QUESTION BANK
IT2042 INFORMATION SECURITY
www.getmyuni.com
SYLLABUS
UNIT I FUNDAMENTALS (9 periods)
History, What is Information Security?, Critical Characteristics of Information, NSTISSC Security
Model, Components of an Information System, Securing the Components, Balancing Security and
Access, The SDLC, The Security SDLC
UNIT II SECURITY INVESTIGATION (9 periods)
Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues
UNIT III SECURITY ANALYSIS (9 periods)
Risk Management: Identifying and Assessing Risk, Assessing and Controlling Risk
UNIT IV LOGICAL DESIGN (9 periods)
Blueprint for Security, Information Security Policy, Standards and Practices, ISO 17799/BS 7799,
NIST Models, VISA International Security Model, Design of Security Architecture, Planning for
Continuity
UNIT V PHYSICAL DESIGN (9 periods)
Security Technology, IDS, Scanning and Analysis Tools, Cryptography, Access Control Devices,
Physical Security, Security and Personnel
TOTAL: 45 PERIODS
TEXT BOOK:
1. Michael E. Whitman and Herbert J. Mattord, “Principles of Information Security”, Vikas
Publishing House, New Delhi, 2003
REFERENCES:
1. Micki Krause, Harold F. Tipton, “Handbook of Information Security Management”, Vol 1-3, CRC
Press LLC, 2004.
2. Stuart McClure, Joel Scambray, George Kurtz, “Hacking Exposed”, Tata McGraw-Hill, 2003.
3. Matt Bishop, “Computer Security Art and Science”, Pearson/PHI, 2002.
Unit 1
2 Marks
1. What is information security?
2. What is C.I.A?
3. Write a note on the history of information security
4. What is Rand Report R-609?
5. What is the scope of computer security?
6. What is Security?
7. Define Physical security
8. Define Personal Security
9. Define Operations security
10. Define Communications security
11. Define Network security
12. Define Information security
13. What are the critical characteristics of information?
14. What is NSTISSC Security model?
15. What are the components of an information system?
16. What is meant by balancing Security and Access?
17. What are the approaches used for implementing information security?
18. What is SDLC?
19. Explain different phases of SDLC
20. What is Security SDLC?
21. How is information security viewed as a social science?
22. What are the information security roles to be played by various professionals in a
typical organization?
23. What are the three types of data ownership and their responsibilities?
24. What is the difference between a threat agent and a threat?
25. What is the difference between vulnerability and exposure?
26. What is attack?
27. What is hacking?
28. What is security blue print?
29. What is MULTICS?
30. What is ARPANET?
31. Define E-mail spoofing
16 Marks
1) Explain the four important functions that information security performs in an organization
2) What are dual-homed host firewalls? Explain.
3) What are deliberate acts of espionage or trespass? Give examples.
4) What are deliberate software attacks?
5) Explain in detail the different types of cryptanalytic attacks
6) Enumerate different types of attacks on computer-based systems.
7) What are the different US laws and international laws on computer-based crimes?
8) Explain in detail the legal, ethical and professional issues during the security investigation
9) What are threats? Explain the different categories of threat
10) What is the code of ethics to be adhered to by information security personnel, as stipulated by
different professional organizations?
11) What is intellectual property? How can it be protected?
12) Who are hackers? Explain their levels
13) Explain the attack replication vectors
14) Discuss in detail the forces of nature affecting information security
15) Explain deliberate software attacks
Unit 2
2 Marks
1) What are the four important functions that information security performs in an
organization?
2) What are threats?
3) What are the different categories of threat? Give examples.
4) What are the different acts of human error or failure?
5) How can human error be prevented?
6) What is intellectual property?
7) How can intellectual property be protected?
8) What are deliberate acts of espionage or trespass?
9) Who are hackers? What are the two hacker levels?
10) What is information extortion?
11) What are deliberate acts of sabotage and vandalism?
12) What is cyber terrorism?
13) What are the deliberate acts of theft?
14) What are deliberate software attacks?
15) What are the forces of nature affecting information security?
16) What are technical hardware failures or errors?
