Information Security Questions and Answers

Share Embed Donate


Short Description

IT security Exam Questions with Answers...

Description

www.vidyarthiplus.com

RJ Edition

IV CSE – (VIII SEM) NOTES

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

IT2042

INFORMATION SECURITY (REGULATION 2008)

UNIT I INTRODUCTION History, What is Information Security?, Critical Characteristics of Information, NSTISSC Security Model, Components of an Information System, Securing the Components, Balancing Security and Access, The SDLC, The Security SDLC UNIT II SECURITY INVESTIGATION Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues UNIT III SECURITY ANALYSIS Risk Management: Identifying and Assessing Risk, Assessing and Controlling Risk UNIT IV LOGICAL DESIGN Blueprint for Security, Information Security Policy, Standards and Practices, ISO 17799/BS 7799, NIST Models, VISA International Security Model, Design of Security Architecture, Planning for Continuity UNIT V PHYSICAL DESIGN Security Technology, IDS, Scanning and Analysis Tools, Cryptography, Access Control Devices, Physical Security, Security and Personnel

16

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

UNIT – I PART – A (2 Marks) 1. Define information security. It is a well-informed sense of assurance that the information risks and controls are in balance. 2. List the critical characteristics of information. • Availability • Accuracy • Authenticity • Confidentiality • Integrity • Utility • Possession 3. Define security. What are the multiple layers of security? Security is “the quality or state of being secure-to be free from danger”. • Physical Security • Personal Security • Operations Security • Communication Security • Network Security • Information Security 4. When can a computer be a subject and an object of an attack respectively? When a computer is the subject of attack, it is used as an active tool to conduct the attack. When a computer is the object of an attack, it is the entity being attacked. 5. Why is a methodology important in implementing the information security? Methodology is a formal approach to solve a problem based on a structured sequence of procedures. 6. Difference between vulnerability and exposure. Vulnerability

Exposure

Weakness or fault in a system or protection The exposure of an information system is a mechanism that expose information to single instance when the system is open to attack or damage. damage.

17

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

7. Sketch the NSTISSC security model.

8. List out the security services. Three security services: Confidentiality, integrity, and availability Threats are divided into four broad classes:  Disclosure, or unauthorized access to information  Deception, or acceptance of false data  Disruption, or interruption or prevention of correct operation  Usurpation or unauthorized control of some part of a system. 9. Define the snooping and spoofing. Snooping: The unauthorized interception of information is a form of disclosure. It is passive, suggesting simply that some entity is listening to (or reading) communications or browsing through files or system information. Masquerading or spoofing: An impersonation of one entity by another is a form of both deception and usurpation. 10. List the components used in security models.  Software  Hardware  Data  People  Procedures  Networks 11. What are the functions of Information Security?  Protects the organization's ability to function  Enables the safe operation of applications implemented on the organizations IT systems  Protects the data the organization collects and uses 18

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES



RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Safeguards the technology assets in use at the organization

12. What are the phases of SDLC Waterfall method?  Investigation  Analysis  Logical Design  Physical Design  Implementation  Maintenance & change 13. What is Rand Report R-609? The Rand Report was the first widely recognized published document to identify the role of management and policy issues in computer security. The scope of computer security grew from physical security to include:  Safety of the data  Limiting unauthorized access to that data  Involvement of personnel from multiple levels of the organization 14. What is meant by balancing Security and Access?  It is impossible to obtain perfect security - it is not an absolute; it is a process  Security should be considered a balance between protection and availability  To achieve balance, the level of security must allow reasonable access PART – B (16 Marks) 1. Describe the Critical Characteristics of Information.

Nov/Dec 2011 Nov/Dec 2012 May/Jun 2012

Availability Enables authorized users – persons or computer systems – to access information without interference or obstruction and receive it in the required format. Accuracy Information that is free from mistakes or errors and has the value end user expects (E.g. inaccuracy of your bank account may result in mistakes such as bouncing of a check). Authenticity Quality or state of being genuine or original, rather than reproduction or fabrication. Information is authentic when the contents are original as it was created, placed or stored or transmitted.( The information receive as e-mail may not be authentic when its contents are modified what is known as E-mail spoofing) Confidentiality 19

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Confidentiality ensures that only those with the rights and privileges to access information are able to do so. When unauthorized individuals or systems can view information, confidentiality is breached.

Integrity  Information has integrity when it is whole, complete, and uncorrupted  The integrity of information is threatened when it is exposed to corruption, damage, destruction, other disruption of its authentic state  Many computer virus or worms are designed with the explicit purpose of corrupting data  Information integrity is the corner stone of information systems, because information is of no value or use if users cannot verify its integrity  Redundancy bits and check bits can compensate for internal and external threats to integrity of information Utility The utility of information is the quality or state of having value for some purpose or end. (For example, the US census data reveals information about the voters like their gender, age, race, and so on). Possession It is the quality or state of having ownership or control of some object or item. Breach of possession does not result in breach of confidentiality. Illegal possession of encrypted data never allows someone to read it without proper decryption methods. 2. Explain the Components of an Information System.

Nov/Dec 2011 Nov/Dec 2012 May/Jun 2013

Software The software component of IS comprises applications, operating systems, and assorted command utilities. Software programs are the vessels that carry the life blood of information through an organization. Software programs become an easy target of accidental or intentional attacks. Hardware It is the physical technology that houses and executes the software, stores and carries the data, provides interfaces for the entry and removal of information from the system. Physical security policies deal with the hardware as a physical asset and with the protection of these assets from harm or theft. People 20

