COIT 13211 Information Security – Term 1 2009
Assignment 1 - Short/Long Answer Questions
ASSIGNMENT DETAILS
Due date:
Part:
Weighting:
Submission:
Notes:
End of Week 6
Short/Long Answer Questions
15% of total assessment. Will be combined with Assignment 1 –
Quiz (5%) to form 20% of total assessment.
Electronic (see course website for details)
 Please use the answer format provided.
 Answer each question fully. Show calculations/working where
possible.
 Answer questions in your own words.
 Ensure that you number and label each question as it appears
on this document.
Name:
Student Number:
Result:
/30
COIT 13211 Information Security – Term 1 2009
Assignment 1 - Short/Long Answer Questions
Answers will vary. Marks and part for anything sensible.
Question 1
(2 Marks)
Who are the people involved in the security development life cycle process? Who of
these should lead the process?
Your Answer
2 marks total – 1 mark each point
 Initiation and control of the SecSDLC is the responsibility of upper management.
Responsible managers, contractors and employees are then utilized to execute
the SecSDLC.
 The process is usually led by a senior executive, sometimes called the
champion, that promotes the project and secures financial, administrative, and
company wide backing of the project, then a project manager is assigned the
task of managing the project.
Question 2
(3 Marks)
Why is a methodology important in the implementations of information security? How
does a methodology improve the process?
Your Answer
3 marks total – 1 mark each point
A methodology is important in the implementation of information security for two main
reasons.
 First, it entails all the rigorous steps for the organizations’ employees to follow,
therefore avoiding any unnecessary mistakes that may compromise the end goal
(i.e., to have a comprehensive security posture). An example of this is that a
methodology guides an organization to solve the root cause of information
security problem, not just its symptoms.
 Second, methodology increases the probability of success. Once a methodology
is adopted, the personnel selected will be responsible for establishing key
milestones and make accountable to achieve the project goals.
 The methodology can greatly improve the process. For example, following the
six steps of the SDLC (Systems Development Life Cycle) (investigation, analysis,
logical design, physical design, implementation, and maintenance and change)
allows developments to proceed in an orderly, comprehensive fashion. Each step
of the methodology may determine whether the project should be continued,
outsourced, or postponed.
COIT 13211 Information Security – Term 1 2009
Assignment 1 - Short/Long Answer Questions
Question 3
(4 Marks)
An individual threat can be represented in more than one threat category. If a hacker
hacks into a network, copies a few files, defaces the Web page, and steals credit card
numbers, how many different threat categories does this attack cover?
Your Answer
4 marks total – 1 mark each point.
This attack covers:




Deliberate acts are the main threat category for this type of attack because the
hacker is deliberately trying to cause harm. Alternate answer. Different subcategories that this attack could fall under are deliberate acts of espionage or
trespass; deliberate acts of sabotage or vandalism; and deliberate acts of theft.
Compromises to intellectual property – copying of files, defacing the web page,
and stealing credit card numbers
Technical failures. For instance, if part of the organizations software has an
unknown trap door, then this type of hacker attack could occur.
The final category is management failure. This hacker attack could happen if
management were to have a lack of sufficient planning and foresight to anticipate
the technology need for evolving business requirements.
Question 4
(2 Marks)
For a sniffer attack to succeed, what must the attacker do? How can an attacker gain
access to a network to use the sniffer system
Your Answer
2 marks total
The attacker must first gain access to a network to install the sniffer. ½ mark
Social engineering offers the best way for an attacker to gain access to a network
to install a physical sniffer device. By convincing an unwitting employee to
instruct the attacker as to the whereabouts of the networking equipment, the
installation of the sniffer can be accomplished. 1½ marks
Question 5
(2 Marks)
What is due care? Why would an organization want to make sure it exercises due care
in its usual course of operations?
Your Answer
2 marks total
Due care is a legal standpoint measuring what any prudent person would do in
the same situation in order to protect information and systems. ½ mark
For example, any prudent security manager will have a good security policy, use
of least privilege when appropriate, implement the SETA (Security Education,
Training and Awareness) program, use up-to-date technology programs, and
have as much as possible passive defence mechanisms. The more the
organization observes the due care concept; the less likely it will be liable for its
employees’ illegal and/or unethical actions. 1½ marks
COIT 13211 Information Security – Term 1 2009
Assignment 1 - Short/Long Answer Questions
Question 6
(3 Marks)
Describe risk transference. Briefly describe how outsourcing can be used for risk
transference.
Your Answer
2 marks total – 1½mark each point
 Risk transference is trying to shift the risk to other assets, other processes, or
other organizations. This can be accomplished by rethinking how services are
offered, revising deployment models, outsourcing to other organizations,
purchasing insurance, or by implementing service contracts with providers.
 Outsourcing allows an organization to transfer the risk associated with the
management of complex systems to another organization that has experience in
dealing with those risks. One of the benefits of outsourcing includes that the
service provider is responsible for disaster recovery when recovery efforts are
needed.
