Module 1 - IAS

This document provides an overview of the IT304/IT304L Information Assurance and Security 1 course. The course examines fundamentals of information security and assurance involving confidentiality, integrity, and availability. The course aims to help students understand key factors in authentication and how they are used to verify identity and grant access to systems. It also covers legal and ethical considerations related to handling enterprise information assets. The course objectives are to examine the relationship between threats, vulnerabilities, countermeasures, attacks, and remediation throughout the system lifecycle.

Uploaded by Kirito Zacharias

IT304/IT304L

INFORMATION ASSURANCE AND SECURITY 1

Name of Student:

Course/Year/Section:

Instructor/Contact Number: Rene C. Radaza, MSIT / +639283532237

1 | SLSU CCSIT MAIN CAMPUS


Module 1: Introduction to Computer, Operating Systems and Security

COURSE OVERVIEW

Course No.: IT304/IT304L
Course Code: IT304/IT304L
Descriptive Title: INFORMATION ASSURANCE AND SECURITY 1
Credit Units: 2 units lecture / 1 unit lab
School Year/Term: 2nd Semester, AY 2021-2022
Mode of Delivery: Online and Modular Learning
Name of Instructor/Professor: Rene C. Radaza, MSIT

Course Description: This course examines fundamentals of information security and assurance involved in confidentiality, integrity, and availability; security policies; authentication; access control; risk management; threat and vulnerability assessment; common attack/defense methods; ethical issues; and creating and managing secure computer network environments. Both hardware and software topics are considered, including authentication methods, remote access, network security architectures and devices, cryptography, forensics and disaster recovery plans.

Course Outcomes:
Knowledge (Think): Examine the relationship between threats, vulnerabilities, countermeasures, attacks, compromises and remediation throughout the entire system life cycle.
Skills (Do): Adopt the key factors involved in authentication and how they are used to verify identity and grant access to systems.
Values (Feel): Practice the legal and ethical considerations related to the handling and management of enterprise information assets.

SLSU Vision: A high quality corporate university of Science, Technology and Innovation.

SLSU Mission: SLSU will:
a. Develop Science, Technology and Innovation leaders and professionals;
b. Produce high-impact technologies from research and innovations;
c. Contribute to sustainable development through responsive community engagement programs;
d. Generate revenues to be self-sufficient and financially-viable;


This module provides an understanding of Information Assurance and Security.

You can download the module from the following platforms:

Flexible Learning Management System: https://you.slsuonline.edu.ph/
Facebook Group: https://www.facebook.com/groups/451376713340042/
Google Classroom:
- Section 3A: https://classroom.google.com/c/MjI3ODE0MDE0MTg1?cjc=pybz4b6
- Section 3B: https://classroom.google.com/c/MjI3ODE0MDE0MjM3?cjc=nzf257i
- Section 3C: https://classroom.google.com/c/MjI3ODE0MDE0Mjc3?cjc=nt7i42i
- Section 3D: https://classroom.google.com/c/MjI3ODE0MDE0MzM0?cjc=sialmht

Visit the respective distribution site in your area for collection and submission of your modules.

Hardware and Software needed for this course:

Computer, Mobile Phone, Text Editor, Paper and Pencil

Course Objective: Examine the relationship between threats, vulnerabilities, countermeasures, attacks, compromises and remediation throughout the entire system life cycle.

Intended Learning Outcomes:
ILO1. Identify the major components used in distributed denial-of-service (DDoS) attacks.
ILO2. Explain how a computer virus works and what it does.
ILO3. Examine firewall technology and the importance and role of access control in information security.

INTRODUCTION

Year by year the importance of Information Security (InfoSec) and Information Assurance (IA) grows. In 2012, security budgets received higher priority worldwide compared with 2011. Spending on security is expected to grow from $55 billion in 2011 to $86 billion in 2016. The terms InfoSec and IA are often interpreted differently. For the sake of clarity, the definitions of InfoSec and IA accepted in this work are outlined below (throughout the text all important definitions are italicized). The definitions are adopted from where they are elaborated on the basis of a detailed analysis of the related literature.

Information Security is a multidisciplinary area of study and professional activity which is concerned with the development and implementation of security countermeasures of all available types (technical, organisational, human-oriented and legal) in order to keep information in all its locations (within and outside the organisation's perimeter) and, consequently, information systems, where information is created, processed, stored, transmitted and destroyed, free from threats.

Information Assurance is a multidisciplinary area of study and professional activity which aims to protect the business by reducing risks associated with information and information systems by means of comprehensive and systematic management of security countermeasures, driven by risk analysis and cost-effectiveness. In this research, we refer to the Information Assurance & Security (IAS) knowledge area, which incorporates the knowledge acquired by both InfoSec and IA. In the scope of IAS this includes all actions directed at keeping information secure as well as the management of these actions. The realm of IAS is not limited to the protection of electronic information, or to technical security countermeasures. IAS promotes a holistic approach to security in which a sensible combination of security countermeasures of different types is used for adequate information protection.

DISCUSSION ON MODULE 1: Introduction to Information Assurance and Security

Lesson 1. Fundamentals of Information Assurance (IA) and Information Security (INFOSEC)

Objective: At the end of the lesson, students shall be able to:
1. Define IA and INFOSEC;
2. Discuss the importance of studying information assurance and security (IAS);
3. Write their own IS principle/s based on the discussion made in class; and
4. Analyze a simple case related to IAS.

What is IA?

Digital Forensic and Cyber Security Center (DFCSC) defines IA as:

“…the practice of assuring information and managing risks related to the use,
processing, storage, and transmission of information or data and the systems
and processes used for those purposes. Information assurance includes
protection of the integrity, availability, authenticity, non-repudiation and
confidentiality of user data. It uses physical, technical and administrative
controls to accomplish these tasks. While focused predominantly on
information in digital form, the full range of IA encompasses not only digital
but also analog or physical form as well. These protections apply to data in
transit, both physical and electronic forms as well as data at rest in various
types of physical and electronic storage facilities”

Why Is Information Assurance Needed?

Information Assurance is very much needed in business. In short, "IA increases the utility of information to authorized users and reduces the utility of information to those unauthorized."

In line with this, DFCSC stated that "IA practitioners must consider corporate governance issues such as privacy, regulatory and standards compliance, auditing, business continuity, and disaster recovery as they relate to information systems."

Information Assurance Process

The IA process, as enumerated in https://infogalactic.com and https://en.wikipedia.org/wiki/Information_assurance, involves the following:

1. Enumeration and classification of the information assets to be protected.
2. Conduct of a risk assessment for those information assets (to be done by IA practitioners).
3. Enumeration of the possible threats capable of exploiting the assets, by determining vulnerabilities in the information assets.
4. Consideration of the probability of a threat exploiting a vulnerability in an asset.
5. Determination of the effect and impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders.
6. Summarizing the products of the threats' impact and the probability of their occurrence for each information asset.
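The six steps above can be carried through as a small risk register. This is an added example, not code from the module: the assets, threats, probabilities and impact costs are constructed sample data, and the scoring (risk as probability times impact cost, summed per asset) is an assumption that follows step 6.

```python
"""Risk register following the six-step IA process described in the module.

Added example, not part of the original module. Every asset, threat and
vulnerability entry below is constructed sample data, and the scales are an
assumption: probability is a 0.0-1.0 likelihood and impact is an estimated
cost to the asset's stakeholders.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    # Step 1: enumerate and classify each information asset.
    name: str
    classification: str          # e.g. "confidential", "internal", "public"
    owner: str


@dataclass
class Threat:
    # Step 3: a threat paired with the vulnerability it could exploit.
    name: str
    vulnerability: str
    probability: float           # Step 4: likelihood of exploitation (0.0-1.0)
    impact_cost: float           # Step 5: impact as cost to the stakeholders


@dataclass
class RiskEntry:
    asset: Asset
    threat: Threat

    @property
    def risk(self) -> float:
        # Step 6: the product of the threat's impact and its probability.
        return self.threat.probability * self.threat.impact_cost


def validate(threat: Threat) -> None:
    """Reject entries whose probability or impact is outside the assumed scales."""
    if not 0.0 <= threat.probability <= 1.0:
        raise ValueError(f"probability out of range for {threat.name}")
    if threat.impact_cost < 0:
        raise ValueError(f"negative impact for {threat.name}")


def build_register(assets: list[Asset],
                   threats_by_asset: dict[str, list[Threat]]) -> list[RiskEntry]:
    """Step 2: assess each asset against its threats, highest risk first."""
    entries = []
    for asset in assets:
        for threat in threats_by_asset.get(asset.name, []):
            validate(threat)
            entries.append(RiskEntry(asset, threat))
    return sorted(entries, key=lambda e: e.risk, reverse=True)


def summarize(register: list[RiskEntry]) -> dict[str, float]:
    """Expected loss per asset: the sum of probability x impact over its threats."""
    totals: dict[str, float] = {}
    for entry in register:
        totals[entry.asset.name] = totals.get(entry.asset.name, 0.0) + entry.risk
    return totals


# Constructed sample inventory (not real data).
SAMPLE_ASSETS = [
    Asset("customer database", "confidential", "IT department"),
    Asset("public website", "public", "marketing"),
]
SAMPLE_THREATS = {
    "customer database": [
        Threat("SQL injection", "unvalidated web input", 0.30, 500_000),
        Threat("ransomware", "unpatched server", 0.10, 800_000),
    ],
    "public website": [
        Threat("DDoS", "no traffic filtering", 0.50, 20_000),
    ],
}

if __name__ == "__main__":
    register = build_register(SAMPLE_ASSETS, SAMPLE_THREATS)
    for e in register:
        print(f"{e.asset.name:18} {e.threat.name:14} risk={e.risk:>10,.0f}")
    print(summarize(register))
```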

Five Information Assurance Pillars

The five (5) IA pillars are availability, integrity, authentication, confidentiality, and non-repudiation. "These pillars and any measures taken to protect and defend information and IS, to include providing for the restoration of information systems, constitute the essential underpinnings for ensuring trust and integrity in information systems."

The cryptology components of IA primarily concentrate on the last four pillars, namely "...integrity, authentication, confidentiality, and non-repudiation. These pillars are applied in accordance with the mission needs of particular organizations."
Tyler cybersecurity.com defines these pillars as follows:
- Integrity means protecting against improper information modification or damage, and includes ensuring information non-repudiation and authenticity.
- Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
- Authentication is the process of determining whether someone (or something) is, in fact, who (or what) it is declared to be.
- Non-repudiation, on the other hand, is defined by www.cryptomathic.com as "a legal concept that is widely used in information security and refers to a service which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity of that message."
Information Security (INFOSEC)

Information security, shortened to InfoSec, is "the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.)."

The two (2) aspects of information security are explained below.

Information assurance is the act of ensuring that data is not lost when critical issues arise. IT security is sometimes referred to as information security applied to technology (most often some form of computer system). IT security specialists are responsible for keeping all of the technology within the company secure from malicious cyber-attacks that often attempt to breach critical private information or gain control of the internal systems.

All institutions, both public and private, deal with a lot of confidential information. With the advent of modern technology, most of this information is now gathered, processed and saved digitally and transmitted over computer networks. Write ways on how this information shall be secured properly to prevent loss of sensitive or confidential information, prevent hostile use of data or avoid damage to the organization's

WHY SECURITY?

PRINCIPLES OF SECURITY

The CIA triad embodies the three concepts of "fundamental security objectives for both data, information and computing services."

Fig. 2 CIA Triad


To clearly understand these concepts, please refer to the discussion below:

1. Confidentiality
- Is a set of rules that limits access to information.
- Prevents the disclosure of information to unauthorized individuals or systems.
- Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it.

The terms privacy and secrecy are sometimes used to distinguish between the protection of personal data (privacy) and the protection of data belonging to an organization (secrecy).

Let us take this as an example:
"...a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, backups, printed receipts, etc.), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred."

In summary, confidentiality is important in maintaining people's privacy. Unauthorized disclosure of information is likely to occur when confidentiality is lost.
2. Integrity
- Is the assurance that the information is trustworthy and accurate.
- Involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.
- Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality).
- This goal defines how we keep our data from being altered. Man-in-the-middle (MITM) attacks are an example of a threat to this goal.

Additional qualifications like "being authorized to do what one does or following the correct procedures" have also been included under the term integrity, ensuring that users of a system, even if authorized, are not permitted to modify data items in such a way that assets (e.g., accounting records) of the company are lost or corrupted.
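The credit-card example under Confidentiality and the in-transit tampering threat under Integrity can both be shown with two small controls: masking the card number wherever it would otherwise be printed, and attaching a keyed integrity tag so a message altered in transit is rejected. This is an added example, not code from the module; the receipt format, the shared key and the sample transaction are constructed for illustration.

```python
"""Confidentiality and integrity controls for the module's card-number example.

Added example, not part of the original module. The receipt format, the
shared key and the sample transaction are constructed; the module describes
the controls, not this code.
"""
import hashlib
import hmac
import json

# Constructed shared secret between merchant and transaction processor (assumption).
SHARED_KEY = b"demo-key-not-for-production"


def mask_pan(card_number: str) -> str:
    """Confidentiality: limit where the full number appears (receipts, logs).

    Keeps only the last four digits, so a leaked receipt does not leak the PAN.
    """
    digits = "".join(ch for ch in card_number if ch.isdigit())
    if len(digits) < 13 or len(digits) > 19:
        raise ValueError("card number length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]


def receipt_line(card_number: str, amount: float) -> str:
    """What the buyer's printed receipt should contain: the masked PAN only."""
    return f"Card {mask_pan(card_number)} charged {amount:.2f}"


def sign_transaction(txn: dict, key: bytes = SHARED_KEY) -> str:
    """Integrity: the merchant attaches an HMAC-SHA256 tag over canonical JSON.

    Anyone relaying the message (a man in the middle) cannot change the amount
    or card number without invalidating the tag, because they lack the key.
    """
    canonical = json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_transaction(txn: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Processor side: recompute the tag and compare it in constant time."""
    expected = sign_transaction(txn, key)
    return hmac.compare_digest(expected, tag)


# Constructed sample transaction (not a real card number).
SAMPLE_TXN = {"card": "4111111111111111", "amount": 49.99, "merchant": "shop-42"}

if __name__ == "__main__":
    print(receipt_line(SAMPLE_TXN["card"], SAMPLE_TXN["amount"]))
    tag = sign_transaction(SAMPLE_TXN)
    print("genuine message verifies:", verify_transaction(SAMPLE_TXN, tag))
    tampered = dict(SAMPLE_TXN, amount=4999.99)   # altered in transit
    print("tampered message verifies:", verify_transaction(tampered, tag))
```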

3. Availability
- It means that assets are accessible to authorized parties at appropriate times.
- Availability is very much a concern beyond the traditional boundaries of computer security. We want to ensure that legitimate users will have reasonable access to their systems without fear of being attacked by unauthorized users.

Assignment:

Why do we need to keep important corporate information confidential? What kinds of abuses
can you think of in the absence of controls on confidentiality? What criminal activities could
be reduced or eliminated if confidentiality controls were effectively implemented?

Assessment 1:
Directions: Read and understand the following questions carefully. Encircle the letter of the correct answer.

Assessment 2:
Test I.

Test II.


Lesson 2. Governance and Risk Management
Objective: At the end of the lesson, students shall be able to:
1. Identify assets;
2. Identify vulnerabilities;
3. Identify threats; and
4. Identify controls.

ASSETS, ATTACKS, RISKS, THREATS, VULNERABILITIES AND COUNTERMEASURES

Now that we have already defined the main objective of this course, we will be discussing the
Common Body of Knowledge in the areas of Information Assurance and Security.

ASSETS

Crown jewels are the precious ornaments and jewellery worn by a sovereign on certain state occasions. Put simply, crown jewels are particularly valuable or prized possessions, something we secure in a safe place.

This analogy tells us what an ASSET is. In every Information System we develop, we treat all data as "crown jewels".

In Information Security, an ASSET refers to any piece of information, device or other related component that supports business activities. Assets are either components of a computer and/or the data stored in it. Basically, assets are the things that should be put under strict security measures, because failure to do so may result in losses to the organization.

To put it simply, assets are the main reason why we need to secure and assure our information systems: once they are exposed, problems may follow that lead to losses for the organization.

In more detail, mismanagement of assets may lead to attacks. Attacks refer to activities intended to take assets with the intention of using them for bad purposes. These attacks are everywhere, in both the public and private sectors. One example of an attack is a Data Breach.

A Data Breach is an event wherein information is accessed without the consent of the authorized party. Data breaches are widely observed in Web-based Information Systems, because the many assets exposed over the internet are the apple of the attacker's eye. In fact, victims rose by 80% in India in 2019. The chart below shows the different types of attacks that happened on the web, recorded in the month of September 2019.

The following is a list of the assets that Information Assurance and Security is trying to protect:
1. Customer Data
2. IT and Network Infrastructure
3. Intellectual Property
4. Finances and Financial Data
5. Service Availability and Productivity
6. Reputation

On the other hand, a person with bad intentions who attacks someone's assets is a Hacker. Hackers refer to anyone with the professional skill to access assets without any authorization. Their intention is basically to commit crimes, mostly to steal and destroy systems. Sometimes systems are hacked to hold the system's assets hostage, with a ransom collected on condition of bringing the assets back.

However, good hackers also exist. They are the ones who use their skills in hardware and software to bypass the security of a device or a network. Their intention is to provide a service to the victims of attacks. Both the public and private sectors hire good hackers to help them keep their systems safe.

Computer security professionals name hackers metaphorically using hat colours such as White, Black and Gray. The names come from the old spaghetti westerns, where black hats were worn by the bad cowboys, white hats by the good ones, and gray was neutral.
Black Hat Hackers
Black Hat Hackers basically have advanced knowledge in destroying networks. They perform hacking by bypassing the security measures of networks. This type of hacker also knows how to create malware intended to gain access to systems in order to steal personal and financial assets.

White Hat Hackers
Hackers who utilize their skills to do good are referred to as White Hat Hackers. Most big companies intentionally employ white hat hackers to work for them. Their main responsibility is to check for and find holes in the company's systems through hacking. The main difference between White Hat Hackers and Black Hat Hackers is that white hats perform hacking with the owner's permission while black hats do not. In fact, there are trainings and certifications for ethical hacking.

Grey Hat Hackers
Grey is neither white nor black. This analogy applies to Grey Hat Hackers. They are a combination of ethical and unethical hackers. Sometimes they will look for a system's or organization's weakness without authorized access and report it to the company. Companies may then hire them to secure the asset. However, if the company does not employ the Grey Hat Hacker, they may expose the said weakness online so that Black Hat Hackers can carry out their intentions.

The term hacker always sounds bad to us. However, it is very important for us to understand that our judgement of them shall always depend on their intentions.

Aside from hackers, we also have people who violate or break the security of remote machines. They are known as Crackers. Initially, crackers get unauthorized access to vital data and deprive the original user or owner of it.

Crackers can be identified as either the (fortunately few and far between) experts who discover security holes and exploit them, and/or the script kiddie: one who knows how to get programs and run them legitimately.
These hackers and crackers are the ones whom Information Security is trying to catch.

Every attacker, whether a Hacker or a Cracker, uses tools to perform their attacks. The following are the tools they utilize to carry out their intentions:
1. Protocol Analyzers (Sniffers). These applications put the host NIC into a mode that passes all traffic seen on the wire up to the CPU, rather than only the frames the controller was designed to receive.
2. Port Scanner. An application that probes a host for open ports.
3. Finger scanning is a way to acquire human biometrics such as fingerprints.
4. Vulnerability Scanning Tools are automated tools that scan web-based applications and find vulnerabilities. Examples of such vulnerabilities are cross-site scripting, SQL injection, command injection, path traversal and insecure server configuration.
5. Exploit Software is a piece of technology, a chunk of data or a series of commands that takes advantage of a bug or vulnerability to trigger unintended or unforeseen behaviour in computer software, hardware or anything electronic.
6. Wardialers. These can be used to find backdoors into your network. A wardialer dials telephone numbers to check whether a line carries data through a modem and the like.
7. Password Cracker. This software is used to retrieve a forgotten password for a system or other network resources. Sometimes it is used to access resources without permission.
8. Keystroke Loggers. A keylogger is a surveillance application that has the ability to record every keystroke made on the system. It writes these to a log file that is usually encrypted.

Security Breach

Security breaches happen a lot, not necessarily at your house, but in large and small organizations. The intention to destroy a company's standing and finances is one concrete reason why security breaches exist.

Security and data breaches can happen on a large, uncontrollable scale.

A breach happens when an attacker or intruder gains access without the permission of the asset's owner or keeper. They use bypass mechanisms that can typically reach restricted areas. A security breach is a violation that can lead to damage and even loss of assets.

Simply, Security Breaches refers to any action that would result in a violation of any rules of the Central Intelligence Agency. Most of these breaches disrupt services intentionally. However, some of them are accidental, but both can cause hardware or software failures.

The following are activities that cause Security Breaches:

1. Attack through Denial of Service (DoS). This refers to an attack that kills a machine or network, resulting in a legitimate user being unable to use the destroyed asset.
2. Distributed denial-of-service (DDoS). This happens when an attacker floods the target with network traffic, so that a legitimate user is denied use of the network or a node.
3. Unacceptable Web Browsing. Acceptable web browsing is defined in an Acceptable Use Policy (AUP), which covers things like looking for a file in a directory or browsing restricted sites.
4. Wiretapping. Wiretapping refers to the practice of connecting a listening device to a telephone line to secretly monitor a conversation.
5. Backdoors. This refers to hidden access included by the developers. Backdoors are used to obtain exposure to data repositories.
6. Data Modifications. Refers to changes in data that happen purposely or accidentally. This may also include incomplete and truncated data.

Additional Security Challenges may include:

1. Spam and Spim. Spam refers to unsolicited email; spim is spam over instant messaging.
2. Cookies. Cookies contain little chunks of data, which may include login credentials, that make it possible for a user to have a good browsing experience.
3. Hoaxes. A hoax is a message that claims to warn recipients of a (non-existent) computer virus threat.

RISK, THREATS AND VULNERABILITIES

Risk, Threats and Vulnerabilities are characteristics that describe something that needs to be taken care of. Failing to do so may lead to an attack.

Risk refers to the probability that bad things will happen to a specific asset.
Threat is defined as any action that might compromise or destroy an asset.
Vulnerability is a weakness that may harm systems or networks.

There is a wide variety of threats spread out, especially on the internet. Many call the internet a marketplace of threats.

Threats can be categorized into three types:

1. Disclosure Threats. These threats may include sabotage and espionage.
2. Unauthorized Threats. One example of an Unauthorized Threat is Unauthorized Changes: modifications made beyond the policy that has been agreed upon.
3. Denial or Destruction Threats. DoS and/or DDoS best explain these threats.

Categories of Malicious Attacks

Malicious attacks can be classified according to the intent of the actions. These may include the following:

1. An interception refers to access gained by an unauthorized party to an asset. This may include illicit program copying and/or wiretapping.
2. Interruption happens when a system becomes lost, unavailable or unusable.
3. Modification occurs when an unauthorized attacker tampers with an asset.
4. Fabrication refers to the counterfeiting of a system or network by an unauthorized party.

Types of Active Threats

The following lists types of threats that are currently active and that developers or Information Security Professionals should be aware of:

1. Birthday Attacks
2. Brute-Force Password Attacks
3. Dictionary Password Attacks
4. IP Address Spoofing
5. Hijacking
6. Replay Attacks
7. Man-In-The-Middle Attacks
8. Masquerading
9. Social Engineering
10. Phishing
11. Phreaking
12. Pharming

Malicious Software (Malware)

In the context of installing software on our systems, whether before, during or after installation, we can say that it is malicious if it:

1. Causes damage
2. Escalates security privileges
3. Divulges private data
4. Modifies or deletes data

General Classification of Malware

Virus

Like human beings, our systems or assets can be infected by a virus too. In computing, a virus attaches itself to another program or application. Basically, it contaminates a program and can cause itself to be copied to other computers. Most of the time, the virus triggers when the user runs the infected application.

Worm

A worm is a self-contained program. It duplicates and sends itself to other hosts without any user intervention. One scary thing about a worm is that it does not need an installed application in order to contaminate the whole system.

Trojan Horse

A Trojan Horse is malware that hides inside a useful program. It collects sensitive information and may open backdoors into computers. A Trojan Horse can actively upload and download files.

Rootkit

A rootkit is a group of malicious software. Basically, these applications gain unauthorized access to a machine and hide their existence from other applications.

Spyware

Spyware is a type of malware that targets confidential data. Mostly, it monitors the user's actions and can even carry out a course of actions like scanning, snooping and installing other spyware. It can even change the default browser of a computer.

COUNTERMEASURES

As the old saying goes, prevention is better than cure; in information security we can also cure these attacks, if not prevent them from happening. There are suggested activities and tools that we, as Information Security Professionals, can use as an antidote to or defence against the said attacks.

A countermeasure, basically, is an action to detect vulnerabilities, prevent attacks and/or react to the impacts of successful attacks. In the case of an attack, a victim can get help from security consultants, law enforcement offices and/or experts.

The following are countermeasures that can help in preventing and/or curing malware:

1. Training events for users
2. Regular updates and bulletins about malware
3. Do not transfer assets to or from untrusted or unknown sources.
4. Evaluate new programs or quarantine files on a computer
5. Purchase and install anti-malware software and scan your files on a regular basis
6. Use strong login credentials

On the other hand, a Firewall can defend your system from various forms of attack too. Basically, a firewall is a program or a dedicated device that inspects the network traffic present in a network. Its purpose is to deny or permit traffic depending on protocols.
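The permit/deny decision a firewall makes can be shown with a minimal rule-based packet filter: an ordered rule list matched on protocol, addresses and destination port, first match wins, and anything unmatched is denied. This is an added example, not code from the module; the rule syntax, the sample policy and the sample packets are constructed, and real firewalls use their own rule formats.

```python
"""A minimal rule-based packet filter, illustrating the firewall described above.

Added example, not part of the original module. The rule syntax, the sample
rule set and the sample packets are constructed; real firewalls use their own
formats, but the ordered-match plus default-deny logic is the same idea.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    protocol: str                    # "tcp", "udp" or "icmp"
    src: str                         # source IPv4 address
    dst: str                         # destination IPv4 address
    dst_port: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str = "any"
    src: str = "0.0.0.0/0"           # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def decide(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; unmatched traffic is denied by default.

    The default-deny fallback is what makes the policy fail closed: a protocol
    or port nobody thought to list is blocked rather than let through.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample policy for one web server (not a real deployment).
SAMPLE_RULES = [
    Rule("permit", "tcp", dst="203.0.113.10/32", dst_port=443),      # HTTPS from anywhere
    Rule("permit", "tcp", src="192.0.2.0/24",
         dst="203.0.113.10/32", dst_port=22),                          # SSH from admin LAN only
    Rule("deny", "icmp"),                                             # no ping
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.7", "203.0.113.10", 443),
        Packet("tcp", "198.51.100.7", "203.0.113.10", 22),
        Packet("tcp", "192.0.2.25", "203.0.113.10", 22),
        Packet("icmp", "198.51.100.7", "203.0.113.10"),
        Packet("udp", "198.51.100.7", "203.0.113.10", 53),
    ]
    for p in samples:
        print(p.protocol, p.src, "->", p.dst, p.dst_port, "=>", decide(SAMPLE_RULES, p))
```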

Assessment 3:

Test I.

Test II.

Test III.


Lesson 3. Risk, Response and Recovery; Security Operations and Administration
Objective: At the end of the lesson, students shall be able to:

1. Define the concepts of risk management, specific response strategies and issues related to IT systems recovery.

What is Risk Management?

The risk management process involves identifying the risk to an organization's information resources and infrastructure, as represented by its vulnerabilities, and taking measures to reduce that risk to an acceptable level.

Purpose of Risk Management

The aim of risk management is to detect potential issues before they arise so that risk-handling measures can be prepared and used as required during the product or project life to minimize adverse impacts on achieving goals.

Risk identification

19 | SLSU CCSIT MAIN CAMPUS


Risk identification is the examination and documentation of an organization's IT security situation
and the threats it faces. A risk management strategy requires information security professionals
to understand their organization's information assets, that is, to identify, classify and
prioritize those assets.

Organize and plan the process


 Start by organizing a team, typically made up of representatives of all affected groups.
 The process is then planned, with regular deliverables, reviews and management
presentations.
 Tasks are laid out, assignments are made and timetables are discussed. Only then is the organization
ready to begin the next step: identifying and classifying assets.

Identifying, Inventorying and Classifying Assets


 The iterative cycle starts with the enumeration of assets, including all elements of an
organization's system: people, procedures, data and information, software,
hardware and networking elements.
 The assets are then classified and categorized, adding detail as you dig
deeper into the analysis.

Categorization of information system elements


Identifying People, Procedures and Data Assets
 Human resources, documents and data assets are more difficult to identify than
hardware and software assets.
 The task should be assigned to people with the necessary expertise, experience and judgment.
 As people, procedures and data assets are identified, they should be recorded using a
reliable data-handling process.



Identifying Hardware, Software and Network Assets
 Which attributes of each asset are tracked depends on:
- the needs of the organization and its risk management effort
- the preferences and needs of the security and information technology communities
 Asset attributes to consider:
- Name
- IP address
- Media access control (MAC) address
- Element type
- Serial number
- Manufacturer name
- Manufacturer's model number or part number
- Software version, update revision or FCO number
- Physical location
- Logical location
- Controlling entity

Asset Categorization

 People comprise employees and non-employees.

 Procedures either do not expose knowledge useful to a potential attacker, or are sensitive
and could allow an attacker to gain an advantage.
 The data components account for the information as it is transmitted, processed and stored.
 The software components include applications, operating systems and security
components.
 Hardware is either ordinary system equipment and peripherals, or part of an
information security control system.

Evaluation of Information Assets

• Questions help to formulate the asset valuation criteria.

• Which information asset:
– is the most critical to the success of the organization?
– generates the most revenue or profitability?
– plays the biggest role in generating revenue or delivering services?
– would be the most expensive to replace or to protect?
– would be the most embarrassing, or cause the greatest liability, if it were revealed?
• Prioritization of information assets
– Build weightings for each criterion based on the answers to these questions.
– Score every asset using the weighted factor analysis.
– List the assets in order of importance using the weighted factor analysis
worksheet.

Identification and prioritization of risks

• Realistic threats need to be investigated; unimportant threats are set aside.
• Threat assessment:
– Which threats present a danger to the organization's assets?
– Which threats represent the greatest danger to the organization's information?
– How much would it cost to recover from a successful attack?
– Which threat requires the greatest expenditure to prevent?

Specifying the properties vulnerabilities

• Specific avenues that threat agents can exploit to attack an information asset are called
vulnerabilities.
• Examine how each threat could be perpetrated, and list the organization's assets and
their vulnerabilities.
• The process works best when people with diverse backgrounds within the
organization work iteratively in a series of brainstorming sessions.

Risk Assessment

 Risk assessment evaluates the relative risk for each vulnerability.

 Each information asset is assigned a risk rating or score.
 Planning and organizing risk assessment
– The goal at this point is to create a method for evaluating the relative risk of each
vulnerability identified.

Likelihood

 Likelihood is the probability that a specific vulnerability will be the object of a successful
attack.
 In risk assessment, a numerical value is assigned to the likelihood.
 NIST Special Publication 800-30 recommends assigning a number
between 0.1 (low) and 1.0 (high).
 Wherever possible, use external references for likelihood values that have been reviewed and
adjusted for your particular circumstances. Many asset and vulnerability combinations
have published sources of likelihood, for instance:
– The likelihood that any given e-mail contains a virus or worm has been researched.
– The number of attacks on a network can be estimated from the number of assigned
addresses the organization has.

Assessing the Magnitude of Loss

• The next step is to determine how much of an information asset could be lost in a
successful attack.
• This combines the value of the information asset with the percentage of the asset that would
be lost in the event of a successful attack.
• Difficulties include:
– Valuing the information asset
– Estimating the percentage of the asset lost in best-case, worst-case
and most likely scenarios

Risk Calculation

• For the purposes of relative risk assessment, risk equals:
– the likelihood of vulnerability occurrence times the value (or impact) of the asset,
– minus the percentage of that risk already controlled,
– plus an element of uncertainty (the percentage by which current knowledge of the
vulnerability may be incomplete).



Identify Potential Controls
• For each threat and its associated vulnerabilities, create a preliminary list of control ideas and
determine the residual risk.
– Residual risk is the risk that remains to the information asset even after the existing
controls have been applied.
• There are three general categories of controls:
– Policies: documents that specify the organization's approach to security.
• There are four types of security policies:
- General security policies
- Program security policies
- Issue-specific policies
- System-specific policies
– Programs: activities carried out within the organization to improve security.
– Technologies: technical implementations of the organizationally defined policies.
• Where the residual risk is greater than the organization's risk appetite, additional risk reduction
strategies must be sought.

Documenting Risk Assessment Results

• The ranked vulnerability risk worksheet is the final summary document.

• The worksheet lists the assets, their relative value, their vulnerabilities, the likelihood of loss
and the magnitude of loss.
• The goal so far has been to identify the information assets that have specific vulnerabilities,
and to list them ranked by those most in need of protection.
• The ranked vulnerability risk worksheet is organized as follows:
– Asset: list each vulnerable asset.
– Asset impact: show the result for this asset from the weighted factor analysis worksheet. This
is a number from 1 to 100 in the example.
– Vulnerability: list each uncontrolled vulnerability.
– Risk-rating factor:
 enter the figure from the asset impact calculation,
 and multiply it by the likelihood;
 in the example the result lies between 0.1 and 100 (an impact of 1 to 100 times a
likelihood of 0.1 to 1.0).
• The most pressing issue in the example worksheet is the vulnerable mail server. Although the
information asset represented by the customer support e-mail has an impact rating of only
55, the fairly high likelihood of hardware failure makes it the most urgent problem.
 Now that the risk identification process is complete, what should its documentation look like?
What are the deliverables of this phase?
– A description of each deliverable, and who is responsible for preparing and
reviewing it.
– The ranked vulnerability risk worksheet is the primary reference document for the next step
in the risk management process: risk assessment and control.
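The risk formula from the Risk Calculation section and the ranked vulnerability risk worksheet described above, carried through in Python as an added example (this is not the module's own code). The 55 impact rating for the customer support e-mail comes from the text; the other rows, their impact scores and all likelihood values are constructed assumptions, chosen so that the e-mail hardware-failure row comes out on top as the text says it does.

```python
from dataclasses import dataclass
from typing import List

# Added example (not from the module): the relative risk formula from the
# "Risk Calculation" section and a ranked vulnerability risk worksheet
# built from it. The worksheet rows and their likelihoods are constructed
# for illustration; only the 55 impact rating comes from the text.

def risk_rating(impact: float, likelihood: float,
                pct_controlled: float = 0.0, uncertainty: float = 0.0) -> float:
    """risk = impact * likelihood
              - (that product * fraction of the risk already controlled)
              + (that product * fraction of uncertainty in our knowledge)
    impact is the asset's weighted-factor score (1..100); likelihood follows
    the NIST SP 800-30 scale of 0.1 (low) to 1.0 (high)."""
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError(f"likelihood {likelihood} is outside the 0.1..1.0 scale")
    if not 0.0 <= pct_controlled <= 1.0 or not 0.0 <= uncertainty <= 1.0:
        raise ValueError("pct_controlled and uncertainty are fractions in 0..1")
    base = impact * likelihood
    return base - base * pct_controlled + base * uncertainty

@dataclass
class WorksheetRow:
    asset: str
    impact: float            # from the weighted factor analysis worksheet
    vulnerability: str
    likelihood: float
    pct_controlled: float = 0.0
    uncertainty: float = 0.0

    @property
    def rating(self) -> float:
        return risk_rating(self.impact, self.likelihood,
                           self.pct_controlled, self.uncertainty)

def rank_worksheet(rows: List[WorksheetRow]) -> List[WorksheetRow]:
    """Highest risk-rating factor first: the order in which vulnerabilities
    should be addressed. sorted() is stable, so ties keep their input order."""
    return sorted(rows, key=lambda r: r.rating, reverse=True)

# Constructed worksheet rows (assets, impacts other than 55, and all
# likelihood values are assumptions for the example).
WORKSHEET = [
    WorksheetRow("Customer service request via e-mail (inbound)", 55,
                 "E-mail disruption due to hardware failure", 0.2),
    WorksheetRow("Customer service request via e-mail (inbound)", 55,
                 "E-mail disruption due to software failure", 0.2),
    WorksheetRow("Customer order via SSL (inbound)", 100,
                 "Lost orders due to web server hardware failure", 0.1),
    WorksheetRow("Customer order via SSL (inbound)", 100,
                 "Lost orders due to web server or ISP service failure", 0.1),
]

if __name__ == "__main__":
    for row in rank_worksheet(WORKSHEET):
        print(f"{row.rating:6.2f}  {row.asset} :: {row.vulnerability}")
```

Note what the ranking shows: the asset with the highest impact (100) is not the one to fix first, because a 0.1 likelihood pulls its rating below the 55-impact asset with a 0.2 likelihood. The `pct_controlled` and `uncertainty` arguments let the same function be reused once controls are in place: a control that addresses half the risk halves the product, and a 10 percent uncertainty allowance adds it back proportionally.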

What is Risk Response?

Risk response is the process of developing strategic options and identifying actions that enhance
opportunities and reduce threats to the objectives of the project.

Plans Risk Response



Risk Management Plan: includes roles and responsibilities, risk analysis definitions,
timeframes for reviews, and risk thresholds for low, moderate and high risks.
Positive risks (opportunities) are situations that may bring great benefits if you take good
advantage of them.
The formal management strategies for responding to positive risks are as follows:
 Exploit: take proactive steps to make sure everything is in place to raise the
probability that the opportunity occurs.
 Share: allocate some or all of the ownership of the opportunity to a third party that is
best able to capture it for the benefit of the project.
 Enhance: increase the likelihood of the opportunity, or the size of its positive
impact.
 Accept: take no special action; typically applied to low-priority opportunities or to those
that are costly to pursue.

Negative risks or threats

The four basic strategies for dealing with negative risks or threats are as follows:
 Mitigate: attempts to reduce the impact of a successful attack through planning and
preparation, rather than preventing the attack itself.
 Transfer: attempts to shift the risk to other assets, processes or
organizations (for example, by outsourcing or insurance).
 Accept: the decision to do nothing further to protect a vulnerability and to
accept the outcome of its exploitation. This may or may not be a deliberate business
decision.
 Avoid: acts to eliminate the threat, or to protect the project from its impact, by applying
safeguards.

Protecting Physical Security

 HVAC: heating, ventilation and air conditioning; it keeps computing equipment within its
temperature and humidity limits.

 Fire suppression: fire is a danger to any organization. It often results from
improperly maintained electrical equipment.
 EMI shielding: shielding against electromagnetic interference (EMI) is necessary for both
power distribution cables and network communication cables.
 Proper lighting: although lighting is not a sufficient deterrent on its own, it can be used to
discourage intruders and prowlers.
 Signs: signs are used to display security warnings and to indicate that security cameras are
in use.
 Video surveillance: video surveillance and closed-circuit television (CCTV).
 Access list: a list of all visitors should be kept so that, when an incident
occurs, everyone on site can be accounted for and perpetrators can be traced.

Choosing Countermeasures

 Patch identified exploitable bugs in applications

 Build and enforce organizational and access control (data and system) procedures
 Provide encryption capabilities
 Improve physical protections
 Disconnect untrusted networks

Risk Management and Risk Control

Project risk monitoring and control is where you keep track of how the risk
responses are being carried out against the schedule, and where newly identified project risks are
handled.



Functions of risk management:

– Identify events that can directly affect project outputs.

– Give a qualitative and quantitative weight to the probability and consequences of an
event that can affect the result.
– Generate alternative execution paths for events that are outside your control or
impossible to remedy.
– Implement an incremental process for identifying, qualifying, quantifying and
responding to new risks.

Make sure that you provide a response plan for each identified risk. It is of little use if the risk
becomes a reality and you have no alternative execution path or other
contingency plan.

Main inputs to effectively monitor and control risks:

– Risk management plan
– Risk register / risk tracker
– Risk response plan
– Project communications
– New risk identification
– Scope changes

Business Continuity Management (BCM)

 Business Continuity Plan (BCP)

– A BCP is a plan to keep business processes running even when an accident or emergency
occurs.
– Organizations should analyze all such potential risks and prepare a BCP to ensure an
effective response if a danger becomes a reality.
– When developing a BCP, all threats that might stop regular business should be identified.
The next step is to determine the most critical activities required for continuity of operations.
 Who are the people needed, and what resources and knowledge are required to
maintain operations?
 The BCP should include a list of key executives and their contact details.
 There should be data backups and disaster recovery guidelines.
 Disaster Recovery Plan (DRP)
 A DRP is a documented, structured approach that describes how an organization can
quickly resume work after an unplanned incident.
 The objective of the DRP is to help an organization recover from data loss and restore system
functionality so that it can operate after an incident, even if at a minimal level.
 The step-by-step plan consists of precautions to minimize the effects of a disaster, so
that the organization can continue to function or quickly resume mission-critical functions.
 Disruptions include extreme weather events, criminal activity, civil unrest or terrorism,
organizational disruption and application failures.

Backing up Data - Why is it important?

Backing up data allows you to retrieve data you have lost. It is like hitting the rewind
button and returning your computer to the state it was in before the accident took place.

Data Backup – What to Back Up?

So how do we identify the files that need backing up, and where do we find them? As a rule of
thumb, the files you create are the ones you are expected to back up. System files, operating
system directories, installed programs and temporary files generally do not need to be backed up,
because they can be reinstalled.

Backup Frequency



Backup frequency depends on how often your files change. If you update and save your
documents regularly, back them up at least once a day. In some cases,
files (such as data logs) may be updated several times a day, in which case a backup process
designed for real-time (continuous) backups is more suitable.

Where to back up your data?

The choice of media depends on several factors, including backup size, setup complexity,
portability, security requirements, budget, and whether the backup is kept on-site or off-site.

Some Example:

 External hard drives
 USB flash drives
 Network Attached Storage (NAS)
 Cloud backup
 FTP/FTPS/SFTP

Different Backup and Recovery Types

The types of backup available to IT personnel include:

 Full backup: all data is copied to another location in a complete data or device backup.
 Incremental backup: copies only the data that has changed since the most recent backup
of any type (full or incremental), so a restore needs the last full backup plus every
incremental taken since it.
 Differential backup: similar to an incremental backup, but each run copies all data
that has changed since the last full backup, so a restore needs only the last full backup
plus the latest differential.
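The three backup types above, simulated in Python as an added example (not the module's own code). A constructed four-day file history is backed up with each strategy, then restored, so the trade-off becomes visible: incremental sets are smallest but a restore must replay every one of them in order, while a differential restore reads only the full backup and the latest differential. Files are modelled as a path-to-content dictionary and deletions are deliberately not tracked.

```python
from typing import Dict, List, Tuple

# Added example (not from the module): simulating full, incremental and
# differential backups over a constructed four-day file history, and
# restoring from each, so the trade-off between backup size and restore
# chain length is visible. Files are modelled as path -> content.

Files = Dict[str, str]

# Constructed history: day 0 is when the full backup is taken.
HISTORY: List[Files] = [
    {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"},                 # day 0
    {"a.txt": "a2", "b.txt": "b1", "c.txt": "c1"},                 # day 1: a changed
    {"a.txt": "a2", "b.txt": "b2", "c.txt": "c1", "d.txt": "d1"},  # day 2: b changed, d added
    {"a.txt": "a3", "b.txt": "b2", "c.txt": "c1", "d.txt": "d1"},  # day 3: a changed again
]

def changed_since(current: Files, reference: Files) -> Files:
    """Files that are new or modified relative to the reference state.
    (Deletions are not tracked in this simplified model.)"""
    return {p: c for p, c in current.items() if reference.get(p) != c}

def plan_backups(history: List[Files], strategy: str) -> List[Files]:
    """history[0] is always captured as a full backup; later days follow
    the strategy: "full", "incremental" (changes since the previous backup
    of any kind) or "differential" (changes since the last full backup)."""
    if strategy not in ("full", "incremental", "differential"):
        raise ValueError(f"unknown strategy {strategy!r}")
    full = history[0]
    backups = [dict(full)]
    previous = full
    for state in history[1:]:
        if strategy == "full":
            backups.append(dict(state))
        elif strategy == "differential":
            backups.append(changed_since(state, full))
        else:
            backups.append(changed_since(state, previous))
        previous = state
    return backups

def restore(backups: List[Files], strategy: str, day: int) -> Tuple[Files, int]:
    """Rebuild the files as of `day`. Returns (files, number of backup sets
    that had to be read); the second value is what matters when one set in
    the chain turns out to be lost or corrupt."""
    if strategy == "full":
        return dict(backups[day]), 1
    state = dict(backups[0])
    if day == 0:
        return state, 1
    if strategy == "differential":
        state.update(backups[day])          # full + latest differential only
        return state, 2
    for inc in backups[1:day + 1]:          # full + every incremental, in order
        state.update(inc)
    return state, day + 1

def backup_sizes(backups: List[Files]) -> List[int]:
    return [len(b) for b in backups]

if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        sets = plan_backups(HISTORY, strategy)
        files, pieces = restore(sets, strategy, 3)
        print(f"{strategy:12} files per set {backup_sizes(sets)}  "
              f"restoring day 3 reads {pieces} set(s), correct={files == HISTORY[3]}")
```

On this history the incremental sets hold 3, 1, 2 and 1 files, the differential sets 3, 1, 3 and 3, and the daily full backups 3, 3, 4 and 4; restoring day 3 reads four incremental sets, two differential sets or one full set. Losing any single incremental set breaks every restore after it, which is the practical reason to verify the whole chain, not just the latest set.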

Phases of incident response

Incident response is typically divided into six phases:

1) Preparation: preparation is as simple as making sure that you have a qualified incident
response team, either hired, on retainer, or at least someone's business card so you know
whom to call.
2) Identification: the incident is initially detected in any of a number of ways, which lets you
begin your response plan with only a vague idea of what the incident is. This
phase is intended to describe and clarify the incident so that the response is better informed.
It also involves an investigation into the extent, source and success or failure of the compromise.
3) Containment: containment occurs alongside identification, or directly
afterwards. Damaged systems are withdrawn from production, machines are
disconnected from the network, and compromised accounts are locked.
4) Eradication: eradication follows on from containment. Any damage found during
the identification phase is removed, and the weakness that was exploited is remediated.
5) Recovery: recovery is the restoration of lost data, the testing of the fixes made during
eradication, and the return to normal operations.
6) Lessons learned: this phase involves evaluating the steps taken
during each phase; strengthening both your incident response capability and your
security posture are the crucial outcomes of this process. The lessons learned
stage is about taking security seriously and working for improvement wherever
possible.

Activating the disaster recovery plan


Activation covers all the methods and procedures needed to ensure that the DRP can
be put into effect:
 Activation requirements. Identify the different disaster conditions that trigger plan
activation (depending on type, intensity, impact and duration).
 Evaluation methods. Assess the potential consequences of an incident to confirm that the
conditions for activation have been met.
 Authorization structures. To obtain sufficient approval for activation of the
plan, consider IT management personnel, business
management staff and company executives.
 Infrastructure activation. Ensure that sufficient resources and facilities are available
to support plan execution, including the site of the designated command center, where
most, if not all, of the "command and control" operations are conducted throughout the
disaster recovery phase.
 Communication protocols. Inform all workers and other interested parties (customers,
vendors, suppliers and the public) of all decisions and activities related to activation.

Guidelines for Activation Based on Event Analysis


One of the most critical steps in DRP activation is knowing whether activation is warranted. When
the activation procedures are prepared, the event analysis activities must be adequately
specified by answering the following questions:
1. Which types of events would cause the plan to be activated?
2. How will these incidents be assessed to ensure that plan activation is appropriate?
3. Who will be involved in the event evaluation process?
4. How will the assessment guidelines be conveyed to the right decision-makers?
5. Who needs to approve plan activation?
6. How many approvals are needed?
7. How will activation of the plan be communicated?

Primary Steps to Disaster Recovery


Steps to disaster recovery:
1. Ensure the safety of everyone
2. Contain the damage
3. Assess damage and launch recovery operations in accordance with DRP and BCP

Restore Damaged Systems


You must plan for rebuilding damaged systems.
 Know where to find configuration maps, inventory lists, backup software and data.
 Use access control lists to ensure that only authorized personnel can reach the restored systems.
 Update operating systems and software with the most recent patches before reconnecting them.
 Ensure that applications and operating systems are current and secure.
 Activate rules for access control, directories and remote access systems so that users can
reach the new systems.

Recovery Alternatives
Three choices are usually considered if a business (or part of it) has to be relocated for recovery:
 A dedicated business location, such as a secondary distribution center;
 Commercially leased facilities, such as hot sites or mobile facilities;

POST TEST:

Direction. Explain your own understanding of the questions given below.


1. Why do we need to study risk management?
2. How do you identify positive and negative risks?
3. What is the importance of risk assessment?
4. What are vulnerabilities?
5. Why do we need to know the maximum tolerable downtime?
6. Why is risk response important?
7. How do you counter a negative risk?
8. How do you exploit a positive risk?
9. What is the importance of backing up data?
10. What should you consider when choosing a backup medium?


Methods of sending your answers (offline) by hand delivery or courier:


1. Compile all your outputs accordingly and place them in a brown envelope.
2. Write your full name, course and section, and instructor's name on the back.
Ex. Juan Dela Cruz, Jr.
BS InfoTech 3A
RENE C. RADAZA, MSIT
3. Send your outputs through
 LBC, JRS Express, J&T, or hand delivery by your friends or peers, addressed to SLSU-Main, Brgy.
San Roque, Sogod, Southern Leyte, or submit it to the nearest SLSU-LGU Link; or
 Upload on Google Form https://forms.gle/rXcSphP4Vv3GbGbT7
For more information and concerns you may contact the following:

NAME OF INSTRUCTOR: Rene C. Radaza, MSIT
CONTACT NUMBER: 09283532237
FACEBOOK ACCOUNT: https://www.facebook.com/RadazaReneC