17) What are technical software failures or errors?
18) What is technological obsolescence?
19) What is an attack?
20) What is malicious code?
21) Define Virus
22) Define Hoaxes
23) What is Distributed Denial-of-service (DDoS)?
24) What is Back Door?
25) Define Dictionary attack
26) What are the various forms of attacks?
27) What are the attack replication vectors?
28) What is Denial-of-service (DoS)?
29) Define Spoofing
30) Define Man-in-the-Middle
16 Marks
1) Explain the four important functions that information security performs in an organization
2) What are dual-homed host firewalls? Explain.
3) What are deliberate acts of espionage or trespass? Give examples.
4) What are deliberate software attacks?
5) Explain in detail the different types of cryptanalytic attacks
6) Enumerate different types of attacks on computer-based systems.
7) What are the different US laws and international laws on computer-based crimes?
8) Explain in detail the legal, ethical and professional issues during the security investigation
9) What are threats? Explain the different categories of threat
10) What is the code of ethics to be adhered to by information security personnel, as stipulated
by different professional organizations?
11) What is intellectual property? How can it be protected?
12) Who are hackers? Explain their levels
13) Explain the attack replication vectors
14) Discuss in detail the forces of nature affecting information security
15) Explain deliberate software attacks
Unit 3
2 Marks
1. What is risk management?
2. What are the roles to be played by the communities of interest to manage the risks an
organization encounters?
3. What is the process of risk identification?
4. What are asset identification and valuation?
5. What is asset information for people?
6. What are hardware, software, and network asset identification?
7. What is asset information for procedures?
8. What is asset information for data?
9. How are information assets classified?
10. Define the process of information asset valuation.
11. What are the questions to assist in developing the criteria to be used for asset
valuation?
12. Define data classification and management.
13. What are security clearances?
14. Explain the process of threat identification.
15. How are threats identified and prioritized?
16. What are the different threats faced by an information system in an organization?
17. What is vulnerability identification?
18. What is risk assessment?
19. Mention the risk identification estimate factors
20. Give an example of Risk determination.
21. What is residual risk?
22. What is access control?
23. What are the different types of Access Controls?
24. What is the goal of documenting results of the risk assessment?
25. Mention the strategies to control the vulnerable risks.
26. What are the different risk control strategies?
27. Write short notes on Incident Response Plan
28. Define Disaster Recovery Plan
29. Define Business Continuity Plan
30. What are different categories of controls?
16 Marks
1. What is risk management? State the methods of identifying and assessing risk management
2. Discuss in detail the process of assessing and controlling risk management issues
3. What is risk management? Why is the identification of risks by listing assets and vulnerabilities
so important in the risk management process?
