PROPOSED STRUCTURE FOR HIGH LEVEL SECURITY

ENHANCEMENT

Adnan G. Abuarafah Mohamed Osama Khozium

Faculty of Computer and Faculty of Computer and
Information Systems Information Systems
Umm Al-Qura University, Umm Al-Qura University,
Makkah, Saudi Arabia Makkah, Saudi Arabia
abuarafa@uqu.edu.sa Osama@khozium.com

ABSTRACT

The increasing technology trends has turned each infrastructure to its new hazards. Present
information policies designed are not readily equipped with up-to-date analysis or problems
suffered throughout networks. This paper addresses not only technical security issues but also
providing managerial solutions. It practically targets resources allocations keeping in new
management issues with its technical adoption to available parameters. This technical solution
provided; is strategic in its nature but with self assessment criteria. Now system reliability issues
with security complexities can be targeted effectively.

Keywords: Security Risks, Security Process Management, Security Assessment, Security Plans,
Security Model, Security Audit

1 INTRODUCTION
Every movement that comes to us bring new
challenges. Where as the rising slogan of IT has
brought new horizons to our attention. Today
continuous progress & service delivery has changed
business imperatives as IT security has become
integral part for any infrastructure.
Information technology continuous advancements has
open the number of possible security threats,
vulnerabilities and security incidents are even rising pace
despite efforts done by national or international level.
The current problems faced by organizations are not
only rising trends in information technology but there
unrealistic approach to coop with evolving
environment that has caused the world the loss of
billions of US dollars.
Here is some data from real world [2],[3]:
1.1 Computer fraud in the U.S. alone exceeds $3 billion
each year.
1.2 Less than 1% of all computer fraud cases are detected.
1.3 Over 90% of all computer crime goes unreported.
1.4 “Although no one is sure how much is lost to EFT
(Electronic Funds Transfer) crime annually, the
consensus is that the losses run in the billions of
dollars. Yet few in the financial community are
paying any heed.”
1.5 Average computer bank theft amounts to $1.5 million
each year.
Actually Probability of loss is not based upon
mathematical certainty; it is consideration of the
likelihood that a loss risk event may occur in the
future, based upon historical data, the history of like
events at similar enterprises, the nature of the
neighborhood, immediate vicinity, overall
geographical location, political and social conditions,
and changes in the economy, as well as other factors
that may affect probability.
All solutions still are necessary to manage the risk
options includes security measures available to reduce
the risk of the event. Equipment or hardware, policies
and procedures and management practices, and
staffing are the general categories of security related
options.
Where as service providers claming to protect with
help of sum of tools are providing unreliable results
and that has been caused by security programs that are
not extending its boundaries to combined approach
that is people, process and technologies [1].
Even inter departmental collaboration to manage
effective processes is not up to mark to achieve high
level of IT security across any organization.
The rest of the paper is organized as follows. The next
section provides overview on general threats, Section

