Unit 1: Introduction to Information Security
McCumber Cube β’ IS Components β’ SDLC vs SecSDLC β’ Communities of Interest β’ Top-down vs Bottom-up
β‘ 2-Mark Q&A
1. What are the components of an information system? HOT
An information system consists of:
- People β users, managers, administrators, developers
- Hardware β physical devices like servers, computers, routers
- Software β applications and operating systems
- Data β raw facts and processed information
- Procedures β rules and instructions for operating the system
- Networks β communication channels connecting devices
2. Draw / Describe the McCumber Cube. HOT
The McCumber Cube is a 3D security framework with three dimensions:
- Information States: Storage, Transmission, Processing
- Security Goals (CIA): Confidentiality, Integrity, Availability
- Security Safeguards: Technology, Policy & Practice, Human Factors
3. Write down the four important functions of Information Security. IMP
- Protect β Safeguard information and systems from attacks
- Detect β Identify when a security breach has occurred
- Respond β React appropriately to a detected incident
- Recover β Restore normal operations after an incident
4. Differentiate top-down vs bottom-up approach to IS implementation. HOT
| Top-Down Approach | Bottom-Up Approach |
|---|---|
| Initiated by top management | Initiated by technical/IT staff |
| Policies and budgets from leaders | Lacks full management support |
| More effective and structured | Often inconsistent and less successful |
| Considered superior | Considered inferior |
5. Why is top-down approach considered superior? IMP
Top-down approach is superior because:
- Management provides strong support, authority, and funding
- Security policies are enforced across the entire organization
- Goals align with business objectives
- Ensures compliance from all employees including IT staff
6. Why is information security a management problem?
IS is a management problem because it involves policies, responsibilities, budgets, and culture β which only management can control. Management can:
- Provide resources and funding
- Enforce security policies organization-wide
- Approve training programs
- Ensure employee discipline
7. List the responsibilities of Chief Information Officer (CIO).
- Oversee IT infrastructure and systems
- Align IT strategy with business goals
- Manage IT budgets and resources
- Ensure data management and security policies
- Lead digital transformation initiatives
8. Differentiate law and ethics. IMP
- Law β Rules created and enforced by the government. Breaking a law results in legal punishment.
- Ethics β Moral principles that guide behaviour. Not legally punishable but defines what is right or wrong.
9. What are the multiple layers of security an organization should have? IMP
- Physical Security Layer
- Network Security Layer
- System/Endpoint Security Layer
- Application Security Layer
- Data Security Layer
- User (Human) Security Layer
10. Name some important functions of IS for an organization.
- Protect confidential data from unauthorized access
- Ensure business continuity during disruptions
- Comply with legal and regulatory requirements
- Safeguard organizational reputation
- Detect and respond to security incidents
π 8-Mark Topics
McCumber Cube & Components of an Information System VERY IMP
McCumber Cube β developed by John McCumber β is a 3D security framework showing that IS involves people, technology, and procedures protecting data in every state.
+------------------+
/ Confidentiality /|
/ Integrity / |
/ Availability / |
+------------------+ |
| | |
| Storage | /
| Transmission | / Policy & Practice
| Processing | / Human Factors
+------------------+/ Technology
Dimension 1 β Information States:
- Storage β Data at rest in hard disks, databases
- Transmission β Data moving across network (email, file transfer)
- Processing β Data being used by applications
Dimension 2 β Security Goals (CIA Triad):
- Confidentiality β Only authorized users can access data
- Integrity β Data is accurate and not tampered with
- Availability β Data and systems are accessible when needed
Dimension 3 β Security Safeguards:
- Technology β Firewalls, encryption, antivirus, authentication tools
- Policy & Practice β Rules, procedures, acceptable use policies
- Human Factors β Training, awareness, access control behaviour
Components of an Information System:
| Component | Description | Security Concern |
|---|---|---|
| People | Users, managers, admins, developers | Insider threats, social engineering |
| Hardware | Servers, computers, routers, storage | Physical theft, hardware failure |
| Software | OS, applications, utilities | Malware, vulnerabilities, patches |
| Data | Raw facts, processed information | Unauthorized access, corruption |
| Procedures | Policies and operational rules | Weak policies, non-compliance |
| Networks | Communication channels | Eavesdropping, DoS, intrusion |
Conclusion: The McCumber Cube ensures that security covers all three dimensions β all 27 cells must be addressed for complete protection.
SDLC vs SecSDLC β Phases Comparison VERY IMP
SDLC (Systems Development Life Cycle) is the traditional model for developing software. SecSDLC integrates security into every phase.
| SDLC Phase | SecSDLC Phase | Security Addition |
|---|---|---|
| Investigation | Investigation | Security feasibility, threats identified |
| Analysis | Analysis | Threat modeling, risk assessment |
| Logical Design | Logical Design | Security controls selected (auth, encryption, firewall) |
| Physical Design | Physical Design | Specific security products/technologies chosen |
| Implementation | Implementation | Security testing, employee security training |
| Maintenance | Maintenance | Continuous monitoring, patches, audits |
Waterfall SDLC: Linear, sequential model β Requirements β Design β Coding β Testing β Deployment β Maintenance.
Key Difference: SecSDLC treats security as a core requirement from day one, not an afterthought. Security is designed-in, not bolted-on.
Conclusion: Organizations must use SecSDLC to ensure security is built into systems at every stage of development.
