
3497 Both Solved Assignments Spring 2019

WARNING
1. PLAGIARISM OR HIRING OF GHOST WRITER(S) FOR SOLVING THE ASSIGNMENT(S) WILL DEBAR THE STUDENT FROM AWARD OF DEGREE/CERTIFICATE, IF FOUND AT ANY STAGE.
2. SUBMITTING ASSIGNMENT(S) BORROWED OR STOLEN FROM OTHER(S) AS ONE'S OWN WILL BE PENALIZED AS DEFINED IN "AIOU PLAGIARISM POLICY".

Course: Information Security (3497)
Level: Bachelor
Total Marks: 100
Pass Marks: 50

Question No. 1

What does ISO stand for? What do you mean by network security?

ANSWER
ISO

ISO stands for Information Security Officer. An ISO (information security officer) is in charge of setting a company's security policy. He/she also plays a critical role in informing, advising, and alerting the general management on matters relating to information security.

The ISO's duties are essentially managerial, and entail recruiting a team of engineers and operations technicians, whose work he/she organizes and controls.

Network Security

Network security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users, and programs to perform their permitted critical functions within a secure environment.

- Made By: ZeeKay

Network security methods

To implement this kind of defense in depth, there are a variety of specialized techniques and types of network security you will want to roll out. Cisco, a networking infrastructure company, uses the following schema to break down the different types of network security, and while some of it is informed by their product categories, it's a useful way to think about the different ways to secure a network.

Access control: You should be able to block unauthorized users and devices from accessing your network. Users that are permitted network access should only be able to work with the limited set of resources for which they've been authorized.

Anti-malware: Viruses, worms, and trojans by definition attempt to spread across a network, and can lurk dormant on infected machines for days or weeks. Your security effort should do its best to prevent initial infection and also root out malware that does make its way onto your network.

Application security: Insecure applications are often the vectors by which attackers get access to your network. You need to employ hardware, software, and security processes to lock those apps down.

Behavioral analytics: You should know what normal network behavior looks like so that you can spot anomalies or breaches as they happen.

Data loss prevention: Human beings are inevitably the weakest security link. You need to implement technologies and processes to ensure that staffers don't deliberately or inadvertently send sensitive data outside the network.

Email security: Phishing is one of the most common ways attackers gain access to a network. Email security tools can block both incoming attacks and outbound messages with sensitive data.

Firewalls: Perhaps the granddaddy of the network security world, they follow the rules you define to permit or deny traffic at the border between your network and the internet, establishing a barrier between your trusted zone and the wild west outside. They don't preclude the need for a defense-in-depth strategy, but they're still a must-have.

Intrusion detection and prevention: These systems scan network traffic to identify and block attacks, often by correlating network activity signatures with databases of known attack techniques.

Mobile device and wireless security: Wireless devices have all the
potential security flaws of any other networked gadget — but also can
connect to just about any wireless network anywhere, requiring extra
scrutiny.

Network segmentation: Software-defined segmentation puts network traffic into different classifications and makes enforcing security policies easier.

Security information and event management (SIEM): These products aim to automatically pull together information from a variety of network tools to provide data you need to identify and respond to threats.

VPN: A tool (typically based on IPsec or SSL) that authenticates the communication between a device and a secure network, creating a secure, encrypted "tunnel" across the open internet.

Web security: You need to be able to control internal staff's web use
in order to block web-based threats from using browsers as a vector
to infect your network.
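As an added illustration of the firewall item in the list above (this code is not from the assignment or the Cisco material it summarizes), the following Python evaluates a small rule set in the order it is written and falls back to deny when nothing matches. The rule fields, the address ranges and the sample packets are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: a first-match packet filter for the border between a
# trusted zone (assumed to be 10.0.0.0/8) and the internet. All ranges below
# are documentation/example addresses chosen for this illustration.


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source network, CIDR notation
    dst: str                # destination network, CIDR notation
    dport: Optional[int]    # destination port; None matches any port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


# Rules are checked top to bottom and the first match decides, so the
# explicit deny for a blocked range has to sit above the permits.
RULES: List[Rule] = [
    Rule("deny", "any", "203.0.113.0/24", "0.0.0.0/0", None),   # blocked source range
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.5.10/32", 443),    # public HTTPS server
    Rule("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),      # staff browsing out
    Rule("permit", "udp", "10.0.0.0/8", "10.0.5.53/32", 53),    # internal DNS resolver
]


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). No match means default deny."""
    for index, rule in enumerate(rules):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, index
    return "deny", None


if __name__ == "__main__":
    samples = [
        ("tcp", "198.51.100.7", "10.0.5.10", 443),   # internet client to web server
        ("tcp", "203.0.113.9", "10.0.5.10", 443),    # blocked range, rule 0 wins
        ("tcp", "198.51.100.7", "10.0.5.10", 22),    # SSH from the internet: no rule, default deny
        ("udp", "10.0.1.25", "10.0.5.53", 53),       # internal DNS lookup
    ]
    for sample in samples:
        print(sample, "->", evaluate(RULES, *sample))
```

The third sample shows why the default matters: nothing in the list mentions port 22, and the safe outcome for unlisted traffic is to drop it rather than let it through.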

Question No. 2

What does the term communication security mean? Explain its different countermeasures.

ANSWER
Communication Security

Communications security (COMSEC) is the prevention of unauthorized access to telecommunications traffic, or to any written information that is transmitted or transferred.

There are several COMSEC disciplines, including:

Cryptographic security - encrypts data and renders it unreadable until the data is decrypted.

Emission security - prevents the release or capture of equipment emanations to prevent information from unauthorized interception.

Physical security - ensures the safety of, and prevents unauthorized access to, a network's cryptographic information, documents and equipment.

Transmission security - protects against unauthorized access when data is physically transferred, to prevent issues such as service interruption.

Question No. 3

Discuss different attacks on information. Also explain its monitoring in detail.

ANSWER
Common types of cyberattacks

Malware

Malware is a term used to describe malicious software, including spyware, ransomware, viruses, and worms. Malware breaches a network through a vulnerability, typically when a user clicks a dangerous link or email attachment that then installs risky software. Once inside the system, malware can do the following:

• Blocks access to key components of the network (ransomware)
• Installs malware or additional harmful software
• Covertly obtains information by transmitting data from the hard drive (spyware)
• Disrupts certain components and renders the system inoperable

Phishing

Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim's machine. Phishing is an increasingly common cyberthreat.

Man-in-the-middle attack

Man-in-the-middle (MitM) attacks, also known as eavesdropping attacks, occur when attackers insert themselves into a two-party transaction. Once the attackers interrupt the traffic, they can filter and steal data.

Two common points of entry for MitM attacks:

1. On unsecure public Wi-Fi, attackers can insert themselves between a visitor's device and the network. Without knowing, the visitor passes all information through the attacker.

2. Once malware has breached a device, an attacker can install software to process all of the victim's information.

Denial-of-service attack

A denial-of-service attack floods systems, servers, or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfill legitimate requests. Attackers can also use multiple compromised devices to launch this attack. This is known as a distributed-denial-of-service (DDoS) attack.

SQL injection

A Structured Query Language (SQL) injection occurs when an attacker inserts malicious code into a server that uses SQL and forces the server to reveal information it normally would not. An attacker could carry out a SQL injection simply by submitting malicious code into a vulnerable website search box.
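To make the search-box case above concrete, here is an added example (not from the assignment) that puts a search function built by string concatenation next to the parameterized form. The product table, its rows and the search input are constructed for the illustration; SQLite's in-memory database is used so the code runs offline.

```python
import sqlite3

# Constructed example: a product search backed by an in-memory SQLite table.
# Table name, columns and rows are assumptions made for this illustration.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "router", 1), (2, "switch", 1), (3, "internal price list", 0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The search term is pasted straight into the SQL text, so a quote character
    # or a comment marker inside it changes the meaning of the statement and the
    # "public = 1" restriction can be bypassed.
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # Parameterized query: the driver sends the term as a value, never as SQL,
    # so whatever it contains is matched literally against the name column.
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR 1=1 --"   # constructed input: closes the quote, then comments out the rest
    print("normal  vulnerable:", search_vulnerable(db, "router"))
    print("normal  safe:      ", search_safe(db, "router"))
    print("crafted vulnerable:", search_vulnerable(db, crafted))   # non-public row leaks
    print("crafted safe:      ", search_safe(db, crafted))         # nothing matches
```

Both functions behave identically on an ordinary search term; they differ only when the input contains SQL syntax, which is exactly the case a search box must survive. Parameterized queries (prepared statements) are the fix, not escaping individual characters.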

Zero-day exploit

A zero-day exploit hits after a network vulnerability is announced but before a patch or solution is implemented. Attackers target the disclosed vulnerability during this window of time. Zero-day vulnerability threat detection requires constant awareness.

Monitoring

Establish a monitoring strategy and supporting policies: Develop and implement a monitoring strategy based on business need and an assessment of risk. The strategy should include both technical and transactional monitoring as appropriate. The incident management plan as well as knowledge of previous security incidents should inform the approach.

Monitor all systems: Ensure that all networks, systems and services are included in the monitoring strategy. This may include the use of network, host-based and wireless Intrusion Detection Systems (IDS). These solutions should provide both signature-based capabilities to detect known attacks, and heuristic capabilities to detect unusual system behavior.

Monitor network traffic: Inbound and outbound traffic traversing network boundaries should be monitored to identify unusual activity or trends that could indicate attacks. Unusual network traffic (such as connections from unexpected IP ranges overseas) or large data transfers should automatically generate security alerts with prompt investigation.

Monitor user activity: The monitoring capability should have the ability
to identify the unauthorized or accidental misuse of systems or data.
Critically, it should be able to tie specific users to suspicious activity.
Take care to ensure that all user monitoring complies with all legal or
regulatory constraints.

Fine-tune monitoring systems: Ensure that monitoring systems are tuned appropriately to only collect events and generate alerts that are relevant to your needs. Inappropriate collection of monitoring information and generation of alerts can mask the detection of real attacks as well as be costly in terms of data storage and investigatory resources required.

Establish a centralized collection and analysis capability: Develop and deploy a centralized capability that can collect and analyze information and alerts from across the organization. Much of this should be automated due to the volume of data involved, enabling analysts to concentrate on anomalies or high priority alerts. Ensure that the solution architecture does not itself provide an opportunity for attackers to bypass normal network security and access controls.

Provide resilient and synchronized timing: Ensure that the monitoring and analysis of audit logs is supported by a centralized and synchronized timing source that is used across the entire organization to support incident response and investigation.

Align the incident management policies: Ensure that policies and processes are in place to appropriately manage and respond to incidents detected by monitoring solutions.

Conduct a 'lessons learned' review: Ensure that processes are in place to test monitoring capabilities, learn from security incidents and improve the efficiency of the monitoring capability.
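The monitoring steps above (monitor boundary traffic, tie events to users, tune what raises an alert, keep one synchronized clock) can be shown together in a small detector. This is an added example, not part of the assignment: the flow-record format, the "expected" destination ranges, the size threshold and the log lines themselves are all constructed for the illustration.

```python
import ipaddress
from datetime import datetime, timezone
from typing import Dict, List

# Constructed example: a boundary-traffic monitor fed with made-up flow records.
# Each record is: UTC timestamp, user, source IP, destination IP, bytes sent.
# Timestamps are UTC so events from different sensors line up on one clock.
FLOW_LOG = """\
2019-05-01T08:00:00Z alice 10.0.1.20 10.0.5.10 4096
2019-05-01T08:05:00Z bob 10.0.1.21 198.51.100.40 120000
2019-05-01T08:10:00Z carol 10.0.1.22 203.0.113.77 2048
2019-05-01T23:40:00Z bob 10.0.1.21 198.51.100.40 900000000
"""

# Tuning: destinations we expect to see (internal space plus an assumed,
# documented partner range). Traffic to these does not raise a range alert,
# which keeps known-good traffic from drowning the real findings.
EXPECTED_DESTINATIONS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

# Tuning: a single outbound transfer at or above this size is worth an analyst's time.
LARGE_TRANSFER_BYTES = 500_000_000


def parse_flow(line: str) -> Dict:
    ts, user, src, dst, nbytes = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,            # keeps the event tied to a specific account
        "src": src,
        "dst": ipaddress.ip_address(dst),
        "bytes": int(nbytes),
    }


def check_flow(flow: Dict) -> List[str]:
    """Return the reasons this flow should alert (empty list means nothing unusual)."""
    reasons = []
    if not any(flow["dst"] in net for net in EXPECTED_DESTINATIONS):
        reasons.append("destination outside expected ranges")
    if flow["bytes"] >= LARGE_TRANSFER_BYTES:
        reasons.append("large outbound transfer")
    return reasons


def monitor(log_text: str) -> List[Dict]:
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        for reason in check_flow(flow):
            alerts.append({
                "time": flow["time"].isoformat(),
                "user": flow["user"],
                "dst": str(flow["dst"]),
                "bytes": flow["bytes"],
                "reason": reason,
            })
    return alerts


if __name__ == "__main__":
    for alert in monitor(FLOW_LOG):
        print(alert)
```

On the sample log only two of the four records alert: carol's connection to an address outside the expected ranges, and bob's late-night 900 MB transfer to an otherwise approved destination. bob's earlier 120 kB transfer to the same partner range stays quiet, which is the point of tuning the allowlist and threshold to the organization's own traffic.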

Question No. 4

Define cryptography. What are the reasons for encryption? Also explain different kinds of cryptography in detail.

ANSWER
Cryptography

Cryptography involves creating written or generated codes that allow information to be kept secret. Cryptography converts data into a format that is unreadable for an unauthorized user, allowing it to be transmitted without unauthorized entities decoding it back into a readable format, thus compromising the data.

Information security uses cryptography on several levels. The information cannot be read without a key to decrypt it. The information maintains its integrity during transit and while being stored. Cryptography also aids in nonrepudiation. This means that the sender and the delivery of a message can be verified.

Cryptography is also known as cryptology.

Reasons for Encryption

Cryptography not only protects data from theft or alteration, but can also be used for user authentication. There are, in general, three types of cryptographic schemes typically used to accomplish these goals: secret key (or symmetric) cryptography, public-key (or asymmetric) cryptography, and hash functions, each of which is described below. In all cases, the initial unencrypted data is referred to as plaintext. It is encrypted into ciphertext, which will in turn (usually) be decrypted into usable plaintext.

Cryptography provides information Security for

• Defending against external/internal hackers
• Defending against industrial espionage
• Securing E-commerce
• Securing bank accounts/electronic transfers
• Securing intellectual property
• Avoiding liability

Threats to Information Security

• Pervasiveness of email/networks
• Online storage of sensitive information
• Insecure technologies (e.g. wireless)
• Trend towards paperless society
• Weak legal protection of email privacy

Kinds of Cryptography

Cryptography also allows senders and receivers to authenticate each other through the use of key pairs. There are various types of algorithms for encryption; some common algorithms include:

Secret Key Cryptography

A secret key is the piece of information or parameter that is used to encrypt and decrypt messages in a symmetric, or secret-key, encryption.

In asymmetric encryption, two separate keys are used. One is a public key and the other is a secret key.

When using symmetric encryption, only one key is used for encryption
and decryption. However, in asymmetric cryptography there is both a
private key and a public key involved in the encryption and decryption
processes. The secret key can be kept by one person or exchanged
with someone else when sending encrypted messages. If only one key
is available for both encryption and decryption, both the sender and
receiver of a message have to have a copy of the secret key to be able
to read the message.

The most accepted secret key cryptography scheme is Data Encryption Standard (DES) cryptography. Other cryptography systems used for secret-key encryption include the Advanced Encryption Standard (AES) and CAST-128/256.
Public key cryptography (PKC)

Public key cryptography (PKC) is an encryption technique that uses a paired public and private key (or asymmetric key) algorithm for secure data communication. A message sender uses a recipient's public key to encrypt a message. To decrypt the sender's message, only the recipient's private key may be used.

The two types of PKC algorithms are RSA, which is an acronym named after this algorithm's inventors: Rivest, Shamir and Adleman, and the Digital Signature Algorithm (DSA). PKC encryption evolved to meet the growing secure communication demands of multiple sectors and industries, such as the military.

PKC is also known as public key encryption, asymmetric encryption, asymmetric cryptography, asymmetric cipher, asymmetric key encryption and Diffie-Hellman encryption.

Hash Function

A hash function takes a group of characters (called a key) and maps it to a value of a certain length (called a hash value or hash). The hash value is representative of the original string of characters, but is normally smaller than the original.

This term is also known as a hashing algorithm or message digest function.

Hashing is used with a database to enable items to be retrieved more quickly. Hashing can also be used in the encryption and decryption of digital signatures. The hash function transforms the digital signature, then both the hash value and signature are sent to the receiver. The receiver uses the same hash function to generate the hash value and then compares it to that received with the message. If the hash values are the same, it is likely that the message was transmitted without errors.

One example of a hash function is called folding. This takes an original
value, divides it into several parts, then adds the parts and uses the
last four remaining digits as the hashed value or key.
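An added example (not from the assignment or Techopedia) covering both hash uses mentioned above: the folding hash for quick lookups, and a message digest that a receiver recomputes to check that a message arrived unaltered. It also adds the caveat a practitioner would want: a bare digest only catches accidental change, because anyone who alters the message can recompute the digest too, so a keyed digest (HMAC with a shared secret) is shown as the form that detects deliberate tampering. Sample values and the key are constructed.

```python
import hashlib
import hmac

# Constructed example. Sample messages, the numeric string and the key below are
# made up for the illustration.


def folding_hash(digits: str, part_len: int) -> int:
    """Folding: split a numeric string into fixed-size parts, add them, keep the last four digits."""
    parts = [digits[i:i + part_len] for i in range(0, len(digits), part_len)]
    total = sum(int(p) for p in parts)
    return total % 10_000


def digest(message: bytes) -> str:
    """SHA-256 message digest: a fixed-length value that represents the message."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, received_digest: str) -> bool:
    """Receiver side: recompute the digest and compare it with the one sent along."""
    return hmac.compare_digest(digest(message), received_digest)


def mac(message: bytes, key: bytes) -> str:
    """Keyed digest (HMAC-SHA256). Without the shared key an attacker who alters the
    message cannot produce a matching tag, which a plain hash cannot guarantee."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message: bytes, key: bytes, received_tag: str) -> bool:
    return hmac.compare_digest(mac(message, key), received_tag)


if __name__ == "__main__":
    print(folding_hash("987654321", 3))              # 987 + 654 + 321 = 1962
    original = b"transfer 100 to account 42"
    tampered = b"transfer 900 to account 42"
    d = digest(original)
    print(verify_digest(original, d), verify_digest(tampered, d))     # True False
    key = b"constructed-shared-secret"
    tag = mac(original, key)
    print(verify_mac(original, key, tag), verify_mac(tampered, key, tag))   # True False
```

`hmac.compare_digest` is used for every comparison so the check takes the same time whether the values differ in the first byte or the last; a plain `==` on strings can leak how many leading bytes matched.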


Question No. 5

Write a brief note on accountability and access control.

ANSWER

Accountability

Accountability is an essential part of an information security plan. The phrase means that every individual who works with an information system should have specific responsibilities for information assurance. The tasks for which an individual is responsible are part of the overall information security plan and can be readily measurable by a person who has managerial responsibility for information assurance. One example would be a policy statement that all employees must avoid installing outside software on a company-owned information infrastructure. The person in charge of information security should perform periodic checks to be certain that the policy is being followed.

Access Control

Access control is a way of limiting access to a system or to physical or virtual resources. In computing, access control is a process by which users are granted access and certain privileges to systems, resources or information.

In access control systems, users must present credentials before they can be granted access. In physical systems, these credentials may come in many forms, but credentials that can't be transferred provide the most security.

For example, a key card may act as an access control and grant the
bearer access to a classified area. Because this credential can be
transferred or even stolen, it is not a secure way of handling access
control.

A more secure method for access control involves two-factor authentication. The person who desires access must show credentials and a second factor to corroborate identity. The second factor could be an access code, a PIN or even a biometric reading.

There are three factors that can be used for authentication:

• Something only known to the user, such as a password or PIN
• Something that is part of the user, such as a fingerprint, retina scan or another biometric measurement
• Something that belongs to the user, such as a card or a key.
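As an added example of two-factor authentication (not code from the assignment), the following login combines something the user knows (a password, stored as a salted PBKDF2 hash) with a time-based one-time code from something the user has (an authenticator app). The one-time code arithmetic is HOTP/TOTP as defined in RFC 4226 and RFC 6238; the user record, the fixed salt, the iteration count and the drift window of one 30-second step are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict

# Constructed example. PBKDF2 iterations and the TOTP step are assumed values.
PBKDF2_ITERATIONS = 50_000
TOTP_STEP_SECONDS = 30


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: store a slow, salted hash rather than the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): truncate HMAC-SHA1(secret, counter)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """Possession factor (RFC 6238): the counter is the current 30-second window."""
    return hotp(secret, at_time // TOTP_STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current window and one either side to tolerate small clock drift."""
    counter = at_time // TOTP_STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def make_user(password: str, totp_secret: bytes) -> Dict:
    salt = b"constructed-salt"   # constructed; a real system draws a random salt per user
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def two_factor_login(user: Dict, password: str, code: str, at_time: int) -> bool:
    # Both checks always run, so a wrong password and a wrong code take the same path
    # and neither result reveals which factor failed.
    password_ok = verify_password(password, user["salt"], user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"          # the RFC 4226 test-vector secret
    user = make_user("correct horse battery staple", secret)
    now = int(time.time())
    print(two_factor_login(user, "correct horse battery staple", totp(secret, now), now))  # True
    print(two_factor_login(user, "correct horse battery staple", "000000", now))           # False
```

The RFC 4226 test vectors make the possession factor checkable without a phone: with the secret `12345678901234567890`, counter 0 gives `755224` and counter 1 gives `287082`, which is also the TOTP value at time 59 since 59 // 30 = 1.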

END OF 1ST ASSIGNMENT

Question No. 1

Illustrate different security management concepts and its principles in detail.
ANSWER

Concepts or lessons on security management

If you could make business/executive management more aware about five concepts or lessons on security, what would they be?

Getting it down to 5 is really hard, but here goes:

1. Security is a journey, not a destination: Executives need to understand that security is never done. If a new user or application or trading partner has been introduced to the organization, then new risks have been introduced as well. Security is not a box that can be checked. That is probably the most important concept to convey.

2. Nobody can protect what's important, unless it's been made clear
exactly what is important. Security is not generic. It's important not
to treat every system and asset the same. Some stuff is important
and should be protected at all costs. Some stuff isn't, and therefore
resources shouldn't be expended to protect it. The executive
managers have to decide what's important, and they need to tell the
security team. Help them understand the choices they need to make.

3. Compliance is not the goal of information security. This is related to No. 1, but important in its own right because many executives believe that once they get the compliance stamp from an annual audit, they don't need to think about security anymore. Being compliant does not mean the organization is secure. That's extremely important to get across.

4. The users are the weakest links. The reality is that many serious
data breaches are caused by human error and are not intentional. That
means it's still important to train users on a continual basis about
what they can and can't do.

5. Incidents are going to happen. There is no way around it: EVERY organization will eventually be faced with an information security incident. Many executives freak out when incidents occur, and that's because the security team has done a poor job of managing expectations. The important part is how well the organization recovers. How much data was lost? What are the ramifications? Help the executives understand the need for a formal response plan, because having one in place when the inevitable happens will make it much easier to deal with.

Security's fundamental principles are confidentiality, integrity, and availability.

Confidentiality


Confidentiality determines the secrecy of the information asset. Determining confidentiality is not a matter of determining whether information is secret or not. When considering confidentiality, managers determine the level of access in terms of how and where the data can be accessed. For information to be useful to the organization, it can be classified by a degree of confidentiality.

To prevent attackers from gaining access to critical data, a user who might be allowed access to confidential data might not be allowed to access the service from an external access port. The level of confidentiality determines the level of availability that is controlled through various access control mechanisms.

Protections offered to confidential data are only as good as the security program itself. To maintain confidentiality, the security program must consider the consequences of an attacker monitoring the network to read the data. Although tools are available that can prevent the attacker from reading the data in this manner, safeguards should be in place at the points of transmission, such as by using encryption or physically safeguarding the network.

Another attack on confidentiality is the use of social engineering to access the data or obtain access. Social engineering is difficult to defend against because it requires a comprehensive and proactive security awareness program. Users should be educated about the problems and punishments that result when they intentionally or accidentally disclose information. This can include safeguarding usernames and passwords from being used by an attacker.

Cryptography is the study of how to scramble, or encrypt, information to prevent everyone but the intended recipient from being able to read it. Encryption implements cryptography by using mathematical formulas to scramble and unscramble the data. These formulas use an external piece of private data called a key to lock and unlock the data.

Cryptography can trace its roots back 4,000 years to ancient Egypt
where funeral announcements were written using modified
hieroglyphics to add to their mystery. Today, cryptography is used to
keep data secret. For more information on cryptography, see Chapter
5, "Cryptography."

Integrity

With data being the primary information asset, integrity provides the
assurance that the data is accurate and reliable. Without integrity, the
cost of collecting and maintaining the data cannot be justified.
Therefore, policies and procedures should support ensuring that data
can be trusted.

Mechanisms put in place to ensure the integrity of information should prevent attacks on the storage of that data (contamination) and on its transmission (interference). Data that is altered on the network between the storage and the user's workstation can be as untrustworthy as the attacker altering or deleting the data on the storage media. Protecting data involves both storage and network mechanisms.

Attackers can use many methods to contaminate data. Viruses are the most frequently reported in the media. However, an internal user, such as a programmer, can install a back door into the system or a logic bomb that can be used to attack the data. After an attack is launched, it might be difficult to stop and thus affect the integrity of the data. Some of the protections that can be used to prevent these attacks are intrusion detection, encryption, and strict access controls.

Not all integrity attacks are malicious. Users can inadvertently store inaccurate or invalid data by incorrect data entry, an incorrect decision made in running programs, or not following procedures. They can also affect integrity through system configuration errors at their workstations or even by using the wrong programs to access the data. To prevent this, users should be taught about data integrity during their information security awareness training. Additionally, programs should be configured to test the integrity of the data before storing it in the system. In network environments, data can be encrypted to prevent its alteration.

Availability

Availability is the ability of the users to access an information asset. Information is of no use if it cannot be accessed. Systems should have sufficient capacity to satisfy user requests for access, and network architects should consider capacity as part of availability. Policies can be written to enforce this by specifying that procedures be created to prevent denial-of-service (DoS) attacks.

More than just attackers can affect system and network availability.
The environment, weather, fire, electrical problems, and other factors
can prevent systems and networks from functioning. To prevent these
problems, your organization's physical security policies should specify
various controls and procedures to help maintain availability.

Yet access does not mean that data has to be available immediately.
Availability of information should recognize that not all data has to be
available upon request. Some data can be stored on media that might
require user or operator intervention to access. For example, if your
organization collects gigabytes of data daily, you might not have the
resources to store it all online. This data can be stored on an offline
storage unit, such as a CD jukebox, that does not offer immediate
access.

Question No. 2

What are policies and roles in assets clarification?

ANSWER

An asset refers to anything that is used in the regular operation of an organization. It can refer to physical objects, such as buildings, equipment, or raw materials, as well as intangible things, such as staff or money. Asset management includes not just assets used for maintenance, like machinery and spare parts, but assets used by the entire organization, such as computers, people, and infrastructure.

Policy statement

In managing the assets belonging to (Insert Company), we are committed to:

• Taking steps to connect the appropriate departments, functions, and support activities in order to build effective working relationships and encourage information-sharing.

• Using asset management decision-making to drive optimum value for customers.

• Ensuring decisions are made collaboratively. Ensure decisions consider all life-cycle stages and interrelationships between asset, operational and service performance.

• Focusing on decision-making that recognizes the interconnected nature of asset systems and how decisions about one set of assets may potentially interact with or affect assets controlled by other departments and functions.

Application of policy

(Insert Company) will develop and maintain appropriate plans for the
renewal, purchase, construction and decommissioning of assets. This
includes:

• Developing long-term projections of investment needs and applying rigorous analysis, including consideration of risk, to identify short-term needs.

• Implementing processes to ensure investments address needs efficiently and effectively, and address operational budget implications of capital investments.

• Exploring efficiency opportunities where appropriate, including new technologies.

• Analyzing investment plans and associated funding requirements and putting in place mechanisms to ensure long-term financial sustainability.

• Evaluating relevant asset investment decisions based on consideration of the costs associated with managing an asset through its entire lifecycle.

• Developing prioritized capital investment plans that reflect community and stakeholder expectations with regard to the level of service and other strategic objectives.

Roles and responsibilities

The roles and responsibilities for executing this policy include the
following:

• The executive committee is responsible for approving asset management policy, articulating organizational values, defining priorities, approving funding and resources to implement the asset management policy and associated requirements, and approving asset funding through multiyear and long-range financial plans.

• The chief reliability officer is responsible for leading the implementation of this policy across the organization.

• Departmental managers are responsible for leading the adoption of this policy within their departments and allocating appropriate resources to its implementation.

• All staff involved in the application of asset management are responsible for observing the requirements of this policy.

Question No. 3

Discuss the issues that occur in data and application security.

ANSWER

Data Security Issues

The nine key big data security issues

So, with that in mind, here’s a shortlist of some of the obvious big
data security issues (or available tech) that should be considered.

Distributed frameworks. Most big data implementations actually distribute huge processing jobs across many systems for faster analysis. Hadoop is a well-known instance of open source tech involved in this, and originally had no security of any sort. Distributed processing may mean less data processed by any one system, but it means a lot more systems where security issues can crop up.

Non-relational data stores. Think NoSQL databases, which by themselves usually lack security (which is instead provided, sort of, via middleware).

Storage. In big data architecture, the data is usually stored on multiple tiers, depending on business needs for performance vs. cost. For instance, high-priority "hot" data will usually be stored on flash media, so locking down storage will mean creating a tier-conscious strategy.

Endpoints. Security solutions that draw logs from endpoints will need
to validate the authenticity of those endpoints, or the analysis isn’t
going to do much good.

Real-time security/compliance tools. These generate a tremendous
amount of information; the key is finding a way to ignore the false
positives, so human talent can be focused on the true breaches.

Data mining solutions. These are the heart of many big data
environments; they find the patterns that suggest business strategies.
For that very reason, it’s particularly important to ensure they’re
secured against not just external threats, but insiders who abuse
network privileges to obtain sensitive information – adding yet
another layer of big data security issues.

Access controls. Just as with enterprise IT as a whole, it's critically important to provide a system in which encrypted authentication/validation verifies that users are who they say they are, and determine who can see what.

Finally, some specific thoughts on the data itself:

Granular auditing can help determine when missed attacks have occurred, what the consequences were, and what should be done to improve matters in the future. This in itself is a lot of data, and must be enabled and protected to be useful in addressing big data security issues.

Data provenance primarily concerns metadata (data about data), which can be extremely helpful in determining where data came from, who accessed it, or what was done with it. Usually, this kind of data should be analyzed with exceptional speed to minimize the time in which a breach is active. Privileged users engaged in this type of activity must be thoroughly vetted and closely monitored to ensure they don’t become their own big data security issues.
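The two points above (granular auditing and data provenance) both depend on the audit record itself being protected, because a privileged user who can rewrite the log can hide their own access. The following is an added example, not part of the assignment or any named product, of a hash-chained provenance log in which every record commits to the one before it, so editing or deleting any record is detected by a later verification pass. The actors, datasets and sources are constructed sample values.

```python
"""Tamper-evident audit/provenance log for a big data pipeline (added example)."""
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS_HASH = "0" * 64  # anchors the first record of the chain


def _record_hash(prev_hash: str, record: Dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(log: List[Dict], actor: str, action: str, dataset: str, source: str) -> Dict:
    """Append one provenance record: who did what, to which dataset, from which source."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    record = {"seq": len(log), "actor": actor, "action": action,
              "dataset": dataset, "source": source, "prev": prev_hash}
    record["hash"] = _record_hash(prev_hash, record)  # hash covers every field above
    log.append(record)
    return record


def verify_chain(log: List[Dict]) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, seq of the first bad record)."""
    prev_hash = GENESIS_HASH
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "hash"}
        if (record.get("seq") != i or body.get("prev") != prev_hash
                or _record_hash(prev_hash, body) != record.get("hash")):
            return False, i
        prev_hash = record["hash"]
    return True, -1


def demo() -> Tuple[bool, bool, int]:
    """Constructed sample: three events, then an insider rewrites who accessed the data."""
    log: List[Dict] = []
    append_event(log, "etl-job-7", "ingest", "customers", "crm-export")        # constructed
    append_event(log, "analyst-a", "read", "customers", "hadoop-cluster-1")    # constructed
    append_event(log, "analyst-a", "export", "customers", "hadoop-cluster-1")  # constructed
    intact_before, _ = verify_chain(log)
    log[1]["actor"] = "someone-else"  # the tampering attempt
    intact_after, first_bad = verify_chain(log)
    return intact_before, intact_after, first_bad


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The chain only proves integrity from the point of verification backwards; in practice the latest hash is copied out to a separate, append-only store (or signed) so that a user with write access to the log cannot simply recompute the whole chain.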

Application Security

Whilst a growing number of organizations are aware of the need for application security, few are tackling the issue in an effective way. In a survey of over 640 IT professionals, 7 crucial problems were repeatedly identified as recurrent barriers to effective application
security. Resolving these problems will help your organization improve
developer security knowledge, and reduce the costs of software
vulnerabilities - helping you to improve the maturity of your
application security processes, and share in the competencies of high-
performing software organizations.

1) NO DEFINED SOFTWARE DEVELOPMENT PROCESS

Secure application development starts with a defined software development process, with formal processes in place to address software requirements, design, implementation and testing. Many organizations approach these issues in an ad-hoc way, without any emphasis on following procedural guidelines. Without the ability to develop software in a repeatable, measured and uniform way, it's almost impossible to integrate security into the development process. Only 43% of surveyed organizations had a defined software development process. Of that 43%, only 69% adhered to the process - resulting in only 30% of all organizations working to a defined development process.

2) NOT TESTING FOR APPLICATION SECURITY

Despite the common-sense nature of this problem, simple inaction is one of the biggest security threats faced by organizations. Only 43% of surveyed organizations have a defined process in place to mitigate the risk of bugs and defects in developed applications. Even then, most organizations are in the panic scramble phase of application security maturity - acting in a purely reactive way to security threats.

3) SECURITY POLICIES ARE NOT INTEGRATED INTO THE SDLC

In order to improve the efficacy of secure application development processes, it's essential to integrate security policies directly into the software development lifecycle (SDLC). The costs of remediating bugs and vulnerabilities grow hugely as an application progresses through the SDLC. When issues are identified during production and post-release, fixing a vulnerability can cost thirty times more to resolve
than a problem detected during the requirement and architecture
phase.

4) NO FORMAL APPLICATION SECURITY TRAINING PROGRAM

Defined security policies and requirements are an important part of securing the development process. However, without developer training to help the dev team understand and implement these best practices, security policies will have a negligible impact on vulnerabilities and remediation costs. More than half of organizations (51%) have no application security training program in place. Even fewer organizations are rolling out the security training program in an effective way - combining standards, education and assessment to aid developers in adhering to security policy.

5) DEV TEAMS NOT MEASURED FOR COMPLIANCE

With a training program in place, it's vital for your organization to monitor adherence to security policies - both in terms of improving the efficacy of training programs, and measuring their return on investment. There are three primary areas development teams need to be assessed across: compliance with regulatory requirements, compliance with secure architecture standards and compliance with secure coding standards.

6) MOST ORGANISATIONS DON'T UNDERSTAND APPLICATION SECURITY RISKS

Application development poses an ever-changing threat, with the security risks faced by your organization changing in a highly fluid and dynamic way. In order to create and maintain effective security standards, your organization needs to conduct regular audits to assess potential threats. Most mature organizations use a threat modelling process to achieve this, identifying new threats and prioritizing the need for action.

7) EXECUTIVES AND PRACTITIONERS HAVE DIFFERENT UNDERSTANDINGS OF APPLICATION SECURITY MATURITY

In most organizations, there's a serious disconnect between high-level executives and security practitioners, with the C-suite often holding an unrealistic (and unduly optimistic) view of application security in the organization. This misalignment of priorities is a driving force behind some of the biggest problems faced by organizations - including costly shelfware, ineffective security training, and the poor reputation of security. To remedy this problem, it's important to prioritize security from the top down, and allow for effective communication between all areas of the organization - from dev teams, to security, to the C-suite.

Question No. 4

Define malicious code. Also explain application attacks in detail.

ANSWER

Malicious Code

Malicious code is the term used to describe any code in any part of a
software system or script that is intended to cause undesired effects,
security breaches or damage to a system. Malicious code describes a
broad category of system security terms that includes attack scripts,
viruses, worms, Trojan horses, backdoors, and malicious active
content.

Application attacks and their types

When using the internet, it is important to take measures to stay secure, because attacks are no longer carried out on the user only by viruses but also through applications. The applications one uses every day might contain infections that can seriously damage the system. Some commonly used types of application attacks are:

Cross-site scripting:

This attack is a type of injection in which malicious scripts are inserted into websites that users trust. An XSS attack happens when the attacker uses a web application to deliver malicious code, normally in the form of browser-side scripts, to a different end user. Flaws that allow these attacks to succeed can spread infection at a high rate, and they occur wherever a web application uses input from a user in the output it generates without validating or encoding it. Attackers use XSS to send malicious scripts to an unsuspecting user. The browser at the user's end has no way to know that the script should not be trusted, so it executes the script automatically. Because the browser believes the script came from a trusted source, the malicious script can access cookies, session tokens and other sensitive information retained by the browser, which can therefore be stolen easily. These scripts can even rewrite the contents of the HTML page.
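The sentence above about output "generated without any encoding or validation" is the root cause, so the fix is on the output side. As an added example (not part of the assignment text), the following shows a vulnerable greeting that splices user input into HTML next to a hardened version that encodes for the HTML element context, plus a link builder that shows a second context (an href attribute) needs its own encoding and a scheme check. The probe string is a constructed sample input.

```python
"""Output encoding against reflected XSS (added example, not from the page)."""
import html
from urllib.parse import quote

# Constructed probe: a script element a user could submit as their "name".
XSS_PROBE = "<script>alert(1)</script>"


def render_greeting_unsafe(name: str) -> str:
    # Vulnerable: untrusted input is spliced straight into the HTML body.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # Hardened: encode for the HTML element context, so <, >, &, ' and " become
    # entities and the browser treats the input as text, not markup.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def is_allowed_link_target(target: str) -> bool:
    # Only https:// or site-relative targets; a javascript: URL would otherwise run
    # even though it contains no angle brackets for html.escape to neutralise.
    return target.startswith("https://") or target.startswith("/")


def render_link_safe(target: str) -> str:
    # A different context needs a different rule: URL-encode the value, then
    # HTML-encode it for the attribute, after the scheme check.
    if not is_allowed_link_target(target):
        raise ValueError("link target must be https:// or site-relative")
    encoded = quote(target, safe=":/?&=#")
    return f'<a href="{html.escape(encoded, quote=True)}">link</a>'


def has_live_script(markup: str) -> bool:
    """Checker: would a browser see a real <script> element in this markup?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_greeting_unsafe(XSS_PROBE))  # script survives and would execute
    print(render_greeting_safe(XSS_PROBE))    # &lt;script&gt;... shown as text
```

The key design point is that encoding is chosen per output context (element body, attribute, URL, JavaScript string), which is why template engines that auto-escape by context are preferred over hand-written string formatting.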

SQL injection:

This attack is a technique in which a code injection method is used to attack data-driven applications: malicious SQL statements are inserted into input fields for execution. SQL injection exploits a security vulnerability in the application software, for example when user input is incorrectly filtered for string-literal escape characters embedded in SQL statements, or when user input is not strongly typed and is handled badly. SQL injection is mostly known as an attack vector for websites, but any application backed by a SQL database can be the victim.
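To make the "incorrectly filtered" point concrete, here is an added example (not from the assignment) using Python's standard sqlite3 module: the vulnerable lookup builds the SQL text from the input, so a constructed input that closes the quoted literal changes the query's logic, while the parameterised lookup binds the same input as data and the query structure cannot change. The table rows are constructed.

```python
"""String-built vs parameterised SQL (added example using the sqlite3 standard library)."""
import sqlite3
from typing import List, Tuple

# Constructed input: closes the quoted literal and appends an always-true condition.
CONSTRUCTED_INPUT = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    # Vulnerable: the input becomes part of the SQL text, so it can change the query.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    # Hardened: a bound parameter is always treated as a value, never as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> Tuple[List[str], List[str], List[str]]:
    conn = make_db()
    return (find_user_vulnerable(conn, "alice"),            # ['alice']: works for benign input
            find_user_vulnerable(conn, CONSTRUCTED_INPUT),  # ['alice', 'bob']: filter bypassed
            find_user_safe(conn, CONSTRUCTED_INPUT))        # []: no user has that literal name


if __name__ == "__main__":
    print(demo())
```

The same rule applies to every database driver: the SQL text is a constant, and every user-supplied value goes through a placeholder. Escaping quotes by hand is the "incorrect filtering" the paragraph describes and is not a substitute.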

XML injection:

When this attack takes place, the attacker tries to inject XML tags into a SOAP message, aiming to modify the XML source. If the XML injection is successful, the result is the execution of a restricted operation. Depending on the operation, security objectives may be violated as well.

Directory traversal/command injection:

Proper control of access to web content is crucial for anyone running a secure web server. Directory traversal is an HTTP exploit that can allow attackers to access restricted directories and execute commands outside the web server's root directory. Web servers normally provide two levels of security mechanism: the root directory and access control lists. When an attacker finds that a website's security has been compromised and it is vulnerable, he can use it to get out of the root directory and access parts of the system where other files reside. This gives the attacker the ability to view and save restricted files. In the worst case it may allow the attacker to launch very powerful attacks on the web server, which might lead to a full-fledged compromise of that system.
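The "root directory" mechanism only works if the server checks the requested path after normalising it, because ".." segments and URL encoding are what let a request step out of the root. The following is an added example (not part of the assignment) of that check: the requested path is decoded once, joined to the web root, fully resolved, and then required to still lie under the root. The web root and the request list are constructed for the demonstration.

```python
"""Confining requested paths to the web root (added example, not from the page)."""
import tempfile
from pathlib import Path
from typing import Dict
from urllib.parse import unquote


def resolve_under_root(web_root: str, requested: str) -> Path:
    """Map a URL path to a file under web_root, or raise PermissionError if it escapes."""
    root = Path(web_root).resolve()
    decoded = unquote(requested)  # one decode, as the server would do before routing
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    # Join first, then resolve: '..' segments and symlinks are collapsed before the check.
    candidate = (root / decoded.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError if candidate is outside root
    except ValueError:
        raise PermissionError(f"path escapes web root: {requested!r}") from None
    return candidate


def is_allowed(web_root: str, requested: str) -> bool:
    try:
        resolve_under_root(web_root, requested)
        return True
    except PermissionError:
        return False


def demo() -> Dict[str, bool]:
    """Constructed web root with one page; returns which requests would be served."""
    with tempfile.TemporaryDirectory() as web_root:
        (Path(web_root) / "index.html").write_text("<h1>hi</h1>")
        requests = [
            "index.html",                   # plain file under the root
            "/index.html",                  # leading slash is relative to the root
            "docs/../index.html",           # '..' that stays inside the root is fine
            "../../outside.txt",            # steps above the root
            "%2e%2e/%2e%2e/outside.txt",    # same, URL-encoded
            "docs/../../secret",            # escapes via a non-existent subdirectory
        ]
        return {r: is_allowed(web_root, r) for r in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{'serve ' if allowed else 'reject'}  {request}")
```

Resolving the candidate path (rather than just string-matching for "..") is what also covers symlinks planted under the web root, and the single decode step matters: decoding twice would accept double-encoded sequences that the rest of the server treats as literal characters.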

Flash Cookies:

Flash cookies are also known as local shared objects (LSOs). A Flash cookie is basically a message used by Adobe Flash: it is sent from the web server to a web browser and then stored as a single data file in the browser. They can behave like conventional cookies by personalizing the user's experience.

Malicious add-ons:

Sometimes the add-ons that are available to download can be injected with malicious code and can turn computers into botnets; this happened once in the past when a Firefox add-on created this problem.

Session hijacking:

This is also known as cookie hijacking. In this case a computer session, or session key, is exploited to gain unauthorized access to information or services in a computer system. In particular, it is used to steal the magic cookie that authenticates a user to a remote server.

Header manipulation:

This type of vulnerability arises when data that entered the website from an untrusted source is used in an HTTP request, or when data included in an HTTP response is sent to website users without being validated.
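The session hijacking and header manipulation items above share one mitigation point: the server controls what goes into its response headers. As an added example (not from the assignment text), the following rejects control characters in any header value built from untrusted data, so a CR/LF in a redirect target cannot terminate the header and add headers of its own, and it issues the session cookie with the attributes that limit what a stolen or script-read cookie is worth. The cookie name sid and the login flow are assumptions for the demonstration.

```python
"""Safe response headers: CRLF rejection plus hardened session cookies (added example)."""
import secrets
from typing import List, Tuple

Header = Tuple[str, str]


def safe_header_value(value: str) -> str:
    """Reject control characters so untrusted data cannot end the header line and
    inject further headers (or a whole second response) of its own."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        raise ValueError("control characters are not allowed in header values")
    return value


def is_safe_header_value(value: str) -> bool:
    try:
        safe_header_value(value)
        return True
    except ValueError:
        return False


def new_session_id() -> str:
    # 256 bits from the OS CSPRNG: not guessable, unlike sequential or time-based ids.
    return secrets.token_urlsafe(32)


def session_cookie(session_id: str) -> Header:
    """Set-Cookie with the attributes that limit cookie theft: HttpOnly keeps it away
    from page scripts, Secure keeps it off plaintext HTTP, SameSite=Strict keeps it
    out of cross-site requests."""
    value = "; ".join([f"sid={safe_header_value(session_id)}",  # 'sid' is an assumed name
                       "HttpOnly", "Secure", "SameSite=Strict", "Path=/"])
    return ("Set-Cookie", value)


def login_response_headers(redirect_to: str) -> List[Header]:
    """Headers for a successful login: a fresh session id (rotated, so a pre-login id
    is never reused) and a redirect whose target came from the user and is validated."""
    return [session_cookie(new_session_id()),
            ("Location", safe_header_value(redirect_to))]


if __name__ == "__main__":
    print(login_response_headers("/home"))
```

Rotating the session id at login is the counterpart to the cookie attributes: the attributes make an existing id harder to steal, rotation makes an id the attacker already knows worthless once the user authenticates.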

Some others are:

Arbitrary code execution / remote code execution
Buffer overflow
Integer overflow
Zero day
Cookies and attachments
LSO (Local Shared Objects)

https://www.examcollection.com/certification-training/security-plus-application-attacks-and-their-types.html

Question No. 5

Write a brief note on the Private Key algorithm.

ANSWER

A private key, also known as a secret key, is a variable in cryptography that is used with an algorithm to encrypt and decrypt data. Secret keys are shared only by the key’s generator, which makes them highly secure. Private keys play an important role in symmetric cryptography, asymmetric cryptography and cryptocurrencies.

The complexity and length of the private key determine how feasible
it is for an interloper to carry out a brute force attack and try out
different keys until the right one is found.

How does a private key work?

Private key encryption is referred to as symmetric encryption, where the same private key is used for both encryption and decryption purposes. A private key is typically a long, randomly generated number that cannot easily be guessed. Since only one key is involved, the process is fast and simple.
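Two claims above can be shown in working code: that the same key both encrypts and decrypts, and that key length decides whether trying every key is feasible. The following is an added example (not part of the assignment) using a toy keystream cipher built from HMAC-SHA256 in counter mode; it is an illustration of the idea, not a recommended cipher, and the message, nonce and 16-bit toy key are constructed.

```python
"""Symmetric (private-key) encryption and brute-force feasibility (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: HMAC-SHA256 run in counter mode. Illustration only; production
    # code uses a vetted cipher such as AES-GCM or ChaCha20-Poly1305.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


# Same key, same operation: that is what makes the scheme symmetric.
decrypt = encrypt


def brute_force_years(key_bits: int, guesses_per_second: float) -> float:
    """Expected time to find a key by exhaustive search (half the key space on average)."""
    return (2 ** (key_bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def brute_force_toy(nonce: bytes, ciphertext: bytes, known_plaintext: bytes,
                    key_bits: int = 16) -> Optional[bytes]:
    """Try every key of a deliberately tiny size. With 16 bits this finishes in well
    under a second, which is exactly why real keys are 128 bits or more."""
    nbytes = (key_bits + 7) // 8
    for k in range(2 ** key_bits):
        key = k.to_bytes(nbytes, "big")
        if decrypt(key, nonce, ciphertext) == known_plaintext:
            return key
    return None


def demo() -> Tuple[bool, bool, float]:
    key = secrets.token_bytes(32)           # 256-bit random secret key
    nonce = secrets.token_bytes(12)         # must never repeat for the same key
    msg = b"meet at the usual place"        # constructed message
    roundtrip_ok = decrypt(key, nonce, encrypt(key, nonce, msg)) == msg
    toy_key = (0x1234).to_bytes(2, "big")   # constructed 16-bit key
    ct = encrypt(toy_key, b"n1", msg)
    toy_recovered = brute_force_toy(b"n1", ct, msg) == toy_key
    return roundtrip_ok, toy_recovered, brute_force_years(128, 1e12)


if __name__ == "__main__":
    ok, found, years = demo()
    print(f"round trip: {ok}, 16-bit key recovered: {found}, 128-bit key at 1e12/s: {years:.2e} years")
```

The contrast is the whole point: at a trillion guesses per second a 16-bit key falls instantly, while a 128-bit key takes on the order of 10^18 years, so "cannot easily be guessed" is a statement about key length and randomness, not secrecy of the algorithm. Note also the nonce: reusing it with the same key in a keystream cipher leaks the XOR of the two plaintexts, so it is part of what the key holder must manage.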

The End
