Unit I Information Security

This document provides an overview of an information and network security course. It discusses the importance of the subject, provides a brief history of information security, and outlines the course scheme and syllabus. The syllabus covers 5 units: introduction to information security, cryptography, security in networks, intruders and intrusion detection, and access control mechanisms. Resources for the course include a textbook and NPTEL course. Key terms like information security, cyber security, network security, threats, vulnerabilities, exploits, risk, and security attacks are also defined.

Uploaded by Manas Jain

Information & Network Security

Unit I

Course Instructor:
Veerendra Shrivastava
Importance of the Subject
• Discussed in the class.
History of Information Security
• Discussed in the class.
Information?
• It consists of data, facts and conclusions.
Security?
• A non-functional requirement.
• Security against:
1. Software and files downloaded from the internet
2. Personal information (credit card details, etc.)
Scheme & Syllabus
Periods per week: Theory 3, Practical 2, Tutorial 0
Credits: Theory 3, Practical 1, Tutorial 0
Maximum marks (total 200): Theory: CW 30, End Sem 70; Practical: SW 40, End Sem 60

PRE-REQUISITE: 1. CO34007: Computer Network


Unit I: Introduction to Information Security, Security threats –
Vulnerabilities and Attacks, Security Goals, Security planning and
Risk analysis, Legal and Ethical Issues in Computer Security.

Unit II: Cryptography – Classical Cryptography, Symmetric key
Encryption: DES, Triple DES algorithm, Key Exchange; Public Key
Cryptography: RSA algorithm; Hash Functions and Message
Authentication: MD5, SHA-1, HMAC, PKI: Digital Signatures, Digital
Certificates, X.509 standard, Authentication applications like
Kerberos.

Unit III: Security in networks: Threats and Vulnerabilities, IP
Security – Overview, Architecture etc., Email Security – PGP,
S/MIME; Web Security – Requirements, Security Protocols like SSL,
TLS, SET; Firewalls.

Unit IV: Intruders, Intrusion Detection and Preventing techniques,
Program Security – Threats against programs, Secure programs,
Viruses and other malicious code; Introduction to Operating
System Security: User Authentication mechanisms, Memory and
Address protection, File system protection.

Unit V: Access Control Mechanisms, Security Policies: Definition,
Types, various models of security; Introduction to Security in
Distributed Systems, Introduction to Database security methods.
Resources
• Book: William Stallings: Cryptography & Network Security
• NPTEL Course:
1. Introduction to Information Security – I
Security Terms
• Information Security
• Cyber Security
• Network Security
Information Security
• “Information security refers to the processes and
methodologies that are designed and
implemented to protect print, electronic, or any
other form of confidential, private and sensitive
information or data from unauthorized access,
use, misuse, disclosure, destruction, modification
or disruption,” according to the SANS Institute.
• Information security (also known as InfoSec)
ensures that both physical and digital data is
protected.
Cyber Security
• Cybersecurity, a subset of information security, is the
practice of defending your organization’s networks,
computers and data from unauthorized digital access,
attack or damage by implementing various processes,
technologies and practices.
• According to Cisco, “Cybersecurity is the practice of
protecting systems, networks and programs from
digital attacks. These attacks are usually aimed at
accessing, changing, or destroying sensitive
information; extorting money from users; or
interrupting normal business processes.”
• Such attacks can also be carried out through social engineering.
Network Security
• “Network security is the process of taking physical and
software preventative measures to protect the underlying
networking infrastructure from unauthorized access, misuse,
malfunction, modification, destruction, or improper
disclosure, thereby creating a secure platform for computers,
users and programs to perform their permitted critical
functions within a secure environment,” according to
the SANS Institute.
• Network security experts focus on internal protection by
keeping close surveillance on passwords, firewalls, internet
access, encryption, backups and more.
• Network security, a subset of cybersecurity, aims to protect
any data that is being sent through devices in your network to
ensure that the information is not changed or intercepted.
Contd.
• The network security team implements the hardware
and software necessary to guard the security
architecture.
• There are many components to a network security
system that work together to improve the security
posture. The most common network security
components include:
1. Firewalls
2. Anti-virus software
3. Intrusion detection and prevention systems (IDS/IPS)
4. Virtual private networks (VPN)
Threats
• A threat refers to a new or newly discovered incident with
the potential to do harm to a system or your overall
organization. There are three main types of threats –
natural threats (e.g., floods or a tornado), unintentional
threats (such as an employee mistakenly accessing the
wrong information) and intentional threats.
• There are many examples of intentional threats including
spyware, malware, adware companies or the actions of a
disgruntled employee.
• In addition, worms and viruses are also categorized as
threats, because they could potentially cause harm to your
organization through exposure to an automated attack, as
opposed to one perpetrated by humans.
Vulnerabilities
• Vulnerability is a cyber-security term that refers
to a flaw in a system that can leave it open to
attack. A vulnerability may also refer to any type
of weakness in a computer system itself, in a set
of procedures, or in anything that leaves
information security exposed to a threat.
• Testing for vulnerabilities is critical to ensuring
the continued security of your systems by
identifying weak points and developing a strategy
to respond quickly.
Exploit
• The term exploit is commonly used to describe a
software program that has been developed to
attack an asset by taking advantage of a
vulnerability.
• The objective of many exploits is to gain control
over an asset. For example, a successful exploit of
a database vulnerability can provide an attacker
with the means to collect or exfiltrate all the
records from that database.
• The successful use of exploits of this kind is called
a data breach.
Risk
• Risk refers to the potential for loss or damage
when a threat exploits a vulnerability. Examples
of risk include financial losses as a result of
business disruption, loss of privacy, reputational
damage, legal implications and can even include
loss of life.
• Risk can also be defined as follows:
Risk = Threat × Vulnerability
• We can reduce the potential for risk by creating
and implementing a risk management plan.
Security Attacks
• Passive Attack
• Active Attack
Passive Attack
• A Passive Attack attempts to learn or make
use of information from the system but does
not affect system resources.
• Passive attacks are in the nature of
eavesdropping on, or monitoring of,
transmissions. The goal of the opponent is to
obtain information that is being transmitted.
Two types of passive attacks are release of
message contents and traffic analysis.
Release of Message Content
• A telephone conversation, an electronic mail
message, and a transferred file may contain
sensitive or confidential information. We
would like to prevent an opponent from
learning the contents of these transmissions.
Traffic Analysis
• Suppose that we had a way of masking the contents of
messages or other information traffic so that opponents,
even if they captured the message, could not extract the
information from the message.
• The common technique for masking contents is encryption.
If we had encryption protection in place, an opponent
might still be able to observe the pattern of these
messages.
• The opponent could determine the location and identity of
communicating hosts and could observe the frequency and
length of messages being exchanged.
• This information might be useful in guessing the nature of
the communication that was taking place.
• Passive attacks are very difficult to detect
because they do not involve any alteration of
the data. Typically, the message traffic is sent and
received in an apparently normal fashion and
neither the sender nor receiver is aware that a
third party has read the messages or observed
the traffic pattern.
• However, it is feasible to prevent the success of
these attacks, usually by means of encryption.
Thus, the emphasis in dealing with passive
attacks is on prevention rather than detection.
Active Attack
• Active attacks involve some modification of
the data stream or the creation of a false
stream and can be subdivided into four
categories: masquerade, replay, modification
of messages, and denial of service.
Masquerade
• A masquerade takes place when one entity pretends to
be a different entity. A masquerade attack usually
includes one of the other forms of active attack.
• A masquerade attack is an attack that uses a fake
identity, such as a network identity, to gain
unauthorized access to personal computer
information through legitimate access identification.
• A standard strategy to resist this kind of attack is to
create innovative algorithms that can efficiently detect
the suspicious actions, which could result in the
detection of imposters.
Replay
• A replay attack occurs when a cybercriminal
eavesdrops on a secure network communication,
intercepts it, and then fraudulently delays or
resends it to misdirect the receiver into doing
what the hacker wants.
• One of the best techniques to avert replay attacks
is by using strong digital signatures with
timestamps.
• A one-time password for each request also helps
in preventing replay attacks and is frequently
used in banking operations.
How it works
• Consider this real-world example of an attack. A staff
member at a company asks for a financial transfer by
sending an encrypted message to the company's financial
administrator. An attacker eavesdrops on this message,
captures it, and is now in a position to resend it.
• Because it's an authentic message that has simply been
resent, the message is already correctly encrypted and
looks legitimate to the financial administrator.
• In this scenario, the financial administrator is likely to
respond to this new request unless he or she has a good
reason to be suspicious. That response could include
sending a large sum of money to the attacker's bank
account.
Modification of Message
• Modification of messages simply means that
some portion of a legitimate message is
altered, or that messages are delayed or
reordered, to produce an unauthorized effect.
• For example, a message meaning "Allow John
Smith to read confidential file accounts" is
modified to mean "Allow Fred Brown to read
confidential file accounts."
Denial of Service
• The denial of service prevents or inhibits the
normal use or management of communications
facilities. This attack may have a specific target;
for example, an entity may suppress all messages
directed to a particular destination (e.g., the
security audit service).
• Another form of service denial is the disruption
of an entire network, either by disabling the
network or by overloading it with messages so as
to degrade performance.
• Active attacks present the opposite characteristics of
passive attacks. Whereas passive attacks are difficult
to detect, measures are available to prevent their
success.
• On the other hand, it is quite difficult to prevent active
attacks absolutely, because of the wide variety of
potential physical, software, and network
vulnerabilities.
• Instead, the goal is to detect active attacks and to
recover from any disruption or delays caused by
them. If the detection has a deterrent effect, it may
also contribute to prevention.
Common Attack
• XSS
• SQL Injection
• Man In The Middle
• DoS and DDoS
• Phishing Attack
• Zero Day Attack
XSS
• Cross-site scripting (XSS) is a code injection attack
that allows an attacker to execute malicious
JavaScript in another user's browser.
• The attacker does not directly target his victim.
Instead, he exploits a vulnerability in a website
that the victim visits, in order to get the website
to deliver the malicious JavaScript for him.
• To the victim's browser, the malicious JavaScript
appears to be a legitimate part of the website,
and the website has thus acted as an
unintentional accomplice to the attacker.
How it Works
• http://localhost:8080/DVWA/vulnerabilities/xss_r/?name=<h3>Please login to proceed</h3><form action=http://192.168.149.128>Username:<br><input type="username" name="username"></br>Password:<br><input type="password" name="password"></br><br><input type="submit" value="Logon"></br>
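The slide's URL works because the page reflects the `name` parameter into its HTML without encoding it. The added example below (not part of the slides or of DVWA) shows the fix at the output point: a page that reflects a `name` query parameter, rendered once verbatim and once HTML-encoded with Python's `html.escape`, run against a constructed request in the same shape as the slide's. `TEMPLATE`, `INJECTED_URL` and the function names are this example's own.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Page template with one reflected parameter (constructed for this example).
TEMPLATE = "<pre>Hello {name}</pre>"


def name_from_url(url: str) -> str:
    """Pull the reflected `name` query parameter out of a request URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get("name", [""])[0]


def render_vulnerable(name: str) -> str:
    """Reflects the parameter verbatim: any markup in it becomes part of the page."""
    return TEMPLATE.format(name=name)


def render_hardened(name: str) -> str:
    """HTML-encodes the parameter, so the browser shows it as text instead of
    parsing it as markup. Encoding belongs at the point of output, in the
    context the value lands in (here, an HTML text node)."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def injects_markup(page: str) -> bool:
    """Check used below: did an injected form tag survive into the rendered page?"""
    return "<form" in page.lower()


# Constructed request in the same shape as the slide's: the "name" parameter
# carries a fake login form instead of a name. example.invalid is a placeholder host.
INJECTED_URL = (
    "http://localhost:8080/app/?name="
    "%3Ch3%3EPlease%20login%3C/h3%3E%3Cform%20action=http://example.invalid%3E"
)

if __name__ == "__main__":
    reflected = name_from_url(INJECTED_URL)
    print("vulnerable:", render_vulnerable(reflected))
    print("hardened:  ", render_hardened(reflected))
```

In the hardened output the `<form` becomes `&lt;form`, so the victim's browser displays the attacker's markup as literal text rather than rendering a login form inside the trusted site.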
SQL Injection Attack
• An SQL query is a request for some action to be
performed on a database, most commonly on a web
page that asks for a username or password.
• But since most websites don’t monitor inputs other
than usernames and passwords, a hacker can use the
input boxes to send their own requests – that is, inject
SQL into the database.
• This way, hackers can create, read, update, alter or
delete data stored in the back-end database, usually to
access sensitive information such as social security
numbers and credit card data as well as other financial
information.
How it works
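The figure for this slide is not reproduced on the page. As an added example (not from the slides), the same login check is written twice against an in-memory SQLite table: once with the username and password concatenated into the SQL string, which is the flaw the slides describe, and once with bound parameters, which is the standard fix. The table, its two rows, the plaintext passwords and the tautology input are constructed for the example; a real system stores password hashes, not passwords.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the query by string concatenation: the input-box contents become
    part of the SQL text, so a quote in the input changes the query's structure."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "' ORDER BY username")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Binds the inputs as parameters: the driver passes them as data, so the
    query structure stays fixed whatever the input contains."""
    query = ("SELECT username FROM users WHERE username = ? AND password = ? "
             "ORDER BY username")
    return [row[0] for row in conn.execute(query, (username, password))]


# Constructed tautology input: the quote closes the string literal and the
# OR '1'='1' that follows makes the WHERE clause true for every row.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated, injected input:", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("parameterized, same input:  ", login_parameterized(db, TAUTOLOGY, TAUTOLOGY))
```

With the concatenated query the injected input returns every user, which is the "read data the application never meant to expose" outcome the slides describe; with the parameterized query the same input is compared as a literal string and matches nothing.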
Man In The Middle Attack
• A man-in-the-middle attack is a type of
cyberattack where a malicious actor inserts
him/herself into a conversation between two
parties, impersonates both parties and gains
access to information that the two parties were
trying to send to each other.
• A man-in-the-middle attack allows a malicious
actor to intercept, send and receive data meant
for someone else, or not meant to be sent at all,
without either outside party knowing until it is
too late.
DoS Attack
• A Denial-of-Service (DoS) is a type of attack
where the attackers (hackers) attempt to prevent
legitimate users from accessing the service.
• A DoS attack can be carried out in several ways. The
basic types of DoS attack include:
I. Flooding the network to prevent legitimate
network traffic.
II. Disrupting the connections between two
machines, thus preventing access to a service.
III. Preventing a particular individual from
accessing a service.
IV. Disrupting the state of information, such as
resetting of TCP sessions.
DDoS Attack
• Distributed denial of service (DDoS) attacks represent the
next step in the evolution of DoS attacks as a way of
disrupting the Internet. Cyber criminals began using DDoS
attacks around 2000.
• The attacks use large numbers of compromised
computers, as well as other electronic devices — such as
webcams and smart televisions that make up the ever-
increasing Internet of Things — to force the shutdown of
the targeted website, server or network.
• Security vulnerabilities in Internet-of-Things devices can
make them accessible to cybercriminals seeking to
anonymously and easily launch DDoS attacks. In contrast, a
DoS attack generally uses a single computer and a single
IP address to attack its target, making it easier to defend
against.
Phishing Attack
• “Phishing” refers to an attempt to steal sensitive
information, typically in the form of usernames,
passwords, credit card numbers, bank account
information or other important data in order to
utilize or sell the stolen information.
• By masquerading as a reputable source with an
enticing request, an attacker lures in the victim in
order to trick them, similarly to how a fisherman
uses bait to catch a fish.
Zero Day Attack
• The term “zero-day” refers to a newly discovered software
vulnerability. Because the developer has just learned of the
flaw, it also means an official patch or update to fix the
issue hasn’t been released.
• So, “zero-day” refers to the fact that the developers have
“zero days” to fix the problem that has just been exposed
— and perhaps already exploited by hackers.
• Once the vulnerability becomes publicly known, the vendor
has to work quickly to fix the issue to protect its users.
• But the software vendor may fail to release a patch before
hackers manage to exploit the security hole. That’s known
as a zero-day attack.
Security Goals: CIA
• Confidentiality
• Integrity
• Availability
Confidentiality
• Keeping the secrets secret.
• Information has confidentiality when it is
protected from disclosure or exposure to
unauthorized individuals or systems.
• Confidentiality ensures that only those with the
rights and privileges to access information are
able to do so.
• When unauthorized individuals or systems can
view information, confidentiality is breached.
• Confidentiality is the protection of transmitted data from
passive attacks. With respect to the content of a data
transmission, several levels of protection can be identified.
• The other aspect of confidentiality is the protection of
traffic flow from analysis.
• This requires that an attacker not be able to observe the
source and destination, frequency, length, or other
characteristics of the traffic on a communication facility.
• The value of confidentiality of information is especially high
when it is personal information about employees,
customers, or patients.
• Salami theft or attack
Integrity
• It can be achieved by: Identification, Authentication,
Authorization
• Integrity can apply to a stream of messages, a single message,
or selected fields within a message.
• A connection-oriented integrity service, one that deals with a
stream of messages, assures that messages are received as sent,
with no duplication, insertion, modification, reordering, or
replays.
• A connection-less integrity service, one that deals with
individual messages without regard to any larger context,
generally provides protection against message modification
only.
• The integrity of information is threatened when the
information is exposed to corruption, damage, destruction, or
other disruption of its authentic state.
• Corruption can occur while information is being stored or
transmitted.
• Many computer viruses and worms are designed with the
explicit purpose of corrupting data.
• Another key method of assuring information integrity is file
hashing, in which a file is read by a special algorithm that
uses the value of the bits in the file to compute a single
large number called a hash value.
• The hash value for any combination of bits is unique. If a
computer system performs the same hashing algorithm on
a file and obtains a different number than the recorded
hash value for that file, the file has been compromised
and the integrity of the information is lost.
• Noise in the transmission media, for instance, can also
cause data to lose its integrity.
• Transmitting data on a circuit with a low voltage level
can alter and corrupt the data. Redundancy bits and
check bits can compensate for internal and external
threats to the integrity of information.
• During each transmission, algorithms, hash values, and
the error-correcting codes ensure the integrity of the
information. Data whose integrity has been
compromised is retransmitted.
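The file-hashing check described above, as an added example (not from the slides), together with the caveat a practitioner needs. A hash value is not strictly unique, since a fixed-size output cannot be unique over all inputs; collision-resistant functions such as SHA-256 make a colliding pair computationally infeasible to find, which is what the check relies on. More importantly, an unkeyed hash only catches accidental corruption: someone who can alter the file can recompute its hash, so detecting deliberate modification needs either a keyed tag (HMAC, which appears in Unit II) or a recorded hash kept where the attacker cannot reach it. The sample file bytes, the key and the function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample "file" and demo key; both are stand-ins for the example.
ORIGINAL = b"account=1042;balance=250.00;status=active\n"
MAC_KEY = b"demo-integrity-key-not-for-production"


def file_hash(data: bytes) -> str:
    """Compute the SHA-256 hash value of a file's bytes (hex string)."""
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, recorded: str) -> bool:
    """Recompute the hash and compare it with the recorded value in constant time."""
    return hmac.compare_digest(file_hash(data), recorded)


def file_mac(data: bytes, key: bytes) -> str:
    """Keyed integrity tag (HMAC-SHA256): only a key holder can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_matches(data: bytes, key: bytes, recorded: str) -> bool:
    return hmac.compare_digest(file_mac(data, key), recorded)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate transmission noise: flip one bit of the data."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def check_scenarios() -> dict:
    """Outcomes for the accidental-corruption and deliberate-tampering cases."""
    recorded_hash = file_hash(ORIGINAL)
    recorded_mac = file_mac(ORIGINAL, MAC_KEY)
    noisy = flip_bit(ORIGINAL, 37)                       # one bit corrupted in transit
    tampered = ORIGINAL.replace(b"250.00", b"9250.00")   # deliberate modification
    return {
        "intact_hash_ok": hash_matches(ORIGINAL, recorded_hash),
        "noise_caught_by_hash": not hash_matches(noisy, recorded_hash),
        "tamper_caught_by_hash": not hash_matches(tampered, recorded_hash),
        # Whoever can edit the file can also re-hash it, so an unkeyed hash stored
        # next to the file proves nothing against deliberate tampering.
        "tamper_hides_behind_rehash": hash_matches(tampered, file_hash(tampered)),
        # With a keyed tag the attacker cannot forge a matching value without the key.
        "tamper_caught_by_mac": not mac_matches(tampered, MAC_KEY, recorded_mac),
        "forged_tag_rejected": not mac_matches(tampered, MAC_KEY,
                                               file_mac(tampered, b"guessed-key")),
    }


if __name__ == "__main__":
    for scenario, outcome in check_scenarios().items():
        print(f"{scenario:<28} {outcome}")
```

Every entry in the returned dictionary is `True`: the plain hash catches both the flipped bit and the edited balance when the recorded value is trustworthy, but it is satisfied by a re-hashed tampered file, while the keyed tag is not.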
Availability
• Availability enables authorized users—persons or computer
systems—to access information without interference or obstruction
and to receive it in the required format.
• Consider, for example, research libraries that require identification
before entrance. Librarians protect the contents of the library so
that they are available only to authorized patrons. The librarian
must accept a patron’s identification before that patron has free
access to the book stacks.
• Once authorized patrons have access to the contents of the stacks,
they expect to find the information they need available in a useable
format and familiar language, which in this case typically means
bound in a book and written in English.
Nonrepudiation
• Nonrepudiation prevents either sender or
receiver from denying a transmitted message.
• Thus, when a message is sent, the receiver can
prove that the alleged sender in fact sent the
message.
• Similarly, when a message is received, the sender
can prove that the alleged receiver in fact
received the message.
Components of an Information System

• An information system (IS) is much more than
computer hardware; it is the entire set of software,
hardware, data, people, procedures, and networks
that make possible the use of information resources in
the organization.
• These six critical components enable information to be
input, processed, output, and stored. Each of these IS
components has its own strengths and weaknesses, as
well as its own characteristics and uses.
• Each component of the information system also has its
own security requirements.
Software
• The software component of the IS comprises
applications, operating systems, and assorted
command utilities.
• Software is perhaps the most difficult IS
component to secure.
• The exploitation of errors in software
programming accounts for a substantial
portion of the attacks on information.
Hardware
• Hardware is the physical technology that
houses and executes the software, stores and
transports the data, and provides interfaces
for the entry and removal of information from
the system.
Data
• Data stored, processed, and transmitted by a
computer system must be protected. Data is
often the most valuable asset possessed by an
organization and it is the main target of
intentional attacks.
People
• People can be the weakest link in an organization’s
information security program. And unless policy,
education and training, awareness, and technology are
properly employed to prevent people from accidentally
or intentionally damaging or losing information, they
will remain the weakest link.
• Social engineering can prey on the tendency to cut
corners and the commonplace nature of human error.
It can be used to manipulate the actions of people to
obtain access information about a system.
Procedures
• Procedures are written instructions for
accomplishing a specific task. When an
unauthorized user obtains an organization’s
procedures, this poses a threat to the integrity
of the information.
Network
• The IS component that created much of the
need for increased computer and information
security is networking.
• When information systems are connected to
each other to form local area networks (LANs),
and these LANs are connected to other
networks such as the Internet, new security
challenges rapidly emerge.
Security Planning and Risk Analysis
• Security measures cannot assure 100%
protection against all threats.
• Risk analysis, which is the process of evaluating
system vulnerabilities and the threats facing it,
is an essential part of any risk management
program.
Risk Management
• Risk management involves three major undertakings: risk
identification, risk assessment, and risk control.
• Risk identification is the examination and documentation
of the security posture of an organization’s information
technology and the risks it faces.
• Risk assessment is the determination of the extent to
which the organization’s information assets are exposed
or at risk.
• Risk control is the application of controls to reduce the
risks to an organization’s data and information systems.
• An observation made over 2,400 years ago by Chinese
General Sun Tzu Wu has direct relevance to information
security today.
If you know the enemy and know yourself, you need not fear
the result of a hundred battles. If you know yourself but not
the enemy, for every victory gained you will also suffer a
defeat. If you know neither the enemy nor yourself, you will
succumb in every battle.
• Information security managers and technicians are the
defenders of information.
• In order to be victorious, you, a defender, must know yourself
and know the enemy.
Risk Identification
• A risk management strategy requires that information
security professionals know their organizations’ information
assets—that is, identify, classify, and prioritize them.
• Risk identification is a six-step process:
1. Plan and organize the process
2. Asset Identification and Inventory
3. Classifying and Prioritizing Information Assets
4. Information Asset Valuation
5. Identifying and Prioritizing Threats
6. Vulnerability Identification
Risk Assessment
• After identifying the information assets and the threats
and vulnerabilities they face, we evaluate the relative risk
of each vulnerability. This process is called risk
assessment.
• Risk assessment assigns a risk rating or score to
each information asset.
• While this number does not mean anything in
absolute terms, it is useful in gauging the relative
risk to each vulnerable information asset and
facilitates the development of comparative
ratings later in the risk control process.
• The following factors can be used to calculate the relative
risk for each of the vulnerabilities.
• Likelihood is the probability that a specific vulnerability
will be the object of a successful attack. In risk
assessment, we assign a numeric value to likelihood.
• The National Institute of Standards and Technology
(NIST) recommends in Special Publication 800-30
assigning a number between 0.1 (low) and 1.0 (high).
• Risk Determination
• Documenting:
– Asset: List each vulnerable asset.
– Asset Impact: Show the results for this asset from the
weighted factor analysis worksheet. In the example, this is a
number from 1 to 100.
– Vulnerability: List each uncontrolled vulnerability.
– Vulnerability Likelihood: State the likelihood of the realization
of the vulnerability by a threat agent, as noted in the
vulnerability analysis step. In the example, the number is from
0.1 to 1.0.
– Risk-Rating Factor: Enter the figure calculated from the asset
impact multiplied by likelihood. In the example, the
calculation yields a number from 1 to 100.
Sample Document
Risk Controls
• Once the project team for information
security development has created the ranked
vulnerability worksheet, the team must
choose one of five basic strategies to control
each of the risks that result from these
vulnerabilities. The five strategies are defend,
transfer, mitigate, accept, and terminate.
Defend
• The defend control strategy attempts to
prevent the exploitation of the vulnerability.
• This is the preferred approach and is
accomplished by means of countering threats,
removing vulnerabilities from assets, limiting
access to assets, and adding protective
safeguards.
Transfer
• The transfer control strategy attempts to shift
risk to other assets, other processes, or other
organizations.
• This can be accomplished by rethinking how
services are offered, revising deployment
models, outsourcing to other organizations,
purchasing insurance, or implementing service
contracts with providers.
Mitigate
• The mitigate control strategy attempts to
reduce the impact caused by the exploitation
of vulnerability through planning and
preparation.
• Mitigation begins with the early detection that
an attack is in progress and a quick, efficient,
and effective response.
Accept
• The accept control strategy is the choice to do
nothing to protect a vulnerability and to
accept the outcome of its exploitation. This
may or may not be a conscious business
decision.
Terminate
• The terminate control strategy directs the
organization to avoid those business activities
that introduce uncontrollable risks.
Legal and Ethical Issues in Computer
Security
• Law: The law may be understood as the
systematic set of universally accepted rules
and regulation created by an appropriate
authority such as government, which may be
regional, national, international, etc.
• Ethics: also described as moral philosophy, is a
system of moral principles which is concerned
with what is good for individuals and society.
Law vs Ethics
• Ethics comes from people’s awareness of what is right and
what is wrong while laws are written and approved by
governments.
• This means that ethics may vary from person to person,
because different people may have different opinions on a
certain issue, but laws state clearly what is illegal no matter
how people argue.
• To some extent, ethics is not well defined but laws are defined
and precise.
• Ethics can also be distinguished by looking at whether people
are being punished after they violate the rules.
• Nobody will be punished when they violate ethics; but
whoever violates laws is going to receive punishment
carried out by relevant authorities.
• Besides, an action can be illegal, but morally right.
• For example, in ancient China, some people robbed the rich
and gave the proceeds to the poor; this was considered
morally right but was illegal.
• Similarly, an action that is legal can be morally wrong.
• For instance, some people spend thousands of dollars on
their pets while some poor people on the street cannot
get enough food.
• Ethics emphasizes more on positive aspects while laws are
more concerned with negative actions.
• Policies: Internal (organizational) rules that:
– Describe acceptable and unacceptable employee
behaviors.
– Act as organizational laws, including penalties and
sanctions.
– Must be complete, appropriate and fairly applied in
the workplace.
– In order to be enforceable, policies must be:
• Disseminated. Distributed to all individuals and readily
available for employee reference.
• Reviewed. Distributed in a format that can be read by
employees.
• Comprehended. Employees understand the requirements,
verified e.g. by quizzes or other methods of assessment.
• Complied with. Employees agree to comply with the policy.
• Uniformly enforced, regardless of employee status or
assignment.
Types of Laws
• Civil law comprises a wide variety of laws that govern a
nation or state and deal with the relationships and conflicts
between organizational entities and people.
• Criminal law addresses activities and conduct harmful to
society, and is actively enforced by the state. Law can also
be categorized as private or public.
• Private law encompasses family law, commercial law, and
labor law, and regulates the relationship between
individuals and organizations.
• Public law regulates the structure and administration of
government agencies and their relationships with citizens,
employees, and other governments.
Types of Policies
• There are four types of security policies:
1. General security policies
2. Program security policies
3. Issue-specific policies
4. Systems-specific policies
• General security policy is an executive-level document that outlines
the organization’s approach and attitude toward information
security and relates the strategic value of information security
within the organization. This document, typically created by the CIO
in conjunction with the CEO and CISO, sets the tone for all
subsequent security activities.
• Program security policy is a planning document that outlines the
process of implementing security in the organization. This policy is
the blueprint for the analysis, design, and implementation of
security.
• Issue-specific policies address the specific implementations or
applications of which users should be aware. These policies are
typically developed to provide detailed instructions and restrictions
associated with security issues. Examples include policies for
Internet use, e-mail, and access to the building.
• Systems-specific policies address the particular use of certain
systems. This could include firewall configuration policies, systems
access policies, and other technical configuration areas.
Cyber Law
• The virtual world of the internet is known as
cyberspace; the laws governing this area are known as
cyber laws, and all netizens of this space come under the
ambit of these laws, as they carry a kind of universal
jurisdiction.
• Cyber law can also be described as that branch of
law that deals with legal issues related to use of
inter-networked information technology.
• In short, cyber law is the law governing
computers and the internet.
• Cyber law is important because it touches almost all
aspects of transactions and activities on and involving
the internet, World Wide Web and cyberspace.
• Every action and reaction in cyberspace has some legal
and cyber legal perspectives.
• Cyber law encompasses laws relating to:
1. Cyber crimes
2. Electronic and digital signatures
3. Intellectual property
4. Data protection and privacy
Indian IT Act
• Will be updated later.
Formula: Risk Rating Factor
Exercise:

If an organization has three information assets to evaluate for risk management, as
shown in the accompanying data, which vulnerability should be evaluated for additional
controls first? Which one should be evaluated last?
Data for Exercise:
1. Switch L47 connects a network to the Internet. It has two vulnerabilities: it is
susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer
overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no
current controls in place. You are 75 percent certain of the assumptions and data.

2. Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It
has a Web server version that can be attacked by sending it invalid Unicode values. The
likelihood of that attack is estimated at 0.1. The server has been assigned an impact value
of 100, and a control has been implemented that reduces the impact of the vulnerability by
75 percent. You are 80 percent certain of the assumptions and data.

3. Operators use an MGMT45 control console to monitor operations in the server room. It
has no passwords and is susceptible to unlogged misuse by the operators. Estimates
show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has
an impact rating of 5. You are 90 percent certain of the assumptions and data.
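The exercise above, worked in code as an added example (not the slides' or the course's own material). The base figure is the page's risk-rating factor, asset impact × likelihood. The control percentage and certainty percentage that the exercise data supply are applied the way the Whitman & Mattord risk formula does it: subtract the share of the base figure already mitigated by current controls, then add the share corresponding to uncertainty (100 minus the stated certainty). The asset names and numbers are the exercise's own; the class and function names are this example's.

```python
from dataclasses import dataclass


@dataclass
class Vulnerability:
    asset: str
    name: str
    impact: float                  # asset impact rating, 1..100 on the page's scale
    likelihood: float              # 0.1 (low) .. 1.0 (high), per NIST SP 800-30 as cited above
    control_pct: float = 0.0       # % of the risk removed by controls already in place
    certainty_pct: float = 100.0   # how certain you are of the assumptions and data

    def base_factor(self) -> float:
        """The page's risk-rating factor: asset impact multiplied by likelihood."""
        return self.impact * self.likelihood

    def rating(self) -> float:
        """Base factor, minus the share covered by current controls, plus the
        share that reflects uncertainty in the estimate (Whitman & Mattord)."""
        base = self.base_factor()
        mitigated = base * self.control_pct / 100.0
        uncertainty = base * (100.0 - self.certainty_pct) / 100.0
        return base - mitigated + uncertainty


# Data for the exercise, transcribed from the slide.
EXERCISE = [
    Vulnerability("Switch L47", "hardware failure", impact=90, likelihood=0.2,
                  control_pct=0, certainty_pct=75),
    Vulnerability("Switch L47", "SNMP buffer overflow", impact=90, likelihood=0.1,
                  control_pct=0, certainty_pct=75),
    Vulnerability("WebSrv6", "invalid Unicode values", impact=100, likelihood=0.1,
                  control_pct=75, certainty_pct=80),
    Vulnerability("MGMT45", "unlogged misuse (no password)", impact=5, likelihood=0.1,
                  control_pct=0, certainty_pct=90),
]


def ranked_worksheet(vulns) -> list:
    """Return (asset, vulnerability, rating) rows, highest risk first: the ranked
    vulnerability worksheet that the Risk Controls slides start from."""
    rows = [(v.asset, v.name, v.rating()) for v in vulns]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def first_and_last(vulns) -> tuple:
    """Which vulnerability gets controls evaluated first, and which last."""
    ranked = ranked_worksheet(vulns)
    return ranked[0][:2], ranked[-1][:2]


if __name__ == "__main__":
    for asset, name, score in ranked_worksheet(EXERCISE):
        print(f"{asset:<12} {name:<30} {score:6.2f}")
    print("first:", first_and_last(EXERCISE)[0], " last:", first_and_last(EXERCISE)[1])
```

Running it prints the worksheet highest risk first, and `first_and_last` answers the two questions the exercise asks. Changing `control_pct` or `certainty_pct` on a row shows how a new control or better information moves it in the ranking, which is the comparison the risk control step then works from.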
