Click on Subject/Paper under Semester to enter.

Professional English Discrete Mathematics Environmental Sciences

Professional English - - II - HS3252 - MA3354 and Sustainability -
I - HS3152 GE3451
Digital Principles and
Statistics and Probability and
Computer Organization
Matrices and Calculus Numerical Methods - Statistics - MA3391
- CS3351
- MA3151 MA3251
3rd Semester
1st Semester

4th Semester
2nd Semester

Database Design and Operating Systems -

Engineering Physics - Engineering Graphics
Management - AD3391 AL3452
PH3151 - GE3251

Physics for Design and Analysis of Machine Learning -

Engineering Chemistry Information Science Algorithms - AD3351 AL3451
- CY3151 - PH3256
Data Exploration and Fundamentals of Data
Basic Electrical and
Visualization - AD3301 Science and Analytics
Problem Solving and Electronics Engineering -
BE3251 - AD3491
Python Programming -
GE3151 Artificial Intelligence
Data Structures Computer Networks
- AL3391
Design - AD3251 - CS3591

Deep Learning -
AD3501

Embedded Systems
Data and Information Human Values and
and IoT - CS3691
5th Semester

Security - CW3551 Ethics - GE3791

6th Semester

7th Semester

8th Semester

Open Elective-1
Distributed Computing Open Elective 2
- CS3551 Project Work /
Elective-3
Open Elective 3 Intership
Big Data Analytics - Elective-4
CCS334 Open Elective 4
Elective-5
Elective 1 Management Elective
Elective-6
Elective 2
 All Computer Engg Subjects - [ B.E., M.E., ] (Click on Subjects to enter)
Programming in C Computer Networks Operating Systems
Programming and Data Programming and Data Problem Solving and Python
Structures I Structure II Programming
Database Management Systems Computer Architecture Analog and Digital
Communication
Design and Analysis of Microprocessors and Object Oriented Analysis
Algorithms Microcontrollers and Design
Software Engineering Discrete Mathematics Internet Programming
Theory of Computation Computer Graphics Distributed Systems
Mobile Computing Compiler Design Digital Signal Processing
Artificial Intelligence Software Testing Grid and Cloud Computing
Data Ware Housing and Data Cryptography and Resource Management
Mining Network Security Techniques
Service Oriented Architecture Embedded and Real Time Multi - Core Architectures
Systems and Programming
Probability and Queueing Theory Physics for Information Transforms and Partial
Science Differential Equations
Technical English Engineering Physics Engineering Chemistry
Engineering Graphics Total Quality Professional Ethics in
Management Engineering
Basic Electrical and Electronics Problem Solving and Environmental Science and
and Measurement Engineering Python Programming Engineering
 lOMoARcPSD|45374298

www.BrainKart.com

CW3551 DATA AND INFORMATION SECURITY

ANSWER KEY
IAE-1
1. Define security? What are the multiple layers of security?
Security means “The quality or state of being secure--to be free from danger”.
The multiple layers of security are
 Physical security
 Personal security
 Operations security
 Communications security
 Network security
 Information security
2. When can a computer be a subject and an object of an attack respectively?
When a computer is the subject of attack, it is used as an active tool to conduct the attack.
When a computer is the object of an attack, it is the entity being attacked
3. Differentiate data and information.

4. Define Vulnerability.
Vulnerability refers to the security flaws in a system that allows an attack to be successful.
Weaknesses or gaps in a security program that can be expoited by threats to gain unauthorized access
to an asset.
5. What is intellectual property?
Intellectual property is “the ownership of ideas and control over the tangible or virtual
representation of those ideas” .
Many organizations are in business to create intellectual property
□ trade secrets
□ copyrights
□ trademarks
□ patents
What is a policy? How it is different from law?
Policies: A body of expectations that describe acceptable and unacceptable employee behaviors in
6. the workplace.
It functions as organizational laws, complete with penalties, judicial practices, and sanctions to require

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

complaints.
The difference between policy and a law, however, is that ignorance of a policy is an acceptable
defense.
7. Who are hackers? What are the two hacker levels?
The classic perpetrator of deliberate acts of espionage or trespass is the hacker. Hackers are
“people who use and create computer software [to] gain access to information illegally”. Generally two
skill levels among hackers:
□ Expert hacker
□ unskilled hacker(Script kiddies)
8. Distinguish between DoS and DDoS.