Communities of Interest in Information Security IMP
A community of interest is a group of people who work together to protect an organization's information and systems. Three major communities:
| Community | Responsibilities | Focus |
|---|---|---|
| Information Security Community | Protect CIA, develop policies & standards, manage firewalls, encryption, monitoring | Security expertise |
| IT Community | Provide technical infrastructure, maintain networks/servers/apps, implement security tools | Technology support |
| Management Community | Provide leadership, funding & resources, approve policies, set security priorities | Governance & direction |
Why collaboration is essential: If they act separately, the security program becomes fragmented and weak. When they collaborate:
- Management provides authority and budget
- IT provides technical implementation
- InfoSec provides expertise and strategy
Together they achieve a strong, balanced, and complete security program.
Categorizing IS Components & Critical Characteristics of Information
Critical Characteristics of Information (C.I.A + A.A.A):
| Characteristic | Meaning | Impact if violated |
|---|---|---|
| Confidentiality | Only authorized access to data | Data breach, privacy violation |
| Integrity | Data is accurate and unmodified | Wrong decisions, fraud |
| Availability | Data accessible when needed | Business disruption, loss of service |
| Authenticity | Data is genuine, from trusted source | Impersonation, fraud |
| Accuracy | Data is correct and error-free | Incorrect processing |
| Utility | Data is in a usable format | Unusable encrypted data without key |
| Possession | Owner has control of the data | Ransomware, unauthorized copy |
Each characteristic must be maintained across all three information states (Storage, Transmission, Processing) to ensure complete security of the information system.
Unit 2: Security Threats & Attacks
Types of Threats β’ Attack Types β’ Malware β’ Worms vs Viruses β’ Trojans
β‘ 2-Mark Q&A
1. Differentiate direct and indirect attacks. IMP
- Direct Attack: The attacker interacts directly with the target system (e.g., password cracking, port scanning, SQL injection).
- Indirect Attack: The attacker uses a third-party device or compromised computer to launch attacks (e.g., botnets, zombie computers).
2. List the categories of threats. HOT
- Human threats β intentional or accidental actions by people
- Technical threats β software bugs, malware, system crashes
- Natural threats β floods, fire, earthquakes, storms
- Environmental/Physical threats β theft, vandalism, power failures
- Internal and external threats β insiders vs outsiders
- Operational threats β process failures, poor data handling
3. Give a scenario to explain a man-in-the-middle attack. IMP
Scenario: You connect to public Wi-Fi in a cafΓ©. An attacker creates a fake Wi-Fi network with a similar name. When you connect, the attacker secretly sits between you and the real server. He can read your messages, passwords, and data without your knowledge. This is a Man-in-the-Middle (MitM) attack.
4. Define attack. Describe the major types of attacks. HOT
Attack: An attempt to exploit a vulnerability to cause harm to an information system.
Types:
Types:
- Passive Attacks β Eavesdropping, traffic analysis (no modification)
- Active Attacks β Masquerade, replay, modification, DoS
- Close-in Attacks β Physical proximity β shoulder surfing, dumpster diving
- Insider Attacks β By employees or trusted insiders
5. Outline the difference between attack and vulnerability. IMP
- Vulnerability β A weakness in a system (e.g., unpatched software, weak password)
- Attack β An actual attempt to exploit that vulnerability (e.g., brute force on weak password)
6. Compare worms and viruses. Do Trojans carry viruses or worms? IMP
| Virus | Worm |
|---|---|
| Needs a host file to spread | Spreads on its own through networks |
| Requires user action to execute | Self-replicates without user action |
| Attaches to executable files | Exploits network vulnerabilities |
7. Summarize major types of attacks and means to avoid them.
Attacks: DoS, Malware, Unauthorized access, Data interception, Social engineering
Prevention:
Prevention:
- Strong passwords and MFA
- Firewalls and IDS/IPS
- Updated antivirus and patches
- Access controls and least privilege
- Employee security awareness training
8. Why do employees constitute one of the greatest threats to IS? IMP
Employees have direct access to systems and data. They can cause harm through:
- Weak passwords or password sharing
- Clicking phishing links (unintentional)
- Careless handling of sensitive data
- Intentional misuse by disgruntled employees
- Shoulder surfing vulnerabilities
9. What are the different categories of threat? Give examples.
| Category | Examples |
|---|---|
| Human | Hackers, disgruntled employees, social engineering |
| Technical | Malware, ransomware, software bugs |
| Natural | Floods, fire, earthquakes |
| Physical | Device theft, vandalism, power failure |
| External | Cyber attackers, competitors, terrorists |
10. Why do networking components need more security examination?
Networking components connect internal systems to the outside world. They need more examination because:
- They are exposed to public networks constantly
- They handle critical data flow across the organization
- A single network weakness can compromise the entire organization
- They are common targets for DoS, eavesdropping, and intrusion
π 8-Mark Topics
Types of Threats Faced by an Organization VERY IMP
A threat is any event, action, or situation that can cause damage, loss, or unauthorized access to information or systems.
| Threat Type | Description | Examples |
|---|---|---|
| Human Threats | Caused by people β intentionally or accidentally | Hackers, disgruntled employees, social engineering, phishing, user errors |
| Technical Threats | Caused by technology failures or malicious software | Malware, ransomware, software bugs, system crashes, network failures |
| Natural Threats | Environmental hazards beyond human control | Floods, fire, earthquakes, lightning, storms |
| Physical Threats | Damage to hardware and physical facilities | Theft of devices, vandalism, power failures, hardware destruction |
| Operational Threats | Affect day-to-day business operations | Process failures, incorrect data handling, poor system management |
| External Threats | Threats from outside the organization | Competitors, cyber attackers, terrorist attacks |
How to handle:
- Identify assets β identify threats β assess likelihood and impact
- Apply appropriate controls for each threat type
- Prioritize high-likelihood, high-impact threats
Conclusion: Understanding each threat group helps organizations plan proper security controls and reduce risks effectively.
