Professional Documents
Culture Documents
INFORMATION SECURITY
VIII SEMESTER
Course Objectives:
1. To provide an understanding of principal concepts, major issues, technologies and basic
approaches in informationsecurity.
2. Develop an understanding of information assurance as practiced in computer operating
systems,distributedsystems,networksandrepresentativeapplications.
3. Gainfamiliaritywithprevalentnetworkanddistributedsystemattacks,defensesagainstthem
andforensicstoinvestigatetheaftermath.
4. Developabasicunderstandingofcryptography,howithasevolvedandsomekeyencryption
techniques usedtoday.
5. Develop an understanding of security policies (such as authentication, integrity and
confidentiality), as well as protocols to implement such policies in the form of message
exchanges.
Course Outcomes:
On successful completion of the module students will be able to:
1. Tomasterinformationsecuritygovernance,andrelatedlegalandregulatoryissues
2. Tobefamiliarwithhowthreatstoanorganizationarediscovered,analyzed,anddealtwith
3. Tobefamiliarwithnetworksecuritythreatsandcountermeasures
4. To be familiar with network security designs using available secure solutions (such as PGP,
SSL, IPSec,etc)
5. Tobefamiliarwithadvancedsecurityissuesandtechnologies(suchasDDoSattackdetection
and containment, and anonymous communications,)
UNIT–I
FUNDAMENTALS: Introduction to Information Security - Critical Characteristics of Information -
NSTISSC Security Model - Components of an Information System - Securing the Components -
BalancingSecurityandAccess-SDLC-SecuritySDLC.
UNIT –II
SECURITY INVESTIGATION: Need for Security - Business Needs - Threats - Attacks - Legal,
Ethical and Professional Issues.
UNIT – III
SECURITY ANALYSIS: Risk Management: Identifying and Assessing Risk - Assessing and
Controlling Risk - Trends in Information Risk Management - Managing Risk in an Intranet
Environment.
UNIT – IV
LOGICALDESIGN:BlueprintforSecurity-InformationSecurityPolicy-StandardsandPractices
- ISO 17799/BS 7799 - NIST Models - VISA International Security Model - Design of Security
Architecture - Planning for Continuity.
UNIT – V
PHYSICALDESIGN:SecurityTechnology-IDS,ScanningandAnalysisTools-Cryptography-
AccessControlDevices-PhysicalSecurity-SecurityandPersonnelissues.
Text Books:
1. Michael E Whitman and Herbert J Mattord, “Principles of Information Security”, Vikas
Publishing House, New Delhi, 2003.
Reference Books:
1. MickiKrause,HaroldF.Tipton,“HandbookofInformationSecurityManagement”,Vol1-3CRC Press
LLC,2004.
2. StuartMcClure,JoelScrambray,GeorgeKurtz,“HackingExposed”,TataMcGrawHill,2003
3. MattBishop,“ComputerSecurityArtandScience”,Pearson/PHI,2002.
Website: Website:
1. http://www.cryptography.com/
2. https://www.schneier.com/cryptography.html
3. http://www.information-security-policies-and-standards.com/
4. www.jhuapl.edu/ourwork/nsa/
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
Prepared By:
Ms.J.KANIMOZHI,AP/CSE
Verifiedby: Approvedby:
UNIT- I
FUNDAMENTALS: Introduction to Information Security - Critical Characteristics of
Information - NSTISSC Security Model - Components of an Information System - Securing
theComponents-BalancingSecurityandAccess-SDLC-SecuritySDLC.
2 MARKS
1. WhatisInformation? (MAY2017)
Knowledge communicated or received concerning a particular fact or circumstance. Information is
stimulithathasmeaninginsomecontextforitsreceiver.Wheninformationisenteredintoandstored in a
computer, it is generally referred to as data. After processing (such as formatting and printing),
outputdatacanagainbeperceivedasinformation.
2. Whatisinformationsecurity? (NOV2018)
Information security in today’s enterprise is a “well-informed sense of assurance that the
information risks and controls are in balance.”
The protection of information and its critical elements, including the systems and hardware that
use,store,andtransmitthatinformation.
Tools,suchaspolicy,awareness,training,education,andtechnologyarenecessary.
4. Tracethehistoryofinformationsecurity?
Computersecuritybeganimmediatelyafterthefirstmainframesweredeveloped.
Groups developing code-breaking computations during World War II created the first modern
computers.
Physical controls were needed to limit access to authorized personnel to sensitive military
locations.
Only rudimentary controls were available to defend against physical theft, espionage, and
sabotage.
7. What is PhysicalSecurity?
ThePhysicalSecurityistoprotectphysicalitems,objectsorareasoforganizationfromunauthorized access
andmisuse.
8. What is PersonalSecurity?
ThePersonalSecurityinvolvesprotectionofindividualsorgroupofindividualswhoareauthorizedto
accesstheorganizationanditsoperations.
9. What is OperationSecurity?
The Operations security focuses on the protection of the details of particular operations or series of
activities.
11. WhatisNetworkSecurityandInformationSecurity?
The network security is the protection of networking components, connections, and contents.
The Information security is the protection of information and its critical elements including the
systems and hardware that use, store, and transmit the information.
12. Whatarethecriticalcharacteristicsofinformation?
Availability
Accuracy
Authenticity
Confidentiality
Integrity
Utility
Possession
13. WhatismeantbyAvailabilityofinformation?
Availabilityofinformationenablesauthorizedtoaccessinformationwithoutinterferenceandreceive
itintherequiredformat.
14. WhatisAccuracyofinformation?
Accuracyofinformationreferstoinformationwhichisfreefrommistakesorerrorsandhasthevalue the end
userexpects.
15. WhatisAuthenticityofinformation?
Authenticity of information refers to quality or state of being genuine or original, rather than
reproduction. Information is authentic when the contents are original as it was created, palced or
stored or transmitted.
17. WhatismeantbyConfidentiality?
Information has confidentiality when disclosure or exposure to unauthorized individuals or systems
is prevented.
18. WriteshortnotesonIntegrity,UtilityandPossessionofInformation?
Integrity–Informationhasintegritywhenitiswhole,complete,anduncorrupted.
Utility–Theutilityofinformationisthequalityorstateofhavingvalueforsomepurposeorend.
