PREPARED BY
A.SHERLY ALPHONSE
L/CSE
UNIT - 1 : INTRODUCTION
Learning Objectives
Introduction
Information security: a “well-informed sense of assurance that the information risks and
controls are in balance.” — Jim Anderson, Inovant (2002)
Necessary to review the origins of this field and its impact on our understanding of
information security today
The 1990s
Networks of computers became more common; so too did the need to interconnect
networks
Internet became first manifestation of a global network of networks
In early Internet deployments, security was treated as a low priority
The Present
The Internet brings millions of computer networks into communication with each other—
many of them unsecured
The ability to secure a computer’s data is influenced by the security of every computer to
which it is connected
What is Security?
“The quality or state of being secure—to be free from danger”
A successful organization should have multiple layers of security in place:
Physical security
Personal security
Operations security
Communications security
Network security
Information security
An information system (IS) is the entire set of software, hardware, data, people, procedures,
and networks necessary to use information as a resource in the organization
Senior Management
Chief Information Officer (CIO)
Senior technology officer
Primarily responsible for advising senior executives on strategic planning
Chief Information Security Officer (CISO)
Primarily responsible for assessment, management, and implementation of IS in
the organization
Usually reports directly to the CIO
Data Ownership
Data owner: responsible for the security and use of a particular set of information
Data custodian: responsible for storage, maintenance, and protection of information
Data users: end users who work with information to perform their daily jobs supporting
the mission of the organization
Information Security: Is it an Art or a Science?
Implementation of information security often described as combination of art and science
“Security artisan” idea: based on the way individuals have perceived systems technologists
since computers became commonplace
Security as Art
No hard and fast rules nor many universally accepted complete solutions
No manual for implementing security through entire system
Security as Science
Dealing with technology designed to operate at high levels of performance
Specific conditions cause virtually all actions that occur in computer systems
Nearly every fault, security hole, and systems malfunction is a result of the interaction of
specific hardware and software
If developers had sufficient time, they could resolve and eliminate faults
Learning objective
Upon completion of this chapter you should be able to:
– Understand the business need for information security.
– Understand a successful information security program is the responsibility of an
organization’s general management and IT management.
– Understand the threats posed to information security and the more common
attacks associated with those threats.
– Differentiate threats to information systems from attacks against information
systems.
Business Needs First,
Technology Needs Last
Information security performs four important functions for an organization:
– Protects the organization’s ability to function
– Enables the safe operation of applications implemented on the organization’s IT
systems
– Protects the data the organization collects and uses
– Safeguards the technology assets in use at the organization
Protecting Data
One of the most valuable assets is data
Without data, an organization loses its record of transactions and/or its ability to deliver
value to its customers
An effective information security program is essential to the protection of the integrity
and value of the organization’s data
Organizations must have secure infrastructure services based on the size and scope of the
enterprise
Additional security services may have to be provided
More robust solutions may be needed to replace security programs the organization has
outgrown
Threats
Management must be informed of the various kinds of threats facing the organization
A threat is an object, person, or other entity that represents a constant danger to an asset
By examining each threat category in turn, management effectively protects its
information through policy, education and training, and technology controls
The 2002 CSI/FBI survey found:
– 90% of organizations responding detected computer security breaches within the
last year
– 80% lost money to computer breaches, totaling over $455,848,000 up from
$377,828,700 reported in 2001
– The number of attacks that came across the Internet rose from 70% in 2001 to
74% in 2002
– Only 34% of organizations reported their attacks to law enforcement
– Inexperience
– Improper training
– Incorrect assumptions
– Other circumstances
Employees are the greatest threats to information security – they are closest to the
organizational data
When an organization outsources its web servers, the outsourcer assumes responsibility
for
– All Internet Services
– The hardware and operating system software used to operate the web site
Services
Other utility services have potential impact
Among these are
– telephone
– water & wastewater
– trash pickup
– cable television
– natural or propane gas
– custodial services
The threat of loss of services can lead to an inability to function properly
Power Irregularities
Voltage levels can increase, decrease, or cease:
– spike – momentary increase
– surge – prolonged increase
– sag – momentary low voltage
– brownout – prolonged drop
– fault – momentary loss of power
– blackout – prolonged loss
Electronic equipment is susceptible to fluctuations; controls can be applied to manage
power quality
Espionage/Trespass
Broad category of activities that breach confidentiality
– Unauthorized accessing of information
– Competitive intelligence (the legal and ethical collection and analysis of
information regarding the capabilities, vulnerabilities, and intentions of business
competitors) vs. espionage
– Shoulder surfing can occur any place a person is accessing confidential
information
Controls implemented to mark the boundaries of an organization’s virtual territory give
notice to trespassers that they are encroaching on the organization’s cyberspace
Hackers use skill, guile, or fraud to steal the property of someone else
Espionage/Trespass
Generally two skill levels among hackers:
– Expert hacker
• develops software scripts and codes exploits
• usually a master of many skills
• will often create attack software and share with others
– Script kiddies
• hackers of limited skill
• use expert-written software to exploit a system
• do not usually fully understand the systems they hack
Other terms for system rule breakers:
– Cracker - an individual who “cracks” or removes protection designed to prevent
unauthorized duplication
– Phreaker - hacks the public telephone network
Information Extortion
Information extortion is an attacker or formerly trusted insider stealing information from
a computer system and demanding compensation for its return or non-use
Extortion found in credit card number theft
Sabotage or Vandalism
Individual or group who want to deliberately sabotage the operations of a computer
system or business, or perform acts of vandalism to either destroy an asset or damage the
image of the organization
These threats can range from petty vandalism to organized sabotage
Organizations rely on image so Web defacing can lead to dropping consumer confidence
and sales
Rising threat of hacktivist or cyber-activist operations – the most extreme version is
cyber-terrorism
Technological Obsolescence
When the infrastructure becomes antiquated or outdated, it leads to unreliable and
untrustworthy systems
Management must recognize that when technology becomes outdated, there is a risk of
loss of data integrity to threats and attacks
Ideally, proper planning by management should prevent the risks from technology
obsolescence, but when obsolescence is identified, management must take action
Attacks
An attack is a deliberate act that exploits a vulnerability
Attack Descriptions
IP Scan and Attack – Compromised system scans random or local range of IP addresses
and targets any of several vulnerabilities known to hackers or left over from previous
exploits
Web Browsing - If the infected system has write access to any Web pages, it makes all
Web content files infectious, so that users who browse to those pages become infected
Virus - Each infected machine infects certain common executable or script files on all
computers to which it can write with virus code that can cause infection
Unprotected Shares - using file shares to copy viral component to all reachable locations
Mass Mail - sending e-mail infections to addresses found in address book
Simple Network Management Protocol - SNMP vulnerabilities used to compromise and
infect
Hoaxes - A more devious approach to attacking computer systems is the transmission of a
virus hoax, with a real virus attached
Back Doors - Using a known or previously unknown and newly discovered access
mechanism, an attacker can gain access to a system or network resource
Password Crack - Attempting to reverse calculate a password
Brute Force - The application of computing and network resources to try every possible
combination of options of a password
Dictionary - The dictionary password attack narrows the field by selecting specific
accounts to attack and uses a list of commonly used passwords (the dictionary) to guide
guesses
Denial-of-service (DoS) –
– attacker sends a large number of connection or information requests to a target
– so many requests are made that the target system cannot handle them
successfully along with other, legitimate requests for service
– may result in a system crash, or merely an inability to perform ordinary functions
Distributed Denial-of-service (DDoS) - an attack in which a coordinated stream of
requests is launched against a target from many locations at the same time
Spoofing - technique used to gain unauthorized access whereby the intruder sends
messages to a computer with an IP address indicating that the message is coming from a
trusted host
Man-in-the-Middle - an attacker sniffs packets from the network, modifies them, and
inserts them back into the network
Spam - unsolicited commercial e-mail - while many consider spam a nuisance rather than
an attack, it is emerging as a vector for some attacks
Mail-bombing - another form of e-mail attack that is also a DoS, in which an attacker
routes large quantities of e-mail to the target
Sniffers - a program and/or device that can monitor data traveling over a network.
Sniffers can be used both for legitimate network management functions and for stealing
information from a network
Social Engineering - within the context of information security, the process of using
social skills to convince people to reveal access credentials or other valuable information
to the attacker
“People are the weakest link. You can have the best technology; firewalls,
intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting
employee. That's all she wrote, baby. They got everything.”
“Brick attack” – the best configured firewall in the world can’t stand up to a well placed
brick
Buffer Overflow –
– application error occurs when more data is sent to a buffer than it can handle
– when the buffer overflows, the attacker can make the target system execute
instructions, or the attacker can take advantage of some other unintended
consequence of the failure
Timing Attack –
– relatively new
– works by exploring the contents of a web browser’s cache
– can allow collection of information on access to password-protected sites
– another attack by the same name involves attempting to intercept cryptographic
elements to determine keys and encryption algorithms
UNIT-III
RISK MANAGEMENT: IDENTIFYING AND ASSESSING RISK
Learning Objectives:
Risk Management
“If you know the enemy and know yourself, you need not fear the result of a hundred
battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a
defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.” (Sun Tzu)
Know Ourselves
First, we must identify, examine, and understand the information and systems currently
in place
In order to protect our assets, defined here as the information and the systems that use,
store, and transmit it, we have to understand everything about the information
Once we have examined these aspects, we can then look at what we are already doing to
protect the information and systems from the threats
For information security this means identifying, examining, and understanding the threats
that most directly affect our organization and the security of our organization’s
information assets
We then can use our understanding of these aspects to create a list of threats prioritized
by importance to the organization
Risk Identification
A risk management strategy calls on us to “know ourselves” by identifying, classifying,
and prioritizing the organization’s information assets
These assets are the targets of various threats and threat agents and our goal is to protect
them from these threats
Next comes threat identification:
– Assess the circumstances and setting of each information asset
– Identify the vulnerabilities and begin exploring the controls that might be used to
manage the risks
Classification
Many organizations already have a classification scheme
Examples of these kinds of classifications are:
– confidential data
– internal data
– public data
Informal organizations may have to organize themselves to create a useable data
classification model
The other side of the data classification scheme is the personnel security clearance
structure
Vulnerability Identification
Examine how each of the threats that are possible or likely could be perpetrated and list
the organization‘s assets and their vulnerabilities
The process works best when groups of people with diverse backgrounds within the
organization work iteratively in a series of brainstorming sessions
At the end of the process, an information asset / vulnerability list has been developed
– this list is the starting point for the next step, risk assessment
Risk Assessment
We can determine the relative risk for each of the vulnerabilities through a process called
risk assessment
Risk assessment assigns a risk rating or score to each specific information asset, useful in
gauging the relative risk introduced by each vulnerable information asset and making
comparative ratings later in the risk control process
Risk Determination
For the purpose of relative risk assessment:
risk = (likelihood of vulnerability occurrence × value (or impact))
       − percentage of risk already controlled
       + an element of uncertainty
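A worked calculation of the relative risk formula above, as an added example that is not part of the lecture notes. It assumes the interpretation usually given to this formula, namely that the controlled percentage and the uncertainty are both taken as percentages of the base likelihood × value product; the assets, vulnerabilities and values are constructed.

```python
"""Relative risk rating per the risk-determination formula.

Added example, not from the lecture notes. Assumption: the "percentage already
controlled" and the "element of uncertainty" are applied as percentages of the
base product likelihood * value, which is the usual reading of this formula.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One entry of the information asset / vulnerability list."""
    asset: str
    vulnerability: str
    value: float          # asset value or impact, on the organization's relative scale
    likelihood: float     # chance the vulnerability is exploited, 0.0 .. 1.0
    controlled: float     # fraction of the risk already mitigated by controls, 0.0 .. 1.0
    uncertainty: float    # how incomplete our knowledge of the vulnerability is, 0.0 .. 1.0


def risk_rating(e: Exposure) -> float:
    """risk = likelihood * value - (already controlled) + (uncertainty).

    Both adjustments are percentages of the base likelihood * value product.
    """
    for name in ("likelihood", "controlled", "uncertainty"):
        v = getattr(e, name)
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {v}")
    if e.value < 0:
        raise ValueError("asset value must be non-negative")
    base = e.likelihood * e.value
    return base - base * e.controlled + base * e.uncertainty


def rank_by_risk(exposures):
    """Return (rating, exposure) pairs from highest to lowest relative risk,
    which is the comparative ranking the risk control step starts from."""
    return sorted(((risk_rating(e), e) for e in exposures),
                  key=lambda pair: pair[0], reverse=True)


# Constructed sample list; the values are illustrative, not taken from the notes.
SAMPLE = [
    Exposure("customer DB", "unvalidated web input", value=50, likelihood=1.0,
             controlled=0.0, uncertainty=0.10),
    Exposure("customer DB", "missing vendor patches", value=50, likelihood=0.5,
             controlled=0.5, uncertainty=0.10),
    Exposure("public web site", "weak administrator password", value=20,
             likelihood=0.8, controlled=0.25, uncertainty=0.20),
]

if __name__ == "__main__":
    for rating, e in rank_by_risk(SAMPLE):
        print(f"{rating:6.2f}  {e.asset}: {e.vulnerability}")
```

Note that the second and third entries end up almost tied even though their asset values differ by a factor of 2.5, which is exactly the kind of comparison the rating is meant to surface.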
Access Controls
One particular application of controls is in the area of access controls
Access controls are those controls that specifically address admission of a user into a
trusted area of the organization
There are a number of approaches to controlling access
Access controls can be
– discretionary
– mandatory
– nondiscretionary
Lattice-based Control
Another type of nondiscretionary access is lattice-based control, where a lattice structure
(or matrix) is created containing subjects and objects, and the boundaries associated with
each pair are contained
This specifies the level of access each subject has to each object
In a lattice-based control the column of attributes associated with a particular object is
referred to as an access control list or ACL
The row of attributes associated with a particular subject (such as a user) is referred to as
a capabilities table
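The access matrix just described, as an added example that is not part of the lecture notes: a column of the matrix is an object's ACL, a row is a subject's capabilities table, and the reference-monitor check defaults to deny. Subjects, objects and rights are constructed.

```python
"""Access matrix for lattice-based control, with ACL and capability views.

Added example, not from the lecture notes. The subjects, objects and rights
below are constructed for illustration.
"""
from enum import Flag, auto


class Right(Flag):
    """Rights a subject may hold on an object; combinable with |."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


class AccessMatrix:
    """Rows are subjects, columns are objects, cells hold the permitted rights.

    A column read top to bottom is the object's access control list (ACL);
    a row read left to right is the subject's capabilities table.
    """

    def __init__(self):
        self._cells = {}       # (subject, object) -> Right; an absent cell means NONE
        self.subjects = []     # insertion order, for stable listing
        self.objects = []

    def grant(self, subject, obj, rights):
        if subject not in self.subjects:
            self.subjects.append(subject)
        if obj not in self.objects:
            self.objects.append(obj)
        self._cells[(subject, obj)] = self.rights(subject, obj) | rights

    def revoke(self, subject, obj, rights):
        self._cells[(subject, obj)] = self.rights(subject, obj) & ~rights

    def rights(self, subject, obj):
        # Default deny: an empty cell grants nothing.
        return self._cells.get((subject, obj), Right.NONE)

    def acl(self, obj):
        """Column view: which subjects hold which rights on this object."""
        return {s: self.rights(s, obj) for s in self.subjects
                if self.rights(s, obj) != Right.NONE}

    def capabilities(self, subject):
        """Row view: which objects this subject may touch, and how."""
        return {o: self.rights(subject, o) for o in self.objects
                if self.rights(subject, o) != Right.NONE}

    def check(self, subject, obj, wanted):
        """Reference-monitor decision: every requested right must be present."""
        return wanted in self.rights(subject, obj)


def build_sample():
    """Constructed matrix: two staff accounts and a service account."""
    m = AccessMatrix()
    m.grant("alice", "payroll.db", Right.READ | Right.WRITE)
    m.grant("bob", "payroll.db", Right.READ)
    m.grant("alice", "audit.log", Right.READ)
    m.grant("backup-svc", "payroll.db", Right.READ)
    m.grant("backup-svc", "audit.log", Right.READ)
    return m


if __name__ == "__main__":
    m = build_sample()
    print("ACL for payroll.db:", m.acl("payroll.db"))
    print("Capabilities of alice:", m.capabilities("alice"))
    print("bob may write payroll.db?", m.check("bob", "payroll.db", Right.WRITE))
```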
UNIT-IV
BLUEPRINT FOR SECURITY
Learning Objectives
Upon completion of this chapter you should be able to:
– Understand management’s responsibilities and role in the development,
maintenance, and enforcement of information security policy, standards,
practices, procedures, and guidelines
– Understand the differences between the organization‘s general information
security policy and the requirements and objectives of the various issue-
specific and system-specific policies.
– Know what an information security blueprint is and what its major
components are.
– Understand how an organization institutionalizes its policies, standards,
and practices using education, training, and awareness programs.
– Become familiar with what viable information security architecture is,
what it includes, and how it is used.
Information Security Policy, Standards, and Practices
Management from all communities of interest must consider policies as the basis
for all information security efforts
Policies direct how issues should be addressed and technologies used
Security policies are the least expensive control to execute, but the most difficult
to implement
Shaping policy is difficult because policy must:
– Never conflict with laws
– Stand up in court, if challenged
– Be properly administered
Definitions
A policy is
A plan or course of action, as of a government, political party, or business,
intended to influence and determine decisions, actions, and other matters
Policies are organizational laws
Standards, on the other hand, are more detailed statements of what must be done
to comply with policy
Practices, procedures, and guidelines effectively explain how to comply with
policy
For a policy to be effective it must be properly disseminated, read, understood and
agreed to by all members of the organization
Types of Policy
Management defines three types of security policy:
– General or security program policy
Limitations of Liability
ACL Policies
Both Microsoft Windows NT/2000 and Novell Netware 5.x/6.x families of
systems translate ACLs into sets of configurations that administrators use to
control access to their respective systems
ACLs allow configuration to restrict access from anyone and anywhere
ACLs regulate:
– Who can use the system
– What authorized users can access
– When authorized users can access the system
– Where authorized users can access the system from
– How authorized users can access the system
Rule Policies
Rule policies are more specific to the operation of a system than ACLs
Many security systems require specific configuration scripts telling the systems
what actions to perform on each set of information they process
Policy Management
Policies are living documents that must be managed and nurtured, and are
constantly changing and growing
Documents must be properly managed
Special considerations should be made for organizations undergoing mergers,
takeovers, and partnerships
In order to remain viable, policies must have:
– an individual responsible for reviews
– a schedule of reviews
– a method for making recommendations for reviews
– a specific effective and revision date
Information Classification
The classification of information is an important aspect of policy
The same protection scheme created to prevent production data from accidental
release to the wrong party should be applied to policies in order to keep them
freely available, but only within the organization
In today’s open office environments, it may be beneficial to implement a clean
desk policy
A clean desk policy stipulates that at the end of the business day, all classified
information must be properly stored and secured
Systems Design
At this point in the Security SDLC, the analysis phase is complete and the design
phase begins – many work products have been created
Designing a plan for security begins by creating or validating a security blueprint
Then use the blueprint to plan the tasks to be accomplished and the order in which
to proceed
Setting priorities can follow the recommendations of published sources, or published
standards provided by government agencies or private consultants
security
Several countries have not adopted 17799 claiming there are fundamental
problems:
– The global information security community has not defined any
justification for a code of practice as identified in the ISO/IEC 17799
– 17799 lacks “the necessary measurement precision of a technical
standard”
– There is no reason to believe that 17799 is more useful than any other
approach currently available
– 17799 is not as complete as other frameworks available
– 17799 is perceived to have been hurriedly prepared given the tremendous
impact its adoption could have on industry information security controls
Organizational Security Policy is needed to provide management direction and
support
Objectives:
– Operational Security Policy
– Organizational Security Infrastructure
NIST SP 800-14
Security Supports the Mission of the Organization
Security is an Integral Element of Sound Management
Security Should Be Cost-Effective
Systems Owners Have Security Responsibilities Outside Their Own
Organizations
Security Responsibilities and Accountability Should Be Made Explicit
Security Requires a Comprehensive and Integrated Approach
Security Should Be Periodically Reassessed
Security is Constrained by Societal Factors
33 Principles enumerated
VISA Model
VISA International promotes strong security measures and has security guidelines
Developed two important documents that improve and regulate its information
systems
– “Security Assessment Process”
– “Agreed Upon Procedures”
Using the two documents, a security team can develop a sound strategy for the
design of good security architecture
The only down side to this approach is the very specific focus on systems that can
or do integrate with VISA’s systems
Professional Membership
It may be worth the information security professional’s time and money to join
professional societies with information on best practices for its members
Many organizations have seminars and classes on best practices for implementing
security
Finding information on security design is the easy part; sorting through the
collected mass of information, documents, and publications can take a substantial
investment in time and human resources
NIST SP 800-26
Management Controls
– Risk Management
– Review of Security Controls
– Life Cycle Maintenance
– Authorization of Processing (Certification and Accreditation)
– System Security Plan
Operational Controls
– Personnel Security
– Physical Security
– Production, Input/Output Controls
– Contingency Planning
– Hardware and Systems Software
– Data Integrity
– Documentation
– Security Awareness, Training, and Education
– Incident Response Capability
Technical Controls
– Identification and Authentication
– Logical Access Controls
– Audit Trails
Sphere of Use
Generally speaking, the concept of the sphere is to represent the 360 degrees of
security necessary to protect information at all times
The first component is the “sphere of use”
Information, at the core of the sphere, is available for access by members of the
organization and other computer-based systems:
– To gain access to the computer systems, one must either directly access
the computer systems or go through a network connection
– To gain access to the network, one must either directly access the network
or go through an Internet connection
Sphere of Protection
The “sphere of protection” overlays each of the levels of the “sphere of use” with
a layer of security, protecting that layer from direct or indirect use through the
next layer
The people must become a layer of security, a human firewall that protects the
information from unauthorized access and use
Information security is therefore designed and implemented in three layers
– policies
– people (education, training, and awareness programs)
– technology
Controls
Management controls cover security processes that are designed by the strategic
planners and performed by security administration of the organization
Operational controls deal with the operational functionality of security in the
organization
Operational controls also address personnel security, physical security, and the
protection of production inputs and outputs
Technical controls address those tactical and technical issues related to designing
and implementing security in the organization
The Framework
Management Controls
– Program Management
– System Security Plan
– Life Cycle Maintenance
– Risk Management
– Review of Security Controls
– Legal Compliance
Operational Controls
– Contingency Planning
– Security ETA
– Personnel Security
– Physical Security
– Production Inputs and Outputs
– Hardware & Software Systems Maintenance
– Data Integrity
Technical Controls
– Logical Access Controls
– Identification, Authentication, Authorization, and Accountability
– Audit Trails
– Asset Classification and Control
– Cryptography
SETA
As soon as the policies exist, policies to implement security education, training,
and awareness (SETA) should follow
SETA is a control measure designed to reduce accidental security breaches
SETA programs supplement the general education and training programs in place to
educate staff on information security
Security education and training builds on the general knowledge the employees
must possess to do their jobs, familiarizing them with the way to do their jobs
securely
SETA Elements
The SETA program consists of three elements
– security education
– security training
– security awareness
The organization may not be capable or willing to undertake all three of these
elements but may outsource them
The purpose of SETA is to enhance security by:
– Improving awareness of the need to protect system resources
– Developing skills and knowledge so computer users can perform their jobs
more securely
– Building in-depth knowledge, as needed, to design, implement, or operate
security programs for organizations and systems
Security Education
Everyone in an organization needs to be trained and aware of information security,
but not every member of the organization needs a formal degree or certificate in
information security
When formal education for appropriate individuals in security is needed, an
employee can identify curriculum available from local institutions of higher
learning or continuing education
©Einstein College of Engineering
INFORMATION SECURITY - CS1014
Defense in Depth
– One of the foundations of security architectures is the requirement to
implement security in layers
– Defense in depth requires that the organization establish sufficient security
controls and safeguards, so that an intruder faces multiple layers of
controls
Security Perimeter
– The point at which an organization’s security protection ends, and the
outside world begins
– Referred to as the security perimeter
– Unfortunately the perimeter does not apply to internal attacks from
employee threats, or on-site physical threats
UNIT-V
PHYSICAL SECURITY
Physical security describes both measures that prevent or deter attackers from accessing
a facility, resource, or information stored on physical media, and guidance on how to
design structures to resist various hostile acts. [1] It can be as simple as a locked door or as
elaborate as multiple layers of armed security guards and guardhouse placement.
Physical security is not a modern phenomenon. Physical security exists in order to deter
persons from entering a physical facility. Historical examples of physical security include
city walls, moats, etc.
The key point is that the technology used for physical security has changed over time.
While in past eras there was no passive infrared (PIR) based technology, electronic access
control systems, or video surveillance system (VSS) cameras, the essential methodology
of physical security has not altered over time.
The field of security engineering has identified the following elements to physical
security:
explosion protection;
obstacles, to frustrate trivial attackers and delay serious ones;
alarms, security lighting, security guard patrols or closed-circuit television
cameras, to make it likely that attacks will be noticed; and
security response, to repel, catch or frustrate attackers when an attack is detected.
In a well designed system, these features must complement each other. [2] There are at
least four layers of physical security:
Environmental design
Mechanical, electronic and procedural access control
Intrusion detection
Video monitoring
Personnel Identification
The goal is to convince potential attackers that the likely costs of attack exceed the value
of making the attack.
The initial layer of security for a campus, building, office, or physical space uses crime
prevention through environmental design to deter threats. Some of the most common
examples are also the most basic - barbed wire, warning signs and fencing, concrete
bollards, metal barriers, vehicle height-restrictors, site lighting and trenches.
The next layer is mechanical and includes gates, doors, and locks. Key control of the
locks becomes a problem with large user populations and any user turnover. Keys quickly
become unmanageable, forcing the adoption of electronic access control. Electronic
access control easily manages large user populations, controlling for user lifecycles,
times, dates, and individual access points. For example, a user's access rights could allow
access from 0700 to 1900 Monday through Friday and expire in 90 days. Another form
of access control (procedural) includes the use of policies, processes and procedures to
manage ingress into the restricted area. An example of this is the deployment of
security personnel conducting checks for authorized entry at predetermined points of
entry. This form of access control is usually supplemented by the earlier forms of access
control (i.e. mechanical and electronic access control), or by simple devices such as
physical passes.
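The electronic access-control rule quoted in the paragraph above (07:00 to 19:00, Monday through Friday, expiring after 90 days), as an added example that is not from the original text. The badge ID, door names and dates are constructed; every decision returns a reason so it can be written to the access log.

```python
"""Electronic access-control rule: a badge may open certain doors from 07:00 to
19:00, Monday through Friday, for 90 days after issue.

Added example, not from the notes. Badge IDs, doors and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta


@dataclass(frozen=True)
class AccessRule:
    badge_id: str
    doors: frozenset            # access points the rule covers
    start: time                 # first permitted wall-clock time (inclusive)
    end: time                   # end of the permitted window (exclusive)
    weekdays: frozenset         # 0 = Monday ... 6 = Sunday
    issued: date
    valid_days: int             # the rule lapses this many days after issue

    @property
    def expires(self) -> date:
        """First calendar day on which the rule no longer applies."""
        return self.issued + timedelta(days=self.valid_days)


def decide(rule: AccessRule, badge_id: str, door: str, when: datetime):
    """Return (granted, reason); every path yields a reason for the access log.

    Times are compared as local wall-clock values, so callers pass the reader's
    local time and the 07:00-19:00 window follows the site clock.
    """
    if badge_id != rule.badge_id:
        return False, "badge not covered by this rule"
    if door not in rule.doors:
        return False, "door not in rule"
    if when.date() >= rule.expires:
        return False, "rule expired"
    if when.weekday() not in rule.weekdays:
        return False, "outside permitted days"
    if not (rule.start <= when.time() < rule.end):
        return False, "outside permitted hours"
    return True, "granted"


# Constructed sample: issued on Monday 2024-01-08, so it lapses on 2024-04-07.
WEEKDAY_RULE = AccessRule(
    badge_id="B-1042",
    doors=frozenset({"main-entrance", "server-room"}),
    start=time(7, 0),
    end=time(19, 0),
    weekdays=frozenset(range(5)),
    issued=date(2024, 1, 8),
    valid_days=90,
)

if __name__ == "__main__":
    for when, door in [
        (datetime(2024, 1, 10, 8, 30), "main-entrance"),   # Wednesday morning
        (datetime(2024, 1, 10, 19, 0), "main-entrance"),   # exactly at close of window
        (datetime(2024, 1, 13, 8, 30), "main-entrance"),   # Saturday
        (datetime(2024, 4, 8, 9, 0), "main-entrance"),     # after expiry
        (datetime(2024, 1, 10, 9, 0), "loading-dock"),     # door not in rule
    ]:
        granted, reason = decide(WEEKDAY_RULE, "B-1042", door, when)
        print(f"{when:%a %Y-%m-%d %H:%M} {door:14} -> {granted} ({reason})")
```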
The third layer is intrusion detection systems or alarms. Intrusion detection monitors for
attacks. It is less a preventative measure and more of a response measure, although
some would argue that it is a deterrent. Intrusion detection has a high incidence of
false alarms. In many jurisdictions, law enforcement will not respond to alarms from
intrusion detection systems.
The last layer is video monitoring systems. Security cameras can be a deterrent
in many cases, but their real power comes from incident verification[3] and
historical analysis.[4] For example, if alarms are being generated and there is a camera in
place, the camera could be viewed to verify the alarms. In instances when an attack has
already occurred and a camera is in place at the point of attack, the recorded video can be
reviewed. Although the term closed-circuit television (CCTV) is common, it is quickly
becoming outdated as more video systems lose the closed circuit for signal transmission
and are instead transmitting on computer networks. Advances in information technology
are transforming video monitoring into video analysis. For instance, once an image is
digitized it can become data that sophisticated algorithms can act upon. As the speed and
accuracy of automated analysis increases, the video system could move from a
monitoring system to an intrusion detection system or access control system. It is not a
stretch to imagine a video camera inputting data to a processor that outputs to a door
lock. Instead of using some kind of key, whether mechanical or electrical, a person's
visage is the key. FST21, an Israeli company that entered the US market this year,
markets intelligent buildings that do just that. [5] When actual design and implementation
is considered, there are numerous types of security cameras that can be used for many
different applications. One must analyze their needs and choose accordingly. [6]
Intertwined in these four layers are people. Guards have a role in all layers: in the first as
patrols and at checkpoints; in the second to administer electronic access control; in the
third to respond to alarms, where the response force must be able to arrive on site in less
time than the attacker is expected to need to breach the barriers; and in the fourth to
monitor and analyze video. Users also have a role by questioning and reporting suspicious
people. Aiding in identifying people as known versus unknown are
identification systems. Often photo ID badges are used and are frequently coupled to the
electronic access control system. Visitors are often required to wear a visitor badge.
Fire alarm systems are increasingly becoming based on Internet Protocol, thus leading to
them being accessible via local and wide area networks within organisations. Emergency
notification is now a new standard in many industries, as well as physical security
information management (PSIM). A PSIM application integrates all physical security
systems in a facility, and provides a single and comprehensive means of managing all of
these resources. It consequently saves time and cost in the effective management of
physical security.
The presence of PIR-based motion detectors is common in many places, as a means of
noting intrusion into a physical installation. Moreover, VSS/CCTV cameras are
becoming increasingly common, as a means of identifying persons who intrude into
physical locations.
Businesses use a variety of options for physical security, including security guards,
electric security fencing, cameras, motion detectors, and light beams.
ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling
the money inside when they are attacked. Money tainted with a dye could act as a flag to
the money's unlawful acquisition.
Safes are rated in terms of the time in minutes which a skilled, well-equipped safe-breaker
is expected to require to open the safe. These ratings are developed by highly
©Einstein College of Engineering
Page 47
INFORMATION SECURITY - CS1014
Hiding the resources, or hiding the fact that resources are valuable, is also often a good
idea as it will reduce the exposure to opponents and will cause further delays during an
attack, but should not be relied upon as a principal means of ensuring security. (See
security through obscurity and inside job.)
Not all aspects of Physical Security need be high tech. Even something as simple as a
thick or thorny bush can add a layer of physical security to some premises, especially in a
residential setting.
Firewalls
A firewall is any device that prevents a specific type of information from moving
between the untrusted network outside and the trusted network inside
There are five recognized generations of firewalls
The firewall may be:
a separate computer system
a service running on an existing router or server
a separate network containing a number of supporting devices
TCP or UDP source and destination port requests
Second Generation
Called application-level firewall or proxy server
Often a dedicated computer separate from the filtering router
With this configuration the proxy server, rather than the Web server, is exposed to
the outside world in the DMZ
Additional filtering routers can be implemented behind the proxy server
The primary disadvantage of application-level firewalls is that they are designed
for a specific protocol and cannot easily be reconfigured to protect against
attacks on protocols for which they are not designed
Third Generation
Called stateful inspection firewalls
Keeps track of each network connection established between internal and external
systems using a state table which tracks the state and context of each packet in the
conversation by recording which station sent what packet.
These firewalls can track connectionless packet traffic such as UDP and remote
procedure calls (RPC) traffic
Fourth Generation
While static filtering firewalls, such as first and third generation, allow entire sets
of one type of packet to enter in response to authorized requests, a dynamic
packet filtering firewall allows only a particular packet with a particular source,
destination, and port address to enter through the firewall
It does this by understanding how the protocol functions, and opening and closing
"doors" in the firewall, based on the information contained in the packet header.
In this manner, dynamic packet filters are an intermediate form, between
traditional static packet filters and application proxies
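The contrast drawn above, as an added example that is not part of the course notes: a static rule admits a whole class of packets ("anything from TCP port 80"), while a dynamic filter keeps a state table and opens a "door" only for the exact reply to a connection an internal host started. The trusted range and addresses are constructed for the example.

```python
# Added example, not from the course notes: static rule vs. dynamic (stateful)
# packet filter. Trusted range and addresses are constructed for illustration.
from dataclasses import dataclass
import ipaddress

TRUSTED = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def is_internal(addr):
    return ipaddress.ip_address(addr) in TRUSTED

def static_allow(pkt):
    """Static (first-generation style) rule: admit any inbound packet whose
    source port is 80. It lets in the entire set of 'replies from a web
    server', including packets that nobody inside ever asked for."""
    return is_internal(pkt.dst) and pkt.sport == 80

class DynamicPacketFilter:
    """Dynamic packet filter: an outbound connection records a 4-tuple in the
    state table; an inbound packet passes only if it matches that tuple in
    reverse (same two hosts, same two ports)."""
    def __init__(self):
        # entries: (internal_ip, internal_port, external_ip, external_port)
        # Real firewalls also expire entries on close or timeout; omitted here.
        self.state = set()

    def filter(self, pkt):
        """Return True if the packet may pass; updates the state table."""
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        inbound = is_internal(pkt.dst) and not is_internal(pkt.src)
        if outbound:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))  # open a door
            return True
        if inbound:
            # Same server but a different port, or a different server, is dropped
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state
        return False   # traffic that does not cross the perimeter is not admitted
```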
Fifth Generation
The final form of firewall is the kernel proxy, a specialized form that works under
the Windows NT Executive, which is the kernel of Windows NT
It evaluates packets at multiple layers of the protocol stack, by checking security
in the kernel as data is passed up and down the stack
Packet-filtering Routers
Most organizations with an Internet connection have some form of a router as the
interface at the perimeter between the organization's internal networks and the
external service provider
Many of these routers can be configured to filter packets that the organization
does not allow into the network
This is a simple but effective means to lower the organization's risk to external
attack
The drawback to this type of system includes a lack of auditing and strong
authentication
The complexity of the access control lists used to filter the packets can grow and
degrade network performance
Screened-Subnet Firewalls?
Screened-Subnet Firewalls (with DMZ)
Consists of two or more internal bastion-hosts, behind a packet-filtering router,
with each host protecting the trusted network
The first general model consists of two filtering routers, with one or more dual-
homed bastion-host between them
The second general model involves the connection from the outside or untrusted
network going through this path:
o Through an external filtering router
o Into and then out of a routing firewall to the separate network segment known
as the DMZ.
Allow Simple Mail Transport Protocol (SMTP) data to pass through your firewall,
but ensure it is all routed to a well-configured SMTP gateway to filter and route
messaging traffic securely
All Internet Control Message Protocol (ICMP) data should be denied
Block telnet (terminal emulation) access to all internal servers from the public
networks
When Web services are offered outside the firewall, deny HTTP traffic from
reaching your internal networks by using some form of proxy access or DMZ
architecture
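The four perimeter rules above written out as an ordered, first-match access control list with a default deny, as an added example that is not part of the course notes. The internal range, DMZ range, SMTP gateway and proxy addresses are constructed for the example.

```python
# Added example, not from the course notes: the listed perimeter rules as an
# ordered ACL. All addresses and ranges are constructed for illustration.
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # trusted network (assumed)
DMZ = ipaddress.ip_network("192.0.2.0/24")      # screened subnet (assumed)
SMTP_GATEWAY = "192.0.2.25"   # well-configured SMTP gateway in the DMZ
WEB_PROXY = "192.0.2.80"      # proxy host that fronts the Web service

def in_net(addr, net):
    return ipaddress.ip_address(addr) in net

def is_public(addr):
    return not (in_net(addr, INTERNAL) or in_net(addr, DMZ))

def tcp_to(pkt, port):
    return pkt.proto == "tcp" and pkt.dport == port

# Ordered (description, predicate, verdict). First match wins, so every rule
# added lengthens the linear scan: the performance cost the notes mention.
RULES = [
    ("deny all ICMP", lambda p: p.proto == "icmp", "deny"),
    ("block telnet from public networks to internal servers",
     lambda p: tcp_to(p, 23) and is_public(p.src) and in_net(p.dst, INTERNAL), "deny"),
    ("SMTP only to the SMTP gateway",
     lambda p: tcp_to(p, 25) and p.dst == SMTP_GATEWAY, "allow"),
    ("SMTP to any other host", lambda p: tcp_to(p, 25), "deny"),
    ("HTTP from public only to the DMZ proxy",
     lambda p: tcp_to(p, 80) and is_public(p.src) and p.dst == WEB_PROXY, "allow"),
    ("HTTP from public must not reach internal networks",
     lambda p: tcp_to(p, 80) and is_public(p.src) and in_net(p.dst, INTERNAL), "deny"),
]

def evaluate(pkt):
    """Return (verdict, rule name); anything unmatched is denied by default."""
    for name, match, verdict in RULES:
        if match(pkt):
            return verdict, name
    return "deny", "default deny"
```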
IDSs. These systems look for patterns and signatures in the log files that may indicate an
attack or intrusion is in process or has already succeeded.
When a collection of honey pots connects several honey pot systems on a subnet, it may
be called a honey net.
A Padded Cell is a honey pot that has been protected so that it cannot be easily
compromised. In other words, a padded cell is a hardened honey pot.
How Scanning and Analysis tools are useful in enforcing Information Security?
Scanning and Analysis Tools
Scanners, sniffers, and other analysis tools are useful to security administrators in
enabling them to see what the attacker sees
Scanner and analysis tools can find vulnerabilities in systems
One of the preparatory parts of an attack is known as footprinting – collecting IP
addresses and other useful data
The attack protocol is a series of steps or processes used by an attacker, in a logical
sequence, to launch an attack against a target system or network. One of the preparatory
parts of the attack protocol is the collection of publicly available information about a
potential target, a process known as footprinting.
The next phase of the attack protocol is a second intelligence or data-gathering process
called fingerprinting. This is a systematic survey of all of the target organization's
Internet addresses (which are collected during the footprinting phase); the survey is
conducted to ascertain the network services offered by the hosts in that range.
Fingerprinting reveals useful information about the internal structure and operational
nature of the target system or network for the anticipated attack.
Port Scanners
Port scanners fingerprint networks to find ports and services and other useful
information
Vulnerability Scanners
Vulnerability scanners are capable of scanning networks for very detailed
information
As a class, they identify exposed usernames and groups, show open network
shares, expose configuration problems, and other vulnerabilities in servers
Packet Sniffers
A network tool that collects copies of packets from the network and analyzes them
Can be used to eavesdrop on the network traffic
To use a packet sniffer legally, you must:
be on a network that the organization owns
be under direct authorization of the owners of the network
have the knowledge and consent of the content creators (users)
Content Filters
Although technically not a firewall, a content filter is a software filter that allows
administrators to restrict accessible content from within a network
The content filtering restricts Web sites with inappropriate content
What is Cryptography?
Cryptography, which comes from the Greek words kryptos, meaning "hidden", and
graphein, meaning "to write", is a process of making and using codes to secure the
transmission of information.
Cryptanalysis is the process of obtaining the original message (called plaintext) from an
encrypted message (called the ciphertext) without knowing the algorithms and keys used
to perform the encryption.
Encryption is the process of converting an original message into a form that is unreadable
to unauthorized individuals, that is, to anyone without the tools to convert the encrypted
message back to its original format.
Decryption is the process of converting the cipher text into a message that conveys
readily understood meaning.
Digital Signatures
An interesting thing happens when the asymmetric process is reversed, that is, the
private key is used to encrypt a short message
The public key can be used to decrypt it, and the fact that the message was sent by
the organization that owns the private key cannot be refuted
This is known as nonrepudiation, which is the foundation of digital signatures
Digital Signatures are encrypted messages that are independently verified by a
central facility (registry) as authentic
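The reversed asymmetric operation described above, as an added example that is not part of the course notes: textbook RSA with tiny constructed primes, where the signer applies the private exponent to a digest of the message and anyone holding the public key recovers and compares that digest. The primes, exponent and messages are assumed values for illustration; real systems use large moduli and a padding scheme such as RSA-PSS.

```python
# Added example, not from the course notes: textbook RSA sign/verify with
# deliberately small constructed primes to show the "private key encrypts,
# public key decrypts" reversal that gives nonrepudiation.
import hashlib
from math import gcd

def make_keypair(p, q, e=65537):
    """Return (public_key, private_key) = ((e, n), (d, n)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)             # private exponent: modular inverse of e
    return (e, n), (d, n)

def digest(message, n):
    """Hash the message and reduce it below the modulus so it can be signed.
    The reduction is only acceptable because this is a toy modulus."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h % n

def sign(message, private_key):
    d, n = private_key
    return pow(digest(message, n), d, n)     # "encrypt" the digest with the private key

def verify(message, signature, public_key):
    e, n = public_key
    # "Decrypt" with the public key and compare against a fresh digest: any
    # change to the message or the signature breaks the match.
    return pow(signature, e, n) == digest(message, n)

if __name__ == "__main__":
    pub, priv = make_keypair(10007, 10009)   # constructed small primes
    sig = sign(b"transfer 100 to account A", priv)
    print(verify(b"transfer 100 to account A", sig, pub))
```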
PKI Benefits
PKI protects information assets in several ways:
Authentication
Integrity
Privacy
Authorization
Nonrepudiation
Securing E-mail
Encryption cryptosystems have been adapted to inject some degree of security
into e-mail:
S/MIME builds on the Multipurpose Internet Mail Extensions (MIME)
encoding format by adding encryption and authentication
Privacy Enhanced Mail (PEM) was proposed by the Internet Engineering
Task Force (IETF) as a standard to function with the public key
cryptosystems
PEM uses 3DES symmetric key encryption and RSA for key exchanges
and digital signatures
Pretty Good Privacy (PGP) was developed by Phil Zimmermann and uses
the IDEA Cipher along with RSA for key exchange
Secure facility
A secure facility is a physical location that has been engineered with controls designed
to minimize the risk of attacks from physical threats. A secure facility can use the natural
terrain, traffic flow, and urban development, and can complement these features with
protection mechanisms such as fences, gates, walls, guards, and alarms
Ties physical security to information access with identification cards (ID) and/or
name badges
ID card is typically concealed
Name badge is visible
These devices are actually biometrics (facial recognition)
Should not be the only control as they can be easily duplicated, stolen, and modified
Tailgating occurs when unauthorized individuals follow authorized users through the
control
When the lock of a door fails and the door becomes unlocked, that is a fail-safe
lock
When the lock of a door fails and the door remains locked, this is a fail-secure
lock
Electronic Monitoring
Records events where other types of physical controls are not practical
May use cameras with video recorders
Drawbacks:
o reactive and do not prevent access or prohibited activity
o recordings often not monitored in real time and must be reviewed to have any
value
Water and water mist systems reduce the temperature and saturate some fuels
to prevent ignition
Carbon dioxide systems rob fire of its oxygen
Soda acid systems deny fire its fuel, preventing spreading
Gas-based systems disrupt the fire's chemical reaction but leave enough
oxygen for people to survive for a short time