Department of Computer Science and Engineering

Course Name : PRINCIPAL OF INFORMATION SYSTEM SECURITY

Course Number : BCO 030A

Course Designation: Specialization

Prerequisites: Computer Networks, Algorithms

IV B Tech – VII Semester

(2017-2018)

Ajay Kumar
Assistant Professor
S.No Topic Remark
1 Vision and Mission of Department
2 Academic Calendar &Syllabus
3 Program Outcomes
4 Course Outcomes
5 Mapping of COs with Pos
6 Program Educational Objectives
7 Lecture Plan
8 I Interm Details
8.1 Paper
8.2 Solutions
8.3 Award List
8.4 List of Weak Students
8.5 Result Analysis
8.6 Assignment Given to Weak Students detail etc.
9 Interm 2 Details
9.1 Paper
9.2 Solutions
9.3 Award List
9.4 List of Weak Students
9.5 Result Analysis
9.6 Assignment Given to Weak Students detail etc.

10 Assignments
10.1 Assignment Solutions(I to V)
10.2 Assignment’s award list
11 Unit Test Details
11.1 Papers
11.2 Award List
13 University Questions in last five year of related subject
14 Lecture Notes
15 Topics Beyond Syllabus
 Department of Computer Science & Engineering
 The Department of Computer Science and Engineering provides an outstanding research
environment complemented by excellence in teaching.

 The Department has a comprehensive curriculum on topics related to all aspects of Computer
Hardware and Software with an emphasis on practical learning.

 The course structure is up-to-date and includes courses on nascent topics to equip our
students with the latest developments in Computer Science and Engineering.

Vision of Department
 To promote Research and Development in the frontier areas of Information Technology.

 To generate Competent Professionals to become part of the Industry and Research

Organizations at the National and International levels.

 To provide necessary strengths to enable the Students to Innovate and become Entrepreneurs.
 SYLLABUS

Information Security: Introduction, History of Information security, What is Security,

CNSS Security Model, Components of Information System, Balancing Information
Unit – I
Security and Access, Approaches to Information Security Implementation, The Security
Systems Development Life Cycle.
Cryptography: Concepts and Techniques, symmetric and asymmetric key cryptography,
steganography, Symmetric key Ciphers: DES structure, DES Analysis, Security of DES,
Unit – II variants of DES, Block cipher modes of operation , AES structure, Analysis of AES , Key
distribution Asymmetric key Ciphers: Principles of public key cryptosystems, RSA
algorithm, Analysis of RSA, Diffie-Hellman Key exchange
Message Authentication and Hash Functions: Authentication requirements and
Unit – III functions, MAC and Hash Functions, MAC Algorithms: Secure Hash Algorithm,
Whirlpool, HMAC, Digital signatures, X.509, Kerberos.
Security at layers(Network, Transport, Application): IPSec, Secure Socket Layer(SSL),
Transport Layer Security(TLS), Secure Electronic Transaction(SET), Pretty Good
Unit – IV
Privacy(PGP), S/MIME.

Intruders, Virus and Firewalls: Intruders, Intrusion detection, password management,

Unit – V Virus and related threats, Countermeasures, Firewall design principles, Types of firewalls.
TEXT BOOKS & OTHER REFERENCES

Text Books
Principles of Information Security : Michael E. Whitman, Herbert J. Mattord,
1. CENGAGE Learning, 4th Edition.

Cryptography and Network Security : William Stallings, Pearson Education,4th

2. Edition

Cryptography and Network Security : Forouzan Mukhopadhyay, Mc Graw Hill,

3.
2nd Edition
Suggested / Reference Books
Cryptography and Network Security : C K Shyamala, N Harini, Dr T R
4.
Padmanabhan, Wiley India, 1st Edition.
5. Network Security and Cryptography: Bernard Menezes, CENGAGE Learning
6. Cryptography and Network Security : Atul Kahate, Mc Graw Hill, 2nd Edition
7. Principles of Computer Security: WM.Arthur Conklin, Greg White, TMH
Introduction to Network Security: Neal Krawetz, CENGAGE Learning 6.
8. Handbook of Security of Networks, Yang Xiao, Frank H Li, Hui Chen, World
Scientific, 2011

Websites References
1.
http://www.cs.iit.edu/~cs549/cs549s07/lectures.htm
2.
http://www.cengagebrain.com/content/whitman38214_1111138214_01.01_toc.pdf
3.
http://williamstallings.com/Extras/Security-Notes/
4. http://www.cs.hofstra.edu/~cscvjc/Spring06/

5. http://williamstallings.com/NetworkSecurity/styled/
PROGRAM EDUCATIONAL OBJECTIVES (PEO’s)

PEO- I :Students will develop themselves as effective professionals by solving real problems
through the use of computer science knowledge and with attention to team work, effective
communication, critical thinking and problem solving skills.
PEO- II: Students will develop professional skills that prepare them for immediate employment
and for life-long learning in advanced areas of computer science and related fields.
PEO- III: Students will demonstrate their ability to adapt to a rapidly changing environment by
having learned and applied new skills and new technologies.
PEO- IV: Students will be provided with an educational foundation that prepares them for
excellence, leadership roles along diverse career paths with encouragement to professional ethics
and active participation needed for a successful career.

Program Outcome (PO’s)

A graduate of the Computer Science and Engineering Program will demonstrate:

PO1. Engineering knowledge: Apply the knowledge of mathematics, science, engineering

fundamentals, and an engineering specialization to the solution of complex engineering
problems.

PO2. Problem analysis: Identify, formulate, research literature, and analyze complex
engineering problems reaching substantiated conclusions using first principles of mathematics,
natural sciences, and engineering sciences.

PO3. Design/development of solutions: Design solutions for complex engineering problems and
design system components or processes that meet the specified needs with appropriate
consideration for the public health and safety, and the cultural, societal, and environmental
considerations.

PO4. Conduct investigations of complex problems: Use research-based knowledge and research
methods including design of experiments, analysis and interpretation of data, and synthesis of the
information to provide valid conclusions.

PO5. Modern tool usage: Create, select, and apply appropriate techniques, resources, and
modern engineering and IT tools including prediction and modeling to complex engineering
activities with an understanding of the limitations.

PO6. The engineer and society: Apply reasoning informed by the contextual knowledge to
assess societal, health, safety, legal and cultural issues and the consequent responsibilities
relevant to the professional engineering practice.

PO7. Environment and sustainability: Understand the impact of the professional engineering
solutions in societal and environmental contexts, and demonstrate the knowledge of, and need
for sustainable development.

PO8. Ethics: Apply ethical principles and commit to professional ethics and responsibilities and
norms of the engineering practice.

PO9. Individual and team work: Function effectively as an individual, and as a member or leader
in diverse teams, and in multidisciplinary settings.

PO10. Communication: Communicate effectively on complex engineering activities with the

engineering community and with society at large, such as, being able to comprehend and write
effective reports and design documentation, make effective presentations, and give and receive
clear instructions.

PO11. Project management and finance: Demonstrate knowledge and understanding of the
engineering and management principles and apply these to one’s own work, as a member and
leader in a team, to manage projects and in multidisciplinary environments.