Types of Malware β Worms vs Viruses vs Trojans VERY IMP
| Malware Type | Description | Spread Method |
|---|---|---|
| Virus | Attaches to files; runs when file is executed | Host file execution, file sharing |
| Worm | Self-replicates automatically across networks | Network vulnerabilities, no user action needed |
| Trojan Horse | Appears legitimate but carries malicious payload | Downloads, email attachments, fake software |
| Spyware | Secretly collects user information | Bundled with software, browser exploits |
| Adware | Displays unwanted advertisements | Free software bundles |
| Ransomware | Encrypts data and demands payment for key | Phishing emails, drive-by downloads |
| Rootkits | Hides malicious processes from detection | Exploiting admin privileges |
| Keyloggers | Records all keystrokes β captures passwords | Trojans, physical installation |
Worms vs Viruses β Key Differences:
- A virus needs a host file and user action to spread
- A worm spreads on its own through network vulnerabilities β no user action needed
- Worms typically cause more widespread damage faster
Do Trojans carry viruses or worms?
Yes. A Trojan horse acts as a carrier program that can deliver viruses, worms, or any other malicious payload into a system once trusted and executed by the user.
Detailed Analysis of Attack Types IMP
1. Passive Attacks β Observer only, no modification:
- Eavesdropping β Capturing data transmitted over a network (packet sniffing)
- Traffic Analysis β Analyzing communication patterns even when data is encrypted
Hard to detect but easy to prevent with encryption.
2. Active Attacks β Modifies data or system:
- Masquerade β Pretending to be an authorized user using stolen credentials
- Replay β Capturing and retransmitting valid messages to gain access
- Message Modification β Altering, delaying, or reordering messages
- Denial of Service (DoS) β Overwhelming a system to deny legitimate users access
Easy to detect but hard to prevent entirely.
3. Close-in Attacks β Physical proximity required:
- Shoulder Surfing β Watching user type passwords or PINs
- Dumpster Diving β Searching discarded materials for sensitive info
- Eavesdropping β Listening to conversations in proximity
4. Insider Attacks β From within the organization:
- Disgruntled employees stealing or destroying data
- Careless employees accidentally exposing data
- Authorized users misusing their access privileges
5. Password Attacks: Brute force, dictionary attacks, rainbow tables, credential stuffing.
Prevention: Strong passwords, MFA, encryption, access controls, employee training, monitoring.
Analyse Threat, Threat Agent, Vulnerability, Risk, Attack & Exploit on a Personal Computer VERY IMP
Example Scenario: Information stored on your personal computer: photos, college documents, passwords saved in browser, project files, login details.
| Term | Definition | Example (Personal PC) |
|---|---|---|
| Threat | Potential event that can cause harm | Unauthorized access or data theft |
| Threat Agent | Entity that carries out the threat | A hacker, malware, or someone using your PC without permission |
| Vulnerability | Weakness that can be exploited | Weak password, outdated antivirus, unsecured Wi-Fi |
| Exposure | Condition of being open to damage | If someone logs into your PC, personal files and accounts can be misused |
| Risk | Likelihood Γ Impact of a threat | Loss of personal information, identity theft, financial loss |
| Attack | Actual attempt to exploit the vulnerability | Malware infection, phishing attempt, brute-force password attack |
| Exploit | Specific technique used in the attack | Using a browser vulnerability or Wi-Fi weakness to enter the system |
Conclusion: Every information system has these risk components. Identifying them systematically helps prioritize protection measures.
Security Threats β Statement Discussion: "80% are Internal"
"Information security is a major concern for the software industry today as the number of internal threats is nearly 80%"
Why internal threats dominate:
- Employees have legitimate access to systems β easy to misuse
- They know the internal network layout and data locations
- Their activities may not be as closely monitored as outsiders
- Disgruntled employees may intentionally cause harm
- Accidents and negligence are common internal threats
Types of internal threats:
- Data theft by employees leaving the organization
- Misconfiguration of systems by IT staff
- Falling victim to phishing (unintentional insider)
- Sharing login credentials with colleagues
Controls to address internal threats:
- Principle of least privilege β give minimum access needed
- Separation of duties β no single person controls critical processes
- Employee monitoring and audit logs
- Security awareness training (SETA program)
- Background verification before hiring
- Revoking access immediately when employee leaves
Unit 3: Risk Management
Risk Identification β’ Risk Control Strategies β’ CBA β’ SLE β’ Asset Valuation β’ Intellectual Property
β‘ 2-Mark Q&A
1. What are the major stages of Risk Assessment? HOT
- Identify assets
- Identify threats and vulnerabilities
- Analyze likelihood and impact
- Calculate and evaluate risk
2. List down the components of risk management. HOT
- Risk Identification β Finding assets, threats, and vulnerabilities
- Risk Assessment β Analyzing likelihood and impact
- Risk Control β Choosing strategies to reduce or handle risk
- Risk Monitoring β Continuously checking if risks change
3. How do you calculate Single Loss Expectancy (SLE)? HOT
SLE = Asset Value (AV) Γ Exposure Factor (EF)
AV = monetary value of the asset
EF = percentage of asset lost in one incident (0 to 1)
Example: AV = βΉ10,00,000 | EF = 0.30
SLE = 10,00,000 Γ 0.30 = βΉ3,00,000
SLE represents the expected financial loss from a single occurrence of a risk event.