-1-
 three highlights the sources of threats and possible
impacts. In section four the projected risk assessment
problem will be discussed. In section five we will
describe the proposed structure for security
assessment. Section six introduces the risk assessment
procedure, while section seven concludes the paper.
2 OVERVIEW ON GENERAL THREATS
A threat is a person, place, or thing that has the
potential to access resources and cause harm. Threats
can originate from two primary sources: humans and
catastrophic events. Human threats subsequently can
be broken down into two categories: malicious and
nonmalicious. Nonmalicious “attacks” usually come
from users and employees who are not properly
trained on computers and who are not aware of
various computer security threats. Malicious attacks
usually come from external people or disgruntled
current or ex-employees who have a specific goal or
objective to achieve [3],[7].
In fact there are literally hundreds of ways to
categorize threats, anyhow threats could be listed in
general as follows :
2.1 Human Error:
• Accidental destruction, modification,
disclosure, or incorrect classification of
information.
• Ignorance: Inadequate security awareness,
lack of security guidelines, lack of proper
documentation, lack of knowledge (e.g.
system administrators).
• Workload: too many or too few system
administrators. Highly pressurized users.
• Users may inadvertently give information on
security weaknesses to attackers.
• Incorrect system configuration.
• The security policy is not adequate.
• The security policy is not enforced.
• The security analysis may have omitted
something important, or be simply wrong!
2.2 Dishonesty : Fraud, theft, embezzlement, selling
of confidential corporate information.
2.3 Attacks By Social Engineering:
• Attackers may use the telephone to
impersonate employees to persuade users /
administrators to give username/passwords/
modem numbers etc.
• Attackers may persuade users to execute
Trojan horse programs.
2.4 Abuse of privileges / trust.
2.5 Unauthorized use of "open" terminals/PCs.
2.6 Mixing of test and production data or environments.
2.7 Introduction of unauthorized software or hardware.
2.8 Time bombs: software programmed to damage a
system on a certain date.
2.9 Operating System Design errors: Certain
systems were not designed to be highly secure (e.g.
PCs, many UNIX versions).
2.10 Protocol Design errors: Certain protocols were
not designed to be highly secure. Protocol
weaknesses in TCP/IP can result in:
• Source routing, DNS spoofing, TCP sequence
guessing and unauthorized access is achievable.
• hijacked sessions and Authentication session /
transaction replay are possible è Data is changed or
copied during transmission.
• Denial of service, due to ICMP bombing,
TCP_SYN flooding, large PING packets, etc.
2.11 Logic bomb: software programmed to damage a
system under certain conditions.
2.12 Viruses (in programs, documents and email
attachments).
3 SOURCES OF THREATS AND POSSIBLE IMPACTS :
3.1 Sources of threats [2]
a. Political espionage.
b. Commercial espionage. Since the end of
the cold war, the entire intelligence
community has undergone a significant
shift from classical east-against-west
spying to each-country-must-protect-its-
economy. Former KGB and CIA
employees are now working as freelance
commercial intelligence services. Sources
of such espionage are competitors
(domestic and international).
c. Employees:
• Disgruntled employees and (former)
employees.
• Bribed employees.
• Dishonest employees (possible at all
levels: from top management down).
ƒ System & security administrators are
"high-risk" users because of the
confidence required in them. Choose
with care.
d. Hackers:
• Beginners: know very little, use old,
known attack methods
• Braggers: Are learning a lot, especially
from other hackers. They seek
gratification by bragging about their
achievements
• Experts: High knowledgeable, self
reliant, inventive, try to be invisible.
They may provide tools/information to
the braggers to launch attacks, which
hide their own, more subtle attacks.
-2-
 e. Contractors / vendors who have access
(physical or network) to the systems.
f. Organized crime (with goals such as
blackmail, extortion etc.).
g. Private investigators, "mercenaries", "free
lancers".
h. . Law enforcement & government
agencies (local, national and
international), who may or may not be
correctly following legal procedures
i. Journalists looking for a good story.
3.2 Possible Impacts
Impacts are very business specific, depending
on the assets, the type of business, the current
countermeasures (IT infrastructure). Impacts
describe the effect of a threat. The impact
may also depend on the length of time that
business functions are disrupted.
The following is a list of some basic impacts,
that company may be subjected to :
• Disclosure of company secrets, disclosure
of customer data, disclosure of
accounting data.
• Modification of accounting data or
customer data.
• Attackers impersonating the company or it's
customers.
• Bad company publicity: hacker security
breaches publicized.
• Bad company publicity: customer
information modified/deleted/publicized.
• Bad division publicity: External attackers
used a particular division as an entry
point to the corporate network.
• Major disruption of business functions.
• Major disruption of the network.
• Fraud
• Loss of customer confidence (if the
disruption lasts for a longer period of
time, or occurs frequently, customers
would probably be lost).
• The company may be legally prosecuted
(negligence, breaking the law or
regulatory requirements)
• Reduction of quality of service
• Possible gains for competitors and thus loss
of revenue.
• The corporate network may be used as a
base by attackers for attacking other
sites.
• The corporate network may distribute
software containing attacker software.
• Electronic fraud
4 PROJECTED RISK ASSESSEMNET PROBLEM.
For effective risk management, sound business
decisions with continuous monitoring over assets and
all issues related to their sensitivity and criticality are
needed. Along with there associated assets proper
decisions are needed to work up risk management
plans that can have impact to departments and
organization’s environment as well [12] .
Today several standards adopted by national and
international are needed with all their classification
and to be managed with up to date continuous
coordinated directions for service providers. Here not
only technical but operational issues are also to be
targeted in well established way [4] .
Information management can provide continuity of
plans and collaborative IT security where availability
of critical services are always ensured to its maximum
level. For that organization has to apply self
assessment criteria for continuous planning so that
measured results can be inferred from resources; with
evolving security plans that can recognize and provide
remedial actions for the organizations [14] .
Information management plans can lead us
towards effective planning that enable us to audit
administrative and functional areas of IT in terms
of resources and finance concerned along with
positive reporting process [8] .
5 PROPOSED STRUCTURE FOR SECURITY
ASSESSMENT
Traditional approaches like intrusion detection system
generally detects unwanted manipulations of computer
systems, mainly through the Internet. The
manipulations may take the form of attacks by
crackers. But in our proposed approach we focus on
the behavior of the employee of the organization
themselves.
The following figures are included as example, to give
an idea what is going on in the real world [2],[3]:
• Common Causes of damage: Human Error
52%, Dishonest people 10%, Technical
Sabotage 10%, Fire 15%, Water 10% and
Terrorism 3%. Figure 1.
• Who causes damage? Current employees 81%,
Outsiders 13%, Former employees 6%.Figure 2.
-3-
 • Types of computer crime: Money theft 44%, 16%, Alteration of data 12%, Theft of services
Damage of software 16%, Theft of information 10%, Trespass 2%.

