Professional Documents
Culture Documents
MECS Course File PDF
MECS Course File PDF
CERTIFICATE
I, the undersigned, have completed the course allotted to me as shown below,
Sl.No. Semester Name of the Subject Course ID Total Units
1 VII Information Security PC 703 CS V
Verifying authority:
1. Head of the Department: …………………………………..
2.
3.
PRINCIPAL
The Computer Science and Engineering Department aims to produce competent professionals with strong
analytical skills, technical skills, research aptitude and ethical values.
DEPARTMENT MISSION
COURSE DESCRIPTOR
Information Security
Course Title
PC 703 CS
Course Code
Semester VII
Regulation NIL
Theory Practical
3 1 3 NA NA
Course Faculty
Mrs Priyanka Madhiraju
I. COURSE OVERVIEW:
Information security plays an important role in protecting the assets of an organization.
This course is to provide students with an overview of information security principles and practices, including
security models, risk management, access controls, intrusion detection and prevention, cryptography,
software vulnerabilities, and ethical issues. Subsequent courses expand on this foundational material in much
greater depth.This course can be used as pre requisite for information storage and management and this course
will be use full in providing security in Mainstream Cloud and Mobile Adoption and storing the data
securely
SEE CIA
Subject Total Marks
Examination Examination
Information Security 30 70 100
PO9 Individual and team work: Function as an individual, as a member or leader in multidisciplinary
environment.
PO10 Communication: Acquire effective written and oral communication skills on technical and
general aspects.
Project management and finance: Apply engineering and management principles to manage
PO11
projects in multidisciplinary environments.
Life-long learning: Identify the need of self-learning and life-long learning in the broad context
PO12
of technological evolution.
CO1 Define the components of an information system and identify the major types of threats
CO1
3 2 2 2 3 2 2 2 - - 1 2 1 2
CO2
2 2 2 2 2 2 2 1 - - 1 1 1 2
CO3
2 2 2 2 2 2 2 2 - - 1 2 1 2
2 2 2 2 2 2 2 2 - - 1 2 1 2
CO4
CO5
3 2 2 2 2 2 2 1 - - 1 2 1 2
VIII. SYLLABUS :
UNIT I- No.of Hrs
UNIT II-
Legal, Ethical and Professional Issues: Law and ethics in information security, relevant
U.S laws-international laws and legal bodies, Ethics and information security 11
UNIT III-
Planning for Security: Security policy, Standards and practices, Security blue print,
Security education, Continuity strategies.
9
Security Technology: Firewalls and VPNs: Physical design, firewalls, protecting remote
connections.
UNIT IV-
Security Technology: Intrusion detection, Access control and other security tools:
Intrusion detection and prevention systems, Scanning and analysis tools, Access control
devices. 14
Cryptography: Foundations of cryptology, cipher methods, cryptographic Algorithms,
Cryptographic tools, Protocols for secure communications, Attacks on cryptosystems
UNIT V-
Implementing Information Security: information security project management,
technical topics of implementation, Non- technical aspects of implementation, Security
certification and accreditation 11
TEXT BOOKS:
1. Michael E. Whitman and Hebert J Mattord, Principles of Information Security, 4th edition Ed.
Cengage Learning 2011
2. Thomas R Peltier, Justing Peltier, John Blackley, Information Security. Fundamentals, Auerbacj
Publications 2010
REFERENCES:
1 Detmar W Straub, Seymor Goodman, Richard L Baskerville, Information Security. Policy proceses
and practices PHI 2008
2. Marks Merkow and Jim Breithaupt, Information Security. Principle and Practices, Pearson
Education, 2007
PPT/BB/
Text
Lecture OHP/ No. Relevant
Topics to be covered Book/Reference
No. e- of Hrs COs
Book
material
1. Introduction: BB 1 CO1 T1
2. History, critical characteristics of PPT 1 CO1 T1
information,
3. NSTISSC security model, PPT 1 CO1 T1
Components of an information
system,
4. Securing the components, PPT 1 CO1 T1
PPT/BB/
Text
Lecture OHP/ No. Relevant
Topics to be covered Book/Reference
No. e- of Hrs COs
Book
material
13. Ethics and information security BB 1 CO2 T1
PPT/BB/
Text
Lecture OHP/ No. Relevant
Topics to be covered Book/Reference
No. e- of Hrs COs
Book
material
36. Protocols for secure BB 1 CO4 T1
communications,
37. Attacks on cryptosystems BB 1 CO4 T1
LECTURE NOTES
UNIT-I:
1.1 HISTORY
Julius Caesar-Caesar Cipher c50 B.C., which was created in order to prevent his secret
messages from being, read should a message fall into the wrong hands.
The end of the 20th century and early years of the 21st century saw rapid advancements in
telecommunications, computing hardware and software, and data encryption.
Introduction
Information technology is the vehicle that stores and transports information—a company’s
most valuable resource—from one business unit to another. But what happens if the vehicle breaks
down, even for a little while? As businesses have become more fluid, the concept of computer
security has been replaced by the concept of information security.
Because this new concept covers a broader range of issues, from the protection of data to
the protection of human resources, information security is no longer the sole responsibility of a
discrete group of people in the company; rather, it is the responsibility of every employee, and
especially managers.
Organizations must realize that information security funding and planning decisions
involve more than just technical managers: Rather, the process should involve three distinct groups
of decision makers, or communities of interest:
Understanding the technical aspects of information security requires that you know the
definitions of certain information technology terms and concepts. In general, security is defined as
Physical security, which encompasses strategies to protect people, physical assets, and the
workplace from various threats including fire, unauthorized access, or natural disasters
Personal security, which overlaps with physical security in the protection of the people
within the organization
Operations security, which focuses on securing the organization’s ability to carry out its
operational activities without interruption or compromise
Confidentiality
Integrity
Availability(CIA)
CIA Triangle
The C.I.A. triangle - confidentiality, integrity, and availability - has expanded into a more
comprehensive list of critical characteristics of information. At the heart of the study of information
security is the concept of policy. Policy, awareness, training, education, and technology are vital
concepts for the protection of information and for keeping information systems from danger.
Confidentiality
Integrity
Availability
Privacy
Identification
Authentication
Authorization
Accountability
Accuracy
Utility
Possession
1.3.1 Confidentiality
Confidentiality of information ensures that only those with sufficient privileges may access
certain information. When unauthorized individuals or systems can access information,
confidentiality is breached. To protect the confidentiality of information, a number of measures
are used:
Information classification
Secure document storage
Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of
information is threatened when it is exposed to corruption, damage, destruction, or other disruption
of its authentic state. Corruption can occur while information is being compiled, stored, or
transmitted.
1.3.2 Availability
For any information system to serve its purpose, the information must be available when it
is needed.
Eg: High availability systems aim to remain available at all times, preventing service
disruptions due to power outages, hardware failures, and system upgrades.
Privacy
The information that is collected, used, and stored by an organization is to be used only for
the purposes stated to the data owner at the time it was collected. This definition of privacy does
focus on freedom from observation (the meaning usually associated with the word), but rather
means that information will be used only in ways known to the person providing it.
Identification
Authentication
Authentication occurs when a control provides proof that a user possesses the identity that
he or she claims.
In computing, e-Business and information security it is necessary to ensure that the data,
transactions, communications or documents(electronic or physical) are genuine(i.e. they
have not been forged or fabricated)
Authorization
Accountability
The characteristic of accountability exists when a control provides assurance that every
activity undertaken can be attributed to a named person or automated process. For example, audit
logs that track user activity on an information system provide accountability.
1.3.3 Accuracy
Information should have accuracy. Information has accuracy when it is free from mistakes
or errors and it has the value that the end users expects. If information contains a value different
from the user’s expectations, due to the intentional or unintentional modification of its content, it
is no longer accurate.
Utility
Information has value when it serves a particular purpose. This means that if information
is available, but not in a format meaningful to the end user, it is not useful. Thus, the value of
information depends on its utility.
Possession
The possession of Information security is the quality or state of having ownership or control
of some object or item.
It is now called the National Training Standard for Information security professionals.
While the NSTISSC model covers the three dimensions of information security, it omits
discussion of detailed guidelines and policies that direct the implementation of controls.
Another weakness of using this model with too limited an approach is to view it from a single
perspective.
The 3 dimensions of each axis become a 3x3x3 cube with 27 cells representing areas
that must be addressed to secure today’s Information systems.
To ensure system security, each of the 27 cells must be properly addressed during the
security process.
For example, the intersection between technology, Integrity & storage areas requires a
control or safeguard that addresses the need to use technology to protect the Integrity
of information while in storage.
Software
Hardware
Data
People
Procedures
Networks
1.5.1 Software
Software programs are the vessels that carry the lifeblood of information through an
organization. These are often created under the demanding constraints of project
management, which limit time, cost, and manpower.
1.5.2 Hardware
Hardware is the physical technology that houses and executes the software, stores and
carries the data, and provides interfaces for the entry and removal of information from the
system.
Physical security policies deal with hardware as a physical asset and with the protection of
these physical assets from harm or theft. Applying the traditional tools of physical
security, such as locks and keys, restricts access to and interaction with the hardware
components of an information system.
Securing the physical location of computers and the computers themselves is important
because a breach of physical security can result in a loss of information. Unfortunately,
most information systems are built on hardware platforms that cannot guarantee any level
of information security if unrestricted access to the hardware is possible.
1.5.3 Data
Data stored, processed, and transmitted through a computer system must be protected.
Data is often the most valuable asset possessed by an organization and is the main target
of intentional attacks.
The raw, unorganized, discrete(separate, isolated) potentially-useful facts and figures that
are later processed(manipulated) to produce information.
1.5.4 People
There are many roles for people in information systems. Common ones include
Systems Analyst
Programmer
Technician
Engineer
Network Manager
MIS ( Manager of Information Systems )
Data entry operator
1.5.5 Procedures
1.5.6 Networks
When information systems are connected to each other to form Local Area Network
(LANs), and these LANs are connected to other networks such as the Internet, new
security challenges rapidly emerge Steps to provide network security are essential, as is
the implementation of alarm and intrusion systems to make system owners aware of
ongoing compromises.
Protecting the components from potential misuse and abuse by unauthorized users.
Subject of an attack
Computer is used as an active tool to conduct the attack.
Object of an attack
Computer itself is the entity being attacked
1. Direct attack
2. Indirect attack
Internet
Stolen Information
REMOTE
Hacker request SYSTEM
1. Direct attack
When a Hacker uses his personal computer to break into a system.[Originate
from the threat itself]
2. Indirect attack
When a system is compromised and used to attack other system.
[Originate from a system or resource that itself has been attacked, and is malfunctioning or
working under the control of a threat].
A computer can, therefore, be both the subject and object of an attack when ,for
example, it is first the object of an attack and then compromised and used to attack other
Has to provide the security and is also feasible to access the information for its
application.
Information Security cannot be an absolute: it is a process, not a goal.
Should balance protection and availability.
Analysis
Logical design
Physical design
Implementation
1.8.1 Investigation
It is the most important phase and it begins with an examination of the event or plan that
initiates the process.
During this phase, the objectives, constraints, and scope of the project are specified.
At the conclusion of this phase, a feasibility analysis is performed, which assesses the
economic, technical and behavioral feasibilities of the process and ensures that
implementation is worth the organization’s time and effort.
1.8.2 Analysis
In this phase, the information gained from the analysis phase is used to begin creating a
systems solution for a business problem.
Based on the business need, applications are selected that are capable of providing needed
services.
Based on the applications needed, data support and structures capable of providing the
needed inputs are then chosen.
In this phase, analysts generate a number of alternative solutions, each with
corresponding strengths and weaknesses, and costs and benefits.
At the end of this phase, another feasibility analysis is performed.