4. Explain in detail different risk control strategies
5. Explain asset identification and valuation
6. Explain in detail the three types of security policies (EISP, ISSP and SysSP).
7. What is Information Security Blue print? Explain its salient features.
8. Explain the roles to be played by the communities of interest to manage the risks an
organization encounters
9. Explain the process of Risk assessment
10. Explain briefly the plans adopted for mitigation of risks
11. Explain how the risk controls are effectively maintained in an organization
12. Explain in detail the process of asset identification for different categories
13. Explain the process of information asset valuation
14. Discuss briefly data classification and management
15. Explain the process of threat identification.
16. Explain the process of vulnerability identification and assessment for different threats faced by
an information security system
17. Write short notes on a) Incident Response Plan b) Disaster Recovery Plan c) Business
Continuity Plan
Unit 4
2 Marks
1. What is a policy?
2. What are the three types of security policies?
3. What is Security Program Policy?
4. Define Issue-Specific Security Policy (ISSP)
5. What are ACL Policies?
6. What is Information Security Blueprint?
7. Define ISO 17799/BS 7799 Standards and their drawbacks
8. Mention the Drawbacks of ISO 17799/BS 7799
9. What are the objectives of ISO 17799?
10. What are the alternative security models available other than ISO 17799/BS 7799?
11. List the management controls of NIST SP 800-26
12. Mention the Operational Controls of NIST SP 800-26
13. What are the Technical Controls of NIST 800-26?
14. What is Sphere of protection?
15. What is Defense in Depth?
16. What is Security perimeter?
17. What are the key technological components used for security implementation?
18. What is Systems-Specific Policy (SysSP)?
19. What is the importance of blueprint?
20. What are the approaches of ISSP?
16 Marks
1. What are ISO 7799 and BS7799? Explain their different sections and salient features.
2. Explain salient features of NIST security models.
3. Explain with diagrams the design of security architecture.
4. Explain how information security policy is implemented as procedure
5. What are the three types of security policies? Explain
6. Compare and contrast the ISO 17700 with BS 7799 NIST security model
7. Explain the NIST security model
8. List the styles of security architecture models. Discuss them in detail
9. Explain NIST SP 800-14
10. Explain Sphere of protection with a neat sketch
11. Explain the key technological components used for security implementation
12. Write short notes on
i. Defense in depth
ii. Security perimeter
13. Write short notes on
i. Incident Response Plan (IRP)
ii. Disaster Recovery Plan
iii. Business Continuity Plan
14. What is Business Impact Analysis? Explain different stages of BIA in detail.
15. Explain Key technology component
Unit 5
2 Marks
1. What are firewalls?
2. Explain different generations of firewalls.
3. Mention the functions of first generation firewalls
4. What are the restrictions of first generation firewalls?
5. What is the advantage of second generation firewalls?
6. Define stateful inspection firewall
7. What is the disadvantage of third generation firewalls?
8. What is the function of fifth generation firewalls?
9. How are firewalls categorized by processing mode?
10. What is the drawback of a packet-filtering router?
11. What are screened-host firewall systems?
12. What is the use of an application proxy?
13. What are dual-homed host firewalls?
14. What is the use of NAT?
15. What are screened-subnet firewalls?
16. What are the factors to be considered while selecting the right firewall?
17. What are SOCKS servers?
18. What are the recommended practices in designing firewalls?
19. What are intrusion detection systems (IDS)?
20. What are the different types of IDSs?
21. Define NIDS
22. What is HIDS?
23. What is the use of HIDS?
24. What is application-based IDS?
25. What is signature-based IDS?
26. What is LFM?
27. What are honey pots?
28. What are honey nets?
29. What are padded cell systems?
30. What are the advantages and disadvantages of using the honey pot or padded cell
approach?
31. What are footprinting and fingerprinting?
32. What are vulnerability scanners?
33. Define packet sniffers
34. What is cryptography?
35. What is cryptanalysis?
36. Define encryption
37. Define decryption
38. What is Public Key Infrastructure (PKI)?
39. What are the PKI benefits?
40. How are e-mail systems secured?
41. What are the seven major sources of physical loss?
42. What is a secure facility?
43. What are the controls used in a secure facility?
44. What are the functions of a Chief Information Security Officer?
16 Marks
1. Explain in detail
i. Firewalls categorized by processing mode
ii. Different generations of firewall
2. Explain in detail different firewall architectures (OR) Write short notes on
iii. Packet filtering Routers
iv. Screened host firewall
v. Screened subnet firewalls (with DMZ)
3. What are the factors to be considered in selecting a right firewall?
4. Explain how firewalls are configured and managed?
5. Outline some of the best practices for firewall use.
6. What are firewall rules? Explain different firewall rule sets.
7. What is an intrusion detection system (IDS)? Explain the different reasons for using IDS and the different
terminology associated with IDS.
8. What are different types of Intrusion Detection Systems available? Explain with diagrams
9. Write short notes on
vi. Network-based IDS
vii. Host-based IDS
viii. Application-based IDS
ix. Signature-based IDS
10. What are honey pots, honey nets and padded cell systems? Explain each.
11. What is attacking protocol? Explain a) footprinting and b) fingerprinting.
12. What are the purposes of scanning and analysis tools? Who will be using these tools?
Explain the functioning of a few of these tools.
13. What is cryptography? Define the various encryption terms used.
14. What is the RSA algorithm? Explain its different steps.
15. What are different possible attacks on crypto systems?
16. List and describe four categories of locks?
17. Explain with a diagram different positions in Information security.
18. What are the functions of a) CISO, b) Information Security Manager, and c) Security Technician?
19. How are the credentials of information security personnel assessed?
20. What certifications should information security personnel acquire to fit into
their roles?