9. What is web security?

Web security means protecting a website or web application by detecting, preventing, and
responding to cyber threats.
10. Define web server.
Web server is a program that stores files and makes them accessible via the network or the
internet. A web server requires both hardware and software.
PART-B
11.a) i) Discuss about the various critical characteristics that are possessed by information.
 Availability – enables authorized users – persons or computer systems – to access information
without interference or obstruction and receive it in the required format
 Accuracy – Accuracy of information refers to information which is free from mistakes or
errors and has the value the end user expects(Eg inaccuracy of your bank account may result in
mistakes such as bouncing of a check)
 Authenticity – refers to quality or state of being genuine or original, rather than reproduction
or fabrication. Information is authentic when the contents are original as it was created, placed
or stored or transmitted.(The information you receive as e-mail may not be authentic when its
contents are modified what is known as E-mail spoofing)
 Confidentiality – Information has confidentiality when disclosure or exposure to unauthorized
individuals or systems is prevented Confidentiality ensures that only those with the rights and
privileges to access information are able to do so. When unauthorized individuals or systems
can view information. confidentiality is breached.
 Integrity – Information has integrity when it is whole, complete, and uncorrupted The
integrity of information is threatened when it is exposed to corruption, damage, destruction,
other disruption of its authentic state.(Many computer viruses or worm are designed with the
explicit purpose of corrupting data. Information integrity is the corner stone of information
systems, because information is of no value or use if users cannot verify its integrity.
Redundancy bits and check bits can compensate for internal and external threats to integrity of
information.
 Utility – The utility of information is the quality or state of having value for some purpose or

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

end. (For example, the US census data reveals information about the voters like their gender,
age, race, and so on.
 Possession – the possession of information is the quality or state of having ownership or
control of some object or item. Breach of possession does not result in breach of
confidentiality.(Illegal possession of encrypted data never allows someone to read it without
proper decryption methods)
ii) Explain any five professional in information security with their role and focus.
Senior Management
 Chief Information Officer
• The senior technology officer
• Primarily responsible for advising the senior executive(s) for strategic planning
 Chief Information Security Officer
 Responsible for the assessment, management, and implementation of securing the
information in the organization
 Referred to as the Manager for Security
Security Project Team
A number of individuals who are experienced in one or multiple requirements of both the
technical and non-technical areas:
 The champion
 The team leader
 Security policy developers
 Risk assessment specialists
 Security professionals
 Systems administrators
 End users
Data Ownership
 Data owner: responsible for the security and use of a particular set of information
 Data custodian: responsible for storage, maintenance, and protection of information
 Data users: end users who work with information to perform their daily jobs supporting the
mission of the organization
11.b) i) Explain in detail about the various components of an information system.
An Information System (IS) is much more than computer hardware; it is the entire set of software,
hardware, data, people, and procedures necessary to use information as a resource in the organization
 Software component of IS comprises applications, operating systems, and assorted command
utilities.
 Hardware is the physical technology that houses and executes the software, stores and carries
the data, provides interfaces for the entry and removal of information from the system.
 Data – Data stored, processed, and transmitted through a computer system must be protected.
Data is the most valuable asset possessed by an organization and it is the main target of
intentional attacks.
 People – Though often overlooked in computer security considerations, people have always
been a threat to information security and they are the weakest link in a security chain..
 Procedures – Procedures are written instructions for accomplishing when an unauthorized
user obtains an organization’s procedures, it poses threat to the integrity of the information.
 Networks - Information systems in LANs are connected to other networks such as the internet
and new security challenges are rapidly emerge.
ii) Give a brief note on NSTISSC security model.
‘National Security Telecommunications & Information systems security committee’ document.
- It is now called the National Training Standard for Information security professionals.
The NSTISSC Security Model provides a more detailed perspective on security.
While the NSTISSC model covers the three dimensions of information security, it omits
discussion of detailed guidelines and policies that direct the implementation of controls.
Another weakness of using this model with too limited an approach is to view it from a single
perspective.

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

-The 3 dimensions of each axis become a 3x3x3 cube with 27 cells representing areas that must be
addressed to secure today’s Information systems.
- To ensure system security, each of the 27 cells must be properly addressed during the security
process.
-For ex, the intersection between technology, Integrity & storage areas requires a control or
safeguard that addresses the need to use technology to protect the Integrity of information while in
storage.

