SPG - Unit - 1 - VI Sem - PDF QB
Unit I
Introduction to the Management of Information Security: Introduction to Security,
Key Concepts of Information Security: Threats and Attacks, Management and
Leadership, Principles of Information Security Management.
Question Set
List and describe the three communities of interest that engage in an
organization's efforts to solve InfoSec problems. Give two or three
examples of who might be in each community?
What is the importance of the C.I.A. triad? Define each of its
components.
What is information security? What essential protections must be in
place to protect information systems from danger?
Describe the CNSS security model. What are its three dimensions?
What are the various types of malware? How do worms differ from
viruses? Do Trojan horses carry viruses or worms?
What is ransomware? How does an organization protect against it?
Does the intellectual property owned by an organization usually have
value? If so, how can attackers threaten that value?
What are the types of password attacks? What can a systems
administrator do to protect against them?
What is the difference between a denial-of-service attack and a
distributed denial-of-service attack? Which is potentially more
dangerous and devastating? Why?
What is management and what is a manager? What roles do managers
play as they execute their responsibilities?
What are the three levels of planning? Define each. List the types of
InfoSec plans and planning functions.
Prof. Ram Meghe Institute of Technology & Research Badnera- Amravati Page 1
Unit 1: Introduction to the Management of Information Security
===================================================
===================================================
2 What is information security? What essential protections must
be in place to protect information systems from danger?
OR
What is Security and what are specialized areas of security?
Answer
What is an asset?
An organizational resource that is being protected. An asset can be logical,
such as a Web site, software information, or data; or an asset can be
physical, such as a person, computer system, hardware, or other tangible
object. Assets, particularly information assets, are the focus of what
security efforts are attempting to protect.
What is an information asset?
The focus of information security; information that has value to the
organization, and the systems that store, process, and transmit the
information.
What is information security (InfoSec)?
Protection of the confidentiality, integrity, and availability of information
assets, whether in storage, processing, or transmission, via the application
of policy, education, training and awareness, and technology.
What is security?
A state of being secure and free from danger or harm. In addition, the
actions taken to make someone or something secure.
[Figure: the C.I.A. triad - Confidentiality, Integrity, Availability]
Confidentiality
Confidentiality means limiting access to information only to those who need
it, and preventing access by those who do not. When unauthorized
individuals or systems can view information, confidentiality is breached. To
protect the confidentiality of information, a number of measures are used,
including:
Information classification
Secure document (and data) storage
Application of general security policies
Education of information custodians and end users
Cryptography (encryption)
In an organization, confidentiality of information is especially important for
personal information about employees, customers, or patients. People expect
organizations to closely guard such information. Whether the organization is
a government agency, a commercial enterprise, or a nonprofit charity,
problems arise when organizations disclose confidential information.
Disclosure can occur either deliberately or by mistake.
For example, confidential information could be mistakenly e-mailed to
someone outside the organization rather than the intended person inside the
organization. Or perhaps an employee discards, rather than destroys, a
document containing critical information. Or maybe a hacker successfully
breaks into a Web-based organization's internal database and steals sensitive
information about clients, such as names, addresses, or credit card
information.
Integrity
The integrity or completeness of information is threatened when it is
exposed to corruption, damage, destruction, or other disruption of its
authentic state. Corruption can occur while information is being entered,
stored, or transmitted. Many computer viruses and worms, for example, are
designed to corrupt data.
For this reason, the key method for detecting whether a virus or worm
has caused an integrity failure in a file system is to look for changes in a
file's state, as indicated by the file's size or, in a more advanced operating
system, its hash value or checksum.
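As an added example (not part of the original question bank), the following Python script shows the integrity check described above: it records the size and SHA-256 hash of every file under a directory as a baseline, then reports files that were modified, added or deleted. It also shows why the hash matters and not just the size: a byte patched inside an executable leaves the file size unchanged, so a size-only comparison misses it. The directory layout and file contents in the demo are constructed for the example.

```python
"""File-integrity baseline: detect integrity failures by comparing each file's
size and SHA-256 hash against a previously recorded baseline.
Added example; the directory contents below are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> tuple:
    """Return (size_in_bytes, sha256_hex) for one file, reading in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return path.stat().st_size, digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative file path -> (size, sha256) for every file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = file_fingerprint(path)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files whose hash changed, plus files added or deleted since baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k][1] != baseline[k][1]),
        "added": sorted(k for k in current if k not in baseline),
        "deleted": sorted(k for k in baseline if k not in current),
    }


def size_only_modified(root: Path, baseline: dict) -> list:
    """The weaker check: flag a file only when its size differs from the baseline."""
    current = build_baseline(root)
    return sorted(k for k in baseline if k in current and current[k][0] != baseline[k][0])


def demo() -> dict:
    """Simulate an infection and show what each check detects."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # constructed stub binary
        baseline = build_baseline(root)

        # Constructed "virus" behaviour: patch one byte inside the executable
        # (same size afterwards), delete a system file, and drop a new file.
        data = bytearray((root / "bin.exe").read_bytes())
        data[10] ^= 0xFF
        (root / "bin.exe").write_bytes(bytes(data))
        (root / "etc" / "passwd").unlink()
        (root / "worm.tmp").write_text("replicate\n")

        return {
            "hash": compare_to_baseline(root, baseline),
            "size_only_modified": size_only_modified(root, baseline),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored somewhere the malware cannot rewrite (read-only media or a separate host), otherwise an attacker simply updates the recorded hashes along with the files.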
Availability
Availability of information means that users, either people or other systems,
have access to it in a usable format. Availability does not imply that the
information is accessible to any user; rather, it means it can be accessed
when needed by authorized users. To understand this concept more fully,
consider the contents of a library- in particular, research libraries that
require identification for access to the library as a whole or to certain
collections.
The C.I.A. triad has been expanded into a more comprehensive list of critical
characteristics and processes, including privacy, identification,
authentication, authorization, and accountability.
Privacy
Accountability
Accountability of information occurs when a control provides assurance that
every activity undertaken can be attributed to a named person or automated
process. For example, audit logs that track user activity on an information
system provide accountability.
===================================================
===================================================
4 Describe the CNSS security model. What are its three
dimensions?
Answer
The CNSS document NSTISSI No. 4011, "National Training
Standard for Information Systems Security (InfoSec) Professionals,"
presents a comprehensive model of InfoSec known as the McCumber
Cube, which is named after its developer, John McCumber. Shown in
the figure below, which is an adaptation of the NSTISSI model, the
McCumber Cube serves as the standard for understanding many
aspects of InfoSec, and shows the three dimensions that are central to
the discussion of InfoSec: information characteristics, information
location, and security control categories.
If you extend the relationship among the three dimensions that are
represented by the axes in the figure, you end up with a 3 x 3 x 3 cube
with 27 cells. Each cell represents an area of intersection among these
three dimensions, which must be addressed to secure information.
When using this model to design or review any InfoSec program, you
must make sure that each of the 27 cells is properly addressed by each
of the three communities of interest.
For example, the cell representing the intersection of the technology,
integrity, and storage criteria could include controls or safeguards
addressing the use of technology to protect the integrity of
information while in storage. Such a control might consist of a host
intrusion detection and prevention system (HIDPS), for example,
which would alert the security administrators when a critical file was
modified or deleted.
===================================================
===================================================
6 What are the types of password attacks? What can a systems
administrator do to protect against them?
Answer
Password Attacks
Password attacks fall under the category of espionage or trespass just as
lock-picking falls under breaking and entering. Attempting to guess or
reverse-calculate a password is often called cracking. There are a number of
alternative approaches to password cracking:
Brute force- The application of computing and network resources
to try every possible password combination is called a brute
force password attack. If attackers can narrow the field of target
accounts, they can devote more time and resources to these
accounts. This is one reason to always change the default
administrator password assigned by the manufacturer. Brute force
password attacks are rarely successful against systems that have
adopted the manufacturer's recommended security practices.
Dictionary attacks- The dictionary password attack, or simply
dictionary attack, is a variation of the brute force attack that
narrows the field using a dictionary of common passwords and
includes information related to the target user, such as names of
relatives or pets, and familiar numbers such as phone numbers,
addresses, and even Social Security numbers.
Rainbow tables- A far more sophisticated and potentially much
faster password attack is possible if the attacker can gain access to
an encrypted password file, such as the Security Account
Manager (SAM) data file. While these password files contain
hashed representations of users' passwords- not the actual
passwords, and thus cannot be used by themselves- the hash
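As an added example, not from the original page, the Python script below models the three attacks described above against a stored password hash and the two administrator-side controls that blunt them: a per-user random salt with a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here), which makes a precomputed table useless and forces the attacker to rehash every guess for every account, and an account-lockout policy that stops online guessing. The word list, PIN alphabet and iteration count are assumptions for the demo; the "table" is a plain hash-to-password dictionary standing in for a true rainbow table, which stores hash chains instead of every pair.

```python
"""Password attacks against stored hashes, and the controls that blunt them.
Added example; the word list, PIN alphabet and parameters are assumptions."""
import hashlib
import hmac
import itertools
import os
import string

# Constructed sample word list standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "Summer2024", "fluffy2019", "P@ssw0rd"]
PIN_ALPHABET = string.digits
PBKDF2_ITERATIONS = 50_000  # assumption for the demo; production values are higher


def fast_unsalted_hash(password: str) -> str:
    """What a weak system stores: one unsalted SHA-256 per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes) -> bytes:
    """What a hardened system stores: PBKDF2-HMAC-SHA256 with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def brute_force(target_hex: str, alphabet: str, max_len: int):
    """Try every combination up to max_len against an unsalted hash.
    Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(combo)
            if hmac.compare_digest(fast_unsalted_hash(guess), target_hex):
                return guess, attempts
    return None, attempts


def dictionary_attack(target, words, salt=None):
    """Narrow the search to a word list. Without a salt each word is hashed once
    for all users; with a per-user salt the attacker must rehash every word for
    every account, and each hash is deliberately slow."""
    for attempts, word in enumerate(words, start=1):
        candidate = fast_unsalted_hash(word) if salt is None else slow_salted_hash(word, salt)
        if hmac.compare_digest(candidate, target):
            return word, attempts
    return None, len(words)


def precomputed_table(words) -> dict:
    """Stand-in for a rainbow table: hash -> password, computed once and reused
    against every dump of unsalted hashes (a real rainbow table stores hash
    chains instead of every pair, trading lookup time for space)."""
    return {fast_unsalted_hash(w): w for w in words}


class LockoutPolicy:
    """Administrator-side control for online guessing: lock the account after
    max_failures consecutive wrong passwords."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures = {}

    def attempt(self, user: str, guess: str, salt: bytes, stored: bytes) -> str:
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        if hmac.compare_digest(slow_salted_hash(guess, salt), stored):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"


if __name__ == "__main__":
    weak = fast_unsalted_hash("fluffy2019")
    print("table lookup on unsalted hash:", precomputed_table(WORDLIST).get(weak))
    print("brute force of a 4-digit PIN:", brute_force(fast_unsalted_hash("0427"), PIN_ALPHABET, 4))
    salt = os.urandom(16)
    strong = slow_salted_hash("fluffy2019", salt)
    print("table lookup on salted hash:", precomputed_table(WORDLIST).get(strong.hex()))
    print("dictionary attack on salted hash:", dictionary_attack(strong, WORDLIST, salt))
```

Two points the run makes: the unsalted hash of a password that appears in the word list falls to a single lookup, whereas the salted hash forces a fresh slow computation per guess and per account; and the lockout policy means an online attacker gets only a handful of guesses regardless of how fast the hash is. Note that the lockout counter is itself a denial-of-service lever if an attacker can deliberately lock out accounts, which is why many deployments prefer progressive delays or per-source rate limits.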
===================================================
===================================================
7 Who are hackers? Define their roles and types
OR
How has the perception of the hacker changed over recent years?
What is the profile of a hacker today?
OR
What is the difference between a skilled hacker and an unskilled
hacker, other than skill levels? How does the protection against
each differ?
Answer
Acts of trespass can lead to unauthorized real or virtual actions that enable
information gatherers to enter premises or systems without permission. In
the real world, a hacker frequently spends long hours examining the types
and structures of targeted systems and uses skill, guile, and/or fraud to
attempt to bypass controls placed on information owned by someone else.
Hackers possess a wide range of skill levels, as with most technology users.
However, most hackers are grouped into two general categories- the expert
hacker and the novice hacker:
===================================================
===================================================
8 Explain different Categories of Threat
Answer
Table below shows twelve general categories of threats that represent a clear and present
danger to an organization's people, information, and systems. Each organization must
prioritize the threats it faces based on the particular security situation in which it
operates, its organizational strategy regarding risk, and the exposure levels of its assets.
You may notice that many of the attack examples in the table could be listed in more
than one category.
Espionage or Trespass
What are different types of
trespassing techniques?
Forces of Nature
Forces of nature, sometimes called acts of God, can present some of the
most dangerous threats because they usually occur with little warning and
are beyond the control of people. These threats, which include events such
as fires, floods, earthquakes, and lightning as well as volcanic eruptions
and insect infestations, can disrupt not only people's lives but also the
storage, transmission, and use of information.
Some typical force-of-nature attacks include the following:
Fire- The ignition of combustible material; damage can also be
caused by smoke from fires or by water from sprinkler systems or
firefighters.
Flood- Water overflowing into an area that is normally dry, causing
direct damage, and subsequent indirect damage from high humidity
and moisture.
Earthquake- A sudden movement of the earth's crust caused by
volcanic activity or the release of stress accumulated along geologic
faults.
Lightning- An abrupt, discontinuous natural electric discharge in the
atmosphere, which can cause direct damage through an electrical
surge or indirect damage from fires. Damage from lightning can
usually be prevented with specialized lightning rods and by installing
special electrical circuit protectors.
Landslide or mudslide- The downward slide of a mass of earth and
rock. Landslides or mudslides also disrupt operations by interfering
with access to buildings.
Tornadoes or severe windstorms- Violent wind effects in which air
moves at destructively high speeds, causing direct damage and
indirect damage from thrown debris. A tornado is a rotating column
of whirling air that can be more than a mile wide. Wind shear is a
much smaller and linear wind effect, but it can have similar
devastating consequences.
Hurricanes, typhoons, and tropical depressions- Severe tropical
storms that commonly originate at sea and move to land, bringing
excessive rainfall, flooding, and high winds.
Tsunami- A very large ocean wave caused by an underwater
earthquake or volcanic eruption; it can reach miles inland as it crashes
into land masses.
Electrostatic discharge (ESD) - Also known as static electricity, and
usually little more than a nuisance. However, an employee walking
across a carpet on a cool, dry day can generate up to 12,000 volts of
electricity, and sensitive electronics can suffer damage from as little
as 10 volts.
Dust contamination- Can dramatically reduce the effectiveness of
cooling mechanisms and potentially cause components to overheat.
Specialized optical technology, such as CD or DVD drives, can suffer
failures due to excessive dust contamination inside systems.
===================================================
===================================================
9 What is a threat process? Explain Threats and attacks
Answer
Attack- An intentional or unintentional act that can damage or otherwise
compromise information and the systems that support it.
Exploit- A technique used to compromise a system. This term can be a verb or
a noun. Threat agents may attempt to exploit a system or other information
asset by using it illegally for their personal gain.
Loss- A single instance of an information asset suffering damage or
destruction, unintended or unauthorized modification or disclosure, or denial
of use.
Threat- Any event or circumstance that has the potential to adversely affect
operations and assets. The term threat source is commonly used
interchangeably with the more generic term threat. While the two terms are
technically distinct, in order to simplify discussion the text will continue
to use the term threat to describe threat sources.
Threat agent- The specific instance or a component of a threat.
Vulnerability- A potential weakness in an asset or its defensive control
system(s).
Virus
A computer virus consists of code segments (programming
instructions) that perform malicious actions. This code behaves much
like a virus pathogen that attacks animals and plants, using the cell's
own replication machinery to propagate the attack beyond the initial
target.
Viruses can be classified by how they spread themselves. Among the
most common types of information system viruses are the macro
virus, which is embedded in automatically executing macro code used
by word processors, spreadsheets, and database applications, and the
boot virus (or boot-sector virus), which infects the key operating
system files in a computer's boot sector.
Worms
Named for the tapeworm in John Brunner's novel The Shockwave
Rider, a worm can continue replicating itself until it completely fills
available resources, such as memory, hard drive space, and/or
network bandwidth. The complex behavior of worms can be initiated
with or without the user downloading or executing the file. Once the
worm has infected a computer, it can redistribute itself to other
systems connected to the compromised systems using e-mail
directories and network links found on the infected system.
Furthermore, a worm can deposit copies of itself onto all Web servers
that the infected system can reach; users who subsequently visit those
sites become infected.
Do not pay the ransom- There is no guarantee you will get your data
back. Druva finds that one in three organizations affected pay the
ransom, yet almost half do not get their data back.
Turn all devices off and disconnect from the network- Try to
minimize the spread and damage from the infection. Shut down the
Wi-Fi service and try to isolate infected systems so the damage does
not spread further.
Find the source of the infection- Trying to determine how your
systems were infected can assist you in preventing further spread by
informing and educating users.
Alert all users - Let everyone know that a ransomware attack is in
progress and how not to get infected. Do not just rely on e-mail to
send these alerts – you may want to activate your phone tree and
spread the word that way.
Restore from a backup to a new device- Determine if your backups
are infected by eliminating any chance that the infection was present
on the computer to which you are restoring. Then, make sure the data
is accessible before porting it to another system.
Reimage the infected systems- The only way to be sure ransomware
is not lurking in a hidden file in the operating system, hard drive, or
an application is to wipe the infected systems to their initial state and
start over. Many organizations use standard images for their systems.
Wiping all drives clean and reimaging provides a fresh start and some
assurances that the systems will not be immediately reinfected once
data is available.
===================================================
===================================================
12 What is the difference between a denial-of-service attack and a
distributed denial-of-service attack? Which is potentially more
dangerous and devastating? Why?
Answer
Denial-of-service (DoS)
DDoS attacks are more difficult to defend against, and currently there
are no controls that any single organization can apply. To use a popular
metaphor, DDoS is considered a weapon of mass destruction on the Internet.
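As an added example that is not part of the original page, the Python script below makes the DoS/DDoS difference concrete by running a per-source rate limit over two constructed request logs of identical size: one flood from a single source, and one spread across 250 sources each of which stays under the per-source limit. The log format, thresholds and addresses (taken from documentation ranges) are assumptions for the demo.

```python
"""DoS vs DDoS as seen in a request log: a per-source rate limit stops a flood
from one address but not one spread across many addresses, each of which stays
under the limit. Added example; logs, addresses and thresholds are constructed."""
from collections import Counter, defaultdict

# Constructed log lines: "<epoch_second> <source_ip> <request>".
# 500 requests over 10 seconds in both cases; only the source distribution differs.
DOS_LOG = [f"{1000 + i // 50} 203.0.113.7 GET /login" for i in range(500)]
DDOS_LOG = [f"{1000 + i // 50} 198.51.100.{i % 250} GET /login" for i in range(500)]


def parse(lines):
    """Yield (second, source_ip) for each log line."""
    for line in lines:
        second, ip, _request = line.split(" ", 2)
        yield int(second), ip


def per_source_peak_rps(lines) -> dict:
    """Highest requests-per-second seen from each source address."""
    per_ip = defaultdict(Counter)
    for second, ip in parse(lines):
        per_ip[ip][second] += 1
    return {ip: max(counts.values()) for ip, counts in per_ip.items()}


def aggregate_peak_rps(lines) -> int:
    """Highest total requests-per-second hitting the service."""
    if not lines:
        return 0
    return max(Counter(second for second, _ in parse(lines)).values())


def assess(lines, per_ip_limit: int = 20, capacity_rps: int = 40) -> dict:
    """Apply a per-source rate limit, then check whether what gets through still
    exceeds the service's capacity. per_ip_limit and capacity_rps are assumed."""
    peaks = per_source_peak_rps(lines)
    blocked = {ip for ip, rps in peaks.items() if rps > per_ip_limit}
    passed = [line for line in lines if line.split(" ", 2)[1] not in blocked]
    peak_after = aggregate_peak_rps(passed)
    return {
        "sources": len(peaks),
        "blocked_sources": len(blocked),
        "peak_rps_before": aggregate_peak_rps(lines),
        "peak_rps_after_filter": peak_after,
        "service_overwhelmed": peak_after > capacity_rps,
    }


if __name__ == "__main__":
    print("DoS :", assess(DOS_LOG))
    print("DDoS:", assess(DDOS_LOG))
```

The per-source filter is the kind of control a single organization can apply on its own, and it is enough for the single-source flood. In the distributed case every source looks legitimate on its own, nothing is blocked, and the aggregate still exceeds capacity; that is the practical reason the text calls DDoS the harder of the two to defend against.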
===================================================
===================================================
13 Explain planning controlling link in brief?
OR
What are the three levels of planning? Define each. List the types of
InfoSec plans and planning functions.
Answer
Planning
The process of developing, creating, and implementing strategies for the
accomplishment of objectives is called planning. Several different
approaches to planning are examined more thoroughly in later chapters of
this book. The three levels of planning are:
Strategic planning- This occurs at the highest levels of the
organization and for a long period of time, usually five or more years.
Tactical planning- This focuses on production planning and
integrates organizational resources at a level below the entire enterprise and
for an intermediate duration (such as one to five years).
Operational planning- This focuses on the day-to-day operations of
local resources and occurs in the present or the short term.
The planning process begins with the creation of strategic plans for the
entire organization. The resulting plan is then divided into planning
elements relevant to each major business unit of the organization. To better
understand planning process, an organization must thoroughly define its
goals and objectives. While the exact definition varies depending on
context, the term goal refers to the end result of a planning process- for
example, increasing market share by two percent. The term objective refers
to an intermediate point that allows you to measure progress toward the
goal- for example, a growth in sales for each quarter. If you accomplish all
objectives in a timely manner, then you are likely to accomplish your goal.
Organizing
The management function dedicated to the structuring of resources to
support the accomplishment of objectives is called organizing. It includes
the structuring of departments and their associated staffs, the storage of raw
materials to facilitate manufacturing, and the collection of information to aid
in the accomplishment of the task. Recent definitions of "organizing"
include staffing, because organizing people so as to maximize their
productivity is not substantially different from organizing time, money, or
equipment.
Leading
Leading encourages the implementation of the planning and organizing
functions. It includes supervising employee behavior, performance,
attendance, and attitude while ensuring completion of the assigned tasks,
goals, and objectives. Leadership generally addresses the direction and
motivation of the human resource.
Controlling
In general, controlling ensures the validity of the organization's plan. The
manager ensures that sufficient progress is made, that impediments to the
completion of the task are resolved, and that no additional resources are
required. Should the plan be found invalid in light of the operational reality
of the organization, the manager takes corrective action.
The control function relies on the use of cybernetic control loops, often
called "negative feedback." These involve performance measurements,
comparisons, and corrective actions, as shown in flowchart. Here, the
cybernetic control process begins with a measurement of actual
performance, which is then compared to the expected standard of
performance as determined by the planning process. If the standard is being
met, the
[Figure: InfoSec management model; labels recoverable from the page: People, Projects, Planning]
Planning
Planning, in the InfoSec management model, consists of the activities
necessary to support the design, creation, and implementation of InfoSec
strategies within the planning environments of all organizational units,
including IT.
Because the InfoSec strategic plans must support not only the IT use and
protection of information assets, but also those of the entire organization, it
is imperative that the CISO work closely with all senior managers in
developing InfoSec strategy.
Several types of InfoSec plans and planning functions exist to support
routine and non-normal operations. These include incident response
planning, business continuity planning, disaster recovery planning, policy
planning, personnel planning, technology rollout planning, risk management
planning, and security program planning. Each of these plans has unique
goals and objectives, yet each benefits from the same methodical approach.
Policy
Enterprise Information Security Policy (EISP)- Developed within
the context of the strategic IT plan, this sets the tone for the InfoSec
department and the InfoSec climate across the organization. The CISO
typically drafts the program policy, which is usually supported and signed
by the CIO or the CEO.
Issue-Specific Security Policies (ISSPs)- These are sets of rules that
define acceptable behavior within a specific organizational resource, such as
e-mail or Internet usage.
System-Specific Policies (SysSPs) - A merger of technical and managerial
intent, SysSPs include both the managerial guidance for the implementation
of a technology as well as the technical specifications for its configuration.
Programs
InfoSec operations that are specifically managed as separate entities are
called "programs." An example would be a security education, training,
and awareness (SETA) program, a risk management program, or
contingency programs such as incident response, disaster recovery, or
Protection
The protection function is executed via a set of risk management activities,
as well as protection mechanisms, technologies, and tools. Each of these
mechanisms or safeguards represents some aspect of the management of
specific controls in the overall InfoSec plan.
People
People are the most critical link in the InfoSec program. This area
encompasses security personnel (the professional information security
employees), the security of personnel (the protection of employees and their
information), and aspects of the SETA program mentioned earlier.
Projects
Whether an InfoSec manager is asked to roll out a new security training
program or select and implement a new firewall, it is important that the
process be managed as a project. The final element for thoroughgoing
InfoSec management is the application of a project management discipline
to all elements of the InfoSec program. Project management involves
identifying and controlling the resources applied to the project, as well as
measuring progress and adjusting the process as progress is made toward the
goal.
=================================================
=================================================
Management:
o The process of achieving objectives by appropriately applying
a given set of resources.
o In its most basic form, management involves using resources to
get a job done.
Manager:
o A manager is a member of the organization assigned to marshal
and administer resources, coordinate the completion of tasks,
and handle the many roles necessary to complete the desired
objectives.
o Managers have many roles to play within organizations,
including the following: