Wednesday 8 May 2013

CS9224 - INFORMATION SECURITY -UNIT I



Subject Name: CS9224 - INFORMATION SECURITY
Unit - 1
1. What is C.I.A?
The C.I.A. triangle was the standard based on confidentiality, integrity, and availability. The C.I.A. triangle has expanded into a list of critical characteristics of information. 

2. Write a note on the history of information security
Computer security began immediately after the first mainframes were developed. Groups developing code-breaking computations during World War II created the first modern computers. Physical controls were needed to limit access to sensitive military locations to authorized personnel. Only rudimentary controls were available to defend against physical theft, espionage, and sabotage.

3. What is Rand Report R-609?
Information security began with Rand Corporation Report R-609. The Rand Report was the first widely recognized published document to identify the role of management and policy issues in computer security.

4. What is the scope of computer security?
The scope of computer security grew from physical security to include:
· Safety of the data
· Limiting unauthorized access to that data
· Involvement of personnel from multiple levels of the organization

5. Define Physical security
Physical security - to protect the physical items, objects, or areas of an organization from unauthorized access and misuse

6. Define Personal security
Personal security involves the protection of individuals or groups of individuals who are authorized to access the organization and its operations

7. Define Operations security
Operations security focuses on the protection of the details of particular operations or series of activities.

8. Define Communications security
Communications security - encompasses the protection of an organization's communications media, technology, and content

9. Define Network security
Network security - is the protection of networking components, connections, and contents

10. Define Information security
Information security - is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit the information 

11. What are the critical characteristics of information?
· Availability
· Accuracy
· Authenticity
· Confidentiality
· Integrity
· Utility
· Possession

12. What is NSTISSC Security model?
This refers to "The National Security Telecommunications and Information Systems Security Committee" document. This document presents a comprehensive model for information security. The model consists of three dimensions.

13. What are the components of an information system?
An Information System (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, and procedures necessary to use information as a resource in the organization

14. What is meant by balancing Security and Access?
• Balancing Security and Access
• It is impossible to obtain perfect security - it is not an absolute; it is a process
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect against threats

15. What are the approaches used for implementing information security?
• Bottom-up Approach
• Top-down Approach

16. What is SDLC?
· The Systems Development Life Cycle
· Information security must be managed in a manner similar to any other major system implemented in the organization
· Using a methodology ensures a rigorous process and avoids missing steps

17. Explain different phases of SDLC
Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance and Change

18. What is Security SDLC?
• Security Systems Development Life Cycle
• The same phases used in the traditional SDLC, adapted to support the specialized implementation of a security project
• The basic process is identification of threats and controls to counter them
• The SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions

19. How is information security viewed as a social science?
· Social science examines the behavior of individuals interacting with systems
· Security begins and ends with the people that interact with the system
· End users may be the weakest link in the security chain
· Security administrators can greatly reduce the levels of risk caused by end users, and create more acceptable and supportable security profiles

20. What are the information security roles to be played by various professionals in a typical organization?
· Senior Management - Chief Information Officer, Chief Information Security Officer
· Security Project Team
· The champion
· The team leader
· Security policy developers
· Risk assessment specialists
· Security professionals
· Systems administrators
· End users

21. What are the three types of data ownership and their responsibilities?
· Data Owner - responsible for the security and use of a particular set of information
· Data Custodian - responsible for the storage, maintenance, and protection of the information
· Data Users - the end system users who work with the information to perform their daily jobs supporting the mission of the organization

22. What is the difference between a threat agent and a threat?
A threat is a category of objects, persons, or other entities that pose a potential danger to an asset. Threats are always present. A threat agent is a specific instance or component of a threat. (For example, all hackers in the world are a collective threat; Kevin Mitnick, who was convicted for hacking into phone systems, was a threat agent.)

23. What is the difference between vulnerability and exposure?
The exposure of an information system is a single instance when the system is open to damage. Weaknesses or faults in a system or protection mechanism that expose information to attack or damage are known as vulnerabilities.

24. What is an attack?
An attack is an intentional or unintentional attempt to cause damage or otherwise compromise the information. If someone casually reads sensitive information not intended for his or her use, this is considered a passive attack. If a hacker attempts to break into an information system, the attack is considered active.

25. What is hacking?
Hacking can be defined positively and negatively. Positively: to write computer programs for enjoyment. Negatively: to gain access to a computer illegally.

26. What is a security blueprint?
The security blueprint is the plan for the implementation of new security measures in the organization. Sometimes called a framework, the blueprint presents an organized approach to the security planning process.

27. What is MULTICS?
MULTICS was an operating system, now obsolete. MULTICS is noteworthy because it was the first and only OS created with security as its primary goal. It was a mainframe, time-sharing OS developed in the mid-1960s by a consortium from GE, Bell Labs, and MIT.

28. What is ARPANET?
The Department of Defense in the US started a research program on the feasibility of a redundant, networked communication system to support the military's exchange of information. Larry Roberts, known as the founder of the Internet, developed the project from its inception.

29. Define E-mail spoofing
Information is authentic when the contents are original, as it was created, placed, stored, or transmitted. The information you receive as e-mail may not be authentic when its contents have been modified; this is known as e-mail spoofing.