PO12. Life-long learning: Recognize the need for, and have the preparation and ability to engage
in independent and life-long learning in the broadest context of technological change.

Program Specific Outcome:

PSO1: The ability to understand, analyze and develop computer programs in the areas related to
algorithms, system software, multimedia, web design, big data analytics, and networking for
efficient design of computer-based systems of varying complexity.( Professional Skills)
PSO2: The ability to apply standard practices and strategies in software project development
using open-ended programming environments to deliver a quality product for business success.
(Problem-Solving Skills)
PSO3: The ability to employ modern computer languages, environments, and platforms in
creating innovative career paths to be an entrepreneur, and a zest for higher studies.( Successful
Career and Entrepreneurship)

Course Outcomes:

After undergoing the course, Students will be able to understand

CO1: Explain the objectives of information security and analyze the importance of information
Security in real world.
CO2: Analyse the trade-offs inherent in security and designing and analysis of different
encryption Algorithms.
CO3: Implementation of MAC and Hash functions, security at different layers of a network
CO4: Understand the basic categories of threats to computers and networks and explore different
types of intruders and viruses.
CO5: Discuss issues for creating security policy for a large organization
 MAPPING OF COURSE OBJECTIVES & COURSE OUT COMES WITH
PO’s & PSO’s

MAPPING COURSE OUTCOMES LEADING TO THE ACHIEVEMENT OF

PROGRAM OUTCOMES AND PROGRAM SPECIFIC OUTCOMES:
Course Program Outcome Program
Outcom Specifice
e Outcome
PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO PO PO1 PO11 PO1 PSO1 PSO2 PSO3
8 9 0 2
CO1 H H M M M
CO2 H H H M M M
CO3 H L H
CO4 L H M L
CO5 M H H H M L M M

H = Highly Related; M = Medium L=Low

Time Table

Room No: LT-7 W.E.F: 16/08/2017

Ajay Kumar
08.30- 09.30- 10.30- 11.30- 01:30- 02:25-
Day/Time 12:30-1:30
09.30 10.30 11.30 12.30 02:25 3:20

MC ISS
Monday
C+D A+B

Tuesday

ISS
Wednesday OOAD Lab-C2
A+B
MC MC
Thursday
A+B LT-5 A+B LT-5

Friday OOAD-C `

ISS
Saturday OOAD-C1
A+B
 COURSE SCHEDULE

Distribution of Hours Unit – Wise

Chapters
Total No.
Unit Topic
of Hours
Book1 Book2
Book3
I Information Security introduction 1 6
Cryptography: Concepts and
II 10
Techniques 2,3,5,6,9,10
Message Authentication and Hash
III 11,12,13,14 7
Functions
Security at layers(Network,
IV 6
Transport, Application) 16,17,18
V Intruders, Virus and Firewalls 18,19,20 7

Contact classes for Syllabus coverage 36

Number of Hours / lectures available in this Semester / Year 36

The number of topic in every unit is not the same – because of the variation, all the units
have an unequal distribution of hours
 Lecture Plan

Theory (Topic to be covered) Plan Date Actual References

S.
Date
No.

Unit-1
Information Security : introduction 19-08-2017 1,4
1
History of Information security, What is Security, 21-08-2017 1,2,4
2
CNSS Security Model
3 Components of Information System, 23-08-2017 1,4

4 Balancing Information Security and Access, 26-08-2017 1,4

Approaches to Information Security 28-08-2017 1,4
5
Implementation,
The Security Systems Development Life Cycle. 30-08-2017 1,4
6

Unit-2

7 Cryptography: Concepts and Techniques, 04-09-2017 2,4

8 Symmetric and asymmetric key cryptography 06-09-2017 2,4

9 Steganography 09-09-2017 2,4

10 Symmetric key Ciphers: DES structure, 11-09-2017 2,4

11 DES Analysis, Security of DES, variants of DES, 13-09-2017 2,4

12 Block cipher modes of operation , 16-09-2017 2,4

13 AES structure, Analysis of AES 18-09-2017 2,4

14 Key distribution Asymmetric key Ciphers: 20-09-2017 2,4

Principles of public key cryptosystems, RSA 23-09-2017 2,4
15
algorithm
16 Analysis of RSA, Diffie-Hellman Key exchange. 25-09-2017 2,4

Unit-3
Message Authentication and Hash Functions: 27-09-2017 2,3,4
17
Authentication requirements and functions
18 MAC and Hash Funtions 04-10-2017 2,3,4

19 MAC Algorithms: Secure Hash Algorithm 07-10-2017 2,3,4

20 Whirlpool 09-10-2017 2,3,4

21 HMAC 11-10-2017 2,3,4

22 Digital signatures 14-10-2017 2,3,4

23 X.509, Kerberos 16-10-2017 2,3,4

Unit-4
24 IPSecurity 18-10-2017 4

25 Secure Socket Layer(SSL) 23-10-2017 4

26 Transport Layer Security(TLS) 25-10-2017 4

27 Secure Electronic Transaction(SET) 28-10-2017 4

28 Pretty Good Privacy(PGP), 30-10-2017 4

29 S/MIME 01-11-2017 4

Unit-5
30 Intruders 04-11-2017 3,4

31 Intrusion detection 06-11-2017 3,4

32 password management 08-11-2017 3,4

33 Virus and related threats 11-11-2017 3,4

34 Countermeasures 13-11-2017 3,4

35 Firewall design principles 15-11-2017 3,4

Types of firewalls. 18-11-2017 3,4
36
I Interm Details

Registration No.

JECRC UNIVERSITY
I In Sem Examination September- 2017
VII Semester, B.Tech. (CSE)
Subject: Principles of Information System Security (BCO 030A)
Time: 1:30 hrs. Maximum
marks: 50
Instructions:
1. Attempt all the questions.
2. Illustrate your answers with suitable examples and diagrams, wherever necessary.
3. Write relevant question numbers before writing the answer.

SECTION-A [1*10=10 mark each]

Q 1- Answer the following multiple choice questions.

1. In computer security, …. means that computer system assets can be modified only by
authorized parities.
A) Confidentiality B) Integrity C) Availability D) Authenticity

2. In computer security, …………………….. means that the information in a computer system

only be accessible for reading by authorized parities.
A) Confidentiality B) Integrity C) Availability D) Authenticity

3. The type of threats on the security of a computer system or network are ……………………..
i) Interruption ii) Interception iii) Modification
iv) Creation v) Fabrication

A) i, ii, iii and iv only B) ii, iii, iv and v only

C) i, ii, iii and v only D) All i, ii, iii, iv and v

4. Select the correct order for the different phases of virus execution.
i) Propagation phase ii) Dormant phase
iii) Execution phase iv) Triggering phase
A) i, ii, iii, and iv B) i, iii, ii and iv
C) ii, i, iv an iii D) ii, iii, iv and i

5. The mechanism of writing text as rows and reading as columns is called as .

A) Vernam Cipher B) Caesar Cipher
C) Simple Columnar Transposition Technique D) Homophonic Substitution Cipher
6. Cryptanalyst is a person who .
A) Devises cryptography solutions B) attempts to break cryptography solutions
C) None of these C) both of these
7. The language that we commonly use can be termed as .
A) Pure text B) simple text C) plain text D) normal text
8. The codified language can be termed as .
A) Clear text B) unclear text C) code text D) cipher text
9. In substitution cipher, the following happens.
A) Characters are replaced by other characters B) rows are replaced by columns
C) Columns are replaced by rows D) none of the above

10. Transposition cipher involves .

A) Replacement of blocks of text with other blocks
B) Replacement of characters of text with other characters
C) Strictly row-to-column replacement
D) Some permutation on the input text to produce cipher text

SECTION-B [2*4=08 mark each]

Q 2- Answer the following questions.

1. Alice meets Bob and says “phhw ph dw jdxudy wrzhu wr qljkw”. If she is using Caesar
Cipher, what does she want to convey?
2. What is masquerade? Which principle of security is breached because of that?
3. What is the main feature of Polygram Substitution Cipher?
4. What is the application area of CFB mode?

SECTION-C [6*2=12 mark each]

Q 3- Answer the following questions.
1. Write the C program of rail fence technique.
2. Explain the cipher block chaining mode with its application area.

SECTION-D [10*2=20 mark each]

Q 4- Answer the following questions.
1. How does playfair cipher work? Assume the plain text “meet me at gaurav tower to
night” and generate the corresponding cipher text using this technique. Assume that the
keyword is”PLAYFAIR EXAMPLE”.
2. Explain the DES algorithm with help of block diagram.
Ist In Term Details
Registration No.

JECRC UNIVERSITY
I In Sem Examination September- 2017
VII Semester, B.Tech. (CSE)- Solution
Subject: Principles of Information System Security (BCO 030A)
Time: 1:30 hrs. Maximum
marks: 50
Instructions:
4. Attempt all the questions.
5. Illustrate your answers with suitable examples and diagrams, wherever necessary.
6. Write relevant question numbers before writing the answer.

SECTION-A [1*10=10 mark each]

Q 1- Answer the following multiple choice questions.

1. In computer security, …. means that computer system assets can be modified only by
authorized parities.
A) Confidentiality B) Integrity C) Availability D) Authenticity

2. In computer security, …………………….. means that the information in a computer system

only be accessible for reading by authorized parities.
A) Confidentiality B) Integrity C) Availability D) Authenticity

3. The type of threats on the security of a computer system or network are ……………………..
i) Interruption ii) Interception iii) Modification
iv) Creation v) Fabrication

A) i, ii, iii and iv only B) ii, iii, iv and v only

C) i, ii, iii and v only D) All i, ii, iii, iv and v

4. Select the correct order for the different phases of virus execution.
i) Propagation phase ii) Dormant phase
iii) Execution phase iv) Triggering phase
A) i, ii, iii, and iv B) i, iii, ii and iv
C) ii, i, iv an iii D) ii, iii, iv and i

5. The mechanism of writing text as rows and reading as columns is called as .

A) Vernam Cipher B) Caesar Cipher
C) Simple Columnar Transposition Technique D) Homophonic Substitution Cipher
6. Cryptanalyst is a person who .
A) Devises cryptography solutions B) attempts to break cryptography solutions
C) None of these C) both of these
7. The language that we commonly use can be termed as .
A) Pure text B) simple text C) plain text D) normal text
8. The codified language can be termed as .
A) Clear text B) unclear text C) code text D) cipher text
9. In substitution cipher, the following happens.
A) Characters are replaced by other characters B) rows are replaced by columns
C) Columns are replaced by rows D) none of the above

10. Transposition cipher involves .

A) Replacement of blocks of text with other blocks
B) Replacement of characters of text with other characters
C) Strictly row-to-column replacement
D) Some permutation on the input text to produce cipher text

SECTION-B [2*4=08 mark each]

Q 2- Answer the following questions.

5. Alice meets Bob and says “phhw ph dw jdxudy wrzhu wr qljkw”. If she is using Caesar
Cipher, what does she want to convey?
Ans: meet me at gaurav tower at night

6. What is masquerade? Which principle of security is breached because of that?

Ans: In terms of communications security issues, a masquerade is a type of attack where
the attacker pretends to be an authorized user of a system in order to gain access to it or
to gain greater privileges than they are authorized for. A masquerade may be attempted
through the use of stolen logon IDs and passwords, through finding security gaps in
programs, or through bypassing the authentication mechanism.
7. What is the main feature of Polygram Substitution Cipher?
A polygraphic substitution is a cipher in which a uniform substitution is performed on
blocks of letters. When the length of the block is specifically known, more precise terms are
used: for instance, a cipher in which pairs of letters are substituted is bigraphic.

8. What is the application area of CFB mode?

SECTION-C [6*2=12 mark each]

Q 3- Answer the following questions.
3. Write the C program of rail fence technique.
#include<stdio.h>
#include<conio.h>
#include<string.h>
void main()
 {
int i,j,k,l;
char a[20],c[20],d[20];
clrscr();
printf("\nEnter the input string : ");
gets(a);
l=strlen(a);

/*Ciphering*/
for(i=0,j=0;i<l;i++)
{
if(i%2==0)
c[j++]=a[i];
}
for(i=0;i<l;i++)
{
if(i%2==1)
c[j++]=a[i];
}
c[j]='\0';
printf("\nCipher text after applying rail fence :");
printf("\n%s",c);

/*Deciphering*/
if(l%2==0)
k=l/2;
else
k=(l/2)+1;
for(i=0,j=0;i<k;i++)
{
d[j]=c[i];
j=j+2;
}
for(i=k,j=1;i<l;i++)
{

d[j]=c[i];
j=j+2;
}
d[l]='\0';
printf("\nText after decryption : ");
printf("%s",d);
getch();
}
4. Explain the cipher block chaining mode with its application area.
Cipher Block Chaining (CBC) Mode
CBC mode of operation provides message dependence for generating ciphertext and makes
the system non-deterministic.
Operation
The operation of CBC mode is depicted in the following illustration. The steps are as follows
−
 Load the n-bit Initialization Vector (IV) in the top register.

 XOR the n-bit plaintext block with data value in top register.

 Encrypt the result of XOR operation with underlying block cipher with key K.

 Feed cipher text block into top register and continue the operation till all plaintext blocks are

processed.

 For decryption, IV data is XOR ed with first cipher text block decrypted. The first cipher text block is

also fed into to register replacing IV for decrypting next ciphertext block.

Analysis of CBC Mode

In CBC mode, the current plaintext block is added to the previous ciphertext block, and then
the result is encrypted with the key. Decryption is thus the reverse process, which involves
decrypting the current ciphertext and then adding the previous ciphertext block to the
result.
Advantage of CBC over ECB is that changing IV results in different ciphertext for identical
message. On the drawback side, the error in transmission gets propagated to few further
block during decryption due to chaining effect.
It is worth mentioning that CBC mode forms the basis for a well-known data origin
authentication mechanism. Thus, it has an advantage for those applications that require
both symmetric encryption and data origin authentication.

SECTION-D [10*2=20 mark each]

Q 4- Answer the following questions.
3. How does playfair cipher work? Assume the plain text “meet me at gaurav tower to
night” and generate the corresponding cipher text using this technique. Assume that the
keyword is”PLAYFAIR EXAMPLE”.

The 'key' for a playfair cipher is generally a word, for the sake of example we will choose
'monarchy'. This is then used to generate a 'key square', e.g.

monar

chybd

efgik

lpqst

uvwxz

Any sequence of 25 letters can be used as a key, so long as all letters are in it and there are no
repeats. Note that there is no 'j', it is combined with 'i'. We now apply the encryption rules to
encrypt the plaintext.

1. Remove any punctuation or characters that are not present in the key square (this may
mean spelling out numbers, punctuation etc.).
2. Identify any double letters in the plaintext and replace the second occurence with an 'x'
e.g. 'hammer' -> 'hamxer'.
3. If the plaintext has an odd number of characters, append an 'x' to the end to make it even.
4. Break the plaintext into pairs of letters, e.g. 'hamxer' -> 'ha mx er'
5. The algorithm now works on each of the letter pairs.
6. Locate the letters in the key square, (the examples given are using the key square above)
a. If the letters are in different rows and columns, replace the pair with the letters on
the same row respectively but at the other pair of corners of the rectangle defined by
the original pair. The order is important – the first encrypted letter of the pair is the one
that lies on the same row as the first plaintext letter. 'ha' -> 'bo', 'es' -> 'il'
b. If the letters appear on the same row of the table, replace them with the letters to
their immediate right respectively (wrapping around to the left side of the row if a
letter in the original pair was on the right side of the row). 'ma' -> 'or', 'lp' -> 'pq'
 c. If the letters appear on the same column of the table, replace them with the letters
immediately below respectively (wrapping around to the top side of the column if a
letter in the original pair was on the bottom side of the column). 'rk' -> 'dt', 'pv' -> 'vo'

4. Explain the DES algorithm with help of block diagram

..
 Course: BCO 030A - Preinciples of Information System Security, Marking Scheme
Group: THEORY SCHEME JULY 2014 ONWARD

Uni. Roll I IN-TERM[Min/Max:0.0/50.0]

S.No. Number Student Name [W:100.0%]Obt. Marks | Remarks
Abhinav Bhargava -
1 1402041002 BCO 27.00
2 1402041003 Abhishek Gupta - BCO Ab
3 1402041005 Abhishek Verma - BCO Ab
4 1402041006 Aditi Agrawal - BCO Ab
5 1402041007 Aditi Duggal - BCO Ab
6 1402041008 Aditya Jain - BCO 22.00
7 1402041009 Aditya Yadav - BCO Ab
8 1402041016 Aman Sharma - BCO Ab
9 1402041018 Amreen Pathan - BCO Ab
10 1402041020 Anish Arora - BCO 20.00
11 1402041021 Anisha Mohanka - BCO Ab
Anjnee Bhatnagar -
12 1402041022 BCO Ab
13 1402041025 Ankita Rinwa - BCO Ab
14 1402041026 Anshul Goyal - BCO 24.00
15 1402041029 Anukriti Athaiya - BCO 32.00
16 1402041030 Anurag Bula - BCO 32.00
17 1402041032 Arpit Chordia - BCO Ab
Arun Deep Singh Bains
18 1402041033 - BCO 13.00
19 1402041037 Ayasha . - BCO Ab
20 1402041039 Ayush Shrimali - BCO Ab
21 1402041040 Ayushi Goyal - BCO 26.00
Baljeet Singh Malhotra
22 1402041042 - BCO Ab
23 1402041043 Bhaavya Agarwal - BCO 26.00
24 1402041044 Bhavya Sharma - BCO Ab
25 1402041045 Chaitanya Jain - BCO Ab
26 1402041047 Chayan Dashora - BCO 24.00
Chhayank Sharma -
27 1402041048 BCO 36.00
Chirag Khandelwal -
28 1402041049 BCO Ab
29 1402041050 Chirag Khera - BCO 39.00
30 1402041051 Darshit Mulani - BCO 40.00
31 1402041053 Devam . - BCO 23.00
32 1402041057 Disha Jain - BCO Ab
33 1402041058 Disha P Vyas - BCO 37.00
34 1402041059 Divyani Pathak - BCO Ab
35 1402041060 Divyanshu Gupta - BCO Ab
36 1402041061 Diwanshu Payal - BCO Ab
37 1402041063 Faraaz Khan - BCO Ab
38 1402041064 Garvit Jain - BCO Ab
39 1402041065 Gunjan Sharma - BCO 15.00
40 1402041066 Hanish . - BCO Ab
41 1402041069 Harshit Pareek - BCO Ab
42 1402041071 Harvindra Puri - BCO 20.00
43 1402041072 Himani Khatri - BCO 25.00
Result Analysis Attached in Separate File

Assignment given to Weak Students

1. Explain security attacks, services and the related mechanisms.

2. Explain internetwork security.
3. Explain how gateway works in internetwork security model
4. Explain Substitution and Transposition techniques
5. Explain about conventional principles for encryption
6. Describe basic fiestel cipher structure for principle encryption algorithms
7. Explain basic DES algorithm and how it is dependent on fiestal structure
8. Describe public-key cryptography principles
9. Explain how public key cryptography algorithms are framed depending upon the principles
10. Explain RSA algorithms in detail
11. Explain how key exchange is done using Diffie-Hellman key exchange .
IInd In Term Details
Registration No.

JECRC UNIVERSITY
II In Sem Examination November- 2017
VII Semester, B.Tech. (CSE)
Subject: Principles of Information System Security (BCO 030A)
Time: 1:30 hrs. Maximum
marks: 50
Instructions:
7. Attempt all the questions.
8. Illustrate your answers with suitable examples and diagrams, wherever necessary.
9. Write relevant question numbers before writing the answer.

SECTION-A [1*10=10 mark each]

Q 1- Answer the following multiple choice questions.

1. Which one of the following is not a public key distribution means?
a) Public-Key Certificates b) Hashing Certificates
c) Publicly available directories d) Public-Key authority

2. “When communication is unknowingly going through an adversary/intermediate.” Which type

of Wireless network threat would you classify this under?
a) Malicious Association b) Man in the middle attack
c) Network Injection d) Accidental Association

3. When there is a lack of a central point of control.” Which type of Wireless network threat
would you classify this under?
a) Man in the middle attack b) Identity Theft
c) Ad Hoc Networks d) Non-Traditional Networks

4. In computer security, …………………….. means that the information in a computer system

only be accessible for reading by authorized parities.
a) Confidentiality b) Integrity c) Availability d)
Authenticity

5. Use Caesar’s Cipher to decipher the following :HQFUBSWHG WHAW

a) ABANDONED LOCK b) ENCRYPTED TEXT
c) ABANDONED TEXT d) ENCRYPTED LOCK
6. The S-Box is used to provide confusion, as it is dependent on the unknown key.(T/F)

7. If the sender and receiver use different keys, the system is referred to as conventional cipher
system.(T/F)
8. Wired networks are far more susceptible to eavesdropping and jamming than wireless
networks.(T/F)
9. In substitution cipher, the following happens.
a) Characters are replaced by other characters b) rows are replaced by columns
c) Columns are replaced by rows d) none of the above

10. Transposition cipher involves .

a) Replacement of blocks of text with other blocks
b) Replacement of characters of text with other characters
c) Strictly row-to-column replacement
d) Some permutation on the input text to produce cipher text

SECTION-B [2*4=08 mark each]

Q 2- Answer the following questions.

