Download Course Name : INFORMATION SECURITY

AUTONOMOUS
Department of Computer Science and Engineering
Course Name
: INFORMATION SECURITY
Course Number
:
Course Designation: CORE
Prerequisites :Computer Networks, Algorithms
IV B Tech – I Semester
(2015-2016)
G.LAVANYA
Assistant Professor
SYLLABUS
Information Security: Introduction, History of Information security, What is Security,
CNSS Security Model, Components of Information System, Balancing Information
Unit – I
Security and Access, Approaches to Information Security Implementation, The Security
Systems Development Life Cycle.
2
Cryptography: Concepts and Techniques, symmetric and asymmetric key cryptography,
steganography, Symmetric key Ciphers: DES structure, DES Analysis, Security of DES,
Unit – II
variants of DES, Block cipher modes of operation , AES structure, Analysis of AES , Key
distribution Asymmetric key Ciphers: Principles of public key cryptosystems, RSA
algorithm, Analysis of RSA, Diffie-Hellman Key exchange
Message Authentication and Hash Functions: Authentication requirements and
Unit – III
functions, MAC and Hash Functions, MAC Algorithms: Secure Hash Algorithm,
Whirlpool, HMAC, Digital signatures, X.509, Kerberos.
Security at layers(Network, Transport, Application): IPSec, Secure Socket
Unit – IV
Layer(SSL), Transport Layer Security(TLS), Secure Electronic Transaction(SET), Pretty
Good Privacy(PGP), S/MIME.
Intruders, Virus and Firewalls: Intruders, Intrusion detection, password management,
Unit – V
Virus and related threats, Countermeasures, Firewall design principles, Types of firewalls.
TEXT BOOKS & OTHER REFERENCES
Text Books
Principles of Information Security : Michael E. Whitman, Herbert J. Mattord,
1.
CENGAGE Learning, 4th Edition.
2.
Cryptography and Network Security : William Stallings, Pearson Education,4th
Edition
3
3.
Cryptography and Network Security : Forouzan Mukhopadhyay, Mc Graw Hill,
2nd Edition
Suggested / Reference Books
Cryptography and Network Security : C K Shyamala, N Harini, Dr T R
4.
Padmanabhan, Wiley India, 1st Edition.
5.
Network Security and Cryptography: Bernard Menezes, CENGAGE Learning
6.
Cryptography and Network Security : Atul Kahate, Mc Graw Hill, 2nd Edition
7.
Principles of Computer Security: WM.Arthur Conklin, Greg White, TMH
8.
Introduction to Network Security: Neal Krawetz, CENGAGE Learning 6.
Handbook of Security of Networks, Yang Xiao, Frank H Li, Hui Chen, World
Scientific, 2011
Websites References
1. http://www.cs.iit.edu/~cs549/cs549s07/lectures.htm
2. http://www.cengagebrain.com/content/whitman38214_1111138214_01.01_toc.pdf
3. http://williamstallings.com/Extras/Security-Notes/
4.
5.
http://www.cs.hofstra.edu/~cscvjc/Spring06/
http://williamstallings.com/NetworkSecurity/styled/
4
Time Table
Room No: 112
Day/Time
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
9:00-9:50
9:5010:40
IV C
IV C
10:4011:30
W.E.F:
11:3012:20
12:201:00
1:001:50
1:502:40
IV C
IV C
IV C
PROGRAM EDUCATIONAL OBJECTIVES (PEO’s)
2:4-3:30
3:30-4:20
5
PEO1
The Graduates are employable as software professionals in reputed industries.
PEO2
The Graduates analyze problems by applying the principles of computer science,
mathematics and scientific investigation to design and implement industry
accepted solutions using latest technologies.
PEO3
The Graduates work productively in supportive and leadership roles on
multidisciplinary teams with effective communication and team work skills with
high regard to legal and ethical responsibilities.
PEO4
The Graduates embrace lifelong learning to meet ever changing developments in
computer science and Engineering.
PROGRAM OUTCOMES (PO’s)
PO1
An ability to communicate effectively and work on multidisciplinary teams
PO2
An ability to identify, formulate and solve computer system problems with
professional and ethical responsibility.
PO3
A recognition of the need for, and an ability to engage in life-long learning to use
the latest techniques, skills and modern engineering tools
PO4
The broad education necessary to understand the impact of engineering solutions
in a global, economic, environmental and social context
PO5
An ability to apply knowledge of mathematics, science, and computing to analyze,
design and implement solutions to the realistic problems.