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

People have always been a threat to information security and they are the weakest link in a security chain. Policy, education and training, awareness, and technology should be properly employed to prevent people from accidently or intentionally damaging or losing information. Data Data stored, processed, and transmitted through a computer system must be protected. Data is the most valuable asset possessed by an organization and it is the main target of intentional attacks. Procedures Procedures are written instructions for accomplishing when an unauthorized user obtains an organization’s procedures; it poses threat to the integrity of the information. Educating employees about safeguarding the procedures is as important as securing the information system. Lack in security procedures caused the loss of over ten million dollars before the situation was corrected. Networks Information systems in LANs are connected to other networks such as the internet and new security challenges are rapidly emerge. Apart from locks and keys which are used as physical security measures, network security also an important aspect to be considered. 3. Discuss SDLC in detail. May/June 2013 Investigation What is the problem the system is being developed to solve?  The objectives, constraints, and scope of the project are specified  A preliminary cost/benefit analysis is developed  A feasibility analysis is performed to assesses the economic, technical, and behavioral feasibilities of the process Analysis  Assessments of the organization  Status of current systems  Capability to support the proposed systems  Analysts begin to determine  What the new system is expected to do  How the new system will interact with existing systems  Ends with the documentation of the findings and a feasibility analysis update Logical Design  Based on business need, applications are selected capable of providing needed services

21

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING



Based on applications needed, data support and structures capable of providing the needed inputs are identified  Select specific ways to implement the physical solution are chosen  Another feasibility analysis is performed Physical Design  Specific technologies are selected to support the alternatives identified and evaluated in the logical design  Selected components are evaluated based on a make-or-buy decision  Entire solution is presented to the end-user representatives for approval Implementation  Components are ordered, received, assembled, and tested  Users are trained and documentation created  Users are then presented with the system for a performance review and acceptance test Maintenance and Change  Tasks necessary to support and modify the system for the remainder of its useful life  The life cycle continues until the process begins again from the investigation phase  When the current system can no longer support the mission of the organization, a new project is implemented 4. Describe SecSDLC in detail.

Nov/Dec 2011 Nov/Dec 2012 May/Jun 2013

Security Systems Development Life Cycle  Same phases used in the traditional SDLC adapted to support the specialized implementation of a security project  Basic process is identification of threats and controls to counter them  SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions Investigation  Identifies process, outcomes and goals of the project, and constraints  Begins with a statement of program security policy  Teams are organized, problems analyzed, and scope defined, including objectives, and constraints not covered in the program policy  An organizational feasibility analysis is performed Analysis  Analysis of existing security policies or programs, along with documented current threats and associated controls 22

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING



Includes an analysis of relevant legal issues that could impact the design of the security solution  The risk management task (identifying, assessing, and evaluating the levels of risk) also begins Logical & Physical Design  Creates blueprints for security  Critical planning and feasibility analyses to determine whether or not the project should continue  In physical design, security technology is evaluated, alternatives generated, and final design selected  At end of phase, feasibility study determines readiness so all parties involved have a chance to approve the project

Implementation  The security solutions are acquired (made or bought), tested, and implemented, and tested again  Personnel issues are evaluated and specific training and education programs conducted  Finally, the entire tested package is presented to upper management for final approval Maintenance and Change  The maintenance and change phase is perhaps most important, given the high level of ingenuity in today’s threats  The reparation and restoration of information is a constant duel with an often unseen adversary  As new threats emerge and old threats evolve, the information security profile of an organization requires constant adaptation 5. Explain the NSTISSC security model and the top down approach to security implementation. Nov/Dec 2011

23

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Top-down Approach



 

Initiated by upper management:  issue policy, procedures, and processes  dictate the goals and expected outcomes of the project  determine who is accountable for each of the required actions Strong upper management support, a dedicated champion, dedicated funding, clear planning, and the chance to influence organizational culture May also involve a formal development strategy referred to as a systems development life cycle  Most successful top-down approach

6. Describe the NSTISSC security model and the bottom up approach to security implementation. Bottom Up Approach  Security from a grass-roots effort - systems administrators attempt to improve the security of their systems  Key advantage - technical expertise of the individual administrators 24

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES



RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Seldom works, as it lacks a number of critical features:  Participant support  Organizational staying power

7. Explain any five professional in information security with their role and focus. Senior Management  Chief Information Officer  The senior technology officer  Primarily responsible for advising the senior executive(s) for strategic planning  Chief Information Security Officer  Responsible for the assessment, management, and implementation of securing the information in the organization  Referred to as the Manager for Security Security Project Team  A number of individuals who are experienced in one or multiple requirements of both the technical and non-technical areas:  The champion  The team leader  Security policy developers  Risk assessment specialists  Security professionals  Systems administrators  End users

Data Ownership  Data owner: responsible for the security and use of a particular set of information  Data custodian: responsible for storage, maintenance, and protection of information  Data users: end users who work with information to perform their daily jobs supporting the mission of the organization

UNIT – II PART – A (2 Marks) 1. Why is information security a management problem? Management is responsible for implementing information security to protect the ability of the organization to function. 25

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

They must set policy and operate the organization in a manner that complies with the laws that govern the use of technology. 2. Distinguish between Dos and DDos. Dos Denial of service attack -The attacker sends a large number of connection or information requests to a target.

DDos Distributed Denial of service is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

3. What is intellectual property? It is the ownership of ideas and control over the tangible or virtual representation of those ideas. 4. What is a policy? How it is differ from law? Policies: A body of expectations that describe acceptable and unacceptable employee behaviours in the workplace. It functions as organizational laws, complete with penalties, judicial practices, and sanctions to require complaints. The difference between policy and a law, however, is that ignorance of a policy is an acceptable defence. 5. What is a threat? What are the threats to Information Security? Threat is an object, person or other entity that represents a constant danger to an asset.  Acts of Human error or failure.  Compromises to Intellectual Property  Deliberate acts of espionage or trespass  Deliberate acts of information extortion  Deliberate acts of sabotage and vandalism  Deliberate acts of theft  Deliberate Software Attacks  Forces of Nature  Deviations in quality of service from service providers  Technical Hardware Failures or Errors  Technical Software Failures or Errors  Technological Obsolescence 6. What are the general categories of unethical and illegal behaviour? 26

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

There are three general categories of unethical behaviour that organizations and society should seek to eliminate:  Ignorance  Accident  Intent 7. What are the various types of malware? How do worms differ from Virus?  Viruses  Worms  Trojan horses  Active web scripts Virus Worm A virus attaches itself to s a computer A worm is similar to virus by design. It program and spreads from one computer also spreads from one computer to to another. another. Spreads with uniform speed as Worms spread more rapidly than virus. programmed. It can be attached to .EXE, .COM , .XLS It can be attached to any attachments of etc email or any file on network. Ex Melisca, cascade etc Ex Blaster Worm It requires the spreading of an infected It replicates them without the host file. host file. 8. Who are hackers? What are the levels of hackers? Hackers are people who use and create computer software for enjoyment or to gain access to information illegally. There are two levels of hackers.  Expert Hacker - Develops software codes  Unskilled Hacker - Uses the codes developed by the experts

9. What is security blue print? The security blue print is the plan for the implementation of new security measures in the organization. Sometimes called a framework, the blue print presents an organized approach to the security planning process. 10. What are the types of virus?  Macro virus  Boot virus 27

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

11. Distinguish between attack and threat. Attack An act which is in process. An attack is intentional.

Threat A promise of an attack to come. Threat can be either intentional or unintentional. Attack to information might have a Threat to information does not mean that chance to alter or damage the it is damaged or changed information when it is successful.