In this phase, specific technologies are selected to support the solutions developed in the
logical design.
The selected components are evaluated based on a make-or-buy decision.
Final design integrate various components and technologies.
1.8.5 Implementation
The same phases used in the traditional SDLC can be adapted to support the
implementation of an information security project.
Analysis
In this phase, the documents from the investigation phase are studied.
The developed team conducts a preliminary analysis of existing security policies or
programs, along with that of documented current threats and associated controls.
The risk management task also begins in this phase.
Risk management is the process of identifying, assessing, and evaluating the levels of risk
facing the organization, specifically the threats to the organization’s security and to the information
stored and processed by the organization.
Logical design
This phase creates and develops the blueprints for information security, and examines
and implements key policies.
The team plans the incident response actions.
Plans business response to disaster.
Determines feasibility of continuing and outsourcing the project.
Physical design
In this phase, the information security technology needed to support the blueprint
outlined in the logical design is evaluated.
Alternative solutions are generated.
Designs for physical security measures to support the proposed technological solutions
are created.
At the end of this phase, a feasibility study should determine the readiness of the
organization for the proposed project.
At this phase, all parties involved have a chance to approve the project before
implementation begins.
Implementation
Assessment
Management
And implementation of information security in the organization
Champion
- Promotes the project
- Ensures its support, both financially & administratively.
Team Leader
- Understands project management
- Personnel management
- And information Security technical requirements.
Security policy developers
- individuals who understand the organizational culture,
- existing policies
- Requirements for developing & implementing successful policies.
Risk assessment specialists
- Individuals who understand financial risk assessment techniques.
- The value of organizational assets,
- and the security methods to be used.
Security Professionals
- Dedicated
- Trained, and well educated specialists in all aspects of information security from both a
technical and non technical stand point.
System Administrators
- Administrating the systems that house the information used by the organization.
End users
Data Owner
- Responsible for the security and use of a particular set of information.
- Determine the level of data classification
- Work with subordinate managers to oversee the day-to-day administration of the data.
Data Custodians
Asset
-An asset is the organizational resource that is being protected.
-An Asset can be logical ,such as
Website, information or data
- Asset can be physical, such as
person , computer system
Attack
- An attack is an intentional or unintentional attempt to cause damage to or otherwise
compromise the information and /or the systems that support it. If someone casually reads
sensitive information not intended for his use, this is considered a passive attack. If a
hacker attempts to break into an information system, the attack is considered active.
Risk
- Risk is the probability that something can happen. In information security, it could be the
probability of a threat to a system.
Security Blueprint
- It is the plan for the implementation of new security measures in the organization.
Sometimes called a frame work, the blueprint presents an organized approach to the
security planning process.
Security Model
- A security model is a collection of specific security rules that represents the
implementation of a security policy.
Threats
- A threat is a category of objects, persons, or other entities that pose a potential danger to
an asset. Threats are always present. Some threats manifest themselves in accidental
occurrences, while others are purposeful. For example, all hackers represent potential
danger or threat to an unprotected information system. Severe storms are also a threat to
buildings and their contents.
Threat agent
- A threat agent is the specific instance or component of a threat. For example, you can
think of all hackers in the world as a collective threat, and Kevin Mitnick, who was
convicted for hacking into phone systems, as a specific threat agent. Likewise, a specific
lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe
storms.
Vulnerability
- Weaknesses or faults in a system or protection mechanism that expose information to
attack or damage are known as vulnerabilities. Vulnerabilities that have been examined,
documented, and published are referred to as well-known vulnerabilities.
Exposure
- The exposure of an information system is a single instance when the system is open to
At the most practical level, securing the information on your computer means:
Ensuring that your information remains confidential and only those who should access
that information, can.
Knowing that no one has been able to change your information, so you can depend on its
accuracy (information integrity).
Making sure that your information is available when you need it (by making back-up
copies and, if appropriate, storing the back-up copies off-site).
Must add secure infrastructure services based on the size and scope of the
enterprise.
Organizational growth could lead to the need for public key infrastructure,
PKI, an integrated system of software, encryption methodologies.
1.12 THREATS
1. Know yourself
(i.e) be familiar wit the information to be protected, and the systems that store,
transport and process it.
A threat is an object, person, or other entity, that represents a constant danger to an asset.
1.12.1 Threats to Information Security
information
1.12.2 Threats
One of the greatest threats to an organization’s information security is the organization’s own
employees.
Intellectual Property is defined as the ownership of ideas and control over the tangible
or virtual representation of those ideas.
Intellectual property includes trade secrets, copyrights, trademarks, and patents.
Once intellectual property has been defined and properly identified, breaches to IP
constitute a threat to the security of this information.
Organization purchases or leases the IP of other organizations.
Most Common IP breach is the unlawful use or duplication of software based intellectual
property more commonly known as software Piracy.
Software Piracy affects the world economy.
U.S provides approximately 80% of world’s software.
In addition to the laws surrounding software piracy, two watch dog organizations
investigate allegations of software abuse.
Another effort to combat (take action against) piracy is the online registration
process.
Electronic and human activities that can breach the confidentiality of information.
When an unauthorized individual’s gain access to the information an organization is
trying to protect is categorized as act of espionage or trespass.
Attackers can use many different methods to access the information stored in an
information system.
Trespass
Can lead to unauthorized real or virtual actions that enable information gatherers to enter
premises or systems they have not been authorized to enter.
Sound principles of authentication & authorization can help organizations protect
valuable information and systems.
Hackers-> “People who use and create computer software to gain access to information
illegally”
There are generally two skill levels among hackers.
Expert Hackers-> Masters of several programming languages, networking protocols,
and operating systems .
Unskilled Hackers
Destroy an asset or
Damage the image of organization
Cyber terrorism-Cyber terrorists hack systems to conduct terrorist activities through
network or internet pathways.
7.1 Virus
7.2 Worms
A worm is a malicious program that replicates itself constantly, without requiring another
program to provide a safe environment for replication.
Worms can continue replicating themselves until they completely fill available resources,
such as memory, hard drive space, and network bandwidth.
Eg: MS-Blaster, MyDoom, Netsky, are multifaceted attack worms.
Once the worm has infected a computer , it can redistribute itself to all e-mail addresses
found on the infected system.
Furthermore, a worm can deposit copies of itself onto all Web servers that the infected
systems can reach, so that users who subsequently visit those sites become infected.
Are software programs that hide their true nature and reveal their designed behavior only
when activated.
Trojan horse releases its
Trojan horse Trojan horse is
payload, monitors
arrives via E- activated when
computer activity,
mail or software the software or
installs back door, or
such as free attachment is
transmits information to
games executed.
hacker
Polymorphism
A Polymorphic threat is one that changes its apparent shape over time, making it
undetectable by techniques that look for preconfigured signatures.
These viruses and Worms actually evolve, changing their size, and appearance to elude
detection by antivirus software programs.
Virus
A program or piece of code that be loaded on to your computer, without your
knowledge and run against your wishes.
Worm
A program or algorithm that replicates itself over a computer network and usually
performs malicious actions.
Trojan Horse
Blended threat
Blended threats combine the characteristics of virus, worm, Trojan horses &
malicious code with server and Internet Vulnerabilities.
Antivirus Program
A Utility that searches a hard disk for viruses and removes any that found.
Fire: Structural fire that damages the building. Also encompasses smoke damage
from a fire or water damage from sprinkles systems.
Flood: Can sometimes be mitigated with flood insurance and/or business
interruption Insurance.
Earthquake: Can sometimes be mitigated with specific causality insurance
and/or business interruption insurance, but is usually a separate policy.
Lightning: An Abrupt, discontinuous natural electric discharge in the
atmosphere.
Landslide/Mudslide: The downward sliding of a mass of earth & rocks directly
damaging all parts of the information systems.
Tornado/Severe Windstorm
Huricane/typhoon
Tsunami
Electrostatic Discharge (ESD)
Dust Contamination
Since it is not possible to avoid force of nature threats, organizations must implement
controls to limit damage.
They must also prepare contingency plans for continued operations, such as disaster
recovery plans, business continuity plans, and incident response plans, to limit losses in the
face of these threats.
7.9 Deviations in Quality of Service
Other utility services can affect the organizations are telephone, water, waste water, trash
pickup, cable television, natural or propane gas, and custodial services.
The loss of these services can impair the ability of an organization to function.
For an example, if the waste water system fails, an organization might be prevented from
allowing employees into the building.
This would stop normal business operations.
Power Irregularities
This can pose problems for organizations that provide inadequately conditioned
power for their information systems equipment.
This category involves threats that come from purchasing software with unknown, hidden
faults.
Large quantities of computer code are written, debugged, published, and sold before all
their bugs are detected and resolved.
These failures range from bugs to untested failure conditions.
1.13 ATTACKS
The malicious code attack includes the execution of viruses, worms, Trojan horses, and
active Web scripts with the intent to destroy or steal information.
The state –of-the-art malicious code attack is the polymorphic or multivector, worm.
These attack programs use up to six known attack vectors to exploit a variety of
vulnerabilities in commonly found information system devices.
2. Web browsing
If the infected system has write access to any Web pages, it makes all Web content files
(.html,.asp,.cgi & others) infectious, so that users who browse to those pages become
infected.
3. Virus
Each infected machine infects certain common executable or script files on all computers
to which it can write with virus code that can cause infection.
4. Unprotected shares
Using vulnerabilities in file systems and the way many organizations configure them, the
infected machine copies the viral component to all locations it can reach.
5. Mass Mail
By sending E-mail infections to addresses found in the address book, the infected machine
infects many users, whose mail -reading programs also automatically run the program &
infect other systems.
1.13.3 Examples
Hoaxes
A more devious approach to attacking the computer systems is the transmission of a virus
hoax with a real virus attached.
Even though these users are trying to avoid infection, they end up sending the attack on
to their co-workers.
Backdoors
Password Crack
Brute Force
The application of computing & network resources to try every possible combination of
options of a password is called a Brute force attack.
This is often an attempt to repeatedly guess passwords to commonly used accounts, it is
sometimes called a password attack.
Spoofing
sends messages to a computer that has an IP address that indicates that the messages are
coming from a trusted host.
Original IP packet
Spoofed (modified)
IP packet
This is another form of the brute force attack noted above for guessing passwords.
The dictionary attack narrows the field by selecting specific accounts to attack and
uses a list of commonly used passwords instead of random combinations.
Man-in-the –Middle
Another form of E-mail attack that is also a DOS called a mail bomb.
Attacker routes large quantities of e-mail to the target.
The target of the attack receives unmanageably large volumes of unsolicited e-mail.
By sending large e-mails, attackers can take advantage of poorly configured e-mail
systems on the Internet and trick them into sending many e-mails to an address chosen
by the attacker.
The target e-mail address is buried under thousands or even millions of unwanted e-
mails.
Sniffers
A sniffer is a program or device that can monitor data traveling over a network.
Unauthorized sniffers can be extremely dangerous to a network’s security, because they
are virtually impossible to detect and can be inserted almost anywhere.
Sniffer often works on TCP/IP networks, where they are sometimes called “packet
Sniffers”.
Social Engineering
It is the process of using social skills to convince people to reveal access credentials or
other valuable information to the attacker.
An attacker gets more information by calling others in the company and asserting his/her
authority by mentioning chief’s name.
Buffer Overflow
A buffer overflow is an application error that occurs when more data is sent to a buffer
than it can handle.
Attacker can make the target system execute instructions.