PO6
An ability to apply suitable process with the understanding of software
development practice.
Course Outcomes:
6
After undergoing the course, Students will be able to understand
1. Analyze the importance of information Security in real world.
2. Designing and analysis of different encryption Algorithms.
3. Implementation of MAC and Hash functions, security at different layers of a network
4. Explore different types of intruders and viruses.
MAPPING OF COURSE OBJECTIVES & COURSE OUT COMES WITH
PO’s & PEO’s
Course Outcomes
CO1
CO2
CO3
CO4
PO’s
PEO’s
PO2
PO3,PO5
PO5
PO3
PEO2
PEO2
PEO2
PEO4
COURSE SCHEDULE
Distribution of Hours Unit – Wise
Chapters
Unit
Book1
I
Total No.
of Hours
Topic
Information Security introduction
1
Book2
Book3
8
7
Cryptography: Concepts and
Techniques
Message Authentication and Hash
Functions
Security at layers(Network,
Transport, Application)
II
III
IV
11,12,13,14
10
16,17,18
Intruders, Virus and Firewalls
V
13
2,3,5,6,9,10
18,19,20
9
Contact classes for Syllabus coverage
50
Tutorial Classes : 05 ; Online Quiz : 1 per unit
Descriptive Tests : 02 (Before Mid Examination)
Revision classes :1 per unit
10
Number of Hours / lectures available in this Semester / Year
55
The number of topic in every unit is not the same – because of the variation, all the units
have an unequal distribution of hours
Lecture Plan
S. No.
Topic
Unit-1
1
2
3
10
Information Security : introduction
History of Information security, What is Security, CNSS
Security Model
Components of Information System,
Date of Completion
8
4
Balancing Information Security and Access,
5
Approaches to Information Security Implementation,
6
The Security Systems Development Life Cycle.
Unit-2
7
Cryptography: Concepts and Techniques,
8
symmetric and asymmetric key cryptography
9
steganography
10
Symmetric key Ciphers: DES structure,
11
DES Analysis, Security of DES, variants of DES,
12
Block cipher modes of operation ,
13
AES structure, Analysis of AES
14
Key distribution Asymmetric key Ciphers:
15
Principles of public key cryptosystems, RSA algorithm
16
Analysis of RSA, Diffie-Hellman Key exchange.
Unit-3
18
Message Authentication and Hash Functions:
Authentication requirements and functions
MAC and Hash Funtions
19
MAC Algorithms: Secure Hash Algorithm
20
Whirlpool
21
HMAC
22
Digital signatures
23
X.509, Kerberos
17
Unit-4
24
IPSecurity
25
Secure Socket Layer(SSL)
26
Transport Layer Security(TLS)
27
Secure Electronic Transaction(SET)
28
Pretty Good Privacy(PGP),
9
S/MIME
29
Unit-5
30
Intruders
31
Intrusion detection
32
password management
33
Virus and related threats
34
Countermeasures
35
Firewall design principles
Types of firewalls.
36
Date of Unit Completion & Remarks
Unit – 1
Date
:
__ / __ / __
Remarks:
________________________________________________________________________
________________________________________________________________________
Unit – 2
Date
:
__ / __ / __
Remarks:
________________________________________________________________________
________________________________________________________________________
10
Unit – 3
Date
:
__ / __ / __
Remarks:
________________________________________________________________________
________________________________________________________________________
Unit – 4
Date
:
__ / __ / __
Remarks:
________________________________________________________________________
________________________________________________________________________
Unit – 5
Date
:
__ / __ / __
Remarks:
________________________________________________________________________
________________________________________________________________________
Unit Wise Assignments (With different Levels of thinking (Blooms Taxonomy))
Note: For every question please mention the level of Blooms taxonomy
Unit – 1
1.
list the six components of an information system with neat diagram?[L2]
11
2
Briefly explain security system development cycle?[L2]
Unit – 2
1.
Compare and contrast symmetric and asymmetric cryptographies? Describe DES
algorithm with example.[L4]
2.
Analyze RSA algorithm with DES? [L4]
3.
Advantage of diffie-hellman key exchange over RSA?[L3]
Unit – 3
1.
2.
3.
Explain the Secure Hash Algorithm (SHA-1) in detail with an example?[L4]
Illustrate the Digital certificates?[L4]
Describe the X.509 version 3 in detail?[L1]
Unit – 4
1.
Explain about IPSecurity?[L2]
2.
List down the functions of SSL?[L1]
3
Mention the significance of dual signature in SET?[L2]
4
Clearly explain in detail the Multipurpose Internet Mail Extensions (MIME)?[L4]
5
illustrate general format of a PGP?[L4]
Unit – 5
1.