12. Define Information Extortion.  Information extortion is an attacker or formerly trusted insider stealing information from a computer system and demanding compensation for its return or non-use  Extortion found in credit card number theft 13. Define Hoax.  A computer virus hoax is a message warning the recipient of a non-existent computer virus threat  The message is usually a chain e-mail that tells the recipient to forward it to everyone they know

PART – B (16 Marks) 1. Explain the functions of an Information security organization. Nov/Dec 2011 Nov/Dec2012 Protecting the Ability to Function  Management is responsible  Information security  Management issue  People issue  Communities of interest must argue for information security in terms of impact and cost Enabling Safe Operation  Organizations must create integrated, efficient, and capable applications  Organization need environments that safeguard applications  Management must not abdicate to the IT department its responsibility to make choices and enforce decisions 28

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Protecting Data  One of the most valuable assets is data  Without data, an organization loses its record of transactions and/or its ability to deliver value to its customers  An effective information security program is essential to the protection of the integrity and value of the organization’s data Safeguarding Technology Assets  Organizations must have secure infrastructure services based on the size and scope of the enterprise  Additional security services may have to be provided  More robust solutions may be needed to replace security programs the organization has outgrown 2. Describe about various forms of attacks. Nov/Dec 2012 IP Scan and Attack: Compromised system scans random or local range of IP addresses and targets any of several vulnerabilities known to hackers or left over from previous exploits. Web Browsing: If the infected system has write access to any Web pages, it makes all Web content files infectious, so that users who browse to those pages become infected. Virus: Each infected machine infects certain common executable or script files on all computers to which it can write with virus code that can cause infection. Unprotected Shares: Using file shares to copy viral component to all reachable locations. Mass Mail: Sending e-mail infections to addresses found in address book. SMTP: Simple Network Management Protocol - SNMP vulnerabilities used to compromise and infect. Hoaxes: A more devious approach to attacking computer systems is the transmission of a virus hoax, with a real virus attached. Back Doors: Using a known or previously unknown and newly discovered access mechanism. Password Crack: Attempting to reverse calculates a password. Brute Force: The application of computing and network resources to try every possible combination of options of a password. Dictionary: The dictionary password attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords (the dictionary) to guide guesses. Denial-of-service (DoS)  attacker sends a large number of connection or information requests to a target  so many requests are made that the target system cannot handle them successfully along with other, legitimate requests for service  may result in a system crash, or merely an inability to perform ordinary functions Distributed Denial-of-service (DDoS) - an attack in which a coordinated stream of requests 29

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

is launched against a target from many locations at the same time.  Spoofing - technique used to gain unauthorized access whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host  Man-in-the-Middle - an attacker sniffs packets from the network, modifies them, and inserts them back into the network  Spam - unsolicited commercial e-mail - while many consider spam a nuisance rather than an attack, it is emerging as a vector for some attacks Buffer Overflow  Application error occurs when more data is sent to a buffer than it can handle  When the buffer overflows, the attacker can make the target system execute instructions, or the attacker can take advantage of some other unintended consequence of the failure Timing Attack  Relatively new works by exploring the contents of a web browser’s cache can allow collection of information on access to password-protected sites  Another attack by the same name involves attempting to intercept cryptographic elements to determine keys and encryption algorithms 3. Explain the different categories of threat. Give Examples. Nov/Dec 2011 May/June 2012 Acts of Human Error or Failure  Includes acts done without malicious intent  Caused by:  Inexperience  Improper training  Incorrect  Employee mistakes can easily lead to the following :  revelation of classified data  entry of erroneous data  accidental deletion or modification of data  storage of data in unprotected areas  failure to protect information Much human error or failure can be prevented with training and ongoing awareness activities. Compromises to Intellectual Property  Intellectual property is “the ownership of ideas and control over the tangible or virtual representation of those ideas”  Many organizations are in business to create intellectual property trade secrets, copyrights, trademarks, patents 30

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

 Watchdog organizations investigate:  Software & Information Industry Association (SIIA)  Business Software Alliance (BSA) Protective measures Enforcement of copyright has been attempted with technical security mechanisms, such as using digital watermarks and embedded code. The most common reminder of the individual’s obligation to fair and responsible use is the license agreement window that usually pops up during the installation of new software. Deliberate acts of espionage or trespass Espionage/Trespass  Broad category of activities that breach confidentiality  Unauthorized accessing of information  Competitive intelligence vs. espionage  Shoulder surfing can occur any place a person is accessing confidential information Sabotage or Vandalism Attack on the image of an organization can be serious like defacing a web site.  Individual or group who want to deliberately sabotage the operations of a computer system or business, or perform acts of vandalism to either destroy an asset or damage the image of the organization  These threats can range from petty vandalism to organized sabotage  Organizations rely on image so Web defacing can lead to dropping consumer confidence and sales  Rising threat of activist or cyber-activist operations - the most extreme version is cyber-terrorism Deliberate acts of theft  Illegal taking of another’s property - physical, electronic, or intellectual  The value of information suffers when it is copied and taken away without the owner’s knowledge  Physical theft can be controlled - a wide variety of measures used from locked doors to guards or alarm systems  Electronic theft is a more complex problem to manage and control - organizations may not even know it has occurred Deliberate Software Attacks  When an individual or group designs software to attack systems, they create malicious code/software called malware  Includes:  macro virus  boot virus 31

