Computer & Info Security Guidelines

This document is an assignment from Sri Lanka Institute of Advanced Technological Education for a computer and information security course. It provides instructions for a group assignment to prepare a general information security guideline for a mid-sized company with 1200 employees. The guideline should cover individual employee responsibilities, recommended policies and practices, and physical security considerations. It then provides a sample 3-paragraph general information security guideline that outlines the purpose, scope, and personal responsibilities of various employee roles to comply with information security standards.

Sri Lanka Institute of Advanced Technological Education

Advanced Technological Institute – Tangalle


Assignment No. 05
(Report on Computer & Information Security Guideline)

Operating System and Computer Security (2020 Semester 01)

Lecturer: G.R.C. Kumara

Group No:
#  Student Name (Coordinators)   Reg. No.              Email address used in Google Classroom   Contact Number
1  A. Lasith Rasanga             TAN/IT/2019/F/0004    [email protected]                          071 9610513
2  A.W. Janith Akalanka          TAN/IT/2019/F/0014    [email protected]                          0712619193
3  D.J. Hasini Kawshalya         TAN/IT/2019/F/0072    [email protected]                          0765914292
4  M. Ushadi Madushini           TAN/IT/2019/F/0069    [email protected]                          0763857854
5  N.G. Deepika Chathurani       TAN/IT/2019/F/0075    [email protected]                          0714718503

Instructions to follow:
• Please upload this Word file. Copying from other groups and one-to-one copying from web sites will lead to lower marks.
• You have been given 01 hour to read and understand the assignment.
• Total pages: around 10 pages.
• Your diagrams and tables, if any, should be clearly labelled.
• Use Times New Roman with font size 12.
• Titles: font size 14.
• Fill in the group list on or before 1.00 pm, 16th July 2021.
• This is a GROUP ASSIGNMENT (Max: 04 members).
• Duration: 72 Three Hours
• Start: 1.00 pm, 15th July 2021
• Deadline: 2.59 pm, 23rd July 2021

Question 1: [20% Marks]

Assume that you are the information security manager of your company. Your company is a mid-level one and has a web server, a database server and the other servers necessary for security. Currently around 1200 employees are working there. Prepare a general guideline for Information Security for the company.
Take the following matters into consideration:
1. Individual responsibility of each employee.
2. Recommended policies and best practices.
3. Physical security.
A general guide to information security

Purpose

These guidelines outline our company's information security practices regarding the confidentiality, integrity, and availability of our ICT infrastructure (systems and processes).

The purpose of these guidelines is to:

1. Set out the standards, procedures and guidelines required to implement the Company's information security practices;

2. Explain the company's information security procedures and control objectives;

3. Establish minimum requirements for the effective management of information security through youth training centers, based on risk;

4. Provide clear guidance to authorized users on the need to protect the Youth Training Center from misuse, modification, loss or disclosure of information assets;

5. Refer youth training centers to identify, assess and manage areas that do not support the objective of risk management for information assets;

6. Establish, implement, monitor, review and improve the security standards and procedures required to ensure that the Youth Training Centers' Information Security Management System (ISMS) documentation framework and business objectives are met.

Implementing the Information Security Management System (ISMS) Documentation Framework is the intention of the Youth Training Center, and the appropriate security measures are:

1. in place or planned; and

2. supported by industry guidelines, standards and procedures to ensure compliance.

Scope

These guidelines apply to all authorized users who own, manage, access or use Information and Communication Technology (ICT) services at Youth Training Centers.

These guidelines cover all:

1. Information and communication technology systems, data and information related to youth training center networks;
2. Youth Training Center systems;
3. Communications sent into or out of the Youth Training Center; and
4. Data belonging to youth training centers, on internal or off-campus systems.
The personal responsibility of each employee is as follows.

Account Administrator:

• People who support accounts by adding, modifying, or assigning account attributes such as passwords, access, and roles.

Account holder:

• The person or group to whom an account is assigned.

Application / Module Administrator:

• Ensures that the applications / modules comply with RIT information security standards.

Application Owner:

• Together with the application admin and the system administrator, ensures that the application is supported.

Business Continuity Office:

• Identifies processes / functions and provides guidance and assistance to process / function owners regarding important reports classified as particularly critical. Ensures that critical processes / tasks are included in the academic / business continuity planning system.

Data Owner:

• It is the responsibility of the data owner to establish standards / guidelines for granting and revoking access privileges.

End users:

• Ensure that all assigned RIT-owned or leased desktops and portable devices comply with the above minimum standards.

• Ensure that all portable media containing personal or confidential information comply with the minimum standards and with the information access and security standards.

• To improve compliance with the standards, end users can contact support staff such as system administrators. The burden of compliance with each standard is placed on each end user.

• Report the loss or compromise of portable media containing personal or confidential information in accordance with the computer incident handling standards.

• An end user with administrative rights or system-sharing capabilities is considered a system administrator.

System(s) Administrator:

• Members of an organization that supports IT services at the enterprise, division or departmental level. System administrators facilitate end-user privilege management in their area of responsibility, and Youth Training Centers implement operational procedures that comply with information security standards and guidelines.

• Ensures that all existing RIT portable media that contain personal or confidential information are configured to support the above minimum standards, or that their information holder is provided with an alternative risk management plan.

Systems, applications or webpage administrator:

Includes network and system administrators that support systems containing confidential or personal information. They:

• Implement IT access controls based on the IT Information Security Standards;

• Confirm the transfer of data rights from outgoing or former employees or contractors to current employees or contractors;

• Provide technical support for information integrity, business continuity, and the retirement or destruction of electronic data.

System Owner:

• The system owner is ultimately responsible for providing the system's services / activities to the campus. Often the system owner is a manager / director, department head or CEO. It is the responsibility of the system owner to ensure that the operating procedures comply with the standards / guidelines set by the data owner.

Third party:

• Complies with any RIT management regulations relating to the information access and security standards and the handling of confidential or personal information. Access to confidential or legally regulated information is granted only when specifically permitted.

Web System Administrator:

• The person responsible for certifying that the host providing web services and applications complies with the standards. This person ensures that all web servers are configured to support the minimum standard.

Volunteers:

• Includes loosely affiliated non-employees such as trustees, agents, members of affiliate groups, etc. Volunteers comply with this standard and with any RIT management order regarding the handling of confidential or personal information. Volunteers have limited access to confidential or personal information.

Web Services / Application Administrator:

• The person responsible for administering a web service or application. This person ensures that all web services and applications (including web tools) are configured to support the minimum standard. The Web Services / Application Administrator is responsible for ensuring that third-party applications comply with the standard.

Web Content Administrator:

• The person responsible for developing and administering the content of a web service or application.

Recommended policies

Password / PIN Policy:

• Creating a password and personal identification number (PIN) policy helps ensure that employees create their logins or credentials securely. The general guideline is not to use birthdays, names, or other readily available information.

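As an added illustration of the policy above (example code written for this page, not part of the original assignment), the following Python function checks a proposed password against the rule that birthdays, names and other readily available information must not appear in it, together with a minimum length, a character-class check and a repeated-pattern check. The user record, the 12-character minimum and the three-class rule are assumptions chosen for the example.

```python
import re
from datetime import date

# Constructed sample user record (not taken from the original document).
SAMPLE_USER = {
    "username": "jperera",
    "full_name": "Janith Perera",
    "birthday": date(1995, 7, 16),
}

MIN_LENGTH = 12          # assumed policy minimum
MIN_CLASSES = 3          # assumed: at least three of lower/upper/digit/symbol


def _personal_tokens(user):
    """Readily available strings that must not appear inside the password."""
    tokens = {user["username"].lower()}
    for part in user["full_name"].lower().split():
        if len(part) >= 3:
            tokens.add(part)
    bday = user["birthday"]
    tokens.update({
        bday.strftime("%Y"),        # 1995
        bday.strftime("%d%m"),      # 1607
        bday.strftime("%m%d"),      # 0716
        bday.strftime("%d%m%Y"),    # 16071995
        bday.strftime("%Y%m%d"),    # 19950716
    })
    return sorted(tokens)           # sorted so reports are deterministic


def check_password(password, user):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    for token in _personal_tokens(user):
        if token in lowered:
            problems.append(f"contains personal information: {token!r}")
    # A short unit repeated to fill the length ('abcabcabcabc') gives little entropy.
    if re.fullmatch(r"(.{1,3})\1+", password):
        problems.append("is a repeated pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["Janith2021!x", "Tangalle#River-42", "16071995abc", "abcabcabcabc"]:
        verdict = check_password(candidate, SAMPLE_USER)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The checker reports every violation rather than stopping at the first, so the user sees at once why a choice was rejected; the personal-information tokens are derived from the directory record at check time rather than stored as a list.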
Device control:

• To control access to computers, proper access systems must be installed for computers, tablets, and smartphones. The methods can include access card readers, passwords, and PINs.

• Devices must be locked when the user leaves. Access cards should be removed, and passwords and PINs should not be written down or stored in accessible locations.

Internet / Web Usage:

• Internet access in the workplace should be restricted to business purposes only. Not only does personal web use tie up resources, it also introduces the risk of viruses and allows hackers to access information.

• Business email should only be done through the company's email clients, unless your business is built around a model that does not allow it.

Encryption & Physical Security:

• You may want to develop encryption procedures for your information. If your business has information such as customer credit card numbers stored in a database, encrypting the files provides additional security.

Security Policy Reporting Requirements:

• Employees need to understand what they should report, how they should report it and to whom it should be reported. Clear instructions should be published. The policy should include training and ensure that all employees understand the reporting procedures.
Best practices

Data protection:

• Use encryption for data in transit and at rest, and set user permissions so that only people who are authorized can read, add, modify, or delete data in your records (or fields in the data records). Also consider enabling DLP (Data Loss Prevention) tools, which can track what data is going where and block unauthorized data flows.

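The DLP part of the practice above can be made concrete with a small content inspector. The Python code below is an added example written for this page (it is not from the original assignment or from any DLP product): it scans constructed outbound messages for payment card numbers using a digit pattern plus the Luhn checksum, so that ticket or ID numbers of similar length are not blocked, and returns an allow/block verdict with the card number masked. The message texts and the 13–19 digit range are assumptions made for the example.

```python
import re

# Constructed sample outbound messages (not from the original document).
SAMPLE_MESSAGES = [
    "Hi, the invoice total is 1200 and the ticket id is 4000123456789.",
    "Card on file: 4111 1111 1111 1111, exp 12/26",
    "Customer NIC 199512345678, please update the record",
    "Order 5105-1051-0510-5100 shipped today",
]

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate):
    return re.sub(r"[ -]", "", candidate)


def find_card_numbers(text):
    """Return the card numbers (digits only) found in text that pass the Luhn check."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_card_numbers(text):
    """Mask every Luhn-valid card number, keeping only the last four digits."""
    def _mask(m):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # ticket/ID numbers that fail Luhn are left alone
    return _CANDIDATE.sub(_mask, text)


def inspect_message(text):
    """Return ('block', redacted_text) when a card number is present, else ('allow', text)."""
    if find_card_numbers(text):
        return "block", redact_card_numbers(text)
    return "allow", text


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, shown = inspect_message(msg)
        print(f"{verdict:5}  {shown}")
```

The Luhn check is what keeps the false-positive rate usable: the 13-digit ticket id and the 12-digit NIC in the samples are never masked, while both card numbers (written with spaces and with hyphens) are caught. A real DLP deployment would log the blocked message's metadata, not its content, and would add detectors for the other data classes the company handles.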
Restrict access:

• Focus on strong passwords, and consider two-factor authentication.

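Both this practice and the Type 7 (password attack) precautions in Question 2 recommend account lockout and a second factor. The Python code below is an added example, not part of the original report: an in-memory account store with salted PBKDF2 password hashing, a freeze after five invalid attempts, and an RFC 6238 time-based one-time code (TOTP, HMAC-SHA1, 30-second step) as the second factor. The user names, the Base32 secret, the thresholds and the lockout duration are constructed for the example; a production system would keep the records in a database.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

MAX_FAILURES = 5            # assumed: invalid attempts before the account is frozen
LOCKOUT_SECONDS = 15 * 60   # assumed: how long the freeze lasts
PBKDF2_ROUNDS = 100_000


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AccountStore:
    """In-memory user store with lockout and a TOTP second factor."""

    def __init__(self):
        self.users = {}

    def add_user(self, username, password, totp_secret):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "totp_secret": totp_secret,
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, username, password, code, now=None):
        """Return 'ok', 'locked', 'bad-password', 'bad-code' or 'unknown-user'."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return "unknown-user"
        if now < user["locked_until"]:
            return "locked"                     # frozen: do not even check the password
        expected = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(expected, user["hash"]):
            return self._record_failure(user, now, "bad-password")
        # Accept the current step and the previous one to tolerate small clock drift.
        valid = {totp(user["totp_secret"], now), totp(user["totp_secret"], now - 30)}
        if not any(hmac.compare_digest(code.encode(), c.encode()) for c in valid):
            return self._record_failure(user, now, "bad-code")
        user["failures"] = 0                    # successful login clears the counter
        return "ok"

    def _record_failure(self, user, now, reason):
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failures"] = 0
            return "locked"
        return reason


if __name__ == "__main__":
    # Constructed demo: the RFC 4226/6238 test secret, not a real credential.
    store = AccountStore()
    store.add_user("alice", "correct horse battery", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = time.time()
    print("current code:", totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", now))
    print(store.login("alice", "correct horse battery", totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", now), now))
    for _ in range(MAX_FAILURES):
        print(store.login("alice", "wrong", "000000", now))
```

A wrong one-time code counts towards the lockout just like a wrong password, so an attacker who has the password cannot cycle through the one million six-digit codes; the lockout itself is time-limited rather than permanent so that a burst of bad guesses cannot be used to deny the real user access for good.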
Keep audit trails:

• This applies to anyone who uses your devices, across all data access points, and to administrative changes to software and systems.

Be physically safe:

• Make sure that any web servers and repositories on site are placed behind a locked door.

Secure all WiFi:

• Your office (wireless) network must be secured.

Training and Encouraging Employees on Basic IT Security:

• Prepare basic guidelines for appropriate use, and have employees read and sign them.
Physical safety

Close and / or lock office doors when you are away:

• This increases the physical security of your computer and computer peripherals, makes it difficult to install any unauthorized malware or devices, and reduces the likelihood of theft. If you have sensitive data on paper, CDs, DVDs, or external hard drives, make sure they are out of sight, preferably in a locker with the key removed.

Keep your backups, external hard disks and media in safe areas:

• If your data is encrypted and stored on portable media, make sure access to that media is limited.

• Keep external hard drives, USB drives and CDs / DVDs out of sight, preferably in a locked container, if they hold sensitive information.

Install and use only hardware from reputable sources:

• Computer hardware (e.g. cables and keyboards) can be modified to spy on keyboard activity.

• These are called "key loggers" because they log what is typed on a keyboard. The goal is usually to capture usernames and passwords.

Beware of connecting unknown devices to your computer:

• One method of attack is to leave a USB drive near the target's workplace, home or vehicle. The target may find it and connect it to their computer to identify its owner; by doing so they may accidentally or intentionally install malicious software stored on the USB drive.

Lock your computer screen when you are away and use a password-protected screen saver:

• If your computer is running and you are logged in, any intruder can pretend to be you and do whatever you normally would. This can be as minor as posting a funny but fake Facebook update, or as serious as permanently deleting all your files and pictures.
Question 2: [15% Marks]
Classify security attack types, list security attacks and prevention methods and tools
according to the following table.
Eg: Google Search "classification of computer and network security attacks"

Columns: # / Type of Security Attack | Name of Security attack | Precaution methodology | Security tools available

Type 1: Malware

  Viruses
    Precaution methodology:
      • Antivirus software must be installed on the computer.
      • The firewall of the computer network must be kept active.
      • If it is a public computer or a computer on a public network, access to the USB ports should be restricted.
      • The use of flash memory on public computer networks should be limited as much as possible.
    Security tools available: antivirus software, antimalware software

  Trojans
    Precaution methodology:
      • Avoid using cracked software.
      • Torrent downloads should be limited as much as possible.
      • Use of software downloaded from unknown websites should be restricted as much as possible.
    Security tools available: Trojan removal tools

  Worms
    Precaution methodology:
      • Anti-malware must be used.
      • Be careful when opening messages received from unknown email addresses.
      • If it is a public computer or a computer on a public network, access to the USB ports should be restricted.
      • The use of flash memory on public computer networks should be limited as much as possible.
    Security tools available: antimalware software, anti-worm software

  Ransomware
    Precaution methodology:
      • Avoid using cracked software.
      • Torrent downloads should be limited as much as possible.
      • Use of software downloaded from unknown websites should be restricted as much as possible.
      • Be careful when opening messages received from unknown email addresses.
    Security tools available: antimalware software

  Spyware
    Precaution methodology:
      • Anti-malware must be used.
      • Be careful when opening messages received from unknown email addresses.
      • If it is a public computer or a computer on a public network, access to the USB ports should be restricted.
      • The use of flash memory on public computer networks should be limited as much as possible.
      • Avoid using cracked software.
      • Torrent downloads should be limited as much as possible.
      • Use of software downloaded from unknown websites should be restricted as much as possible.
      • Care should be taken when giving device access to highly personal devices such as phones.

Type 2: Phishing

  Spear Phishing
    Precaution methodology:
      • Be wary of emails from unknown addresses.
      • Be careful when chatting with strangers.
      • The firewall must be kept active.
      • It is important to have anti-malware installed, as the attacker can install malware remotely.
    Security tools available: firewalls and antimalware

  Whaling
    Precaution methodology:
      • Be wary of emails from unknown addresses.
      • Be careful when chatting with strangers.
      • The firewall must be kept active.
      • It is important to have anti-malware installed, as the attacker can install malware remotely.
    Security tools available: firewalls and antimalware

  Pharming
    Precaution methodology:
      • It is important to be aware of links coming through chat rooms or chat boxes, and to check web addresses.
      • Extreme care should be taken when giving one's sensitive data to suspicious websites.

Type 3: Man-in-the-Middle (MitM) Attacks
    Precaution methodology:
      • A firewall should be used to prevent unauthorized access to the computer network.
      • Strong passwords should be used.
      • Computer network equipment details should be kept confidential.
      • You need to protect yourself from spyware and Trojans by using anti-malware.
    Security tools available: firewalls and antimalware

Type 4: Denial-of-Service (DoS) Attack
  Name of attack: flood attack, teardrop attack, smurf attack, ping-of-death attack, and botnets.
    Precaution methodology:
      • A firewall should be used to prevent unauthorized access to the computer network.
      • Strong passwords should be used.
      • Computer network equipment details should be kept confidential.
      • You need to protect yourself from spyware and Trojans by using anti-malware.
    Security tools available: firewalls and antimalware

Type 5: SQL Injections
    Precaution methodology:
      • Secure coding practices, such as using prepared statements with parameterized queries, are an effective way to prevent SQL injections.
      • Safe coding can prevent SQL injection.

Type 6: Zero-day Exploit
    Precaution methodology:
      • Preventing zero-day attacks requires constant monitoring, proactive detection, and agile threat management practices.

Type 7: Password Attack
    Precaution methodology:
      • Account lockout best practices and two-factor authentication are very helpful in preventing a password attack.
      • Account lockout features can freeze an account after a number of invalid password attempts, and verifying two factors adds an extra layer of security.
      • The user needs to enter a secondary code that is only available on their 2FA device(s).

Type 8: Cross-site Scripting
    Precaution methodology:
      • If possible, avoid HTML in applications.
      • Input validation.
      • Data hygiene.
      • Cookie security measures.
      • Making WAF rules.

Type 9: Rootkits
    Precaution methodology:
      • Beware of insecure emails.
      • Avoid accessing unsafe websites.

Type 10: Internet of Things (IoT) Attacks
    Precaution methodology:
      • Best practices to help prevent an IoT attack include updating the operating system, keeping a strong password for every IoT device on your network, and changing passwords often.

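The Type 5 (SQL injection) and Type 8 (cross-site scripting) rows above recommend parameterized queries, input validation and cookie security measures. The Python code below is an added example written for this page, not code from the original report: it builds a constructed in-memory SQLite table, shows the string-concatenated lookup beside the parameterized one so the difference in behaviour is visible, escapes untrusted text before it is placed in HTML, and builds a Set-Cookie header with the HttpOnly, Secure and SameSite attributes. The table rows, the comment text and the session token are constructed sample data.

```python
import html
import sqlite3


def build_db():
    """Constructed in-memory users table with two sample rows (not from the document)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable form: the value is pasted into the SQL text, so a quote in it
    changes the query structure instead of being treated as data."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Parameterized form: the driver sends the value separately from the SQL,
    so it can never be parsed as part of the statement."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_comment(author, body):
    """Escape untrusted text before inserting it into HTML so markup in the
    input is shown literally rather than executed by the browser."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def session_cookie_header(token):
    """Set-Cookie header: HttpOnly keeps script from reading the cookie, Secure
    restricts it to TLS, SameSite=Strict stops cross-site requests sending it."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"


if __name__ == "__main__":
    conn = build_db()
    # A username carrying a stray quote returns every row from the unsafe
    # function but nothing from the parameterized one.
    odd_name = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(conn, odd_name))
    print("safe:  ", find_user_safe(conn, odd_name))
    print(render_comment("eve", "<script>alert(1)</script>"))
    print(session_cookie_header("constructed-token-value"))
```

The parameterized query is the fix the row above names; escaping on output (rather than trying to strip tags on input) is what "input validation" and "data hygiene" reduce to for HTML contexts, and the cookie attributes are the concrete "cookie security measures".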
Question 3: [05% Marks]

Fill the following table.

Columns: # | Security Professional Certification exam name | Scope covered | Job Area covered

1. CISSP (Certified Information Systems Security Professional)

  Scope covered:
  Accelerate your cybersecurity career with the CISSP certification. Earning the CISSP proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program. With a CISSP, you validate your expertise and become an (ISC)² member, unlocking a broad array of exclusive resources, educational tools, and peer-to-peer networking opportunities. Prove your skills, advance your career, help earn the salary you want and gain the support of a community of cybersecurity leaders here to support you throughout your career.

  CISSP (full form: Certified Information Systems Security Professional) is considered a quality standard in the field of information security. This cyber certification is offered by (ISC)2, an international non-profit organization with more than 200k certified members. The certification was introduced in 1994 and is the most required security certification on LinkedIn. The exam is available in 8 languages at 882 locations in 114 countries. The certification meets ISO/IEC Standard 17024.

  Today, many IT security professionals prefer CISSP certification training. It provides information security professionals with an objective measure of competence and a globally recognized standard of achievement.

  CISSP Exam Review Class Syllabus:
    • Security and Risk Management – 15%
    • Asset Security – 10%
    • Security Architecture and Engineering – 13%
    • Communication and Network Security – 14%
    • Identity and Access Management (IAM) – 13%
    • Security Assessment and Testing – 12%
    • Security Operations – 13%
    • Software Development Security – 10%

  Job Area covered:
    • Chief Information Security Officer
    • Director of Security
    • Network Architect
    • Security Consultant
    • Security Manager
    • Security Auditor
    • Security Analyst
    • IT Director/Manager
    • Managing Cloud Security
    • Security Systems Engineer

2. CISA (Certified Information Systems Auditor)

  Scope covered:
  ISACA offers the most recognized certification in the world for IS auditors: the Certified Information Systems Auditor (CISA) certification. It is recognized worldwide by all corporations and 153 governments of the World Trade Organization. ISACA has active members in more than 140 countries and is recognized as the de facto leader in IT governance, control, and assurance. This association was founded in 1969 as the Electronic Data Processing Auditors Association, with an objective to develop specific international IS auditing and control standards derived from the worldwide financial controls issued by the Committee of Sponsoring Organizations (COSO). As a result, ISACA has created the number one information systems audit certification in the world, the CISA. ISACA controls and administers the CISA exam worldwide. More than 50,000 professionals have earned their CISA to date. It is one of the most requested credentials in governance and consulting.

  CISA Exam Review Class Syllabus:
    • Management, Planning, and Organization of IS (11%)
    • Technical Infrastructure and Operational Practices (13%)
    • Protection of Information Assets (25%)
    • Disaster Recovery and Business Continuity (10%)
    • Business Application System Development, Acquisition, Implementation, and Maintenance (16%)
    • Business Process Evaluation and Risk Management (15%)
    • The IS Audit Process (10%)

  Job Area covered:
    • Auditing Information Systems
    • Governance and Management of IT
    • Information Systems Acquisition, Development and Implementation
    • Information Systems Operations and Business Resilience
    • Protection of Information Assets

3. CISM (Certified Information Security Manager)

  Scope covered:
  The Certified Information Security Manager (CISM) course helps candidates to achieve the CISM certification. The certification is offered by the Information Systems Audit and Control Association (ISACA) to validate the expertise and knowledge of the candidates regarding the relationship between an information security program and the broader business targets. The certification also validates that the candidate has hands-on knowledge of developing, managing and implementing an information security program for an organization. CISM certification is a certification by ISACA for experienced information security management professionals with work experience in developing and managing information security programs. The CISM course covers the four domains of the CISM certification exam. The course is an ideal preparatory course for students seeking to gain CISM certification, as well as for IT security and information security professionals looking to build on their practical experience.

  CISM Exam Syllabus:
    • Information security governance – 24%
    • Information risk management and compliance – 33%
    • Information security program development and management – 25%
    • Information security incident management – 18%

  Job Area covered:
    • Information Security Manager
    • Chief Information Officer
    • Information Risk Compliance Specialist

4. CEH (Certified Ethical Hacker)

  Scope covered:
  Certified Ethical Hacker (C|EH) is one of the most advanced ethical hacking courses in the world, which helps information security professionals to grasp the fundamentals of ethical hacking. It is an internationally recognized certification issued by the EC-Council, USA. The accredited course provides the advanced hacking tools and techniques used by hackers and information security professionals alike to break into an organization. This training will enable learners to assess the security posture of an organization by identifying vulnerabilities in the network and system infrastructure to determine if unauthorized access is possible.

  CEH Exam Syllabus:
    Module 01: Introduction to Ethical Hacking
    Module 02: Footprinting and Reconnaissance
    Module 03: Scanning Networks
    Module 04: Enumeration
    Module 05: Vulnerability Analysis
    Module 06: System Hacking
    Module 07: Malware Threats
    Module 08: Sniffing
    Module 09: Social Engineering
    Module 10: Denial-of-Service
    Module 11: Session Hijacking
    Module 12: Evading IDS, Firewalls, and Honeypots
    Module 13: Hacking Web Servers
    Module 14: Hacking Web Applications
    Module 15: SQL Injection
    Module 16: Hacking Wireless Networks
    Module 17: Hacking Mobile Platforms
    Module 18: IoT Hacking
    Module 19: Cloud Computing
    Module 20: Cryptography

  Job Area covered:
    • Information security analyst: $70,721
    • Penetration tester: $80,334
    • Information security manager: $108,352
    • Security engineer: $88,062
    • Cyber security analyst: $74,360
    • Information security engineer: $91,075

5. GSEC (GIAC Security Essentials certification)

  Scope covered:
  The GIAC Security Essentials (GSEC) certification validates a practitioner's knowledge of information security beyond simple terminology and concepts. GSEC certification holders are demonstrating that they are qualified for hands-on IT systems roles with respect to security tasks.

  GSEC Exam Syllabus:
    • Network Security and Cloud Essentials
    • Defense in Depth
    • Vulnerability Management and Response
    • Cryptography
    • Windows and Azure Security
    • Linux, AWS, and Mac Security

  Job Area covered:
    • Junior Security Operations Analyst
    • Senior Information Security Analyst
    • Chief Information Security Officer
    • Security Technical Specialist
    • Entry Level Systems Administrator
    • IT Security Manager
    • Forensic Investigator
    • Information Systems Security Officer
    • Security Engineer

6. SSCP (Systems Security Certified Practitioner)

  Scope covered:
  Earning a globally recognized advanced security administration and operations certification like the SSCP is a great way to grow your career and better secure your organization's critical assets. SSCP certification demonstrates you have the advanced technical skills and knowledge to implement, monitor and administer IT infrastructure using security best practices, policies and procedures established by the cybersecurity experts at (ISC)². Prove your skills, advance your career, and gain the support of a community of cybersecurity leaders here to help you throughout your career.

  SSCP Exam Syllabus:
    • Asset Security
    • Communications and Network Security
    • Identity and Access Management
    • Security and Risk Management
    • Security Architecture and Engineering
    • Security Assessment and Testing
    • Security Operations
    • Software Development Security

  Job Area covered:
    • Information Security Analyst: $64,000
    • Security Analyst: $65,000
    • Cyber Security Analyst: $69,000
    • Security Engineer: $79,000
    • Information Security Specialist: $83,000
    • Information Security Engineer: $89,000
    • Security Architect, IT: $121,000

7. CASP (Critical Assessment of protein Structure Prediction)

  Scope covered:
  Critical Assessment of protein Structure Prediction (CASP) is a community-wide, worldwide experiment for protein structure prediction taking place every two years since 1994. CASP provides research groups with an opportunity to objectively test their structure prediction methods and delivers an independent assessment of the state of the art in protein structure modeling to the research community and software users. Even though the primary goal of CASP is to help advance the methods of identifying protein three-dimensional structure from its amino acid sequence, many view the experiment more as a "world championship" in this field of science. More than 100 research groups from all over the world participate in CASP on a regular basis, and it is not uncommon for entire groups to suspend their other research for months while they focus on getting their servers ready for the experiment and on performing the detailed predictions.

  CASP Exam Syllabus:
    • Risk Management 19%
    • Enterprise Security Architecture 25%
    • Enterprise Security Operations 20%
    • Technical Integration of Enterprise Security 23%
    • Research, Development and Collaboration 13%

  Job Area covered:
    • Cyber Security Analyst
    • Security Engineer
    • Network Engineer