9. What is access control? How different is it from availability?

10. What are the key of the message digest?
11. What are the three main application of packet filter?
12. What is the application area of CFB mode?

SECTION-C [6*2=12 mark each]

Q 3- Answer the following questions.
5. Write the C program of Ceaser cipher technique.
6. Explain the password management.

SECTION-D [10*2=20 mark each]

Q 4- Answer the following questions.
5. What do you understand by the firewall? Explain its various types. Discuss the technique
by which attacker can break the security of packet filter.
6. Explain the SET with help of block diagram.
 College: JECRC University
Report Name: Calculate Student Marks
Academic Year: 2017-2018, Academic Session: JULY-DEC, Exam: ODD SEMESTERS EXAM
2017-2018
Course: BCO 030A - Preinciples of Information System Security, Marking Scheme Group:
THEORY SCHEME JULY 2014 ONWARD

S.No. Uni. Roll Number Student Name II IN-TERM

1 1402041002 Abhinav Bhargava - BCO 32.00
2 1402041003 Abhishek Gupta - BCO 38.00
3 1402041005 Abhishek Verma - BCO Ab
4 1402041006 Aditi Agrawal - BCO 42.00
5 1402041007 Aditi Duggal - BCO 23.00
6 1402041008 Aditya Jain - BCO 28.00
7 1402041009 Aditya Yadav - BCO 34.00
8 1402041016 Aman Sharma - BCO 20.00
9 1402041018 Amreen Pathan - BCO 37.00
10 1402041020 Anish Arora - BCO 15.00
11 1402041021 Anisha Mohanka - BCO 37.00
12 1402041022 Anjnee Bhatnagar - BCO 34.00
13 1402041025 Ankita Rinwa - BCO 41.00
14 1402041026 Anshul Goyal - BCO 26.00
15 1402041029 Anukriti Athaiya - BCO 34.00
16 1402041030 Anurag Bula - BCO 37.00
17 1402041032 Arpit Chordia - BCO 0.00
18 1402041033 Arun Deep Singh Bains - BCO 34.00
19 1402041037 Ayasha . - BCO 29.00
20 1402041039 Ayush Shrimali - BCO 28.00
21 1402041040 Ayushi Goyal - BCO 28.00
22 1402041042 Baljeet Singh Malhotra - BCO Ab
23 1402041043 Bhaavya Agarwal - BCO 38.00
24 1402041044 Bhavya Sharma - BCO 37.00
25 1402041045 Chaitanya Jain - BCO 13.00
26 1402041047 Chayan Dashora - BCO 19.00
27 1402041048 Chhayank Sharma - BCO 23.00
28 1402041049 Chirag Khandelwal - BCO 41.00
29 1402041050 Chirag Khera - BCO 40.00
30 1402041051 Darshit Mulani - BCO 43.00
31 1402041053 Devam . - BCO 22.00
32 1402041057 Disha Jain - BCO 33.00
33 1402041058 Disha P Vyas - BCO 38.00
34 1402041059 Divyani Pathak - BCO 29.00
35 1402041060 Divyanshu Gupta - BCO 14.00
36 1402041061 Diwanshu Payal - BCO 27.00
37 1402041063 Faraaz Khan - BCO 7.00
38 1402041064 Garvit Jain - BCO Ab
39 1402041065 Gunjan Sharma - BCO 22.00
40 1402041066 Hanish . - BCO Ab
41 1402041069 Harshit Pareek - BCO Ab
42 1402041071 Harvindra Puri - BCO 8.00
43 1402041072 Himani Khatri - BCO 28.00
44 1402041076 Hitesh Kumar - BCO 12.00
45 1402041077 Hunny Meghnani - BCO 29.00
46 1402041078 Jay Kumar - BCO 24.00
47 1402041080 Jitendra Chandwani - BCO 34.00
48 1402041081 Kajol Jaswani - BCO 36.00
49 1402041082 Karan Lalit Daryani - BCO 20.00
50 1402041084 Karandeep Singh - BCO 23.00
51 1402041085 Kartikay Bansal - BCO 28.00
52 1402041087 Kratika Agarwal - BCO 18.00
53 1402041088 Kratika Sharma - BCO 42.00
54 1402041089 Kriti Agarwal - BCO 36.00
55 1402041091 Lavika Agarwal - BCO 30.00
56 1402041092 Maanas Chaturvedi - BCO 9.00
57 1402041094 Mahender Vishnoi - BCO Ab
58 1402041099 Manya Shree - BCO 28.00
59 1402041101 Megha Gupta - BCO 41.00
60 1402041102 Mehul Agarwal - BCO 29.00
61 1402041104 Mohd Zaki Ansari - BCO 22.00
62 1402041105 Mohit Agarwal - BCO 21.00
63 1402041106 Mohit Mathur - BCO 30.00
64 1402041107 Mukesh Kumar Mahala - BCO 18.00
65 1402041108 Muni Divy Pankajbhai - BCO 26.00
66 1402041109 Narendra Arya - BCO Ab
67 1402041110 Naveen Kumar - BCO 30.00
68 1402041111 Naveen Kumar Jain - BCO 31.00
69 1402041113 Neha Kumawat - BCO 30.00
70 1402041115 Nikhil Gupta - BCO 31.00
71 1402041116 Nikunj Chaturvedi - BCO 19.00
72 1402041117 Nimmi Tulsyan - BCO 44.00
73 1402041119 Nishant Singh - BCO 24.00
74 1402041121 Nitin Bharti - BCO Ab
Result Analysis Attached in Separate File

Assignment given to Weak Students

1. . Explain how SHA-512 works for message authentication

2. 2. Describe hoe hash functions was developed based on MAC code
3. 3. Describe one way hash functions for message authentication
4. 4. In detail explain Kerberos 4 and version 4 authentication dialogue
5. 5. Explain how certification are issued using x.509 authentication service
6. 6. Explain Kerberos realms and multiple kerberos
7. 1. Explain the features of PGP
8. 2. Explain how key rings work during message authentication and encryption
9. 3. Explain S/MIME?
10. 4. Describe the concepts of MIME 221
11. 5. Explain the following

a. Compatability b. Key legitimacy c. Multipart and message type in MIME

12. Explain the architecture of IPSec
13. With a neat diagram explain the architecture of authentication header
14. Explain how encapsulation security payload works
15. Describe security association
16. Explain how key exchange is done using Diffie-Hellman key exchange .
Unit Wise Assignments (With different Levels of thinking (Blooms Taxonomy))
Note: For every question please mention the level of Blooms taxonomy

Unit – 1
list the six components of an information system with neat diagram?[L2]
1.

