
INFORMATION SECURITY MANAGEMENT

Project 1

Select an organization with a sizeable IT department (at least 25 IT personnel) for the project.

Perform a study on the IT department, how it works, and the information security operations. The project report should address the following queries.

1. What kind of services do they offer?

Web application development (developing and maintaining web services for their clients).

2. What is the security model adopted by the organization?

Organisation for Economic Co-operation and Development's (OECD) Guidelines.

Multi-level policy recommended by the DoD.

Availability: prevention of loss of access to resources and data.

Integrity: prevention of unauthorized modification of data.

Confidentiality: prevention of unauthorized disclosure of data.

Access permissions are defined through an access control matrix and through a partial ordering of security levels (BLP model).

Security policies prevent information flowing downwards from a high security level to a low security level.
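
A minimal reference monitor for the BLP model described above, added here as an illustration and not part of the original report. It combines an access control matrix with a partial ordering of labels and denies both reading up and writing down; the level names, subjects, objects and matrix entries are hypothetical.

```python
from dataclasses import dataclass

LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2}  # hypothetical levels

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Partial order: higher-or-equal level AND superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

# Constructed sample data (hypothetical subjects and objects).
SUBJECTS = {
    "pm": Label("CONFIDENTIAL", frozenset({"clientA", "clientB"})),
    "dev_a": Label("CONFIDENTIAL", frozenset({"clientA"})),
    "intern": Label("INTERNAL"),
}
OBJECTS = {
    "clientA_source": Label("CONFIDENTIAL", frozenset({"clientA"})),
    "clientB_contract": Label("CONFIDENTIAL", frozenset({"clientB"})),
    "wiki": Label("INTERNAL"),
}
# Access control matrix: rights granted per (subject, object) pair.
ACM = {
    ("pm", "wiki"): {"read", "write"},
    ("dev_a", "clientA_source"): {"read", "write"},
    ("dev_a", "clientB_contract"): {"read"},
    ("dev_a", "wiki"): {"read", "write"},
    ("intern", "clientA_source"): {"read"},
    ("intern", "wiki"): {"read", "write"},
}

def check(subject, obj, right):
    # The matrix entry is necessary but not sufficient: labels must also agree.
    s, o = SUBJECTS[subject], OBJECTS[obj]
    if right not in ACM.get((subject, obj), set()):
        return False, "denied: not in access control matrix"
    if right == "read" and not s.dominates(o):
        return False, "denied: no read up (simple security property)"
    if right == "write" and not o.dominates(s):
        return False, "denied: no write down (*-property)"
    return True, "granted"

if __name__ == "__main__":
    for req in [("dev_a", "clientB_contract", "read"), ("dev_a", "wiki", "write")]:
        print(req, check(*req))
```

The `dev_a` and `clientB_contract` labels are incomparable (same level, different categories), which is why the ordering is partial: the matrix grants the read, but the label check still refuses it.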

3. Bring out the network structure followed in the organization.

The company uses the OSI model, with IP as the network layer protocol.

Network topology: star topology. All sites are connected through a central site.

Connection strategy: packet switching.

Name resolution: naming systems in the network. Messages are addressed with the process ID. Processes on remote systems are identified by a <hostname, identifier> pair. The Domain Name Service specifies the naming structure of the hosts, as well as name-to-address resolution (Internet).

Routing: static routing, adding a static route to a remote network. No dynamic routing is used.

Network types: LAN with WAN connectivity.

Resource sharing: distributed operating system.

Users are aware of the multiplicity of machines.

Access to remote resources is similar to access to local resources.

Data migration: transfer data by transferring the entire file, or by transferring only those portions of the file necessary for the immediate task.

Computation migration: transfer the computation, rather than the data, across the system.

4. Have they developed a security system on their own or was it outsourced? Why?

Outsourced, due to the huge salaries of security experts.

5. Which security concepts (if any) appear to be missing from the organization?

Authenticity: the identification and assurance of the origin of information.

Physical security (mainly vulnerable to tailgating).

Vulnerable to official Engineering attacks.

6. Prepare a report on the various IT security issues that the organization comes across.

Disgruntled employees: stupid theories of project managers, creating frustrated employees. A very serious issue.

Inside hacker.

Tailgating.

The purchase manager has not given permission for buying security devices such as dome cameras, biometric devices, etc.

Chance of an inside affiliate.

Malicious activities.

Technically unaware managers are not giving permission to apply strict policies, and are overriding the security policies for ease of use.

7. How is it dealt with?

They fired the disgruntled employee and reported the tailgating incident to the police.

8. What are the physical, logical and operations security measures adopted by the organization?

RFID, CCTV, strong datacenter.

Deep packet inspection, stateful inspection, digital signatures, multi-factor authentication, packet logger.

9. List out the threats, risks and vulnerabilities the organization faced.

Earlier:

Web surfing by employees (porn sites, social engineering sites, malware sites, etc.) caused threat infection inside the company.

Data theft.

At present:

Overriding security policies.

Tailgating.

They might face in future:

Criminal hackers may attack.

Increasing number of disgruntled employees.

10. List out their plans to overcome it.

The IT team is planning to introduce stronger security policies, focusing on physical security and logging of all LAN and WAN activities.

11. What are the various levels of identification, authentication and authorization followed in the organization?

Identification: a user name, account number and digital signature.

Authentication: password, one-time password, access cards (RFID, not biometric).

Authorization: passwords, account number, privileges based on employee hierarchies.

12. Do they follow any cryptographic techniques? Explain.

Public key cryptography: it uses one key for encryption and another key for decryption. One key is designated as public and is open to the public, and the other key is the private key.

Hashing: it uses a mathematical transformation to irreversibly encrypt information. E.g. MD5.

13. Perform cost-benefit analysis on the amount spent on information security.

14. Has there been an occurrence of any computer crime in the organization? If any, how did the organization deal with it? Comment on whether it was the apt way of dealing with the crime.

An employee sent the project details to another company using image steganography (hiding data in an image as noise). An independent forensic examiner figured it out and management fired the employee.

Comments: The management should educate the employees about cyber laws, and should enquire about the reasons behind these crimes.

15. What has the organization done in response to the above crimes?

Management fired the employee.

16. With reference to the IT Act of India and the US Federal Computer Crime Laws, list out the punishments for the above crimes.

6 years of imprisonment.

17. What are the tools and techniques to determine the culprits?

The forensic examiner used the CAINE live forensic operating system, e-mail tracker technology and reverse steganography.

18. Are there security controls that you would expect to be there but are not?

Yes. Since the company is trying for ISO 27001 certification, all the security devices are there, like deep packet inspection firewalls, stateful inspection firewalls, strong passwords, encryption, access control. But stupid management is not maintaining the policies.
