Name And Surname: Thato Hlongwane

Name and Surname: Thato Hlongwane

Student number: PT 2013-1671

Module name:

Module code: C_ITOO311

Assignment number: 1

Submission date: 18-22 April 2016

Lecture: Denise

TABLE OF CONTENTS

Introduction 1

Question 1

1.1 2

1.2 3

Question 2

2.1 4

2.2 5

Question 3

3.1 6

3.2 7

Question 4

4.1 8

4.2 8

4.3 9

4.4 9

Question 5

5.1 10

5.2 10

Conclusion 11

Bibliography 12 Introduction

The title of this assignment is Organisational security needs. This assignment has four questions, and each question has sub questions. I am tasked with these sub question to see if I understand the topics for Social Practices and Security module. Some of the topics which they have included in this assignment are: information security concepts; SecSDLC; computer threats and attacks; risk identification.

Question 1

1.1

Security System Development Life Cycle (SecSDLC)

This is an approach that is a slightly different form of the system development life cycle (SDLC).

It identifies threats and particular countermeasures to implement an information security system.

A sequence of procedures and processes are followed in this methodology.

By using well-defined procedures and processes gives a higher chances of success.

The phases of SecSDLC are investigation, Analysis, Logical design, Physical design, Implementation and Maintenance and Change.

1.2

Computer Fraud Act 1990 – 199[3]4

The act of fraud consists of people who pretends to have qualities or abilities that they do not really have in order to cheat somebody else, which is a misinterpretation.

Subject to the Interception and Monitoring Prohibition Act, 1992 (Act No. 127 of 1992)

A person who deliberately access or translate data without permission to do so, is guilty of offence.

1.3

Morgan Stanley Firm (Financial Firm)

An in-house financial adviser sold the wealthiest clients’ data of the bank online. He exposed the information of 350 000 clients on Pastebin online, and was fired.

According to the reports the damage was small as the company was able to find and got rid of the online dump with the data.

Military and State Department

A hundreds of thousands of private military and state department documents was leaked by a former US. Army Private Bradley Manning to the WikiLeaks organisation.

WikiLeaks is an organisation that easily processes the anonymous leaking of secrete information through a website. So the whole country got to know the secrets of the US. Army.

Switzerland’s Intelligence Service (NDB)

A terabytes of private counter-terrorism information was downloaded by a senior IT technician to physical hard-drives, and walked out of the data centre carrying them in a backpack.

The Swiss authorities believe he wanted to sell the data that he stole to foreign officials or commercial buyers.

1.4

Inside attackers are insidious and difficult to protect against.

Inside attackers have immediate access to the network, which they need to complete their duty they are hired for.

They have access to company data, and know which data is valuable to the organisation.

Lack of security measures in place to mitigate and protect against unintentional threat.

Many companies have lagged behind in responding to current technology trends.

The arrival of mobile devices and the consumerisation of IT hasn’t helped matters.

Most organisation formulate policies for securing mobile devices but, paradoxically, lack enough tools to enforce them.

1.5

Malicious Insider

The two employees planned to sabotage the system controlling the traffic lights.

That was a malicious act, which might have been caused by anger.

1.6

I would install penetration in all the computers.

• Penetration is a software attack on a computer system that looks for security weaknesses, potentially gaining access to the computer’s features and data.

• It is a proactive and authorised attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including:

o OS

o Service and application flaws

o Improper configurations

o Risky end-user behaviour.

• Such assessment are also useful in validating the efficacy of defensive mechanism, as well as end-users adherence to security policies.

Why perform penetration testing:

• Security breaches and service interruptions are costly.

• It is impossible to safeguard all information, all the time.

• Penetration testing identifies and prioritise security risks.

• To find vulnerabilities and fix them before an attacker does.

• Find holes now before somebody does.

• Report problems to management.

• Verify secure configurations.

• Secure training to network staff.

• Discover gaps in compliance.

• Testing new technology.

Benefits for penetration testing

• Intelligently manage vulnerabilities.

• Avoid the cost of network downtime.

• Meet regulatory requirements and avoid fines.

Some examples of penetration tools available are:

• Metasploit

• Nessus vulnerability scanner

• Nmap

2.1

IDPSs

It is used to enhance the security of information assets

• Intrusion detection

• Intrusion reaction

• Intrusion correction activities

Reasons to use IDPSs include:

• To prevent problem behaviours by increasing the perceived risk of discovery and punishment

• To detect attacks and other security violations that are not prevented by other security measures

• To detect and deal with attack preambles

• To document existing threats to an organisation

• To act as security design and administration quality control, especially in large and complex enterprises

• To provide useful information about intrusions that do take place; this allows for improved diagnosis, recovery and the correction of causative factors.

VPNs

• A VPN is a private and secure network connection between systems

• It uses the data communication capability of unsecured and public networks.

• It securely extends an organisation’s internal network connections to remote locations beyond trusted networks.

