©Einstein College of Engineering Page 1


UNIT - 1 : INTRODUCTION Learning Objectives Upon completion of this material, you should be able to:  Define information security  Relate the history of computer security and how it evolved into information security  Define key terms and critical concepts of information security as presented in this chapter  Discuss the phases of the security systems development life cycle  Present the roles of professionals involved in information security within an organization Introduction  Information security: a ―well-informed sense of assurance that the information risks and controls are in balance.‖ — Jim Anderson, Inovant (2002)‫‏‬  Necessary to review the origins of this field and its impact on our understanding of information security today

©Einstein College of Engineering Page 2


The 1970s and 80s     

ARPANET grew in popularity as did its potential for misuse Fundamental problems with ARPANET security were identified  No safety procedures for dial-up connections to ARPANET  Nonexistent user identification and authorization to system Late 1970s: microprocessor expanded computing capabilities and security threats Information security began with Rand Report R-609 (paper that started the study of computer security)‫‏‬ Scope of computer security grew from physical security to include:  Safety of data  Limiting unauthorized access to data  Involvement of personnel from multiple levels of an organization

The 1990s  Networks of computers became more common; so too did the need to interconnect networks  Internet became first manifestation of a global network of networks  In early Internet deployments, security was treated as a low priority The Present  The Internet brings millions of computer networks into communication with each other— many of them unsecured  Ability to secure a computer‘s data influenced by the security of every computer to which it is connected

©Einstein College of Engineering Page 3


What is Security?  ―The quality or state of being secure—to be free from danger‖  A successful organization should have multiple layers of security in place:  Physical security  Personal security  Operations security  Communications security  Network security  Information security Critical Characteristics of Information  The value of information comes from the characteristics it possesses:  Availability  Accuracy  Authenticity  Confidentiality  Integrity  Utility  Possession NSTISSC Security Model

©Einstein College of Engineering Page 4


Components of an Information System  Information system (IS) is entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the


Balancing security and access

©Einstein College of Engineering Page 5


SDLC Systems Development Life Cycle

The Security Systems Development Life Cycle  The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project  Investigation  Analysis  Logical design  Physical design  Implementation  Maintenance & change  Identification of specific threats and creating controls to counter them

©Einstein College of Engineering Page 6


Senior Management  Chief Information Officer (CIO)‫‏‬  Senior technology officer  Primarily responsible for advising senior executives on strategic planning  Chief Information Security Officer (CISO)‫‏‬  Primarily responsible for assessment, management, and implementation of IS in the organization  Usually reports directly to the CIO Information Security Project Team  A number of individuals who are experienced in one or more facets of required technical and nontechnical areas:  Champion  Team leader  Security policy developers  Risk assessment specialists  Security professionals  Systems administrators  End users Data Ownership  Data owner: responsible for the security and use of a particular set of information  Data custodian: responsible for storage, maintenance, and protection of information  Data users: end users who work with information to perform their daily jobs supporting the mission of the organization Information Security: Is it an Art or a Science?  Implementation of information security often described as combination of art and science  ―Security artesan‖ idea: based on the way individuals perceive systems technologists since computers became commonplace Security as Art  No hard and fast rules nor many universally accepted complete solutions  No manual for implementing security through entire system Security as Science  Dealing with technology designed to operate at high levels of performance  Specific conditions cause virtually all actions that occur in computer systems  Nearly every fault, security hole, and systems malfunction are a result of interaction of specific hardware and software  If developers had sufficient time, they could resolve and eliminate faults Security as a Social Science  Social science examines the behavior of individuals interacting with systems  Security begins and ends with the people that interact with the system  Security administrators can greatly reduce levels of risk caused by end users, and create more acceptable and supportable security profiles

©Einstein College of Engineering Page 7


Unit –II THE NEED FOR SECURITY  Dealing with technology designed to operate at high levels of performance Specific conditions Learning objective Upon completion of this chapter you should be able to: – Understand the business need for information security. – Understand a successful information security program is the responsibility of an organization‘s general management and IT management. – Understand the threats posed to information security and the more common attacks associated with those threats. – Differentiate threats to information systems from attacks against information systems. Business Needs First, Technology Needs Last Information security performs four important functions for an organization: – Protects the organization‘s ability to function – Enables the safe operation of applications implemented on the organization‘s IT systems – Protects the data the organization collects and uses – Safeguards the technology assets in use at the organization Protecting the Ability to Function  Management is responsible  Information security is – a management issue – a people issue  Communities of interest must argue for information security in terms of impact and cost Enabling Safe Operation  Organizations must create integrated, efficient, and capable applications  Organization need environments that safeguard applications  Management must not abdicate to the IT department its responsibility to make choices and enforce decisions Protecting Data  One of the most valuable assets is data  Without data, an organization loses its record of transactions and/or its ability to deliver value to its customers  An effective information security program is essential to the protection of the integrity and value of the organization‘s data Safeguarding Technology Assets

©Einstein College of Engineering Page 8

 Organizations must have secure infrastructure services based on the size and scope of the enterprise  Additional security services may have to be provided  More robust solutions may be needed to replace security programs the organization has outgrown Threats  Management must be informed of the various kinds of threats facing the organization  A threat is an object, person, or other entity that represents a constant danger to an asset  By examining each threat category in turn, management effectively protects its information through policy, education and training, and technology controls  The 2002 CSI/FBI survey found: – 90% of organizations responding detected computer security breaches within the last year – 80% lost money to computer breaches, totaling over $455,848,000 up from $377,828,700 reported in 2001 – The number of attacks that came across the Internet rose from 70% in 2001 to 74% in 2002 – Only 34% of organizations reported their attacks to law enforcement  The 2002 CSI/FBI survey found: – 90% of organizations responding detected computer security breaches within the last year – 80% lost money to computer breaches, totaling over $455,848,000 up from $377,828,700 reported in 2001 – The number of attacks that came across the Internet rose from 70% in 2001 to 74% in 2002 – Only 34% of organizations reported their attacks to law enforcement

Acts of Human Error or Failure  Includes acts done without malicious intent  Caused by:

©Einstein College of Engineering Page 9

– Inexperience – Improper training – Incorrect assumptions – Other circumstances  Employees are greatest threats to information security – They are closest to the organizational data Acts of Human Error or Failure  Employee mistakes can easily lead to the following: – revelation of classified data – entry of erroneous data – accidental deletion or modification of data – storage of data in unprotected areas – failure to protect information  Many of these threats can be prevented with controls

Deviations in Quality of Service by Service Providers  Situations of product or services not delivered as expected  Information system depends on many inter-dependent support systems  Three sets of service issues that dramatically affect the availability of information and systems are – Internet service – Communications – Power irregularities Internet Service Issues  Loss of Internet service can lead to considerable loss in the availability of information – organizations have sales staff and telecommuters working at remote locations

©Einstein College of Engineering Page 10

 When an organization outsources its web servers, the outsourcer assumes responsibility for – All Internet Services – The hardware and operating system software used to operate the web site

Services  Other utility services have potential impact  Among these are – telephone – water & wastewater – trash pickup – cable television – natural or propane gas – custodial services  The threat of loss of services can lead to inability to function properly Power Irregularities Voltage levels can increase, decrease, or cease: – spike – momentary increase – surge – prolonged increase – sag – momentary low voltage – brownout – prolonged drop – fault – momentary loss of power – blackout – prolonged loss  Electronic equipment is susceptible to fluctuations, controls can be applied to manage power quality Espionage/Trespass  Broad category of activities that breach confidentiality – Unauthorized accessing of information – Competitive intelligence (the legal and ethical collection and analysis of information regarding the capabilities, vulnerabilities, and intentions of business competitors) vs. espionage – Shoulder surfing can occur any place a person is accessing confidential information  Controls implemented to mark the boundaries of an organization‘s virtual territory giving notice to trespassers that they are encroaching on the organization‘s cyberspace  Hackers uses skill, guile, or fraud to steal the property of someone else

