SRA Quiz # 1
15. In the first phase of SDLC we define the :
Project Scope and stakeholders
The second phase of SDLC is known as :
Analysis Phase
Once the information security system is implemented, the next step is to provide constant maintenance
False
19. Give an example how CIA model can be used to protect data during the transmission from both active and passive attacks.
CIA model can be used to protect data during transmission from both passive and active attacks. For example, the use of encryption prevents unauthorized users from reading the packet contents (i.e., prevention from passive attacks) and the use of Hash algorithm protects the data integrity (i.e., prevention from active attacks).
CIA stands for:
Confidentiality, Integrity and Availability
Information system has the following six main components:
Data, Software, Hardware, Network, Procedures, and People
During which phase of SDLC security designer proposes several alternative solutions to the problem
Design Phase
Files on your computer can be made unreadable to others by using:
Encryption
Information Security provides security to limited computer systems and network devices.
False
User authentication ensures that the received message has not been modified during the transmission.
False
One good example of protecting networks from unauthorized access is to use:
Firewall and Intrusion Detection System
20. With the help of a real world information security project example, describe how you would use the secure SDLC in the implementation of this project.
For a real world information security project, we should strictly follow the different phases of SDLC. For instance, in the first phase, we can gather requirements in the context of security (e.g., what type of security they want us to implement. Do they want to deploy technology or they just want to design security policies and procedures that their employees can practice etc.). In the 2nd phase, we can thoroughly analyze the existing security system and find out how we will integrate the new system - what security features are currently missing in respect to customer's requirements and so on. In the same manner, we can follow the rest of the SDLC phases.
Whichever solution was approved by the organization or customer, it's developed and implemented in the:
Implementation Phase
The first phase of SDLC is known as:
Investigation Phase
The last phase of SDLC is known as:
Maintenance phase
In the Analysis Phase of SDLC, we use the results of the previous phase to analyze _________ , _______________, and ___________________
Objectives of the project, status of the organization, and integration with the new security system
Availability means:
Resources should be accessible at the required time and usable only by the authorized entity
Open End-ed question -18. Briefly describe the significance of Secure SDLC in the design and implementation of an information security system.
SDLC provides a methodology to design, develop, and implement an information security system for an organization in a systematic way.
Information security System must protect data during the following three stages:
Store, processing, and transmission
14. SDLC stands for
System Development Life Cycle
All internal security policies and procedures of an organization must be protected from unauthorized access/users.
True
Computer Security does not concern what information is stored in computer system and where that information came from.
True
_____ A user authentication ensures that the received information at the destination system is indeed coming from a legitimate claimed sender.
True
Testing Phase
When the project is implemented, we test & evaluate against different known scenarios to determine whether the project is meeting customer's requirement
HASH Algorithm
algorithm is one of the ways to ensure data integrity.
Digital Signature
are used to verify sender's identity
HASH Algorithm
can be used to implement data integrity
CIA Model
can be used to protect the data during the transmission.
Data Integrity
ensures that an attacker cannot change or destroy information, either while it is on a computer or while it is travelling across a network.
Computer Security
ensures that computer systems are working properly and they are available to authorized users whenever they need them
Message authentication
ensures that the information received at the receiver side is not modified during the transmission
The use of Encryption:
ensures the confidentiality of transmitted packets
b. Hardware
is the main technology that executes the software, store and carries the date, and provides an interface to enter and retrieve the information from the system.
Active Attack
is the one in which an attacker can intercept the transmitted packets over a wireless link and not only he/she can read the contents of the packets but can also make modifications before retransmission to the destination system.
Passive Attack
is the one in which an attacker can intercept the transmitted packets over a wireless link and read the contents without making modifications.
Personal security
is the security of all the stakeholders such as people who are authorized to access the organization and its operation.
Communication Security
is the security of organization's media, technology and its content.
Physical Security
policies ensure that the important hardware is secured by keeping them in a secure restricted area.
The use of Confidentiality :
prevents an organization from a passive attacks
The use of Data Integrity:
prevents an organization from an active attack.
System development life cycle
provides a methodology to design and implement an information system for an organization in a systematic way.
Briefly explain each security goal of the CIA model:
provides confidentiality to sensitive information by implementing encryption and decryption. Using data integrity, It ensures that information either stores on computers or transmits via communication links should not be altered by an unauthorized users. If alters, it should be detected by the destination system. The availability in CIA model ensures that all resources (such as hardware, software, network, information, etc) should be available to authorized users whenever they need them.
Confidentiality
refers to hiding information from unauthorized users
Network security
refers to the security of all networking devices, network connections (e.g., TCP connections) and its contents.
Operation security
refers to the security of all the internal operations or series of activities that are typically done on day-by-day basis.
Information Security
refers to the security of information and the information system from unauthorized access, misuse of information, modifications, and inspection.
Physical security
refers to the security of items, objects, and area that physically exist in the organization from unauthorized access or misuse.
Network security
refers to the security of routers, bridges, switches, and TCP connections
Procedure Security
security of all internal operations & series of activities done on daily basis.