
Chapter 1

1. Suppose you visit an e-commerce website such as your bank, stock broker, etc. Before you type in highly sensitive information, you'd like to have some assurance that your information will be protected.
 Do you (have such assurance)? How can you know?
o Not with certainty. The terms and conditions and the privacy policy state what the operator promises to do with your data, and you agree to them when you use the site, but a promise is not a control and you cannot audit the site yourself. What you can verify from the browser is limited: the padlock/HTTPS indicator and a certificate issued to the bank's own domain show that the connection is encrypted and that you are talking to the right server. That protects the data in transit; it says nothing about how the data is stored and handled once it arrives.
 What security-relevant things do you want to happen, or not happen, when you use such a website? (Measures the operator should take:)
o Keep the website and its software up to date (patch known vulnerabilities)
o Enforce a strong password policy
o Serve the login page, and every page after login, over HTTPS
o Use a secure host
o Keep the website clean (remove unused plugins, accounts and files)
o Back up users' data
o Hire a security expert
o Scan the website for vulnerabilities


2. Which of these do you think fall under Information Assurance?
 Privacy of your data
 Protection against phishing
 Integrity of your data
 Authentication
 Authorization
 Confidentiality
 Non-repudiation
o All of them. Information assurance is usually described by five pillars: confidentiality, integrity, availability, authentication and non-repudiation. Privacy of your data is a confidentiality concern, authorization follows from authentication, and protection against phishing defends both credentials (authentication) and confidentiality.
3. According to ISO/IEC Standard 9126-1 (Software Engineering—Product Quality), the following are all aspects of system quality:
 Functionality
o adequacy
o interoperability
o correctness
o security
 reliability
 usability
 efficiency
 maintainability
 portability

 Which of these ISO Standard aspects do you think apply to IA?

o All of the above. Security is the one that maps directly, but IA also depends on reliability (availability is one of its pillars) and on maintainability (a system that cannot be patched promptly stays vulnerable).

5. How does information differ from data?

 Data are raw facts and figures with no context; they can be quantitative or qualitative. Information is data that has been given context and meaning.

6. What's the difference between an exploit and an attack?

 An exploit is the specific piece of code or technique that takes advantage of one vulnerability; for example, an exploit may let an intruder remotely access a network, gain elevated privileges, or move deeper into the network.
 An attack is the deliberate, unauthorized action against a system or asset as a whole. An attack has a motive (to misuse the system) and may use one or more exploits, or none at all (social engineering, password guessing); the attacker generally waits for an opportunity to occur.
Chapter 2

I. Identification. Write the correct answer on the space provided.

VULNERABILITY 1. refers to a known weakness of an asset (resource) that can be exploited by one or more attackers.
RISK 2. is defined as the potential for loss or damage when a threat exploits a vulnerability.
THREAT 3. is a possible danger that might exploit a vulnerability to breach security and cause possible harm.
DATA TAMPERING 4. deliberately modifying, destroying, manipulating or editing data through unauthorized channels.
TROJAN HORSE 5. a program that overtly does one thing while covertly doing another.
VIRUS 6. a specific type of Trojan horse that can be used to spread its "infection" from one computer to another.
BACKDOOR (TRAPDOOR) 7. a program that has a secret entry point. (The remainder of the original item, "information leaks in a program: code that makes information accessible to unauthorized people or programs", is the definition of an information leak, a separate term.)
ENCRYPTION 8. can be used to achieve integrity, since data that cannot be read generally also cannot be changed. (Caveat: encryption alone only hides data; an attacker can still flip bits in the ciphertext undetected unless a message authentication code or an authenticated-encryption mode is used.)
II. Essay

1. What is a threat? And what are the three major types of threats?
 A threat is anything with the potential to harm a system or the organization: a possible danger that may exploit a vulnerability. The three major types of threats discussed are Denial-of-Service (DoS/DDoS) attacks, social engineering and malware.
2. What is the best way to perform regular threat assessments?
 Conduct risk identification and analysis. Identifying the risks for each asset and the threats it faces is a complex task; the most important thing is to structure the process well so that nothing important slips through the cracks. Companies can do this by extending their asset registers with columns for the threats and vulnerabilities of each asset.
3. What are the question to ask to determining your security vulnerabilities?
 Do we understand the actual risk?
 Has it been properly fixed?
 Can we validate that the fix has worked?
4. What are the key aspects to consider when developing your risk management strategy?
 Identify the risk
 Analyze the risk
 Rank the risk
 Assign responsibility to address the risk
 Monitor the risk
 Respond to the risk
5. What are intentional threats (give examples)?
 Intentional threats are purposeful actions that result in the theft of, or damage to, computer resources, equipment and data. Examples: viruses, denial-of-service attacks, theft of data, sabotage and destruction of computer resources.
6. What are accidental threats (give examples)?
 Accidental threats are situations in which damage or data loss results from the action of an insider who has no malicious intent. Examples: deleting or overwriting the wrong file, sending confidential data to the wrong recipient, misconfiguring a server or firewall, losing a laptop or USB drive.
7. Enumerate the threat classification (Microsoft's STRIDE categories):
 Spoofing of user identity
 Tampering
 Repudiation
 Information disclosure (privacy breach or Data leak)
 Denial of Service (D.o.S.)
 Elevation of privilege
8. Give two examples of Compromise of information from the threat classification.
 Eavesdropping on or interception of communications; theft of media or documents. (Error in use, abuse of rights and denial of actions belong to the Compromise of functions category.)
9. Give two examples of Technical failures from the threat classification.
 Equipment failure, software malfunction, saturation of the information system (capacity saturation).
10. How does Microsoft rate threats? With the DREAD model:
 Damage: how bad would an attack be?
 Reproducibility: how easy is it to reproduce the attack?
 Exploitability: how much work is it to launch the attack?
 Affected users: how many people will be impacted?
 Discoverability: how easy is it to discover the threat?
11. Give examples of identity theft?
 Stolen Checks
 ATM Cards
 Fraudulent Change of Address
 Social Security Number Misuse
 False Civil and Criminal Judgements
12. What are the types of identity theft?
 Financial Identity Theft
 Medical Identity Theft
 Criminal Identity Theft
 Child Identity Theft
 Identity Cloning & Concealment
 Synthetic Identity Theft
Chapter 3

I. Identification. Write the correct answer on the space provided.


1. It is the breaking of codes and ciphers.
 Cryptanalysis
2. The word cryptography comes from the two Greek words "Kryptos" and "Grafein". What does Kryptos mean?
 hidden
3. The most commonly used encryption during the year 1990.
 DES (the Data Encryption Standard), the widespread standard for encryption at that time
4. He is considered the father of mathematical cryptography.
 Claude Shannon
5. The year when Shannon's cryptography article was published.
 1949 ("Communication Theory of Secrecy Systems", Bell System Technical Journal; the classified report it grew out of dates from 1945)
6. – 7. The two main goals of cryptography according to Shannon.
 secrecy
 authenticity
8. The process of hiding information in an unreadable form or code.
 Cryptography (encryption)
9. It contains a form of the original plaintext that is unreadable by a human or computer.
 Ciphertext
10. It is the inverse of encryption.
 Decryption
II. Essay:
1. The need for cryptography started as early as 1945 to address problems of secrecy of communication during the War. In your own opinion, how was cryptography applied during this time? Explain your answer.
 The invention of complex mechanical and electromechanical machines provided more sophisticated and efficient means of encryption, and the subsequent introduction of electronics and computing allowed elaborate schemes of still greater complexity, most of which are entirely unsuited to pen and paper.
2. Discuss the different applications of encryption in today's generation.
 Today, encryption protects the communications of individuals and organizations from unsophisticated and sophisticated criminals and from repressive governments. It secures electronic commerce transactions over the Internet, for example making it possible to transmit credit card numbers safely.

I. Identification. Write the correct answer on the space provided.
1. Also referred to as symmetric encryption or single-key encryption.
 Conventional encryption
2. In the notation Y = Ek(X), what does Y stand for?
 Ciphertext
3. A type of encryption in which only one key is used.
 Symmetric encryption
4. In the notation Y = Ek(X), what does k stand for?
 The key (shared by sender and receiver)
5. What is the notation for the plaintext X?
 X = Dk(Y): the plaintext is recovered by applying the decryption algorithm D with the same key k to the ciphertext Y. (Y = Ek(X) in turn says that Y is produced by the encryption algorithm E as a function of the plaintext X under key k.)
6. The process of attempting to discover X or k or both.
 Cryptanalysis
7. The term used for hiding a plaintext by means such as invisible ink.
 Steganography
8. A cipher in which the letters of the plaintext are replaced by other letters or by numbers or symbols.
 Substitution cipher
9. Also known as the shift cipher.
 Caesar cipher
10. The best-known multiple-letter encryption cipher.
 Playfair cipher
II. Convert the following plaintext using the required techniques. Show the solution on the space provided at the back of the paper, numbered in sequence.
(Caesar cipher with shift 3: each letter is replaced by the letter three places later in the alphabet, wrapping from Z to A. The Monoalphabetic and Playfair columns are blank because no key was given for them.)
Plaintext        Caesar cipher   Monoalphabetic   Playfair
1. CHED          FKHG
2. EDUCATION     HGXFDWLRQ
3. VIRTUAL       YLUWXDO
4. UNIVERSITY    XQLYHUVLWB
5. COLLEGE       FROOHJH
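The Caesar column above can be checked, and the two blank columns filled in for a chosen key, with the script below. It is an added example and not part of the worksheet; the monoalphabetic keyword SECURITY and the Playfair keyword MONARCHY are assumptions, since the worksheet supplies no key for those columns.

```python
"""Added example: the three classical ciphers from the worksheet.
The keywords used for the monoalphabetic and Playfair columns are
assumptions (the worksheet gives none)."""
import string

ALPHABET = string.ascii_uppercase


def caesar(text, shift=3):
    """Shift cipher: each letter moves `shift` places (mod 26); a negative
    shift decrypts. Non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def mono_key(keyword):
    """Keyword-derived substitution alphabet: keyword letters first (duplicates
    dropped), then the remaining letters in order. The keyspace is 26!
    alphabets, but single-letter frequencies survive, which is what makes
    the cipher breakable."""
    key = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in key:
            key.append(ch)
    return "".join(key)


def monoalphabetic(text, key, decrypt=False):
    """Replace each plaintext letter by the key letter at the same position."""
    src, dst = (key, ALPHABET) if decrypt else (ALPHABET, key)
    return text.upper().translate(str.maketrans(src, dst))


def playfair_square(keyword):
    """5x5 key square as a 25-character row-major string; J is merged into I."""
    square = []
    for ch in keyword.upper().replace("J", "I") + ALPHABET.replace("J", ""):
        if ch in ALPHABET and ch not in square:
            square.append(ch)
    return "".join(square)


def playfair_digraphs(text):
    """Letters only, J->I, split into pairs; an X separates doubled letters
    inside a pair and pads a trailing single letter."""
    letters = [c for c in text.upper().replace("J", "I") if c in ALPHABET]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            pairs.append(a + "X")
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def playfair(text, keyword, decrypt=False):
    """Playfair rules: same row -> letter to the right (left when decrypting);
    same column -> letter below (above); otherwise swap the columns of the
    two letters (the rectangle rule, which is its own inverse)."""
    sq = playfair_square(keyword)
    step = -1 if decrypt else 1
    out = []
    for a, b in playfair_digraphs(text):
        ra, ca = divmod(sq.index(a), 5)
        rb, cb = divmod(sq.index(b), 5)
        if ra == rb:
            out.append(sq[ra * 5 + (ca + step) % 5] + sq[rb * 5 + (cb + step) % 5])
        elif ca == cb:
            out.append(sq[((ra + step) % 5) * 5 + ca] + sq[((rb + step) % 5) * 5 + cb])
        else:
            out.append(sq[ra * 5 + cb] + sq[rb * 5 + ca])
    return "".join(out)


def worksheet_table(words=("CHED", "EDUCATION", "VIRTUAL", "UNIVERSITY", "COLLEGE"),
                    mono_keyword="SECURITY", playfair_keyword="MONARCHY"):
    """All three worksheet columns for each word, as (plain, caesar, mono, playfair)."""
    key = mono_key(mono_keyword)
    return [(w, caesar(w), monoalphabetic(w, key), playfair(w, playfair_keyword)) for w in words]


if __name__ == "__main__":
    for row in worksheet_table():
        print("{:<12}{:<14}{:<16}{}".format(*row))
```

Decrypting a Playfair ciphertext returns the padded text (an inserted X stays in), which is why the Playfair column is not a simple one-to-one mapping like the other two.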
Chapter 4
1. Discuss the importance of authentication in the advent of the new technology of today's generation.
 Authentication is important because it lets organizations keep their networks secure by permitting only authenticated users to access protected resources, which may include computer systems, networks, databases, websites and other network-based applications or services. Every later decision (authorization, logging, accountability) depends on knowing who is acting.
2. Discuss how a hash function works.
 A hash function is a mathematical function that maps input of arbitrary length to a fixed-length output, the hash value. A cryptographic hash must also be one-way (given a hash, it is infeasible to find an input that produces it) and collision-resistant (it is infeasible to find two different inputs with the same hash), and changing a single bit of the input changes the output unpredictably.
3. Enumerate the steps to hash plaintext using MD5 Hash Generator.

4. Describe the principal threats to the secrecy of passwords.
 Offline guessing against a stolen password file: the attacker obtains the file of password hashes and compares them against hashes of commonly used passwords (a dictionary attack) or of all short strings (brute force); a match yields a valid ID/password pair. Other threats are online guessing at the login prompt, reuse of one password on several sites, phishing, and keyloggers or sniffing of passwords sent in plaintext.
5. What are techniques used to protect a password file?
 Two common techniques: (a) store hashed passwords together with a per-user random salt, using a deliberately slow hash (bcrypt, scrypt, PBKDF2 or Argon2), so that precomputed tables are useless and every guess costs the attacker real work; and (b) access control on the password file itself, e.g. a shadow file readable only by root.
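The difference between the two storage choices in question 5 can be measured. The script below, an added example that is not part of the worksheet, runs the offline dictionary attack from question 4 against a constructed unsalted password file, then against the same passwords stored with a per-user salt and PBKDF2-HMAC-SHA256; the user names, passwords and wordlist are constructed for the illustration.

```python
"""Added example (not from the worksheet): an offline dictionary attack on an
unsalted password file, and the salted, slow hashing that removes the shortcut.
Users, passwords and the wordlist are constructed for illustration."""
import hashlib
import hmac
import os

# Constructed "stolen" password file from a naive system: one unsalted
# SHA-256 per user, so equal passwords give equal hashes.
UNSALTED_FILE = {
    "alice": hashlib.sha256(b"password123").hexdigest(),
    "bob": hashlib.sha256(b"letmein").hexdigest(),
    "carol": hashlib.sha256(b"Tr0ub4dor&3").hexdigest(),
}

# Constructed attacker wordlist; a real one holds millions of entries.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]


def dictionary_attack_unsalted(pwfile, wordlist):
    """Hash each candidate once, then match it against every user at the same
    time. The cost grows with the wordlist, not with the number of users."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in pwfile.items() if h in table}


# Hardened storage: per-user random salt plus PBKDF2-HMAC-SHA256.
ITERATIONS = 100_000  # raise until one verification costs ~100 ms on the server


def make_record(password, iterations=ITERATIONS):
    """Store salt and derived key; the salt may be public, the password never is."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "key": key, "iterations": iterations}


def verify(record, password):
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["key"])  # constant-time comparison


def build_salted_file(passwords, iterations=ITERATIONS):
    return {user: make_record(pw, iterations) for user, pw in passwords.items()}


def dictionary_attack_salted(pwfile, wordlist):
    """Same attack against salted records. Every (user, candidate) pair must be
    derived separately and each derivation costs `iterations` hash calls, so
    the work is |users| x |wordlist| x iterations instead of |wordlist|.
    Returns the cracked passwords and the number of hash calls spent."""
    found, work = {}, 0
    for user, record in pwfile.items():
        for w in wordlist:
            work += record["iterations"]
            if verify(record, w):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    print("unsalted:", dictionary_attack_unsalted(UNSALTED_FILE, WORDLIST))
    salted = build_salted_file({"alice": "password123", "bob": "letmein", "carol": "Tr0ub4dor&3"})
    found, work = dictionary_attack_salted(salted, WORDLIST)
    print("salted:", found, "hash calls spent:", work)
```

Salting does not make a weak password strong: alice and bob are still cracked, because their passwords are in the wordlist. What changes is that the attacker can no longer crack all users for the price of one pass over the wordlist, and each guess costs as many hash calls as the iteration count, which is why the count should be tuned as high as the login latency budget allows.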
6. Create strong passwords (give five examples)
 !LoveMyPiano
 d3ltagamm@
 i7ovemydog!!
 sn00pdoggyd0G
 d0gsaremybestfr13nds
o Note: all five are dictionary words or phrases with leetspeak substitutions, and password crackers apply exactly these substitution rules, so length matters more than symbol swaps. A long passphrase of four or more unrelated random words, or a random string generated by a password manager, is stronger than any of the above.
---------------------------------------------------------------------------------------------------------------------------------------
1. Describe the following diagram
 Users log in to a system once and, after being authenticated, are issued a token; they present that token to other services instead of entering their username and password again. The token proves to each service that the user has already been authenticated. Calling this a second layer of security is loose: a token is not by itself a second factor. Its benefit is that the password is typed once and never sent to the other services, and that a token can be given a short lifetime and be revoked.
2. What are the benefits of authentication tokens?
 The server does not have to store session state, which is good for scalability: any server that holds the verification key can check a token on its own. Tokens can also be scoped and time-limited, so a stolen token does less damage than a stolen password.
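The flow described in the two answers above, as an added example that is not part of the worksheet: after the password check the server issues a token it can later verify without any session store. The token format (base64url payload, a dot, base64url HMAC-SHA256 tag), the server key and the user names are assumptions made for this illustration; real deployments usually use a standard format such as JWT with the same ingredients.

```python
"""Added example (not from the worksheet): a minimal stateless bearer token.
The token format, the server key and the user names are assumptions."""
import base64
import binascii
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-example-key-do-not-reuse"  # in practice: random bytes from a secret store
TOKEN_TTL = 3600  # seconds a token stays valid


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, now=None, ttl=TOKEN_TTL, key=SERVER_KEY):
    """Run once, right after the username/password check succeeds. The server
    keeps nothing: everything it needs later is inside the token."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(tag)


def verify_token(token, now=None, key=SERVER_KEY):
    """Return the username for a genuine, unexpired token, else None.
    Order matters: check the MAC before trusting anything in the payload."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = unb64url(payload_b64), unb64url(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered: nobody without the key can compute the tag
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # expired: a stolen token has a bounded lifetime
    return claims["sub"]


def forge_token(token, new_username):
    """What an attacker can do without the key: rewrite the payload and keep
    the old tag. verify_token rejects the result."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(unb64url(payload_b64))
    claims["sub"] = new_username
    return b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + tag_b64


if __name__ == "__main__":
    t = issue_token("alice")
    print(t)
    print(verify_token(t))                        # alice
    print(verify_token(forge_token(t, "admin")))  # None
```

Because the payload is only authenticated, not encrypted, anything in it is readable by whoever holds the token; put identifiers in it, never secrets. Revocation before expiry needs a server-side deny list, which is the one piece of state this design gives up.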
---------------------------------------------------------------------------------------------------------------------------------------
1. Is biometric adoption really accelerating?
 The last five years have seen a rapid increase, not only in adoption, but also in the range of
market sectors and targeted consumer activities. Adoption of biometric technologies should
continue to accelerate and expand across all user domains and market sectors.
2. What types of biometrics are most popular, and in which industries?
 Iris Recognition
3. What are the trends in technology platform (e.g. mobile devices, laptops, on-site) for biometric
adoption?
 The first trend is multimodal biometric authentication, when not one biometric technology is
used, but several are used at once. The second is the use of a personal device as a biometric
access token.
4. Which market sectors show the most increase in biometrics?
 Face recognition is a versatile technology, which is expected to show rapid growth during the
forecast period owing to its high adoption in retail, defense and law enforcement, and consumer
electronics sectors.
5. Which types of consumer activity are targeted by businesses rolling out biometric authentication?
 The financial sector has seen an explosion in biometric use, with fingerprint scanners, voice
recognition, iris scanners and even heartbeat monitors used by customers to access accounts and
make purchases.
6. Do trends indicate future increase in the adoption of biometrics?
 Users can now utilize several different biometric measures, including retinal scanning and voice
recognition. In addition to the already popular fingerprint and face recognition technologies
7. List and briefly describe the principal physical characteristics used for biometric identification.
 Biometric systems use people's intrinsic physical characteristics to verify their identification. The
characteristics that can be used by biometric systems include fingerprints, facial identification
systems, voice recognition systems and in new developments
8. In the context of biometric user authentication, explain the terms enrollment, verification, and identification.
 Enrollment: each individual who is to be included in the database of authorized users is first enrolled; the biometric is captured, a template is derived from it and stored together with the user's identity. Verification: the user claims an identity (for example by entering a PIN or user ID) and presents the biometric at a sensor; the system compares the sample against that one stored template (a one-to-one match). Identification: the user presents only the biometric and the system searches the whole template database for a match (a one-to-many search).
---------------------------------------------------------------------------------------------------------------------------------------
1. Describe the following diagram
 Remote access is access to a computer or computer system from another location by means of a network connection. The scenario described is a remote-access scam: if the person went along with the call, the scammer would try to convince them to grant remote access to their computer.
Chapter 5

1. Which of the following is an unintentional threat to the security of computer?


 Networks
2. Your supervisor is very busy and asks you to log into the HR Server using her user-ID and password to retrieve some reports. What should you do?
 Decline, even though it is your boss. Sharing credentials defeats accountability (every action on the HR server would be logged as hers) and almost certainly violates the acceptable-use policy; ask her to retrieve the reports herself, or to have access to the HR server granted to your own account.
3. Scenario 1: We saw a case a while back where someone used their Gmail account at a computer lab on campus. She made sure her Gmail account was no longer open in the browser window before leaving the lab. Someone came in behind her and used the same browser to re-access her account. They started sending emails from it and caused all sorts of mayhem.
 What do you think might be going on here? Possible answers:
 Closing the Gmail tab does not end the session: the browser keeps the session cookie, so the next person who opens Gmail in that browser is simply still logged in. Most likely she never clicked Sign out. If she did sign out, another possibility is that the browser had saved her password, so the next user could log in with autofill. On a shared computer: always sign out, prefer a private/incognito window so cookies are discarded when it is closed, and clear browsing data (cookies and saved passwords, not just the cache) from the browser menu before leaving.
4. Scenario 2:
A student receives the following email from a help desk Dear ISU Student, beginning next week, we
will be deleting all inactive Gmail accounts in order to create space for more users. You are required to
send the following information in order to continue using your email account. If we do not receive this
information from you by the end of the week, your email account will be closed.
*Name (first and last):
*Email Login:
*Password:
*Date of birth:
*Alternate email:
Please contact the Webmail Team with any questions. Thank you for your immediate
attention.
 What should the student do?
This email is a classic example of "phishing": trying to trick you into "biting". They want your information. Don't respond to email, instant messages (IM), texts, phone calls, etc., asking you for your password or other private information. You should never disclose your password to anyone, even if they say they work for ISU or other campus organizations. A real help desk never needs your password, and a genuine notice would not be sent from a generic "Webmail Team" demanding it by reply.
If you receive phishing or spam in your Google email, report it
to Google: http://its.ucsc.edu/google/security.html#spam

---------------------------------------------------------------------------------------------------------------------------------------
I. IDENTIFICATION. Write the correct answer on the space provided.
RA 10173 1. This act shall be known as the Data Privacy Act of 2012.
RA 10175 2. Also known as the Cybercrime Prevention Act of 2012.
Nine 3. Determine the total number of chapters included in question no.1.
Eight 4. Determine the total number of chapters included in question no.2.
Sections 25 to 37 (Penalties) 5. In the Data Privacy Act of 2012, determine the provisions under Chapter VIII. (Section 28, Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes, is one of them.)
Consent 6. Refers to any freely given, specific and agrees to collection and processing of personal
information relating to him or her.
Data Subject 7. Refers to an individual whose personal information is processed.
Information and Communications System 8. Refers to a system for generating, sending, receiving, storing and
processing of electronic data.
National Privacy Commission 9. To administer and implement, monitor and ensure the provision of the act.
Chapter IV 10. Identify the chapters where rights of the data subject are enumerated.
Not less than (Php500,000.00) but not more than (Php2,000,000.00) 11. The unauthorized processing of
personal information shall be penalized by 1 to 3 years’ imprisonment and a fine of_____.
August 15, 2012 12. The date when R.A. 10173 was approved. (September 9, 2016 is the date its Implementing Rules and Regulations took effect.)
II. True or False. Write T if the statement if True and write F if the statement in false.
T 1. Access refers to the instruction, communication with, storing data in, retrieving data from, or
otherwise making use of any resources of a computer system or communication network.
T 2. Alteration refers to the modification or change, in form or substance, of an existing computer data or
program.
T 3. Communication refers to the transmission of information through ICT media, including voice, video
and other forms of data.
T 4. Computer refers to an electronic, magnetic, optical, electrochemical, or other data processing or
communications device, or grouping of such devices, capable of performing logical, arithmetic, routing, or
storage functions.
F 5. Computer program refers to any representation of facts, information, or concepts in a form suitable for processing in a computer system. (This is the definition of computer data.)
F 6. Computer data refers to a set of instructions executed by the computer to achieve intended results. (This is the definition of a computer program.)
T 7. Computer system refers to any device or group of interconnected or related devices, one or more of
which, pursuant to a program, performs automated processing of data.
T 8. Illegal Access is the access to the whole or any part of a computer system without right.
T 9. Illegal Interception is the interception made by technical means without right of any non-public
transmission of computer data to, from, or within a computer system including electromagnetic emissions from
a computer system carrying such computer data.
F 10. Cyber-squatting is the intentional or reckless alteration, damaging, deletion or deterioration of
computer data, electronic document, or electronic data message, without right, including the introduction or
transmission of viruses.
T 11. System Interference is the intentional alteration or reckless hindering or interference with the
functioning of a computer or computer network by inputting, transmitting, damaging, deleting, deteriorating,
altering or suppressing computer data.
F 12. Data Interference is the acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same, if such a domain name is: (This is the definition of cyber-squatting.)

III. MATCHING TYPE. Fill-in the missing words by matching Column A to Column B. Write the exact
word on the space provided.
1. R.A. no. 10173 AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN
INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE
PRIVATE SECTOR, CREATING FOR THE PURPOSE A NATIONAL PRIVACY
_______________________ COMMISSION AND FOR OTHER PURPOSES.
2. R.A. no. 10175 AN ACT DEFINING CYBERCRIME, PROVIDING FOR THE PREVENTION,
INVESTIGATION, SUPPRESSION AND THE IMPOSITION OF PENALTIES THEREFOR AND
FOR OTHER PURPOSES.