©Einstein College of Engineering Page 11


Espionage/Trespass  Generally two skill levels among hackers: – Expert hacker • develops software scripts and codes exploits • usually a master of many skills • will often create attack software and share with others – Script kiddies • hackers of limited skill • use expert-written software to exploit a system • do not usually fully understand the systems they hack  Other terms for system rule breakers: – Cracker - an individual who ―cracks‖ or removes protection designed to prevent unauthorized duplication – Phreaker - hacks the public telephone network Information Extortion  Information extortion is an attacker or formerly trusted insider stealing information from a computer system and demanding compensation for its return or non-use  Extortion found in credit card number theft

©Einstein College of Engineering Page 12

Sabotage or Vandalism  Individual or group who want to deliberately sabotage the operations of a computer system or business, or perform acts of vandalism to either destroy an asset or damage the image of the organization  These threats can range from petty vandalism to organized sabotage  Organizations rely on image so Web defacing can lead to dropping consumer confidence and sales  Rising threat of hacktivist or cyber-activist operations – the most extreme version is cyber-terrorism Deliberate Acts of Theft  Illegal taking of another‘s property - physical, electronic, or intellectual  The value of information suffers when it is copied and taken away without the owner‘s knowledge  Physical theft can be controlled - a wide variety of measures used from locked doors to guards or alarm systems  Electronic theft is a more complex problem to manage and control - organizations may not even know it has occurred Deliberate Software Attacks  When an individual or group designs software to attack systems, they create malicious code/software called malware – Designed to damage, destroy, or deny service to the target systems  Includes: – macro virus – boot virus – worms – Trojan horses – logic bombs – back door or trap door – denial-of-service attacks – polymorphic – hoaxes

©Einstein College of Engineering Page 13

Compromises to Intellectual Property  Intellectual property is ―the ownership of ideas and control over the tangible or virtual representation of those ideas‖  Many organizations are in business to create intellectual property – trade secrets – copyrights – trademarks – patents  Most common IP breaches involve software piracy  Watchdog organizations investigate: – Software & Information Industry Association (SIIA) – Business Software Alliance (BSA)  Enforcement of copyright has been attempted with technical security mechanisms Forces of Nature  Forces of nature, force majeure, or acts of God are dangerous because they are unexpected and can occur with very little warning  Can disrupt not only the lives of individuals, but also the storage, transmission, and use of information  Include fire, flood, earthquake, and lightning as well as volcanic eruption and insect infestation  Since it is not possible to avoid many of these threats, management must implement controls to limit damage and also prepare contingency plans for continued operations Technical Hardware Failures or Errors  Technical hardware failures or errors occur when a manufacturer distributes to users equipment containing flaws  These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability  Some errors are terminal, in that they result in the unrecoverable loss of the equipment  Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily repeated  This category of threats comes from purchasing software with unrevealed faults  Large quantities of computer code are written, debugged, published, and sold only to determine that not all bugs were resolved  Sometimes, unique combinations of certain software and hardware reveal new bugs  Sometimes, these items aren‘t errors, but are purposeful shortcuts left by programmers for honest or dishonest reasons Technological Obsolescence  When the infrastructure becomes antiquated or outdated, it leads to unreliable and untrustworthy systems  Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity to threats and attacks  Ideally, proper planning by management should prevent the risks from technology obsolesce, but when obsolescence is identified, management must take action Attacks  An attack is the deliberate act that exploits vulnerability

©Einstein College of Engineering Page 14

 It is accomplished by a threat-agent to damage or steal an organization‘s information or physical asset – An exploit is a technique to compromise a system – A vulnerability is an identified weakness of a controlled system whose controls are not present or are no longer effective – An attack is then the use of an exploit to achieve the compromise of a controlled system – Malicious Code  This kind of attack includes the execution of viruses, worms, Trojan horses, and active web scripts with the intent to destroy or steal information  The state of the art in attacking systems in 2002 is the multi-vector worm using up to six attack vectors to exploit a variety of vulnerabilities in commonly found information system devices

Attack Descriptions  IP Scan and Attack – Compromised system scans random or local range of IP addresses and targets any of several vulnerabilities known to hackers or left over from previous exploits  Web Browsing - If the infected system has write access to any Web pages, it makes all Web content files infectious, so that users who browse to those pages become infected  Virus - Each infected machine infects certain common executable or script files on all computers to which it can write with virus code that can cause infection  Unprotected Shares - using file shares to copy viral component to all reachable locations  Mass Mail - sending e-mail infections to addresses found in address book  Simple Network Management Protocol - SNMP vulnerabilities used to compromise and infect  Hoaxes - A more devious approach to attacking computer systems is the transmission of a virus hoax, with a real virus attached

©Einstein College of Engineering Page 15

 Back Doors - Using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource  Password Crack - Attempting to reverse calculate a password  Brute Force - The application of computing and network resources to try every possible combination of options of a password  Dictionary - The dictionary password attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords (the dictionary) to guide guesses  Denial-of-service (DoS) – – attacker sends a large number of connection or information requests to a target – so many requests are made that the target system cannot handle them successfully along with other, legitimate requests for service – may result in a system crash, or merely an inability to perform ordinary functions  Distributed Denial-of-service (DDoS) - an attack in which a coordinated stream of requests is launched against a target from many locations at the same time

 Spoofing - technique used to gain unauthorized access whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host  Man-in-the-Middle - an attacker sniffs packets from the network, modifies them, and inserts them back into the network  Spam - unsolicited commercial e-mail - while many consider spam a nuisance rather than an attack, it is emerging as a vector for some attacks

©Einstein College of Engineering Page 16


 Mail-bombing - another form of e-mail attack that is also a DoS, in which an attacker routes large quantities of e-mail to the target  Sniffers - a program and/or device that can monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information from a network  Social Engineering - within the context of information security, the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker  People are the weakest link. You can have the best technology; firewalls, intrusiondetection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything.‖  ―brick attack‖ – the best configured firewall in the world can‘t stand up to a well placed brick  Buffer Overflow – – application error occurs when more data is sent to a buffer than it can handle

©Einstein College of Engineering Page 17

when the buffer overflows, the attacker can make the target system execute instructions, or the attacker can take advantage of some other unintended consequence of the failure  Timing Attack – – relatively new – works by exploring the contents of a web browser‘s cache – can allow collection of information on access to password-protected sites – another attack by the same name involves attempting to intercept cryptographic elements to determine keys and encryption algorithms –

©Einstein College of Engineering Page 18


Upon completion of this chapter you should be able to: – Define risk management and its role in the SecSDLC – Understand how risk is identified – Assess risk based on the likelihood of occurrence and impact on an organization – Grasp the fundamental aspects of documenting risk identification and assessment

Risk Management  If you know the enemy and know yourself, you need not fear the result of a hundred battles.  If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.  If you know neither the enemy nor yourself, you will succumb in every battle.‖ (Sun Tzu) Know Ourselves  First, we must identify, examine, and understand the information, and systems, currently in place  In order to protect our assets, defined here as the information and the systems that use, store, and transmit it, we have to understand everything about the information  Once we have examined these aspects, we can then look at what we are already doing to protect the information and systems from the threats