12.a) Explain the components of System Development Life Cycle (SDLC) with neat sketch.
Information security must be managed in a manner similar to any other major system implemented in
the organization
Using a methodology
– ensures a rigorous process
– avoids missing steps
The goal is creating a comprehensive security posture/program
Investigation
What is the problem the system is being developed to solve?
– The objectives, constraints, and scope of the project are specified
– A preliminary cost/benefit analysis is developed
– A feasibility analysis is performed to assesses the economic, technical, and behavioral feasibilities
of the process.
Analysis
Consists primarily of
– assessments of the organization
– the status of current systems
– capability to support the proposed systems
Analysts begin to determine
– what the new system is expected to do
– how the new system will interact with existing systems
Ends with the documentation of the findings and a feasibility analysis update
Logical Design
Based on business need, applications are selected capable of providing needed services
Based on applications needed, data support and structures capable of providing the needed inputs
are identified
Finally, based on all of the above, select specific ways to implement the physical solution are
chosen
At the end, another feasibility analysis is performed
Physical Design
Specific technologies are selected to support the alternatives identified and evaluated in the logical
design
Selected components are evaluated based on a make-or-buy decision
Entire solution is presented to the end-user representatives for approval
Implementation
Components are ordered, received, assembled, and tested
Users are trained and documentation created
Users are then presented with the system for a performance review and acceptance test

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

Maintenance and Change

Tasks necessary to support and modify the system for the remainder of its useful life
The life cycle continues until the process begins again from the investigation phase
When the current system can no longer support the mission of the organization, a new project is
implemented
12.b) i) Brief about the various cryptography tools.
 Cryptography, which comes from the Greek work kryptos, meaning “hidden”, meaning “to
write”, is a process of making and using codes to secure the transmission of information.
 Cryptanalysis is the process of obtaining the original message (called plaintext) from an
encrypted message (called the cipher text) without knowing the algorithms and keys used to
perform the encryption.
 Encryption is the process of converting an original message into a form that is unreadable to
unauthorized individuals-that is, to anyone without the tools to convert the encrypted message
back to its original format.
 Decryption is the process of converting the cipher text into a message that conveys readily
understood meaning.
ii) List and discuss about the role and focus of any four professional organizations in providing
information security.
 Several professional organizations have established codes of conduct/ethics
 Codes of ethics can have positive effect; unfortunately, many employers do not encourage
joining of these professional organizations
 Responsibility of security professionals to act ethically and according to policies of employer,
professional organization, and laws of society.
 ACM established in 1947 as “the world's first educational and scientific computing society”
 Code of ethics contains references to protecting information confidentiality, causing no harm,
protecting others’ privacy, and respecting others’ intellectual property. International
Information Systems Security Certification Consortium, Inc.
 Non-profit organization focusing on development and implementation of information security
certifications and credentials
 Code primarily designed for information security professionals who have certification from
 Code of ethics focuses on four mandatory canons System Administration, Networking, and
Security Institute (SANS)
 Professional organization with a large membership dedicated to protection of information and
systems
 SANS offers set of certifications called Global Information Assurance Certification (GIAC)
Information Systems Audit and Control Association (ISACA)
 Professional association with focus on auditing, control, and security
 Concentrates on providing IT control practices and standards
 ISACA has code of ethics for its professionals.
13.a) Explain the major types of attacks in detail.
 IP Scan and Attack – Compromised system scans random or local range of IP
addresses and targets any of several vulnerabilities known to hackers or left over from
previous exploits
 Web Browsing - If the infected system has write access to any Web pages, it makes
all Web content files infectious, so that users who browse to those pages become
infected
 Virus - Each infected machine infects certain common executable or script files on
all computers to which it can write with virus code that can cause infection
 Unprotected Shares - using file shares to copy viral component to all reachable locations
 Mass Mail - sending e-mail infections to addresses found in address book
 Simple Network Management Protocol - SNMP vulnerabilities used to compromise and infect
 Hoaxes - A more devious approach to attacking computer systems is the transmission
of a virus hoax, with a real virus attached
 Back Doors - Using a known or previously unknown and newly discovered access

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

mechanism, anattacker can gain access to a system or network resource

 Password Crack - Attempting to reverse calculate a password
 Brute Force - The application of computing and network resources to try every
possible combinationof options of a password
 Dictionary - The dictionary password attack narrows the field by selecting specific
accounts to attack and uses a list of commonly used passwords (the dictionary) to
guide guesses
 Denial-of-service (DoS) –
o attacker sends a large number of connection or information requests to a target
o so many requests are made that the target system cannot handle them
successfully along withother, legitimate requests for service
o may result in a system crash, or merely an inability to perform ordinary
functions
 Distributed Denial-of-service (DDoS) - an attack in which a coordinated stream
of requests is launched against a target from many locations at the same time
 Spoofing - technique used to gain unauthorized access whereby the intruder
sends messages to a computer with an IP address indicating that the message is
coming from a trusted host
 Man-in-the-Middle - an attacker sniffs packets from the network, modifies them,
and inserts themback into the network
 Spam - unsolicited commercial e-mail - while many consider spam a nuisance rather
than an attack, it is emerging as a vector for some attacks