Explain: Rule-based penetration identification: intrusion detection.?[L2]
2.
Describe password management?[L1]
3.
list the various virus counter measures?[L2]
4.
Briefly describe about firewall design principles?[L4]
12
Unit Wise Case Studies (With different Levels of thinking (Blooms Taxonomy))
Note: For every Case Study please mention the level of Blooms taxonomy
1 Implement DES & RSA algorithms for the any text data.
2(Design a virus program using C language)
Unit Wise Important Questions (With different Levels of thinking (Blooms Taxonomy))
Note: For every question please mention the level of Blooms taxonomy
Unit – 1
1.
2.
Mention the essential characteristics of information security. How are they used in the
study of computer security?
Briefly explain the components of an information system and their security. How will
you balance security and access?
13
3.
4.
5
Explain the security system development life cycle
Differentiate between block and stream cipher and what are two general approaches to
attack to
a conventional encryption scheme.
Recall following terms:
Plain text, cipher text, encryption, decryption, Cryptography ,cryptanalysis,
cryptology,symmetric key encryption, Public key encryption, Secure channel, traffic
analysis, Masquerade,Non Repudiation, authentication, availability, access control
Unit – 2
1.
Describe various classical Encryption Techniques (various substitution technique &
transposition
2.
Differentiate Symmetric and Asymmetric key cryptography.
3.
4
5
6
7
8
Differentiate message confidentiality and message integrity.
What is motivation for feistel cipher structure?
Draw and explain Feistel’s structure for encryption and decryption.
Explain single round of DES
With neat illustration explain Advanced Encryption Standard algorithm (AES).
Explain the procedure involved in RSA public-key encryption algorithm. With an
example?
Unit – 3
1.
2.
Examine Hash and Mac functions ?[L4]
Illustrate the importance of Digital signatures? and its applications?[L3]
Unit – 4
1.
Investigate the importance of IP security?[L4]
2.
Compare SSL and TLS layers?[L3]
3
Illustartae the applications of MIME?
Unit – 5
14
1.
Describe importance of firewall and how it works?]L3]
2.
Mention incursion detection and steps to prevent it? [L3]
3.
Solve the problem using password management?[L4]
15
Unit Wise Multiple Choice Questions for CRT & Competitive Examinations
Unit – I:
1. which authors did not publish issue related to UNIX Security?
a. Dennis Ritchie
b. Morris & Thomson
c. Grampp & Morris
d. Reeds & Weinberger
2. ____Security Layer involves the protection of the individual or group of individuals
operations
a. Physical Layer
b. Personal Layer
c. Communication Layer
d. Network Layer
3. Which does not belong to the characteristics of information :
a. Accuracy
b. Authenticity
c. consistency
d. confidentiality
4. Security Systems Development Life cycle follows which SDLC life cycle
a. Spiral Model
b. RAD model
c. Waterfall model
d. Incremental model
Unit – II:
1.
In cryptography, what is cipher?
a. algorithm for performing encryption and decryption
b. Encrypted message
c. Both (a) and (b)
d. none
2. In asymmetric key cryptography, the private key is kept by
a. Sender
b. Receiver
c. Sender and receiver
d. all the connected devices to the network
16
3. What is data encryption standard (DES)?
a. block cipher
b. stream cipher
c. bit cipher
d. none of the above
4. Cryptanalysis is used
a. to find some insecurity in a cryptographic scheme
b. to increase the speed
c.to encrypt the data
d. none of the above
5. _________ is a block cipher.
A. DES
B. IDEA.
C. AES.
D. RSA
6. DES encrypts data in block size of __________ bits each.
A. 64.
B. 128.
C. 128.
D. 56
7. _________is the first step in DES.
