Home Work-2
CSE404: INFORMATION SECURITY & PRIVACY

Part A

Q1:- Explain the concept of risk management and risk analysis in detail.

Ans.- Risk analysis is the science of observation, knowledge and evaluation, that is, of keen eyesight, anticipation and similar skills. Risk management is the keystone of effective performance and of targeted, proactive responses to potential threats and incidents. Risk management is the ongoing process of identifying risks and implementing plans to address them. Risk evaluation is a process that generates an organization-wide view of InfoSec risks; it provides a baseline that can be used to focus mitigation and improvement activities. Many large organizations, to demonstrate their emphasis on risk management, employ staff in the post of Chief Risk Officer. Risk management is the skill of handling the identified risks in the best possible manner for the interests of the organization. Risk is described by the following formula:

Risk = threat * vulnerability * asset value

The following figure illustrates the process of risk analysis/risk management:
[Figure: the risk analysis/risk management process, with the labelled steps "Understand mission and security objectives", "Understand information protection requirements", "Define alternatives", "Decide on risk countermeasures" and "Implement countermeasures".]
------------------------------------------------------------------------------------------------------
Q2: What are the different natural disasters? Also discuss their controls.

Ans.- The different natural disasters and their controls are as follows:
1. Fire: Fire affects information systems (IS) through heat, smoke or suppression-agent damage (e.g., from fire extinguishers and water). This threat category can be minor, major or catastrophic.
Controls: install smoke detectors near equipment, keep fire extinguishers near equipment, train employees in their proper use and conduct regular fire evacuation exercises.

2. Environmental Failure: This is a type of disaster that includes any interruption in the supply of controlled environmental support provided to the operations centre.
Controls: environmental controls include clean air, air conditioning, humidity and water controls. Since humans and computers do not co-exist well, it is good to keep them separate; many companies are establishing command centres for employees and a lights-out environment for the machines. It is also essential to keep all rooms containing computers at reasonable temperatures (60-75 degrees F or 10-25 degrees C). Humidity levels are advised to be kept at 20-70%, and environmental settings should be monitored.

3. Earthquake: A violent ground motion that results from stresses and movements of the earth's surface.
Controls: keep computers away from glass and elevated surfaces and, in high-risk areas, secure the computers with anti-vibration devices.

4. Liquid leakage: In spite of the best care taken, small accidents can happen at the hands of individuals working at office premises and data centres. Liquid inundation includes burst or leaking pipes and accidental discharge of sprinklers.
Controls: keep liquid-proof covers near the equipment and install water detectors on the structure's floor near the computer systems.

5. Lightning: An electric charge in the air can cause either direct lightning strikes to the facility or surges owing to strikes on electric power transmission lines, transformers and substations.
Controls: install surge suppressors, store backups in grounded storage media, and install and test uninterruptible power supplies (UPS) and diesel generators.

6. Electric interruption: A disruption in the electric power supply, usually lasting longer than 30 min, can have a serious business impact.
Controls: install and test UPS, install line filters to control voltage spikes and install anti-static carpeting.

------------------------------------------------------------------------------------------------------
Q3: How can we provide security through cables and locks?

Ans.- When it comes to the physical security of IS, in addition to securing the campus, it may be necessary to secure the computers, networks, disk drives and electronic media. One method of securing a workstation is with an anchor pad, a metal pad with locking rods secured to the surface of the workstation; the mechanism is installed on the shell of the computer. These are available from many vendors. Many organizations use cables and locks. Security cables are multi-strand, aircraft-type steel cables affixed to the workstation with a permanently attached plate that anchors the security cable to the desk or other fixture. Disk locks are another way to secure the workstation. These small devices are quickly inserted into the diskette slots and lock out any other diskette from the unit; they can prevent booting from diskette and infection from viruses.

------------------------------------------------------------------------------------------------------
Part B

Q4: Explain any three biometric techniques in detail.