4. What is Cost-Benefit Analysis (CBA)? IMP
CBA determines whether the cost of implementing a security control is worth the protection it provides. If the benefit exceeds the cost, the control is justified.
CBA = ALE(before) β ALE(after) β Cost of Control
ALE = Annual Loss Expectancy = SLE Γ ARO
ARO = Annualized Rate of Occurrence
5. How to identify and prioritize threats? IMP
Identify threats by analyzing:
- Assets β what needs protection
- Vulnerabilities β existing weaknesses
- Existing controls β what is already protected
- Possible attackers β who might attack
- Likelihood of occurring
- Impact or damage if it occurs
- Cost of prevention
6. Who is responsible for risk management in an organization? IMP
Risk management is the responsibility of the entire organization, but:
- Top Management β Approves risk strategies, provides funding
- InfoSec Team β Identifies risks, suggests controls (usually takes the lead)
- IT Department β Implements technical solutions
- Users/Employees β Follow security practices
7. What are vulnerabilities? How do you identify them?
A vulnerability is a weakness in a system that can be exploited by an attacker.
Identified through:
Identified through:
- Vulnerability scanning tools (Nessus, OpenVAS)
- Security audits and reviews
- Penetration testing
- Reviewing system configurations
8. What is Intellectual Property (IP)? Is it protected the same worldwide?
IP refers to creations of the mind: software, books, music, designs, inventions, trademarks.
No, IP protection varies by country. Key laws:
No, IP protection varies by country. Key laws:
- USA: Copyright Act, Patent Act, Lanham Act, DMCA
- Europe: EU Copyright Directive, European Patent Convention, GDPR
9. What is meant by Cost Benefit Analysis? State the rules followed while designing policy.
CBA compares the cost of a control versus the benefit (reduced risk). Rules for policy design:
- Policy must be achievable and realistic
- Must be communicated to all employees
- Must be enforceable with consequences
- Must be reviewed and updated regularly
- Must have management support
10. Tabulate the components of risk management.
| Component | Activity |
|---|---|
| Risk Identification | List assets, threats, vulnerabilities |
| Risk Assessment | Calculate likelihood Γ impact = risk level |
| Risk Control | Select avoidance, mitigation, transfer, acceptance, deterrence |
| Risk Monitoring | Continuously review and update risk status |
π 8-Mark Topics
Risk Identification Components VERY IMP
Risk identification involves understanding all possible risks to an organization's assets.
| Component | Description |
|---|---|
| 1. Asset Identification | List all hardware, software, data, people, and processes that have value |
| 2. Threat Identification | Find all possible events that may harm the asset (human, natural, technical) |
| 3. Vulnerability Identification | Detect weaknesses in systems, processes, and people that threats can exploit |
| 4. Control Analysis | Check what security measures are already in place and their effectiveness |
| 5. Risk Assessment | Combine threats + vulnerabilities + asset values to determine overall risk level |
| 6. Documentation | Record all findings for management decision-making and audit purposes |
Risk Calculation:
Risk = Likelihood Γ Impact
SLE = AV Γ EF
ALE = SLE Γ ARO
CBA = ALE(before) - ALE(after) - Annual Cost of Control
Outcome: Prioritized list of risks that need to be controlled, based on their level of impact and likelihood of occurrence.
Five Risk Control Strategies with Decision Points VERY IMP
| Strategy | Description | Example | Decision Point |
|---|---|---|---|
| 1. Avoidance | Stop or eliminate the risky activity completely | Disabling a vulnerable service; not using a risky application | When risk is too high and alternatives exist |
| 2. Mitigation | Reduce the impact or likelihood of the risk | Firewalls, antivirus, backups, patches, training | When risk cannot be avoided but can be reduced |
| 3. Transference | Shift responsibility to a third party | Cyber insurance, outsourcing security operations | When specialized external support is cheaper or safer |
| 4. Acceptance | Accept the risk when cost of protection exceeds impact | Ignoring very low-risk, low-probability threats | When impact is minimal and cost of control is too high |
| 5. Deterrence | Discourage attackers through obstacles or warnings | CCTV cameras, legal notices, warning banners, strict policies | When goal is to reduce motivation of attackers |
Exam Tip: Remember as A-M-T-A-D β Avoidance, Mitigation, Transference, Acceptance, Deterrence. PDCA + these 5 strategies = complete risk management answer.
Cost-Benefit Analysis β Items Affecting Cost of Control VERY IMP
Cost-Benefit Analysis (CBA) determines whether implementing a security control is financially justified.