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

 worms  Trojan horses  logic bombs  back door or trap door  denial-of-service attacks  polymorphic  hoaxes Forces of Nature  Forces of nature, force majeure, or acts of God are dangerous because they are unexpected and can occur with very little warning  Can disrupt not only the lives of individuals, but also the storage, transmission, and use of information  Include fire, flood, earthquake, and lightning as well as volcanic eruption and insect infestation  Since it is not possible to avoid many of these threats, management must implement controls to limit damage and also prepare contingency plans for continued operations Technical Hardware Failures or Errors  Technical hardware failures or errors occur when a manufacturer distributes to users equipment containing flaws  These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability  Some errors are terminal, in that they result in the unrecoverable loss of the equipment  Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily repeated Technical Software Failures or Errors  This category of threats comes from purchasing software with unrevealed faults  Large quantities of computer code are written, debugged, published, and sold only to determine that not all bugs were resolved  Sometimes, unique combinations of certain software and hardware reveal new bugs  Sometimes, these items aren’t errors, but are purposeful shortcuts left by programmers for honest or dishonest reasons Technological Obsolescence  When the infrastructure becomes antiquated or outdated, it leads to unreliable and untrustworthy systems  Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity to threats and attacks  Ideally, proper planning by management should prevent the risks from technology 32

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

obsolesce, but when obsolescence is identified, management must take action 4. Write about the attack replication vectors in detail. Nov/ Dec 2011 IP Scan and attack – The infected system scans a random or local range of IP addresses and targets any of the vulnerabilities known to hackers. Web browsing –If the infected system has right access to any web pages, it makes all web content files infectious, so that users who browse the web pages become infected. Virus – Each infected machine infects certain common executable or script files on all computers to which it can write with virus code that can cause infection Unprotected shares –Using vulnerabilities in file system and the way many organizations configure them, the infected machine copies the viral content to all locations it can reach. Mass mail – By sending email infections to addresses found in the address book, the infected machine infects the users whose mail reading programs also automatically run the program and infect other systems. SNMP – By using the widely known and common passwords that were employed in earlier versions of this protocol, the attacking program can gain control of the device. 5. Discuss the ethical concepts in information security.  Thou shalt not use a computer to harm other people  Thou shalt not interfere with other people's computer work  Thou shalt not snoop around in other people's computer files  Thou shalt not use a computer to steal  Thou shalt not use a computer to bear false witness  Thou shalt not copy or use proprietary software for which you have not paid  Thou shalt not use other people's computer resources without authorization or proper compensation  Thou shalt not appropriate other people's intellectual output  Thou shalt think about the social consequences of the program you are writing or the system you are designing  Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans Ethical Differences across Cultures  Cultural differences create difficulty in determining what is and is not ethical  Difficulties arise when one nationality’s ethical behaviour conflicts with ethics of another national group  Example: many of ways in which Asian cultures use computer technology is software piracy Ethics and Education  Overriding factor in levelling ethical perceptions within a small population is 33

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

education  Employees must be trained in expected behaviours of an ethical employee, especially in areas of information security  Proper ethical training vital to creating informed, well prepared, and low-risk system user Deterrence to Unethical and Illegal Behaviour  Deterrence: best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls  Laws and policies only deter if three conditions are present:  Fear of penalty  Probability of being caught  Probability of penalty being administered 6. List and discuss the role and focus of any four professional organizations providing information security. May/June 2012 May/June 2013  Several professional organizations have established codes of conduct/ethics  Codes of ethics can have positive effect; unfortunately, many employers do not encourage joining of these professional organizations  Responsibility of security professionals to act ethically and according to policies of employer, professional organization, and laws of society.  ACM established in 1947 as “the world's first educational and scientific computing society”  Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property. International Information Systems Security Certification Consortium, Inc.  Non-profit organization focusing on development and implementation of information security certifications and credentials  Code primarily designed for information security professionals who have certification from  Code of ethics focuses on four mandatory canons System Administration, Networking, and Security Institute (SANS)  Professional organization with a large membership dedicated to protection of information and systems  SANS offers set of certifications called Global Information Assurance Certification (GIAC) Information Systems Audit and Control Association (ISACA)  Professional association with focus on auditing, control, and security  Concentrates on providing IT control practices and standards  ISACA has code of ethics for its professionals. 34

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

UNIT – III PART – A (2 Marks) 1. In risk management strategies why does a periodic review have to be a part of process? May/June 2012 May/June 2013  The first focus is asset inventory  The completeness and accuracy of the asset inventory has to be verified  The threats and vulnerabilities that are dangerous to asset inventory must be verified 2. What is asset valuation? List any 2 components of asset valuation. May/June 2012 A method of assessing the worth of a company, real property, security, antique or other item of worth. Asset valuation is commonly performed prior to the sale of an asset or prior to purchasing insurance for an asset.  Questions to assist in developing the criteria to be used for asset valuation:  Which information asset is the most critical to the success of the organization?  Which information asset generates the most revenue? 3. Define dumpster driving. May/June 2013 To retrieve information that could embarrass a company or compromise information security. 4. What is risk management? Nov/Dec 2012 Risk management is the process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to assure Confidentiality, Integrity, and Availability. 5. Define benchmarking. Benchmarking is a process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization. 6. What are the different types of Access Controls?  Discretionary Access Controls (DAC)  Mandatory Access Controls (MACs)  Nondiscretionary Controls  Role-Based Controls  Task-Based Controls  Lattice-based Control

35

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

7. Define Disaster Recovery Plan. The most common mitigation procedure is Disaster Recovery Plan (DRP). The DRP includes the entire spectrum of activities used to recover from the incident and strategies to limit losses before and after the disaster. DRP usually include all preparations for the recovery process, strategies to limit losses during the disaster. 8. What is residual risk? Exposure to loss remaining after other known risks have been countered, factored in, or eliminated. It is simply seen as the risk that remains after safeguards have been implemented. 9. Mention the Risk Identification Estimate Factors.  Likelihood  Value of Information Assets  Percent of Risk Mitigated  Uncertainty 10. What is the formula for calculating risk? Risk = Threat x Vulnerability x Cost Risk Assessment = ((Likelihood + Impact + Current Impact)/3) * 2 - 1