Timing Attack
UNIT-2
2.1 LEGAL, ETHICAL, AND PROFESSIONAL ISSUES IN INFORMATION SECURITY
2.1.1 Law and Ethics in Information Security
Laws are rules that mandate or prohibit certain behavior in society; they are drawn from
ethics, which define socially acceptable behaviors. The key difference between laws and
ethics is that laws carry the sanctions of a governing authority and ethics do not. Ethics in
turn are based on Cultural mores. Types of Law
Civil law
Criminal law
Tort law
Private law
Public law
2.1.2 Relevant U.S. Laws – General
Computer Fraud and Abuse Act of 1986
National Information Infrastructure Protection Act of 1996
USA Patriot Act of 2001
Telecommunications Deregulation and Competition Act of 1996
Communications Decency Act (CDA)
Computer Security Act of 1987
Privacy
The issue of privacy has become one of the hottest topics in information
The ability to collect information on an individual, combine facts from separate sources,
and merge it with other information has resulted in databases of information that were
previously impossible to set up
The aggregation of data from multiple sources permits unethical organizations to build
databases of facts with frightening capabilities
Privacy of Customer Information
Privacy of Customer Information Section of Common Carrier Regulations
Federal Privacy Act of 1974
The Electronic Communications Privacy Act of 1986
The Health Insurance Portability & Accountability Act Of 1996 (HIPAA) also known as
the Kennedy-Kassebaum Act
The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999
Table 2.1.2.1 Key U.S Laws of Interest to Information Security Professionals
US Copyright Law
Intellectual property is recognized as a protected asset in the US
US copyright law extends this right to the published word, including electronic formats
Fair use of copyrighted materials includes
- the use to support news reporting, teaching, scholarship, and a number of other
related permissions
- the purpose of the use has to be for educational or library purposes, not for
profit, and should not be excessive
Freedom of Information Act of 1966 (FOIA)
The Freedom of Information Act provides any person with the right to request access to
federal agency records or information, not determined to be of national security
Digital Millennium Copyright Act (DMCA) Digital Millennium Copyright Act (DMCA)
The Digital Millennium Copyright Act (DMCA) is the US version of an international effort
to reduce the impact of copyright, trademark, and privacy infringement
The European Union Directive 95/46/EC increases protection of individuals with regard to
the processing of personal data and limits the free movement of such data
The United Kingdom has already implemented a version of this directive called the
Database Right
United Nations Charter
To some degree the United Nations Charter provides provisions for information security
during Information Warfare
Information Warfare (IW) involves the use of information technology to conduct offensive
operations as part of an organized and lawful military operation by a sovereign state
IW is a relatively new application of warfare, although the military has been conducting
electronic warfare and counter-warfare operations for decades, jamming, intercepting, and
spoofing enemy communications
Policy Versus Law
Most organizations develop and formalize a body of expectations called policy Policies
function in an organization like laws
For a policy to become enforceable, it must be:
- Distributed to all individuals who are expected to comply with it
- Readily available for employee reference
- Easily understood with multi-language translations and translations for
visually impaired, or literacy-impaired employees
Risk Management
Classifying Assets
Management must ensure that sufficient resource are allocated to the information security
& Information technology groups to meet the security needs of the organization. Users
work with the systems and the data and are therefore well positioned to understand the
value of the information assets.
Information Technology
Must build secure systems and operate them safely.
Three communities of interest are also responsible for the following
Evaluating the risk controls.
Determining which control options are cost effective.
Acquiring or installing the needed controls.
Overseeing that the controls remain effective.
2.2.4 Important Risk Factors of information Security are
1. Understand the threats and attacks that introduce risk into the organization.
2. Taking asset inventory.
3. Verify the threats and vulnerabilities that have been identified as dangerous to the
asset inventory, as well as the current controls and mitigation strategies.
4. Review the cost effectiveness of various risk control measures.
People include employees and nonemployees. There are two categories of employees:
those who hold trusted roles and have correspondingly greater authority and accountability,
and other staff who have assignments without special privileges. Nonemployees include
contractors and consultants, members of other organizations with which the organization
has a trust relationship, and strangers.
Procedures fall into two categories: IT and business standard procedures, and IT and
business sensitive procedures. The business sensitive procedures are those that may assist
a threat agent in crafting an attack against the organization or that have some other content
or feature that may introduce risk to the organization.
Data Components have been expanded to account for the management of information in
all stages: Transmission, Processing, and Storage.
Software Components can be assigned to one of three categories: Applications, Operating
Systems, or security components. Software Components that provide security controls may
span the range of operating systems and applications categories, but are differentiated by
the fact that they are the part of the information security control environment and must be
protected more thoroughly than other system components.
Hardware is assigned to one of two categories: the usual systems devices and their
peripherals, and the devices that are part of information security control systems. The latter
must be protected more thoroughly than the former.
2.3.1.2 People, Procedures,& Data Asset Identification
People : Position name/number/ID: Supervisor; Security clearance level; special
skills. Procedures : Description/intended purpose/relationship to software /
hardware and networking elements; storage location for update; storage location for
reference. Data : Classification; owner; Creator; Manager; Size of data
structure; data structure used; online/offline/location/backup procedures employed.
2.3.1.3 Hardware, Software, and Network Asset Identification
Depends on the needs of the organization and its risk management efforts.
Name: Should adopt naming standards that do not convey information to potential system
attackers.
IP address: Useful for network devices & Servers. Many organizations use the dynamic
host control protocol (DHCP) within TCP/IP that reassigns IP numbers to devices as
needed, making the use of IP numbers as part of the asset identification process
problematic. IP address use in inventory is usually limited to those devices that use static
IP addresses.
Media Access Control (MAC) address: Electronic serial numbers or hardware addresses.
All network interface hardware devices have a unique number. The MAC address number
is used by the network operating system as a means to identify a specific network device.
It is used by the client’s network software to recognize traffic that it must process.
Element Type: Document the function of each Element by listing its type. For hardware,
a list of possible element types, such as servers, desktops, networking devices or test
equipment.
One server might be listed as
- Device class= S (Server)
- Device OS= W2K ( Windows 2000)
- Device Capacity = AS ( Advanced Server )
Serial Number: For hardware devices, the serial number can uniquely identify a specific
device.
Manufacturer Name: Record the manufacturer of the device or software component. This
can be useful when responding to incidents that involve these devices or when certain
manufacturers announce specific vulnerabilities.
Manufacturer’s Model No or Part No: Record the model or part number of the element.
This record of exactly what the element is can be very useful in later analysis of
vulnerabilities, because some vulnerability instances only apply to specific models of
certain devices and software components.
Software Version, Update revision, or FCO number: Document the specific software
or firmware revision number and, for hardware devices, the current field change order
(FCO) number. An FCO is an authorization issued by an organization for the repair,
modification, or update of a piece of equipment. Documenting the revision number and
FCO is particularly important for networking devices that function mainly through the
software running on them. For example, firewall devices often have three versions: an
operating system (OS) version, a software version, and a basic input/output system ( BIOS)
firmware version.
Physical location: Note where this element is located physically (Hardware)
Logical Location: Note where this element can be found on the organization’s network.
The logical location is most useful for networking devices and indicates the logical network
where the device is connected.
Controlling Entity: Identify which organizational unit controls the element.
2.3.1.4 Automated Risk Management Tools
Automated tools identify the system elements that make up the hardware, software, &
network components.
Many organizations use automated asset inventory systems.
The inventory listing is usually available in a data base.
Once stored, the inventory listing must be kept current, often by means of a tool that
periodically refreshes the data.
2.3.2 Information Asset Classification
In addition to the categories, it is advisable to add another dimension to represent the
sensitivity & Security priority of the data and the devices that store, transmit & process the
data.
Eg: Kinds of classifications are confidential data, internal data and public data.
2.3.3 Information Asset Valuation
As each asset is assigned to its category, posing a number of questions assists in developing
the weighting criteria to be used for information asset valuation or impact evaluation.
Before beginning the inventory process, the organization should determine which criteria
can best be used to establish the value of the information assets. Among the criteria to be
considered are:
- Which information Asset is the most critical to the success of the
organization.
- Which information asset generates the most revenue?
- Which information asset generates the most probability?
- Which Information asset would be the expensive to replace?
2. Sensitive But Unclassified data (SBU) : Any information of which the loss,
misuse, or unauthorized access to, or modification of might adversely affect U.S. national
interests, the conduct of Department of Defense(DoD) programs, or the privacy of DoD
personnel.
3. Confidential data: Any information or material the unauthorized disclosure of
which reasonably could be expected to cause damage to the national security.
4. Secret: Any information or material the unauthorized disclosure of which
reasonably could be cause serious damage to the national security.
5. Top Secret Data: Any information or material the unauthorized disclosure of
which reasonably could be expected to cause exceptionally grave damage to the national
security.
A clean desk policy requires that employees secure all information in appropriate storage
containers at the end of each day.
- When Information are no longer valuable, proper care should be taken to destroy
them by means of shredding, burning or transferring to a service offering
authorized document destruction.
Dumpster diving to retrieve information that could embarrass a company or compromise
information security.
2.3.5 Threat Identification
After identifying the information assets, the analysis phase moves on to an examination of
the threats facing the organization.
Identify and Prioritize Threats and Threat Agents
Figure 2.3.5.1 Threats to Information Security
This examination is known as a threat assessment. You can address each threat with a few
Technical hardware failures or errors Hardware can fail and cause an outage.
Forces of nature
All information assets in the
organization are subject to forces of
nature, unless suitable controls are
provided.
3. Security Technologies
Technical Implementation Policies
Access Controls
Specially addresses admission of a user into a trusted area of the organization.
Eg: Computer rooms, Power Rooms.
Combination of policies , Programs, & Technologies
Types of Access controls
Mandatory Access Controls (MACs)
- Give users and data owners limited control over access to information resources.
Nondiscretionary Controls
- Managed by a central authority in the organization; can be based on individual’s role (role-
based controls) or a specified set of assigned tasks (task-based controls)
Discretionary Access Controls ( DAC)
- Implemented at discretion or option of the data user
Lattice-based Access Control
- Variation of MAC - users are assigned matrix of authorizations for particular areas of
access.
2.4.5 Documenting the Results of Risk Assessment
By the end of the Risk Assessment process, you probably have a collection of long lists of information
assets with data about each of them.
The goal of this process is to identify the information assets that have specific vulnerabilities and list
them, ranked according to those most needing protection. You should also have collected some
information about the controls that are already in place. The final summarized document is the ranked
vulnerability risk worksheet, a sample of which is shown in the following table.
Table 2.4.5.1 Ranked vulnerability risk worksheet
55 0.2 11
Customer Service Request E-mail disruption
via e-mail(inbound) due to hardware
Failure
100 0.1 10
Customer order via SSL - Lost orders due to
(inbound) Web server
hardware failure
100 0.1 10
Customer order via SSL - Lost orders due to
(inbound) Web server or ISP
service failure
55 0.1 5.5
Customer Service Request E-mail disruption
via e-mail(inbound) due to SMTP mail
relay attack
55 0.1 5.5
Customer Service Request E-mail disruption
via e-mail(inbound) due to ISP service
failure
100 0.01 1
Customer order via SSL Lost orders due to
(inbound)SSL-Secure Web server software
Sockets Layer Failure
It is the choice to do nothing to protect a vulnerability and do accept the outcome of its exploitation.
This strategy occurs when the organization has:
- Determined the level of risk.
- Assessed the probability of attack.
- Estimated the potential damage that could occur from attacks.
- Performed a thorough cost benefit analysis.
- Evaluated controls using each appropriate type of feasibility.
- Decided that the particular function, service, information, or asset did not justify the cost
of protection.
2.5.5 Selecting a Risk Control Strategy
Level of threat and value of asset play major role in selection of strategy Rules of thumb
on strategy selection can be applied:
- When vulnerability (flaw or weakness) exists: Implement security controls to reduce the
likelihood of a vulnerability being exercised.
- When vulnerability can be exploited: Apply layered protections, architectural designs, and
administrative controls to minimize the risk.
