
1. Classify the role of an attacker in compromising the three basic security
goals confidentiality, integrity and availability. Illustrate at least three
methods of compromising each basic security goal in a network. Also
highlight the security goal exploiting the session ID and reusing it, to open
up the same session without entering the user credentials. Draw and discuss
the method to achieve the same and prevent the operation.
Confidentiality
Confidentiality refers to an organization’s efforts to keep their data private or
secret. In practice, it’s about controlling access to data to prevent
unauthorized disclosure. Typically, this involves ensuring that only those
who are authorized have access to specific assets and that those who are
unauthorized are actively prevented from obtaining access.
As an example, only authorized Payroll employees should have access to the
employee payroll database. Furthermore, within a group of authorized users,
there may be additional, more stringent limitations on precisely which
information those authorized users are allowed to access. Another example:
it’s reasonable for ecommerce customers to expect that the personal
information they provide to an organization (such as credit card, contact,
shipping, or other personal information) will be protected in a way that
prevents unauthorized access or exposure.
Integrity
In everyday usage, integrity refers to the quality of something being whole
or complete. In InfoSec, integrity is about ensuring that data has not been
tampered with and, therefore, can be trusted. It is correct, authentic, and
reliable.
Ecommerce customers, for example, expect product and pricing information
to be accurate, and that quantity, pricing, availability, and other information
will not be altered after they place an order.
Banking customers need to be able to trust that their banking information
and account balances have not been tampered with. Ensuring integrity
involves protecting data in use, in transit (such as when sending an email or
uploading or downloading a file), and when it is stored, whether on a laptop,
a portable storage device, in the data center, or in the cloud.
Availability
Systems, applications, and data are of little value to an organization and its
customers if they are not accessible when authorized users need them. Quite
simply, availability means that networks, systems, and applications are up
and running. It ensures that authorized users have timely, reliable access to
resources when they are needed.
2. Consider a design for Defence Infrastructure Protection, which includes
the following components.
Encryption/Decryption
Hashing for passwords
Mail Security
Web Security
Intrusion Detection System
Firewall
Gateway Malware detector
Antivirus
Vulnerability Assessment
Organize these components in an effective way and justify the choice of
components.
a) Encryption / Decryption:
1. Enhance Data Security
Without any doubt, one of the most critical merits is strengthened data security.
Full disk encryption uses strong encryption algorithms to encrypt drives on your
PCs, thereby protecting all data stored in the drives. With FDE, even if the
drive is removed from the current computer and put into another device, the drive
data is still inaccessible without the correct key.
2. Auto Encrypt Data
Besides, unlike file or folder-level encryption, full disk encryption (FDE)
encrypts the data as soon as it’s stored to the hard drive. In other words, this
encryption process is completed automatically. Hence, it’s much more
convenient than file or folder encryption, which requires you to manually select
which file or folder is to be encrypted.
3. Avoid Encryption Errors
Building on the above point (fully automatic encryption), another virtue of FDE
is that it can avoid encryption errors. As we all know, to some extent, user
mistakes are inevitable. Hence, if you encrypt drive data manually, you
may make some mistakes. FDE avoids this.
b) Hashing for passwords
The advantage of hashing passwords is to further encrypt the password, making
it more secure and impossible to hack. Hashing scrambles the original data in a
deterministic way using an algorithm. The process is one-way and cannot be
reversed; therefore, if someone were able to obtain these hashed passwords, they
wouldn’t even be able to decipher the information. Each password has its own
unique hash, so one hash will never look similar to another hash even though the
passwords may be similar to each other, such as ‘password’ or ‘passwords’.
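The behaviour described above, as an added example that is not part of the original answer: it shows that two similar passwords give unrelated digests, and goes beyond the text by adding a per-user random salt and a slow key-derivation function so that equal passwords do not produce equal stored records. The function names and the iteration count are assumptions made for this example.

```python
# Added example: deterministic hashing versus salted password storage.
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for PBKDF2-HMAC-SHA256 in this example; tune for your hardware.
ITERATIONS = 600_000
SALT_LEN = 16


def unsalted_sha256(password: str) -> bytes:
    """Plain deterministic hash: the same password always gives the same digest."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # The two similar passwords from the text.
    a, b = unsalted_sha256("password"), unsalted_sha256("passwords")
    print("bits that differ:", differing_bits(a, b), "of 256")

    # Two users who pick the same password (constructed sample) get different records.
    salt1, rec1 = hash_password("password")
    salt2, rec2 = hash_password("password")
    print("same stored digest for both users?", rec1 == rec2)

    print("correct login accepted:", verify_password("password", salt1, rec1))
    print("near-miss login accepted:", verify_password("passwords", salt1, rec1))
```

What gets stored per user is the salt and the digest, never the password itself.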
c) Web Security
• Protection from malicious attacks on your network.
• Deletion and/or quarantining of malicious elements within a pre-existing
network.
• Prevents users from unauthorized access to the network.
• Denies programs access to certain resources that could be infected.
• Securing confidential information
d) IDS
They Can Be Tuned to Specific Content in Network Packets
Firewalls may be able to show you the ports and IP addresses that are used
between two hosts, but in addition a NIDS can be tuned to show you the
specific content within the packets. This can be used for uncovering
intrusions such as exploitation attacks or compromised endpoint devices that are
part of a botnet.
e) Firewall
Monitors Network Traffic
All of the benefits of firewall security start with the ability to monitor network
traffic. Data coming in and out of your systems creates opportunities for threats
to compromise your operations. By monitoring and analyzing network traffic,
firewalls leverage preestablished rules and filters to keep your systems
protected. With a well-trained IT team, you can manage your levels of
protection based on what you see coming in and out through your firewall.
f) Gateway Malware detector
Some networks are set up through a switch. A switch can be used for PCs with
similar protocols, meaning that they have similar hardware and software
installed. A gateway gives greater flexibility for your network since it can
translate data from computers with different systems. This means several
different types of PCs can be set up on the same gateway, and the same data
can be accessed from every computer.
g) Antivirus
The main role of an antivirus program is to stand against viruses and other
forms of malware. Viruses will not only cause damage to your data, they can
also degrade the overall system performance. All of this can happen without your
knowledge. The antivirus software installed on your computer detects and
removes this malware before it causes any harm to your computer.
h) Vulnerability Assessment
• Find out the security loopholes in their security environment and classify
them based on their impacts that can be caused.
• Fix those security vulnerabilities before an intruder finds and exploits them.
• Understanding of their IT infrastructure and taking a proactive approach
towards security.

3. Mr. X wants to develop an application for calculating the employee salary
as per the revised norms. Considering you as an expert in security, explain
to him some of the control mechanisms that can be applied during the
software development in order to protect his application against program
threats.
1. PREVENTIVE CONTROLS
➢ These are the first controls met by an opponent; they prevent security
violations and enforce access control.
➢ Like other controls, these may be physical, administrative or technical.
➢ Examples: Doors, security procedures and authentication requirements.
2. DETECTIVE CONTROLS
➢ Used to detect security violations and alert the defenders.
➢ They come into play when preventive controls have failed and are no less
crucial than preventive controls.
➢ Detective controls include cryptographic checksums, file integrity
checkers, audit trails and logs.
3. CORRECTIVE CONTROLS
➢ Try to correct the situation after a security violation has occurred.
➢ Although a violation has occurred, the data remains secure, so it makes
sense to try to fix the situation.
➢ Corrective controls vary widely, depending on the area being targeted,
and they may be technical or administrative in nature.
4. DETERRENT CONTROLS
➢ Intended to discourage potential attackers.
➢ Examples include notices of monitoring and logging as well as the visible
practice of sound information security management.
5. RECOVERY CONTROLS
➢ Rather like corrective controls, but they are applied in more serious
situations to recover from security violations and restore information and
information processing resources.
➢ Recovery controls may include disaster recovery and business continuity
mechanisms, backup systems and data, emergency key management
arrangements and similar controls.
6. COMPENSATING CONTROLS
➢ Intended to be alternative arrangements for other controls when the
original controls have failed or cannot be used.
➢ When a second set of controls addresses the same threats that are
addressed by another set of controls, it acts as a compensating control.

4. Email communication is unavoidable nowadays for information sharing
among all types of users. Do you agree that email is secure? If yes, justify
your answer with examples.
• You shouldn't be using your school email account for personal business.
Consider having all personal email forwarded to a Gmail account. Remember, if
you signed up for your Google account with a different email address - you
don't have a Gmail account but if you have a Gmail account - then you already
have a Google account
• With Gmail you aren't tied to one computer to retrieve your email. You can
access your Gmail account from any computer that has Internet access and even
your mobile phone! Just go to http://mail.google.com.
• Take advantage of Keyboard Shortcuts in Gmail to get through your email
even faster. To turn these case-sensitive shortcuts on or off, click Settings, and
then pick an option next to Keyboard shortcuts.
• Themes allow you to customize the look and feel of your Gmail account. Get
creative and choose one of the colored or artistic THEMES for your Gmail
page. In the upper right hand side of your Gmail page choose Settings / Themes
and pick the one that suits you.
• Gmail uses labels to help you organize with more flexibility. A conversation
can have several labels, so you're not forced to choose one particular folder for
messages. You can also create filters to automatically manage incoming mail.
Starring messages is another way you can organize your inbox.
• You can use Google SEARCH within Gmail to find the exact message you
want - no matter when it was sent or received. Don't sort your mail - SEARCH!
• You get TONS of space with Gmail. Instead of wasting time deleting old
messages - you can ARCHIVE email - which frees up space but is still
searchable if you need it sometime.
• You don't waste time with junk mail and unwanted messages. If an unwanted
message slips through to your inbox, just click on the SPAM button and the
spam filters will catch any further incoming mail from the sender BEFORE it
ever reaches your inbox.
• You can organize your replies into conversations. Within Gmail, each message
you SEND is grouped with all the responses you RECEIVE. As you receive
more responses, the threaded conversation grows and keeps track of it all in
chronological order.

5. Assume that you are working as a Network administrator in VIT CC.
You have been asked to set up a new laboratory on the 8th Floor of the
Academic block. Discuss your choice of network security mechanism
for controlling the incoming and outgoing network traffic for the new
laboratory.
A firewall is a network security device that monitors incoming and outgoing
network traffic and permits or blocks data packets based on a set of security
rules. Its purpose is to establish a barrier between your internal network and
incoming traffic from external sources (such as the internet) in order to block
malicious traffic like viruses and hackers.
How it works:
Firewalls carefully analyze incoming traffic based on pre-established rules and
filter traffic coming from unsecured or suspicious sources to prevent attacks.
Firewalls guard traffic at a computer’s entry point, called ports, which is where
information is exchanged with external devices. For example, “Source address
172.18.1.1 is allowed to reach destination 172.18.2.1 over port 22."
Think of IP addresses as houses, and port numbers as rooms within the house.
Only trusted people (source addresses) are allowed to enter the house
(destination address) at all—then it’s further filtered so that people within the
house are only allowed to access certain rooms (destination ports), depending
on if they're the owner, a child, or a guest. The owner is allowed to any room
(any port), while children and guests are allowed into a certain set of rooms
(specific ports).
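A sketch of the rule matching described above, as an added example that is not part of the original answer. The first rule is the one quoted in the text; the other rules, the host addresses 172.18.1.10 and 172.18.1.66, the first-match ordering and the default-deny policy are assumptions made for illustration.

```python
# Added example: first-match packet filtering with a default-deny policy.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str                         # source network in CIDR form (the visitor)
    dst: str                         # destination network in CIDR form (the house)
    ports: Optional[FrozenSet[int]]  # allowed rooms; None means any port


RULES: List[Rule] = [
    # The rule quoted in the text.
    Rule("allow", "172.18.1.1/32", "172.18.2.1/32", frozenset({22})),
    # Constructed "owner" host: may reach any port on the destination.
    Rule("allow", "172.18.1.10/32", "172.18.2.1/32", None),
    # Constructed blocked host: must come before the broader allow below.
    Rule("deny", "172.18.1.66/32", "0.0.0.0/0", None),
    # Constructed "guests": the rest of the subnet, web ports only.
    Rule("allow", "172.18.1.0/24", "172.18.2.1/32", frozenset({80, 443})),
]


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); index is None on default deny."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid destination port: {port}")
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for index, rule in enumerate(rules):
        if (s in ipaddress.ip_network(rule.src)
                and d in ipaddress.ip_network(rule.dst)
                and (rule.ports is None or port in rule.ports)):
            return rule.action, index   # first matching rule decides
    return "deny", None                 # nothing matched: block by default


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, destination port).
    packets = [
        ("172.18.1.1", "172.18.2.1", 22),
        ("172.18.1.1", "172.18.2.1", 23),
        ("172.18.1.10", "172.18.2.1", 3389),
        ("172.18.1.66", "172.18.2.1", 443),
        ("172.18.1.20", "172.18.2.1", 443),
        ("10.0.0.5", "172.18.2.1", 22),
    ]
    for src, dst, port in packets:
        action, index = evaluate(RULES, src, dst, port)
        print(f"{src} -> {dst}:{port}  {action} (rule {index})")
```

Moving the deny rule below the subnet-wide allow would let 172.18.1.66 reach port 443, which is why rule order is reviewed along with rule content.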

6. Social networking sites are becoming ever more popular, and many other
sites now let users add each other as friends. Discuss the effect that social
context has on (i) phishing; (ii) inference control; (iii) the market for
privacy; (iv) community detection.
a) Phishing
Phishing is a type of social engineering attack often used to steal user data,
including login credentials and credit card numbers. It occurs when an attacker,
masquerading as a trusted entity, dupes a victim into opening an email, instant
message, or text message. The recipient is then tricked into clicking a malicious
link, which can lead to the installation of malware, the freezing of the system as
part of a ransomware attack or the revealing of sensitive information.
b) Inference control
Inference control in databases, also known as Statistical Disclosure Control
(SDC), is a discipline that seeks to protect data so they can be published without
revealing confidential information that can be linked to specific individuals
among those to which the data correspond. SDC is applied to protect respondent
privacy in areas such as official statistics, health statistics, e-commerce (sharing
of consumer data), etc. Since data protection ultimately means data
modification, the challenge for SDC is to achieve protection with minimum loss
of the accuracy sought by database users.
c) Market for privacy
People value privacy differently. For example, different people are willing to
pay a range of premiums to conduct online transactions with added privacy
guarantees. Similarly, some individuals demand significantly more
compensation than others for having their location data tracked. These results
suggest the potential for a market in privacy interests. Allowing individuals to
buy and sell their privacy freely might be a boon to efficiency, in the same way
that removing a price floor or ceiling on a good reduces deadweight loss.
d) Community detection
The field of community detection aims to identify highly connected groups of
individuals or objects inside these networks; these groups are called
communities. The motives behind community detection are diverse: it can help
a brand understand the different groups of opinion toward its products, target
certain groups of people or identify influencers. It can also help an e-commerce
website build a recommendation system based on co-purchasing. The examples
are numerous.
7. The Children Act 2004 empowers the Government to establish child
protection databases for England and Wales which will, it is hoped, identify
cases of child abuse at an early stage. These databases will be fed with
medical and school records, police intelligence data, and social work
assessments. Social workers, doctors, nurses, teachers and police officers
will be able to query them. Sketch a possible security policy for such a
database, and discuss the most likely implementation problems.
Information Security Policy:
An information security policy (ISP) is a set of rules that guide individuals who
work with IT assets. Your company can create an information security policy to
ensure your employees and other users follow security protocols and
procedures. An updated and current security policy ensures that sensitive
information can only be accessed by authorized users.
8 Elements of an Information Security Policy:
• Purpose
Create an overall approach to information security. Detect and pre-empt
information security breaches such as misuse of networks, data, applications,
and computer systems.
• Audience
Define the audience to whom the information security policy applies. You may
also specify which audiences are out of the scope of the policy (for example,
staff in another business unit which manages security separately may not be in
the scope of the policy).
• Objectives
Confidentiality—only individuals with authorization should access data and
information assets
Integrity—data should be intact, accurate and complete, and IT systems must be
kept operational
Availability—users should be able to access information or systems when
needed
• Authority and access control
Network security policy—users are only able to access company networks and
servers via unique logins that demand authentication, including passwords,
biometrics, ID cards, or tokens. You should monitor all systems and record all
login attempts.
• Data classification
To ensure that sensitive data cannot be accessed by individuals with lower
clearance levels. To protect highly important data, and avoid needless security
measures for unimportant data.
• Data support
Data protection regulations—systems that store personal data, or other sensitive
data, must be protected according to organizational standards, best practices,
industry compliance standards and relevant regulations. Most security standards
require, at a minimum, encryption, a firewall, and anti-malware protection.
• Security awareness
Share IT security policies with your staff. Conduct training sessions to inform
employees of your security procedures and mechanisms, including data
protection measures, access protection measures, and sensitive data
classification. Social engineering—place a special emphasis on the dangers of
social engineering attacks (such as phishing emails). Make employees
responsible for noticing, preventing and reporting such attacks.
8. Describe briefly security policy models that might be suitable for protecting
(i) medical records;
(ii) police intelligence data;
(iii) school records.
a) Medical records
The Department of Behavioral Health (DBH) clinical/medical records are the
property of the department and are maintained for the treatment of the client and
the medical staff. It is the responsibility of the department to safeguard and
secure the medical information against loss, defacement, tampering, or use by
unauthorized person(s). Records may be removed from the department's
jurisdiction and safekeeping only as provided by law.
The Medical Records unit's responsibilities are to protect and safeguard
information and information systems against unauthorized user(s). This policy
statement applies to the security and confidentiality of patient information
created electronically or paper documents. Under no circumstances will any
staff member examine and/or divulge confidential client information unless
required in the clinical and/or administrative care of the client.
b) Police intelligence data
Protecting a computer network can be a very daunting task. Here we identify
some of the more important items that a police chief should consider. These
issues will apply whether the chief maintains and operates her own network, or
simply wants to be informed about the critical issues. For example, below we
discuss the following:
• Separating the Data and Segmenting the Network
• Protecting the Network
• Educating Users and Protecting the Host
• Planning for a Cyber Incident
c) School records
• All staff are responsible for the security of buildings and property.
• At the end of the School day each member of staff should ensure that all
windows and external doors are securely fastened prior to a final check by the
building supervisor.
• All staff are responsible for keeping buildings clear of all materials that can be
used for arson or vandalism.
• Adequate security lighting is installed and maintained/monitored by site staff.
• Risk assessments are in place and are reviewed by the person responsible for
health and safety and the Board of Governors annually.
9. You are developing a multi-user computer game, and wish to make it
harder for players to cheat. (a) Discuss the possible benefits of using (i)
encryption/authentication (ii) virus detection technology (iii) intrusion
detection techniques.
Benefits of using encryption/authentication:
1. Enhance Data Security
Without any doubt, one of the most critical merits is strengthened data security.
Full disk encryption uses strong encryption algorithms to encrypt drives on your
PCs, thereby protecting all data stored in the drives. With FDE, even if the
drive is removed from the current computer and put into another device, the drive
data is still inaccessible without the correct key.
2. Auto Encrypt Data
Besides, unlike file or folder-level encryption, full disk encryption (FDE)
encrypts the data as soon as it’s stored to the hard drive. In other words, this
encryption process is completed automatically. Hence, it’s much more
convenient than file or folder encryption, which requires you to manually select
which file or folder is to be encrypted.
Benefits of using virus detection technology:
The main role of an antivirus program is to stand against viruses and other
forms of malware. Viruses will not only cause damage to your data, they can
also degrade the overall system performance. All of this can happen without your
knowledge. The antivirus software installed on your computer detects and
removes this malware before it causes any harm to your computer.
Benefits of using Intrusion detection techniques:
Firewalls may be able to show you the ports and IP addresses that are used
between two hosts, but in addition a NIDS can be tuned to show you the
specific content within the packets. This can be used for uncovering
intrusions such as exploitation attacks or compromised endpoint devices that are
part of a botnet.