PART – B (16 Marks) 1. Explain in detail the process of asset identification for different categories. Nov/Dec 2012 People, Procedures, and Data Asset Identification  Human resources, documentation, and data information assets are not as readily discovered and documented  These assets should be identified, described, and evaluated by people using knowledge, experience, and judgment  As these elements are identified, they should also be recorded into some reliable data handling process Asset Information for People  Position name/number/ID – try to avoid names and stick to identifying positions, roles, or functions  Supervisor  Security clearance level  Special skills Hardware, Software, and Network Asset Identification  What attributes of each of these information assets should be tracked? 36

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES



RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

When deciding which information assets to track, consider including these asset attributes:  Name  IP address  MAC address  Element type  Serial number  Manufacturer name  Manufacturer’s model number or part number  Software version, update revision, or FCO number  Physical location  Logical location  Controlling entity

Asset Information for Procedures  Description  Intended purpose  What elements is it tied to  Where is it stored for reference  Where is it stored for update purposes  Security clearance level  Special skills Asset Information for Data  For Data:  Classification  Owner/creator/manager  Size of data structure  Data structure used – sequential, relational  Online or offline  Where located  Backup procedures employed 2. What are risk control strategies? Nov/Dec 2011 May/June 2012  When risks from information security threats are creating a competitive disadvantage  Information technology and information security communities of interest take control of the risks  Four basic strategies are used to control the risks that result from vulnerabilities:  Apply safeguards (avoidance)  Transfer the risk (transference) 37

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

 Reduce the impact (mitigation)  Inform themselves of all of the consequences and accept the risk without control or mitigation (acceptance) Risk Control Strategies: Avoidance  Avoidance attempts to prevent the exploitation of the vulnerability  Accomplished through countering threats removing vulnerabilities in assets limiting access to assets adding protective safeguards  Three areas of control:  Policy  Training and education  Technology Transference  Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations  If an organization does not already have quality security management and administration experience, it should hire individuals or firms that provide such expertise  This allows the organization to transfer the risk associated with the management of these complex systems to another organization with established experience in dealing with those risks Mitigation  Mitigation attempts to reduce the impact of exploitation through planning and preparation  Three types of plans:  disaster recovery planning (DRP)  business continuity planning (BCP)  incident response planning (IRP) Acceptance  Acceptance of risk is doing nothing to close a vulnerability and to accept the outcome of its exploitation  Acceptance is valid only when:  Determined the level of risk  Assessed the probability of attack  Estimated the potential damage  Performed a thorough cost benefit analysis  Evaluated controls using each appropriate feasibility  Decided that the particular function, service, information, or asset did not justify the cost of protection  Risk appetite describes the degree to which an organization is willing to accept risk as a trade-off to the expense of applying controls 38

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Risk Assessment  To determine the relative risk for each of the vulnerabilities through a process called risk assessment  Risk assessment assigns a risk rating or score to each specific information asset, useful in gauging the relative risk introduced by each vulnerable information asset and making comparative ratings later in the risk control process  Risk Identification Estimate Factors  Likelihood  Value of Information Assets  Percent of Risk Mitigate 3. Explain the process of Risk assessment. Nov/Dec 2011 Nov/Dec 2012  Risk assessment assigns a risk rating or score to each specific information asset, useful in gauging the relative risk introduced by each vulnerable information asset and making comparative ratings later in the risk control process.  Risk Identification Estimate Factors  Likelihood  Value of Information Assets  Percent of Risk Mitigated  Uncertainty 4. Write short notes on a) Incidence Response Plan b) Disaster Recovery Plan c) Business continuity plan. Incidence Response Plan The actions an organization can perhaps should take while the incident is in progress are documented in what is known as Incident Response Plan(IRP) IRP provides answers to questions victims might pose in the midst of the incident ,such as “What do I do now?”.  What should the administrator do first?  Whom should they contact?  What should they document? For example, in the event of serious virus or worm outbreak, the IRP may be used to assess the likelihood of imminent damage and to inform key decision makers in the various communities of interest. Disaster Recovery Plan The most common mitigation procedure is Disaster Recovery Plan(DRP). The DRP includes the entire spectrum of activities used to recover from the incident. DRP can include strategies to limit losses before and after the disaster. These strategies are fully deployed once the disaster has stopped. DRP usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede. 39

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Business Continuity Plan The BCP is the most strategic and long term of the three plans. It encompasses the continuation of business activities if a catastrophic event occurs, such as the loss of an entire database, building or entire operations centre. The BCP includes the planning the steps necessary to ensure the continuation of the organization when the scope or scale of a disaster exceeds the ability of the DRP to restore operations. This can include preparation steps for activation of secondary data centres, hot sites, or business recovery sites. 5. Explain the process of vulnerability identification and assessment for different threats faced by an information security system. Vulnerability Identification  Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset  Examine how each of the threats that are possible or likely could be perpetrated and list the organization’s assets and their vulnerabilities  The process works best when groups of people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions  At the end of the process, an information asset / vulnerability list has been developed  This is the starting point for the next step, risk assessment 6. Discuss briefly data classification and management. Data Classification and Management  A variety of classification schemes are used by corporate and military organizations  Information owners are responsible for classifying the information assets for which they are responsible  Information owners must review information classifications periodically  The military uses a five-level classification scheme but most organizations do not need the detailed level of classification used by the military or federal agencies Management of Classified Data  Includes the storage, distribution, portability, and destruction of classified information  Clean desk policies require all information to be stored in its appropriate storage container at the end of each day  Proper care should be taken to destroy any unneeded copies  Dumpster diving can prove embarrassing to the organization.

40

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

7. Explain the risk control cycle process. Once a control strategy has been implemented, it should be monitored and measures on an ongoing basis to determine the effectiveness of the security controls and the accuracy of the estimate of the residual risk. The following flowchart shows how this cyclical process is continuously used to ensure that risks are controlled.

. 