If ALE(before) - ALE(after) > Annual Cost of Control
Then Control is JUSTIFIED (benefit > cost)
Else Control is NOT cost-effective
Items affecting the COST of a control:
| # | Cost Item | Description |
|---|---|---|
| 1 | Purchase Cost | Hardware, software, and tools needed for the control |
| 2 | Installation Cost | Labour, configuration, and testing expenses |
| 3 | Training Cost | Teaching employees to use or manage the system |
| 4 | Maintenance Cost | Upgrades, patching, repairs, licensing fees |
| 5 | Operational Cost | Power consumption, manpower, continuous monitoring |
| 6 | Cost of Loss Without Control | Data loss, downtime, legal penalties if control not implemented |
Conclusion: CBA ensures smart, justified use of the organization's security budget. Not every risk needs maximum investment.
Asset Value Parameters & International IS Laws
Parameters to calculate asset value:
| Parameter | Description |
|---|---|
| Confidentiality Value | How sensitive the information is β cost if exposed |
| Integrity Value | How important accuracy is β cost if tampered |
| Availability Value | How critical for daily operations β cost of downtime |
| Replacement Cost | Cost to replace hardware or recover lost data |
| Legal/Regulatory Impact | Penalties and fines if data is breached |
| Business Impact | Loss of customers, reputation damage, operational downtime |
| Recovery Cost | Time and money needed to restore the system |
International Laws relating to Privacy and IS:
| Law/Standard | Region | Focus |
|---|---|---|
| GDPR | Europe | Privacy rights and data protection |
| OECD Guidelines | Global | Privacy principles for data collection |
| Council of Europe Convention 108 | Europe | First international treaty on data protection |
| ISO/IEC 27001 | Global | ISMS β Information Security Management System |
| HIPAA | USA | Protection of health-related personal data |
| Privacy Shield Framework | USβEU | Controls data transfer between US and Europe |
Unit 4: Security Policies & Standards
NIST SP 800-14 β’ ISO 27000 β’ PDCA Cycle β’ BS7799 β’ Contingency Planning β’ BCP
β‘ 2-Mark Q&A
1. Outline the Plan-Do-Check-Act (PDCA) cycle described in ISO 27000 series. HOT
- Plan β Identify problems, set security goals, create policies and procedures
- Do β Implement security controls and procedures
- Check β Audit and monitor performance and results
- Act β Improve the system based on audit findings and repeat
2. What do you mean by crisis management? IMP
Crisis management is the process of handling events that threaten the organization's reputation, operations, or safety. It includes:
- Communication with employees, public, and media
- Activating emergency response plans
- Stabilizing operations during and after the crisis
3. What is contingency planning? How is it different from routine management planning? IMP
Contingency planning prepares an organization to respond to unexpected disruptions (disasters, major incidents). It includes disaster recovery plans and business continuity plans.
Difference from routine planning:
Difference from routine planning:
- Routine planning handles normal, day-to-day operations
- Contingency planning handles abnormal, crisis situations
- Contingency plans are activated only when routine plans fail
4. Mention the precepts of incident response that apply to disaster recovery. IMP
- Preparation first β Plans, procedures, and training must be ready before incidents occur
- Contain the damage β Stop the incident from spreading to other systems
- Recover quickly β Restore services as fast as possible
- Learn from the incident β Update plans to prevent future recurrence
5. State the rules followed while designing a policy. IMP
A policy is effective and legally enforceable when it:
- Is written in clear, unambiguous language
- Has management approval and support
- Is communicated to all relevant employees
- Is achievable and realistic
- Is enforceable with defined consequences for non-compliance
- Is reviewed and updated regularly
6. Indicate the significance of a security perimeter.
A security perimeter is a boundary that defines the area to be secured. Its significance:
- Controls who and what enters/exits the secure zone
- Reduces unauthorized physical and network access
- Layers perimeters (outer fence β building β server room) for defense-in-depth
7. Compare ISO 17700 with NIST security model. IMP
| Aspect | ISO 17799/27001 | NIST SP 800-14 |
|---|---|---|
| Origin | International (British Standard BS7799) | USA (National Institute of Standards) |
| Focus | Information Security Management System (ISMS) | Principles for securing IT systems |
| Structure | Plan-Do-Check-Act cycle; 14 control domains | 14 guiding principles for security |
| Certification | Organizations can be ISO 27001 certified | No formal certification; advisory only |
8. Illustrate the criteria for a policy to be effective and legally enforceable.
For a policy to be legally enforceable:
- Dissemination β Policy must be distributed to all employees
- Review β Employees must have read and understood it
- Comprehension β Must be written in understandable language
- Compliance β Employees must acknowledge and agree to comply
- Uniform Enforcement β Applied consistently to everyone
9. Summarize SETA (Security, Education, Training, Awareness) and its elements.
SETA is a program to reduce security mistakes by educating people:
- Security Education β In-depth knowledge for security professionals (degree, certification)
- Security Training β Skills to perform specific security tasks (hands-on)
- Security Awareness β General knowledge for all employees (posters, emails, briefings)
10. What is Business Continuity Planning (BCP)? Elements?
BCP ensures critical operations continue during and after a disaster.