13.b) Discuss the ethical concepts in information security and the prevention to illegal and unethical
behavior.
 They shall not use a computer to harm other people
 They shall not interfere with other people's computer work
 They shall not snoop around in other people's computer files
 They shall not use a computer to steal
 They shall not use a computer to bear false witness
 They shall not copy or use proprietary software for which you have not paid
 They shall not use other people's computer resources without authorization or proper
compensation
 They shall not appropriate other people's intellectual output
 They shall think about the social consequences of the program you are writing or the system
you are designing
 They shall always use a computer in ways that insure consideration and respect for your fellow
humans
Ethical Differences across Cultures
 Cultural differences create difficulty in determining what is and is not ethical
 Difficulties arise when one nationality’s ethical behavior conflicts with ethics of another
national group
 Example: many of ways in which Asian cultures use computer technology is software piracy
Ethics and Education Overriding factor in leveling ethical perceptions within a small
population is education
 Employees must be trained in expected behaviours of an ethical employee, especially in
areas of information security
 Proper ethical training vital to creating informed, well prepared, and low-risk system user
Deterring Unethical and Illegal Behavior
– Responsibility of information security personnel to do everything in their power to
deter(prevent) unethical and illegal acts, using policy, education, training, and
technology as controls or safeguards to protect the information and systems
– Many underestimate the value of policy
– Three general categories of unethical behavior that organizations and society should seek
to eliminate:

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

–Ignorance
• The first method of deterrence is education.This is
accomplished by means ofdesigning ,publishing and
disseminating organization policies and relevant laws.
• Training and awareness program
–Accident
Individuals with authorization and privileges to manage
information within theorganization are most likely to cause
harm or damage by accident.
• Careful planning and control helps prevent accidental modification to
systems data.
–Intent
Protecting a system against those with intent to cause
harm or damage is best accomplished by means of
technical controls and vigorous litigation or
prosecutionif these controls fail.
– Deterrence(to prevent from occurring) is the best method for preventing an
illegal or unethicalactivity
–Example: laws, policies, and technical controls
– Generally agreed that laws, policies and their associated penalties only deter if
three conditions are present:
–Fear of penalty
–Probability of being caught
–Probability of penalty being administered

14.a) List the different types of threats and also explain any four of them.

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

14.b) i) List and explain the different types of access control.

ii) Which model is used for confidentiality policy? Explain.

Bell-LaPadula model is a security method created for the US government to preserve the
confidentiality of information

The BLP Security Model

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

15.a) What is SSL? Explain the various protocols used in SSL.

• SSL(Secure Socket Layer) provide a secure transport connection between applications (e.g., a
web server and a browser)
• SSL was developed by Netscape

SSL ARCHITECTURE

SSL components
• Four Protocols
– Handshake Protocol
– Change Cipher Spec Protocol
– Alert Protocol
– Record Protocol

Handshake protocol

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

Handshake protocol-Phase 1

Handshake protocol-Phase 2

Handshake protocol-Phase 3

Handshake protocol-Phase 4

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

Record Protocol

15.b) i) Define TLS. Discuss the concept of TLS.

• Transport Layer Security (TLS) is a protocol that provides security for communication over
the Internet. TLS encrypts segments of network connections, in order to provide
confidentiality when communicating via the Internet.

– The handshake is started by the client.

– During the handshake, the client and server negotiate four cryptographic algorithms, one
algorithm for key exchange, one algorithm for digital signatures, one algorithm for bulk
encryption and an algorithm for hashing. In these guidelines, this set of four algorithms is
called an algorithm selection.
– Then, the client verifies the authenticity of the certificate that the server provides. If the
client offers a certificate to the server, its authenticity is verified by the server.
– After the handshake phase completes, the application phase starts.
– During the application phase, the TLS session is available as a secure tunnel for data
transfer. Applications can use this tunnel to send their traffic between client and server.
Applications do not have to concern themselves with the inner working of this tunnel: they
can trust it as an abstract communications channel that guarantees confidentiality and
integrity of information.

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

ii) Compare SSL and TLS.

16.a) Explain the working of SET in detail with suitable diagrams.

