College: Informatics College, Kamal Pokhari, Kathmandu, Nepal

Table of Contents

1. Question 1
   a. Evaluate security risk and consequences
   b. Perform asset value analysis
   c. Discuss the potential threats
   d. Analyze potentially malicious or harmful activities
   e. Analyze high-level vulnerabilities
   f. Discuss the security goals
2. Question 2
3. Question 3
   i. Three phases of OCTAVE
      a. Build Assets-Based Threat Profiles
         To Identify Senior Management Knowledge
         To Identify Operational Area Management Knowledge
         To Identify Staff Knowledge
         To Create Threat Profiles
      b. Identify Infrastructure Vulnerabilities
         Evaluate Selected Components
         Identify Key Components
      c. Develop Security Strategy and Plans
         Conduct Risk Analysis
4. Question 4
   a. Approach 1: Taint checking
   b. Approach 2: Pair Programming
   c. Approach 3: API handling
5. Question 5
6. Question 6
   a. Use 1: ApacheBench
   b. Use 2: Selenium
7. References
8. Turnitin Report
1. Answer:

a. A security risk can be defined as the coincidence of a threat acting on a vulnerability to cause negative and harmful impacts on an asset of the organization that must be kept secure and safe. It is identified by looking at the potential sources of risk and at when, where, why and how the risks may occur. The consequences are:

- Security risk arises from failures of software, network hardware and computers. Overall, weak security exposes the organization to several negative impacts that cause the loss of financial and material assets. Social engineering, targeted phishing and malware attacks on call-centre staff obtain unauthorized access to personal data, which is then exploited by fraudsters for identity theft.

Information security is therefore controlled through awareness, training and education: helping people understand and fulfil their security obligations, motivating them to act securely and avoid insecure behaviour, creating a security culture, using secure hardware and software, employing skilled human resources, etc.
b. Asset value analysis plays a very important role in a secure system, since it lets an efficient budget cover the necessary assets and requirements. Weaknesses in security measures and assets cause negative impacts on the organization such as financial loss, damage to reputation and loss of customer confidence. Assets such as Internet connectivity and networking require new security measures and policies to reduce the threats and challenges inherent in new technologies, applications and network devices; they must be kept safe so that they perform their tasks correctly. Since networks and their subsystems are the major point of attack against a system, they should be considered as special cases rather than combined with general hardware and software components. Likewise, manpower (human resources) must be skilled in handling the hardware. An organization must analyze its asset values and threats because it faces problems from both inside and outside attacks. Hence asset value analysis is one of the major parts of a security risk management system.
c. A potential threat is an unwanted event that adversely affects security systems and resources by exploiting vulnerabilities in computer systems and servers. It is defined by Nyanchama (2005) as "threats take advantage of vulnerabilities to cause damage or loss" and by Johnson (2008) as "an indication of impending danger or harm". Threats may come from insiders or outsiders, and may be any object or entity that endangers assets and users, so the organization must maintain a well-managed security system. Threats are usually divided as follows:

- Natural: threats like fire, water, plagues, earthquakes, etc.
- Unintentional: threats that cause loss of utility service and failures in engineering; phishing attacks, denial-of-service (DoS) attacks, hacking, identity theft, malicious code, espionage, etc. also come under this heading.

Threats are further divided into the following categories, with examples:
d. Potentially malicious or harmful activities cause security damage in a computer system and its network. Malicious code performs harmful activities such as gaining unauthorized access privileges (trapdoor), disclosing sensitive information (covert channel), exhausting system resources (worm) and infecting normal programs (virus), as well as Trojan horses, time/logic bombs, etc. Hackers with a malicious goal will not give up the intrusion until they achieve their objectives, even if the vulnerabilities they exploited are removed. Similarly, in terms of HTTP, malicious attackers attack the HTTP servers, so the servers represent the first line of defence which, if bypassed, can compromise the integrity, confidentiality and availability attributes of enterprise security. The main purposes are to destroy files, steal information, etc., so to prevent this a powerful firewall must be in place to monitor and control traffic, including traffic that originates from the protected network or host.
e. A vulnerability is a weak point of an information system that can lead to attack, modification, harm, interruption, destruction, disclosure and interception. Attacks on a system are also regarded as a sign of vulnerability.

... damage important documents. Unauthorized disclosure has a serious impact on maintaining the security and privacy of the system (Dhillon). Vulnerabilities are divided into several classes: administrative, physical and technical. Vulnerability assessment deals with identifying the flaws and weaknesses that could possibly be exploited by threats (Dhillon).
f. The security goals are to protect documents, manpower, hardware and software from different threats, malicious coders and attackers, vulnerabilities, etc. Here we measure them and create an efficient policy as the solution. The three important aspects of a security-related system are confidentiality, integrity and availability.

Confidentiality: only authorized persons can access assets, which means obtaining information by studying, viewing or printing, and knowing secret assets or documents. It is often called secrecy or privacy.

Integrity: only authorized persons can access assets and modify them in authorized ways, which includes writing, changing, deleting, changing status and creating.

Availability: authorized parties can access assets and objects within the proper periods.
2. Answer

a. Usability (ergonomics) testing is a technique for ensuring that system users can carry out the proposed tasks in an efficient and satisfying way. It is sufficient to identify problems with the information architecture and all issues of design. It serves the design purpose but is not itself a human-centred design process. A usability assessment program can also evaluate any of the following:

- Comfort and fit
- Weight and balance of the product
- Ease of use of the product controls
- Accuracy and clarity of diagrams and instructions
- Usefulness of special features and accessories
b. Testing the performance of software and devices is performance testing, which helps to measure times and numbers of MIPS (millions of instructions per second), wrong pathways, failure to find content, etc. Scalability, reliability and interoperability are measured here, together with stress testing. The main purpose of performance testing is to detect failures in the security test plan by knowing the above measures. It is also used as a diagnostic aid in locating communication bottlenecks.

c. Vulnerability testing looks for weaknesses in the security system that might be exploited by malicious users to cause loss or harm. It is therefore a process scheduled on the basis of the impact on the system and its score; all vulnerability scores are the results of the last vulnerability tests. The assessment helps to estimate the structural and functional changes caused by defective components in the network, to scan the network architecture, to report and remove vulnerabilities and to suggest how to remediate them.

3. Answer: OCTAVE is comprehensive, systematic, context-driven and self-directed. The approach is embodied in a set of criteria that define the essential elements of an asset-driven information security risk evaluation (Alberts 2001a).
i. The three phases of OCTAVE are:

a. Build Assets-Based Threat Profiles: this phase is an evaluation of the organization. Both the business and IT departments analyze which assets are most important to the organization and what activities can be done to protect them. The necessary processes are:

To Identify Senior Management Knowledge: this process classifies and recognizes all essential assets, the current security practices and requirements, and the perceived threats and vulnerabilities of the organization.
To Identify Operational Area Management Knowledge: operational area management knows all the important assets, the current security practices and their requirements, vulnerabilities and visible threats.

To Identify Staff Knowledge: certain general and IT staff members who have knowledge about important assets, current security requirements, threats and vulnerabilities identify them.

To Create Threat Profiles: this process consolidates the information gathered by refining it from Process 1 to 3 and finally creates threat profiles.

b. Identify Infrastructure Vulnerabilities: this phase examines the infrastructure and finds the key components whose weaknesses could allow unauthorized actions against critical assets. Its processes are:

Identify Key Components: it shows the key information systems and components

c. Develop Security Strategy and Plans: ... the organization's assets, and finds suitable solutions by collecting information about them. Its processes are:

Conduct Risk Analysis: it identifies the impacts of threats, the critical assets and
The way in which risk assessment information is gathered must fit the organizational context. The documents prepared should use an appropriate level of detail and context-specific terminology. The threats considered in the analysis steps must be consistent with those appropriate to the organization. The catalog of security practices used to assess risk must address regulatory and accepted security practices for the organizational domain. The risk improvement profile that is created must fulfil the organization's needs and specific objectives.
4. Answer: three approaches to code review for projects both large and small.

a. Approach 1: Taint checking is used to increase security and to prevent malicious users from executing commands on the host computer. It is a feature available only in some programming languages (Perl and Ruby) and can be used to build a safe wall around dangerous inputs. It checks website-related risks, where attackers use buffer overflow and SQL injection approaches. It falls under the blacklist approach because it flags certain risky values. A taint-checking tool tracks all variables until it has listed those that are probably controlled by outside input. If any such variable is used to execute dangerous commands, such as direct commands to the SQL database or to the OS of the host computer, the taint-checking tool warns about the dangerous variables and contributes a secure wall around them.
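Added example, not code from the coursework or from the Perl/Ruby taint mode it refers to: a toy Python taint tracker that shows the mechanism the paragraph describes, with a source that marks outside input, taint that follows the value through string concatenation, and an SQL sink that refuses the data until an allow-list sanitiser clears it. All class and function names here are invented for the illustration.

```python
# Added example (not from the original coursework): a minimal imitation of
# taint checking. Values that arrive from outside are marked tainted, the
# taint follows them through string operations, and a dangerous sink (an SQL
# query runner) refuses tainted data until a sanitiser has cleared it. All
# function and class names here are invented for the illustration.
import re

class TaintError(Exception):
    """Raised when tainted data reaches a dangerous sink."""

class Tainted(str):
    """A string that remembers whether it came from an untrusted source."""
    def __new__(cls, value, tainted=True):
        obj = super().__new__(cls, value)
        obj.tainted = tainted
        return obj
    # Taint propagates through operations that build new strings.
    def __add__(self, other):
        return Tainted(str.__add__(self, other),
                       self.tainted or getattr(other, "tainted", False))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self),
                       self.tainted or getattr(other, "tainted", False))

def from_request(value):
    """Source: anything read from the network is tainted on arrival."""
    return Tainted(value, True)

def untaint_username(value):
    """Sanitiser: allow-list the characters, then clear the taint flag."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", value):
        raise ValueError("username contains characters outside the allow-list")
    return Tainted(str(value), False)

def run_sql(query):
    """Sink: refuses to execute a query that still carries taint."""
    if getattr(query, "tainted", False):
        raise TaintError("tainted data reached the SQL sink: " + str(query))
    return "executed: " + str(query)

def check_login_query(raw_user):
    """Build the same lookup query twice: once with the raw request value
    (the checker blocks it) and once through the sanitiser (allowed)."""
    user = from_request(raw_user)
    try:
        run_sql("SELECT id FROM users WHERE name = '" + user + "'")
        direct = "allowed"
    except TaintError:
        direct = "blocked"
    clean = untaint_username(user)
    return direct, run_sql("SELECT id FROM users WHERE name = '" + clean + "'")
```

A real checker such as Perl's taint mode does the same bookkeeping in the interpreter, so the programmer cannot forget to call the sink check.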
b. Approach 2: Pair Programming and Review is an agile software development technique in which two programmers work together at the same workstation; one writes the code and the other reviews it as it is written. The coder is called the driver and the reviewer the observer or navigator. The programmer's mistakes are easily caught and corrected by the observer while coding, which makes the code error-free, so pairing is always efficient. The navigator/observer also plans and guides the direction of the work, provides ideas to troubleshoot upcoming problems, and frees the driver to code and complete the task without tension. The Economist (September 20, 2001) noted: "Laurie Williams of the University of Utah in Salt Lake City has shown that paired programmers are only 15% slower than two independent individual programmers, but produce 15% fewer bugs. Since testing and debugging are often many times more costly than initial programming, this is an impressive result."
c. Approach 3: API (Application Programming Interface) handling: when an application program communicates with the OS, a control program such as a DBMS, or a communications protocol, it uses the language and message format of the API. The API is used by writing function calls in the program that link to subroutines. Looking up error messages and codes, applying logic for password expiry, system maintenance, networking, etc. are such functions. For example, an API can be used as the web service interface for Google's mapping service. The API explains how programmers use particular features of a computer. It uses both GUI and CUI as its interface to an OS or program. "Building an application with no APIs is basically like building a house with no doors. The API for all computing purposes is how you open the blinds and the doors and exchange information." (Josh Walker, an analyst at Forrester Research Inc. in Cambridge, Mass.) So if any application is made without an API it is weak and insecure, and attackers can easily attack it.
5. Answer

Attack Tree: an attack tree is a method for analyzing security systems and subsystems. It helps in thinking about security, in capturing and reusing skills about security, and in taking action about changes in the system. It thus provides a platform for understanding security more efficiently, which is why we say "Security is not a product; it's a process."
i) Fixing the root node: Here I have created an attack tree with obtaining a user ...

- ... should not be a widely used name, to avoid guessing.
- Every password must be typed as asterisks, hashes or full stops, and must not appear in plain text or written form.
- Default settings, passwords and usernames must be changed and customized.
- Observation of passwords through a camera or by an outsider must be prevented.
- System applications must be checked from time to time so that no harmful activity can be carried out.
We can obtain passwords in different ways, such as observing the password, using a default password, guessing or learning it, etc. In an attack tree, nodes represent the targets of attack, and leaf nodes are the actions the attacker takes towards the goal. OR and AND nodes symbolize alternative ways of achieving the same goal and required steps respectively. In the figure, an arc represents an AND node: the password can be seen by watching the live screen or through an installed hidden camera, can be learned from the target, or found written down.

Likewise, by social engineering, OR threatening, stealing, bribing or blackmailing, we can authenticate. Finally, the password is stolen by acquiring the sniffer output file, using a keystroke logger or accessing the database.
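Added example, not part of the original coursework: a small attack-tree evaluator in Python that implements the OR/AND node semantics described above and shows a defender which controls actually cut off the root goal. The leaf labels are the branches the text names; how they are grouped under OR and AND nodes is an assumption.

```python
# Added example (not from the original coursework): a small attack-tree
# evaluator of the kind the text describes. OR nodes need any one child, AND
# nodes need all children, and each leaf carries a possible/impossible flag
# that is propagated to the root. Grouping into OR/AND nodes is assumed.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "LEAF", "OR" or "AND"
    possible: bool = True       # leaf attribute, ignored for OR/AND
    children: list = field(default_factory=list)

def feasible(node):
    """Boolean evaluation: can the attacker reach the goal at this node?"""
    if node.kind == "LEAF":
        return node.possible
    results = [feasible(c) for c in node.children]
    return any(results) if node.kind == "OR" else all(results)

def leaves(node):
    if node.kind == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]

def mitigate(root, controlled):
    """Mark leaves covered by a control as impossible; return root feasibility."""
    for leaf in leaves(root):
        if leaf.name in controlled:
            leaf.possible = False
    return feasible(root)

def open_branches(root):
    """Top-level branches that still lead to the root goal."""
    return [c.name for c in root.children if feasible(c)]

def build_password_tree():
    """Constructed tree built from the branches named in the text."""
    return Node("obtain user password", "OR", children=[
        Node("observe password", "OR", children=[
            Node("watch live screen"), Node("hidden camera"),
            Node("find written password")]),
        Node("use default password"),
        Node("guess password"),
        Node("social engineering", "OR", children=[
            Node("threaten"), Node("bribe"), Node("blackmail")]),
        # AND: assumed that both captures are needed to recover the credential
        Node("capture credential", "AND", children=[
            Node("acquire sniffer output file"), Node("keystroke logger")]),
    ])

def demo():
    """Apply controls in two rounds and record what remains open."""
    tree = build_password_tree()
    result = {"initial": feasible(tree)}
    policy = {"watch live screen", "hidden camera", "find written password",
              "use default password", "guess password",
              "threaten", "bribe", "blackmail"}
    result["after_password_policy"] = mitigate(tree, policy)
    result["open"] = open_branches(tree)
    result["after_endpoint_controls"] = mitigate(tree, {"keystroke logger"})
    return result
```

The point for a defender is the second round: once the password-handling controls from the list above are in place, only the AND branch remains, and closing a single leaf of it makes the root goal infeasible.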
6. HTTP Testing Tool: an HTTP testing tool is open-source, scriptable protocol test software for Hypertext Transfer Protocol (HTTP) based products such as web browsers, web servers, web applications or ICAP. Two uses of HTTP testing tools, ApacheBench and Selenium, with their functions are:

a. Use 1: ApacheBench is a single-threaded command-line program used for measuring the performance of HTTP web servers; it was created mainly for testing Apache HTTP servers.

b. Use 2: Selenium ... provides automated web-application testing functions and asserts the title of each page. It supplies trace/playback tools for authoring tests without learning a test scripting language, and lets you record, edit and debug tests. It also provides a test domain-specific language for writing tests in different programming languages such as Java, Perl, PHP, Python, C#, Groovy and Ruby.
7. References

Michael E. Whitman and Herbert J. Mattord, 2011, 4th Edition, 20 Channel Centre, Boston, MA 002210, USA.

Informatics College, CSM203 Hacking and Computing Forensic, Informatics Education Ltd., Informatics Campus, 12 Science Centre Road, Singapore 609080.

Carnegie Mellon University, 2008. Applying OCTAVE: Practitioners Report [pdf]. Available at: <http://www.cert.org/archive/pdf/06tn010.pdf> [Accessed 28 February 2012].

Karel Burda, December 2008. Threat analysis based on the graph of elementary threats. IJCSNS International Journal of Computer Science and Network Security [e-journal] Vol. 8, No. 12. Available through: London Metropolitan University [Accessed 25 February 2012].

Sung-Whan Woo, HyunChul Joh, Omar H. Alhazmi, Yashwant K. Malaiya, 2011. Modeling vulnerability discovery process in Apache and IIS HTTP servers. Computers & Security 30 (2011) 50-62 [e-journal]. Available through: London Metropolitan University <http://0-pdn.sciencedirect.com.emu.londonmet.ac.uk/science?_ob=MiamiImageURL&_cid=271887&_user=983321&_pii=S0167404810000908&_check=y&_origin=search&_zone=rslt_list_item&_coverDate=2011-0131&wchp=dGLbVlV-zSkzk&md5=2383a94c592ea38ecbaa2b88b48d25d1/1-s2.0S0167404810000908-main.pdf> [Accessed 26 February 2012].

D. Michael Cai, Maya Gokhale, James Theiler, 2006. Comparison of feature selection and classification algorithms in identifying malicious executables. Computational Statistics & Data Analysis 51 (2007) 3156-3172 [e-journal]. Available through: London Metropolitan University <http://0pdn.sciencedirect.com.emu.londonmet.ac.uk/science?_ob=MiamiImageURL&_cid=271708&_user=983321&_pii=S0167947306003288&_check=y&_origin=search&_zone=rslt_list_item&_coverDate=2007-0301&wchp=dGLbVlB-zSkWA&md5=a5dcc7987f34f7d06189dd10adc5c325/1-s2.0S0167947306003288-main.pdf> [Accessed 26 February 2012].

NZCSRSC 2008, April 2008. A Systematic Review of Pair Programming Research: Initial Results [pdf]. Norsaremah Salleh, Department of Computer Science, University of Auckland. Available at: <http://nzcsrsc08.canterbury.ac.nz/site/proceedings/Individual_Papers/pg151_A_Systematic_Review_of_Pair_Programming_Research_-_Initial_Results.pdf> [Accessed 25 February 2012].

<http://www.infodesign.com.au/ftp/UsabilityTesting.pdf> [Accessed 25 February 2012].

C & A Security Risk Analysis Group. [Online] Available at: <http://www.security-riskanalysis.com/> [Accessed 5 March 2012].

Wikipedia. Security risk [Online]. Available at: <http://en.wikipedia.org/wiki/Security_risk>.

TechTarget, 2012. Application program interface (API) [online] August 2000. Available at: <http://searchexchange.techtarget.com/definition/applicationprogram-interface> [Accessed 2 March 2012].

Computerworld Inc. 1994-2012. QuickStudy: Application Programming Interface (API) [online] January 10, 2000 12:00 PM. Available at: <http://www.computerworld.com/s/article/43487/Application_Programming_Interface> [Accessed 2 March 2012].

UBM TechWeb. 2012. Attack Trees [online] December 01, 1999. Available at: <http://drdobbs.com/article/print?articleId=184411129&dept_url=/> [Accessed 2 March 2012].

Bruce Schneier, Hamletdarcy. Attack Trees to Assess Security [online] Wednesday, October 10, 2007. Available at: <http://hamletdarcy.blogspot.com/2007/10/attack-trees-to-assesssecurity.html> [Accessed 2 March 2012].

Wikipedia. HTTP Test Tool [online] 5 January 2012 at 22:16. Available at: <http://en.wikipedia.org/wiki/HTTP_Test_Tool> [Accessed 3 March 2012].

Wikipedia. ApacheBench [online] 8 March 2012 at 21:50. Available at: <http://en.wikipedia.org/wiki/ApacheBench> [Accessed 3 March 2012].

Wikipedia. Selenium (software) [online] 10 March 2012 at 21:09. Available at: <http://en.wikipedia.org/wiki/Selenium_(software)> [Accessed 3 March 2012].

Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 2089-8930. <http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf> [Accessed March 2011].

Carnegie Mellon University, 1995-2012. OCTAVE Download Area [online]. Carnegie Mellon University. Available at: <http://www.cert.org/archive/pdf/06tn010.pdf> [Accessed 25 February 2012].
-------------The End-----------