
Module Code: CSM202

Student Name: Chandra Bahadur Tharu

Student ID: 1801T3100137

Table of Contents

Chapters (page numbers)

1. Question 1 (2-6)
   a. Evaluate security risk and consequences (2)
   b. Perform asset value analysis (2)
   c. Discuss the potential threats (3)
   d. Analyze potentially malicious or harmful activities (4)
   e. Analyze high-level vulnerabilities (5)
   f. Discuss the security goals (6)
2. Question 2 (6-7)
   a. Usability/Ergonomics Testing (6)
   b. Performance Testing (7)
   c. Vulnerability Testing (7)
3. Question 3 (7-9)
   i. Three phases of OCTAVE (7-8)
      a. Build Assets-Based Threat Profiles (7)
         To Identify Senior Management Knowledge (7)
         To Identify Operational Area Management Knowledge (7)
         To Identify Staff Knowledge (7)
         To Create Threat Profiles (7)
      b. Identify Infrastructure Vulnerabilities (8)
         Evaluate Selected Components (8)
         Identify Key Components (8)
      c. Develop Security Strategy and Plans (8)
         Conduct Risk Analysis (8)
         Develop Protection Strategy (8)
   ii. Applying OCTAVE (9)
4. Question 4 (9-10)
   a. Approach 1: Taint checking (9)
   b. Approach 2: Pair Programming (10)
   c. Approach 3: API handling (10)
5. Question 5 (11-12)
   a. Fixing the root node (11)
   b. Other leaf nodes (12)
6. Question 6 (12)
   a. Use 1: ApacheBench (12)
   b. Use 2: Selenium (12)
7. References (13-15)
8. Turnitin Report (16)

College: Informatics College, Kamal Pokhari, Kathmandu, Nepal Page 1 of 20

1. Answer

a. Security risk can be defined as the coincidence of threats acting on vulnerabilities to cause negative and harmful impacts on an objective of the organisation that must be kept secure and safe. It is identified by looking at potential sources of risk and at when, where, why and how the risks may occur. The consequences are:

Security risk is caused by failure of software, network hardware and computers. Overall, weak security leads to several negative impacts, including loss of financial and material assets. Social engineering, targeted phishing and malware attacks on call-centre staff obtain unauthorised access to personal data, which fraudsters then exploit for identity theft.

To control this, information security awareness, training and education help people understand and fulfil their security obligations: motivating them to do the secure thing and avoid the insecure one, creating a security culture, using secure hardware and software, maintaining skilful human resources, and so on.
b. Asset value analysis plays a very important role in a secure security system: it means that the budget is spent efficiently on the assets and requirements that are actually necessary. Weaknesses in security measures and assets cause negative impacts on an organisation such as financial loss, damage to reputation and loss of customer confidence. Assets like the internet and networking require new security measures and policies to reduce the threats and challenges inherent in new technologies, applications and network devices. They must be kept safe so that they perform their tasks in the correct order and keep security under control. Since the network and its subsystems are the major point of attack against the system, they should be considered as special cases rather than combined with general hardware/software components. Likewise the manpower or human resource must be skilful enough to handle the hardware. An organisation must analyse its asset values and threats because it faces problems from both inside and outside attacks. Hence performing asset value analysis is one of the major parts of a security risk management system.


c. A potential threat is an unwanted event that causes an adverse effect on security systems and resources by exploiting vulnerabilities in computer systems and servers. Nyanchama (2005) defines it as "threats take advantage of vulnerabilities to cause damage or loss", and Johnson (2008) as "a threat is an indication of impending danger or harm". Threats may come from insiders or outsiders, and may be any object or entity that is dangerous for assets and users, so an organisation must build a well-managed security system. Threats are usually divided as follows:

Natural: threats like fire, water, plagues, earthquakes, etc.

Unintentional: natural threats that cause loss of utility services and failures in equipment through fire, water, building damage, etc.

Intentional Physical: an insider or outsider harms the system knowingly, by bombs, fire, building damage, theft of documents or equipment, etc.

Intentional Non-Physical: insider or outsider threats such as fraud, social engineering, phishing attacks, denial-of-service (DoS) attacks, hacking, identity theft, malicious code, espionage, etc.

Threats are also divided into further categories with examples in the table below. [Table not reproduced]


d. Potentially malicious or harmful activities increase frequently through email infection and cause security damage to a computer system and its network. Malicious code carries out harmful activities such as gaining unauthorised access privileges (trapdoor), disclosing sensitive information (covert channel), exhausting system resources (worm) and infecting normal programs (virus), as well as Trojan horses, time/logic bombs, etc. Hackers with a malicious goal will not stop the intrusion process until they achieve their objectives, even if the vulnerabilities they exploited are removed. Similarly, in terms of HTTP, malicious attackers attack the HTTP servers, so the servers represent a first line of defence that, if bypassed, can compromise the integrity, confidentiality and availability attributes of enterprise security. Their main purposes are to destroy files, steal information, etc., so a powerful firewall must be managed to monitor and control traffic, including traffic that originates from inside the protected network or host.

Fig: Malicious Code Injection Path


e. A vulnerability is a weak point of an information system that can lead to attacks: modification, harm, interruption, destruction, disclosure and interception. Attacks on a system are also taken as a sign of vulnerability.

Destruction: takes place if hardware, software or information is destroyed with malicious intent.

Modification: takes place if unknown or unauthorised users change the information on a server system or computer.

Interruption: takes place if the entire network is disturbed or becomes unavailable for access, e.g. a Denial-of-Service (DoS) attack.

Interception: takes place if unknown or unauthorised users copy information that is held on the computer/server system or that is in transmission.

Disclosure: takes place if unauthorised users access the information system and damage important documents. Unauthorised disclosure has a serious impact on maintaining the security and privacy of the system (Dhillon). Vulnerabilities are also divided into several kinds, such as administrative, physical and technical vulnerabilities. Vulnerability assessment deals with identifying flaws and weaknesses that could possibly be exploited by threats (Dhillon).


f. Security goals are the preventive measures an organisation takes to protect its assets, documents, human power, hardware and software from different threats, malicious coders/attackers, vulnerabilities, etc. Here we measure them and create an efficient policy as the solution. The three important aspects of a security-related system are confidentiality, integrity and availability.

Confidentiality: only authorised persons can access assets, which means obtaining information by studying, viewing or printing it and knowing secret assets/documents. It is often known as secrecy or privacy.

Integrity: only authorised persons can access assets and modify them in authorised ways, which includes writing, changing, deleting, changing status and creating.

Availability: authorised parties can access assets/objects within the proper time periods.

2. Answer

a. Usability / Ergonomics Testing is a technique for ensuring that system users can carry out the proposed tasks in an efficient and satisfying way. It is sufficient to identify problems with the information architecture and all issues of design. It is used for its designed purpose but not for a human-centred design process. A usability assessment program can decide any of the following:

Comfort and fit
Weight and balance of the product
Ease of use of the product controls
Accuracy and clarity of diagrams and instructions
Usefulness of special features and accessories


b. Performance Testing: determining the accuracy and speed of computers, networks, software and devices is performance testing. It helps to measure response times and the number of MIPS (millions of instructions per second), wrong pathways, failures to find content, etc. Scalability, reliability and interoperability are also measured here, and it is done together with stress testing. The main purpose of performance testing is to detect failures in security test plans by knowing the above measures. Similarly, it is used as a diagnostic aid in locating communication bottlenecks.

c. Vulnerability Testing: a vulnerability is defined as a software defect or weakness in a security system that might be exploited by malicious users to cause loss or harm. Vulnerability testing is a process scheduled on the basis of the impact on the system and its score; all vulnerability scores are the results of the last vulnerability tests. The testing assessment helps to estimate structural and functional changes caused by defective components or materials in the network, scan the architecture of the network, report and delete vulnerabilities, and suggest how to remediate them.

3. OCTAVE is an approach to information security risk evaluation that is comprehensive, systematic, context-driven and self-directed. The approach is embodied in a set of criteria that defines the essential elements of an asset-driven information security risk evaluation (Alberts 2001a).

i. The three phases of OCTAVE are:

a. Build Asset-Based Threat Profiles: this is an evaluation of the organisation itself. Both the business and the IT department analyse which assets are most important to the organisation and what types of activities can be done to protect them. The necessary processes are:

To Identify Senior Management Knowledge: this process classifies and recognises all essential assets, current security practices and requirements, and the perceived threats and vulnerabilities of the organisation.


To Identify Operational Area Management Knowledge: this process also identifies all the important assets, current security practices and their requirements, vulnerabilities and visible threats.

To Identify Staff Knowledge: selected general and IT staff members who have knowledge about the important assets, current security requirements, threats and vulnerabilities identify them.

To Create Threat Profiles: the analysis team finds all the significant information by refining the results of Processes 1 to 3 and finally creates a profile from them.

b. Identify Infrastructure Vulnerabilities: this phase measures the whole information infrastructure and finds the key components whose weaknesses could lead to unauthorised actions against critical assets. Its processes are:

Identify Key Components: the key information systems and components of every critical asset are identified, so that specific instances are chosen for evaluation.

Evaluate Selected Components: the key systems and components are analysed for technology weaknesses, so vulnerability tools are used.

c. Develop Security Strategy and Plans: this phase identifies the risks to the organisation's assets and finds suitable solutions by collecting information about them. Its processes are:

Conduct Risk Analysis: this identifies the impacts of threats on critical assets and other vulnerabilities, so that it creates a risk profile for all critical assets.

Develop Protection Strategy: here the protection strategy/policy is created for the organisation so that risks can be troubleshot easily according to the risk profile.


ii. To apply OCTAVE, the following points must be included:

The way in which risk assessment information is gathered must fit the organisational context.
Documents that are prepared should use an appropriate level of detail and context-specific terminology.
Threats considered within the analysis steps must be consistent with those considered appropriate to the organisation.
The catalogue of security practices used to assess risk must address the regulatory and accepted security practices for the organisational domain.
The risk improvement profile that is created must fulfil the organisation's needs and specific objectives.
Determine and evaluate the potential consequences to the organisation if threats are realised.


4. Answer

Three approaches to code review for projects both large and small are described below.

a. Approach 1: Taint checking is used to increase security by preventing malicious users from executing commands on the host computer. It is a feature available in only some programming languages (Perl and Ruby), and it can be turned on to build a safety wall around dangerous inputs. It checks website-related risks where attackers use buffer overflow and SQL injection approaches. It is a blacklist-style approach because it flags certain risky values. The taint checking tool follows all variables until it has a complete list of those that can probably be controlled by outside input. So if any such variable is used to execute a dangerous command, such as a direct command to the SQL database or to the operating system of the host computer, the taint checking tool warns about the dangerous variable and contributes a secure wall around it.
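A minimal taint tracker of the kind described above, added here as an illustration (it is not code from the coursework, nor Perl's or Ruby's own implementation); the class and function names are my own. It marks external input, keeps the mark through string operations, and makes the SQL and OS-command sinks refuse tainted text unless a validator has cleared it.

```python
"""Toy taint tracker in the style of Perl/Ruby taint mode. Added illustration,
not code from the coursework; every name here is my own. Data from outside the
program is wrapped as Tainted, string operations keep the mark, and a sink
(SQL text, OS command) refuses tainted text unless a validator has cleared it."""


class TaintError(Exception):
    """Raised when tainted data reaches a dangerous sink or fails validation."""


class Tainted(str):
    """A str that remembers it came from outside the program."""

    def __new__(cls, value, source="external input"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    def __radd__(self, other):  # "literal" + tainted -> tainted
        return Tainted(str.__add__(str(other), self), self.source)


def _propagate(name):
    """Wrap a str method so that any string it returns inherits the taint."""
    base = getattr(str, name)

    def method(self, *args, **kwargs):
        result = base(self, *args, **kwargs)
        return Tainted(result, self.source) if isinstance(result, str) else result

    return method


# tainted + x, slicing and clean-ups stay tainted (f-strings/format would not).
for _name in ("__add__", "__mul__", "__getitem__", "strip", "lower", "upper", "replace"):
    setattr(Tainted, _name, _propagate(_name))


def sql_execute(statement, params=()):
    """SQL sink: the statement text must be untainted. Bound parameters may be
    tainted, as the driver sends them separately and never as SQL text.
    Returns what would be sent instead of executing anything."""
    if isinstance(statement, Tainted):
        raise TaintError(f"tainted SQL text from {statement.source}: {statement!r}")
    return str(statement), tuple(params)


def os_command(argv):
    """OS-command sink: every argv element must be untainted."""
    for arg in argv:
        if isinstance(arg, Tainted):
            raise TaintError(f"tainted argument from {arg.source}: {arg!r}")
    return [str(a) for a in argv]


def untaint_username(value):
    """Validator: a short lowercase alphanumeric name passes and comes back as a
    plain str (Perl untaints with a regex capture); anything else is rejected."""
    if 1 <= len(value) <= 32 and set(value) <= set("abcdefghijklmnopqrstuvwxyz0123456789_"):
        return str(value)
    raise TaintError(f"value from {getattr(value, 'source', 'unknown')} rejected: {value!r}")


def naive_lookup(name):
    """Concatenation: the whole statement is tainted, so the sink refuses it."""
    return sql_execute("SELECT id FROM users WHERE name = '" + name + "'")


def safe_lookup(name):
    """Parameterised statement: the SQL text is a literal, the value is bound."""
    return sql_execute("SELECT id FROM users WHERE name = ?", (name,))


def list_home_dir(user):
    """OS command whose only variable part has passed the validator."""
    return os_command(["ls", "/home/" + untaint_username(user)])


def blocked(action):
    # True when the checker stops `action` (a zero-argument callable).
    try:
        action()
    except TaintError:
        return True
    return False
```

The sinks refuse input because of its origin, not its content: a perfectly ordinary name is still rejected when it reaches the SQL text by concatenation, while the same value is accepted as a bound parameter or after validation.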

b. Approach 2: Pair Programming and Review is a technique of agile software development in which two programmers work together at the same workstation. One writes the code and the other reviews it as it is written; they are called the driver and the observer/navigator respectively. All the programmer's mistakes are corrected and reviewed by the observer while coding, which makes the work error-free, so pairing is always efficient. The navigator/observer also plans and guides the direction of the work, provides ideas to troubleshoot upcoming problems, and leaves the driver free to code and complete the task without any tension. The Economist (September 20, 2001) noted: "Laurie Williams of the University of Utah in Salt Lake City has shown that paired programmers are only 15% slower than two independent individual programmers, but produce 15% fewer bugs. Since testing and debugging are often many times more costly than initial programming, this is an impressive result."

c. Approach 3: API (Application Programming Interface) handling. When an application program communicates with the operating system, a control program such as a DBMS, a communications protocol, etc., it uses the language and message format defined by the API. It is executed by writing function calls in the program, which link to subroutines. Looking up error messages and codes, applying logic for password expiry, system maintenance, networking systems, etc. are examples of such functions. For example, an API can be used as the web service interface for the mapping service of Google. The API explains how programmers use particular features of a computer. It uses both a GUI and a CUI as its interface to an OS or program. "Building an application with no APIs is basically like building a house with no doors. The API for all computing purposes is how you open the blinds and the doors and exchange information." (Josh Walker, an analyst at Forrester Research Inc. in Cambridge, Mass.) So if any application is made without an API, it is weak/insecure and attackers can easily attack it.

5. Answer

Attack Tree: an attack tree is a process for analysing security systems and subsystems. It helps us to think about security, to capture and reuse security expertise, and to take action on changes in the system. It therefore provides a platform for understanding security in a more efficient way, which is why we say "Security is not a product, it's a process."

i) Fixing the root node: here I have created an attack tree with obtaining the username/password of the system as the goal.

Passwords should mix numbers, symbols and capital/small letters and should not be a widely used name, to avoid guessing.
Every password must be typed as asterisks, hashes or full stops, and text/written form must be avoided.
Default settings, passwords and usernames must be changed and customised.
Observation of the password through a camera or by an outsider should be banned.
System applications must be checked from time to time so that no harmful activities can be carried out.

Fig: Attack Tree

ii) Other leaf nodes:

We can obtain passwords in different ways, such as observing the password, using the default password, guessing or learning it, etc. In an attack tree, nodes represent targets of attack, and leaf nodes are the actions by which attackers pursue the goal. OR and AND nodes represent alternative ways of achieving the same goal and steps that must be combined, respectively. In the figure, an arc marks an AND node: the password can be seen by watching the live screen or through an installed hidden camera, it can be learned from the target, and a written password can be found.

Likewise, by social engineering OR threatening, stealing, bribing or blackmailing, we can authenticate. Finally, we steal the password by acquiring a sniffer output file, using a keystroke logger or accessing the database.
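An evaluator for the tree described in this answer, added as an example (not part of the coursework): it encodes the OR/AND structure above, applies the countermeasures from part i) by closing the leaves they cover (which leaf each control closes is my own assumption), and reports which leaf combinations still reach the root.

```python
"""Evaluator for the 'obtain username/password' attack tree in this answer.
Added example, not from the coursework. Node names follow the leaves the
answer lists; which countermeasure closes which leaf is my own assumption."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "LEAF"              # LEAF, OR (any child suffices) or AND (all needed)
    children: list = field(default_factory=list)


def OR(name, *children):
    return Node(name, "OR", list(children))


def AND(name, *children):
    return Node(name, "AND", list(children))


def password_tree():
    """Root goal with the OR/AND structure from the figure."""
    return OR("Obtain username/password",
              Node("Guess password"),
              Node("Use default password"),
              Node("Find written password"),
              AND("Observe password entry",          # the arc: both parts are needed
                  OR("Watch the entry", Node("Watch live screen"),
                     Node("Installed hidden camera")),
                  Node("Password visible in clear while typed")),
              OR("Learn it from the target", Node("Social engineering"),
                 Node("Threaten"), Node("Bribe"), Node("Blackmail")),
              OR("Steal the credential", Node("Acquire sniffer output file"),
                 Node("Keystroke logger"), Node("Access credential database")))


def feasible(node, blocked):
    """True if the goal is still reachable when the leaves in `blocked` are closed."""
    if node.kind == "LEAF":
        return node.name not in blocked
    results = [feasible(child, blocked) for child in node.children]
    return any(results) if node.kind == "OR" else all(results)


def scenarios(node, blocked):
    """Every remaining way to reach `node`, as the set of leaves used together."""
    if node.kind == "LEAF":
        return [] if node.name in blocked else [frozenset([node.name])]
    if node.kind == "OR":
        return [s for child in node.children for s in scenarios(child, blocked)]
    combos = [frozenset()]          # AND: one scenario from each child, combined
    for child in node.children:
        combos = [a | b for a in combos for b in scenarios(child, blocked)]
    return combos


# Countermeasures from part i), mapped to the leaves they close (my assumption).
COUNTERMEASURES = {
    "Strong, non-guessable passwords": {"Guess password"},
    "Change default settings and credentials": {"Use default password"},
    "Masked entry, no written copies": {"Password visible in clear while typed",
                                        "Find written password"},
    "No cameras or observers at workstations": {"Watch live screen",
                                                "Installed hidden camera"},
    "Periodic checks of systems for malware": {"Keystroke logger",
                                               "Acquire sniffer output file"},
}


def evaluate(controls):
    """Apply the named countermeasures; return (goal still feasible, remaining scenarios)."""
    blocked = set()
    for control in controls:
        blocked |= COUNTERMEASURES[control]
    root = password_tree()
    return feasible(root, blocked), sorted(sorted(s) for s in scenarios(root, blocked))


if __name__ == "__main__":
    ok, paths = evaluate([])
    print(f"no controls: goal feasible={ok}, {len(paths)} scenarios")
    ok, paths = evaluate(COUNTERMEASURES)
    print(f"all five controls: goal feasible={ok}, remaining: {paths}")
```

With all five controls applied the root is still reachable through the "learn it from the target" branch and the credential database, which is exactly the kind of gap the tree is meant to expose.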

6. HTTP Testing Tool: an HTTP testing tool is open-source, scriptable protocol test software for Hypertext Transfer Protocol (HTTP) based products such as web browsers, web servers, web applications or ICAP. Two uses of HTTP testing tools, ApacheBench and Selenium, with their functions, are:

a. Use 1: ApacheBench. This tool is used for measuring the performance of HTTP web servers; it is a single-threaded command line program and was mainly created for testing the Apache HTTP server.

b. Use 2: Selenium. This is a portable software testing framework used for automating web-application tests; it exercises functions and asserts the title of each page. It supplies record/playback tools for authoring tests without learning a test scripting language, and lets you record, edit and debug tests. It also supplies a test domain-specific language for writing tests in different programming languages such as Java, Perl, PHP, Python, C#, Groovy and Ruby.


7. References

Michael E. Whitman and Herbert J. Mattord, 2011. 4th Edition. 20 Channel Centre, Boston, MA 002210 USA.

Informatics College. CSM203 Hacking and Computing Forensic. Informatics Education Ltd., Informatics Campus, 12 Science Centre Road, Singapore 609080.

Carnegie Mellon University, 2008. Applying OCTAVE: Practitioners Report [pdf]. Available at: <http://www.cert.org/archive/pdf/06tn010.pdf> [Accessed 28 February 2012].

Karel Burda, December 2008. Threat analysis based on the graph of elementary threats. IJCSNS International Journal of Computer Science and Network Security [e-journal] Vol. 8 No. 12. Available through: London Metropolitan University [Accessed 25 February 2012].

Sung-Whan Woo, HyunChul Joh, Omar H. Alhazmi and Yashwant K. Malaiya, 2011. Modeling vulnerability discovery process in Apache and IIS HTTP servers. Computers & Security [e-journal] 30 (2011) 50-62. Available through: London Metropolitan University <http://0-pdn.sciencedirect.com.emu.londonmet.ac.uk/science?_ob=MiamiImageURL&_cid=271887&_user=983321&_pii=S0167404810000908&_check=y&_origin=search&_zone=rslt_list_item&_coverDate=2011-01-31&wchp=dGLbVlV-zSkzk&md5=2383a94c592ea38ecbaa2b88b48d25d1/1-s2.0-S0167404810000908-main.pdf> [Accessed 26 February 2012].

D. Michael Cai, Maya Gokhale and James Theiler, 2006. Comparison of feature selection and classification algorithms in identifying malicious executables. Computational Statistics & Data Analysis [e-journal] 51 (2007) 3156-3172. Available through: London Metropolitan University <http://0-pdn.sciencedirect.com.emu.londonmet.ac.uk/science?_ob=MiamiImageURL&_cid=271708&_user=983321&_pii=S0167947306003288&_check=y&_origin=search&_zone=rslt_list_item&_coverDate=2007-03-01&wchp=dGLbVlB-zSkWA&md5=a5dcc7987f34f7d06189dd10adc5c325/1-s2.0-S0167947306003288-main.pdf> [Accessed 26 February 2012].

Norsaremah Salleh, April 2008. A Systematic Review of Pair Programming Research: Initial Results [pdf]. NZCSRSC 2008, Department of Computer Science, University of Auckland. Available at: <http://nzcsrsc08.canterbury.ac.nz/site/proceedings/Individual_Papers/pg151_A_Systematic_Review_of_Pair_Programming_Research_-_Initial_Results.pdf> [Accessed 25 February 2012].

Gerry Gaffney, 1999. What is Usability Testing? [online]. Available at: <http://www.infodesign.com.au/ftp/UsabilityTesting.pdf> [Accessed 25 February 2012].

C & A Security Risk Analysis Group [online]. Available at: <http://www.security-risk-analysis.com/> [Accessed 5 March 2012].

Wikipedia. Security risk [online]. Available at: <http://en.wikipedia.org/wiki/Security_risk> [Accessed 29 February 2012].

Microsoft, 2012. Security Risk [online]. Available at: <http://technet.microsoft.com/en-us/library/cc960623.aspx> [Accessed 2 March 2012].

Armorize Technologies Inc., 2005-2009. Where is the code injected to? [online]. Available at: <http://www.malwareinfo.com/mal_faq_inject.html#What_is_malicious_code?> [Accessed 2 March 2012].

Latest Technology, 19 June 2011. Security Goals [online]. Available at: <http://technologyforeducationlatest.blogspot.com/2011/06/security-goals.html> [Accessed 29 February 2012].

Intertek Group plc. Usability testing [online]. Available at: <http://www.intertek.com/performance-testing/usability-assessment/> [Accessed 29 February 2012].

TechTarget, 2006-2012. Performance testing [online], June 2007. Available at: <http://searchsoftwarequality.techtarget.com/definition/performance-testing> [Accessed 29 February 2012].

Nicolas Alpi, 14 April 2010. Pair programming? [online]. Available at: <http://notgeeklycorrect.com/project-development/2010/04/14/my-two-weeks-pair-programming-review> [Accessed 29 February 2012].

Software Quality Connection, 1 April 2011. Does Pair Programming Obviate the Need for Code Review? [online]. Available at: <http://www.softwarequalityconnection.com/2011/04/does-pair-programming-obviate-the-need-for-code-review/> [Accessed 29 February 2012].

Wikipedia. Taint checking [online], 25 June 2011. Available at: <http://en.wikipedia.org/wiki/Taint_checking> [Accessed 29 February 2012].

Mediawiki. Application programming interface [online], 1 February 2012. Available at: <http://wiki.dreamhost.com/Application_programming_interface> [Accessed 29 February 2012].

TechTarget, 2012. Application program interface (API) [online], August 2000. Available at: <http://searchexchange.techtarget.com/definition/application-program-interface> [Accessed 2 March 2012].

Computerworld Inc., 1994-2012. QuickStudy: Application Programming Interface (API) [online], 10 January 2000. Available at: <http://www.computerworld.com/s/article/43487/Application_Programming_Interface> [Accessed 2 March 2012].

UBM TechWeb, 2012. Attack Trees [online], 1 December 1999. Available at: <http://drdobbs.com/article/print?articleId=184411129&dept_url=/> [Accessed 2 March 2012].

Bruce Schneier, Hamletdarcy, 10 October 2007. Attack Trees to Assess Security [online]. Available at: <http://hamletdarcy.blogspot.com/2007/10/attack-trees-to-assess-security.html> [Accessed 2 March 2012].

Wikipedia. HTTP Test Tool [online], 5 January 2012. Available at: <http://en.wikipedia.org/wiki/HTTP_Test_Tool> [Accessed 3 March 2012].

Wikipedia. ApacheBench [online], 8 March 2012. Available at: <http://en.wikipedia.org/wiki/ApacheBench> [Accessed 3 March 2012].

Wikipedia. Selenium (software) [online], 10 March 2012. Available at: <http://en.wikipedia.org/wiki/Selenium_(software)> [Accessed 3 March 2012].

Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 2089-8930. SP 800-39 [pdf]. Available at: <http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf> [Accessed March 2011].

Carnegie Mellon University, 1995-2012. OCTAVE Download Area [online]. Available at: <http://www.cert.org/octave/download/intro.html> [Accessed 25 February 2012].

Carol Woody, PhD, May 2006. Applying OCTAVE: Practitioners Report [pdf]. Carnegie Mellon University. Available at: <http://www.cert.org/archive/pdf/06tn010.pdf> [Accessed 25 February 2012].


8. Turnitin Originality Report

-------------The End-----------
