
INFORMATION SECURITY - CS1014

CS1014 INFORMATION SECURITY

PREPARED BY

A.SHERLY ALPHONSE

L/CSE

EINSTEIN COLLEGE OF ENGINEERING

©Einstein College of Engineering



UNIT - 1 : INTRODUCTION

Learning Objectives

Upon completion of this material, you should be able to:


 Define information security
 Relate the history of computer security and how it evolved into information security
 Define key terms and critical concepts of information security as presented in this chapter
 Discuss the phases of the security systems development life cycle
 Present the roles of professionals involved in information security within an organization

Introduction
 Information security: a "well-informed sense of assurance that the information risks and
controls are in balance." (Jim Anderson, Inovant, 2002)
 Necessary to review the origins of this field and its impact on our understanding of
information security today


The 1970s and 80s

 ARPANET grew in popularity as did its potential for misuse


 Fundamental problems with ARPANET security were identified
 No safety procedures for dial-up connections to ARPANET
 Nonexistent user identification and authorization to system
 Late 1970s: microprocessor expanded computing capabilities and security threats
 Information security began with Rand Report R-609 (the paper that started the study of
computer security)
 Scope of computer security grew from physical security to include:
 Safety of data
 Limiting unauthorized access to data
 Involvement of personnel from multiple levels of an organization

The 1990s
 Networks of computers became more common; so too did the need to interconnect
networks
 Internet became first manifestation of a global network of networks
 In early Internet deployments, security was treated as a low priority
The Present
 The Internet brings millions of computer networks into communication with each other—
many of them unsecured
 Ability to secure a computer's data is influenced by the security of every computer to which
it is connected


What is Security?
 "The quality or state of being secure—to be free from danger"
 A successful organization should have multiple layers of security in place:
 Physical security
 Personal security
 Operations security
 Communications security
 Network security
 Information security

Critical Characteristics of Information


 The value of information comes from the characteristics it possesses:
 Availability
 Accuracy
 Authenticity
 Confidentiality
 Integrity
 Utility
 Possession

NSTISSC Security Model


Components of an Information System

 Information system (IS): the entire set of software, hardware, data, people, procedures, and
networks necessary to use information as a resource in the organization

Balancing security and access


SDLC Systems Development Life Cycle

The Security Systems Development Life Cycle


 The same phases used in traditional SDLC may be adapted to support specialized
implementation of an IS project
 Investigation
 Analysis
 Logical design
 Physical design
 Implementation
 Maintenance & change

 Identification of specific threats and creating controls to counter them


Senior Management
 Chief Information Officer (CIO)
 Senior technology officer
 Primarily responsible for advising senior executives on strategic planning
 Chief Information Security Officer (CISO)
 Primarily responsible for the assessment, management, and implementation of
information security in the organization
 Usually reports directly to the CIO

Information Security Project Team


 A number of individuals who are experienced in one or more facets of required technical
and nontechnical areas:
 Champion
 Team leader
 Security policy developers
 Risk assessment specialists
 Security professionals
 Systems administrators
 End users

Data Ownership
 Data owner: responsible for the security and use of a particular set of information
 Data custodian: responsible for storage, maintenance, and protection of information
 Data users: end users who work with information to perform their daily jobs supporting
the mission of the organization
Information Security: Is it an Art or a Science?
 Implementation of information security often described as combination of art and science
 "Security artisan" idea: based on the way individuals have perceived systems technologists
since computers became commonplace

Security as Art
 No hard and fast rules nor many universally accepted complete solutions
 No manual for implementing security through entire system

Security as Science
 Dealing with technology designed to operate at high levels of performance
 Specific conditions cause virtually all actions that occur in computer systems
 Nearly every fault, security hole, and systems malfunction is a result of the interaction of
specific hardware and software
 If developers had sufficient time, they could resolve and eliminate faults

Security as a Social Science


 Social science examines the behavior of individuals interacting with systems
 Security begins and ends with the people that interact with the system
 Security administrators can greatly reduce levels of risk caused by end users, and create
more acceptable and supportable security profiles


Unit –II THE NEED FOR SECURITY


Learning objective
Upon completion of this chapter you should be able to:
– Understand the business need for information security.
– Understand that a successful information security program is the responsibility of an
organization's general management and IT management.
– Understand the threats posed to information security and the more common
attacks associated with those threats.
– Differentiate threats to information systems from attacks against information
systems.
Business Needs First,
Technology Needs Last
Information security performs four important functions for an organization:
– Protects the organization's ability to function
– Enables the safe operation of applications implemented on the organization's IT
systems
– Protects the data the organization collects and uses
– Safeguards the technology assets in use at the organization

Protecting the Ability to Function


 Management is responsible
 Information security is
– a management issue
– a people issue
 Communities of interest must argue for information security in terms of impact and cost

Enabling Safe Operation


 Organizations must create integrated, efficient, and capable applications
 Organizations need environments that safeguard applications
 Management must not abdicate to the IT department its responsibility to make choices
and enforce decisions

Protecting Data
 One of the most valuable assets is data
 Without data, an organization loses its record of transactions and/or its ability to deliver
value to its customers
 An effective information security program is essential to the protection of the integrity
and value of the organization's data

Safeguarding Technology Assets


 Organizations must have secure infrastructure services based on the size and scope of the
enterprise
 Additional security services may have to be provided
 More robust solutions may be needed to replace security programs the organization has
outgrown

Threats
 Management must be informed of the various kinds of threats facing the organization
 A threat is an object, person, or other entity that represents a constant danger to an asset
 By examining each threat category in turn, management effectively protects its
information through policy, education and training, and technology controls
 The 2002 CSI/FBI survey found:
– 90% of organizations responding detected computer security breaches within the
last year
– 80% lost money to computer breaches, totaling over $455,848,000 up from
$377,828,700 reported in 2001
– The number of attacks that came across the Internet rose from 70% in 2001 to
74% in 2002
– Only 34% of organizations reported their attacks to law enforcement

Acts of Human Error or Failure


 Includes acts done without malicious intent
 Caused by:


– Inexperience
– Improper training
– Incorrect assumptions
– Other circumstances
 Employees are the greatest threat to information security: they are the people closest to
the organizational data

 Employee mistakes can easily lead to the following:
– revelation of classified data
– entry of erroneous data
– accidental deletion or modification of data
– storage of data in unprotected areas
– failure to protect information
 Many of these threats can be prevented with controls

Deviations in Quality of Service by Service Providers


 Situations in which products or services are not delivered as expected
 Information system depends on many inter-dependent support systems
 Three sets of service issues that dramatically affect the availability of information and
systems are
– Internet service
– Communications
– Power irregularities

Internet Service Issues


 Loss of Internet service can lead to considerable loss in the availability of information
– organizations have sales staff and telecommuters working at remote locations


 When an organization outsources its web servers, the outsourcer assumes responsibility
for
– All Internet Services
– The hardware and operating system software used to operate the web site

Services
 Other utility services have potential impact
 Among these are
– telephone
– water & wastewater
– trash pickup
– cable television
– natural or propane gas
– custodial services
 The threat of loss of services can lead to inability to function properly

Power Irregularities
Voltage levels can increase, decrease, or cease:
– spike – momentary increase
– surge – prolonged increase
– sag – momentary low voltage
– brownout – prolonged drop
– fault – momentary loss of power
– blackout – prolonged loss
 Electronic equipment is susceptible to these fluctuations; controls can be applied to manage
power quality

Espionage/Trespass
 Broad category of activities that breach confidentiality
– Unauthorized accessing of information
– Competitive intelligence (the legal and ethical collection and analysis of
information regarding the capabilities, vulnerabilities, and intentions of business
competitors) vs. espionage
– Shoulder surfing can occur any place a person is accessing confidential
information
 Controls are implemented to mark the boundaries of an organization's virtual territory, giving
notice to trespassers that they are encroaching on the organization's cyberspace
 Hackers use skill, guile, or fraud to steal the property of someone else

 Generally two skill levels among hackers:
– Expert hacker
• develops software scripts and codes exploits
• usually a master of many skills
• will often create attack software and share with others
– Script kiddies
• hackers of limited skill
• use expert-written software to exploit a system
• do not usually fully understand the systems they hack
 Other terms for system rule breakers:
– Cracker - an individual who "cracks" or removes protection designed to prevent
unauthorized duplication
– Phreaker - hacks the public telephone network

Information Extortion
 Information extortion is an attacker or formerly trusted insider stealing information from
a computer system and demanding compensation for its return or non-use
 Extortion found in credit card number theft


Sabotage or Vandalism
 Individual or group who want to deliberately sabotage the operations of a computer
system or business, or perform acts of vandalism to either destroy an asset or damage the
image of the organization
 These threats can range from petty vandalism to organized sabotage
 Organizations rely on image so Web defacing can lead to dropping consumer confidence
and sales
 Rising threat of hacktivist or cyber-activist operations – the most extreme version is
cyber-terrorism

Deliberate Acts of Theft


 Illegal taking of another's property - physical, electronic, or intellectual
 The value of information suffers when it is copied and taken away without the owner's
knowledge
 Physical theft can be controlled - a wide variety of measures used from locked doors to
guards or alarm systems
 Electronic theft is a more complex problem to manage and control - organizations may
not even know it has occurred

Deliberate Software Attacks


 When an individual or group designs software to attack systems, they create malicious
code/software called malware
– Designed to damage, destroy, or deny service to the target systems
 Includes:
– macro virus
– boot virus
– worms
– Trojan horses
– logic bombs
– back door or trap door
– denial-of-service attacks
– polymorphic
– hoaxes


Compromises to Intellectual Property


 Intellectual property is "the ownership of ideas and control over the tangible or virtual
representation of those ideas"
 Many organizations are in business to create intellectual property
– trade secrets
– copyrights
– trademarks
– patents
 Most common IP breaches involve software piracy
 Watchdog organizations investigate:
– Software & Information Industry Association (SIIA)
– Business Software Alliance (BSA)
 Enforcement of copyright has been attempted with technical security mechanisms
Forces of Nature
 Forces of nature, force majeure, or acts of God are dangerous because they are
unexpected and can occur with very little warning
 Can disrupt not only the lives of individuals, but also the storage, transmission, and use of
information
 Include fire, flood, earthquake, and lightning as well as volcanic eruption and insect
infestation
 Since it is not possible to avoid many of these threats, management must implement
controls to limit damage and also prepare contingency plans for continued operations

Technical Hardware Failures or Errors


 Technical hardware failures or errors occur when a manufacturer distributes to users
equipment containing flaws
 These defects can cause the system to perform outside of expected parameters, resulting
in unreliable service or lack of availability
 Some errors are terminal, in that they result in the unrecoverable loss of the equipment
 Some errors are intermittent, in that they only periodically manifest themselves, resulting
in faults that are not easily repeated

Technical Software Failures or Errors
 This category of threats comes from purchasing software with unrevealed faults
 Large quantities of computer code are written, debugged, published, and sold, only for users
to discover that not all bugs were resolved
 Sometimes, unique combinations of certain software and hardware reveal new bugs
 Sometimes, these items aren't errors but purposeful shortcuts left by programmers
for honest or dishonest reasons

Technological Obsolescence
 When the infrastructure becomes antiquated or outdated, it leads to unreliable and
untrustworthy systems
 Management must recognize that when technology becomes outdated, there is a risk of
loss of data integrity to threats and attacks
 Ideally, proper planning by management should prevent the risks from technological
obsolescence, but when obsolescence is identified, management must take action
Attacks
 An attack is a deliberate act that exploits a vulnerability
 It is accomplished by a threat agent to damage or steal an organization's information or
physical asset
– An exploit is a technique used to compromise a system
– A vulnerability is an identified weakness of a controlled system whose controls
are not present or are no longer effective
– An attack is then the use of an exploit to achieve the compromise of a controlled
system

Malicious Code
 This kind of attack includes the execution of viruses, worms, Trojan horses, and active
web scripts with the intent to destroy or steal information
 The state of the art in attacking systems in 2002 is the multi-vector worm using up to six
attack vectors to exploit a variety of vulnerabilities in commonly found information
system devices

Attack Descriptions
 IP Scan and Attack – Compromised system scans random or local range of IP addresses
and targets any of several vulnerabilities known to hackers or left over from previous
exploits
 Web Browsing - If the infected system has write access to any Web pages, it makes all
Web content files infectious, so that users who browse to those pages become infected
 Virus - Each infected machine infects certain common executable or script files on all
computers to which it can write with virus code that can cause infection
 Unprotected Shares - using file shares to copy viral component to all reachable locations
 Mass Mail - sending e-mail infections to addresses found in address book
 Simple Network Management Protocol - SNMP vulnerabilities used to compromise and
infect
 Hoaxes - A more devious approach to attacking computer systems is the transmission of a
virus hoax, with a real virus attached


 Back Doors - Using a known or previously unknown and newly discovered access
mechanism, an attacker can gain access to a system or network resource
 Password Crack - Attempting to "reverse calculate" a password; in practice the attacker
hashes candidate passwords and compares each result with the stored hash, since the hash
itself cannot be reversed
 Brute Force - The application of computing and network resources to try every possible
combination of options of a password
 Dictionary - The dictionary password attack narrows the field by selecting specific
accounts to attack and uses a list of commonly used passwords (the dictionary) to guide
guesses
 Denial-of-service (DoS) –
– attacker sends a large number of connection or information requests to a target
– so many requests are made that the target system cannot handle them
successfully along with other, legitimate requests for service
– may result in a system crash, or merely an inability to perform ordinary functions
 Distributed Denial-of-service (DDoS) - an attack in which a coordinated stream of
requests is launched against a target from many locations at the same time

 Spoofing - technique used to gain unauthorized access whereby the intruder sends
messages to a computer with an IP address indicating that the message is coming from a
trusted host
 Man-in-the-Middle - an attacker sniffs packets from the network, modifies them, and
inserts them back into the network
 Spam - unsolicited commercial e-mail - while many consider spam a nuisance rather than
an attack, it is emerging as a vector for some attacks


 Mail-bombing - another form of e-mail attack that is also a DoS, in which an attacker
routes large quantities of e-mail to the target
 Sniffers - a program and/or device that can monitor data traveling over a network.
Sniffers can be used both for legitimate network management functions and for stealing
information from a network
 Social Engineering - within the context of information security, the process of using
social skills to convince people to reveal access credentials or other valuable information
to the attacker
 "People are the weakest link. You can have the best technology; firewalls, intrusion-
detection systems, biometric devices ... and somebody can call an unsuspecting employee.
That's all she wrote, baby. They got everything."
 "Brick attack" – the best configured firewall in the world can't stand up to a well placed
brick
 Buffer Overflow –
– application error occurs when more data is sent to a buffer than it can handle


– when the buffer overflows, the attacker can make the target system execute
instructions, or the attacker can take advantage of some other unintended
consequence of the failure
 Timing Attack –
– relatively new
– works by exploring the contents of a web browser‘s cache
– can allow collection of information on access to password-protected sites
– another attack by the same name involves attempting to intercept cryptographic
elements to determine keys and encryption algorithms
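
The Password Crack, Brute Force and Dictionary entries above describe guessing strategies. The following Python script, added here as an illustration and not part of the original notes, runs both strategies against a constructed two-user password store that uses fast salted SHA-256 (the usernames, salts, passwords and the word list are assumptions of this example). It shows why a dictionary is tried first and how the brute-force keyspace grows with alphabet size and password length.

```python
import hashlib
import itertools
import string

# Constructed sample "password file": username -> (salt, hex SHA-256 of salt + password).
# Plain salted SHA-256 is fast to compute, which is exactly what makes it crackable;
# the usernames, salts and passwords are assumptions of this example.
SAMPLE_SHADOW = {
    "alice": ("4f9a", hashlib.sha256(b"4f9a" + b"dragon").hexdigest()),
    "bob":   ("c1d2", hashlib.sha256(b"c1d2" + b"qzx").hexdigest()),
}

# A small constructed "dictionary" of commonly used passwords.
COMMON_PASSWORDS = ["123456", "password", "dragon", "letmein", "qwerty"]


def hash_password(salt: str, candidate: str) -> str:
    """Recompute the stored hash for one guess; cracking never reverses the hash."""
    return hashlib.sha256(salt.encode() + candidate.encode()).hexdigest()


def dictionary_attack(salt, stored_hash, wordlist):
    """Guided guessing: hash each word in the list and compare.
    Returns (password, attempts) on success, (None, attempts) otherwise."""
    for attempts, word in enumerate(wordlist, start=1):
        if hash_password(salt, word) == stored_hash:
            return word, attempts
    return None, len(wordlist)


def brute_force_attack(salt, stored_hash, alphabet, max_len):
    """Exhaustive guessing: every string over `alphabet` of length 1..max_len."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(chars)
            if hash_password(salt, guess) == stored_hash:
                return guess, attempts
    return None, attempts


def keyspace_size(alphabet_size, max_len):
    """Worst-case number of candidates brute force must try."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def crack_all(shadow, wordlist, alphabet=string.ascii_lowercase, max_len=3):
    """Cheap dictionary first, brute force only as a fallback.
    Returns user -> (method, password, attempts)."""
    results = {}
    for user, (salt, stored) in shadow.items():
        password, attempts = dictionary_attack(salt, stored, wordlist)
        if password is not None:
            results[user] = ("dictionary", password, attempts)
            continue
        password, attempts = brute_force_attack(salt, stored, alphabet, max_len)
        results[user] = ("brute-force", password, attempts)
    return results


if __name__ == "__main__":
    for user, (method, password, attempts) in crack_all(SAMPLE_SHADOW, COMMON_PASSWORDS).items():
        print(f"{user}: {password!r} recovered via {method} after {attempts} guesses")
    print("lowercase keyspace up to 3 chars:", keyspace_size(26, 3))
    print("lowercase keyspace up to 8 chars:", keyspace_size(26, 8))
```

Running it shows alice falling to the dictionary in three guesses and bob to brute force after roughly twelve thousand; extending the alphabet and length to realistic values puts exhaustive search out of reach, which is why attackers lead with dictionaries and why defenders store passwords with a deliberately slow hash (for example `hashlib.pbkdf2_hmac` with a high iteration count) and enforce lockouts rather than relying on plain SHA-256.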


UNIT-III
RISK MANAGEMENT: IDENTIFYING AND ASSESSING RISK

Learning Objectives:

Upon completion of this chapter you should be able to:


– Define risk management and its role in the SecSDLC
– Understand how risk is identified
– Assess risk based on the likelihood of occurrence and impact on an organization
– Grasp the fundamental aspects of documenting risk identification and assessment

Risk Management

 "If you know the enemy and know yourself, you need not fear the result of a hundred
battles.
 If you know yourself but not the enemy, for every victory gained you will also suffer a
defeat.
 If you know neither the enemy nor yourself, you will succumb in every battle." (Sun Tzu)

Know Ourselves
 First, we must identify, examine, and understand the information, and systems, currently
in place
 In order to protect our assets, defined here as the information and the systems that use,
store, and transmit it, we have to understand everything about the information
 Once we have examined these aspects, we can then look at what we are already doing to
protect the information and systems from the threats

Know the Enemy


 For information security this means identifying, examining, and understanding the threats
that most directly affect our organization and the security of our organization's
information assets
 We then can use our understanding of these aspects to create a list of threats prioritized
by importance to the organization

Accountability for Risk Management


 It is the responsibility of each community of interest to manage risks; each community
has a role to play:
– Information Security - best understands the threats and attacks that introduce risk
into the organization
– Management and Users – play a part in the early detection and response process;
they also ensure that sufficient resources are allocated
– Information Technology – must assist in building secure systems and operating
them safely

 All three communities must also:
– Evaluate the risk controls
– Determine which control options are cost effective
– Assist in acquiring or installing needed controls
– Ensure that the controls remain effective

Risk Management Process


 Management reviews asset inventory
 The threats and vulnerabilities that have been identified as dangerous to the asset
inventory must be reviewed and verified as complete and current
 The potential controls and mitigation strategies should be reviewed for completeness
 The cost effectiveness of each control should be reviewed as well, and the decisions
about deployment of controls revisited

Risk Identification
 A risk management strategy calls on us to "know ourselves" by identifying, classifying,
and prioritizing the organization's information assets
 These assets are the targets of various threats and threat agents and our goal is to protect
them from these threats
 Next comes threat identification:
– Assess the circumstances and setting of each information asset
– Identify the vulnerabilities and begin exploring the controls that might be used to
manage the risks

Asset Identification and Valuation


 This iterative process begins with the identification of assets, including all of the
elements of an organization‘s system: people, procedures, data and information, software,
hardware, and networking elements
 Then, we classify and categorize the assets adding details as we dig deeper into the
analysis


Hardware, Software, and Network Asset Identification


 Automated tools can sometimes uncover the system elements that make up the hardware,
software, and network components
 Once created, the inventory listing must be kept current, often through a tool that
periodically refreshes the data

Network Asset Identification


 What attributes of each of these information assets should be tracked?
 When deciding which information assets to track, consider including these asset
attributes:
 Name
 IP address
 MAC address
 Element type
 Serial number
 Manufacturer name
 Manufacturer's model number or part number
 Software version, update revision, or FCO number
 Physical location
 Logical location
 Controlling entity

People, Procedures, and Data Asset Identification


 Unlike the tangible hardware and software elements already described, the human
resources, documentation, and data information assets are not as readily discovered and
documented
 These assets should be identified, described, and evaluated by people using knowledge,
experience, and judgment
 As these elements are identified, they should also be recorded into some reliable data
handling process


Asset Information for People


 For People:
– Position name/number/ID – try to avoid names and stick to identifying positions,
roles, or functions
– Supervisor
– Security clearance level
– Special skills
Asset Information for procedures
 For Procedures:
– Description
– Intended purpose
– What elements is it tied to
– Where is it stored for reference
– Where is it stored for update purposes
Asset Information for Data
 For Data:
– Classification
– Owner/creator/manager
– Size of data structure
– Data structure used – sequential, relational
– Online or offline
– Where located
– Backup procedures employed

Classification
 Many organizations already have a classification scheme
 Examples of these kinds of classifications are:
– confidential data
– internal data
– public data
 Informal organizations may have to organize themselves to create a useable data
classification model
 The other side of the data classification scheme is the personnel security clearance
structure

Information Asset Valuation


 Each asset is categorized
 Questions to assist in developing the criteria to be used for asset valuation:
– Which information asset is the most critical to the success of the organization?
– Which information asset generates the most revenue?
– Which information asset generates the most profitability?
– Which information asset would be the most expensive to replace?
– Which information asset would be the most expensive to protect?
– Which information asset would be the most embarrassing or cause the greatest
liability if revealed?

 Create a weighting for each category based on the answers to the previous questions:
which factor is the most important to the organization?
 Once each question has been weighted, calculating the importance of each asset is
straightforward
 List the assets in order of importance using a weighted factor analysis worksheet


Data Classification and Management


 A variety of classification schemes are used by corporate and military organizations
 Information owners are responsible for classifying the information assets for which they
are responsible
 Information owners must review information classifications periodically
 The military uses a five-level classification scheme but most organizations do not need
the detailed level of classification used by the military or federal agencies
Security Clearances
 The other side of the data classification scheme is the personnel security clearance
structure
 Each user of data in the organization is assigned a single level of authorization indicating
the level of classification
 Before an individual is allowed access to a specific set of data, he or she must meet the
need-to-know requirement
 This extra level of protection ensures that the confidentiality of information is properly
maintained

Management of Classified Data


 Includes the storage, distribution, portability, and destruction of classified information
– Must be clearly marked as such
– When stored, it must be unavailable to unauthorized individuals
– When carried should be inconspicuous, as in a locked briefcase or portfolio
 Clean desk policies require all information to be stored in its appropriate storage
container at the end of each day
 Proper care should be taken to destroy any unneeded copies
 Dumpster diving can prove embarrassing to the organization
Threat Identification
 Each of the threats identified so far has the potential to attack any of the assets protected
 This will quickly become more complex and overwhelm the ability to plan
 To make this part of the process manageable, each step in the threat identification and
vulnerability identification process is managed separately, and then coordinated at the
end of the process


Identify and Prioritize Threats


 Each threat must be further examined to assess its potential to impact organization - this
is referred to as a threat assessment
 To frame the discussion of threat assessment, address each threat with a few questions:
– Which threats present a danger to this organization's assets in the given
environment?
– Which threats represent the most danger to the organization's information?
– How much would it cost to recover from a successful attack?
– Which of these threats would require the greatest expenditure to prevent?
Vulnerability Identification
 We now face the challenge of reviewing each information asset for each threat it faces
and creating a list of the vulnerabilities that remain viable risks to the organization
 Vulnerabilities are specific avenues that threat agents can exploit to attack an information
asset

 Examine how each of the threats that are possible or likely could be perpetrated and list
the organization‘s assets and their vulnerabilities
 The process works best when groups of people with diverse backgrounds within the
organization work iteratively in a series of brainstorming sessions
 At the end of the process, an information asset / vulnerability list has been developed
– this list is the starting point for the next step, risk assessment

Risk Assessment
 We can determine the relative risk for each of the vulnerabilities through a process called
risk assessment


 Risk assessment assigns a risk rating or score to each specific information asset, useful in
gauging the relative risk introduced by each vulnerable information asset and making
comparative ratings later in the risk control process

Introduction to Risk Assessment


 Risk Identification Estimate Factors
– Likelihood
– Value of Information Assets
– Percent of Risk Mitigated
– Uncertainty

Risk Determination
For the purpose of relative risk assessment:
risk = likelihood of vulnerability occurrence × value (or impact)
       − percentage of that risk already controlled
       + an element of uncertainty
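The formula above applied to a ranked vulnerability risk worksheet, as an added example that is not part of the course notes. It reads "percentage already controlled" and "uncertainty" as fractions of the raw likelihood × value figure, which is how the worksheet is normally filled in; the asset names, likelihoods, values and control percentages are constructed sample data, and the `VulnerableAsset`, `risk_score`, `residual_risk` and `rank` names are this example's own.

```python
"""Relative risk rating from the worksheet formula (added example, not from the notes).

risk = likelihood * value - (share already controlled) + (uncertainty margin)

Asset names and all numbers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class VulnerableAsset:
    asset: str
    vulnerability: str
    likelihood: float       # 0.0..1.0: chance the vulnerability is exploited in the period
    value: float            # relative value or impact of the asset (e.g. 1..100)
    pct_controlled: float   # 0.0..1.0: share of the raw risk existing controls already remove
    uncertainty: float      # 0.0..1.0: how unsure the analyst is about the estimates above


def residual_risk(v: VulnerableAsset) -> float:
    """Risk left after existing controls, before any uncertainty margin is added."""
    raw = v.likelihood * v.value
    return round(raw - raw * v.pct_controlled, 2)


def risk_score(v: VulnerableAsset) -> float:
    """Worksheet score: raw risk, minus the controlled share, plus the uncertainty share."""
    raw = v.likelihood * v.value
    return round(raw - raw * v.pct_controlled + raw * v.uncertainty, 2)


def rank(assets: List[VulnerableAsset]) -> List[Tuple[str, str, float]]:
    """Ranked vulnerability risk worksheet: highest score first."""
    rows = [(a.asset, a.vulnerability, risk_score(a)) for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)


SAMPLE = [  # constructed sample data
    VulnerableAsset("Customer database", "SQL injection in web form", 0.5, 100, 0.5, 0.1),
    VulnerableAsset("Mail server", "Unpatched operating system", 0.8, 60, 0.25, 0.2),
    VulnerableAsset("Public web server", "Default admin credentials", 0.3, 40, 0.0, 0.1),
]

if __name__ == "__main__":
    for asset, vuln, score in rank(SAMPLE):
        print(f"{score:6.1f}  {asset}: {vuln}")
```

Note that a 50 % likelihood against the most valuable asset ranks below an 80 % likelihood against a cheaper one: the score is relative, and its only job is to order the list for the control-selection step that follows.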

Identify Possible Controls


 For each threat and its associated vulnerabilities that have any residual risk, create a
preliminary list of control ideas
 Residual risk is the risk that remains to the information asset even after the existing
control has been applied

Access Controls
 One particular application of controls is in the area of access controls
 Access controls are those controls that specifically address admission of a user into a
trusted area of the organization
 There are a number of approaches to controlling access
 Access controls can be
– discretionary
– mandatory
– nondiscretionary

Types of Access Controls


 Discretionary Access Controls (DAC) are implemented at the discretion or option of the
data user
 Mandatory Access Controls (MACs) are structured and coordinated with a data
classification scheme, and are required
 Nondiscretionary Controls are those determined by a central authority in the organization
and can be based on that individual's role (Role-Based Controls) or a specified set of
duties or tasks the individual is assigned (Task-Based Controls) or can be based on
specified lists maintained on subjects or objects


Lattice-based Control
 Another type of nondiscretionary access is lattice-based control, where a lattice structure
(or matrix) is created containing subjects and objects, and the boundaries associated with
each subject/object pair are recorded
 This specifies the level of access each subject has to each object
 In a lattice-based control the column of attributes associated with a particular object is
referred to as an access control list or ACL
 The row of attributes associated with a particular subject (such as a user) is referred to as
a capabilities table
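The subject/object matrix described above, as an added example that is not part of the course notes: one structure from which an object's ACL (a column) and a subject's capabilities table (a row) are both read. The `AccessMatrix` class, the user names, the file names and the rights granted are constructed for this example.

```python
"""Lattice-based access control matrix: subjects are rows, objects are columns.

Added example, not part of the course notes. Subject and object names and the
rights granted are constructed sample data.
"""
from typing import Dict, FrozenSet, Set


class AccessMatrix:
    def __init__(self) -> None:
        # subject -> object -> rights; an absent cell means "no access" (default deny)
        self._rows: Dict[str, Dict[str, Set[str]]] = {}
        self._objects: Set[str] = set()

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._objects.add(obj)
        self._rows.setdefault(subject, {}).setdefault(obj, set()).update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        cell = self._rows.get(subject, {}).get(obj)
        if cell is None:
            return
        cell.difference_update(rights)
        if not cell:                      # drop empty cells so ACL listings stay sparse
            del self._rows[subject][obj]

    def acl(self, obj: str) -> Dict[str, FrozenSet[str]]:
        """The column for one object: which subjects hold which rights on it."""
        return {s: frozenset(row[obj]) for s, row in self._rows.items() if obj in row}

    def capabilities(self, subject: str) -> Dict[str, FrozenSet[str]]:
        """The row for one subject: which objects it may touch, and how."""
        return {o: frozenset(r) for o, r in self._rows.get(subject, {}).items()}

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Reference-monitor style decision: deny unless the cell holds the right."""
        return right in self._rows.get(subject, {}).get(obj, set())

    def matrix(self) -> Dict[str, Dict[str, FrozenSet[str]]]:
        """The full lattice: every subject against every object, empty cells included."""
        return {s: {o: frozenset(self._rows[s].get(o, set())) for o in sorted(self._objects)}
                for s in sorted(self._rows)}


def sample_matrix() -> AccessMatrix:
    """Constructed example: a payroll spreadsheet and an HR policy document."""
    m = AccessMatrix()
    m.grant("alice", "payroll.xlsx", "read", "write")
    m.grant("bob", "payroll.xlsx", "read")
    m.grant("alice", "hr_policy.docx", "read")
    m.grant("carol", "hr_policy.docx", "read", "write")
    return m
```

Real systems store only one projection: a file system keeps ACLs (the column, attached to the object), while capability systems hand each subject its row as unforgeable tokens. The matrix view makes it obvious that revoking a right must be reflected in both projections at once.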

Documenting Results of Risk Assessment


 The goal of this process has been to identify the information assets of the organization
that have specific vulnerabilities and create a list of them, ranked for focus on those most
needing protection first
 In preparing this list we have collected and preserved factual information about the assets,
the threats they face, and the vulnerabilities they experience
 The process you develop for risk identification should include designating what function
the reports will serve, who is responsible for preparing the reports, and who reviews them
 We do know that the ranked vulnerability risk worksheet is the initial working document
for the next step in the risk management process: assessing and controlling risk


UNIT-IV
BLUEPRINT FOR SECURITY

Learning Objectives
Upon completion of this chapter you should be able to:
– Understand management's responsibilities and role in the development,
maintenance, and enforcement of information security policy, standards,
practices, procedures, and guidelines
– Understand the differences between the organization‘s general information
security policy and the requirements and objectives of the various issue-
specific and system-specific policies.
– Know what an information security blueprint is and what its major
components are.
– Understand how an organization institutionalizes its policies, standards,
and practices using education, training, and awareness programs.
– Become familiar with what viable information security architecture is,
what it includes, and how it is used.

Information Security Policy, Standards, and Practices
 Management from all communities of interest must consider policies as the basis
for all information security efforts
 Policies direct how issues should be addressed and technologies used
 Security policies are the least expensive control to execute, but the most difficult
to implement
 Shaping policy is difficult because a policy must:
– Never conflict with laws
– Stand up in court, if challenged
– Be properly administered

Definitions
 A policy is
A plan or course of action, as of a government, political party, or business,
intended to influence and determine decisions, actions, and other matters
 Policies are organizational laws
 Standards, on the other hand, are more detailed statements of what must be done
to comply with policy
 Practices, procedures, and guidelines effectively explain how to comply with
policy
 For a policy to be effective it must be properly disseminated, read, understood and
agreed to by all members of the organization

Types of Policy
Management defines three types of security policy:
– General or security program policy
– Issue-specific security policies
– Systems-specific security policies

Security Program Policy


 A security program policy (SPP) is also known as
– A general security policy
– IT security policy
– Information security policy
 Sets the strategic direction, scope, and tone for all security efforts within the
organization
 An executive-level document, usually drafted by or with, the CIO of the
organization and is usually 2 to 10 pages long

Issue-Specific Security Policy (ISSP)


 As various technologies and processes are implemented, certain guidelines are
needed to use them properly
 The ISSP:
– addresses specific areas of technology
– requires frequent updates
– contains an issue statement on the organization's position on an issue
 Three approaches:
– Create a number of independent ISSP documents
– Create a single comprehensive ISSP document
– Create a modular ISSP document

Example ISSP Structure


 Statement of Policy
 Authorized Access and Usage of Equipment
 Prohibited Usage of Equipment
 Systems Management
 Violations of Policy
 Policy Review and Modification
 Limitations of Liability

Systems-Specific Policy (SysSP)


 While issue-specific policies are formalized as written documents, distributed to
users, and agreed to in writing, SysSPs are frequently codified as standards and
procedures used when configuring or maintaining systems
 Systems-specific policies fall into two groups:
– Access control lists (ACLs) consist of the access control lists, matrices,
and capability tables governing the rights and privileges of a particular
user to a particular system
– Configuration rules comprise the specific configuration codes entered into
security systems to guide the execution of the system

ACL Policies
 Both Microsoft Windows NT/2000 and Novell Netware 5.x/6.x families of
systems translate ACLs into sets of configurations that administrators use to
control access to their respective systems
 ACLs can be configured to restrict access by user, by location, and by time
 ACLs regulate:
– Who can use the system
– What authorized users can access
– When authorized users can access the system
– Where authorized users can access the system from
– How authorized users can access the system

Rule Policies
 Rule policies are more specific to the operation of a system than ACLs


 Many security systems require specific configuration scripts telling the systems
what actions to perform on each set of information they process

Policy Management
 Policies are living documents that must be managed and nurtured, and are
constantly changing and growing
 Documents must be properly managed
 Special considerations should be made for organizations undergoing mergers,
takeovers, and partnerships
 In order to remain viable, policies must have:
 an individual responsible for reviews
 a schedule of reviews
 a method for making recommendations for reviews
 a specific effective and revision date

Information Classification
 The classification of information is an important aspect of policy
 The same protection scheme created to prevent production data from accidental
release to the wrong party should be applied to policies in order to keep them
freely available, but only within the organization
 In today's open office environments, it may be beneficial to implement a clean
desk policy
 A clean desk policy stipulates that at the end of the business day, all classified
information must be properly stored and secured

Systems Design
 At this point in the Security SDLC, the analysis phase is complete and the design
phase begins – many work products have been created
 Designing a plan for security begins by creating or validating a security blueprint


 Then use the blueprint to plan the tasks to be accomplished and the order in which
to proceed
 Setting priorities can follow the recommendations of published sources, or from
published standards provided by government agencies, or private consultants

Information Security Blueprints


 One approach is to adapt or adopt a published model or framework for
information security
 A framework is the basic skeletal structure within which additional detailed
planning of the blueprint can be placed as it is developed or refined
 Experience teaches us that what works well for one organization may not
precisely fit another

ISO 17799/BS 7799


 One of the most widely referenced and often discussed security models is the
Information Technology – Code of Practice for Information Security Management,
which was originally published as British Standard BS 7799
 This Code of Practice was adopted as an international standard by the
International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 as a framework
for information security

 Several countries have not adopted 17799 claiming there are fundamental
problems:
– The global information security community has not defined any
justification for a code of practice as identified in the ISO/IEC 17799
– 17799 lacks "the necessary measurement precision of a technical
standard"
– There is no reason to believe that 17799 is more useful than any other
approach currently available
– 17799 is not as complete as other frameworks available
– 17799 is perceived to have been hurriedly prepared given the tremendous
impact its adoption could have on industry information security controls
 Organizational Security Policy is needed to provide management direction and
support
 Objectives:
– Operational Security Policy
– Organizational Security Infrastructure
– Asset Classification and Control
– Personnel Security
– Physical and Environmental Security
– Communications and Operations Management
– System Access Control
– System Development and Maintenance
– Business Continuity Planning
– Compliance

NIST Security Models

 Another approach available is described in the many documents available from
the Computer Security Resource Center of the National Institute of Standards
and Technology (csrc.nist.gov), including:
– NIST SP 800-12 - An Introduction to Computer Security: The NIST Handbook
– NIST SP 800-14 - Generally Accepted Principles and Practices for
Securing Information Technology Systems
– NIST SP 800-18 - Guide for Developing Security Plans for Information
Technology Systems

NIST SP 800-14
 Security Supports the Mission of the Organization
 Security is an Integral Element of Sound Management
 Security Should Be Cost-Effective
 Systems Owners Have Security Responsibilities Outside Their Own
Organizations
 Security Responsibilities and Accountability Should Be Made Explicit
 Security Requires a Comprehensive and Integrated Approach
 Security Should Be Periodically Reassessed
 Security is Constrained by Societal Factors
 33 Principles enumerated

IETF Security Architecture


 The Security Area Working Group acts as an advisory board for the protocols and
areas developed and promoted through the Internet Society
– No specific architecture is promoted through IETF
 RFC 2196: Site Security Handbook provides an overview of five basic areas of
security
 Topics include:
– security policies
– security technical architecture
– security services
– security incident handling


VISA Model
 VISA International promotes strong security measures and has security guidelines
 Developed two important documents that improve and regulate its information
systems
– "Security Assessment Process"
– "Agreed Upon Procedures"
 Using the two documents, a security team can develop a sound strategy for the
design of good security architecture
 The only downside to this approach is the very specific focus on systems that can
or do integrate with VISA's systems

Baselining and Best Practices


 Baselining and best practices are solid methods for collecting security practices,
but they can have the drawback of providing less detail than would a complete
methodology
 It is possible to gain information by baselining and using best practices and thus
work backwards to an effective design
 The Federal Agency Security Practices Site (fasp.csrc.nist.gov) is designed to
provide best practices for public agencies

Professional Membership
 It may be worth the information security professional's time and money to join
professional societies that provide information on best practices to their members
 Many organizations have seminars and classes on best practices for implementing
security
 Finding information on security design is the easy part; sorting through the
collected mass of information, documents, and publications can take a substantial
investment in time and human resources

NIST SP 800-26
Management Controls
– Risk Management
– Review of Security Controls
– Life Cycle Maintenance
– Authorization of Processing (Certification and Accreditation)
– System Security Plan
Operational Controls
– Personnel Security


– Physical Security
– Production, Input/Output Controls
– Contingency Planning
– Hardware and Systems Software
– Data Integrity
– Documentation
– Security Awareness, Training, and Education
– Incident Response Capability
Technical Controls
– Identification and Authentication
– Logical Access Controls
– Audit Trails

Sphere of Use
 Generally speaking, the concept of the sphere is to represent the 360 degrees of
security necessary to protect information at all times
 The first component is the "sphere of use"
 Information, at the core of the sphere, is available for access by members of the
organization and other computer-based systems:
– To gain access to the computer systems, one must either directly access
the computer systems or go through a network connection
– To gain access to the network, one must either directly access the network
or go through an Internet connection

Sphere of Protection
 The "sphere of protection" overlays each of the levels of the "sphere of use" with
a layer of security, protecting that layer from direct or indirect use through the
next layer


 The people must become a layer of security, a human firewall that protects the
information from unauthorized access and use
 Information security is therefore designed and implemented in three layers
– policies
– people (education, training, and awareness programs)
– technology

Controls

 Management controls cover security processes that are designed by the strategic
planners and performed by security administration of the organization
 Operational controls deal with the operational functionality of security in the
organization
 Operational controls also address personnel security, physical security, and the
protection of production inputs and outputs
 Technical controls address those tactical and technical issues related to designing
and implementing security in the organization

The Framework
 Management Controls
– Program Management
– System Security Plan
– Life Cycle Maintenance
– Risk Management
– Review of Security Controls
– Legal Compliance
 Operational Controls
– Contingency Planning
– Security Education, Training, and Awareness (ETA)
– Personnel Security
– Physical Security
– Production Inputs and Outputs
– Hardware & Software Systems Maintenance
– Data Integrity
 Technical Controls
– Logical Access Controls
– Identification, Authentication, Authorization, and Accountability
– Audit Trails
– Asset Classification and Control
– Cryptography

SETA
 As soon as the policies exist, policies to implement security education, training,
and awareness (SETA) should follow
 SETA is a control measure designed to reduce accidental security breaches


 Supplement the general education and training programs in place to educate staff
on information security
 Security education and training builds on the general knowledge the employees
must possess to do their jobs, familiarizing them with the way to do their jobs
securely

SETA Elements
 The SETA program consists of three elements
– security education
– security training
– security awareness
 The organization may not be capable of, or willing to, undertake all three of these
elements itself, but may outsource them
 The purpose of SETA is to enhance security by:
– Improving awareness of the need to protect system resources
– Developing skills and knowledge so computer users can perform their jobs
more securely
– Building in-depth knowledge, as needed, to design, implement, or operate
security programs for organizations and systems

Security Education
 Everyone in an organization needs to be trained and aware of information security,
but not every member of the organization needs a formal degree or certificate in
information security
 When formal education in security is needed for appropriate individuals, an
employee can identify curriculum available from local institutions of higher
learning or continuing education
 A number of universities have formal coursework in information security
(see for example http://infosec.kennesaw.edu)

Security Training
 Security training involves providing members of the organization with detailed
information and hands-on instruction designed to prepare them to perform their
duties securely
 Management of information security can develop customized in-house training or
outsource the training program
Security Awareness
 One of the least frequently implemented, but most beneficial, programs is the
security awareness program
 Designed to keep information security at the forefront of the users' minds
 Need not be complicated or expensive
 If the program is not actively implemented, employees begin to 'tune out', and the
risk of employee accidents and failures increases

Comments
 Defense in Depth
– One of the foundations of security architectures is the requirement to
implement security in layers
– Defense in depth requires that the organization establish sufficient security
controls and safeguards, so that an intruder faces multiple layers of
controls
 Security Perimeter
– The point at which an organization's security protection ends, and the
outside world begins
– Referred to as the security perimeter
– Unfortunately the perimeter does not apply to internal attacks from
employee threats, or on-site physical threats


Key Technology Components


 Other key technology components
– A firewall is a device that selectively discriminates against information
flowing into or out of the organization
– The DMZ (demilitarized zone) is a no-man's land, between the inside and
outside networks, where some organizations place Web servers
– In an effort to detect unauthorized activity within the inner network, or on
individual machines, an organization may wish to implement Intrusion
Detection Systems or IDS


UNIT-V
PHYSICAL SECURITY

Physical security describes both measures that prevent or deter attackers from accessing
a facility, resource, or information stored on physical media, and guidance on how to
design structures to resist various hostile acts. [1] It can be as simple as a locked door or as
elaborate as multiple layers of armed security guards and guardhouse placement.

Physical security is not a modern phenomenon. Physical security exists in order to deter
persons from entering a physical facility. Historical examples of physical security include
city walls, moats, etc.

The key factor is that the technology used for physical security has changed over time.
While in past eras there was no passive infrared (PIR) based technology, electronic access
control systems, or video surveillance system (VSS) cameras, the essential methodology
of physical security has not altered over time.

The field of security engineering has identified the following elements to physical
security:

 explosion protection;
 obstacles, to frustrate trivial attackers and delay serious ones;
 alarms, security lighting, security guard patrols or closed-circuit television
cameras, to make it likely that attacks will be noticed; and
 security response, to repel, catch or frustrate attackers when an attack is detected.

In a well designed system, these features must complement each other. [2] There are at
least four layers of physical security, together with personnel identification, which runs
through all of them:

 Environmental design
 Mechanical, electronic and procedural access control
 Intrusion detection
 Video monitoring
 Personnel Identification

The goal is to convince potential attackers that the likely costs of attack exceed the value
of making the attack.


The initial layer of security for a campus, building, office, or physical space uses crime
prevention through environmental design to deter threats. Some of the most common
examples are also the most basic - barbed wire, warning signs and fencing, concrete
bollards, metal barriers, vehicle height-restrictors, site lighting and trenches.

Electronic access control

The next layer is mechanical and includes gates, doors, and locks. Key control of the
locks becomes a problem with large user populations and any user turnover. Keys quickly
become unmanageable, forcing the adoption of electronic access control. Electronic
access control easily manages large user populations, controlling user lifecycles,
times, dates, and individual access points. For example, a user's access rights could allow
access from 0700 to 1900 Monday through Friday and expire after 90 days. Another form
of access control (procedural) includes the use of policies, processes and procedures to
manage ingress into the restricted area. An example of this is the deployment of
security personnel conducting checks for authorized entry at predetermined points of
entry. This form of access control is usually supplemented by the earlier forms of access
control (i.e. mechanical and electronic access control), or simple devices such as physical
passes.

An additional sub-layer of mechanical/electronic access control protection is reached by
integrating a key management system to manage the possession and usage of mechanical
keys to locks or property within a building or campus.
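The access rule in the paragraph above (07:00 to 19:00, Monday to Friday, expiring after 90 days), evaluated the way the ACL section of Unit IV describes, by who, what, when and where, as an added example that is not part of the course notes. The `AccessRule`, `issue` and `decide` names, the badge holder, the door identifiers and the dates are all constructed for this example; the same evaluation applies whether the resource is a door or a host.

```python
"""Access rules that answer who, what, when and where, with an expiry date.

Added example, not part of the course notes. The 07:00-19:00, Monday-Friday,
90-day rule follows the text; names, door identifiers and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import FrozenSet, Iterable, Tuple

WEEKDAYS = frozenset(range(0, 5))   # Monday=0 .. Friday=4


@dataclass(frozen=True)
class AccessRule:
    subject: str                    # who
    resource: str                   # what: a door, a host, a share
    days: FrozenSet[int]            # when: weekdays on which access is allowed
    start: time                     # when: first permitted time of day
    end: time                       # when: last permitted time of day
    expires: date                   # when: last day the rule is valid (inclusive)
    access_points: FrozenSet[str]   # where: entry points the request may come from


def issue(subject: str, resource: str, issued: date, access_points: Iterable[str],
          days: FrozenSet[int] = WEEKDAYS, start: time = time(7, 0),
          end: time = time(19, 0), lifetime_days: int = 90) -> AccessRule:
    """Create a rule that expires lifetime_days after it was issued."""
    return AccessRule(subject, resource, days, start, end,
                      issued + timedelta(days=lifetime_days), frozenset(access_points))


def decide(rules: Iterable[AccessRule], subject: str, resource: str,
           at: datetime, access_point: str) -> Tuple[bool, str]:
    """Default deny. Returns (allowed, reason) so every decision can be logged."""
    reason = "no rule for this subject and resource"
    for r in rules:
        if r.subject != subject or r.resource != resource:
            continue
        if at.date() > r.expires:
            reason = "rule expired"
        elif at.weekday() not in r.days:
            reason = "not an allowed day"
        elif not (r.start <= at.time() <= r.end):
            reason = "outside allowed hours"
        elif access_point not in r.access_points:
            reason = "not an allowed access point"
        else:
            return True, "allowed"
    return False, reason


RULES = [  # constructed: one badge holder, one door, issued on a Monday
    issue("jdoe", "server-room-door", date(2024, 1, 8), ["door-3"]),
]

if __name__ == "__main__":
    print(decide(RULES, "jdoe", "server-room-door", datetime(2024, 1, 10, 9, 0), "door-3"))
    print(decide(RULES, "jdoe", "server-room-door", datetime(2024, 5, 1, 9, 0), "door-3"))
```

Returning the denial reason rather than a bare false is what makes the audit trail useful: an "expired" denial at a badge reader is a lifecycle problem for administration, while a string of "not an allowed access point" denials is something the response force should look at.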

The third layer is intrusion detection systems or alarms. Intrusion detection monitors for
attacks. It is less a preventative measure and more of a response measure, although
some would argue that it is a deterrent. Intrusion detection has a high incidence of
false alarms. In many jurisdictions, law enforcement will not respond to alarms from
intrusion detection systems.

The last layer is video monitoring systems. Security cameras can be a deterrent
in many cases, but their real power comes from incident verification[3] and
historical analysis.[4] For example, if alarms are being generated and there is a camera in
place, the camera could be viewed to verify the alarms. In instances when an attack has
already occurred and a camera is in place at the point of attack, the recorded video can be
reviewed. Although the term closed-circuit television (CCTV) is common, it is quickly
becoming outdated as more video systems lose the closed circuit for signal transmission
and are instead transmitting on computer networks. Advances in information technology
are transforming video monitoring into video analysis. For instance, once an image is
digitized it can become data that sophisticated algorithms can act upon. As the speed and
accuracy of automated analysis increases, the video system could move from a
monitoring system to an intrusion detection system or access control system. It is not a
stretch to imagine a video camera inputting data to a processor that outputs to a door
lock. Instead of using some kind of key, whether mechanical or electrical, a person's
visage is the key. FST21, an Israeli company that entered the US market this year,
markets intelligent buildings that do just that. [5] When actual design and implementation
is considered, there are numerous types of security cameras that can be used for many
different applications. One must analyze their needs and choose accordingly. [6]


Intertwined in these four layers are people. Guards have a role in all layers: in the first as
patrols and at checkpoints; in the second to administer electronic access control; in the
third to respond to alarms (the response force must be able to arrive on site in less time
than the attacker is expected to need to breach the barriers); and in the fourth to
monitor and analyze video. Users obviously have a role also, by questioning and reporting
suspicious people. Aiding in identifying people as known versus unknown are
identification systems. Often photo ID badges are used and are frequently coupled to the
electronic access control system. Visitors are often required to wear a visitor badge.

Other physical security tools

In recent times, new developments in information and communications technology, as
well as new demands on security managers, have widened the scope of physical security
apparatus.

Fire alarm systems are increasingly becoming based on Internet Protocol, thus leading to
them being accessible via local and wide area networks within organisations. Emergency
notification is now a new standard in many industries, as well as physical security
information management (PSIM). A PSIM application integrates all physical security
systems in a facility, and provides a single and comprehensive means of managing all of
these resources. It consequently saves time and cost in the effective management of
physical security.

Many installations, serving a myriad of different purposes, have physical obstacles in
place to deter intrusion. These can be high walls, barbed wire, glass mounted on top of
walls, etc.

The presence of PIR-based motion detectors is common in many places, as a means of
noting intrusion into a physical installation. Moreover, VSS/CCTV cameras are
becoming increasingly common, as a means of identifying persons who intrude into
physical locations.

Businesses use a variety of options for physical security, including security guards,
electric security fencing, cameras, motion detectors, and light beams.

ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling
the money inside when they are attacked. Money tainted with a dye could act as a flag to
the money's unlawful acquisition.

Safes are rated in terms of the time in minutes which a skilled, well equipped safe-
breaker is expected to require to open the safe. These ratings are developed by highly
skilled safe breakers employed by testing laboratories such as Underwriters Laboratories.

In a properly designed system, either the time between inspections by a patrolling guard
should be less than that time, or an alarm response force should be able to reach it in less
than that time.

Hiding the resources, or hiding the fact that resources are valuable, is also often a good
idea as it will reduce the exposure to opponents and will cause further delays during an
attack, but should not be relied upon as a principal means of ensuring security. (See
security through obscurity and inside job.)

Not all aspects of Physical Security need be high tech. Even something as simple as a
thick or thorny bush can add a layer of physical security to some premises, especially in a
residential setting.


Firewalls

A firewall is any device that prevents a specific type of information from moving
between the untrusted network outside and the trusted network inside.
There are five recognized generations of firewalls.
The firewall may be:
 a separate computer system
 a service running on an existing router or server
 a separate network containing a number of supporting devices

Different generations of firewalls:

First Generation
 Called packet filtering firewalls
 Examines every incoming packet header and selectively filters packets based on
address, packet type, port request, and other factors
 The restrictions most commonly implemented are based on:
– IP source and destination address
– Direction (inbound or outbound)
– TCP or UDP source and destination port requests

Second Generation
 Called application-level firewall or proxy server
 Often a dedicated computer separate from the filtering router
 With this configuration the proxy server, rather than the Web server, is exposed to
the outside world in the DMZ
 Additional filtering routers can be implemented behind the proxy server
 The primary disadvantage of application-level firewalls is that they are designed
for a specific protocol and cannot easily be reconfigured to protect against
attacks on protocols for which they are not designed

Third Generation
 Called stateful inspection firewalls
 Keeps track of each network connection established between internal and external
systems using a state table which tracks the state and context of each packet in the
conversation by recording which station sent what packet.
 These firewalls can track connectionless packet traffic such as UDP and remote
procedure calls (RPC) traffic

Fourth Generation


 While static filtering firewalls, such as the first generation, allow entire sets
of one type of packet to enter in response to authorized requests, a dynamic
packet filtering firewall allows only a particular packet with a particular source,
destination, and port address to enter through the firewall
 It does this by understanding how the protocol functions, and opening and closing
"doors" in the firewall, based on the information contained in the packet header.
In this manner, dynamic packet filters are an intermediate form, between
traditional static packet filters and application proxies

Fifth Generation
 The final form of firewall is the kernel proxy, a specialized form that works under
the Windows NT Executive, which is the kernel of Windows NT
 It evaluates packets at multiple layers of the protocol stack, by checking security
in the kernel as data is passed up and down the stack

Firewalls are categorized by processing modes


The five processing modes are
1) Packet filtering
2) Application gateways
3) Circuit gateways
4) MAC layer firewalls
5) Hybrids

Packet-filtering Routers
 Most organizations with an Internet connection have some form of a router as the
interface at the perimeter between the organization‘s internal networks and the
external service provider
 Many of these routers can be configured to filter packets that the organization
does not allow into the network
 This is a simple but effective means to lower the organization‘s risk to external
attack
 The drawback to this type of system includes a lack of auditing and strong
authentication
 The complexity of the access control lists used to filter the packets can grow and
degrade network performance

Screened-Host Firewall Systems


 Combine the packet-filtering router with a separate, dedicated firewall
such as an application proxy server

Dual-homed Host Firewalls

 The bastion host contains two NICs (network interface cards): one NIC is connected
to the external network and one to the internal network. With two NICs, all traffic
must physically go through the firewall to move between the internal and external
networks; IP forwarding between the two interfaces is disabled so that the host
proxies or filters the traffic rather than simply routing it
 A technology known as network address translation (NAT) is commonly
implemented with this architecture to map from real, valid, external IP
addresses to ranges of internal IP addresses that are not routable on the Internet
(the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)

Screened-Subnet Firewalls (with DMZ)
 Consists of two or more internal bastion hosts, behind a packet-filtering router,
with each host protecting the trusted network
 The first general model consists of two filtering routers, with one or more dual-
homed bastion hosts between them
 The second general model involves the connection from the outside or untrusted
network going through this path:
o Through an external filtering router
o Into and then out of a routing firewall to the separate network segment known
as the DMZ, where the publicly reachable servers are placed
o Only the traffic that the internal filtering router permits passes from the DMZ
into the trusted network, so a compromised DMZ server is still separated from
the internal systems

Selecting the Right Firewall
 What type of firewall technology offers the right balance of protection features
and cost for the needs of the organization?
 What features are included in the base price? What features are available at extra
cost? Are all cost factors known?
 How easy is it to set up and configure the firewall? How accessible are staff
technicians with the mastery to do it well?
 Can the candidate firewall adapt to the growing network in the target
organization?

SOCKS Servers
 SOCKS is a circuit-level proxy protocol (SOCKS version 5 is specified in RFC 1928)
that places SOCKS client-side agents on each workstation; the agent relays the
workstation's TCP connections (and, in version 5, UDP traffic) through the SOCKS server
 Places the filtering requirements on the individual workstation, rather than on a
single point of defense (and thus point of failure)
 This frees the entry router of filtering responsibilities, but then requires each
workstation to be configured and kept in policy, so a SOCKS system can require
additional support and management resources to configure and manage possibly
hundreds of individual clients, versus a single device or set of devices

Firewall Recommended Practices
 All traffic from the trusted network is allowed out
 The firewall device is always inaccessible directly from the public network
 Allow Simple Mail Transfer Protocol (SMTP) data to pass through your firewall,
but ensure it is all routed to a well-configured SMTP gateway to filter and route
messaging traffic securely
 All Internet Control Message Protocol (ICMP) data from the public network should
be denied, with the caveat that blocking ICMP wholesale breaks path MTU discovery
("fragmentation needed" messages) and that ICMPv6 is required for IPv6 to operate at
all, so the message types the network depends on must still be allowed
 Block telnet (terminal emulation) access to all internal servers from the public
networks
 When Web services are offered outside the firewall, deny HTTP traffic from
reaching your internal networks by using some form of proxy access or DMZ
architecture
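The filtering behaviour described under the firewall generations above and the recommended-practice rules just listed, as an added example written for these notes (it is not code from the course or from any firewall product): a minimal Python packet filter with an ordered rule list and default deny (first generation), plus a state table that admits replies to connections the trusted side opened (third generation). The addresses (TEST-NET ranges), the rule set and the sample packets are constructed for illustration; the POLICY list encodes the recommended practices above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the untrusted side, "out" = leaving the trusted side
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str = "*"    # "*" matches either direction
    proto: str = "*"
    src: str = "0.0.0.0/0"  # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    dport: int = 0          # 0 matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (0, p.dport))


class Firewall:
    """First-match rule evaluation with default deny, plus a state table."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        # (proto, trusted ip, trusted port, remote ip, remote port) of allowed outbound sessions
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def evaluate(self, p: Packet) -> str:
        # Stateful check first: an inbound packet that is the reply to a session the
        # trusted side opened is admitted without any static inbound rule for it.
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "allow"
        for rule in self.rules:                       # static rules, first match wins
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out" and p.proto in ("tcp", "udp"):
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action
        return "deny"                                  # nothing matched: default deny


# Constructed addressing: TEST-NET ranges stand in for the public side.
TRUSTED = "10.0.0.0/8"
FIREWALL = "203.0.113.1/32"        # the firewall's own public interface
SMTP_GATEWAY = "203.0.113.25/32"   # hardened SMTP gateway in the DMZ
DMZ_WEB_PROXY = "203.0.113.10/32"  # web proxy in the DMZ

# The recommended practices from the notes, in rule order.
POLICY = [
    Rule("allow", direction="out", src=TRUSTED),                  # all trusted traffic is allowed out
    Rule("deny", direction="in", dst=FIREWALL),                   # the firewall itself is never reachable from outside
    Rule("deny", direction="in", proto="icmp"),                   # ICMP from the public network denied (see caveat in the text)
    Rule("deny", direction="in", proto="tcp", dport=23),          # no telnet from the public network
    Rule("allow", direction="in", proto="tcp", dst=SMTP_GATEWAY, dport=25),   # SMTP only to the SMTP gateway
    Rule("allow", direction="in", proto="tcp", dst=DMZ_WEB_PROXY, dport=80),  # HTTP only to the DMZ proxy
    # inbound HTTP aimed at a trusted host matches nothing and falls to default deny
]


def run_policy() -> Dict[str, str]:
    """Evaluate constructed packets against POLICY and return each verdict."""
    fw = Firewall(POLICY)
    remote, client = "198.51.100.7", "10.1.2.3"
    verdicts = {}
    verdicts["outbound_https"] = fw.evaluate(Packet("out", "tcp", client, remote, 51000, 443))
    verdicts["https_reply"] = fw.evaluate(Packet("in", "tcp", remote, client, 443, 51000))      # in state table
    verdicts["unsolicited_syn"] = fw.evaluate(Packet("in", "tcp", remote, client, 443, 51001))  # not in state table
    verdicts["smtp_to_gateway"] = fw.evaluate(Packet("in", "tcp", remote, "203.0.113.25", 40000, 25))
    verdicts["smtp_to_internal"] = fw.evaluate(Packet("in", "tcp", remote, client, 40000, 25))
    verdicts["telnet_to_dmz"] = fw.evaluate(Packet("in", "tcp", remote, "203.0.113.10", 40000, 23))
    verdicts["ping_firewall"] = fw.evaluate(Packet("in", "icmp", remote, "203.0.113.1"))
    verdicts["http_to_proxy"] = fw.evaluate(Packet("in", "tcp", remote, "203.0.113.10", 40000, 80))
    verdicts["http_to_internal"] = fw.evaluate(Packet("in", "tcp", remote, client, 40000, 80))
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_policy().items():
        print(f"{name:18s} {verdict}")
```

The instructive case is "https_reply": with the state table it is allowed because the workstation opened the session; a purely static filter would have to either deny it or add an inbound allow for every high port, which is exactly the weakness the fourth-generation "doors" were designed to remove.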

Intrusion Detection Systems (IDSs)


An IDS operates as either network-based, when the technology is focused on
protecting network information assets, or host-based, when the technology is focused
on protecting server or host information assets
IDSs use one of two detection methods, signature-based or statistical anomaly-based

Different types of IDSs


a) Network-based IDS
A network-based IDS (NIDS) resides on a computer or an appliance connected to a
segment of an organization's network and monitors traffic on that network
segment, looking for indications of ongoing or successful attacks.
b) Host-based IDS
A host-based IDS (HIDS) works differently from a network-based IDS.
While a network-based IDS resides on a network segment and monitors activities
across that segment, a host-based IDS resides on a particular computer or server, known
as the host, and monitors activity only on that system. HIDSs are also known as System
Integrity Verifiers, as they benchmark and monitor the status of key system files and
detect when an intruder creates, modifies or deletes monitored files. A HIDS is also
capable of monitoring system configuration databases, such as the Windows registry, in
addition to stored configuration files like .ini, .cfg, and .dat files.
c) Application-based IDS
A refinement of the host-based IDS is the application-based IDS (AppIDS). Whereas
the HIDS examines a single system for file modification, the application-based IDS
examines an application for abnormal incidents. It looks for anomalous occurrences such
as users exceeding their authorization, invalid file executions, etc.
d) Signature-based IDS
This type is defined by its detection method. A signature-based IDS (also called a
knowledge-based IDS) examines data traffic in search of patterns that match known
signatures, that is, preconfigured, predetermined attack patterns. It can only detect
attacks for which a signature already exists, so the signature database must be kept
current.
Many attacks have clear and distinct signatures, such as (i) footprinting and
fingerprinting activities, whose attack pattern includes the use of ICMP, DNS
querying, and e-mail routing analysis; (ii) exploits, which involve a specific attack
sequence designed to take advantage of a vulnerability to gain access to a system;
(iii) Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
e) Statistical Anomaly-Based IDS (also called Behaviour-based IDS)
This approach detects intrusions based on the frequency with which certain
network activities take place. A statistical anomaly-based IDS collects statistical
summaries by observing traffic that is known to be normal, and a baseline is
established from that normal period. The IDS then periodically samples network
activity and, using statistical methods, compares the sampled network activity to the
baseline. When the measured activity falls outside the baseline parameters, it is said to
exceed the clipping level; at this point the IDS triggers an alert to notify the
administrator. The trade-off is the reverse of the signature approach: it can notice
attacks nobody has written a signature for, but any legitimate change in usage can
raise false alarms until the baseline is retrained.
f) Log File Monitors (LFM)
A Log File Monitor (LFM) is an approach to IDS that is similar to a NIDS. Using an LFM,
the system reviews the log files generated by servers, network devices, and other
IDSs. These systems look for patterns and signatures in the log files that may indicate an
attack or intrusion is in process or has already succeeded. Because it correlates records
from many sources, an LFM can see an attack spread across several hosts that no single
HIDS would flag on its own.
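The two detection methods described above, run over log lines the way an LFM would, as an added example written for these notes (not code from the course or from any IDS product). The log excerpt, the signature patterns and the baseline counts are all constructed; the signature pass matches known attack patterns line by line, and the anomaly pass counts events per source and compares the count with a clipping level derived from the baseline.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Constructed log excerpt, "<time> <source-ip> <message>", standing in for the
# consolidated logs of a web server and an SSH server.
LOG_LINES = [
    "10:00:01 198.51.100.7 GET /index.html 200",
    "10:00:02 198.51.100.7 GET /about.html 200",
    "10:00:03 203.0.113.9 GET /cgi-bin/../../etc/passwd 404",
    "10:00:04 198.51.100.7 GET /contact.html 200",
    "10:00:05 203.0.113.9 sshd: Failed password for root",
    "10:00:06 203.0.113.9 sshd: Failed password for root",
    "10:00:07 203.0.113.9 sshd: Failed password for admin",
    "10:00:08 203.0.113.9 sshd: Failed password for admin",
    "10:00:09 192.0.2.44 GET /login.php?user=' OR '1'='1 200",
]

# Knowledge-based detection: each signature is a name and a pattern for a known attack.
SIGNATURES = [
    ("directory-traversal", re.compile(r"\.\./")),
    ("sql-injection", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
    ("ssh-failed-login", re.compile(r"Failed password for")),
]


def source_of(line: str) -> str:
    return line.split()[1]


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (signature name, source ip) for every line matching a known pattern."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                alerts.append((name, source_of(line)))
    return alerts


# Behaviour-based detection: events per source in a normal period (constructed baseline).
BASELINE = [3, 2, 4, 3, 2, 3, 4, 3]


def clipping_level(baseline: List[int], k: float = 2.0) -> float:
    """Threshold above which activity is anomalous: baseline mean + k standard deviations."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def anomaly_alerts(lines: List[str], baseline: List[int], k: float = 2.0) -> List[Tuple[str, int]]:
    """Sources whose event count in the sampled window exceeds the clipping level."""
    threshold = clipping_level(baseline, k)
    counts = Counter(source_of(line) for line in lines)
    return [(src, n) for src, n in counts.items() if n > threshold]


def monitor(lines: List[str]) -> Dict[str, list]:
    return {"signature": signature_alerts(lines), "anomaly": anomaly_alerts(lines, BASELINE)}


if __name__ == "__main__":
    for kind, alerts in monitor(LOG_LINES).items():
        print(kind, alerts)
```

Note how the two methods complement each other on this input: a single failed SSH login matches a signature but is not itself an attack, whereas the brute-force attempt shows up as the source 203.0.113.9 exceeding the clipping level (mean 3 plus two standard deviations, about 4.41 events) without any signature needing to describe it.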

What are Honey Pots, Honey Nets, and Padded Cell Systems?

A class of powerful security tools that go beyond routine intrusion detection is
known variously as honey pots, honey nets, and padded cell systems.
Honey pots are decoy systems designed to lure potential attackers away from critical
systems and encourage attacks against themselves. These systems are created for the
sole purpose of deceiving potential attackers. In industry they are known as decoys, lures,
and fly-traps.

When a collection of honey pots connects several honey pot systems on a subnet, it may
be called a honey net.

In sum, honey pots are designed to:
i) Divert an attacker from accessing critical systems.
ii) Collect information about the attacker's activity.
iii) Encourage the attacker to stay on the system long enough for administrators to
document the event and, perhaps, respond.

A padded cell is a honey pot that has been protected so that it cannot be easily
compromised. In other words, a padded cell is a hardened honey pot.

The advantages and disadvantages of using a honey pot or padded cell approach
Advantages:
 Attackers can be diverted to targets that they cannot damage.
 Administrators have time to decide how to respond to an attacker.
 Attackers' actions can be easily and extensively monitored.
 Honey pots may be effective at catching insiders who are snooping around a
network.
Disadvantages:
 The legal implications of using such devices are not well defined.
 Honey pots and padded cells have not yet been shown to be generally useful
security technologies.
 An expert attacker, once diverted into a decoy system, may become angry and
launch a hostile attack against an organization's systems.
 Admins and security managers will need a high level of expertise to use these
systems.

Scanning and Analysis Tools


 Scanners, sniffers, and other analysis tools are useful to security administrators in
enabling them to see what the attacker sees
 Scanner and analysis tools can find vulnerabilities in systems
 One of the preparatory parts of an attack is known as footprinting – collecting IP
addresses and other useful data
 The next phase of pre-attack data gathering process is called fingerprinting –
scanning all known addresses to make a network map of the target


What are footprinting and fingerprinting?

The attack protocol is a series of steps or processes used by an attacker, in a logical
sequence, to launch an attack against a target system or network. One of the preparatory
parts of the attack protocol is the collection of publicly available information about a
potential target, a process known as footprinting.

Footprinting is the organized research of the Internet addresses owned or controlled by
the target organization. The attacker uses public Internet data sources (such as DNS and
WHOIS records) to perform keyword searches to identify the network addresses of the
organization. This research is augmented by browsing the organization's web pages.

The next phase of the attack protocol is a second intelligence or data-gathering process
called fingerprinting. This is a systematic survey of all of the target organization's
Internet addresses (which are collected during the footprinting phase); the survey is
conducted to ascertain the network services offered by the hosts in that range.
Fingerprinting reveals useful information about the internal structure and operational
nature of the target system or network for the anticipated attack.

Different types of Scanning and Analysis tools available

Port Scanners
 Port scanners fingerprint networks to find open ports, the services listening on
them, and other useful information

Why secure open ports?


An open port can be used to send commands to a computer, gain access to a
server, and exert control over a networking device
o The general rule of thumb is to remove from service or secure any port not
absolutely necessary for the conduct of business
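What a port scanner actually does per port, as an added example written for these notes (not code from the course or from any scanning tool): a TCP connect scan in Python that classifies each port as open, closed or filtered, the three answers the rule above turns into "close it or secure it". To keep the example self-contained and lawful to run, demo_scan() creates its own listener on 127.0.0.1 and scans only that host; the port numbers it uses are whatever the operating system hands out, and the listener is a constructed stand-in for a real service.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one port the way a TCP connect scan does: a completed handshake is
    'open', an immediate RST (connection refused) is 'closed', and silence until the
    timeout is 'filtered', the usual sign of a packet filter dropping the SYN."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # includes socket.timeout / TimeoutError
        return "filtered"
    finally:
        sock.close()


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5, workers: int = 32) -> Dict[int, str]:
    """Scan the given ports concurrently and return {port: state} in the order given."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def demo_scan() -> Dict[int, str]:
    """Stand up a listener on one ephemeral port and free another, then scan both,
    so the example runs entirely against 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # released: a SYN here is answered with RST
    try:
        return scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()


if __name__ == "__main__":
    for port, state in demo_scan().items():
        print(f"127.0.0.1:{port} {state}")
```

Against a host on the far side of a firewall the third state appears: ports the filter silently drops come back "filtered" after the timeout rather than "closed", which is itself information about the perimeter. Scanning anything other than systems you own or are authorized to test is the same legal line the packet sniffer section below draws.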

Vulnerability Scanners
 Vulnerability scanners are capable of scanning networks for very detailed
information
 As a class, they identify exposed usernames and groups, show open network
shares,expose configuration problems, and other vulnerabilities in servers

©Einstein College of Engineering


Page 59
INFORMATION SECURITY - CS1014

Packet Sniffers
 A network tool that collects copies of packets from the network and analyzes them
 Can be used to eavesdrop on the network traffic
 To use a packet sniffer legally, you must be:
 on a network that the organization owns
 under direct authorization of the owners of the network
 have knowledge and consent of the content creators (users)
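What a sniffer does with a captured packet once it has a copy, as an added example written for these notes (not code from the course or from any capture tool): decoding the IPv4 and TCP headers and the payload from raw bytes. Capturing live traffic needs administrative privileges and the authorization the bullets above describe, so the packet here is constructed in build_sample_packet() rather than captured; its addresses, ports and payload are illustrative, and both checksums are left at zero.

```python
import struct
from typing import Any, Dict, List

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5 of the flags byte
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3"}


def build_sample_packet() -> bytes:
    """Constructed IPv4/TCP packet (no link-layer header) standing in for a captured
    frame: a PSH/ACK from 198.51.100.7:40000 to 10.1.2.3:23 carrying a telnet login.
    Both checksums are left as zero; a real sniffer would verify them."""
    payload = b"login: admin\r\n"
    tcp_header = struct.pack("!HHIIBBHHH",
                             40000, 23,          # source, destination port
                             1000, 2000,         # sequence, acknowledgement numbers
                             5 << 4,             # data offset 5 words (20 bytes), reserved bits 0
                             0x18,               # flags: PSH (0x08) | ACK (0x10)
                             65535, 0, 0)        # window, checksum, urgent pointer
    total_length = 20 + len(tcp_header) + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0,                   # version 4, IHL 5 words; DSCP/ECN
                            total_length, 0x1234, 0,   # total length, identification, flags/fragment offset
                            64, 6, 0,                  # TTL, protocol 6 = TCP, header checksum
                            bytes([198, 51, 100, 7]), bytes([10, 1, 2, 3]))
    return ip_header + tcp_header + payload


def tcp_flags(byte: int) -> List[str]:
    return [name for bit, name in enumerate(TCP_FLAG_NAMES) if byte & (1 << bit)]


def decode_ipv4_tcp(pkt: bytes) -> Dict[str, Any]:
    """Parse the IPv4 header and, for protocol 6, the TCP header and payload."""
    ver_ihl, _, total_length, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                        # IP header length in bytes (options included)
    info: Dict[str, Any] = {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl, "proto": proto,
    }
    if proto == 6:
        sport, dport, seq, ack, offset_byte, flags, window, _, _ = struct.unpack(
            "!HHIIBBHHH", pkt[ihl:ihl + 20])
        data_offset = (offset_byte >> 4) * 4          # TCP header length in bytes (options included)
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, window=window,
                    flags=tcp_flags(flags), payload=pkt[ihl + data_offset:total_length])
        # The reason sniffers matter: services on these ports carry credentials in the clear.
        if dport in CLEARTEXT_PORTS:
            info["cleartext_service"] = CLEARTEXT_PORTS[dport]
    return info


if __name__ == "__main__":
    print(decode_ipv4_tcp(build_sample_packet()))
```

The decoded record shows both why the tool is useful to an administrator (the same parsing is how a NIDS matches signatures) and why the telnet rule in the firewall practices exists: the login prompt and whatever follows it are readable by anyone positioned to copy the packets.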

Content Filters
 Although technically not a firewall, a content filter is a software filter that allows
administrators to restrict accessible content from within a network
 The content filtering restricts Web sites with inappropriate content

Trap and Trace
 Trap: lure the intruder into a decoy system (a honey pot) that holds the intruder's
attention while notifying the administrator
 Trace: determine the identity of someone using unauthorized access, by tracking the
intrusion back toward its source

What is Cryptography?
Cryptography, which comes from the Greek words kryptos, meaning "hidden", and
graphein, meaning "to write", is the process of making and using codes to secure the
transmission of information.
Cryptanalysis is the process of obtaining the original message (called plaintext) from an
encrypted message (called the ciphertext) without knowing the keys used to perform the
encryption; the algorithm itself is assumed to be known to the attacker, so the secrecy of
a system must rest on the key alone.
Encryption is the process of converting an original message into a form that is unreadable
to unauthorized individuals, that is, to anyone without the tools to convert the encrypted
message back to its original format.
Decryption is the process of converting the ciphertext back into a message that conveys
readily understood meaning.

Basic Encryption Definitions
Algorithm: the mathematical formula used to convert an unencrypted message into
an encrypted message.
Cipher: the transformation of the individual components (characters, bytes, or bits) of
an unencrypted message into encrypted components.

Ciphertext or cryptogram: the unintelligible encrypted or encoded message
resulting from an encryption.
Code: the transformation of the larger components (words or phrases) of an
unencrypted message into encrypted components.
Cryptosystem: the set of transformations necessary to convert an unencrypted
message into an encrypted message.
Decipher: to decrypt or convert ciphertext to plaintext.
Encipher: to encrypt or convert plaintext to ciphertext.
Key or cryptovariable: the information used in conjunction with the algorithm to
create ciphertext from plaintext.
Keyspace: the entire range of values that can possibly be used to construct an
individual key.
Link encryption: a series of encryptions and decryptions between a number of
systems, whereby each node decrypts the message sent to it and then re-encrypts it
using different keys and sends it to the next neighbor, until it reaches the final
destination.
Plaintext: the original unencrypted message that is encrypted and results from
successful decryption.
Steganography: the process of hiding messages in a picture or graphic.
Work factor: the amount of effort (usually in hours) required to perform
cryptanalysis on an encoded message.

Data Encryption Standard (DES)

 Developed by IBM and adopted as a US federal standard (FIPS 46) in 1977
 Based on the Data Encryption Algorithm (DEA)
 Uses a 64-bit block size and a 56-bit key
 With a 56-bit key, the algorithm has 2^56 possible keys to choose from (about 72
quadrillion)
 DES was a federally approved standard for non-classified data
 DES was cracked in 1997 when RSA put a bounty on the algorithm, offering
$10,000 to the team that cracked it: fourteen thousand users collaborated
over the Internet to finally break the encryption by exhaustive key search

Triple DES (3DES)

 Developed as an improvement to DES
 Uses up to three keys in succession and performs three DES operations
(encrypt, decrypt, encrypt, so that with all three keys equal it reduces to
single DES for backward compatibility)
 3DES encrypts the message three times with three different keys, the most
secure level of encryption possible with 3DES; note that the resulting 168-bit key gives
roughly 112 bits of effective security because of the meet-in-the-middle attack
 In 1998, it took a dedicated computer designed by the Electronic Frontier
Foundation (www.eff.org) just over 56 hours to crack DES
 The successor to 3DES is the Advanced Encryption Standard (AES), based on the
Rijndael block cipher; Rijndael supports variable block and key lengths, while AES as
standardized fixes the block length at 128 bits with a key length of
128, 192, or 256 bits
 It would take the same computer approximately 4,698,864 quintillion years to
crack AES

Digital Signatures
 An interesting thing happens when the asymmetric process is reversed, that is, the
private key is used to encrypt a short message (in practice, a hash of the message)
 The public key can be used to decrypt it, and the fact that the message was sent by
the holder of the private key cannot be refuted
 This is known as nonrepudiation, which is the foundation of digital signatures
 A digital signature is therefore a hash of the message transformed with the signer's
private key; anyone holding the public key can verify it, and the binding between that
public key and its owner is vouched for by a certificate issued by a certificate
authority (CA)
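The "reversed" asymmetric operation described above, carried out end to end, as an added example written for these notes (not code from the course): signing a SHA-256 hash with an RSA private exponent and verifying it with the public exponent, then showing that a changed message or a changed signature fails. The key pair is built from two Mersenne primes (2^127 - 1 and 2^521 - 1) so that the arithmetic is reproducible without a library; because those primes are public the pair offers no real security, and the textbook form shown here omits the padding (RSA-PSS) that real signature schemes add. The message is constructed.

```python
import hashlib

# Two Mersenne primes as p and q. They are publicly known, so this key pair
# offers no real security; it is only to make the sign/verify arithmetic
# reproducible without a library.
P = (1 << 127) - 1           # M127
Q = (1 << 521) - 1           # M521
N = P * Q                    # public modulus, about 648 bits, larger than any SHA-256 value
E = 65537                    # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (modular inverse; Python 3.8+)


def message_digest(message: bytes) -> int:
    """SHA-256 of the message as an integer; this is what actually gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """The 'reversed' asymmetric operation: the hash is raised to the private exponent."""
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone with the public key undoes the private operation and compares the
    result with a fresh hash of the message they received."""
    return pow(signature, e, n) == message_digest(message) % n


if __name__ == "__main__":
    order = b"Pay 100 to account 42"
    sig = sign(order)
    print("genuine:", verify(order, sig))
    print("tampered message:", verify(b"Pay 1000 to account 42", sig))
    print("tampered signature:", verify(order, sig + 1))
```

Only the holder of D can produce a value that E undoes to the correct hash, which is the nonrepudiation property; what this block does not supply is the assurance that N and E really belong to the claimed signer, and that is the gap the certificates and CAs of the next section fill.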

PKI or Public Key Infrastructure

Public Key Infrastructure is the entire set of hardware, software, and
cryptosystems necessary to implement public key encryption
PKI systems are based on public-key cryptosystems and include digital certificates
and certificate authorities (CAs) and can:
 Issue digital certificates
 Issue crypto keys
 Provide tools to use crypto to secure information
 Provide verification and revocation of certificates

PKI Benefits
PKI protects information assets in several ways:
 Authentication
 Integrity
 Privacy
 Authorization
 Nonrepudiation

Securing E-mail
Encryption cryptosystems have been adapted to inject some degree of security
into e-mail:
 S/MIME builds on the Multipurpose Internet Mail Extensions (MIME)
encoding format by adding encryption and authentication
 Privacy Enhanced Mail (PEM) was proposed by the Internet Engineering
Task Force (IETF) as a standard to function with the public key
cryptosystems
 PEM uses DES-based symmetric encryption (DES-CBC for message bodies; its RFCs
also define triple DES for key encryption) and RSA for key exchange and
digital signatures
 Pretty Good Privacy (PGP) was developed by Phil Zimmermann and originally used
the IDEA cipher along with RSA for key exchange

Seven Major Sources of Physical Loss


Temperature extremes
Gases
Liquids
Living organisms
Projectiles
Movement
Energy anomalies

Secure facility
A secure facility is a physical location that has been engineered with controls designed
to minimize the risk of attacks from physical threats A secure facility can use the natural
terrain; traffic flow, urban development, and can complement these features with
protection mechanisms such as fences, gates, walls, guards, and alarms

Controls for Protecting the Secure Facility


 Walls, Fencing, and Gates
 Guards
 Dogs, ID Cards, and Badges
 Locks and Keys
 Mantraps
 Electronic Monitoring
 Alarms and Alarm Systems
 Computer Rooms
 Walls and Doors

Controls used in a Secure Facility

ID Cards and Badges
 Tie physical security to information access with identification cards (ID) and/or
name badges
 ID card is typically concealed
 Name badge is visible
 A photo ID is verified by a guard comparing the holder's face to the photo, which
makes it a crude form of facial-recognition biometric
 Should not be the only control, as cards and badges can be duplicated, stolen, and
modified
 Tailgating occurs when unauthorized individuals follow authorized users through the
control

Locks and Keys

There are two types of locks:
 mechanical and electro-mechanical

Locks can also be divided into four categories:
 manual, programmable, electronic, and biometric

Locks fail, and facilities need alternative procedures for access

Locks fail in one of two ways:
 when the lock of a door fails and the door becomes unlocked, that is a fail-safe
lock
 when the lock of a door fails and the door remains locked, this is a fail-secure
lock
 The choice depends on what the door protects: exits that people must use in an
emergency are fail-safe so that a power loss never traps anyone, while a door that
only guards equipment can be fail-secure so that a power loss never opens it

Electronic Monitoring
 Records events where other types of physical controls are not practical
 May use cameras with video recorders
 Drawbacks:
o reactive and do not prevent access or prohibited activity
o recordings often not monitored in real time and must be reviewed to have any
value

Alarms and Alarm Systems


Alarm systems notify when an event occurs
Used for fire, intrusion, environmental disturbance, or an interruption in services
These systems rely on sensors that detect the event: motion detectors, smoke detectors,
thermal detectors, glass breakage detectors, weight sensors, and contact sensors

Computer Rooms and Wiring Closets


 Computer rooms and wiring and communications closets require special attention
 Logical controls are easily defeated, if an attacker gains physical access to the
computing equipment
 Custodial staff are often the least scrutinized of those who have access to offices and
are given the greatest degree of unsupervised access

Interior Walls and Doors

 The walls in a facility are typically either:
o standard interior
o firewall (fire-rated)
 All high-security areas must have firewall-grade walls, which provide physical
security from potential intruders and improve the facility's resistance to fire
 Doors that allow access into secured rooms should also be evaluated
 Computer rooms and wiring closets can have push or crash bars installed to meet
building codes and provide much higher levels of security than the standard door pull
handle
Fire Safety
 The most serious threat to the safety of the people who work in the organization is
the possibility of fire
 Fires account for more property damage, personal injury, and death than any other
threat
 It is imperative that physical security plans examine and implement strong
measures to detect and respond to fires and fire hazards

Fire Detection and Response

 Fire suppression systems are devices installed and maintained to detect and
respond to a fire
 They work to deny an environment of one of the three requirements for a fire to
burn: heat, fuel, and oxygen
 Water and water mist systems reduce the temperature and saturate some fuels
to prevent ignition
 Carbon dioxide systems rob fire of its oxygen
 Soda acid systems deny fire its fuel, preventing spreading
 Gas-based systems disrupt the fire's chemical reaction but leave enough
oxygen for people to survive for a short time

Chief Information Security Officer

 The top information security position in the organization, not usually an executive
and frequently reports to the Chief Information Officer
 The CISO performs the following functions:
o Manages the overall InfoSec program
o Drafts or approves information security policies
o Works with the CIO on strategic plans, develops tactical plans, and works with
security managers on operational plans
o Develops InfoSec budgets based on funding
o Sets priorities for InfoSec projects and technology
o Makes decisions in recruiting, hiring, and firing of security staff
o Acts as the spokesperson for the security team