- When the attacker’s cost is less than his potential gain: Apply protections to increase the
attacker’s cost.
- When potential loss is substantial: Apply design principles, architectural designs, and
technical and non-technical protections to limit the extent of the attack, thereby reducing
the potential for loss.
There is no exit from this cycle; it is a process that continues for as long as the organization continues
to function.
Preventive controls stop attempts to exploit a vulnerability by implementing a security principle, such
as authentication, or Confidentiality.
Preventive controls use a technical procedure, such as encryption, or some combination of technical
means and enforcement methods.
Detective controls – warn organizations of violations of security principles, organizational
policies, or attempts to exploit vulnerabilities.
Detective controls use techniques such as audit trails, intrusion detection and configuration
monitoring.
Architectural Layer
Controls apply to one or more layers of an organization’s technical architecture. The following entities
are commonly regarded as distinct layers in an organization’s
Information architecture.
1. Organizational policy.
2. External Networks.
3. Extranets ( or demilitarized zones )
4. Intranets ( WANs and LANs )
5. Network devices that interface network zones.(Switches, Routers, firewalls and hubs)
6. Systems [ Mainframe, Server, desktop]
7. Applications.
Strategy Layer
Controls are sometimes classified by the risk control strategy they operate within:
1. Avoidance
2. Mitigation
3. transference
Characteristics of Secure Information
1. Confidentiality
2. Integrity
3. Availability
4. Authentication 5. Authorization
6. Accountability
7. Privacy
Confidentiality: The control assures the confidentiality of data when it is stored, processed, or transmitted.
An example of this type of control is the use of Secure Sockets Layer ( SSL ) encryption technology to secure
Web content as it moves from Web server to browser.
Integrity: The control assures that the information asset properly, completely, and correctly receives,
processes, stores, and retrieves data in a consistent and correct manner .Ex: Use of parity or cyclical
redundancy checks in data transmission protocols.
Availability: The control assures ongoing access to critical information assets. Ex: Deployment of a network
operations center using a sophisticated network monitoring toolset.
Authentication: The control assures that the entity (person or computer) accessing information assets is in
fact the stated entity. Ex: The use of cryptographic certificates to establish SSL connections, or the use of
cryptographic hardware tokens such as SecurID cards as a second authentication of identity.
Authorization: The control assures that a user has been specifically and explicitly authorized to access,
update, or delete the contents of an information asset. Ex: Use of access control lists and authorization groups
in the Windows networking environment. Another example is the use of a database authorization scheme to
verify the designated users for each function.
Accountability: The control assures that every activity undertaken can be attributed to a specific named
person or automated process. Ex: Use of audit logs to track when each user logged in and logged out of each
computer.
Privacy: The control assures that the procedures to access, update, or remove personally identifiable
information comply with the applicable laws and policies for that kind of information.
2.5.7 Feasibility Studies
Before deciding on the strategy (Avoidance, transference, mitigation, or acceptance), for a specific
vulnerability, all the economic and non-economic consequences of the vulnerability facing the
information asset must be explored.
Cost Avoidance- It is the process of avoiding the financial impact of an incident by implementing a
control. Includes
1. Cost Benefit analysis
2. Organizational feasibility
3. Operational Feasibility
4. Technical Feasibility
5. Political feasibility.
Cost Benefit Analysis (CBA)
Organizations are urged to begin the cost benefit analysis by evaluating the worth of the information
assets to be protected and the loss in value if those information assets were compromised by the
exploitation of a specific vulnerability.
The formal process to document this decision making process is called a Cost Benefit analysis or an
economic feasibility study.
Cost Benefit Analysis or an Economic Feasibility study
Some of the items that affect the cost of a control or safeguard include:
1. Cost of development or acquisition [purchase cost] of hardware, software and services.
2. Training Fees(cost to train personnel)
3. Cost of Implementation[Cost to install, Configure, and test hardware, software and services]
4. service Costs[Vendor fees for maintenance and upgrades]
5. Cost of maintenance[Labor expense to verify and continually test, maintain and update]
Benefit is the value that an organization realizes by using controls to prevent losses associated with a
specific vulnerability.
Amount of benefit = Value of the Information asset and Value at risk.
Asset Valuation is the process of assigning financial value or worth to each information asset.
Some of the components of asset valuation include:
1. Value retained from the cost of creating the information asset.
2. Value retained from past maintenance of the information asset.
3. Value implied by the cost of replacing the information.
4. Value from providing the information.
5. Value incurred from the cost of protecting the information.
6. Value to owners.
7. Value of intellectual property.
8. Value to adversaries.
9. Loss of Productivity while the information assets are unavoidable.
10. Loss of revenue while information assets are unavailable.
The organization must be able to place a dollar value on each collection of information and the
information assets it owns. This value is based on the answers to these questions:
Process-based measures are generally less focused on numbers and more strategic than metrics-
based-measures.
Due Care/Due Diligence
When organizations adopt levels of security for a legal defense, they may need to show that they have
done what any prudent organization would do in similar circumstances this is referred to as a standard
of due care
Due diligence is the demonstration that the organization is diligent in ensuring that the implemented
standards continue to provide the required level of protection
Failure to support a standard of due care or due diligence can open an organization to legal liability
Best Business Practices
Security efforts that provide a superior level of protection of information are referred to as best
business practices
Best security practices (BSPs) are security efforts that are among the best in the industry When
considering best practices for adoption in your organization, consider the following:
– Does your organization resemble the identified target?
– Are the resources you can expend similar?
– Are you in a similar threat environment?
Microsoft’s Ten Immutable Laws of Security
1. If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
2. If a bad guy can alter the operating system on your computer, it’s not your computer anymore
3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
4. If you allow a bad guy to upload programs to your web site, it’s not your web site anymore
5. Weak passwords trump strong security
6. A machine is only as secure as the administrator is trustworthy
7. Encrypted data is only as secure as the decryption key
8. An out of date virus scanner is only marginally better than no virus scanner at all
9. Absolute anonymity isn't practical, in real life or on the web
10. Technology is not a panacea
Problems
The biggest problem with benchmarking in information security is that organizations don’t talk to
each other.
Another problem with benchmarking is that no two organizations are identical A third
problem is that best practices are a moving target.
One last issue to consider is that simply knowing what was going on a few years ago, as in
benchmarking, doesn’t necessarily tell us what.
Baselining
Baselining is the analysis of measures against established standards,
In information security, baselining is comparing security activities and events against the
organization’s future performance.
When baselining it is useful to have a guide to the overall process
Feasibility Studies and the Cost Benefit analysis
Before deciding on the strategy for a specific vulnerability all information about the economic and
non-economic consequences of the vulnerability facing the information asset must be explored.
Fundamentally we are asking “What are the actual and perceived advantages of implementing a
control contrasted with the actual and perceived disadvantages of implementing the control?”
Cost Benefit Analysis (CBA)
The most common approach for a project of information Security controls and safeguards is the
economic feasibility of implementation.
Begins by evaluating the worth of information assets are compromised.
It is only common sense that an organization should not spend more to protect an asset than it is
worth.
The formal process to document this is called a cost benefit analysis or an economic feasibility study.
CBA: Cost Factors
Some of the items that the cost of a control or safeguard include:
Cost of Development or Acquisition
Training Fees
Cost of implementation.
Service Costs
Cost of Maintenance
CBA: Benefits
Benefit is the value that the organization recognizes by using controls to prevent losses associated
with a specific vulnerability.
This is usually determined by valuing the information asset or assets exposed by the vulnerability and
then determining how much of that value is at risk.
CBA: Asset Valuation
Asset Valuation is the process of assigning financial value or worth to each information asset.
The valuation of assets involves estimation of real and perceived costs associated with the design,
development, installation, maintenance, protection, recovery, and defense against market loss and
litigation.
These estimates are calculated for each set of information bearing systems or information assets.
There are many components to asset valuation.
CBA: Loss Estimates
Once the worth of various assets is estimated examine the potential loss that could occur from the
exploitation of vulnerability or a threat occurrence.
This process results in the estimate of potential loss per risk. The questions
that must be asked here include:
What damage could occur, and what financial impact would it have?
What would it cost to recover from the attack, in addition to the costs above? What is the
single loss expectancy for each risk?
Organizational Feasibility
Organizational Feasibility examines how well the proposed information security alternatives will
contribute to the efficiency, effectiveness, and overall operation of an organization.
Above and beyond the impact on the bottom line, the organization must determine how the proposed
alternatives contribute to the business objectives of the organization.
Operational feasibility
Addresses user acceptance and support, management acceptance and support, and the overall
requirements of the organization’s stake holders.
Sometimes known as behavioral feasibility, because it measures the behavior of users. One of the
fundamental principles of systems development is obtaining user buy in on a project and one of the
most common methods for obtaining user acceptance and support is through user involvement
obtained through three simple steps:
- Communicate
- Educate
- Involve
Technical Feasibility
The project team must also consider the technical feasibilities associated with the design,
implementation, and management of controls.
Examines whether or not the organization has or can acquire the technology necessary to implement
and support the control alternatives.
Political feasibility
For some organizations, the most significant feasibility evaluated may be political
Within Organizations, political feasibility defines what can and cannot occur based on the consensus
and relationships between the communities of interest.
The limits placed on an organization’s actions or a behavior by the information security
controls must fit within the realm of the possible before they can be effectively implemented, and that
realm includes the availability of staff resources.
Risk Management Discussion Points
Not every organization has the collective will to manage each vulnerability through the application
of controls
Depending on the willingness to assume risk, each organization must define its risk appetite
Risk appetite defines the quantity and nature of risk that organizations are willing to accept as
they evaluate the tradeoffs between perfect security and unlimited accessibility
Residual Risk
When we have controlled any given vulnerability as much as we can, there is often risk that has not
been completely removed or has not been completely shifted or planned for this remainder is called
residual risk.
To express it another way, “Residual risk is a combined function of
1. A threat less the effect of some threat –reducing safeguards.
2. Vulnerability less the effect of some vulnerability- reducing safeguards.
3. an asset less the effect of some asset value-reducing safeguards “
Documenting Results
At minimum, each information asset-vulnerability pair should have a documented control strategy
that clearly identifies any residual risk remaining after the proposed strategy has been executed.
Some organizations document the outcome of the control strategy for each information asset-
vulnerability pair as an action plan
This action plan includes concrete tasks, each with accountability assigned to an organizational unit
or to an individual
Recommended Practices in Controlling Risk
We must convince budget authorities to spend up to the value of the asset to protect a particular asset
from an identified threat
Each and every control or safeguard implemented will impact more than one threat-asset pair
Qualitative Measures
The spectrum of steps described above was performed with real numbers or best guess estimates of
real numbers-this is known as a quantitative assessment.
However, an organization could determine that it couldn’t put specific numbers on these values.
Fortunately, it is possible to repeat these steps using estimates based on a qualitative assessment.
Instead of using specific numbers, ranges or levels of values can be developed simplifying the process
Delphi Technique
One technique for accurately estimating scales and values is the Delphi Technique.
The Delphi Technique, named for the Oracle at Delphi, is a process whereby a group of individuals
rate or rank a set of information
The individual responses are compiled and then returned to the individuals for another iteration
This process continues until the group is satisfied with the result.
Unit III
Introduction:
To secure its network environment, organization must establish a functional and well-
designed information security program. Information security program begins with creation or
review of organization’s information security policies, standards, and practices. Selection or
creation of information security architecture and development and use of detailed information
security blueprint will create plan for future success. Without policy, blueprints, and planning,
organization’s security needs will not be met. The creation of an information security program
begins with an information security blueprint, and before we can discuss the creation and
development of a blueprint, it is important to look at management’s responsibility in shaping
policy. It is prudent for information security professionals to know the information security
polices and how these policies contribute to the overall objectives of the organization.
