Scheme of evaluation
PART – A (10 x 1 = 10 Marks) [K1 and / or K2 Level]
Answer ALL Questions. Each question carries ONE Mark
1. Define Information Security.
Information security in today's enterprise is a "well-informed sense of
assurance that the information risks and controls are in balance." It is
the protection of information and its critical elements, including the
systems and hardware that use, store, and transmit that information.
Tools such as policy, awareness, training, education, and technology are
necessary. The C.I.A. triangle (confidentiality, integrity, and
availability) was the original standard; it has since expanded into a
longer list of critical characteristics of information.
2. What is NSTISSC Security model?
This refers to the "National Security Telecommunications and Information
Systems Security Committee" document, which presents a comprehensive
model for information security. The model consists of three dimensions:
the characteristics of information (confidentiality, integrity,
availability), the states in which information exists (storage,
processing, transmission), and the controls applied to it (policy and
practices, education/training/awareness, technology). Each of the 27
cells of the resulting cube is an area the security program must address.
Page 1 of 9
4. What is malicious code?
A malicious code attack includes the execution of viruses, worms, Trojan
horses, and active Web scripts with the intent to destroy or steal information.
The state-of-the-art malicious code attack is the polymorphic, or
multivector, worm. These attack programs use up to six known attack
vectors to exploit a variety of vulnerabilities in commonly found
information system devices.
5. What is Spoofing?
Spoofing is a technique used to gain unauthorized access whereby the intruder
sends messages to a computer with a forged source IP address indicating that
the message is coming from a trusted host.
PART – B (5 x 4 = 20 Marks) [Only K2 Level]
Answer ALL questions. Each question carries 4 Marks.
11. (a) List out the critical characteristics of Information Security. (4)
Confidentiality
Integrity
Availability
Privacy
Identification
Authentication
Authorization
Accountability
Accuracy
Utility
Possession
[OR]
(b) Information Security: Is It an Art or a Science?
With the level of complexity in today's information systems, the
implementation of information security has often been described as a
combination of art and science.
Security as Art (2)
There are no hard and fast rules, nor are there many universally accepted
complete solutions.
There is no magic user's manual for the security of the entire system.
Complex levels of interaction exist between users, policy, and technology
controls.
Security as Science (2)
It deals with technology designed to operate at high levels of
performance.
Specific conditions cause virtually all actions that occur in computer
systems.
Almost every fault, security hole, and systems malfunction is a result of
the interaction of specific hardware and software.
If the developers had sufficient time, they could resolve and eliminate
these faults.
12. (a) Describe the major types of Attacks in detail. (4)
An attack is an act or action that takes advantage of a vulnerability to
compromise a controlled system. It is accomplished by a threat agent that
damages or steals an organization's information or physical assets.
A vulnerability is an identified weakness in a controlled system, where
controls are not present or are no longer effective.
An attack exists when a specific act or action comes into play and may
cause a potential loss.
Malicious code
Hoaxes
Back Doors
Password Crack
Brute Force
Dictionary
Attack Replication Vectors
IP scan & attack
Web browsing
Virus
Unprotected shares
Mass mail
Simple Network Management Protocol (SNMP)
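The password crack, brute force and dictionary attacks listed above are worth seeing against a concrete hash store. The block below is an added example, not part of this answer key: it runs a dictionary attack and an exhaustive brute-force search against unsalted SHA-256 digests, then shows the salted, iterated PBKDF2 form that makes each guess far more expensive. The wordlist, the target passwords and the round count are constructed for illustration.

```python
"""Dictionary and brute-force attacks on password hashes, and the slow
salted hash that raises their cost.

Added example, not from the original document. The wordlist and the
'recovered' hashes are constructed; PBKDF2 with 100k rounds stands in for
whatever slow KDF a real system would use (e.g. bcrypt, scrypt, Argon2).
"""
import hashlib
import itertools
import os
import string
from typing import Callable, Optional, Tuple

WORDLIST = ["password", "letmein", "welcome", "qwerty", "summer2024", "admin"]  # constructed


def sha256_hex(pw: str) -> str:
    """Fast, unsalted hash: the kind of store these attacks work best against."""
    return hashlib.sha256(pw.encode()).hexdigest()


def dictionary_attack(target_hash: str, wordlist, hash_fn: Callable[[str], str] = sha256_hex
                      ) -> Tuple[Optional[str], int]:
    """Try each candidate word in order; return (password or None, guesses made)."""
    for n, word in enumerate(wordlist, 1):
        if hash_fn(word) == target_hash:
            return word, n
    return None, len(wordlist)


def brute_force(target_hash: str, alphabet: str = string.digits, max_len: int = 4,
                hash_fn: Callable[[str], str] = sha256_hex) -> Tuple[Optional[str], int]:
    """Exhaustively try every string over `alphabet` up to `max_len` characters."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            cand = "".join(combo)
            if hash_fn(cand) == target_hash:
                return cand, guesses
    return None, guesses


# A salted, iterated hash: the salt defeats precomputed (rainbow) tables and
# the round count multiplies the cost of every guess by PBKDF2_ROUNDS.
PBKDF2_ROUNDS = 100_000


def pbkdf2_store(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) to store for a new password; a fresh random salt per user."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def pbkdf2_verify(pw: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare (constant-time compare in real code)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS) == digest


if __name__ == "__main__":
    # Unsalted SHA-256 of a word from the list falls to the dictionary immediately.
    print(dictionary_attack(sha256_hex("welcome"), WORDLIST))
    # A 4-digit PIN falls to brute force after at most 11,110 guesses.
    print(brute_force(sha256_hex("0417")))
    # The same guess against PBKDF2 costs 100,000 hash rounds instead of one.
    salt, digest = pbkdf2_store("0417")
    print(pbkdf2_verify("0417", salt, digest), pbkdf2_verify("0418", salt, digest))
```

The guess counts returned by `dictionary_attack` and `brute_force` are the attacker's work factor; a slow KDF does not reduce those counts, it multiplies the cost of each one, which is the whole argument for not storing fast unsalted hashes.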
[OR]
(b) Write a note on
i) Technological Obsolescence (2)
When the infrastructure becomes antiquated or outdated, it leads to
unreliable and untrustworthy systems.
Management must recognize that when technology becomes outdated, there
is a risk of loss of data integrity to threats and attacks.
Ideally, proper planning by management should prevent the risks from
technology obsolescence, but when obsolescence is identified, management
must take action.
[OR]
(b) Explain the roles to be played by the communities of interest to manage
the risks an organization encounters? (4)
It is the responsibility of each community of interest to manage risks;
each community has a role to play:
Information Security - best understands the threats and attacks that
introduce risk into the organization
Management and Users - play a part in the early detection and response
process; they also ensure that sufficient resources are allocated
Information Technology - must assist in building secure systems and
operating them safely
Accountability for Risk Management
Risk Management Process
14. (a) List the contents of NIST Special Publication SP 800-14. (4)
"Generally Accepted Principles and Practices for Securing Information
Technology Systems" provides best practices and security principles that
can direct the security team in the development of the security blueprint,
as given below:
Security Supports the Mission of the Organization
Security is an Integral Element of Sound Management
Security Should Be Cost-Effective
Systems Owners Have Security Responsibilities Outside Their Own Organizations
Security Responsibilities and Accountability Should Be Made Explicit
Security Requires a Comprehensive and Integrated Approach
Security Should Be Periodically Reassessed
Security is Constrained by Societal Factors
33 Principles enumerated
[OR]
(b) Discuss about SETA. (4)
As soon as a general security policy exists, policies to implement a
security education, training and awareness (SETA) program should follow.
SETA is a control measure designed to reduce accidental security
breaches by employees.
Security education and training build on the general knowledge the
employees must possess to do their jobs, familiarizing them with the
way to do their jobs securely.
[OR]
(b) What is Cryptography? Explain the key terms associated with
cryptography. (4)
[OR]
(b) Briefly explain the components of an information system and their security.(6)
Software
Hardware
Data
People
Procedures
Networks
17. (a) What are the four important functions that information security
performs in an organization? (6)
18. (a) Discuss in detail about different risk control strategies? (6)
Four basic strategies are used to control the risks that result from
vulnerabilities:
Apply safeguards (avoidance)
Transfer the risk (transference)
Reduce the impact (mitigation)
Understand all of the consequences and accept the risk without control
or mitigation (acceptance)
[OR]
(b) Explain in detail the process of asset identification for different categories.
(6)
People, Procedures, and Data Asset Identification
Unlike the tangible hardware and software elements already described,
the human resources, documentation, and data information assets are not
as readily discovered and documented.
These assets should be identified, described, and evaluated by people
using knowledge, experience, and judgment.
As these elements are identified, they should also be recorded into some
reliable data handling process.
Asset Information for People
Hardware, Software, and Network Asset Identification
Asset Information for Procedures
Asset Information for Data
19. (a) Explain in detail the three types of Security policies. (6)
Types of Policy
Management defines three types of security policy:
• Enterprise Information Security Policy (EISP)
• Issue-specific security policies (ISSP)
• Systems-specific security policies (SysSP)
[OR]
(b) Write Short notes on
i) Security Perimeter (3)
A Security Perimeter is the first level of security that protects all internal
systems from outside threats.
Unfortunately, the perimeter does not protect against internal attacks
from employee threats, or on-site physical threats.
Security perimeters can effectively be implemented as multiple
technologies that segregate the protected information from those who
would attack it.
Within security perimeters the organization can establish security
domains, or areas of trust within which users can freely communicate.
The presence and nature of the security perimeter is an essential element
of the overall security framework, and the details of implementing the
perimeter make up a great deal of the particulars of the completed
security blueprint.
The key components used for planning the perimeter are presented in the
following sections on firewalls, DMZs, proxy servers, and intrusion
detection systems.
implementation of security in layers. This layered approach is called
defense in depth.
Defense in depth requires that the organization establish sufficient
security controls and safeguards, so that an intruder faces multiple layers
of controls.
Implementing multiple types of technology and thereby preventing the
failure of one system from compromising the security of the information
is referred to as redundancy.
20. (a) Discuss about the different types of intrusion detection and prevention systems
with neat sketch. (6)
• Host-based IDS
• Network-based IDS
• Signature-based IDS
• Statistical Anomaly-based IDS (also called Behaviour-based IDS)
• Log File Monitors (LFM)
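The difference between the signature-based and statistical anomaly-based types above is easiest to see when both run over the same log. The block below is an added example, not part of this answer key: a signature detector with three constructed patterns and an anomaly profile that learns normal requests-per-source from a training window, then flags sources in a later window that exceed mean plus k standard deviations. The log lines, signatures and thresholds are all constructed; the scanner is caught only by the anomaly detector and the traversal attempt only by the signatures, which is the usual reason the two are deployed together.

```python
"""Signature-based versus statistical anomaly-based detection over web-server logs.

Added example, not part of the original answer key. Log lines, signatures
and thresholds are constructed for illustration; the log format is the
common combined/CLF shape.
"""
import re
import statistics
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature-based IDS: known-bad patterns. High precision, but anything not
# in the list (a new scanner, a novel exploit) passes silently.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_tautology": re.compile(r"(?i)(?:'|%27)\s*or\s*1\s*=\s*1"),
    "cgi_command_injection": re.compile(r"/cgi-bin/.*;\s*(?:cat|wget|curl)\b"),
}


def parse(line):
    """Return the request fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Return (source ip, signature name) for every request matching a signature."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        for name, rx in SIGNATURES.items():
            if rx.search(rec["path"]):
                alerts.append((rec["ip"], name))
    return alerts


class AnomalyProfile:
    """Statistical anomaly-based IDS: learn the normal requests-per-source
    distribution, then flag sources whose volume exceeds mean + k*sd."""

    def __init__(self):
        self.mean = self.sd = None

    def train(self, lines):
        counts = Counter(rec["ip"] for rec in filter(None, map(parse, lines)))
        values = list(counts.values())
        self.mean, self.sd = statistics.mean(values), statistics.pstdev(values)
        return self

    def detect(self, lines, k=3.0):
        counts = Counter(rec["ip"] for rec in filter(None, map(parse, lines)))
        limit = self.mean + k * self.sd
        return [(ip, n) for ip, n in counts.items() if n > limit]


def make_line(ip, path, status=200, method="GET"):
    """Build a constructed access-log line."""
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" {status} 512'


# Training window: ten normal sources making 1-4 requests each (constructed).
TRAINING = [make_line(f"192.0.2.{i}", "/index.html")
            for i, n in enumerate([1, 2, 3, 2, 2, 3, 1, 2, 4, 2], 1) for _ in range(n)]

# Detection window (constructed): one normal user, one scanner probing 40 paths
# that match no signature, and one low-volume directory-traversal attempt.
DETECTION = (
    [make_line("192.0.2.3", "/about.html")] * 3
    + [make_line("198.51.100.9", f"/probe{k}", 404) for k in range(40)]
    + [make_line("203.0.113.5", "/download?file=../../etc/passwd")]
)

if __name__ == "__main__":
    profile = AnomalyProfile().train(TRAINING)
    print("signature:", signature_alerts(DETECTION))
    print("anomaly:  ", profile.detect(DETECTION))
```

The anomaly profile has the classic weakness of its type as well: if the scanner had been active during the training window, its volume would have been learned as normal, so training data must itself be vetted.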
[OR]
(b) Outline scanning and analysis tools used during the security design. (6)
o Port Scanners
o Firewall Analysis Tools
o Packet Sniffers
o Wireless Security Tools
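The simplest of the port scanners listed above is a TCP connect() scanner: it completes a full handshake to each port and reports the ones that accept. The block below is an added example, not part of this answer key, and is not the code of any real scanning tool; it starts its own listener on 127.0.0.1 so the scan has a known open port to find, and the host and port range are constructed for the demonstration.

```python
"""TCP connect() port scanner with a self-hosted target.

Added example, not from the original document. A connect() scan is the
noisiest form (every probe completes a handshake the target logs), but it
needs no raw sockets and illustrates what a scanner reports.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """Full TCP handshake: True if something accepts connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def scan(host, ports, workers=32):
    """Probe the ports concurrently and return the sorted list of open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def start_listener(host="127.0.0.1"):
    """Bind an ephemeral port on loopback and listen; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0: let the kernel pick a free port
    srv.listen(8)
    return srv, srv.getsockname()[1]


def demo():
    """Open a listener, scan the ports around it, close it; return (port, open ports)."""
    srv, port = start_listener()
    try:
        found = scan("127.0.0.1", range(port - 5, port + 6))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    port, found = demo()
    print(f"listener on {port}; scanner reported open ports {found}")
```

On a real network the same scan is what a network-based IDS expects to see as a burst of connections from one source to many ports, which ties this tool back to the detection discussion above.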
*****