Chapter 6


Dr.G.NIRMALA

CYBER SECURITY AND DIGITAL FORENSICS

UNIT-6
Asset Valuation:

An important step in risk analysis is to appraise the value of an organization's assets. If an asset
has no value, there is no need to protect it. A primary goal of risk analysis is to ensure that only
cost-effective safeguards are deployed: it makes no sense to spend $100,000 protecting an asset
that is worth only $1,000. The value of an asset directly guides the level of safeguards and
security deployed to protect it. As a rule, the annual cost of a safeguard should not exceed the
expected annual cost of losing the asset (its annualized loss expectancy); a safeguard that costs
more per year than the loss it prevents is not worth deploying. Many aspects must be considered
when an asset is valued. The goal of asset valuation is to assign the asset a specific dollar value
that encompasses tangible costs as well as intangible ones. Determining an exact value is often
difficult, if not impossible, but a specific value must nevertheless be established. (The discussion
of qualitative versus quantitative risk analysis in the next section may clarify this issue.)
Assigning value improperly can result in failing to protect an asset adequately or in deploying
financially infeasible safeguards. The following tangible and intangible factors contribute to the
valuation of assets:

■ Purchase cost

■ Development cost

■ Administrative or management cost

■ Maintenance or upkeep cost

■ Cost in acquiring asset

■ Cost to protect or sustain asset

■ Value to owners and users

■ Value to competitors

■ Intellectual property or equity value

■ Market valuation (sustainable price)

■ Replacement cost

■ Productivity enhancement or degradation


■ Operational costs of asset presence and loss

■ Liability of asset loss

■ Usefulness

Assigning or determining the value of assets to an organization fulfills numerous requirements.
It serves as the foundation for a cost/benefit analysis of asset protection through safeguard
deployment. It serves as a means for selecting or evaluating safeguards and countermeasures. It
provides values for insurance purposes and establishes an overall net worth or net value for the
organization. It helps senior management understand exactly what is at risk within the
organization. Understanding the value of assets also helps to prevent negligence of due care and
encourages compliance with legal requirements, industry regulations, and internal security
policies.

Risk reporting is a key task to perform at the conclusion of a risk analysis. It involves producing
a risk report and presenting it to the interested or relevant parties. For many organizations, risk
reporting is an internal concern only, whereas others are subject to regulations that mandate
third-party or public reporting of their risk findings. A risk report should be accurate, timely,
comprehensive of the entire organization, clear and precise enough to support decision making,
and updated on a regular basis.
Business Impact Assessment:

Business impact analysis (BIA) is a systematic process to determine and evaluate the potential
effects of an interruption to critical business operations as a result of a disaster, accident or
emergency. A BIA is an essential component of an organization's business continuity plan; it
includes an exploratory component to reveal vulnerabilities and a planning component to
develop strategies for minimizing risk. The result is a business impact analysis report, which
describes the potential risks specific to the organization studied. One of the basic assumptions
behind BIA is that every component of the organization relies on the continued functioning of
every other component, but some are more crucial than others and require a greater allocation
of funds in the wake of a disaster. For example, a business may be able to continue more or less
normally if the cafeteria has to close, but would come to a complete halt if its information
system crashed.

Risk Identification:

Risk identification is the process of identifying and recording potential project risks that can
affect project delivery. This step is crucial for efficient risk management throughout the project.
The outputs of risk identification are used as input to risk analysis, and they reduce a project
manager's uncertainty. It is an iterative process, repeated throughout the duration of a project,
and it needs to be rigorous to make sure that all possible risks are identified.
An effective risk identification process should include the following steps:

Creating a systematic process - The risk identification process should begin with project
objectives and success factors.

Gathering information from various sources - Reliable and high-quality information is
essential for effective risk management.

Applying risk identification tools and techniques - The choice of the most suitable techniques
will depend on the types of risks and activities, as well as organizational maturity.

Documenting the risks - Identified risks should be documented in a risk register and a risk
breakdown structure, along with their causes and consequences.

Documenting the risk identification process - To improve and ease the risk identification
process for future projects, the approach, participants, and scope of the process should be
recorded.

Assessing the process's effectiveness - To improve it for future use, the effectiveness of the
chosen process should be critically assessed after the project is completed.

Risk qualification:

Risk Qualification involves evaluating risks and risk interaction to assess the range of possible
project outcomes. It is primarily concerned with determining which risk events warrant response
by considering the following factors:

● Opportunities and threats can interact in unanticipated ways.
● A single risk event can cause multiple effects.
● Opportunities for one stakeholder may be threats to another.
● Mathematical techniques can create a false sense of precision.

Risk Response Development And Control :

Risk response development involves defining enhancement steps for opportunities and responses
to threats. These generally fall into three categories:

● Avoidance - eliminating a specific threat, usually by eliminating its cause.
● Mitigation - reducing the expected monetary value of a risk event by reducing its
probability of occurrence, reducing the loss it would cause, or both.
● Acceptance - accepting the consequences, either actively (for example by setting aside a
contingency reserve) or passively (doing nothing until the event occurs).
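
The cost/benefit rule from the Asset Valuation section above (a safeguard's annual cost should not exceed the expected annual loss it prevents) and the definition of mitigation just above (reduce the probability of occurrence, the loss per event, or both) can be worked through numerically. The following is an added example written for this page, not material from the lecture notes. It uses the standard quantitative risk formulas (SLE = asset value × exposure factor; ALE = SLE × ARO; safeguard value = ALE before − ALE after − annual cost of the safeguard), which the notes refer to only as "expected annual cost of asset loss"; the asset, threat and safeguard figures are constructed for illustration.

```python
"""Quantitative cost/benefit test for safeguards (added example).

Standard formulas:
    SLE = asset value * exposure factor        (loss from one occurrence)
    ALE = SLE * ARO                            (expected loss per year)
    safeguard value = ALE_before - ALE_after - annual safeguard cost
All asset, threat and safeguard figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # tangible plus intangible valuation, in dollars


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # fraction of the asset value lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence, events per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    aro_after: float              # ARO once the safeguard is in place
    exposure_factor_after: float  # exposure factor once the safeguard is in place


def sle(asset: Asset, exposure_factor: float) -> float:
    """Single loss expectancy: the cost of one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset.value * exposure_factor


def ale(asset: Asset, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: the expected annual cost of losing the asset."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle(asset, exposure_factor) * aro


def safeguard_value(asset: Asset, threat: Threat, sg: Safeguard) -> float:
    """Net annual value of a safeguard. Negative means it costs more than it saves."""
    before = ale(asset, threat.exposure_factor, threat.aro)
    after = ale(asset, sg.exposure_factor_after, sg.aro_after)
    return before - after - sg.annual_cost


def is_cost_effective(asset: Asset, threat: Threat, sg: Safeguard) -> bool:
    """The rule from the notes: deploy only if the safeguard saves more than it costs."""
    return safeguard_value(asset, threat, sg) > 0.0


def choose_safeguard(asset: Asset, threat: Threat,
                     candidates: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Pick the candidate with the highest net value; None if none pays for itself."""
    ranked = sorted(candidates, key=lambda s: safeguard_value(asset, threat, s), reverse=True)
    if not ranked or safeguard_value(asset, threat, ranked[0]) <= 0.0:
        return None
    return ranked[0]


# Constructed figures: a customer database valued at $1M facing ransomware that
# is expected once every five years and, on average, destroys half its value.
CUSTOMER_DB = Asset("customer database", 1_000_000.0)
RANSOMWARE = Threat("ransomware", exposure_factor=0.5, aro=0.2)

# Three candidate safeguards. Backups cut the loss per event (exposure factor);
# endpoint detection cuts the probability (ARO); the "gold-plated" option cuts
# both but costs more per year than the risk it removes.
OFFLINE_BACKUPS = Safeguard("offline backups", 15_000.0, aro_after=0.2, exposure_factor_after=0.1)
ENDPOINT_DETECTION = Safeguard("endpoint detection", 40_000.0, aro_after=0.05, exposure_factor_after=0.5)
GOLD_PLATED = Safeguard("gold-plated controls", 120_000.0, aro_after=0.01, exposure_factor_after=0.1)
CANDIDATES = (OFFLINE_BACKUPS, ENDPOINT_DETECTION, GOLD_PLATED)


if __name__ == "__main__":
    print(f"ALE without safeguards: ${ale(CUSTOMER_DB, RANSOMWARE.exposure_factor, RANSOMWARE.aro):,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name:22s} net value ${safeguard_value(CUSTOMER_DB, RANSOMWARE, sg):>10,.0f}"
              f"  cost-effective={is_cost_effective(CUSTOMER_DB, RANSOMWARE, sg)}")
    best = choose_safeguard(CUSTOMER_DB, RANSOMWARE, CANDIDATES)
    print("recommended:", best.name if best else "none")
```

With these figures the unmitigated ALE is $100,000 a year; offline backups net $65,000, endpoint detection nets $35,000, and the gold-plated option nets −$21,000, which is exactly the "$100,000 to protect $1,000" situation the notes warn against.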

Inputs:

1. Opportunities to pursue, threats to respond to
2. Opportunities to ignore, threats to accept

Tools and techniques:

1. Procurement
2. Contingency planning
3. Alternative strategies
4. Insurance

Outputs:

1. Risk management plan
2. Inputs to other processes
3. Contingency plans
4. Reserves
5. Contractual agreements

Control:

Reassessment
Project risk reassessments should be regularly scheduled to keep the risk register updated. How
often and in how much detail depends on how the project is progressing relative to its
objectives, as well as on which risks (if any) actually materialize.

Audits
These should be scheduled in the risk plan and examine the effectiveness of risk responses in
dealing with identified risks and their root causes. The objectives should be clearly defined in
advance, and the audit may form part of the routine project review meetings or may be run
separately, each producing its own project audit report.

Trend Analysis
Earned value analysis and other methods of project variance and trend analysis may be used for
monitoring overall project performance. Outcomes from these analyses may forecast potential
deviation of the project at completion from cost and schedule targets. Deviation from the
baseline plan may indicate the potential impact of threats or opportunities.

Performance Measurement
This is designed to indicate the degree of technical risk faced by the project. Where deliverables
can be measured against the plan in a quantitative way (e.g. response times, number of defects),
this can predict the degree of success in achieving the technical aims of the project.

Reserve Analysis
This compares the contingency reserves remaining with the amount of risk remaining at any
point in the project, in order to determine whether the remaining reserve is adequate.

Implementing contingency plans or workarounds sometimes results in a change request.

• Recommended preventive actions are documented directions to perform an activity that can
reduce the probability of negative consequences associated with project risks.
• Recommended corrective actions include contingency plans and workarounds. The latter are
responses that were not initially planned but are required to deal with emerging risks that were
previously unidentified or accepted passively.

If the approved change requests affect the process of managing risk, the corresponding
component documents of the project plan are revised and reissued to reflect the approved
changes.
Security policy:

An information security policy is a set of policies issued by an organization to ensure that all
information technology users within the domain of the organization or its networks comply with
rules and guidelines related to the security of the information stored digitally at any point in the
network or within the organization's boundaries of authority.

The evolution of computer networks has made the sharing of information ever more prevalent.
Information is now exchanged in volumes that are hard to comprehend. A proportion of that data
is not intended for sharing beyond a limited group, and much of it is protected by law or as
intellectual property. An information security policy endeavors to enact those protections and to
limit the distribution of data not in the public domain to authorized recipients.

Every organization needs to protect its data and also control how it is distributed, both within
and outside the organizational boundaries. This may mean that information has to be encrypted,
that its release has to be authorized by a third party or institution, and that restrictions are placed
on its distribution according to a classification system laid out in the information security
policy.
An example of the use of an information security policy might be a data storage facility which
stores database records on behalf of medical facilities. These records are sensitive and cannot be
shared, under penalty of law, with any unauthorized recipient, whether a person or another
device. The policy would be enforced within the software the facility uses to manage the data it
is responsible for. In addition, workers would generally be contractually bound to comply with
the policy and would have to have read it before operating the data management software.

A business might employ an information security policy to protect its digital assets and
intellectual property in an effort to prevent theft of industrial secrets and of information that
could benefit competitors.

A typical security policy is hierarchical and applies differently depending on whom it applies
to. For example, the secretarial staff who type all the communications of an organization are
usually bound never to share any information unless explicitly authorized, whereas a more
senior manager may be deemed authoritative enough to decide what information produced by
the secretaries can be shared, and with whom, and so is not bound by the same policy terms. To
cover the whole organization, therefore, information security policies frequently contain
different specifications depending upon the authoritative status of the persons they apply to.
Compliance:

The cyber security landscape is plagued by the fact that cybercriminals seem to be permanently
one step ahead, and rather than addressing the problem, regulation in some cases seems to be
compounding it. Understandably, many organizations are opting to define security policies based
on regulatory requirements; the result, however, is that their security postures very quickly
become out of date. Not only are regulations typically at least 24 months old by the time they
are implemented, but a compliance-only approach actually provides attackers with an 'access
blueprint': the weaknesses in the security model that are not covered by regulation are clearly
visible.
Disturbing trend
With high profile security breaches continuing to hit the headlines, organizations are clearly
struggling to lock down data against the continuously evolving threat landscape. Yet these
breaches are not occurring at companies that have failed to recognize the risk to customer data;
many have occurred at organizations that are meeting regulatory compliance requirements to
protect customer data.
Given the huge investment companies in every market are making in order to comply with the
raft of regulation that has been introduced over the past couple of decades, this continued
vulnerability is – or should be – a massive concern. Regulatory compliance is clearly no
safeguard against data breach.
Hacking blueprint

Yet despite this obvious vulnerability, organizations are actually moving towards a compliance
first model, rather than away. Rather than extending the remit of the Chief Information Security
Officer (CISO), growing numbers of organizations are recruiting Chief Compliance Officers
(CCO), effectively side-lining the data security requirements of the business. Compliance is
important, clearly, but it should be a subset of the overall security strategy – with the CCO
reporting to, not replacing, the CISO.
Following this attitude to its logical conclusion can only further undermine an organization’s
security posture: organizations looking to meet compliance requirements may avoid penalties,
but they are not secure. In fact, by taking a compliance-first approach, organizations are
effectively advertising their security posture to hackers. A published regulation, while open to
some interpretation, outlines requirements very clearly – effectively presenting a hacker with a
network blueprint that highlights potential vulnerabilities.
Attaining regulatory compliance offers organizations a false sense of security on many levels,
not only as a result of the new threat landscape but also when we consider the ways in which
emerging connected technology is being used. The adoption of the Internet of Things (IoT) is a
prime example of regulation's inability to keep pace. The Health Insurance Portability and
Accountability Act (HIPAA), for example, has specific requirements related to patient data
management, but an attacker breaching an IoT patient monitoring device may compromise not
just the patient's data but potentially the patient's life, by tampering with the device's settings.
Would compliance with the existing HIPAA requirements stand up in court should that patient's
family sue for mismanagement? Put a security expert on the witness stand and most probably
not. Security teams know that prioritizing compliance demands over effective data security is
wrong, and businesses that fail to listen will pay the price.
New mindset
The entire security model is flawed not least because most regulatory bodies are still adhering to
the ‘secure the border’ model. Breach prevention, even breach detection, are not adequate
security postures. They assume a level of trust – that anyone or anything inside the border is
trusted until proved otherwise. But this is patently untrue, as the raft of breaches - many of them
undetected for months – reveal.
Organizations and regulators alike need to stop trying to build trust into an infrastructure and
adopt a ‘Zero Trust’ mindset. This means decoupling security from the complexity of the IT
infrastructure and addressing specific user/ IoT device vulnerability. Instead of firewalls,
network protocols and IoT gateways, organizations should consider data assets and applications;
and then determine which user roles require access to those assets.
Building on existing policies for user access and identity management, organizations can use
cryptographic segmentation to ensure that only privileged users have access to privileged
applications or information. Each cryptographic domain has its own encryption key, so a foothold
in one compromised domain or segment does not by itself give an attacker readable access to
another: escalating privileges on the compromised segment yields nothing for data held in a
domain whose key that segment does not have, and the breach is contained. The caveat is that
this containment is only as strong as the key management behind it: the keys must be protected
(for example in a hardware security module or a dedicated key management service), no single
host or identity should hold the keys of several domains, and an account that is legitimately
entitled to several domains remains a path across them if it is compromised.
It is by creating a Zero Trust approach to data security first, and only then overlaying any
specific compliance requirements, that organizations can lock down the business against threat
and meet regulatory demands.
Business continuity:
The NIS Directive


By May 2018, the Directive on Security of Network and Information Systems (NIS Directive)
will be transposed into national law. The Directive requires operators of essential services (OESs)
and digital service providers (DSPs) that support the nation's infrastructure to enhance their cyber
security by employing risk management and appropriate security measures, as well as measures
that minimise the impact of incidents and ensure business continuity.

The GDPR
On 25 May 2018, the EU's General Data Protection Regulation (GDPR) will come into effect,
with a wide-reaching and significant shift in the way that organisations are expected to protect
personal data.
Although the GDPR grants data subjects a number of new rights, it also requires organisations to
adopt "appropriate technical and organisational measures" to protect personal data, including
"the ability to restore the availability and access to personal data in a timely manner in the event
of a physical or technical incident" (Article 32).
Targeted cyber attacks
According to a survey conducted at Black Hat Europe 2017, the biggest cause for concern among
cyber security professionals is targeted cyber attacks aimed at their organisation, and the
detrimental effects these might have.
These cyber attacks could completely disrupt business operations, cause immeasurable damage
to functionality and bring business operations to a standstill.
An increase in cyber attacks on critical infrastructure
Security professionals also predict a 100% increase in attacks on organisations involved in
critical infrastructure within the next two years. If these cyber attacks were to strike one of the
nation's critical facilities, it could have devastating consequences and may cause untold damage
to a specific sector.
The recent NotPetya attack and the impact it had on the shipping industry is an example of how
substandard security measures can result in devastation. In the NotPetya case, IT systems were
shut down, shipping companies were unable to unload containers, customer orders went missing
or were cancelled, and ships had to be rerouted to alternative destinations.
Increasing natural disasters
As well as cyber attacks, natural disasters are a real threat to an organization's business resilience
and can disrupt information security, networks and systems.
Natural disasters are unpredictable and unstoppable. Whereas an organization can defend against
a cyber attack and potentially prevent a data breach from happening, it cannot prevent a flood or
an earthquake; an effective business continuity management system (BCMS) makes the
organization evaluate its environment and plan for that kind of disruption.
Business continuity management solutions
In the event of a disruptive incident, returning to 'business as usual' is a priority. An effective
BCMS gives you the assurance that your organization can recover from a damaging incident as
quickly as possible and minimize interruption to business operations.
IT Governance offers a variety of business continuity solutions to help you ensure your
organisation is as prepared as it can be for a disruptive incident, and compliant with the
requirements of upcoming EU legislation.
Forensic investigation using access data FTK:

FTK imager:

FTK Imager is a free data acquisition tool from AccessData. It creates a forensic image as a bit
stream, that is, a sector-by-sector copy of the entire drive, including unallocated space and file
slack, rather than a copy of only the files the operating system can see. Other features include
capture of volatile data from RAM, previewing files and folders before a full analysis, and
exporting individual files. Images can be written in raw (dd), SMART, E01 and AFF formats,
and the tool computes MD5 and SHA-1 hashes of the image as it is written so that the copy can
be verified against the source afterwards.

Supported file systems include FAT12/16/32, NTFS (including compressed NTFS), and Linux
ext2 and ext3. FTK Imager is the acquisition component; the full analysis suite is AccessData's
Forensic Toolkit (FTK).
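
What "bit stream" and "verification" mean in practice can be shown with a small simulation. The following is an added example written for this page, not FTK Imager's code: it acquires a constructed 4 KiB "disk" byte for byte while computing MD5 and SHA-1 (the two hashes FTK Imager records), re-verifies the image afterwards, and contrasts the result with a file-level copy that misses a deleted file's remnant in unallocated space. The toy disk layout, file names and contents are made up for the example; the same hash comparison is what the EnCase verification mentioned later in this unit reports.

```python
"""Bit-stream acquisition with hash verification, versus a logical file copy.

Added example. The 4 KiB "disk", its allocation table and file contents are
constructed; the acquisition and verification logic is the general technique.
"""
import hashlib
import io
from dataclasses import dataclass

CHUNK_SIZE = 1024  # small so the toy disk is read in several chunks


@dataclass(frozen=True)
class Acquisition:
    image: bytes
    size: int
    md5: str
    sha1: str


def acquire(device: io.BufferedIOBase, chunk_size: int = CHUNK_SIZE) -> Acquisition:
    """Bit-stream copy: read every byte from offset 0 to the end of the device,
    hashing each chunk as it is written so the recorded hashes describe the source."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    out = io.BytesIO()
    device.seek(0)
    while True:
        chunk = device.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        sha1.update(chunk)
        out.write(chunk)
    image = out.getvalue()
    return Acquisition(image, len(image), md5.hexdigest(), sha1.hexdigest())


def acquire_bytes(data: bytes, chunk_size: int = CHUNK_SIZE) -> Acquisition:
    """Convenience wrapper: acquire from an in-memory device."""
    return acquire(io.BytesIO(data), chunk_size)


def verify(image: bytes, record: Acquisition) -> bool:
    """Re-hash an image and compare with the hashes recorded at acquisition.
    Any single-bit change (tampering, a bad sector copy, a truncated file)
    breaks the match. Both digests are checked, as FTK Imager's log lists both."""
    return (len(image) == record.size
            and hashlib.md5(image).hexdigest() == record.md5
            and hashlib.sha1(image).hexdigest() == record.sha1)


def logical_copy(disk: bytes, allocation: dict) -> dict:
    """What copying the visible files yields: allocated extents only. Slack and
    unallocated space, where deleted data survives, are never read."""
    return {name: disk[offset:offset + length]
            for name, (offset, length) in allocation.items()}


def make_toy_disk():
    """Constructed 4 KiB disk: two live files plus the remnant of a deleted one."""
    disk = bytearray(4096)
    allocation = {"notes.txt": (0, 64), "config.ini": (512, 128)}
    disk[0:64] = b"meeting notes: migrate DB on Friday".ljust(64, b"\x00")
    disk[512:640] = b"[db]\nhost=10.0.0.5\nuser=app\n".ljust(128, b"\x00")
    # Deleted file: gone from the allocation table, bytes still on disk.
    remnant = b"DELETED: old admin password = hunter2"
    disk[2048:2048 + len(remnant)] = remnant
    return bytes(disk), allocation


def demo() -> dict:
    """Run acquisition, verification and the logical-copy comparison; return findings."""
    disk, allocation = make_toy_disk()
    record = acquire_bytes(disk)
    tampered = bytearray(record.image)
    tampered[100] ^= 0x01                      # flip a single bit of the image
    files = logical_copy(disk, allocation)
    return {
        "size": record.size,
        "verifies": verify(record.image, record),
        "tampered_verifies": verify(bytes(tampered), record),
        "remnant_in_image": b"DELETED:" in record.image,
        "remnant_in_logical_copy": any(b"DELETED:" in data for data in files.values()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26s} {value}")
```

The point of hashing during acquisition rather than afterwards is that the digests describe what was read from the source device; re-hashing the image later and getting the same values is the evidence that the copy is complete and unaltered. Chunk size does not affect the digests, so an image acquired with a different buffer size verifies against the same record.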

Registry viewer:

The following are some of the free and open-source tools available for registry analysis:

1. Regshot:
Regshot is an open-source registry compare utility that quickly takes a snapshot of the
registry and compares it with a second one. This is usually done after making system
changes or installing a new software product. The change report can be produced in
text or HTML format and contains a list of all modifications that have taken place
between the two snapshots (keys and values added, deleted or changed). In addition,
the folders (with subfolders) that have to be scanned for changes can be specified.
2. RegRipper:
RegRipper, written in Perl, is a Windows registry data extraction tool and an
open-source forensic application developed by Harlan Carvey. It is a fast and widely
used tool for registry analysis in forensic examinations. It is not a registry viewer; it
is used to perform analysis of Windows registry hive files. The tool was originally
written for Windows 2000, XP, and 2003 hive files.
RegRipper can be customized to the examiner's needs through the available plugins
or by writing plugins to suit specific needs.
RegRipper bypasses the Win32 API and uses James Macfarlane's
Parse::Win32Registry module to access a Windows registry hive file in an
object-oriented manner. This module is used to locate and access registry key nodes
within the hive file, as well as value nodes and their data. When a key node is
accessed, its LastWrite time is retrieved, parsed, and translated so that it is readable
by an examiner. Data is retrieved in the same manner and, if necessary, the plugin
that retrieves the data will also translate it into something readable.
Password Recovery Toolkit:

The following are some of the tools that facilitate the recovery of passwords:

1. Passware Kit Forensic:

Passware Kit Forensic is an electronic evidence discovery solution that reports all
password-protected items on a computer and decrypts them. It reduces the time spent on
recovering passwords, improves recovery rates, and gives more control over the password
recovery process. Some of its features are as follows:
1. Recovers passwords for more than 200 file types and decrypts hard disks, providing an
all-in-one user interface.
2. Scans computers and the network for password-protected files.
3. Acquires memory images of seized computers.
4. Retrieves electronic evidence in a matter of minutes from a Windows desktop search
database.
5. Supports distributed password recovery.
6. Runs from a USB thumb drive and recovers passwords without installation on the target
PC.
2. ElcomSoft:
ElcomSoft offers GPU-accelerated password recovery and decryption tools and supplies a
range of mobile extraction and analysis tools for iOS, Android, etc. Its products include:
ElcomSoft Password Recovery Bundle (Forensic Edition) comes with all the password
recovery tools in a single package. It helps to unlock documents, decrypt archives, and
break into encrypted containers.
ElcomSoft Distributed Password Recovery breaks complex passwords, recovers
encryption keys, and unlocks documents in production environments.
ElcomSoft Mobile Forensic Bundle can perform physical, logical, and over-the-air
acquisition of smartphones and tablets, break mobile backup passwords, decrypt encrypted
backups, and view and analyze the information stored on mobile devices.
ElcomSoft Cloud Explorer extracts data from Google accounts: it downloads users'
location history, contacts, Hangouts messages, Google Keep notes, Chrome browsing
history, search history and page transitions, calendars, images, etc.
3. Ophcrack:
Ophcrack is a free Windows password cracker based on a time-memory trade-off using
rainbow tables, Philippe Oechslin's refinement of Hellman's original trade-off with better
performance: the reduction function varies from column to column of each chain, so chains
that collide in different columns do not merge. Ophcrack's own figure, 99.9% of
alphanumeric passwords recovered in seconds, refers to Windows LM hashes, whose
upper-casing and splitting of the password into two 7-character halves keep the search
space small; NT hashes of long, mixed-case passwords are considerably harder. It comes
with a GUI and can run on multiple platforms.
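
To make the time-memory trade-off concrete, here is a small rainbow table. It is an added example written for this page, not Ophcrack's code or its tables: SHA-1 over the 10,000 four-digit PINs stands in for the LM/NTLM hash, and the chain length, chain count and start-point spacing are constructed parameters. The structure itself (column-dependent reduction functions, stored start/end pairs, chain regeneration on lookup, false-alarm handling) is the general rainbow-table scheme.

```python
"""Toy rainbow table: the time-memory trade-off on a tiny password space.

Added example. Hash function, password space and table parameters are stand-ins
chosen so the whole thing builds and runs in well under a second.
"""
import hashlib

SPACE = 10_000        # password space: the 4-digit PINs "0000".."9999"
CHAIN_LEN = 100       # t: hashes computed per chain
NUM_CHAINS = 400      # m: (start, end) pairs kept; m*t = 4*SPACE chain slots


def password(index: int) -> str:
    """Map an index in [0, SPACE) to the password it stands for."""
    return f"{index % SPACE:04d}"


def H(pw: str) -> bytes:
    """Stand-in for the target hash (Ophcrack targets LM/NTLM; SHA-1 is used here)."""
    return hashlib.sha1(pw.encode("ascii")).digest()


def R(digest: bytes, column: int) -> int:
    """Reduction function: squeeze a digest back into the password space.
    Making it depend on the column is what distinguishes a rainbow table from
    Hellman's scheme: two chains only merge if they collide in the same column."""
    return (int.from_bytes(digest[:8], "big") + column) % SPACE


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precomputation: walk each chain, keep only endpoint -> start point."""
    table = {}  # endpoint password -> start password
    for i in range(num_chains):
        start = (i * 7919) % SPACE   # deterministic spread of start points (constructed)
        idx = start
        for column in range(chain_len):
            idx = R(H(password(idx)), column)
        # Two chains ending at the same point have merged; keep the first one.
        table.setdefault(password(idx), password(start))
    return table


def lookup(target: bytes, table: dict, chain_len: int = CHAIN_LEN):
    """Online phase: recover the password for `target`, or None if not covered."""
    for column in range(chain_len - 1, -1, -1):
        # Assume the target sits at this column and finish the chain from there.
        idx = R(target, column)
        for later in range(column + 1, chain_len):
            idx = R(H(password(idx)), later)
        start = table.get(password(idx))
        if start is None:
            continue
        # Endpoint hit: regenerate that chain up to `column` and test the candidate.
        candidate = start
        for earlier in range(column):
            candidate = password(R(H(candidate), earlier))
        if H(candidate) == target:
            return candidate
        # Otherwise a false alarm (a merged chain); keep scanning the other columns.
    return None


def covered_passwords(table: dict, chain_len: int = CHAIN_LEN) -> set:
    """Every password the table can actually recover: regenerate all stored chains."""
    covered = set()
    for start in table.values():
        pw = start
        for column in range(chain_len):
            covered.add(pw)
            pw = password(R(H(pw), column))
    return covered


def coverage(table: dict, chain_len: int = CHAIN_LEN) -> float:
    """Fraction of the password space the table covers (the 'memory' side of the trade)."""
    return len(covered_passwords(table, chain_len)) / SPACE


if __name__ == "__main__":
    table = build_table()
    print(f"stored {len(table)} start/end pairs instead of {SPACE} hashes; "
          f"coverage {coverage(table):.1%}")
    print("lookup of H('0000') ->", lookup(H("0000"), table))
```

The trade-off is visible in the numbers: the table holds at most 400 pairs instead of 10,000 hashes, and a lookup costs up to about t²/2 hash computations instead of one dictionary probe. Coverage is below 100% because chains still merge when they collide in the same column; real tables raise coverage by building several tables with different reduction functions.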
Encase:

EnCase is used to analyze digital media. It performs data acquisition, file recovery, file parsing,
and hard disk format recovery. In its enterprise form it is a network-enabled incident response
system which offers immediate forensic analysis of volatile and static data on compromised
servers and workstations anywhere on the network, without disrupting operations. It verifies
acquired data by hashing it and reporting the hash value, so an examiner can show that the
evidence file matches the source. The networked deployment has three components:

1. The first component is the Examiner software, which is installed on a secure system where
investigations and audits are performed.

2. The second component is called SAFE, which stands for Secure Authentication For EnCase.
SAFE is a server that authenticates users, administers access rights, maintains logs of EnCase
transactions, and provides for secure data transmission.

3. The final component is the Servlet, a lightweight agent installed on network workstations and
servers to establish connectivity between the Examiner, SAFE, and the networked workstations,
servers, or services being investigated.
