
General Directions: Read and Understand The Statements Carefully. Follow All The

Uploaded by

mark

Name: MARK T. MURILLO
Course yr&sec: BSIT 3H

General Directions: Read and understand the statements carefully. Follow all the
instructions stated in each type of test. Write your answer legibly. No abbreviation of
answers. All answers must be in uppercase. Anyone who is caught cheating in any form
will automatically get a failing grade of 5.0.

Test 1. Answer without originality is Plagiarism, not Research. (5 points each)

1. What is the difference between a threat agent and a threat?


THREAT AGENT: FACILITATOR OF AN ATTACK
THREAT: A CATEGORY OF PEOPLE OR ENTITIES THAT REPRESENT A
POTENTIAL TO AN ASSET

2. What is the difference between vulnerability and exposure?


VULNERABILITY: A POTENTIAL WEAKNESS IN ASSETS.
EXPOSURE: IS A SINGLE INSTANCE WHEN A SYSTEM IS OPEN TO DAMAGE.

3. Describe the critical characteristics of information. How are they used in the study of
computer security?
AVAILABILITY: USER TO ACCESS INFORMATION AND RECEIVE IT IN THE
REQUIRED FORMAT
ACCURACY: FREE FROM MISTAKES OR ERRORS
AUTHENTICITY: INFORMATION IS AUTHENTIC
CONFIDENTIALITY: RESTRICTION FOR AUTHORIZED PERSONNEL TO ACCESS
THE INFORMATION
INTEGRITY: MAINTAIN THE WHOLE INFORMATION AND NOT CORRUPTED
UTILITY: INFORMATION QUALITY, FOR EXAMPLE, IF IT'S IN A MEANINGFUL
FORMAT TO THE END-USER, IS NOT USEFUL.
POSSESSION: OWNERSHIP OR ONE POSSESSION IF ONE OBTAIN IT.
4. Identify the six components of an information system. Which are most directly
affected by the study of computer security? Which are most commonly associated with
its study?
SOFTWARE: PROGRAMS, OPERATING SYSTEM IS PROBABLY THE MOST
DIFFICULT COMPONENT TO SECURE.
HARDWARE: A PHYSICAL TECHNOLOGY THAT EXECUTES THE SOFTWARE,
STORES, AND DATA AND PROVIDES INTERFACES FOR THE REMOVAL OF
INFORMATION FROM THE SYSTEM
DATA: THE MOST VALUABLE ASSET TO AN ORGANIZATION AND THE MAIN
TARGET OF INTENTIONAL ATTACKS
PEOPLE: THE WEAKEST LINK IN AN ORGANIZATION INFORMATION SECURITY.
PROCEDURES: WRITTEN INSTRUCTIONS FOR ACCOMPLISHING A SPECIFIC
TASK.
NETWORKS: IS A COMPONENT THAT CREATED A DATA SHARING AND
INCREASED COMPUTER INFORMATION SECURITY. TO PROVIDE NETWORK
SECURITY THRU INSTALLING A FIREWALL TO DETECTION SYSTEM TO MAKE
SYSTEM OWNERS AWARE OF GOING COMPROMISES

5. Why is the top-down approach to information security superior to the bottom-up
approach?
TOP-DOWN IS SUPERIOR TO BOTTOM-UP BECAUSE TOP-DOWN GOES FROM
THE GENERAL TO THE SPECIFIC: THE INFORMATION GOES FROM DIFFERENT
DATA TO BECOME SPECIFIC DATA, WHILE BOTTOM-UP BEGINS FROM THE
SPECIFIC AND MOVES TO THE GENERAL.

6. Why is a methodology important in the implementation of information security? How
does a methodology improve the process?
THE METHODOLOGY IS IMPORTANT BECAUSE IT GIVES THE SYSTEM
BETTER PERFORMANCE AND INTERFACE. THE METHODOLOGY IMPROVES THE
PROCESS BECAUSE IT IS THE ONE THAT DESIGNS AND IMPLEMENTS THE
SYSTEM.

7. What was important about Rand Report R-609?
WHAT WAS IMPORTANT ABOUT RAND R-609 IS THAT IT BEGAN THE
UNDERSTANDING OF INFORMATION SECURITY; IT WAS THE PAPER THAT STARTED
THE STUDY OF COMPUTER SECURITY.

8. What are the types of password attacks? What can a systems administrator do to
protect against them?
THE TYPES OF PASSWORD ATTACKS ARE PASSWORD CRACK, BRUTE FORCE,
AND DICTIONARY. THEREFORE, TO PROTECT AGAINST THEM, DO NOT USE A
WEAK PASSWORD AND DO NOT USE YOUR INFORMATION AS A PASSWORD FOR
YOUR FB OR OTHER APPS.

9. For a sniffer attack to succeed, what must the attacker do? How can an attacker gain
access to a network to use the sniffer system?
THE ATTACKER MUST MONITOR THE DATA TRAVELING OVER A NETWORK. SO TO
GAIN ACCESS TO A NETWORK TO USE THE SNIFFER SYSTEM, WE GET
THE INFORMATION OF THE USER; FOR EXAMPLE, SOMEONE CHATS WITH YOU OR
TEXTS YOU THAT YOU WON, SO WE NEED YOUR INFO, LIKE A GMAIL ACCOUNT,
TO SIGN IN.

10. What methods does a social engineering hacker use to gain information about a
user's login id and password? How would this method differ from other methods of
attack?
THE METHODS SOCIAL ENGINEERING USES TO GAIN INFORMATION ARE
IP SPOOFING, SYN SPOOFING AND SCANNING. THIS METHOD DIFFERS FROM
OTHER METHODS OF ATTACK BECAUSE IT USES A FALSE IP ADDRESS TO THE
SYSTEM TO IMPERSONATE ANOTHER COMPUTING SYSTEM.

11. What are the various types of malware? How do worms differ from viruses?
TROJAN HORSE, BACK DOOR, POLYMORPHISM AND HOAXES. WORMS DO NOT
NEED TO BE ACTIVATED BY A HOST AND CAN STAND ALONE, WHILE
VIRUSES NEED ACTIVATION BY THE HOST.

12. What is information extortion? Describe how such an attack can cause losses.
INFORMATION EXTORTION IS THE STEALING OF INFORMATION OR SOMEONE'S
THINGS, AND AN ATTACK CAN CAUSE LOSSES BECAUSE IT INTENTIONALLY
DESTROYS SOMETHING, WHICH CAN CAUSE DAMAGE TO THE ORGANIZATION.

13. Why do employees constitute one of the greatest threats to information security?
EMPLOYEES CONSTITUTE ONE OF THE GREATEST THREATS TO INFORMATION
SECURITY BECAUSE THEY ARE THE ONES WHO HANDLE AND HAVE ACCESS TO
INFORMATION. ALSO, EMPLOYEES ARE THE USERS OF THE COMPUTERS AND
CAN DO WHAT THEY WANT TO DO ON THEM.

14. What measures can individuals take to protect against shoulder surfing?
TO PROTECT AGAINST SHOULDER SURFING, AVOID USING PERSONAL
INFORMATION AS YOUR PASSWORD, USE A SCREEN PROTECTOR TO SECURE
YOUR INFO, AND ALWAYS BE ALERT AND CAREFUL OF YOUR SURROUNDINGS.

15. According to Sun Tzu Wu, what two key understandings must you achieve to be
successful in battle?
ACCORDING TO SUN TZU WU, THE TWO KEY UNDERSTANDINGS YOU MUST ACHIEVE
TO BE SUCCESSFUL IN BATTLE ARE THESE: TO BE VICTORIOUS, YOU, A
DEFENDER, MUST KNOW YOURSELF AND KNOW THE ENEMY.

Test II. Quote Identification. State the author and a brief overall idea of the
following quotations: (5 points each: 2 points each for author, and 3 points for
significance)
• Information security: a "well-informed sense of assurance that the information
risks and controls are in balance."
HE SAID THAT THE RISK AND CONTROLS ARE IN BALANCE.
THEREFORE, SECURITY SHOULD BE CONSIDERED A BALANCE
BETWEEN PROTECTION AND AVAILABILITY.
-JIM ANDERSON, INOVANT (2002)

• "Computer systems are not vulnerable to attack. We are vulnerable to attack
through our computer systems."
THIS LINE SAYS THAT WE ARE VULNERABLE TO ATTACK THROUGH OUR
COMPUTER SYSTEMS BECAUSE WE CAN USE THE COMPUTER TO GET
THE INFORMATION THAT WE HAVE, AND ALSO WE USE OUR PERSONAL
INFORMATION FOR OUR PASSWORD AND OTHER APPS.
-ROBERT SEACORD

• In order to be victorious, you, a defender, must know yourself and know the
enemy
IN THIS LINE, THERE ARE THE THINGS THAT WE NEED TO ACHIEVE,
OR IF YOU WANT TO BE SUCCESSFUL IN THE BATTLE, YOU MUST
ALWAYS KNOW YOURSELF AND KNOW THE ENEMY
-SUN TZU WU

Test III. Short Essays. Choose two of the following and answer/discuss them in a
short essay (one to two paragraphs each). (15 points each)
• Man in the Middle Attack
THE MAN-IN-THE-MIDDLE ATTACK IS WHERE THE INFORMATION OF
USER 1 IS RECEIVED BY USER 2, WHO IS IN THE MIDDLE, WHICH
CREATES A PROBLEM OF MISUNDERSTANDING ABOUT THE INFO THAT
CAUSES A PROBLEM OR BARRIER TO THE INFORMATION RECEIVED BY
USER 3.

• TCP – Initial Three-Way Handshake
USING A 3-WAY HANDSHAKE, THE SYSTEM ENSURES THAT BOTH SIDES
CAN RECEIVE TRAFFIC FROM EACH OTHER. THE 2ND PHASE CONFIRMS
THAT THE REMOTE SYSTEM CAN RECEIVE TRAFFIC FROM THE INITIATOR.
THE 3RD PHASE CONFIRMS THAT THE INITIATOR CAN RECEIVE TRAFFIC
FROM THE REMOTE SYSTEM.

• Ten Commandments of Computer Ethics

• "Information security has more to do with management than with technology"
INFORMATION SECURITY HAS MORE TO DO WITH MANAGEMENT THAN WITH
TECHNOLOGY BECAUSE INFORMATION SECURITY SECURES THE
INFORMATION TO KEEP THE DATA PRIVATE AND PROTECT IT FROM
THREATS. INFORMATION SECURITY HAS A LOT TO DO, NOT ONLY
TO SECURE DATA BUT TO MANAGE THE CHANGES OF THE INFORMATION.

WHAT THE TECHNOLOGY DOES IS PROTECT THE DATA. HOWEVER, FOR
INFORMATION SECURITY, ALMOST ALL THE FUNCTIONS OR CHANGES THAT
HAPPEN IN THE INFORMATION OR THE SYSTEM ARE ALL ITS WORK.

• "Organizations must understand the environment in which information systems
operate so their information security programs can address actual and potential
problems."

Test IV. Provide the solution for the asset vulnerabilities rate. (10 points each)
Formula: Risk equals likelihood of vulnerability occurrence multiplied by the value (or
impact) minus the percentage risk already controlled plus an element of uncertainty
Data for Exercise:
• Switch L47 connects a network to the Internet. It has two vulnerabilities: it is
susceptible to a hardware failure at a likelihood of 0.8, and it is subject to an
SNMP buffer overflow attack at a likelihood of 0.4. This switch has an impact
rating of 90 and has no current controls in place. You are 80 percent certain of
the assumptions and data.

Susceptibility to hardware failure

= (0.8*90) - 0% + 20%
= (0.8*90) - (0.8*90)*0.0 + (0.8*90)*0.20
= 72 - 0 + 14.4
= 86.4

Susceptibility to an SNMP buffer overflow attack

= (0.4*90) - 0% + 20%
= (0.4*90) - (0.4*90)*0 + (0.4*90)*0.2
= 36 - 0 + 7.2
= 43.2

• Server WebSrv6 hosts a company Web site and performs e-commerce
transactions. It has a Web server version that can be attacked by sending it
invalid Unicode values. The likelihood of that attack is estimated at 0.9. The
server has been assigned an impact value of 75, and a control has been
implemented that reduces the impact of the vulnerability by 85 percent. You are 80
percent certain of the assumptions and data.

= (0.9*75) - 85% + 20%
= (0.9*75) - (0.9*75)*0.85 + (0.9*75)*0.2
= 67.5 - 57.375 + 13.5
= 23.625

• Operators use an MGMT45 control console to monitor operations in the server
room. It has no passwords and is susceptible to unlogged misuse by the operators.
Estimates show the likelihood of misuse is 0.5. There are no controls in place on this
asset; it has an impact rating of 10. You are 60 percent certain of the assumptions and
data.

= (0.5*10) - 0% + 40%
= (0.5*10) - (0.5*10)*0 + (0.5*10)*0.4
= 5 - 0 + 2
= 7
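
The four computations above, gathered into a ranked risk worksheet. This is an added example, not part of the original answer sheet; the names Finding, risk and ranked_worksheet are assumptions, and uncertainty is taken as 1 minus the stated certainty, as in the worked answers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    vulnerability: str
    likelihood: float   # likelihood of vulnerability occurrence, 0.0 to 1.0
    impact: float       # value (impact) rating assigned to the asset
    controlled: float   # fraction of the risk already controlled, 0.0 to 1.0
    certainty: float    # confidence in the assumptions and data, 0.0 to 1.0

def risk(f: Finding) -> float:
    """Risk = L*V - (L*V)*controlled + (L*V)*uncertainty."""
    for name in ("likelihood", "controlled", "certainty"):
        value = getattr(f, name)
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {value}")
    if f.impact < 0:
        raise ValueError("impact must not be negative")
    base = f.likelihood * f.impact
    uncertainty = 1.0 - f.certainty   # assumption: same reading as the answers
    return base - base * f.controlled + base * uncertainty

def ranked_worksheet(findings):
    """Return (asset, vulnerability, risk) rows, highest risk first."""
    rows = [(f.asset, f.vulnerability, round(risk(f), 3)) for f in findings]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Data taken from the exercise statements above.
FINDINGS = [
    Finding("MGMT45", "unlogged misuse by operators", 0.5, 10, 0.0, 0.60),
    Finding("WebSrv6", "invalid Unicode values", 0.9, 75, 0.85, 0.80),
    Finding("Switch L47", "SNMP buffer overflow", 0.4, 90, 0.0, 0.80),
    Finding("Switch L47", "hardware failure", 0.8, 90, 0.0, 0.80),
]

if __name__ == "__main__":
    for asset, vulnerability, score in ranked_worksheet(FINDINGS):
        print(f"{score:8.3f}  {asset}: {vulnerability}")
```

Sorting by the computed value shows which asset and vulnerability pair to treat first; the uncontrolled hardware failure on Switch L47 ranks highest.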