• Developed by Visa and MasterCard
• Designed to protect credit card transactions
• Confidentiality: all messages encrypted
• Trust: all parties must have digital certificates
• Privacy: information made available only when and where necessary

Participants in the SET System

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

SET transactions

Dual Signature for SET

• Browsing, Selecting, and Ordering is Done

• Purchasing Involves 4 Messages:
– Initiate Request
– Initiate Response
– Purchase Request
– Purchase Response

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

Purchase Request

Merchant Verifies Purchase Request

• The payment process is broken down into two steps:

– Payment authorization
– Payment capture
16.b) i) What is Security SDLC? Explain its different phases.
Security Systems Development Life Cycle
The same phases used in the traditional SDLC adapted to support the specialized implementation of
a security project

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 lOMoARcPSD|45374298

www.BrainKart.com

Basic process is identification of threats and controls to counter them

The SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions
Investigation
Identifies process, outcomes and goals of the project, and constraints
Begins with a statement of program security policy
Teams are organized, problems analyzed, and scope defined, including objectives, and constraints
not covered in the program policy
An organizational feasibility analysis is performed
Analysis
Analysis of existing security policies or programs, along with documented current threats and
associated controls
Includes an analysis of relevant legal issues that could impact the design of the security solution
The risk management task (identifying, assessing, and evaluating the levels of risk) also begins
Logical & Physical Design
Creates blueprints for security
Critical planning and feasibility analyses to determine whether or not the project should continue
In physical design, security technology is evaluated, alternatives generated, and final
design selected
At end of phase, feasibility study determines readiness so all parties
involved have a chance to approve the project
Implementation
The security solutions are acquired (made or bought), tested, and implemented, and tested again
Personnel issues are evaluated and specific training and education programs conducted
Finally, the entire tested package is presented to upper management for final approval
Maintenance and Change
The maintenance and change phase is perhaps most important, given the high
level of ingenuity in today’s threats
The reparation and restoration of information is a constant duel with an often unseen adversary
As new threats emerge and old threats evolve, the information security
profile of an organization requires constant adaptation
ii) What is meant by balancing security and access? Discuss.
 It is impossible to obtain perfect security - it is not an absolute; it is a process
 Security should be considered a balance between protection and availability
 To achieve balance, the level of security must allow reasonable access, yet protect
against threats

https://play.google.com/store/apps/details?id=info.therithal.brainkart.annauniversitynotes
 Click on Subject/Paper under Semester to enter.
Professional English Discrete Mathematics Environmental Sciences
Professional English - - II - HS3252 - MA3354 and Sustainability -
I - HS3152 GE3451
Digital Principles and
Statistics and Probability and
Computer Organization
Matrices and Calculus Numerical Methods - Statistics - MA3391
- CS3351
- MA3151 MA3251
3rd Semester
1st Semester

4th Semester
2nd Semester

Database Design and Operating Systems -

Engineering Physics - Engineering Graphics
Management - AD3391 AL3452
PH3151 - GE3251

Physics for Design and Analysis of Machine Learning -

Engineering Chemistry Information Science Algorithms - AD3351 AL3451
- CY3151 - PH3256
Data Exploration and Fundamentals of Data
Basic Electrical and
Visualization - AD3301 Science and Analytics
Problem Solving and Electronics Engineering -
BE3251 - AD3491
Python Programming -
GE3151 Artificial Intelligence
Data Structures Computer Networks
- AL3391
Design - AD3251 - CS3591

Deep Learning -
AD3501

Embedded Systems
Data and Information Human Values and
and IoT - CS3691
5th Semester

Security - CW3551 Ethics - GE3791

6th Semester

7th Semester

8th Semester

Open Elective-1
Distributed Computing Open Elective 2
- CS3551 Project Work /
Elective-3
Open Elective 3 Intership
Big Data Analytics - Elective-4
CCS334 Open Elective 4
Elective-5
Elective 1 Management Elective
Elective-6
Elective 2
 All Computer Engg Subjects - [ B.E., M.E., ] (Click on Subjects to enter)
Programming in C Computer Networks Operating Systems
Programming and Data Programming and Data Problem Solving and Python
Structures I Structure II Programming
Database Management Systems Computer Architecture Analog and Digital
Communication
Design and Analysis of Microprocessors and Object Oriented Analysis
Algorithms Microcontrollers and Design
Software Engineering Discrete Mathematics Internet Programming
Theory of Computation Computer Graphics Distributed Systems
Mobile Computing Compiler Design Digital Signal Processing
Artificial Intelligence Software Testing Grid and Cloud Computing
Data Ware Housing and Data Cryptography and Resource Management
Mining Network Security Techniques
Service Oriented Architecture Embedded and Real Time Multi - Core Architectures
Systems and Programming
Probability and Queueing Theory Physics for Information Transforms and Partial
Science Differential Equations
Technical English Engineering Physics Engineering Chemistry
Engineering Graphics Total Quality Professional Ethics in
Management Engineering
Basic Electrical and Electronics Problem Solving and Environmental Science and
and Measurement Engineering Python Programming Engineering