A. Key transformation.
B. Expansion permutation.
C. S-box substitution.
D. P-box substitution.
8. The study of principles/methods of deciphering ciphertext without knowing key is known as
________.
A. code breaking
B. cryptanalysis
C. both a and b
D. decipher analysis
9. The coded message is known as ____.
A. plain text
B. cipher text
C. key
D. none
10. The method of hiding the secret is _____.
A. cryptography
B. steganography
C. stenography
17
D. cryptanalysis
11. The RSA public key encryption algorithm was developed by___.
A. John
B. Rivert
C. Mohammed
D. schildt
12. The most commonly used conventional algorithms are ____.
A. block ciphers
B. transposition cipher
C. both a and b
D. none of the above
13. The ________ method provides a one-time session key for two parties.
A. Diffie-Hellman
B. RSA
C. DES
D. AES
Unit – III:
1. Digital signature provides ________.
a. Authentication
b. Nonrepudiation
c. Both a & b
d. None
2. A_____function creates a message digest out of a message.
a. Encryption
b. Decryption
c. hash
d. None
3. A(n)______ creates a secret key only between a member and the enter
a. CA
b. KDC
c. KDD
d. None
4. _______ is a popular session key creator protocol that requires an authentication server
and a ticket-granting server
a. KDC
b. Kerberos
c. CA
d. None
18
5. Kerberos version 4 requires the use of __________
A. MAC address IP address
B. Ethernet link address
C. IP address
D. ISO network address
6. X.509 recommends ____ algorithm.
A. DES
B. Triple DES
C. RSA
D. Blowfish
7. In X.509 format , signature field covers ___.
A. hash code
B. private key
C. algorithm
D. all of the above
8. The digital signature standard proposed in ____.
A. 1991
B. 1993
C. 1995
D. 1997
Unit – IV:
1.
IPSec is designed to provide the security at the
a. transport layer
b. network layer
c. application layer
d. session layer
2. Pretty good privacy (PGP) is used in
a. browser security
b. email security
c. FTP security
d. none of the above
3. Transport layer protocols deals with
a. application to application communication
b. process to process communication
c. node to node communication
d. none of the above
19
4. The cryptography algorithms used in S/MIME are _________.
A. IDEA.
B. RC4.
C. RSA,DES-3.
D. RC5.
5. Which one is the application of IPSec?
A. Secure Remote access
B. Secure branch office connectivity
C. Secure E-Commerce
D. all of the above
6. PGP can be used for ___.
A. email
B. file storage application
C. both a and b
D. none of the above
7. In PGP, a hash code of a message is created using ____.
A. SHA-1
B. IDEA
C. 3DES
D. none of the above
8. The use of S/MIME ___.
A. commercial
B. organization
C. both a and b
D. none of the above
Unit – V:
1. Network layer firewall has two sub-categories as
a. stateful firewall and stateless firewall
b. bit oriented firewall and byte oriented firewall
c. frame firewall and packet firewall
d. none of the above
2. Firewalls are often configured to block
a. UDP traffic
b. TCP traffic
c. Both of the above
d. None of the above
20
3. Transport layer protocols deals with
a. application to application communication
b. process to process communication
c. node to node communication
d. none of the above
University Question Papers
JNTU B.Tech II Semester INFORMATION SECURITY Examinations, Apr/May 2008
(Computer Science & Engineering)
Time: 3 hours Max Marks: 80
SET-I
Answer any FIVE Questions
All Questions carry equal marks
1. (a) Define a Security attack. Explain in detail about the various types of attacks an Inter
network is vulnerable to.
(b) Write about Man-in-the-middle attacks. [10+6]
2. (a) Differentiate between the symmetric block ciphers and symmetric stream ciphers.
(b) Write about Key distribution. [8+8]
3. (a) Alice and Bob wish to share private messages, where each of them of two separate keys
generated. What kind of strategy would you suggest to ensure confidentiality, key management
and authentication for the conversation between Alice and Bob? Explain the strategy and also
highlight the design issues related to the strategy proposed.
(b) Describe the X.509 version 3 in detail. [8+8]
4. (a) What is Radix-64 format? Explain how both PGP and S/MIME perform the Radix-64
conversion is performed.
21
(b) Describe the five principal services that Pretty Good Privacy (PGP) provides. [8+8]
5. (a) Discuss about the documents regarding IPSec protocol?
(b) Describe any four ISAKMP payload types listing the parameters of the pay-load? [8+8]
6. (a) Draw the diagrams showing the relative location of security facilities in TCP/IP
protocol stack? Discuss the advantages of each?
(b) What is SSL session? Can a session be shared among multiple connections?
What are the parameters that define a session state? [8+8]
7. (a) Draw the figure showing VACM logic and explain?
(b) The encryption scheme used for UNIX passwords is one way; it is not possible to reverse it.
Therefore, would it be accurate to say that this is, in fact, a hash code rather than an encryption
of the password. [8+8]
8. (a) List the characteristics of a good firewall implementation?
(b) Explain in detail the two broad categories of statistical anomaly detection? [6+10]
******************************************************************************
INFORMATION SECURITY JNTU previous years question papers
Time: 3 hours Max Marks: 80
Answer any FIVE Questions
All Questions carry equal marks
1. (a) “Gaining control over the Routing tables at layer 3 is one of the attacks” explain how
Route tables modification is crucial.
