
15IT42IE - INFORMATION AND NETWORK SECURITY



UNIT-I
Part-A (Multiple choice questions)

1. A ---------- is a plan to convey instructions from top management people to others who take actions and
perform duties.
(a) Mission
(b) Policy
(c) Standards
(d) Vision [IO1 : L1] [TB :1 Page no :60]
Ans : b
2. The process of moving the organization towards its vision is called as
(a) Strategic planning
(b) Security policy
(c) Dissemination
(d) Comprehension [IO1 : L1] [TB :1 Page no :29]
Ans : a
3. ----------- consists of the user access lists that governs the rights and privileges of the users.
(a) Privileges list
(b) Access matrix
(c) Access control list
(d) User list [IO 1 : L2] [TB :1 Page no :185]
Ans : c
4. Which guides the development, implementation, and management of a security program?
(a) EISP
(b) ESIP
(c) ESPI
(d) EPSI [IO 1 : L2] [TB :1 Page no :180]
Ans : a
5. From where was ISO 17799 originally derived?
(a) BS7790
(b) BS7799
(c) BS7779
(d) BS7789 [IO 1 : L2] [TB :1 Page no :191]
Ans : b
6. ________ functions like laws in an organization because they dictate acceptable and unacceptable behavior
there.
(a) Policies
(b) Heedless
(c) Unreasonable
(d) Discipline [IO 1 : L1] [TB :1 Page no :91]
Ans : a
7. _______ policy provides rules for protection of the organization’s information assets.
(a) Control Security
(b) Information Security
(c) Redundant
(d) Process Security [IO 1 : L1] [TB :1 Page no :181]
Ans : b
8. ISO ______ is focused on a broad overview of the various areas of security.
(a) 9001
(b) 22000
(c) 25000
(d) 27002 [IO 1 : L1] [TB :1 Page no :191]
Ans : d


9. The first phase in the CP process is _____.
(a) IR Plan
(b) DR Plan
(c) BIA
(d) BC Plan [IO 1 : L2] [TB :1 Page no :214]
Ans : c
10. A ----------- ensures that the critical business functions continue, if an incident or disaster occurs.
(a) Incident response plan
(b) Continuity plan
(c) Business continuity plan
(d) Disaster recovery plan [IO 1 : L2] [TB :1 Page no :237]
Ans : b
11. --------- security to protect physical items, objects, or areas from unauthorized access and misuse
(a) Physical
(b) Personnel
(c) Operations
(d) Communications [IO 1 : L1] [TB :1 Page no :8]
Ans : a
12. ---------security, to protect the individual or group of individuals who are authorized to access the organization
(a) Physical
(b) Personnel
(c) Operations
(d) Communications [IO 1 : L1] [TB :1 Page no :8]
Ans : b
13. ------------- security, to protect the details of a particular operation or series of activities
(a) Physical
(b) Personnel
(c) Operations
(d) Communications [IO 1 : L1] [TB :1 Page no :8]
Ans : c
14. ------------- security, to protect communications media, technology, and content
(a) Network
(b) Operations
(c) Information
(d) Communications [IO 1 : L1] [TB :1 Page no :8]
Ans : d
15. ------------- security, to protect networking components, connections, and contents
(a) Network
(b) Operations
(c) Information
(d) Communications [IO 1 : L1] [TB :1 Page no :8]
Ans : a
16. ------------------ security, to protect the confidentiality, integrity and availability of information
assets, whether in storage, processing, or transmission.
(a) Network
(b) Operations
(c) Information
(d) Communications [IO 1 : L1] [TB :1 Page no :8]
Ans : c
17. -------------- responsible for the security and use of a particular set of information
(a) Data owners
(b) Data custodians
(c) Data users
(d) Data managers [IO 1 : L1] [TB :1 Page no :30]
Ans : a

18. ------------ responsible for the storage, maintenance, and protection of the information
(a) Data owners
(b) Data custodians
(c) Data users
(d) Data managers [IO 1 : L1] [TB :1 Page no :30]
Ans : b

19. -----------work with the information to perform their daily jobs supporting the mission of the organization
(a) Data owners
(b) Data custodians
(c) Data users
(d) Data managers [IO 1 : L1] [TB :1 Page no :30]
Ans : c

20. -------------- People who understand the organizational culture, existing policies, and requirements for developing
and implementing successful policies.
(a) Security policy developers
(b) Risk assessment specialists
(c) Security professionals
(d) Systems administrators [IO 1 : L1] [TB :1 Page no :30]
Ans : a

21. -------------- People who understand financial risk assessment techniques, the value of organizational assets, and
the security methods to be used.
(a) Security policy developers
(b) Risk assessment specialists
(c) Security professionals
(d) Systems administrators [IO 1 : L1] [TB :1 Page no :30]
Ans : b

22. -------------- Dedicated, trained, and well-educated specialists in all aspects of information security from both a
technical and nontechnical standpoint.
(a) Security policy developers
(b) Risk assessment specialists
(c) Security professionals
(d) Systems administrators [IO 1 : L1] [TB :1 Page no :30]
Ans : c

23. -------------- People with the primary responsibility for administering the systems that house the information used
by the organization.
(a) Security policy developers
(b) Risk assessment specialists
(c) Security professionals
(d) Systems administrators [IO 1 : L1] [TB :1 Page no :30]
Ans : d

24.
Category of Threat Examples
1. Compromises to intellectual property a. ISP, power, or WAN service issues from service providers
2. Software attacks b. Viruses, worms, macros, denial of service
3. Deviations in quality of service c. Piracy, copyright infringement
4. Espionage or trespass d. Unauthorized access and/or data collection

(a) 1.b,2.c,3.a,4.d
(b) 1.c,2.b,3.a,4.d
(c) 1.b,2.c,3.a,4.d
(d) 1.b,2.c,3.a,4.d [IO 1 : L1] [TB :1 Page no :44]
Ans : b

25.
Category of Threat Examples
1. Compromises to intellectual property a. ISP, power, or WAN service issues from service providers
2. Software attacks b. Unauthorized access and/or data collection
3. Deviations in quality of service c. Piracy, copyright infringement
4. Espionage or trespass d. Viruses, worms, macros, denial of service

(a) 1.b,2.c,3.a,4.d
(b) 1.c,2.d,3.a,4.b
(c) 1.b,2.c,3.a,4.d
(d) 1.b,2.c,3.a,4.d [IO 1 : L1] [TB :1 Page no :44]
Ans : b

26.
Category of Threat Examples
1. Forces of nature a. Accidents, employee mistakes
2. Human error or failure b. Blackmail, information disclosure
3. Information extortion c. Fire, flood, earthquake, lightning
4. Missing, inadequate, or incomplete controls d. Network compromised because no firewall security controls
(a) 1.c,2.a,3.b,4.d
(b) 1.c,2.b,3.a,4.d
(c) 1.b,2.c,3.a,4.d
(d) 1.b,2.c,3.a,4.d [IO 1 : L1] [TB :1 Page no :44]
Ans : a

27.
Category of Threat Examples
1. Forces of nature a. Unauthorized access and/or data collection
2. Human error or failure b. Accidents, employee mistakes
3. Information extortion c. Blackmail, information disclosure
4. Espionage or trespass d. Fire, flood, earthquake, lightning

(a) 1.b,2.c,3.a,4.d
(b) 1.d,2.b,3.c,4.a
(c) 1.b,2.c,3.a,4.d
(d) 1.b,2.c,3.a,4.d [IO 1 : L1] [TB :1 Page no :44]

Ans : b

28.
Category of Threat Examples
1. Software attacks a. Destruction of systems or information
2. Sabotage or vandalism b. Illegal confiscation of equipment or information
3. Theft c. Bugs, code problems, unknown loopholes
4. Technical software failures or errors d. Viruses, worms, macros, denial of service

(a) 1.d,2.a,3.b,4.c
(b) 1.c,2.b,3.a,4.d
(c) 1.b,2.c,3.a,4.d
(d) 1.b,2.c,3.a,4.d [IO 1 : L1] [TB :1 Page no :44]
Ans : a

29. ----------- are software programs that hide their true nature and reveal their designed behavior only when
activated.
(a) Trojan horses
(b) worm
(c) virus
(d) Polymorphic Threats [IO 1 : L1] [TB :1 Page no :48]
Ans : a

30. -----------is a malicious program that replicates itself constantly, without requiring another program
environment.
(a) Trojan horses
(b) worm
(c) virus
(d) Polymorphic Threats [IO 1 : L1] [TB :1 Page no :47]
Ans : b

31. A computer ----------- consists of segments of code that perform malicious actions.
(a) Trojan horses
(b) worm
(c) virus
(d) Polymorphic Threats [IO 1 : L1] [TB :1 Page no :47]

Ans : c

32. The infected system scans a random or local range of IP addresses and targets any of several vulnerabilities
known to hackers or left over from previous exploits such as Code Red, Back Orifice, or PoizonBox.
(a) IP scan and attack
(b) Web browsing
(c) Unprotected shares
(d) Mass mail [IO 1 : L1] [TB :1 Page no :66]

Ans : a

33. If the infected system has write access to any Web pages, it makes all Web content files (.html, .asp, .cgi, and
others) infectious, so that users who browse to those pages become infected.
(a) IP scan and attack
(b) Web browsing
(c) Unprotected shares
(d) Mass mail [IO 1 : L1] [TB :1 Page no :66]
Ans : b

34. Each infected machine infects certain common executable or script files on all computers to which it can write
with virus code that can cause infection.
(a) Trojan horses
(b) worm
(c) virus
(d) Polymorphic Threats [IO 1 : L1] [TB :1 Page no :66]
Ans : c

35. -----------is a technique used to gain unauthorized access to computers, wherein the intruder sends messages to a
computer with an IP address indicating that the message is coming from a trusted host.
(a) Spoofing
(b) Phishing
(c) Pharming
(d) Man-in-the-middle [IO 1 : L1] [TB :1 Page no :81]

Ans : a

36. ----------- is an attempt to obtain personal or financial information using fraudulent means, usually by posing as a
legitimate entity.
(a) Spoofing
(b) Phishing
(c) Pharming
(d) Man-in-the-middle [IO 1 : L1] [TB :1 Page no :82]

Ans : b

37. ----------- is the redirection of legitimate web traffic to an illegitimate site for the purpose of obtaining private
information.
(a) Spoofing
(b) Phishing
(c) Pharming
(d) Man-in-the-middle [IO 1 : L1] [TB :1 Page no :83]

Ans : c

38. ----------- is a written statement of an organization’s purpose.
(a) Mission
(b) Vision
(c) Policy
(d) Procedure
Ans : a

39. ----------- is the analysis of a danger to assign a risk rating or score to an information asset.
(a) risk assessment
(b) risk control
(c) risk identification
(d) risk management [IO 1 : L1] [TB :1 Page no :122]
Ans : a

40. ----------- is the process of applying controls to reduce the risks to an organization’s data and information
systems.
(a) risk assessment
(b) risk control
(c) risk identification
(d) risk management [IO 1 : L1] [TB :1 Page no :122]

Ans : b

41. ----------- is the formal process of examining and documenting the security posture of an organization’s
information technology and the risks it faces.
(a) risk assessment
(b) risk control
(c) risk identification
(d) risk management [IO 1 : L1] [TB :1 Page no :122]

Ans : c

42. ----------- is the process of identifying vulnerabilities in an organization’s information systems and taking
carefully reasoned steps to ensure the confidentiality, integrity, and availability of all components in the
organization’s information system.
(a) risk assessment
(b) risk control
(c) risk identification
(d) risk management [IO 1 : L1] [TB :1 Page no :122]
Ans : d

43. -----------attack in which an abuser has successfully broken an encryption and attempts to resubmit the deciphered
authentication to gain entry to a secure source.
(a) Spoofing
(b) Phishing
(c) Replay attack
(d) Man-in-the-middle [IO 1 : L1] [TB :1 Page no :81]

Ans : c

44. ----------- attack in which the abuser records data packets from the network, modifies them, and inserts them back
into the network.
(a) Spoofing
(b) Phishing
(c) Pharming
(d) Man-in-the-middle [IO 1 : L1] [TB :1 Page no :85]

Ans : d

45. ----------- method of attacking a cryptosystem that relies on knowledge of some or all of the plaintext
that was used to generate a ciphertext.
(a) Replay attack
(b) Pharming
(c) Man-in-the-middle attack
(d) Phishing [IO 1 : L1] [TB :1 Page no :85]
Ans : c
46. Which defines the boundary between the outer limit of an organization’s security and the beginning of the outside world?
(a) Security Perimeter
(b) Defense in Depth
(c) DMZ
(d) DFS [IO 1 : L1] [TB :1 Page no :205]
Ans : a

47. One of the basic tenets of security architectures is the layered implementation of security. This layered
approach is called ---------.
(a) Security Perimeter
(b) Defense in Depth
(c) DMZ
(d) DFS [IO 1 : L1] [TB :1 Page no :205]
Ans : b

48. Which of the following is the no man’s land between the inside and the outside of a network?
(a) DFS
(b) DMZ
(c) DNZ
(d) DSE [IO 1 : L1] [TB :1 Page no :207]

Ans : b

49. A separate host in an organization for security is known as _____.
(a) Bastion Host
(b) Local Host
(c) Control Host
(d) Data Host [IO 1 : L1] [TB :1 Page no :264]
Ans : a

50. The boundary between the outer limit of an organization’s security and the beginning of the outside world is
defined by
(a) Security domain
(b) Demilitarized zone
(c) Framework
(d) Security perimeter [IO 1 : L1] [TB :1 Page no :205]
Ans : d

Part-B (4 Marks questions)

1. Write short notes on Business Continuity Plan. [TB :1 Page no :148]


Business continuity planning (BCP) is the process involved in creating a system of prevention and recovery
from potential threats to a company. The plan ensures that personnel and assets are protected and are able to
function quickly in the event of a disaster. The BCP is generally conceived in advance and involves input from
key stakeholders and personnel.
BCP involves defining any and all risks that can affect the company's operations, making it an important part
of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or
weather-related events—and cyber attacks. Once the risks are identified, the plan should also include:
Determining how those risks will affect operations
Implementing safeguards and procedures to mitigate the risks
Testing procedures to ensure they work
Reviewing the process to make sure that it is up to date

2. Give an overview of Content Filters. [TB :1 Page no :277]


A content filter is a software filter—technically not a firewall—that allows administrators to restrict access to
content from within a network. It is essentially a set of scripts or programs that restricts user access to certain
networking protocols and Internet locations, or restricts users from receiving general types or specific examples
of Internet content. Some refer to content filters as reverse firewalls, as their primary purpose is to restrict
internal access to external material. In most common implementation models, the content filter has two
components: rating and filtering. The rating is like a set of firewall rules for Web sites and is common in
residential content filters.

3.List the various NIST documents in the design of security framework. [TB :1 Page no :198]

SP 800-12: An Introduction to Computer Security: The NIST Handbook
SP 800-14: Generally Accepted Security Principles and Practices for Securing Information Technology Systems
SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information Systems
SP 800-26: Security Self-Assessment Guide for Information Technology Systems (removed from active list but still available in archives)
SP 800-30: Risk Management Guide for Information Technology Systems
4. Why is data the most important asset an organization possesses? [TB :1 Page no :205]
Technical controls are the tactical and technical implementations of security in the organization. While
operational controls address specific operational issues, such as developing and integrating controls into the business
functions, technical controls are the components put in place to protect an organization’s information assets. They
include logical access controls, such as identification, authentication, authorization, accountability (including audit
trails), cryptography, and the classification of assets and users.
5. Define spheres of security. [TB :1 Page no :204]
The spheres of security, shown in Figure 5-8, are the foundation of the security framework. Generally speaking,
the spheres of security illustrate how information is under attack from a variety of sources. The figure also
illustrates the ways in which people access information. For example, people read hard copies of documents and
can also access information through systems. Information, as the most important asset in this model, is at the
center of the sphere. Information is always at risk from attacks whenever it is accessible by people or computer
systems.
6. Which management groups are responsible for implementing information security to protect the
organization’s ability to function? [TB :1 Page no :204]
Information security safeguards provide three levels of control: managerial, operational, and technical.
Managerial controls are security processes that are designed by strategic planners and implemented by the security
administration of the organization. Management controls set the direction and scope of the security process and
provide detailed instructions for its conduct, as well as addressing the design and implementation of the security
planning process and security program management. They also address risk management and security control
reviews.
7. What is a policy?
A policy is the outline for a goal that an institution intends to accomplish. A law is an established procedure or
standard that must be followed by members of society. Policies are used to guide the decisions of an organization or
institution, while laws are used to implement justice and order. A policy is informal in nature and is typically a
document that states the intentions of an institution.
8. How is Policy different from a law?
A law is an enforceable restriction or permission by the government.
A policy is unenforceable but often forms the reasoning behind the creation of a law.
A policy is that which outlines what a government is going to do and what it can achieve for the society as a whole.
“Policy” also means what a government does not intend to do. It also evolves the principles that are needed for
achieving the goal. Policies are only documents and not law, but these policies can lead to new laws.
Laws are set standards, principles, and procedures that must be followed in society. Law is mainly made for
implementing justice in the society. There are various types of laws framed like criminal laws, civil laws, and
international laws. While a law is framed for bringing justice to the society, a policy is framed for achieving certain
goals.

9. What are the three general categories of unethical and illegal behavior? [TB :1 Page no :107]
Ignorance—Ignorance of the law is no excuse; however, ignorance of policy and procedures is. The first method of
deterrence is education. This is accomplished by means of designing, publishing, and disseminating organization
policies and relevant laws, and also obtaining agreement to comply with these policies and laws from all members
of the organization. Reminders, training, and awareness programs keep the policy information in front of the
individual and thus better support retention and compliance.
Accident—Individuals with authorization and privileges to manage information within the organization are most
likely to cause harm or damage by accident. Careful planning and control helps prevent accidental modification to
systems and data.
Intent—Criminal or unethical intent goes to the state of mind of the person performing the act; it is often necessary
to establish criminal intent to successfully prosecute offenders. Protecting a system against those with intent to cause
harm or damage is best accomplished by means of technical controls, and vigorous litigation or prosecution if
these controls fail.
10. What is the difference between a threat agent and a threat? [TB :1 Page no :255]
Threat: An object, person, or other entity that represents a constant danger to an asset.
Threat agent: A specific instance or component that represents a danger to an organization’s assets. Threats can be
accidental or purposeful, for example lightning strikes or hackers.
11. What is the difference between vulnerability and exposure? [TB :1 Page no :260]
Vulnerability: Weakness in a controlled system, where controls are not present or are no longer effective.
Exposure: A single instance of a system being open to damage.
Exposure factor (EF): An element of a formula for calculating the value associated with the most likely loss from an
attack, or single loss expectancy (SLE). In SLE = asset value × exposure factor (EF), the exposure factor equals the
expected percentage of loss that would occur from a particular attack.

12. What are the three components of the C.I.A. triangle? What are they used for?
The C.I.A. triangle has been the industry standard for computer security since the development of the mainframe.
It is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.

13. Describe the critical characteristics of information. How are they used in the study of computer
security? [TB :1 Page no :09]

14. Discuss the system-specific security policy. How can managerial guidelines and technical specifications be
used in a SysSP?
Systems-Specific Policy (SysSP)
While issue-specific policies are formalized as written documents, distributed to users, and agreed to in writing,
SysSPs are frequently codified as standards and procedures to be used when configuring or maintaining systems.
Systems-specific policies fall into two groups:
– Access control lists (ACLs) consist of the access control lists, matrices, and capability tables
governing the rights and privileges of a particular user to a particular system. An ACL is a list of access rights
used by file storage systems, object brokers, or other network communications devices to determine which individuals
or groups may access an object that it controls. (Object brokers are system components that handle message requests
between the software components of a system.)
– A similar list, which is also associated with users and groups, is called a capability table. This specifies which
subjects and objects a user or group can access. Capability tables are frequently complex matrices, rather than
simple lists or tables.
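As an added illustration (not part of the course material or the textbook), the same access matrix stored once in ACL form (per object) and once in capability-table form (per subject), with a default-deny check and the revocation step each view makes cheap or expensive. Subjects, objects and rights are constructed sample data.

```python
from typing import Dict, List, Set

# Constructed sample access matrix: subject -> object -> rights.
# Subjects are users or groups; objects are the resources a SysSP governs.
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "hr_share": {"read"}},
    "bob": {"hr_share": {"read", "write"}},
    "auditors": {"payroll.db": {"read"}, "audit.log": {"read"}},
}


def to_acl(matrix: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """ACL view: the matrix stored by column, object -> subject -> rights.
    This is the form a file system or object broker keeps next to each object."""
    acl: Dict[str, Dict[str, Set[str]]] = {}
    for subject, objects in matrix.items():
        for obj, rights in objects.items():
            acl.setdefault(obj, {})[subject] = set(rights)  # copy, never alias
    return acl


def to_capability_table(matrix: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Capability view: the matrix stored by row, subject -> object -> rights."""
    return {subj: {obj: set(r) for obj, r in objs.items()} for subj, objs in matrix.items()}


def is_allowed(acl: Dict[str, Dict[str, Set[str]]], subject: str, obj: str, right: str) -> bool:
    """Reference-monitor style check against the ACL; anything not listed is denied."""
    return right in acl.get(obj, {}).get(subject, set())


def subjects_for_object(acl: Dict[str, Dict[str, Set[str]]], obj: str) -> List[str]:
    """'Who can touch this object?' is a single lookup in the ACL view."""
    return sorted(acl.get(obj, {}))


def objects_for_subject(cap: Dict[str, Dict[str, Set[str]]], subject: str) -> List[str]:
    """'What can this subject reach?' is a single lookup in the capability view."""
    return sorted(cap.get(subject, {}))


def remove_subject(acl: Dict[str, Dict[str, Set[str]]], subject: str) -> int:
    """Revoking a departing user in the ACL view means scanning every object's list.
    Returns the number of entries removed so the revocation can be verified."""
    removed = 0
    for entries in acl.values():
        if entries.pop(subject, None) is not None:
            removed += 1
    return removed


if __name__ == "__main__":
    acl = to_acl(ACCESS_MATRIX)
    cap = to_capability_table(ACCESS_MATRIX)
    print("bob may write payroll.db:", is_allowed(acl, "bob", "payroll.db", "write"))
    print("payroll.db subjects:", subjects_for_object(acl, "payroll.db"))
    print("auditors can reach:", objects_for_subject(cap, "auditors"))
    print("entries removed for alice:", remove_subject(acl, "alice"))
```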
15. Who is responsible for policy management? How is a policy managed? Explain.
Responsible Individual The policy champion and manager is called the policy administrator.
– Policy administrator is a mid-level staff member and is responsible for the creation, revision,
distribution, and storage of the policy.
– It is good practice to actively solicit input both from the technically adept information security
experts and from the business-focused managers in each community of interest when making revisions to security
policies.
– This individual should also notify all affected members of the organization when the policy is modified.
– The policy administrator must be clearly identified on the policy document as the primary point of
contact for additional information or for revision suggestions to the policy.

16. Draw a systematic diagram showing the major steps in contingency planning.

17. What are the components of an ISSP?

18. Draw a neat diagram for the components of contingency planning. [TB :1 Page no :212]

19. What is the Business Impact Analysis?

The first phase in the development of the CP process is the Business Impact Analysis.
A BIA is an investigation and assessment of the impact that various attacks can have on the organization.
It begins with the prioritized list of threats and vulnerabilities identified in the risk management.
The BIA therefore adds insight into what the organization must do to respond to attack, minimize the damage
from the attack, recover from the effects, and return to normal operations.

20. Explain the ISO/IEC 27001:2005 Plan-Do-Check-Act cycle.

21. Explain the importance of an incident response planning strategy. Incident response planning covers the
identification of, classification of, and response to an incident.
What is an incident? What is incident response?
An incident is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or
availability of information resources.
If an action that threatens information occurs and is completed, the action is classified as an incident.
Attacks are only classified as incidents if they have the following characteristics:
1) They are directed against information assets.
2) They have a realistic chance of success.
3) They could threaten the confidentiality, integrity, or availability of information resources.
22. Define the terms policy, standards and practices in the context of information security. Draw a
schematic diagram depicting the inter-relationship between the above.
A policy is a plan or course of action used by an organization to convey instructions from its senior-most
management to those who make decisions, take actions, and perform other duties on behalf of the organization.
Standards, on the other hand, are more detailed statements of what must be done to comply with policy. Standards
may be published, scrutinized, and ratified by a group, as in formal or de jure standards.
Practices, procedures, and guidelines effectively explain how to comply with policy.

Part-C (12 Marks questions)

1. Discuss the system-specific security policy. How can managerial guidelines and technical specifications be used in a SysSP?
2. Who is responsible for policy management? How is a policy managed? Explain the responsible individual.
3. Explain issue-specific security policy.
4. Draw a systematic diagram showing the major steps in contingency planning. Explain in detail the business impact analysis.
5. Explain Pipkin's three categories of incident indicators.
6. Explain the ISO/IEC 27001:2005 Plan-Do-Check-Act cycle.
7. Define policy and explain issue-specific security policy.
8. Explain the importance of an incident response planning strategy.
9. Define the terms policy, standards and practices in the context of information security. Draw a
schematic diagram depicting the inter-relationship between the above.
10. What are the policies that must be defined by the management (of organizations) as per NIST SP 800-14?
Describe briefly the specific areas covered by any two of these policies.
11. What are the components of contingency planning? Describe briefly the important steps involved in
the recovery process after the extent of damage caused by an incident has been assessed.
