Computer Security 1st Edited
Computer and Information Security
Foundation of Computer Security:
Q1. Define computer security
Definition of Security:
1) It deals with the prevention and detection of unauthorized actions
by users of a computer system.
2) Computer security means providing security to data,
computer systems, services and supporting procedures. For this
purpose various technologies are used, such as access control
mechanisms and cryptography.
3) Nowadays computers are connected to each other via a network.
Therefore there should be network security also.
1. Confidentiality:
6. Reliability:
7. Authentication
8. Authorization
Q4. Explain three functions of computer security
1. Confidentiality:
4. Accountability:
• Assets:
An asset is any data, device or other component of an
organisation's systems that is valuable – often because
it contains sensitive data or it can be used to access
such information.
For example, an employee's desktop computer, laptop or
Hardware, Software, Data and Documentation etc.
• Threats: Actions taken by attackers
This type of computer threat consists of software that
is traditionally referred to as malware, that is, viruses,
worms and Trojans.
• Minor threats – computer threats that are less
dangerous than major threats, but may be used by a
third person to perform malicious activity.
• Vulnerabilities: Weaknesses in the system
A vulnerability in security refers to a weakness or
opportunity in an information system that
cybercriminals can exploit and gain unauthorized
access to a computer system.
• Vulnerabilities weaken systems and open the door to
malicious attacks
RISK ANALYSIS (RA)
Risk can be calculated by Risk Analysis (RA) and it is the
identification and estimation of risks.
Q6. Define risk and describe quantitative and qualitative
risk analysis
1. Quantitative Risk Analysis
Countermeasures:
1) The result of risk analysis is a list of threats with priority and
the recommended countermeasures to mitigate the risk.
2) Usually the risk analysis tools come with a knowledge base of
countermeasures for the threats which can be detected in the analysis.
3) Before deciding on any implementation of security measures, it is
good to go through the risk analysis. But this approach
has problems such as:
• Conducting a risk analysis for a large organization will take
much time because the IT system is changing continuously.
• The cost of a full risk analysis is difficult to justify to
management.
Threat to Security
A threat is something responsible for a violation of security; it exists
when there is an action that might cause harm to security.
Types of Viruses
6. Spacefiller Virus – this virus fills up the empty spaces between the
code and hence does not cause any damage to the file.
12. Dealing with Viruses:
Insiders:
• Passive
• Active attacks.
Types of attack
1. Active attacks:
1. Active attacks are the attacks in which the attacker
tries to modify the information or creates a false
message.
Prevention:
2. The prevention of these attacks is quite difficult
because of a broad range of potential physical,
network and software vulnerabilities.
3. Instead of prevention, the emphasis is on the detection
of the attack and recovery from any disruption or
delay caused by it.
There are three types of active attacks:
interruption, modification and fabrication.
E.g. DoS
2. Passive attack:
1. Passive attacks are those where attackers aim to get
information that is in transit.
2. In a passive attack, the attacker does not make any
modification to the contents of an original message.
3. So, passive attacks are hard to detect.
IP address spoofing
Replay:
1. Hotfix:
A hotfix is a term often used by a manufacturer or
developer to describe a vital fix or correction in
software.
Hotfixes are typically developed in reaction to a
discovered problem; they are usually urgent fixes designed
to be implemented as quickly as possible.
2. Patch:
The term is generally applied to a more formal, large software
update that may address several or many software
problems.
Patches often contain improvements or additional
capabilities and fixes for known bugs. Patches are
developed over a longer period of time.
3. Service pack:
1. Information: It is a resource fundamental to the success of any
business.
2. Data: It is a collection of all types of information
which can be stored and used as per requirement.
3. Knowledge: It is based on data that is organized,
synthesized or summarized and it is carried by
experienced employees in the organization.
4. Action: It is used to pass the required information to a
person who needs it with the help of information
system.
Information Systems (IS)
2) Private Organizations
Q. Explain the criteria for information classification
Levels in Government/Military Organization for Information classification:
1. Unclassified
Information that is neither sensitive nor classified. The public
release of this information does not violate confidentiality.
2. Sensitive but Unclassified (SBU)
Information that has been designated as a minor secret but
may not create serious damage if disclosed.
3. Confidential
The unauthorized disclosure of confidential information could
cause some damage to the country's national security.
4. Secret
The unauthorized disclosure of this information could cause
serious damage to the country's national security.
5. Top secret
This is the highest level of information classification. Any
unauthorized disclosure of top secret information will cause
grave damage to the country's national security.
Organizations make data available to those concerned on
a 'need-to-know' basis. For this reason, the following
data/information classification is also prevalent in most
private organizations:
1) Public:
Information that is similar to unclassified information.
However if it is disclosed, it is not expected to seriously
impact the company.
2) Sensitive:
Information that requires a higher level of classification than
normal data. This information is protected from a loss of
confidentiality as well as from a loss of integrity owing to an
unauthorized alteration.
3) Private:
Typically this is information that is considered to be of a personal
nature and is intended for company use only. Its disclosure
could adversely affect the company or its employees. Salary
levels and medical information could be considered as
examples of 'private information'.
Q. State the criteria for information classification:
1. Value
It is the most commonly used criterion for classifying data in
the private sector. If the information is valuable to an organization
it needs to be classified.
2. Age
The classification of the information may be lowered if the
information's value decreases over time.
3. Useful Life
If the information has been made available to new information,
important changes to the information can often be considered.
4. Personal association
If the information is personally associated with a specific
individual or is addressed by a privacy law then it may need to
be classified.
Security
Security is the method which makes the accessibility of
information or a system more reliable. Security means to
protect information or a system from unauthorized users such as
attackers, who do harm to the system or to the network
intentionally or unintentionally.
Security is not only to protect information or the network, but
also to allow authorized users to access the system or network.
Need of Security:
1. Protecting the functionality of an organization.
General Manager and IT Manager are responsible for
implementing information security that protects the functionality
of an organization. Implementing information security has more
to do with management than technology.
For e.g. managing payroll has more to do with management than
calculating wages, other things etc.
2. Enabling the safe operation of applications.
Today organizations operate on integrated, efficient and capable
applications. A modern organization needs to create an
environment that safeguards these applications, especially
operating system platforms, email, instant messaging applications
etc.
3. Protecting data that the organization uses and collects.
Without data an organization loses its records of transactions and
its ability to deliver value to its customers. Protecting data in
motion and at rest are both critical aspects of information
security. The value of data motivates attackers to steal and
corrupt the data.
4. Safeguarding technology assets in the organization.
To perform effectively, organizations must employ secure
infrastructure services which are appropriate to the size and the scope
of the organization. For e.g. a small business uses an email
service and secures it with a personal encryption tool. When an
organization grows, it must develop additional security services
that use systems of software, encryption methodology and legal
agreements that support the entire information infrastructure.
Basic principles of Information Security
Q. Draw and explain CIA triad
Q. Explain CIA security model
Q. Explain three pillars of info security with diagram