryptography), so an attacker who
can eavesdrop, e.g., on the port in use, simply gets to see the password.

2. Trojan Horses
A Trojan horse is a useful, or apparently useful, program which also performs unwanted or harmful
functions.
• If a user can be induced to run a Trojan horse which mimics the login program, then the Trojan
can capture the user's password.
• The password can then be sent to the author of the Trojan.

3. On-Line Guessing
• I can impersonate you if I can guess your password.
• Some systems enforce easily guessable passwords.
• Some people use easily guessable passwords.
• With enough guesses, even obscure passwords can be guessed.
• Executing users who get their password wrong would probably be unacceptable.
• Can make sure that guesses have to be typed.

4. Locking Accounts
• Can lock accounts after too many failed attempts.
• But then it is easy for someone to deny access.
• Can cut off the connection after a number of failed attempts and require it to be re-established.
• Can have the system response be very slow.

5. Offline Password Guessing
• Passwords are more vulnerable if off-line guessing is possible.
• Offline attack: an intruder captures a quantity that is derived from the password.
• The attacker then takes their time trying to compute the password.
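As an added example (not from the original lesson or any of its cited sources), the following Python code shows defences against problems 3 to 5 above: passwords are stored as salted, deliberately slow PBKDF2 hashes so that a captured password database gives an offline guesser as little as possible to work with, verification uses a constant-time comparison, and repeated failures trigger a growing delay rather than a permanent lock, so a deliberate string of bad guesses cannot lock a legitimate user out. The iteration count and delay values are illustrative assumptions, and the clock is injected so the behaviour can be checked without waiting.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed work factor; higher makes each offline guess cost the attacker more CPU time.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, derived_key). A fresh random salt per user means equal passwords
    produce different stored values, so precomputed tables do not help an attacker."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password, salt, stored_dk):
    """Recompute the derived key and compare in constant time (no early exit on mismatch)."""
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored_dk)


class LoginGuard:
    """Throttle on-line guessing with a growing delay instead of a hard lock.
    A permanent lock lets anyone deny a victim access by guessing badly on purpose;
    a delay that doubles per failure (capped) slows an attacker far more than a
    genuine user who mistypes once or twice."""

    def __init__(self, clock, base_delay=1.0, max_delay=300.0, free_attempts=2):
        self.clock = clock                    # callable returning the current time in seconds
        self.base_delay, self.max_delay = base_delay, max_delay
        self.free_attempts = free_attempts    # failures tolerated before any delay applies
        self.failures = defaultdict(int)      # username -> consecutive failures
        self.not_before = defaultdict(float)  # username -> earliest permitted next attempt

    def seconds_until_allowed(self, username):
        return max(0.0, self.not_before[username] - self.clock())

    def record_failure(self, username):
        self.failures[username] += 1
        excess = self.failures[username] - self.free_attempts
        if excess > 0:
            delay = min(self.base_delay * 2 ** (excess - 1), self.max_delay)
            self.not_before[username] = self.clock() + delay

    def record_success(self, username):
        self.failures.pop(username, None)
        self.not_before.pop(username, None)


def attempt_login(guard, users, username, password):
    """users maps username -> (salt, derived_key). Returns "ok", "bad" or "wait"."""
    if guard.seconds_until_allowed(username) > 0:
        return "wait"
    entry = users.get(username)
    # Unknown names are checked against a dummy record so that response time does not
    # reveal which user names exist.
    salt, stored = entry if entry is not None else (b"\x00" * 16, b"\x00" * 32)
    ok = verify_password(password, salt, stored)
    if entry is not None and ok:
        guard.record_success(username)
        return "ok"
    guard.record_failure(username)
    return "bad"
```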

Assignment:

1. Write a 200-word essay with the theme: “What can't a firewall protect against?”
2. Using the insights you have gained from this lesson, write down 10 best practices for
ensuring computer security.

REFERENCES:

Authentication (2012). Retrieved from
http://www.dis.uniroma1.it/~damore/sicu/slide/slide2012/8.Authentication-1v1.1.pdf on July 15, 2020.

Dinesh, N. (2017). Seminar on firewall. Retrieved from
https://www.slideshare.net/NAGADINESH3/firewall-80659551 on July 16, 2020.

Gupta, A. (2018). Knowledge base: password aging and expiration. Retrieved from
https://www.orcanos.com/help/Knowledgebase/password-aging-password-expiration/ on July 17, 2020.

Khandal, et al. (2018). Firewall concepts in the area of networking. Retrieved from
http://www.ijetjournal.org/Special-Issues/ICEMESM18/ICEMESM18.pdf on July 15, 2020.

Lavanya, M. (2019). Network design considerations. Retrieved from
https://www.slideshare.net/lavanyamarichamy/network-design-consideration on July 16, 2020.

Security essentials. Retrieved from https://www.auysolutions.com/product/security-essentials/ on July 16, 2020.

Shankar, U. (2013). Computer and network security. Retrieved from
http://www.cs.umd.edu/~shankar/414-Notes/414-authentication-slides-4pp.pdf on July 16, 2020.

Directions: Say that you are on the situation that your parents do not want you to pursue your
degree on Information Security, how are you going to convince them? Write your answer on the
comic bubble.

Do research on Securing Our Future through IAS. Document the results of your research
and prepare a write-up discussing the important or significant contributions of IAS to our daily
lives, be it in economic, physical, spiritual or any other aspects you can identify.

Introduction
As we all know, there is a wide variety of careers one can choose from in the field of
Computing Science and Information Security. Pursuing education in these areas of knowledge is
really a prize. Aside from the high rate of employability, a high salary can also be a
motivation to pursue them well.
In the field of Information Security alone, there are a number of opportunities one can take in the
future. Aside from the certifications we tackled in Lesson 2.2, there are also some programs
available to add knowledge in this area.
Getting a Professional Certificate through a certifying body is really an edge or an advantage.
However, it is one's own call whatever means he/she will use to learn and gain more knowledge.
One option for an aspirant to be trained in the field of Information Security is through Self-Study
Programs. These programs aim to educate an individual at the convenience of his/her own time. This is
also referred to as Self-Paced learning, where one will not be required to attend mandatory
trainings. The advantages of a self-study program are as follows:
1. Self-motivation
2. Low cost
3. Flexible materials
4. Flexible schedule
5. Supplemental materials
However, procrastination, resource selection, lack of interaction, quality, and validated outcomes
may be factors to consider in self-study programs. These are its disadvantages.
In self-study programs, choosing material to study is really a struggle. In selecting what
instructional materials to use, one must check that they come from reputable sources,
meaning the resources come from a reliable or well-respected organization or author. You
can check reviews of the material so that you have an insight into its content. Self-study
materials should also be supplemented by other products to support your learning. Finally, hands-on
skill sets or laboratory activities should also be drawn from the materials to evaluate the
learning process.
Another option to acquire knowledge in the area of Information Security is through Instructor-Led
programs. This may be an alternative to self-paced learning. This type of program is
also known as Formal Training, delivered within an educational group or a school.
Completing the prescribed hours or requirements of the training leads to a certificate that
proves one's competence.
Instructor-led programs range from general to highly technical.
A professional can also acquire additional knowledge of IS through Continuing Professional
Education (CPE) and/or Continuing Professional Development (CPD). The main goal of
these programs is to keep practitioners updated on the current state of technology in the field.
Postsecondary Degree programs are also offered by colleges and universities specializing in
Information Technology, Information Systems Security, Information Assurance and other fields
of Computing Sciences. One may continue his/her journey up to a Ph.D.
A degree may be taken by an individual through a two-year program. This is what we call an
Associate Degree, which prepares one for a wide variety of entry-level positions in the IT
and IS fields.
On the other hand, a four-year degree program, or Bachelor's Degree, is needed for
higher entry positions in areas such as IT and IS.
Some of these include:
1. BS in Computer Science
2. BS in Information Technology
3. BS in Applied Science
4. BS in Engineering
Some institutions offer a laddered course where an Associate Degree can be continued to
the Bachelor's.
It is very important to study the curriculum offered by an institution first and visualize
what field you will pursue in the future.
A Master of Science Degree is a two-year study program after completing the Bachelor's Degree.
It is basically intended for specializing in one field of study, focusing on depth of
knowledge in a specific field. It might include:
1. Master of Science (MS or MSc)
2. Master of Science in Information Technology (MScIT)
3. Master in Business Administration
a. Focusing on the process of securing IS
b. Focusing on the management and maintenance of IS


A Doctoral Degree is the highest educational attainment one can obtain. It requires more
comprehensive and extensive studies and may take three to five years. Fields may include:
1. Doctor of Science
2. Doctor of Information Technology
3. Doctor of Technology
4. Doctor of Philosophy

Aside from formal schooling, there are also programs that are intended to certify an
individual. They focus more on the technical skills an individual needs to develop through
hands-on or experiential learning.
The following are Security Training Organizations that enable one to get certified:
1. SANS Institute
2. ITPG
3. InfoSec Institute
4. ISACA
5. Phoenix TS
6. SEI

There are many ways one can acquire knowledge, whether through informal or formal training.
All of them serve one purpose, which is to gain knowledge and skills that can be
used as arms in a world whose demand for them is increasing rapidly.
It may be difficult to achieve, or one might say that he/she made a wrong decision, but one thing
is for sure: when you learn to love what you do, you will succeed. You are halfway to the
highest paying job. So do it right. You are on the right track.

Directions: Assume that you are certified by the certifying bodies in Lesson 2 and have graduated with
your dream degree in the field. Write an application letter for the job of Information
Security Officer at XYZ Bank, the leading bank of the billionaires. State your credentials, skills
and something that you can contribute to the organization.