Information Security Policy, Standards and Practices
Management from all communities of interest must consider policies as the basis for all
information security planning, design, and deployment.
In general, policies direct how issues should be addressed and technologies used, not cover
the specifics on the proper operation of equipment or software.
Quality security programs begin and end with policy.
Types of Law
Civil law comprises a wide variety of laws that govern a nation or state and deal with the
relationships and conflicts between organizational entities and people.
Criminal law addresses activities and conduct harmful to society, and is actively
enforced by the state.
Law can also be categorized as private or public. Private law encompasses family law,
commercial law, and labour law, and regulates the relationship between individuals and
organizations. Public law regulates the structure and administration of government agencies
and their relationships with citizens, employees, and other governments. Public law includes
criminal, administrative, and constitutional law.
Definitions
3. Standards, on the other hand, are more detailed statements of what must be done to
comply with policy
4. Practices, procedures, and guidelines effectively explain how to comply with policy
A policy is
A plan or course of action, as of a government, political party, or business, intended to
influence and determine decisions, actions, and other matters
Policies are organizational laws
Policies must contain information on what is right, and what is not; what the penalties are for
violating policy, and what the appeal process is
Standards, on the other hand, are more detailed statements of what must be done to
comply with policy
Practices, procedures and guidelines effectively explain how to comply with policy
For a policy to be effective it must be properly disseminated, read, understood and agreed to
by all members of the organization.
A security program policy (SPP) is also known as a general security policy, IT security
policy, or information security policy. This policy sets the strategic direction, scope, and tone
for all security efforts within the organization. The SPP is an executive-level document,
usually drafted by or with, the CIO of the organization and is usually 2 to 10 pages long.
When the SPP has been developed, the CISO begins forming the security team and initiates
the SecSDLC process.
Management must define three types of security policy, according to the National Institute of
Standards and Technology’s Special Publication 800-14 (a publication that is discussed in
much greater detail later in this chapter):
1. Enterprise information security policies
2. Issue-specific security policies
3. Systems-specific security policies
EISP Elements Although the specifics of EISPs vary from organization to organization, most
EISP documents should include the following elements:
1. An overview of the corporate philosophy on security
2. Information on the structure of the information security organization and individuals
who fulfil the information security role
3. Fully articulated responsibilities for security that are shared by all members of the
organization (employees, contractors, consultants, partners, and visitors)
4. Fully articulated responsibilities for security that are unique to each role within the
organization
Issue-Specific Security Policy (ISSP)
A modular ISSP document that unifies policy creation and administration, while maintaining
each specific issue’s requirements
The optimal balance between the independent and comprehensive ISSP is the modular ISSP.
It is also centrally managed and controlled but is tailored to the individual technology issues.
Access control lists (ACLs) consist of access control lists, matrices, and capability tables
governing rights and privileges of a particular user to a particular system
Configuration rule policies comprise specific configuration codes entered into security
systems to guide execution of the system
Policy Management
Policies are living documents that must be managed and nurtured, and are constantly
changing and growing. These documents must be properly disseminated and managed.
Special considerations should be made for organizations undergoing mergers, takeovers and
partnerships.
In order to remain viable, these policies must have:
an individual responsible for reviews,
a schedule of reviews,
a method for making recommendations for reviews, and
an indication of policy and revision date.
Frameworks and Industry Standards
With general idea of vulnerabilities in IT systems, security team develops security
blueprint, which is used to implement security program
Security blueprint is basis for design, selection, implementation of all security
program elements including policy implementation, ongoing policy management, risk
management programs, education and training programs, technological controls, and
maintenance of security program
Security framework is outline of overall information security strategy and roadmap
for planned changes to the organization’s information security environment
Number of published information security frameworks, including ones from
government sources
Because each information security environment is unique, security team may need to
modify or adapt pieces from several frameworks
Benchmarking and Best Practices
Benchmarking and best practices are reliable methods used by some organizations
to assess security practices
Possible to gain information by benchmarking and using best practices and thus
work backwards to effective design
Federal Agency Security Practices Site (fasp.nist.gov) designed to provide best
practices for public agencies and is adapted easily to private organizations
Figure 6-16, showing the sphere of security, is the foundation of the security framework.
Generally speaking, the sphere of security represents the fact that information is under attack
from a variety of sources. The sphere of use, at the left of the figure, illustrates the ways in
which people can directly access information: for example, people read hard copies of
documents; they also access information through systems, such as the electronic storage of
information. Information, as the most important asset to security, is illustrated at the core of
the sphere. Information is always at risk from attacks through the people and computer
systems that have direct access to the information. Networks and the Internet represent
indirect threats, as exemplified by the fact that a person attempting to access information from
the Internet must first go through the local networks and then access systems that contain the
information. The sphere of protection, at the right of the figure, illustrates that between each
layer of the sphere of use there must exist a layer of protection to prevent access to the inner
layer from the outer layer. Each shaded band is a layer of protection and control. For example,
the layer labeled “policy education and training” is located between people and the
information. Controls are also implemented between systems and the information, between
networks and the computer systems, and between the Internet and internal networks. This
reinforces the concept of defense in depth. As illustrated in the sphere of protection portion of
Figure 6-16, a variety of controls can be used to protect the information. The list in the figure
is not intended to be comprehensive but illustrates individual safeguards that protect the
various systems that are located closer to the center of the sphere. However, as people can
directly access each ring as well as the information at the core of the model, people require
unique approaches to security.
In fact, the resource of people must become a layer of security, a human firewall that protects
the information from unauthorized access and use. The members of the organization must
become a safeguard, which is effectively trained, implemented, and maintained, or else they,
too, become a threat to the information.
continuing education
A number of universities have formal coursework in information security
– (See, for example, http://infosec.kennesaw.edu)
Security Training
Involves providing members of the organization with detailed information and hands-
on instruction designed to prepare them to perform their duties securely
Management of information security can develop customized in-house training or
outsource the training program
Security Awareness
One of the least frequently implemented but most beneficial programs is the security
awareness program
Designed to keep information security at forefront of users’ minds
Need not be complicated or expensive
If program is not actively implemented, employees begin to ‘tune out,’ and the risk of
employee accidents and failures increases
Continuity Strategies
Plans for events of this type are referred to in a number of ways:
– Business continuity plans (BCPs)
– Disaster recovery plans (DRPs)
– Incident response plans (IRPs)
– Contingency plans
Large organizations may have many types of plans and small organizations may have
one simple plan, but most have inadequate planning
Figure 3-9 Contingency Planning Timeline
Before any planning can begin, a team has to plan the effort and prepare the resulting
documents Champion - A high-level manager to support, promote, and endorse the findings
of the project
Project Manager - Leads the project and makes sure a sound project planning process is used,
a complete and useful project plan is developed, and project resources are prudently managed
Team Members - Should be the managers or their representatives from the various
communities of interest like Business, IT, and Information Security
– Indicators of attack
– Broad consequences
Attack success scenario details are added to attack profile, including best, worst, and
most likely outcomes
Potential Damage Assessment
From previously developed attack success scenarios, BIA planning team must
estimate cost of best, worst, and most likely cases
Costs include actions of response team
This final result is referred to as an attack scenario end case
Incident Response Planning
Incident response planning covers identification of, classification of, and response to
an incident
Incident is attack against an information asset that poses clear threat to the
confidentiality, integrity, or availability of information resources
Attacks are only classified as incidents if they have the following characteristics:
– Are directed against information assets
– Detection
– Reaction
– Recovery
Incident or Disaster
When does an incident become a disaster?
– The organization is unable to mitigate the impact of an incident during the
incident
– The level of damage or destruction is so severe that the organization is unable
to quickly recover
Difference may be subtle
Up to the organization to decide which incidents are to be classified as disasters and
thus receive the appropriate level of response
Disaster Recovery Planning
Disaster recovery planning (DRP) is planning the preparation for and recovery from a
disaster
Contingency planning team must decide which actions constitute disasters and which
constitute incidents
When situations are classified as disasters, plans change as to how to respond; take
action to secure the system’s most valuable assets to preserve value for the longer
term even at the risk of more disruption in the immediate term
DRP strives to reestablish operations at the ‘primary’ site
DRP Steps
There must be a clear establishment of priorities
There must be a clear delegation of roles and responsibilities
Someone must initiate the alert roster and notify key personnel
Someone must be tasked with the documentation of the disaster
If and only if it is possible, some attempts must be made to mitigate the impact of the
disaster on the operations of the organization
Crisis Management
Crisis management occurs during and after a disaster and focuses on the people
involved and addressing the viability of the business
Crisis management team responsible for managing event from enterprise perspective
by:
– Supporting personnel and families during crisis
Firewalls
1. Packet-filtering firewalls
2. Application gateways
3. Circuit gateways
4. MAC layer firewalls and
5. Hybrids
Packet filtering firewalls examine header information of data packets most often based
on combination of:
a. Internet Protocol (IP) source and destination address
– Static filtering: requires that filtering rules governing how the firewall decides
which packets are allowed and which are denied are developed and installed
– Dynamic filtering: allows firewall to react to emergent event and update or
• Application gateways
– Since proxy server is often placed in unsecured area of the network (e.g.,
DMZ), it is exposed to higher levels of risk from less trusted networks
– Additional filtering routers can be implemented behind the proxy server,
further protecting internal systems
• Circuit gateway firewall
–
Like filtering firewalls, do not usually look at data traffic flowing between two
networks, but prevent direct connections between one network and another
– Accomplished by creating tunnels connecting specific processes or systems on
each side of the firewall, and allow only authorized traffic in the tunnels
• MAC layer firewalls
– Designed to operate at the media access control layer of OSI network model
– MAC addresses of specific host computers are linked to access control list
(ACL) entries that identify specific types of packets that can be sent to each
host; all other traffic is blocked
• Hybrid firewalls
• Fourth generation: dynamic packet filtering firewalls; allow only packets with
particular source, destination, and port addresses to enter
• Fifth generation: kernel proxies; specialized form working under kernel of Windows
NT
– Bastion host contains two network interface cards (NICs): one connected to
external network, one connected to internal network
– Implementation of this architecture often makes use of network address
translation (NAT), creating another barrier to intrusion from external attackers
• Commonly consists of two or more internal bastion hosts behind packet filtering
router, with each host protecting trusted network:
– Connections from outside (untrusted network) routed through external filtering
router
– Connections from outside (untrusted network) are routed into and out of
routing firewall to separate network segment known as DMZ
– Connections into trusted internal network allowed only from DMZ bastion
host servers
• Screened subnet performs two functions:
–
Protects DMZ systems and information from outside threats
–
Protects the internal networks by limiting how external connections can gain
access to internal systems
• Another facet of DMZs: extranets
• SOCKS servers
– SOCKS is the protocol for handling TCP traffic via a proxy server
– A proprietary circuit-level proxy server that places special SOCKS client-side
agents on each workstation
– A SOCKS system can require support and management resources beyond
those of traditional firewalls
– What firewall offers right balance between protection and cost for needs of
organization?
– Which features are included in base price and which are not?
– Ease of setup and configuration? How accessible are staff technicians who can
configure the firewall?
– Can firewall adapt to organization’s growing network?
• Each firewall device must have own set of configuration rules regulating its actions
• Firewall policy configuration is usually complex and difficult
• Configuring firewall policies is both an art and a science
• When security rules conflict with the performance of business, security often loses
• Best practices for firewalls
• When Web services offered outside firewall, HTTP traffic should be denied
from reaching internal networks
• Firewall rules
• Operate by examining data packets and performing comparison with
predetermined logical rules
• Logic based on set of guidelines most commonly referred to as firewall rules,
rule base, or firewall logic
• Most firewalls use packet heade r information to determine whether
specific packet should be allowed or denied
Note that the rule allowing responses to internal communications comes first (appearing in
Table 6-16 as Rule #1), followed by the four rules prohibiting direct communications to or
from the firewall (Rules #2 through 5 in Table 6-16). After this comes the rule stating that all
outgoing internal communications are allowed, followed by the rules governing access to the
SMTP server and denial of Ping, Telnet access, and access to the HTTP server. If heavy traffic
to the HTTP server is expected, move the HTTP server rule closer to the top (for example, into
the position of Rule #2), which would expedite rule processing for external communications.