22
(b) Explain how Buffer overflow is created for any known platforms (eg., WINDOWS NT /
LINUX). [8+8]
2. (a) Compare and contrast between Cryptography and Cryptology.
(b) Explain the various Key distribution methods. [8+8]
3. (a) Explain the procedure involved in RSA public-key encryption algorithm.
(b) Explain what Kerberos is and give its requirements. [8+8]
4. Clearly explain in detail the Multipurpose Internet Mail Extensions (MIME). [16]
5. (a) What is the default length of Authentication data field? On what fields is it calculated?
(b) Explain how Diffie-Hellman protocol is vulnerable to man-in-the-middle attack? How is
rectified in Oakley protocol? [8+8]
6. Describe how brute-force attack and man-in-the-middle attack can be counted by SSL? [16]
7. (a) Explain how proxy accommodates devices that do not implement SNMP?
(b) Discuss SNMPV1 administrative concepts. [8+8]
8. (a) What is a firewall? Explain the capabilities that are within the scope of a firewall?
(b) What are the measures that may be used for intrusion detection?
- See more at: http://topengineeringcollegesintamilnadu.blogspot.in/2011/11/informationsecurity-jntu-previous.html#sthash.jnx7CXyw.dpuf
Tutorial Sheet
Unit-I
Topics Revised
Date:
23
Quick Test Topics
Date:
Case Study Discussed
Date:
Topics Revised
Date:
Unit-II
24
Quick Test Topics
Date:
Case Study Discussed
Date:
Unit-III
Topics Revised
Date:
25
Quick Test Topics
Date:
Case Study Discussed
Date:
Unit-IV
Topics Revised
Date:
Quick Test Topics
Date:
26
Case Study Discussed
Date:
Unit-V
Topics Revised
Date:
Quick Test Topics
Date:
Case Study Discussed
Date:
27
TOPICS BEYOND SYLLABUS
Unit – 1
1.
2.
3.
4.
Unit – 2
28
1.
2.
3.
4.
Unit – 3
1.
2.
3.
4.
Unit – 4
1.
2.
3.
4.
Unit – 5
1.
2.
3.
4.
29
ASSESMENT OF COURSE OUTCOMES: DIRECT
Blooms Taxonomy:
LEVEL 1
REMEMBERING
LEVEL 2
LEVEL 3
S.No.
1
2
3
4
5
6
7
8
Exhibit memory of previously learned material by recalling facts,
terms, basic concepts, and answers
UNDERSTANDING Demonstrate understanding of facts and ideas by organizing,
comparing, translating, interpreting, giving descriptions, and
stating main ideas.
Solve problems to new situations by applying acquired
APPLYING
knowledge, facts, techniques and rules in a different way
LEVEL 4
ANALYZING
LEVEL 5
EVALUATING
LEVEL 6
CREATING
Hall
Ticket
Number
I-Internal
Marks
Examine and break information into parts by identifying motives
or causes. Make inferences and find evidence to support
generalizations.
Present and defend opinions by making judgments about
information, validity of ideas, or quality of work based on a set of
criteria.
Compile information together in a different way by combining
elements in a new pattern or proposing alternative solutions.
Assignment
Marks
Remarks
&
Blooms
Taxonom
y
Assessme
nt
IIInternal
Marks
Assignment
Marks
Remark
s&
Blooms
Taxono
my
Assessm
ent
Avg
.
Ma
rks
30
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
31
54
55
56
57
58
59
60
32
1
Criteria
Oral
Communication
S.N
0
LEVEL
( Level : 5-Excellent
Level :4-Very Good
Level :3-Good
Level :2-Satisfactory
Level : 1-Poor )
Student speaks in phase with the given topic confidently using Audio-Visual aids.
5
Vocabulary is exceptional
Student speaking with proper planning, fair usage of Audio-Visual aids.
4
Vocabulary is good
Student speaking without proper planning, fair usage of Audio-Visual aids.
3
Vocabulary is not good
2 Student speaks in phase but no synchronization among the talk and Visual Aids.
Writing Skills
1 Student speaks vaguely not in phase with the given topic.
2
Proper structuring of the document with relevant subtitles, readability of document
5 is high with correct use of grammar. Work is genuine and not published anywhere
else.
Information gathered is relevant to the given task. sentences were framed
4
properly with correct use of grammar.