Possession–thepossessionofinformationisthequalityorstateofhavingownershiporcontrol
ofsomeobjectoritem.
19. Listthecomponentsofaninformationsystem?
An Information System (IS) is the entire set of
1. Software
2. Hardware
3. Data
4. People
5. proceduresnecessarytouseinformationasaresourceintheorganization
20. Writeaboutthesoftwarecomponentofaninformationsystem?
The software component of IS comprises applications, operating systems, and assorted command
utilities. Software programs are the vessels that carry the life blood of information through an
organization. Software programs become an easy target of accidental or intentional attacks.
21. Writeaboutthehardwarecomponentofaninformationsystem?
Hardware is the physical technology that houses and executes the software, stores and carries the
data,providesinterfacesfortheentryandremovalofinformationfromthesystem.Physicalsecurity
policiesdealswiththehardwareasaphysicalassetandwiththeprotectionoftheseassetsfromtheft.
22. WriteshortnotesonDatacomponentsofaninformationsystem?
Data stored, processed, and transmitted through a computer system must be protected. Data is the
most valuable asset possessed by an organization and it is the main target of intentional attacks.
23. WriteaboutPeoplecomponentsofaninformationsystem?
Though often overlooked in computer security considerations, people have always been a threat to
informationsecurityandtheyaretheweakestlinkinasecuritychain policy,educationandtraining,
awareness, and technology should be properly employed to prevent people from accidently or
intentionallydamagingorlosinginformation.
24. WriteaboutProcedurescomponentsofaninformationsystem?
Procedures are written instructions for accomplishing when an unauthorized user obtains an
organization’s procedures, it poses threat to the integrity of the information. Educating employees
about safeguarding the procedures is as important as securing the information system. Lax in security
procedurescausedthelossofovertenmilliondollarsbeforethesituationwascorrected.
25. WriteshortnotesonNetworkscomponentsofaninformationsystem?
InformationsystemsinLANsareconnectedtoothernetworkssuchastheinternetandnewsecurity
challenges are rapidly emerge. Apart from locks and keys which are used as physical security
measures,networksecurityalsoanimportantaspecttobeconsidered.
26. Whencanacomputerbeasubjectandanobjectofattack? (NOV 2017)
Securing the Components
Thecomputercanbeeitherorboththesubjectofanattackand/ortheobjectofanattack.
When a computeris
– thesubjectofanattack,itisusedasanactivetooltoconducttheattack.
– theobjectofanattack,itistheentitybeingattacked.
27. WhatismeantbybalancingSecurityandAccess?
Balancing Security and Access
Itisimpossibletoobtainperfectsecurity-itisnotanabsolute;itisaprocess.
Securityshouldbeconsideredabalancebetweenprotectionandavailability.
Toachievebalance,thelevelofsecuritymustallowreasonableaccess,yetprotectagainstthreats.
28. Listtheapproachesusedforimplementinginformationsecurity?
1. Bottom UpApproach
2. Top-downApproach
SRI MANAKULA VINAYAGAR ENGINEERINGCOLLEGE
29. Draw the diagrammatic representation of the two approaches used for implementing
informationsecurity?
30. Whatismeantbybottomupapproach?
Securityfromagrass-rootseffort-systemsadministratorsattempttoimprovethesecurityoftheir
systems.
Keyadvantage-technicalexpertiseoftheindividualadministrators.
Seldomworks,asitlacksanumberofcriticalfeatures:
– participantsupport
– organizational stayingpower
31. WriteshortnotesonTop-downApproach?
Initiated by uppermanagement:
– issuepolicy,procedures,andprocesses
– dictatethegoalsandexpectedoutcomesoftheproject
– determinewhoisaccountableforeachoftherequiredactions
This approach has strong upper management support, a dedicated champion, dedicatedfunding,
clearplanning,andthechancetoinfluenceorganizationalculture.
Mayalsoinvolveaformaldevelopmentstrategyreferredtoasasystemsdevelopmentlifecycle.
Most successful top-downapproach.
35. WriteaboutInvestigationphaseofSDLC?
What is the problem the system is being developed to solve?
– Theobjectives,constraints,andscopeoftheprojectarespecified.
– Apreliminarycost/benefitanalysisisdeveloped.
– A feasibility analysis is performed to assesses the economic, technical, and behavioral feasibilities
of theprocess.
38. WriteaboutphysicalphaseofSDLC?
Specifictechnologiesareselectedtosupportthealternativesidentifiedandevaluatedinthelogical
design.
Selectedcomponentsareevaluatedbasedonamake-or-buydecision.
Entiresolutionispresentedtotheend-userrepresentativesforapproval.
39. WriteaboutImplementationphaseofSDLC?
Componentsareordered,received,assembled,andtested.
Usersaretrainedanddocumentationcreated.
Usersarethenpresentedwiththesystemforaperformancereviewandacceptancetest.
40. WriteaboutMaintenanceandChangephaseofSDLC?
Tasksnecessarytosupportandmodifythesystemfortheremainderofitsusefullife.
Thelifecyclecontinuesuntiltheprocessbeginsagainfromtheinvestigationphase.
Whenthecurrentsystemcannolongersupportthemissionoftheorganization,anewprojectis
implemented.
42. WriteaboutInvestigationphaseofSecuritySDLC?
Identifiesprocess,outcomesandgoalsoftheproject,andconstraints.
Beginswithastatementofprogramsecuritypolicy.
Teamsareorganized,problemsanalyzed,andscopedefined,includingobjectives,andconstraints.
notcoveredintheprogrampolicy.
Anorganizationalfeasibilityanalysisisperformed.
43. WriteaboutAnalysisphaseofSecuritySDLC?
Analysis of existing security policies or programs, along with documented current threats and
associatedcontrols.
Includesananalysisofrelevantlegalissuesthatcouldimpactthedesignofthesecuritysolution.
Theriskmanagementtask(identifying,assessing,andevaluatingthelevelsofrisk)alsobegins.
44. Write short notes on Logical & Physical Designphases of Security SDLC?
Creates blueprints forsecurity.
Criticalplanningandfeasibilityanalysestodeterminewhetherornottheprojectshouldcontinue.
In physical design, security technology is evaluated, alternatives generated, and final design
selected.
At end of phase, feasibility study determines readiness so all parties involved have a chance to
approve theproject.
