
Diploma in Information Technology

IT3111 InfoSecurity Management


2014/2015 Semester 2
Tutorial 1 to 8 Sample Answers
Tutorial 1
1. Briefly explain the objective of information security management.
The objective of information security management is to protect information assets from
accidental or intentional disclosure, modification, destruction or denial at a reasonable
cost.
2. Briefly describe the objective of each of the following protection mechanisms.
Prevention: to minimize vulnerabilities and risks
Detection: to identify damage to an asset
Response: to reduce/control the damage after an incident
3. Briefly explain the three components in the security triad and determine which one of
them is breached in each of the two following scenarios.
Confidentiality: prevent, detect and respond to unauthorized disclosure of information
Integrity: prevent, detect and respond to unauthorized modification of information
Availability: prevent, detect and respond to unauthorized withholding of information or
resources.
a. A disgruntled employee took revenge on the company and defaced the
company website.
Integrity
b. A student connects to a shared public network and starts to download a huge
amount of materials from the Internet. The activities slow down the internet
connection and render some services inaccessible by other users.
Availability
4. List the six secure operating environments.
Physical, Personnel, Regulatory, Hardware, Software, Networks
5. Briefly describe the responsibility of each of the stakeholders: owner, custodian and users
of information.
Information owner: Responsible for the information; specifies the acceptable use of the
information; specifies the appropriate controls; appoints the information custodian
Information custodian: Implements, administers and monitors user access control
Information users: Comply with the acceptable use of the information
a. Assuming that you have an account in facebook.com, who is the owner of your
contents and information?
You own all of the content and information you post on Facebook
b. Who are the users of the posted information?
Everyone, Friends of Friends, Friends Only and the account owner, depending on the
audience the owner selects
c. What access right to information posted on facebook.com can the owner assign to
the users?
Share (read only)

IT3111 Tutorial 1 to 8 sample answers

Page 1

6. Give examples to illustrate how each of the two security principles, least privilege and
segregation of duties, can prevent information security incidents in an online share
trading company.
"Least Privilege" means a user should have only the minimum permissions on objects
(files, data records) that are needed to perform the assigned roles/tasks, and no more.
Example: the Internet firewall is configured to grant users access only to the websites
needed to conduct the business of the organization.
"Segregation of Duties" means two or more people are involved in different steps to
complete a high-risk transaction, so that no single person can carry it out alone.
Example: different employees are needed to initiate, approve and execute an order in a
trading system.
7. What is the use of the standard ISO/IEC 27002 in an organization? Should a company
implement all the security controls stated in the ISO/IEC 27002 code of practice for
information security management? Support your answer with reasons.
ISO/IEC 27002 provides guidelines on information security management and security
measures. The code of practice is designed for organizations of any size, so a company
should not implement every control blindly. Each organization should select and
implement the controls that are relevant to it and that reduce its own information
security risks, based on its risk assessment.
Tutorial 2
1. Information risk management does not manage credit risk or liquidity risk. What are the
two types of risk that information risk management focuses on?
Answer: Operational risk, specifically physical security risk and information systems risk.
2. What are the 3 components of Risk Assessment stated in ISO/IEC 27005:2011(E)?
Answer: Risk identification, risk analysis and risk evaluation.
3. Describe the steps you use to determine the risk level of malware attack that may affect
your study in the school and at home. You need to use the keywords, asset, threat,
impact, vulnerability and likelihood in your description. You also need to calculate and
state the risk level of malware attack.
Answer:
1) Identify the asset: the study environment and assignment/project work.
2) Identify the threat: a malware attack that may disrupt the study environment and
delete assignment/project work.
3) Identify the impact: High, as a malware attack disrupts study for 2 days and deletes all
my assignment/project work.
4) Identify the vulnerability: the computer systems are not able to detect and stop the
malware attack; the current anti-virus software cannot stop new, unknown viruses.
5) Identify the likelihood: High, as a large amount of malware is hidden in email messages
and on Internet websites.
6) Determine the risk level: High, as both the threat impact and the likelihood are at a
high level.
4. State the advantage of using each of the two assessment methods, qualitative and
quantitative methods. Discuss the best use of these two methods in the same risk
assessment project.
Answer: The qualitative assessment method helps management to prioritize risks and
identify immediate areas for improvement. The quantitative assessment method provides
the magnitude of the impacts, which can be used in the cost-benefit analysis of the
recommended protection.

The best use of these two methods is to conduct a qualitative assessment first to identify
the immediate areas for improvement, followed by a quantitative assessment that
determines cost-effective security controls through a cost-benefit analysis.
5. Describe 4 vulnerabilities exploited by malware to attack lab PCs in the school. Suggest a
security control that can reduce each of the 4 vulnerabilities.
Answer:
1) A computer system cannot determine by itself whether a program is harmful to the
system or to a human being. Preventive control: re-design the computer architecture to
block a program from gaining unauthorized access to other programs.
2) A user clicks an attachment in an email without checking it. Preventive control: brief
and train users not to open attachments in email messages from unknown or untrusted
senders.
3) The operating system autoplays removable media, so malware hidden on a USB thumb
drive runs automatically. Preventive control: disable the autoplay capability in the
Windows registry.
4) Some home PCs do not have the latest security patches installed. Preventive control:
software manufacturers provide regular automatic security patch installation, with the
patches secured by digital signatures.
Tutorial 3
1. List the 7 steps required to conduct a risk assessment on a new information system for an
organization.
Answer:
1) System Characterization (Asset Valuation)
2) Threat Identifications
3) Vulnerabilities Identifications
4) Control Analysis (existing controls)
5) Likelihood Determination
6) Impact Analysis
7) Risk Determination
2. Read the Item 1A Risk Factors in pages 5 to 14 of Amazon Inc. 2011 Annual Report
available at learn.nyp.edu.sg. Identify and describe any TWO (2) risks that related to
information systems and their operation in Amazon Inc.
Answer (any two of the following):
1) Amazon may not manage the growth of its systems and technical performance
effectively.
2) Amazon's operating results may fluctuate significantly depending on the extent to
which operators of the networks between its customers and its websites successfully
charge fees to grant customers unimpaired and unconstrained access to its online
services.
3) Amazon could suffer from the difficulty of integrating a newly acquired company's
accounting, financial reporting, management, information and information security,
human resources and other administrative systems to permit effective management.
4) Amazon could be harmed by data loss or other information security breaches,
including exposing customers to a risk of loss or misuse of information, resulting in
liability for Amazon.
3. Describe the TWO (2) sources of information that can provide figures on Annualized Rate
of Occurrence (ARO) on specific threats.
Answer:

1) Use the statistics from the organization's own previous incident reports to estimate
the ARO.
2) Use the likelihood figures stated in information security threats and vulnerabilities
survey reports to estimate the ARO.
4.
(a) What is the Annualized Rate of Occurrence (ARO) for this risk?
Assuming that the company is as vulnerable as the companies in the trade
magazine survey, the ARO is 80%, i.e. 0.8.
(b) Calculate the Single Loss Expectancy (SLE) for this risk.
Assuming a virus attack on one workstation will spread to all 100 workstations
and the 200 users need to wait 3 hours before the virus is removed:
SLE = 200 users x 3 hours x $30/hour = $18,000
(c) Using the formula ARO x SLE = ALE, calculate the Annual Loss Expectancy.
ALE = ARO x SLE = 0.8 x $18,000 = $14,400
(d) Determine whether it is cost-effective to purchase the anti-virus software by
calculating how much money would be saved or lost after purchasing the
software. You can assume the anti-virus software can remove 90% of the
estimated risk.
If the anti-virus software removes 90% of the estimated risk (the ALE), the ALE
after installation of the anti-virus software will be $14,400 x (1 - 90%) = $1,440.
The annual cost of the anti-virus software is $4,700 per year.
The annual cost saving from using the anti-virus software is
ALE before installation - (ALE after installation + annual cost of the software)
= $14,400 - ($1,440 + $4,700) = $8,260.
A saving of $8,260 per year after installation means it is cost-effective to
implement the anti-virus software. (Had the software cost more than $12,960 a
year, the saving would be negative and the purchase would not be justified.)
(e) If the anti-virus software solution is used, discuss whether there is still any residual risk.
There is still the other 10% of the risk that this anti-virus software cannot remove,
e.g. a machine can still be infected if the virus definitions are not up-to-date, or
employees may disable the anti-virus software for convenience. Management
should reduce these residual risks to an acceptable level through other risk
mitigation methods.
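The calculation in (a) to (e) as a small Python helper, added here as an example rather than part of the tutorial answers. The Scenario and Control types, the function names and the two extra candidate controls (a hypothetical premium product and "accept the risk") are assumptions for illustration; the figures for the virus scenario are the tutorial's own. It goes a step beyond the answer by comparing several controls and rejecting any control whose annual cost exceeds the loss it prevents.

```python
"""Quantitative risk assessment helper: SLE, ARO, ALE and the cost-benefit
test for a proposed control. Added example, not part of the tutorial answers.
Scenario figures are the tutorial's: 200 users idle for 3 hours at $30/hour,
ARO 0.8, anti-virus removing 90% of the risk at $4,700 per year."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    users: int          # number of users affected by one incident
    hours_lost: float   # downtime per incident, in hours
    hourly_cost: float  # cost of one idle user-hour, in dollars
    aro: float          # annualized rate of occurrence (incidents per year)


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # fraction of the ALE the control removes (0..1)
    annual_cost: float    # purchase/subscription cost per year


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = value lost in one incident (here: idle user-hours x hourly rate)."""
    return s.users * s.hours_lost * s.hourly_cost


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = ARO x SLE."""
    return s.aro * single_loss_expectancy(s)


def residual_ale(s: Scenario, c: Control) -> float:
    """ALE that remains after the control is applied (the residual risk)."""
    if not 0.0 <= c.effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    return annualized_loss_expectancy(s) * (1.0 - c.effectiveness)


def annual_saving(s: Scenario, c: Control) -> float:
    """Net annual saving = ALE_before - (ALE_after + control cost).
    A negative value means the control costs more than the risk it removes."""
    return annualized_loss_expectancy(s) - (residual_ale(s, c) + c.annual_cost)


def is_cost_effective(s: Scenario, c: Control) -> bool:
    return annual_saving(s, c) > 0


def best_control(s: Scenario, controls: list[Control]) -> Control | None:
    """Pick the control with the largest positive net saving, or None when
    every candidate costs more than it saves (i.e. accept the risk instead)."""
    candidates = [c for c in controls if is_cost_effective(s, c)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: annual_saving(s, c))


# Tutorial scenario (constructed from the figures in Q4).
VIRUS = Scenario(users=200, hours_lost=3, hourly_cost=30, aro=0.8)
ANTIVIRUS = Control("anti-virus", effectiveness=0.90, annual_cost=4_700)
# Hypothetical alternatives with assumed numbers, for comparison only.
GOLD_AV = Control("premium anti-virus", effectiveness=0.98, annual_cost=15_000)
NOTHING = Control("accept the risk", effectiveness=0.0, annual_cost=0)

if __name__ == "__main__":
    print(f"SLE = ${single_loss_expectancy(VIRUS):,.0f}")
    print(f"ALE = ${annualized_loss_expectancy(VIRUS):,.0f}")
    for c in (ANTIVIRUS, GOLD_AV, NOTHING):
        print(f"{c.name}: residual ALE ${residual_ale(VIRUS, c):,.0f}, "
              f"net saving ${annual_saving(VIRUS, c):,.0f}, "
              f"cost-effective={is_cost_effective(VIRUS, c)}")
    chosen = best_control(VIRUS, [ANTIVIRUS, GOLD_AV, NOTHING])
    print("choose:", chosen.name if chosen else "no control is cost-effective")
```

The premium product removes more risk but its $15,000 price exceeds the $14,400 ALE it protects against, so the helper rejects it; the cheaper product with $8,260 net saving is selected, matching the tutorial answer.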

Tutorial 4 and 5
Section 1 MCQ
1) A
2) B
3) A
4) D
5) C
6) C
7) B
8) D
9) C
10) D
Section 2
Columns: Checklist Section | Audit Question | Findings | Compliance

7.1 Business Requirement for Access Control
7.1.1 Access Control Policy
Audit question: Whether an access control policy is developed and reviewed based on the
business and security requirements.
Findings: A few policies, such as the Wireless Network Policy, are developed based on the
business need to govern access to the wireless network by students.
Compliance: Yes

Audit question: Whether both logical and physical access control are taken into
consideration in the policy.
Findings: e.g. Wireless Network Policy: logical access control by the user logon procedure;
physical access control by providing wireless access only within the NYP campus.
Compliance: Yes

Audit question: Whether the users and service providers were given a clear statement of
the business requirements to be met by access controls.
Findings: A clear statement of the business requirements is in the Wireless Network
Policy.
Compliance: Yes

7.2 User Access Management
7.2.1 User Registration
Audit question: Whether there is any formal user registration and deregistration.
Findings: Each student needs to go through a formal student registration process.
Compliance: Yes

Tutorial 6
1) a
2) d
3) b
4) b
5) a
6) c
7) d
8) c

9) Well-formed transactions and separation of duties.
10) The Chinese Wall Model can prevent conflicts of interest. It implements the policy that
people are only allowed to access information which does not conflict with any other
information they already possess.
11) The consultant company should keep the data from each computer storage company in
a separate dataset and put these 3 datasets into the same conflict-of-interest class.
Access controls must be implemented so that any user who has accessed one dataset is
prevented from accessing another dataset in the same class.
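The rule in Q11, implemented as an added Python example (not part of the tutorial answers). The ChineseWall class, the vendor and user names and the extra "banks" conflict-of-interest class are constructed for illustration; the check itself is the Brewer-Nash simple security rule: a read is permitted only if the user has already read that dataset, or has read nothing in the same conflict-of-interest class.

```python
"""Chinese Wall (Brewer-Nash) read-access check for tutorial 6 Q10-11.
Added example; dataset, class and user names are made up."""
from __future__ import annotations

from collections import defaultdict


class ChineseWall:
    def __init__(self) -> None:
        self.coi_class_of: dict[str, str] = {}                  # dataset -> COI class
        self.history: dict[str, set[str]] = defaultdict(set)    # user -> datasets read

    def add_dataset(self, dataset: str, coi_class: str) -> None:
        self.coi_class_of[dataset] = coi_class

    def can_read(self, user: str, dataset: str) -> bool:
        """Simple security rule: allow iff the user already read this dataset,
        or has read no other dataset in the same conflict-of-interest class."""
        if dataset not in self.coi_class_of:
            raise KeyError(f"unknown dataset {dataset!r}")
        target_class = self.coi_class_of[dataset]
        for seen in self.history[user]:
            if seen != dataset and self.coi_class_of[seen] == target_class:
                return False  # the wall: a competitor in this class was already read
        return True

    def read(self, user: str, dataset: str) -> bool:
        """Enforce the rule; only a permitted read is recorded in the history."""
        if not self.can_read(user, dataset):
            return False
        self.history[user].add(dataset)
        return True


def build_consultancy() -> ChineseWall:
    """Constructed scenario: three storage vendors in one COI class (as in Q11)
    plus an unrelated bank in a second class."""
    wall = ChineseWall()
    for vendor in ("StorageCo-A", "StorageCo-B", "StorageCo-C"):
        wall.add_dataset(vendor, "storage-vendors")
    wall.add_dataset("Bank-X", "banks")
    return wall


def demo() -> list[bool]:
    """Sequence of access attempts; the wall goes up after the first read."""
    wall = build_consultancy()
    return [
        wall.read("alice", "StorageCo-A"),  # True: first touch in the class
        wall.read("alice", "StorageCo-A"),  # True: same dataset again
        wall.read("alice", "StorageCo-B"),  # False: competitor behind the wall
        wall.read("alice", "Bank-X"),       # True: different COI class
        wall.read("bob", "StorageCo-B"),    # True: bob's history is separate
        wall.read("bob", "StorageCo-A"),    # False
    ]


if __name__ == "__main__":
    print(demo())
```

Note that the decision depends on each user's own access history, so the policy cannot be expressed as a static permission list: two users with identical assignments get different answers once their histories diverge.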
12) The operating system gives disk input/output processes a high availability priority and
allocates them more CPU time than low-availability processes such as word processing.
13) Ownership of information: the creator of the information becomes its owner, and the
owner may grant access rights to the information to others. Delegation of rights: a
subject that receives access rights to information can pass those rights on to other
subjects.
14) If two or more subjects have the privilege of granting or revoking certain access rights
to other subjects, this may lead to conflicts in cascading revocation chains.
15) It indicates the classification of information and the clearance of different subjects,
which a system uses to enforce the policies of an information security model.
16) In role assignment, a subject is assigned to a role which can execute a restricted set of
transactions; in role authorization, a subject may have only one active role at a time,
chosen from among its assigned roles.
17) With need-to-use transactions authorised for a role, a user assigned to that role cannot
pass his/her permissions on an information object to other users.
18) With restricted read or write transactions authorised for a role, both the confidentiality
and the integrity of information objects can be protected.

Tutorial 7
8. Some of the security tools of Windows operating system are listed below.
a. File permissions
b. Group policy
c. Microsoft Baseline Security Analyser
d. Performance monitor
e. Event viewer
f. Encrypting file system
g. Disk Quotas
Briefly describe how the above security tools help to reduce the risk level of each of the
following threats to Windows Servers.
i. Unauthorised access to confidential files: File permissions (only listed users/groups
can read), Group policy (enforces the permission and access settings centrally),
Encrypting file system (files are unreadable without the user's encryption key).
ii. Unauthorised modification of important files: File permissions (write access only for
authorised users).
iii. Weak passwords: Group policy (password length, complexity and expiry policies),
MBSA (scans for weak or blank passwords).
iv. System crashes due to hard disk full: Disk Quotas (cap the storage each user may
consume).
v. Malware: MBSA (reports missing security patches), Performance monitor (abnormal
CPU/disk/network usage), Event viewer (suspicious events in the security and system
logs).

9. Identify two advantages of access controls in a Windows server with Active Directory
when it is compared to a standalone Windows server without Active Directory.
Active Directory provides single sign-on (on any computer joined to the Active Directory
domain) and delegation of administrative rights.
10. Briefly describe TWO (2) important tasks required in the process to create a new user
account in the Microsoft Windows operating system which can assure the new user has the
appropriate rights and permissions to perform his/her duty.
Any two of the following tasks:
1) Obtain the new user's department and roles (appointments)
2) Create the user in the relevant OU according to the department of the new user
3) Configure the user's group membership and user rights assignment (role assignment)
4) Configure the user's network resource permissions

11. Briefly describe delegated administrative rights in Windows Active Directory.
A domain administrator can delegate an administrative right, such as password reset, to a
department manager so that the manager can reset the passwords of the staff in the same
department, whose accounts are located/created in the department's Organizational Unit
(OU).
12. Briefly describe how the staff and students in the School of IT can be configured and
represented in an Active Directory structure with a forest, domains and Organizational Units.
A domain SIT represents the school. A forest is created to contain the SIT domain.
Within the SIT domain, one Organizational Unit is created to represent the school
department, e.g. sit. Two user groups should be created: staff and student.
13. In Windows Active Directory, group policies can be set at different levels, (e.g. local
computer, local OU, parent OU, site, and domain). Describe how these policies at
different levels take effect on the targeted user or computer object.

The group policies are applied in sequence (local computer -> site -> domain -> parent
OU -> local OU), and the settings accumulate. In cases of conflict, the settings in the later
policies override those in earlier ones.
Tutorial 8
14. Briefly describe how the following configurations/services of Windows servers can be
hardened (protected)
a. Registry
Restrict remote access to the registry: grant the Administrators group full access
and the Authenticated Users group read access
Limit the number of users in the Administrators group
Remove the registry editor from the system
Disable registry tools through a GPO (Group Policy Object) and apply the
GPO to all users except Administrators
Enable auditing of specific keys and subkeys
b. User Accounts
Assign the least rights required, using group policies, for each user to perform
their duties
Apply password policies
Apply logon session restrictions
c. Files and folders on hard disks
Apply disk quotas
Assign file/folder permissions for each user
15. Briefly describe any TWO security tools/controls in Windows servers that protect
confidentiality of information assets.
Object-based access control and Encrypting File System
16. Briefly describe ONE security tool/control in Windows servers that protects integrity of
information assets.
File/folder access control allows only authorized users to modify particular files/folders
17. Briefly describe any TWO security tools/controls in Windows servers that protect
availability of information assets.
Disk quota, file replication, file access control
18. Name THREE duties that are normally performed by a Patch and Vulnerability Group.
Which patch management tool at Windows is recommended for individual users?
Refer to lecture notes
19. What is EICAR virus? How can it help in malware control?
Refer to lecture notes
20. What is the first step in handling a PC infected with virus? Justify your answer with a good
reason.
Refer to lecture notes