A VPN must accomplish the following:

• Encapsulate incoming and outgoing data

• Encrypt incoming and outgoing data

• Authenticate remote computers and users

Three VPN technologies are:

• Trusted VPNs

• Secure VPNs

• Hybrid VPNs

IDSP because is the best because:

• Many IDPSs enable administrators to configure systems to notify them directly of trouble.

• Systems can also be configured to notify external security service organisations.

3.1

Risk assessment is a process to identify potential hazards and analyse what could happen if a hazard occurs. Risk assessment are very important as they form an integral part of a good occupational health and safety management plan.

Vulnerability assessment

3.2

Incidence response plan

It is a set of written instructions for detecting, responding to and limiting the effects of an information security event.

Without an IRP in place, organisations may either not detect the attack in the first place, or not follow proper protocol to contain the threat and recover from it when a breach is detected.

Preparation, Identification, Containment, Eradication, Recovery, Lesson learned.

3.3

Avoidance

• This is the preferred approach as it seeks to avoid risks rather than to wait for threats to be found.

It is accomplished through:

• Access control

• Threat countering

• The removal of asset vulnerabilities

• Employing safeguards.

Common methods of risk avoidance are:

• Applying policies

• Training and education

• Applying technologies

•

3.4

Incident

It is a warning that there may be a threat to information or security.

The warning could also be that a threat has already occurred.

In the scenario, the incident occurred

By the incident that occurred, the computer security incident response team should be activated to handle the threat.

3.5

No, I don’t think the University should implement Kerberos protocol.

• Kerberos requires continuous availability of a trusted TGS, which is the basis for access control and authentication thus constant access to such is crucial.

• Server authenticity requires a trusted relationship between the TGS and server, a TGS must share a unique encryption key with each ‘trustworthy’ server.

• The TGS or that server’s human administrator must be convinced of the authenticity of the server. In a local environment, this degree of trust is warranted.

• In a widely distributed environment, an administrator at one site can seldom justify trust in the authenticity of servers at other sites.

• Kerberos requires timely transactions: to prevent replay attacks, Kerberos limits the validity of tickets.

• A replay attack could succeed during the period of validity, however, setting said period fairly is hard: too long increases the exposure to replay attacks, while too short requires prompt user action.

• Subverting a server’s clock allows for the reuse of an expired ticket

• A subverted workstation can save and later replay user passwords: this vulnerability exists in any system, in which passwords, encryption keys or other constant, sensitive information is entered

• Password guessing works: a user’s initial ticket is returned under such password.

• An attacker can submit an initial authentication request to the KS and then try to decrypt the response by guessing the password

• Kerberos does not scale well: the architecture of Kerberos assumes one KS and one TGS as well as a collection of other servers.

• Duplication increases the risk of exposure and complicates key updates; second keys more than double the work for each server to act on a ticket

• Kerberos is a complete solution: all applications should use Kerberos authentication and access control.

• Currently, however, few applications use such; integrating Kerberos into an existing environment requires the modification of existing applications, which is not feasible

3.6

Policy

This policy applies to all Maryland University employees, student and/or non-employees who may be authorised to use the Maryland University Computer Lab as defined by this policy.

Goals

The goals of the Maryland University computer lab are to:

Provide a computer lab environment across campus that is supportive of learning.

Establish appropriate guidelines for use of Maryland University owned technology.

Permission

Authorised users of Maryland University computer lab may:

Use Maryland University owned computers, programs and data at the individual’s authorised access level.

Use Maryland University provided networking, including access to the internet.

Prohibitions

Those specifically prohibited uses of any Maryland University resource include:

Subverting, attempting to subvert, or assisting others to subvert or breach the security of any Maryland University network or technology resource, or to facilitate unauthorised access.

Participate in activities involving disclosure or masquerading as defined in this policy.

Access to Computer Lab

Maryland University computer Lab are open for computer use only by authorised faculty, staff, and currently enrolled Maryland University students.

Non-student adult visitors may be allowed, to assist or tutor currently enrolled students, provided they do not use computer resources for personal use.

Security Rights

Maryland University users are granted standard security privileges, or access, to the computing equipment in Maryland University computer lab sufficient to accomplish their educational goals.

Additional security privileges, if needed, can be requested from computing services; individual decisions to elevate security rights will be made by a network system administrator.

Question 4

4.1

Mono-alphabetic ciphers.

4.2

Advantages

Easy to remember.

Disadvantages

Easy to predict the pattern of encryption.

Not very secure and can be easily broken by statistical means

4.3

• The amount of secrecy needed should determine the amount of work needed for the encryption and decryption of the data.

• The set of keys and the enciphering algorithm should be free from complexity.

• The implementation of the enciphering process should be as simple as possible.

• Any errors in the ciphering should not propagate and cause corruption of further data.

• The size of the cipher text should no larger than the text of the original message.

4.4

Plain text: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Cypher text: X Y Z A B C D E FG H I J K L M N O P Q R S T U V W

Encrypted text: QL YBIFBSB FK QEB EBOLFC JXHBP EBOLBP

Decrypted text: TO BELIEVE IN THE HEROIF MAKES HEROES