ASSIGNMENT 1 IT 409
S130172857
Q1- Explain Information Security Policy Lifecycle with neat diagram and list the responsibilities associated with the policy lifecycle process are distributed throughout an organization in a table.
Ans:
Security Information Policy: as a set of laws, regulations and guidelines on how people treat information in all its forms, electronic, paper, or even oral. These laws represent the Organization’s orientation and policy in protecting its information and systems. Also,one of the important means of maintaining the security of the computer, which includes the risks to which it is exposed or the information it maintains. These risks may be intended for theft, sabotage, or natural causes of negligence or external factors such as fire.
The Using of information security policies are commonly practiced and that organizations devote significant resources to information security
management, it is commonplace that the application of a security policy fails to accomplish its goals. For example, policies may be issued but not reviewed to include new regulatory requirements or business process changes, thereby resulting in neglect of legal responsibilities and policies that are outdated. The main objective of this paper is to provide a roadmap for information security policy development which promotes sustainability .
Q2- a) Explain why standards enable the policy by defining action.
b) Provide an example to show the difference between password policy and password standard.
Ans:
A :
Policies always state required actions, and may include pointers to standards. Policy attributes include the following:
Require compliance (mandatory)
Failure to comply results in disciplinary action
Focus on desired results, not on means of implementation
Further defined by standards and guidelines
B:
password policy :
example : “The*?#>*@TrafficOnThe101Was*&#!#ThisMorning”
For example, a password policy named Test might have the following settings for a password:
Valid for 10 days
Minimum of 10 characters in length
Maximum of 20 characters in length
Must have at least two special characters
User must change default password during initial log in
Number of passwords to keep in history .
password standard.:
Passwords must be at least 8 characters in length, cannot be based on dictionary words/common names, and must contain at least 3 of the following 4 types of characters:
‘ lower case letters (i.e. a-z)
‘ upper case letters (i.e. A-Z)
‘ numbers (i.e. 0-9)
‘ special characters (e.g. -=[];,./~!@#$%^&*()_+{}|:<>?)
Q3- a) Define the CIA security model.
The CIA (Confidentiality, Integrity, and Availability) triad of information security is an information security benchmark model used to evaluate the information security of an organization. The CIA triad of information security implements security using three key areas related to information systems including confidentiality, integrity and availability.
b) Provide your own example to describe violation of integrity, confidentiality and availability
integrity of information and availability of information. Many security measures are designed to protect one or more facets of the CIA triad. I shall be exploring some of them in this post.
Confidentiality :
When we talk about confidentiality of information, we are talking about protecting the information from disclosure to unauthorized parties.
Information has value, especially in today’s world. Bank account statements, personal information, credit card numbers, trade secrets, government documents, Every one has information they wish to keep a secret. Protecting such information is a very major part of information security.
A very key component of protecting information confidentiality would be encryption.
Availability :
Availability of information refers to ensuring that authorized parties are able to access the information when needed.
Information only has value if the right people can access it at the right times. Denying access to information has become a very common attack nowadays. Almost every week you can find news about high profile websites being taken down by DDoS attacks. The primary aim of DDoS attacks is to deny users of the website access to the resources of the website. Such downtime can be very costly. Other factors that could lead to lack of availability to important information may include accidents such as power outages or natural disasters such as floods.
c) What is the difference between data integrity and system integrity.
Ans:
Data Integrity is the assurance that information is unchanged from its source, and has not been accidentally (e.g. through programming errors), or maliciously (e.g. through breaches or hacks) modified, altered or destroyed. In another words, it concerns with the completeness, soundness, and wholeness of the data that complies with the intention of data creators.
The integrity of a system refers to the capability of performing correctly according to the original specification of the system under various adversarial conditions. Learn more in: Consistency Is Not Enough in Byzantine Fault Tolerance
2.
The integrity of a system refers to the capability of performing correctly according to the original specification of the system under various adversarial conditions. Learn more in: Enhancing Service Integrity of Byzantine Fault Tolerant Applications
Q4- a) Find a recent article in the internet relating to either hacktivism or distributed denial of service (DDoS) attack(provide URL of the article).
b) Summarize the attack with your own words.
c) Explain why the attacker was successful (or not).
Ans:
A) Anonymous ” hacktivism ” attack Egyptian websites
1 ) http://www.nbcnews.com/id/41280813/ns/technology_and_science-security/t/anonymous-hacktivists-attack-egyptian-websites/#.WeOW21sjTIU
2 ) https://shehabat.wordpress.com/2013/07/12/hacktivism-and-the-arab-spring-uprisingsintroductionthe-technological-battle/
B) The Hacktivist group trained its weapons on Egypt, hitting three official government sites, the Ministry of the Interior and the Ministry of Communications and Information Technology, after the Egyptian authorities shut down the Internet and the entire mobile phone. Anonymous then worked with telcomix to create telephone access. After that, 42 points of contact were made available for Egyptians to re-connect to the Internet. Dial-up connections were established using two servers in Europe. The members then sent dial numbers to every Egyptian office, university and cafe they could find. “On 27 January 2011, millions were invited to join the protesters in Tahrir Square.
C ) The attacks were successful because unknown assailants would launch attacks against Egyptian government positions.After the Egyptian government closed the entire Internet and mobile services. Thus, Anonymous collaborated with Telcomix in creating dial- up access. And then, online crowd sourcing hypertext- hacktivists created 42 dial up access points available for Egyptians to reconnect with the internet. This is done by obtaining information about Egypt in any way from a fax, phone calls, ham radio, fucking carrier pigeons. According to Asokan (2011) ‘Telecomix set up dial-up connections using two servers in Europe. The members then faxed the dial-up numbers to every Egyptian office, university and coffee shop they could find. And then did anonymous appeal to users of the Light Server living near Tahrir Square to open their main passwords, as Nur is the only server that the Egyptian government has not provided as a service provider to the Egyptian stock exchange. In addition, they quickly created an anonymous “care package”, translated into Arabic, and offer digital activists advice on how to hide their identities on the Internet, in order to avoid detection by police. In addition, Anonymous launched attacks of direct attack from the DOS service against government sites. However, DDoS attacks cause them to be disrupted rather than destroyed because the target sites do not damage or steal information, but the volume of requests stops them, preventing anyone from reaching.