COIT 13211 Information Security – Term 1 2009
Assignment 1 - Short/Long Answer Questions

ASSIGNMENT DETAILS
Due date: End of Week 6
Part: Short/Long Answer Questions
Weighting: 15% of total assessment. Will be combined with Assignment 1 – Quiz (5%) to form 20% of total assessment.
Submission: Electronic (see course website for details)
Notes: Please use the answer format provided. Answer each question fully. Show calculations/working where possible. Answer questions in your own words. Ensure that you number and label each question as it appears on this document.

Name:
Student Number:
Result: /30

Answers will vary. Marks and part marks for anything sensible.

Question 1 (2 Marks)
Who are the people involved in the security development life cycle process? Who of these should lead the process?

Your Answer
2 marks total – 1 mark each point
Initiation and control of the SecSDLC is the responsibility of upper management. Responsible managers, contractors and employees are then utilized to execute the SecSDLC. The process is usually led by a senior executive, sometimes called the champion, who promotes the project and secures financial, administrative, and company-wide backing for the project; a project manager is then assigned the task of managing the project.

Question 2 (3 Marks)
Why is a methodology important in the implementation of information security? How does a methodology improve the process?

Your Answer
3 marks total – 1 mark each point
A methodology is important in the implementation of information security for two main reasons. First, it entails all the rigorous steps for the organization's employees to follow, therefore avoiding any unnecessary mistakes that may compromise the end goal (i.e., a comprehensive security posture). An example of this is that a methodology guides an organization to solve the root cause of an information security problem, not just its symptoms.
Second, a methodology increases the probability of success. Once a methodology is adopted, the personnel selected will be responsible for establishing key milestones and are made accountable for achieving the project goals. The methodology can greatly improve the process. For example, following the six steps of the SDLC (Systems Development Life Cycle) (investigation, analysis, logical design, physical design, implementation, and maintenance and change) allows development to proceed in an orderly, comprehensive fashion. Each step of the methodology may determine whether the project should be continued, outsourced, or postponed.

Question 3 (4 Marks)
An individual threat can be represented in more than one threat category. If a hacker hacks into a network, copies a few files, defaces the Web page, and steals credit card numbers, how many different threat categories does this attack cover?

Your Answer
4 marks total – 1 mark each point.
This attack covers:
- Deliberate acts are the main threat category for this type of attack because the hacker is deliberately trying to cause harm. Alternate answer: different subcategories that this attack could fall under are deliberate acts of espionage or trespass; deliberate acts of sabotage or vandalism; and deliberate acts of theft.
- Compromises to intellectual property – copying of files, defacing the web page, and stealing credit card numbers.
- Technical failures. For instance, if part of the organization's software has an unknown trap door, then this type of hacker attack could occur.
- The final category is management failure. This hacker attack could happen if management were to have a lack of sufficient planning and foresight to anticipate the technology needs of evolving business requirements.

Question 4 (2 Marks)
For a sniffer attack to succeed, what must the attacker do?
How can an attacker gain access to a network to use the sniffer system?

Your Answer
2 marks total
The attacker must first gain access to a network to install the sniffer. (½ mark)
Social engineering offers the best way for an attacker to gain access to a network to install a physical sniffer device. By convincing an unwitting employee to instruct the attacker as to the whereabouts of the networking equipment, the installation of the sniffer can be accomplished. (1½ marks)

Question 5 (2 Marks)
What is due care? Why would an organization want to make sure it exercises due care in its usual course of operations?

Your Answer
2 marks total
Due care is a legal standard measuring what any prudent person would do in the same situation in order to protect information and systems. (½ mark)
For example, any prudent security manager will have a good security policy, use least privilege when appropriate, implement a SETA (Security Education, Training and Awareness) program, use up-to-date technology, and have as many passive defence mechanisms as possible. The more the organization observes the due care concept, the less likely it will be liable for its employees' illegal and/or unethical actions. (1½ marks)

Question 6 (3 Marks)
Describe risk transference. Briefly describe how outsourcing can be used for risk transference.

Your Answer
2 marks total – 1½ marks each point
Risk transference is trying to shift the risk to other assets, other processes, or other organizations. This can be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or by implementing service contracts with providers.
Outsourcing allows an organization to transfer the risk associated with the management of complex systems to another organization that has experience in dealing with those risks.
One of the benefits of outsourcing is that the service provider is responsible for disaster recovery when recovery efforts are needed.

Question 7 (5 Marks)
A small bank has decided to create a web-based transaction system. Given the following two hardware assets, which vulnerability should be evaluated for additional controls first? Why? (Be sure to show all calculations)
An evaluation of the two hardware asset vulnerabilities gave:
Asset A: A web server. Its vulnerability involves a DoS attack with a likelihood of 0.1. The web server has an impact rating of 135. Assumptions made on this asset have a 95% certainty of occurring.
Asset B: This is a database server. It has a major vulnerability with a likelihood of 0.2 and an impact rating of 170. Assumptions made on this asset have an 80% certainty of occurring.

Your Answer
5 marks total. 2 marks each calculation. 1 mark for explanation.
Note: Formula does not need to be shown, only the working.

Calculating each risk/vulnerability:
Risk = (L × V) – CC + U
L = the likelihood of the occurrence of a vulnerability
V = the value of the information asset
CC = the percentage of risk mitigated by current controls
U = the uncertainty of current knowledge of the vulnerability
Or in another form:
Risk = (L × V) – CC × (L × V) + U × (L × V)
(where all percentages are converted to decimal notation)

Risk, Asset A (Web Server): L = 0.1, V = 135, U = 1 – 0.95 = 0.05, CC = 0
= (0.1)(135) – 0 + (0.1)(135)(0.05) (don't really need to show the 0)
= 14.175

Risk, Asset B (Database Server): L = 0.20, V = 170, U = 1 – 0.80 = 0.20, CC = 0
= (0.20)(170) – 0 + (0.20)(170)(0.20) (don't really need to show the 0)
= 40.8

Based on the above information, the vulnerability that should be evaluated first, due to its higher risk rating, is Asset B (Database Server).
(1 mark)

Question 8 (4 Marks)
(a) Your organization is in a cyclone/hurricane area which can experience at least one cyclone/hurricane per year. This leaves the company without electrical power for days, which impacts the company web server and its on-line Internet sales. When calculating the risk due to power outages, the annualized loss expectancy (ALE) is $250,000. As a countermeasure, it has been decided to purchase a backup diesel generator for standby electricity for the organization. The cost for this generating facility for the year is estimated to be $235,000, but it will lower the ALE to $35,000. Is this a cost-effective countermeasure? Why or why not?
(b) Your organization has decided to centralize anti-virus support on a server which automatically updates virus signatures on users' PCs when they log onto the network or when anti-virus upgrades are available. When calculating risk due to viruses, the annualized loss expectancy (ALE) is $145,000. The cost for this anti-virus countermeasure in a year is estimated to be $24,000, but it will lower the ALE to $65,000. Is this a cost-effective countermeasure? Why or why not?

ALE = Annualized Loss Expectancy
ACS = Annual Cost of Safeguard
CBA = Cost Benefit Analysis
CBA is whether or not the control alternative being evaluated is worth the associated cost incurred to control the specific vulnerability.

Your Answer
(a) 1 mark for calculation + 1 mark for explanation.
ALE (prior) = $250,000
ALE (post) = $35,000
ACS = $235,000
CBA = ALE(prior) – ALE(post) – ACS
= $250,000 – $35,000 – $235,000
= –$20,000
In this case the annual cost of the backup diesel generator is greater than the reduction in the loss expected from lost Internet sales. There is no positive benefit from installing the generator to provide backup power.

(b) 1 mark for calculation + 1 mark for explanation.
ALE (prior) = $145,000
ALE (post) = $65,000
ACS = $24,000
CBA = ALE(prior) – ALE(post) – ACS
= $145,000 – $65,000 – $24,000
= +$56,000
In this case the annual cost of the anti-virus countermeasure is less than the reduction in the loss expected from virus attacks. There is a positive benefit to installing the anti-virus countermeasure.

Question 9 (3 Marks)
What are some of the security documents available from the NIST Computer Resource Centre and why are they useful for the development of a security framework? You will need to browse to the NIST site and look around.

Your Answer
3 marks total
The documents available from the NIST Computer Resource Centre that can assist in the design of a security framework are (2 marks; ½ mark each document, up to 4):
- SP 800-12: Computer Security Handbook
- SP 800-14: Generally Accepted Security Principles and Practices
- SP 800-18: Guide for Developing Security Plans
- SP 800-26: Security Self-Assessment Guide for Information Technology Systems
- SP 800-30: Risk Management for Information Technology Systems
These documents can support the development of a security framework because they provide organizations with a basic skeleton for planning a blueprint. (1 mark)

Question 10 (2 Marks)
When is an IRP used? Is an IRP proactive planning?

Your Answer
2 marks total. 1 mark each point.
An Incident Response Plan (IRP) covers the identification of, classification of, and response to an incident. So it will be used when an incident is first detected by an organization. An IRP is more reactive than proactive, with the exception of the planning that must occur to prepare the IR teams to be ready to react to an incident.
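The risk-rating formula from Question 7 and the cost-benefit formula from Question 8, carried through in code as an added worked example. This is not part of the assignment or its answer key: the Vulnerability class and the rank_by_risk, cba and is_cost_effective functions are names chosen here, and the only inputs are the figures given in the two questions. The example generalizes slightly by validating the percentage inputs and by ranking any number of assets, so it can be reused for a larger asset inventory.

```python
"""Risk rating (Question 7) and cost-benefit analysis (Question 8), worked in code.

Added example; the class and function names below are not from the assignment.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Vulnerability:
    """One vulnerability on one asset, using the symbols defined in Question 7."""
    asset: str
    likelihood: float        # L: probability the vulnerability is exploited, 0..1
    value: float             # V: the asset's impact / value rating
    controls: float = 0.0    # CC: fraction of the risk mitigated by current controls
    certainty: float = 1.0   # confidence in the assumptions; U = 1 - certainty

    def __post_init__(self) -> None:
        # Percentages must already be in decimal form, as the answer key requires.
        for name in ("likelihood", "controls", "certainty"):
            x = getattr(self, name)
            if not 0.0 <= x <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {x}")
        if self.value < 0:
            raise ValueError("value must be non-negative")

    def risk(self) -> float:
        """Risk = (L x V) - CC*(L x V) + U*(L x V)."""
        base = self.likelihood * self.value
        uncertainty = 1.0 - self.certainty
        return base - self.controls * base + uncertainty * base


def rank_by_risk(vulns: Iterable[Vulnerability]) -> List[Vulnerability]:
    """Highest residual risk first: that asset is evaluated for additional controls first."""
    return sorted(vulns, key=lambda v: v.risk(), reverse=True)


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; a positive result means the safeguard pays for itself."""
    return ale_prior - ale_post - acs


def is_cost_effective(ale_prior: float, ale_post: float, acs: float) -> bool:
    """A countermeasure is cost-effective when its CBA is positive."""
    return cba(ale_prior, ale_post, acs) > 0


# Figures as given in Questions 7 and 8 (no current controls, so CC = 0).
ASSET_A = Vulnerability("Asset A (web server)", likelihood=0.1, value=135, certainty=0.95)
ASSET_B = Vulnerability("Asset B (database server)", likelihood=0.2, value=170, certainty=0.80)
GENERATOR = (250_000, 35_000, 235_000)   # (ALE prior, ALE post, ACS) for Question 8(a)
ANTIVIRUS = (145_000, 65_000, 24_000)    # (ALE prior, ALE post, ACS) for Question 8(b)


if __name__ == "__main__":
    for v in rank_by_risk([ASSET_A, ASSET_B]):
        print(f"{v.asset}: risk = {v.risk():.3f}")
    for label, figures in (("generator", GENERATOR), ("anti-virus", ANTIVIRUS)):
        verdict = "cost-effective" if is_cost_effective(*figures) else "not cost-effective"
        print(f"{label}: CBA = {cba(*figures):+,.0f} -> {verdict}")
```

Running the script reproduces the answer key: Asset B ranks first at 40.8 against 14.175 for Asset A, the generator has a CBA of -$20,000, and the anti-virus server has a CBA of +$56,000. Because the uncertainty term is added to the base risk, a vulnerability whose assumptions are poorly understood is deliberately rated higher, which is why a low-certainty asset can outrank a higher-likelihood one.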