
—— SOLUTIONS ——
King’s College London
This paper is part of an examination of the College counting towards the award of a degree. Examinations are governed by the College Regulations under the authority of the Academic Board.
Degree Programmes: MSc, MSci
Module Code: 7CCSMSEM
Module Title: Security Management
Examination Period: January 2019 (Period 1)
Time Allowed: Two hours
Rubric: ANSWER ALL QUESTIONS.
ANSWER EACH QUESTION ON A NEW PAGE OF YOUR ANSWER BOOK AND WRITE ITS NUMBER IN THE SPACE PROVIDED.
Calculators: Calculators may be used. The following models are permitted: Casio fx83 / Casio fx85.
Notes: Books, notes or other written material may not be brought into this examination.
PLEASE DO NOT REMOVE THIS PAPER FROM THE EXAMINATION ROOM
TURN OVER WHEN INSTRUCTED © 2019 King’s College London

January 2019 7CCSMSEM
Question One
a. What is Information Security and what is its primary focus?
[4 marks]
Answer
Syllabus: Security concepts and fundamentals
The practice of preventing unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It focuses on confidentiality, integrity and availability of information.
Marking scheme
2 marks for the definition and 2 marks for the CIA triad.
b. What is a threat, vulnerability, risk and impact?
[4 marks]
Answer
Syllabus: Security concepts and fundamentals
Threat: A potential cause of an incident that may result in the harm to a system or organisation.
Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats.
Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation.
Impact: The result of an information security incident, caused by a threat, which affects assets.
Marking scheme
1 mark for each definition
c. What is a policy and procedure? And how are they different?
[4 marks]
Answer
Syllabus: Security policies.
Policy is a high-level statement of an organisation’s values, goals, and objectives in a specific area. A procedure is a set of detailed working instructions that describe what, when, how and by whom something should be done. They are different as a policy sets out the high-level goals and a procedure specifies how something can be done.
Marking scheme
1 mark for each definition. 2 marks for explaining the difference.
d. What is an anti-virus and firewall? And how are they different?
[4 marks]
Answer
Syllabus: Security Controls
A firewall is a network security system designed to prevent unauthorised access to or from a private network. An anti-virus scans all files on the computer to detect if they look like a known virus. The difference is that an anti-virus is concerned with finding malware and removing it. A firewall does not scan files, but it is designed to prevent unauthorised access from an external source.
Marking scheme
1 mark for each definition. 2 marks for explaining the difference.
e. What is a man in the middle attack and what technical control can prevent it?
[4 marks]
Answer
Syllabus: Security Controls
An attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. To prevent it, a secure communication channel must be established using cryptography and public key infrastructure.
Marking scheme
2 marks for the definition and 2 marks for explaining how to prevent it.
f. What is Residual Risk? Why is it useful to consider it?
[4 marks]
Answer
Syllabus: Risk Management.
Residual Risk is the risk left after treating an existing risk (e.g. implementing a security control as a countermeasure). It is useful to consider it to evaluate how much risk is left, as a 100% secure system is impossible to achieve.
Marking scheme
2 marks if residual risk is defined well, 2 marks if it is explained why it is useful correctly.
g. Name 8 assurance techniques that can be used for vulnerability assessments.
[4 marks]
Answer
Syllabus: Vulnerability Assessment.
Any of the following techniques will be accepted at least: Review of Documented Policies, Procedures, and Processes; Review of Client-Completed Self-Assessment Form; Architectural Review; Configuration Review; Source Code Review; Observations; Interviews; Penetration Test; Red Team Exercise; Vulnerability Scan; Social Engineering Testing; Static Analysis; Dynamic Analysis; Fuzzing; Formal Verification; Cryptographic Validation; Emanation Analysis; Witnessed Test; Public Review.
Marking scheme
0.5 marks per correct assurance technique named.
h. What are the differences between qualitative and quantitative risk assessment?
[4 marks]
Answer
Syllabus: Risk Assessment.
Quantitative risk assessment aims to produce reliable statistical evidence, with quantitative probabilities for risk likelihood and quantitative risk impact. A usual methodology is to calculate the annual loss expectancy, which includes the annual rate of occurrence and the single loss expectancy for each risk (ALE = ARO × SLE). Qualitative risk assessment avoids the over-simplification to numbers, which helps to draw together the apparently inconsequential bits of information. It considers qualitative probabilities and qualitative/quantitative impacts.
Marking scheme
1 mark for appropriate description of each risk assessment approach (x2), 2 marks if they highlight well the difference between the two.
i. What is a Market for Lemons and how does it apply to security economics? [4 marks]
Answer
Syllabus: Security Economics.
The ‘market for lemons’ was an example introduced by Akerlof (Nobel prize winner) in 1970 to explain the concept of asymmetric information in economics. It presents the following simple yet profound insight: suppose that there are 100 used cars for sale in a town: 50 well-maintained cars worth $2000 each, and 50 ‘lemons’ worth $1000. The sellers know which is which, but the buyers don’t. What is the market price of a used car? You might think $1500; but at that price no good cars will be offered for sale. So the market price will be close to $1000. This is one reason poor security products predominate. When users can’t tell good from bad, they might as well buy a cheap antivirus product for $10 as a better one for $20, and we may expect a race to the bottom on price.
Marking scheme
1 mark for relationship to asymmetric information, 1 mark for relationship with how good cyber security products might or might not be, 1 mark if the lemons example is explained well, 1 mark for an example of how it applies to security economics.
j. What does compliance with ISO27001 mean? Does it certify the state of security of an organisation? Explain.
[4 marks]
Answer
Syllabus: Standards and Compliance.
ISO27001 compliance means that the information security management process described by the ISO27000-series of standards is in place, but it does not certify the state of security an organisation has. That is, an organisation compliant with ISO27001 is not free from cyber security issues.
Marking scheme
2 marks for correctly stating what compliance means; 2 marks for explaining well why it does not certify the state of security of an organisation.
Question Two
GANT is an organisation with over 100,000 members world-wide, it operates in 42 countries and its ultimate goal is to preserve the natterjack toad. Over the past year, GANT’s website has suffered several cyberattacks and this has led to usernames, passwords and credit card details for many members being leaked on the internet. To prevent further cyberattacks, GANT is ready to make information security a top priority amongst its workforce and third-party contractors and has already put in place a chief information security officer (CISO).
a. What is the purpose of a chief information security officer (CISO)?
[6 marks]
Answer
Syllabus: Security Policies and Organisation
Responsible for protecting their organisation’s computers, networks and data against threats, such as security breaches, computer viruses or attacks by cyber-criminals.
Marking scheme
6 marks if they explain the purpose of a CISO well.
b. Identify and explain four new security roles that will need to exist in GANT in addition to the CISO.
[12 marks]
Answer
Syllabus: Security Policies and Organisation
Security Administrator. A person who manages the operation of a computer system or particular electronic communication service.
Security Auditor. A person who works with a company to provide an audit of security systems used by that company.
Security User. A person who interacts with a system, typically through an interface, to extract some functional benefit.
Incident Response Member. A person who interacts with a system, typically through an interface, to extract some functional benefit.
Security Champion. A person who is appointed to oversee that a security policy within their group is enforced and to report incidents to management.
Security Officer. A person employed by the organisation to protect the assets from a variety of hazards by enforcing preventative measures.
This is not an exhaustive list of possible roles.
Marking scheme
Up to 4 marks for each role, and up to 8 marks for an explanation of the role.
c. The C-level executives at GANT believe cloud computing can be used to help protect against cyber attacks.
What is cloud computing and why is it useful? What are the legal implications and security risks if the organisation relies on cloud computing for their infrastructure?
[12 marks]
Answer
Syllabus: Security Policies and Controls
Cloud computing is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer. It is useful as it allows a small company to gain access to powerful computers that would normally be out of reach.
Legal implications: They must consider the physical location of services (Data Protection Rules), access to information (the cloud provider can read all data), whether GANT can audit the cloud provider (verify that the cloud is keeping the data secure) and legal issues around the cloud provider’s sub-contractors.
Security Risks: Cloud providers can be hacked and the information leaked publicly. This is an example of risk-sharing: while the cloud provider is liable, the data leaked can still be embarrassing to the organisation. Also the data can be deleted/lost if the cloud provider suffers a crash and does not keep regular backups. Or the data might not be deleted completely when needed.
Marking scheme
4 marks for a definition of cloud computing and explaining why it is useful. 4 marks for explaining the legal implications and 4 marks for the security risks.

—— SOLUTIONS ——
January 2019 7CCSMSEM
Question Three
SEM Ltd. is a company that operates an online service 24/7 all days of the year serving 10,000 customers all over the world. SEM Ltd. suffered 90 Denial of Service (DoS) attacks since they started operating 3 years ago. Every time this attack happens, it causes loses of £1 per customer, as their services are not available to their customers until SEM Ltd.’s IT team manage to relaunch the online platform.
a. What is the Annualized Rate of Occurrence (ARO) for this risk?
[3 marks]
Answer
The Annualized Rate of Occurrence (ARO) is a business-friendly measure of the probability of occurrence of an event that measures how likely an event is to happen during a year. For this risk the ARO is 90/3 = 30 attacks/year.
Marking scheme
2 marks if they describe well what ARO is. 1 mark if they are able to calculate it correctly for this particular case.
b. What is the Annual Loss Expectancy (ALE) for this risk?
[6 marks]
Answer
The Annual Loss Expectancy (ALE) is a business-friendly measure of a risk in a quantitative risk assessment approach. It is calculated based on the annual rate of occurrence (ARO) and the single loss expectancy (SLE) for each risk. For this risk, the ARO is as above and the SLE is £10,000 (10,000 customers at £1 each per attack). Therefore, ALE = ARO×SLE = 30×10,000 = £300,000.
Marking scheme
2 marks if they describe well what ALE is. 2 marks if they identified the impact correctly. 2 marks if they are able to calculate the total ALE correctly for this particular case.
c. If an off-the-shelf DoS mitigation appliance costs £50,000 per year, what type of risk treatment would you recommend? Explain why and include the specific name of the risk treatment type, together with the particular action recommended for this risk.
[4 marks]
Answer
Given that the ALE for this risk is £300,000 and the off-the-shelf DoS mitigation appliance costs £50,000, the most reasonable risk treatment type is to reduce the risk by buying and installing the appliance.
Marking scheme
2 marks for identifying the name of the risk treatment type as reduce, 2 marks depending on the detail and correctness of the rationale given for explaining the treatment.
d. If the off-the-shelf DoS mitigation appliance costs £300,000 per year, what type of risk treatment would you recommend? Explain why and include the specific name of the risk treatment type, together with the particular action recommended for this risk.
[6 marks]
Answer
Given that the ALE for this risk is £300,000 and the off-the-shelf DoS mitigation appliance costs £300,000, the most reasonable risk treatment type is to accept the risk, as it will be costing the company the same. However, this is open to interpretation and one could think that other risk treatment options are possible. Alternative answers should be fine as long as the name of the particular risk treatment type suggested is correct, and there is a well-explained rationale to support it.
Marking scheme
2 marks for identifying the name of the risk treatment type; 4 marks depending on the detail and correctness of the rationale given for explaining the treatment.
e. If the off-the-shelf DoS mitigation appliance costs £300,000 per year and SEM Ltd. would like to maintain customer confidence, what type of risk treatment would you recommend? Explain why and include the specific name of the risk treatment type, together with the particular action recommended for this risk.
[6 marks]
Answer
Given that the ALE for this risk is £300,000, the off-the-shelf DoS mitigation appliance costs £300,000, and the fact that SEM Ltd. would like to maintain customer confidence, the most reasonable risk treatment type is to reduce the risk, as even if it may be costing the company the same, buying and installing the appliance will certainly improve user experience, which will help maintain customer confidence in the infrastructure. However, this is open to interpretation and one could think that other risk treatment options are possible. This should be fine as long as the particular risk treatment type name is identified and a well-explained rationale is given for this.
Marking scheme
2 marks for identifying the name of the risk treatment type; 4 marks depending on the detail and correctness of the rationale given for explaining the treatment.
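The ALE formula from Question One (h) and the treatment decisions of Question Three parts a to e, carried through as an added Python example that is not part of the exam paper: the Risk class and recommend function are assumed names, and the rule that a qualitative factor (customer confidence) overrides a zero net benefit is taken from the model answer to part e.

```python
"""Quantitative risk assessment for SEM Ltd.'s DoS risk (worked example, not
from the exam). Treatment rule follows the model answers: reduce when the
control costs less than the ALE, accept when it costs at least as much, unless
maintaining customer confidence tips the decision back to reduce."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    incidents: int            # incidents observed over the period
    years: float              # length of the observation period in years
    customers: int
    loss_per_customer: float  # loss per customer for one incident

    @property
    def aro(self) -> float:
        """Annualized Rate of Occurrence: incidents per year."""
        return self.incidents / self.years

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss caused by one incident."""
        return self.customers * self.loss_per_customer

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle


def recommend(risk: Risk, control_cost: float,
              customer_confidence: bool = False) -> tuple[str, float]:
    """Return (treatment, net benefit); assumes the control removes the whole ALE."""
    net_benefit = risk.ale - control_cost
    if net_benefit > 0 or customer_confidence:
        return "reduce", net_benefit   # buy and install the appliance
    return "accept", net_benefit       # live with the risk as it stands


# Figures from the question: 90 attacks in 3 years, 10,000 customers, £1 each.
SEM_DOS = Risk(incidents=90, years=3, customers=10_000, loss_per_customer=1.0)

if __name__ == "__main__":
    print("ARO", SEM_DOS.aro, "SLE", SEM_DOS.sle, "ALE", SEM_DOS.ale)
    for cost, conf in ((50_000, False), (300_000, False), (300_000, True)):
        print(cost, conf, recommend(SEM_DOS, cost, conf))
```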
f. Beyond DoS attacks, SEM Ltd. seem to have received other types of attacks too. In order to know more about who might be interested in attacking them, they have hired company Testers Ltd. to perform a Threat Assessment. This will hopefully inform them of the Threat Agents that might be interested in attacking them. Imagine that you are Testers Ltd., what are the characteristics you would need to study for each Threat Agent to characterise them? Enumerate and explain them.
[5 marks]
Answer
Threat agent characteristics:
Motivation – Why are they doing this?
Capability – Can they do it and to what level?
Catalyst – What set them off?
Inhibitors – What has/could put them off?
Amplifiers – What has/could push them on?
Marking scheme
1 mark for each correct characteristic and explanation.