  

  

Before deciding on the strategy for a specific vulnerability all information about the economic and non-economic consequences of the vulnerability facing the information asset must be explored Cost Benefit Analysis (CBA) The most common approach for a project of information security controls and safeguards is the economic feasibility of implementation Begins by evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised It is only common sense that an organization should not spend more to protect an asset than it is worth The formal process to document this is called a cost benefit analysis or an economic feasibility study Some of the items that impact the cost of a control or safeguard include:  Cost of development or acquisition  Training fees  Cost of implementation  Service costs  Cost of maintenance

41

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES







RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

 Asset valuation  It is the process of assigning financial value or worth to each information asset  The valuation of assets involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against market loss and litigation  These estimates are calculated for each set of information bearing systems or information assets  The expected value of a loss can be stated in the following equation: Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) SLE = asset value x exposure factor (EF) ARO is simply how often you expect a specific type of attack to occur, per year. SLE is the calculation of the value associated with the most likely loss from an attack. EF is the percentage loss that would occur from a given vulnerability being exploited. When benchmarking, an organization typically uses one of two measures:  Metrics-based measures are comparisons based on numerical standards  Process-based measures examine the activities performed in pursuit of its goal, rather than the specifics of how goals were attained Organizational feasibility examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization Operational Feasibility addresses user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders. Sometimes known as behavioural feasibility, because it measures the behaviour of users.

42

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

UNIT – IV PART – A (2 Marks) 1. What measurement do you use when preparing a potential damage assessment? May/June 2012 Identify what must be done to recover from each possible case. The costs include the actions of the response team(s) as they act to recover quickly and effectively from an incident or disaster. 2. Define policy and standards. May/June 2012 A policy is a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters. Standards, on the other hand, are more detailed statements of what must be done to comply with policy. 3. What is the difference between the management, technical and operational control? When would each be applied as a part of a security framework? May/June 2012 Managerial controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization. 4. Give any 5 major sections of ISO/IEC 17799 standards.  Organizational Security Policy  Organizational Security Infrastructure  Asset Classification and Control  Personnel Security  Compliance 5. What are the three types of security policies?  General or security program policy  Issue-specific security policies  Systems-specific security policies

May/June 2013

Nov/Dec 2012

6. Mention the Drawbacks of ISO 17799/BS 7799. Nov/Dec 2011  The global information security community has not defined any justification for a code of practice as identified in the ISO/IEC 17799  17799 lacks “the necessary measurement precision of a technical standard”  There is no reason to believe that 17799 is more useful than any other approach currently available  17799 is not as complete as other frameworks available  17799 is perceived to have been hurriedly prepared given the tremendous impact its adoption could have on industry information security controls 43

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

7. What is Defense in Depth? One of the foundations of security architectures is the requirement to implement security in layers .Defense in depth requires that the organization establish sufficient security controls and safeguards, so that an intruder faces multiple layers of controls. 8. What is contingency planning? Nov/Dec 2012 It is the entire planning conducted by the organization to prepare for, react to, and recover from events that threaten the security of information and information assets in the organization. 9. What are the approaches of ISSP?  Create a number of independent ISSP documents  Create a single comprehensive ISSP document  Create a modular ISSP document 10. What is Sphere of protection?  The “sphere of protection” overlays each of the levels of the “sphere of use” with a layer of security, protecting that layer from direct or indirect use through the next layer  The people must become a layer of security, a human firewall that protects the information from unauthorized access and use  Information security is therefore designed and implemented in three layers  Policies  People (education, training, and awareness programs)  Technology 11. What is Security perimeter? The point at which an organization’s security protection ends, and the outside world begins is referred to as the security perimeter. 12. Mention the Operational Controls of NIST SP 800-26.  Personnel Security  Physical Security  Production, Input/output Controls  Contingency Planning  Hardware and Systems Software  Data Integrity  Documentation  Security Awareness, Training, and Education  Incident Response Capability . 44

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

13. What is Information Security Blueprint? The Security Blue Print is the basis for Design, Selection and Implementation of Security Policies, education and training programs, and technology controls. 14. What are ACL Policies?  Who can use the system  What authorized users can access  When authorized users can access the system  Where authorized users can access the system from  How authorized users can access the system 15. Define Issue-Specific Security Policy (ISSP).  addresses specific areas of technology  requires frequent updates  contains an issue statement on the organization’s position on an issues 16. What is Security Program Policy?  A general security policy  IT security policy  Information security policy

PART – B (16 Marks) 1. Describe NIST SP 800-26. Management Controls  Risk Management  Review of Security Controls  Life Cycle Maintenance  Authorization of Processing (Certification and Accreditation)  System Security Plan Operational Controls  Personnel Security  Physical Security  Production, Input / Output Controls  Contingency Planning  Hardware and Systems Software  Data Integrity  Documentation  Security Awareness, Training, and Education 45

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES



RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Incident Response Capability

Technical Controls  Identification and Authentication  Logical Access Controls  Audit Trails 2. Explain the design of security architecture in detail.  Host-based Ids  Network-based Ids  Signature-based Ids  Statistical anomaly based Ids

May/June 2013

3. Discuss the types of information security policies in detail. Nov/Dec 2011  General or security program policy  Issue-specific security policies  Systems-specific security policies Security Program Policy  Sets the strategic direction, scope, and tone for all security efforts within the organization  An executive-level document, usually drafted by or with, the CIO of the organization and is usually 2 to 10 pages long Issue-Specific Security Policy (ISSP)  As various technologies and processes are implemented, certain guidelines are needed to use them properly  ISSP:  addresses specific areas of technology  requires frequent updates  contains an issue statement on the organization’s position on an issue  Three approaches:  Create a number of independent ISSP documents  Create a single comprehensive ISSP document  Create a modular ISSP document Systems-Specific Policy (SysSP)  SysSPs are frequently codified as standards and procedures used when configuring or maintaining systems  Access control lists (ACLs) consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system  Configuration rules comprise the specific configuration codes entered into 46

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

security systems to guide the execution of the system 4. Explain NIST security model in detail.  NIST special publication SP 800-12  NIST special publication SP 800-14  NIST special publication SP 800-18