Information gathered is relevant to the given task. sentences were framed properly
3
with inappropriate use of grammar
2
1
3
Social and Ethical
Awareness
5
4
3
2
Information is gathered without continuity of topic, sentences were not framed
properly. Few topics are copied from other documents
Information gathered was not relevant to the given task. Content is copied from
other documents
Student identifies most potential ethical or societal issues and provides solutions
for them discussing with peers
Student identifies most potential ethical or societal issues and provides partial
solutions for them discussing with peers
Student identifies the societal and ethical issues but tries to provide solutions for
them discussing with peers
Student identifies the societal and ethical issues but fails to provide any solutions
discussing with peers
1 Student makes no attempt in identifying the societal and ethical issues
4
Content Knowledge
5 Student uses appropriate methods, techniques to model and solve the problem
accurately
4 Student uses appropriate methods, techniques to model and solve the problem
. partially.
3 Student uses appropriate methods to model the problem but attempts to solve the
problem
2 Student tries to model the problem and fails to solve the problem
33
6
Technical and analytical Skills
5
Student Participation
1 Student fails to model the problem and also fails to solve the problem
5 Listens carefully to the class and answer the questions confidently
4 Listens carefully to the class and tries to answer questions confidently.
3 Listens carefully to the lecture and attempts to answer the questions
2 Student listens to the class but doesn’t attempts to answer the questions
1 Student neither listens to the class nor attempts to answer the questions
5
4
3
2
1
8
Understanding of
Engineering core
7
Practical Knowledge
5
The program structure is well organized with appropriate use of technologies and
methodology. Code is easy to read and well documented. Student is able to
implement the algorithm producing accurate results
Program structure is well organized with appropriate use of technologies and
methodology. Code is easy to read and not properly documented. Student is able to
implement the algorithm providing accurate results.
Program structure is well organized with appropriate use of technologies and
methodology. Code is quite difficult to read and not properly documented.
Student is able to implement the algorithm providing accurate results.
Program structure is well organized with usage of appropriate technologies and
methodology. Code is difficult to read and not documented properly and not able to
execute the program
Program structure is not well organized with mistakes in usage of appropriate
technologies and methodology. Code is difficult to read and student is not able to
execute the program
Independently able to write programs for any given context to strengthen the
concepts covered in theory
4 Independently able to write programs to strengthen the concepts covered in theory
3
Independently able to write programs and able to strengthen the concepts learned in
theory
2
Not able to write programs but able to strengthen the concepts learned in theory.
1 Not able to write programs and not able to strengthen the concepts learned in
theory
Student uses appropriate methods, techniques to model and solve the problem
5
accurately in the context of multidisciplinary projects
Student tries to model the problem and solve the problem in the context of
4
multidisciplinary projects
3 Student tries to model the problem and attempts to solve the problem in the context
of multidisciplinary projects.
34
2 Student tries to model the problem but fails to solve the problem in the context
of multidisciplinary projects.
1 Student fails to model the problem and also fails to solve the problem in the context
of multidisciplinary projects
CSP Rubric Name & Number:
S.No.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Hall Ticket
Number
Rubric Assessment
Blooms Taxonomy
Assessment
Remarks
35
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Remedial Classes:
Unit Number
Unit-I
Unit-II
Unit-III
Unit-IV
Date Conducted
Topics Revised
36
Unit-V
Add-on Programmes:
1 To conduct lab
2
3
4
Guest Lectures:
1.
2.
3.
4.
Unit Wise PPTs
Unit Wise lecture Notes:
UNIT-I
Introduction:
Information security in today’s enterprise is a “well-informed sense of assurance that the
information risks and controls are in balance.” –Jim Anderson, Invent (2002)
 The protection of information and its critical elements, including the systems and
hardware that use, store, and transmit that information
 Tools, such as policy, awareness, training, education, and technology are necessary
 The C.I.A. triangle was the standard based on confidentiality, integrity, and availability
 The C.I.A. triangle has expanded into a list of critical characteristics of information
History of Information Security:
 Computer security began immediately after the first mainframes were developed
 Groups developing code-breaking computations during World War II created the first
modern computers
 Physical controls were needed to limit access to authorized personnel to sensitive
military locations
 Only rudimentary controls were available to defend against physical theft, espionage,
and sabotage
37
MULTICS was an operating system, now obsolete. MULTICS is noteworthy because it
was the first and only OS created with security as its primary goal. It was a mainframe, timesharing OS developed in mid – 1960s by a consortium from GE,Bell Labs, and MIT.