Ans.- Three biometric techniques are as follows:

1. Fingerprint: Fingerprint systems fall into two major categories: Automated Fingerprint Identification Systems (AFISs) and Fingerprint Recognition Systems (FRSs). AFIS is typically restricted to law-enforcement use.
Fingerprint recognition derives a unique template from the attributes of the fingerprint without storing the image itself or even allowing for its reconstruction. Fingerprint recognition for identification acquires the initial image through a live scan of the finger by direct contact with a reader device that can also check for validating attributes such as temperature and pulse. Since the finger actually touches the scanning device, the surface can become oily and cloudy after repeated use, which reduces the sensitivity and reliability of optical scanners. Solid-state sensors overcome this and other technical hurdles because the coated silicon chip itself is the sensor. Solid-state devices use electrical capacitance to sense the ridges of the fingerprint and create a compact digital image, so they are less sensitive to dirt and oils. Fingerprint recognition is generally considered reliable enough for commercial use, and some vendors are already actively marketing readers as part of local area network (LAN) login schemes.

2. Hand geometry: The essence of hand geometry is the comparative dimensions of the fingers and the locations of the joints. Basically, hand geometry measures the shape of a person's hand. This is a trait that differs significantly among people and hence is used in some biometric systems to verify the ID of people. (Figure: hand geometry recognition system.)
A person places his hand on a device that has grooves for each finger. Reference marks on the plate allow calibration of the image to improve the precision of matching. The system compares the geometry of each finger, and of the hand as a whole, to the information in a reference file (called the template) to verify that person's ID. Some systems perform simple 2D measurements of the palm of the hand; others attempt to construct a simple 3D image from which to extract template characteristics. Readers may find it interesting to note that one of the earliest automated biometric systems, Identimat, was installed at the Shearson-Hamill investment bank on Wall Street (Manhattan, NY, USA) during the late 1960s. It used hand geometry and stayed in production for almost 20 years. In one of the most popular descendants of the Identimat, a small digital camera captures top and side images of the hand.

3. Retinal scan: A retinal scan system reads a person's retina to scan the blood-vessel pattern of the retina at the back of the eyeball. This pattern is known to be highly distinctive among people.
A camera is used to project a beam inside the eye, capture the pattern and compare it to the reference file recorded previously. Thus, retinal recognition creates an eye signature from the vascular configuration of the retina, an extremely consistent and reliable attribute with the advantage of being protected inside the eye itself. An image of the retina is captured by having the individual look through a lens at an alignment target. Diseases or injuries that would interfere with the retina are comparatively rare in the general population, so the attribute normally remains both consistent and consistently available.

------------------------------------------------------------------------------------------------------
Q5: What are the various key success factors of biometrics?

Ans.- Key success factors of biometrics:
2. Speed and Throughput Rate: The speed and throughput capability of the system must meet the needs of the user. If a biometric is perfect in every other aspect, but the system can only perform one biometric-based match per hour whereas you need to do 100 per hour, then the biometric is essentially useless for your purposes.

3. Acceptability by users: The acceptance of the biometric feature capture method by the population using the system. For example, does the majority of the user population accept or reject having their fingerprints captured on a glass surface? Or, what is the acceptance of a retinal scan that involves projecting a laser light through the pupil of the eye to illuminate the retina? In some applications, population acceptance may not be an issue; for instance, the possibility that persons under arrest may object to having their finger placed on a glass surface may be of no consequence.

4. Repeatability: The repeatability of the biometric scan. If only slight variations in the nearby environment significantly change subsequent scans, the biometric could be useless for comparison against an existing target database of previous scans. Repeatability must also be measured over time: does the biometric scan of a person still match the same individual one, two or more years later?

5. Practicality: The practicality of the biometric capture method. If obtaining a biometric measurement is overly complicated or cumbersome, the system will not find favour with the users and will be quickly dropped from use.

6. Discrimination: The discrimination of biometric data between any two individuals. If the biometric being measured does not differ in any measurable way between different individuals, the biometric is useless for most purposes. The concept of discrimination can be expanded to include the amount of data that is obtained by a biometric scan. If the range of data content for a biometric measurement is very low, there will be a limited number of unique data states, or possibilities; in this case, the target database of previous scans is limited to a low number and, once this number is reached, the next individual added to the database will effectively duplicate an already-enrolled individual.
The IDS can be a hardware- or software-based security service that monitors and analyses system events for the purpose of finding, and providing real-time or near-real-time warning of, events that are identified by the network configuration as attempts to access system resources in an unauthorized manner. Typically, the monitoring and warning is done by examining network vulnerability scans. There are a number of good network vulnerability tools available in the market. Essentially, network ports are scanned to assess whether any potential vulnerability can be seen.
-------------------------------------------------------------------------------------------------------