Give a concise definition of the following concepts

a. Threat - This is a potential violation of security to a controlled system.

b. Attack - Act that takes advantage of a vulnerability to compromise a controlled system.
c. Vulnerability - This refers to a flaw in a system that can leave it open to attack.

Security management must manage risks in terms of causes, effects and costs of a
security loss. The costs resulting from a security breach must be balanced with the costs
resulting from enhanced security measures. This means that systematic security
management allows counter measures to be chosen in a planned and managed way,
since too much security wastes money while too little security wastes IS capability.
Explain your understanding to the following stages in systematic management of
security.
a. Risk identification - Is the process of determining risks that could potentially occur, how
they could affect a system and their outcomes. It typically includes documenting and
communicating the concern.
b. Risk analysis or assessment - This is the study of identified risks to determine the
extent to which an organization information assets are exposed to risk. The risks may be
ranked by determining the risk magnitude, likelihood of occurrence and potential losses
that could be met in case they occur. One can make decisions whether the risk is
unacceptable or whether it is serious enough to warrant handling.
c. Risk Handling - This is the application of control to reduce risk to organizational assets
i.e.by managing identified risks so as to minimize or eliminate potential effects of the risk
to a system. Systems with contingencies to handle risks will be better prepared and have
a more cost-effective way of dealing with them.
d. Disaster Recovery - This a strategic security planning that aims to protect a system
from significant events of risks. Disaster recovery allows a system to maintain or quickly
resume to its functionality following a disaster occurrence.
e. Risk management - This is the process of identifying risk as represented by
vulnerabilities to an organization and taking steps to reduce the risk to an acceptable
level.

Briefly describe four critical characteristic of information

● Availability - Refers to the ability to use the information or resource desired.
● Accuracy - Free from mistake or error and having the value that the end-user expects.
● Confidentiality - State of preventing disclosure to unauthorized personnel.
● Integrity - Refers to the trustworthiness of data or resources
● Authenticity - State of being genuine/original, rather than a reproduction/fabrication.

Explain the following in relation to computer security

a. Secrecy - State of preventing disclosure to unauthorized personnel.
b. Authentication - The process of identifying an giving individuals access to system
objects based on their identity.
c. Integrity - Refers to the trustworthiness of data or resources.
d. Redundancy
Explain the difference between the following terms
a. Computer security and network security
Computer security is concerned with the control of risks related to computer use
whereas Network security is concerned on defending the network, as well as connected
resources, from threats.
b. Risk and penetration
A risk is any event or action that could cause a loss of or damage to a computer system
whereas penetration is an authorized simulated attack on a computer system, performed
to evaluate the security of the system.
c. Plaintext and Cipher text
Plaintext refers to a message before or after decryption. That is, a message in a form
that is readable by humans. On the contrary a Cipher text is an encrypted text

Explain the following terms

a. Physical security
Describes measures designed to ensure the physical protection of IT assets like
facilities, equipment, personnel, resources and other properties from damage and
unauthorized physical access.
b. Logical security
Consists of software safeguards for an organization's systems, including user
identification and password access, authenticating, access rights and authority levels.

An attack in an act that takes advantage of a vulnerability to compromise a controlled

system. State and explain any five attacks that exist when a specific act may cause a loss
● Virus - Consists of segments of code that perform malicious actions. The code may
attach itself to existing programs and take control of that programs access to the
targeted computer.
● Worms - Malicious programs that replicate itself continuously without requiring another
program environment until they fill available resource such as memory or hard disk
space.
● Trojan Horses - Software programs that hide their true nature and reveal their designed
behavior only when activated.
● Back door - Involves a virus or worm creating a trap door which may allow an attacker
to access a system at will with special privileges.
● Polymorphic threats - Whereby worm and virus changes over time making them
undetectable by i.e. Antivirus programs

Explain the following terms in computer security policies

a. Laws - Rules that mandate or prohibit a certain behavior i.e. the use of technology.
b. Ethics - Rules that define socially acceptable behaviors.
c. Policies - A security policy is a statement of what is, and what is not, allowed i.e. sets
the context in which we can define a secure system.
What is a firewall?
This is a security program that monitors and controls incoming and outgoing network traffic
based on predetermined security rules. A firewall typically establishes a barrier between a
trusted internal network and untrusted external network, such as the Internet.

Firewalls fall into five major processing-mode categories. List and explain three
● Packet-filtering firewalls - Examine header information of data packets that come into the
network looking for compliance with or violation of the rules of the firewall.
● Application gateways - Application level firewall frequently installed on a dedicated
computer. Runs on a special software that acts as a proxy for a service request.
● Circuit gateways - Prevent direct connections between one network to another by
creating tunnels connecting specific processes or systems on each side of the firewall
and then allowing only authorized traffic.
● MAC Layer firewalls - Links the addresses of specific host computers to ACL entries that
identify the specific types of packets that can be sent to each host, and block all other
traffic.
● Hybrid firewalls - Combine elements of other types of firewalls.