The final rule in Table 6-16 denies any other types of communications.
Note the similarities and differences in the two rule sets. The internal filtering router/firewall
rule set, shown in Table 6-17, has to both protect against traffic and allow traffic from the
internal network (192.168.2.0). Most of the rules in Table 6-17 are similar to those in Table 6-
16: allowing responses to internal communications (Rule #1); denying communications
to/from the firewall itself (Rules #2 through 5); and allowing all outbound internal traffic (Rule
#6). Note that there is no permissible traffic from the DMZ systems, except as in Rule #1. Why
isn’t there a comparable rule for the 192.168.2.1 subnet? Because this is an unrouteable
network, external communications are handled by the NAT server, which maps internal
(192.168.2.0) addresses to external (10.10.10.0) addresses. This prevents a hacker from
compromising one of the internal boxes and accessing the internal network with it. The
exception is the proxy server (Rule #7 in Table 6-17), which should be very carefully
configured. If the organization does not need the proxy server, as in cases where all externally
accessible services are provided from machines in the DMZ, then Rule #7 is not needed. Note
that there are no Ping and Telnet rules in Table 6-17. This is because the external firewall
filters these external requests out. The last rule, Rule #8, provides cleanup.
Content Filters
• Most common content filters restrict users from accessing non-business Web sites or
deny incoming span
Protecting Remote Connections
• Installing Internetwork connections requires leased lines or other data channels; these
connections are usually secured under requirements of formal service agreement
• When individuals seek to connect to organization’s network, more flexible option
must be provided
• Options such as virtual private networks (VPNs) have become more popular due to
spread of Internet
Remote Access
• It is a widely held view that these unsecured, dial-up connection points represent a
substantial exposure to attack.
• An attacker who suspects that an organization has dial-up lines can use a device called
a war dialer to locate the connection points.
• A war dialer is an automatic phone-dialing program that dials every number in a
configured range and checks to see if a person, answering machine, or modem picks
up.
• Some technologies, such as RADIUS systems, TACACS, and CHAP password
systems, have improved the authentication process.
• RADIUS, TACACS, and Diameter
• Sesame
•
Token then presented to privilege attribute server as proof of identity to
gain privilege attribute certificate
• Uses public key encryption; adds additional and more sophisticated
access control features; more scalable encryption systems; improved
manageability; auditing features; delegation of responsibility for
allowing access
Virtual Private Networks (VPNs)
• Private and secure network connection between systems; uses data communication
capability of unsecured and public network
• Transport mode
Unit IV
Introduction
• An intrusion occurs when an attacker attempts to gain entry into or disrupt the normal
operations of an information system, almost always with the intent to do harm. Even
when such attacks are self-propagating, as in the case of viruses and distributed
denial-of-service attacks
• Intrusion prevention consists of activities that deter an intrusion.
Three activities to summarize
• Intrusion detection: consists of procedures and systems that identify system
intrusions.
• Intrusion reaction: encompasses the actions an organization takes when an intrusion is
detected. These actions seek to limit the loss from an intrusion and return operations
to a normal state as rapidly as possible.
• Intrusion correction: activities finalize the restoration of operations to a normal state
and seek to identify the source and method of the intrusion in order to ensure that the
same type of attack cannot occur again—thus reinitiating intrusion prevention.
How it works??
• An IDS works like a burglar alarm in that it detects a violation (some system activity
analogous to an opened or broken window) and activates an alarm. This alarm can be
audible and/or visual (producing noise and lights, respectively), or it can be silent (an
e-mail message or pager alert).
Terminology
• Alert or alarm: An indication that a system has just been attacked or is under attack.
IDPS alerts and alarms take the form of audible signals, e-mail messages, pager
notifications, or pop-up windows.
• Evasion: The process by which attackers change the format and/or timing of their
activities to avoid being detected by the IDPS.
• False attack stimulus: An event that triggers an alarm when no actual attack is in
progress. Scenarios that test the configuration of IDPSs may use false attack stimuli to
determine if the IDPSs can distinguish between these stimuli and real attacks.
• False negative: The failure of an IDPS to react to an actual attack event. This is the
most grievous failure, since the purpose of an IDPS is to detect and respond to
attacks.
• False positive: An alert or alarm that occurs in the absence of an actual attack. A false
positive can sometimes be produced when an IDPS mistakes normal system activity
for an attack. False positives tend to make users insensitive to alarms and thus reduce
their reactivity to actual intrusion events.
• True attack stimulus: An event that triggers alarms and causes an IDPS to react as if a
real attack is in progress. The event may be an actual attack, in which an attacker is at
work on a system compromise attempt, or it may be a drill, in which security
personnel are using hacker tools to conduct tests of a network segment.
• Tuning: The process of adjusting an IDPS to maximize its efficiency in detecting true
positives, while minimizing both false positives and false negatives.
• Confidence value: The measure of an IDPS’s ability to correctly detect and identify
certain types of attacks. The confidence value an organization places in the IDPS is
• According to the NIST documentation on industry best practices, there are several
compelling reasons to acquire and use an IDPS:
1. To prevent problem behaviours by increasing the perceived risk of discovery and
punishment for those who would attack or otherwise abuse the system
2. To detect attacks and other security violations that are not prevented by other security
measures
3. To detect and deal with the preambles to attacks (commonly experienced as network
probes and other “doorknob rattling” activities)
4. To document the existing threat to an organization
5. To act as quality control for security design and administration, especially in large and
complex enterprises
6. To provide useful information about intrusions that do take place, allowing improved
diagnosis, recovery, and correction of causative factors
According to the NIST 800-94 guide, IPS technologies are differentiated from IDS technologies
by one characteristic:
1. IPS technologies can respond to a detected threat by attempting to prevent it from
succeeding. They use several response techniques, which can be divided into the
following groups:
2. The IPS stops the attack itself. Examples of how this could be done are as follows:
3. Terminate the network connection or user session that is being used for the attack
4. Block access to the target (or possibly other likely targets) from the offending user
account, IP address, or other attacker attribute
5. Block all access to the targeted host, service, application, or other resource.
The IPS changes the security environment. The IPS could change the
configuration of other security controls to disrupt an attack. Common
examples are reconfiguring a network device (e.g., firewall, router, switch) to
block access from the attacker or to the target and altering a host-based
firewall on a target to block incoming attacks. Some IPSs can even cause
patches to be applied to a host if the IPS detects that the host has
vulnerabilities.
The IPS changes the attack’s content. Some IPS technologies can remove or
replace malicious portions of an attack to make it benign.
A simple example is an IPS removing an infected file attachment from an e-
mail and then permitting the cleaned e-mail to reach its recipient.
A more complex example is an IPS that acts as a proxy and normalizes
incoming requests, which means that the proxy repackages the payloads of the
requests, discarding header information. This might cause certain attacks to be
Types of IDPS
• In the process of protocol stack verification, the NIDPSs look for invalid data packets
—that is, packets that are malformed under the rules of the TCP/IP protocol. A data packet is
verified when its configuration matches one that is defined by the various Internet protocols.
• Many types of intrusions, especially DoS and DDoS attacks, rely on the creation of
improperly formed packets to take advantage of weaknesses in the protocol stack in
certain operating systems or applications.
1. Good network design and placement of NIDPS devices can enable an organization to
use a few devices to monitor a large network.
2. NIDPSs are usually passive devices and can be deployed into existing networks with
little or no disruption to normal network operations.
3. NIDPSs are not usually susceptible to direct attack and, in fact, may not be detectable
by attackers.
The disadvantages of NIDPSs
1. A NIDPS can become overwhelmed by network volume and fail to recognize attacks
it might otherwise have detected
2. NIDPSs require access to all traffic to be monitored
3. NIDPSs cannot analyze encrypted packets, making some of the network traffic
invisible to the process.
4. NIDPSs cannot reliably ascertain if an attack was successful or not. This requires the
network administrator to be engaged in an ongoing effort to evaluate the results of the
logs of suspicious network activity.
5. Some forms of attack are not easily discerned by NIDPSs, specifically those
involving fragmented packets. In fact, some NIDPSs are particularly vulnerable to
malformed packets and may become unstable and stop functioning
Wireless NIDPS
• A wireless IDPS monitors and analyzes wireless network traffic, looking for potential
problems with the wireless protocols (Layers 2 and 3 of the OSI model).
• Wireless IDPS capability can be built into a device that provides a wireless access
point
• Sensor locations for wireless networks can be located at the access points, on
specialized sensor components, or incorporated into selected mobile stations.
• Centralized management stations collect information from these sensors, much as
other network-based IDPSs do, and aggregate information into a comprehensive
assessment of wireless network intrusions.
• Some issues associated with the implementation of wireless IDPSs include:
1. Physical security: Unlike wired network sensors, which can be physically secured,
many wireless sensors are located in public areas like conference rooms, assembly
areas, and hallways in order to obtain the widest possible network range.
2. Sensor range: A wireless device’s range can be affected by atmospheric conditions,
building construction, and the quality of both the wireless network card and access
point.
3. Sensor range: A wireless device’s range can be affected by atmospheric conditions,
building construction, and the quality of both the wireless network card and access
point.
4. Wired network connections: Wireless network components work independently of the
wired network when sending and receiving between stations and access points.
5. Cost: The more sensors deployed, the more expensive the configuration.
• NBA systems examine network traffic in order to identify problems related to the
flow of traffic.
• They use a version of the anomaly detection method described later in this section to
identify excessive packet flows such as might occur in the case of equipment
malfunction, DoS attacks, virus and worm attacks, and some forms of network policy
violations.
• The types of events most commonly detected by NBA sensors include the following:
• DoS attacks (including DDoS attacks)
• Scanning
• Worms
• Unexpected application services (e.g., tunneled protocols, back doors, use of
forbidden application protocols)
• Policy violations
• NBA sensors offer various intrusion prevention capabilities, including the following
(grouped by sensor type
• Passive only
Ending the current TCP session. A passive NBA sensor can attempt to end an existing
TCP session by sending TCP reset packets to both endpoints
• Inline only
Performing inline firewalling. Most inline NBA sensors offer firewall capabilities that can be
used to drop or reject suspicious network activity.
• Both passive and inline
Reconfiguring other network security devices. Many NBA sensors can instruct network
security devices such as firewalls and routers to reconfigure themselves to block certain
types of activity or route it elsewhere, such as a quarantine virtual local area network
(VLAN).
Running a third-party program or script. Some NBA sensors can run an administrator-
specified script or program when certain malicious activity is detected.
Host-Based IDPS
1. An HIDPS can detect local events on host systems and also detect attacks that may
elude a network-based IDPS.
2. An HIDPS functions on the host system, where encrypted traffic will have been
decrypted and is available for processing.
3. The use of switched network protocols does not affect an HIDPS.
4. An HIDPS can detect inconsistencies in how applications and systems programs were
used by examining the records stored in audit logs. This can enable it to detect some
types of attacks, including Trojan horse programs
1. HIDPSs pose more management issues because they are configured and managed on
each monitored host. Operating an HIDPS requires more management effort to install,
configure, and operate than does a comparably sized NIDPS solution.
2. An HIDPS is vulnerable both to direct attacks and to attacks against the host
operating system. Either circumstance can result in the compromise and/or loss of
HIDPS functionality.