45. WriteaboutImplementationphaseofSecuritySDLC?
Thesecuritysolutionsareacquired(madeorbought),tested,andimplemented,andtestedagain.
Personnelissuesareevaluatedandspecifictrainingandeducationprogramsconducted.
Finally,theentiretestedpackageispresentedtouppermanagementforfinalapproval.
46. WriteaboutMaintenanceandChangephaseofSecuritySDLC?
Themaintenanceandchangephaseisperhapsmostimportant,giventhehighlevelofingenuityin
today’sthreats.
Thereparationandrestorationofinformationisaconstantduelwithanoftenunseenadversary.
Asnewthreatsemergeandoldthreatsevolve,theinformationsecurityprofileofanorganization
requires constantadaptation.
47. WriteshortnotesonInformationSecurityisanArt?
Withthelevelofcomplexityintoday’sinformationsystems,theimplementationofinformation
securityhasoftenbeendescribedasacombinationofartandscience.
Security as Art
Nohardandfastrulesnoraretheremanyuniversallyacceptedcompletesolutions.
Nomagicuser’smanualforthesecurityoftheentiresystem.
Complexlevelsofinteractionbetweenusers,policy,andtechnologycontrols.
48. WriteshortnotesonInformationSecurityasScience?
Dealingwithtechnologydesignedtoperformathighlevelsofperformance.
Specificconditionscausevirtuallyallactionsthatoccurincomputersystems.
Almost every fault, security hole, and systems malfunction is a result of the interaction of specific
hardware andsoftware.
Ifthedevelopershadsufficienttime,theycouldresolveandeliminatethesefaults
49. Howinformationsecurityisviewedasasocialscience?
Socialscienceexaminesthebehaviorofindividualsinteractingwithsystems
Securitybeginsandendswiththepeoplethatinteractwiththesystem
Endusersmaybetheweakestlinkinthesecuritychain
Securityadministratorscangreatlyreducethelevelsofriskcausedbyendusers,andcreatemore
acceptableandsupportablesecurityprofiles
50. Describe the information security roles to be played by Senior Management in a typical
organization?
Chief InformationOfficer
– the senior technologyofficer
– primarilyresponsibleforadvisingtheseniorexecutive(s)forstrategicplanning
Chief Information SecurityOfficer
– responsible for the assessment, management, and implementation of securing the
information in theorganization
– may also be referred to as the Manager for Security, the Security Administrator, or a
similartitle
51. Describe the information security roles to be played by Security Project Team in a typical
organization?
A number of individuals who are experienced in one or multiple requirements of both the
technical and non-technicalareas:
– Thechampion
– The teamleader
– Security policydevelopers
– Risk assessmentspecialists
– Securityprofessionals
– Systemsadministrators
– Endusers
52. Whatarethethreetypesofdataownershipandtheirresponsibilities?
DataOwner
DataCustodian
DataUsers
53. WhoiscalledDataowner?
Data Owner - responsible for the security and use of a particular set of information
54. Who is called DataCustodian?
Data Custodian - responsible for the storage, maintenance, and protection of the information.
57. Whatisthedifferencebetweenvulnerabilityandexposure?
The exposure of an information system is a single instance when the system is open to damage.
Weaknessorfaultsinasystemexposeinformationorprotectionmechanismthatexposeinformation
toattackordamageorknownasvulnerabilities.
58. Whatisattack?Writeitstypes.
An attack is an intentional or unintentional attempt to cause damage or otherwise compromise the
information.
If someone casually reads sensitive information not intended for his or her use ,this considered as a
passive attack.
If a hacker attempts to break into an information system, the attack is considered active.
In early days the computer enthusiasts are called hacks or hackers because they could tear apart the
computer instruction code, or even a computer itself.
Inrecentyears,thetermhackerisusedinanegativesense,thatis,thepersonsgainingillegalaccessto
others’computersystemsandprogramsandmanipulatinganddamaging.
60. Whatissecurityblueprint?
The security blue print is the plan for the implementation of new security measures in the
organization. Sometimes called a framework, the blue print presents an organized approach to the
security planning process.
1. What is Security? What are the security layers, a successful organization should have on its
security? (5MARKS)
“Thequalityorstateofbeingsecure--tobefreefromdanger”
Tobeprotectedfromadversaries
Physical Security – to protect physical items, objects or areas of organization from
unauthorized access andmisuse.
Personal Security – involves protection of individuals or group of individuals who are
authorizedtoaccesstheorganizationanditsoperations.
Operationssecurity–focusesontheprotectionofthedetailsofparticularoperationsorseries
ofactivities.
Communications security – encompasses the protection of organization’s communications
media, technology andcontent.
Networksecurity–istheprotectionofnetworkingcomponents,connections,andcontents.
Informationsecurity–istheprotectionofinformationanditscriticalelements,includingthe
systemsandhardwarethatuse,store,andtransmittheinformation.
Availabilityenablesauthorizedusers—personsorcomputersystems—toaccessinformationwithout
interferenceorobstructionandtoreceiveitintherequiredformat.
Consider, for example, research libraries that require identification before entrance. Librarians
protectthecontentsofthelibrarysothattheyareavailableonlytoauthorizedpatrons.Thelibrarianmust accept
a patron’s identification before that patron has free access to the book stacks. Once authorized
patronshaveaccesstothecontentsofthestacks,theyexpecttofindtheinformationtheyneedavailablein
auseableformatandfamiliarlanguage,whichinthiscasetypicallymeansboundinabookandwrittenin
English.
Accuracy Information has accuracy when it is free from mistakes or errors and it has the value
thattheenduserexpects.Ifinformationhasbeenintentionallyorunintentionallymodified,itisnolonger
accurate.Consider,forexample,acheckingaccount.Youassumethattheinformationcontainedinyour
checkingaccountisanaccuraterepresentationofyourfinances.Incorrectinformationinyourchecking
account can result from external or internal errors. If a bank teller, for instance, mistakenly adds or
subtractstoomuchfromyouraccount,thevalueoftheinformationischanged.Or,youmayaccidentally
enteranincorrectamountintoyouraccountregister.Eitherway,aninaccuratebankbalancecouldcause
youtomakemistakes,suchasbouncingacheck.