Implementing information security involves identifying specific threats and creating

specific threats. Using illustrations, describe the Sec SDLC that unifies this process into
a coherent program as opposed to a series of random and unconnected actions.

● Investigation - Outline project scope and goals, estimate costs, Evaluate existing
resources and analyses feasibility.
● Analysis - Assess current system against plans developed during the investigation.
Develop preliminary system requirements. Study integration of new system with existing
system. Document finding and updating the feasibility findings
● Logical Design - Assess current business needs against plans developed during the
analysis phase. Select applications, data support and structures. Generate multiple
solutions or considerations.
● Physical Design - Select technologies to support solutions to the logical design i.e. select
best solutions.
● Implementation - Develop and document the software. Present the system to users and
train them. Testing and system review can also be done here.
 ● Maintenance - Done to support and modify the system during its useful life. Tests done
periodically to determine compliance with business needs

What is meant by the term risk management?

This is the process of identifying risk as represented by vulnerabilities to an organization and
taking steps to reduce the risk to an acceptable level.

Risk management involves three major undertakings. List and explain them.
● Risk identification - Is the process of determining risks that could potentially occur, how
they could affect a system and their outcomes. It typically includes documenting and
communicating the concern.
● Risk assessment - This is the study of identified risks to determine the extent to which
an organization information assets are exposed to risk. The risks may be ranked by
determining the risk magnitude, likelihood of occurrence and potential losses that could
be met in case they occur. One can make decisions whether the risk is unacceptable or
whether it is serious enough to warrant handling.
● Risk Handling - This is the application of control to reduce risk to organizational assets
i.e.by managing identified risks so as to minimize or eliminate potential effects of the risk
to a system. Systems with contingencies to handle risks will be better prepared and have
a more cost-effective way of dealing with them.

List any five basic strategies used to control the risks

● Defense - Attempts to prevent exploitation of vulnerability.
● Transferal - Attempts to shift risks to other areas or to outside entities
● Mitigation - Attempts to reduce the impact caused by an exploitation of vulnerability
through planning and preparation.
● Acceptance - Is the choice to do nothing to protect a vulnerability and to accept the
outcome of its exploitation.
● Termination - Directs the organization to avoid those business activities that introduce
uncontrollable risks.

Explain the term access control

This is the method by which system determine whether and how to admit someone into a
trusted area of an organization i.e. information system.

Access control is achieved by means of combinational policies, programs and

technologies. State and explain the three main access control methods
● Identification - For access control to be effective, it must provide some way to identify
an individual. The identification capabilities will simply identify someone as part of a
group of users who should have access to the system i.e a username/password
provides some form of identification.
● Authentication - Identification requires authentication. This is the process of ensuring
that the identity in use is authentic — that it's being used by the right person. In its most
common form in IT security, authentication involves validating a password linked to a
 username. Other forms of authentication also exist, such as fingerprints, smart cards,
and encryption keys.
● Authorization - The set of actions allowed to a particular identity makes up the meat of
authorization. On a computer, authorization typically takes the form of read, write, and
execution permissions tied to a username.
Describe any four mechanism used in access control approaches
● Mandatory Access Control (MAC) - Gives only the owner and custodian management
of the access controls. This means the end user has no control over any settings that
provide any privileges to anyone.
● Role Based Access Control (RBAC) - Provides access control based on the position
an individual fits in an organization i.e. instead of assigning John permissions as a
security manager, the position of a security manager already has permissions assigned
to it. In essence, John would just need access to the security manager profile.
● Discretionary Access Control (DAC) - This is the least restrictive model. It allows an
individual complete control over any objects they own along with the programs
associated with those objects.
● Rule Based Access Control (RBAC) - Dynamically assign roles to users based on
criteria defined by the system administrator. For example, if someone is only allowed
access to files during certain hours of the day, RBAC would be the tool of choice.

Explain any four components of information system

● Hardware - This is the physical technology that works with information. Can be as small
as a phone that fits in a pocket or as large as a supercomputer fills a building. Hardware
also includes the peripheral devices that work with computers, such as keyboards,
external disk drives, and routers
● Software - Programs that allow the hardware to process the data.
● Databases - Help in gathering and storage of associated files or tables containing
related data.
● Telecommunications - Serves to connect the hardware together to form a network.
Connections can be through wires, such as Ethernet cables or fibre optics, or wireless,
such as Wi-Fi.
● Procedures - Commands for combining the components above to process information
and produce the preferred output.