Tuesday, January 14, 2014

CIS 481-20: INTRO TO INFORM SECURITY EXAM 3 PART 2

  • Question 1

    10 out of 10 points
    Assume that you have converted part of an area of general office space into a server room that will be staffed. Describe the factors you would consider when planning for each of the following:
    • Walls and doors
    • Physical access control
    • Fire detection and suppression
    Make recommendations for each and justify your choices.
    Correct Answer:
    Correct
    • Walls and doors: Due to the construction of the walls and doors of the facility, the security of information assets can sometimes be compromised. In high security areas such as a server room, firewalls and doors with either mechanical or electromechanical locks should be used.
    • Physical access control: For physical security, a secure facility is an ideal location that has been engineered with a number of controls designed to minimize the risk of attacks from physical threats. An organization should consider using as many security controls as feasible in order to secure a server room. Typical physical security controls include:
      Walls, fencing, and gates: Deter unauthorized access to the facility
      Guards: Evaluate each situation as it arises and make reasoned responses
      ID Cards and badges: Authenticate an authorized individual with access to the facility
      Locks and keys: Prevent an intruder from gaining access to the secured location
      Mantraps: Deny unauthorized entry and trap an intruder in a small enclosure
      Electronic monitoring: Record events within a specific area that guard might miss, or to record events in areas where other types of physical controls are not practical
      Alarms and alarm systems: Notify the appropriate individual when a predetermined event or activity occurs
      Interior walls and doors: Provide not only physical security from potential intruders but from fires
    • Fire detection and suppression: Either manual or automatic fire detection systems need to be installed, since you can't suppress a fire if it hasn't been detected. Automatic detection systems include thermal detection systems, smoke detection systems, and flame detectors. An organization should consider placing one of these fire detection systems depending on its budget. There are a variety of fire suppression systems commonly used in many organizations, including portable, manual, and automatic apparatus. One or more fire suppression systems should be prepared in case of emergency. In a server room, most sprinkler systems are inappropriate because of the risk to the equipment, though newer ultra-fine mist systems might be a good choice. These systems produce a fog-like mist that, because the droplets are much less susceptible to gravity, stays buoyant (airborne) much longer. As a result, a much smaller quantity of water is required. A gaseous fire suppression system would be ideal for the server equipment but can be lethal to humans. A carbon dioxide system would be a poor choice for this reason. Some newer gaseous clean agents present less of a risk to humans and could be considered if employees have the ability to evacuate in a timely manner.


  • Question 2

    10 out of 10 points
    Name and describe the four basic conversion strategies discussed in the text that may be used when converting to a new system. Be sure to mention the advantages and disadvantages of each approach.


    Correct Answer:
    Correct
    • Direct changeover: Also known as going “cold turkey,” a direct changeover involves stopping the old method and beginning the new. This could be as simple as having employees follow the existing procedure one week, and then use a new procedure the next. Some cases of direct changeover are simple, such as a change that involves requiring employees to use a new password (which uses a stronger degree of authentication) beginning on an announced date; some may be more complex, such as requiring the entire company to change procedures when the network team disables an old firewall and activates a new one. The primary drawback to the direct changeover approach is that if the new system fails or needs modification, users may be without services while the system’s bugs are worked out. Complete testing of the new system in advance of the direct changeover helps to reduce the probability of these problems.
    • Phased implementation: A phased implementation is the most common conversion strategy and involves rolling out a piece of the system across the entire organization. This could mean that the security group implements only a small portion of the new security profile, giving users a chance to get used to it and resolving small issues as they arise. This is usually the best approach to security project implementation. For example, if a new VPN solution that employees can use to connect to the organization’s network while they’re traveling is to be introduced, then each week one department might be added to the group allowed to use the new VPN, and this process would continue until all departments are using the new approach.
    • Pilot implementation: The pilot implementation involves implementing all security improvements in a single office, department, or division, and resolving issues within that group before expanding to the rest of the organization. The pilot implementation works well when an isolated group can serve as the “guinea pig,” which keeps the implementation from dramatically impacting the performance of the organization as a whole. The operation of a research and development group, for example, may not impact the real-time operations of the organization and could assist security in resolving issues that emerge.
    • Parallel operations: The parallel operations strategy involves running the new methods alongside the old methods. In general, this means running two systems concurrently, and in terms of information systems, it might involve, for example, running two firewalls concurrently. Although this approach is usually a complex operation, it can be one that reinforces an organization’s information security by allowing the old system(s) to serve as backup for the new systems if they fail or are compromised. Drawbacks usually include the need to deal with both systems and maintain both sets of procedures.


  • Question 3

    9.25 out of 10 points
    A proven method for prioritizing a program of complex change is the bulls-eye method. As presented in the figure below, the approach relies on a process of project plan evaluation in four layers. Explain how these layers are used and in what order.

     bullseye2.png
    Correct Answer:
    Correct
    1. Policies: This is the outer, or first, ring in the bull’s-eye diagram. The critical importance of policies has been emphasized throughout the text. The foundation of all effective information security programs is sound information security and information technology policy. Since policy establishes the ground rules for the use of all systems and describes what is appropriate and what is inappropriate, it enables all other information security components to function correctly. When deciding how to implement complex changes and choose from conflicting options, you can use policy to clarify what the organization is trying to accomplish with its efforts.
    2. Networks: In the past, most information security efforts focused on this layer, and so until recently information security was often considered synonymous with network security. In today’s computing environment, implementing information security is more complex because networking infrastructure often comes into contact with threats from the public network. Those organizations new to the Internet find (as soon as their policy environment defines how their networks should be defended) that designing and implementing an effective DMZ is the primary way to secure an organization’s networks. Secondary efforts in this layer include providing the necessary authentication and authorization when allowing users to connect over public networks to the organization’s systems.
    3. Systems: Many organizations find that the problems of configuring and operating information systems in a secure fashion become more difficult as the number and complexity of these systems grow. This layer includes computers used as servers, desktop computers, and systems used for process control and manufacturing systems.
    4. Applications: The layer that receives attention last is the one that deals with the application software systems used by the organization to accomplish its work. This includes packaged applications, such as office automation and e-mail programs, as well as high-end enterprise resource planning (ERP) packages that span the organization. Custom application software developed by the organization for its own needs is also included.
    The bull’s-eye model can also be used to evaluate the sequence of steps taken to integrate parts of the information security blueprint into a project plan. As suggested by its bull’s-eye shape, this model dictates the following:
    • Until sound and useable IT and information security policies are developed, communicated, and enforced, no additional resources should be spent on other controls.
    • Until effective network controls are designed and deployed, all resources should go toward achieving this goal (unless resources are needed to revisit the policy needs of the organization).
    • After policies and network controls are implemented, implementation should focus on the information, process, and manufacturing systems of the organization. Until there is well-informed assurance that all critical systems are being configured and operated in a secure fashion, all resources should be spent on reaching that goal.
    • Once there is assurance that policies are in place, networks are secure, and systems are safe, attention should move to the assessment and remediation of the security of the organization’s applications. As in all planning efforts, attention should be paid to the most critical applications first.


  • Question 4

    10 out of 10 points
    Answer one of the two options:
    1. Compare and contrast the functions of a CISO, a security manager, and a security technician.
    2. Describe the options available for the location of the information security functions within the organization, including the advantages and disadvantages of each. Be sure to mention at least three of the likely locations, including the most common location.


    Correct Answer:
    Correct
    1. Chief Information Security Officer (CISO): This is typically the top information security officer in the organization. Though CISOs are business managers first and technologists second, they must be conversant in all areas of information security, including the technical, planning, and policy areas. In many cases, the CISO is the major definer or architect of the information security program. The CISO performs the following functions:
      • Manages the overall information security program for the organization
      • Drafts or approves information security policies
      • Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
      • Develops information security budgets based on available funding
      • Sets priorities for the purchase and implementation of information security projects and technology
      • Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
      • Acts as the spokesperson for the information security team
      Security Manager: Security managers are accountable for the day-to-day operation of the information security program. They accomplish objectives identified by the CISO and resolve issues identified by technicians. Management of technology requires an understanding of the technology administered, but does not necessarily require proficiency in the technology’s configuration, operation, and fault resolution.
      Security Technician: Security technicians are the technically qualified individuals tasked to configure firewalls, deploy IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that an organization’s security technology is properly implemented. The position of security technician is often entry level, but to be hired in this role, candidates must possess some technical skills.
    2. There are several valid choices for positioning the information security department within an organization. The model commonly used by large organizations places the information security department within the information technology department and usually designates as its head the CISO, who reports directly to the company’s top computing executive, or CIO. Such a structure implies that the goals and objectives of the CISO and CIO are aligned. This is not always the case, however. By its very nature, an information security program can, at times, be at odds with the goals and objectives of the information technology department as a whole. The CIO, as the executive in charge of the organization’s technology, strives to create efficiency in the processing and accessing of the organization’s information, and thus, anything that limits access or slows information processing can impede the CIO’s mission for the entire organization. The CISO’s function is more like that of an internal auditor in that the CISO must direct the information security department to examine existing systems in order to discover information security faults and flaws in technology, software, and employees’ activities and processes. These examinations can disrupt the processing and accessing of an organization’s information. Because the addition of multiple layers of security inevitably slows the data users’ access to information, information security may be viewed as a hindrance to the organization’s operations.

      Because the goals and objectives of CIOs and CISOs tend to contradict each other, the trend among many organizations has been to separate their information security function from their IT division. The information security function can be placed within any of the other following organizational functions:
      • Physical security function, as a peer of physical security or protective services
      • Administrative services function, as a peer of human resources or purchasing
      • Insurance and risk management function
      • Legal department
      Once an information security function’s organizational position has been determined, the challenge is to design a reporting structure that balances the competing needs of each of the communities of interest. Organizations should find a rational compromise by placing the information security function where it can best balance its duty to enforce organizational policy (that is, monitor compliance) with its ability to provide the education, training, awareness, and customer service needed to make information security an integral part of the organizational culture.


  • Question 5

    10 out of 10 points
    In digital forensics, most investigations follow the same basic methodology. Describe the steps involved after permission to investigate has been granted.


    Correct Answer:
    Correct
    In digital forensics, all investigations follow the same basic methodology:
    1. Identify relevant items of evidentiary value (EM) - One of the crucial aspects of any digital forensic investigation is the process of identifying the potential EM and its probable location. Users have access to many online server locations, via free e-mail archives, ftp servers, video archives, and the like, and could have terabytes of information stored in offsite locations across the Web or on their local systems. Unless investigators have an idea of what to look for, they may never find it in such a vast array of possible locations.
    2. Acquire (seize) the evidence without alteration or damage - The principal responsibility of the response team is to acquire the information without altering it. A normal system consequence of the search for EM could be portrayed by a defense attorney as affecting the authenticity or integrity of the EM, which could lead a jury to suspect that the EM was planted or is otherwise suspect. The biggest challenge is to show that the person under investigation is the one who stored, used, and maintained the EM, or who conducted the unauthorized activity.
    3. Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized - Once the evidence is acquired, both the copy image and the original drive should be handled so as to avoid legal challenges based on authenticity and preservation of integrity. If the organization or law enforcement cannot demonstrate that no one had physical access to the evidence, they cannot provide strong assurances that it has not been altered. Once the evidence is in the possession of investigators, they must track its movement, storage, and access until the resolution of the event or case. This is typically accomplished by means of chain of evidence or chain of custody procedures.
    4. Analyze the data without risking modification or unauthorized access - The copy or image is typically transferred to the laboratory for the next stage of authentication. The team must be able to demonstrate that any analyzed copy or image is a true and accurate replica of the source EM. This is accomplished by the use of cryptographic hash tools. The most complex part of an investigation is the analysis of the copy or image for potential EM. Two industry leading applications dominate the market for digital forensics: Guidance Software’s EnCase and AccessData Forensics Tool Kit (FTK). Each of these tools is designed to support a law enforcement investigation and assist in the management of the entire case.
    5. Report the findings to the proper authority - As investigators examine the analyzed copies or images and identify potential EM, they can tag it and add it to their case files. Once they have found a suitable amount of information they can summarize their findings, along with a synopsis of their investigatory procedures, in a report and submit it to the appropriate authority. This authority could be law enforcement or management.
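    Steps 3 and 4 above rest on cryptographic hashing and a chain-of-custody record. The following is an added example (not from the text or the exam) that hashes a constructed image at acquisition, re-hashes it at every hand-off, and shows how a single altered byte breaks the chain; the image bytes, examiner names and step labels are all constructed.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a real workflow hashes the
# image file produced by the imaging tool).
SAMPLE_IMAGE = b"\x00" * 512 + b"EXAMPLE-FS-HEADER" + bytes(range(256)) * 2


def image_hash(data: bytes) -> str:
    """SHA-256 hex digest of the image bytes."""
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes, examiner: str, log: list) -> bytes:
    """Bit-for-bit copy of the source, hashed on both sides, recorded as the first
    chain-of-custody entry. Raises if the copy does not match the source."""
    copy = bytes(source)
    source_hash = image_hash(source)
    if image_hash(copy) != source_hash:
        raise RuntimeError("acquired copy differs from source")
    log.append({"step": "acquire", "who": examiner,
                "when": datetime.now(timezone.utc).isoformat(),
                "sha256": source_hash})
    return copy


def record_transfer(image: bytes, who: str, purpose: str, log: list) -> bool:
    """Every hand-off re-hashes the image and records whether it still matches the
    acquisition hash, so the log shows exactly where integrity was lost."""
    expected = log[0]["sha256"]
    actual = image_hash(image)
    verified = actual == expected
    log.append({"step": purpose, "who": who,
                "when": datetime.now(timezone.utc).isoformat(),
                "sha256": actual, "verified": verified})
    return verified


def chain_intact(log: list) -> bool:
    """True only if every entry after acquisition verified against the acquisition hash."""
    return len(log) >= 1 and all(entry["verified"] for entry in log[1:])


def demo():
    """Acquire, hand off an intact copy, then hand off a copy with one flipped bit."""
    log = []
    image = acquire(SAMPLE_IMAGE, "examiner A", log)
    ok_intact = record_transfer(image, "examiner B", "transfer to lab", log)
    tampered = bytearray(image)
    tampered[600] ^= 0x01          # single-bit change somewhere in the data area
    ok_tampered = record_transfer(bytes(tampered), "examiner B", "analysis copy check", log)
    return ok_intact, ok_tampered, chain_intact(log)


if __name__ == "__main__":
    print(demo())   # expected: (True, False, False)
```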


  • Question 6

    10 out of 10 points
    Does the use of passwords (as a single factor) to authenticate users for access to systems (especially online) still provide the necessary security? A complete answer will need to explain what problems exist and how they might be resolved going forward. So, if you're going to support passwords, you'll have to explain how they can still offer security given the problems identified in class and in the referenced articles. If you're going to support other options, you'll have to explain how they address the problems identified in class and in the referenced articles (explaining why they are better). This is a critical thinking question, so there is no right or wrong answer prescribed in advance. You'll earn the points by defending whatever position you take.


    Correct Answer:
    Correct 
    This is a critical thinking question, so there is no right or wrong answer prescribed in advance. You'll earn the points by defending whatever position you take.


  • Question 7

    10 out of 10 points (Extra Credit)
    Extra Credit: The text's recommended model for dealing with change caused by information security maintenance (the maintenance model) is based on five subject areas or domains. Name and briefly describe each of these domains.
    Correct Answer:
    Correct
    The five domains on the maintenance model are:
    1. External Monitoring – provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective and timely defense. External monitoring entails collecting intelligence from various data sources and then giving that intelligence context and meaning for use by decision makers within the organization.
    2. Internal Monitoring – maintain an informed awareness of the state of all of the organization’s networks, information systems, and information security defenses. This awareness must be communicated and documented, especially for components that are exposed to the external network. The value of internal monitoring is high when the resulting knowledge of the network and systems configuration is fed into the vulnerability assessment and remediation maintenance domain. But this knowledge becomes invaluable when incident response processes are fully integrated with the monitoring processes.
    3. Planning and risk assessment – keep a lookout over the entire information security program, in part by identifying and planning ongoing information security activities that further reduce risk. In fact, the bulk of the security management maintenance model could fit in this domain. Also, the risk assessment group identifies and documents risks introduced by both IT projects and information security projects. It also identifies and documents risks that may be latent in the present environment.
    4. Vulnerability assessment and remediation – the identification of specific, documented vulnerabilities and their timely remediation. This would include using documented vulnerability assessment procedures to collect intelligence about networks (internal and public-facing), platforms (servers, desktops, and process control), dial-in modems, and wireless network systems safely. Penetration testing might also be performed.
    5. Readiness and review – keep the information security program functioning as designed and to keep it continuously improving over time.


CIS 481-20: INTRO TO INFORM SECURITY EXAM 2 PART 2

  • Question 1

    10 out of 10 points
    Answer one of the two options:
    1. Explain the differences between a policy, a standard, and a practice. In what order should they be created? Why?
    2. Name and describe the three general types of security policies. Give an example of each, explaining when/where they would be used.


    Correct Answer:
    Correct
    1. A policy is a plan or course of action intended to influence and determine decisions, actions, and other matters. Policies are organizational laws because they dictate acceptable and unacceptable behavior within the context of the organization’s culture. A standard, like a policy, has the same requirement for compliance, but it provides more detail as to what must be done to comply with policy. The level of acceptance of standards may be informal (as in de facto standards) or formal (as in de jure standards). Finally, practices, procedures, and guidelines effectively explain how to comply with policy. Typically, you would start by developing policies. The policies then drive the creation of organization standards that meet the requirements laid out in policy. These standards, in turn, drive the development of practices, procedures, and guidelines that are compliant with the policies and standards.
    2. There are three general types of information security policies. First are the enterprise information security policies (EISPs), which are usually drafted by the chief information officer of the organization and are executive-level. The EISPs are used to directly support the mission, vision, and direction of the organization and set the strategic direction, scope, and tone for all security efforts within the organization. Second are issue-specific security policies (ISSPs), which are formally written to instruct employees to properly use the technologies of the organization, such as use of the Internet, electronic mail, and photocopy equipment. The ISSPs require frequent updates and must contain a statement of the organization’s position on a specific issue. Third are system-specific security policies (SysSPs). SysSPs are usually codified as standards and procedures used when configuring or maintaining systems. For example, there might be a SysSP that describes the proper default configuration for web servers being deployed.


  • Question 2

    10 out of 10 points
    Name and describe the three general forms of authentication and give an example of each. What is meant by multi-factor authentication? Give an example.
    Correct Answer:
    Correct
    Something a Supplicant Knows: This factor of authentication relies upon what the supplicant knows and can recall—for example, a password, passphrase, or other unique authentication code, such as a personal identification number (PIN).

    Something a Supplicant Has: This authentication factor relies upon something a supplicant has and can produce when necessary. One example is dumb cards, such as ID cards or ATM cards with magnetic stripes containing the digital (and often encrypted) user PIN, against which the number a user inputs is compared.

    Something a Supplicant Is or Can Produce: This authentication factor relies upon individual characteristics, such as fingerprints, palm prints, hand topography, hand geometry, or retina and iris scans, or something a supplicant can produce on demand, such as voice patterns, signatures, or keyboard kinetic measurements.

    Multi-factor authentication requires a minimum of two different authentication mechanisms drawn from different factors of authentication, most often something you have and something you know. For example, access to a bank’s ATM services requires a banking card (something you have) plus a PIN (something you know).

     
  • Question 3

    10 out of 10 points
    VPNs are increasingly being used to establish connections between remote users and their office network using the Internet. Can this be a secure connection? Explain how transport mode differs from tunnel mode VPNs.


    Correct Answer:
    Correct
    A virtual private network (VPN) is a private and secure network connection between systems that uses the data communication capability of an unsecured and public network, such as the Internet. Yes, they can produce secure connections using security protocols and encrypting traffic transmitted across unsecured public networks.

    In transport mode, the data within an IP packet is encrypted, but the header information is not. This allows the user to establish a secure link directly with the remote host, encrypting only the data contents of the packet. The downside to this implementation is that packet eavesdroppers can still identify the destination system.

    Tunnel mode establishes two perimeter tunnel servers that encrypt all traffic that will traverse an unsecured network. In tunnel mode, the entire client packet is encrypted and added as the data portion of a packet addressed from one tunneling server to another. The receiving server decrypts the packet and sends it to the final address. The primary benefit to this model is that an intercepted packet reveals nothing about the true destination system.
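    To make the transport/tunnel distinction concrete, here is an added example (not from the text or the exam) that builds a client packet, protects it in each mode, and reports what an eavesdropper on the public network can read from the outer header. The addresses are documentation-range values chosen for the example, and the XOR keystream is a constructed stand-in for the VPN's real cipher, not IPsec ESP.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes   # plaintext or ciphertext, depending on the stage


# Constructed addresses: client, the protected host it wants, and the two tunnel servers.
CLIENT, REMOTE_HOST = "203.0.113.10", "10.0.0.5"
TUNNEL_A, TUNNEL_B = "198.51.100.1", "192.0.2.1"
KEY = b"constructed-demo-key"
CLIENT_PACKET = Packet(CLIENT, REMOTE_HOST, b"GET /payroll HTTP/1.1")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher for illustration only: XOR with a SHA-256-derived keystream.
    Applying it twice with the same key restores the data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def transport_mode(pkt: Packet, key: bytes) -> Packet:
    """Transport mode: only the data is encrypted; the IP header (src/dst) stays in clear."""
    return Packet(pkt.src, pkt.dst, keystream_xor(key, pkt.payload))


def _encode_inner(pkt: Packet) -> bytes:
    # Serialise header + data so the whole client packet can be treated as one blob.
    return f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload


def _decode_inner(data: bytes) -> Packet:
    src, dst, payload = data.split(b"|", 2)
    return Packet(src.decode(), dst.decode(), payload)


def tunnel_mode(pkt: Packet, key: bytes, tunnel_src: str, tunnel_dst: str) -> Packet:
    """Tunnel mode: the entire client packet is encrypted and carried as the data
    portion of a packet addressed from one tunnel server to the other."""
    return Packet(tunnel_src, tunnel_dst, keystream_xor(key, _encode_inner(pkt)))


def tunnel_receive(outer: Packet, key: bytes) -> Packet:
    """The receiving tunnel server decrypts and recovers the original client packet."""
    return _decode_inner(keystream_xor(key, outer.payload))


def eavesdropper_view(pkt: Packet) -> dict:
    """What an interceptor on the unsecured network learns from the outer header."""
    return {"src": pkt.src, "dst": pkt.dst, "payload_bytes": len(pkt.payload)}


if __name__ == "__main__":
    print("transport:", eavesdropper_view(transport_mode(CLIENT_PACKET, KEY)))
    print("tunnel:   ", eavesdropper_view(tunnel_mode(CLIENT_PACKET, KEY, TUNNEL_A, TUNNEL_B)))
```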

     
  • Question 4

    10 out of 10 points
    Choose from the following options:
    1. How does a network-based IDPS differ from a host-based IDPS?
    2. How does a signature-based IDPS differ from a statistical anomaly-based IDPS?
    Correct Answer:
    Correct
    1. A network-based IDPS (NIDPS) resides on a computer or appliance connected to a segment of an organization’s network and monitors network traffic on that network segment, looking for indications of ongoing or successful attacks. When the NIDPS identifies activity that it is programmed to recognize as an attack, it responds by sending notifications to administrators. When examining incoming packets, an NIDPS looks for patterns within network traffic such as large collections of related items of a certain type—which could indicate that a denial-of-service attack is underway—or the exchange of a series of related packets in a certain pattern—which could indicate that a port scan is in progress. An NIDPS can detect many more types of attacks than a host-based IDPS, but it requires a much more complex configuration and maintenance program. While a network-based IDPS resides on a network segment and monitors activities across that segment, a host-based IDPS (HIDPS) resides on a particular computer or server, known as the host, and monitors activity only on that system. HIDPSs are also known as system integrity verifiers because they benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files. An HIDPS has an advantage over an NIDPS in that it can access encrypted information traveling over the network and use it to make decisions about potential or actual attacks.
    2. A signature-based system looks for patterns of behavior that match a library of known behaviors. A potential problem with the signature-based approach is that new attack strategies must continually be added into the IDPS’s database of signatures; otherwise, attacks that use new strategies will not be recognized and might succeed. A statistical anomaly-based system collects statistical summaries by observing traffic that is known to be normal. This normal period of evaluation establishes a performance baseline. Once the baseline is established, the stat IDPS periodically samples network activity and, using statistical methods, compares the sampled network activity to this baseline. When the measured activity is outside the baseline parameters the IDPS sends an alert to the administrator. The advantage of the statistical anomaly-based approach is that the IDPS can detect new types of attacks, since it looks for abnormal activity of any type. Unfortunately, these systems require much more overhead and processing capacity than signature-based IDPSs, because they must constantly compare patterns of activity against the baseline.
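    An added example (not from the text or the exam) showing the two detection approaches described in answer 2 side by side: a signature library with fixed tests, and an anomaly detector that learns a packets-per-second baseline and flags windows beyond k standard deviations. The traffic windows, the scanner name and the thresholds are all constructed for the example.

```python
import re
import statistics

# Constructed sampling windows from a monitored segment (not real captures).
# pps = packets per second, distinct_dst_ports = distinct destination ports
# receiving SYNs in the window, user_agent = first HTTP User-Agent observed.
BASELINE_WINDOWS = [
    {"pps": 118, "distinct_dst_ports": 6, "user_agent": "Mozilla/5.0"},
    {"pps": 124, "distinct_dst_ports": 5, "user_agent": "Mozilla/5.0"},
    {"pps": 131, "distinct_dst_ports": 7, "user_agent": "Mozilla/5.0"},
    {"pps": 115, "distinct_dst_ports": 4, "user_agent": "curl/8.0"},
    {"pps": 127, "distinct_dst_ports": 6, "user_agent": "Mozilla/5.0"},
    {"pps": 121, "distinct_dst_ports": 5, "user_agent": "Mozilla/5.0"},
]

# Signature library: one test per known behaviour. "ExampleScanner" is a
# constructed placeholder, not a real tool's User-Agent.
SIGNATURES = {
    "port_scan": lambda w: w["distinct_dst_ports"] >= 50,
    "known_scanner_agent": lambda w: re.match(r"^ExampleScanner/", w["user_agent"]) is not None,
}


def signature_alerts(window):
    """Signature-based IDPS: report every library entry the window matches.
    A pattern absent from the library is never reported."""
    return [name for name, test in SIGNATURES.items() if test(window)]


class AnomalyDetector:
    """Statistical anomaly-based IDPS: learn a pps baseline from known-normal
    windows, then flag any window more than k standard deviations from the mean."""

    def __init__(self, baseline_windows, k=3.0):
        pps = [w["pps"] for w in baseline_windows]
        self.mean = statistics.mean(pps)
        self.stdev = statistics.stdev(pps)
        self.k = k

    def is_anomalous(self, window):
        return abs(window["pps"] - self.mean) > self.k * self.stdev


def evaluate(window, detector):
    """Run both approaches over one window and return what each would alert on."""
    return {"signature": signature_alerts(window),
            "anomaly": detector.is_anomalous(window)}


# Constructed test windows: a flood using a strategy not in the library, a scan
# that is in the library but at a normal packet rate, and a quiet window.
NOVEL_FLOOD = {"pps": 9000, "distinct_dst_ports": 3, "user_agent": "Mozilla/5.0"}
KNOWN_SCAN = {"pps": 125, "distinct_dst_ports": 80, "user_agent": "Mozilla/5.0"}
QUIET = {"pps": 120, "distinct_dst_ports": 5, "user_agent": "Mozilla/5.0"}

if __name__ == "__main__":
    det = AnomalyDetector(BASELINE_WINDOWS)
    for label, w in [("novel flood", NOVEL_FLOOD), ("known scan", KNOWN_SCAN), ("quiet", QUIET)]:
        print(f"{label:12s} {evaluate(w, det)}")
```

    The novel flood is missed by the signature library but caught by the baseline comparison, while the known scan at a normal packet rate is caught only by the signature; each approach's blind spot is the other's strength.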
     
  • Question 5

    9.5 out of 10 points


    Correct Answer:
    Correct
    Asymmetric encryption is also known as public key encryption. It uses two different keys to encrypt messages, the public key and the private key. Symmetric is different because it uses only one key to encrypt and decrypt messages. Symmetric encryption is much faster for the computer to process; however, it raises the costs of key management. Symmetric encryption, also called private key encryption, is where the same key is used to conduct both the encryption and decryption of the message. Both the sender and receiver must possess the key. The problem with symmetric encryption is getting a copy of the key to the sender, traditionally using an out of band approach. Hybrid methods such as Diffie-Hellman combine the best features of both symmetric and asymmetric encryption. Using the more computationally difficult asymmetric encryption to first exchange a secret session key between the parties allows the faster symmetric encryption to be used for the duration of the message passing.


  • Question 6

    9.5 out of 10 points
    Choose from the following options:

    1. Alex wants to send a message to Bob ensuring that:
      • Bob knows that the message could only have come from Alex
      • Only Bob can read the message
      • Bob knows that the message was not modified in transit
      Describe the necessary steps and keys to use with asymmetric encryption and hashing. Explain your choices.
    2. Using the Vigenere Square provided, encode the message "THIS TEST IS EASY" using the key "ENCRYPT". What is your newly encoded message? A paper copy of the Vigenere Square is available from your instructor, as well.

     VigenereSquare-small.png


    Correct Answer:
    Correct
    1. Alex takes the plaintext message and runs it through a secure hash function creating a message digest. Both the original plaintext message and the message digest get encrypted first using Alex's private key. This will ensure that the message must have come from Alex, as only he has access to his private key. Let's call this result CipherText1. Next, we encrypt a second time, now using Bob's public key. This will ensure that only Bob can decrypt the message. Let's call this result CipherText2. This new ciphertext is sent to Bob and he uses his private key to extract the signed message and message digest, CipherText1. He decrypts a second time using Alex's public key (thus verifying that the message must have come from Alex). This leaves the plaintext message and message digest. He runs the extracted message through the same secure hash function producing a new message digest. Bob can now compare the new message digest to the one sent in the signed message. If they match, he knows that the message wasn't changed at any point during transmission.
    2. ENCRYPTENCRYPT
      THISTESTISEASY
      --------------
      XUKJRTLXVUVYHR
    Response Feedback:
     one off
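    An added example (not from the exam or the instructor) that reproduces the Vigenère Square lookup for option 2 in code: each key letter selects a row of the square (the alphabet shifted to start at that letter), and the plaintext letter selects the column. It also prints the same key/plaintext/ciphertext alignment as the answer key, and decodes by reversing the lookup.

```python
import string

ALPHABET = string.ascii_uppercase


def square_row(key_letter: str) -> str:
    """Row of the Vigenère square for one key letter: the alphabet rotated so
    that the row begins with that letter (row A is the plain alphabet)."""
    shift = ALPHABET.index(key_letter)
    return ALPHABET[shift:] + ALPHABET[:shift]


def _letters_only(text: str) -> str:
    # The exam drops spaces, so only A-Z survive.
    return "".join(c for c in text.upper() if c in ALPHABET)


def vigenere_encode(plaintext: str, key: str) -> str:
    """Encode with a repeating key: row chosen by the key letter, column by the plaintext letter."""
    letters, key = _letters_only(plaintext), _letters_only(key)
    if not key:
        raise ValueError("key must contain at least one letter")
    out = []
    for i, p in enumerate(letters):
        row = square_row(key[i % len(key)])
        out.append(row[ALPHABET.index(p)])
    return "".join(out)


def vigenere_decode(ciphertext: str, key: str) -> str:
    """Reverse the lookup: find the ciphertext letter in the key letter's row;
    its column index is the plaintext letter."""
    letters, key = _letters_only(ciphertext), _letters_only(key)
    if not key:
        raise ValueError("key must contain at least one letter")
    out = []
    for i, c in enumerate(letters):
        row = square_row(key[i % len(key)])
        out.append(ALPHABET[row.index(c)])
    return "".join(out)


def worked_alignment(plaintext: str, key: str) -> str:
    """The three-line layout used in the answer key: repeated key, plaintext, ciphertext."""
    letters, key = _letters_only(plaintext), _letters_only(key)
    repeated_key = (key * (len(letters) // len(key) + 1))[:len(letters)]
    return "\n".join([repeated_key, letters, "-" * len(letters),
                      vigenere_encode(plaintext, key)])


if __name__ == "__main__":
    print(worked_alignment("THIS TEST IS EASY", "ENCRYPT"))
```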