2 Briefly explain security system development cycle?[L2]

Unit – 2
Compare and contrast symmetric and asymmetric cryptographies? Describe DES
1.
algorithm with example.[L4]
2. Analyze RSA algorithm with DES? [L4]
Advantage of diffie-hellman key exchange over RSA?[L3]
3.

Unit – 3

1. Explain the Secure Hash Algorithm (SHA-1) in detail with an example?[L4]

Illustrate the Digital certificates?[L4]
2.
Describe the X.509 version 3 in detail?[L1]
3.

Unit – 4

1. Explain about IPSecurity?[L2]

2. List down the functions of SSL?[L1]

3 Mention the significance of dual signature in SET?[L2]

4 Clearly explain in detail the Multipurpose Internet Mail Extensions (MIME)?[L4]

5 illustrate general format of a PGP?[L4]

Unit – 5

1. Explain: Rule-based penetration identification: intrusion detection.?[L2]

2. Describe password management?[L1]

3. list the various virus counter measures?[L2]

4. Briefly describe about firewall design principles?[L4]

Unit Wise Case Studies (With different Levels of thinking (Blooms Taxonomy))
Note: For every Case Study please mention the level of Blooms taxonomy

1 Implement DES & RSA algorithms for the any text data.

2(Design a virus program using C language)

Unit Wise Important Questions (With different Levels of thinking (Blooms Taxonomy))
Note: For every question please mention the level of Blooms taxonomy
Unit – 1
Mention the essential characteristics of information security. How are they used in the
1.
study of computer security?
Briefly explain the components of an information system and their security. How will
2.
you balance security and access?
3. Explain the security system development life cycle
Differentiate between block and stream cipher and what are two general approaches to
4. attack to
a conventional encryption scheme.
Recall following terms:
Plain text, cipher text, encryption, decryption, Cryptography ,cryptanalysis,
5
cryptology,symmetric key encryption, Public key encryption, Secure channel, traffic
analysis, Masquerade,Non Repudiation, authentication, availability, access control
Unit – 2
Describe various classical Encryption Techniques (various substitution technique &
1.
transposition
2. Differentiate Symmetric and Asymmetric key cryptography.
Differentiate message confidentiality and message integrity.
3.
What is motivation for feistel cipher structure?
4
Draw and explain Feistel’s structure for encryption and decryption.
5
Explain single round of DES
6
With neat illustration explain Advanced Encryption Standard algorithm (AES).
7
Explain the procedure involved in RSA public-key encryption algorithm. With an
8
example?
Unit – 3

1. Examine Hash and Mac functions ?[L4]

Illustrate the importance of Digital signatures? and its applications?[L3]
2.

Unit – 4

1. Investigate the importance of IP security?[L4]

 2. Compare SSL and TLS layers?[L3]

3 Illustartae the applications of MIME?

Unit – 5

1. Describe importance of firewall and how it works?]L3]

2. Mention incursion detection and steps to prevent it? [L3]

3. Solve the problem using password management?[L4]

Unit Wise Multiple Choice Questions for CRT & Competitive Examinations
Unit – I:

1. which authors did not publish issue related to UNIX Security?

a. Dennis Ritchie
b. Morris & Thomson
c. Grampp & Morris
d. Reeds & Weinberger
2. ____Security Layer involves the protection of the individual or group of individuals
operations
a. Physical Layer
b. Personal Layer
c. Communication Layer
d. Network Layer
3. Which does not belong to the characteristics of information :
a. Accuracy
b. Authenticity
c. consistency
d. confidentiality
4. Security Systems Development Life cycle follows which SDLC life cycle
a. Spiral Model
b. RAD model
c. Waterfall model
d. Incremental model

Unit – II:

1. In cryptography, what is cipher?

a. algorithm for performing encryption and decryption
b. Encrypted message
c. Both (a) and (b)
d. none

2. In asymmetric key cryptography, the private key is kept by

a. Sender
b. Receiver
c. Sender and receiver
d. all the connected devices to the network

3. What is data encryption standard (DES)?

a. block cipher
b. stream cipher
c. bit cipher
d. none of the above

4. Cryptanalysis is used
a. to find some insecurity in a cryptographic scheme
 b. to increase the speed
c.to encrypt the data
d. none of the above

5. _________ is a block cipher.

A. DES
B. IDEA.
C. AES.
D. RSA

6. DES encrypts data in block size of __________ bits each.

A. 64.
B. 128.
C. 128.
D. 56

7. _________is the first step in DES.

A. Key transformation.
B. Expansion permutation.
C. S-box substitution.
D. P-box substitution.

8. The study of principles/methods of deciphering ciphertext without knowing key is known as

________.
A. code breaking
B. cryptanalysis
C. both a and b
D. decipher analysis

9. The coded message is known as ____.

A. plain text
B. cipher text
C. key
D. none

10. The method of hiding the secret is _____.

A. cryptography
B. steganography
C. stenography
D. cryptanalysis

11. The RSA public key encryption algorithm was developed by___.
A. John
B. Rivert
C. Mohammed
D. schildt
12. The most commonly used conventional algorithms are ____.
A. block ciphers
B. transposition cipher
C. both a and b
D. none of the above

13. The ________ method provides a one-time session key for two parties.
A. Diffie-Hellman
B. RSA
C. DES
D. AES

Unit – III:

1. Digital signature provides ________.

a. Authentication
b. Nonrepudiation
c. Both a & b
d. None

2. 2. A_____function creates a message digest out of a message.

a. Encryption
b. Decryption
c. hash
d. None

3. A(n)______ creates a secret key only between a member and the enter

a. CA
b. KDC
c. KDD
d. None

4. _______ is a popular session key creator protocol that requires an authentication server
and a ticket-granting server
a. KDC
b. Kerberos
c. CA
d. None

5. Kerberos version 4 requires the use of __________

A. MAC address IP address
B. Ethernet link address
C. IP address
D. ISO network address

6. X.509 recommends ____ algorithm.

 A. DES
B. Triple DES
C. RSA
D. Blowfish

7. In X.509 format , signature field covers ___.

A. hash code
B. private key
C. algorithm
D. all of the above

8. The digital signature standard proposed in ____.

A. 1991
B. 1993
C. 1995
D. 1997

Unit – IV:

1. IPSec is designed to provide the security at the

a. transport layer
b. network layer
c. application layer
d. session layer

2. Pretty good privacy (PGP) is used in

a. browser security
b. email security
c. FTP security
d. none of the above

3. Transport layer protocols deals with

a. application to application communication
b. process to process communication
c. node to node communication
d. none of the above

4. The cryptography algorithms used in S/MIME are _________.

A. IDEA.
B. RC4.
C. RSA,DES-3.
D. RC5.

5. Which one is the application of IPSec?

 A. Secure Remote access
B. Secure branch office connectivity
C. Secure E-Commerce
D. all of the above

6. PGP can be used for ___.

A. email
B. file storage application
C. both a and b
D. none of the above

7. In PGP, a hash code of a message is created using ____.

A. SHA-1
B. IDEA
C. 3DES
D. none of the above

8. The use of S/MIME ___.

A. commercial
B. organization
C. both a and b
D. none of the above

Unit – V:

1. Network layer firewall has two sub-categories as

a. stateful firewall and stateless firewall
b. bit oriented firewall and byte oriented firewall
c. frame firewall and packet firewall
d. none of the above

2. Firewalls are often configured to block

a. UDP traffic
b. TCP traffic
c. Both of the above
d. None of the above

3. Transport layer protocols deals with

a. application to application communication
b. process to process communication
c. node to node communication
d. none of the above

University Question Papers

Registration No.

