Information Security Solutions 2024 | Purbanchal University

🛡️ Information Security

Master of Information Technology (M.I.T.) - Second Semester

Final Exam 2024 | Subject Code: MIT122

Group A - Answer TWO Questions (2×12=24 Marks)

🔄 Question 1 6+6 Marks

Explain the role of security SDLC in creating secure software applications. How do businesses make sure that development operations within organizations are secure?

🔄 Role of Security SDLC (SSDLC) in Creating Secure Software Applications

Security Software Development Life Cycle (SSDLC) integrates security practices into every phase of traditional SDLC. Unlike conventional development where security is an afterthought, SSDLC adopts a "shift-left" approach embedding security from the initial planning stage.

Figure 1: Secure Software Development Life Cycle (SSDLC) Phases

Key Phases and Security Integration:

  • Planning & Requirements: Security requirements gathering, threat modeling, compliance mapping (GDPR, ISO 27001), and risk assessment
  • Design: Secure architecture design, attack surface analysis, secure design patterns implementation
  • Development: Secure coding standards (OWASP, CERT), static application security testing (SAST), code reviews
  • Testing: Dynamic application security testing (DAST), penetration testing, vulnerability scanning
  • Deployment: Secure configuration management, environment hardening, secrets management
  • Maintenance: Continuous monitoring, patch management, incident response planning

Benefits of SSDLC:

  • Reduces cost of fixing vulnerabilities (100x cheaper to fix in design vs production)
  • Ensures compliance with regulatory requirements
  • Builds customer trust and brand reputation
  • Prevents data breaches and associated financial losses

🚀 How Businesses Ensure Secure Development Operations (DevSecOps)

Figure 2: DevSecOps Integration - Security embedded in CI/CD pipeline

Organizations implement DevSecOps to automate security integration:

  • Automated Security Testing: Integrate SAST, DAST, and dependency scanning into CI/CD pipelines
  • Infrastructure as Code (IaC): Security policies defined as code ensuring consistent secure deployments
  • Container Security: Image scanning, runtime protection, and orchestration security (Kubernetes policies)
  • Secrets Management: Tools like HashiCorp Vault, AWS Secrets Manager for credential protection
  • Security Champions Program: Training developers in secure coding practices
  • Continuous Monitoring: Real-time threat detection using SIEM and SOAR platforms
  • Zero Trust Architecture: Never trust, always verify principle for all access requests

Key Insight: Microsoft's SDL (Security Development Lifecycle) reduced security vulnerabilities by 50% post-implementation, demonstrating the effectiveness of systematic security integration.

🧱 Question 2 8+4 Marks

What are the benefits and limitations of using firewalls as a defense mechanism? What features are considered while selecting an appropriate firewall for protecting an organization's information?

🧱 Benefits of Firewalls as a Defense Mechanism

Figure 3: Firewall Network Security Architecture

1. Network Perimeter Protection:

Firewalls act as the first line of defense, creating a barrier between trusted internal networks and untrusted external networks (Internet). They monitor and control incoming and outgoing traffic based on predetermined security rules.

2. Access Control:

Granular control over network traffic through rule-based filtering including IP addresses, port numbers, protocols, and application-level inspection.

3. Threat Prevention:

  • Blocks unauthorized access attempts and port scanning
  • Prevents malware from communicating with command & control servers
  • Stops certain types of DoS attacks through rate limiting
  • Filters malicious content and known attack signatures

4. Logging and Monitoring:

Comprehensive logging capabilities enable security teams to analyze traffic patterns, detect anomalies, and conduct forensic investigations.

5. VPN Support:

Modern firewalls provide secure remote access through VPN termination, encrypting traffic between remote users and corporate networks.

6. Application Awareness:

Next-Generation Firewalls (NGFW) can identify and control applications regardless of port or protocol used, enabling fine-grained policy enforcement.

🧱 Limitations of Firewalls

  • Internal Threats: Cannot protect against insider threats or malware already inside the network
  • Encrypted Traffic: Difficulty inspecting encrypted traffic (TLS/SSL) without SSL inspection capabilities
  • Zero-Day Attacks: Signature-based detection fails against unknown threats
  • Social Engineering: No protection against phishing or human manipulation
  • Complexity: Misconfiguration can create security gaps; rule management becomes complex
  • Performance Impact: Deep packet inspection can introduce latency
  • Bypass Techniques: Tunneling, VPNs, and encrypted proxies can circumvent firewall controls
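
The "Complexity" limitation above is the one most often realised in practice: a firewall evaluates its rules first-match, so a broad rule placed too high silently shadows every narrower rule beneath it. The following is an added example, not part of the exam notes, that models that behaviour in Python. The rule sets, addresses and packets are constructed for the illustration; `shadowed_rules` is a small lint that reports rules that can never fire, which is the check a reviewer would run on a policy before deploying it.

```python
"""Added example (not part of the exam notes): a first-match packet filter that
shows how rule ordering creates the misconfiguration gap listed above."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR, or "any" for 0.0.0.0/0
    dst: str               # CIDR, or "any"
    dport: Optional[int]   # None matches every destination port
    comment: str = ""


def _net(cidr: str):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def matches(rule: Rule, pkt: dict) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in _net(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in _net(rule.dst)
            and (rule.dport is None or rule.dport == pkt["dport"]))


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


def _covers(wide: Rule, narrow: Rule) -> bool:
    """True when every packet `narrow` could match is already matched by `wide`."""
    return ((wide.proto == "any" or wide.proto == narrow.proto)
            and _net(wide.src).supernet_of(_net(narrow.src))
            and _net(wide.dst).supernet_of(_net(narrow.dst))
            and (wide.dport is None or wide.dport == narrow.dport))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Policy lint: indices of rules that can never fire because an earlier,
    broader rule always matches first. A non-empty result is a configuration gap."""
    return [j for j, r in enumerate(rules) if any(_covers(e, r) for e in rules[:j])]


# Constructed rule sets for a hypothetical network: 10.0.0.0/8 is internal,
# 10.0.5.10 is the public web server.
INTERNAL, WEB_SERVER = "10.0.0.0/8", "10.0.5.10/32"

SHADOWED = [   # the broad allow on top silently swallows the deny beneath it
    Rule("allow", "any", "any", INTERNAL, None, "temporary troubleshooting rule"),
    Rule("deny", "tcp", "any", INTERNAL, 23, "block telnet from anywhere"),
    Rule("allow", "tcp", "any", WEB_SERVER, 443, "public HTTPS"),
]
CORRECTED = [  # specific rules only; everything else falls to the default deny
    Rule("deny", "tcp", "any", INTERNAL, 23, "block telnet from anywhere"),
    Rule("allow", "tcp", "any", WEB_SERVER, 443, "public HTTPS"),
]

# Constructed sample packets.
TELNET_FROM_INTERNET = {"proto": "tcp", "src": "203.0.113.7", "dst": "10.0.5.10", "dport": 23}
HTTPS_FROM_INTERNET = {"proto": "tcp", "src": "203.0.113.7", "dst": "10.0.5.10", "dport": 443}
SSH_TO_DATABASE = {"proto": "tcp", "src": "203.0.113.7", "dst": "10.0.9.4", "dport": 22}

if __name__ == "__main__":
    for name, rules in (("shadowed", SHADOWED), ("corrected", CORRECTED)):
        print(name, "shadowed rule indices:", shadowed_rules(rules))
        for pkt in (TELNET_FROM_INTERNET, HTTPS_FROM_INTERNET, SSH_TO_DATABASE):
            print("  ", pkt["dst"], pkt["dport"], "->", evaluate(rules, pkt))
```

Running it shows the shadowed policy allowing the telnet packet that its own second rule was meant to block, while the corrected policy denies it and also denies the SSH attempt to the database host through the default deny, without any rule naming that host.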

🧱 Features to Consider When Selecting a Firewall

Feature Category | Specific Considerations
--- | ---
Performance | Throughput capacity (Gbps), concurrent connections, new connections per second, latency impact
Security Capabilities | IPS/IDS integration, malware sandboxing, URL filtering, SSL/TLS inspection
Scalability | Support for growth, cloud integration, virtual firewall options, clustering capabilities
Management | Centralized management, intuitive GUI, API availability, policy optimization tools
Integration | SIEM compatibility, threat intelligence feeds, SD-WAN integration, zero trust architecture support
Compliance | Logging standards, reporting capabilities, regulatory compliance features (PCI DSS, HIPAA)
Cost | TCO including licensing, support, hardware, training; subscription models vs perpetual licensing

📋 Question 3 6+6 Marks

(a) What are employment policies and practices within an organization regarding information security?
(b) Discuss the technical and non-technical aspects of security implementation.

(a) Employment Policies and Practices for Information Security

Figure 4: Information Security Policy Components

1. Pre-Employment Phase:

  • Background Verification: Criminal record checks, employment history verification, education credential validation
  • Security Clearance: For sensitive positions, appropriate clearance levels based on data access requirements
  • NDA Agreements: Non-disclosure agreements protecting proprietary information
  • Acceptable Use Policy (AUP) Review: Candidates must acknowledge IT resource usage policies before hiring

2. During Employment:

  • Role-Based Access Control (RBAC): Principle of least privilege - employees access only necessary resources
  • Security Awareness Training: Mandatory annual training covering phishing, social engineering, password hygiene
  • Clear Desk Policy: Requirements for securing physical documents and devices
  • Remote Work Policies: VPN usage, secure Wi-Fi requirements, device encryption standards
  • Incident Reporting: Procedures for reporting suspicious activities or security breaches
  • Regular Access Reviews: Quarterly reviews of user privileges and access rights

3. Termination/Transfer Procedures:

  • Immediate Access Revocation: Timely disabling of accounts, VPN access, and building access
  • Asset Return: Collection of laptops, mobile devices, access cards, and confidential materials
  • Exit Interviews: Reminders of ongoing confidentiality obligations
  • Knowledge Transfer: Secure handover of data and system access to replacements

(b) Technical and Non-Technical Aspects of Security Implementation

Technical Aspects:

  • Access Control Mechanisms: Multi-factor authentication (MFA), biometric systems, smart cards, password policies
  • Encryption: Data at rest (AES-256), data in transit (TLS 1.3), end-to-end encryption for communications
  • Network Security: Firewalls, IDS/IPS, network segmentation, VLANs, VPNs
  • Endpoint Protection: Antivirus/EDR, host-based firewalls, device encryption, patch management
  • Security Monitoring: SIEM systems, log management, behavioral analytics, threat hunting
  • Backup and Recovery: Automated backups, disaster recovery sites, business continuity planning
  • Cloud Security: CASB (Cloud Access Security Broker), CSPM (Cloud Security Posture Management)

Non-Technical Aspects:

  • Governance and Policies: Information security policies, standards, procedures, and guidelines aligned with business objectives
  • Organizational Structure: Defined security roles (CISO, security officers), clear accountability and reporting lines
  • Human Resources: Security awareness programs, background checks, disciplinary procedures for violations
  • Physical Security: Facility access controls, surveillance systems, environmental controls (fire suppression, HVAC)
  • Legal and Compliance: Regulatory adherence (GDPR, HIPAA, PCI-DSS), contract management, intellectual property protection
  • Risk Management: Risk assessment methodologies, risk treatment plans, business impact analysis
  • Third-Party Management: Vendor risk assessments, security requirements in contracts, supply chain security
  • Incident Response: Communication plans, crisis management, public relations strategies
  • Security Culture: Executive sponsorship, security champions program, reward systems for security-conscious behavior

Integration is Key: Effective security requires both technical controls and non-technical measures working together. Technology alone cannot protect against social engineering, while policies without technical enforcement are ineffective.

Group B - Answer SIX Questions (6×6=36 Marks)

🛡️ Question 4 6 Marks

What are the differences between an intrusion detection system and an intrusion prevention system? Briefly discuss the recent technologies used to restrict physical security breaches.

🛡️ Differences Between IDS and IPS

Figure 5: Intrusion Detection System (IDS) vs Intrusion Prevention System (IPS)

Aspect | Intrusion Detection System (IDS) | Intrusion Prevention System (IPS)
--- | --- | ---
Primary Function | Monitors and alerts on suspicious activities | Monitors, detects, and actively blocks threats
Response Action | Passive - generates alerts only | Active - blocks traffic, drops packets, resets connections
Network Position | Out-of-band (taps/SPAN ports) - parallel to traffic flow | In-line - directly in the traffic path
Latency Impact | Zero latency - doesn't process live traffic | Minimal latency - must process all traffic in real-time
False Positive Impact | Low impact - just alerts | High impact - may block legitimate traffic
Deployment | Easier - no network reconfiguration needed | Complex - requires careful tuning to avoid disruption
Use Case | Forensics, compliance monitoring, threat detection | Real-time threat prevention, automated response

Types:

  • NIDS/NIPS: Network-based - monitors network traffic
  • HIDS/HIPS: Host-based - monitors individual systems
  • Signature-based: Matches known attack patterns
  • Anomaly-based: Detects deviations from baseline behavior
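
To make the signature-based/anomaly-based distinction and the IDS/IPS response difference concrete, here is an added example, not part of the exam notes, that runs both detection styles over a constructed connection log. The log format, the signature patterns, the port-scan threshold and the addresses are all assumptions made for the illustration. The IDS function only reports; the IPS function turns every alert into a block, which is exactly why the table above rates its false-positive impact as high: without tuning it blocks the organisation's own authorised scanner.

```python
"""Added example (not part of the exam notes): signature-based and anomaly-based
detection run over constructed connection-log lines, with the IDS (alert only)
and IPS (alert becomes a block) responses side by side."""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed log format (not a real sensor's): "<unix_ts> <src> -> <dst>:<dport> <detail>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<detail>.*)$")

# Signature rules: known attack patterns in the request detail.
SIGNATURES = {
    "path-traversal": re.compile(r"/\.\./"),
    "sqli-probe": re.compile(r"union\s+select", re.IGNORECASE),
}


def _build_sample_log() -> str:
    """Constructed traffic: a normal user, one request carrying a traversal
    pattern, and the organisation's own vulnerability scanner sweeping 26 ports."""
    lines = [
        "1700000001 198.51.100.9 -> 10.0.5.10:80 GET /index.html",
        "1700000002 198.51.100.9 -> 10.0.5.10:80 GET /static/../../app.conf",
        "1700000003 192.0.2.5 -> 10.0.5.10:443 GET /login",
        "1700000004 192.0.2.5 -> 10.0.5.10:443 POST /login",
        "not a log line at all",   # malformed input the parser must survive
    ]
    lines += [f"17000000{10 + i:02d} 10.0.0.50 -> 10.0.5.10:{20 + i} SYN" for i in range(26)]
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                      # skip malformed lines instead of crashing the sensor
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def signature_alerts(events: List[Dict]) -> List[Tuple[str, str]]:
    """Signature-based: fires only on patterns already in the rule set."""
    return [(e["src"], name) for e in events
            for name, rx in SIGNATURES.items() if rx.search(e["detail"])]


def anomaly_alerts(events: List[Dict], port_threshold: int = 15) -> List[Tuple[str, str]]:
    """Anomaly-based: a source touching far more distinct destination ports than
    a normal client does (the baseline here is a handful) is flagged as a port scan."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dport"])
    return [(src, "port-scan") for src, p in ports.items() if len(p) > port_threshold]


def ids_report(log_text: str) -> List[Tuple[str, str]]:
    """IDS: passive, out-of-band. Produces alerts; traffic is never touched."""
    events = parse_log(log_text)
    return signature_alerts(events) + anomaly_alerts(events)


def ips_block_list(log_text: str, allowlist: FrozenSet[str] = frozenset()) -> Set[str]:
    """IPS: in-line. Every alert becomes an enforcement action, which is why an
    untuned IPS blocks the authorised scanner too. The allowlist is the tuning
    step that stops that false positive from disrupting legitimate traffic."""
    return {src for src, _ in ids_report(log_text) if src not in allowlist}


if __name__ == "__main__":
    print("IDS alerts:", ids_report(SAMPLE_LOG))
    print("IPS blocks (untuned):", ips_block_list(SAMPLE_LOG))
    print("IPS blocks (scanner allowlisted):", ips_block_list(SAMPLE_LOG, frozenset({"10.0.0.50"})))
```

The traversal request is caught by the signature rule, the scanner by the anomaly rule, and the ordinary user by neither; the two IPS calls show the same alert set producing a disruptive block list before tuning and a correct one after it.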

🏢 Recent Technologies for Physical Security

Figure 6: Biometric Access Control Systems

1. Advanced Biometric Systems:

  • Multi-modal Biometrics: Combining fingerprint, iris, facial recognition, and voice for higher accuracy
  • Behavioral Biometrics: Analyzing gait patterns, keystroke dynamics, and mouse movements
  • Contactless Biometrics: Touchless fingerprint and palm vein scanning (post-pandemic adoption)
  • 3D Facial Recognition: Liveness detection preventing spoofing with photos or masks

2. AI-Powered Surveillance:

  • Video Analytics: Real-time detection of unauthorized access, loitering, or abandoned objects
  • Facial Recognition: Identifying known threats or unauthorized personnel in real-time
  • Predictive Analytics: Identifying patterns that precede security incidents

3. Smart Access Control:

  • Mobile Credentials: Smartphone-based access using Bluetooth Low Energy (BLE) or NFC
  • Zero Trust Physical Security: Continuous verification even after initial entry
  • Integration with IT Systems: Linking physical access with logical access and HR databases

4. IoT Sensors and Perimeter Security:

  • LiDAR and Radar: Detecting intrusions along fence lines without physical barriers
  • Drone Detection: RF sensors and radar detecting unauthorized UAVs
  • Smart Fencing: Fiber optic cables detecting vibrations and cutting attempts

5. Emergency Response Technologies:

  • Mass Notification Systems: Multi-channel alerts (SMS, email, PA systems, digital signage)
  • Lockdown Systems: Automated door locking and access denial during emergencies
  • Geofencing: Location-based alerts when employees enter dangerous areas

⚖️ Question 5 6 Marks

How important is ethics in information security? What are the legal and ethical issues in this regard?

⚖️ Importance of Ethics in Information Security

Figure 7: Core Principles of Cybersecurity Ethics

Ethics in information security is fundamental because security professionals hold extraordinary power and access to sensitive information. Unlike many professions, information security practitioners can access confidential data, monitor communications, and control critical systems.

Key Reasons for Ethical Importance:

  • Trust: Organizations and individuals trust security professionals with their most sensitive data
  • Power Imbalance: Security professionals possess technical capabilities that far exceed oversight capabilities
  • Privacy Protection: Balancing security needs against individual privacy rights
  • Professional Integrity: Maintaining standards that elevate the profession
  • Public Safety: Critical infrastructure protection affects public welfare

📜 Legal Issues in Information Security

1. Data Protection Laws:

  • GDPR (EU): Strict requirements for data handling, breach notification (72 hours), right to erasure
  • CCPA/CPRA (California): Consumer rights to know, delete, and opt-out of data sale
  • HIPAA (US Healthcare): Protected Health Information (PHI) security requirements
  • PIPEDA (Canada): Personal information protection in commercial activities

2. Computer Crime Legislation:

  • CFAA (US): Computer Fraud and Abuse Act - unauthorized access prohibitions
  • Computer Misuse Act (UK): Unauthorized access, modification, and malware distribution
  • Information Technology Act (India): Cybercrime penalties and digital signature regulations

3. Intellectual Property:

  • Software licensing compliance
  • Trade secret protection
  • Copyright infringement in security research

Ethical Issues in Information Security

1. Privacy vs. Security Dilemma:

The tension between monitoring for security threats and respecting employee privacy. Key considerations include:

  • Extent of monitoring (email, web traffic, keystrokes)
  • Transparency about monitoring practices
  • Purpose limitation - using data only for stated security purposes

2. Responsible Disclosure:

  • When security researchers discover vulnerabilities
  • Balancing public safety with vendor reputation
  • Coordinated vulnerability disclosure timelines
  • Bug bounty program ethics

3. Whistleblowing:

  • Reporting illegal activities vs. loyalty to employer
  • Protection for ethical whistleblowers
  • Proper channels for reporting concerns

4. Professional Conduct:

  • Certification requirements (CISSP Code of Ethics, EC-Council Code)
  • Confidentiality obligations
  • Avoiding conflicts of interest
  • Competence and continuous learning requirements

5. Artificial Intelligence Ethics:

  • Algorithmic bias in security tools
  • Automated decision-making accountability
  • Surveillance capitalism concerns

Ethical Frameworks: Security professionals should follow (1) Utilitarian approach (greatest good), (2) Deontological approach (duty-based), and (3) Virtue ethics (character-based) when making difficult decisions.

🔐 Question 6 6 Marks

What are the protocols used for secure communications and how do they maintain security?

📡 Secure Communication Protocols

Figure 8: TLS/SSL Handshake Process for Secure Communication

1. Transport Layer Security (TLS) / Secure Sockets Layer (SSL):

TLS is the successor to SSL and is the standard for securing web communications (HTTPS).

  • Encryption: Uses symmetric encryption (AES, ChaCha20) for data confidentiality after handshake
  • Authentication: X.509 certificates verify server (and optionally client) identity
  • Integrity: Message Authentication Codes (MAC) or AEAD ciphers prevent tampering
  • Handshake Process:
    1. Client sends supported cipher suites and random number
    2. Server responds with certificate, selected cipher, and random number
    3. Key exchange (Diffie-Hellman or RSA) establishes pre-master secret
    4. Both parties derive session keys from pre-master secret
    5. Encrypted communication begins
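
Steps 4 and 5 of the handshake are where the "Encryption" and "Integrity" bullets above become concrete: both peers turn the shared pre-master secret and the two random numbers into the same set of session keys, and every record is then authenticated with a key derived from that set. The block below is an added example, not code from the exam notes or from any TLS implementation. It uses HKDF (RFC 5869) for the derivation and HMAC-SHA256 for the record tag; real TLS 1.2 uses its own PRF and TLS 1.3 an HKDF label schedule, so the exact derivation differs, but the key split and the MAC over a sequence number are the same ideas. The pre-master secret and randoms are constructed constants, not values from a real handshake.

```python
"""Added example (not part of the exam notes): a simplified handshake step 4,
deriving per-direction session keys from the pre-master secret and both randoms
with HKDF, then protecting records with HMAC so tampering and replay are detected."""
import hashlib
import hmac
from typing import Dict


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_session_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> Dict[str, bytes]:
    """Both peers run this with identical inputs and so obtain identical keys.
    Separate keys per direction and per purpose mean a MAC key never doubles as
    an encryption key."""
    prk = hkdf_extract(client_random + server_random, pre_master)
    material = hkdf_expand(prk, b"session keys", 4 * 32)
    names = ("client_enc", "server_enc", "client_mac", "server_mac")
    return {n: material[i * 32:(i + 1) * 32] for i, n in enumerate(names)}


def record_tag(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Integrity tag over the sequence number and payload, as TLS does, so a
    replayed or reordered record fails verification even if its bytes are intact."""
    return hmac.new(mac_key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


def verify_record(mac_key: bytes, seq: int, payload: bytes, tag: bytes) -> bool:
    # constant-time comparison avoids leaking how many tag bytes matched
    return hmac.compare_digest(record_tag(mac_key, seq, payload), tag)


# Constructed values: in a real handshake these come from the key exchange and
# from each side's random number generator.
PRE_MASTER = bytes.fromhex("0f" * 48)
CLIENT_RANDOM = bytes.fromhex("01" * 32)
SERVER_RANDOM = bytes.fromhex("02" * 32)

if __name__ == "__main__":
    client_keys = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_keys = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    assert client_keys == server_keys
    msg = b"GET /account HTTP/1.1"
    tag = record_tag(client_keys["client_mac"], 1, msg)
    print("intact record verifies:", verify_record(server_keys["client_mac"], 1, msg, tag))
    print("tampered record verifies:", verify_record(server_keys["client_mac"], 1, b"GET /admin HTTP/1.1", tag))
    print("replayed record verifies:", verify_record(server_keys["client_mac"], 2, msg, tag))
```

The three printed checks show the property the "Integrity" bullet promises: an untouched record verifies, a modified one does not, and a copy presented under a different sequence number does not either, even though its payload is unchanged.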

2. Internet Protocol Security (IPsec):

Network layer security providing protection for IP communications.

  • Authentication Header (AH): Provides integrity and authentication but not encryption
  • Encapsulating Security Payload (ESP): Provides confidentiality, integrity, and authentication
  • Security Associations (SA): Establish parameters for secure communication
  • Internet Key Exchange (IKE): Automates key exchange and SA establishment
  • Modes: Transport mode (end-to-end) and Tunnel mode (gateway-to-gateway, used in VPNs)

Figure 9: SSL VPN Architecture for Secure Remote Access

3. Secure Shell (SSH):

Protocol for secure remote login and command execution.

  • Encryption: Symmetric encryption (AES, 3DES, Blowfish) for session data
  • Authentication: Password-based or public key authentication (RSA, ECDSA, Ed25519)
  • Host Verification: Server fingerprint verification prevents man-in-the-middle attacks
  • Port Forwarding: Secure tunneling for other protocols
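
The "Host Verification" bullet is the part of SSH that depends on a human or a pinned record rather than on cryptography alone, so it is worth seeing exactly what gets compared. The following added example, not part of the exam notes or of OpenSSH, builds an ssh-ed25519 public-key line in the authorized_keys/known_hosts format, computes the SHA256 fingerprint in the same form that `ssh-keygen -l` prints, and makes the accept/reject decision against a fingerprint recorded out of band. The 32 key bytes are a constructed stand-in, not a real key.

```python
"""Added example (not part of the exam notes): computing an OpenSSH-style SHA256
host-key fingerprint and checking a presented key against a pinned fingerprint,
the manual check behind 'host verification prevents man-in-the-middle'."""
import base64
import hashlib
import struct
from typing import Tuple


def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_public_blob(raw_public_key: bytes) -> bytes:
    """Wire-format blob for an ssh-ed25519 key: string "ssh-ed25519", string key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def fingerprint_sha256(blob: bytes) -> str:
    """Same format ssh-keygen -l prints: SHA256: plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key_line(line: str) -> Tuple[str, bytes]:
    """Parse an authorized_keys/known_hosts style line 'type base64 [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed key line")
    return fields[0], base64.b64decode(fields[1])


def verify_host_key(presented_line: str, pinned_fingerprint: str) -> bool:
    """Trust decision: connect only if the presented key's fingerprint equals the
    one recorded out of band. A mismatch may be a legitimate key rotation, but it
    must be treated as possible interception until confirmed over another channel."""
    key_type, blob = parse_key_line(presented_line)
    if key_type != "ssh-ed25519":
        return False
    return fingerprint_sha256(blob) == pinned_fingerprint


# Constructed key material: 32 deterministic bytes standing in for a real
# Ed25519 public key (no private key exists for it).
CONSTRUCTED_KEY = bytes(range(32))
PRESENTED_LINE = ("ssh-ed25519 "
                  + base64.b64encode(ed25519_public_blob(CONSTRUCTED_KEY)).decode()
                  + " host.example")
PINNED = fingerprint_sha256(ed25519_public_blob(CONSTRUCTED_KEY))

if __name__ == "__main__":
    print("pinned:", PINNED)
    print("genuine host accepted:", verify_host_key(PRESENTED_LINE, PINNED))
    other = ed25519_public_blob(bytes([255]) + CONSTRUCTED_KEY[1:])
    other_line = "ssh-ed25519 " + base64.b64encode(other).decode()
    print("different key accepted:", verify_host_key(other_line, PINNED))
```

A key that differs in a single byte yields an unrelated fingerprint and is rejected, which is the whole point of the check: the client never has to evaluate the key itself, only compare a short digest with the one it was given in advance.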

4. Secure/Multipurpose Internet Mail Extensions (S/MIME):

Email security standard providing:

  • Digital Signatures: Sender authentication and non-repudiation
  • Encryption: Content confidentiality using public key cryptography
  • Certificate-based: X.509 certificates for identity verification

5. Pretty Good Privacy (PGP) / OpenPGP:

End-to-end encryption for email and files.

  • Hybrid Cryptosystem: Combines symmetric encryption (for speed) with asymmetric encryption (for key exchange)
  • Web of Trust: Decentralized trust model vs. certificate authorities
  • Hashing: SHA-256/SHA-512 for integrity verification

6. Virtual Private Network (VPN) Protocols:

  • OpenVPN: Open-source, uses TLS/SSL, highly configurable
  • WireGuard: Modern, lightweight, uses Curve25519 for key exchange
  • L2TP/IPsec: Layer 2 Tunneling Protocol combined with IPsec security
  • IKEv2/IPsec: Fast reconnection, mobile-friendly, built-in NAT traversal

7. DNS Security Extensions (DNSSEC):

  • Cryptographic verification of DNS responses
  • Prevents DNS spoofing and cache poisoning
  • Uses digital signatures and chain of trust from root DNS servers

8. Secure Real-time Transport Protocol (SRTP):

  • Encryption and authentication for VoIP communications
  • AES encryption for media streams
  • HMAC-SHA1 for message authentication

Security Mechanisms Summary: All secure protocols implement (1) Confidentiality through encryption, (2) Integrity through hashing/MACs, (3) Authentication through certificates or shared secrets, and (4) Non-repudiation through digital signatures.

⚠️ Question 7 6 Marks

Describe the contemporary threats and attacks that organizations are facing in terms of their network and information security.

⚠️ Contemporary Network and Information Security Threats

Figure 10: Major Cybersecurity Threats Facing Organizations

1. Ransomware and Extortion:

Ransomware has evolved from simple file encryption to double and triple extortion models:

  • Double Extortion: Encrypt data AND threaten to leak it publicly
  • Triple Extortion: Also threaten customers/partners or launch DDoS attacks
  • Ransomware-as-a-Service (RaaS): Affiliate models lowering technical barriers
  • Supply Chain Ransomware: Targeting MSPs to access multiple victims
  • Notable families: LockBit, BlackCat (ALPHV), Cl0p, Play

2. Advanced Persistent Threats (APTs):

Sophisticated, long-term targeted attacks typically nation-state sponsored:

  • Characteristics: Long dwell time (months/years), specific targets, advanced techniques
  • Tactics: Living off the land (using legitimate tools), fileless malware, zero-day exploits
  • Objectives: Espionage, intellectual property theft, critical infrastructure disruption
  • Examples: APT29 (Cozy Bear), APT28 (Fancy Bear), Lazarus Group

3. Supply Chain Attacks:

  • Software Supply Chain: Compromising legitimate software updates (SolarWinds, Kaseya)
  • Hardware Supply Chain: Implants in manufactured devices
  • Third-Party Compromise: Attacking less secure vendors to reach primary targets
  • Open Source Risks: Malicious packages in npm, PyPI, GitHub repositories

4. Cloud Security Threats:

  • Misconfiguration: Exposed S3 buckets, open databases, default credentials
  • Identity and Access Management (IAM) Attacks: Credential stuffing, privilege escalation
  • API Vulnerabilities: Insecure APIs exposing cloud resources
  • Multi-Cloud Complexity: Inconsistent security policies across providers
  • Cryptojacking: Unauthorized mining using compromised cloud resources

5. Social Engineering and Phishing:

  • Spear Phishing: Highly targeted attacks using personal information
  • Business Email Compromise (BEC): Impersonating executives for wire fraud
  • Deepfake Attacks: AI-generated audio/video for impersonation
  • Quishing: QR code phishing bypassing email filters
  • Vishing: Voice phishing using VoIP and caller ID spoofing

6. IoT and Edge Device Threats:

  • Botnets: Mirai and variants compromising IoT devices for DDoS
  • Default Credentials: Unchanged factory passwords
  • Unpatched Firmware: Devices difficult to update
  • Shadow IoT: Unauthorized devices on corporate networks

7. AI-Powered Attacks:

  • Adversarial Machine Learning: Poisoning training data or evading detection
  • Deepfake Technology: Synthetic media for social engineering
  • Automated Vulnerability Discovery: AI scanning for weaknesses faster
  • Polymorphic Malware: AI-generated code that constantly changes signature

8. Insider Threats:

  • Malicious Insiders: Disgruntled employees stealing data or sabotaging systems
  • Compromised Insiders: Credentials stolen through social engineering
  • Negligent Insiders: Unintentional data leaks through carelessness

9. Zero-Day Exploits:

  • Vulnerabilities unknown to vendors and users
  • Premium prices on underground markets
  • Used in targeted attacks before patches available

10. Distributed Denial of Service (DDoS):

  • Volumetric Attacks: Overwhelming bandwidth (UDP floods)
  • Protocol Attacks: Consuming server resources (SYN floods)
  • Application Layer Attacks: Targeting specific application functions
  • Amplification: Using DNS, NTP, or memcached to magnify attack size

📉 Question 8 6 Marks

What factors need to be considered while selecting an appropriate risk control strategy for an organization?

📉 Factors for Selecting Risk Control Strategy

Figure 11: Risk Management Framework (RMF) Process

Selecting an appropriate risk control strategy requires systematic evaluation of multiple organizational, technical, and business factors. The four primary risk treatment options are: Risk Avoidance, Risk Mitigation, Risk Transfer, and Risk Acceptance.

1. Risk Assessment Results:

  • Likelihood of Occurrence: Probability based on threat intelligence and historical data
  • Impact Analysis: Financial, operational, reputational, and regulatory consequences
  • Risk Appetite: Organization's willingness to accept risk levels
  • Risk Tolerance: Acceptable variation relative to risk appetite

2. Cost-Benefit Analysis:

  • Implementation Costs: Capital expenditure, operational costs, training
  • ROI of Controls: Annualized Loss Expectancy (ALE) vs. control costs
  • Residual Risk Cost: Cost of remaining risk after controls
  • Opportunity Cost: Resources diverted from other initiatives

3. Regulatory and Compliance Requirements:

  • Mandatory Controls: Legally required safeguards (GDPR, HIPAA, PCI-DSS)
  • Industry Standards: ISO 27001, NIST CSF, CIS Controls
  • Audit Requirements: Evidence and documentation needs
  • Geographic Considerations: Data residency and cross-border transfer laws

4. Business Context:

  • Criticality of Assets: Value of information assets being protected
  • Business Process Impact: Effect on operations, productivity, and customer service
  • Strategic Alignment: Support for business objectives and growth
  • Competitive Advantage: Security as differentiator in market

5. Technical Feasibility:

  • Compatibility: Integration with existing infrastructure
  • Scalability: Ability to grow with organization
  • Complexity: Implementation difficulty and maintenance overhead
  • Performance Impact: Effect on system speed and availability

6. Organizational Factors:

  • Security Maturity: Current capabilities and readiness
  • Resource Availability: Skilled personnel, budget constraints
  • Cultural Readiness: Employee acceptance and change management
  • Time Constraints: Urgency of implementation

7. Threat Landscape:

  • Emerging Threats: Relevance to current attack vectors
  • Threat Actor Capabilities: Sophistication of potential adversaries
  • Threat Intelligence: Industry-specific threat data

8. Control Effectiveness:

  • Preventive vs Detective vs Corrective: Layered defense strategy
  • Single Point of Failure: Redundancy requirements
  • Automation Level: Manual vs automated response capabilities
  • Monitoring and Metrics: Ability to measure control effectiveness

9. Third-Party Considerations:

  • Vendor Risk: Reliability of control providers
  • Supply Chain Security: Dependencies on external parties
  • Insurance Requirements: Cyber insurance policy conditions

10. Residual Risk Evaluation:

  • Acceptable Residual Risk: Whether remaining risk is tolerable
  • Compensating Controls: Alternative safeguards if primary controls fail
  • Continuous Monitoring: Ongoing assessment of risk levels

Decision Framework: Use a risk matrix combining impact and likelihood to prioritize risks. High-impact/high-likelihood risks typically require mitigation; low-impact/low-likelihood risks may be accepted. Always document the rationale for risk acceptance decisions.

🔑 Question 9 6 Marks

Explain the foundation and objectives of cryptology.

🔑 Foundation and Objectives of Cryptology

Figure 12: Encryption and Decryption Process in Cryptography

Definition: Cryptology is the science of secure communication, encompassing both Cryptography (the art of writing secret codes) and Cryptanalysis (the art of breaking them). It forms the mathematical foundation of information security.

Historical Foundations

1. Ancient Origins:

  • Caesar Cipher (100 BC): Substitution cipher shifting letters by fixed amount
  • Scytale (Spartans): Transposition cipher using cylindrical rods
  • Arabic Contributions (9th century): Systematic cryptanalysis methods by Al-Kindi

2. Mathematical Foundations:

  • Number Theory: Prime numbers, modular arithmetic, discrete logarithms
  • Probability Theory: Claude Shannon's information theory (1949)
  • Complexity Theory: Computational hardness assumptions (P vs NP)
  • Algebraic Structures: Groups, rings, fields (especially finite fields/Galois fields)

3. Modern Cryptography Era:

  • 1976 (Diffie-Hellman): First practical public-key exchange
  • 1977 (RSA): First practical public-key encryption and signature scheme
  • 2001 (AES): Advanced Encryption Standard replacing DES
  • Post-Quantum: Lattice-based, hash-based cryptography for quantum resistance

🔑 Core Objectives of Cryptology (CIA+)

1. Confidentiality (Privacy):

Ensuring information is accessible only to authorized parties:

  • Encryption: Transforming plaintext to ciphertext using algorithms and keys
  • Access Control: Restricting decryption capabilities to authorized entities
  • Forward Secrecy: Protecting past sessions even if long-term keys are compromised

2. Integrity:

Assuring information has not been altered in storage or transmission:

  • Hash Functions: MD5, SHA-256, SHA-3 producing fixed-size digests
  • Message Authentication Codes (MAC): HMAC using shared secrets
  • Digital Signatures: Asymmetric integrity verification with non-repudiation

3. Authentication:

Verifying the identity of communicating parties:

  • Entity Authentication: Proving identity (passwords, certificates, biometrics)
  • Message Authentication: Verifying message origin
  • Multi-factor Authentication: Combining knowledge, possession, and inherence factors

4. Non-repudiation:

Preventing denial of previous commitments or actions:

  • Digital Signatures: Binding identity to documents using private keys
  • Timestamping: Trusted third-party verification of time
  • Audit Trails: Immutable logs of actions

5. Availability (Extended Objective):

Ensuring systems and data are accessible when needed:

  • Distributed Systems: Threshold cryptography, secret sharing
  • Key Escrow: Recovery mechanisms for lost keys

Cryptographic Primitives

Primitive | Symmetric (Secret Key) | Asymmetric (Public Key)
--- | --- | ---
Encryption | AES, ChaCha20, 3DES | RSA, ECC, ElGamal
Key Exchange | Diffie-Hellman (hybrid) | RSA, ECDH, Post-Quantum
Digital Signatures | HMAC | RSA, ECDSA, EdDSA
Hash Functions | SHA-256, SHA-3, BLAKE2 | -

Kerckhoffs's Principle

A fundamental tenet stating that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. This emphasizes:

  • Security should not rely on obscurity
  • Algorithms should be publicly vetted
  • Keys must remain secret

Shannon's Maxim: "The enemy knows the system." Modern cryptography assumes adversaries have complete knowledge of algorithms; security depends solely on key secrecy and computational hardness.

🔍 Question 10 6 Marks

Write short notes on Any TWO: (a) Risk management (b) Security blueprint (c) Digital forensics

📉 (a) Risk Management

Definition: Risk management is the systematic process of identifying, assessing, and controlling threats to an organization's capital, earnings, and operations. In information security, it specifically addresses risks to information assets.

Risk Management Process:

  1. Risk Identification: Cataloging assets, threats, vulnerabilities, and existing controls
  2. Risk Assessment: Analyzing likelihood and impact to determine risk levels
  3. Risk Treatment: Selecting and implementing appropriate strategies (avoid, mitigate, transfer, accept)
  4. Risk Monitoring: Continuous tracking of risk landscape and control effectiveness
  5. Communication: Reporting to stakeholders and maintaining risk awareness

Key Risk Calculation Formulas:

  • Single Loss Expectancy (SLE): Asset Value × Exposure Factor
  • Annualized Rate of Occurrence (ARO): Expected frequency per year
  • Annualized Loss Expectancy (ALE): SLE × ARO
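
The three formulas above are what Question 8's "Cost-Benefit Analysis" factor (ALE versus control cost) and its closing decision framework (a likelihood/impact matrix) operate on, so the following added example works both through in Python. It is not code from the exam notes. The arithmetic for SLE and ALE is exactly as stated above; the 5x5 matrix thresholds, the mapping from rating to treatment, and the two scenarios are this example's own assumptions, not a published standard.

```python
"""Added example (not part of the exam notes): SLE/ARO/ALE arithmetic, the
cost-benefit of a control, and a likelihood/impact matrix used to choose a
risk treatment. Thresholds and the treatment mapping are assumed for illustration."""
from typing import Dict


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (expected events per year)."""
    return sle * aro


def evaluate_control(asset_value: float, exposure_factor: float,
                     aro_before: float, aro_after: float, annual_control_cost: float) -> Dict[str, float]:
    """Cost-benefit of a control that lowers the annual rate of occurrence.
    net_benefit > 0 means the control removes more expected loss than it costs."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annualized_loss_expectancy(sle, aro_before)
    ale_after = annualized_loss_expectancy(sle, aro_after)
    net_benefit = (ale_before - ale_after) - annual_control_cost
    return {"sle": sle, "ale_before": ale_before, "ale_after": ale_after,
            "net_benefit": net_benefit}


def risk_level(likelihood: int, impact: int) -> str:
    """5x5 matrix (assumed thresholds): score = likelihood x impact."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact use a 1..5 scale")
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def recommend_treatment(likelihood: int, impact: int, control: Dict[str, float]) -> str:
    """Combine the matrix rating with the control's economics (assumed mapping).
    Whatever is chosen, the rationale should be recorded, as the notes say."""
    level = risk_level(likelihood, impact)
    if level == "high":
        return "mitigate" if control["net_benefit"] > 0 else "transfer (insure) or redesign to avoid"
    if level == "medium":
        return "mitigate" if control["net_benefit"] > 0 else "transfer or accept with documented rationale"
    return "accept with documented rationale"


# Constructed scenario 1: a customer database worth 500,000 that a breach would
# impair by 40%; expected about once every two years; a control costing 30,000 a
# year cuts the expectation to once in ten years.
DB_CONTROL = evaluate_control(asset_value=500_000, exposure_factor=0.4,
                              aro_before=0.5, aro_after=0.1, annual_control_cost=30_000)
# Constructed scenario 2: an over-priced control for a minor asset: 120,000 a year
# to protect a 50,000 asset (exposure 50%, once a year, brought down to 0.2 a year).
KIOSK_CONTROL = evaluate_control(50_000, 0.5, 1.0, 0.2, 120_000)

if __name__ == "__main__":
    print(DB_CONTROL, "->", recommend_treatment(4, 5, DB_CONTROL))
    print(KIOSK_CONTROL, "->", recommend_treatment(2, 2, KIOSK_CONTROL))
```

For the database the control removes 80,000 of expected annual loss for 30,000, so the high-rated risk is mitigated; for the kiosk the control costs 100,000 more than it saves on a low-rated risk, so the computed answer is to accept it and write the reasoning down.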

Frameworks: ISO 31000, NIST SP 800-30, FAIR (Factor Analysis of Information Risk), OCTAVE

🗺️ (b) Security Blueprint

Figure 13: Security Architecture Blueprint Example

Definition: A security blueprint (or security architecture) is a comprehensive plan that describes the structure and behavior of an organization's security processes, information security systems, personnel, and organizational sub-units. It shows how security components fit together and interact.

Components of Security Blueprint:

  • Security Policies: High-level statements of management intent
  • Standards: Mandatory requirements for hardware, software, and procedures
  • Procedures: Step-by-step instructions for specific tasks
  • Guidelines: Recommendations and best practices
  • Baseline Configurations: Minimum security settings for systems

Architecture Layers:

  1. Business Layer: Security governance, risk appetite, compliance requirements
  2. Information Layer: Data classification, ownership, lifecycle management
  3. Application Layer: Secure coding standards, authentication mechanisms
  4. Technology Layer: Network segmentation, encryption protocols, monitoring tools
  5. Physical Layer: Facility security, environmental controls

Frameworks: SABSA (Sherwood Applied Business Security Architecture), TOGAF Security Architecture, NIST CSF

🔍 (c) Digital Forensics

Figure 14: Digital Forensics Investigation Process

Definition: Digital forensics (or computer forensics) is the scientific process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable. It involves the investigation of computer systems, networks, and digital storage media.

Phases of Digital Forensics:

  1. Identification: Recognizing potential evidence sources (computers, mobile devices, cloud, IoT)
  2. Preservation: Creating forensic images (bit-for-bit copies) using write blockers to prevent evidence alteration
  3. Collection: Documenting chain of custody, seizing devices, capturing volatile memory
  4. Examination: Using forensic tools (EnCase, FTK, Autopsy) to extract relevant data
  5. Analysis: Correlating evidence, timeline reconstruction, file recovery, metadata examination
  6. Reporting: Documenting findings in clear, legally admissible format for courts

Types of Digital Forensics:

  • Computer Forensics: Desktop/laptop hard drives and storage media
  • Network Forensics: Network traffic analysis, intrusion investigation
  • Mobile Forensics: Smartphones, tablets, GPS devices
  • Cloud Forensics: Virtual machines, cloud storage, SaaS applications
  • Memory Forensics: RAM analysis for malware and running processes
  • Database Forensics: Transaction logs, deleted records recovery

Legal Principles:

  • Chain of Custody: Documented evidence handling from seizure to court
  • Integrity Verification: Cryptographic hashing (MD5, SHA-256) to prove evidence hasn't changed
  • Admissibility Standards: Daubert standard for scientific evidence in US courts
  • Privacy Laws: Compliance with search warrants and data protection regulations
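
The "Integrity Verification" and "Chain of Custody" principles are usually implemented together: the hash taken at acquisition is written into the custody record, recomputed at every handoff, and checked again before analysis, so any later change to the image is detectable and attributable to a gap in the chain. The block below is an added example, not part of the exam notes or of any forensic tool; the image is a few kilobytes of constructed bytes and the record format is this example's own. SHA-256 is used as the evidentiary hash; MD5 is kept only as a legacy cross-reference, since practical collisions for it are known.

```python
"""Added example (not part of the exam notes): integrity verification and a chain
of custody record for a forensic image. A single flipped bit anywhere in the
image, or a custody entry whose hash disagrees, fails verification."""
import hashlib
import json
from typing import Dict, Iterable


def hash_chunks(chunks: Iterable[bytes], algorithm: str = "sha256") -> str:
    """Hash an image streamed in chunks, so large media never has to fit in memory."""
    h = hashlib.new(algorithm)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def acquisition_record(image: bytes, examiner: str, source_description: str) -> Dict:
    """The record written when the bit-for-bit copy is taken behind a write blocker."""
    sha256 = hash_chunks([image])
    return {
        "source": source_description,
        "acquired_by": examiner,
        "size_bytes": len(image),
        "sha256": sha256,
        "md5": hash_chunks([image], "md5"),   # legacy cross-reference only
        "custody": [{"event": "acquired", "custodian": examiner, "sha256": sha256}],
    }


def log_handoff(record: Dict, image: bytes, new_custodian: str, event: str) -> Dict:
    """Every transfer re-hashes the image and appends an entry. The chain is only
    as strong as its least documented gap, so nothing is appended without a hash."""
    record["custody"].append({"event": event, "custodian": new_custodian,
                              "sha256": hash_chunks([image])})
    return record


def verify_integrity(record: Dict, image: bytes) -> bool:
    """True only if the image still hashes to the acquisition value and every
    custody entry agreed with it; a disagreeing entry pinpoints where to look."""
    current = hash_chunks([image])
    chain_ok = all(entry["sha256"] == record["sha256"] for entry in record["custody"])
    return current == record["sha256"] and chain_ok


def custody_report(record: Dict) -> str:
    """Human-readable form of the record for the report phase."""
    return json.dumps(record, indent=2)


# Constructed stand-in for a disk image: a few kilobytes of deterministic bytes.
SAMPLE_IMAGE = bytes((i * 7) % 256 for i in range(4096))

if __name__ == "__main__":
    rec = acquisition_record(SAMPLE_IMAGE, "examiner A", "laptop SSD (constructed sample)")
    log_handoff(rec, SAMPLE_IMAGE, "evidence locker", "checked in")
    print("intact:", verify_integrity(rec, SAMPLE_IMAGE))
    altered = bytearray(SAMPLE_IMAGE)
    altered[100] ^= 0x01
    print("one flipped bit:", verify_integrity(rec, bytes(altered)))
    print(custody_report(rec))
```

Because every custody entry carries the hash observed at that moment, a later analyst who finds a mismatch can see not only that the image changed but between which two handoffs the change occurred.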

Tools: EnCase, AccessData FTK, Cellebrite (mobile), Volatility (memory), Sleuth Kit/Autopsy (open source), X-Ways Forensics
