
Questions in information security

Information Security
1 a) Define Information Security and discuss the potential risks to information systems.

Information security is the practice or process of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. In simple terms, it means making certain that information is only read, heard, changed or broadcast by those entitled to do so, while allowing the information to remain accessible and productive to its intended users.

Some of the potential risks to information systems include:

Human error: simply a mistake made by a person, for example entering incorrect transactions, failing to spot and correct errors, processing the wrong information, or accidentally deleting data. All of these put information in harm's way.

Technical errors: these include hardware that fails or software that crashes during transaction processing.

Accidents and environmental disasters: such as floods, fire, theft of personal data by criminals, and loss of laptops and computer media. These severely affect business survivability where business continuity and disaster recovery planning and management are lacking.

Frauds, including deception and false allegations: deliberate attempts to corrupt or amend previously legitimate data and information. For example, someone denies that they made an online purchase, perhaps manipulating and falsifying transaction histories.

Commercial espionage: acquisition of trade secrets from business competitors. Trade secrets may find their way into the open market through disloyal employees or through various other means. Business secrets include customer details, pricing and profit-margin data, designs, formulas, manufacturing processes, research, and future plans.

Malicious damage: this is where an employee or any other person deliberately or intentionally sets out to put information in harm's way. Examples include intentionally publishing highly sensitive internal information, leading to loss of personal privacy or commercial disadvantage and perhaps prosecution, and uncontrolled use of portable devices and transportable computer media (USB memory sticks and iPods), with deliberate attacks propagated on such devices or media (Trojan-infected USB sticks) that are simply given or posted to targets.

Explain and differentiate between the following malware.

I) Virus and worm. A virus and a worm are both malicious programs that can damage your computer, but there are differences between the two. A computer virus attaches itself to a program or file, enabling it to spread from one computer to another and leaving infections as it travels. Viruses range in severity: some cause only mildly annoying effects, while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means a virus cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action (such as running an infected program) to keep it going. Because a virus is spread by human action, people innocently continue the spread of a computer virus by sharing infected files.

A worm also spreads from computer to computer, but unlike a virus it has the means to travel without any human action. A worm takes advantage of file or information transport features on your system, which is what allows it to travel unaided. The biggest danger with a worm is its capability to duplicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a hugely devastating effect. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing web servers, network servers and individual computers to stop responding. For example, the much-talked-about Blaster worm was designed to tunnel into your system and allow malicious users to control your computer remotely.

II) Trojan horse and tracking cookies. A Trojan horse at first glance appears to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can differ. Some Trojans are designed to be more annoying than malicious (like changing your desktop or adding ridiculous active desktop icons), while others cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.

Cookies, by contrast, are harmless text files that certain web sites place onto your hard drive. The cookie itself takes up very little space and acts as an identification card for the visited site. Tracking cookies may be used to track internet users' web browsing habits. This works as follows:

i. If the user requests a page of the site, but the request contains no cookie, the server presumes that this is the first page visited by the user; the server creates a random string and sends it as a cookie back to the browser together with the requested page.

ii. From this point on, the cookie will be automatically sent by the browser to the server every time a new page from the site is requested; the server sends the page as usual, but also stores the URL of the requested page, the date/time of the request, and the cookie in a log file.
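The two-step mechanism above, as a small added simulation that is not part of the original text: a server that mints a random identifier on a cookie-less request and logs URL, date/time and cookie on every later request, plus a minimal cookie jar that replays it. The hostname shop.example, the cookie name visitor_id, the paths and the timestamps are constructed for the example; the final step shows that clearing the jar breaks the link, because the next hit is treated as a new visitor.

```python
"""Simulation of the tracking-cookie mechanism described above.
Constructed example: the hostname, cookie name, paths and timestamps
are made up and not taken from the original text."""
import secrets
from datetime import datetime, timedelta, timezone

COOKIE_NAME = "visitor_id"  # assumed cookie name


class TrackingServer:
    """Site that identifies returning browsers with a random cookie."""

    def __init__(self, site="shop.example", new_id=None):
        self.site = site
        # Step i: the identifier is a random string the server makes up.
        self.new_id = new_id or (lambda: secrets.token_hex(16))
        self.log = []  # (url, date/time, cookie) tuples, as in step ii

    def handle_request(self, path, request_cookies, now):
        """Return (Set-Cookie header or None, visitor id used for this hit)."""
        visitor_id = request_cookies.get(COOKIE_NAME)
        set_cookie = None
        if visitor_id is None:
            # No cookie: presumed first visit, so mint an id and send it back.
            visitor_id = self.new_id()
            set_cookie = f"{COOKIE_NAME}={visitor_id}; Path=/; HttpOnly"
        # Every hit, first or not, is logged against the id.
        self.log.append((f"https://{self.site}{path}", now, visitor_id))
        return set_cookie, visitor_id


class Browser:
    """Minimal cookie jar: stores Set-Cookie values and replays them."""

    def __init__(self):
        self.jar = {}

    def request(self, server, path, now):
        set_cookie, visitor_id = server.handle_request(path, dict(self.jar), now)
        if set_cookie:
            name, _, rest = set_cookie.partition("=")
            self.jar[name] = rest.split(";", 1)[0]
        return set_cookie, visitor_id


def browsing_profile(log):
    """What the site can reconstruct from its log: one history per cookie."""
    profile = {}
    for url, when, visitor_id in log:
        profile.setdefault(visitor_id, []).append((when.isoformat(), url))
    return profile


def simulate(new_id=None):
    """Run one browser through the site and return (Set-Cookie headers, profile)."""
    server = TrackingServer(new_id=new_id)
    alice = Browser()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed time
    headers = []
    for i, path in enumerate(["/", "/shoes", "/checkout"]):
        set_cookie, _ = alice.request(server, path, t0 + timedelta(minutes=i))
        headers.append(set_cookie)
    # Mitigation: clearing the jar breaks the link; the next hit looks like a
    # new visitor and receives a fresh identifier.
    alice.jar.clear()
    alice.request(server, "/", t0 + timedelta(minutes=10))
    return headers, browsing_profile(server.log)


if __name__ == "__main__":
    hdrs, prof = simulate()
    for vid, hits in prof.items():
        print(vid, hits)
```

Only the first request receives a Set-Cookie header; the log nonetheless ties every later page to that identifier until the jar is cleared.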

III) Spam and zombies. Spam is the use of electronic messaging systems (including most broadcast media and digital delivery systems) to send unwanted bulk messages indiscriminately. The most widely recognized form of spam is e-mail spam; however, the term is applied to similar abuses in other media, such as instant messaging spam, Usenet newsgroup spam, web search engine spam, advertising and file sharing network spam. A person who creates electronic spam is called a spammer. E-mail spam, also known as unsolicited bulk e-mail, junk mail, or unsolicited commercial e-mail, is the practice of sending unwanted e-mail messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients. Spamming remains economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Spamming has been the subject of legislation in many jurisdictions.

A zombie computer (commonly shortened to zombie), on the other hand, is a computer connected to the Internet that has been compromised by a cracker, computer virus or Trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. The spammer controls and uses your PC without your knowledge. Spammers may be using your computer to send unsolicited and possibly offensive e-mail offers for products and services; they are using home computers to send bulk e-mails by the millions. Some of the zombies' spam e-mails are also used to spread the programs that create further zombies, to harvest personal information, or to spread viruses. This spam is difficult to shut down, because even if one computer is blocked, other zombies will still be free to send out unwanted (and often illegal) e-mails.

In conclusion, e-mail spam today is increasingly sent via zombie networks: networks of virus- or worm-infected personal computers in homes and offices around the globe. This gives the spammer access to the computer, which is then used for malicious purposes. Zombies can also be used to launch mass attacks on any company or website.

IV) Adware and spyware. Adware is considered a genuine alternative offered to consumers who do not wish to pay for software. Programs, games or utilities can be designed and distributed as freeware. Sometimes freeware blocks features and functions of the software until you pay to register it. Today a growing number of software developers offer their goods as "sponsored" freeware until you pay to register. Generally most or all features of the freeware are enabled, but you will be viewing sponsored advertisements while the software is being used. This allows consumers to try the software before they buy, and you always have the option of disabling the ads by purchasing a registration key.

Spyware, by contrast, is considered a malicious program. One can become a victim of spyware by downloading certain peer-to-peer file swapping products readily available on the Internet. But more and more, users are infected with spyware simply by surfing the Internet. Many times spyware objects are invisibly and unethically embedded into web pages by the web master, and by simply visiting one of these web sites the user is unsuspectingly infected. Spyware works like adware but is usually a separate program that is installed unknowingly when you install another freeware-type program or application. Once installed, the spyware sends information to its creators about a user's activities, typically passwords, credit card numbers, e-mail addresses and other information that can be sold on the black market. Compromised machines located within a corporate network can be worth even more, since they can often gain access to confidential information held within that company. Because spyware exists as an independent executable program, it can scan files on the hard drive, install other spyware programs and read cookies, while consistently relaying this information back to the spyware author, who will either use it for advertising and marketing purposes or sell the information to another party.

V) Pop-ups and pop-unders. Simply put, a pop-up is a type of window that appears over the browser window, while a pop-under is a type of window that appears behind the browser window. To elaborate: pop-up ads, or pop-ups, are a form of online advertising on the Internet intended to attract web traffic or capture e-mail addresses. Pop-ups are generally new web browser windows opened to display advertisements. A variation on the pop-up window is the pop-under advertisement, which opens a new browser window hidden under the active window. Pop-unders do not interrupt the user immediately and are not seen until the covering window is closed, making it more difficult to determine which web site opened them.

b) Explain the various information security tools that can be employed to minimize the effects of the malware above.

Anti-spyware software: With the onset of spyware comes a plethora of anti-spyware software packages to rid your system of these unwanted and malicious programs. Anti-spyware software works by identifying any spyware installed on your system and removing it. Anti-spyware software will look for evidence of these files and delete them if found.

Keep the operating system updated: The first step in protecting your computer from any malicious software is to ensure that your operating system is up to date. This is essential, especially if you are using a Microsoft Windows OS.

Anti-virus software: Secondly, you need to have anti-virus software installed on your system and ensure you download updates often, so that your software has the latest fixes for new viruses, worms, and Trojan horses. Additionally, you want to make sure your anti-virus program has the capability to scan e-mail and files as they are downloaded from the Internet, and you also need to run full disk scans periodically. This will help prevent malicious programs from even reaching your computer.

Use a firewall: A firewall is a system that prevents unauthorized use of and access to your computer. A firewall can be either hardware or software. Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world. Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be less effective than a software firewall, as it could possibly ignore worms embedded in outgoing e-mails and see them as regular network traffic. For individual home users, the most popular firewall choice is a software firewall. A good software firewall will protect your computer from outside attempts to control or gain access to your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms. The downside of software firewalls is that they only protect the computer they are installed on, not a network.

c) What is software vulnerability? A software vulnerability is a weakness which allows an attacker to reduce a system's information assurance. It is essential for these vulnerabilities to be countered by safeguards in order to reduce the harm to the information. An example is a memory safety violation such as a buffer overflow: here an attacker finds and uses an overflow weakness to install malware and expose sensitive data.


2. a) Describe the process of system development life cycle (SDLC). The system development life cycle is the overall process of developing, implementing and retiring information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal. There are many different SDLC models and methodologies, but each generally consists of a series of defined steps or phases. For any SDLC model that is used, information security must be integrated into the SDLC to ensure appropriate protection for the information that the system will transmit, process, and store.

Initiation Phase: During the initiation phase, the organization establishes the need for a system and documents its purpose. Security planning should begin in the initiation phase with the identification of key security roles to be carried out in the development of the system. The information to be processed, transmitted, or stored is evaluated for security requirements, and all stakeholders should have a common understanding of the security considerations. Early planning and awareness will result in savings in costs and staff time through proper risk management planning. In this phase, the organization clearly defines its project goals and high-level information security requirements, as well as the enterprise security system architecture.

Development/Acquisition Phase: During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed. A key security activity in this phase is conducting a risk assessment and using the results to enhance the baseline security controls. In addition, the organization should analyze security requirements, perform functional and security testing; prepare initial documents for system certification and accreditation and design the security architecture.


The risk assessment enables the organization to determine the risk to operations, assets, and individuals resulting from the operation of information systems, and the processing, storage, or transmission of information. Another essential element is the development of security plans, which establish the security requirements for the information system, describe security controls that have been selected, and present the underlying principle for security categorization, how controls are implemented, and how use of systems can be restricted in high-risk situations. Security plans document the decisions made in the selection of controls, and are approved by authorized officials.

The developmental testing of the technical and security features and functions of the system ensures that they perform as intended, prior to launching the implementation and integration phase.

Implementation Phase: In the implementation phase, the organization configures and enables system security features, tests the functionality of these features, installs the system and obtains a formal authorization to operate it. Design reviews and system tests should be performed before placing the system into operation to ensure that it meets all required security specifications. In addition, if new controls are added to the application or the support system, additional acceptance tests of those new controls must be performed. This approach ensures that new controls meet security specifications and do not conflict with or invalidate existing controls. The results of the design reviews and system tests should be fully documented, updated as new reviews or tests are performed, and maintained in the organization's official records.

Operations/Maintenance Phase: In this phase, systems and products are in place and operating, enhancements and modifications to the system are developed and tested, and hardware and software components are added or replaced. The organization should continuously monitor performance of the system to ensure that it is consistent with pre-established user and security requirements, and that needed system modifications are incorporated. Also in the Operations/Maintenance Phase, configuration management and control activities should be conducted to document any proposed or actual changes to the security plan of the system. Information systems are in a steady state of evolution, with upgrades to hardware, software and firmware, and possible modifications in the surrounding environment. Documenting information system changes and assessing the potential impact of these changes on the security of a system are essential activities to assure continuous monitoring and prevent lapses in the system security accreditation.

Disposal Phase: In this phase, plans are developed for discarding system information, hardware, and software and making the transition to a new system. The information, hardware, and software may be moved to another system, archived, discarded, or destroyed. If performed improperly, the disposal phase can result in the unauthorized disclosure of sensitive data. When archiving information, organizations should consider the need for and the methods of future retrieval. Often there is no definitive end to a system; systems normally evolve to the next generation because of changing requirements or improvements in technology. The disposal activities ensure the orderly termination of the system and preserve the vital information about the system so that some or all of the information may be reactivated in the future, if necessary. Particular importance is given to proper preservation of the data processed by the system, so that the data is actually migrated to another system or archived in accordance with applicable records management regulations and policies for potential future access. The removal of information from a storage medium, such as a hard disk or tape, should be done in accordance with the organization's security requirements.

b) Describe the following models of SDLC.

i) Waterfall model. The waterfall model is a sequential design process, often used in software development, in which progress is seen as flowing steadily downwards (like a waterfall) through the phases of Conception, Initiation, Analysis, Design, Construction, Testing, Production/Implementation and Maintenance. In a waterfall model, after each phase is finished, work proceeds to the next one. Reviews must take place before moving to the next phase, which allows for the possibility of changes. Reviews may also be employed to ensure that the phase is indeed complete. Waterfall discourages revisiting and revising any prior phase once it is complete. This "inflexibility" in a pure waterfall model has been a source of criticism by supporters of other, more "flexible" models.

ii) Prototyping. This model is usually used when the business process is likely to change as the project proceeds, or when the project sponsor has little idea of what system is to be built. The Analysis, Design, and Implementation phases are performed concurrently, each cycle resulting in a system prototype that is reviewed by the project sponsor. The cycle is repeated continually based on the sponsor's comments until the prototype successfully meets the requirements. The last prototype is then called the system. Prototyping development needs only initial basic analysis and design, but as a result important system functions may not be recognized until somewhere in the middle of the project timeline. Thus there is a possibility of having to alter the initial design decisions and start all over again from the beginning. One of its main benefits is that it can deliver a system to users quickly, even if it does not exactly meet the requirements.

iii) Spiral model. The spiral model combines the idea of prototyping with the systematic, controlled aspects of the waterfall model. It allows for incremental releases of the product, or incremental refinement through each time around the spiral. The spiral model also explicitly includes risk management within software development. Identifying major risks, both technical and managerial, and determining how to lessen the risk helps keep the software development process under control. The spiral model is based on continuous refinement of key products for requirements definition and analysis, system and software design, and implementation. This model uses many of the same phases as the waterfall model, in essentially the same order, separated by planning, risk assessment, and the building of prototypes and simulations. Documents are produced when they are required, and the content reflects the information necessary at that point in the process. All documents will not be created at the beginning of the process, nor all at the end. Like the product they define, the documents are works in progress.


The spiral lifecycle model allows for elements of the product to be added in when they become available or known. This assures that there is no conflict with previous requirements and design. This method is consistent with approaches that have multiple software builds and releases, and allows for making an orderly transition to a maintenance activity. It also involves a high amount of risk analysis, which is good for large and mission-critical projects, and software is produced early in the software life cycle. However, it can be a costly model to use, risk analysis requires highly specific expertise, the project's success is highly dependent on the risk analysis phase, and it doesn't work well for smaller projects.

iv) RAD. Rapid application development (RAD) is a software development methodology that uses minimal planning in favor of rapid prototyping. In rapid application development, structured techniques and prototyping are especially used to define users' requirements and to design the final system. The development process starts with the development of preliminary data models and business process models using structured techniques. In the next stage, requirements are verified using prototyping, eventually to refine the data and process models. These stages are repeated iteratively; further development results in "a combined business requirements and technical design statement to be used for constructing new systems". RAD methodology was introduced to overcome the weaknesses of the structured design method. It introduced the use of advanced development tools like code generators and visual fourth-generation (4G) programming languages such as Microsoft Visual Basic and Borland Delphi. The use of these tools speeds up the development process and to some degree produces higher quality code. However, as the system can be delivered quickly, users tend to change their expectations of what the system can do, so the requirements tend to change and expand.

d) What is a metric? Explain various types of metrics you know. Metrics are derived measures which give a quantitative evaluation of a software system, process or related documentation, e.g. effort variance, training effectiveness, customer satisfaction index, defect density, fog index, lines of code in a program and many others. Put simply, metrics are measures used to quantify the software, the software development resources and the software development process. Metrics are generally classified into two types, process metrics and product metrics. Process metric: a metric used to measure the characteristics of the methods, techniques and tools employed in developing, implementing and maintaining the software system. Product metric: a metric used to measure the characteristics of the documentation and code. The metrics for the test process would include the status of test activities against the plan and the test coverage achieved so far, among others. An important metric is the number of defects found in internal testing compared to the defects found in customer tests, which indicates the effectiveness of the test process itself.


3. a) Discuss the role and responsibilities or duties of the chief information officer.

The chief information officer is the agency's official responsible for developing and maintaining an agency-wide information security program and has the following responsibilities:

Designating a Senior Agency Information Security Officer (SAISO) who will carry out the CIO's responsibilities for system security planning;

Developing and maintaining information security policies, procedures and control techniques to address system security planning. As a member of the highest level of management in an organization, the Chief Information Officer serves as the expert on technology, software, and information systems for top-level planning and development.

Managing the identification, implementation and assessment of common security controls;

Ensuring that personnel with significant responsibilities for system security plans are trained. In this case the Chief Information Officer might initiate business-wide technology initiatives that are designed to bring the company up to date and to encourage employees to undergo training to improve their technology knowledge in support of their job duties;

Assisting senior agency officials with their responsibilities for system security plans;


Identifying and developing common security controls for the agency. Here the Chief Information Officer must evaluate and choose the type of platform and computer system that will allow the business to carry out its services.

b) What are uncertainties? Discuss various risk management techniques you know. Uncertainty is a normal and unavoidable characteristic of most software projects, resulting from the continuously increasing complexity of the products we create and the disturbance with which we sometimes develop the source code. Risk management techniques include:

- Investing in a systematic information management system incorporating high-quality assurance processes.
- Data confidentiality controls to protect personal data against unauthorized access, including physical, legal and logical access controls, both technical and procedural in nature.
- Data integrity controls to improve the quality, completeness and accuracy of data in computer systems through data entry, processing, output and transmission controls.
- Proactive technical vulnerability management, including timely identification of vulnerabilities, patching and updating of systems, and intensive security testing.
- "Anti-everything" software, including anti-virus, anti-spyware, firewalls etc., to minimize malware, spam, spyware and intrusion incidents on systems.
- Proactive IT auditing, monitoring and reporting processes to identify and respond to risks before they cause incidents, and post-incident analysis.
- Enforcement of rights and compliance obligations in relation to IP ownership, IT governance, personal data protection etc. through legal, regulatory and other means.
- Resilience engineering: designing, building, testing, operating and maintaining both business processes and IT systems to provide reliable and secure services by reducing vulnerabilities and single points of failure, hence minimizing unplanned downtime and other disruptive incidents even if threats materialize.
- Contingency arrangements, including back-ups, redundant assets, IT disaster recovery plans and audits.
- Information security awareness, training and education. This helps people understand and fulfill their security obligations and motivates them to work securely, creating a secure culture.

d) Briefly explain the incident response process. Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step process that should be followed when an incident occurs. An organization's incident response is conducted by the computer incident response team, a carefully selected group that, in addition to security and general IT staff, may include representatives from legal, human resources, and public relations departments.

1. Preparation: The organization educates users and IT staff about the importance of updated security measures and trains them to respond to computer and network security incidents quickly and correctly.

2. Identification: The response team is activated to decide whether a particular event is, in fact, a security incident. The team may contact the CERT Coordination Center, which tracks Internet security activity and has the most current information on viruses and worms.

3. Containment: The team determines how far the problem has spread and contains the problem by disconnecting all affected systems and devices to prevent further damage.

4. Eradication: The team investigates to discover the origin of the incident. The root cause of the problem and all traces of malicious code are removed.

5. Recovery: Data and software are restored from clean backup files, ensuring that no vulnerabilities remain. Systems are monitored for any sign of weakness or recurrence.

6. Lessons learned: The team analyzes the incident and how it was handled, making recommendations for better future response and for preventing a recurrence.
