Question 1
Name and describe the three characteristics of information (the so-called "CIA triangle") that must be protected by information security. Does the CIA triangle completely describe the critical characteristics of information? Explain.

Correct Answer:
The three components of the CIA triangle are: confidentiality (assurance that the information is shared only among authorized persons or organizations); integrity (assurance that the information is complete and uncorrupted); and availability (assurance that the information systems and the necessary data are available for use when they are needed). These three components are frequently used to conveniently articulate the objectives of a security program that must be used in harmony to assure an information system is secure and usable. No, the CIA triangle is incomplete but convenient because of the amount of material that is based on it. A more robust set of critical characteristics of information would include accuracy, authenticity, utility, and possession as well.

Question 2
Why is information security a management problem? What can management do that technology cannot? Why do employees constitute one of the greatest threats to information security?

Correct Answer:
Both general management and IT management are responsible for implementing information security to protect the ability of the organization to function. Decision-makers in organizations must set policy and operate their organization in a manner that complies with the complex, shifting political legislation on the use of technology. Management is responsible for informed policy choices and the enforcement of decisions that affect applications and the IT infrastructures that support them. Management can also implement an effective information security program to protect the integrity and value of the organization's data. Employees are one of the greatest threats since they are the closest to the organizational data and will have access by nature of their assignments. They are the ones who use it in everyday activities, and employee mistakes represent a very serious threat to the data. Employee mistakes can easily lead to the revelation of classified data, entry of erroneous data, accidental deletion or modification of data, storage of data in unprotected areas, and failure to protect information. People are a part of the systems and good management impacts how people behave in an organization.

Question 3
There are three common types of password attacks. Name and describe each. Describe at least two controls that may be used to prevent successful password attacks.

Correct Answer:
The three types of password attacks are: Password Crack, Brute Force, and Dictionary.

Password crack: Attempting to reverse calculate the password is called "cracking." Cracking is used when a copy of the Security Account Manager data file can be obtained. A possible password is run through the hashing algorithm and compared against the SAM file in an attempt to match up the password.

Brute Force: The application of computing and network resources to try every possible combination of options for a password.

Dictionary: A form of brute force for guessing passwords. The dictionary attack selects specific accounts and uses a list of commonly used passwords with which to guess.

To protect against password attacks, security administrators can implement controls that limit the number of attempts allowed (timeout) and require use of more characters and additional numbers and/or special characters to create stronger passwords.
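The two controls named in the answer above, attempt limiting with a lockout timeout and a minimum-complexity rule for new passwords, as a worked example. This Python code is added here and is not part of the exam or its answer key; the class and function names, the limits (5 failures, 15-minute lockout, 12-character minimum), and the injected clock are assumptions chosen for illustration.

```python
"""Two controls against password-guessing attacks: a per-account attempt
limiter with a lockout window, and a complexity check for new passwords.
Added example; names, limits and sample accounts are assumptions."""
import re
import time

MAX_FAILURES = 5            # failed attempts allowed before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
MIN_LENGTH = 12             # minimum length for a new password


class AttemptLimiter:
    """Counts consecutive failed logins per account and refuses attempts while locked.

    The clock is injected so the lockout window can be exercised without sleeping.
    """

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # account -> consecutive failure count
        self._locked_until = {}   # account -> clock value at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # The lock has expired: clear it and start counting afresh.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account):
        """Count one failed attempt; lock the account once the limit is reached."""
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
        return count

    def record_success(self, account):
        """A successful login resets the failure counter and any lock."""
        self._failures[account] = 0
        self._locked_until.pop(account, None)


def password_problems(candidate, min_length=MIN_LENGTH):
    """Return the complexity rules a proposed password fails (empty list = acceptable)."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    return problems


def attempt_login(limiter, account, supplied, verify):
    """Gate a login through the limiter; verify(account, supplied) is the real credential check.

    Returns "locked", "ok" or "denied". The lock check comes first so that a locked
    account is not verified at all, which is what bounds an online guessing attack.
    """
    if limiter.is_locked(account):
        return "locked"
    if verify(account, supplied):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "denied"
```

In a real deployment the failure counters and lock expiry would live in shared storage rather than in-process dictionaries, and the complexity rule would sit alongside a check against known-compromised passwords; the structure of the two controls is the same.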
Question 4
Answer one of the two options:
- Name and describe the three general causes of unethical and illegal behavior.
- Deterrence is an effective method of preventing unethical and illegal behavior. However, to be effective, three conditions about the system of deterrence must be met. Name and describe these conditions.

Correct Answer:
- The three general causes of unethical and illegal behavior are ignorance, accident, and intent. First, ignorance about policies and procedures may be a valid excuse for an employee if the organization had not properly disseminated the policy and trained the employees. Second, individuals with authorization and privileges to manage important company information may cause harm or damage by accident. Proper training and controls may help reduce accidental damage. Third, some individuals will simply choose unethical or illegal behavior with a clear intent to cause harm. Often, strong technical controls combined with vigorous prosecution (if the controls fail) can help protect your system from those with an intent to harm.
- It is generally agreed that laws and policies and their associated penalties only deter if the following three conditions are present:
  - Fear of penalty: Potential offenders must fear the penalty. Significant fines or imprisonment are more effective than verbal warnings and reprimands.
  - Probability of being caught: Potential offenders must believe there is a strong possibility of being caught. If they don't think they will be caught, the penalties themselves may not matter.
  - Probability of penalty being administered: Potential offenders must believe that once caught, the penalty will, in fact, be administered.

Question 5
The text identified five risk control strategies. Name and describe each, including a specific example of each strategy.

Correct Answer:
Defend - This risk control strategy attempts to prevent exposure by avoiding the exploitation of vulnerabilities. It is the preferred approach when feasible. Commonly, risk avoidance is accomplished by applying policy, training and education, and technology. For example, password attacks may be avoided by establishing a policy requiring use of strong passwords (with minimum length and complexity).
Transfer - This risk control strategy attempts to shift risk to other assets, other processes, or other organizations. This can be accomplished through outsourcing certain services or purchasing insurance to limit exposure.
Mitigate - This approach to risk control attempts to reduce the impact caused by an exploitation of vulnerability through proper planning and preparation. Typically, it involves the creation of incident response, disaster recovery, and business continuity plans.
Accept - This approach is the choice to do nothing and accept the status quo. Proper use of this approach should be based on the conclusion that the cost of protecting an asset is not justified based on the asset's value to the organization. Unfortunately, this approach is sometimes taken in error when an organization chooses to ignore risk or assume that "it won't happen to them".
Terminate - This approach directs the organization to avoid those business activities that introduce uncontrollable risks. For example, if a legacy system relies on a software package that is beyond the vendor's support period, it may need to be retired and replaced with a new system.

Question 6
If an organization has three information assets to evaluate for risk management, as shown in the accompanying data, which vulnerability should be evaluated for additional controls first? Which one should be evaluated last? Show your work in calculating the risk. Remember, risk can be calculated using the following formula:

R = (V * L) - ((V * L) * PoC) + ((V * L) * PoU), where V is the asset value (impact rating, etc.), L is the likelihood, PoC is percent controlled, and PoU is percent uncertainty.

Asset A has two vulnerabilities: it is susceptible to hardware failure at a likelihood of 0.2, and it is subject to a buffer overflow attack at a likelihood of 0.25. This asset has an impact rating of 80 with controls in place for the buffer overflow that reduces the impact of this vulnerability by 10 percent. You are 85 percent certain of the assumptions and data.

Asset B has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.125. The server has been assigned an impact value of 96, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. You are 90 percent certain of the assumptions and data.

Asset C has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.2. There are no controls in place on this asset; it has an impact rating of 25. You are 85 percent certain of the assumptions and data.

Correct Answer:
Asset A - Hardware Failure
R = (80*.2) - (80*.2*0) + (80*.2*.15) = 16 - 0 + 2.4 = 18.4

Asset A - Buffer Overflow
R = (80*.25) - (80*.25*.1) + (80*.25*.15) = 20 - 2 + 3 = 21

Asset B - Invalid Unicode values
R = (96*.125) - (96*.125*.75) + (96*.125*.1) = 12 - 9 + 1.2 = 4.2

Asset C - Unlogged Misuse
R = (25*.2) - (25*.2*0) + (25*.2*.15) = 5 - 0 + .75 = 5.75

From this data, we should focus first on Asset A's Buffer Overflow vulnerability, given its risk score of 21. The last vulnerability to be considered should be Asset B's invalid Unicode value vulnerability, given its low risk score of 4.2.
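The risk formula from Question 6, carried through in code over the four vulnerabilities given in the question, so the ranking can be reproduced and reused for other asset lists. This Python example is added here and is not part of the exam or its answer key; the data class and function names are assumptions, while the asset values, likelihoods, control percentages and certainty figures are the ones stated in the question (PoU is taken as 1 minus the stated certainty, exactly as the answer key does).

```python
"""Risk ranking with the course formula R = (V*L) - ((V*L)*PoC) + ((V*L)*PoU).
Added example; the Vulnerability class and ranked() are assumptions, the figures
come from the exam question."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str          # asset label
    name: str           # vulnerability label
    value: float        # V: the asset's impact rating
    likelihood: float   # L: likelihood of the vulnerability being exploited
    controlled: float   # PoC: fraction of the impact removed by existing controls
    certainty: float    # confidence in the estimates; PoU = 1 - certainty

    def risk(self) -> float:
        """Apply the formula term by term: base exposure, minus what controls remove,
        plus an allowance for uncertainty in the estimates."""
        base = self.value * self.likelihood
        uncertainty = 1.0 - self.certainty
        return base - base * self.controlled + base * uncertainty


# Figures from the exam question: three assets, four vulnerabilities.
VULNERABILITIES = [
    Vulnerability("Asset A", "Hardware Failure", 80, 0.2, 0.0, 0.85),
    Vulnerability("Asset A", "Buffer Overflow", 80, 0.25, 0.10, 0.85),
    Vulnerability("Asset B", "Invalid Unicode values", 96, 0.125, 0.75, 0.90),
    Vulnerability("Asset C", "Unlogged Misuse", 25, 0.2, 0.0, 0.85),
]


def ranked(vulns=VULNERABILITIES):
    """Return (label, risk) pairs with the highest risk first: the order in which
    vulnerabilities should be evaluated for additional controls. Scores are rounded
    to four decimals so floating-point noise does not affect ties or comparisons."""
    scored = [(f"{v.asset} - {v.name}", round(v.risk(), 4)) for v in vulns]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for label, r in ranked():
        print(f"{label}: R = {r}")
```

Note that the uncertainty term only ever adds to the score, so a vulnerability whose figures are poorly understood ranks higher than an otherwise identical one with well-founded estimates; that is the intended effect of the formula, and it is why Asset C (no controls, 85 percent certainty) scores above Asset B even though B's base exposure is larger.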
Tuesday, January 14, 2014
CIS 481-20: INTRO TO INFORM SECURITY EXAM 1 PART 2