60
50
40
30
20
10
0
Human Dishonest Technical Fire Water Terrorism
Error People Sabotage

Figure.1 : The common causes of damage in security area

From sections 3 and 4 once the threats, impacts and 2. Continuous IT planning for technical &
corresponding risks have been listed and the operational tasks
constraints have been analyzed, the significant 3. Self Assessment mechanism
business risks (or weaknesses) will be more evident, 4. Audit Process planning
allowing a counter strategy to be developed. 5. Incident handling procedures
6. Information recovery methodology
The formulation of following steps can enhance 7. Back up of Data & Configuration
information security structure for any organization i.e. 8. Incident Impacts
1. Identify Security Deficiency 9. Future Security Visions
10. Quality measures for security

Outsiders
13%

Current
Former
Employees
Employees
81%
6%

Figure.2 : Types of employees who cause damage in security area

-4-
 Where as for any effective plan, senior management priority as mentioned or described by security advisors
should always be involved in implementation process as described in figure 4.
that bound ness can bring true strategy of
management.
Current infrastructure providing physical security
measures hasn’t proved to be adequate enough
because of potentially large scale undefined problems
can not be limited to few work stations. Security Departments IT Division End Users
safeguards needed to be improved via identification &
authentication where low risk environment prevails.
While considering security procedures access
privileges need to be monitored and controlled for
every level of access [5] . Security Privacy
Organizations have to apply departmental zones with
reference to security control and access mechanism.
As one key mechanism that is often neglected by
Figure-4 : Securing User’s Privacy
many organizations is continuous monitoring of
network traffic with all its available resources.
As shown in figure3, along with proper security
standards controlling is also ensured to identify
6 RISK ASSESSMENT PROCEDURE
security breaches, suspected or known security threats.
Organizational security plan can be adopted with
Risk assessment should take into account the potential
proper control mechanism that are
adverse impact on the organization reputation,
1. Physical access controls
operations and assets. Risk assessment should be
2. Device & media controls
conducted by teams composed of appropriate
3. Procedural controls
managers, administrators and all other personnel
With all its departments, organizations should evaluate
associated with those activities. [11]
risk assessment plans often after certain period of time as
Organizations need to adopt local notification
tools associated with security are not at halt. Where as
procedures which include reporting mechanism
organizations have to share their experiences for better
where as for disaster recovery plan should also specify
control as tools provided by venders some time are not
emergency procedures plan including system
focused regional issues [11].
documentation required for performing recovery.
All technical and operational environments should log
In many of organizations where proper systems hasn’t
the event in case any incident occur .Management plan
been deployed still missing corrective measures or
should qualify to access potential impact and proper
never considered in their security consideration need
identification of the system so to tackle this issue,
to apply recovery plans along with all possible
system control should be configured with best
strategic planning and that should not be limited to all
practices[4].
management decisions but communications and
actions should be properly recorded.
Management Security Plan
7 CONCLUSION

Information security issues can better be targeted if

effective risk management plans come into existence
as proposed in this paper that continuous planning
Creating Monitoring & along with standards can bring IT infrastructure where
Standards Risk
Awareness Controlling
& Policies Assessment processes are not only managed but effective control
along with audit can create awareness among humans
that can readily initiate action plans for best security
configuration [6], [10] .
Figure-3 : Information hierarchy for Security Implementation
We strongly address that beside physical security
All operational records associated with human’s measures following steps are needed for security
operations and service delivery should always include advancements both in management and technical
risk related to IT system with reference to their areas.
1. Promote a culture of security
-5-
 2. Raise awareness about the risk of Information [6] ISO/IEC 27002 " Code of practice for Information
systems Security Management", BSI Management
3. Enhance confidence level among all Systems, 2005.
participants in information system
4. Adopt the culture of cooperation and [7] MSSC, "Securing Widows 2000 server ",
information sharing Microsoft TechNet, 2006.
5. Conduct full risk assessment in accordance
with international accredited standards [8] Pfleeger, charles P., Security in Computing,
6. Coordination with departments for regular Prentice Hall,1989.
monitoring of all servers.
7. Develop action plans and milestone for
information security [9] Risk Management Group, "Sound Practices for
Management & Supervision of Operational Risk"
Bank for International Settlements (BIS), 2003.
REFERENCES
[10] Schwartz Mathew, " How to lower security
[1] Bishop Matt, " Introduction to computer security ", compliance costs ", IT compliance institute, June,
prentice hall PTR, 2004. 15, 2005.

[2] Boran Sean, "IT security cookbook", [11] Stoneburner G., Goguen A. and Fringa A., " Risk
linuxsecurity, 2003. Management Guide for Information Technology
Systems ", NIST special publication 800-30, July
2002.
[3] Devoney Chris, " Security in review : yesterday
and tomorrow ", Enterprise strategies newsletters,
esj.com, Dec., 18, 2007. [12] Swindle Orson, " Cybersecurity and Consumer
Data: What's at Risk for the Consumer? " Federal
Trade Commission, 2003.
[4] Glaessner Thomas, “Electronic Security: Risk
Mitigation in Financial IT Transactions”, The
World Bank, June 2002. [13] US President’s Information Technology Advisory
Committee,” Cyber Security Report”, Feb.2005.
[5] Higgins, John C., “National Training Standard for
Information Systems Security (INFOSEC) [14] Zamorski Michael, “Audit IT Examination
Professionals”, Proceedings of the 12th National Handbook” And “FFIEC Audit Examination
Computer Security Conference, June. 1994 Procedures”, US Federal financial Institutions
Examination Council. HB 49, Proc.27, 2003.

-6-