Hackers of limited skill who use expertly written software to attack a system are known as

While assessing the security of an organization’s IT asset(s), ethical hackers aim to mimic an attacker. In doing so, they look for attack vectors against the target. The initial goal is reconnaissance: gathering as much information as possible about the target.

Once the ethical hacker has gathered enough information, they use it to look for vulnerabilities in the asset. They perform this assessment with a combination of automated and manual testing. Even sophisticated systems with complex countermeasure technologies may still be vulnerable.

They don’t stop at uncovering vulnerabilities. Ethical hackers use exploits against the vulnerabilities they find to prove how a malicious attacker could take advantage of them.

Some of the most common vulnerabilities discovered by ethical hackers include:

  • Injection attacks
  • Broken authentication
  • Security misconfigurations
  • Use of components with known vulnerabilities
  • Sensitive data exposure

After the testing period, ethical hackers prepare a detailed report. This documentation includes steps to compromise the discovered vulnerabilities and steps to patch or mitigate them.

Question 1 (Marks: 20)

Multiple-choice questions: Select one correct answer for each of the following. In your answer booklet, write down only the number of the question and next to it, the letter of the correct answer.

Q.1.1 Which type of security addresses the protection of all communications media, technology, and content? (2)
  (a) Information; (b) Network; (c) Physical; (d) Communications.

Q.1.2 Hackers of limited skill who use expertly written software to attack a system are known as which of the following? (2)
  (a) Cyberterrorists; (b) Script kiddies; (c) Jailbreakers; (d) Social engineers.

Q.1.3 Which of the following is used to direct how issues should be addressed and technologies used in an organisation? (2)
  (a) Policies; (b) Standards; (c) Ethics; (d) Governance.

Q.1.4 Risk identification is performed within a larger process of identifying and justifying risk controls, which is called which of the following? (2)
  (a) Risk assessment; (b) Risk management; (c) Risk control; (d) Risk identification.

Q.1.5 The method by which systems determine whether and how to admit a user into a trusted area of the organisation is known as which of the following? (2)
  (a) Attribute; (b) Accountability; (c) Access control; (d) Auditability.

Q.1.6 Which of the following is an event that triggers alarms when no actual attacks are in progress? (2)
  (a) Evasion; (b) False positive; (c) False attack stimulus; (d) False negative.

Q.1.7 Which of the following terms is used to describe the information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext? (2)
  (a) Cipher; (b) Code; (c) Cleartext; (d) Key.

Q.1.8 Which community of interest is responsible for the security of the facility in which the organisation is housed and the policies and standards for secure operation? (2)
  (a) General management; (b) IT technicians; (c) IT management; (d) Information security management.

Q.1.9 Which of the following delivers documented instructions to the individuals who are executing the implementation phase? (2)
  (a) Project plan; (b) Milestone; (c) Resources; (d) Project scope.

Q.1.10 Which of the following is defined as the direct connection of two or more information systems for sharing data and other information resources? (2)
  (a) System interconnection; (b) Process interconnection; (c) Resource interconnection; (d) Resource interconnection.

Question 2 (Marks: 20)

Fully understanding the role and responsibility of information security is essential in the context in which it is applied. The world is getting smaller and slowly becoming remotely controlled. People, hardware, software, network and data, which constitute the components of an information system, are shifting their focus toward a wide and integrated global system approach with all the risk therein. Therefore, understanding the level and presence of threat, vulnerability and risk associated with high levels of consumption of electronic data is of paramount importance. The IT security goal is to always be a step ahead of potential danger while maintaining a clear balance between supporting core business functions and protecting them against adverse effects.