Know the Enemy

©Einstein College of Engineering Page 19

 For information security this means identifying, examining, and understanding the threats that most directly affect our organization and the security of our organization‘s information assets  We then can use our understanding of these aspects to create a list of threats prioritized by importance to the organization Accountability for Risk Management  It is the responsibility of each community of interest to manage risks; each community has a role to play: – Information Security - best understands the threats and attacks that introduce risk into the organization – Management and Users – play a part in the early detection and response process they also insure sufficient resources are allocated – Information Technology – must assist in building secure systems and operating them safely Accountability for Risk Management  All three communities must also: – Evaluate the risk controls – Determine which control options are cost effective – Assist in acquiring or installing needed controls – Ensure that the controls remain effective Risk Management Process  Management reviews asset inventory  The threats and vulnerabilities that have been identified as dangerous to the asset inventory must be reviewed and verified as complete and current  The potential controls and mitigation strategies should be reviewed for completeness  The cost effectiveness of each control should be reviewed as well, and the decisions about deployment of controls revisited Risk Identification  A risk management strategy calls on us to ―know ourselves‖ by identifying, classifying, and prioritizing the organization‘s information assets  These assets are the targets of various threats and threat agents and our goal is to protect them from these threats  Next comes threat identification: – Assess the circumstances and setting of each information asset – Identify the vulnerabilities and begin exploring the controls that might be used to manage the risks Asset Identification and Valuation  This iterative process begins with the identification of assets, including all of the elements of an organization‘s system: people, procedures, data and information, software, hardware, and networking elements  Then, we classify and categorize the assets adding details as we dig deeper into the analysis

©Einstein College of Engineering Page 20


Hardware, Software, and Network Asset Identification  Automated tools can sometimes uncover the system elements that make up the hardware, software, and network components  Once created, the inventory listing must be kept current, often through a tool that periodically refreshes the data Network Asset Identification  What attributes of each of these information assets should be tracked?  When deciding which information assets to track, consider including these asset attributes:  Name  IP address  MAC address  Element type  Serial number  Manufacturer name  Manufacturer‘s model number or part number  Software version, update revision, or FCO number  Physical location  Logical location  Controlling entity People, Procedures, and Data Asset Identification  Unlike the tangible hardware and software elements already described, the human resources, documentation, and data information assets are not as readily discovered and documented  These assets should be identified, described, and evaluated by people using knowledge, experience, and judgment  As these elements are identified, they should also be recorded into some reliable data handling process

©Einstein College of Engineering Page 21


Asset Information for People  For People: – Position name/number/ID – try to avoid names and stick to identifying positions, roles, or functions – Supervisor – Security clearance level – Special skills Asset Information for procedures  For Procedures: – Description – Intended purpose – What elements is it tied to – Where is it stored for reference – Where is it stored for update purposes Asset Information for Data  For Data: – Classification – Owner/creator/manager – Size of data structure – Data structure used – sequential, relational – Online or offline – Where located – Backup procedures employed Classification  Many organizations already have a classification scheme  Examples of these kinds of classifications are: – confidential data – internal data – public data  Informal organizations may have to organize themselves to create a useable data classification model  The other side of the data classification scheme is the personnel security clearance structure Information Asset Valuation  Each asset is categorized  Questions to assist in developing the criteria to be used for asset valuation: – Which information asset is the most critical to the success of the organization? – Which information asset generates the most revenue? – Which information asset generates the most profitability? – Which information asset would be the most expensive to replace? – Which information asset would be the most expensive to protect? – Which information asset would be the most embarrassing or cause the greatest liability if revealed?

©Einstein College of Engineering Page 22


Information Asset Valuation  Create a weighting for each category based on the answers to the previous questions Which factor is the most important to the organization?  Once each question has been weighted, calculating the importance of each asset is straightforward  List the assets in order of importance using a weighted factor analysis worksheet

©Einstein College of Engineering Page 23


Data Classification and Management  A variety of classification schemes are used by corporate and military organizations  Information owners are responsible for classifying the information assets for which they are responsible  Information owners must review information classifications periodically  The military uses a five-level classification scheme but most organizations do not need the detailed level of classification used by the military or federal agencies Security Clearances  The other side of the data classification scheme is the personnel security clearance structure  Each user of data in the organization is assigned a single level of authorization indicating the level of classification  Before an individual is allowed access to a specific set of data, he or she must meet the need-to-know requirement  This extra level of protection ensures that the confidentiality of information is properly maintained Management of Classified Data  Includes the storage, distribution, portability, and destruction of classified information – Must be clearly marked as such – When stored, it must be unavailable to unauthorized individuals – When carried should be inconspicuous, as in a locked briefcase or portfolio  Clean desk policies require all information to be stored in its appropriate storage container at the end of each day  Proper care should be taken to destroy any unneeded copies  Dumpster diving can prove embarrassing to the organization Threat Identification  Each of the threats identified so far has the potential to attack any of the assets protected  This will quickly become more complex and overwhelm the ability to plan  To make this part of the process manageable, each step in the threat identification and vulnerability identification process is managed separately, and then coordinated at the end of the process

©Einstein College of Engineering Page 24


Identify and Prioritize Threats  Each threat must be further examined to assess its potential to impact organization - this is referred to as a threat assessment  To frame the discussion of threat assessment, address each threat with a few questions: – Which threats present a danger to this organization‘s assets in the given environment? – Which threats represent the most danger to the organization‘s information? – How much would it cost to recover from a successful attack? – Which of these threats would require the greatest expenditure to prevent? Vulnerability Identification  We now face the challenge of reviewing each information asset for each threat it faces and creating a list of the vulnerabilities that remain viable risks to the organization  Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset

©Einstein College of Engineering Page 25


Vulnerability Identification  Examine how each of the threats that are possible or likely could be perpetrated and list the organization‘s assets and their vulnerabilities  The process works best when groups of people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions  At the end of the process, an information asset / vulnerability list has been developed – this list is the starting point for the next step, risk assessment Risk Assessment  We can determine the relative risk for each of the vulnerabilities through a process called risk assessment

©Einstein College of Engineering Page 26

 Risk assessment assigns a risk rating or score to each specific information asset, useful in gauging the relative risk introduced by each vulnerable information asset and making comparative ratings later in the risk control process Introduction to Risk Assessment  Risk Identification Estimate Factors – Likelihood – Value of Information Assets – Percent of Risk Mitigated – Uncertainty Risk Determination For the purpose of relative risk assessment: risk = likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty Identify Possible Controls  For each threat and its associated vulnerabilities that have any residual risk, create a preliminary list of control ideas  Residual risk is the risk that remains to the information asset even after the existing control has been applied Access Controls  One particular application of controls is in the area of access controls  Access controls are those controls that specifically address admission of a user into a trusted area of the organization  There are a number of approaches to controlling access  Access controls can be – discretionary – mandatory – nondiscretionary Types of Access Controls  Discretionary Access Controls (DAC) are implemented at the discretion or option of the data user  Mandatory Access Controls (MACs) are structured and coordinated with a data classification scheme, and are required  Nondiscretionary Controls are those determined by a central authority in the organization and can be based on that individual‘s role (Role-Based Controls) or a specified set of duties or tasks the individual is assigned (Task-Based Controls) or can be based on specified lists maintained on subjects or objects

©Einstein College of Engineering Page 27

Lattice-based Control  Another type of nondiscretionary access is lattice-based control, where a lattice structure (or matrix) is created containing subjects and objects, and the boundaries associated with each pair is contained  This specifies the level of access each subject has to each object  In a lattice-based control the column of attributes associated with a particular object are referred to as an access control list or ACL  The row of attributes associated with a particular subject (such as a user) is referred to as a capabilities table Documenting Results of Risk Assessment  The goal of this process has been to identify the information assets of the organization that have specific vulnerabilities and create a list of them, ranked for focus on those most needing protection first  In preparing this list we have collected and preserved factual information about the assets, the threats they face, and the vulnerabilities they experience Introduction to Risk Assessment  The process you develop for risk identification should include designating what function the reports will serve, who is responsible for preparing the reports, and who reviews them  We do know that the ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk

©Einstein College of Engineering Page 28


Learning Objectives Upon completion of this chapter you should be able to: – Understand management‘s responsibilities and role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines – Understand the differences between the organization‘s general information security policy and the requirements and objectives of the various issuespecific and system-specific policies. – Know what an information security blueprint is and what its major components are. – Understand how an organization institutionalizes its policies, standards, and practices using education, training, and awareness programs. – Become familiar with what viable information security architecture is, what it includes, and how it is used. – Information Security Policy, Standards, and Practices  Management from all communities of interest must consider policies as the basis for all information security efforts  Policies direct how issues should be addressed and technologies used  Security policies are the least expensive control to execute, but the most difficult to implement  Shaping policy is difficult because: – Never conflict with laws – Stand up in court, if challenged – Be properly administered Definitions  A policy is A plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters  Policies are organizational laws  Standards, on the other hand, are more detailed statements of what must be done to comply with policy  Practices, procedures, and guidelines effectively explain how to comply with policy  For a policy to be effective it must be properly disseminated, read, understood and agreed to by all members of the organization Types of Policy Management defines three types of security policy: – General or security program policy ©Einstein College of Engineering Page 29

INFORMATION SECURITY - CS1014 – – Issue-specific security policies Systems-specific security policies

Security Program Policy  A security program policy (SPP) is also known as – A general security policy – IT security policy – Information security policy  Sets the strategic direction, scope, and tone for all security efforts within the organization  An executive-level document, usually drafted by or with, the CIO of the organization and is usually 2 to 10 pages long Issue-Specific Security Policy (ISSP  As various technologies and processes are implemented, certain guidelines are needed to use them properly  The ISSP: – addresses specific areas of technology – requires frequent updates – contains an issue statement on the organization‘s position on an issue  Three approaches: – Create a number of independent ISSP documents – Create a single comprehensive ISSP document – Create a modular ISSP document Example ISSP Structure  Statement of Policy  Authorized Access and Usage of Equipment  Prohibited Usage of Equipment  Systems Management  Violations of Policy  Policy Review and Modification ©Einstein College of Engineering Page 30

INFORMATION SECURITY - CS1014  Limitations of Liability

Systems-Specific Policy (SysSP)  While issue-specific policies are formalized as written documents, distributed to users, and agreed to in writing, SysSPs are frequently codified as standards and procedures used when configuring or maintaining systems  Systems-specific policies fall into two groups: – Access control lists (ACLs) consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system – Configuration rules comprise the specific configuration codes entered into security systems to guide the execution of the system ACL Policies  Both Microsoft Windows NT/2000 and Novell Netware 5.x/6.x families of systems translate ACLs into sets of configurations that administrators use to control access to their respective systems  ACLs allow configuration to restrict access from anyone and anywhere  ACLs regulate: – Who can use the system – What authorized users can access – When authorized users can access the system – Where authorized users can access the system from – How authorized users can access the system Rule Policies  Rule policies are more specific to the operation of a system than ACLs ©Einstein College of Engineering Page 31

INFORMATION SECURITY - CS1014  Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process  Policy Management  Policies are living documents that must be managed and nurtured, and are constantly changing and growing  Documents must be properly managed  Special considerations should be made for organizations undergoing mergers, takeovers, and partnerships  In order to remain viable, policies must have:  an individual responsible for reviews  a schedule of reviews  a method for making recommendations for reviews  a specific effective and revision date Information Classification  The classification of information is an important aspect of policy  The same protection scheme created to prevent production data from accidental release to the wrong party should be applied to policies in order to keep them freely available, but only within the organization  In today‘s open office environments, it may be beneficial to implement a clean desk policy  A clean desk policy stipulates that at the end of the business day, all classified information must be properly stored and secured

Systems Design  At this point in the Security SDLC, the analysis phase is complete and the design phase begins – many work products have been created  Designing a plan for security begins by creating or validating a security blueprint ©Einstein College of Engineering Page 32

INFORMATION SECURITY - CS1014  Then use the blueprint to plan the tasks to be accomplished and the order in which to proceed  Setting priorities can follow the recommendations of published sources, or from published standards provided by government agencies, or private consultants

Information Security Blueprints  One approach is to adapt or adopt a published model or framework for information security  A framework is the basic skeletal structure within which additional detailed planning of the blueprint can be placed as it is developed of refined  Experience teaches us that what works well for one organization may not precisely fit another ISO 17799/BS 7799  One of the most widely referenced and often discussed security models is the Information Technology – Code of Practice for Information Security Management, which was originally published as British Standard BS 7799  This Code of Practice was adopted as an international standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 as a framework for information

©Einstein College of Engineering Page 33


ISO 17799 / BS 7799  Several countries have not adopted 17799 claiming there are fundamental problems: – The global information security community has not defined any justification for a code of practice as identified in the ISO/IEC 17799 – 17799 lacks ―the necessary measurement precision of a technical standard‖ – There is no reason to believe that 17799 is more useful than any other approach currently available – 17799 is not as complete as other frameworks available – 17799 is perceived to have been hurriedly prepared given the tremendous impact its adoption could have on industry information security controls  Organizational Security Policy is needed to provide management direction and support  Objectives: – Operational Security Policy – Organizational Security Infrastructure ©Einstein College of Engineering Page 34

INFORMATION SECURITY - CS1014 – – – – – – – – Asset Classification and Control Personnel Security Physical and Environmental Security Communications and Operations Management System Access Control System Development and Maintenance Business Continuity Planning Compliance

NIST Security Models  Another approach available is described in the many documents available from the Computer Security Resource Center of the National Institute for Standards and Technology ( – Including: – NIST SP 800-12 - The Computer Security Handbook – NIST SP 800-14 - Generally Accepted Principles and Practices for Securing IT Systems – NIST SP 800-18 - The Guide for Developing Security Plans for IT Systems NIST SP 800-14  Security Supports the Mission of the Organization  Security is an Integral Element of Sound Management  Security Should Be Cost-Effective  Systems Owners Have Security Responsibilities Outside Their Organizations  Security Responsibilities and Accountability Should Be Made Explicit  Security Requires a Comprehensive and Integrated Approach  Security Should Be Periodically Reassessed  Security is Constrained by Societal Factors  33 Principles enumerated


IETF Security Architecture  The Security Area Working Group acts as an advisory board for the protocols and areas developed and promoted through the Internet Society – No specific architecture is promoted through IETF  RFC 2196: Site Security Handbook provides an overview of five basic areas of security  Topics include: – security policies – security technical architecture – security services – security incident handling

©Einstein College of Engineering Page 35

INFORMATION SECURITY - CS1014 VISA Model  VISA International promotes strong security measures and has security guidelines  Developed two important documents that improve and regulate its information systems – ―Security Assessment Process‖ – ―Agreed Upon Procedures‖  Using the two documents, a security team can develop a sound strategy for the design of good security architecture  The only down side to this approach is the very specific focus on systems that can or do integrate with VISA‘s systems Baselining and Best Practices  Baselining and best practices are solid methods for collecting security practices, but they can have the drawback of providing less detail than would a complete methodology  It is possible to gain information by baselining and using best practices and thus work backwards to an effective design  The Federal Agency Security Practices Site ( is designed to provide best practices for public agencies  Baselining and best practices are solid methods for collecting security practices, but they can have the drawback of providing less detail than would a complete methodology  It is possible to gain information by baselining and using best practices and thus work backwards to an effective design  The Federal Agency Security Practices Site ( is designed to provide best practices for public agencies Professional Membership  It may be worth the information security professional‘s time and money to join professional societies with information on best practices for its members  Many organizations have seminars and classes on best practices for implementing security  Finding information on security design is the easy part, sorting through the collected mass of information, documents, and publications can take a substantial investment in time and human resources NIST SP 800-26 Management Controls – Risk Management – Review of Security Controls – Life Cycle Maintenance – Authorization of Processing (Certification and Accreditation) – System Security Plan Operational Controls – Personnel Security ©Einstein College of Engineering Page 36