Authenticity of information is the quality or state of being genuine or original, rather than a
reproduction or fabrication. Information is authentic when it is in the same state in which it was created,
placed, stored, or transferred. Consider for a moment some common assumptions about e-mail. When you
receive e-mail, assume that a specific individual or group created and transmitted the e-mail—assume that
the origin of the e-mail is known. This is not always the case. E-mail spoofing, the act of sending an e-mail
message with a modified field, is a problem, because often the modified field is the address of the
originator. Spoofing the sender’s address can fool e-mail recipients into thinking that messages are
legitimate traffic, thus inducing them to open e-mail they otherwise might not have. Spoofing can also alter
data being transmitted across a network, as in the case of user data protocol (UDP) packet spoofing, which
canenabletheattackertogetaccesstodatastoredoncomputingsystems.
Another variation on spoofing is phishing, when an attacker attempts to obtain personal or
financialinformationusingfraudulentmeans,mostoftenbyposingasanotherindividualororganization.
Pretending to be someone you are not is sometimes called pretexting when it is undertaken by law
enforcementagentsorprivateinvestigators.Whenusedinaphishingattack,e-mailspoofingluresvictims
toaWebserverthatdoesnotrepresenttheorganizationitpurportsto,inanattempttostealtheirprivate data such
as account numbers and passwords. The most common variants include posing as a bank or
brokeragecompany,e-commerceorganization,orInternetserviceprovider.
ConfidentialityInformationhasconfidentialitywhenitisprotectedfromdisclosureorexposureto
unauthorizedindividualsorsystems.Confidentialityensuresthatonlythosewiththerightsandprivileges
toaccessinformationareabletodoso.Whenunauthorizedindividualsorsystemscanviewinformation,
confidentiality is breached. To protect the confidentiality of information, there is number of measures,
including thefollowing:
Informationclassification
Securedocumentstorage
Application of general securitypolicies
Educationofinformationcustodiansandendusers
Thethreedimensionsofeachaxisbecomea3X3X3cubewith27cellsrepresentingareasthatmust
beaddressedtosecuretoday’sinformationsystems.Toensuresystemsecurity,eachofthe27areasmust be
properly addressed during the security process. For example, the intersection between technology,
integrity,andstoragerequiresacontrolorsafeguardthataddressestheneedtousetechnologytoprotect the
integrity of information while in storage. One such control might be a system for detecting host
intrusionthatprotectstheintegrityofinformationbyalertingthesecurityadministratorstothepotential
modificationofacriticalfile.Whatiscommonlyleftoutofsuchamodelistheneedforguidelinesand
policiesthatprovidedirectionforthepracticesandimplementationsoftechnologies
4. List and explain the various Components of anInformationSystem? (MAY, NOV2017)
(MAY, NOV2018)
Aninformationsystem(IS)ismuchmorethancomputerhardwareistheentiresetofsoftware,
hardware,data,people,procedures,andnetworksthatmakepossibletheuseofinformationresourcesin the
organization. These six critical components enable information to be input, processed, output, and
stored. Each of these IS components has its own strengths and weaknesses, as well as its own
characteristics and uses. Each component of the information system also has its own security
requirements.
Software
The software component of the IS comprises applications, operating systems, and assorted
command utilities. Software is perhaps the most difficult IS component to secure. The exploitation of
errors in software programming accounts for a substantial portion of the attacks on information. The
information technology industry is rife with reports warning of holes, bugs, weaknesses, or other
fundamentalproblemsinsoftware.Infact,manyfacetsofdailylifeareaffectedbybuggysoftware,from
smartphonesthatcrashtoflawedautomotivecontrolcomputersthatleadtorecalls.
Software carries the lifeblood of information through an organization. Unfortunately, software
programs are often created under the constraints of project management, which limit time, cost, and
manpower.Informationsecurityisalltoooftenimplementedasanafterthought,ratherthandevelopedas an
integral component from the beginning. In this way, software programs become an easy target of
accidental or intentionalattacks.
Hardware
Hardwareisthephysicaltechnologythathousesandexecutesthesoftware,storesandtransports the
data, and provides interfaces for the entry and removal of information from the system. Physical
security policies deal with hardware as a physical asset and with the protection of physical assets from
harmortheft.Applyingthetraditionaltoolsofphysicalsecurity,suchaslocksandkeys,restrictsaccessto
andinteractionwiththehardwarecomponentsofaninformationsystem.Securingthephysicallocationof
computers and the computers themselves is important because a breach of physical security can result in
a loss of information. Unfortunately, most information systems are built on hardware platforms that
cannot guarantee any level of information security if unrestricted access to the hardware is possible.
Before September 11, 2001, laptop thefts in airports were common. A two-person team worked to steal a
computerasitsownerpasseditthroughtheconveyorscanningdevices.
The first perpetrator entered the security area ahead of an unsuspecting target and quickly went
through. Then, the second perpetrator waited behind the target until the target placed his/her computer
on the baggage scanner. As the computer was whisked through, the second agent slipped ahead of the
victim and entered the metal detector with a substantial collection of keys, coins, and the like, thereby
slowing the detection process and allowing the first perpetrator to grab the computer and disappear in a
crowdedwalkway.WhilethesecurityresponsetoSeptember11,2001didtightenthesecurityprocessat
airports,hardwarecanstillbestoleninairportsandotherpublicplaces.Althoughlaptopsandnotebook
computersareworthafewthousanddollars,theinformationcontainedinthemcanbeworthagreatdeal
moretoorganizationsandindividuals.
Data
Data stored, processed, and transmitted by a computer system must be protected. Data is often the
most valuable asset possessed by an organization and it is the main target of intentional attacks. Systems
developed in recent years are likely to make use of database management systems. When done properly,
this should improve the security of the data and the application. Unfortunately, many system development
projects do not make full use of the database management system’s security capabilities, and in some
casesthedatabaseisimplementedinwaysthatarelesssecurethantraditionalfilesystems.