Question 7
(5 Marks)
A small bank has decided to create a web based transaction system. Given the following
two hardware assets, which vulnerability should be evaluated for additional controls
first? Why? (Be sure to show all calculations)
An evaluation of the two hardware asset vulnerabilities gave:
Asset A: A web server.
Its vulnerability involves a DoS attack with a likelihood of 0.1
The web server has an impact rating of 135. Assumptions made on this asset
have a 95% certainty of occurring.
Asset B: This is a database server
It has a major vulnerability with a likelihood of 0.2 and an impact rating of 170.
Assumptions made on this asset have an 80% certainty of occurring.
Your Answer
5 marks total. 2 marks each calculation. 1 mark for explanation.
Note: Formula does not need to be shown only the working
Calculating each risk/vulnerability
Risk = (L x V) – CC + U
L = the likelihood of the occurrence of a vulnerability
V = the value of information asset
CC = the percentage of risk mitigated by current controls
U = the uncertainty of current knowledge of the vulnerability
Or in another form
Risk = (LxV) – CC*(LXV) + U*(LxV)
where all percentages are converted to decimal notation)
Risk; Asset A Web Server: L = 0.1, V =135, U = 1 -.95 = .05 CC = 0
= (0.1)(135) - 0 + (0.1)(135)(0.05) (don’t really need to show the 0)
= 14.175
COIT 13211 Information Security – Term 1 2009
Assignment 1 - Short/Long Answer Questions
Risk; Asset B Database Server: L = 0.20, V =170, U = 1 - .80 = .20 CC = 0
= (0.20)(170) – 0 + (0.20)(170)(0.20) (don’t really need to show the 0)
= 40.8
Based on the above information, the vulnerability that should be evaluated first due to its
highest risk rating is the Asset B (Database Server). 1 mark
Question 8
(4 Marks)
(a) Your organization is in a cyclone/hurricane area which can experience at least
one cyclone/hurricane per year. This leaves the company without electrical
power for days which impacts on the company web server and its on-line Internet
sales. When calculating the risk due to power outages, the annualized loss
expectancy (ALE) is $250,000. As a countermeasure, it has been decided to
purchase a backup diesel generator for standby electricity for the organization.
The cost for this generating facility for the year is estimated to be $235,000, but it
will lower the ALE to $35,000. Is this a cost-effective countermeasure? Why or
why not?
(b) Your organization has decided to centralize anti-virus support on a server which
automatically updates virus signatures on user’s PCs when the log onto the
network or when anti-virus upgrades are available. When calculating risk due to
viruses, the annualized loss expectancy (ALE) is $145,000. The cost for this antivirus countermeasure in a year is estimated to be $24,000, but it will lower the
ALE to $65,000. Is this a cost-effective countermeasure? Why or why not?
ALE = Annualized Loss Expectancy
ACS = Annual Cost of Safeguard
CBA = Cost Benefit Analysis
CBA is whether or not the control alternative being evaluated is worth the associated
cost incurred to control the specific vulnerability.
Your Answer
(a) 1 mark for calculation + 1 mark for explanation.
ALE (prior)
= $250,000
ALE (post)
= $ 35,000
ACS
= $235,000
CBA = ALE(Prior) – ALE(Post) – ACS
= $250,000 - $35,000 - $235,000
= -$20,000
In this case the cost of the backup diesel generator plus its annual cost is greater than
the loss expected by the loss of Internet sales. There are no positive benefits by
installing the generator to provide backup power.
COIT 13211 Information Security – Term 1 2009
Assignment 1 - Short/Long Answer Questions
(b) 1 mark for calculation + 1 mark for explanation.
ALE (prior)
= $145,000
ALE (post)
= $ 65,000
ACS
= $ 24,000
CBA = ALE(Prior) – ALE(Post) – ACS
= $145,000 -$65,000 – $24,000
= +$56,000
In this case the cost of the anti-virus countermeasures plus its annual cost are less than
the loss expected from virus attacks. There are positive benefits to installing the virus
countermeasures.
Question 9
(3 Marks)
What are some of the security documents available from the NIST Computer Resource
Centre and why are they useful for the development of a security framework? You will
need to browse to the NIST site and look around.
Your Answer
3 marks total
The documents available from the NIST Computer Resource Centre that can assist in
the design of a security framework are: 2 marks. ½ mark each document up to 4.
SP 800-12: Computer Security Handbook
SP 800-14: Generally Accepted Security Principles and Practices
SP 800-18: Guide for Developing Security Plans
SP 800-26: Security Self-Assessment Guide for Information Technology Systems
SP 800-30: Risk Management for Information Technology Systems
These documents can support the development of a computer framework
because they provide organizations with a basic skeleton for planning a blueprint.
1 mark
Question 10
When is IRP used? Is an IRP proactive planning?
Your Answer
(2 Marks)
2 marks total. 1 mark each point.
 An Incident Response Plan (IRP) covers the identification of classification of, and
response to an incident. So it will be used when an incident is first detected by an
organization.
 An IRP is more reactive, than proactive, with the exception of the planning that
must occur to prepare the IR teams to be ready to react to an incident.
Download

COIT13211_T109_Ass1_Solution