JECRC UNIVERSITY
End Term Examination ,December- 2017
VII Semester, B.Tech. (CSE)
Principles of Information System Security (BCO 030A)
Time: 3:00 hrs. Maximum
marks: 100
Instructions:
10. Attempt all the questions.
11. Illustrate your answers with suitable examples and diagrams, wherever necessary.
12. Write relevant question numbers before writing the answer.
Course Outcome:
1. CO1:Explain the objectives of information security
2. CO2:Analyse the trade-offs inherent in security
3. CO3:Describe the enhancements made to IPv4 by IPSec
4. CO4:Understand the basic categories of threats to computers and networks
5. CO5:Discuss issues for creating security policy for a large organization

SECTION-A [1*10=10 mark each]

Answer the following multiple choice questions.

i/co1. A ………….. is a program that can infect other programs by modifying them, the
modification includes a copy of the virus program, which can go on to infect other
programs.
A) Worm B) Virus C) Zombie D) Trap doors
ii/co1. In computer security, ……………………means that computer system assets can be
modified
only by authorized parities.
A) Confidentiality B) Integrity C) Availability D) Authenticity
iii/co2. …………… is to protect data and passwords.
A) Authentication B) EncryptionC) Authorization D) Non-repudiation
iv/co5. A firewall is installed at the point where the secure internal network and untrusted
external
network meet which is also known as ………………
A) meeting point B) Chock point C) firewall point D) secure point
v/co4. The components of IP security includes ………………….
A) Authentication Header (AH) B) Encapsulating Security Payload (ESP)
 C) Internet key Exchange (IKE) D) All of the above
vi/co4. ………………….. is used to carry traffic of one protocol over network that does not
support that protocol directly.
A) Transferring B) Tunneling C) Trafficking D) Switching
vii/co3. The S-Box is used to provide confusion, as it is dependent on the unknown key.(T/F)
viii/co3. If the sender and receiver use different keys, the system is referred to as conventional
cipher
system.(T/F)
ix/co5. Wired networks are far more susceptible to eavesdropping and jamming than wireless
(T/F)
x/co3. What is the number of round computation steps in the SHA-1 algorithm?
A). 4 B). 8 C). 16 D). 32

SECTION-B [2*5=10 mark each]

Answer the following questions.

i/co1: What is the replay attack? Give the example of replay attack/
ii/co2: What is the problem with exchanging of public key?
iii/co3: What is the initialization vector(IV)?what is its significance?
iv/co4: Why SSL layer is positioned between the application layer and the transport layer?
v/co5: What are the problems associated with clear text passwords?

SECTION-C [6*5=30 mark each]

Answer the following questions.
i/co1: Differentiate between block and stream cipher and what are two general approaches to
attack to a
conventional encryption scheme.
ii/co2: Differentiate message confidentiality and message integrity.
iii/co3: Illustrate the importance of Digital signatures? and its applications?
iv/co4: Explain how HMAC is better than MD5? Also explain HMAC algorithm with suitable
block
diagrams.
v/co5: Explain the password management.

SECTION-D [10*5=50 mark each]

Answer the following questions.

i/co1: What is the Encryption? What is Decryption? Draw the block diagram showing plain text,
cipher text, encryption and Decryption. Explain your answer with help of postal system.
ii/co2: Alice and Bob want to establish a secret key using the Diffe-Hellman Key exchange
protocol.
Assuming the values as n=11 ,g-5,x=2 and y=3.Find the values of A&B and the secret
key
 K1&k2.
iii/co3: What is message digest and which security principle is achieved through message digest?
Also
Explain MD5 algorithm with suitable block diagram.
iv/co4: Explain the SET with help of block diagram.
v/co5: What do you understand by the firewall? Explain its various types. Discuss the technique
by
which attacker can break the security of packet filter.

Unit Wise lecture Notes:

UNIT-I

Introduction:

Information security in today’s enterprise is a “well-informed sense of assurance that the

information risks and controls are in balance.” –Jim Anderson, Invent (2002)
 The protection of information and its critical elements, including the systems and
hardware that use, store, and transmit that information
 Tools, such as policy, awareness, training, education, and technology are necessary
 The C.I.A. triangle was the standard based on confidentiality, integrity, and availability
 The C.I.A. triangle has expanded into a list of critical characteristics of information

History of Information Security:

 Computer security began immediately after the first mainframes were developed
 Groups developing code-breaking computations during World War II created the first
modern computers
 Physical controls were needed to limit access to authorized personnel to sensitive
military locations
 Only rudimentary controls were available to defend against physical theft, espionage,
and sabotage

MULTICS was an operating system, now obsolete. MULTICS is noteworthy because it was
the first and only OS created with security as its primary goal. It was a mainframe, time-sharing
OS developed in mid – 1960s by a consortium from GE,Bell Labs, and MIT.

Department of Defense in US, started a research program on feasibility of a redundant,

networked communication system to support the military’s exchange of information. Larry
Robers, known as the founder if internet ,developed the project from its inception.
  ARPANET grew in popularity as did its potential for misuse
 Fundamental problems with ARPANET security were identified
– No safety procedures for dial-up connections to the ARPANET
– User identification and authorization to the system were non-existent
 In the late 1970s the microprocessor expanded computing capabilities and security threats

Information Security began with Rand Corporation Report R-609

The Rand Report was the first widely recognized published document to identify the role of
management and policy issues in computer security.
The scope of computer security grew from physical security to include:
a. Safety of the data
b. Limiting unauthorized access to that data
c. Involvement of personnel from multiple levels of the organization

What is Security?

“The quality or state of being secure--to be free from danger”

To be protected from adversaries
 Physical Security – to protect physical items, objects or areas of organization from
unauthorized access and misuse
 Personal Security – involves protection of individuals or group of individuals who are
authorized to access the organization and its operations
 Operations security – focuses on the protection of the details of particular operations
or series of activities.
 Communications security – encompasses the protection of organization’s
communications media ,technology and content
  Network security – is the protection of networking components, connections, and
contents
 Information security – is the protection of information and its critical elements,
including the systems and hardware that use ,store, and transmit the information

CNSS Model or NSTISSC MODEL

The Committee on National Security Systems (CNSS) is a United States

intergovernmental organization that sets policy for the security of the US security systems. The
CNSS holds discussions of policy issues, sets national policy, directions, operational procedures,
and guidance for the information systems operated by the U.S. Government, its contractors or
agents that either contain classified information, involve intelligence activities, involve
cryptographic activities related to national security, involve command and control of military
forces, involve equipment that is an integral part of a weapon or weapons system(s), or are
critical to the direct fulfillment of military or intelligence missions.