People
Though often overlooked in computer security considerations, people have always been a threat to
informationsecurity.Legendhasitthataround200B.C.agreatarmythreatenedthesecurityandstability of the
Chinese empire. So ferocious were the invaders that the Chinese emperor commanded the
constructionofagreatwallthatwoulddefendagainsttheHuninvaders.Around1275A.D.,KublaiKhan
finallyachievedwhattheHunshadbeentryingforthousandsofyears.Initially,theKhan’sarmytriedto
climbover,digunder,andbreakthroughthewall.Intheend,theKhansimplybribedthegatekeeper—and
therestishistory.Whetherthiseventactuallyoccurredornot,themoralofthestoryisthatpeoplecanbe the
weakest link in an organization’s information security program. And unless policy, education and
training, awareness, and technology are properly employed to prevent people from accidentally or
intentionallydamagingorlosinginformation,theywillremaintheweakestlink.Socialengineeringcan prey
on the tendency to cut corners and the commonplace nature of human error. It can be used to
manipulatetheactionsofpeopletoobtainaccessinformationaboutasystem.
Procedures
Another frequently overlooked component of an IS is procedures. Procedures are written
instructions for accomplishing a specific task. When an unauthorized user obtains an organization’s
procedures, this poses a threat to the integrity of the information. For example, a consultant to a bank
learnedhowtowirefundsbyusingthecomputercenter’sprocedures,whichwerereadilyavailable.By
takingadvantageofasecurityweakness(lackofauthentication),thisbankconsultantorderedmillionsof
dollarstobetransferredbywiretohisownaccount.
Lax security procedures caused the loss of over ten million dollars before the situation was
corrected.Mostorganizationsdistributeprocedurestotheirlegitimateemployeessotheycanaccessthe
informationsystem,butmanyofthesecompaniesoftenfailtoprovidepropereducationontheprotection of the
procedures. Educating employees about safeguarding procedures is as important as physically securing
the information system. After all, procedures are information in their own right. Therefore,
knowledgeofprocedures,aswithallcriticalinformation,shouldbedisseminatedamongmembersofthe
organizationonlyonaneed-to-knowbasis.
Networks
TheIScomponentthatcreatedmuchoftheneedforincreasedcomputerandinformationsecurity
isnetworking.Wheninformationsystemsareconnectedtoeachothertoformlocalareanetworks(LANs), and
these LANs are connected to other networks such as the Internet, new security challenges rapidly
emerge.Thephysicaltechnologythatenablesnetworkfunctionsisbecomingmoreandmoreaccessibleto
organizationsofeverysize.Applyingthetraditionaltoolsofphysicalsecurity,suchaslocksandkeys,to restrict
access to and interaction with the hardware components of an information system are still important;
but when computer systems are networked, this approach is no longer enough. Steps to
providenetworksecurityareessential,asistheimplementationofalarmandintrusionsystemstomake
systemownersawareofongoingcompromises.
5. WriteshortnotesonBalancingInformationSecurityandAccess?
Even with the best planning and implementation, it is impossible to obtain perfect information
security. . Information security cannot be absolute: it is a process, not a goal. It is possible to make a
system available to anyone, anywhere, anytime, through any means. However, such unrestricted access
poses a danger to the security of the information. On the other hand, a completely secure information
system would not allow anyone access. For instance, when challenged to achieve a TCSEC C-2 level
security certification for its Windows operating system, Microsoft had to remove all networking
componentsandoperatethecomputerfromonlytheconsoleinasecuredroom.
To achieve balance—that is, to operate an information system that satisfies the user and the
security professional—the security level must allow reasonable access, yet protect against threats.The
figureshowssomeofthecompetingvoicesthatmustbeconsideredwhenbalancinginformationsecurity
andaccess.
The top-down approach—in which the project is initiated by upper-level managers who issue policy,
proceduresandprocesses,dictatethegoalsandexpectedoutcomes,anddetermineaccountabilityforeach
required action—has a higher probability of success. This approach has strong upper-management
support,adedicatedchampion,usuallydedicatedfunding,aclearplanningandimplementationprocess,
andthemeansofinfluencingorganizationalculture.Themostsuccessfulkindoftop-downapproachalso
involvesaformaldevelopmentstrategyreferredtoasasystemsdevelopmentlifecycle.
Bottom up Approach
Securityfromagrass-rootseffort-systemsadministratorsattempttoimprovethesecurityoftheir
systems.
Keyadvantage-technicalexpertiseoftheindividualadministrators
Seldomworks,asitlacksanumberofcriticalfeatures:
– participantsupport
– organizational stayingpower
Top-down Approach
Initiated by uppermanagement:
– issuepolicy,procedures,andprocesses
– dictatethegoalsandexpectedoutcomesoftheproject
– determinewhoisaccountableforeachoftherequiredactions
This approach has strong upper management support, a dedicated champion, dedicatedfunding,
clearplanning,andthechancetoinfluenceorganizationalculture.
Mayalsoinvolveaformaldevelopmentstrategyreferredtoasasystemsdevelopmentlifecycle
– Most successful top-downapproach
7. ExplainthecomponentsofSystemDevelopmentLifeCycle(SDLC)withneatsketch.
(MAY,NOV2017)(NOV2018)
The Systems Development Life Cycle
Information security must be managed in a manner similar to any other major system
implemented in an organization. One approach for implementing an information security system in an
organization with little or no formal security in place is to use a variation of the systems development
lifecycle(SDLC):thesecuritysystemsdevelopmentlifecycle(SecSDLC).
At the end of each phase comes a structured review or reality check, during which the team
determines if the project should be continued, discontinued, outsourced, postponed, or returned to an
earlierphasedependingonwhethertheprojectisproceedingasexpectedandontheneedforadditional
expertise,organizationalknowledge,orotherresources.
Once the system is implemented, it is maintained (and modified) over the remainder of its
operational life. Any information systems implementation may have multiple iterations as the cycle is
repeated over time. Only by means of constant examination and renewal can any system, especially an
information security program, perform up to expectations in the constantly changing environment in
which it is placed.
Investigation
Thefirstphase,investigation,isthemostimportant.Whatproblemisthesystembeingdeveloped to
solve? The investigation phase begins with an examination of the event or plan that initiates the
process.Duringtheinvestigationphase,theobjectives,constraints,andscopeoftheprojectarespecified.
Apreliminarycost-benefitanalysisevaluatestheperceivedbenefitsandtheappropriatelevelsofcostfor
thosebenefits.Attheconclusionofthisphase,andateveryphasefollowing,afeasibilityanalysisassesses the
economic, technical, and behavioural feasibilities of the process and ensures that implementation is
worththeorganization’stimeandeffort.Insummary,
Whatistheproblemthesystemisbeingdevelopedtosolve?