INFORMATION SECURITY - CS1014 – Physical Security – Production, Input/Output Controls – Contingency Planning – Hardware and Systems Software – Data Integrity – Documentation – Security Awareness, Training, and Education – Incident Response Capability Technical Controls – Identification and Authentication – Logical Access Controls – Audit Trails

Sphere of Use  Generally speaking, the concept of the sphere is to represent the 360 degrees of security necessary to protect information at all times  The first component is the ―sphere of use‖  Information, at the core of the sphere, is available for access by members of the organization and other computer-based systems: – To gain access to the computer systems, one must either directly access the computer systems or go through a network connection – To gain access to the network, one must either directly access the network or go through an Internet connection Sphere of Protection  The ―sphere of protection‖ overlays each of the levels of the ―sphere of use‖ with a layer of security, protecting that layer from direct or indirect use through the next layer ©Einstein College of Engineering Page 37

INFORMATION SECURITY - CS1014  The people must become a layer of security, a human firewall that protects the information from unauthorized access and use  Information security is therefore designed and implemented in three layers – policies – people (education, training, and awareness programs) – technology Controls  Management controls cover security processes that are designed by the strategic planners and performed by security administration of the organization  Operational controls deal with the operational functionality of security in the organization  Operational controls also address personnel security, physical security, and the protection of production inputs and outputs  Technical controls address those tactical and technical issues related to designing and implementing security in the organization The Framework  Management Controls – Program Management – System Security Plan – Life Cycle Maintenance – Risk Management – Review of Security Controls – Legal Compliance  Operational Controls – Contingency Planning – Security ETA – Personnel Security – Physical Security – Production Inputs and Outputs – Hardware & Software Systems Maintenance – Data Integrity  Technical Controls – Logical Access Controls – Identification, Authentication, Authorization, and Accountability – Audit Trails – Asset Classification and Control – Cryptography SETA  As soon as the policies exist, policies to implement security education, training, and awareness (SETA) should follow  SETA is a control measure designed to reduce accidental security breaches ©Einstein College of Engineering Page 38

INFORMATION SECURITY - CS1014  Supplement the general education and training programs in place to educate staff on information security  Security education and training builds on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs securely SETA Elements  The SETA program consists of three elements – security education – security training – security awareness  The organization may not be capable or willing to undertake all three of these elements but may outsource them  The purpose of SETA is to enhance security by: – Improving awareness of the need to protect system resources – Developing skills and knowledge so computer users can perform their jobs more securely – Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems

Security Education  Everyone in an organization needs to be trained and aware of information security, but not every member of the organization needs a formal degree or certificate in information security  When formal education for appropriate individuals in security is needed an employee can identify curriculum available from local institutions of higher learning or continuing education ©Einstein College of Engineering Page 39

INFORMATION SECURITY - CS1014  A number of universities have formal coursework in information security (See for example Security Training  Security training involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely  Management of information security can develop customized in-house training or outsource the training program Security Awareness  One of the least frequently implemented, but the most beneficial programs is the security awareness program  Designed to keep information security at the forefront of the users‘ minds  Need not be complicated or expensive  If the program is not actively implemented, employees begin to ‗tune out‘, and the risk of employee accidents and failures increases

Comments  Defense in Depth – One of the foundations of security architectures is the requirement to implement security in layers – Defense in depth requires that the organization establish sufficient security controls and safeguards, so that an intruder faces multiple layers of controls  Security Perimeter – The point at which an organization‘s security protection ends, and the outside world begins – Referred to as the security perimeter – Unfortunately the perimeter does not apply to internal attacks from employee threats, or on-site physical threats

©Einstein College of Engineering Page 40


©Einstein College of Engineering Page 41


Key Technology Components  Other key technology components – A firewall is a device that selectively discriminates against information flowing into or out of the organization – The DMZ (demilitarized zone) is a no-man‘s land, between the inside and outside networks, where some organizations place Web servers – In an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement Intrusion Detection Systems or IDS

©Einstein College of Engineering Page 42


©Einstein College of Engineering Page 43



Physical security describes both measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media, and guidance on how to design structures to resist various hostile acts. [1] It can be as simple as a locked door or as elaborate as multiple layers of armed security guards and guardhouse placement. Physical security is not a modern phenomenon. Physical security exists in order to deter persons from entering a physical facility. Historical examples of physical security include city walls, moats, etc. The key factor is the technology used for physical security has changed over time. While in past eras, there was no passive infrared (PIR) based technology, electronic access control systems, or video surveillance system (VSS) cameras, the essential methodology of physical security has not altered over time The field of security engineering has identified the following elements to physical security:
   

explosion protection; obstacles, to frustrate trivial attackers and delay serious ones; alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed; and security response, to repel, catch or frustrate attackers when an attack is detected.

In a well designed system, these features must complement each other. [2] There are at least four layers of physical security:
    

Environmental design Mechanical, electronic and procedural access control Intrusion detection Video monitoring Personnel Identification

The goal is to convince potential attackers that the likely costs of attack exceed the value of making the attack.

©Einstein College of Engineering Page 44

INFORMATION SECURITY - CS1014 The initial layer of security for a campus, building, office, or physical space uses crime prevention through environmental design to deter threats. Some of the most common examples are also the most basic - barbed wire, warning signs and fencing, concrete bollards, metal barriers, vehicle height-restrictors, site lighting and trenches.

Electronic access control The next layer is mechanical and includes gates, doors, and locks. Key control of the locks becomes a problem with large user populations and any user turnover. Keys quickly become unmanageable forcing the adoption of electronic access control. Electronic access control easily manages large user populations, controlling for user lifecycles times, dates, and individual access points. For example a user's access rights could allow access from 0700 to 1900 Monday through Friday and expires in 90 days. Another form of access control (procedural) includes the use of policies, processes and procedures to manage the ingress into the restricted area. An example of this is the deployment of security personnel conducting checks for authorized entry at predetermined points of entry. This form of access control is usually supplemented by the earlier forms of access control (i.e. mechanical and electronic access control), or simple devices such as physical passes. An additional sub-layer of mechanical/electronic access control protection is reached by integrating a key management system to manage the possession and usage of mechanical keys to locks or property within a building or campus. The third layer is intrusion detection systems or alarms. Intrusion detection monitors for attacks. It is less a preventative measure and more of a response measure, although some[who?] would argue that it is a deterrent. Intrusion detection has a high incidence of false alarms. In many jurisdictions, law enforcement will not respond to alarms from intrusion detection systems.[citation needed]

©Einstein College of Engineering Page 45


Closed-circuit television sign The last layer is video monitoring systems. Security cameras can be a deterrent [citation needed] in many cases, but their real power comes from incident verification[3] and historical analysis.[4] For example, if alarms are being generated and there is a camera in place, the camera could be viewed to verify the alarms. In instances when an attack has already occurred and a camera is in place at the point of attack, the recorded video can be reviewed. Although the term closed-circuit television (CCTV) is common, it is quickly becoming outdated as more video systems lose the closed circuit for signal transmission and are instead transmitting on computer networks. Advances in information technology are transforming video monitoring into video analysis. For instance, once an image is digitized it can become data that sophisticated algorithms can act upon. As the speed and accuracy of automated analysis increases, the video system could move from a monitoring system to an intrusion detection system or access control system. It is not a stretch to imagine a video camera inputting data to a processor that outputs to a door lock. Instead of using some kind of key, whether mechanical or electrical, a person's visage is the key. FST21, an Israeli company that entered the US market this year, markets intelligent buildings that do just that. [5] When actual design and implementation is considered, there are numerous types of security cameras that can be used for many different applications. One must analyze their needs and choose accordingly. [6]