This refers to “The National Security Telecommunications and Information Systems

Security Committee” document. This document presents a comprehensive model for information
security. The model consists of three dimensions

Components of an information system:

An Information System (IS) is much more than computer hardware; it is the entire set of
software, hardware, data, people, and procedures necessary to use information as a resource
in the organization
 The software component of IS comprises applications, operating systems, and assorted
command utilities. Software programs are the vessels that carry the life blood of information
through an organization. Information security is often implemented as an afterthought rather than
developed as an integral component from the beginning. Software programs become an easy
target of accidental or intentional attacks.

Hardware is the physical technology that houses and executes the software, stores and
carries the data, provides interfaces for the entry and removal of information from the system.
Physical security policies deal with the hardware as a physical asset and with the protection of
these assets from harm or theft.

Data – Data stored, processed, and transmitted through a computer system must be
protected. Data is the most valuable asset possessed by an organization and it is the main target
of intentional attacks.

People – Though often overlooked in computer security considerations, people have

always been a threat to information security and they are the weakest link in a security chain..
Policy, education and training, awareness, and technology should be properly employed to
prevent people from accidently or intentionally damaging or losing information.
Procedures – Procedures are written instructions for accomplishing when an
unauthorized user obtains an organization’s procedures, it poses threat to the integrity of the
information. Educating employees about safeguarding the procedures is as important as securing
the information system. Lax in security procedures caused the loss of over ten million dollars
before the situation was corrected.

Networks - Information systems in LANs are connected to other networks such as the
internet and new security challenges are rapidly emerge. Apart from locks and keys which are
used as physical security measures, network security also an important aspect to be considered.

Securing the Components

 The computer can be either or both the subject of an attack and/or the object of an attack
 When a computer is
– the subject of an attack, it is used as an active tool to conduct the attack
– the object of an attack, it is the entity being attacked
Balancing Information Security and Access
 It is impossible to obtain perfect security - it is not an absolute; it is a process
 Security should be considered a balance between protection and availability
 To achieve balance, the level of security must allow reasonable access, yet protect against
threats

Approaches to Information Security Implementation:

Bottom Up Approach
 Security from a grass-roots effort - systems administrators attempt to improve the
security of their systems
  Key advantage - technical expertise of the individual administrators
 Seldom works, as it lacks a number of critical features:
– participant support
– organizational staying power
Top-down Approach
 Initiated by upper management:
– issue policy, procedures, and processes
– dictate the goals and expected outcomes of the project
– determine who is accountable for each of the required actions
 This approach has strong upper management support, a dedicated champion, dedicated
funding, clear planning, and the chance to influence organizational culture
 May also involve a formal development strategy referred to as a systems development
life cycle
– Most successful top-down approach

The Security Systems Development Life Cycle:

Systems Development Life Cycle:

 Information security must be managed in a manner similar to any other major system
implemented in the organization
 Using a methodology
– ensures a rigorous process
– avoids missing steps
 The goal is creating a comprehensive security posture/program
Investigation
 What is the problem the system is being developed to solve?
– The objectives, constraints, and scope of the project are specified
– A preliminary cost/benefit analysis is developed
– A feasibility analysis is performed to assesses the economic, technical, and
behavioral feasibilities of the process
Analysis
 Consists primarily of
– assessments of the organization
– the status of current systems
– capability to support the proposed systems
 Analysts begin to determine
– what the new system is expected to do
– how the new system will interact with existing systems
 Ends with the documentation of the findings and a feasibility analysis update
Logical Design
 Based on business need, applications are selected capable of providing needed services
 Based on applications needed, data support and structures capable of providing the
needed inputs are identified
 Finally, based on all of the above, select specific ways to implement the physical solution
are chosen
 At the end, another feasibility analysis is performed
Physical Design
 Specific technologies are selected to support the alternatives identified and evaluated in
the logical design
 Selected components are evaluated based on a make-or-buy decision
  Entire solution is presented to the end-user representatives for approval
Implementation
 Components are ordered, received, assembled, and tested
 Users are trained and documentation created
 Users are then presented with the system for a performance review and acceptance test
Maintenance and Change
 Tasks necessary to support and modify the system for the remainder of its useful life
 The life cycle continues until the process begins again from the investigation phase
 When the current system can no longer support the mission of the organization, a new
project is implemented

Security Systems Development Life Cycle:

 The same phases used in the traditional SDLC adapted to support the specialized
implementation of a security project
 Basic process is identification of threats and controls to counter them
 The SecSDLC is a coherent program rather than a series of random, seemingly
unconnected actions
Investigation
 Identifies process, outcomes and goals of the project, and constraints
 Begins with a statement of program security policy
 Teams are organized, problems analyzed, and scope defined, including objectives, and
constraints not covered in the program policy
 An organizational feasibility analysis is performed
Analysis
 Analysis of existing security policies or programs, along with documented current threats
and associated controls
 Includes an analysis of relevant legal issues that could impact the design of the security
solution
 The risk management task (identifying, assessing, and evaluating the levels of risk) also
begins
Logical & Physical Design
 Creates blueprints for security
 Critical planning and feasibility analyses to determine whether or not the project should
continue
 In physical design, security technology is evaluated, alternatives generated, and final
design selected
 At end of phase, feasibility study determines readiness so all parties involved have a
chance to approve the project
Implementation
 The security solutions are acquired (made or bought), tested, and implemented, and tested
again
 Personnel issues are evaluated and specific training and education programs conducted
 Finally, the entire tested package is presented to upper management for final approval
Maintenance and Change
 The maintenance and change phase is perhaps most important, given the high level of
ingenuity in today’s threats
  The reparation and restoration of information is a constant duel with an often unseen
adversary
 As new threats emerge and old threats evolve, the information security profile of an
organization requires constant adaptation

Information Security: Is It an Art or a Science?:

 With the level of complexity in today’s information systems, the implementation of

information security has often been described as a combination of art and science
Security as Art
 No hard and fast rules nor are there many universally accepted complete solutions
 No magic user’s manual for the security of the entire system
 Complex levels of interaction between users, policy, and technology controls
Security as Science
 Dealing with technology designed to perform at high levels of performance
 Specific conditions cause virtually all actions that occur in computer systems
 Almost every fault, security hole, and systems malfunction is a result of the interaction of
specific hardware and software
 If the developers had sufficient time, they could resolve and eliminate these faults.

information security is viewed as a social science?:

Security as a Social Science

 Social science examines the behavior of individuals interacting with systems
 Security begins and ends with the people that interact with the system
 End users may be the weakest link in the security chain
 Security administrators can greatly reduce the levels of risk caused by end users, and
create more acceptable and supportable security profiles

The information security roles to be played by various professionals in a typical

organization?:

Senior Management
 Chief Information Officer
– the senior technology officer
– primarily responsible for advising the senior executive(s) for strategic planning
 Chief Information Security Officer
– responsible for the assessment, management, and implementation of securing the
information in the organization
– may also be referred to as the Manager for Security, the Security Administrator, or
a similar title
Security Project Team
 A number of individuals who are experienced in one or multiple requirements of both the
technical and non-technical areas:
– The champion
– The team leader
 – Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
Previous Question Papers