– Theobjectives,constraints,andscopeoftheprojectarespecified
– Apreliminarycost/benefitanalysisisdeveloped
– A feasibility analysis is performed to assesses the economic, technical, and behavioral
feasibilities of theprocess
Analysis
Theanalysisphasebeginswiththeinformationgainedduringtheinvestigationphase.Thisphase
consistsprimarilyofassessmentsoftheorganization,itscurrentsystems,anditscapabilitytosupportthe
proposedsystems.Analystsbeginbydeterminingwhatthenewsystemisexpectedtodoandhowitwill
interactwithexistingsystems.Thisphaseendswiththedocumentationofthefindingsandanupdateof
thefeasibilityanalysis.Insummary,
Consists primarilyof
– assessments of theorganization
– thestatusofcurrentsystems
– capabilitytosupporttheproposedsystems
Analysts begin todetermine
– whatthenewsystemisexpectedtodo
– howthenewsystemwillinteractwithexistingsystems
Endswiththedocumentationofthefindingsandafeasibilityanalysisupdate
Logical Design
In the logical design phase, the information gained from the analysis phase is used to begin
creatingasystemssolutionforabusinessproblem.Inanysystemssolution,itisimperativethatthefirst
anddrivingfactoristhebusinessneed.Basedonthebusinessneed,applicationsareselectedtoprovide
neededservices,andthendatasupportandstructurescapableofprovidingtheneededinputsarechosen.
Finally,basedonalloftheabove,specifictechnologiestoimplementthephysicalsolutionaredelineated.
Thelogicaldesignis,therefore,theblueprintforthedesiredsolution.Thelogicaldesignisimplementation
independent, meaning that it contains no reference to specific technologies, vendors, or products. It
addresses, instead, how the proposed system will solve the problem at hand. In this stage, analysts
generateanumberofalternativesolutions,eachwithcorrespondingstrengthsandweaknesses,andcosts and
benefits, allowing for a general comparison of available options. At the end of this phase, another
feasibilityanalysisisperformed.Insummary,
Basedonbusinessneed,applicationsareselectedcapableofprovidingneededservices
Basedonapplicationsneeded,datasupportandstructurescapableofprovidingtheneededinputs
areidentified
Finally, based on all of the above, select specific ways to implement the physical solution are
chosen
Attheend,anotherfeasibilityanalysisisperformed
Physical Design
During the physical design phase, specific technologies are selected to support the alternatives
identifiedandevaluatedinthelogicaldesign.Theselectedcomponentsareevaluatedbasedonamake-or-
buydecision(developthecomponentsin-houseorpurchasethemfromavendor).Finaldesignsintegrate
various components and technologies. After yet another feasibility analysis, the entire solution is
presentedtotheorganizationalmanagementforapproval.Insummary,
Specifictechnologiesareselectedtosupportthealternativesidentifiedandevaluatedinthelogical
design
Selectedcomponentsareevaluatedbasedonamake-or-buydecision
Entiresolutionispresentedtotheend-userrepresentativesforapproval
Implementation
Intheimplementationphase,anyneededsoftwareiscreated.Componentsareordered,received,
andtested.Afterward,usersaretrainedandsupportingdocumentationcreated.Onceallcomponentsare
testedindividually,theyareinstalledandtestedasasystem.Againafeasibilityanalysisisprepared,and the
sponsors are then presented with the system for a performance review and acceptance test. In
summary,
Componentsareordered,received,assembled,andtested
Usersaretrainedanddocumentationcreated
Usersarethenpresentedwiththesystemforaperformancereviewandacceptancetest
Maintenance and Change
Themaintenanceandchangephaseisthelongestandmostexpensivephaseoftheprocess.This
phaseconsistsofthetasksnecessarytosupportandmodifythesystemfortheremainderofitsusefullife cycle.
Even though formal development may conclude during this phase, the life cycle of the project
continues until it is determined that the process should begin again from the investigation phase. At
periodic points, the system is tested for compliance, and the feasibility of continuance versus
discontinuance is evaluated. Upgrades, updates, and patches are managed. As the needs of the
organization change, the systems that support the organization must also change. It is imperative that
thosewhomanagethesystems,aswellasthosewhosupportthem,continuallymonitortheeffectiveness
ofthesystemsinrelationtotheorganization’senvironment.Whenacurrentsystemcannolongersupport
theevolvingmissionoftheorganization,theprojectisterminatedandanewprojectisimplemented.In
summary,
Tasksnecessarytosupportandmodifythesystemfortheremainderofitsusefullife
Thelifecyclecontinuesuntiltheprocessbeginsagainfromtheinvestigationphase
Whenthecurrentsystemcannolongersupportthemissionoftheorganization,anewprojectis
implemented
8. WhatisSecuritySDLC?Explainitsdifferentphases.
Security Systems Development LifeCycle
ThesamephasesusedinthetraditionalSDLCadaptedtosupportthespecializedimplementation of a
securityproject
Basicprocessisidentificationofthreatsandcontrolstocounterthem
TheSecSDLCisacoherentprogramratherthanaseriesofrandom,seeminglyunconnectedactions
Investigation
TheinvestigationphaseoftheSecSDLCbeginswithadirectivefromuppermanagement,dictating
theprocess,outcomes,andgoalsoftheproject,aswellasitsbudgetandotherconstraints.Frequently,this
phasebeginswithanenterpriseinformationsecuritypolicy(EISP),whichoutlinestheimplementation of a
security program within the organization. Teams of responsible managers, employees, and contractors
are organized; problems are analyzed; and the scope of the project, as well as specific goals
andobjectivesandanyadditionalconstraintsnotcoveredintheprogrampolicy,aredefined.Finally,an
organizationalfeasibilityanalysisisperformedtodeterminewhethertheorganizationhastheresources
andcommitmentnecessarytoconductasuccessfulsecurityanalysisanddesign.Insummary,
Identifiesprocess,outcomesandgoalsoftheproject,andconstraints
Beginswithastatementofprogramsecuritypolicy
Teamsareorganized,problemsanalyzed,andscopedefined,includingobjectives,andconstraints
notcoveredintheprogrampolicy
Anorganizationalfeasibilityanalysisisperformed
Analysis
In the analysis phase, the documents from the investigation phase are studied. The development
team conducts a preliminary analysis of existing security policies or programs, along with that of
documentedcurrentthreatsandassociatedcontrols.Thisphasealsoincludesananalysisofrelevantlegal
issuesthatcouldaffectthedesignofthesecuritysolution.Increasingly,privacylawshavebecomeamajor
consideration when making decisions about information systems that manage personal information.