UNITWISE IMPORTANT QUESTIONS
UNIT I
1. Explain in detail about software development life cycle process
2. What is SDLC? Illustrate the security of SDLC
3. Explain in detail about components of information system.
4. Discuss in detail NSTISSC security model
UNIT II
1. Discuss in detail the Legal, Ethical and Professionalism issues during security
investigation
2. Explain in detail the different types of cryptanalytic attacks.
3. Explain in detail about different type of threats
4. Explain in detail about legal issues during security investigation?
UNIT III
1. Explain in detail about Risk Control strategy
2. What is risk Management? State the methods of identifying and assessing risk
management
3. Explain in detail about Risk Control Cycle
4. Explain in detail about Risk handling decision points
5. Explain in detail Cost Benefit Analysis and Exposure Factor
UNIT IV
1. List the styles of architecture security models. Discuss them in detail
2. Briefly explain the NIST SECURITY MODEL
3. Explain in detail about designing of security architecture
4. Explain in detail about planning for continuity.
UNIT V
1. Explain in detail about IDS and its types.
2. Write short notes on scanning and analysis tools used during design
3. Write notes on the control devices used in security design
4. What is cryptography? Discuss the authentication models used in cryptography.
5. What is intrusion detection system? Explain its types in detail.
UNIVERSITY QUESTION PAPERS
B.E/B.Tech DEGREE EXAMINATION, NOVEMBER/DECEMBER 2007
Seventh Semester
Computer Science and Engineering
CS 1014 - INFORMATION SECURITY
(Regulation 2004)
Time: Three hours
Maximum: 100 Marks
Answer ALL questions
PART A - (10 × 2 = 20 marks)
1. State the critical Characteristics of information.
2. List the components used in security models.
3. Name the counter measure on threats.
4. Differentiate between threats and attacks.
5. Mention the benefits of risk management.
6. State the roles involved in risk management.
7. Name the people affected in security policies.
8. State the pros of VISA international security model.
9. List any two IDS. Mention its category of classification.
10. What are the basic functions of access control devices?
PART B - (5 × 16 = 80 marks)
11 (a) Discuss in detail the NSTISSC security model. (16)
Or
(b) What is SDLC? Illustrate the security of SDLC. (16)
12 (a) Explain in detail the different types of cryptanalytic attacks. (16)
Or
(b) Discuss in detail the Legal, Ethical and Professional issues during the security investigation.
(16)
13 (a) What is risk management? State the methods of identifying and assessing risk
management. (16)
Or
(b) Discuss in detail the process of assessing and controlling risk management issues. (16)
14 (a) (i) Compare and contrast the ISO 17700 with BS 7799 NIST security models. (10)
(ii) Briefly explain the NIST security model. (6)
Or
(b) List the styles of architecture security models. Discuss them in detail. (16)
15 (a) (i) What is intrusion detection system? Explain its types in detail. (10)
(ii) Write short notes on scanning and analysis tools used during the security design. (6)
Or
(b) (i) What is cryptography? Discuss the authentication models used in cryptography. (10)
(ii) Write short notes on the control devices used in security design. (6)
******************************************************************************************************
B.E/B.Tech DEGREE EXAMINATION, NOVEMBER/DECEMBER 2008
Seventh Semester
Computer Science and Engineering
CS 1014 - INFORMATION SECURITY
(Regulation 2004)
Time: Three hours
Maximum: 100 Marks
Answer ALL questions
PART A (10 x 2 = 20 marks)
1. Mention the components of Information security.
2. How is the top-down approach to information Security superior to the bottom-up approach?
3. What are the types of password attacks?
4. What is the difference between Criminal law and Civil law?
5. Why do networking components need more examination from an Information Security perspective
than from a Systems development perspective?
