
SUBMITTED BY: VIRENDER KUMAR

Home Work-2 CSE404: INFORMATION SECURITY & PRIVACY

Part A

Q1:- Explain the concept of risk management and risk analysis in detail.

Ans.- Risk analysis is the discipline of observing, understanding and evaluating the threats an organization faces; it depends on keen observation and on anticipating what could go wrong. Risk management is the ongoing process of identifying risks and implementing plans to address them, and it is the keystone of effective performance and of targeted, proactive responses to potential threats and incidents. Risk evaluation produces an organization-wide view of InfoSec risks and provides a baseline that can be used to focus mitigation and improvement activities. Many large organizations, to demonstrate their emphasis on risk management, employ staff in the post of Chief Risk Officer. Risk management is the skill of handling the identified risks in the way that best serves the organization's interests.

Risk is commonly described by the following formula:

Risk = threat * vulnerability * asset value

Here the threat factor expresses how likely a threat agent is to act, the vulnerability factor how likely that action is to succeed against the asset, and the asset value the loss if it does. In practice each factor is scored (for example on a 1-5 scale) and the products are used to rank the identified risks so that mitigation effort goes to the highest-scoring ones first. The following figure illustrates the process of risk analysis/risk management:
Figure: the risk analysis/risk management cycle. Its stages are: understand mission and security objectives; understand information protection requirements; evaluate the risk environment; define alternatives; decide on risk countermeasures; implement countermeasures; and then return to evaluating the risk environment, since the process is ongoing.

------------------------------------------------------------------------------------------------------
Q2: Which are the different natural disasters? Also discuss their controls.

Ans.- The main natural (and environmental) disasters and their controls are:

1. Fire: Fire damages information systems through heat, smoke, or the suppression agent itself (fire extinguishers, sprinkler water). Incidents in this category may be minor, major or catastrophic.
Controls: install smoke detectors near equipment, keep fire extinguishers near equipment and train employees in their proper use, and conduct regular fire evacuation exercises.

2. Environmental failure: Any interruption in the controlled environmental support (clean air, air conditioning, humidity and water control) provided to the operations centre. Since humans and computers do not co-exist well, it is good practice to keep them separate: many companies establish command centres for employees and a lights-out environment for the machines. Rooms containing computers should be kept at a reasonable temperature (about 60-75 °F, i.e. 16-24 °C) and at 20-70% relative humidity, and the environmental settings should be monitored continuously so that drift is noticed before equipment fails.

3. Earthquake: A violent ground motion resulting from stresses and movements in the earth's crust.
Controls: keep computers away from glass and off elevated surfaces, and in high-risk areas secure them with anti-vibration mountings.

4. Liquid leakage: Despite the best of care, small accidents happen at the hands of people working in offices and data centres. Liquid inundation includes burst or leaking pipes and accidental discharge of sprinklers.
Controls: keep liquid-proof covers near the equipment and install water detectors on the floor of the structure near the computer systems.

5. Lightning: An electric charge in the air can cause either a direct strike on the facility or surges owing to strikes on power transmission lines, transformers and substations.
Controls: install surge suppressors, store backups on grounded storage media, and install and regularly test uninterruptible power supplies (UPS) and diesel generators.

6. Electric interruption: A disruption in the electric power supply, especially one lasting longer than about 30 minutes, can have a serious business impact.
Controls: install and test a UPS (so that systems can shut down cleanly or ride through until generator power is available), install line filters to control voltage spikes, and install anti-static carpeting.

------------------------------------------------------------------------------------------------------
Q3: How can we provide security through cables and locks?

Ans.- When it comes to the physical security of IS, in addition to securing the campus it may be necessary to secure the individual computers, network equipment, disk drives and electronic media. One method of securing a workstation is an anchor pad: a metal pad with locking rods that is secured to the work surface, with the mating mechanism installed on the shell of the computer. These are available from many vendors. Many organizations use cables and locks: security cables are multi-strand, aircraft-type steel cables affixed to the workstation through a permanently attached plate, anchoring the workstation to the desk or another fixture. Disk locks are another way to secure a workstation. These small devices are quickly inserted into the diskette slot and lock out any other diskette from the unit, preventing booting from a diskette and infection by boot-sector viruses. Such locks deter opportunistic theft and tampering; they do not by themselves protect the data on a device that is nonetheless carried off, so they complement rather than replace logical controls.

------------------------------------------------------------------------------------------------------
Part B

Q4: Explain any three biometric techniques in detail.

Ans.- Three biometric techniques are:

1. Fingerprint: Fingerprint systems fall into two major categories, Automated Fingerprint Identification Systems (AFISs) and Fingerprint Recognition Systems (FRSs). AFIS is typically restricted to law-enforcement use.

Fingerprint recognition derives a unique template from the attributes of the fingerprint without storing the image itself or even allowing it to be reconstructed. For identification, the initial image is acquired by a live scan of the finger in direct contact with a reader, which may also check liveness attributes such as temperature and pulse. Because the finger actually touches the scanning surface, that surface becomes oily and clouded after repeated use, which reduces the sensitivity and reliability of optical scanners. Solid-state sensors overcome this and other technical hurdles because the coated silicon chip itself is the sensor: it uses electrical capacitance to sense the ridges of the fingerprint and creates a compact digital image, so it is less sensitive to dirt and oils. Fingerprint recognition is generally considered reliable enough for commercial use, and some vendors already market readers as part of local area network (LAN) login schemes.

2. Hand geometry: The essence of hand geometry is the comparative dimensions of the fingers and the locations of the joints; in other words, the shape of a person's hand is what is measured. This trait differs measurably among people and is therefore used in some biometric systems to verify a person's identity. (Fig.: hand geometry recognition system.)

A person places a hand on a device that has grooves for each finger. Reference marks on the plate allow the image to be calibrated, improving the precision of matching. The system compares the geometry of each finger, and of the hand as a whole, with the information in a reference file (the template) to verify that person's identity. Some systems perform simple 2D measurements of the palm of the hand; others construct a simple 3D image from which to extract template characteristics. Readers may find it interesting that one of the earliest automated biometric systems, Identimat, was installed at the Shearson-Hamill investment bank on Wall Street (Manhattan, NY, USA) in the late 1960s. It used hand geometry and stayed in production for almost 20 years. In one of the most popular descendants of the Identimat, a small digital camera captures top and side images of the hand.

3. Retinal scan: A retinal scanner reads the blood-vessel pattern of the retina at the back of the eyeball. This pattern is highly distinctive among people.

A camera projects a beam of light into the eye, captures the pattern and compares it with the previously recorded reference file. Retinal recognition thus creates an eye signature from the vascular configuration of the retina, an extremely consistent and reliable attribute with the advantage of being protected inside the eye itself. An image of the retina is captured by having the individual look through a lens at an alignment target. Diseases or injuries that would interfere with the retina are comparatively rare in the general population, so the attribute normally remains both consistent and consistently available.

------------------------------------------------------------------------------------------------------
Q5: Which are the various key success factors of biometrics?

Ans.- The key success factors of biometrics are:

1. Accuracy: The accuracy of a biometric system is an important and highly controversial aspect of selecting the right system. In practice, accuracy is sometimes the only metric by which a biometric system is selected. To compound the problem, accuracy tests are often not properly designed, and their results are not interpreted correctly or fairly. Three related measures are:

FAR: False accept rate or false match rate (FAR or FMR), the probability that the system wrongly matches an input pattern against a non-matching template; it measures the percentage of impostor inputs that are incorrectly accepted.

FRR: False reject rate or false non-match rate (FRR or FNMR), the probability that the system fails to detect a match between the input pattern and the matching template in the database; it measures the percentage of valid inputs that are incorrectly rejected.

EER/CER: Equal error rate or crossover error rate, the rate at which the accept and reject errors are equal. It is read off the ROC curve at the point where FAR and FRR have the same value, and it is a quick way to compare devices with different ROC curves: in general, the device with the lowest EER is the most accurate. Both FAR and FRR depend on the decision threshold; lowering the threshold reduces FRR but raises FAR, and vice versa, so a deployed system is operated at whichever point on the curve suits its security needs, not necessarily at the EER.

2. Speed and throughput rate: The speed and throughput capability of the system must meet the needs of the user. If a biometric is perfect in every other aspect but the system can perform only one biometric match per hour when you need 100 per hour, the biometric is essentially useless for your purposes.

3. Acceptability by users: How well the population using the system accepts the method by which the biometric feature is captured. For example, does the majority of the user population accept or reject having their fingerprints captured on a glass surface? What is the acceptance of a retinal scan, which involves projecting a beam of light through the pupil to illuminate the retina? In some applications population acceptance may not be an issue; for instance, the possibility that persons under arrest object to placing a finger on a glass surface is of no consequence.

4. Repeatability: The repeatability of the biometric scan. If slight variations in the surrounding environment significantly change subsequent scans, the biometric may be useless for comparison against an existing database of previous scans. Repeatability must also be measured over time: does the biometric scan of a person still match the same individual one, two, or more years later?

5. Practicality: The practicality of the biometric capture method. If obtaining a biometric measurement is overly complicated or cumbersome, the system will not find favour with users and will quickly fall out of use.

6. Discrimination: How well the biometric data distinguishes any two individuals. If the biometric being measured does not differ in any measurable way between different individuals, it is useless for most purposes. Discrimination also covers the amount of information a biometric scan yields. If the range of data content for a measurement is very low, there is only a limited number of distinct data states; the database of previous scans is then limited to that number of entries, and once it is reached, the next individual enrolled will effectively duplicate an already-enrolled individual.

7. Cost effectiveness: The cost effectiveness of the biometric system is always an important consideration. Can the design goal of a biometric system be met for less money with a low-technology solution? For instance, is the cost of paying for armed guards at high-security entry points less than the cost of a fully installed system that is just as effective as the armed personnel?

8. Response time: The response time of the biometric comparison (search), measured from the moment the biometric is scanned or captured to the moment the comparison result is returned (including a validation step, if required), is an important consideration when designing or selecting a biometric system. If the response time is too high, the system may be of no use.

---------------------------------------------------------------------------------------------------
Q6: Explain the concept of intrusion detection system in detail.

Ans.- An intrusion detection system (IDS) inspects inbound and outbound network activity (and, for a host-based IDS, events on the monitored host). It is set up to identify suspicious activity patterns that may indicate a network or system attack: traffic matching patterns known to be used in attacks, or activity that departs from the normal behaviour of the network, can signify someone attempting to break into the network or to compromise a system.

An IDS can be a hardware- or software-based security service that monitors and analyses network traffic or system events in order to find, and to give real-time or near-real-time warning of, events that its configuration identifies as attempts to access system resources in an unauthorized manner. Detection is driven by two kinds of configuration: signatures, which describe known attack patterns (for example a specific malicious payload), and an anomaly baseline, which describes normal behaviour so that unusual patterns, such as one source connecting to many ports in quick succession, can be flagged. An IDS reports and alerts; it does not by itself remove the weaknesses that the detected attacks target. That is the job of separate network vulnerability scanners, of which a number of good tools are available in the market: these probe network ports to assess whether a potential vulnerability is exposed, and their findings complement IDS alerts rather than being the source of them.
-------------------------------------------------------------------------------------------------------
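The FAR, FRR and EER measures discussed under the accuracy factor in Q5 above are easiest to understand on concrete numbers. The following Python is a worked example added here; it is not code from the homework or from any biometric vendor. The genuine and impostor match scores are constructed for illustration, and the 0-100 similarity scale and the choice of testing every integer threshold are assumptions.

```python
"""Added worked example: FAR, FRR and the equal error rate (EER) computed
from match scores. All scores below are constructed for illustration; a real
evaluation would use thousands of genuine and impostor comparisons."""
from typing import Iterable, List, Tuple

# Constructed comparison scores on an assumed 0..100 similarity scale
# (higher = more similar). Genuine: a user's finger against their own template.
# Impostor: a user's finger against somebody else's template.
GENUINE_SCORES: List[float] = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]
IMPOSTOR_SCORES: List[float] = [12, 18, 25, 31, 38, 44, 52, 58, 63, 71]


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """FRR (FNMR): fraction of genuine attempts scoring below the accept threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """FAR (FMR): fraction of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def roc_points(genuine: List[float], impostor: List[float],
               thresholds: Iterable[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for every candidate threshold: the points of the ROC curve."""
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in thresholds]


def equal_error_rate(genuine: List[float], impostor: List[float],
                     thresholds: Iterable[float]) -> Tuple[float, float]:
    """EER (CER): the threshold where FAR and FRR cross.
    With a finite sample the two rates may never be exactly equal, so take the
    threshold with the smallest |FAR - FRR| and report their mean as the EER."""
    best_gap, best_t, best_eer = None, None, None
    for t, far, frr in roc_points(genuine, impostor, thresholds):
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_eer = gap, t, (far + frr) / 2
    return best_t, best_eer


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          thresholds: Iterable[float], max_far: float) -> Tuple[float, float]:
    """Pick an operating point: the lowest threshold (thresholds ascending) whose
    FAR <= max_far, together with the FRR that choice costs. A deployed system is
    run at a point like this, not necessarily at the EER."""
    for t, far, frr in roc_points(genuine, impostor, thresholds):
        if far <= max_far:
            return t, frr
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    ths = range(0, 101)
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, ths)
    print(f"EER {eer:.2f} at threshold {t}")
    t, frr = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, ths, 0.0)
    print(f"zero false accepts needs threshold {t}, costing FRR {frr:.2f}")
```

With these constructed scores the two rates cross at threshold 64 with an EER of 0.10, while demanding zero false accepts pushes the threshold to 72 and rejects 30% of genuine users: exactly the trade-off between security and user acceptance that the accuracy factor describes, and the reason an EER quoted by a vendor says little about how the device behaves at the threshold you actually deploy.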
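To make the signature versus anomaly distinction in the IDS answer concrete, here is a minimal network IDS in Python, added as an example; it is not code from the homework and not the internals of any real IDS product. The connection records, the three signature strings, and the port-scan rule (at least 10 distinct destination ports from one source within 60 seconds) are all constructed assumptions for illustration.

```python
"""Added example: a minimal IDS applying signature rules and an anomaly
heuristic to constructed connection records. Illustrative only."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Conn:
    ts: int        # epoch seconds
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port
    payload: str   # first bytes of the application payload ("" if none)


# Signature rules (constructed): byte patterns known to appear in attacks.
SIGNATURES: Dict[str, str] = {
    "path-traversal": "../../",
    "web-shell-probe": "cmd.exe",
    "sql-injection": "' OR 1=1",
}

# Anomaly heuristic (assumed thresholds): a port scan is one source touching
# at least SCAN_PORT_THRESHOLD distinct destination ports within SCAN_WINDOW seconds.
SCAN_WINDOW = 60
SCAN_PORT_THRESHOLD = 10


def match_signatures(conn: Conn) -> List[str]:
    """Names of every signature whose pattern appears in the connection payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in conn.payload]


def detect_port_scans(conns: List[Conn], window: int = SCAN_WINDOW,
                      threshold: int = SCAN_PORT_THRESHOLD) -> List[Tuple[str, int]]:
    """(src, peak distinct ports) for every source whose peak number of distinct
    destination ports inside any `window`-second span reaches the threshold."""
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_src[c.src].append(c)
    alerts: List[Tuple[str, int]] = []
    for src, events in by_src.items():
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window:   # slide window forward
                start += 1
            peak = max(peak, len({e.dport for e in events[start:end + 1]}))
        if peak >= threshold:
            alerts.append((src, peak))
    return alerts


def run_ids(conns: List[Conn]) -> List[dict]:
    """Signature alerts first (one per matching connection), then anomaly alerts (one per source)."""
    alerts: List[dict] = []
    for c in conns:
        for rule in match_signatures(c):
            alerts.append({"type": "signature", "rule": rule, "src": c.src, "ts": c.ts})
    for src, ports in detect_port_scans(conns):
        alerts.append({"type": "anomaly", "rule": "port-scan", "src": src, "ports": ports})
    return alerts


# Constructed traffic sample (documentation addresses from RFC 5737).
SAMPLE_CONNS: List[Conn] = (
    # a normal client: three HTTPS connections to the same port
    [Conn(1000 + i * 30, "192.0.2.10", "192.0.2.80", 443, "") for i in range(3)]
    # a scanner sweeping eleven ports over 20 seconds
    + [Conn(1000 + i * 2, "198.51.100.7", "192.0.2.80", p, "")
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389])]
    # one HTTP request carrying a directory-traversal attempt
    + [Conn(1050, "203.0.113.5", "192.0.2.80", 80, "GET /../../etc/passwd HTTP/1.1")]
)

if __name__ == "__main__":
    for alert in run_ids(SAMPLE_CONNS):
        print(alert)
```

On the constructed sample the detector raises two alerts: a signature hit on the traversal request and an anomaly alert naming the scanning source, while the normal client produces nothing. Note what the example does not do: it never probes the hosts for weaknesses. That is the role of a vulnerability scanner, which is a different tool from the IDS that watches the traffic.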
