UNIT I
PART A
1. What is Information Security?
Information security is the protection of information and its critical elements,
including the systems and hardware that use, store and transmit that information.
2. Define security.
Security is the quality or state of being secure – to be free from danger. It is the
protection against adversaries.
3. What are the levels of security?
- Physical security
- Personal security
- Operations security
- Communications security
- Network security
- Information security
4. What is the C.I.A. triangle?
The C.I.A. triangle has been the industry standard for computer security since the development of
mainframes. It is based on the confidentiality, integrity and availability of information.
5. What are the characteristics of information?
Availability, accuracy, authenticity, confidentiality, integrity, utility and possession.
6. What is availability?
Availability enables authorized users to access information without interference or
obstruction and to receive it in the required format.
7. Define accuracy.
Accuracy is the state of information being free from mistakes or errors and having
values that the end users expect.
8. Define authenticity.
Authenticity is the quality or state of information being genuine or original rather
than a reproduction or fabrication. Information is authentic when it is in the same state in
which it was created, placed, stored or transferred.
9. What is confidentiality?
Information has confidentiality when disclosure or exposure to unauthorized
individuals or systems is prevented. Only the persons with the rights and privileges to access
information are able to do so.
10. What are the measures to protect the confidentiality of information?
- Information classification
- Secure document storage
- Application of general security policies
- Education of information custodians and end users.
11. What is an information system?
Information system is the entire set of software, hardware, data, people, procedures
and networks necessary to use information as a resource in the organization.
12. What are the components of an information system?
- Software
- Hardware
- Data
- People
- Procedures
- Networks
13. What is the McCumber cube?
The McCumber cube is a model created by John McCumber in 1991. It provides a
graphical representation of the architectural approach widely used in computer and
information security.
14. What is integrity of information?
Information has integrity when it is whole, complete and uncorrupted.
15. What is file hashing?
File hashing is a method to assure information security. Here a file is read by a
special algorithm that uses the value of the bits in the file to compute a single large number
called the hash value. If the hash value returned is different from the already posted hash
value, then the file has been compromised.
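The procedure described in this answer, as an added example (not part of the original question bank): a file's bytes are fed through a hash algorithm, the result is compared with the already posted hash, and any difference flags the file as modified. The file content and the "posted" hash are constructed inside the block so it runs offline; SHA-256 and the constant-time comparison are choices made here, not specified by the text.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # read large files in 64 KiB pieces instead of all at once


def compute_file_hash(path: str, algorithm: str = "sha256") -> str:
    """Read the file's bytes through a cryptographic hash and return the hex digest."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_file(path: str, posted_hash: str, algorithm: str = "sha256") -> bool:
    """Return True only if the file's current hash equals the posted (reference) hash.

    compare_digest runs in constant time, so the comparison does not leak how many
    leading characters of the hash matched.
    """
    current = compute_file_hash(path, algorithm)
    return hmac.compare_digest(current.lower(), posted_hash.strip().lower())


def demo() -> dict:
    """Constructed scenario: publish a hash, verify the intact file, then change one byte."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.txt")
        with open(path, "wb") as fh:
            fh.write(b"allow_remote_admin=false\n")  # constructed sample content
        posted = compute_file_hash(path)            # the "already posted" hash value
        intact = verify_file(path, posted)           # expected: True
        with open(path, "r+b") as fh:                # single-byte change, same file length
            fh.seek(len(b"allow_remote_admin="))
            fh.write(b"t")                           # "false" becomes "talse"
        after_change = verify_file(path, posted)     # expected: False
    return {"posted": posted, "intact_ok": intact, "modified_ok": after_change}


if __name__ == "__main__":
    print(demo())
```

Note that the check is only as trustworthy as the posted hash: if the reference value is fetched over the same channel as the file, an attacker who can alter the file can alter the hash too, which is why reference hashes are normally published separately or signed.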
16. Define utility of data.
The utility of information is the quality or state of having value for some purpose or
end. It has value only when it can serve a particular purpose.
17. Compare the breach of possession and breach of confidentiality.
If information is taken away from one's possession, it is called a breach of
possession. If the information cannot be interpreted, there is only a breach of possession and
not a breach of confidentiality. If, for example, the decryption techniques are also found and
the information can be read, then there is a breach of confidentiality. A breach of possession
might not always result in a breach of confidentiality. A breach of confidentiality always results
in a breach of possession.
18. Differentiate direct attack and indirect attack.
In a direct attack the hacker uses his personal computer to break into a system. In an
indirect attack a system is compromised and used to attack other systems.
19. How is a computer used as a subject of attack and an object of attack?
A computer can be either the subject of an attack – an agent entity used to conduct the
attack – or an object of attack – the target entity.
20. What are the approaches to implement information security?
The top-down approach and the bottom-up approach are used to implement
information security.
21. Define methodology. What are its advantages?
Methodology is a formal approach to solving a problem based on a structured
sequence of procedures. Using methodology ensures a rigorous process and avoids missing
those steps that can lead to compromising the end goal.
22. What are the phases in SDLC?
- Investigation
- Analysis
- Logical design
- Physical design
- Implementation
- Maintenance and change
23. What is SecSDLC?
SecSDLC unifies the process of implementing information security by identifying
specific threats and creating specific controls to counter those threats.
24. What is media sanitization?
Media sanitization ensures that the data is deleted, erased and written over as
necessary.
25. What is EISP?
EISP stands for Enterprise Information Security Policy. It outlines the
implementation of a security program within the organization.
26. What is email spoofing?
It is the process of sending an email message with the address of the originator
modified. Spoofing the sender’s address can fool the email recipient into thinking that the
message is legitimate traffic.
UNIT I
PART B
1. Write notes on the critical characteristics of information.
2. Write about the components of an information system.
3. Write notes on the NSTISSC security model.
4. Write in brief about the levels of security in an organization.
5. Write notes on confidentiality and integrity.
PART C
1. Explain in detail the history of information security.
2. Write in detail about the Software Development Life Cycle.
3. Explain the phases of SecSDLC.
4. Explain the critical characteristics of information.
5. a. How will you balance information security and information access?
   b. Write about the approaches to information security implementation.
UNIT II
PART A
1. What are the important functions of information security for an organization?
Information security performs 4 important functions for an organization.
- Protects the organization's ability to function.
- Enables the safe operation of applications implemented on the organization's IT
systems.
- Protects the data the organization collects and uses.
- Safeguards the technology assets in use at the organization.
2. Compare threat and attack.
Threat is an object, person or other entity that represents a constant danger to an asset.
3. Name any 4 categories of threat.
Acts of human error, forces of nature, deviations in quality of service, technological
obsolescence
4. What is industrial espionage?
When information gatherers employ techniques that cross the threshold of what is
legal or ethical, they are conducting industrial espionage.
5. What is competitive intelligence?
Legal techniques of gathering information are known as competitive intelligence.
6. What is shoulder surfing?
When individuals gather information they are not authorized to have by looking over
another individual's shoulder or viewing the information from a distance, it is called
shoulder surfing.
7. What are hackers? What are the types of hackers?
Hackers are people who use and create computer software to gain access to
information illegally. There are 2 major types of hackers.
- Expert hackers or elite hackers
- Unskilled hackers
8. What do you mean by script kiddies?
Script kiddies are hackers of limited skill who use expertly written software to attack
a system.
9. What are packet monkeys?
Script kiddies who use automated exploits to engage in distributed denial-of-service
attacks are packet monkeys.
10. What is a cracker?
An individual who cracks or removes software protection that is designed to prevent
unauthorized duplication is called a cracker.
11. What is a phreaker?
A phreaker hacks the public telephone network to make free calls or disrupt services.
12. Define malware.
Malware is malicious code created with the intent to destroy or steal information.
13. What are worms, viruses, and trojan horses?
Worm is a malicious program that replicates itself constantly without requiring
another program environment.
Virus consists of segments of code that perform malicious actions. This code attaches
itself to the existing program and takes control of that program’s access to the targeted
computer.
Trojan horses are software programs that hide their true nature, and reveal their
designed behavior only when activated.
14. What is a hoax?
A hoax is a deliberately fabricated falsehood made to masquerade as truth.
15. What are the various power irregularities?
- Spike – a momentary increase in voltage level.
- Surge – a prolonged increase in voltage level.
- Sag – a momentary low voltage.
- Brownout – a prolonged drop in voltage.
- Fault – loss of power for a moment.
- Blackout – lengthy loss of power.
16. What is a brute force attack?
The application of computing and network resources to try every possible
combination of options of a password is called a brute force attack.
17. What is spoofing?
Spoofing is a technique used to gain unauthorized access to computers, wherein the
intruder sends messages with a source IP address that has been forged to indicate that the
messages are coming from a trusted host.
18. What are zombies?
Zombies are machines that are directed remotely by the attacker to participate in the
DDoS attack.
19. What is DDoS?
DDoS stands for Distributed Denial of Service. It is an attack in which a coordinated
stream of requests is launched against a target from many locations at the same time.
20. Give the difference between spam and mail bomb.
Spam is unsolicited commercial e-mail. In mail bombing, an attacker routes large
quantities of e-mail to the target.
21. What are sniffers?
Sniffers are programs or devices that can monitor data traveling over a network. They
can be used for legitimate network management functions and for stealing information.
22. What is pharming?
Pharming is the redirection of legitimate web traffic to an illegitimate site for the
purpose of obtaining private information.
23. What is DNS cache poisoning?
The Domain Name Server can be exploited by causing it to transform a legitimate
host name into the invalid site's IP address. This form of pharming is called DNS cache
poisoning.
24. Define the terms laws, ethics and policy.
Laws are rules that mandate or prohibit certain behavior in society. They are drawn
from ethics.
Ethics are based on the moral attitudes or customs of a particular group.
Policy is a body of expectations that describe acceptable and unacceptable employee
behaviors in the workplace.
25. What are the types of laws?
- Criminal law
- Civil law
- Private law
- Public law
These are the four types of laws.
26. What are the US general computer crime laws?
The US general computer crime laws are as follows.
- Computer Fraud and Abuse Act of 1986
- National Information Infrastructure Protection Act of 1996
- USA PATRIOT Act of 2001
- USA PATRIOT Improvement and Reauthorization Act
- Computer Security Act of 1987
27. What are the categories of US laws relevant to information security?
The various categories of US laws with respect to information security are:
- General computer crime laws
- Privacy related laws
- Export and Espionage laws
- U.S. copyright laws
- Laws related to financial reporting
- State and local regulations
28. What are the laws regarding privacy of customer information?
The laws regarding the privacy of customer information are:
- The Federal Privacy Act of 1974
- Electronic Communications Privacy Act of 1986
- Health Insurance Portability and Accountability Act of 1996
- Financial Services Modernization Act
- Fraud and Related Activity in Connection with Identification Documents,
Authentication Features, and Information.
29. What are the fundamental principles of HIPAA?
The five fundamental principles of HIPAA are:
- Consumer control of medical information
- Boundaries on the use of medical information
- Accountability for the privacy of private information
- Balance of public responsibility for the use of medical information for the
greater good measured against impact to the individual.
- Security of health information.
30. What is FOIA?
FOIA stands for Freedom of Information Act of 1966. It allows any person to request
access to federal agency records or information that are not determined to be a matter of
national security.
31. What is TRIPS?
TRIPS stands for the Agreement on Trade Related Aspects of Intellectual Property
Rights. It was created by the World Trade Organization.
32. What is DHS?
DHS stands for Department of Homeland Security. It was created in 2003 through the
Homeland Security Act of 2002. DHS is made up of five directorates through which it carries
out its mission of protecting the people as well as the physical and informational assets of the
United States.
UNIT II
PART B
1. Write notes on any four categories of threats.
2. Write notes on the US laws related to privacy.
3. Write notes on HIPAA.
4. Write notes on TRIPS and DMCA.
5. What are the acts of trespass in information that breach the confidentiality of
information?
PART C
1. Explain the categories of threats.
2. Explain the various attacks on information.
3. Explain the US laws related to Information Security.
4. Write in detail about the international laws and legal bodies.
5. Write in detail about the professional organizations for information security.