Private factory guard ©Einstein College of Engineering Page 46

INFORMATION SECURITY - CS1014 Intertwined in these four layers are people. Guards have a role in all layers, in the first as patrols and at checkpoints. In the second to administer electronic access control. In the third to respond to alarms. The response force must be able to arrive on site in less time than it is expected that the attacker will require to breach the barriers. And in the fourth to monitor and analyze video. Users obviously have a role also by questioning and reporting suspicious people. Aiding in identifying people as known versus unknown are identification systems. Often photo ID badges are used and are frequently coupled to the electronic access control system. Visitors are often required to wear a visitor badge. Other physical security tools In recent times, new developments in information and communications technology, as well as new demands on security managers, have widened the scope of physical security apparatus. Fire alarm systems are increasingly becoming based on Internet Protocol, thus leading to them being accessible via local and wide area networks within organisations. Emergency notification is now a new standard in many industries, as well as physical security information management (PSIM). A PSIM application integrates all physical security systems in a facility, and provides a single and comprehensive means of managing all of these resources. It consequently saves on time and cost in the effectual management of physical security Many installations, serving a myriad of different purposes, have physical obstacles in place to deter intrusion. This can be high walls, barbed wire, glass mounted on top of walls, etc. The presence of PIR-based motion detectors are common in many places, as a means of noting intrusion into a physical installation. Moreover, VSS/CCTV cameras are becoming increasingly common, as a means of identifying persons who intrude into physical locations. Businesses use a variety of options for physical security, including security guards, electric security fencing, cameras, motion detectors, and light beams. ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling the money inside when they are attacked. Money tainted with a dye could act as a flag to the money's unlawful acquisition. Safes are rated in terms of the time in minutes which a skilled, well equipped safebreaker is expected to require to open the safe. These ratings are developed by highly ©Einstein College of Engineering Page 47

INFORMATION SECURITY - CS1014 skilled safe breakers employed by insurance agencies, such as Underwriters Laboratories. In a properly designed system, either the time between inspections by a patrolling guard should be less than that time, or an alarm response force should be able to reach it in less than that time. Hiding the resources, or hiding the fact that resources are valuable, is also often a good idea as it will reduce the exposure to opponents and will cause further delays during an attack, but should not be relied upon as a principal means of ensuring security. (See security through obscurity and inside job.) Not all aspects of Physical Security need be high tech. Even something as simple as a thick or thorny bush can add a layer of physical security to some premises, especially in a residential setting.

©Einstein College of Engineering Page 48


Firewalls A firewall is any device that prevents a specific type of information from moving between the untrusted network outside and the trusted network inside There are five recognized generations of firewalls The firewall may be: a separate computer system a service running on an existing router or server a separate network containing a number of supporting devices Different generations of firewalls:. First Generation Called packet filtering firewalls Examines every incoming packet header and selectively filters packets based on address, packet type, port request, and others factors The restrictions most commonly implemented are based on: IP source and destination address Direction (inbound or outbound) Second Generation TCP or UDP source and destination port-requests Second Generation Called application-level firewall or proxy server  Often a dedicated computer separate from the filtering router  With this configuration the proxy server, rather than the Web server, is exposed to the outside world in the DMZ  Additional filtering routers can be implemented behind the proxy server  The primary disadvantage of application-level firewalls is that they are designed for a specific protocol and cannot easily be reconfigured to protect against attacks on protocols for which they are not designed Third Generation  Called stateful inspection firewalls  Keeps track of each network connection established between internal and external systems using a state table which tracks the state and context of each packet in the conversation by recording which station sent what packet.  These firewalls can track connectionless packet traffic such as UDP and remote procedure calls (RPC) traffic

Fourth Generation

©Einstein College of Engineering Page 49

INFORMATION SECURITY - CS1014  While static filtering firewalls, such as first and third generation, allow entire sets of one type of packet to enter in response to authorized requests, a dynamic packet filtering firewall allows only a particular packet with a particular source, destination,and port address to enter through the firewall It does this by understanding how the protocol functions, and opening and closing ―doors‖ in the firewall, based on the information contained in the packet header. In this manner, dynamic packet filters are an intermediate form, between traditional static packet filters and application proxies

Fifth Generation  The final form of firewall is the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT  It evaluates packets at multiple layers of the protocol stack, by checking security in the kernel as data is passed up and down the stack Firewalls are categorized by processing modes The five processing modes are 1) Packet filtering 2) Application gateways 3) Circuit gateways 4) MAC layer firewalls 5) Hybrids Packet-filtering Routers  Most organizations with an Internet connection have some form of a router as the interface at the perimeter between the organization‘s internal networks and the external service provider  Many of these routers can be configured to filter packets that the organization does not allow into the network  This is a simple but effective means to lower the organization‘s risk to external attack  The drawback to this type of system includes a lack of auditing and strong authentication  The complexity of the access control lists used to filter the packets can grow and degrade network performance

©Einstein College of Engineering Page 50

INFORMATION SECURITY - CS1014 Screened-Host Firewall Systems  Combine the packet-filtering router with a separate, dedicated firewall such as an application proxy server

©Einstein College of Engineering Page 51


Dual homed host firewalls   Dual-homed Host Firewalls The bastion-host contains two NICs (network interface cards) One NIC is connected to the external network, and one is connected to the internal network. With two NICs all traffic must physically go through the firewall to move between the internal and external networks A technology known as network-address translation (NAT) is commonly implemented with this architecture to map from real, valid, external IP addresses to ranges of internal IP addresses that are non-routable

©Einstein College of Engineering Page 52


©Einstein College of Engineering Page 53

INFORMATION SECURITY - CS1014 Screened-Subnet Firewalls? Screened-Subnet Firewalls (with DMZ)  Consists of two or more internal bastion-hosts, behind a packet-filtering router, with each host protecting the trusted network  The first general model consists of two filtering routers, with one or more dualhomed bastion-host between them  The second general model involves the connection from the outside or untrusted network going through this path: o Through an external filtering router o Into and then out of a routing firewall to the separate network segment known as the DMZ. The factors to be considered while selecting a right firewall Selecting the Right Firewall  What type of firewall technology offers the right balance of protection features and cost for the needs of the organization?  What features are included in the base price? What features are available at extra cost? Are all cost factors known?  How easy is it to set up and configure the firewall? How accessible are staff technicians with the mastery to do it well?  Can the candidate firewall adapt to the growing network in the target organization? What are Sock Servers? SOCKS Servers  The SOCKS system is a proprietary circuit-level proxy server that places special SOCKS client-side agents on each workstation  Places the filtering requirements on the individual workstation, rather than on a single point of defense (and thus point of failure)  This frees the entry router of filtering responsibilities, but then requires each A SOCKS system can require additional support and management resources to configure and manage possibly hundreds of individual clients, versus a single device or set of devices The recommended practices in designing firewalls Firewall Recommended Practices  All traffic from the trusted network is allowed out The firewall device is always inaccessible directly from the public network

©Einstein College of Engineering Page 54

INFORMATION SECURITY - CS1014 Allow Simple Mail Transport Protocol (SMTP) data to pass through your firewall, but insure it is all routed to a well-configured SMTP gateway to filter and route messaging traffic securely  All Internet Control Message Protocol (ICMP) data should be denied  Block telnet (terminal emulation) access to all internal servers from the public networks  When Web services are offered outside the firewall, deny HTTP traffic from reaching your internal networks by using some form of proxy access or DMZ architecture