- Business Impact Analysis (BIA) β Identify critical functions and their dependencies
- Recovery Time Objective (RTO) β Maximum acceptable downtime
- Recovery Point Objective (RPO) β Maximum acceptable data loss
- Disaster Recovery Plan (DRP) β Steps to restore IT systems
- Testing β Regular drills and simulations
π 8-Mark Topics
NIST SP 800-14 β 14 Principles for Securing IT Systems VERY IMP
NIST Special Publication 800-14 provides 14 key principles for building secure IT systems:
| # | Principle | Meaning |
|---|---|---|
| 1 | Security supports mission | Security exists to enable business goals, not obstruct them |
| 2 | Part of the system life cycle | Security must be built in from day one, not added later |
| 3 | Cost-effective | Security controls should be proportional to the risk they address |
| 4 | Responsibilities must be explicit | Everyone must know their security role and accountability |
| 5 | Responsibilities shared | Security is everyone's job β not just IT |
| 6 | Security should be enforced | Policies must be enforced consistently β not optional |
| 7 | Review security periodically | Regular audits and reviews to stay current with threats |
| 8 | Least privilege | Give users only the minimum access needed for their job |
| 9 | Fail-safe defaults | Default state should be denial of access β not open |
| 10 | Simple mechanisms | Complex systems are harder to secure; keep it simple |
| 11 | Open design | Security should not rely on secrecy of design (no security by obscurity) |
| 12 | Holistic security | Security must cover people, processes, and technology together |
| 13 | Consider future needs | Design systems that can adapt to future security requirements |
| 14 | Environmental awareness | Be aware of physical and operational environment changes |
Exam Tip: The most frequently asked are principles 2, 4, 7, 8, 9, and 12. Know the principle name + one line explanation.
PDCA Cycle (ISO 27000) & IDPS Detection Methods VERY IMP
PDCA (Plan-Do-Check-Act) Cycle β describes continuous improvement of the ISMS:
βββββββββββββββββββββββββββββββββββββββ
β PDCA Cycle (ISO 27000) β
βββββββββββββββββββββββββββββββββββββββ
PLAN βββ DO βββ CHECK βββ ACT βββ (back to PLAN)
PLAN: Identify risks, set objectives, create policies
DO: Implement controls and procedures
CHECK: Monitor, audit, measure effectiveness
ACT: Take corrective actions, improve system
IDPS Detection Methods:
| Method | How it works | Strength |
|---|---|---|
| Signature-Based | Compares traffic against database of known attack signatures | Highly accurate for known attacks |
| Anomaly-Based | Detects deviation from established baseline of normal behaviour | Can detect unknown/new attacks |
| Stateful Protocol Analysis | Checks whether protocols behave according to RFC standards | Detects protocol abuse |
| Heuristic Detection | Uses rules and AI to identify suspicious activities | Adaptive, catches new threats |
These methods analyze packets, logs, and patterns continuously to detect threats in real time.
BS7799:2 Security Standards & Contingency Planning IMP
BS7799 / ISO 27001 β Information Security Management System standard:
Major Process Steps for Implementation:
| Step | Activity |
|---|---|
| 1. Scope Definition | Define what the ISMS will cover β systems, locations, departments |
| 2. Risk Assessment | Identify assets, threats, vulnerabilities; calculate risk level |
| 3. Control Selection | Choose controls from Annex A (114 controls across 14 domains) |
| 4. Statement of Applicability | Document which controls apply and why |
| 5. ISMS Implementation | Deploy controls, train staff, document procedures |
| 6. Internal Audit | Verify controls are working correctly |
| 7. Management Review | Top management reviews ISMS performance |
| 8. Certification Audit | External auditor verifies compliance for ISO 27001 certification |
Contingency Planning Components:
- Business Impact Analysis (BIA) β Identify critical functions and recovery priorities
- Incident Response Plan (IRP) β Steps to handle security incidents
- Disaster Recovery Plan (DRP) β IT system restoration procedures
- Business Continuity Plan (BCP) β Keep business running during/after disaster
Classify Occurrences as Incident or Disaster + BCP Activation VERY IMP
Incident: An event that disrupts normal operations but can be handled with existing resources.
Disaster: A severe disruption that requires activation of the Business Continuity Plan.
| Scenario | Classification | BCP Needed? | Law Enforcement? |
|---|---|---|---|
| Hacker gets into network and deletes files from a server | Incident | Maybe (if critical systems affected) | Yes |
| Fire in storeroom β some computers damaged, contained quickly | Disaster | Yes β equipment damaged | Maybe (investigate cause) |
| Tornado hits power company β no power for 3β5 days | Disaster | Yes β extended outage | No |
| Employees strike β critical workers absent for weeks | Disaster | Yes β alternate staffing needed | No |
| Disgruntled employee steals critical server after hours | Disaster | Yes β critical equipment lost | Yes β theft occurred |
Steps to restore operations:
- Activate DRP/BCP immediately
- Assess scope of damage
- Restore from backups
- Switch to alternate/recovery site if needed
- Involve law enforcement for criminal acts
- Document the incident for future prevention
Unit 5: Physical Security & Personnel
Physical Controls β’ IDPS Deployment β’ Scanning Tools β’ CISO β’ Hiring Process β’ Access Control
β‘ 2-Mark Q&A
1. Define Demilitarized Zone (DMZ). HOT
A DMZ is a separate, isolated network segment placed between an organization's internal network and the internet. It hosts public-facing services (web servers, mail servers, DNS) to protect internal systems from direct internet exposure.
Internet βββ [ Firewall 1 ] βββ [ DMZ: Web/Mail Servers ]
βββ [ Firewall 2 ] βββ Internal Network
2. How does a Mantrap work? IMP
A mantrap is a small enclosure with two interlocking doors. Only one door can open at a time. A person must be authenticated (biometrics/keycard) at the first door before the second door opens. It prevents tailgating (unauthorized entry by following an authorized person).
