King’s College London
This paper is part of an examination of the College counting towards the award of a degree. Examinations are governed by the College Regulations under the authority of the Academic Board.
Degree Programmes
Module Code Module Title Examination Period
MSc, MSci
7CCSMSEM
Security Management January 2019 (Period 1)
Time Allowed Two hours
Rubric ANSWER ALL QUESTIONS.
ANSWER EACH QUESTION ON A NEW PAGE OF YOUR ANSWER BOOK AND WRITE ITS NUMBER IN THE SPACE PROVIDED.
Calculators Calculators may be used. The following models are permitted: Casio fx83 / Casio fx85.
Notes Books, notes or other written material may not be brought into this examination.
PLEASE DO NOT REMOVE THIS PAPER FROM THE EXAMINATION ROOM
TURN OVER WHEN INSTRUCTED 2019 King’s College London
Question One
a. What is Information Security and what is its primary focus?
[4 marks]
b. What is a threat, vulnerability, risk and impact?
[4 marks]
c. What is a policy and procedure? And how are they different?
[4 marks]
d. What is an anti-virus and firewall? And how are they different?
[4 marks]
e. What is a man in the middle attack and what technical control can prevent it?
[4 marks]
f. What is Residual Risk? Why is it useful to consider it?
[4 marks]
g. Name 8 assurance techniques that can be used for vulnerability assessments.
[4 marks]
h. What are the differences between qualitative and quantitative risk assessment?
[4 marks]
i. What is a Market for Lemons and how does it apply to security economics?
[4 marks]
j. What does compliance with ISO27001 mean? Does it certify the state of security of an organisation? Explain.
[4 marks]
Question Two
GANT is an organisation with over 100,000 members world-wide; it operates in 42 countries and its ultimate goal is to preserve the natterjack toad. Over the past year, GANT's website has suffered several cyberattacks and this has led to usernames, passwords and credit card details for many members being leaked on the internet. To prevent further cyberattacks, GANT is ready to make information security a top priority amongst its workforce and third-party contractors and has already put in place a chief information security officer (CISO).
a. What is the purpose of a chief information security officer (CISO)?
[6 marks]
b. Identify and explain four new security roles that will need to exist in GANT in addition to the CISO.
[12 marks]
c. The C-level executives at GANT believe cloud computing can be used to help protect against cyber attacks.
What is cloud computing and why is it useful? What are the legal implications and security risks if the organisation relies on cloud computing for their infrastructure?
[12 marks]
Question Three
SEM Ltd. is a company that operates an online service 24/7, every day of the year, serving 10,000 customers all over the world. SEM Ltd. has suffered 90 Denial of Service (DoS) attacks since it started operating 3 years ago. Each time such an attack happens it causes losses of £1 per customer, as the service is unavailable to customers until SEM Ltd.'s IT team manages to relaunch the online platform.
a. What is the Annualized Rate of Occurrence (ARO) for this risk?
[3 marks]
b. What is the Annual Loss Expectancy (ALE) for this risk?
[6 marks]
c. If an off-the-shelf DoS mitigation appliance costs £50,000 per year, what type of risk treatment would you recommend? Explain why and include the specific name of the risk treatment type, together with the particular action recommended for this risk.
[4 marks]
d. If the off-the-shelf DoS mitigation appliance costs £300,000 per year, what type of risk treatment would you recommend? Explain why and include the specific name of the risk treatment type, together with the particular action recommended for this risk.
[6 marks]
e. If the off-the-shelf DoS mitigation appliance costs £300,000 per year and SEM Ltd. would like to maintain customer confidence, what type of risk treatment would you recommend? Explain why and include the specific name of the risk treatment type, together with the particular action recommended for this risk.
[6 marks]
f. Beyond DoS attacks, SEM Ltd. seems to have received other types of attacks too. In order to know more about who might be interested in attacking them, they have hired the company Testers Ltd. to perform a Threat Assessment. This will hopefully inform them of the Threat Agents that might be interested in attacking them. Imagine that you are Testers Ltd.: what are the characteristics you would need to study for each Threat Agent to characterise them? Enumerate and explain them.
[5 marks]
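The ARO, SLE and ALE formulas behind parts a to e of Question Three, carried through on the scenario's figures, as an added worked example in Python; it is not part of the exam paper or its marking scheme. The figures (10,000 customers, 90 attacks in 3 years, £1 per customer per attack) come from the question. The residual ARO after a control, the insurance premium, and the decision rule in `treatment()` (mitigate when the control removes more annual loss than it costs; otherwise accept, or transfer/mitigate when customer confidence rules out accepting the loss) are assumptions made for the example, not the paper's.

```python
"""Quantitative risk assessment: ARO, SLE, ALE and a cost/benefit treatment rule.

Added worked example; not part of the exam paper or its marking scheme.
Scenario figures are from the question; residual ARO, insurance premium
and the treatment rule are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    incidents: int        # incidents observed over the window (90 DoS attacks)
    years: float          # length of the observation window in years (3)
    loss_per_unit: float  # loss per affected unit per incident (£1 per customer)
    units: int            # units affected per incident (10,000 customers)

    @property
    def aro(self) -> float:
        """Annualized Rate of Occurrence: incidents per year."""
        return self.incidents / self.years

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss from one incident (£)."""
        return self.loss_per_unit * self.units

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: ARO x SLE (£ per year)."""
        return self.aro * self.sle


def control_benefit(risk: Risk, annual_cost: float, residual_aro: float = 0.0) -> float:
    """Net annual benefit of a control that reduces ARO to residual_aro.

    Standard cost/benefit test: (ALE before - ALE after) - annual cost of control.
    residual_aro defaults to 0 (control stops every attack), which is an
    assumption; a real appliance leaves some residual rate.
    """
    ale_after = residual_aro * risk.sle
    return (risk.ale - ale_after) - annual_cost


def treatment(
    risk: Risk,
    control_cost: float,
    residual_aro: float = 0.0,
    insurance_premium: Optional[float] = None,
    must_keep_confidence: bool = False,
) -> str:
    """Pick a treatment type: 'mitigate', 'accept' or 'transfer' (assumed rule).

    - mitigate: the control removes more annual loss than it costs.
    - accept:   it does not, and the organisation can live with the loss.
    - transfer: it does not, but accepting the loss is not an option
                (customer confidence); buy insurance if its premium is below
                the ALE, otherwise mitigate anyway despite the cost.
    """
    if control_benefit(risk, control_cost, residual_aro) > 0:
        return "mitigate"
    if must_keep_confidence:
        if insurance_premium is not None and insurance_premium < risk.ale:
            return "transfer"
        return "mitigate"
    return "accept"


# Scenario from the question: 90 attacks in 3 years, £1 x 10,000 customers each.
SEM = Risk(incidents=90, years=3, loss_per_unit=1.0, units=10_000)

if __name__ == "__main__":
    print(f"ARO = {SEM.aro:.0f} attacks/year")
    print(f"SLE = £{SEM.sle:,.0f} per attack")
    print(f"ALE = £{SEM.ale:,.0f} per year")
    for cost in (50_000, 300_000):
        print(f"appliance at £{cost:,}/year -> benefit £{control_benefit(SEM, cost):,.0f}, "
              f"treatment: {treatment(SEM, cost)}")
    # Assumed premium of £120,000/year for the customer-confidence variant.
    print("£300,000/year, must keep confidence, insurance at £120,000 ->",
          treatment(SEM, 300_000, insurance_premium=120_000, must_keep_confidence=True))
```

Note the boundary case in part d: when the control's annual cost equals the ALE the net benefit is exactly zero, so on the numbers alone it is not cost-justified, and the choice between accepting the loss and transferring it turns on non-financial factors such as the customer confidence raised in part e.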