
Information Security and Assurance

Managing Security


At the end of this module, the student is expected to:


1. Understand the importance of deploying computer security measures
2. Enumerate different types of identity theft
3. List down signs of identity theft
4. Understand security management
5. Enumerate different types of security management
6. Define security policy and enumerate different types
7. Understand risk and threat analysis
8. Understand attack trees.

Introduction
The deployment of security measures (and of IT in general) is a management
decision. Technical security measures have to work hand in hand with
organizational measures to be effective. Management decisions should be
underpinned by some analysis of current risks and threats.
Online payment is one of the best uses of the internet. Online payment refers
to money that is exchanged electronically; typically this involves computer
networks, the internet and digital stored-value systems.
The advantages of online payment include saving time and money: you can
browse products, see discounted items, see products available in other
countries, and choose among different vendors at the same time.
One of the risks of using online payment or online services is identity theft,
where someone else gains access to resources or services in your name and
exploits that weakness.

Types of Identity Theft


Identity Cloning and Concealment
This type of identity theft occurs when the perpetrator wants to take on the
identity of another in order to conceal his true identity. For example, an
illegal immigrant may steal a person’s identity in order to obtain a job in the
United States.
Criminal Identity Theft
Criminal identity theft occurs when a person identifies himself as another
person to avoid detection by law enforcement, to evade arrest, or to evade
prosecution for a crime. Criminal identity theft might enable the perpetrator
to commit a crime under the victim’s name, leaving the victim holding the
bag. When this occurs, it may be difficult for the victim to clear his name
completely, as it is an extensive process that involves the court system.

Synthetic Identity Theft


This crime involves the creation of a completely or partially fabricated
identity. This is done by combining an individual’s real social security
number with a phony name and made-up date of birth. This type of identity
theft is difficult to track, as it may not appear on either person’s credit report.
Instead, it may create an entirely new credit report file, or appear on the
victim’s report as a sub-file.

Medical Identity Theft


The term medical identity theft, coined in 2006, is a form of insurance fraud.
This involves an individual obtaining medical care under another person’s
name, using the victim’s name and birth date, and possibly even his
insurance policy information. The perpetrator’s medical information is then
entered into the victim’s medical records, exposing the victim to financial
losses for medical bills and insurance costs.

Child Identity Theft


The IRS requires that all children claimed as dependents on a parent’s
income taxes have their own social security numbers. These social security
numbers are valued commodities for fraudsters, as they have no information
associated with them. Child identity theft may be committed by a family
member or friend, but strangers might use the numbers to apply for loans,
obtain credit cards, and even obtain a driver’s license. Because nobody thinks
to obtain a child’s credit report, this crime may go undetected for many
years.

Signs of Identity Theft


1. Failing to receive bills in the mail
2. Seeing unexplained bank account withdrawals
3. Being denied credit unexpectedly
4. Having a merchant refuse to accept your check unexpectedly
5. Receiving calls from debt collectors about accounts you are not aware
of
6. Receiving bills on accounts you did not know about
7. Receiving notification from the IRS that more than one tax return was
received in your name
8. Receiving a bill from a medical provider for services you never
received
9. Having a legitimate claim denied by your health plan because their
records show you have reached your benefits limit
10. Being denied coverage because your medical records show a
condition you do not have

Tips for identity theft protection include:


1. Protect PIN numbers by never writing them on credit/debit cards, or
on a slip of paper in a wallet
2. Shield keypads when using ATMs or checkout systems
3. Collect the mail immediately
4. Have the post office hold mail when away for more than a day or two
5. Pay attention to whether bills arrive as scheduled
6. Keep all receipts and account statements
7. Shred unwanted statements or receipts
8. Keep all personal information in a safe place at home
9. Ignore unsolicited requests for personal information
10. Use firewalls on home computers
11. Always use secure passwords
12. Check credit reports annually, or any time theft is suspected
Hackers also look for vulnerabilities: a vulnerability is a security flaw,
glitch or weakness found in software or in an operating system (OS) that
can lead to security concerns. Attackers may corrupt data on the device itself
or use it as a stepping stone for attacks against third parties. Worms and
viruses make use of overgenerous features or vulnerabilities to spread
widely and overload networks and end systems with the traffic they
generate.

Security Management
Security management is the identification of an organization's assets
(including information assets), followed by the development, documentation,
and implementation of policies and procedures for protecting these assets.
An organization uses security management procedures such as information
classification, risk assessment and risk analysis to identify threats, categorize
assets and rate system vulnerabilities so that it can implement effective
controls.

Information security involves:


1. Confidentiality
2. Integrity
3. Availability
4. Traceability

Types of security threats


External
1. Strategic: like competition and customer demand...
2. Operational: Regulation, suppliers, contract
3. Financial: FX, credit
4. Hazard: Natural disaster, cyber, external criminal act
5. Compliance: new regulatory or legal requirements are introduced, or
existing ones are changed, exposing the organization to a non-compliance
risk if measures are not taken to ensure compliance

Internal
1. Strategic: R&D
2. Operational: Systems and processes (HR, payroll)
3. Financial: Liquidity, cash flow
4. Hazard: Safety and security; employees and equipment
5. Compliance: Actual or potential changes in the organization’s systems,
processes, suppliers, etc. may create exposure to a legal or regulatory
non-compliance.

Security policy
Security policy is a definition of what it means to be secure for a system,
organization or other entity. For an organization, it addresses the constraints
on behavior of its members as well as constraints imposed on adversaries by
mechanisms such as doors, locks, keys and walls.

Types of Security Policies


Information security policies must come from all corners of an
organization, including the general staff. These policies are the basis for
all information security planning, design and deployment. They should give
direction on how issues are to be handled and which technologies are best
used. They direct how a particular piece of software or equipment should
work; this specific information is placed in the standards, procedures and
practices.
The starting and ending point of any quality security program is the
policy that has been adopted. Security policies are very easy to decide on
but very difficult to implement properly.
Security policies depend largely on the context in which they are used.
An organization’s security policies are required to protect its
information assets.
Management often proposes three types of security policies. These are:

Enterprise Information Security Policies


The Enterprise Information Security Policy (EISP) gives direct support to
the organization’s mission, vision and direction. It views and directs all
security efforts. The EISP also provides direction in the development,
implementation and management of the security program and sets out the
requirements that must be met by the information security framework.
Issue-specific Security Policies
The Issue-specific Security Policy examines the scope and applicability of
the security policy and addresses the technologies that need to be used.
Authorization of user access, privacy protection, and fair and responsible
use of the technology are addressed. Often, users are prohibited from using
the information in a manner that can harm others.

System-specific Security Policies


System-specific Security Policies often include standards and procedures to
be implemented while maintaining systems. This security policy is also
used to address the implementation and configuration of technology as well
as the behavior of the people.

Information Security Blueprint


After the organization develops its information security policies and
standards, the information security department develops the blueprint
for the information security program. The department lists all the
information assets and prioritizes the threats and dangers to the
organization, and a risk assessment is conducted. These assessments
help in the design of the security blueprint for the organization.
This security blueprint acts as the basis for the design, selection and
implementation of all security program elements, including policy
implementation, ongoing policy management, risk management programs,
education and training programs, technological controls and maintenance of
the security programs.

Risk and Threat Analysis


‘Threat’ is a function of the enemy’s capability and intent to conduct attacks,
whereas ‘Risk’ is a function of the probability that your organization will be
involved in an attack (either as a deliberate target or just in the wrong place
at the wrong time) and the harm that such an attack would cause. Even more
simply, threat = capability x intent, whereas risk = assets x threats x
vulnerabilities.
Risk analysis, which is a tool for risk management, is a method of identifying
vulnerabilities and threats, and assessing the possible damage to determine
where to implement security safeguards. Risk analysis is used to ensure that
security is cost effective, relevant, timely and responsive to threats.
Risk analysis helps companies prioritize their risks and shows management
the amount of money that should be applied to protecting against those risks
in a sensible manner.
A risk analysis has four main goals:
1. Identify assets and their values
2. Identify vulnerabilities and threats
3. Quantify the probability and business impact of these potential
threats
4. Provide an economic balance between the impact of the threat and the
cost of the countermeasure
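A worked example of the four goals above as a simple scoring model, written for this module and not part of the original text: each asset's expected yearly loss is computed as asset value x threat probability x vulnerability (the risk formula above), and a countermeasure is judged justified only when the loss it prevents exceeds its cost. The inventory, probabilities and costs are constructed sample values.

```python
# Added example for this module: risk = assets x threats x vulnerabilities as a
# scoring model. All asset names, probabilities and costs are constructed samples.
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    asset_value: float            # business impact if the asset is fully compromised
    threat_probability: float     # estimated probability per year that an attack is attempted (0..1)
    vulnerability: float          # fraction of attempts that would succeed today (0..1)
    countermeasure: str
    countermeasure_cost: float    # yearly cost of the safeguard
    residual_vulnerability: float # success fraction once the safeguard is in place (0..1)


def expected_loss(asset_value, threat_probability, vulnerability):
    """Goal 3: quantify probability and business impact as an expected yearly loss."""
    return asset_value * threat_probability * vulnerability


def evaluate(e):
    """Goal 4: balance the loss a countermeasure prevents against what it costs."""
    before = expected_loss(e.asset_value, e.threat_probability, e.vulnerability)
    after = expected_loss(e.asset_value, e.threat_probability, e.residual_vulnerability)
    net_benefit = (before - after) - e.countermeasure_cost
    return {
        "asset": e.asset,
        "risk_before": round(before, 2),
        "risk_after": round(after, 2),
        "net_benefit": round(net_benefit, 2),
        "justified": net_benefit > 0,   # spend only where prevented loss exceeds cost
    }


def prioritize(exposures):
    """Goals 1 and 2 are the inventory itself; rank it by current risk, highest first."""
    return sorted((evaluate(e) for e in exposures), key=lambda r: r["risk_before"], reverse=True)


# Constructed inventory: assets with values, threats and vulnerabilities (goals 1 and 2)
SAMPLE_INVENTORY = [
    Exposure("customer payment database", 500_000, 0.30, 0.50,
             "database encryption and access logging", 40_000, 0.10),
    Exposure("public marketing website", 20_000, 0.90, 0.40,
             "web application firewall", 15_000, 0.10),
    Exposure("staff mailboxes", 80_000, 0.60, 0.25,
             "multi-factor authentication", 12_000, 0.05),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INVENTORY):
        print(row)
```

Note that the website and mailbox safeguards come out unjustified at these sample figures, which is exactly the kind of result the fourth goal exists to surface before money is spent.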
Attack Trees
Attack trees are conceptual diagrams showing how an asset, or target, might
be attacked. Attack trees have been used in a variety of applications. In the
field of information technology, they have been used to describe threats on
computer systems and possible attacks to realize those threats.

Figure 1 Attack trees
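An added illustration of the attack-tree idea, not taken from the module: the tree is Schneier's classic "open safe" example with AND/OR nodes, each leaf carries an estimated attacker cost (constructed values), and the code finds the cheapest attack and shows how raising one leaf's cost with a safeguard changes the attacker's best option, which is how a defender uses the tree to decide where a countermeasure actually matters.

```python
# Added example, not from the module: an attack tree with AND/OR nodes, using
# Schneier's classic "open safe" illustration. Leaf costs are constructed values.
from dataclasses import dataclass, field
from math import inf


@dataclass
class Node:
    name: str
    kind: str = "leaf"      # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = 0.0       # estimated attacker cost for a leaf; inf marks an infeasible step
    children: list = field(default_factory=list)


def cheapest(node):
    """Return (cost, leaf names) of the least-cost way to achieve this node's goal."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        return sum(r[0] for r in results), [n for r in results for n in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def with_safeguard(node, leaf_name, new_cost):
    """Copy of the tree in which one leaf is made costlier, modelling a countermeasure."""
    if node.kind == "leaf":
        return Node(node.name, "leaf", new_cost if node.name == leaf_name else node.cost)
    return Node(node.name, node.kind, node.cost,
                [with_safeguard(c, leaf_name, new_cost) for c in node.children])


def open_safe():
    """Root goal 'open safe': one OR branch suffices, but every AND child is required."""
    return Node("open safe", "or", children=[
        Node("pick lock", cost=30_000),
        Node("learn combination", "or", children=[
            Node("find written combination", cost=75_000),
            Node("bribe owner", cost=20_000),
            Node("eavesdrop", "and", children=[
                Node("listen to conversation", cost=20_000),
                Node("get owner to state combination", cost=40_000),
            ]),
        ]),
        Node("cut open safe", cost=10_000),
        Node("install safe improperly", cost=inf),
    ])
```

Raising the cost of "cut open safe" alone moves the cheapest attack to "bribe owner", so a second safeguard is needed before "pick lock" becomes the attacker's best remaining option.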