Intrusion Detection Systems (IDSs) An IDS operates as either network-based, when the technology is focused on protecting network information assets, or host-based, when the technology is focused on protecting server or host information assets IDSs use one of two detection methods, signature-based or statistical anomaly-based

©Einstein College of Engineering Page 55

INFORMATION SECURITY - CS1014 Different types of IDSs a) Network-based IDS A network-based IDS(NIDS) resides on a computer or an appliance connected to a segment of an organization‘s network and monitors traffic on that network segment,looking for indications of ongoing or successful attacks. b) Host-based IDS A Host-based IDS(HIDS) works differently from a network-based version of IDS. While a netwerok-based-IDS resides on a network segment and monitors activities across that segment,a host-based IDS resides on a particular computer or server,known as the host and monitors activity only on that system. HIDs are also known as System Integrity Verifiers as they benchmark and monitor the status of key system files and detect when an intruder creates, modifies or deletes monitored files. A HIDs is also capable of monitoring system configuration databases, such as windows registries, in addition to stored configuration files like .ini, .cfg, and .dat files. c) Application-based IDS A refinement of Host-based IDs is the application-based IDS(AppIDS). Whereas the HIDs examines a single system for file modification, the application based IDs examines an application for abnormal incidents. It looks for anomalous occurrences such as users exceeding their authorization, invalid file executions etc. d) Signature-based IDS It is based on detection methods. A signature-based IDS (also called Knowledgebased IDs) examines data traffic in search of patterns that match known signatures – that is, preconfigured, predetermined attack patterns. Many attacks have clear and distinct signatures such as (i) footprinting and fingerprinting activities, have an attack pattern that includes the use of ICMP,DNS querying,and e-mail routing analysis (ii) Exploits involve a specific attack sequence designed to take advantage of a vulnerability to gain access to a system (iii) Denial of Service(DoS) and Distributed Denial of Service(DDoS) attacks. e)Statistical Anomaly-Based IDS(Also called Behaviour-based IDS) This approach is used for detecting intrusions based on the frequency with which certain network activities takes place. Statistical Anomaly-Based IDS collects statistical summaries by observing traffic that is known to be normal. A baseline is established based on normal period. The Stats IDs periodically sample network activity, and using statistical methods ,compares the sampled network activity to the baseline. When the measured activities are outside the baseline parameters,it is said to be exceeding the clipping level; at this point, the IDS will trigger an alert to notify the administrator. f) Log File Monitors(LFM) Log File Monitor(LFM) is an approach to IDS that is similar to NIDS. Using L Fm the system reviews the log files generated by servers, network devices, and when other ©Einstein College of Engineering Page 56

INFORMATION SECURITY - CS1014 IDSs. These systems look for patterns and signatures in the log files that may indicate an attack or intrusion is in process or has already succeeded. What are Honey Pots, Honey Nets,and Padded Cell Systems? A class of powerful security tools that go beyond routine intrusion detection is known variously as honey pots, honey nets,and padded cell systems. Oney pots are decoy systems designed to lure potential attackers away from critical systems and encourage attacks against the themselves. These systems are created for the sole purpose of deceiving potential attackers. In Industry they are known as decoys, lures, and fly-traps. When a collection of honey pots connects several honey pot systems on a subnet,it may be called a honey net. In sum, honey pots are designed to i) Divert an attacker from accessing critical systems. ii) Collect information about the attacker‘s activity iii) Encourage the attacker to stay on the system long enough for administrators to document the event and, perhaps ,respond. A Padded Cell is a honey pot that has been protected so that it cannot be easily compromised. In otherwords, a padded cell is a hardened honey spot.. The advantages and disadvantages of using honey pot or padded cell approach Advantages:  Attackers can be diverted to targets that they cannot damage.  Administrators have time to decide how to respond to an attacker. Attackers action can be easily and extensively monitored  Honey pots may be effective at catching insiders who are snooping around a network. Disadvantages:  The legal implication of using such devices are not well defined.  Honey pots and Padded cells have not yet been shown to be generally useful security technologies.  An expert attacker,once diverted into a decoy system,may become angry and launch a hostile attack against an organization‘s systems  Admins and security managers will need a high level of expertise to use these systems. ©Einstein College of Engineering Page 57


Scanning and Analysis Tools  Scanners, sniffers, and other analysis tools are useful to security administrators in enabling them to see what the attacker sees  Scanner and analysis tools can find vulnerabilities in systems  One of the preparatory parts of an attack is known as footprinting – collecting IP addresses and other useful data  The next phase of pre-attack data gathering process is called fingerprinting – scanning all known addresses to make a network map of the target

How Scanning and Analysis tools are useful in enforcing Information Security? Scanning and Analysis Tools  Scanners, sniffers, and other analysis tools are useful to security administrators in enabling them to see what the attacker sees  Scanner and analysis tools can find vulnerabilities in systems One of the preparatory parts of an attack is known as footprinting – collecting IP addresses and other useful data ©Einstein College of Engineering Page 58

INFORMATION SECURITY - CS1014  The next phase of pre-attack data gathering process is called fingerprinting – scanning all known addresses to make a network map of the target

What are foot printing and finger printing?

The attack protocol is a series of steps or processes used by an attacker ,in a logical sequence ,to launch an attack against a target system or netweok. One of the preparatory part of the attack protocol is the collection of publicly available information about a potential target,a process known as footprinting. Footprinting is the organized research of the Internet addresses owned or controlled by the target organization. The attacker uses public Internet data sources to perform keyword searches to identify the network addresses of the organization. This research ios augmented by browsing the organization‘s web pages. The next phase of the attack protocol is a second intelligence or data-gathering process called fingerprinting. This is systematic survey of all of the target organization‘s Internet addresses (which are collected during the footprinting phase); the survey is conducted to ascertain the network services offered by the hosts in that range. Fingerprinting reveals useful information about the internal structure and operational nature of the target system or network for the anticipated attack. Different types of the Scanning and Analysis tools available. Port Scanners  Port scanners fingerprint networks to find ports and services and other useful information Why secure open ports? An open port can be used to send commands to a computer, gain access to a server, and exert control over a networking device o The general rule of thumb is to remove from service or secure any port not absolutely necessary for the conduct of business Vulnerability Scanners  Vulnerability scanners are capable of scanning networks for very detailed information  As a class, they identify exposed usernames and groups, show open network shares,expose configuration problems, and other vulnerabilities in servers ©Einstein College of Engineering Page 59


Packet Sniffers  A network tool that collects copies of packets from the network and analyzes them  Can be used to eavesdrop on the network traffic  To use a packet sniffer legally, you must be:  on a network that the organization owns  under direct authorization of the owners of the network  have knowledge and consent of the content creators (users) Content Filters  Although technically not a firewall, a content filter is a software filter that allows administrators to restrict accessible content from within a network  The content filtering restricts Web sites with inappropriate content Trap and Trace  Trace: determine the identity of someone using unauthorized access  Better known as honey pots, they distract the attacker while notifying the Administrator What is Cryptography? Cryptography ,which comes from the Greek work kryptos,meaning ―hidden‖,and graphein, meaning ―to write‖,is aprocess of making and using codes to secure the transmission of information. Cryptoanalysis is the process of obtaining the original message (called plaintext) from an encrypted message (called the cipher ext) without knowing the algorithms and keys used to perform the encryption. Encryption is the process of converting an original message into a form that is unreadable to unauthorized individuals-that is; to anyone without the tools to convert the encrypted message back to its original format. Decryption is the process of converting the cipher text into a message that conveys readily understood meaning.