3. Distinguish between False Reject Rate (FRR) and False Accept Rate (FAR). IMP
- False Reject Rate (FRR): A legitimate, authorized user is wrongly rejected by the biometric system. (Type I Error)
- False Accept Rate (FAR): An unauthorized user is wrongly accepted by the biometric system. (Type II Error)
4. Outline the roles of Chief Information Security Officer (CISO). HOT
- Develop and enforce information security policies
- Lead the information security team
- Manage risk assessment and mitigation programs
- Ensure compliance with laws, standards, and regulations
- Oversee incident detection and response
- Report security posture and status to top management
5. What are the tasks that should be done when an employee leaves an organization? HOT
- Revoke all system access rights immediately
- Collect ID cards, laptops, and company devices
- Disable user accounts and email
- Conduct an exit interview
- Remove physical access (gate pass, biometrics, key fobs)
- Ensure signed non-disclosure agreements are on file
6. Differentiate Discretionary and Non-Discretionary Access Control. IMP
| DAC (Discretionary) | NDAC (Non-Discretionary) |
|---|---|
| Resource owners decide access | Access assigned by central authority based on rules/roles |
| Flexible but less secure | More secure, centrally controlled |
| User can grant access to others | Users cannot change access settings |
| Example: File permissions in Windows | Example: RBAC in enterprise systems |
7. Identify the need for Intrusion Detection Systems (IDS). IMP
IDS is needed to:
- Monitor network traffic and system activity continuously
- Detect unauthorized access and suspicious behaviour
- Alert administrators before significant damage occurs
- Provide audit trails for forensic investigation
- Complement firewalls (IDS detects what firewalls miss)
8. Write four physical security controls used in the real world.
- CCTV cameras β Monitor and record all entry/exit activity
- Biometric scanners β Fingerprint/retinal scan for access control
- Mantraps β Prevent tailgating at secure entrances
- Security guards β Human presence to deter and respond to threats
9. Differentiate honeypot and honeynet.
- Honeypot β A single decoy system designed to attract and trap attackers. Used to study attack methods.
- Honeynet β A network of multiple honeypots creating a realistic decoy environment to observe sophisticated attack techniques.
10. Compare TCP and UDP packet.
| TCP | UDP |
|---|---|
| Connection-oriented (3-way handshake) | Connectionless β no handshake |
| Reliable, ordered delivery | No guarantee of delivery or order |
| Error checking and acknowledgement | Minimal error checking |
| Slower but reliable | Faster but unreliable |
| HTTP, HTTPS, FTP, Email | DNS, VoIP, Video streaming, Gaming |
π 8-Mark Topics
IDPS Deployment & Implementation VERY IMP
Intrusion Detection and Prevention Systems (IDPS) detect and respond to security threats on networks and hosts.
Types of IDPS:
- NIDS β Network-based IDS: monitors network traffic at strategic points
- HIDS β Host-based IDS: monitors activity on individual hosts/servers
- IPS β Inline prevention: can actively block threats
Deployment Steps:
| Step | Activity |
|---|---|
| 1. Planning | Identify network size, traffic volume, threat landscape, placement locations |
| 2. Type Selection | Choose NIDS/HIDS/IPS and detection method (signature/anomaly) |
| 3. Deployment Locations | Network perimeter, inside critical segments, near firewalls/routers, on important servers |
| 4. Configuration | Define rules, signatures, alert thresholds, response actions |
| 5. Integration | Connect IDPS with SIEM, firewalls, log management servers |
| 6. Testing | Simulate attacks to verify detection accuracy and reduce false positives |
| 7. Monitoring | 24/7 monitoring, alert review, incident response triggers |
| 8. Maintenance | Regular signature updates, policy tuning, periodic audits |
Placement diagram:
Internet βββ [Firewall] βββ [NIDS sensor] βββ DMZ
βββ [NIDS sensor] βββ Internal LAN
HIDS on: Web Server, DB Server, File Server
Scanning & Analysis Tools β Functions and Types VERY IMP
Scanning and analysis tools help security professionals identify vulnerabilities and gather attacker information.
Functions:
- Detect open ports and running services
- Identify software versions and patch levels
- Find known vulnerabilities in systems
- Monitor network traffic for anomalies
- Analyze logs for suspicious activity
- Track attacker behaviour for forensics
| Tool Type | Example | Purpose |
|---|---|---|
| Port Scanners | Nmap | Find open ports and running services on target systems |
| Vulnerability Scanners | Nessus, OpenVAS | Identify known security weaknesses in systems |
| Network Sniffers / Packet Analyzers | Wireshark | Capture and analyze network packets in real time |
| Log Analyzers | Splunk, ELK Stack | Parse and search logs for suspicious patterns |
| Password Auditing Tools | John the Ripper, Hashcat | Test password strength; check for weak/cracked passwords |
| Malware Analysis Tools | Cuckoo Sandbox | Safely execute and analyze malware behaviour |
| Protocol Analyzers | Wireshark, tcpdump | Examine protocol behaviour for abnormalities |
How they integrate into proactive security: These tools are run regularly in authorized vulnerability assessments, combined with IDPS for real-time monitoring, and results feed into the risk management process.