6. What is a cost-benefit analysis?
7. What is a policy? How does it differ from a law?
8. When do we call attacks incidents?
9. Differentiate Symmetric encryption and Asymmetric encryption.
10. What is a honey pot?
PART B (5 x 16 = 80)
11. (a) (i) How has Computer Security evolved into modern Information security? Explain. (8)
(ii) Why is a methodology important in the implementation of Information Security?
How does a methodology improve the process? Explain. (8)
(or)
(b) What are the phases in the Security Systems development life cycle? Explain in detail. (16)
12. (a) (i) Describe the three general categories of unethical and illegal behaviour. (8)
(ii) What can be done to deter someone from committing a crime? Explain. (8)
(or)
(b)(i) What is a buffer overflow? How is it used against a web server? Explain. (12)
(ii) How do worms differ from viruses? (4)
13.(a) Describe Risk mitigation. Explain the planning approaches to mitigate risks. (16)
(or)
(b) Define risk management, risk identification and risk control. Illustrate it with a real time
application. (16)
14. (a) Classify each of the following occurrences as an incident or disaster. If an occurrence is a disaster, determine
whether business continuity plans would be called into play.
(i) A hacker gets into the network and deletes files from a server.
(ii) A fire breaks out in the storeroom and sets off sprinklers on that floor. Some computers are damaged, but the
fire is controlled.
(iii) Employees go on strike, and the company could be without critical workers for weeks.
(iv) A disgruntled employee takes a critical server home, sneaking it out after hours.
For each of the scenarios above, describe the steps necessary to restore operations. Indicate whether law
enforcement would be involved. (4+4+4+4)
(or)
(b) What is Contingency planning? Describe its components. How is it different from routine management
planning? Explain. (16)
15. (a) (i) How do the security considerations for temporary or contract employees differ from those
of regular full-time employees? Explain. (8)
(ii) What is Collusion? How does the separation of duties influence collusion? Explain. (8)
(or)
(b) Describe the categories and operating models of Intrusion Detection Systems (IDS) in detail. (16)
****************************************************************************************************************************************
B.E./B.Tech. DEGREE EXAMINATION, NOVEMBER/DECEMBER 2011.
Seventh Semester
IT 2042 — INFORMATION SECURITY (Regulation 2008)
Answer ALL questions
PART A — (10 × 2 = 20 marks)
1. What is information security?
2. Why is a methodology important in implementing information security?
3. Why is information security a management problem?
4. Distinguish between DoS and DDoS.
5. What is risk management?
6. What is the difference between benchmark and baseline?
7. What is information security policy?
8. What are the inherent problems with ISO 17799?
9. Distinguish between symmetric and asymmetric encryption.
10. What are the credentials of information security professionals?
PART B — (5 × 16 = 80 marks)
11. (a) (i) Describe the critical characteristics of information. How are they used in the study of computer
security? (8)
(ii) Explain the security system development life cycle in detail. (8)
Or
(b) (i) Explain the NSTISSC security model and the top-down approach to security implementation.(8)
(ii) Briefly explain the components of an information system and their security. (8)
12. (a) (i) Explain the various groups of threats faced by an organization. (8)
(ii) Discuss the ethical concepts in information security and the prevention to illegal and unethical
behavior. (8)
Or
(b) (i) Explain the four important functions of information security in an organization. (8)
(ii) Describe the attack replication vectors and the major types of attacks. (8)
13. (a) (i) Describe the process of risk identification in detail. (8)
(ii) Discuss the risk control strategies that guide an organization. (8)
Or
(b) (i) Discuss the risk assessment and the documentation of its results. (8)
(ii) Explain the various feasibility studies considered for a project of information security controls
and safeguards. (8)
14. (a) (i) Explain the different types of information security policies. (8)
(ii) Discuss the features of VISA international security model. (8)
Or
(b) (i) Explain the NIST Security model in detail. (8)
(ii) Explain the various components used in designing the security architecture. (8)
15. (a) (i) Discuss the different types of intrusion detection systems. (8)
(ii) Describe the access controls used for providing physical security. (8)
Or
(b) (i) Write notes on scanning and analysis tools used during design.(8)
(ii) Discuss the cryptographic tools used for providing the security.(8)
******************************************************************************************************