3. An HIDPS is not optimized to detect multihost scanning, nor is it able to detect the
scanning of non-host network devices, such as routers or switches. Unless complex
correlation analysis is provided, the HIDPS will not be aware of attacks that span
multiple devices in the network.
4. An HIDPS is susceptible to some denial-of-service attacks.
5. An HIDPS can use large amounts of disk space to retain the host OS audit logs; to
function properly, it may be necessary to add disk capacity to the system.
IDPS Detection Methods
• IDPSs use a variety of detection methods to monitor and evaluate network traffic.
• Three methods dominate:
• the signature-based approach,
• the statistical-anomaly approach, and
• the stateful packet inspection approach.
• Signature-Based IDPS A signature-based IDPS (sometimes called a knowledge-based
IDPS or a misuse-detection IDPS) examines network traffic in search of patterns that
match known signatures—that is, preconfigured, predetermined attack patterns
• Signaturebased IDPS technology is widely used because many attacks have clear and
distinct signatures, for example:
(1) footprinting and fingerprinting activities use ICMP, DNS querying, and e-mail routing
analysis;
(2) exploits use a specific attack sequence designed to take advantage of a vulnerability to
gain access to a system
(3) DoS and DDoS attacks, during which the attacker tries to prevent the normal usage of a
system, overload the system with requests so that the system’s ability to process them
efficiently is compromised or disrupted
• A potential problem with the signature-based approach is that new attack strategies
must continually be added into the IDPS’s database of signatures; otherwise, attacks
that use new strategies will not be recognized and might succeed.
• Another weakness of the signaturebased method is that a slow, methodical attack
might escape detection if the relevant IDPS attack signature has a shorter time frame.
• The only way a signature-based IDPS can resolve this vulnerability is to collect and
analyze data over longer periods of time
Statistical Anomaly-Based IDPS
computer as well as the number of false positives it can generate, this type of IDPS is
less commonly used than the signature-based type
Stateful Protocol Analysis IDPS
• stateful inspection firewalls track each network connection between internal and
external systems using a state table to record which station sent which packet and
when, essentially pairing communicating parties.
• An IDPS extension of this concept is stateful protocol analysis.
• “Stateful protocol analysis (SPA) is a process of comparing predetermined profiles of
generally accepted definitions of benign activity for each protocol state against
observed events to identify deviations. Stateful protocol analysis relies on vendor-
developed universal profiles that specify how particular protocols should and should not be
used.”
• Essentially, the IDPS knows how a protocol, such as FTP, is supposed to work, and
therefore can detect anomalous behavior.
• This process is sometimes called deep packet inspection because SPA closely
examines packets at the application layer for information that indicates a possible
intrusion
• Stateful protocol analysis can also examine authentication sessions for suspicious
activity as well as for attacks that incorporate “unexpected sequences of commands,
such as issuing the same command repeatedly or issuing a command without first
issuing a command upon which it is dependent, as well as ‘reasonableness’ for
commands such as minimum and maximum lengths for arguments.”
• Unfortunately, the analytical complexity of session-based assessments is the principal
drawback to this type of IDPS method, which also requires heavy processing
overhead to track multiple simultaneous connections.
• Additionally, unless a protocol violates its fundamental behavior, this IDPS method
may completely fail to detect an intrusion.
• One final issue is that the IDPS may in fact interfere with the normal operations of the
protocol it’s examining, especially with client- and server-differentiated operations.
Log File Monitors
Introduction
To maintain secure networks, information security professionals must be prepared to
identify system vulnerabilities, whether by hiring system assessment experts or by
conducting self-assessments using scanning and penetration tools
Network security vulnerability is defect in product, process, or procedure that, if
exploited, may result in violation of security policy, which in turn might lead to loss of
revenue, loss of information, or loss of value to the organization
Common Vulnerabilities
Scanners, sniffers, and other such vulnerability analysis tools are invaluable because
they enable administrators to see what attackers see
Scanning tools are typically used as part of an attack protocol
Attack protocol is a series of steps or processes used by attacker, in logical sequence,
to launch attack against target system or network
This may begin with a collection of publicly available information about a potential
target, a process known as footprinting
Attacker uses public Internet data sources to perform searches to identify network
addresses of the organization
Footprinting
Most important information for footprinting purposes is IP address range
Another piece of useful information is name, phone number, and e-mail address of the
technical contact
This research is augmented by browsing the organization’s Web pages since Web
pages usually contain information about internal systems, individuals developing Web
pages, and other tidbits, which can be used for social engineering attacks
To assist in footprint intelligence collection process, an enhanced Web scanner can be
used that, among other things, can scan entire Web sites for valuable pieces of
information, such as server names and e-mail addresses
Fingerprinting
Next phase of attack protocol is data-gathering process called fingerprinting, a
Vulnerability Validation
Often, an organization requires proof that system is actually vulnerable to certain
attacks
May require such proof to avoid having system administrators attempt to repair
systems that are not broken or because they have not yet built satisfactory relationship
with vulnerability assessment team
Class of scanners exists that exploit remote machine and allow vulnerability analyst
(penetration tester) to create accounts, modify Web pages, or view data
Packet Sniffers
Network tool that collects copies of packets from network and analyzes them
Penetration Testing
Penetration test involves using all techniques and tools available to attacker in order
to attempt to compromise or penetrate an organization’s defenses
Penetration testing can be performed by internal group (so called “red teams”) or
outsourced to external organization
A variable of the penetration test, whether performed internally or outsourced, is
amount of information provided to the red team
Three categories of testing:
Black box: red team is given no information whatsoever about the
organization and approaches the organization as external attacker
Gray box: red team is given some general information about the organization
such as general structure, network address ranges, software and versions
White box: red team has full information on the organization and its structure
Cryptography Cipher
Methods
Plaintext can be encrypted through bit stream or block cipher method
Bit stream: each plaintext bit transformed into cipher bit one bit at a time
Block cipher: message divided into blocks (e.g., sets of 8- or 16-bit blocks) and each
is transformed into encrypted block of cipher bits using algorithm and key
Cryptosystems typically made up of algorithms, data handling techniques, and
procedures
Substitution cipher: substitute one value for another
Monoalphabetic substitution: uses only one alphabet
Polyalphabetic substitution: more advanced; uses two or more alphabets
Vigenère cipher: advanced cipher type that uses simple polyalphabetic code; made up
of 26 distinct cipher alphabets
01100001 = a
01100010 = b
01100011 = c
Hash Functions
Mathematical algorithms that generate message summary/digest to confirm message
identity and confirm no content has changed
Hash algorithms: publicly known functions that create hash value
Use of keys not required; message authentication code (MAC), however, may be
attached to a message
Used in password verification systems to confirm identity of user
Cryptographic Algorithms
Often grouped into two broad categories, symmetric and asymmetric; today’s popular
cryptosystems use hybrid combination of symmetric and asymmetric algorithms
Symmetric and asymmetric algorithms distinguished by types of keys used for
encryption and decryption operations
Symmetric encryption: uses same “secret key” to encipher and decipher message
Encryption methods can be extremely efficient, requiring minimal processing
Both sender and receiver must possess encryption key
If either copy of key is compromised, an intermediate can decrypt and read
messages
Cryptographic Tools
Public Key Infrastructure (PKI): integrated system of software, encryption
methodologies, protocols, legal agreements, and third-party services enabling users to
communicate securely
PKI systems based on public-key cryptosystems; include digital certificates and
certificate authorities (CAs)
PKI protects information assets in several ways:
Authentication
Integrity
Privacy
Authorization
Nonrepudiation
Digital Signatures
Encrypted messages that can be mathematically proven to be authentic
Created in response to rising need to verify information transferred using electronic
systems
Asymmetric encryption processes used to create digital signatures
Digital Certificates
Electronic document containing key value and identifying information about entity
that controls key
Digital signature attached to certificate’s container file to certify file is from entity it
claims to be from
Steganography
Process of hiding information; in use for a long time
Most popular modern version hides information within files appearing to contain
digital pictures or other images
Some applications hide messages in .bmp, .wav, .mp3, and .au files, as well as in
unused space on CDs and DVDs
Protocols for Secure Communications
Securing Internet Communication with S-HTTP and SSL
Secure Socket Layer (SSL) protocol: uses public key encryption to secure
channel over public Internet
Secure Hypertext Transfer Protocol (S-HTTP): extended version of Hypertext
Transfer Protocol; provides for encryption of individual messages between
client and server across Internet
S-HTTP is the application of SSL over HTTP; allows encryption of
information passing between computers through protected and secure virtual
connection
Securing e-mail with S/MIME, PEM, and PGP
Secure Multipurpose Internet Mail Extensions (S/MIME): builds on
Multipurpose Internet Mail Extensions (MIME) encoding format by adding
encryption and authentication
Privacy Enhanced Mail (PEM): proposed as standard to function with public-
key cryptosystems; uses 3DES symmetric key encryption
Pretty Good Privacy (PGP): uses IDEA Cipher for message encoding
Attacks on Cryptosystems
Attempts to gain unauthorized access to secure communications have typically used
brute force attacks (ciphertext attacks)
Attacker may alternatively conduct known-plaintext attack or selected-plaintext attach
schemes
Man-in-the-Middle Attack
Designed to intercept transmission of public key or insert known key structure in
place of requested public key
From victim’s perspective, encrypted communication appears to be occurring
normally, but in fact attacker receives each encrypted message, decodes, encrypts, and
sends to originally intended recipient
Establishment of public keys with digital signatures can prevent traditional man-in-
the-middle attack
Correlation Attacks
Collection of brute-force methods that attempt to deduce statistical relationships
between structure of unknown key and ciphertext
Differential and linear cryptanalysis have been used to mount successful attacks
Only defense is selection of strong cryptosystems, thorough key management, and
strict adherence to best practices of cryptography in frequency of changing keys
Timing Attacks
Attacker eavesdrops during victim’s session; uses statistical analysis of user’s typing
patterns and inter-keystroke timings to discern sensitive session information
Can be used to gain information about encryption key and possibly cryptosystem in
use
Once encryption successfully broken, attacker may launch a replay attack (an attempt
to resubmit recording of deciphered authentication to gain entry into secure source)
Defending Against Attacks
No matter how sophisticated encryption and cryptosystems have become, if key is
discovered, message can be determined
Key management is not so much management of technology but rather management
of people
Unit - V
Introduction
• SecSDLC implementation phase accomplished through changing configuration and
operation of organization’s information systems
• Implementation includes changes to procedures, people, hardware, software, and data
• Organization translates blueprint for information security into a concrete project plan
• Once organization’s vision and objectives are understood, process for creating project
plan can be defined
• Major steps in executing project plan are:
– Planning the project
– Supervising tasks and action steps
– Wrapping up
•Each organization must determine its own project management methodology for IT and
information security projects
Developing the Project Plan
• Creation of project plan can be done using work breakdown structure (WBS)
• Major project tasks in WBS are work to be accomplished; individuals assigned; start and
end dates; amount of effort required; estimated capital and noncapital expenses; and
identification of dependencies between/among tasks
• Each major WBS task further divided into smaller tasks or specific action steps
• No matter what information security needs exist, amount of effort that can be
expended depends on funds available
• Cost-benefit analysis must be verified prior to development of project plan
• Both public and private organizations have budgetary constraints, though of a
different nature
• To justify an amount budgeted for a security project at either public or for-profit
organizations, may be useful to benchmark expenses of similar organizations
Priority Considerations
Procurement Considerations
• IT and information security planners must consider acquisition of goods and services
• Many constraints on selection process for equipment and services in most