Recently,manystateshaveimplementedlegislationmakingcertaincomputer-relatedactivitiesillegal.A
detailed understanding of these issues is vital. Risk management also begins in this stage. Risk
management is the process of identifying, assessing, and evaluating the levels of risk facing the
organization, specifically the threats to the organization’s security and to the information stored and
processedbytheorganization.Insummary,
Analysis of existing security policies or programs, along with documented current threats and
associatedcontrols
Includesananalysisofrelevantlegalissuesthatcouldimpactthedesignofthesecuritysolution
Theriskmanagementtask(identifying,assessing,andevaluatingthelevelsofrisk)alsobegins
Logical & Physical Design
The logical design phase creates and develops the blueprints for information security, and
examinesandimplementskeypoliciesthatinfluencelaterdecisions.Alsoatthisstage,theteamplansthe
incidentresponseactionstobetakenintheeventofpartialorcatastrophicloss.Theplanninganswersthe
followingquestions:
Continuityplanning:Howwillbusinesscontinueintheeventofaloss?
Incidentresponse:Whatstepsaretakenwhenanattackoccurs?
Disasterrecovery:Whatmustbedonetorecoverinformationandvitalsystemsimmediatelyafter a
disastrousevent?
The physical design phase evaluates the information security technology needed to support the
blueprintoutlinedinthelogicaldesigngeneratesalternativesolutions,anddeterminesafinaldesign.The
information security blueprint may be revisited to keep it in line with the changes needed when the
physical design is completed. Criteria for determining the definition of successful solutions are also
preparedduringthisphase.Includedatthistimearethedesignsforphysicalsecuritymeasurestosupport
theproposedtechnologicalsolutions.Attheendofthisphase,afeasibilitystudydeterminesthereadiness
oftheorganizationfortheproposedproject,andthenthechampionandsponsorsarepresentedwiththe design.
At this time, all parties involved have a chance to approve the project before implementation begins.
Insummary,
Creates blueprints forsecurity
Criticalplanningandfeasibilityanalysestodeterminewhetherornottheprojectshouldcontinue
In physical design, security technology is evaluated, alternatives generated, and final design
selected
At end of phase, feasibility study determines readiness so all parties involved have a chance to
approve theproject
Implementation
The implementation phase in of SecSDLC is also similar to that of the traditional SDLC. The
securitysolutionsareacquired(madeorbought),tested,implemented,andtestedagain.Personnelissues
areevaluated,andspecifictrainingandeducationprogramsconducted.Finally,theentiretestedpackage
ispresentedtouppermanagementforfinalapproval.Insummary,
Thesecuritysolutionsareacquired(madeorbought),tested,andimplemented,andtestedagain
Personnelissuesareevaluatedandspecifictrainingandeducationprogramsconducted
Finally,theentiretestedpackageispresentedtouppermanagementforfinalapproval
Maintenance and Change
Maintenanceandchangeisthelast,thoughperhapsmostimportant,phase,giventhecurrentever-
changing threat environment. Today’s information security systems need constant monitoring, testing,
modification, updating, and repairing. Applications systems developed within the framework of the
traditionalSDLCarenotdesignedtoanticipateasoftwareattackthatrequiressomedegreeofapplication
reconstruction. In information security, the battle for stable, reliable systems is a defensive one. Often,
repairing damage and restoring information is a constant effort against an unseen adversary. As new
threatsemergeandoldthreatsevolve,theinformationsecurityprofileofanorganizationmustconstantly
adapttopreventthreatsfromsuccessfullypenetratingsensitivedata.Thisconstantvigilanceandsecurity can
be compared to that of a fortress where threats from outside as well as from within must be
constantlymonitoredandcheckedwithcontinuouslynewandmoreinnovativetechnologies.Insummary,
Themaintenanceandchangephaseisperhapsmostimportant,giventhehighlevelofingenuityin
today’sthreats
Thereparationandrestorationofinformationisaconstantduelwithanoftenunseenadversary
Asnewthreatsemergeandoldthreatsevolve,theinformationsecurityprofileofanorganization
requires constantadaptation
9. List the steps that are common between SDLC and Security SDLC and also write the unique steps
of SecuritySDLC?
Steps common to both the systems
Life cycle Steps unique to the
development life cycle and the
S.No Phases security systems development life
security systems developmentlife
cycle
cycle
Outlineprojectscopeandgoals Management defines project
Phase 1: Estimatecosts processes and goals and
1
Investigation Evaluate existingresources documentstheseintheprogram
Analyzefeasibility security policy
Assesscurrentsystemagainstplan
developed in Phase1 Analyze existing securitypolicies
Develop preliminary system andprograms
Phase 2: requirements Analyzecurrentthreatsand
2
Analysis Studyintegrationofnewsystemwith controls
existingsystem Examine legalissues
Documentfindingsandupdate Perform riskanalysis
feasibility analysis
Assesscurrentbusinessneedsagainst
Develop securityblueprint
plandevelopedinPhase2
Planincidentresponseactions
Selectapplications,datasupport,and
Planbusinessresponseto
Phase 3: Logical structures
3 disaster
Design Generatemultiplesolutionsfor
Determine feasibility of
consideration
continuing and/oroutsourcing
Documentfindingsandupdate
theproject
feasibility analysis
Selecttechnologiesneededto
Selecttechnologiestosupport support securityblueprint
solutionsdevelopedinPhase3 Develop definition ofsuccessful
Phase 4: Select the bestsolution solution
4
Physical Design Decidetomakeorbuycomponents Design physical security
Document findings and update measures to supporttechno
feasibilityanalysis logicalsolutions
Reviewandapproveproject
Develop or buysoftware Buyordevelopsecuritysolutions
Phase 5: Ordercomponents Atendofphase,presenttested
5
Implementation Document thesystem package to managementfor
Trainusers approval
Update feasibilityanalysis
Present system tousers
Testsystemandreviewperformance
Supportandmodifysystemduringits
Phase 6:
usefullife Constantly monitor, test,modify,
Maintenance
6 Testperiodicallyforcompliancewith update, and repair to meet
and
businessneeds changingthreats
Change
Upgradeandpatchasnecessary
10. WriteaboutCommunitiesofInterest?(6MARKS)
Each organization develops and maintains its own unique culture and values. Within each
organizational culture, there are communities of interest that develop and evolve. As defined here, a
community of interest is a group of individuals who are united by similar interests or values within an
organizationandwhoshareacommongoalofhelpingtheorganizationtomeetitsobjectives.Whilethere
canbemanydifferentcommunitiesofinterestinanorganization.
