Q1. What Is DoS?
A Denial of Service (DoS) attack is a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks. But, like viruses, new DoS attacks are constantly being dreamed up by hackers.
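The flooding described above is something a defender can spot in firewall logs. The following is an added example (not part of the original answer): it runs a simple SYN-rate detector over a constructed log sample, counting SYNs per source and per destination per second, with the log format, addresses and threshold all assumed for the illustration.

```python
import re
from collections import defaultdict

# Constructed firewall-style log (not from a real system). 198.51.100.4 is a
# normal client; 203.0.113.9 sends a burst of SYNs at the web server 192.0.2.10.
SAMPLE_LOG = "\n".join(
    ["12:00:01 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443 SYN"]
    + ["12:00:01 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443 SYN"] * 40
    + ["12:00:02 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443 ACK"]
    + ["12:00:02 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443 SYN"] * 35
)

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+) (?P<flags>\w+)$"
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def syn_counts(text, key):
    """Count TCP SYNs per (address, second); key is 'src' or 'dst'."""
    counts = defaultdict(int)
    for rec in parse_log(text):
        if rec["proto"] == "TCP" and rec["flags"] == "SYN":
            counts[(rec[key], rec["ts"])] += 1
    return counts

def detect_syn_flood(text, key="src", threshold=20):
    """Return sorted (address, second, count) triples above the SYN/s threshold.
    key='src' catches one noisy sender; key='dst' aggregates per victim, which
    still fires when the flood is spread over many low-rate sources."""
    return sorted(
        (addr, ts, n) for (addr, ts), n in syn_counts(text, key).items() if n > threshold
    )

if __name__ == "__main__":
    for addr, ts, n in detect_syn_flood(SAMPLE_LOG):
        print(f"possible SYN flood from {addr} at {ts}: {n} SYN/s")
```

The per-destination view matters because a distributed flood keeps each source under a per-source threshold while the victim's total still spikes.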
Q2. What Is Non-Repudiation In Network Security?
Non-repudiation is the ability to prove that an operation or event has taken place, so that it cannot be repudiated later. For e-mail, for example, non-repudiation is used to guarantee that the recipient cannot deny having received the message and that the sender cannot deny having sent it. Non-repudiation (NR) is one of the security services (or dimensions, as defined in ITU-T Recommendation X.805) for point-to-point communications. Secure communications need to integrate a service in charge of generating digital evidence (rather than simply information logs) in order to resolve disputes arising from network errors or entities' misbehaviour when digital information is exchanged between the two points.
Q3. What Is Privacy And Security On The Internet?
Data Security
Data security is commonly described as the confidentiality, availability, and integrity of data. In other words, it is all of the practices and processes that are in place to ensure data is not used or accessed by unauthorized individuals or parties. Data security ensures that the data is accurate and reliable and is available when those with authorized access need it. A data security plan includes facets such as collecting only the required information, keeping it safe, and destroying any information that is no longer needed. These steps help a business meet the legal obligations that come with possessing sensitive data.
Data Privacy
Data privacy is best defined as the appropriate use of data. When companies and merchants use data or information that is provided or entrusted to them, the data should be used according to the agreed purposes. The Federal Trade Commission enforces penalties against companies that have neglected to ensure the privacy of customers' data. In some cases, companies have sold, disclosed, or rented volumes of the consumer information entrusted to them to other parties without getting prior approval.
Q4. What Is A DMZ And Why Is It Used?
In computer networks, a DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that holds company data. (The term comes from the geographic buffer zone that was set up between North Korea and South Korea following the UN "police action" in the early 1950s.) A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well.
Q5. For What Applications Is RSA Recommended?
The RSA algorithm is used worldwide to secure Internet, banking and credit card transactions.
Q6. What Is The Use Of The Digital Signature Standard?
The Digital Signature Standard (DSS) is the digital signature algorithm (DSA) developed by the U.S. National Security Agency (NSA) to generate a digital signature for the authentication of electronic documents. A DSA signature is a pair of large numbers that are computed according to the specified algorithm within parameters that enable the authentication of the signatory and, as a consequence, the integrity of the data attached. Digital signatures are both generated and verified through DSA. Signatures are generated using a private key; verification takes place with reference to the corresponding public key. Each signatory has their own key pair: a public key (assumed to be known to the general public) and a private key (known only to the user). Because a signature can only be generated by an authorized person using their private key, the corresponding public key can be used by anyone to verify the signature.
Q7. What Is The Need For Security Assessment?
There are many benefits to performing periodic assessments beyond simply complying with government regulations. Undertaking regular assessments can help you to:
- Find out whether your security has already been compromised. You might not know unless you look, and you will sleep better at night if you know.
- Stay on top of the latest security threats — with new attacks coming on the scene every day, you could become vulnerable even if nothing has changed since your last assessment!
- Make sure that your staff is being vigilant by maintaining a focus on IT security.
- Increase awareness and understanding of security issues throughout your company.
- Make smart security investments by prioritizing and focusing on the high-importance, high-payoff items.
- Demonstrate to your customers that security is important to you — this shows them that you care about them and their data.
Q8. What Is The Difference Between Qualitative And Quantitative Risk Management?
Perform Qualitative Risk Analysis | Perform Quantitative Risk Analysis
Considers all the risks identified in the Identify Risks process. | Considers only the risks marked for further analysis in the Perform Qualitative Risk Analysis process, i.e. those with a high impact on the project objectives.
Does not analyze the risks mathematically to identify the probability and distribution; instead, stakeholder input (expert judgement) is used to judge probability and impact. | Uses probability distributions to characterize each risk's probability and impact, and also uses the project model (e.g. schedule, cost estimate) together with mathematical and simulation tools to calculate probability and impact.
Assesses individual risks by assigning a numeric ranking of probability and impact, usually on a scale of 0 to 1, where 1 indicates high. | Predicts likely project outcomes in terms of money or time based on the combined effects of risks; estimates the likelihood of meeting targets and the contingency needed to achieve the desired level of comfort.
Is usually applied in most projects. | May not be applied to many simple or moderately complex projects; it may not be used in software projects at all.
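The two analyses above can be made concrete with a small risk register. This is an added example, not part of the original answer: the register, its probabilities, impact scores and costs are constructed for illustration. The qualitative step ranks risks by probability times impact on the 0-1 scale and shortlists them; the quantitative step puts money on the shortlist via expected monetary value and a Monte Carlo simulation of the combined effect, from which a contingency reserve at a chosen confidence level is read off.

```python
import random

# Constructed risk register (example data): name, probability, impact score on
# the 0-1 qualitative scale, and the cost in money if the risk materialises.
RISKS = [
    ("Key developer leaves",       0.30, 0.8, 40_000),
    ("Third-party API deprecated", 0.50, 0.4, 15_000),
    ("Data-centre outage",         0.10, 0.9, 90_000),
    ("Scope creep",                0.70, 0.3, 10_000),
]

def qualitative_ranking(risks):
    """Qualitative step: score = probability x impact (expert judgement), no money."""
    scored = [(name, round(p * impact, 2)) for name, p, impact, _ in risks]
    return sorted(scored, key=lambda r: r[1], reverse=True)

def shortlist(risks, min_score=0.2):
    """Only risks at or above the score threshold go on to quantitative analysis."""
    keep = {name for name, score in qualitative_ranking(risks) if score >= min_score}
    return [r for r in risks if r[0] in keep]

def expected_monetary_value(risks):
    """Quantitative step 1: EMV = sum of probability x cost."""
    return sum(p * cost for _, p, _, cost in risks)

def simulate_total_cost(risks, trials=10_000, seed=1):
    """Quantitative step 2: Monte Carlo over the combined effect of the risks.
    Each trial independently decides which risks occur and sums their cost."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        totals.append(sum(cost for _, p, _, cost in risks if rng.random() < p))
    return sorted(totals)

def contingency_at(totals, confidence):
    """Reserve that covers the simulated risk cost in `confidence` of the trials
    (e.g. 0.8 for a P80 reserve, the 'desired level of comfort')."""
    idx = min(len(totals) - 1, int(confidence * len(totals)))
    return totals[idx]

if __name__ == "__main__":
    print("qualitative ranking:", qualitative_ranking(RISKS))
    quant = shortlist(RISKS)
    totals = simulate_total_cost(quant)
    print("EMV:", expected_monetary_value(quant), "P80 reserve:", contingency_at(totals, 0.8))
```

Note that the qualitative screen drops the data-centre outage (score 0.09) even though it carries the largest cost, which is exactly the kind of blind spot the quantitative step is meant to expose when the shortlist threshold is set carelessly.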
Q9. What Do You Understand By VPN?
A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the public network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption. Major implementations of VPNs include OpenVPN and IPsec. A VPN connection across the Internet is similar to a wide area network (WAN) link between sites. From a user perspective, the extended network resources are accessed in the same way as resources available within the private network.
Q10. What Are The Essential Ingredients Of A Symmetric Cipher?
A symmetric encryption scheme has the following ingredients:
Plaintext: This is the original message or data that is fed into the algorithm as input.
Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the plaintext.
Secret key: The secret key is also input to the encryption algorithm. The exact substitutions and transformations performed by the algorithm depend on the key.
Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts.
Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.
Q11. What Is Triple DES?
In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. The original DES cipher's key size of 56 bits was generally sufficient when that algorithm was designed, but the availability of increasing computational power made brute-force attacks feasible. Triple DES provides a relatively simple method of increasing the key size of DES to protect against such attacks, without the need to design a completely new block cipher algorithm.
Q12. What Is A Message Authentication Code?
In cryptography, a message authentication code (often MAC) is a short piece of information used to authenticate a message and to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message's origin. A MAC algorithm, sometimes called a keyed (cryptographic) hash function (although a cryptographic hash function is only one of the possible ways to generate MACs), accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's data integrity and its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.
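The symmetric-cipher ingredients of Q10 and the keyed tag of Q12 are easiest to see side by side. The following added example (not from the original page) builds a stream cipher from HMAC-SHA256 run in counter mode, purely so it needs nothing beyond the Python standard library, and then wraps it in encrypt-then-MAC; the keys, nonce and message are constructed for the illustration, and the PRF-as-stream-cipher is a stand-in for a real block cipher mode, not a standardised construction.

```python
import hmac
import hashlib

# Constructed keys and nonce for the demonstration; real keys come from a CSPRNG
# (secrets.token_bytes(32)) and a nonce is never reused under the same key.
ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
MAC_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)
NONCE = b"\x00" * 12

def keystream(key, nonce, length):
    """Pseudorandom keystream: HMAC-SHA256 used as a PRF in counter mode.
    A stdlib-only stand-in for a real cipher mode, for illustration."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(enc_key, nonce, plaintext):
    """Ingredients: plaintext and secret key go in, ciphertext comes out."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))

def decrypt(enc_key, nonce, ciphertext):
    """The decryption algorithm is the encryption algorithm run in reverse."""
    return encrypt(enc_key, nonce, ciphertext)

def mac_tag(mac_key, nonce, ciphertext):
    """MAC: secret key + arbitrary-length message -> short tag (HMAC-SHA256)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def verify_tag(mac_key, nonce, ciphertext, tag):
    """The verifier holds the same key; compare in constant time."""
    return hmac.compare_digest(mac_tag(mac_key, nonce, ciphertext), tag)

def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the ciphertext and the nonce."""
    ct = encrypt(enc_key, nonce, plaintext)
    return ct, mac_tag(mac_key, nonce, ct)

def open_sealed(enc_key, mac_key, nonce, ciphertext, tag):
    """Check the tag first; decrypt only if authentic, otherwise return None."""
    if not verify_tag(mac_key, nonce, ciphertext, tag):
        return None
    return decrypt(enc_key, nonce, ciphertext)
```

Flipping a single ciphertext byte changes the tag, so the receiver rejects the message before any decrypted bytes are acted on; encryption alone would silently flip the corresponding plaintext byte.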
Q13. What Is A Digital Signature?
A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, such that the sender cannot deny having sent the message (authentication and non-repudiation), and that the message was not altered in transit (integrity). Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.
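The sign-with-private-key, verify-with-public-key structure described in Q6 and Q13 is shown below as an added example, not code from the original page. It uses textbook RSA signatures (the algorithm of Q5) rather than DSA because the key setup fits in a few lines; the two known Mersenne primes are chosen only so the key pair is reproducible, and there is no padding scheme, so this illustrates the mechanism rather than a production signature.

```python
import hashlib

# Key pair built from two known primes (Mersenne primes 2^61-1 and 2^89-1) so the
# example is reproducible; real keys use freshly generated primes of 2048+ bits.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
PUBLIC_KEY = (N, E)    # assumed known to everyone
PRIVATE_KEY = (N, D)   # known only to the signatory

def digest_as_int(message, n):
    """Sign a hash of the document, not the document itself, reduced into [0, n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    """Only the holder of d can produce s = H(m)^d mod n."""
    n, d = private_key
    return pow(digest_as_int(message, n), d, n)

def verify(public_key, message, signature):
    """Anyone with (n, e) checks s^e mod n == H(m); False means the document
    was altered or the signature was not made with the matching private key."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest_as_int(message, n)

if __name__ == "__main__":
    doc = b"Contract: Alice pays Bob 10 units"
    s = sign(PRIVATE_KEY, doc)
    print("valid:", verify(PUBLIC_KEY, doc, s))
    print("altered document valid:", verify(PUBLIC_KEY, doc + b"0", s))
```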
Q14. What Is A Key Distribution Center?
Domain services that use directories for holding account databases and global catalogs are called key distribution centers. In addition to holding these databases and catalogs, a key distribution center uses them to refer to the key distribution centers of other domains. The idea of the key distribution center is based on cryptography and is used in computer network security. The cryptography used in these centers is a system of secret codes that reduces the risk of exchanging keys, which are a form of encrypted information that controls an algorithm's operation. Often, this kind of center operates within a system that allows only a limited number of users access, or allows users access only within limited times. A key distribution center operates using Kerberos, a protocol for network authentication. These centers ensure secure methods of authentication when requests are made for a computer network's services. Generally, the distribution center operates as follows: a user requests access to particular services within a computer network, and the center uses encryption techniques to authenticate that the user making the request is who he claims to be. The first request is sent to the server, which sends a notice for the user to authenticate himself. Once this is completed, the request is then sent to a server for ticket granting.
Q15. What Is Risk Management?
Risk management is the identification, assessment, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risk management's objective is to ensure that uncertainty does not deflect the endeavor from the business goals.
Risks can come from many sources, e.g. uncertainty in financial markets, threats from project failures (at any phase in the design, development, production, or sustainment life cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root cause. Events are of two types: negative events are classified as risks, while positive events are classified as opportunities. Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.
Q16. What Is PGP?
PGP (Pretty Good Privacy) is the most widely recognized public key encryption program in the world. It can be used to protect the privacy of email, data files, drives and instant messaging.
Traffic on the Internet is susceptible to snooping by third parties with a modicum of skill. Data packets can be captured and stored for years. Even mail servers will often store messages indefinitely, where they can be read now or at a future point, sometimes long after the author has changed his or her point of view. Email, unlike a phone call or letter, is not legally protected as private communication, and can therefore be read by third parties, legal or otherwise, without the permission or knowledge of the author. Many privacy watchdog groups advise that if you are not using encryption, you should not include anything in an email you would not want to see published. Ideally this includes personal information as well, such as name, address, phone number, passwords, and so on.
PGP encryption provides the privacy missing from online communication. It changes plain, readable text into a complex code of characters that is completely unreadable. The email or instant message travels to the destination or recipient in this ciphered form. The recipient uses PGP to decrypt the message back into readable form.