Department of Defense in US, started a research program on feasibility of a redundant,
networked communication system to support the military’s exchange of information. Larry
Robers, known as the founder if internet ,developed the project from its inception.
 ARPANET grew in popularity as did its potential for misuse
 Fundamental problems with ARPANET security were identified
– No safety procedures for dial-up connections to the ARPANET
– User identification and authorization to the system were non-existent
 In the late 1970s the microprocessor expanded computing capabilities and security threats
Information Security began with Rand Corporation Report R-609
The Rand Report was the first widely recognized published document to identify the role of
management and policy issues in computer security.
The scope of computer security grew from physical security to include:
a. Safety of the data
b. Limiting unauthorized access to that data
c. Involvement of personnel from multiple levels of the organization
What is Security?
“The quality or state of being secure--to be free from danger”
To be protected from adversaries
 Physical Security – to protect physical items, objects or areas of organization from
unauthorized access and misuse
38
 Personal Security – involves protection of individuals or group of individuals who are
authorized to access the organization and its operations
 Operations security – focuses on the protection of the details of particular operations
or series of activities.
 Communications security – encompasses the protection of organization’s
communications media ,technology and content
 Network security – is the protection of networking components, connections, and
contents
 Information security – is the protection of information and its critical elements,
including the systems and hardware that use ,store, and transmit the information
CNSS Model or NSTISSC MODEL
The Committee on National Security Systems (CNSS) is a United States
intergovernmental organization that sets policy for the security of the US security systems. The
CNSS holds discussions of policy issues, sets national policy, directions, operational procedures,
and guidance for the information systems operated by the U.S. Government, its contractors or
agents that either contain classified information, involve intelligence activities, involve
cryptographic activities related to national security, involve command and control of military
forces, involve equipment that is an integral part of a weapon or weapons system(s), or are
critical to the direct fulfillment of military or intelligence missions.
This refers to “The National Security Telecommunications and Information Systems
Security Committee” document. This document presents a comprehensive model for information
security. The model consists of three dimensions
39
Components of an information system:
An Information System (IS) is much more than computer hardware; it is the entire set of
software, hardware, data, people, and procedures necessary to use information as a resource
in the organization
The software component of IS comprises applications, operating systems, and assorted
command utilities. Software programs are the vessels that carry the life blood of information
through an organization. Information security is often implemented as an afterthought rather than
developed as an integral component from the beginning. Software programs become an easy
target of accidental or intentional attacks.
Hardware is the physical technology that houses and executes the software, stores and
carries the data, provides interfaces for the entry and removal of information from the system.
Physical security policies deal with the hardware as a physical asset and with the protection of
these assets from harm or theft.
Data – Data stored, processed, and transmitted through a computer system must be
protected. Data is the most valuable asset possessed by an organization and it is the main target
of intentional attacks.
People – Though often overlooked in computer security considerations, people have
always been a threat to information security and they are the weakest link in a security chain..
Policy, education and training, awareness, and technology should be properly employed to
prevent people from accidently or intentionally damaging or losing information.
Procedures – Procedures are written instructions for accomplishing when an
unauthorized user obtains an organization’s procedures, it poses threat to the integrity of the
information. Educating employees about safeguarding the procedures is as important as securing
the information system. Lax in security procedures caused the loss of over ten million dollars
before the situation was corrected.
Networks - Information systems in LANs are connected to other networks such as the
internet and new security challenges are rapidly emerge. Apart from locks and keys which are
used as physical security measures, network security also an important aspect to be considered.
Securing the Components
 The computer can be either or both the subject of an attack and/or the object of an attack
 When a computer is
– the subject of an attack, it is used as an active tool to conduct the attack
– the object of an attack, it is the entity being attacked
40
Balancing Information Security and Access
 It is impossible to obtain perfect security - it is not an absolute; it is a process
 Security should be considered a balance between protection and availability
 To achieve balance, the level of security must allow reasonable access, yet protect against
threats
Approaches to Information Security Implementation:
Bottom Up Approach
 Security from a grass-roots effort - systems administrators attempt to improve the
security of their systems
41
 Key advantage - technical expertise of the individual administrators
 Seldom works, as it lacks a number of critical features:
– participant support
– organizational staying power
Top-down Approach
 Initiated by upper management:
– issue policy, procedures, and processes
– dictate the goals and expected outcomes of the project
– determine who is accountable for each of the required actions
 This approach has strong upper management support, a dedicated champion, dedicated
funding, clear planning, and the chance to influence organizational culture
 May also involve a formal development strategy referred to as a systems development
life cycle
– Most successful top-down approach
The Security Systems Development Life Cycle:
Systems Development Life Cycle:
 Information security must be managed in a manner similar to any other major system
implemented in the organization
 Using a methodology
– ensures a rigorous process
– avoids missing steps
 The goal is creating a comprehensive security posture/program
42
Investigation
 What is the problem the system is being developed to solve?