Security as Science
Technology developed by computer scientists and engineers—which is designed for rigorous
performance levels—makes information security a science as well as an art. Most scientists agree that
specificconditionscausevirtuallyallactionsincomputersystems.Almosteveryfault,securityhole,and
systemsmalfunctionisaresultoftheinteractionofspecifichardwareandsoftware.Ifthedevelopershad
sufficienttime,theycouldresolveandeliminatethesefaults.Thefaultsthatremainareusuallytheresult of
technology malfunctioning for any one of a thousand possible reasons. There are many sources of
recognizedandapprovedsecuritymethodsandtechniquesthatprovidesoundtechnical securityadvice. Best
practices, standards of due care, and other tried-and-true methods can minimize the level of
guessworknecessarytosecureanorganization’sinformationandsystems.
Dealingwithtechnologydesignedtoperformathighlevelsofperformance
Specificconditionscausevirtuallyallactionsthatoccurincomputersystems
Almost every fault, security hole, and systems malfunction is a result of the interaction of specific
hardware andsoftware
Ifthedevelopershadsufficienttime,theycouldresolveandeliminatethesefaults
12. Describe the information security roles to be played by various professionals in a typical
organization?
Ittakesawiderangeofprofessionalstosupportadiverseinformationsecurityprogram.Asnoted
earlierinthischapter,informationsecurityisbestinitiatedfromthetopdown.Seniormanagementisthe key
component and the vital force for a successful implementation of an information security program. But
administrative support is also essential to developing and executing specific security policies and
procedures, and technical expertise is of course essential to implementing the details of the information
security program. The following sections describe the typical information security responsibilities of
variousprofessionalrolesinanorganization.
Senior Management
The senior technology officer is typically the chief information officer (CIO), although other titles
such as vice president of information, VP of information technology, and VP of systems may be used. The
CIO is primarily responsible for advising the chief executive officer, president, or company owner on the
strategic planning that affects the management of information in the organization. The CIO translates the
strategic plans of the organization as a whole into strategic information plans for the information systems
or data processing division of the organization. Once this is accomplished, CIOs work with subordinate
managers to develop tactical and operational plans for the division and to enable planning and
managementofthesystemsthatsupporttheorganization.
The chief information security officer (CISO) has primary responsibility for the assessment,
management, and implementation of information security in the organization. The CISO may also be
referredtoasthemanagerforITsecurity,thesecurityadministrator,orasimilartitle.TheCISOusually
reportsdirectlytotheCIO,althoughinlargerorganizationsitisnotuncommonforoneormorelayersof
management to exist between the two. However, the recommendations of the CISO to the CIO must be
given equal, if not greater, priority than other technology and information-related proposals. The
placementoftheCISOandsupportingsecuritystaffinorganizationalhierarchiesisthesubjectofcurrent debate
across theindustry.
Chief InformationOfficer
– the senior technologyofficer
– primarilyresponsibleforadvisingtheseniorexecutive(s)forstrategicplanning
Chief Information SecurityOfficer
– responsible for the assessment, management, and implementation of securing the
information in theorganization
– may also be referred to as the Manager for Security, the Security Administrator, or a
similartitle
Data custodians: Working directly with data owners, data custodians are responsible for the storage,
maintenance,andprotectionoftheinformation.Dependingonthesizeoftheorganization,thismaybea
dedicatedposition,suchastheCISO,oritmaybeanadditionalresponsibilityofasystemsadministrator or
other technology manager. The duties of a data custodian often include overseeing data storage and
backups,implementingthespecificproceduresandpolicieslaidoutinthesecuritypoliciesandplans,and
reportingtothedataowner.
Data users: End users who work with the information to perform their assigned roles supporting the
missionoftheorganization.Everyoneintheorganizationisresponsibleforthesecurityofdata,sodata
usersareincludedhereasindividualswithaninformationsecurityrole.
PONDICHERRY UNIVERSITY QUESTIONS
2 MARKS
1. What is Information? (MAY 2017) (Ref.Qn.No.1,Pg.no.5)
2. WhatismeantbyEmailSpoofing?(MAY2017)(Ref.Qn.No.62,Pg.no.16)
3. DefineSecurity.Whatarethemultilayersofsecurity?(NOV2017)(Ref.Qn.No.6,Pg.no.6)
4. Whencanacomputerbeasubjectandanobjectofattack?(NOV2017)(Ref.Qn.No.26,Pg.no.9)
5. ListthefunctionalitiesofanalysisphaseinSDLC.(MAY2018)(Ref.Qn.No.36,Pg.no.11)
6. Givethebasicprinciplesofinformationsecurity.(MAY2018)(Ref.Qn.No.63,Pg.no.16)
7. DefineInformationSecurity.(NOV2018)(Ref.Qn.No.2,Pg.no.5)
8. ExplainSDLC.(NOV2018)(Ref.Qn.No.32,Pg.no.10)
11 MARKS
MAY 2017 (REGUALR)
1. (a).Explain in detail about SDLC?(8MARKS)(Ref.Qn.No.7,Pg.no.28)
(b). What is CIA Triangle? (3 MARKS) (Ref.Qn.No.3, Pg.no.5)
(OR)
2. (a).WhatarethecomponentsofanInformationsystem?(7MARKS)(Ref.Qn.No.4,Pg.no.22)
(b). Explain the characteristics of information. (4 MARKS) (Ref.Qn.No.2, Pg.no.17)
1. Identify the five components of information system. Which are mostly affected by the study of
computer security? Which are the most commonly associated with its study?
(Ref.Qn.No.4,Pg.no.22)
(OR)