From the above statement, please answer all the following questions:

Q.2.1 Distinguish between a threat agent and a threat. (5)

Q.2.2 Distinguish between vulnerability and exposure. (5)

Q.2.3 Discuss how infrastructure protection (assuring the security of utility services) is related to information security. (5)

Q.2.4 Identify the three components of the C.I.A. triad and describe what they are used for. (5)

Question 3 (Marks: 20)

An attack on any IT infrastructure may happen at any time, anywhere and from an unknown location; from man-made disaster to natural calamity, business continuity must be ready and implemented.
One of the roles of an IT chief security officer will be to prepare for any adverse effect months and years in advance; for that reason, day-to-day operations are approached as if an attack were imminent, with the worst-case scenario in mind at all times. Planning for IT security is time consuming and constantly stressful, yet some senior executives might not fully understand the role played by such an individual.

Based on the above statement, as if you were speaking to an executive, please answer the following questions:

Q.3.1 Explain how a security framework can assist in the design and implementation of a security infrastructure. (4)

Q.3.2 Describe what information security governance is. Who in the organisation should plan for it? (5)

Q.3.3 Discuss the issues associated with adopting a formal information security framework or model. (5)

Q.3.4 In terms of IT security, briefly describe management, operational, and technical controls by explaining when each would be applied as part of a security framework. (6)

Question 4 (Marks: 20)

IT risk management can be defined as a comprehensive approach to IT security and risk management within an overall model for business risk management. It identifies the security-related business processes that must be supported and safeguarded, and provides guidance on security objectives, security posture, and security architecture alternatives within the context of a particular business or related subsidiaries.

With the above in mind, please answer the following questions:

Q.4.1 Explain what value an automated asset inventory system has during risk identification. (5)

Q.4.2 Define what vulnerabilities are and how they are identified. (5)

Q.4.3 List and describe five strategies for controlling IT risk. (10)

Question 5 (Marks: 20)

When it comes to IT risk management, protecting an organisation from internal and external mass or targeted attacks takes more than sourcing a well-experienced and knowledgeable IT risk manager. The availability of sophisticated IT hardware and software systems such as firewalls, VPNs and access control can play a pivotal role in the success or failure of an established organisation's IT system. However, such equipment does not remove the need to understand the conditions under which these systems must be set up and operated in order to be effective and efficient.

With the above statement in mind, please answer the following questions:

Q.5.1 Explain how an application layer proxy firewall is different from a packet-filtering firewall. (5)

Q.5.2 Describe how static filtering is different from dynamic filtering of packets. (5)

Q.5.3 Explain the conceptual approach that should guide the creation of firewall rule sets. (3)

Q.5.4 Define the term “Unified Threat Management” and explain why it might be a better approach than single-point solutions that perform the same functions. (5)

Q.5.5 Describe what the primary technical value of a network firewall is. (2)

Question 6 (Marks: 20)

Many large corporations with significant dependency on intellectual property and personally identifiable information are struggling to protect their data. Improvements in attacker proficiency, increasing numbers of analytics systems storing sensitive data, and continually evolving risks with cloud computing, mobility and outsourcing make defence capabilities difficult to build and maintain. Information security leaders must apply both their expertise and influence wisely: identifying and targeting the high-priority areas with maximum business impact and invoking the necessary implementation resources and tools. You, as an IT service provider, can help tailor an organisation's information security plan to an acceptable risk level if risk cannot be eradicated completely.

Based on your existing organisational and information security knowledge, answer the following questions:

Q.6.1 Identify and describe at least five factors that are likely to shift an organisation’s information security environment. (10)

Q.6.2 List and describe the five domains of the general security maintenance model. (10)

What type of software do hackers use to steal sensitive information?

A keylogger is a type of spyware and is one of the most common and dangerous types of malware used to steal sensitive data. Software companies legitimately use keylogger software to get feedback for development improvements, but it is also used maliciously by hackers to steal data.

Which type of attacker will hack systems to conduct terrorist activities via network or Internet pathways?

Cyberterrorists hack systems to conduct terrorist activities via network or Internet pathways.

What is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker?

Principles of information security.

What is an act that takes advantage of a vulnerability to compromise a controlled system?

A computer exploit, or exploit, is an attack on a computer system, especially one that takes advantage of a particular vulnerability the system offers to intruders. Used as a verb, exploit refers to the act of successfully making such an attack.