Basic Encryption Definitions. Encryption Definitions Algorithm: the mathematical formula used to convert an unencrypted message into an encrypted message. Cipher: the transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components. ©Einstein College of Engineering Page 60

INFORMATION SECURITY - CS1014 Ciphertext or cryptogram: the unintelligible encrypted or encoded message resulting from an encryption. Code: the transformation of the larger components (words or phrases) of an unencrypted message into encrypted components. Cryptosystem: the set of transformations necessary to convert an unencrypted message into an encrypted message. Decipher: to decrypt or convert ciphertext to plaintext. Encipher: to encrypt or convert plaintext to ciphertext. Key or cryptovariable: the information used in conjunction with the algorithm to create ciphertext from plaintext. Keyspace: the entire range of values that can possibly be used to construct an individual key. Link encryption: a series of encryptions and decryptions between a number of systems, whereby each node decrypts the message sent to it and then re-encrypts it using different keys and sends it to the next neighbor, until it reaches the final destination. Plaintext: the original unencrypted message that is encrypted and results from successful decryption. Steganography: the process of hiding messages in a picture or graphic. Work factor: the amount of effort (usually in hours) required to perform cryptanalysis on an encoded message. Data Encryption Standard(DES)  Data Encryption Standard (DES)  Developed in 1977 by IBM Based on the Data Encryption Algorithm (DEA) Uses a 64-bit block size and a 56-bit key  With a 56-bit key, the algorithm has 256 possible keys to choose from (over quadrillion)  DES is a federally approved standard for non classified data  DES was cracked in 1997 when RSA put a bounty on the algorithm offering $10,000 to the team to crack the algorithm - fourteen thousand users collaborated over the Internet to finally break the encryption Triple DES (3DES)  Developed as an improvement to DES  Uses up to three keys in succession and also performs three different encryption operations:  3DES encrypts the message three times with three different keys, the most ©Einstein College of Engineering Page 61

INFORMATION SECURITY - CS1014 secure level of encryption possible with 3DES  In 1998, it took a dedicated computer designed by the Electronic Freedom  Frontier ( over 56 hours to crack DES  The successor to 3DES is Advanced Encryption Standard (AES), based on the Rijndael Block Cipher, a block cipher with a variable block length and a key length of either128, 192, or 256 bits  It would take the same computer approximately 4,698,864 quintillion years to crack AES Digital Signatures  An interesting thing happens when the asymmetric process is reversed, that is the private key is used to encrypt a short message  The public key can be used to decrypt it, and the fact that the message was sent by the organization that owns the private key cannot be refuted  This is known asnonrepudiat ion, which is the foundation of digital signatures  Digital Signatures are encrypted messages that are independently verified by a central facility (registry) as authentic

PKI or Public Key Infrastructure Public Key Infrastructure is the entire set of hardware, software, and cryptosystems necessary to implement public key encryption PKI systems are based on public-key cryptosystems and include digital certificates and certificate authorities (CAs) and can:  Issue digital certificates  Issue crypto keys  Provide tools to use crypto to secure information  Provide verification and return of certificates PKI Benefits PKI protects information assets in several ways:  Authentication  Integrity  Privacy  Authorization  Nonrepudiation Securing E-mail Encryption cryptosystems have been adapted to inject some degree of security ©Einstein College of Engineering Page 62

INFORMATION SECURITY - CS1014 into e-mail:  S/MIME builds on the Multipurpose Internet Mail Extensions (MIME) encoding format by adding encryption and authentication  Privacy Enhanced Mail (PEM) was proposed by the Internet Engineering Task Force (IETF) as a standard to function with the public key cryptosystems  PEM uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures  Pretty Good Privacy (PGP) was developed by Phil Zimmerman and uses the IDEA Cipher along with RSA for key exchange Seven Major Sources of Physical Loss Temperature extremes Gases Liquids Living organisms Projectiles Movement Energy anomalies Secure facility A secure facility is a physical location that has been engineered with controls designed to minimize the risk of attacks from physical threats A secure facility can use the natural terrain; traffic flow, urban development, and can complement these features with protection mechanisms such as fences, gates, walls, guards, and alarms Controls for Protecting the Secure Facility  Walls, Fencing, and Gates  Guards  Dogs, ID Cards, and Badges  Locks and Keys  Mantraps  Electronic Monitoring  Alarms and Alarm Systems  Computer Rooms  Walls and Doors Controls used in a Secure Facility ID Cards and Badges ©Einstein College of Engineering Page 63

INFORMATION SECURITY - CS1014  Ties physical security to information access with identification cards (ID) and/or name badges  ID card is typically concealed  Name badge is visible These devices are actually biometrics (facial recognition) Should not be the only control as they can be easily duplicated, stolen, and modified Tailgating occurs when unauthorized individuals follow authorized users through the control Locks and Keys There are two types of locks  mechanical and electro-mechanical Locks can also be divided into four categories  manual, programmable, electronic, and biometric Locks fail and facilities need alternative procedures for access Locks fail in one of two ways:  lock  lock when the lock of a door fails and the door becomes unlocked, that is a fail-safe when the lock of a door fails and the door remains locked, this is a fail-secure

Electronic Monitoring  Records events where other types of physical controls are not practical  May use cameras with video recorders  Drawbacks: o reactive and do not prevent access or prohibited activity o recordings often not monitored in real time and must be reviewed to have any value Alarms and Alarm Systems Alarm systems notify when an event occurs Used for fire, intrusion, environmental disturbance, or an interruption in services These systems rely on sensors that detect the event: motion detectors, smoke detectors, thermal detectors, glass breakage detectors, weight sensors, and contact sensors

©Einstein College of Engineering Page 64

INFORMATION SECURITY - CS1014 Computer Rooms and Wiring Closets  Computer rooms and wiring and communications closets require special attention  Logical controls are easily defeated, if an attacker gains physical access to the computing equipment  Custodial staff are often the least scrutinized of those who have access to offices and are given the greatest degree of unsupervised access Interior Walls and Doors  The walls in a facility are typically either: o standard interior o firewall  All high-security areas must have firewall grade walls to provide physical security from potential intruders and improves the facility's resistance to fires  Doors that allow access into secured rooms should also be evaluated  Doors that allow access into secured rooms should also be evaluated  Computer rooms and wiring closets can have push or crash bars installed to meet building codes and provide much higher levels of security than the standard door pull handle Fire Safety  The most serious threat to the safety of the people who work in the organization is the possibility of fire  Fires account for more property damage, personal injury, and death than any other threat  It is imperative that physical security plans examine and implement strong measures to detect and respond to fires and fire hazards Fire Detection and Response  Fire suppression systems are devices installed and maintained to detect and respond to a fire  They work to deny an environment of one of the three requirements for a fire to burn: heat, fuel, and oxygen Water and water mist systems reduce the temperature and saturate some fuels to prevent ignition  Carbon dioxide systems rob fire of its oxygen  Soda acid systems deny fire its fuel, preventing spreading  Gas-based systems disrupt the fire‘s chemical reaction but leave enough oxygen for people to survive for a short time

©Einstein College of Engineering Page 65

INFORMATION SECURITY - CS1014 Chief Information Security Officer  The top information security position in the organization, not usually an executive and frequently reports to the Chief Information Officer  The CISO performs the following functions:  Manages the overall InfoSec program  Drafts or approves information security policies  Works with the CIO on strategic plans, develops tactical plans, and works with  security managers on operational plans  Develops InfoSec budgets based on funding  Sets priorities for InfoSec projects & technology  Makes decisions in recruiting, hiring, and firing of security staff  Acts as the spokesperson for the security team

©Einstein College of Engineering Page 66

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.