Nov/Dec 2011

5. Discuss VISA International security models in detail. Nov/Dec 2012  VISA International promotes strong security measures and has security guidelines  Developed two important documents that improve and regulate information systems: “Security Assessment Process”; “Agreed Upon Procedures”  Using the two documents, security team can develop sound strategy the design of good security architecture  Only down side to this approach is very specific focus on systems that can or do integrate with VISA’s systems 6. Describe the major steps in contingency planning. Nov/Dec 2012  Plans for events of this type are referred to in a number of ways:  Business continuity plans (BCPs)  Disaster recovery plans (DRPs)  Incident response plans (IRPs)  Contingency plans  Large organizations may have many types of plans and small organizations may have one simple plan, but most have inadequate planning

47

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING



Before any planning begins, a team has to plan the effort and prepare resulting documents  Champion: high-level manager to support, promote, and endorse findings of the project  Project manager: leads project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed  Team members: should be managers or their representatives from various communities of interest (business, IT, and information security). Major steps in contingency planning:

48

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES



   

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

CP team conducts BIA in the following stages:  Threat attack identification  Business unit analysis  Attack success scenarios  Potential damage assessment  Subordinate plan classification Incident response planning covers identification of, classification of, and response to an incident Incident is attack against an information asset that poses clear threat to the confidentiality, integrity, or availability of information resources IR team consists of those individuals needed to handle systems as incident takes place IR consists of the following four phases:  Planning  Detection  Reaction  Recovery

Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster. Contingency planning team must decide which actions constitute disasters and which constitute incidents. DRP Steps:  There must be a clear establishment of priorities  There must be a clear delegation of roles and responsibilities  Someone must initiate the alert roster and notify key personnel  Crisis management occurs during and after a disaster and focuses on the people 49

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES



RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

involved and addressing the viability of the business Business continuity planning outlines reestablishment of critical business operations during a disaster that impacts operations

UNIT – V PART – A (2 Marks) 1. Distinguish between symmetric and asymmetric encryption. Nov/Dec 2011 Symmetric Asymmetric Uses the same secret (private) key to Uses both a public and private key. encrypt and decrypt its data Requires that the secret key be known by Asymmetric allows for distribution of the party encrypting the data and the your public key to anyone with which party decrypting the data. they can encrypt the data they want to send securely and then it can only be decoded by the person having the private key. Fast 1000 times slower than symmetric 2. What is content filter? May/June 2013 A content filter is software filter-technically not a firewall-that allows administrators to restrict access to content from within a network. 3. List all physical security controls.  guards  dogs  lock and keys  electronic monitoring  ID cards and badges  man traps  alarms and alarm systems

May/June 2013

4. What are the seven major sources of physical loss?  Temperature extremes  Gases  Liquids  Living organisms  Projectiles 50

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

 

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Movement Energy anomalies

5. What are the advantages and disadvantages of using honey pot or padded cell approach? Advantages:  Attackers can be diverted to targets that they cannot damage  Administrators have time to decide how to respond to an attacker  Attackers action can be easily and extensively monitored  Honey pots may be effective at catching insiders who are snooping around a network Disadvantages:  The legal implications of using such devices are not well defined  Honey pots and Padded cells have not yet been shown to be generally useful security technologies  An expert attacker, once diverted into a decoy system, may become angry and launch a hostile attack against an organization’s systems  Security managers will need a high level of expertise to use these systems 6. Define encryption and decryption. Encryption is the process of converting an original message into a form that is unreadable to unauthorized individuals-that is, to anyone without the tools to convert the encrypted message back to its original format. Decryption is the process of converting the cipher text into a message that conveys readily understood meaning. 7. What are different types of IDSs?  Network-based IDS  Host-based IDS  Application-based IDS  Signature-based IDS  Statistical Anomaly-Based IDS

8. What are firewalls? A firewall is any device that prevents a specific type of information from moving between the un-trusted network outside and the trusted network inside. The firewall may be:  a separate computer system 51

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

 

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

a service running on an existing router or server a separate network containing a number of supporting devices

9. What is Application-based IDS? A refinement of Host-based IDs is the application-based IDS (AppIDS). The application based IDs examines an application for abnormal incidents. It looks for anomalous occurrences such as users exceeding their authorization, invalid file executions etc. 10. What are Digital signatures?  An interesting thing happens when the asymmetric process is reversed, that is the private key is used to encrypt a short message  The public key can be used to decrypt it, and the fact that the message was sent by the organization that owns the private key cannot be reputed  This is known as non-repudiation, which is the foundation of digital signatures  Digital Signatures are encrypted messages that are independently verified by a central facility (registry) as authentic 11. What are dual homed host firewalls?  The bastion-host contains two NICs (network interface cards)  One NIC is connected to the external network, and one is connected to the internal network  With two NICs all traffic must physically go through the firewall to move between the internal and external networks  A technology known as network-address translation (NAT) is commonly implemented with this architecture to map from real, valid, external IP addresses to ranges of internal IP addresses that are non-routable 12. How firewalls are categorized by processing mode?  Packet filtering  Application gateways  Circuit gateways  MAC layer firewalls  Hybrids 13. What is Cryptanalysis? Cryptanalysis is the process of obtaining the original message (called plaintext) from an encrypted message (called the cipher text) without knowing the algorithms and keys used to perform the encryption. 14. What is Public Key Infrastructure (PKI)? 52

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Public Key Infrastructure is the entire set of hardware, software, and cryptosystems necessary to implement public key encryption. PKI systems are based on public-key cryptosystems and include digital certificates and certificate authorities (CAs) and can:  Issue digital certificates  Issue crypto keys

PART – B (16 Marks) 1. Write about the different generations of firewalls. First Generation  Called packet filtering firewalls  Examines every incoming packet header and selectively filters packets based on address, packet type, port request, and others factors  The restrictions most commonly implemented are based on:  IP source and destination address  Direction (inbound or outbound)  TCP or UDP source and destination port-requests Second Generation  Called application-level firewall or proxy server  Often a dedicated computer separate from the filtering router  With this configuration the proxy server, rather than the Web server, is exposed to the outside world in the DMZ  Additional filtering routers can be implemented behind the proxy server  The primary disadvantage of application-level firewalls is that they are designed for a specific protocol and cannot easily be reconfigured to protect against attacks on protocols for which they are not designed Third Generation  Called stateful inspection firewalls  Keeps track of each network connection established between internal and external systems using a state table which tracks the state and context of each packet in the conversation by recording which station sent what packet and when  If the stateful firewall receives an incoming packet that it cannot match in its state table, then it defaults to its ACL to determine whether to allow the packet to pass  The primary disadvantage is the additional processing requirements of managing and verifying packets against the state table which can possibly expose the system to a DoS attack  These firewalls can track connectionless packet traffic such as UDP and remote procedure calls (RPC) traffic 53

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Fourth Generation  While static filtering firewalls, such as first and third generation, allow entire sets of one type of packet to enter in response to authorized requests, a dynamic packet filtering firewall allows only a particular packet with a particular source, destination, and port address to enter through the firewall  It does this by understanding how the protocol functions, and opening and closing “doors” in the firewall, based on the information contained in the packet header. In this manner, dynamic packet filters are an intermediate form, between traditional static packet filters and application proxies Fifth Generation  The final form of firewall is the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT  It evaluates packets at multiple layers of the protocol stack, by checking security in the kernel as data is passed up and down the stack 2. Explain briefly the basic Encryption definitions.  Algorithm: mathematical formula used to convert an unencrypted message into an encrypted message  Cipher: transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components  Ciphertext or cryptogram: unintelligible encrypted or encoded message resulting from an encryption  Code: transformation of the larger components (words or phrases) of an unencrypted message into encrypted components  Cryptosystem: set of transformations necessary to convert an unencrypted message into an encrypted message  Decipher: decrypt or convert ciphertext to plaintext  Encipher: encrypt or convert plaintext to ciphertext  Key or cryptovariable: information used in conjunction with the algorithm to create ciphertext from plaintext  Keyspace: entire range of values that can possibly be used to construct an individual key  Link encryption: a series of encryptions and decryptions between a number of systems, whereby each node decrypts the message sent to it and then re-encrypts it using different keys and sends it to the next neighbor, until it reaches the final destination  Plaintext: original unencrypted message that is encrypted and results from successful decryption  Steganography: process of hiding messages in a picture or graphic 54

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES



RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Work factor: amount of effort (usually in hours) required to perform cryptanalysis on an encoded message

3. Explain about RSA algorithm.  public key encryption technique  encryption algorithm  decryption algorithm  security in RSA RSA Algorithm Rivest-Shamir-Adleman (RSA) algorithm is one of the most popular and secures public-key encryption methods. The algorithm capitalizes on the fact that there is no efficient way to factor very large (100-200 digit) numbers. Using an encryption key (e,n), the algorithm is as follows:  Represent the message as an integer between 0 and (n-1). Large messages can be broken up into a number of blocks. Each block would then be represented by an integer in the same range  Encrypt the message by raising it to the eth power modulo n. The result is a cipher text message C  To decrypt cipher text message C, raise it to another power d modulo n The encryption key (e,n) is made public. The decryption key (d,n) is kept private by the user. How to Determine Appropriate Values for e, d, and n  Choose two very large (100+ digit) prime numbers. Denote these numbers as p and q.  Set n equal to p * q.  Choose any large integer, d, such that GCD(d, ((p-1) * (q-1))) = 1  Find e such that e * d = 1 (mod ((p-1) * (q-1))) 4. What are the different types of intrusion detection systems (IDS)? Explain Ids. May/June 2013 Intrusion Detection Systems (IDSs)  IDSs work like burglar alarms  IDSs require complex configurations to provide the level of detection and response desired  An IDS operates as either network-based, when the technology is focused on protecting network information assets, or host-based, when the technology is focused on protecting server or host information assets  IDSs use one of two detection methods, signature-based or statistical anomalybased 55

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

A network-based IDS (NIDS) resides on a computer or an appliance connected to a segment of an organization’s network and monitors traffic on that network segment, looking for indications of ongoing or successful attacks. 5. What are the recommended practices in designing firewalls?  All traffic from the trusted network is allowed out  The firewall device is always inaccessible directly from the public network  Allow Simple Mail Transport Protocol (SMTP) data to pass through your firewall, but insure it is all routed to a well-configured SMTP gateway to filter and route messaging traffic securely  All Internet Control Message Protocol (ICMP) data should be denied  Block telnet (terminal emulation) access to all internal servers from the public networks  When Web services are offered outside the firewall, deny HTTP traffic from reaching your internal networks by using some form of proxy access or DMZ architecture

6. Explain different types of Scanning and Analysis tools available. Port Scanners  Port scanners fingerprint networks to find ports and services and other useful information  Why secure open ports?  An open port can be used to send commands to a computer, gain access to a server, and exert control over a networking device  The general rule of thumb is to remove from service or secure any port not absolutely necessary for the conduct of business Vulnerability Scanners  Vulnerability scanners are capable of scanning networks for very detailed 56

www.vidyarthiplus.com

www.vidyarthiplus.com IV CSE – (VIII SEM) NOTES

RJ Edition

PPG INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

information  As a class, they identify exposed usernames and groups, show open network shares, expose configuration problems, and other vulnerabilities in servers Packet Sniffers  on a network that the organization owns  under direct authorization of the owners of the network  have knowledge and consent of the content creators (users) Content Filters  Although technically not a firewall, a content filter is a software filter that allows administrators to restrict accessible content from within a network  The content filtering restricts Web sites with inappropriate content Trap and Trace  Trace: determine the identity of someone using unauthorized access  Better known as honey pots, they distract the attacker while notifying the administrator 7. What is Cryptography? Explain the key terms associated with cryptography. Cryptography, which comes from the Greek work kryptos, meaning “hidden”, meaning “to write”, is a process of making and using codes to secure the transmission of information. Cryptanalysis is the process of obtaining the original message (called plaintext) from an encrypted message (called the cipher text) without knowing the algorithms and keys used to perform the encryption. Encryption is the process of converting an original message into a form that is unreadable to unauthorized individuals-that is, to anyone without the tools to convert the encrypted message back to its original format. Decryption is the process of converting the cipher text into a message that conveys readily understood meaning.

57

www.vidyarthiplus.com

View more...

Comments

Copyright ©2017 KUPDF Inc.
SUPPORT KUPDF