organizations, specifically in selection of service vendors or products from
manufacturers/suppliers
• These constraints may eliminate a technology from realm of possibilities
• Size of organization and normal conduct of business may preclude a single large
training program on new security procedures/technologies
• Thus, organization should conduct phased-in or pilot approach to implementation
Scope Considerations
•Project scope: concerns boundaries of time and effort-hours needed to deliver planned
features and quality level of project deliverables
• In the case of information security, project plans should not attempt to implement
entire security system at one time
The Need for Project Management
Supervising Implementation
• Often, project manager can adjust one of three parameters for task being corrected:
effort and money allocated; scheduling impact; quality or quantity of deliverable
• Negative feedback loop
Project Wrap-up
• Some parts of implementation process are technical in nature, dealing with application of
technology
• Others are not, dealing instead with human interface to technical systems
Conversion Strategies
• As components of new security system are planned, provisions must be made for
changeover from previous method of performing task to new method
• Four basic approaches
– Direct changeover
– Phased implementation
– Pilot implementation
– Parallel operations
To Outsource or Not
•Other parts of implementation process are not technical in nature, dealing with the
human interface to technical systems
• Include creating a culture of change management as well as considerations for
organizations facing change
The Culture of Change Management
• The more ingrained the previous methods and behaviors, the more difficult the change
• Best to improve interaction between affected members of organization and project
planners in early project phases
• Three-step process for project managers: communicate, educate, and involve
Introduction
Maintaining a secure environment requires that the InfoSec department be carefully
– Staffing budget
technology alone
–
Work well with people in general and communicate effectively using both
strong written and verbal communication skills
– Acknowledge the role of policy in guiding security efforts
– Understand the essential role of information security education and training,
which helps make users part of the solution, rather than part of the problem
When hiring information security professionals at all levels, organizations frequently
look for individuals who have the following abilities (continued):
– Perceive the threats facing an organization, understand how these threats can
become transformed into attacks, and safeguard the organization from
information security attacks
– Understand how technical controls can be applied to solve specific
information security problems
– Demonstrate familiarity with the mainstream information technologies
Security technicians are technically qualified individuals who ensure that the security
technology is properly implemented
The role of security technician is the typical information security entry-level position,
albeit a technical one
Security technicians often tend to be specialized
Organizations typically prefer expert, certified, proficient technicians
Job requirements usually include some level of experience
Security Manager Qualifications and Position Requirements
Security Manager is accountable for day to day operations of information security
program
These individuals require an understanding of the technology administered
Several types of information security managers exist, and the people who fill these
roles tend to be much more specialized
It is not uncommon for a security manager to have a CISSP
These individuals must have experience in traditional business activities
Chief Information Security Officer (CISO) Qualifications and Position Requirements
The CISO is considered the top information security officer in the organization
This individual is the spokesperson for the security team and is responsible for the
overall information security program
The most common qualification for the CISO is the Certified Information Systems
Security Professional (CISSP)
A graduate degree in criminal justice, business, technology, or another related field is
usually required as well
Information Security Professional Credentials
Many organizations rely to some extent on recognizable professional certifications to
Security Checks
A background check should be conducted before the organization
extends an offer to any candidate
Background checks differ in their levels of detain and depth
Common Background Checks
Some of the common security background checks include
– Identity checks
– Education and credential checks
– Previous employment verification
– Reference checks
– Worker’s compensation history
– Motor vehicle records
– Drug history
– Medical history
– Credit history
– Civil court history
– Criminal court history
Integrating information security into the hiring process requires that security
considerations are applied to (continued):
– Contracts and Employment
Monitoring and nondisclosure agreements must be made a part of the
employment contracts
Apply “employment contingent upon agreement” where required
– New Hire Orientation
New employees should receive, as part of their orientation, an
extensive information security briefing
Job rotation
Task rotation
Mandatory vacation
Principle of least privilege
Hostile Departure
Security cuts off all logical and keycard access, before the employee is terminated
The employee reports for work, and is escorted into the supervisor’s office to receive the
bad news
The individual is then escorted from the workplace and informed that his or her
personal property will be forwarded, or is escorted to his or her office, cubicle, or
personal area to collect personal effects under supervision
Once personal property has been gathered, the employee is asked to surrender all
remaining company property, and is then escorted from the building
Friendly Departure
The employee may have tendered notice well in advance of the actual departure date
Employee accounts are usually allowed to continue, with a new expiration date
The employee can come and go at will and usually collects any belongings and leaves
without escort
The employee is asked to drop off all organizational property before departing.
Termination Issues
In either circumstance, the offices and information used by departing employees must be
inventoried, their files stored or destroyed, and all property returned to organizational
stores
It is possible that departing employees have collected and taken home information or
assets that could be valuable in their future jobs
Only by scrutinizing system logs during the transition period can the organization
determine whether a breach of policy or a loss of information has occurred
QUESTION BANK
UNIT -1
Blooms Course
Taxonomy Outcome
S.NO QUESTION Level
1. Differentiate between threat and attack. L2 CO1
5. How would you categorize data ownership and explain their L3 CO1
responsibilities?
6. What is 3-D NSTISSC model of security? L1 CO1
Blooms Course
Taxonomy Outcome
S.NO QUESTION Level
1. Explain the theme of SSDLC. (What approach would you use to L3 CO1
implement Information Security system in an organization?
Explain?)
2. Describe critical characteristics of information. How are they L3 CO1
used in the study of computer
security?
3. Discuss in detail about the important characteristics of L2 CO1
information from Information Security point of view.
4. Will you state in your words about different types of attacks on L2 CO1
Information System.
5. Can you list and describe all possible threats to Information L1 CO1
Systems.
UNIT –II
PART-A: SHORT ANSWER QUESTIONS
Blooms Course
Taxonomy Outcome
S.NO QUESTION Level
1. How does due diligence differ from due care? Explain the L4 CO2
Important of them?
2. What are the three general causes of unethical and illegal L1 CO2
behavior. What could be done to deter those behaviors?
3. How is an organizational policy different from Law? L1 CO2
Blooms Course
Taxonomy Outcome
S.NO QUESTION Level
1. Explain in details about relevant US laws regarding computer L1 CO2
security?
2. List and explain different risks control strategies. L1 CO2
Blooms Course
Taxonomy Outcome
S.NO QUESTION Level
1. How does packet filtering firewall work. L1 CO3
Blooms Course
Taxonomy Outcome
S.NO QUESTION Level
1. Explain in detail about design of security architecture L1 CO3
Blooms Course
Taxonomy Outcome
S.NO QUESTION Level
6. What is foot printing? L1 CO4
12. Is AES more secure to attack than DES. Justify your answer. L2 CO4
Blooms Course
Taxonomy Outcome
S.NO QUESTION Level
1. Explain in detail about cipher methods. L1 CO4
5. What are the different types of IDPS that you can used in the L1 CO4
design of IS system? Discuss in depth.
6. What is the effective bio-metric authorization technology? Why L1 CO4
it is to be most effective in view of security professionals.
7. Describe in detail about attacks on cryptosystems L1 CO4
Blooms Course
Taxonomy Outcome
S.NO QUESTION Level
1. What is digital forensic and when is it used in a business setting. L2 CO5
Blooms Course
Taxonomy Outcome
S.NO QUESTION Level
1. Explain in details about Information Security Project L2 CO5
Management.
2. Discuss about Technical and Non-Technical aspects of L2 CO5
information security management.
3. What functions does the security technician perform and what L3 CO5
are the key qualification and requirements for the position.
4. Discuss about Employment policies and practices followed by L2 CO5
an organization.
5. Discuss the steps in configuration management L1 CO5
ASSIGNMENT QUESTIONS
Assignment-1
1. Describe the critical characteristics of information. How are they used in the study of
computer security? [CO1][L1] -1M
2. Explain the various types of law? What is the primary example of public
law?[CO2][L2]- 1M
3. Explain the Mc Cumber cube and illustrate its role in information security?[CO1][L2]- 1M
Assignment-2
1. Define scanning. What are the various types for scanning and analysis tools [CO3][L2]
-1M
4. What is honey pot and honey net? Explain its role. [CO4][L2]-1M
3. With a neat diagram summarize the Bull’s Eye model.Diagram: depict bull’s eye – 1M
Explanation: 1Mark
1. Fear of Penalty
2. Probability of being Caught
3. Probability of peanlty being administered -1Mark
3. Definition of 1. Intrusion
2. Intrusion reaction
3. Intrusion prevention 2 Marks
4. Intrusion correction
5. Intrusion detection
2. Definition of Ethics. -1 M
List and explanation of the ten commandments of Computer ethics. -1M
3. Definition of Benchmark. -1 M
Need of benchmark and how benchmarks are created for any information security system.
-1 M
4. Definition of Attack. -1 M
Listing of any 7 attacks on an information system. -2 M
Explanation of each attack and its impact on information system. -4 M
3. Definition of Firewall. -1 M
Description regarding the working procedure of Packet Filtering firewall -1 M
4. Definition of Intrusion. -1 M
Listing of various Intrusion detection and prevention techniques. -2 M
Comparison of its pros and cons regarding Information security. -5 M
6. Definition of Cryptography. -1 M
Listing of different types of cryptographic mechanisms. -1 M
Explanation of different cryptographic algoritms. -6 M
TOPIC Description:
1. Cyber Security and its Threats: A cyber or cybersecurity threat is a malicious act that seeks to
damage data, steal data, or disrupt digital life in general. Cyber attacks include threats like
computer viruses, data breaches, and Denial of Service (DoS) attacks. There are ten common
types of cyber threats:
1. Malware. Software that performs a malicious task on a target device or network, e.g.
corrupting data or taking over a system.
2. Phishing. An email-borne attack that involves tricking the email recipient into
disclosing confidential information or downloading malware by clicking on a
hyperlink in the message.
3. Spear Phishing. A more sophisticated form of phishing where the attacker learns
about the victim and impersonates someone he or she knows and trusts.
4. “Man in the Middle” (MitM) attack. Where an attacker establishes a position between
the sender and recipient of electronic messages and intercepts them, perhaps changing
them in transit. The sender and recipient believe they are communicating directly
with one another. A MitM attack might be used in the military to confuse an enemy.
5. Trojans. Named after the Trojan Horse of ancient Greek history, the Trojan is a type
of malware that enters a target system looking like one thing, e.g. a standard piece of
software, but then lets out the malicious code once inside the host system.
6. Ransomware. An attack that involves encrypting data on the target system and
demanding a ransom in exchange for letting the user have access to the data again.
These attacks range from low-level nuisances to serious incidents like the locking
down of the entire city of Atlanta’s municipal government data in 2018.
7. Denial of Service attack or Distributed Denial of Service Attack (DDoS). Where an
attacker takes over many (perhaps thousands) of devices and uses them to invoke the
functions of a target system, e.g. a website, causing it to crash from an overload of
demand.
8. Attacks on IoT Devices. IoT devices like industrial sensors are vulnerable to multiple
types of cyber threats. These include hackers taking over the device to make it part of
a DDoS attack and unauthorized access to data being collected by the device. Given
their numbers, geographic distribution and frequently out-of-date operating systems,
IoT devices are a prime target for malicious actors.
9. Data Breaches. A data breach is a theft of data by a malicious actor. Motives for data
breaches include crime (i.e. identity theft), a desire to embarrass an institution (e.g.
Edward Snowden or the DNC hack) and espionage.
10. Malware on Mobile Apps. Mobile devices are vulnerable to malware attacks just like
other computing hardware. Attackers may embed malware in app downloads, mobile
websites or phishing emails and text messages. Once compromised, a mobile device
can give the malicious actor access to personal information, location data, financial
accounts and more.
3. Internet Security issues: Top 5 Most Common Security Issues and How to Fix Them
1. Code Injection. Hackers are sometimes able to exploit vulnerabilities in
applications to insert malicious code. ...
2. Data Breach. The cost of data breaches is well documented. ...
3. Malware Infection. ...
4. Distributed Denial of Service Attack. ...
5. Malicious Insiders.
*************END************