– The objectives, constraints, and scope of the project are specified
– A preliminary cost/benefit analysis is developed
– A feasibility analysis is performed to assesses the economic, technical, and
behavioral feasibilities of the process
Analysis
 Consists primarily of
– assessments of the organization
– the status of current systems
– capability to support the proposed systems
 Analysts begin to determine
– what the new system is expected to do
– how the new system will interact with existing systems
 Ends with the documentation of the findings and a feasibility analysis update
Logical Design
 Based on business need, applications are selected capable of providing needed services
 Based on applications needed, data support and structures capable of providing the
needed inputs are identified
 Finally, based on all of the above, select specific ways to implement the physical solution
are chosen
 At the end, another feasibility analysis is performed
Physical Design
 Specific technologies are selected to support the alternatives identified and evaluated in
the logical design
43
 Selected components are evaluated based on a make-or-buy decision
 Entire solution is presented to the end-user representatives for approval
Implementation
 Components are ordered, received, assembled, and tested
 Users are trained and documentation created
 Users are then presented with the system for a performance review and acceptance test
Maintenance and Change
 Tasks necessary to support and modify the system for the remainder of its useful life
 The life cycle continues until the process begins again from the investigation phase
 When the current system can no longer support the mission of the organization, a new
project is implemented
Security Systems Development Life Cycle:
 The same phases used in the traditional SDLC adapted to support the specialized
implementation of a security project
 Basic process is identification of threats and controls to counter them
 The SecSDLC is a coherent program rather than a series of random, seemingly
unconnected actions
Investigation
 Identifies process, outcomes and goals of the project, and constraints
 Begins with a statement of program security policy
 Teams are organized, problems analyzed, and scope defined, including objectives, and
constraints not covered in the program policy
 An organizational feasibility analysis is performed
Analysis
 Analysis of existing security policies or programs, along with documented current threats
and associated controls
 Includes an analysis of relevant legal issues that could impact the design of the security
solution
 The risk management task (identifying, assessing, and evaluating the levels of risk) also
begins
Logical & Physical Design
 Creates blueprints for security
 Critical planning and feasibility analyses to determine whether or not the project should
continue
 In physical design, security technology is evaluated, alternatives generated, and final
design selected
 At end of phase, feasibility study determines readiness so all parties involved have a
chance to approve the project
Implementation
 The security solutions are acquired (made or bought), tested, and implemented, and tested
again
 Personnel issues are evaluated and specific training and education programs conducted
 Finally, the entire tested package is presented to upper management for final approval
Maintenance and Change
44
 The maintenance and change phase is perhaps most important, given the high level of
ingenuity in today’s threats
 The reparation and restoration of information is a constant duel with an often unseen
adversary
 As new threats emerge and old threats evolve, the information security profile of an
organization requires constant adaptation
Information Security: Is It an Art or a Science?:
 With the level of complexity in today’s information systems, the implementation of
information security has often been described as a combination of art and science
Security as Art
 No hard and fast rules nor are there many universally accepted complete solutions
 No magic user’s manual for the security of the entire system
 Complex levels of interaction between users, policy, and technology controls
Security as Science
 Dealing with technology designed to perform at high levels of performance
 Specific conditions cause virtually all actions that occur in computer systems
 Almost every fault, security hole, and systems malfunction is a result of the interaction of
specific hardware and software
 If the developers had sufficient time, they could resolve and eliminate these faults.

information security is viewed as a social science?:
Security as a Social Science
 Social science examines the behavior of individuals interacting with systems
 Security begins and ends with the people that interact with the system
 End users may be the weakest link in the security chain
 Security administrators can greatly reduce the levels of risk caused by end users, and
create more acceptable and supportable security profiles
The information security roles to be played by various professionals in a typical organization?:
Senior Management
 Chief Information Officer
– the senior technology officer
– primarily responsible for advising the senior executive(s) for strategic planning
 Chief Information Security Officer
– responsible for the assessment, management, and implementation of securing the
information in the organization
– may also be referred to as the Manager for Security, the Security Administrator,
or a similar title
Security Project Team
 A number of individuals who are experienced in one or multiple requirements of both the
technical and non-technical areas:
45
– The champion
– The team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
Previous Question Papers