
MBAIT – 107 INFORMATION SECURITY

SECTION 1
Q1. What is the need of information security?
Ans.
No matter how big or small a company may be, it is vitally important to ensure the
security of both its own and its clients' data. Careful planning, implementation,
monitoring and maintenance of strict controls are necessary to protect all assets,
especially information, which is extremely valuable to any organization.
Today information security is crucial to every organization, both to protect its
information and to conduct its business. Information security is defined as the
protection of information and of the systems and hardware that use, store and
transmit that information. Information security performs four important functions
for an organization: it protects the organization's ability to function, enables the
safe operation of applications implemented on the organization's IT systems, protects
the data the organization collects and uses, and safeguards the technology assets in
use at the organization. There are also challenges and risks involved in implementing
information security in an organization.

Q2. What are the characteristics of information?


Ans.
Five characteristics of high-quality information are accuracy, completeness, consistency, uniqueness and
timeliness.
Information needs to be of high quality to be useful. The information that is input into a database
is presumed to be complete and accurate, and the information that is accessed is deemed reliable. Flaws do
arise in database design, but do not let something in your control, accurate and reliable data, be one of
them. A database design that is accurate and reliable will support the development of new business ideas
as well as promoting the organizational goals.

Completeness is another attribute of high quality information. Partial information may as well be incomplete
information because it is only a small part of the picture. Completeness is as necessary as accuracy when
inputting data into a database.

Consistency is key when entering information into a database. For example, for a phone number column,
10 digits is the expected length of the field. Once the fields have been set in the database, a number with more
or fewer than 10 digits will not be accepted. The same applies to any field, whether it is an entry that requires a
number, a series of numbers, an address, a name, etc. If the fields are not set to a specific limit for
information, then consistency is even more important.
Uniqueness is the fourth component of high quality information. In order to add value to any organization,
information must be unique and distinctive. Information is a very essential part of any organization and if used
properly can make a company competitive or can keep a company competitive.

A fifth important aspect of information is timeliness. New and current data is more valuable to organizations
than old, outdated information. Especially now, in this era of rapid technological advances, out-of-date
information can keep a company from achieving its goals or from surviving in a competitive arena. The
information does not necessarily need to be badly out of date to have an effect; it only needs to be less than the
most current. Real-time information is an element of timeliness.

Q3. What are threats?


Ans.

Q4. Elaborate about Cryptography.


Ans.
Cryptography involves creating written or generated codes that allow information to be kept secret.
Cryptography converts data into a format that is unreadable to an unauthorized user, allowing it to be
transmitted without unauthorized entities decoding it back into a readable format and thus compromising
the data.
Information security uses cryptography on several levels. The information cannot be read without a
key to decrypt it. The information maintains its integrity during transit and while being stored.
Cryptography also aids in non-repudiation. This means that the sender and the delivery of a message
can be verified.
Cryptography is also known as cryptology.
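The three properties named in the answer (secrecy without the key, integrity in transit, non-repudiation of the sender) are shown together in the added example below. It is illustration code written for this page, not part of the original answer: the stream cipher is a toy built from SHA-256 in counter mode, the integrity check is a standard HMAC-SHA256 tag, and the signature is textbook RSA over two small, well-known Mersenne primes chosen so the block runs offline with only the Python standard library. Key, nonce and message values are constructed samples.

```python
import hashlib
import hmac

# ---------------------------------------------------------------------------
# 1. Confidentiality: a TOY stream cipher built from SHA-256 in counter mode.
#    It illustrates "unreadable without the key"; a real system would use an
#    authenticated cipher such as AES-GCM or ChaCha20-Poly1305 instead.
# ---------------------------------------------------------------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` pseudo-random bytes (SHA-256 of a counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; without the key the output is noise."""
    stream = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return encrypt(key, nonce, ciphertext)


# ---------------------------------------------------------------------------
# 2. Integrity: an HMAC-SHA256 tag detects any change in transit or storage.
# ---------------------------------------------------------------------------
def mac_tag(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def mac_check(mac_key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so timing does not leak the tag.
    return hmac.compare_digest(mac_tag(mac_key, data), tag)


# ---------------------------------------------------------------------------
# 3. Non-repudiation: a textbook RSA signature over a hash of the message.
#    Only the holder of the private exponent D can produce a valid signature,
#    so the sender cannot later deny having signed.  An HMAC cannot give this,
#    because both parties hold the same key.  The primes are the Mersenne
#    primes 2^127-1 and 2^89-1: far too small for real use, and no padding
#    scheme (PSS) is applied; this is an illustration only.
# ---------------------------------------------------------------------------
P = (1 << 127) - 1                    # prime
Q = (1 << 89) - 1                     # prime
N = P * Q                             # ~216-bit modulus
E = 65537                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python >= 3.8)


def _message_representative(message: bytes) -> int:
    # 160 bits of the SHA-256 digest keeps the value below the small modulus N.
    return int.from_bytes(hashlib.sha256(message).digest()[:20], "big")


def sign(message: bytes) -> int:
    return pow(_message_representative(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    return pow(signature, E, N) == _message_representative(message)


def demo() -> dict:
    """Exercise all three properties on constructed values and report outcomes."""
    key, nonce, mac_key = b"\x01" * 32, b"\x02" * 8, b"\x03" * 32
    message = b"PAY 100 TO ALICE"              # constructed sample message
    ct = encrypt(key, nonce, message)
    tag = mac_tag(mac_key, ct)
    sig = sign(message)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]  # one bit flipped in transit
    return {
        "round_trip": decrypt(key, nonce, ct) == message,
        "wrong_key_unreadable": decrypt(b"\xff" * 32, nonce, ct) != message,
        "tag_ok": mac_check(mac_key, ct, tag),
        "tamper_detected": not mac_check(mac_key, tampered, tag),
        "signature_ok": verify(message, sig),
        "forged_message_rejected": not verify(b"PAY 900 TO ALICE", sig),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the block prints one line per property; every outcome should be True. The ordering matters in practice: the tag is computed over the ciphertext, so a receiver rejects a tampered message before ever decrypting it.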

Q5. What is IDS?


Ans.
An intrusion detection system (IDS) is a type of security software designed to automatically alert
administrators when someone or something is trying to compromise an information system through
malicious activities or through security policy violations.

An IDS works by monitoring system activity: examining vulnerabilities in the system and the
integrity of files, and analysing patterns based on already known attacks. It also
automatically monitors the Internet to search for any of the latest threats which could result in a future
attack. There are three primary components of an IDS:

• Network Intrusion Detection System (NIDS): This analyses the traffic on a whole subnet
and matches the passing traffic against a library of known attacks.
• Network Node Intrusion Detection System (NNIDS): This is similar to NIDS, but the traffic is
only monitored on a single host, not a whole subnet.
• Host Intrusion Detection System (HIDS): This takes a “picture” of an entire system’s file set
and compares it to a previous picture. If there are significant differences, such as missing files,
it alerts the administrator.
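The HIDS behaviour described in the last bullet, taking a picture of the file set and comparing it with the previous one, is shown below as an added example written for this page (it is not code from any IDS product). It hashes every file under a directory, diffs two such pictures into added, removed and modified files, and renders the alert lines an administrator would see. The `demo()` function builds a small constructed directory tree in a temporary folder so the block runs offline.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Take a "picture" of every file under `root`: relative path -> SHA-256 hex digest."""
    picture = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            # Normalise separators so pictures compare the same on every OS.
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            picture[rel] = digest.hexdigest()
    return picture


def compare(baseline: dict, current: dict) -> dict:
    """Diff two pictures into the three event kinds a HIDS alerts on."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def alert_lines(diff: dict) -> list:
    """Render the diff as the alert messages an administrator would receive."""
    return [f"ALERT {kind.upper()}: {path}"
            for kind in ("added", "removed", "modified")
            for path in diff[kind]]


def demo() -> dict:
    """Baseline a constructed mini file system, change it, and diff the pictures."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0\n")                       # constructed content
        with open(os.path.join(root, "etc", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("keep me\n")
        baseline = snapshot(root)

        # Changes that happen between the two pictures:
        with open(os.path.join(root, "etc", "passwd"), "a") as fh:  # modified
            fh.write("newuser:x:1001:1001\n")
        os.remove(os.path.join(root, "notes.txt"))                    # removed
        with open(os.path.join(root, "etc", "cron.d"), "w") as fh:    # added
            fh.write("# constructed new file\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for line in alert_lines(demo()):
        print(line)
```

In a real deployment the baseline would be stored somewhere the monitored host cannot silently rewrite, and the comparison would be scheduled rather than run once; the diff logic itself is the same.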

Q6. What is policy? How is it different from law?


Ans.
SECTION B
Q1. Define SDLC. Explain in detail the steps in security SDLC with diagram
Ans

The System Development Life Cycle, "SDLC" for short, is a multistep, iterative process, structured in a
methodical way. This process is used to model or provide a framework for technical and non-technical
activities to deliver a quality system which meets or exceeds a business's expectations or to manage the
decision-making progression.

Traditionally, the systems-development life cycle consisted of five stages. That has now increased to
seven phases. Increasing the number of steps helped systems analysts to define clearer actions to
achieve specific goals.

The SDLC highlights different stages (phases or steps) of the development process. The life cycle
approach is used so users can see and understand what activities are involved within a given step. It is
also used to let them know that at any time, steps can be repeated or a previous step can be reworked
when the system needs to be modified or improved.

Seven Phases of SDLC are as follows -


Q2. Explain the NSTISSC security model and the top down approach to security
implementation
Ans.
Q3. What is the difference between attack and vulnerability? List and explain five
attacks.
Ans.
A Threat is a possible danger, with some evidence that an attack may occur, towards a person or an area
where people are, or other harm.

Example of Threat: In Arizona, a lone FBI agent investigated Saudi Arabians attending a flight
school in Arizona on a visa and was concerned that they were taking classes to fly a plane but not to
land it. He had a bad feeling about this and other factors he saw, and reported this concern to his
superiors at the FBI. They blew it off and were not concerned.

An Attack is when a hostile action by a person or persons, by any one of many means, has occurred
towards a person or persons, causing harm to one person or many.

Example of Attack: Due to the historic blunder of the FBI in ignoring the threats believed in by one of
its agents, 3000 Americans were murdered by those pilots who hijacked US planes into the World
Trade Center and the Pentagon, and in a foiled attempt to attack either the White House or the Capitol, which did
lead to the death of all on the hijacked plane. No one in the FBI was held responsible for this major
catastrophe that their apathetic incompetence led to.

• Vulnerability – A weakness in some aspect or feature of a system that makes an
exploit possible. Vulnerabilities can exist at the network, host, or application levels
and include operational practices.
• Attack (or exploit) – An action taken that uses one or more vulnerabilities to
realize a threat. This could be someone following through on a threat or exploiting
a vulnerability.
You can use threats, attacks, vulnerabilities and countermeasures to organize your security
information. Here’s an example of organizing threats, attacks, vulnerabilities and
countermeasures for Input/Data validation:

Threats/Attacks for Input/Data Validation

• Buffer overflows
• Cross-site scripting
• SQL injection
• Canonicalization attacks
• Query string manipulation
• Form field manipulation
• Cookie manipulation
• HTTP header manipulation
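Two entries from the list above, SQL injection and canonicalization attacks, are shown with their countermeasures in the added example below. This is illustration code written for this page, not code from the original answer. The vulnerable query splices the untrusted value into the SQL text; the hardened version binds it as a parameter. The file lookup decodes the request, canonicalises the path with `os.path.realpath`, and only then checks that it is still inside the base directory. The table rows, the base directory `/srv/app/files` and the request strings are constructed samples, and `sqlite3` is used in memory so the block runs offline.

```python
import os
import sqlite3
from urllib.parse import unquote


def make_db() -> sqlite3.Connection:
    """In-memory users table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin"), ("carol", "user")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the untrusted value is spliced into the SQL text, so a
    quote inside `name` changes the structure of the query (SQL injection)."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: a bound parameter is always treated as data, never as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def resolve_download(base_dir: str, requested: str) -> str:
    """Canonicalisation-safe file lookup: decode first, resolve the real path,
    then check the result is still inside base_dir (not just a string prefix)."""
    base = os.path.realpath(base_dir)
    decoded = unquote(requested)                  # undo %2e%2e%2f style encoding
    target = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base_dir!r}: {requested!r}")
    return target


def escapes_base(base_dir: str, requested: str) -> bool:
    """True when resolve_download refuses the request."""
    try:
        resolve_download(base_dir, requested)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Compare the weak and hardened handling on constructed inputs."""
    conn = make_db()
    payload = "x' OR '1'='1"     # textbook tautology used only to show the difference
    base = "/srv/app/files"      # hypothetical download directory
    return {
        "unsafe_rows_for_payload": len(find_user_unsafe(conn, payload)),  # whole table
        "safe_rows_for_payload": len(find_user_safe(conn, payload)),      # no such name
        "plain_traversal_blocked": escapes_base(base, "../../etc/passwd"),
        "encoded_traversal_blocked": escapes_base(base, "..%2F..%2Fetc%2Fpasswd"),
        "normal_request_allowed": not escapes_base(base, "reports/q1.pdf"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The path check uses `os.path.commonpath` rather than `str.startswith`, because a prefix test would accept a sibling directory such as `/srv/app/files2`; the same decode-then-canonicalise-then-check order is what defeats the encoded variants listed above.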

Q4. Write the steps involved in assessing and controlling risk


Ans.
A risk assessment will protect your workers and your business, as well as ensuring compliance with the
law. As for when to do a risk assessment, it should simply be conducted before you or any
other employee carries out work which presents a risk of injury or ill health.

A person from your organisation needs to attend risk assessment training, as it will ensure
that this person is competent within your organisation and gains abilities such as
hazard identification and the ability to categorise and evaluate risks. These abilities will allow a
‘suitable and sufficient’ risk assessment to be conducted within your own organisation.
How to do a risk assessment
There are no fixed rules on how a risk assessment should be carried out, but there are a
few general principles that should be followed.

Five steps to risk assessment can be followed to ensure that your risk assessment is
carried out correctly; these five steps are:

1. Identify the hazards
2. Decide who might be harmed and how
3. Evaluate the risks and decide on control measures
4. Record your findings and implement them
5. Review your assessment and update if necessary


Step 1: Identify the hazards
In order to identify hazards you need to understand the difference between a ‘hazard’ and
‘risk’. A hazard is ‘something with the potential to cause harm’ and a risk is ‘the likelihood
of that potential harm being realised’.

Hazards can be identified by using a number of different techniques such as walking
round the workplace, or asking your employees.

Step 2: Decide who might be harmed and how


Once you have identified a number of hazards you need to understand who might be
harmed and how, such as ‘people working in the warehouse’, or members of the public.

Step 3: Evaluate the risks and decide on control measures


After ‘identifying the hazards’ and ‘deciding who might be harmed and how’ you are then
required to protect the people from harm. The hazards can either be removed completely
or the risks controlled so that the injury is unlikely.

Step 4: Record your findings


Your findings should be written down; it is a legal requirement where there are 5 or more
employees, and recording the findings shows that you have identified the hazards,
decided who could be harmed and how, and also shows how you plan to eliminate the
risks and hazards.

Step 5: Review your assessment and update as and when necessary


You should never forget that few workplaces stay the same and as a result this risk
assessment should be reviewed and updated when required.
