
SPG - Unit - 1 - VI Sem - PDF QB


Unit 1: Introduction to the Management of Information Security

B.E. (COMPUTER SCIENCE & ENGINEERING) SEM. VI


6KS01 SECURITY POLICY & GOVERNANCE [L-3, T-0, C-3]

Unit I
Introduction to the Management of Information Security: Introduction to Security,
Key Concepts of Information Security: Threats and Attacks, Management and
Leadership, Principles of Information Security Management.

Question Set
List and describe the three communities of interest that engage in an
organization's efforts to solve InfoSec problems. Give two or three
examples of who might be in each community?
What is the importance of the C.I.A. triad? Define each of its
components.
What is information security? What essential protections must be in
place to protect information systems from danger?
Describe the CNSS security model. What are its three dimensions?
What are the various types of malware? How do worms differ from
viruses? Do Trojan horses carry viruses or worms?
What is ransomware? How does an organization protect against it?
Does the intellectual property owned by an organization usually have
value? If so, how can attackers threaten that value?
What are the types of password attacks? What can a systems
administrator do to protect against them?
What is the difference between a denial-of-service attack and a
distributed denial-of-service attack? Which is potentially more
dangerous and devastating? Why?
What is management and what is a manager? What roles do managers
play as they execute their responsibilities?
What are the three levels of planning? Define each. List the types of
InfoSec plans and planning functions.

Management is, above all, a practice where art, science, and craft meet.

Prof. Ram Meghe Institute of Technology & Research Badnera- Amravati Page 1

1 List and describe the three communities of interest that engage in an
organization's efforts to solve InfoSec problems. Give two or three examples
of who might be in each community?
Answer
• Organizations must realize that information security planning and
funding decisions involve more than managers of information, the
members of the information security team, or the managers of
information systems. Altogether, they must involve the entire
organization, as represented by three distinct groups of managers and
professionals, or communities of interest:
• Those in the field of information security
• Those in the field of IT
• Those from the rest of the organization
These three groups should engage in a constructive effort to reach consensus
on an overall plan to protect the organization's information assets. The
communities of interest and the roles they fulfill include the following:

Information Security Community
• The information security community protects the organization's
information assets from the many threats they face.
• Example: This community comprises IT professionals, the chief
information security officer, and the managers who bear the
responsibility for securing the information.

Information Technology Community
• The IT community supports the business objectives of the
organization by supplying and supporting IT that is appropriate to
the organization's needs.
• Examples: IT professionals, the chief information officer, and the
managers who act as providers of information.

General Business Community
• The general business community articulates and communicates
organizational policy and objectives and allocates resources to the
other groups.
• Examples: This community includes non-IT professionals, users,
and managers.

===================================================
===================================================
2 What is information security? What essential protections must
be in place to protect information systems from danger?
OR
What is Security and what are specialized areas of security?
Answer
Asset - An organizational resource that is being protected. An asset can be
logical, such as a Web site, software information, or data; or an asset can
be physical, such as a person, computer system, hardware, or other tangible
object. Assets, particularly information assets, are the focus of what
security efforts are attempting to protect.
Information asset - The focus of information security; information that has
value to the organization, and the systems that store, process, and
transmit the information.
Information security (InfoSec) - Protection of the confidentiality,
integrity, and availability of information assets, whether in storage,
processing, or transmission, via the application of policy, education,
training and awareness, and technology.
Security - A state of being secure and free from danger or harm. In
addition, the actions taken to make someone or something secure.

• In general, security means being free from danger; to be secure is
to be protected from the risk of loss, damage, unwanted
modification, or other hazards. National security, for example, is a
system of multilayered processes that protects the sovereignty of a
state: its assets, resources, and people. Achieving an appropriate
level of security for an organization also depends on the
implementation of a multilayered system.
• Security is often achieved by means of several strategies
undertaken simultaneously or used in combination with one
another. Many of those strategies will focus on specific areas of
security, but they also have many elements in common. It is the
role of management to ensure that each strategy is properly
planned, organized, staffed, directed, and controlled.

Specialized areas of security include:
• Physical security - The protection of physical items, objects, or
areas from unauthorized access and misuse.
• Operations security - The protection of the details of an
organization's operations and activities.
• Communications security - The protection of all communications
media, technology, and content.
• Cyber (or computer) security - The protection of computerized
information processing systems and the data they contain and
process. The term cyber security is relatively new, so its use might
be slightly ambiguous in coming years as the definition gets sorted
out.
• Network security - A subset of communications security and cyber
security; the protection of voice and data networking components,
connections, and content.
• Information security (InfoSec) - Focuses on the protection of
information and the characteristics that give it value, such as
confidentiality, integrity, and availability, and includes the
technology that houses and transfers that information through a
variety of protection mechanisms such as policy, training and
awareness programs, and technology.

Figure: Components of information security


===================================================
===================================================
3 What is the importance of the C.I.A. triad? Define each of its
components.
Answer
CIA includes:
• Confidentiality
• Integrity
• Availability

Confidentiality
Confidentiality means limiting access to information only to those who need
it, and preventing access by those who do not. When unauthorized
individuals or systems can view information, confidentiality is breached. To
protect the confidentiality of information, a number of measures are used,
including:
• Information classification
• Secure document (and data) storage
• Application of general security policies
• Education of information custodians and end users
• Cryptography (encryption)
In an organization, confidentiality of information is especially important for
personal information about employees, customers, or patients. People expect
organizations to closely guard such information. Whether the organization is
a government agency, a commercial enterprise, or a nonprofit charity,
problems arise when organizations disclose confidential information.
Disclosure can occur either deliberately or by mistake.
For example, confidential information could be mistakenly e-mailed to
someone outside the organization rather than the intended person inside the
organization. Or perhaps an employee discards, rather than destroys, a
document containing critical information. Or maybe a hacker successfully
breaks into a Web-based organization's internal database and steals sensitive
information about clients, such as names, addresses, or credit card
information.
Integrity
The integrity or completeness of information is threatened when it is
exposed to corruption, damage, destruction, or other disruption of its
authentic state. Corruption can occur while information is being entered,
stored, or transmitted. Many computer viruses and worms, for example, are
designed to corrupt data.
For this reason, the key method for detecting whether a virus or worm
has caused an integrity failure to a file system is to look for changes in the
file's state, as indicated by the file's size or, in a more advanced operating
system, its hash value or checksum.

The C.I.A. Triad

File corruption is not always the result of deliberate attacks. Faulty
programming or even noise in the transmission channel or medium can
cause data to lose its integrity. For example, a low-voltage state in a signal
carrying a digital bit (a 1 or 0) can cause the receiving system to record the
data incorrectly.
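The hash-based integrity check described in this answer, written out as an added example (it is not code from the question bank or its source textbook): a baseline records the size and SHA-256 digest of each file, and a later pass reports any file whose digest no longer matches. The sample "files" are a constructed in-memory dictionary standing in for a real file system, and the tampering function is a constructed scenario chosen so that the file size stays the same, which is exactly the case a size-only check misses.

```python
import hashlib

# Constructed sample "files" (path -> content) standing in for a real file
# system so the example runs offline. For real files, read open(path, "rb").
SAMPLE_FILES = {
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}


def sha256_hex(data: bytes) -> str:
    """Content digest; unlike a size check it changes for any modification."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record the known-good state: size and SHA-256 digest of every file."""
    return {path: {"size": len(data), "sha256": sha256_hex(data)}
            for path, data in files.items()}


def detect_changes(baseline: dict, files: dict) -> list:
    """Compare the current files against the baseline and report every deviation."""
    findings = []
    for path, entry in baseline.items():
        if path not in files:
            findings.append({"path": path, "status": "deleted"})
            continue
        if sha256_hex(files[path]) != entry["sha256"]:
            findings.append({"path": path, "status": "modified",
                             "size_changed": len(files[path]) != entry["size"]})
    for path in files:
        if path not in baseline:
            findings.append({"path": path, "status": "added"})
    return findings


def same_size_tamper(files: dict) -> dict:
    """Constructed modification that keeps the byte count identical (bash -> dash)."""
    tampered = dict(files)
    tampered["/etc/passwd"] = files["/etc/passwd"].replace(b"/bin/bash", b"/bin/dash")
    return tampered


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_FILES)
    for finding in detect_changes(baseline, same_size_tamper(SAMPLE_FILES)):
        print(finding)
```

The finding for the tampered file carries `size_changed: False`, which is the point of the passage: a digest catches a change that leaves the file's size untouched. A host intrusion detection system does the same comparison on a schedule and keeps the baseline somewhere the monitored host cannot rewrite it.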

Define the InfoSec processes of identification, authentication,
authorization, and accountability.

Availability
Availability of information means that users, either people or other systems,
have access to it in a usable format. Availability does not imply that the
information is accessible to any user; rather, it means it can be accessed
when needed by authorized users. To understand this concept more fully,
consider the contents of a library, in particular, research libraries that
require identification for access to the library as a whole or to certain
collections.


The CIA triad has been expanded into a more comprehensive list of critical
characteristics and processes, including privacy, identification,
authentication, authorization, and accountability.

• Privacy
Information that is collected, used, and stored by an organization should be
used only for the purposes stated by the data owner at the time it was
collected. In this context, privacy does not mean freedom from observation.
It means that the information will be used only in ways approved by the
person who provided it. Many organizations collect, swap, and sell personal
information as a commodity. Today, it is possible to collect and combine
personal information from several different sources (known as information
aggregation), which has resulted in databases that could be used in ways the
original data owner has not agreed to or even knows about.
• Identification
An information system possesses the characteristic of identification when it
is able to recognize individual users. Identification is the first step in gaining
access to secured material, and it serves as the foundation for subsequent
authentication and authorization. Identification and authentication are
essential to establishing the level of access or authorization that an
individual is granted. Identification is typically performed by means of a
user name or other ID.
• Authentication
Authentication is the process by which a control establishes whether a user
(or system) is the entity it claims to be. Examples include the use of
cryptographic certificates to establish Secure Sockets Layer (SSL)
connections as well as the use of cryptographic hardware devices, for
example, hardware tokens such as RSA's SecurID.
• Authorization
After the identity of a user is authenticated, a process called authorization
defines what the user (whether a person or a computer) has been specifically
and explicitly authorized by the proper authority to do, such as access,
modify, or delete the contents of an information asset. An example of
authorization is the activation and use of access control lists and
authorization groups in a networking environment.
• Accountability
Accountability of information occurs when a control provides assurance that
every activity undertaken can be attributed to a named person or automated
process. For example, audit logs that track user activity on an information
system provide accountability.
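The four processes just defined, identification, authentication, authorization and accountability, carried through as one added example (not code from the question bank): a token carries a user ID (identification) and an HMAC tag that only the server can mint (authentication); an access control list consulted through authorization groups decides what the authenticated user may do (authorization); and every decision, allowed or denied, is written to an audit log naming the principal (accountability). The server key, the groups, the ACL and the asset names are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed server-side secret (assumption: a real deployment keeps it in a
# key store, not in source code). Tokens have the form "user:tag", where
# tag = HMAC-SHA256(SERVER_KEY, user).
SERVER_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed authorization groups and access control lists.
GROUPS = {"alice": {"finance"}, "bob": {"helpdesk"}}
ACL = {
    "payroll.db": {"finance": {"read", "modify"}, "helpdesk": {"read"}},
    "hr-records.db": {"finance": {"read"}},
}

# Accountability: every decision, allowed or denied, is appended here.
AUDIT_LOG = []


def issue_token(user: str) -> str:
    """Identification plus a proof that only the server can produce for that ID."""
    tag = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"


def authenticate(token: str):
    """Return the claimed user ID if the token's tag verifies, otherwise None."""
    user, _, tag = token.partition(":")
    if not user or not tag.isascii():
        return None
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not reveal how many characters matched.
    return user if hmac.compare_digest(tag, expected) else None


def record(user: str, asset: str, action: str, result: str) -> None:
    """Audit entry attributing the activity to a named principal."""
    AUDIT_LOG.append({"ts": time.time(), "user": user, "asset": asset,
                      "action": action, "result": result})


def authorize(token: str, asset: str, action: str) -> bool:
    """Authorization happens only after authentication; the ACL is read via groups."""
    claimed = token.partition(":")[0]
    user = authenticate(token)
    if user is None:
        record(claimed, asset, action, "denied: authentication failed")
        return False
    permitted = any(action in ACL.get(asset, {}).get(group, set())
                    for group in GROUPS.get(user, set()))
    record(user, asset, action, "allowed" if permitted else "denied: not authorized")
    return permitted


if __name__ == "__main__":
    authorize(issue_token("alice"), "payroll.db", "modify")
    authorize(issue_token("bob"), "payroll.db", "modify")
    for entry in AUDIT_LOG:
        print(entry)
```

Denials are logged as carefully as grants: an audit trail that only records successes cannot attribute a failed attempt to anyone, which defeats the accountability goal.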
===================================================
===================================================
4 Describe the CNSS security model. What are its three
dimensions?
Answer
• The CNSS document NSTISSI No. 4011, "National Training
Standard for Information Systems Security (InfoSec) Professionals,"
presents a comprehensive model of InfoSec known as the McCumber
Cube, which is named after its developer, John McCumber. Shown in
the figure below, which is an adaptation of the NSTISSI model, the
McCumber Cube serves as the standard for understanding many
aspects of InfoSec, and shows the three dimensions that are central to
the discussion of InfoSec: information characteristics, information
location, and security control categories.
• If you extend the relationship among the three dimensions that are
represented by the axes in the figure, you end up with a 3 x 3 x 3 cube
with 27 cells. Each cell represents an area of intersection among these
three dimensions, which must be addressed to secure information.
When using this model to design or review any InfoSec program, you
must make sure that each of the 27 cells is properly addressed by each
of the three communities of interest.
• For example, the cell representing the intersection of the technology,
integrity, and storage criteria could include controls or safeguards
addressing the use of technology to protect the integrity of
information while in storage. Such a control might consist of a host
intrusion detection and prevention system (HIDPS), for example,
which would alert the security administrators when a critical file was
modified or deleted.

CNSS security model

• While the CNSS model covers the three dimensions of InfoSec, it
omits any discussion of guidelines and policies that direct the
implementation of controls, which are essential to an effective
InfoSec program. Instead, the main purpose of the model is to
identify gaps in the coverage of an InfoSec program.
• Another weakness of this model emerges when it is viewed from a
single perspective. For example, the HIDPS control described earlier
addresses only the needs and concerns of the InfoSec community,
leaving out the needs and concerns of the broader IT and general
business communities. In practice, thorough risk reduction requires
the creation and dissemination of controls of all three types (policy,
education, and technical) by all three communities. These controls
can be implemented only through a process that includes consensus
building and constructive conflict to reflect the balancing act that
each organization faces as it designs and executes an InfoSec
program. The rest of this book will elaborate on these issues.
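The gap-finding use of the cube described above, as an added example (not from the question bank or the NSTISSI document): the three axes are expanded into the 27 cells, a control inventory is mapped onto them, and two reports come out: the cells no control addresses, and the covered cells that only one community of interest addresses (the single-perspective weakness noted in the answer). The control inventory, its community labels, and the control names are constructed for the example; a real review would draw them from the organization's control register.

```python
import itertools

# The three axes of the McCumber Cube, as named in the answer above.
CHARACTERISTICS = ("confidentiality", "integrity", "availability")
LOCATIONS = ("storage", "processing", "transmission")
CONTROL_TYPES = ("policy", "education", "technology")
COMMUNITIES = ("infosec", "it", "general business")


def all_cells() -> set:
    """The 27 cells: every (characteristic, location, control type) combination."""
    return set(itertools.product(CHARACTERISTICS, LOCATIONS, CONTROL_TYPES))


# Constructed control inventory. Each control lists the cells it addresses
# and the community of interest that owns it.
CONTROL_INVENTORY = [
    {"name": "HIDPS on file servers", "community": "infosec",
     "cells": [("integrity", "storage", "technology")]},
    {"name": "Full-disk encryption", "community": "it",
     "cells": [("confidentiality", "storage", "technology")]},
    {"name": "TLS on internal services", "community": "it",
     "cells": [("confidentiality", "transmission", "technology"),
               ("integrity", "transmission", "technology")]},
    {"name": "Acceptable-use policy", "community": "general business",
     "cells": [(c, l, "policy") for c in CHARACTERISTICS for l in LOCATIONS]},
    {"name": "Security awareness training", "community": "infosec",
     "cells": [(c, l, "education") for c in CHARACTERISTICS for l in LOCATIONS]},
]


def coverage(inventory: list) -> dict:
    """Map each cell to the controls addressing it; reject cells that are not on the cube."""
    valid = all_cells()
    covered = {}
    for control in inventory:
        for cell in control["cells"]:
            if cell not in valid:
                raise ValueError(f"{control['name']}: {cell} is not a cube cell")
            covered.setdefault(cell, []).append(control)
    return covered


def gaps(inventory: list) -> list:
    """Cells no control addresses: the gaps the model is meant to expose."""
    return sorted(all_cells() - set(coverage(inventory)))


def single_perspective_cells(inventory: list) -> dict:
    """Covered cells addressed by fewer than all three communities of interest."""
    result = {}
    for cell, controls in coverage(inventory).items():
        owners = {c["community"] for c in controls}
        if len(owners) < len(COMMUNITIES):
            result[cell] = sorted(owners)
    return result


if __name__ == "__main__":
    print("uncovered cells:")
    for cell in gaps(CONTROL_INVENTORY):
        print("  ", cell)
    print("cells seen from fewer than three communities:", len(single_perspective_cells(CONTROL_INVENTORY)))
```

With this constructed inventory, every technology cell concerned with availability, plus both "processing" cells for confidentiality and integrity, comes back as a gap, while the HIDPS cell shows up as addressed by the InfoSec community alone, which is the situation the answer warns about.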
===================================================
===================================================


5 Does the intellectual property owned by an organization usually have
value? If so, how can attackers threaten that value?
Answer
Intellectual Property (IP): The creation, ownership, and control of
original ideas as well as the representation of those ideas.

Software Piracy: The unauthorized duplication, installation, or
distribution of copyrighted computer software, which is a violation of
intellectual property.

• Many organizations create or support the development of intellectual
property (IP) as part of their business operations. Intellectual property
can be trade secrets, copyrights, trademarks, and patents. IP is
protected by copyright and other laws. For example, the use of a song
in a movie or a photo in a publication may require a specific payment
or royalty.
• The unauthorized appropriation of IP constitutes a threat to
information security. Employees may have access privileges to the
various types of IP, including purchased and developed software and
organizational information.
• Software piracy - Organizations often purchase or lease the IP
of other organizations, and must abide by a purchase or
licensing agreement for its fair and responsible use. The most
common IP breach is the unlawful use or duplication of
software-based intellectual property, more commonly known as
software piracy. Many individuals and organizations do not
purchase software as mandated by the owner's license
agreements. Because most software is licensed to a particular
purchaser, its use is restricted to a single user or to a designated
user in an organization. If the user copies the program to
another computer without securing another license or
transferring the license, the user has violated the copyright.
• Copyright protection and user registration - A number of
technical mechanisms (digital watermarks, embedded code,
copyright or activation codes, and even the intentional
placement of bad sectors on software media) have been used to
enforce copyright laws. The most common tool is a unique
software registration code in combination with an end-user
license agreement (EULA) that usually pops up during the
installation of new software, requiring users to indicate that
they have read and agree to conditions of the software's use.

===================================================
===================================================
6 What are the types of password attacks? What can a systems
administrator do to protect against them?
Answer
Password Attacks
Password attacks fall under the category of espionage or trespass just as
lock-picking falls under breaking and entering. Attempting to guess or
reverse-calculate a password is often called cracking. There are a number of
alternative approaches to password cracking:
• Brute force - The application of computing and network resources
to try every possible password combination is called a brute
force password attack. If attackers can narrow the field of target
accounts, they can devote more time and resources to these
accounts. This is one reason to always change the default
administrator password assigned by the manufacturer. Brute force
password attacks are rarely successful against systems that have
adopted the manufacturer's recommended security practices.
• Dictionary attacks - The dictionary password attack, or simply
dictionary attack, is a variation of the brute force attack that
narrows the field using a dictionary of common passwords and
includes information related to the target user, such as names of
relatives or pets, and familiar numbers such as phone numbers,
addresses, and even Social Security numbers.
• Rainbow tables - A far more sophisticated and potentially much
faster password attack is possible if the attacker can gain access to
an encrypted password file, such as the Security Account
Manager (SAM) data file. While these password files contain
hashed representations of users' passwords, not the actual
passwords, and thus cannot be used by themselves, the hash
values for a wide variety of passwords can be stored in a database
known as a rainbow table. These files can be quickly searched,
and the hash value and its corresponding plaintext value can be
easily located.
• Social engineering password attacks - While social engineering
is discussed in detail later in the section called "Human Error or
Failure," it is worth mentioning here as a mechanism to gain
password information. Using an approach commonly referred to
as pretexting, attackers posing as an organization's IT
professionals may attempt to gain access to systems information.
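The administrator's side of the answer, as an added example (not code from the question bank): why a precomputed table works against an unsalted fast hash, and what stored-password handling defeats it. A per-account random salt makes identical passwords produce different records, so no single precomputed table covers them, and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here) makes each guess cost real computation; a lockout counter throttles online guessing against the brute-force and dictionary attacks above. The common-password list, the iteration count and the account names are constructed for the example; the iteration count is kept low so the example runs quickly, and a production setting follows current guidance for the chosen function.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (constructed value, lowered for a quick
# demo; production deployments use a higher count per current guidance).
PBKDF2_ITERATIONS = 200_000

# Constructed stand-in for a dictionary of common passwords.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def unsalted_hex(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


# A precomputed table of unsalted digests, the idea behind a rainbow table:
# recovering the plaintext of any listed hash is a lookup, not a computation.
PRECOMPUTED = {unsalted_hex(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hex: str):
    return PRECOMPUTED.get(stored_hex)


def hash_password(password: str, salt: bytes = None) -> dict:
    """Store salt + slow salted digest. A fresh random salt per account means the
    same password yields different records, so one table cannot cover them all."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


class LoginGuard:
    """Throttle online guessing: lock an account after too many failures."""

    def __init__(self, store: dict, max_attempts: int = 5):
        self.store = store              # user -> password record
        self.max_attempts = max_attempts
        self.failures = {}

    def attempt(self, user: str, password: str) -> str:
        if self.failures.get(user, 0) >= self.max_attempts:
            return "locked"
        record = self.store.get(user)
        if record is not None and verify_password(password, record):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "bad credentials"   # same answer for unknown user and wrong password


if __name__ == "__main__":
    print("unsalted 'password' found in table:", lookup_unsalted(unsalted_hex("password")))
    record = hash_password("password")
    print("salted record found in table:", lookup_unsalted(record["hash"]))
```

`LoginGuard.attempt` returns the same message whether the account exists or the password was wrong, so a failed login does not confirm which user names are valid; the lockout, not the message, is what makes repeated guessing expensive.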

===================================================
===================================================
7 Who are hackers? Define their roles and types.
OR
How has the perception of the hacker changed over recent years?
What is the profile of a hacker today?
OR
What is the difference between a skilled hacker and an unskilled
hacker, other than skill levels? How does the protection against
each differ?
Answer

Acts of trespass can lead to unauthorized real or virtual actions that enable
information gatherers to enter premises or systems without permission. In
the real world, a hacker frequently spends long hours examining the types
and structures of targeted systems and uses skill, guile, and/or fraud to
attempt to bypass controls placed on information owned by someone else.

Hackers possess a wide range of skill levels, as with most technology users.
However, most hackers are grouped into two general categories: the expert
hacker and the novice hacker.

• The expert hacker is usually a master of several programming
languages, networking protocols, and operating systems, and exhibits
a mastery of the technical environment of the chosen targeted system.
• Once an expert hacker chooses a target system, the likelihood is
high that he or she will successfully enter the system. Fortunately for
the many poorly protected organizations in the world, there are
substantially fewer expert hackers than novice hackers.
• Novice hackers have little or no real expertise of their own, but rely
upon the expertise of expert hackers, who often become dissatisfied
with attacking systems directly and turn their attention to writing
software.
• These programs are automated exploits that allow novice hackers to
act as script kiddies or packet monkeys. The good news is that if an
expert hacker can post a script tool where a script kiddie or packet
monkey can find it, then systems and security administrators can find
it, too.
• However, just as novice hackers can use tools to gain access, they can
use tools to escalate privileges. A common example of privilege
escalation is called jailbreaking or rooting.
• Owners of certain smartphones can download and use particular tools
to gain control over system functions, often against the original
intentions of the designers. The term jailbreaking is more commonly
associated with Apple's iOS devices, while the term rooting is more
common with Android-based devices.
• The term cracker is commonly associated with software copyright
bypassing and password decryption. With the removal of the
copyright protection, software can be easily distributed and installed.
• Phreakers grew in fame in the 1970s when they developed devices
called blue boxes that enabled them to make free calls from pay
phones. Later, red boxes were developed to simulate the tones of
coins falling in a pay phone, and finally black boxes emulated the line
voltage. With the advent of digital communications, these boxes
became practically obsolete. Even with the loss of the colored box
technologies, however, phreakers continue to cause problems for all
telephone systems.

===================================================
===================================================
8 Explain different Categories of Threat
Answer
The table below shows twelve general categories of threats that represent a clear and present
danger to an organization's people, information, and systems. Each organization must
prioritize the threats it faces based on the particular security situation in which it
operates, its organizational strategy regarding risk, and the exposure levels of its assets.
You may notice that many of the attack examples in the table could be listed in more
than one category.

Category of Threat | Attack Examples
Compromises to intellectual property | Piracy, copyright infringement
Deviations in quality of service | Internet service provider (ISP), power, or WAN service problems
Espionage or trespass | Unauthorized access and/or data collection
Forces of nature | Fire, floods, earthquakes, lightning
Human error or failure | Accidents, employee mistakes
Information extortion | Blackmail, information disclosure
Sabotage or vandalism | Destruction of systems or information
Software attacks | Viruses, worms, macros, denial of service
Technical hardware failures or errors | Equipment failure
Technical software failures or errors | Bugs, code problems, unknown loopholes
Technological obsolescence | Antiquated or outdated technologies
Theft | Illegal confiscation of equipment or information

• Deviations in Quality of Service
(How can deviation in quality of service affect information security?)

• Internet service issues - In organizations that rely heavily on the
Internet and the Web to support continued operations, ISP failures
can considerably undermine the availability of information. Many
organizations have sales staff and telecommuters working at remote
locations. When these offsite employees cannot contact the host
systems, they must use manual procedures to continue operations.
When an organization places its Web servers in the care of a Web
hosting provider, that provider assumes responsibility for all Internet
services and for the hardware and operating system software used to
operate the Web site. These Web hosting services are usually
arranged with a service level agreement (SLA). When a service
provider fails to meet the terms of the SLA, the provider may accrue
fines to cover losses incurred by the client, but these payments
seldom cover the losses generated by the outage.
• Communications and other service provider issues - Other utility
services can affect organizations as well. Among these are telephone,
water, wastewater, trash pickup, cable television, natural or propane
gas, and custodial services. For instance, most facilities require water
service to operate an air-conditioning system. If a wastewater system
fails, an organization might be prevented from allowing employees
into the building.
• Power irregularities - Irregularities from power utilities are common
and can lead to fluctuations such as power excesses, power shortages,
and power losses. These fluctuations can pose problems for
organizations that provide inadequately conditioned power for their
information systems equipment. When power voltage levels vary from
normal, expected levels, such as during a blackout, brownout, fault,
noise, spike, surge, or sag, an organization's sensitive electronic
equipment (especially networking equipment, computers, and
computer-based systems, which are vulnerable to fluctuations) can be
easily damaged or destroyed. Most good uninterruptible power
supplies (UPS) can protect against spikes, surges, and sags, and even
brownouts and blackouts of limited duration.

• Espionage or Trespass
(What are the different types of trespassing techniques?)

Espionage or trespass is a well-known and broad category of electronic
and human activities that can breach the confidentiality of information.
When an unauthorized person gains access to information an
organization is trying to protect, the act is categorized as espionage or
trespass.
Attackers can use many different methods to access the information
stored in an information system. Some information-gathering techniques are
legal, for example, using a Web browser to perform market research. These
legal techniques are collectively called competitive intelligence.
When information gatherers employ techniques that cross a legal or ethical
threshold, they are conducting industrial espionage. Many countries that are
considered allies of the United States engage in industrial espionage against
American organizations.
Some forms of espionage are relatively low tech. One example, called
shoulder surfing, is used in public or semipublic settings when people
gather information they are not authorized to have. Instances of shoulder
surfing occur at computer terminals, desks, and ATMs; on a bus, airplane,
or subway, where people use smartphones and tablet PCs; and in other
places where employees may access confidential information.

 Forces of Nature
Forces of nature, sometimes called acts of God, can present some of the
most dangerous threats because they usually occur with little warning and
are beyond the control of people. These threats, which include events such
as fires, floods, earthquakes, and lightning as well as volcanic eruptions
and insect infestations, can disrupt not only people's lives but also the
storage, transmission, and use of information.
Some typical force of nature attacks includes the following:
 Fire- The ignition of combustible material; damage can also be
caused by smoke from fires or by water from sprinkler systems or
firefighters.
 Flood- Water overflowing into an area that is normally dry, causing
direct damage, and subsequent indirect damage from high humidity
and moisture.
 Earthquake- A sudden movement of the earth's crust caused by
volcanic activity or the release of stress accumulated along geologic
faults.
 Lightning- An abrupt, discontinuous natural electric discharge in the
atmosphere, which can cause direct damage through an electrical
surge or indirect damage from fires. Damage from lightning can
usually be prevented with specialized lightning rods and by installing
special electrical circuit protectors.
 Landslide or mudslide- The downward slide of a mass of earth and
rock. Landslides or mudslides also disrupt operations by interfering
with access to buildings.
 Tornadoes or severe windstorms- Violent wind effects in which air
moves at destructively high speeds, causing direct damage and
indirect damage from thrown debris. A tornado is a rotating column
of whirling air that can be more than a mile wide. Wind shear is a
much smaller and linear wind effect, but it can have similar
devastating consequences.
 Hurricanes, typhoons, and tropical depressions- Severe tropical
storms that commonly originate at sea and move to land, bringing
excessive rainfall, flooding, and high winds.
 Tsunami- A very large ocean wave caused by an underwater
earthquake or volcanic eruption; it can reach miles inland as it crashes
into land masses.
 Electrostatic discharge (ESD) - Also known as static electricity, and
usually little more than a nuisance. However, an employee walking
across a carpet on a cool, dry day can generate up to 12,000 volts of
electricity, and sensitive electronics can suffer damage from as little
as 10 volts.
 Dust contamination- Can dramatically reduce the effectiveness of
cooling mechanisms and potentially cause components to overheat.
Specialized optical technology, such as CD or DVD drives, can suffer
failures due to excessive dust contamination inside systems.
===================================================
===================================================
9 What is a threat process? Explain Threats and attacks
Answer

 Attack- An intentional or unintentional act that can damage or
otherwise compromise information and the systems that support it.
 Exploit- A technique used to compromise a system. This term can be a
verb or a noun. Threat agents may attempt to exploit a system or other
information asset by using it illegally for their personal gain.
 Loss- A single instance of an information asset suffering damage or
destruction, unintended or unauthorized modification or disclosure, or
denial of use.
 Threat- Any event or circumstance that has the potential to adversely
affect operations and assets. The term threat source is commonly used
interchangeably with the more generic term threat. While the two terms
are technically distinct, in order to simplify discussion the text will
continue to use the term threat to describe threat sources.
 Threat agent- The specific instance or a component of a threat.
 Vulnerability- A potential weakness in an asset or its defensive
control system(s).


To protect your organization's information, you must:
(1) know yourself; that is, be familiar with the information assets to be
protected, their inherent flaws and vulnerabilities, and the systems,
mechanisms, and methods used to store, transport, process, and protect
them; and
(2) know the threats you face. To make sound decisions about information
security, management must be informed about the various threats to an
organization's people, applications, data, and information systems.

As illustrated in the figure below, a threat represents a potential risk to an
information asset, whereas an attack, sometimes called a threat event,
represents an ongoing act against the asset that could result in a loss.
Threat agents damage or steal an organization's information or physical
assets by using exploits to take advantage of a vulnerability where controls
are not present or no longer effective.
 Unlike threats, which are always present, attacks exist only when a
specific act may cause a loss. For example, the threat of damage from
a thunderstorm is present throughout the summer in many places, but
an attack and its associated risk of loss exist only for the duration of
an actual thunderstorm.

Figure: Example of Threat and Attacks


===================================================
===================================================


10 What are the various types of malware? How do worms differ
from viruses? Do Trojan horses carry viruses or worms?
Answer

Malware & its Types:
 The most common form of software attack is malware.
 Malware is also referred to as malicious code or malicious software.
 Malicious code attacks include the execution of viruses, worms,
Trojan horses, and active Web scripts with the intent to destroy or
steal information.
 The most state-of-the-art malicious code attack is the polymorphic
worm, or multivector worm.
 These attack programs use up to six known attack vectors to exploit a
variety of vulnerabilities in common information system devices.

 Virus
A computer virus consists of code segments (programming
instructions) that perform malicious actions. This code behaves much
like a virus pathogen that attacks animals and plants, using the cell's
own replication machinery to propagate the attack beyond the initial
target.
Viruses can be classified by how they spread themselves. Among the
most common types of information system viruses are the macro
virus, which is embedded in automatically executing macro code used
by word processors, spreadsheets, and database applications, and the
boot virus (or boot-sector virus), which infects the key operating
system files in a computer's boot sector.

 Worms
Named for the tapeworm in John Brunner's novel The Shockwave
Rider, a worm can continue replicating itself until it completely fills
available resources, such as memory, hard drive space, and/or
network bandwidth. The complex behavior of worms can be initiated
with or without the user downloading or executing the file. Once the
worm has infected a computer, it can redistribute itself to other
systems connected to the compromised system using e-mail
directories and network links found on the infected system.
Furthermore, a worm can deposit copies of itself onto all Web servers
that the infected system can reach; users who subsequently visit those
sites become infected.


 Trojan horses- A Trojan horse may frequently be disguised as a
helpful, interesting, or necessary piece of software, such as the
readme.exe files often included with shareware or freeware packages.
Like their namesake in Greek legend, once Trojan horses are brought
into a system, they become activated and can wreak havoc on the
unsuspecting user. Most malware in use gains its initial foothold using
this type of Trojan horse behavior, relying on system users to activate
the initial infection with a mouse click or other means of implied
approval.

 Polymorphic threats- One of the biggest challenges to fighting
viruses and worms has been the emergence of polymorphic threats. A
polymorphic threat actually evolves, changing its size and other
external file characteristics to elude detection by antivirus software
programs.

 Virus and worm hoaxes- As frustrating as viruses and worms are,
perhaps more time and money are spent resolving virus hoaxes. Well-
meaning people can disrupt the harmony and flow of an organization
when they send group e-mails warning of supposedly dangerous
viruses that do not exist. When people fail to follow virus-reporting
procedures in response to a hoax, the network becomes overloaded
and users waste time and energy forwarding the warning message to
everyone they know, posting the message on bulletin boards, and
trying to update their antivirus protection software.
===================================================
===================================================
11 What is ransomware? How does an organization protect
against it?
Answer

Information Extortion: The act of an attacker or trusted insider who steals
information from a computer system and demands compensation for its
return or for an agreement not to disclose the information. Also known as
cyber extortion.
Ransomware: Computer software specifically designed to identify and
encrypt valuable information in a victim's system in order to extort payment
for the key needed to unlock the encryption.
 Information extortion attacks have involved specialized forms of
malware known as ransomware.


 This attack is usually implemented with malware that is run on the
victim's system as a result of phishing or spear-phishing attacks. The
result is that the user's data is encrypted. Paying the adversary a
ransom in a digital currency may or may not result in the victim
receiving the encryption key to recover the data.

How does an organization protect against it?

Ransomware is most likely to enter the organization through an e-mail-
based phishing attack that tries to convince the unsuspecting victim to click
a Web link or open an infected attachment, which installs the malware.
Ransomware perpetrators usually ask for a few hundred dollars, although
some targeted attacks have demanded ransoms of tens of thousands of
dollars. Most victims do not pay the ransom. In fact, less than three percent
of organizations targeted in the United States reported paying ransoms in
2015 and 2016. However, of those that refused to pay, approximately one-
quarter of the victims lost files in the attack. So, if you do not pay, you will
probably lose some files. If you do pay, however, there is no guarantee your
files will be decrypted, either.

 Do not pay the ransom- There is no guarantee you will get your data
back. Druva finds that one in three organizations affected pay the
ransom, yet almost half do not get their data back.
 Turn all devices off and disconnect from the network- Try to
minimize the spread and damage from the infection. Shut down the
Wi-Fi service and try to isolate infected systems so the damage does
not spread further.
 Find the source of the infection- Trying to determine how your
systems were infected can assist you in preventing further spread by
informing and educating users.
 Alert all users - Let everyone know that a ransomware attack is in
progress and how not to get infected. Do not just rely on e-mail to
send these alerts – you may want to activate your phone tree and
spread the word that way.
 Restore from a backup to a new device- Determine if your backups
are infected by eliminating any chance that the infection was present
on the computer to which you are restoring. Then, make sure the data
is accessible before porting it to another system.
 Reimage the infected systems- The only way to be sure ransomware
is not lurking in a hidden file in the operating system, hard drive, or
an application is to wipe the infected systems to their initial state and
start over. Many organizations use standard images for their systems.
Wiping all drives clean and reimaging provides a fresh start and some
assurances that the systems will not be immediately reinfected once
data is available.
===================================================
===================================================
12 What is the difference between a denial-of-service attack and a
distributed denial-of-service attack? Which is potentially more
dangerous and devastating? Why?
Answer

Denial-of-service (DoS)

In a denial-of-service (DoS) attack, the attacker sends a large number
of connection or information requests to a target as shown in the figure
below. So many requests are made that the target system becomes
overloaded and cannot respond to legitimate requests for service. The
system may crash or simply become unable to perform ordinary
functions.

Distributed denial-of-service (DDoS)

In a distributed denial-of-service (DDoS) attack, a coordinated stream
of requests is launched against a target from many locations at the same
time. Most DDoS attacks are preceded by a preparation phase in which
many systems, perhaps thousands, are compromised. The compromised
machines are turned into bots or zombies, systems that are directed
remotely by the attacker (usually via a transmitted command) to
participate in the attack.

DDoS attacks are more difficult to defend against, and currently there
are no controls that any single organization can apply. To use a popular
metaphor, DDoS is considered a weapon of mass destruction on the Internet.


Figure: Denial-of-service attack

Any system connected to the Internet and providing TCP-based network
services (such as a Web server, FTP server, or mail server) is vulnerable to
DoS attacks. DoS attacks can also be launched against routers or other
network server systems if these hosts enable other TCP services, such as
echo.
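Added example, not from the course handout: a small Python detector that applies the distinction above (one overloading source versus a coordinated stream from many compromised machines) to constructed connection-log lines, counting requests per source in fixed time windows. The log format, the thresholds and all addresses are assumptions made for this example.

```python
"""Classify bursts of TCP connection requests as a single-source DoS flood
or a distributed (DDoS) flood. Constructed example; the log line format
"<epoch_seconds> <source_ip> <dest_port>" is an assumption, not a real
server log format."""
from collections import Counter, defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 10           # size of each counting window
FLOOD_THRESHOLD = 100         # requests per window treated as a flood (tunable)
MIN_DISTRIBUTED_SOURCES = 10  # a flood from at least this many sources may be DDoS
DOMINANT_SHARE = 0.5          # one source above half the traffic = single-source


@dataclass(frozen=True)
class Verdict:
    kind: str         # "normal", "dos" or "ddos"
    requests: int     # requests seen in the window
    sources: int      # distinct source addresses in the window
    top_source: str   # busiest source address
    top_share: float  # fraction of the window's requests sent by top_source


def parse_line(line: str):
    """Split one constructed log line into (timestamp, source_ip, port)."""
    ts, src, port = line.split()
    return int(ts), src, int(port)


def classify_windows(lines, port=80):
    """Return {window_start: Verdict} for requests to the given port."""
    per_window = defaultdict(Counter)
    for line in lines:
        ts, src, dst_port = parse_line(line)
        if dst_port == port:
            per_window[ts - ts % WINDOW_SECONDS][src] += 1

    verdicts = {}
    for start, counts in sorted(per_window.items()):
        total = sum(counts.values())
        top_src, top_n = counts.most_common(1)[0]
        share = top_n / total
        if total < FLOOD_THRESHOLD:
            kind = "normal"
        elif len(counts) >= MIN_DISTRIBUTED_SOURCES and share < DOMINANT_SHARE:
            kind = "ddos"  # many sources, none dominant: the coordinated pattern
        else:
            kind = "dos"   # one source (or a few) accounts for the flood
        verdicts[start] = Verdict(kind, total, len(counts), top_src, round(share, 3))
    return verdicts


def build_sample_log():
    """Construct three windows: normal load, single-source flood, distributed flood."""
    base = 1_700_000_000
    legit = [f"192.0.2.{i}" for i in range(1, 6)]
    lines = []
    # Window 0: five clients, four requests each (normal load).
    for i in range(20):
        lines.append(f"{base + i % 10} {legit[i % 5]} 80")
    # Window 1: the same clients plus one host sending 500 requests (DoS).
    for i in range(10):
        lines.append(f"{base + 10 + i} {legit[i % 5]} 80")
    for i in range(500):
        lines.append(f"{base + 10 + i % 10} 198.51.100.7 80")
    # Window 2: 60 compromised hosts sending 10 requests each (DDoS).
    for bot in range(60):
        for i in range(10):
            lines.append(f"{base + 20 + i} 203.0.113.{bot + 1} 80")
    return lines


if __name__ == "__main__":
    for start, verdict in classify_windows(build_sample_log()).items():
        print(start, verdict)
```

The single-source window is caught by the dominant-share rule even when many legitimate clients are present; the distributed window has no dominant source, which is exactly what makes it harder to block at one organization.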

===================================================
===================================================
13 Explain the planning-controlling link in brief.
OR
What are the three levels of planning? Define each. List the types of
InfoSec plans and planning functions.

Answer

 Planning- The process of creating designs or schemes for future
efforts or performance.
 Organizing- The structuring of resources to maximize their efficiency
and ease of use.
 Leading- The provision of leadership.
 Controlling- The process of monitoring progress and making
necessary adjustments to achieve desired goals or objectives.


 Planning
The process of developing, creating, and implementing strategies for the
accomplishment of objectives is called planning. Several different
approaches to planning are examined more thoroughly in later chapters of
this book. The three levels of planning are:
Strategic planning- This occurs at the highest levels of the
organization and for a long period of time, usually five or more years.
Tactical planning- This focuses on production planning and
integrates organizational resources at a level below the entire enterprise and
for an intermediate duration (such as one to five years).
Operational planning- This focuses on the day-to-day operations of
local resources and occurs in the present or the short term.

Figure: The planning-controlling link

The planning process begins with the creation of strategic plans for the
entire organization. The resulting plan is then divided into planning
elements relevant to each major business unit of the organization. To better
understand the planning process, an organization must thoroughly define its
goals and objectives. While the exact definition varies depending on
context, the term goal refers to the end result of a planning process- for
example, increasing market share by two percent. The term objective refers
to an intermediate point that allows you to measure progress toward the
goal- for example, a growth in sales for each quarter. If you accomplish all
objectives in a timely manner, then you are likely to accomplish your goal.
 Organizing
The management function dedicated to the structuring of resources to
support the accomplishment of objectives is called organizing. It includes
the structuring of departments and their associated staffs, the storage of raw
materials to facilitate manufacturing, and the collection of information to aid
in the accomplishment of the task. Recent definitions of "organizing"
include staffing, because organizing people so as to maximize their
productivity is not substantially different from organizing time, money, or
equipment.
 Leading
Leading encourages the implementation of the planning and organizing
functions. It includes supervising employee behavior, performance,
attendance, and attitude while ensuring completion of the assigned tasks,
goals, and objectives. Leadership generally addresses the direction and
motivation of the human resource.

 Controlling
In general, controlling ensures the validity of the organization's plan. The
manager ensures that sufficient progress is made, that impediments to the
completion of the task are resolved, and that no additional resources are
required. Should the plan be found invalid in light of the operational reality
of the organization, the manager takes corrective action.
The control function relies on the use of cybernetic control loops, often
called "negative feedback." These involve performance measurements,
comparisons, and corrective actions, as shown in the flowchart. Here, the
cybernetic control process begins with a measurement of actual
performance, which is then compared to the expected standard of
performance as determined by the planning process. If the standard is being
met, the process is allowed to continue toward completion. If an acceptable
level of performance is not being attained, either the process is corrected to
achieve satisfactory results or the expected level of performance is redefined.

Figure: The control process
===================================================
===================================================
14 What are Principles of Information Security Management?
Answer
Principles of Information Security Management revolve around the 6 P's, i.e.:
 Planning
 Policy
 Programs
 Protection
 People
 Projects

 Planning
The planning model comprises the activities necessary to support the design,
creation, and implementation of InfoSec strategies within the planning
environments of all organizational units, including IT.
Because the InfoSec strategic plans must support not only the IT use and
protection of information assets, but also those of the entire organization, it
is imperative that the CISO work closely with all senior managers in
developing InfoSec strategy.
Several types of InfoSec plans and planning functions exist to support
routine and non-normal operations. These include incident response
planning, business continuity planning, disaster recovery planning, policy
planning, personnel planning, technology rollout planning, risk management
planning, and security program planning. Each of these plans has unique
goals and objectives, yet each benefits from the same methodical approach.

 Policy
Enterprise Information Security Policy (EISP)- Developed within
the context of the strategic IT plan, this sets the tone for the InfoSec
department and the InfoSec climate across the organization. The CISO
typically drafts the program policy, which is usually supported and signed
by the CIO or the CEO.
Issue-Specific Security Policies (ISSPs)- These are sets of rules that
define acceptable behavior within a specific organizational resource, such as
e-mail or Internet usage.
System-Specific Policies (SysSPs) - A merger of technical and managerial
intent, SysSPs include both the managerial guidance for the implementation
of a technology as well as the technical specifications for its configuration.

 Programs
InfoSec operations that are specifically managed as separate entities are
called "programs." An example would be a security education, training,
and awareness (SETA) program, a risk management program, or
contingency programs such as incident response, disaster recovery, or
business continuity. SETA programs provide critical information to
employees to maintain or improve their current levels of security
knowledge.
Risk management programs include the identification, assessment, and
control of risks to information assets. Contingency programs prepare the
organization for non-normal business operations such as reacting to an
incident or disaster, which may require the organization to relocate to an
alternate site at least temporarily. Other programs that may emerge include a
physical security program, complete with fire protection, physical
access, gates, guards, and so on. Each organization will typically have
several security programs that must be managed.

 Protection
The protection function is executed via a set of risk management activities,
as well as protection mechanisms, technologies, and tools. Each of these
mechanisms or safeguards represents some aspect of the management of
specific controls in the overall InfoSec plan.

 People
People are the most critical link in the InfoSec program. This area
encompasses security personnel (the professional information security
employees), the security of personnel (the protection of employees and their
information), and aspects of the SETA program mentioned earlier.

 Projects
Whether an InfoSec manager is asked to roll out a new security training
program or select and implement a new firewall, it is important that the
process be managed as a project. The final element for thoroughgoing
InfoSec management is the application of a project management discipline
to all elements of the InfoSec program. Project management involves
identifying and controlling the resources applied to the project, as well as
measuring progress and adjusting the process as progress is made toward the
goal.
=================================================
=================================================


15 What is management and what is a manager? What roles do
managers play as they execute their responsibilities?
Answer

Management:
o The process of achieving objectives by appropriately applying
a given set of resources.
o In its most basic form, management involves using resources to
get a job done.

Manager:
o A manager is a member of the organization assigned to marshal
and administer resources, coordinate the completion of tasks,
and handle the many roles necessary to complete the desired
objectives.
o Managers have many roles to play within organizations,
including the following:

Informational role- Collecting, processing, and using information
that can affect the completion of the objective.

Interpersonal role- Interacting with superiors, subordinates, outside
stakeholders, and other parties that influence or are influenced by the
completion of the task.

Decisional role- Selecting from among alternative approaches and
resolving conflicts, dilemmas, or challenges.

Note that there are differences between leadership and management. A
leader does more than a manager. He or she is expected to lead by example
and demonstrate personal traits that instill a desire in others to follow.

By comparison, a manager administers the resources of the organization. He
or she creates budgets, authorizes expenditures, and recruits, hires,
evaluates, and terminates employees. This distinction between a leader and
a manager is important because leaders do not always perform a managerial
function, and managers are often assigned roles in which they are not
responsible for personnel. However, effective managers can also be
effective leaders.
===================================================
===================================================