Security Architecture & Spheres of Security VERY IMP
Security Architecture is the overall framework for securing systems. It includes:
- Security policies and standards
- Access control mechanisms
- Network layout and segmentation
- Hardware/software security controls
- Monitoring and incident response
Spheres of Security show how information is protected at different concentric layers:
ββββββββββββββββββββββββββββββββββ
β 6. External World / Internet β
β ββββββββββββββββββββββββββββ β
β β 5. Environment / Buildingβ β
β β ββββββββββββββββββββββ β β
β β β 4. Users / People β β β
β β β ββββββββββββββββ β β β
β β β β 3. Networks β β β β
β β β β ββββββββββ β β β β
β β β β β 2.Systemsβ β β β β
β β β β ββββββββββ β β β β
β β β β ββ1.Dataββ β β β β
β β β β ββββββββββ β β β β
β β β β ββββββββββ β β β β
β β β ββββββββββββββββ β β β
β β ββββββββββββββββββββββ β β
β ββββββββββββββββββββββββββββ β
ββββββββββββββββββββββββββββββββββ
How spheres work: Controls at each outer layer protect the next inner layer. An attacker must breach all outer spheres to reach the core data. This implements defense in depth.
Example controls per sphere:
| Sphere | Control Example |
|---|---|
| External World | Firewalls, ISP-level filtering |
| Environment | Physical perimeter fence, CCTV |
| Users | SETA training, access controls |
| Networks | IDS/IPS, VPN, network segmentation |
| Systems | Antivirus, patch management |
| Data (Core) | Encryption, database access control |
Physical Security Control Types IMP
| Control Type | Purpose | Examples |
|---|---|---|
| Deterrent Controls | Discourage attacks before they happen | CCTV cameras, warning signs, security fences |
| Preventive Controls | Physically block unauthorized access | Locks, biometrics, mantraps, security guards |
| Detective Controls | Identify when a breach is occurring | Fire alarms, motion sensors, CCTV monitoring, audit logs |
| Corrective Controls | Fix damage or stop an ongoing incident | Fire suppression systems, emergency power cutoff |
| Recovery Controls | Restore operations after a disruption | Backup systems, alternate site, disaster recovery plans |
| Compensatory Controls | Substitute when primary controls fail | Temporary guards, manual procedures, isolation |
Hiring Process β Security Integration Steps IMP
A secure hiring process integrates employment policies with security practices:
| Step | Activity | Security Consideration |
|---|---|---|
| 1 | Define job role | Identify security clearance level needed |
| 2 | Advertise the vacancy | Internal vs external hiring β insiders vs outsiders risk |
| 3 | Receive applications | Screen for red flags in employment history |
| 4 | Shortlist candidates | Verify qualifications match security requirements |
| 5 | Conduct interviews | Assess security awareness and integrity |
| 6 | Background verification | Criminal history, previous employer references, identity verification |
| 7 | Issue appointment letter | Include security responsibilities clause |
| 8 | Onboarding training | Security awareness and policy training (SETA) |
| 9 | Assign access rights | Principle of least privilege β minimum access needed |
| 10 | Sign security agreements | NDA, acceptable use policy, confidentiality agreements |
β‘ Score 50+ Guaranteed Path
| Section | Marks | Strategy |
|---|---|---|
| Part A (2-mark Γ 10) | 20 | All 10 compulsory β know short definitions |
| Part B (any 5 of 6 Γ 12 or 5Γ16) | 60β80 | Attempt 5, choose familiar topics |
| Total Target | 70+ | All Part A + 4 solid Part B answers |
π₯ Most Likely 8/16-Mark Questions (from QP analysis)
| Topic | Unit | Appeared |
|---|---|---|
| McCumber Cube + IS Components | 1 | Every end-sem |
| SDLC vs SecSDLC comparison | 1 | 3 of 5 papers |
| Types of threats / threat categories | 2 | Every paper |
| Malware types / Worms vs Viruses | 2 | 3 of 5 papers |
| Risk identification components | 3 | 4 of 5 papers |
| 5 risk control strategies with decision points | 3 | 4 of 5 papers |
| CBA + items affecting cost of control | 3 | 3 of 5 papers |
| NIST SP 800-14 β 14 principles | 4 | 3 of 5 papers |
| PDCA Cycle (ISO 27000) | 4 | Every paper |
| Incident vs Disaster classification + BCP | 4 | 3 of 5 papers |
| IDPS deployment and implementation | 5 | 4 of 5 papers |
| Scanning and analysis tools | 5 | 4 of 5 papers |
| Spheres of security + Security architecture | 5 | 3 of 5 papers |
| Physical security control types | 5 | 3 of 5 papers |
π
Study Hour Plan (3 days before exam)
| Day | Focus | Target |
|---|---|---|
| Day 1 AM | Unit 1 + Unit 2 | All 2-marks + McCumber + Threat types + Malware |
| Day 1 PM | Unit 3 | Risk components + 5 strategies + CBA formula |
| Day 2 AM | Unit 4 | NIST 14 principles + PDCA + Incident/Disaster table |
| Day 2 PM | Unit 5 | IDPS deployment + Scanning tools + Spheres diagram |
| Day 3 | QP practice | Write answers for 2 past papers from QP tab |
Pro Tips:
- For any 8-mark answer: intro (1 line) + table/list body + conclusion (1 line) = full marks
- The PDCA cycle question appears in EVERY paper β memorize all 4 steps with one example each
- Write formulas (SLE, ALE, CBA) with example values β examiners love seeing calculations
- For threat/malware questions, always include a comparison table β saves writing time
- Diagrams for: McCumber Cube, Spheres of Security, PDCA cycle β practice drawing these
- For NIST 800-14 β write all 14 as a numbered list with 1-line description each