
Student Handbook – Security Analyst

Student Handbook

Security Analyst
SSC/ Q0901

Copyright (c) 2015

NASSCOM
4E-vandana Building (4th Floor)
11, Tolstoy Marg, Connaught Place
New Delhi 110 001, India
T 91 11 4151 9230; F 91 11 4151 9240
E ssc@nasscom.in
W www.nasscom.in

Disclaimer

The information contained herein has been obtained from sources reliable to NASSCOM.
NASSCOM disclaims all warranties to the accuracy, completeness or adequacy of such
information. NASSCOM shall have no liability for errors, omissions, or inadequacies, in the
information contained herein, or for interpretations thereof. Every effort has been made to trace
the owners of the copyright material included in the book. The publishers would be grateful for
any omissions brought to their notice for acknowledgements in future editions of the book.

No entity in NASSCOM shall be responsible for any loss whatsoever, sustained by any person who
relies on this material. The material in this publication is copyrighted. No parts of this report can
be reproduced either on paper or electronic media, unless authorized by NASSCOM.

Foreword
The Indian IT-ITeS industry has built its reputation in the global arena on several differentiators, chief
among them being the availability of manpower. Organizations across the world recognize the value India
brings to every engagement with its vast and readily available pool of IT professionals. Global entities have
found it extremely effective to leverage this significant resource in order to enjoy a competitive edge and
innovation benefits.
In the coming years, the landscape is expected to shift in ways that reveal more exciting opportunities.
The world will require people with advanced technology skills and domain knowledge, set against a
backdrop of heightened labour mobility across occupations and markets. India is largely acknowledged to
be heir apparent to the benefits of a demographic dividend over the coming decades, which has the
potential to see the nation emerge as one of the world’s largest population base of employable youth.
With many other countries set to face the effects of an aging and retirement-ready workforce, India is
poised to become a sought after destination for those seeking higher value add and specialized services.
Global markets are on their way towards revival and recovery, and this is well reflected in the proactive
recruitment measures taken by IT-ITeS organizations in India in recent times. India’s IT-BPM industry is on
track to achieve its target of USD 225 billion by 2020. From a base of about 3.1 million employees in
FY2014, the industry is expected to add another 2 million employees by 2020. Indirect employment
generated by 2020 is expected to be 3X the direct employment number, i.e. between 13 and 16 million.
To realize India’s potential of emerging as a skills hub of the world, a significant amount of foresight and
work is requisite. It is imperative that stakeholders engage in a concerted effort to undertake the
transformation of the labour pool estimated to enter the market into skilled and employable talent.
Enabling the creation of a future industry-ready cohort will give the IT-ITeS industry an edge in leadership
and sustainability.
One of the growing areas of global interest and concern is Information/ Cyber Security. This led to the
identification of the “hot skills” du jour, resulting in the formal creation of a Qualification Pack (QP) or job
role framework for the role of a Security Analyst. The QP is designed to capture the skills required by the
IT-BPM industry for an entry level position in this field.
To ensure the creation of an academic course that is both relevant and viable, IT-ITeS Sector Skills Council
NASSCOM (SSC NASSCOM) partnered with key industry stakeholders, including Cyber Eye Research,
Cypher Cloud, Deloitte, First American, HCL, HDFC, IBM, ISC2, Karvy Analytics, NIIT University, PwC,
Symantec, TCS, Wells Fargo, and the Data Security Council of India (DSCI) for design of the curricula and
courseware. In addition, the program addresses the need for faculty support, and achieves this by
acquainting trainers with the latest advancements in pedagogy.
We wish the universities and colleges all the very best in their endeavor.

R Chandrashekhar
President
NASSCOM

Acknowledgements
NASSCOM would like to thank its member company representatives within the Security Analyst Special
Interest Group (SIG) Council for believing in our vision to enhance the employability of the available
engineering student pool. SSC NASSCOM facilitates this by developing and enabling the implementation
of courses relevant to projected industry needs. The aim is to address two key requirements, of closing
the industry-academia skill gap, and of creating a talent pool that can reasonably weather future
externalities in the IT-BPM industry.
NASSCOM believes that this is an initiative of great importance for all stakeholders concerned – the
industry, academia, and the students. The tremendous amount of work and ceaseless support offered by
the members of this SIG in developing a meaningful strategy for the content and design of program
training materials has been truly commendable.
We would like to particularly thank Cyber Eye Research Labs, DSCI, First American, Karvy Analytics, and
Symantec for bringing much needed focus to this effort.
NASSCOM recognizes the fantastic contributions of Mr. Ram Ganesh at Cyber Eye Research labs; Mr.
Ashok Polapragada and Mr. Ranjit Kumar at Karvy Analytics; Mr. Dwaraka Ramana K at First American; Dr
Giri T at Cypher Cloud, Mr. Nanda Kumar Sarvade, Mr. Vinayak Godse and Mr. Aditya Bhatia at DSCI.
We acknowledge with sincere gratitude the immense contribution of the SIG member companies,
Deloitte, HCL, HDFC, IBM, ISC2, NIIT University, PwC, Symantec, TCS, Wells Fargo for their part in the
creation of this course and its accompanying training materials.

We extend our thanks to PROGILENCE Capability Development Pvt. Ltd. for producing this course
publication.

Dr Sandhya Chintala

Executive Director – Sector Skill Council


Vice President - NASSCOM

JOB ROLE: Security Analyst (Information/System Security Analyst/Engineer)

OCCUPATION: Information Security

Brief Job Description: Individuals at this job are responsible for protecting information and information
systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection,
recording, or destruction. They also need to ensure the confidentiality, integrity and availability of data to
the 'right' users within/outside of the organization.

Personal Attributes: This job may require the individual to work independently and take decisions for
his/her own area of work. The individual should be result oriented and have a high attention to detail.
The individual should also be able to demonstrate communication skills, logical thinking along with
willingness to undertake desk-based job with long hours.
ABOUT THE QUALIFICATION
The qualification SSC/Q0901 is part of the IT-ITeS Sector and the IT Services sub-sector. The qualification
is at level 7 on the National Skills Qualification Framework (NSQF).
The eligibility requirements and the National Occupational Standards applicable to this qualification are
listed below.

NSQF level: 7
Minimum Educational Qualification: Diploma in Engineering or any graduate course
Maximum Educational Qualification: Bachelor's Degree in Science/Technology/Computers
Training (suggested but not mandatory): Certification in Information Systems or related fields; basic soft
skills training
Experience: 0-2 years of work experience/internship in security
Applicable National Occupational Standards (NOS):
Compulsory:
1. SSC/N0901 (Contribute to managing information security)
2. SSC/N0902 (Co-ordinate responses to information security incidents)
3. SSC/N0903 (Install and configure information security devices)
4. SSC/N0904 (Contribute to information security audits)
5. SSC/N0905 (Support teams to prepare for and undergo information security audits)
6. SSC/N9001 (Manage your work to meet requirements)
7. SSC/N9002 (Work effectively with colleagues)
8. SSC/N9003 (Maintain a healthy, safe and secure working environment)
9. SSC/N9004 (Provide data/information in standard formats)
10. SSC/N9005 (Develop your knowledge, skills and competence)
Optional: Not Applicable

Classroom and Lab Requirements


1. PCs/Tablets/Laptops
2. Labs availability (24/7)
3. Internet with WiFi (Min 2 Mbps Dedicated)
4. Networking Equipment- Routers & Switches
5. Firewalls and Access Points
6. Access to all security standards sites like ISO, PCI DSS
7. Commercial tools like HP WebInspect, IBM AppScan, etc.
8. Open-source and free-to-use tools like sqlmap, Nmap, Metasploit Community Edition, Nessus, etc.
(note that Nessus is proprietary; its free edition is licensed for non-commercial use only)
9. Anti-Virus and Anti-Spam software
10. Security templates from various sites ITIL, ISO, etc.
11. Projection facilities

The above equipment has to be made available for classwork and for research work in non-class hours.
The equipment has to have relatively high speed and current OS and other software applications.

Students need to have adequate number of terminals for individual use for adequate number of hours.

The equipment needs to be installed in keeping with all health and safety measures. Any routine
breakdowns should be promptly addressed.

JNTUH Syllabus mapped to the Facilitator and Students Guide


Topics Student Manual Page No.

Unit I - Information Security Management


Information Security Overview 21-28
Threats and Attack Vectors 37 - 46
Types of Attacks 38
Common Vulnerabilities and Exposures (CVE) 55
Network Security Attacks 47
Fundamentals of Information Security 61-76
Computer Security Concerns 65
Information Security Measures 66-68

Unit II - Fundamentals of Information Security 55


Key Elements of Networks 61
Logical Elements of Network 61
Critical Information Characteristics 65
Information States 65

Unit III - Data Leakage 83


What is Data Leakage 83
Statistics 85, 100-101
Data Leakage Threats 83
Reducing the risk of data loss 86-97
Key Performance Indicators (KPI)
Database Security etc., 91

Unit IV - Information Security Policies, Procedures and Audits 109


Information Security Policies 109
- Necessity 103-104
- Key Elements 109-110
- Characteristics 113
Security Policy Implementation, Configuration 114
Security Standards 117
Security Guidelines & Frameworks etc., 117-141

Unit V - Information Security Management - Roles & Responsibilities 153
Security Roles and Responsibilities 153-156
Accountability 155
Roles and Responsibility of Information Security Management 153-156
Team responding to emergency situation 156
Risk Analysis Process 175-180

Table of Contents
An Introduction: The industry, sub-sector, occupation and career …17

1. SSC/ N 0901: Contribute to managing information security …29

i. Information Security and Threats


ii. Fundamentals of Information Security
iii. Data Leakage and Prevention
iv. Information Security Policies, Procedures, Standards and Guidelines
v. Information Security Management – Roles and Responsibilities
vi. Information Security Performance Metrics
vii. Risk Assessment
viii. Configuration Review
ix. Device Log Correlations
x. Data Backup

2. SSC/N 0902: Coordinate responses to information security incidents …243

i. Incident response overview


ii. Incident Response – Roles and Responsibilities
iii. Incident Response Process
iv. Handling Malicious Code Incidents
v. Handling Network Security Incidents

3. SSC/ N 0903 Install, configure and troubleshoot information security devices …325

i. Configuring Network Devices


ii. Configuring Secure Content Management
iii. Configuring Firewall
iv. Troubleshooting Cisco IOS Firewall Configurations
v. Cisco IOS Firewall IDS
vi. IPS Configuration
vii. Anti-virus and Antispam Software
viii. Web Application Security Configuration
ix. Patch Management

4. SSC/ N 0904: Contribute to information security audits

SSC/ N 0905: Support teams to prepare for and undergo information security audits …551

i. Information Security Audit


ii. Work and Work Environment
iii. Information Security Auditor
iv. Vulnerability Analysis

v. Penetration Testing
vi. Information Security Audit Tasks
vii. Audit Reports and Actions
viii. Audit Support Activities

5. SSC/ N 9001: Manage your work to meet requirements …703

i. Understanding scope of work and working within limits of authority


ii. Work and work environment
iii. Maintaining confidentiality

6. SSC/ N 9002: Work effectively with colleagues …733

i. Effective Communication
ii. Working Effectively

7. SSC/ N 9003: Maintain a healthy, safe and secure working environment …753

i. Need For Health and Safety at Work


ii. Security Analyst’s role
iii. Emergency Situations
iv. Skills for Maintaining Health and Safety at Work

8. SSC/ N 9004: Provide data/information in standard formats …791

i. Information and Knowledge Management


ii. How to manage data/ information effectively
iii. Skills required to manage data and information effectively
iv. Performance Evaluation Criteria for an Information Security Analyst

9. SSC/ N 9005: Develop knowledge, skills & competence …817

i. Importance of Self-Development
ii. Knowledge and Skills Required for the Job
iii. Avenues of Self-Development
iv. Planning for Self-Development

Annexures …831
1. Security Assessment Template
2. Case studies

An Introduction:
The Industry, Sub-sector, Occupation &
Career

UNIT I: An Overview of the IT-BPM Industry


UNIT II: An Overview of the IT Services Sub-Sector
UNIT III: About Information Security and its Roles

INTRODUCTION
The Industry, Sub-sector, Occupation
& Career

This Unit covers:

 Lesson Plan
 Resource Material
1.1. An Overview of the IT-BPM Industry
1.2. An Overview of the IT Services Sub-Sector
1.3. About Information Security and its Roles

LESSON PLAN

Outcomes
You need to know and understand:
 A General Overview of the IT-BPM Industry
 The organisations within the IT-BPM Industry
 The sub-sectors within the IT-BPM Industry
 General Overview of the IT Services Sub-Sector
 Profile of the IT Services Sub-Sector
 Key Trends in the IT Services Sub-Sector
 Roles in the IT Services Sub-Sector
 General Overview of Information Security and its Roles
 Career Map for Information Security

Performance Ensuring Measures
1. Give a brief description of the IT-BPM Industry
2. List the types of organisations within the IT-BPM Industry
3. Research and provide some names of each type
4. State the sub-sectors within the IT-BPM Industry
5. Give a brief description of the IT Services Sub-sector
6. List the key trends in the IT Services Sub-sector
7. List the roles in the IT Services Sub-Sector
8. Give a brief description of Information Security and its Roles
9. Describe the Career Map for Information Security Personnel

Duration (Hrs)
2 Hrs in-class assessment and 2 Hrs offline research and learning activity

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
Training Resource Material

1.1. An Overview of the IT-BPM Industry

General Overview
The Information Technology – Business Process Management (IT-BPM) industry has been fuelling
India's growth story. In addition to contributing to the country's Gross Domestic Product (GDP) and
exports, the industry has played a big role in influencing the socio-economic parameters across the
country.
The industry has helped provide employment and a good standard of living to millions. It has placed
India on the world map with an image of a technologically advanced and a knowledge-based economy.
Growth of the IT-BPM industry has provided India with a wide range of economic and social benefits
which includes creating employment, raising income levels, promoting exports and significantly
contributing to the GDP of the country.
This sector attracts amongst the largest investments by venture capitalists and has been credited with
enabling the entrepreneurial ventures of many, in the country.
The IT-BPM industry has almost doubled in terms of revenue and contribution to India's GDP over the
last six years.

Organizations within the IT-BPM Industry


The organisations within the IT-BPM Industry are categorised along the following parameters:
 Sector the organisation is serving
 Type as well as range of offering the organisation provides
 Geographic spread of operations and
 Revenues and size of operations
A broad structure of the Industry based on the parameters identified in the Indian context is
represented below:

Multi-national Companies (MNCs):


MNC organisations have their headquarters outside India but operate in multiple locations
worldwide, including those in India. They cater to external clients (both domestic and/or global).

Indian Service Providers (ISPs):


ISPs are organisations that have started with their operations in India. Most of these organisations
would have their headquarters in India, while having offices at many international locations.
While most have a client base which is global as well as domestic, there are some that have focussed
on serving only the Indian clients.

Global In-house Centres (GIC):
GIC organisations cater to the needs of their parent company only and do not serve external clients.
This model allows the organisation the option to keep IT Operations in-house and at the same time,
take advantage of expanding their global footprint and offering opportunities for innovation in a cost-
effective manner.

Sub-Sectors within the IT-BPM Industry


The IT-BPM industry has four sub-sectors as listed in the subsequent figure.

Figure: Sub-Sectors in the IT-BPM Industry

IT Services (ITS):
 Custom Application Development (CAD)
 Hardware Deployment and Support
 Software Deployment and Support
 IT Consulting
 System Integration
 Information Systems Outsourcing
 Software Testing
 Network Consultation and Integration
 Education and Training

Business Process Management (BPM):
 Customer Interaction and Support (CIS)
 Finance and Accounting (F&A)
 Human Resource Management (HRM)
 Knowledge Services
 Procurement and Logistics

Engineering and R&D (ER&D):
 Embedded Services
 Engineering Services

Software Products (SPD):
 Product Development

1.2. An Overview of the IT Services Sub-Sector

General Overview
The IT-BPM market, worth USD 118 billion in India in FY2014, is a leading contributor to the services
industry in India with respect to employment and revenue.
It accounts for 38 per cent of the country's total services exports and contributes 8.1 per cent of
India's GDP. It also accounts for INR 1,911 billion in FY2014. The IT Services sub-sector is a major
contributor to the overall IT-BPM Industry.
IT Services (ITS) sub-sector offers services to create and manage information for business functions
through host of activities that include consulting, systems integration, IT outsourcing / managed
services / hosting services, training and support/ maintenance.
The sub-sector has evolved as a major contributor to India's GDP and plays a vital role in driving
economic growth in terms of employment, export promotion and revenue generation.

Figure: IT Services Sub-sector - A Snapshot
 1.5 million: the number of people directly employed in the ITS sub-sector
 > 14%: growth in IT services exports in FY 2014
 1600+: number of organisations in the ITS sub-sector
 1: India's position in the global IT landscape
 USD 52 billion: total ITS sub-sector export revenues in FY 2014
 60%: total contribution of the ITS sub-sector to industry exports
 9.7%: growth of the ITS sub-sector in INR terms in the domestic market in FY 2014

The worldwide IT Services market stood at USD 655 billion in 2013. The Indian IT Services exports form
the largest and fastest growing segment of the IT services with a growth rate of >14 per cent in FY
2014. IT Services export constituted over half of the entire export of the IT Industry. Even within the
domestic market, IT services is the fastest growing segment in the Indian domestic market, growing
by 9.7 per cent to reach INR 727 billion, driven by IS outsourcing, cloud services and increasing
adoption from all customer segments – government, enterprise, consumers and small and medium

businesses. There are over 1600 companies providing IT services in the country with the top 5
comprising around 60 per cent of the total revenue from the industry.
The sub-sector has established a record as a major contributor to the country's GDP as well as
penetrated into many large sectors - established as well as upcoming like healthcare, media, education
and retail. This has ensured that the sub-sector is a field in demand, both in the present and the future.
With an increased focus on optimising efficiencies, companies in all the sectors see value in leveraging
IT to manage their business better and are increasing their IT investments.
The wide scope of the services in this sub-sector creates a requirement for a large variety of skills. This
is reflected in the range of opportunities available for building a career in IT Services to a varied group of
people, and the industry continues to be amongst the most sought-after for many young and aspiring
individuals.

Profile of the IT Services Sub-Sector


Vertical Profile:
BFSI is the largest driver in this space claiming half of the entire IT Services export. Other industry
verticals like Healthcare, Retail and Media have started making big investments in IT services and are
turning into key verticals for the IT Services sub-sector.
An illustrative view of the vertical and horizontal profiles is shown below.

Figure 3: Contribution of Areas in the IT-BPM Industry (FY 2014)

The IT Services sub-sector started off in India with a focus on basic application development and
maintenance. The sub-sector has now grown and includes significant footprints in traditional
segments which include custom application development, application management, IS outsourcing
and software testing.
With time, the sector has expanded to provide end-to-end IT solutions and includes consulting, testing
services, infrastructure services and system integration in the offering.
In its early years, the IT Services sub-sector served mostly the North American market, and continued to do so until the 1990s.
While North America continues to be a major importer of Indian IT services, the sub-sector has
witnessed entry into other markets, in order to mitigate risk as well as to expand markets thus

servicing clients in a greater number of geographical areas like Latin America, the Asia Pacific and
Europe.
The client base in these markets is a healthy mix between BFSI, Manufacturing, Retail, Telecom and
all key Industry verticals.

Key Trends in the IT Services Sub-Sector

Figure 5: Trends in the IT Services Sub-Sector

The IT-BPM industry is standing at a watershed moment in its history. In FY 2014, the industry achieved
a stellar landmark by crossing USD 118 billion in revenues. However, with the industry slowly reaching
a stage of maturity and with a business model closely aligned to exports, it faces the brunt of the
economic shake-up like the one observed in 2008, which redefined the economic order amongst
nations.
While the recovery has gathered pace in the last few months, companies are becoming increasingly
conscious that in the globally connected world, the “new normal” will be characterised by business
volatility. The ups and downs will be more frequent and companies need to learn how best to manage
this volatility.

Occupations and tracks within the IT Services Sub-Sector

1.3. General Overview of Information Security

Information Security is concerned with protecting information and information systems from unauthorised
access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction. The core
function of this occupation is to ensure the confidentiality, integrity and availability of data to the 'right'
users within/outside of the organisation.
Application Security: Application Security roles are responsible for ensuring stable and secure
functioning of the applications. Application Security professionals perform the following functions in
an organisation:
 Knowing threats
 Securing the network, host and application
 Incorporating security into the software development process

Risk, Audit and Compliance


Risk Management roles are responsible for assessing, measuring, and managing the information security
risks of an organisation.
These roles conduct assessments for security threats and vulnerabilities, determine deviations from
acceptable pre-defined configurations and from enterprise or local policy, assess the level of risk, and
develop and/or recommend appropriate mitigation countermeasures in operational and non-operational
situations.
Key responsibilities also include measuring the maturity of an organisation to ensure that proper
security controls are incorporated when developing and running information security systems. These
roles also perform scheduled/unscheduled audits of the organisation's security systems and processes
and ensure compliance.

Security Testing
Security Testing involves devising testing standards and test cases for the confidentiality, integrity,
authentication, availability, authorisation and non-repudiation of information. Security Testing
professionals perform scheduled and ad hoc tests to assess the vulnerability and/or safety of an
organisation's information systems.

Incident Management
Incident Management roles work towards restoring normal service operations in an organisation to
minimise the adverse effect on business operations, thus ensuring that the best possible level of
service quality and availability is maintained.
Incident management professionals manage and protect computer assets, networks and information
systems to answer the key question "what to do, when things go wrong".

Business Continuity Management/Disaster Recovery (BCP/DR)
BCP/DR roles are responsible for improving system availability and for integrating IT operational risk
management strategies for an organisation. Their responsibilities include:
 Development, implementation, testing, and maintenance of the business continuity management plan
 Recommendation and proof of concept for recovery options
 Assessments and audits for BCP/DR
Network Security
Network Security roles are responsible for defining and implementing overall network security that
includes baseline configuration, change control, security standards and process implementation.

Privacy
Privacy roles are responsible for defining and managing data/information/IP policies etc. for an
organisation. These roles require knowledge of information security norms and data privacy norms
and regulations. Privacy professionals help define and implement privacy standards and build privacy
awareness to protect an organisation's information assets.

Note on the Information Security occupation:
Information Security related job roles may be performed in any of the following set-ups:
 Consulting
 Managed Services
 Internal function within the organisation
In each of these set-ups, the essential functions and the highlighted tracks remain the same; however,
the delivery style, and hence the skills required, vary slightly depending upon the set-up.

IT Forensics
IT Forensics roles collect, process, preserve, analyse and present computer-related evidence in
support of network vulnerability mitigation, and/or criminal, fraud, counter-intelligence or law-
enforcement investigations.

Student Handbook– Security Analyst SSC/N0901

SSC/ N 0901:
Contribute to Managing Information Security

UNIT I: Information Security and Threats


UNIT II: Fundamentals of Information Security
UNIT III: Data Leakage
UNIT IV: Information Security Policies, Procedures, Standards and Guidelines
UNIT V: Information Security Management – Roles and Responsibilities
UNIT VI: Information Security Performance Metrics
UNIT VII: Risk Assessment
UNIT VIII: Configuration Review
UNIT IX: Device Log Correlation
UNIT X: Data Backup

Unit Code: SSC/N0901
Unit Title (Task): Contribute to managing information security
Description: This unit is about carrying out specified tasks as part of a team working to ensure
information security.
Scope: This unit/task covers the following:

Information security includes:
 Identity and Access Management (IdAM)
 Physical security
 Networks (wired and wireless)
 Devices
 Endpoints/ edge devices
 Storage devices
 Servers
 Software
 Applications security
 Content management
 Messaging
 Web security
 Security of infrastructure
 Infrastructure devices (e.g. routers, firewall services)
 Computer assets, server and storage networks
 Messaging
 Intrusion detection/ prevention
 Security incident management
 Third party security management
 Personnel security requirements

Back-ups include:
 Validation
 Tracking
 Consolidation
 Replication
 Configuration
 Logs
 Devices
 Applications
 Software

Appropriate people:
 Line manager
 Members of the security team
 Subject matter experts

Performance Criteria (PC) w.r.t. the Scope
To be competent, you must be able to:
PC1. establish your role and responsibilities in contributing to managing information security.

PC2. monitor systems and apply controls in line with information security policies, procedures and
guidelines.
PC3. carry out security assessment of information security systems using automated tools.
PC4. carry out configuration reviews of information security systems using automated tools, where
required.
PC5. carry out backups of security devices and applications in line with information security policies,
procedures and guidelines, where required.
PC6. maintain accurate daily records/ logs of information security performance parameters using
standard templates and tools.
PC7. analyze information security performance metrics to highlight variances and issues for action by
appropriate people.
PC8. provide inputs to root cause analysis and the resolution of information security issues, where
required.
PC9. update your organization's knowledge base promptly and accurately with information security
issues and their resolution.
PC10. obtain advice and guidance on information security issues from appropriate people, where
required.
PC11. comply with your organization's policies, standards, procedures and guidelines when contributing
to managing information security.

Knowledge and Understanding (K)

A. Organizational Context (knowledge of the company/organization and its processes)
You need to know and understand:
KA1. your organization's policies, procedures, standards and guidelines for managing information
security.
KA2. your organization's knowledge base and how to access and update the same.
KA3. limits of your role and responsibilities and who to seek guidance from.
KA4. the organizational systems, procedures and tasks/ checklists within the domain and how to use
the same.
KA5. how to analyze root causes of information security issues.
KA6. how to carry out information security assessments.
KA7. how to carry out configuration reviews.
KA8. how to correlate devices and logs.
KA9. different types of automation tools and how to use them.
KA10. how to access and analyze information security performance metrics.
KA11. who to involve when managing information security.
KA12. your organization's information security systems and tools and how to access and maintain them.
KA13. standard tools and templates available and how to use the same.

B. Technical Knowledge
The user/ individual on the job needs to know and understand:
KB1. fundamentals of information security and how to apply them, including:
 networks
 communication
 application security
KB2. different types of backups for security devices and applications and how to carry out backups.
KB3. common issues and variances of performance metrics that require action and whom to report
these to.
KB4. how to identify and resolve information security vulnerabilities and issues.

The Units
The module for this NOS is divided into ten units based on the learning objectives as given below:
UNIT I: Information Security and Threats
1.1. Information Security
1.2. Information Assets & Threats
UNIT II: Fundamentals of Information Security
2.1. Elements of information security
2.2. Principles and concepts – data security
2.3. Types of controls
UNIT III: Data Leakage
3.1 Introduction – Data Leakage
3.2 Organisational Data Classification, Location and Pathways
3.3 Content Awareness
3.4 Content Analysis Techniques
3.5 Data Protection
3.6 DLP Limitations
3.7 DRM-DLP Conundrum
UNIT IV: Information Security Policies, Procedures, Standards and Guidelines
4.1. Information Security Policies
4.2. Key Elements of a Security Policy
4.3. Security Standards, Guidelines and Frameworks
4.4. Laws, Regulations and Guidelines
UNIT V: Information Security Management – Roles and Responsibilities
5.1. Information and Data Security Team Structure
5.2. Security Incident Response Team
UNIT VI: Information Security Performance Metrics
6.1. Introduction – Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring Systems
UNIT VII: Risk Assessment
7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring
UNIT VIII: Configuration Reviews
8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores
UNIT IX: Log Correlation and Management
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response
UNIT X: Data Backup
10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy


UNIT I
Information Security and Threats

This unit covers:

• Lesson Plan
• 1.1. Information Security
• 1.2. Information Assets & Threats (Virus, Worms, Trojans, Other
Threats, Network Attacks)


Lesson Plan

Outcomes | Performance Ensuring Measures | Work Environment/ Lab Requirement

Outcomes: To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security
policies, procedures and guidelines.
Performance Ensuring Measures: Peer group, faculty group and industry experts evaluation.
Work Environment/ Lab Requirement:
• PCs/ tablets/ laptops
• Projection facilities

Outcomes: You need to know and understand:
KA4. the organizational systems, procedures and tasks/ checklists within the
domain and how to use them.
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
Performance Ensuring Measures:
KA4, KA5. Peer group, faculty group and industry experts’ evaluation.
KB1 - KB4. Group and faculty evaluation based on anticipated outcomes. Reward
points to be allocated to groups.
Work Environment/ Lab Requirement:
• PCs/ tablets/ laptops
• Availability of labs (24/7)
• Internet with Wi-Fi (min 2 Mbps dedicated)
• Access to all security sites like ISO, PCI DSS, Centre for Internet Security etc.


Lesson

1.1 Introduction – Information Security


With the pervasive growth and use of digital information, much of which is confidential, there has also
been growth in incidents of information theft, including cyber attacks by hackers. This has happened
both in governments and in private companies. This has necessitated the position of information
security analyst.
Those who work as information security analysts are responsible for keeping information safe from
data breaches using a variety of tools and techniques. Information security analysts protect
information stored on computer networks, in applications etc. They do this with special software that
allows them to keep track of who can access and who has accessed data. Also, they may
perform investigations to determine whether or not data has been compromised, the extent of it and
related vulnerabilities.
• Someone at an entry level position may operate the software to monitor and analyze
information.
• At senior level positions, one may carry out investigative work to determine whether a security
breach has occurred.
• At higher levels people design systems and architecture to address these vulnerabilities.
The field of information security has seen significant growth in recent times, and the number of job
opportunities in this area is likely to increase in the near future. Recent incidents of information theft
from large companies like Target, Sony and Citibank have shown the risks and challenges of this field
and underline the growing need for information security and for professionals in this field. We are
now witnessing a rising background level of data leakage from governments, businesses and other
organisations, families and individuals.
A large part of an information security analyst’s work involves monitoring data use and access on a
computer network.
Security analysts focus on three main areas:
1. risk assessment (identifying risks or issues an organization may face)
2. vulnerability assessment (determining an organization’s weaknesses to threats)
3. defense planning (designing the protection architecture and installing security systems such
as firewalls and data encryption programs)

Information security analysts can find themselves working with IT companies, financial and utility
companies and consulting firms. They may also find positions with government organizations. Any
company or organization with data to protect may hire information security analysts, so they could
find themselves working at a wide variety of different institutions. A number of companies operate
‘Security Operation Centres (SOCs)’ for carrying out data security services for captive or client
services.

Why information security?


With the pervasive growth and use of digital information, much of which is confidential,
there has also been growth in incidents of information theft, including cyber-attacks by
hackers. This has happened both in governments and in private companies. This has
made it necessary to keep information safe from data breaches using a variety of
tools and techniques.

Role of a security analyst in information technology


• Protect information and information systems from unauthorized access, use, disclosure,
disruption, modification, perusal, inspection, recording or destruction.
• Perform investigations to determine whether or not data has been compromised, the extent
of it and related vulnerabilities.
• Ensure the confidentiality, integrity and availability of data to the 'right' users within/ outside
of the organization.
• Risk assessment (identifying risks or issues an organization may face).
• Vulnerability assessment (to determine an organization’s weaknesses to threats).
• Defense planning (designing the protection architecture and installing security systems such
as firewalls and data encryption programs).


Major Skills of Security Analyst
• Understanding security policy
• Data & Traffic Analysis
• Identifying Security Events –> How & when to alarm
• Incident Response

Foundation and Background
• Network infrastructure knowledge
• Diverse device configuration ability
• Security configuration knowledge
• Data management & teamwork

Challenges for Security Analyst
• Not tied to a product or solution
• Complex knowledge – no single process or product solution is always the correct one
• A diverse set of skills is needed


1.2 Information Assets & Threats

Security concerning IT and information is normally divided into three categories to facilitate the
management of information:

Confidentiality: prevention of unauthorized disclosure or use of information assets.
Integrity: prevention of unauthorized modification of information assets.
Availability: ensuring authorized access to information assets when required, for the duration
required.

Threats to information assets


Risk is the potential for a threat to materialise, and the process of understanding and responding to
factors that may lead to a failure in the confidentiality, integrity or availability of an information
system constitutes risk management. The key concerns in information asset security are:

• theft
• fraud/ forgery
• unauthorized information access
• interception or modification of data and data management systems

The above concerns materialise in the event of a breach caused by exploitation of a vulnerability.

Vulnerabilities
Vulnerability is a weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited or triggered by a threat source.
‘Threat agent or actor’ refers to the intent and method targeted at the intentional exploitation
of the vulnerability or a situation and method that may accidentally trigger the vulnerability.
A ‘threat vector’ is a path or a tool that a threat actor uses to attack the target.
‘Threat targets’ are anything of value to the threat actor such as PC, laptop, PDA, tablet, mobile
phone, online bank account or identity.


Threat classification
Microsoft has proposed a threat classification called STRIDE from the initials of threat categories:
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure (privacy breach or data leak)
• Denial of Service (DoS)
• Elevation of privilege

Threat agents (individuals and groups) can be classified as follows:


• Non-target specific: non-target specific threat agents are computer viruses, worms, Trojans
and logic bombs.
• Employees: staff, contractors, operational/ maintenance personnel or security guards who are
annoyed with the company.
• Organized crime and criminals: criminals target information that is of value to them, such as
bank accounts, credit cards or intellectual property that can be converted into money.
Criminals will often make use of insiders to help them.
• Corporations: corporations are engaged in offensive information warfare or competitive
intelligence. Partners and competitors come under this category.
• Unintentional human error: accidents, carelessness etc.
• Intentional human error: insider, outsider etc.
• Natural: flood, fire, lightning, meteor, earthquakes etc.

Types of attacks
• Virus
A virus is a malicious program able to inject its code into other programs/ applications or data files,
and the targeted areas become "infected". A virus is installed without the user's consent and
spreads in the form of executable code transferred from one host to another. Types of viruses
include resident virus, non-resident virus, boot sector virus, macro virus, file-infecting virus (file-
infector), polymorphic virus, metamorphic virus, stealth virus, companion virus and cavity virus.
• Worm
A worm is a category of malicious program that exploits operating system vulnerabilities to spread
itself. In its design a worm is quite similar to a virus and is even considered a sub-class of it. Unlike
viruses, though, worms can reproduce/ duplicate and spread by themselves; during this process a
worm does not need to attach itself to any existing program or executable. Different types of worms,
based on their method of spread, are email worms, internet worms, network worms and multi-vector
worms.
• Trojan
Computer Trojans or Trojan horses are named after the mythological Trojan horse owing to the
similarity in operation strategy. Trojans are a type of malware that masquerades as a non-malicious,
even useful, application but actually damages the host computer after its installation. Unlike
viruses, Trojans do not self-replicate; they rely on end-user intervention to install.

Types of Virus
Depending on the virus "residence", we can classify viruses in the following way:
• Resident virus - a virus that embeds itself in the memory of a target host. In this way it is
activated every time the OS starts or executes a specific action.
• Non-resident virus - when executed, this type of virus actively seeks targets for infection on
local, removable or network locations. After infecting them it exits, so it does not remain
resident in memory.
• Boot sector virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
• Macro virus - a virus written in a macro language and embedded in Word, Excel, Outlook etc.
documents. This type of virus is executed as soon as the document that contains it is opened,
because macro execution within those documents is automatic under normal circumstances.
Another classification of viruses results from their characteristics:
• File-infecting virus (file-infector) – this is the classic form of virus. When the infected file is
executed, the virus seeks out other files on the host and infects them with malicious code. The
malicious code is inserted either at the beginning of the host file code (prepending virus), in the
middle (mid-infector) or at the end (appending virus). A specific type of virus called a "cavity
virus" can even inject the code into gaps in the file structure itself. The entry point of the file is
changed to the start of the virus code to ensure that it runs when the file is executed; afterwards
control may or may not be passed on to the original program. Depending on the infection routine,
the host file may become corrupted and completely non-functional. More sophisticated viral
forms let the host program execute normally while trying to hide their presence completely (see
polymorphic and metamorphic viruses).
• Polymorphic virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

• Metamorphic virus - this virus is capable of rewriting its own code with each infection. The
rewriting process may make each infection look different, but the functionality of the code
remains the same. The metamorphic nature of this virus type makes it possible to infect
executables from two or more different operating systems or even different computer
architectures. Metamorphic viruses are among the most complex in construction and very
difficult to detect.
• Stealth virus - a memory-resident virus that uses various mechanisms to avoid detection. This
avoidance can be achieved, for example, by removing itself from infected files and placing a
copy of itself in a different location. The virus can also maintain a clean copy of the infected files
and hand that to the antivirus engine for scanning while the infected version remains
undetected. Furthermore, stealth viruses actively conceal any traces of their activities and the
changes made to files.
• Armored virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
• Multipartite virus – this attempts to attack both executable files and the master boot record of
the drive at the same time. This type may be tricky to remove: even when the executable part is
cleaned, it can re-infect the system all over again from the boot sector if that was not cleaned
as well.
• Camouflage virus – this virus type is able to present itself as a harmless program to antivirus
software. Where the virus has code similar to that of legitimate, non-infected files, the antivirus
application is tricked into treating it as the legitimate program. This works only against basic
signature-based antivirus software. Nowadays antivirus solutions have become more elaborate,
and camouflage viruses are quite rare and not a serious threat because of the ease of their
detection.
• Companion virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
• Cavity virus - unlike traditional viruses, the cavity virus does not attach itself to the end of the
infected file but instead uses the empty spaces within the program file itself (which exist there
for a variety of reasons). This way the length of the program code is not changed and the virus
can more easily avoid detection. In most cases the injection of the virus does not impact the
functionality of the host file at all. Cavity viruses are quite rare, though.
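The cavity virus description above notes that keeping the file length unchanged helps it avoid detection. As an added example (not part of the handbook), the following Python script builds a file-integrity baseline over constructed sample files and shows that a size-only check misses an in-place modification while a SHA-256 digest comparison reports it, whereas an appending modification trips both checks.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not from the handbook): a minimal file-integrity baseline that
# records both the size and the SHA-256 digest of each file. It illustrates why
# monitoring only file sizes is a weak control: an in-place overwrite of padding
# bytes (the "cavity" technique described above) leaves the size unchanged, so
# only the digest comparison reports it, while an appended modification (the
# "appending" file-infector case) changes both. All files are constructed here.


def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative path) to its size and digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"size": path.stat().st_size, "sha256": sha256_of(path)}
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """Report size changes, content changes, and added or missing files."""
    current = build_baseline(root)
    report = {"size_changed": [], "hash_changed": [], "added": [], "missing": []}
    for rel, record in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        if current[rel]["size"] != record["size"]:
            report["size_changed"].append(rel)
        if current[rel]["sha256"] != record["sha256"]:
            report["hash_changed"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return report


def demo() -> dict:
    """Constructed scenario: one file patched in place, one file appended to."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Stand-in "program" with a run of zero padding (a cavity) in the middle.
        cavity_prog = root / "app.bin"
        cavity_prog.write_bytes(b"HEADER" + b"\x00" * 64 + b"CODE")
        append_prog = root / "lib.bin"
        append_prog.write_bytes(b"HEADER" + b"CODE")
        (root / "readme.txt").write_text("unchanged file\n")
        baseline = build_baseline(root)

        # In-place overwrite inside the padding: length stays exactly 74 bytes.
        with cavity_prog.open("r+b") as handle:
            handle.seek(6)
            handle.write(b"PATCHED-IN-PLACE")
        # Appended bytes: length grows, so even a size check notices this one.
        with append_prog.open("ab") as handle:
            handle.write(b"EXTRA")
        return compare(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In a real deployment the baseline would be stored off-host and signed, since a stealth virus that can serve a clean copy to the scanner could equally tamper with a baseline kept on the same machine.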


Let us discuss a recent news item about a new version of a notorious virus that
takes over a system until money is paid as ransom, which has been detected by
cyber experts. Version 2.0 of the TeslaCrypt ransomware encryptor family, say
experts, is notorious for infecting the computers of gamers. The malicious program
is now targeting online consumers and businesses via email attachments which
block access to a computer system until a sum of money, specifically in dollars,
is paid as ransom. If the victim delays, the ransom is doubled. Detected in
February 2015, TeslaCrypt began infecting systems in the US, Europe and
Southeast Asian countries. It then occurred in Indian cities including Delhi and
Mumbai. Two businessmen from Agra were targeted this year, from whom the
extortionist demanded more than $10,000. In the last six months, two cases
were reported in Agra, where the malware locked down its victims' most
important files and kept them hostage in exchange for a ransom to unlock them.

Source: News Articles

Types of Worms
The most common categorization of worms relies on how they spread:
• Email worms: spread through email messages, especially those with attachments.
• Internet worms: spread directly over the internet by exploiting access to open ports or system
vulnerabilities.
• Network worms: spread over open and unprotected network shares.
• Multi-vector worms: have two or more different spread capabilities.

Types of Trojans
Computer Trojans or Trojan horses are named after the mythological Trojan horse from the Trojan
War, in which the Greeks gave a giant wooden horse to their foes, the Trojans. As soon as the Trojans
dragged the horse inside their city walls, Greek soldiers sneaked out of the horse's hollow belly and
opened the city gates, allowing their army to capture Troy. A computer Trojan horse works in a very
similar way: it is a type of malware that masquerades as a non-malicious, even useful, application but
actually damages the host computer after its installation.
Trojans do not self-replicate (this is their key difference from a virus) and often require end-user
intervention to install; in most scenarios this happens because the user is tricked into believing that
the program being installed is a legitimate one (very often connected with social engineering attacks
on end users). Another common method is for the Trojan to be spammed as an email attachment or a
link in an email. A similar method has the Trojan arriving as a file or link in an instant messaging
client. Trojans can also be spread by means of drive-by downloads, or be downloaded and dropped by
other Trojans or by legitimate programs that have been compromised.
The results of Trojan activities can vary greatly: from minimally invasive ones that only change the
wallpaper or desktop icons, through Trojans which open backdoors on the computer and allow other
threats to infect the host or give a hacker remote access to the targeted system, to Trojans that cause
serious damage on the host by deleting files or destroying the data on the system in various ways (such
as formatting the drive or causing a BSOD). Such Trojans are usually stealthy and do not advertise their
presence on the computer.
Trojans can be classified by the function performed and the way they breach systems. An important
thing to keep in mind is that many Trojans have multiple payload functions, so any such classification
provides only a general overview and not a strict boundary. Some of the most common Trojan types
are:
• Remote Access Trojan (RAT) aka Backdoor.Trojan - this type of Trojan opens a backdoor on the
targeted system to allow the attacker remote access to the system or even complete control
over it. This is the most widespread kind of Trojan and often has various other functions as
well. It may be used as an entry point for a DoS attack or for letting worms or even other Trojans
into the system. A computer with a sophisticated backdoor program installed may also be referred
to as a "zombie" or a "bot", and a network of such bots is often referred to as a "botnet" (see
part 3 of the Security 1:1 series). Backdoor.Trojans are generally created by malware authors
who are organized and aim to make money out of their efforts. These types of Trojans can be
highly sophisticated and can require more work to implement than some of the simpler malware
seen on the Internet.
• Trojan-DDoS - this Trojan is installed simultaneously on a large number of computers in order to
create a zombie network (botnet) of machines that can be used (as attackers) in a DDoS attack
on a particular target.
• Trojan-Proxy -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
• Trojan-FTP – this Trojan is designed to open FTP ports on the targeted machine to allow a
remote attacker access to the host. Furthermore, the attacker can also access network shares or
connections to spread other threats further.
• Destructive Trojan – this is designed to destroy or delete data. It is much like a virus.
• Security Software Disabler Trojan – this is designed to stop security programs like antivirus
solutions, firewalls or IPS, either by disabling them or by killing their processes. This kind of
Trojan functionality is often combined with a destructive Trojan that executes data deletion or
corruption only after the security software is disabled. Security Software Disablers are entry
Trojans that allow the next level of attack on the targeted system.
• Info Stealer (Data Sending/ Stealing Trojan) - this Trojan is designed to collect confidential or
sensitive information from the compromised host and send it to a predefined location (the
attacker). The stolen data comprises login details, passwords, PII, credit card information etc.
Data sending Trojans can be designed to look for specific information only or can be more generic,
like key-logger Trojans. Nowadays more than ever before, attackers are concentrating on
compromising end users for financial gain. The information stolen with an Info stealer Trojan
is often sold on the black market. Info stealers gather information using several techniques;
the most common include logging keystrokes, taking screenshots and web cam images, and
monitoring internet activity, often for specific financial websites. The stolen information may be
stored locally so that it can be retrieved later, or it can be sent to a remote location where it can
be accessed by an attacker. It is often encrypted before being posted to the malware author.
• Keylogger Trojan – this is a type of data-sending Trojan that records every keystroke of the
end user. This kind of Trojan is specifically used to steal sensitive information from the targeted
host and send it back to the attacker. For these Trojans the goal is to collect as much data as
possible without any direct specification of what the data will be.
• Trojan-PSW (Password Stealer) – this is a type of data-sending Trojan designed specifically to
steal passwords from the targeted systems. In its execution routine, the Trojan will very often
first drop a keylogging component onto the infected machine.
• Trojan-Banker – a Trojan designed specifically to steal online banking information to allow the
attacker further access to bank account or credit card information.
• Trojan-IM – a type of data-sending Trojan designed specifically to steal data or account
information from instant messaging programs like MSN, Skype etc.
• Trojan-Game Thief – a Trojan designed to steal information about online gaming accounts.
• Trojan Mail Finder – a Trojan used to harvest any emails found on the infected computer. The
email list is then forwarded to the remote attacker.
• Trojan-Dropper -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

• Trojan-Downloader – a Trojan that can download other malicious programs to the target
computer, very often combined with the functionality of Trojan-Dropper. Most downloaders
encountered will attempt to download content from the internet rather than the local network.
In order to achieve its primary function, a downloader must run on a computer that is
inadequately protected and connected to a network.
• Trojan-FakeAV –
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________


This type of Trojan can be targeted either at extorting money for removal of a "non-existent"
threat or, in other cases, at injecting other malware into the host machine through installation of the
program itself. FakeAV applications can perform fake scans with variable results, but always detect at
least one malicious object. They may also drop files that are then ‘detected’. FakeAV applications are
constantly updated with new interfaces so that they mimic legitimate anti-virus solutions and
appear very professional to end users.
• Trojan-Spy – this Trojan has functionality similar to the Info stealer or Trojan-PSW; its purpose is
to spy on the actions executed on the target host. These can include tracking data entered via
keystrokes, collecting screenshots, listing active processes/ services on the host or stealing
passwords.
• Trojan-ArcBomb -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________


• Trojan-Clicker or Trojan-AD clicker – a Trojan that continuously attempts to connect to specific
websites in order to boost the visit counters on those sites. More specific functionality of the
Trojan can include generating traffic to pay-per-click web advertising campaigns in order to
create or boost revenue.
• Trojan-SMS – a Trojan used to send text messages from infected mobile devices to premium-rate
paid phone numbers.
• Trojan-Ransom (Trojan-Ransomlock) aka Ransomware Trojan
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

• Cryptolock Trojan (Trojan.Cryptolocker) – this is a newer variation of Ransomware Trojan that
emerged in 2013. Unlike a Ransomlock Trojan (which only locks the computer screen or some
part of the computer's functionality), the Cryptolock Trojan encrypts and locks individual files.
While Cryptolocker uses common Trojan spreading techniques like spam email and social
engineering in order to infect victims, the threat itself uses more sophisticated techniques like
public-key cryptography with strong RSA 2048 encryption.

In another incident detected by Kaspersky Labs, Pune, the TeslaCrypt ransomware
encryptor family exhibited a curious behaviour. Version 2.0 of the Trojan, notorious for
infecting computer gamers, displays an HTML page in the web browser which is an
exact copy of CryptoWall 3.0, another notorious ransomware program. TeslaCrypt was
detected in February 2015 and the new ransomware Trojan gained immediate notoriety
as a menace to computer gamers. Amongst other types of target files, it tries to infect
typical gaming files: game saves, user profiles, recorded replays etc. That said, TeslaCrypt
does not encrypt files that are larger than 268 MB. A few more examples of ransomware
Trojans are CryptoLocker, CryptoWall, CoinVault, TorLocker and CTB-Locker.
Source: News articles


Other security threats

Malware refers to software viruses, spyware, adware, worms, trojans, ransomware etc. They
are designed to cause damage to a targeted computer or cause a certain degree of operational
disruption.

Rootkits are malicious software designed to hide certain processes or programs from detection.
A rootkit usually acquires and maintains privileged system access while hiding its presence at the
same time. It acts as a conduit by providing the attacker with a backdoor to a system.

Spyware is software that monitors and collects information about a particular user, computer
or organisation without the user’s knowledge. There are different types of spyware, namely system
monitors, trojans (keyloggers, banker trojans, infostealers), adware, tracking cookies etc.

Tracking cookies are a specific type of cookie that are distributed, shared and read across two
or more unrelated websites for the purpose of gathering information or potentially to present
customized data to you.

Riskware is a term used to describe potentially dangerous software whose installation may pose
a risk to the computer.

Adware, in general terms, is software that generates or displays certain advertisements to
the user. This kind of software is very common in freeware and shareware and can
analyze end users’ internet habits and then tailor the advertisements directly to their interests.

Scareware is a class of malware that includes both Ransomware (Trojan.Ransom) and FakeAV
software. It is also well known under the names "Rogue Security Software" or "Misleading
Software". This kind of software tricks the user into believing that the computer has been infected
and offers paid solutions to clean the "fake" infection.

Spam is the term used to describe unsolicited or unwanted electronic messages, especially
advertisements. The most widely recognized form of spam is email spam.

Creepware is a term used to describe activities like spying on others through webcams (very often
combined with capturing pictures), tracking the online activities of others, listening to
conversations over the computer's microphone and stealing passwords and other data.

Blended threat defines an exploit that combines elements of multiple types of malware
components. The use of multiple attack vectors and payload types aims to increase the severity
of the damage caused as well as the speed of spreading.


In 1983, this person was the first to offer the definition of 'Computer Virus'...

A. COHEN          B. NORTON
C. SMITH          D. McAfee

ANSWER : …………………………………………………………..

Network attacks
A network attack is usually defined as an intrusion on the network infrastructure that first analyses
the environment and collects information in order to exploit existing open ports or vulnerabilities.
This may include unauthorized access to organisation resources.

Characteristics of network attacks:

 Passive attacks: attacks where the purpose is only to learn and obtain some information
from the system; the system resources are not altered or disabled in any way.
 Active attacks: in this type of network attack, the perpetrator accesses and either alters,
disables or destroys resources or data.
 Outside attack: when an attack is performed from outside the organization by an unauthorized
entity, it is said to be an outside attack.
 Inside attack: if an attack is performed from within the company by an "insider" who already
has certain access to the network, it is considered to be an inside attack.
 Others, such as attacks targeting end users (like phishing or social engineering): these attacks
are not directly referred to as network attacks, but are important to know about due to their
widespread occurrence.


What types of attack are there?

 Social engineering
 Phishing attack
 Social phishing
 Spear phishing attack
 Watering hole attack
 Whaling
 Vishing (voice phishing or VoIP phishing)
 Port scanning
 Spoofing
 Network sniffing
 DoS attack* & DDoS attack**
 ICMP smurf denial of service
 Buffer overflow attack
 Botnet
 Man-in-the-middle attack
 Session hijacking attack
 Cross-site scripting attack (XSS attack)
 SQL injection attack
 Bluetooth related attacks

*Denial of Service Attack
**Distributed Denial of Service Attack

 Social engineering – refers to the psychological manipulation of people (employees of a company)
into performing actions that potentially lead to a leak of the company's proprietary or confidential
information, or that otherwise can cause damage to company resources, personnel or company
image. Social engineers use various strategies to trick users into disclosing confidential
information, data or both. One very common technique used by social engineers is to
pretend to be someone else - an IT professional, a member of the management team, a co-worker,
an insurance investigator or even a member of a governmental authority. The mere fact that the
party making contact claims to be one of those mentioned is meant to convince the victim that the
person has the right to know any confidential or otherwise secured information. The purpose of social
engineering remains the same as the purpose of hacking: unauthorized access to confidential
information, data theft, industrial espionage or environment/ service disruption.
 Phishing attack – this type of attack uses social engineering techniques to steal confidential
information. The most common purpose of such an attack is to target the victim's banking account details
and credentials. Phishing attacks tend to use schemes involving spoofed emails sent to users that
lead them to malware-infected websites designed to appear as real online banking websites.
Emails received by users will in most cases look authentic, as if sent from sources known to the user
(very often with the appropriate company logo and localised information). These emails will contain
a direct request to verify some account information, credentials or credit card numbers by
following the provided link and confirming the information online. The request will be
accompanied by a threat that the account may become disabled or suspended if the mentioned
details are not verified by the user.
 Social phishing – in recent years, phishing techniques have evolved to include social media
like Facebook or Twitter. This type of phishing is often called social phishing. The purpose
remains the same – to obtain confidential information and gain access to personal files. The
means of the attack are a bit different though, and include special links or posts posted on
social media sites that attract the user with their content and convince them to click on them.
The link then redirects to a malicious website or similar harmful content. The websites can mirror
legitimate Facebook pages so that the unsuspecting user does not notice the difference. The
website will require the user to log in with his or her real information. At this point, the attacker collects the
credentials, gaining access to the compromised account and all data on it. Another scenario includes
fake apps. Users are encouraged to download and install apps that contain
malware used to steal confidential information.
Facebook phishing attacks are often much more elaborate. Consider the following scenario - a link
posted by an attacker can include some pictures or a phrase that will attract the user to click on it.
The user clicks, upon which he/ she is redirected to a mirror website that asks him/ her to like the
post first before even viewing it. The user, not suspecting any harm, clicks on the "like" button but
doesn't realise that the "like" button has been spoofed and in reality is the "accept" button for the
fake app to access the user's personal information. At this point, data is collected and the account is
compromised.
 Spear phishing attack – this is a type of phishing attack targeted at specific individuals, groups
of individuals or companies. Spear phishing attacks are performed mostly with the primary purpose
of industrial espionage and theft of sensitive information, while ordinary phishing attacks are
directed against the wide public with the intent of financial fraud. It has been estimated that in the last
couple of years targeted spear phishing attacks have become more widespread than ever before.

The recommendations to protect your company against phishing and spear phishing include:
1. Never open or download a file from an unsolicited email, even from someone you know
(you can call or email the person to double check that it really came from them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two-factor authentication whenever available.
5. Confirm the authenticity of a website prior to entering login credentials by looking for a
reputable security trust mark.
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a
website to make sure your data will be encrypted.

 Watering hole attack – this is a more complex type of phishing attack. Instead of the usual way
of sending spoofed emails to end users in order to trick them into revealing confidential
information, attackers use a multi-staged approach to gain access to the targeted information.
In the first step, the attacker profiles the potential victim, collecting information about his or her
internet habits, history of visited websites etc. In the next step the attacker uses that knowledge to
inspect the specific legitimate public websites for vulnerabilities. If any vulnerabilities or
loopholes are found, the attacker compromises the website with his own malicious code. The
compromised website then waits for the targeted victim to come back and then infects them
with exploits (often for zero-day vulnerabilities) or malware. This is an analogy to a lion waiting at
the watering hole for its prey.
 Whaling – a type of phishing attack specifically targeted at senior executives or other high
profile targets within a company.
 Vishing (Voice Phishing or VoIP Phishing) – the use of social engineering techniques over the
telephone system to gain access to confidential information from users. This phishing attack is
often combined with caller ID spoofing that masks the real source phone number and instead
displays a number familiar to the phishing victim or a number known to belong to a real banking
institution. General practices of vishing include pre-recorded automated instructions for users
requesting them to provide bank account or credit card information for verification over the
phone.
 Port scanning – an attack type where the attacker sends several requests to a range of ports on
a targeted host in order to find out which ports are active and open, which allows them to exploit
known service vulnerabilities related to specific ports. Port scanning can be used by malicious
attackers to compromise security, as well as by IT professionals to verify network
security.
Spoofing – a technique used to make a person, program or address masquerade as another by
falsifying data, with the purpose of gaining unauthorized access.
A few of the common spoofing types include:
 IP address spoofing – the process of creating IP packets with a forged source IP address to
impersonate a legitimate system. This kind of spoofing is often used in DoS attacks
(Smurf attack).

 ARP spoofing (ARP poisoning) – the process of sending fake ARP messages into the network.
The purpose of this spoofing is to associate the attacker's MAC address with the IP address of
another legitimate host, causing traffic to be redirected to the attacker's host. This kind of
spoofing is often used in man-in-the-middle attacks.

 DNS spoofing (DNS cache poisoning) – an attack where wrong data is inserted into a
DNS server's cache, causing the DNS server to divert traffic by returning wrong IP
addresses as results for client queries.

 Email spoofing – the process of faking the email's "From" field in order to hide the
real origin of the email. This type of spoofing is often used in spam mail or during
phishing attacks.

 Search engine poisoning – attackers take advantage of high profile news items or
popular events that may be of specific interest to a certain group of people to spread
malware and viruses. This is performed by various methods whose purpose is to
achieve the highest possible search ranking on known search portals for the malicious
sites and links introduced by the hackers. Search engine poisoning techniques are often
used to distribute rogue security products (scareware) to users searching for legitimate
security solutions to download.


 Network sniffing (packet sniffing) – the process of capturing the data packets travelling in the
network. Network sniffing can be used by IT professionals to analyse and monitor the traffic,
for example in order to find unexpected suspicious traffic, but also by perpetrators to collect
data sent in clear text, which is easily readable with network sniffers (protocol analysers).
The best countermeasure against sniffing is the use of encrypted communication between the hosts.
 Denial of Service Attack (DoS Attack) and Distributed Denial of Service Attack (DDoS Attack) –
an attack designed to cause an interruption or suspension of the services of a specific host/ server
by flooding it with large quantities of useless traffic or external communication requests. When
the DoS attack succeeds, the server is no longer able to answer even legitimate requests;
this can be observed in a number of ways – slow response of the server, slow network
performance, unavailability of software or a web page, inability to access data, a website or other
resources. A Distributed Denial of Service Attack (DDoS) occurs when multiple compromised or
infected systems (a botnet) flood a particular host with traffic simultaneously.
DoS (denial-of-service) attack
A few of the most common DoS attack types:
 ICMP flood attack (ping flood) – an attack that sends ICMP ping requests to the victim host
without waiting for the answers, in order to overload it with ICMP traffic to the point where the
host cannot answer them any more, either because of network bandwidth congestion
with ICMP packets (both requests and replies) or because of high CPU utilization caused by processing
the ICMP requests. The easiest way to protect against the various types of ICMP flood attack is
either to disable propagation of ICMP traffic sent to the broadcast address on the router or to disable
ICMP traffic at the firewall level.
 Ping of Death (PoD) – this attack involves sending a malformed or otherwise corrupted
malicious ping to the host machine, for example a PING with a size bigger than usual, which can
cause a buffer overflow on the system that leads to a system crash.
 Smurf attack – this works in the same way as the ping flood attack, with one major difference:
the source IP address of the attacker host is spoofed with the IP address of another legitimate,
non-malicious computer. Such an attack will cause disruption both on the attacked host (receiving
a large number of ICMP requests) as well as on the spoofed victim host (receiving a large number
of ICMP replies).

 ICMP Smurf Denial of Service
 SYN flood attack – this attack exploits the way the TCP 3-way handshake works while a
TCP connection is being established. In the normal process, the host computer sends a TCP SYN
packet to the remote host requesting a connection. The remote host answers with a TCP
SYN-ACK packet confirming that the connection can be made. As soon as this is received by the
first (local) host, it replies again with a TCP ACK packet to the remote host. At this point the TCP
socket connection is established. During a SYN flood attack, the attacker host, or more
commonly several attacker hosts, send SYN packets to the victim host requesting a
connection; the victim host responds with SYN-ACK packets but the attacker hosts never
respond with ACK packets. As a result, the victim host reserves space for all those
connections still awaiting the remote attacker hosts to respond, which never happens. This
leaves the server with dead (half-open) connections and in the end prevents legitimate hosts
from connecting to the server any more.
 Buffer overflow attack – in this type of attack the victim host is provided with traffic/ data
that is outside the range the victim host, its protocols or its applications are specified to process,
overflowing the buffer and overwriting the adjacent memory. One example is the above-mentioned
Ping of Death attack, where a malformed ICMP packet with a size exceeding the normal
value can cause a buffer overflow.
 Botnet – a collection of compromised computers that can be controlled by remote perpetrators
to perform various types of attacks on other computers or networks. A known example of botnet
usage is the distributed denial of service attack, where multiple systems submit as many
requests as possible to the victim machine in order to overload it with incoming packets. Botnets
can otherwise be used to send out spam, spread viruses and spyware, and also to steal personal
and confidential information, which is afterwards forwarded to the botmaster.
 Man-in-the-middle attack – this attack is a form of active monitoring or eavesdropping on victims'
connections and the communication between victim hosts. This form of attack includes interaction
between both victim parties of the communication and the attacker. This is achieved by the attacker
intercepting all or part of the communication, changing its content and sending it back as
legitimate replies. Neither party is aware of the attacker's presence, and both believe the replies
they get are legitimate. For this attack to be successful, the perpetrator must successfully
impersonate at least one of the endpoints. This can be the case if there are no protocols in place
that would ensure mutual authentication or encryption during the communication process.
 Session hijacking attack – this attack targets the exploitation of a valid computer session in order
to gain unauthorized access to information on a computer system. The attack type is often
referred to as cookie hijacking, as during its progress the attacker uses a stolen session cookie
to gain access to and authenticate to a remote server by impersonating a legitimate user.
 Cross-site scripting attack (XSS attack) – the attacker exploits XSS vulnerabilities found in
web server applications in order to inject a client-side script into the webpage that can either
point the user to a malicious website of the attacker or allow the attacker to steal the user's session
cookie.
 SQL injection attack – the attacker uses existing vulnerabilities in applications to inject
code/ a string for execution that exceeds the allowed and expected input to the SQL database.
Bluetooth related attacks

 Bluesnarfing – this kind of attack allows the malicious user to gain unauthorized access to
information on a device through its Bluetooth connection. Any device with Bluetooth
turned on and set to the "discoverable" state may be prone to a bluesnarfing attack.

 Bluejacking – this kind of attack allows the malicious user to send unsolicited (often spam)
messages to Bluetooth-enabled devices.

 Bluebugging – a hack attack on a Bluetooth-enabled device. Bluebugging enables the
attacker to initiate phone calls on the victim's phone as well as read through the address
book and messages and eavesdrop on phone conversations.
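As an added example (not from the handbook) of how a security analyst could spot two of the attacks listed above in logs, the following Python code flags port scanning (one source touching many distinct ports on a host within a short window) and ARP spoofing (an IP address whose MAC binding changes between ARP replies). The log format, thresholds and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a hypothetical, simplified format:
# "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>"
FIREWALL_LOG = """\
2015-06-01T10:00:01 192.0.2.10:50001 -> 198.51.100.5:21 tcp DROP
2015-06-01T10:00:01 192.0.2.10:50002 -> 198.51.100.5:22 tcp ACCEPT
2015-06-01T10:00:02 192.0.2.10:50003 -> 198.51.100.5:23 tcp DROP
2015-06-01T10:00:02 192.0.2.10:50004 -> 198.51.100.5:25 tcp DROP
2015-06-01T10:00:03 192.0.2.10:50005 -> 198.51.100.5:80 tcp ACCEPT
2015-06-01T10:00:03 192.0.2.10:50006 -> 198.51.100.5:110 tcp DROP
2015-06-01T10:00:04 192.0.2.10:50007 -> 198.51.100.5:135 tcp DROP
2015-06-01T10:00:04 192.0.2.10:50008 -> 198.51.100.5:139 tcp DROP
2015-06-01T10:00:05 192.0.2.10:50009 -> 198.51.100.5:443 tcp ACCEPT
2015-06-01T10:00:05 192.0.2.10:50010 -> 198.51.100.5:445 tcp DROP
2015-06-01T10:00:06 192.0.2.44:43210 -> 198.51.100.5:443 tcp ACCEPT
2015-06-01T10:00:07 192.0.2.44:43211 -> 198.51.100.5:80 tcp ACCEPT
"""

# Constructed ARP replies observed on the LAN as (timestamp, ip, mac).
# The gateway 198.51.100.1 is first claimed by one MAC, later by another.
ARP_REPLIES = [
    ("2015-06-01T10:05:00", "198.51.100.1", "00:11:22:33:44:55"),
    ("2015-06-01T10:05:01", "198.51.100.5", "00:11:22:33:44:66"),
    ("2015-06-01T10:05:30", "198.51.100.1", "00:11:22:33:44:55"),
    ("2015-06-01T10:06:02", "198.51.100.1", "DE:AD:BE:EF:00:01"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


def parse_firewall_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "action": m["action"],
        })
    return events


def detect_port_scans(events, min_ports=8, window=timedelta(seconds=10)):
    """Flag (src, dst) pairs that touch at least `min_ports` distinct destination
    ports inside any sliding time window. Returns {(src, dst): max_ports_seen}."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = {}
    for pair, evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts


def detect_arp_spoofing(arp_replies):
    """Return (ip, old_mac, new_mac) for every ARP reply that re-binds an IP
    to a MAC different from the one previously seen (compared case-insensitively)."""
    bindings = {}
    alerts = []
    for _ts, ip, mac in arp_replies:
        mac = mac.lower()
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ip, previous, mac))
        bindings[ip] = mac   # track the latest claim so every flip is reported
    return alerts


if __name__ == "__main__":
    print(detect_port_scans(parse_firewall_log(FIREWALL_LOG)))
    print(detect_arp_spoofing(ARP_REPLIES))
```

Real firewall and ARP monitoring tools use their own log formats, so the regular expression and the tuple layout would need adapting; the sliding-window and binding-change logic carries over unchanged.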


Fig: Top Network Attacks as per McAfee Labs, 2015

Few recent cyberattacks (or Network attacks) that shook some big businesses around the
globe:

Primera Blue Cross

March 2015

The company, a health insurer based in Washington State, said up to 11
million customers could have been affected by a cyberattack last year.
Hackers gained access to its computers on May 5, and the breach was not
discovered until Jan. 29, Primera said. The breach could have exposed
members' names, dates of birth, Social Security numbers, mailing and
email addresses, phone numbers and bank account information. The
company is working with the F.B.I. and a cybersecurity firm to
investigate.


Anthem

February 2015

One of the nation’s largest health insurers said that the personal
information of tens of millions of its customers and employees, including its
chief executive, was the subject of a “very sophisticated external
cyberattack.”

The company added that hackers were able to breach a database that
contained as many as 80 million records of current and former customers,
as well as employees. The information accessed included names, Social
Security numbers, birthdays, addresses, email and employment information,
including income data.

Sony Pictures

November 2014

A huge attack that essentially wiped clean several internal data centers and
led to cancellation of the theatrical release of "The Interview," a comedy
about the fictional assassination of the North Korean leader Kim Jong-un.
Contracts, salary lists, film budgets, entire films and Social Security numbers
were stolen, including -- to the dismay of top executives -- leaked emails
that included criticisms of Angelina Jolie and disparaging remarks about
President Obama.

Staples

October 2014

The office supply retailer said hackers had broken into the company’s
network and compromised the information of about 1.16 million credit
cards.


Common Vulnerabilities and Exposures (CVE)


Common Vulnerabilities and Exposures (CVE) is a catalogue of known security threats. The catalogue
is sponsored by the United States Department of Homeland Security (DHS), and threats are divided
into two categories: vulnerabilities and exposures.
According to the CVE website, a vulnerability is a mistake in software code that provides an attacker
with direct access to a system or network. For example, the vulnerability may allow an attacker to
pose as a super user or system administrator who has full access privileges. An exposure, on the other
hand, is defined as a mistake in software code or configuration that provides an attacker with indirect
access to a system or network. For example, an exposure may allow an attacker to secretly gather
customer information that could be sold.
The catalogue’s main purpose is to standardize the way each known vulnerability or exposure is
identified. This is important because standard IDs allow security administrators to quickly access
technical information about a specific threat across multiple CVE-compatible information sources.
CVE is sponsored by US-CERT, the DHS Office of Cybersecurity and Information Assurance (OCSIA).
MITRE, a not-for-profit organization that operates research and development centres sponsored by
the U.S. federal government, maintains the CVE catalogue and public website. It also manages the CVE
Compatibility Program, which promotes the use of standard CVE identifiers by authorized CVE
Numbering Authorities (CNAs).


Summary
 Information security analysts protect information stored on computer networks, applications,
etc., using special software that allows them to keep a track of those who can access and who
have accessed data.
 There are three categories of IT security and information security:
o confidentiality
o integrity
o availability
 Key concerns in information asset security are theft, fraud/ forgery, unauthorized information
access, and interception or modification of data and data management systems.
 Vulnerability is a weakness in an information system, system security procedures, internal
controls or implementation that could be exploited or triggered by a threat source.
 Microsoft has proposed a threat classification called STRIDE from the initials of threat
categories.
 Types of attacks: virus, worms, Trojans and others.
 Network attack is usually defined as an intrusion on the network infrastructure that will first
analyse the environment and collect information in order to exploit the existing open ports or
vulnerabilities. This may include unauthorized access to organisation resources.
 The recommendations to protect against Phishing and Spear Phishing include:
o Never open or download a file from an unsolicited email, even from someone you
know.
o Keep your operating system updated.
o Use a reputable anti-virus program.
o Enable two-factor authentication whenever available.
o Confirm the authenticity of a website prior to entering login credentials.
o Look for HTTPS in the address bar when you enter any sensitive personal information
on a website.


Practical activities:

Activity 1:

List various types of attacks, and get examples of each type of virus, trojan, worm and
other malware from the internet. Compare the list with your fellow students.

Activity 2:

Find out and study cases of attacks over the years and impact of those attacks on the
organisations where these occurred. Share details of 2-3 most interesting ones in the
class.

Activity 3:

Access the CVE catalogue and list all the types of information that you can get from it. Present the same in
class and elaborate upon the various ways in which that information can be used.


Check your understanding:

1. State the categories of security in IT security and information.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

2. Explain how a virus is different from a Trojan horse.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

3. State the reason why a cavity virus is difficult to detect, unlike traditional viruses.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

4. State True or False:

a) Trojans do not self-replicate. _________________


b) Scareware is also known as "Rogue Security Software”.________________________

5. Explain what riskware and adware are.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

6. List a few common network attacks.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

_________________________________________________________________________________


UNIT II
Fundamentals of Information Security

This unit covers:

 Lesson Plan
2.1 Elements of information security
2.2 Principles and concepts – data security
2.3 Types of controls


Lesson Plan

Performance Outcomes
To be competent, you must be able to:
PC3. carry out security assessment of information security systems using automated tools
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required

Ensuring Measures
QA session and a descriptive write-up on understanding.
Peer group, faculty group and industry experts.

Work Environment/ Lab Requirement
 PCs/ tablets/ laptops
 Availability of labs (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Networking equipment (routers & switches)
 Firewalls and access points
 Access to all security sites like ISO, PCI DSS etc.
 Commercial tools like HP WebInspect and IBM AppScan etc.
 Open source tools like sqlmap, Nessus etc.

Performance Outcomes
You need to know and understand:
KA5. how to analyse root causes of information security issues
KA6. how to carry out information security assessments
KB4. how to identify and resolve information security vulnerabilities and issues

Ensuring Measures
KA6, KA7, KA8. Peer review with faculty with appropriate feedback.
KB1 – KB4. Going through the security standards over the internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms.

Work Environment/ Lab Requirement
 PCs/ tablets/ laptops
 Availability of labs (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Networking equipment (routers & switches)
 Firewalls and access points
 Access to all security sites like ISO, PCI DSS etc.
 Commercial tools like HP WebInspect and IBM AppScan etc.
 Open source tools like sqlmap, Nessus etc.


Lesson

2.1 Elements of Information Security

Network Security
Network security refers to any activity designed to protect your network. Specifically, these activities
protect the usability, reliability, integrity and safety of your network and data. Effective network
security targets a variety of threats and stops them from entering or spreading on your network.

No single solution protects you from a variety of threats. You need multiple layers of security. If one
fails, others still stand. Network security is accomplished through hardware and software. The
software must be constantly updated and managed to protect you from emerging threats.

Wireless networks, which by their nature, facilitate access to the radio, are more vulnerable than
wired networks and need to encrypt communications to deal with sniffing and continuously checking
the identity of the mobile nodes. The mobility factor adds more challenges to security, namely
monitoring and maintenance of secure traffic transport of mobile nodes. This concerns both
homogenous and heterogenous mobility (inter-technology), the latter requires homogenization of the
security level of all networks visited by the mobile.

From the terminal’s side, it is important to protect its resources (battery, disk, CPU) against misuse
and to ensure the confidentiality of its data. In an ad hoc or sensor network it becomes essential to
ensure the terminal’s integrity as well, since it plays the dual role of router and terminal.

The difficulty in designing security solutions that address these challenges is not only to ensure
robustness against potential attacks and to avoid slowing down communications, but also to optimize
the use of resources such as bandwidth, memory and battery. More importantly, in this open context
the wireless network must ensure anonymity and privacy while still allowing traceability for legal
reasons. The growing need for traceability stems from the fight against criminal organizations and
terrorists, but also from efforts to limit copyright infringement. The network therefore faces a
dilemma: supporting the free exchange of information while controlling the content of communications
to avoid harmful content. In practice this concerns both wired and wireless networks. All these factors
influence the selection and implementation of security tools, which should be guided by a prior risk
assessment and a security policy.

Finally, trust models are increasingly considered in the design of secured systems, since they promise
a higher level of trust than classical security mechanisms alone; it seems likely that future networks
will need to implement both: security mechanisms and trust models.

In fact, if communication nodes are capable of building and maintaining a predefined trust level in
the network, the communication system will be trustable all the time, allowing trusted and secure
service deployment. However, such trust models are very difficult to design, and a trust level is
presently a rather subjective concept, very similar to the human notion of trust. Note that succeeding
in building such trust models would allow infrastructure based networks, but especially
infrastructure-less or self-organized networks such as ad hoc sensor networks, to be trusted enough to
deploy a range of applications. This will also have an impact on current business models: the economic
model would have to change in order to include new players in the telecommunication value chain,
such as users offering their machines to build an infrastructure-less network. For example, in the
context of ad hoc networks, ad hoc users could become distributors of content or providers of other
networked services, a sort of service provider. In this case, an appropriate charging and billing
system needs to be designed.

A network security system usually consists of many components. Ideally, all components work
together, which minimizes maintenance and improves security.

Network security components often include:

 Anti-virus and anti-spyware
 Firewall to block unauthorized access to your network
 Intrusion Prevention Systems (IPS) to identify fast-spreading threats, such as zero-day or zero-hour attacks
 Virtual Private Networks (VPNs) to provide secure remote access
 Communication security

Application Security
Application security (AppSec) is the use of software, hardware and procedural methods to protect
applications from external threats. AppSec is the operational solution to the problem of software risk.
AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application
irrespective of the function, language or platform.

As a best practice, AppSec employs proactive and preventative methods to manage software
risk, and align an organization’s security investments with the reality of today’s threats. It has
three distinct elements:

1) measurable reduction of risk in existing applications

2) prevention of introduction of new risks

3) compliance with software security mandates

A software vulnerability can be defined as a flaw in code, design or configuration that causes a
program to process critical data in an insecure way. These “holes” in an application can be exploited
by a hacker, spy or cybercriminal as an entry point to steal sensitive, protected or confidential data,
or to tamper with it.


The severity and frequency of cyber-attacks is increasing, which makes the practice of AppSec
important. AppSec as a discipline is also becoming more complex as the variety of business software
continues to proliferate. Here are some of the reasons why:

Today’s enterprise software comes from a variety of sources:

 in-house development teams,
 commercial vendors,
 outsourced solution providers, and
 open source projects.

Software developers have a wide choice of programming languages – Java, .NET, C++, PHP and more.

Applications can be deployed across myriad platforms – installed to operate locally, over virtual
servers and networks, accessed as a service in the cloud or run on mobile devices.

AppSec products must provide capabilities for managing security risk across all of these options as
each of these development and deployment options can introduce security vulnerabilities. An
effective software security strategy addresses both immediate and systemic risk.

The Application Security market has reached sufficient maturity to allow organizations of all sizes to
follow a well-established roadmap:

Begin with software security testing to find and assess potential vulnerabilities:

 Follow remediation procedures to prioritize and fix them.
 Train developers on secure coding practices.
 Leverage ongoing threat intelligence to keep up-to-date.
 Develop continuous methods to secure applications throughout the development life cycle.
 Instantiate policies and procedures that instill good governance.

Testing and remediation form the baseline response to insecure applications, but the critical element
of a successful AppSec effort is ongoing developer training. Security conscious development teams
write more robust code and avoid common errors. Take data input validation, the process of ensuring
that a program operates with clean, correct and useful data. Neglecting this step, and failing to build
in standard input validation rules or “check routines”, leaves the application open to common attacks
such as cross-site scripting and SQL injection. Validation on its own is not enough, though: the
primary defence against SQL injection is to keep data out of the query text with parameterized
queries, and the primary defence against cross-site scripting is to encode data on output, with input
validation as an additional layer.
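
The following is an added example, not part of the handbook, showing the two attacks just mentioned against a small login form and greeting page, each in its vulnerable and hardened form. It uses Python’s built-in sqlite3 module with a constructed one-user table; the user name, password and the ' OR 1=1 -- payload are illustrative assumptions. The password is stored in clear text only to keep the focus on the query; a real system stores salted hashes.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample data: one account, stored in clear text for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('gaurav', 's3cret')")
    conn.commit()
    return conn


DB = make_db()


def login_vulnerable(username, password, conn=DB):
    """The 'before': user input is pasted straight into the SQL text, so the input can
    change the shape of the query. With username "' OR 1=1 --" the WHERE clause becomes
    username = '' OR 1=1 --' AND ...   and the comment swallows the password check."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(username, password, conn=DB):
    """The 'after': the query shape is fixed by the developer; the values travel as
    bound parameters and can never be interpreted as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(username):
    """An input validation 'check routine': an allow-list of what a user name may look
    like. It rejects the injection payload, but it is a second layer, not a substitute
    for parameter binding."""
    return USERNAME_RE.match(username) is not None


def render_greeting_vulnerable(username):
    """Reflects the name into HTML untouched: a script tag in the name runs in the browser."""
    return "<p>Welcome, " + username + "</p>"


def render_greeting_safe(username):
    """Output encoding: the browser renders the name as text, never as markup."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"
```

Running the two login functions with the same payload shows the difference directly: the vulnerable version logs the attacker in without a valid password, the parameterized one simply finds no user called ' OR 1=1 --.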

When undertaken correctly, Application Security is an orderly process of reducing the risks associated
with developing and running business critical software. Properly managed, a good application security
program will move your organization from a state of unmanaged risk and reactive security to effective,
proactive risk mitigation.


Communications Security
Communications Security (COMSEC) ensures the confidentiality and integrity of telecommunications,
two of the information assurance (IA) pillars. Generally, COMSEC may refer to the security of any
information that is transmitted, transferred or communicated.

There are five COMSEC security types:

 Cryptosecurity: the use of technically sound cryptosystems, and their proper use, so that data
is unreadable to anyone who does not hold the key until it is decrypted.
 Emission Security (EMSEC): prevents the release or capture of compromising emanations from
equipment, such as cryptographic equipment, thereby preventing unauthorized interception.
 Physical Security: ensures the safety of, and prevents unauthorized access to, cryptographic
information, documents and equipment.
 Traffic-Flow Security: hides the presence and characteristics of messages flowing on a network
(who is talking to whom, how often and how much), for example by padding and continuous dummy
traffic.
 Transmission Security (TRANSEC): protects transmissions from interception, traffic analysis and
jamming by means other than cryptanalysis, for example frequency hopping and spread spectrum,
thereby preventing interruption and harm.


2.2. Principles and Concepts – Data Security

Critical Information Characteristics

Information systems security concerns itself with the maintenance of three critical characteristics of
information: confidentiality, integrity and availability (the C-I-A triad). These attributes of
information represent the full spectrum of security concerns in an automated environment. They are
applicable for any organization irrespective of its philosophical outlook on sharing information.

Information States

Information has three basic states: at any given moment, information is being transmitted, stored or
processed. The three states exist irrespective of the media in which the information resides, and the
three characteristics above have to be protected in each of the three states.

Prevention vs. detection

Security efforts to assure confidentiality, integrity and availability can be divided into those
oriented to prevention and those focused on detection. The latter aim to rapidly discover and correct
lapses that could not be (or at least were not) prevented. The balance between prevention and
detection depends on the circumstances and the available security technologies.

Basic information security concepts:
• Identification
• Authentication
• Authorization
• Confidentiality
• Integrity
• Availability
• Non-repudiation

 Identification is the first step in the ‘identify-authenticate-authorize’ sequence that is
performed countless times every day by humans and computers alike whenever access to
information or information processing resources is required. While the particulars of
identification systems differ depending on who or what is being identified, some intrinsic
properties of identification apply regardless of these particulars. Three such properties are
the scope, locality and uniqueness of IDs.
Identification name spaces can be local or global in scope. To illustrate this, consider the
familiar notation of email addresses. While many email accounts named Gaurav may exist around
the world, the email address Gaurav@company.com unambiguously refers to exactly one such user
in the company.com locality. Provided that the company in question is a small one and only one
employee is named Gaurav, his colleagues may refer to that person by his first name alone. That
works because they are in the same locality and only one Gaurav works there. However, for
someone on the other side of the world, or even across town, referring to Gaurav@company.com
as simply Gaurav would make no sense, because the user name Gaurav is not globally unique and
refers to different persons in different localities. This is one of the reasons why two user
accounts should never use the same name on the same system: not only would you be unable to
enforce access controls based on non-unique and ambiguous user names, you would also be unable
to establish accountability for user actions.

 Authentication happens right after identification and before authorization. It verifies the
authenticity of the identity declared at the identification stage; in other words, it is at the
authentication stage that you prove you are indeed the person or the system you claim to be.
The three factors of authentication are something you know (a password or PIN), something you
have (a token, smart card or phone) and something you are (a biometric such as a fingerprint);
combining two or more factors gives higher assurance than any single one. Regardless of the
particular authentication method used, the aim is to obtain reasonable assurance that the
identity declared at the identification stage belongs to the party in communication. It is
important to note that reasonable assurance may mean different degrees of assurance, depending
on the particular environment and application, and therefore may require different approaches
to authentication. The authentication requirements of a national security critical system
naturally differ from those of a small company. As different authentication methods have
different costs and properties, as well as different returns on investment, the choice of
authentication method for a particular system or organization should be made after these
factors have been carefully considered.
 Authorization is the process of ensuring that a user has sufficient rights to perform the
requested operation, and preventing those without sufficient rights from doing the same.
After declaring identity at the identification stage and proving it at the authentication stage,
users are assigned a set of authorizations (also referred to as rights, privileges or
permissions) that define what they can do on the system. These authorizations are most
commonly defined by the system’s security policy and are set by the security or system
administrator. These privileges may range from the extremes of “permit nothing” to “permit
everything” and include anything in between.
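
As an added example (not from the handbook), the following Python class implements the identify-authenticate-authorize sequence for one locality. The locality name company.com, the user names, the privilege names and the PBKDF2 work factor are assumptions made for illustration; the “something you know” factor is a password stored as a salted PBKDF2-HMAC-SHA256 hash, and the directory refuses a second account with the same name, for the accountability reason given above.

```python
import hashlib
import hmac
import os


class UserDirectory:
    """Identification, authentication and authorization for one locality
    (e.g. company.com). Names are unique within the locality; the qualified form
    name@locality is the globally unique ID."""

    ITERATIONS = 100_000  # PBKDF2 work factor; an assumption chosen for the example

    def __init__(self, locality):
        self.locality = locality
        self._users = {}  # name -> {"salt", "hash", "privileges"}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def register(self, name, password, privileges=()):
        # Uniqueness: a second 'gaurav' in the same locality would make access control
        # and accountability ambiguous, so the registration is refused.
        if name in self._users:
            raise ValueError("user name %r already exists in %s" % (name, self.locality))
        salt = os.urandom(16)  # per-user salt: equal passwords give different hashes
        self._users[name] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "privileges": frozenset(privileges),
        }
        return self.identify(name)

    def identify(self, name):
        """Step 1: map a claimed name to its globally unique ID, or None if unknown."""
        if name not in self._users:
            return None
        return "%s@%s" % (name, self.locality)

    def authenticate(self, name, password):
        """Step 2: verify the claim with a 'something you know' factor."""
        rec = self._users.get(name)
        if rec is None:
            # Spend the same CPU for unknown names so they cannot be enumerated by timing
            self._derive(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"])

    def authorize(self, name, privilege):
        """Step 3: check a privilege from the set an administrator assigned to the user.
        An empty set is 'permit nothing'; the set of all privileges is 'permit everything'."""
        rec = self._users.get(name)
        return rec is not None and privilege in rec["privileges"]

    def login(self, name, password, privilege):
        """The whole sequence. Returns (unique id, authorized?) or None if the
        identity is unknown or the password is wrong."""
        uid = self.identify(name)
        if uid is None or not self.authenticate(name, password):
            return None
        return (uid, self.authorize(name, privilege))
```

Note that the directory never reveals whether it was the name or the password that was wrong, and that it does the same amount of hashing work either way; both details stop an attacker from using the login form to discover which names exist.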

 Confidentiality means that only authorized persons have access to receive or use information,
documents etc. Unauthorized access to confidential information may have devastating
consequences, not only in national security applications but also in commerce and industry.
The main mechanisms for protecting confidentiality in information systems are cryptography and
access controls. Examples of threats to confidentiality are malware, intruders, social
engineering, insecure networks and poorly administered systems.
 Integrity is concerned with the trustworthiness, origin, completeness and correctness of
information as well as the prevention of improper or unauthorized modification of
information. Integrity in the information security context refers not only to integrity of
information itself but also to the origin integrity i.e. integrity of the source of information.
Integrity protection mechanisms may be grouped into two broad types: preventive
mechanisms, such as access controls that prevent unauthorized modification of information,
and detective mechanisms, which are intended to detect unauthorized modifications when
preventive mechanisms have failed. Controls that protect integrity include principles of least
privilege, separation and rotation of duties.
 Availability of information, although usually mentioned last, is not the least important pillar
of information security. Who needs confidentiality and integrity if the authorized users of
information cannot access and use it? Who needs sophisticated encryption and access
controls if the information being protected is not accessible to authorized users when they
need it? Therefore, despite being mentioned last in the C-I-A triad, availability is just as
important and as necessary a component of information security as confidentiality and
integrity. Attacks against availability are known as denial of service (DoS) attacks. Natural
and manmade disasters obviously may also affect availability as well as confidentiality and
integrity of information though their frequency and severity greatly differ. Natural disasters
are infrequent but severe, whereas human errors are frequent but usually not as severe as
natural disasters. In both cases, business continuity and disaster recovery planning (which
at the very least includes regular and reliable backups) is intended to minimize losses.
 Non-repudiation in the information security context refers to a property of cryptographic
digital signatures: the possibility of proving whether a particular message was digitally signed
by the holder of a particular signature’s private key. Non-repudiation is a somewhat
controversial subject, partly because it matters so much in this age of electronic commerce,
and partly because it does not provide an absolute guarantee. A digital signature owner who
wishes to repudiate a transaction maliciously may always claim that his or her private key was
stolen and that the thief signed the transaction in question. Non-repudiation therefore rests on
the private key being kept under the signer’s sole control (for example in a hardware token), on
trustworthy time-stamping and on a verifiable binding between the key and its owner. It is also
what distinguishes a digital signature from a message authentication code (MAC): because sender
and receiver share the MAC key, the receiver could have produced the tag himself, so a MAC
cannot prove to a third party who sent the message.

The following types of non-repudiation services are defined in the international standard
ISO/IEC TR 14516:2002 (guidelines for the use and management of trusted third party services):
o Approval: non-repudiation of approval provides proof of who is responsible for approval
of the contents of a message.
o Sending: non-repudiation of sending provides proof of who sent the message.
o Origin: non-repudiation of origin is a combination of approval and sending.
o Submission: non-repudiation of submission provides proof that a delivery agent has
accepted the message for transmission.
o Transport: non-repudiation of transport provides proof for the message originator that
a delivery agent has delivered the message to the intended recipient.
o Receipt: non-repudiation of receipt provides proof that the recipient received the
message.
o Knowledge: non-repudiation of knowledge provides proof that the recipient recognized
the content of the received message.
o Delivery: non-repudiation of delivery is a combination of receipt and knowledge, as it
provides proof that the recipient received and recognized the content of the message.


Fun-Facts about Top Data Center Security-GOOGLE


2.3 Types of Controls

Central to information security is the concept of controls, which may be categorized by their
functionality (preventive, detective, corrective, deterrent, recovery and compensating) and plane of
application (physical, administrative or technical).

By functionality:

Preventive controls

Preventive controls are the first controls met by an adversary. These try to prevent security
violations and enforce access control. Like other controls, these may be physical, administrative
or technical. Doors, security procedures and authentication requirements are examples of
physical, administrative and technical preventive controls respectively.

Detective controls

Detective controls are in place to detect security violations and alert the defenders. They come
into play when preventive controls have failed or have been circumvented, and are no less crucial
than preventive controls. Detective controls include cryptographic checksums, file integrity
checkers, audit trails and logs, intrusion detection systems and similar mechanisms.

Corrective controls

Corrective controls try to correct the situation after a security violation has occurred. A
violation may have occurred without the data being lost or destroyed, so it makes sense to try to
fix the situation and limit further damage. Corrective controls vary widely, depending on the area
being targeted, and they may be technical or administrative in nature.

Deterrent controls

Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls
include notices of monitoring and logging as well as the visible practice of sound information
security management.

Recovery controls

Recovery controls are somewhat like corrective controls, but they are applied in more serious
situations to recover from security violations and restore information and information processing
resources. Recovery controls may include disaster recovery and business continuity mechanisms,
backup systems and data, emergency key management arrangements and similar controls.

Compensating controls

Compensating controls are intended to be alternative arrangements for other controls when the
original controls have failed or cannot be used. When a second set of controls addresses the same
threats that are addressed by another set of controls, it acts as a compensating control.


By plane of application:

Physical controls include doors, secure facilities, fire extinguishers, flood protection and air
conditioning.

Administrative controls are the organization’s policies, procedures and guidelines intended to
facilitate information security.

Technical controls are the various technical measures, such as firewalls, authentication systems,
intrusion detection systems and file encryption among others.

Access Control Models


Logical access control models are the abstract foundations upon which actual access control
mechanisms and systems are built. Access control is among the most important concepts in computer
security. Access control models define how computers enforce access of subjects (such as users, other
computers, applications and so on) to objects (such as computers, files, directories, applications,
servers and devices).

Three main access control models exist:

 Discretionary Access Control model
 Mandatory Access Control model
 Role Based Access Control model

Discretionary Access Control (DAC)

The Discretionary Access Control model is the most widely used of the three models.

In the DAC model, the owner (creator) of information (file or directory) has the discretion to decide
about and set access control restrictions on the object in question, which may, for example, be a file
or a directory. The advantage of DAC is its flexibility. Users may decide who can access information
and what they can do with it — read, write, delete, rename, execute and so on. At the same time, this
flexibility is also a disadvantage of DAC because users may make wrong decisions regarding access
control restrictions or maliciously set insecure or inappropriate permissions. Nevertheless, the DAC
model remains the model of choice for the absolute majority of operating systems today, including
Solaris.

Mandatory Access Control (MAC)

Mandatory access control, as its name suggests, takes a stricter approach to access control. In systems
utilizing MAC, users have little or no discretion as to what access permissions they can set on their
information. Instead, mandatory access controls specified in a system-wide security policy are
enforced by the operating system and applied to all operations on that system. MAC based systems
use data classification levels (such as public, confidential, secret and top secret) and security
clearance labels corresponding to those classification levels to decide, in accordance with the
security policy set by the system administrator, what access control restrictions to enforce.
Additionally, per group and/or per domain access control restrictions may be imposed, i.e. in addition
to having the required security clearance level, subjects (users or applications) must also belong to
the appropriate group or domain. For example, a file with a confidential label belonging only to the
research group may not be accessed by a user from the marketing group, even if that user has a
security clearance level higher than confidential (for example, secret or top secret). This concept
is known as compartmentalization or ‘need to know’.

Although MAC based systems, when used appropriately, are thought to be more secure than DAC
based systems, they are also much more difficult to use and administer because of the additional
restrictions and limitations imposed by the operating system. MAC based systems are typically used
in government, military and financial environments where higher than usual security is required and
where the added complexity and costs are tolerated. MAC is implemented in Trusted Solaris, a version
of the Solaris operating environment intended for high security environments.

Role-Based Access Control (RBAC)

In the role based access control model, rights and permissions are assigned to roles instead of
individual users. This added layer of abstraction permits easier and more flexible administration and
enforcement of access controls. For example, access to marketing files may be restricted only to the
marketing manager role, and users Ann, David, and Joe may be assigned the role of marketing
manager. Later, when David moves from the marketing department elsewhere, it is enough to revoke
his role of marketing manager, and no other changes would be necessary. When you apply this
approach to an organization with thousands of employees and hundreds of roles, you can see the
added security and convenience of using RBAC. Solaris has supported RBAC since release 8.
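
The following is an added example (not code from the handbook or from Solaris) that implements the access decision of each of the three models in Python and replays the examples above: an owner-managed ACL for DAC, a clearance-and-compartment check for MAC, and role assignment and revocation for RBAC. The object, user, compartment and role names are illustrative assumptions.

```python
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


class DacObject:
    """DAC: the owner (creator) of the object decides who may do what with it."""
    ALL_OPS = {"read", "write", "delete", "rename", "execute"}

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: set(self.ALL_OPS)}

    def grant(self, by, subject, ops):
        # Only the owner may change permissions. Nothing stops the owner from granting
        # 'write' to everyone, which is exactly DAC's flexibility-versus-misuse trade-off.
        if by != self.owner:
            raise PermissionError("%s is not the owner of this object" % by)
        self.acl.setdefault(subject, set()).update(ops)

    def allows(self, subject, op):
        return op in self.acl.get(subject, set())


def mac_allows_read(clearance, subject_compartments, label, object_compartments):
    """MAC: a system-wide policy decides, not the owner. 'No read up' on the
    classification level, plus need-to-know: every compartment the object is marked
    with must also be held by the subject."""
    return (LEVELS[clearance] >= LEVELS[label]
            and set(object_compartments) <= set(subject_compartments))


class Rbac:
    """RBAC: permissions are attached to roles; users are assigned (and revoked) roles."""

    def __init__(self):
        self.role_permissions = {}
        self.user_roles = {}

    def add_permission(self, role, permission):
        self.role_permissions.setdefault(role, set()).add(permission)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def allows(self, user, permission):
        return any(permission in self.role_permissions.get(role, set())
                   for role in self.user_roles.get(user, set()))


def demo():
    """Constructed scenario reproducing the handbook's examples for all three models."""
    # DAC: gaurav owns a report and lets ann read it; joe was never granted anything.
    report = DacObject(owner="gaurav")
    report.grant("gaurav", "ann", {"read"})
    dac = {"ann_read": report.allows("ann", "read"),
           "ann_write": report.allows("ann", "write"),
           "joe_read": report.allows("joe", "read")}
    # MAC: a confidential file marked for the research compartment.
    mac = {"top_secret_marketing_user": mac_allows_read("top secret", {"marketing"},
                                                        "confidential", {"research"}),
           "confidential_research_user": mac_allows_read("confidential", {"research"},
                                                         "confidential", {"research"}),
           "public_research_user": mac_allows_read("public", {"research"},
                                                   "confidential", {"research"})}
    # RBAC: ann, david and joe are marketing managers; david later leaves the department.
    rbac = Rbac()
    rbac.add_permission("marketing manager", "read:marketing-files")
    for user in ("ann", "david", "joe"):
        rbac.assign(user, "marketing manager")
    david_before = rbac.allows("david", "read:marketing-files")
    rbac.revoke("david", "marketing manager")
    return {"dac": dac, "mac": mac,
            "rbac": {"david_before": david_before,
                     "david_after": rbac.allows("david", "read:marketing-files"),
                     "ann": rbac.allows("ann", "read:marketing-files")}}
```

The MAC check is the one to study: the top secret marketing user is refused the confidential research file despite the higher clearance, because clearance level and need-to-know are evaluated together, while in RBAC a single revoke removes every permission David held through the role.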

Centralized vs. Decentralized Access Control


Further distinction should be made between centralized and decentralized (distributed) access control
models. In environments with centralized access control, a single, central entity makes access control
decisions and manages the access control system whereas in distributed access control environments,
these decisions are made and enforced in a decentralized manner. Both approaches have their pros
and cons, and it is generally inappropriate to say that one is better than the other. The selection of a
particular access control approach should be made only after careful consideration of an
organization’s requirements and associated risks.

Security Vulnerability Management


Security vulnerability management is the current evolutionary step of vulnerability assessment
systems that began in the early 1990s with the advent of the network security scanner S.A.T.A.N.
(Security Administrator’s Tool for Analyzing Networks) followed by the 1st commercial vulnerability
scanner from ISS. While early tools mainly found vulnerabilities and produced lengthy reports, today’s
best-in-class solutions deliver comprehensive discovery and support the entire security vulnerability
management lifecycle.

A vulnerability can occur anywhere in the IT environment, and can be the result of many different root
causes. Security vulnerability management solutions gather comprehensive endpoint and network
intelligence, and apply advanced analytics to identify and prioritize the vulnerabilities that pose the
most risk to critical systems. The result is actionable data that enables IT security teams to focus on
the tasks that will most quickly and effectively reduce overall network risk with the fewest possible
resources.

Security vulnerability management is a closed-loop workflow that generally includes identifying
networked systems and associated applications, auditing (scanning) the systems and applications for
vulnerabilities, and remediating the vulnerabilities. Any IT infrastructure component may present
existing or new security concerns and weaknesses, i.e. vulnerabilities. These may be product or
component faults, or they may be inadequate configuration. Malicious code or unauthorized individuals
may exploit those vulnerabilities to cause damage, such as disclosure of credit card data.
Vulnerability management is the process of identifying those vulnerabilities and reacting
appropriately to mitigate the risk.

Vulnerability assessment and management is an essential piece for managing overall IT risk
because:

Persistent threats

Attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to
dominate headlines.

Regulation

Many government and industry regulations mandate rigorous vulnerability management practices.

Risk management

Mature organizations treat it as a key risk management component. Organizations that follow
mature IT security principles understand the importance of risk management.

Properly planned and implemented threat and vulnerability management programs represent a key
element in an organization’s information security program, providing an approach to risk and threat
mitigation that is proactive and business aligned, not just reactive and technology focused.

Vulnerability Assessment
Vulnerability assessment covers assessing the environment for known vulnerabilities, and assessing IT
components against the security configuration policies (by device role) that have been defined for the
environment. This is accomplished through scheduled vulnerability and configuration assessments of the
environment.

Network based vulnerability assessment (VA) has been the primary method employed to baseline
networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough and
accurate vulnerability assessments can be accomplished for managed systems via credentialed access.
Unmanaged systems can be discovered and a basic assessment can be completed. The ability to
evaluate databases and web applications for security weaknesses is crucial, considering the rise of
attacks that target these components.

Database scanners check database configuration and properties to verify whether they comply with
database security best practices.

Web application scanners test an application’s logic for “abuse” cases that can break or exploit the
application. Additional tools can be leveraged to perform more in-depth testing and analysis.

All three scanning technologies (network, application and database) assess a different class of security
weaknesses, and most organizations need to implement all three.

Risk assessment

Larger issues should be expressed in the language of risk (e.g. ISO 27005), specifically expressing
impact in terms of business impact. The business case for any remedial action should incorporate
considerations relating to the reduction of risk and compliance with policy. This forms the basis of
the action to be agreed between the relevant line of business and the security team.

Risk analysis

“Fixing” the issue may involve acceptance of the risk, shifting of the risk to another party or reducing
the risk by applying remedial action, which could be anything from a configuration change to
implementing a new infrastructure (e.g. data loss prevention, firewalls, host intrusion prevention
software).

Elimination of the root cause of security weaknesses may require changes to user administration and
system provisioning processes. Many processes and often several teams may come into play (e.g.
configuration management, change management, patch management etc.). Monitoring and incident
management processes are also required to maintain the environment.

Vulnerability enumeration

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e. CVE Identifiers)
for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to
share data across separate network security databases and tools, and provide a baseline for
evaluating the coverage of an organization’s security tools. If a report from one of your security tools
incorporates CVE identifiers, you may then quickly and accurately access fix information in one or
more separate CVE compatible databases to remediate the problem.

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating
the characteristics and impacts of IT vulnerabilities. Its quantitative model gives repeatable,
consistent measurements while letting users see the underlying vulnerability characteristics that
were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for
industries, organizations and governments that need accurate and consistent vulnerability impact
scores. Note that the base score measures the intrinsic severity of a vulnerability, not the risk it
poses to a particular organization; the temporal and environmental metric groups, and knowledge of
which assets are affected, are needed to turn a score into a remediation priority.

Common Weakness Enumeration (CWE)

The Common Weakness Enumeration (CWE) provides a common language of discourse for discussing,
finding and dealing with the causes of software security vulnerabilities as they are found in code,
design or system architecture. Each individual CWE represents a single weakness type (for example,
SQL injection). CWEs are used as a classification mechanism that differentiates CVEs by the type of
weakness they represent. For more details see the Common Weakness Enumeration website
(cwe.mitre.org).


Remediation Planning
Prioritization

Vulnerability and security configuration assessments typically generate very long remediation work
lists, and this remediation work needs to be prioritized. When organizations initially implement
vulnerability assessment and security configuration baselines, they typically discover that a large
number of systems contain multiple vulnerabilities and security configuration errors. There is typically
more mitigation work to do than the resources available to accomplish it. Therefore, prioritization is
important.

Root Cause Analysis (RCA)

It is important to analyse security and vulnerability assessments in order to determine the root cause.
In many cases, the root cause of a set of vulnerabilities lies within the provisioning, administration and
maintenance processes of IT operations or within their development or the procurement processes of
applications. Elimination of the root cause of security weaknesses may require changes to user
administration and system provisioning processes.

What makes a good RCA?

An RCA is an analysis of a failure to determine the first (or root) failure that causes the ultimate
condition in which the system finds itself. For example, in an application crash one should be asking:
why did it crash this way?

A security analyst's job in performing an RCA is to keep asking the inquisitive "why" until no further
questions remain; what is left is the problem at the root of the situation.

Example: consider an application whose database was pilfered by attackers. The ultimate failure the
analyst is investigating is the exfiltration of consumer private data, but the SQL injection that enabled
it is not what caused the failure. Why did the SQL injection happen? Was the root of the problem that
the responsible developer simply didn't follow the corporate policy for building SQL queries? Or was
the issue a failure to implement something like the OWASP ESAPI (the OWASP Enterprise Security API,
a free, open source web application security control library that makes it easier for programmers to
write lower-risk applications) in the appropriate manner? Or was the cause a vulnerable piece of
open-source code that was incorporated into the corporate application without passing through the
full source code lifecycle process?

Your job when performing an RCA is to figure this out. Root cause analysis is critical in the software
security world. A number of automated solutions are also available for various types of RCA; for
example, HP's web application security testing technology can link XSS issues to a single line of code
in the application's input handler.

Decision trees and algorithms may also be used as tools for more detailed analysis. To learn more,
visit: https://www.sans.org/reading-room/whitepapers/detection/decision-tree-analysis-intrusion-detection-how-to-guide-33678


Ranking of cyber security objectives in terms of business priority

[Figure: bar chart of cyber security objectives ranked by business priority on a 0-5 scale; the plotted
values are 1.9, 2.8, 3.5, 4.4 and 4.7 (the objective labels are not recoverable from the extracted text).]

 65% of organizations had an average of 3 DDoS attacks in the past 12 months.
 54 minutes of downtime during one DDoS attack.
 Average cost per minute of downtime is $22,000.
 Average annual cost of DDoS attacks is $3,000,000.


Summary
 Elements of information security include network security, application security and
communication security
 Types of communication security are Cryptosecurity, Emission Security (EMSEC), Physical Security,
Traffic-Flow Security and Transmission Security (TRANSEC).
 Critical information characteristics are Confidentiality, Integrity and Availability.
 Information states include transmission, storage and processing.
 Basic information security concepts:
o Identification
o Authentication
o Authorization
o Confidentiality
o Integrity
o Availability
o Non-repudiation
 Types of control for information security can be classified into:
o Preventive
o Detective
o Corrective
o Deterrent
o Recovery
o Compensating
 Three main access control models exist:
o Discretionary Access Control model
o Mandatory Access Control model
o Role Based Access Control model
 A Root Cause Analysis is an analysis of a failure to determine the first (or root) failure that causes
the ultimate condition in which the system finds itself.


Practical activities:

Activity 1:

Investigate the various types of threats to network security, application security and
communication security, and prepare a white paper on them. Also list the various
countermeasures or security devices that may be used to address them.
Present it in class.

Activity 2:

Collect information about various information security service companies’ websites, and
understand the various security services they offer. Carry out a comparison of the
various services or products offered and list their features and benefits.

Activity 3:

Collect information about the various categories of controls and state which controls
fall within each category. Discuss in groups the benefits and limitations of
examples of each type of control within a category.

Activity 4:

Collect information about various elements of a decision tree and an algorithm. Create
algorithms and decision trees for various situations in case of planning for security of
information assets.


Check your understanding:


1. Write a short note on your understanding of the following basic information security concepts.
• Identification
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
• Authentication
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

• Authorization
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
• Confidentiality
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
• Integrity
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
• Availability
__________________________________________________________________________________

__________________________________________________________________________________


__________________________________________________________________________________

__________________________________________________________________________________
• Non-repudiation
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

2. Which are the three states of Information?


______________________________________

______________________________________

______________________________________

NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

_________________________________________________________________________________


UNIT III
Data Leakage and Prevention

This unit covers:

 Lesson Plan
3.1 Introduction to Data Leakage
3.2 Organisational Data Classification, Location and Pathways
3.3 Content Awareness
3.4 Content Analysis Techniques
3.5 Data Protection
3.6 DLP Limitations
3.7 DRM – DLP Conundrum


Lesson Plan

Performance Outcomes

To be competent, you must be able to:
 PC2. monitor systems and apply controls in line with information security policies, procedures and
guidelines
 PC3. carry out security assessment of information security systems using automated tools
 PC11. comply with your organization’s policies, standards, procedures and guidelines when
contributing to managing information security

You need to know and understand:
 KA12. your organization’s information security systems and tools and how to access and maintain
the same
 KA13. standard tools and templates available and how to use these
 KB4. how to identify and resolve information security vulnerabilities and issues

Ensuring Measures

PC2, PC3, PC11: Going through various organizations’ websites and understanding their policies and
guidelines (research); project charter, architecture (charts), project plan, poster presentation and
execution plan.
KA12: Going through various organizations’ websites and understanding their policies and guidelines
(research); project charter, architecture (charts), project plan, poster presentation and execution plan.
KA13: Creation of templates based on the learnings from KA1 to KA12.
KB1 – KB4: Going through the security standards on the internet by visiting sites like ISO, PCI DSS etc.,
and understanding the various methodologies and usage of algorithms.

Work Environment/ Lab Requirement (for PC2, PC3, PC11 and KA1 to KA13)

 PCs/ tablets/ laptops
 Availability of labs (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Networking equipment (routers & switches)
 Firewalls and access points
 Access to all security sites like ISO, PCI DSS etc.
 Commercial tools like HP WebInspect and IBM AppScan etc.
 Open source tools like sqlmap, Nessus etc.


Lesson

3.1 Introduction to Data Leakage

Data leakage is defined as the accidental or unintentional distribution of private or sensitive
data to an unauthorized entity.

Sensitive data in companies and organizations include intellectual property (IP), financial
information, patient information, personal credit card data, and other information depending
on the business and the industry. Data leakage poses a serious issue for companies as the
number of incidents and the cost to those experiencing them continue to increase.

Data leakage is enhanced by the fact that transmitted data (both inbound and outbound), including
emails, instant messaging, website forms and file transfers among others, are largely unregulated and
unmonitored on their way to their destinations. Furthermore, in many cases, sensitive data are shared
among various stakeholders such as employees working from outside the organization’s premises (e.g.
on laptops), business partners and customers. This increases the risk that confidential information will
fall into unauthorized hands. Whether caused by malicious intent or an inadvertent mistake by an
insider or outsider, exposure of sensitive information can seriously hurt an organization. The potential
damage and adverse consequences of a data leakage incident can be classified into two categories:

1) direct losses 2) indirect losses.

Direct losses refer to tangible damage that is easy to measure or to estimate quantitatively. Indirect
losses, on the other hand, are much harder to quantify and have a much broader impact in terms of
cost, place and time.

Direct losses include violations of regulations (such as those protecting customer privacy) resulting in
fines; settlements or customer compensation fees; litigation involving lawsuits; loss of future sales;
costs of investigation and remedial or restoration fees. Indirect losses include reduced share price as
a result of negative publicity; damage to a company’s goodwill and reputation; customer
abandonment; and exposure of intellectual property (business plans, code, financial reports and
meeting agendas) to competitors.

Enterprises use Data Leakage Prevention (DLP) technology as one component in a
comprehensive plan for the handling and transmission of sensitive data. The technological
means employed for enhancing DLP can be divided into the following categories:

• Standard security measures
• Advanced/ intelligent security measures
• Access control and encryption
• Designated DLP systems


Standard security measures are used by many organizations and include common mechanisms such
as firewalls, intrusion detection systems (IDSs) and antivirus software that can provide protection
against both outsider attacks (e.g. a firewall which limits access to the internal network and an
intrusion detection system which detects attempted intrusions) and inside attacks (e.g. antivirus scans
to detect a Trojan horse that may be installed on a PC to send confidential information).

Another example is the use of thin clients which operate in a client-server architecture, with no
personal or sensitive data stored on a client’s computer. Policies and training for improving the
awareness of employees and partners provide additional standard security measures.

Advanced or intelligent security measures include machine learning and temporal reasoning
algorithms for detecting abnormal access to data (i.e. databases or information retrieval systems),
activity based verification (e.g. based on keystrokes and mouse patterns), detection of abnormal email
exchange patterns, and applying the honeypot concept for detecting malicious insiders.

Device control, access control and encryption are used to prevent access by an unauthorized user.
These are the simplest measures that can be taken to protect large amounts of personal data
against malicious outsider and insider attacks.

Designated DLP solutions are intended to detect and prevent attempts to copy or send sensitive data,
intentionally or unintentionally, without authorization, mainly by personnel who are authorized to
access the sensitive information. A major capability of such solutions is an ability to classify content as
sensitive. Designated DLP solutions are typically implemented using mechanisms such as exact data
matching, structured data fingerprinting, statistical methods (e.g. machine learning), rule and regular
expression matching, published lexicons, conceptual definitions and keywords.

Data Leakage Prevention (DLP) solutions are often also referred to as Information Leak Prevention
(ILP), Data Leak/ Loss Prevention (DLP), Outbound Content Compliance, Content Monitoring and
Filtering, Content Monitoring and Protection (CMP) or Extrusion Prevention.

A designated data leakage prevention solution is defined as a system that is designed to detect and
prevent the unauthorized access, use or transmission of confidential information.

Enterprise data generally exists in the following three major states:


 Data at rest: it resides in file systems, distributed desktops and large centralized data
stores, databases or other storage centers.
 Data at the endpoint or in use: it resides at network endpoints such as laptops; USB
devices; external drives; CD/ DVDs; archived tapes; MP3 players; iPhones or other highly
mobile devices.
 Data in motion: it moves through the network to the outside world via email, instant
messaging, peer-to-peer (P2P), FTP or other communication mechanisms.
Data in each state often requires different techniques for loss prevention. For example, although deep
content inspection is useful for data in motion, it doesn’t help so much for data at rest. Therefore, an
effective data loss prevention program should adopt appropriate techniques to cover all the
organization’s potential loss modes.


Types of data leaked

[Figure: pie chart of types of data leaked, with segments for NPI (e.g. customer data), confidential
information, PHI (e.g. patient records) and intellectual property; the shares shown are 73%, 15%, 8%
and 4% (the segment-to-label mapping is not recoverable from the extracted text).]

Data Leak Vectors

[Figure: pie chart of data leak vectors, with segments for HTTP, email, networked printer, endpoint,
internal mail, IM, webmail and others; the shares shown are 42%, 16%, 12%, 11%, 10%, 5%, 3% and
1% (the segment-to-label mapping is not recoverable from the extracted text).]

Source: http://www.networksunlimited.com


3.2 Organizational Data Classification, Location and Pathways

Enterprises are often unaware of all of the types and locations of information they possess.

It is important, prior to purchasing a DLP solution, to identify and classify sensitive data types and their
flow from system to system and to users. This process should yield a data taxonomy or classification
system that will be leveraged by various DLP modules as they scan for and take action on information
that falls into the various classifications within the taxonomy. Analysis of critical business processes
should yield the required information.

Classifications can include categories such as private customer or employee data, financial data and
intellectual property. Once the data have been identified and classified appropriately, further analysis
of processes should facilitate the location of primary data stores and key data pathways.

Frequently multiple copies and variations of the same data are scattered across the enterprise on
servers, individual workstations, tape and other media. Copies are frequently made to facilitate
application testing without first cleansing the data of sensitive content. Having a good idea of the data
classifications and location of the primary data stores proves helpful in both the selection and
placement of the DLP solution.

Once the DLP solution is in place, it can assist in locating additional data locations and pathways. It is
also important to understand the enterprise’s data life cycle. Understanding the life cycle from point
of origin through processing, maintenance, storage and disposal will help uncover further data
repositories and transmission paths. Additional information should be collected by conducting an
inventory of all data egress points since not all business processes are documented and not all data
movement is a result of an established process. Analysis of firewall and router rule sets can aid these
efforts.

DLP features vs. DLP solutions

The DLP market is also split between DLP as a feature and DLP as a solution. A number of
products, particularly email security solutions, provide basic DLP functions, but aren't complete
DLP solutions. The difference is:

• A DLP product includes centralized management, policy creation and enforcement
workflow dedicated to the monitoring and protection of content and data. The user
interface and functionality are dedicated to solving the business and technical problems
of protecting content through content awareness.
• DLP features include some of the detection and enforcement capabilities of DLP
products, but are not dedicated to the task of protecting content and data.


3.3 Content Awareness

Content vs. Context

We need to distinguish content from context. One of the defining characteristics of DLP solutions is
their content awareness. This is the ability of products to analyse deep content using a variety of
techniques, and is very different from analysing context. It's easiest to think of content as a letter and
context as the envelope and environment around it.

Context includes things like source; destination; size; recipients; sender; header information;
metadata; time; format and anything else short of the content of the letter itself. Context is highly
useful and any DLP solution should include contextual analysis as part of an overall solution. A more
advanced version of contextual analysis is business context analysis, which involves deeper analysis of
the content, its environment at the time of analysis and the use of the content at that time.

Content awareness involves peering inside containers and analysing the content itself. The advantage
of content awareness is that while we use context, we're not restricted by it. If I want to protect a
piece of sensitive data, I would want to protect it everywhere and not just in obviously sensitive
containers. I'm protecting the data, not the envelope, so it makes a lot more sense to open the letter,
read it, and decide how to treat it. This is more difficult and time consuming than basic contextual
analysis and is the defining characteristic of DLP solutions.

Content Analysis
The first step in content analysis is capturing the envelope and opening it. The engine then needs to
parse the context (we'll need that for the analysis) and dig into it. This is easy for a plain text email,
but when you want to look inside binary files, it gets a little more complicated.

All DLP solutions solve this using file cracking. File cracking is the technology used to read and
understand the file, even if the content is buried multiple levels down. For example, it's not unusual
for the cracker to read an Excel spreadsheet embedded in a Word file that's zipped. The product needs
to unzip the file, read the Word doc, analyse it, find the Excel data, read it and analyse it.

Other situations get far more complex, like a .pdf embedded in a CAD file. Many of the products in the
market today support around 300 file types, embedded content, multiple languages, double byte
character sets for Asian languages, and pulling plain text from unidentified file types. Quite a few use
the Autonomy or Verity content engines to help with file cracking, but all the serious tools have quite
a bit of proprietary capability in addition to the embedded content engine. Some tools support
analysis of encrypted data if enterprise encryption is used with recovery keys, and most tools can
identify standard encryption and use that as a contextual rule to block or quarantine content.
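To make file cracking concrete, here is an added Python example (not the handbook's or any vendor's code) that recursively opens nested ZIP-based containers and pulls text from each layer. It relies on .docx and .xlsx packages being ZIP archives of XML parts; the sample archive, document and embedded spreadsheet are constructed in memory with only the parts the cracker reads.

```python
"""Added example of 'file cracking' (not the handbook's code): recursively open
nested containers and pull text out of each layer. It relies on .docx/.xlsx being
ZIP packages of XML parts, and builds a constructed ZIP -> .docx -> embedded .xlsx
sample in memory, so it runs without any real documents."""
import io
import re
import zipfile

XML_TEXT_RE = re.compile(r">([^<>]+)<")   # text nodes sitting between tags
XML_SUFFIXES = (".xml", ".rels")
MAX_DEPTH = 8                             # bound recursion on deeply nested inputs


def _xml_text(data: bytes) -> str:
    """Collect the text nodes of an XML part into one string."""
    raw = data.decode("utf-8", "replace")
    return " ".join(t.strip() for t in XML_TEXT_RE.findall(raw) if t.strip())


def crack(data: bytes, path: str = "<root>", depth: int = 0):
    """Yield (path, text) for each text-bearing part, descending into any member
    that is itself a ZIP container (.zip, .docx, .xlsx, ...)."""
    if depth > MAX_DEPTH:
        return
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                yield from crack(zf.read(name), f"{path}/{name}", depth + 1)
    elif path.lower().endswith(XML_SUFFIXES):
        text = _xml_text(data)
        if text:
            yield path, text
    elif path.lower().endswith(".txt"):
        yield path, data.decode("utf-8", "replace")
    # other member types (images, unknown binaries) would need their own parser


def search(data: bytes, pattern: str):
    """Apply one content rule to every cracked part; return the paths that match."""
    rx = re.compile(pattern)
    return [path for path, text in crack(data) if rx.search(text)]


def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed sample: archive.zip -> report.docx -> embedded sheet.xlsx,
    using only the parts this cracker needs (real packages carry many more)."""
    xlsx = _zip_bytes({
        "xl/sharedStrings.xml":
            b"<sst><si><t>Customer</t></si><si><t>4111111111111111</t></si></sst>",
    })
    docx = _zip_bytes({
        "word/document.xml":
            b"<w:document><w:body><w:p><w:r><w:t>Q3 card settlement report"
            b"</w:t></w:r></w:p></w:body></w:document>",
        "word/embeddings/sheet.xlsx": xlsx,
    })
    return _zip_bytes({"report.docx": docx, "readme.txt": b"internal only"})


SHEET_PATH = "<root>/report.docx/word/embeddings/sheet.xlsx/xl/sharedStrings.xml"

if __name__ == "__main__":
    for path, text in crack(build_sample()):
        print(path, "->", text)
    # the 16-digit run is found three containers deep
    print(search(build_sample(), r"(?<!\d)\d{16}(?!\d)"))
```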


3.4 Content Analysis Techniques

Once the content is accessed, there are seven major analysis techniques used to find policy violations,
each with its own strengths and weaknesses.

1. Rule based/ Regular expressions: This is the most common analysis technique, available in both DLP
products and other tools with DLP features. It analyses the content against specific rules, such as 16 digit
numbers that meet credit card checksum requirements, medical billing codes or other textual
patterns. Most DLP solutions enhance basic regular expressions with their own additional analysis
rules (e.g. a name in proximity to an address near a credit card number).

Best suited for: a first-pass filter, or detecting easily identified pieces of structured data like
credit card numbers, social security numbers and healthcare codes/ records.

Strengths: rules process quickly and can be easily configured. Most products ship with initial rule sets.
The technology is well understood and easy to incorporate into a variety of products.

Weaknesses: prone to high false positive rates. Offers very little protection for unstructured content
like sensitive intellectual property.

2. Database fingerprinting: Sometimes called Exact Data Matching, this technique takes either a
database dump or live data (via an ODBC connection) from a database and looks only for exact matches.
For example, you could generate a policy to look only for credit card numbers in your customer base,
thus ignoring your own employees buying online. More advanced tools look for combinations of
information, such as the magic combination of first name or initial with last name, credit card or social
security number that triggers a disclosure. Make sure you understand the performance and security
implications of nightly extracts vs. live database connections.

Best suited for: structured data from databases.

Strengths: very low false positives (close to 0). Allows you to protect customer/ sensitive data while
ignoring other, similar data used by employees (like their personal credit cards for online orders).

Weaknesses: nightly dumps won't contain transaction data since the last extract. Live connections can
affect database performance. Large databases affect product performance.
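As an added example (not the handbook's own code) covering both the rule-based technique (1) and database fingerprinting (2), the following Python combines a regular expression with the Luhn checksum and a name-proximity rule, then matches candidates against a hashed customer extract so that an employee's own card is ignored. All card numbers (public test numbers), names and messages are constructed test data.

```python
"""Added example for the rule-based and exact-data-matching techniques above.
It is not code from the handbook; the card numbers, names and message text
are constructed test data (the card numbers are public test numbers)."""
import hashlib
import re

# 13-19 digit runs, optionally separated by spaces or dashes
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# naive "First Last" name pattern used for the proximity rule
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Never echo a full PAN into an alert; keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_card_numbers(text: str):
    """Return (digits, offset) for every candidate that passes the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append((digits, m.start()))
    return found


def rule_based_scan(text: str, window: int = 60):
    """Technique 1: regex + checksum, tightened by a proximity rule so a card
    number only fires when a personal name sits within `window` characters."""
    names = [(m.group(), m.start()) for m in NAME_RE.finditer(text)]
    hits = []
    for pan, pos in find_card_numbers(text):
        near = [n for n, npos in names if abs(npos - pos) <= window]
        if near:
            hits.append({"pan": mask(pan), "names": near})
    return hits


class ExactDataMatcher:
    """Technique 2: match only PANs that exist in our own customer extract.
    Only hashes are kept, so the extract itself does not become a second leak."""

    def __init__(self, customer_pans):
        self._hashes = {self._h(p) for p in customer_pans}

    @staticmethod
    def _h(pan: str) -> str:
        return hashlib.sha256(pan.encode()).hexdigest()

    def scan(self, text: str):
        return [mask(p) for p, _ in find_card_numbers(text)
                if self._h(p) in self._hashes]


# constructed sample data
CUSTOMER_EXTRACT = ["4111111111111111", "378282246310005"]   # the "nightly dump"
OUTBOUND_MSG = ("Hi, John Smith paid with 4111 1111 1111 1111 yesterday; "
                "order 1234567890123456 is ready.")
EMPLOYEE_MSG = "Expense claim: booked the hotel on my own card 5555 5555 5555 4444."

if __name__ == "__main__":
    print(rule_based_scan(OUTBOUND_MSG))        # name near a valid card number
    edm = ExactDataMatcher(CUSTOMER_EXTRACT)
    print(edm.scan(OUTBOUND_MSG))               # customer card: alert
    print(edm.scan(EMPLOYEE_MSG))               # employee's own card: ignored
```

The order number in the sample is a 16-digit run that fails the Luhn check, which is the difference between a bare regex and the checksum-qualified rule the handbook describes.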

3. Exact file matching: With this technique you take a hash of a file and monitor for any files that
match that exact fingerprint. Some consider this to be a contextual analysis technique since the file
contents themselves are not analysed.

Best suited for: media files and other binaries where textual analysis isn't necessarily possible.

Strengths: works on any file type; low false positives with a large enough hash value (effectively none).

Weaknesses: trivial to evade. Worthless for content that's edited, such as standard office documents
and edited media files.

4. Partial document matching: This technique looks for a complete or partial match on protected
content. Thus you could build a policy to protect a sensitive document, and the DLP solution will look
for either the complete text of the document, or even excerpts as small as a few sentences. For
example, you could load up a business plan for a new product and the DLP solution would alert if an
employee pasted a single paragraph into an Instant Message. Most solutions are based on a technique
known as cyclical hashing, where you take a hash of a portion of the content, offset a predetermined
number of characters, then take another hash, and keep going until the document is completely
loaded as a series of overlapping hash values. Outbound content is run through the same hash
technique, and the hash values compared for matches. Many products use cyclical hashing as a base,
then add more advanced linguistic analysis.

Best suited for: protecting sensitive documents or similar content with text, such as CAD files (with
text labels) and source code; unstructured content that's known to be sensitive.

Strengths: ability to protect unstructured data. Generally low false positives (some vendors will claim
zero false positives, but any common sentence/ text in a protected document can trigger alerts).
Doesn't rely on complete matching of large documents; it can find policy violations on even a partial
match.

Weaknesses: performance limitations on the total volume of content that can be protected. Common
phrases/ verbiage in a protected document may trigger false positives. Must know exactly which
documents you want to protect. Trivial to evade (ROT 1 encryption is sufficient for evasion).
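An added example, not from the handbook, of cyclical hashing in Python: the protected document is turned into overlapping hashes of eight-word windows, outbound text is hashed the same way and compared, and the ROT 1 weakness noted above is shown on constructed sample text (the business plan and messages are invented).

```python
"""Added example (not the handbook's code): partial document matching with
overlapping ('cyclical') hashes over word windows. All sample text is constructed."""
import hashlib
import re

WINDOW = 8  # words per hashed chunk; an excerpt shorter than this cannot match


def _tokens(text: str):
    """Normalise case, punctuation and whitespace so trivial edits do not break matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def _chunk_hashes(words, window: int = WINDOW):
    """Hash every `window`-word slice, advancing one word at a time, so the
    document becomes a series of overlapping hash values."""
    for i in range(len(words) - window + 1):
        chunk = " ".join(words[i:i + window]).encode()
        yield hashlib.sha256(chunk).hexdigest()[:16]


class PartialDocumentMatcher:
    def __init__(self):
        self._index = {}  # chunk hash -> name of the registered document

    def register(self, name: str, text: str):
        """Load a protected document as its set of overlapping chunk hashes."""
        for h in _chunk_hashes(_tokens(text)):
            self._index[h] = name

    def scan(self, outbound: str, min_hits: int = 3):
        """Run outbound text through the same hashing and count matching chunks.
        Returns {document: hits} for documents reaching `min_hits`; the threshold
        keeps a single common phrase from raising an alert on its own."""
        hits = {}
        for h in _chunk_hashes(_tokens(outbound)):
            doc = self._index.get(h)
            if doc:
                hits[doc] = hits.get(doc, 0) + 1
        return {d: n for d, n in hits.items() if n >= min_hits}


def rot1(text: str) -> str:
    """Shift letters by one place; used only to demonstrate the evasion weakness."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + 1) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


# constructed sample data
PLAN = ("Project Falcon will launch a subscription tier for small clinics in the "
        "second quarter. Pricing starts at forty dollars per seat per month with a "
        "ten percent annual discount. The launch depends on completing the billing "
        "integration before the end of March.")
PASTED = ("pricing starts at forty dollars per seat per month with a ten percent "
          "annual discount")   # one sentence of the plan, lower-cased, no period
UNRELATED = "Lunch at noon tomorrow to discuss the quarterly offsite agenda and travel."

if __name__ == "__main__":
    matcher = PartialDocumentMatcher()
    matcher.register("plan", PLAN)
    print(matcher.scan(PASTED))        # excerpt detected
    print(matcher.scan(UNRELATED))     # nothing
    print(matcher.scan(rot1(PASTED)))  # same content, shifted letters: missed
```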

5. Statistical analysis: Use of machine learning, Bayesian analysis and other statistical techniques to
analyse a corpus of content and find policy violations in content that resembles the protected content.
This category includes a wide range of statistical techniques which vary greatly in implementation and
effectiveness. Some techniques are very similar to those used to block spam.

Best suited for: unstructured content where a deterministic technique like partial document
matching would be ineffective; for example, a repository of engineering plans that's impractical to
load for partial document matching due to high volatility or massive volume.

Strengths: can work with more nebulous content where you may not be able to isolate exact
documents for matching. Can enforce policies such as "alert on anything outbound that resembles the
documents in this directory".

Weaknesses: prone to false positives and false negatives. Requires a large corpus of source content;
the bigger, the better.

6. Conceptual/ Lexicon: This technique uses a combination of dictionaries, rules and other analyses
to protect nebulous content that resembles an "idea". It is easier to give an example: a policy that
alerts on traffic that resembles insider trading, which uses key phrases, word counts and positions to
find violations. Other examples are sexual harassment, running a private business from a work account
and job hunting.

Best suited for: completely unstructured ideas that defy simple categorization based on matching
known documents, databases or other registered sources.

Strengths: not all corporate policies or content can be described using specific examples. Conceptual
analysis can find closely defined policy violations that other techniques cannot even be set up to monitor for.

Weaknesses: in most cases these are not user-definable, and the rule sets must be built by the DLP
vendor with significant effort, which costs more. This technique is very prone to false positives and
negatives because of the flexible nature of the rules.

7. Categories: Pre-built categories with rules and dictionaries for common types of sensitive data,
such as credit card numbers/ PCI protection, HIPAA etc.

Best suited for: anything that neatly fits a provided category. Typically, easy-to-describe content
related to privacy, regulations or industry specific guidelines.

Strengths: extremely simple to configure. Saves significant policy generation time. Category policies
can form the basis for more advanced, enterprise specific policies. For many organizations, categories
can meet a large percentage of their data protection needs.

Weaknesses: one size fits all might not work. Only good for easily categorized rules and content.

These seven techniques form the basis for most of the DLP products on the market. Not all products
include all techniques, and there can be significant differences between implementations. Most
products can also chain techniques — building complex policies from combinations of content and
contextual analysis techniques.


3.5 Data Protection

The goal of DLP is to protect content throughout its lifecycle. In terms of DLP, this includes three
major aspects:
• Data at Rest includes scanning of storage and other content repositories to identify where
sensitive content is located. We call this content discovery. For example, you can use a DLP
product to scan your servers and identify documents with credit card numbers. If the server
isn't authorized for that kind of data, the file can be encrypted or removed or a warning sent to
the file owner.

• Data in Motion covers sniffing traffic on the network (passively, or inline via a proxy) to identify
content being sent across specific communications channels. For example, this includes sniffing
emails, instant messages and web traffic for snippets of sensitive source code. In motion, tools
can often block based on central policies, depending on the type of traffic.

• Data in Use is typically addressed by endpoint solutions that monitor data as the user interacts
with it. For example, they can identify when you attempt to transfer a sensitive document to a
USB drive and block it (as opposed to blocking use of the USB drive entirely). Data in use tools
can also detect things like copy and paste or use of sensitive data in an unapproved application
(such as someone attempting to encrypt data to sneak it past the sensors).

Many organizations first enter the world of DLP with network based products that provide broad
protection for managed and unmanaged systems. It’s typically easier to start a deployment with
network products to gain broad coverage quickly. Early products limited themselves to basic
monitoring and alerting, but all current products include advanced capabilities to integrate with
existing network infrastructure and provide protective, not just detective controls.


Data In Motion
Network Monitor

At the heart of most DLP solutions lies a passive network monitor. The network monitoring component
is typically deployed at or near the gateway on a SPAN (mirror) port or a similar tap. It performs full
packet capture, session reconstruction and content analysis in real time.

Performance is more complex and subtle than vendors normally discuss. On the client expectation side,
most clients claim they need full gigabit Ethernet performance, but that level of performance is
unnecessary except in very unusual circumstances, since few organizations really run that much
relevant traffic: DLP is a tool to monitor employee communications, not web application traffic.
Realistically, small enterprises normally run under 50 MB/s of relevant traffic, medium enterprises
closer to 50-200 MB/s and large enterprises around 300 MB/s (perhaps as high as 500 MB/s in a few
cases).

Not every product runs full packet capture, because of the content analysis overhead. You might have
to choose between pre-filtering (and thus missing non-standard traffic) or buying more boxes and load
balancing. Also, some products lock monitoring into pre-defined port and protocol combinations
rather than identifying the service or channel from packet content. Even if full application channel
identification is included, make sure it is enabled; otherwise you might miss non-standard
communications such as a connection over an unusual port. Most network monitors are general purpose
server hardware with DLP software installed; a few vendors deploy true specialized appliances. While
some products have their management, workflow and reporting built into the network monitor, this is
often offloaded to a separate server or appliance.

Email Integration

The next major component is email integration. Since email is store-and-forward, you gain a lot of
capabilities, including quarantine, encryption integration and filtering, without the hurdles of
blocking synchronous traffic.

Most products embed an MTA (Mail Transfer Agent), allowing you to add it as another hop in the email
chain. Quite a few also integrate directly with the major existing MTAs/ email security solutions for
better performance. One weakness of this approach is that it doesn't give you access to internal
email. If you're on an Exchange server, internal messages never pass through the external MTA since
there's no reason to send that traffic out. To monitor internal mail, you'll need direct Exchange/
Lotus integration, which is surprisingly rare in the market. Full integration is different from just
scanning logs/ message stores after the fact, which is what some companies call internal mail
support. Good email integration is absolutely critical if you ever want to do any filtering, as
opposed to just monitoring.

Filtering/ Blocking and Proxy Integration

Nearly anyone deploying a DLP solution will eventually want to start blocking traffic. There's only so
long you can watch all your sensitive data running to the nether regions of the Internet before you
start taking some action. Blocking isn't the easiest thing in the world, since we want to allow good
traffic, block only bad traffic, and make the decision using real-time content analysis. Email, as we
mentioned, is fairly straightforward to filter: it isn't quite real time and is 'proxied' by its very
nature, so adding one more analysis hop is a manageable problem in even the most complex
environments. Outside of email, most of our communications traffic is synchronous and runs in real
time. Thus if we want to filter it we either need to bridge the traffic, proxy it or poison it from
the outside.


Bridge

With a bridge, we just have a system with two network cards which performs content analysis in the
middle. If we see something bad, the bridge breaks the connection for that session. Bridging isn't the
best approach for DLP since it might not stop all the bad traffic before it leaks out. It's like sitting in a
doorway watching everything go past with a magnifying glass. By the time you get enough traffic to
make an intelligent decision, you may have missed the really good stuff. Very few products take this
approach although it does have the advantage of being protocol agnostic.

Proxy

In simplified terms, a proxy is protocol/ application specific and queues up traffic before passing it
on, allowing for deeper analysis. We see gateway proxies mostly for HTTP, FTP and IM protocols. Few
DLP solutions include their own proxies; they tend to integrate with existing gateway/ proxy vendors,
since most customers prefer integration with these existing tools. Integration for web gateways is
typically through ICAP (the Internet Content Adaptation Protocol, RFC 3507), which lets the proxy hand
each request to the DLP server for analysis and cut the communication if there is a violation. This
means you don't have to add another piece of hardware in front of your network traffic, and the DLP
vendors avoid the difficulties of building dedicated network hardware for inline analysis. If the
gateway can intercept SSL/ TLS (terminating the user's connection and re-encrypting towards the
destination), you can also inspect encrypted connections. You will need to deploy the gateway's
signing certificate to your endpoints' trust stores, otherwise every user sees certificate warnings,
and applications that pin their certificates will stop working rather than accept the interception.
For Instant Messaging, you'll need an IM proxy and a DLP product that specifically supports whatever
IM protocol you're using.
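The proxy/ ICAP integration described above, reduced to a runnable exchange. This is an added example written for this edit, not code from any DLP or proxy vendor: a proxy-side function wraps an outbound HTTP POST in an ICAP REQMOD request, and a DLP-side handler parses the encapsulated request, decodes the chunked body, evaluates a constructed two-rule policy, and answers either "204 No Content" (forward unmodified) or "200 OK" carrying an encapsulated HTTP 403, which the proxy returns to the user as the block page. The host name, policy rules and sample request are assumptions; OPTIONS negotiation, Preview and RESPMOD are part of real ICAP and are omitted here.

```python
import re
from typing import Optional, Tuple

ICAP_HOST = b"dlp.example.internal"   # assumed hostname of the DLP ICAP service

# Constructed content rules the DLP side evaluates; a real product would chain the
# content analysis techniques from earlier in this chapter here.
POLICY = [
    ("classification marker", re.compile(rb"\bCONFIDENTIAL\b|\bINTERNAL ONLY\b")),
    ("16-digit number", re.compile(rb"(?<!\d)\d{16}(?!\d)")),
]


def chunked(body: bytes) -> bytes:
    """HTTP/1.1 chunked encoding, which ICAP requires for encapsulated bodies."""
    return (b"%x\r\n%s\r\n" % (len(body), body) if body else b"") + b"0\r\n\r\n"


def dechunk(data: bytes) -> bytes:
    out, pos = b"", 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2                                      # skip data and its CRLF


def build_reqmod(http_request_headers: bytes, body: bytes) -> bytes:
    """Proxy side: wrap an outbound HTTP request in an ICAP REQMOD message.
    Offsets in Encapsulated are relative to the start of the encapsulated section."""
    icap_headers = b"".join([
        b"REQMOD icap://" + ICAP_HOST + b"/reqmod ICAP/1.0\r\n",
        b"Host: " + ICAP_HOST + b"\r\n",
        b"Allow: 204\r\n",          # proxy accepts a "204 No Content" (unmodified) reply
        b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_request_headers),
    ])
    return icap_headers + http_request_headers + chunked(body)


def parse_encapsulated(icap_msg: bytes) -> Tuple[bytes, bytes, bytes]:
    """DLP side: split an ICAP message into (ICAP headers, HTTP headers, decoded body)."""
    icap_hdr, _, encapsulated = icap_msg.partition(b"\r\n\r\n")
    enc = re.search(rb"Encapsulated:\s*([^\r\n]+)", icap_hdr).group(1)
    offsets = {}
    for part in enc.split(b","):
        name, _, off = part.strip().partition(b"=")
        offsets[name] = int(off)
    hdr_start = offsets.get(b"req-hdr", 0)
    body_start = offsets.get(b"req-body")
    if body_start is None:                     # null-body: headers only
        return icap_hdr, encapsulated[hdr_start:], b""
    return icap_hdr, encapsulated[hdr_start:body_start], dechunk(encapsulated[body_start:])


def evaluate_policy(icap_msg: bytes) -> Optional[str]:
    """Return the name of the first violated rule, or None if the request is clean."""
    _, http_hdr, body = parse_encapsulated(icap_msg)
    for name, rule in POLICY:
        if rule.search(body) or rule.search(http_hdr):   # query strings live in the request line
            return name
    return None


def handle_reqmod(icap_msg: bytes) -> bytes:
    """DLP side: 204 lets the proxy forward the request unchanged; 200 with an
    encapsulated HTTP 403 makes the proxy return the block page instead."""
    violation = evaluate_policy(icap_msg)
    if violation is None:
        return b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"
    text = b"Blocked by DLP policy: " + violation.encode()
    http = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\n\r\n" % len(text))
    icap = b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http)
    return icap + http + chunked(text)


# Constructed sample request as the proxy would see it on the way out of the network.
REQ_HEADERS = (b"POST /upload HTTP/1.1\r\nHost: paste.example.org\r\n"
               b"Content-Type: text/plain\r\n\r\n")
CLEAN_BODY = b"Lunch menu for Friday: dal, rice, salad.\n"
LEAKY_BODY = b"INTERNAL ONLY - customer export\nacct 4111111111111111 balance 120.00\n"


def demo() -> Tuple[bytes, bytes]:
    """Run both requests through the exchange; returns the two ICAP status lines."""
    return tuple(handle_reqmod(build_reqmod(REQ_HEADERS, body)).split(b"\r\n")[0]
                 for body in (CLEAN_BODY, LEAKY_BODY))


if __name__ == "__main__":
    for line in demo():
        print(line.decode())
```

Because the proxy queues the whole request before asking the DLP server, the block decision is made before any byte reaches the destination, which is the property bridging and TCP poisoning lack.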

TCP Poisoning

The last method of filtering is TCP poisoning. You monitor the traffic and when you see something
bad, you inject a TCP reset (RST) packet to kill the connection. This works on every TCP protocol but
isn't very efficient. For one thing, some protocols will keep trying to get the traffic through: if
you TCP poison a single email message, the sending server will keep retrying it for three days, as
often as every 15 minutes. The other problem is the same as bridging. Since you don't queue the traffic
at all, by the time you notice something bad it might be too late, and part of the data has already
left. It's a good stop-gap to cover non-standard protocols, but you'll want to proxy as much as
possible.

Internal Networks

Although technically capable of monitoring internal networks, DLP is rarely used on internal traffic
other than email. Gateways provide convenient choke points. Internal monitoring is a daunting
prospect from cost, performance, and policy management/ false positive standpoints. A few DLP
vendors have partnerships for internal monitoring, but this is a lower priority feature for most
organizations.

Distributed and Hierarchical Deployments

All medium to large enterprises and many smaller organizations have multiple locations and web
gateways. A DLP solution should support multiple monitoring points, including a mix of passive
network monitoring, proxy points, email servers and remote locations. While processing/ analysis can
be offloaded to remote enforcement points, they should send all events back to a central management
server for workflow, reporting, investigations and archiving. Remote offices are usually easy to
support since you can just push policies down and reporting back, but not every product has this
capability. The more advanced products support hierarchical deployments for organizations that want
to manage DLP differently in multiple geographic locations or by business unit. International
companies often need this to meet legal monitoring requirements which vary by country. Hierarchical
management supports coordinated local policies and enforcement in different regions, running on
their own management servers and communicating back to a central management server. Early
products only supported one management server but now we have options to deal with these
distributed situations with a mix of corporate/ regional/ business unit policies, reporting and
workflow.

Data At Rest
While catching leaks on the network is fairly powerful, it's only one small part of the problem. Many
customers are finding that it's just as valuable, if not more valuable, to figure out where all that data
is stored in the first place. We call this content discovery. Enterprise search tools might be able to help
with this, but they really aren't tuned well for this specific problem. Enterprise data classification tools
can also help, but based on discussions with a number of clients, they don't seem to work well for
finding specific policy violations. Thus we see many clients opting to use the content discovery features
of their DLP products. The biggest advantage of content discovery in a DLP tool is that it allows you to
take a single policy, and apply it across data no matter where it's stored, how it's shared, or how it's
used. For example, you can define a policy that requires credit card numbers to only be emailed when
encrypted, never be shared via HTTP or HTTPS, only be stored on approved servers and only be stored
on workstations/ laptops by employees on the accounting team. All of this can be specified in a single
policy on the DLP management server.

Content discovery consists of three components:

 Endpoint discovery: scanning workstations and laptops for content.

 Storage discovery: scanning mass storage, including file servers, SAN and NAS.

 Server discovery: application specific scanning of stored data on email servers, document
management systems and databases (not currently a feature of most DLP products, but
beginning to appear in some Database Activity Monitoring products).

Content Discovery Techniques

There are three basic techniques for content discovery:

1. Remote scanning: a connection is made to the server or device using a file sharing or application
protocol, and scanning is performed remotely. This is essentially mounting a remote drive and
scanning it from a server that takes policies from, and sends results to the central policy server.
For some vendors, this is an appliance while for others, it's a commodity server. For smaller
deployments, it's integrated into the central management server.
2. Agent Based scanning: an agent is installed on the system (server) to be scanned and scanning is
performed locally. Agents are platform specific, and use local CPU cycles, but can potentially
perform significantly faster than remote scanning, especially for large repositories. For endpoints,
this should be a feature of the same agent used for enforcing.
3. Memory resident agent scanning: rather than deploying a full-time agent, a memory resident
agent is installed, performs a scan, then exits without leaving anything running or stored on
the local system. This offers the performance of agent based scanning in situations where you
don't want an agent running all the time.

Any of these techniques can be used for any of the three discovery components above, and
enterprises will typically deploy a mix depending on policy and infrastructure requirements.


We currently see technology limitations with each approach which guide deployment:
• Remote scanning can significantly increase network traffic and has performance limitations based
on network bandwidth and target and scanner network performance. Some solutions can only
scan gigabytes per day (sometimes hundreds, but not terabytes per day), per server based on
these practical limitations, which may be inadequate for very large storage.
• Agents, temporary or permanent, are limited by the processing power and memory of the target
system, which often translates to restrictions on the number of policies that can be enforced and
the types of content analysis that can be used. Endpoint agents are the most constrained: most are
not capable of partial document matching or database fingerprinting against large data sets.
• Agents don't support all platforms.

Data at Rest Enforcement

Once a policy violation is discovered, the DLP tool can take a variety of actions:
• Alert/ report: create an incident in the central management server, just like a network violation.
• Warn: notify the user via email that they may be in violation of policy.
• Quarantine/ notify: move the file to the central management server and leave a text file with
instructions on how to request recovery of the file.
• Quarantine/ encrypt: encrypt the file in place, usually leaving a plain text file describing how to
request decryption.
• Quarantine/ access control: change access controls to restrict access to the file.
• Remove/ delete: either transfer the file to the central server without notification, or just delete it.

The combination of different deployment architectures, discovery techniques and enforcement
options creates a powerful toolkit for protecting data at rest and supporting compliance
initiatives. For example, we're starting to see increasing deployments of CMF (content monitoring
and filtering, an earlier name for DLP) to support PCI compliance, more for the ability to ensure
(and report) that no cardholder data is stored in violation of PCI DSS than to protect email or web
traffic.
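The single-policy idea from the start of this section ("only be stored on approved servers") together with the enforcement actions just listed, as an added example written for this edit rather than any product's code. It walks a mounted directory tree the way a remote or agent scan would, classifies each file with a constructed marker rule (standing in for the content analysis techniques of 3.4), permits sensitive files that sit under an approved location, and applies one of three actions from the list: alert, restrict access (owner-only permissions), or quarantine with a recovery notice left in place. The approved location, file contents and the local quarantine directory (a real product moves the file to the management server) are assumptions.

```python
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Constructed classification rule; a real scanner applies the same content analysis
# techniques used on the network (regex, fingerprints, categories).
SENSITIVE_MARKER = b"CLASSIFICATION: CONFIDENTIAL"
MAX_READ = 4 * 1024 * 1024   # cap bytes inspected per file
NOTICE = "This file was quarantined by the DLP discovery scan. Contact security to request recovery.\n"


@dataclass
class Incident:
    path: str
    action: str
    detail: str


def is_sensitive(data: bytes) -> bool:
    return SENSITIVE_MARKER in data


def under_any(path: str, roots: Sequence[str]) -> bool:
    """True if path lies inside one of the approved storage locations."""
    path = os.path.abspath(path)
    for root in roots:
        root = os.path.abspath(root)
        if os.path.commonpath([path, root]) == root:
            return True
    return False


def enforce(path: str, action: str, quarantine_dir: str) -> Incident:
    """Apply one of the data-at-rest actions from the text to a violating file."""
    if action == "alert":
        return Incident(path, "alert", "incident raised on management server")
    if action == "restrict_access":
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)      # owner read/write only (0600)
        return Incident(path, "restrict_access", "mode set to 0600")
    if action == "quarantine_notify":
        os.makedirs(quarantine_dir, exist_ok=True)
        dest = os.path.join(quarantine_dir, os.path.basename(path))
        shutil.move(path, dest)                            # central server in a real product
        with open(path + ".txt", "w") as note:             # leave recovery instructions behind
            note.write(NOTICE)
        return Incident(path, "quarantine_notify", "moved to " + dest)
    raise ValueError("unknown action: " + action)


def scan_tree(root: str, action: str, quarantine_dir: str,
              approved_roots: Sequence[str] = ()) -> List[Incident]:
    """Walk a tree (remote mount or local agent alike) and apply one policy.
    Sensitive files stored under an approved location are permitted by the policy."""
    incidents: List[Incident] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) != quarantine_dir]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_READ)
            except OSError as exc:                         # unreadable files are reported, not skipped silently
                incidents.append(Incident(path, "error", str(exc)))
                continue
            if is_sensitive(data) and not under_any(path, approved_roots):
                incidents.append(enforce(path, action, quarantine_dir))
    return incidents


def demo(action: str = "quarantine_notify") -> Dict[str, object]:
    """Create a constructed tree in a temp directory, scan it, report, clean up."""
    root = tempfile.mkdtemp(prefix="dlp-demo-")
    try:
        approved = os.path.join(root, "finance")          # assumed: the only approved location
        os.makedirs(os.path.join(root, "shared"))
        os.makedirs(approved)
        files = {
            "shared/plan.txt": b"CLASSIFICATION: CONFIDENTIAL\nQ3 acquisition plan\n",
            "shared/menu.txt": b"Canteen menu for the week\n",
            "finance/ledger.txt": b"CLASSIFICATION: CONFIDENTIAL\nledger extract\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        quarantine = os.path.join(root, ".quarantine")
        incidents = scan_tree(root, action, quarantine, approved_roots=[approved])
        target = os.path.join(root, "shared", "plan.txt")
        return {
            "incidents": [(os.path.relpath(i.path, root).replace(os.sep, "/"), i.action)
                          for i in incidents],
            "source_exists": os.path.exists(target),
            "notice_exists": os.path.exists(target + ".txt"),
            "quarantined": os.path.exists(os.path.join(quarantine, "plan.txt")),
            "mode": stat.S_IMODE(os.stat(target).st_mode) if os.path.exists(target) else None,
        }
    finally:
        shutil.rmtree(root)
```

Run `demo("alert")`, `demo("restrict_access")` and `demo("quarantine_notify")` to compare the three outcomes: only the confidential file outside the approved location generates an incident, and the quarantine action leaves a plain-text notice at the original path so the owner knows where the file went.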

Data In Use

DLP usually starts on the network because that's the most cost-effective way to get the broadest
coverage. Network monitoring is non-intrusive (unless you have to crack SSL), and offers visibility to
any system on the network, managed or unmanaged, server or workstation. Filtering is more difficult,
but again still relatively straightforward on the network (especially for email) and covers all systems
connected to the network. However, this isn't a complete solution. It doesn't protect data when
someone walks out the door with a laptop, and can't even prevent people from copying data to
portable storage like USB drives. To move from a "leak prevention" solution to a "content protection"
solution, products need to expand not only to stored data, but to the endpoints where data is used.

Note: Although there have been large advancements in endpoint DLP, endpoint-only solutions are not
recommended for most users. DLP endpoint solutions normally require compromise on the number
and types of policies that can be enforced, offer limited email integration and provide no protection
for unmanaged systems. An organisation will need both network and endpoint capabilities, and most of
the leading network solutions are adding or already offer at least some endpoint protection.

Adding an endpoint agent to a DLP solution not only gives you the ability to discover stored content,
but to potentially protect systems no longer on the network or even protect data as it's being actively
used. While extremely powerful, it has been problematic to implement. Agents need to perform
within the resource constraints of a standard laptop while maintaining content awareness. This can
be difficult if you have large policies such as, "protect all 10 million credit card numbers from our
database", as opposed to something simpler like, "protect any credit card number" that will generate
false positives every time an employee visits say, flipkart.com.

Key capabilities: existing products vary widely in functionality, but three capabilities stand
out:

1. Monitoring and enforcement within the network stack: this allows enforcement of network
rules without a network appliance. The product should be able to enforce the same rules as if
the system were on the managed network as well as separate rules designed only for use on
unmanaged networks.

2. Monitoring and enforcement within the system kernel: by plugging directly into the operating
system kernel you can monitor user activity, such as copying and pasting sensitive content. This
can also allow products to detect (and block) policy violations when the user is taking sensitive
content and attempting to hide it from detection, perhaps by encrypting it or modifying source
documents.

3. Monitoring and enforcement within the file system: this allows monitoring and enforcement
based on where data is stored. For example, you can perform local discovery and/ or restrict
transfer of sensitive content to unencrypted USB devices.
These options are simplified, and most early products focus on 1 and 3 to solve the portable storage
problem, and protect devices on unmanaged networks. System/ kernel integration is much more
complex and there are a variety of approaches to gaining this functionality.

Endpoint DLP is evolving to support a few critical use cases:


• Enforcing network rules off the managed network or modifying rules for more hostile
networks.
• Restricting sensitive content from portable storage, including USB drives, CD/ DVD drives,
home storage and devices like smartphones and PDAs.
• Restricting copy and paste of sensitive content.
• Restricting applications allowed to use sensitive content, for example, only allowing
encryption with an approved enterprise solution, not tools downloaded online that don't
allow enterprise data recovery.
• Integration with Enterprise Digital Rights Management to automatically apply access control
to documents based on the included content.
• Auditing use of sensitive content for compliance reporting.


The following features are highly desirable when deploying DLP at the endpoint:

 Endpoint agents and rules should be centrally managed by the same DLP management server
that controls data in motion and data at rest (network and discovery).
 Policy creation and management should be fully integrated with other DLP policies in a single
interface.
 Incidents should be reported to, and managed by a central management server.
 Endpoint agent should use the same content analysis techniques and rules as the network
servers/ appliances.
 Rules (policies) should adjust based on where the endpoint is located (on or off the network).
When the endpoint is on a managed network with gateway DLP, redundant local rules should
be skipped to improve performance.
 Agent deployment should integrate with existing enterprise software deployment tools.
 Policy updates should offer options for secure management via the DLP management server
or existing enterprise software update tools.

Endpoint limitations

Realistically, the performance and storage limitations of the endpoint will restrict the types of
content analysis supported and the number and type of policies that are locally enforced. For
some enterprises, this might not matter depending on the kinds of policies to be enforced, but
in many cases endpoints impose significant constraints on data in use policies.

[Figure omitted; photo source: www.slideshare.net]

3.6 DLP Limitations

While DLP solutions can go far in helping an enterprise gain greater insight over and control of
sensitive data, stakeholders need to be apprised of limitations and gaps in DLP solutions.
Understanding these limitations is the first step in the development of strategies and policies to help
compensate for the limitations of the technology.

Some of the most significant limitations common among DLP solutions are:

 Encryption — DLP solutions can only inspect encrypted information that they can first decrypt. To
do this, DLP agents, network appliances and crawlers must have access to, and be able to utilize,
the appropriate decryption keys. If users have the ability to use personal encryption packages
where keys are not managed by the enterprise and provided to the DLP solution, the files cannot
be analyzed. To mitigate this risk, policies should forbid the installation and use of encryption
solutions that are not centrally managed, and users should be educated that anything that cannot
be decrypted for inspection (meaning that the DLP solution has the encryption key) will ultimately
be blocked.

 Graphics — DLP solutions cannot intelligently interpret graphics files. Short of blocking or
manually inspecting all such information, a significant gap will exist in an enterprise’s control of
its information. Sensitive information scanned into a graphics file or intellectual property (IP) that
exists in a graphics format, such as design documents would fall into this category. Enterprises
that have significant IP in a graphics format should develop strong policies that govern the use and
dissemination of this information. While DLP solutions cannot intelligently read the contents of a
graphics file, they can identify specific file types, their source and destination. This capability,
combined with well-defined traffic analysis can flag uncharacteristic movement of this type of
information and provide some level of control.

 Third-party service providers — When an enterprise sends its sensitive information to a trusted
third party, it is inherently trusting that the service provider mirrors the same level of control over
information leaks since the enterprise’s DLP solutions rarely extend to the service provider’s
network. A robust third-party management program that incorporates effective contract language
and a supporting audit program can help mitigate this risk.

 Mobile devices — With the advent of mobile computing devices, such as smartphones, there are
communication channels that are not easily monitored or controlled. Short message service (SMS)
is the communication protocol that allows text messaging, and is a key example. Another
consideration is the ability of many of these devices to utilize Wi-Fi or even become a Wi-Fi hotspot
themselves. Both cases allow for out-of-band communication that cannot be monitored by most
enterprises. Finally, the ability of many of these devices to capture and store digital photographs
and audio information presents yet another potential gap. While some progress is being made in
this area, the significant limitations of processing power and centralized management remain a
challenge. Again, this situation is best addressed by the development of strong policies and
supporting user education to compel appropriate use of these devices.


 Multilingual support — A few DLP solutions support multiple languages, but virtually all
management consoles support only English. For each additional language and character set the
system must support, processing requirements and analysis time windows increase. Until vendors
see sufficient market demand to address this gap, there is little recourse but to seek other
methods to control information leaks in languages other than English. Multinational enterprises
must carefully consider this potential gap when evaluating and deploying a DLP solution.

These points are not intended to discourage the adoption of DLP technology. The recourse for most
enterprises is to adopt behavioural policies and physical security controls that complement the
suite of technology controls available today. Further limitations to plan for include:

• Solution lock-in — At this time there is no portability of rule sets across various DLP platforms,
which means that changing from one vendor to another or integration with an acquired
organization’s solution can require significant work to replicate a complex rule set in a different
product.

• Limited client OS support — Many DLP solutions do not provide endpoint DLP agents for
operating systems such as Linux and Mac because their use as clients in the enterprise is much less
common. This does, however, leave a potentially significant gap for enterprises that have a
number of these clients. This risk can only be addressed by behavior oriented policies or requires
the use of customized solutions that are typically not integrated with the enterprise DLP platform.

• Cross application support — DLP functions can also be limited by application types. A DLP agent
that can monitor the data manipulations of one application may not be able to do so for another
application on the same system. Enterprises must ensure that all applications that can manipulate
sensitive data are identified and must verify that the DLP solution supports them. In cases where
unsupported applications exist, other actions may be required through policy, or if feasible,
through removal of the application in question.

The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft
or exposure of personally identifiable information (PII). DataLossDB's dataset, in current and previous
forms, has been used in research by numerous educational, governmental and commercial entities,
which often have been able to provide statistical analysis with graphical presentations.


The charts (not reproduced here) were provided in "as-is" format based on the current dataset
maintained by the Open Security Foundation and DataLossDB.

3.7 The DRM – DLP Conundrum

Digital Rights Management (DRM) is a system for protecting the copyrights of data circulated via the
Internet or other digital media by enabling secure distribution and/ or disabling illegal distribution
of the data. Typically, a DRM system protects intellectual property either by encrypting the data so
that it can only be accessed by authorized users, or by marking the content with a digital watermark
or similar method so that the content cannot be freely distributed. In consumer media, DRM is the
practice of imposing technological restrictions that control what users can do with digital content:
when a program is designed to prevent you from copying or sharing a song, reading an ebook on
another device, or playing a single-player game without an internet connection, you are being
restricted by DRM. Critics argue that DRM therefore creates a 'damaged good', since it prevents what
would otherwise be possible, concentrates control over the production and distribution of media in
the hands of DRM vendors, and lets those vendors revoke purchased content at scale and monitor
people's media viewing habits.

Enterprise Digital Rights Management (DRM) and Data Loss Prevention (DLP) are typically thought of
as separate technologies that could replace each other. DRM encrypts files and controls access
privileges dynamically as a file is in use. DLP detects patterns and can restrict movement of
information that meets certain criteria. Rather than being competitive, the reality is that many
organizations can use them as complementary solutions.

DLP’s ability to scan, detect data patterns and enforce appropriate actions using contextual awareness
reduces the risk of losing sensitive data. A drawback of DLP is that it does not provide any protection
in case users have to send confidential information legitimately to a business partner or
customer. DLP cannot protect information once it is outside the organization’s perimeter.

DLP is very good at monitoring the flow of data throughout an organization and applying predefined
policies at endpoint devices or the network. The policies can log activities, send warnings to end users
and administrators, quarantine data or block it altogether.

The challenge is that most businesses need to share sensitive data with outside people. Considering
most data leaks originate from trusted insiders who have or had access to sensitive documents,
organizations must complement and empower the existing security infrastructure with a data centric
security solution that protects data in use persistently. That is where DRM comes in. DRM ensures
that only intended recipients can view sensitive files regardless of their location. This assures
protection of data beyond controlled boundaries so that an organization is always in control of its
information. DRM policy stays with the document even if it is renamed or saved to another format,
like a PDF. This provides a more complete solution to limit the possibility of a data breach.

By integrating DLP and DRM, organizations may be able to:

 allow DLP to scan DRM-protected documents and apply DLP policies
 have the DLP policy engine encrypt or reclassify a file, creating a DRM-protected document
 secure data persistently and reduce the risk of losing it to both insiders and outsiders.

DLP alone cannot control data in use by authorized internal or external users. Adding DRM reduces
that exposure and lets an organization immediately deny access to any file regardless of its
location.


Summary
 Data leakage is defined as the accidental or unintentional distribution of private or sensitive
data to an unauthorized entity.
 Sensitive data in companies and organizations include intellectual property (IP), financial
information, patient information, personal credit card data and other information depending
on the business and the industry. Data leakage poses a serious issue for companies as the
number of incidents and the cost to those experiencing them continue to increase.
 Enterprises use Data Leakage Prevention (DLP) technology as one component in a
comprehensive plan for the handling and transmission of sensitive data. The technological
means employed for enhancing DLP can be divided into the following categories:
o standard security measures
o advanced/ intelligent security measures
o access control and encryption
o designated DLP systems
 Device control, access control and encryption are used to prevent access by an unauthorized
user. These are the simplest measures that can be taken to protect large amounts of personal
data against malicious outsider and insider attacks.
 Designated DLP solutions are intended to detect and prevent attempts to copy or send sensitive
data, intentionally or unintentionally, without authorization, mainly by personnel who are
authorized to access the sensitive information. A major capability of such solutions is an ability
to classify content as sensitive.
 Designated DLP solutions are typically implemented using mechanisms such as exact data
matching, structured data fingerprinting, statistical methods (e.g. machine learning), rule and
regular expression matching, published lexicons, conceptual definitions and keywords.
 Content discovery consists of three components:
o Endpoint discovery
o Storage discovery
o Server discovery
 Some of the most significant limitations common among DLP solutions are:
o Encryption — DLP solutions can only inspect encrypted information that they can first
decrypt.
o Graphics — DLP solutions cannot intelligently interpret graphics files.
o Third-party service providers — When an enterprise sends its sensitive information to a
trusted third party, it is inherently trusting that the service provider mirrors the same level
of control over information leaks since the enterprise’s DLP solutions rarely extend to the
service provider’s network.
o Mobile devices — With the advent of mobile computing devices, such as smartphones,
there are communication channels that are not easily monitored or controlled.
o Multilingual support — A few DLP solutions support multiple languages, but virtually all
management consoles support only English.
 DRM, short for Digital Rights Management, a system for protecting the copyrights of data
circulated via the internet or other digital media by enabling secure distribution and/ or
disabling illegal distribution of the data.
 Typically, a DRM system protects intellectual property by either encrypting the data so that it
can only be accessed by authorized users or marking the content with a digital watermark or
similar method so that the content cannot be freely distributed.
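The detection mechanisms summarised above (regular-expression matching, exact data matching against fingerprints, keyword lexicons) and the encryption limitation, shown in a small Python classifier that is an added example, not code from the handbook or any DLP vendor. The customer records, messages and salt are constructed sample data, and the hashing, regex and Luhn choices are illustrative rather than any product's implementation.

```python
"""
Toy DLP content classifier (added example, not from the handbook).

It combines three of the detection mechanisms listed in the summary:
  - rule / regular-expression matching, validated with the Luhn checksum,
  - exact data matching (EDM) against salted fingerprints of known records,
  - a published lexicon of keywords,
and shows the encryption limitation: a base64 payload is decoded and inspected
when it can be read, and reported as uninspectable when it cannot.
All records and messages below are constructed sample data.
"""
import base64
import binascii
import hashlib
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# a base64-looking token long enough to be a payload rather than an ordinary word
OPAQUE_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")
LEXICON = ("confidential", "internal only", "do not distribute")


def luhn_ok(digits: str) -> bool:
    """Payment-card checksum; rejects most random digit runs the regex catches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(value: str, salt: bytes = b"constructed-salt") -> str:
    """EDM index entries are salted hashes of normalised values, so the engine
    never has to hold the sensitive records themselves in clear."""
    normalised = re.sub(r"\s+", "", value).lower()
    return hashlib.sha256(salt + normalised.encode()).hexdigest()


def build_edm_index(records: Iterable[str]) -> Set[str]:
    return {fingerprint(r) for r in records}


@dataclass
class Verdict:
    findings: List[Tuple[str, str]] = field(default_factory=list)  # (mechanism, evidence)
    uninspectable: bool = False   # an opaque/encrypted payload was seen but could not be read

    @property
    def blocked(self) -> bool:
        # Only positive findings block; an uninspectable payload is surfaced for a policy decision.
        return bool(self.findings)


def _printable_ratio(data: bytes) -> float:
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / max(len(data), 1)


def classify(text: str, edm_index: Set[str], verdict: Optional[Verdict] = None) -> Verdict:
    """Run every mechanism over `text`, descending into payloads it can decode."""
    v = verdict if verdict is not None else Verdict()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            v.findings.append(("regex+luhn", "card ending " + digits[-4:]))
    for m in EMAIL_RE.finditer(text):
        if fingerprint(m.group()) in edm_index:
            v.findings.append(("exact-data-match", m.group()))
    lowered = text.lower()
    for keyword in LEXICON:
        if keyword in lowered:
            v.findings.append(("lexicon", keyword))
    for m in OPAQUE_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(), validate=True)
        except (binascii.Error, ValueError):
            continue
        if _printable_ratio(raw) > 0.9:
            classify(raw.decode("ascii", "replace"), edm_index, v)   # readable: inspect the contents
        else:
            v.uninspectable = True     # ciphertext or binary: the engine cannot inspect it
    return v


# --- constructed sample data ---------------------------------------------------
CUSTOMER_RECORDS = ["alice.kumar@example.com", "b.singh@example.org"]
EDM_INDEX = build_edm_index(CUSTOMER_RECORDS)
SAMPLES = {
    "card": "Please charge 4111 1111 1111 1111 for the order.",
    "order_id": "Order 1234567890123 shipped on Monday.",          # 13 digits, fails Luhn
    "edm": "Forwarding the contract to Alice.Kumar@example.com as discussed",
    "encoded": "attachment: " + base64.b64encode(b"Card 4111 1111 1111 1111 for the order").decode(),
    "encrypted": "attachment: " + base64.b64encode(bytes(range(48))).decode(),  # stands in for ciphertext
}

if __name__ == "__main__":
    for name, message in SAMPLES.items():
        result = classify(message, EDM_INDEX)
        print(f"{name:<10} blocked={result.blocked!s:<5} uninspectable={result.uninspectable!s:<5} {result.findings}")
```

The "encrypted" sample is the limitation in miniature: the engine sees that something opaque is leaving but can say nothing about its contents, so the policy decision (block, quarantine, or allow) has to be made without inspection.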


Practical activities:

Activity 1:

Collect information about the extent of data leakage in its various forms across different
types of organisations, including incidents of leakage and the related losses. Present the cases in
class and discuss the various steps that can be taken proactively and after an incident to
ensure loss prevention and minimisation.

Activity 2:

Identify work behaviours and practices that can lead to data leakage in a work context.
Look at your own and your colleagues’ behaviour in your environment, identify the various
kinds of confidential and personal information handled there, and note how everyday practices
and habits can cause data leakage.

Activity 3:

Collect information about various organisations that offer products and services in
Data Leakage Prevention and Data Risk Management. Compare the two areas, and note down and
present the various offerings, tools and their features, benefits and limitations.

Activity 4:

Discuss with others the three states of information:

• Data at Rest
• Data in Motion
• Data in Use

Find examples of data around you in your daily life that fall into these three categories.
State the risks of data leakage and its various sources.


Check your understanding:


1. State true or false:
a) DLP solutions cannot intelligently interpret graphics files.
b) Exact data matching involves a combination of dictionaries, rules and other analyses to protect
nebulous content that resembles an "idea".
c) DLP cannot protect information once it is outside the organization’s perimeter.
d) Endpoint solutions are most recommended for all types of users.
e) DRM ensures that only intended recipients can view sensitive files regardless of their location.

2. Exact data matching is another name for _________________________________.

3. List the three basic techniques for content discovery.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

4. List at least three common signs of a security incident.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

5. List at least three DLP limitations.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

6. State what file cracking is in DLP solutions.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


UNIT IV
Information Security Policies,
Procedures, Standards and Guidelines

This unit covers:

• Lesson Plan
4.1. Information Security Policies
4.2. Key Elements of a Security Policy
4.3. Security Standards, Guidelines and Frameworks
4.4. Laws, Regulations and Guidelines


Lesson Plan

Performance Outcomes

To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and
guidelines
PC11. comply with your organization’s policies, standards, procedures and guidelines when
contributing to managing information security

You need to know and understand:
KA1. your organization’s policies, procedures, standards and guidelines for managing information
security
KA2. your organization’s knowledge base and how to access and update the same
KA4. the organizational systems, procedures and tasks/ checklists within the domain and how to use
these
KA12. your organization’s information security systems and tools and how to access and maintain
these
KA13. standard tools and templates available and how to use the same
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Ensuring Measures

KA1. QA session and a descriptive write-up on understanding.
KA2. Group presentation and peer evaluation along with faculty.
KA4. Performance evaluation from faculty and industry with reward points.
KA12. Faculty and peer review.
KA13. Faculty and peer review.
KB1 - KB4. Group and faculty evaluation based on anticipated outcomes. Reward points to be
allocated to groups.

Work Environment/ Lab Requirement

• PCs/ tablets/ laptops
• Availability of labs (24/7)
• Internet with Wi-Fi (min 2 Mbps dedicated)
• Networking equipment (routers & switches)
• Firewalls and access points
• Commercial tools like HP WebInspect and IBM AppScan etc.
• Open source tools like sqlmap, Nessus etc.
• Access to all security sites like ISO, PCI DSS, Center for Internet Security etc.
• Security templates from ITIL & ISO


Lesson

4.1 Information Security Policies

Security policies are the foundation of your security infrastructure. Without them, you cannot protect
your company from possible lawsuits, lost revenue and bad publicity, not to mention basic security
attacks. A security policy is a document or set of documents that describes, at a high level, the security
controls that will be implemented by the company.

Policies are not technology specific and do three things for an organisation:

• Reduce or eliminate legal liability to employees and third parties.
• Protect confidential, proprietary information from theft, misuse, unauthorized disclosure or
modification.
• Prevent waste of company computing resources.

Organisations are giving higher priority to the development of information security policies, since
protecting their assets is one of the most important things to be considered. Lack of clarity in InfoSec
policies can lead to catastrophic damage that cannot be recovered from, so an organisation adopts
different strategies to implement a security policy successfully. An information security policy
provides management direction and support for information security across the organisation.

There are two types of basic security policies:

• Technical security policies: these include how technology should be configured and used.
• Administrative security policies: these include how people (both end users and management)
should behave/ respond to security.

Persons responsible for the implementation of the security policies are:

• Director of Information Security
• Chief Security Officer
• Director of Information Technology
• Chief Information Officer

Information in an organisation will be both electronic and hard copy, and this information needs to be
secured properly against the consequences of breaches of confidentiality, integrity and availability.

Proper security measures need to be implemented to control and secure information from
unauthorised changes, deletions and disclosures. To find the level of security measures that need to
be applied, a risk assessment is mandatory.

Security policies are intended to define what is expected from employees within an organisation with
respect to information systems.

The objective is to guide or control the use of systems to reduce the risk to information assets. It also
gives the staff who deal with information systems an acceptable use policy, explaining what is
allowed and what is not. Security policies of all companies are not the same, but the key motive behind
them is to protect assets. Security policies are tailored to the specific mission goals.

A security policy should determine rules and regulations for the following systems:
• Encryption mechanisms
• Access control devices
• Authentication systems
• Firewalls
• Anti-virus systems
• Websites
• Gateways
• Routers and switches

Necessity of a security policy

It is generally impossible to accomplish a complex task without a detailed plan for doing so.
A security policy is that plan that provides for the consistent application of security principles
throughout your company. After implementation, it becomes a reference guide when matters of
security arise.
A security policy indicates senior management’s commitment to maintain a secure network, which
allows the IT staff to do a more effective job of securing the company’s information assets. Ultimately,
a security policy will reduce the risk of a damaging security incident. In the event of a security incident,
certain policies, such as an Incident Response Policy may limit your company’s exposure and reduce
the scope of the incident.
A security policy can provide legal protection to your company. By specifying to your users exactly
how they can and cannot use the network, how they should treat confidential information, and the
proper use of encryption, you are reducing your liability and exposure in the event of an incident.
Further, a security policy provides a written record of your company’s policies if there is ever a
question about what is and is not an approved act.
Security policies are often required by third parties that do business with your company as part of
their due diligence process. Some examples of these might be auditors, customers, partners and
investors. Companies that do business with your company, particularly those that will be sharing
confidential data or connectivity to electronic systems, will be concerned about your security policy.
Lastly, one of the most common reasons why companies create security policies today is to fulfill
regulations and meet standards that relate to security of digital information.
Once the security policy is implemented, it will be a part of day-to-day business activities. Security
policies that are implemented need to be reviewed whenever there is an organizational change.
Compliance with policies can be monitored using monitoring solutions such as a SIEM, and violations of
security policies must be dealt with seriously. There should also be a mechanism to report any violations
of the policy.

While developing these policies, it is essential to keep them as simple as possible, because complex
policies are less secure than simple ones. Security policies can be modified at a later time, but that is not
to say that you can create a weak policy now and develop a perfect one some time later.
It is also mandatory to update the policy based upon the changes in environment that an organization
goes through as it progresses.
Policy updates also need to be communicated to all employees as well as to the person authorized to
monitor policy violations, as they may flag scenarios which the organization has overlooked.
Management is responsible for establishing controls and should regularly review the status of
controls.
Below is a list of some of the security policies that an organization may have:

Access Control Policy – How information is accessed
Contingency Planning Policy – How availability of data is made online 24/7
Data Classification Policy – How data are classified
Change Control Policy – How changes are made to directories or the file server
Wireless Policy – How wireless infrastructure devices need to be configured
Incident Response Policy – How incidents are reported and investigated
Termination of Access Policy – How access is revoked when employees are terminated
Backup Policy – How data are backed up
Virus Policy – How virus infections need to be dealt with
Retention Policy – How data can be stored
Physical Access Policy – How access to the physical area is obtained
Security Awareness Policy – How security awareness activities are carried out
Audit Trail Policy – How audit trails are analyzed
Firewall Policy – How firewalls are named, configured etc.
Network Security Policy – How network systems can be secured
Encryption Policy – How data are encrypted, the encryption method used etc.

Policy types:
• Promiscuous Policy
• Permissive Policy
• Prudent Policy
• Paranoid Policy

Others:
• Firewall Management Policy
• Special Access Policy
• Network Connection Policy
• Network Business Partner Policy
• Acceptable Use Policy
• User Account Policy
• Data Classification Policy
• Intrusion Detection Policy
• Remote Access Policy
• Virus Prevention Policy
• Information Protection Policy
• Laptop Security Policy
• Personal Security Policy
• Cryptography Policy

Acceptable Usage Policy

The Acceptable Usage Policy (AUP) is the policy that one should adhere to while accessing the
network. Some of the assets that this policy covers are mobile, wireless, desktop, laptop and
tablet computers, email, servers, the internet etc. For each asset, we need to look at how we can
protect it and manage it, who is authorised to use and administer the asset, the accepted methods of
communication on these assets etc.

A template for an AUP is published by SANS at
http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf, and from it a security
analyst will get an idea of how an AUP actually looks. Some regulatory compliance regimes mandate
that a user should accept the AUP before getting access to network devices. Implementing these
controls makes the organization somewhat more risk free, even though it is very costly.

Once a reasonable security policy has been developed, an engineer has to look at the country’s laws,
which should be incorporated in security policies. One example is the use of encryption to create a
secure channel between two entities. Some encryption algorithms and key lengths (128, 192 bits) will not
be allowed by the government for standard use. Legal experts need to be consulted if you want to
know what level of encryption is allowed in an area. This becomes a challenge if security policies
are derived for a big organisation spread across the globe.
Some of the laws, regulations and standards used for policy definition include:
• The PCI Data Security Standard (PCI DSS)
• The Health Insurance Portability and Accountability Act (HIPAA)
• The Sarbanes-Oxley Act (SOX)
• The ISO family of security standards
• The Gramm-Leach-Bliley Act (GLBA)


4.2 Key Elements of Security Policy

A policy should contain:


• Overview – background information of what issue the policy addresses.
• Purpose – why the policy is created.
• Scope – what areas this policy covers.
• Targeted audience – whom the policy is applicable for.
• Policy – a detailed description of the policy.
• Definitions – a brief introduction of the technical jargon used in the policy.
• Version – number to control the changes made to the document.

Policy Content
When developing content, many go about creating a policy exactly the wrong way. The goal is not to
create hundreds of pages of impressive looking information, but rather to create an actionable
security plan. The following guidelines apply to the content of successful IT security policies.
• A security policy should be no longer than absolutely necessary. Some believe that policies are more
impressive when they fill enormous binders or contain hundreds or even thousands of policies. These
types of policies overwhelm you with data, and are frequently advertised on the internet. But quantity
does not equal quality, and it is the sheer amount of information in those policies that makes them
useless. Brevity is of utmost importance.
• A security policy should be written in “plain English.” While, by nature, technical topics will be
covered, it is important that the policy be clear and understood by the target audience for that
particular policy. There is never room for “consultant speak” in a security policy. If there is a doubt,
the policy should be written so that more people can understand it rather than fewer. Clarity must be
a priority in security policies so that a policy isn’t misunderstood during a crisis or otherwise
misapplied, which could lead to a critical vulnerability.
• A security policy must be consistent with applicable laws and regulations. In some countries there
are laws that apply to a company’s security practices, such as those covering the use of encryption.
Some states have specific disclosure laws or regulations governing the protection of citizens’ personal
information, and some industries have regulations governing security policies. It is recommended that
you research and become familiar with any regulations or standards that apply to your company’s
security controls.
• A security policy should be reasonable. The point of this process is to create a policy that you can
actually use rather than one that makes your company secure on paper but is impossible to
implement. Keep in mind that the more secure a policy is, the greater the burden it places on your
users and IT staff to comply with. Find a middle ground in the balance between security and usability
that will work for you.


• A security policy must be enforceable. A policy should clearly state which actions are permitted and
which of those are in violation of the policy. Further, the policy should spell out enforcement options
when non-compliance or violations are discovered, and must be consistent with applicable laws. A
security policy can be formatted to be consistent with your company’s internal documentation,
however certain information should be placed on each page of the policy. At a minimum, this
information should include: policy name, creation date, target audience and a clear designation that
the policy is company confidential.

Security Policy Implementation


Once a policy has been created, perhaps the hardest part of the process is rolling it out to the
organization. This step must be well planned and undertaken thoughtfully. First and most importantly,
a security policy must be backed by the company’s senior management team. Without their support,
the cooperation needed across departments will likely doom the implementation. Department heads
must be involved, and specifically, Human Resources and Legal Services must play an integral part.
Make sure you have management buy-in before you get too far along in the process. If the position
doesn’t already exist, an Information Security Officer or IT Security Program Manager should be
designated at your company who is responsible for implementing and managing the security policy.
This can be an existing manager. This designation is sometimes not practical at smaller companies, but
regardless, one person, who has the authority to make executive decisions, needs to own and be
accountable for your company’s security policy. Remember that your security policy must be officially
adopted as company policy. It should be signed and recorded in the same way your company makes
any major decision, including full senior management approval. Next, go through each policy and think
about how it will be applied within the organization.
Make sure that the tools are in place to conform to the policy. For example, if the policy specifies that
a certain network be monitored, make sure that monitoring capabilities exist on that network
segment. If a policy specifies that visitors must agree to the Acceptable Use Policy before using the
network, make sure that there is a process in place to provide visitors with the Acceptable Use Policy.
In this phase, if you discover something impractical, create a plan to make appropriate changes to
either the network or the policy. Understand that policies differ from processes and procedures.
You will need to carefully consider the necessary security processes and procedures after you have
your policy finished. For example, the Backup Policy may detail the schedules for backups and off-site
rotation of backup media, however it won’t say exactly how these tasks are to be accomplished.
Additionally, certain procedures must be created to support the policies. For example, how should
your users respond if they suspect a security incident? How will you notify your users if they are
noncompliant with a specific policy? How will exemptions to the policy be requested and approved?
Work with the necessary departments within your company (Legal, IT, HR etc.) to establish procedures
to support your policies. User education is critical to a successful security policy implementation. A
training session should be held to go over the policies that will impact users as well as provide basic
information security awareness training.
Often, users create security issues because they simply don’t understand that what they are doing is
risky or against the security policy. Users must be provided any user level policies, and must
acknowledge in writing that they have read and will adhere to the policies. If possible, coordinate this
with Human Resources so that the policies can be included with any other HR documents that require
a user signature. No matter how well implemented, no policy will be 100% applicable for every
scenario, and exceptions will need to be granted. Exceptions, however, must be granted only in writing
and must be well documented. It should be made clear from the outset that the policy is the official
company standard, and an exception will only be granted when there is an overwhelming business
need.
After the security policy has been in place for some period, which can be anywhere from three months
to a year, the company’s information security controls should be audited against the applicable
policies. Make sure that each policy is being followed as intended and is still appropriate to the
situation. If discrepancies are found or the policies are no longer applicable as written, they must be
changed to fit your company’s current requirements. After the initial review process, you should
regularly review the security policy to ensure that it still meets your company’s requirements. Create
a process so that the policy is periodically reviewed by the appropriate persons. This should occur both
at certain intervals (i.e. once per year), and when certain business changes occur (i.e. the company
opens in a new location). This will ensure that the policy does not get “stale”, and will continue to be
a useful management tool for years to come. When changes need to be made, be sure to: update the
revision history section of the document to differentiate the new document from past versions; and
distribute any modified user level policies to your users. Clearly communicate the policy changes to
any affected parties.

Internal Security Policy: Microsoft


Snicker if you must, but this is for real. Microsoft has great internal security policies and
controls. Think about it. When was the last time you heard about a major breach of
Microsoft's corporate network? The one you might recall is October 2000, when hackers
breached its security and accessed source code for future versions of Windows.
"That was a wake-up call. It changed the way our executives and employees think about
security," says Greg Wood, Microsoft's general manager of InfoSecurity.
Microsoft is one of the most targeted entities on the Internet, absorbing more than 2,200
unique attacks a day. When it developed its security policy, the security team sought
simplicity for protecting the company's 300,000 hosts.
Microsoft threw out its thick, three-ring binder that held its barely touched security policy.
Replacing it was a thin pamphlet containing 45 half-page doctrines based on elemental
security principles: enforcement, business rationale and risk assessments.
The litmus test for any security policy is whether it's enforceable. Microsoft's security
policies are easily understood and have teeth. There's no excuse for ignorance of the
policy, and any breach is enforced through HR actions, Wood says.
Microsoft's security team applies business logic to its security policies. Wood says this
helps earn the business units' cooperation. They know security won't arbitrarily inhibit
operations. Where best practices will often ban certain functions and services, the
Microsoft policy has flexibility to meet business necessities--within reason.

Source: News Journals



California State University, Northridge – Adoption plan of a good Information Security Policy
California State University, Northridge (CSUN) is committed to providing a secure and
accessible data and networking infrastructure that protects the confidentiality, availability
and integrity of information. The creation, preservation and exchange of information is an
intrinsic part of the University's teaching, scholarship and administrative operations.
Increasingly that information is processed, handled or stored in electronic form.
The growing availability of digital information offers opportunities to improve our
collaborations and work in new ways. Unfortunately, it also presents us with new threats.
The very technologies we use to gather, share and analyse information also make our
institution vulnerable to varied and continually evolving information security risks. CSUN is
entrusted with a wide range of confidential and sensitive information pertaining to our
students, faculty staff, donors, and other members of the community (e.g. affiliates).
We take seriously our obligation to be stewards of that trust. We are obligated by law and
institutional policy to take all reasonable and appropriate steps to protect the
confidentiality, availability, privacy, and integrity of information in our custody. This
obligation is broad and applies to information in both electronic and material form. Our
practices are designed both to prevent the inappropriate disclosure of information and to
preserve information in case of intentional or accidental loss.
(For the complete case study please refer to: http://www.csun.edu/sites/default/files/csun-it-sec-plan.pdf)
Source: www.csu.edu


4.3 Security Standards, Guidelines & Frameworks


Process: Security Governance Frameworks
Security governance frameworks represent solutions to the question of how to manage security
effectively. The manner in which a company builds a governance structure is a reflection of the
organization of the company and the laws and business environment in which it finds itself. Auditing
the security governance practices of a company requires understanding how the organization
manages the processes and procedures that make up its security program and comparing those aspects
to recognized governance frameworks. Luckily, there are many sources that an auditor can use to
identify best practices in building a manageable, measurable and effective security governance
program. The frameworks mentioned in this text are not a complete list, and significant research is
constantly being conducted in this area. What follows are three of the most frequently found
frameworks; they should get you started in understanding how they can be applied to the
organizations you audit.

COSO
The Foreign Corrupt Practices Act of 1977 (FCPA) is a law that requires any publicly traded company
to accurately document any transactions or monetary exchanges it is involved in (to prevent off-the-books
money transfers). Additionally, the law requires that a publicly traded company also have a
system of internal accounting controls to monitor fraud and abuse, and test them through compliance
auditing. The Securities and Exchange Commission (SEC) provided little guidance on this law, and in
response a consortium of private organizations created the Treadway Commission to work out
what companies needed to do to comply with it.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985
to improve the accuracy of financial reports and to standardize on internal control methods to reduce
fraudulent reporting. COSO studied the problem and issued guidance about how to create an internal
controls framework that complies with the FCPA. The resulting document, called “Internal Controls:
Integrated Framework,” was published in 1994 and provided common language, definitions and
assessment methodologies for a company’s internal accounting controls. This COSO report is
considered the standard by which accounting auditors assess companies to ensure compliance with
the FCPA and SOX section 404.
The COSO report lists a few main concepts that guided the development of the COSO framework and
define what internal controls can and cannot do for an organization. These concepts show the
relationship between people and processes with respect to the effectiveness of controls, and they
define the principles by which to implement them:
 Internal control is a process and not a one-time activity.
 Internal control is effected by people; it must be adopted throughout the organization and is not
simply a policy document that gets filed away.
 An internal control can provide only reasonable assurance, not absolute assurance, to the
management and board of a business. A control cannot ensure success.
 Internal controls are designed for the achievement of business objectives.

119
Student Handbook– Security Analyst SSC/N0901

The COSO internal controls framework consists of five main control components, shown in the figure
below. These components are the foundation of the COSO framework and provide a means for auditors
to assess a company's control efficiency, effectiveness, reliability of financial reporting and
compliance with the law.

Figure: COSO Internal Controls Framework (five stacked components, top to bottom: Monitoring,
Information and Communication, Control Activities, Risk Assessment, Control Environment)


Control environment
The control environment defines how an organization builds its internal governance program and
affects the company as a whole. The CEO, Board of Directors, and Executive Management are mostly
involved at this level, creating the ethics environment and organizational structure and defining the
roles and responsibilities. The control environment consists of the people, culture and ethics of the
business.
Risk assessment
Solid risk assessment methodologies are important to any successful governance program. COSO
identifies this area as critical to all control development activities and for identifying business
objectives. You can’t protect what you don’t know about, so a thorough risk assessment provides the
data to help a company design controls to protect its assets and achieve its strategic goals.
Control activities
This component covers the controls that COSO recommends to help mitigate risk. The main categories
of controls in COSO are operational, financial reporting and compliance. The controls identified are
broad in nature and cover some IT-related issues, but COSO doesn't address IT in as much depth as
it does the accounting side. It highlights the various activities that should be controlled, but leaves
it up to management to work out how.
Information and communication
This component of COSO addresses having an organization in which information and communication
flow freely between all parts of the business.
Information, according to COSO, is the data used to run the business, whereas communication is
defined as the method used to disseminate information to the appropriate individuals. People cannot
do their jobs efficiently and effectively if they are not provided with the necessary information.
Without the appropriate lines of communication and timely action, problems can turn into
catastrophes. Communication is the mechanism that drives the other four components of the COSO
framework.
Monitoring
Auditing and measurement are essential in determining how controls perform.
Monitoring can be the alarm system that identifies a problem and provides valuable data for fixing
issues for the future. Monitoring can consist of periodic reports, audits or testing mechanisms that
provide the status of individual controls.
COSO is one of the more widely adopted internal control frameworks for large companies, due in no
small part to the mandates set forth through SOX 404. In response to criticism that the framework
was impractical for smaller organizations, the committee published "Internal Control over Financial
Reporting - Guidance for Smaller Public Companies" in 2006.
The COSO framework is the grandfather of internal controls and, though it was designed
primarily for accounting controls, it still provides value for companies building out a security
governance strategy. From an IT perspective, the five main components are entirely relevant to
securing information, but the actual controls themselves don't go to the same level of depth as other
frameworks such as Control Objectives for Information and Related Technology (COBIT).

COBIT
The COBIT framework was created by the Information Systems Audit and Control Association (ISACA)
and the IT Governance Institute (ITGI) in response to the IT community's need for a less generalized
and more actionable set of controls for governing and securing information systems. The ITGI is a
non-profit organization that leads the development of COBIT through committees consisting of
experts from universities, governments and audit firms across the globe. The COBIT framework is a
series of manuals and implementation guidelines for creating a full IT governance, auditing and
service delivery program for any organization.
COBIT is not a replacement but an augmentation to COSO, and maps directly to COSO from an IT
perspective. Although COSO covers the whole enterprise from an accounting perspective, it does so
by providing high level objectives that require the business to figure out how to accomplish them.
COBIT on the other hand, works with COSO by fully detailing the necessary controls required and how
to measure and audit them. The built-in auditable nature of COBIT is why it has become one of the
leading IT governance frameworks as it gets as close as can be expected to a turnkey governance
program. COBIT does not dig down into the actual tasks and procedures however, which necessitates
using other sources to develop standards and procedures for implementing the controls. In other
words, COBIT won’t tell you the best way to configure AES encryption for your wireless infrastructure,
but it will provide you with a mechanism for identifying where and why you need to apply it based on
risk.
The role of COBIT in IT governance is to provide a model that takes the guesswork out of how to bridge
the gap between business and IT goals. COBIT considers business the customer of IT services. Business
requirements (needs) ultimately drive the investment in IT resources, which in turn need processes
that can deliver enterprise information back to the business. At the foundation of COBIT is the cyclical
nature of business needing information and IT delivering information services.
Information is what IT provides to the business, and COBIT defines the following seven information
criteria as business requirements for information:
 Effectiveness: information should be delivered in a timely, correct, consistent and usable manner.
 Efficiency: information is delivered in the most cost-effective way.
 Confidentiality: data is protected from unauthorized disclosure.
 Integrity: the business is protected from unauthorized manipulation or destruction of data.
 Availability: data should be accessible when the business needs it.
 Compliance: adherence to laws, regulations and contractual agreements.
 Reliability of information: data correctly represents the state of the business and its transactions.

IT resources in COBIT are the components of information delivery and represent the technology,
people and procedures used to meet business goals. Resources are divided into four areas:
 Applications: information processing systems and procedures
 Information: the data as used by the business
 Infrastructure: technology and systems used for data delivery and processing
 People: the human talent needed to keep everything operating
IT processes (or activities) are the planned utilization of resources and divided into four inter-related
domains. Each process has its own controls that govern how the process is to be accomplished and
measured. There are 34 high level processes and hundreds of individual controls. The domains and
processes are:

 Plan and Organize (PO): Defines strategy and guides the creation of a service and solutions
delivery organization. The high level process for this domain is as follows:
o PO1 Define a strategic IT plan
o PO2 Define the information architecture
o PO3 Determine technological direction
o PO4 Define the IT processes, organization and relationships
o PO5 Manage the IT investment
o PO6 Communicate management aims and direction
o PO7 Manage IT Human Resources
o PO8 Manage quality
o PO9 Assess and manage IT risks
o PO10 Manage projects
 Acquire and Implement (AI): Builds IT solutions and creates services. The high level process for
this domain is as follows:
o AI1 Identify automated solutions
o AI2 Acquire and maintain application software
o AI3 Acquire and maintain technology infrastructure
o AI4 Enable operation and use
o AI5 Procure IT resources
o AI6 Manage changes
o AI7 Install and accredit solutions and changes
 Deliver and Support (DS): User facing delivery of services and solutions. The high level process for
this domain is as follows:
o DS1 Define and manage service levels
o DS2 Manage third-party services
o DS3 Manage performance and capacity
o DS4 Ensure continuous service
o DS5 Ensure systems security
o DS6 Identify and allocate costs
o DS7 Educate and train users
o DS8 Manage service desk and incidents
o DS9 Manage the configuration
o DS10 Manage problems
o DS11 Manage data
o DS12 Manage the physical environment
o DS13 Manage operations
 Monitor and Evaluate (ME): Monitors IT processes to ensure they remain aligned with business
requirements. The high level processes for this domain are as follows:
o ME1 Monitor and evaluate IT performance
o ME2 Monitor and evaluate internal control
o ME3 Ensure compliance with external requirements
o ME4 Provide IT governance
Each of the processes in COBIT is written for managers, users and auditors by addressing each
group's needs. Each process control objective is built using a template that includes:
o a general statement explaining why management needs the control and where it fits
o the key business requirements that the control addresses
o how the controls are achieved
o control goals and metrics
o who is responsible for each individual control activity
o how the controls can be measured
o a clear description of how mature the organization is in accomplishing the control, using a
detailed 0–5 scale Maturity Model
Measurement of each process and control is accomplished through a Maturity Model. The COBIT
Maturity Model is based on the Capability Maturity Model pioneered by Carnegie Mellon's Software
Engineering Institute (SEI). The Capability Maturity Model was designed as a tool for ensuring quality
in software development. COBIT has adapted the model into a measurement and tracking tool
that identifies the current state of adoption (maturity level) for each process, so that an
organization's execution can be compared with industry averages and business targets. This helps
management identify where the company's performance stands in relation to its peers and provides
a path to improvement with specific and prescriptive steps for getting there.
The COBIT Maturity Model scale provides the following measurements:
COBIT Maturity Scale
0 Non-existent: The process is not performed at all.
1 Initial/Ad hoc: The process is chaotic, not standardized and handled case by case.
2 Repeatable but intuitive: The process follows a regular pattern but relies on individual
knowledge; there is no formal training or communication of standard procedures.
3 Defined process: Processes are standardized and documented, and formal training communicates
the standards.
4 Managed and measurable: Management monitors and checks processes for compliance, measurable
processes are reviewed for improvement, and automation is limited.
5 Optimized: Processes are refined to the level of good practice and compared with others on the
basis of maturity; workflow tools automate them to improve quality and effectiveness.

Using COBIT requires customization to better align with the company implementing it. COBIT is not
designed as a governance strategy in a box, but as a reference for building a process focused system,
utilizing international standards and good practices. Companies still need to determine a risk
management methodology and build out a technical infrastructure to automate the various COBIT
processes identified. COBIT’s real value is in providing the management, measurement and
organizational glue to tie these functions together.
IT auditors like to use COBIT mainly because it creates a well-documented set of processes and
controls that can be assessed, along with the metrics and requirements for each control. COBIT is also
useful when the organization under audit does not use it as a governance framework, because an
auditor can build checklists and plan audits based on COBIT to ensure that all aspects of the IT
process are covered. COBIT is also an invaluable resource when writing the audit report because it
allows the auditor to justify the findings by comparing them to a well-respected standard.

ITIL
The Information Technology Infrastructure Library (ITIL) provides documented best practices for IT
Service Management. ITIL was created in the late 1980s by the UK government's Central Computer and
Telecommunications Agency (later absorbed into the Office of Government Commerce) to standardize
IT service management across British government agencies. The resulting work generated a
significant amount of information (roughly 40 books) that became known as ITIL. The books were
revised and consolidated, by 2004, into a series of eight books focused on IT service management.
This version 2 of ITIL became popular among organizations looking for an internationally recognized,
proactive framework for managing IT services, reducing cost and improving quality. Version 3 of ITIL
was released in June 2007 to refresh the core service delivery and support material that many
companies had implemented, and to move the ITIL framework towards a life cycle model that covers
all the services provided by IT across their lifecycle. The five books that make up Version 3 are:
 Service Strategy: This book is the foundation for the others, defining business-to-IT alignment,
value to the business, service strategy and service portfolio management.
 Service Design: Focused on the design of IT processes, policies and architectures. Includes service
level management, capacity management, information security management and availability
management.
 Service Transition: Covers moving from the design phase into production business services, and
change management. It also includes service asset and configuration management, service
validation and testing, evaluation and knowledge management.
 Service Operation: Provides information on the day-to-day support of production systems. This
includes service delivery and service support, service desk design, application management,
problem management and technical management.
 Continual Service Improvement: This book covers service improvement and service retirement
strategies.
ITIL is primarily about delivering IT as a service and the lifecycle of service development,
implementation, operation and management. Companies use ITIL for the overall management of IT
and also for managing security processes. Auditing an ITIL shop requires that the auditor understand
the basics of ITIL in order to speak the same language. ITIL also works well with COBIT as a means of
fleshing out the service delivery of each process; the ITGI even publishes a mapping between COBIT
and ITIL for organizations that want to use both. ITIL is aligned with ISO/IEC 20000, the international
standard for IT service management, so an ITIL-based program can be taken forward to international
certification against that standard. Whether or not a company chooses to pursue certification, ITIL
gives guidance on how to move from a reactive to a proactive approach to managing IT and security
as a service.

Technology: Standards, Procedures and Guidelines

Knowing what processes and controls need to be in place is half the job. The other half is implementing
the technology and procedures that allow each control to work as intended. Most auditors focus their
efforts on testing and validating controls to ensure that they are functional and dependable.
Penetration testing, configuration review and architecture review are all part of this type of
assessment, so auditors need to know where to find guidance, templates and sample designs
that have been proven to work through consensus and extensive testing. The best security programs
don't provide much benefit if their execution relies on poor control choices. The
following standards and best practices can help the auditor distinguish good security designs from
bad and provide reference architectures for comparison.
ISO 27000 Series of Standards
The ISO 27000 series are internationally recognized security control standards for the creation and
operation of an Information Security Management System (ISMS). Its code of practice was previously
published as ISO 17799 and originated from British Standard 7799, and the ISO 27000 series is one
of the most widely used and cited sets of documents in information security today. All the major
governance frameworks reference ISO when discussing key controls, and it is a great resource for a
wide range of security needs, from data-handling standards to physical security to policy. ISO 27000
is broad and covers a great deal of content, broken into seven standards published at the time of
writing, with ten more in preparation. This overview is centered on the first two standards: ISO 27001
and 27002.
The first ISO standard is ISO/IEC 27001:2005 Information technology - Security techniques -
Information security management systems - Requirements. It provides the requirements for a security
management system built on the ISO 27002 best practices. ISO 27001 identifies the generic processes
and controls that must be in place if a business wants to be certified as compliant with the standard.
The contents of ISO 27001 are:
 ISMS: Establish the ISMS; implement and operate it; monitor and review it; maintain and improve it;
documentation requirements; control of documents and records.
 Management responsibility: Management commitment, provision of resources, and training for
awareness and competence.
 Internal ISMS audits: The requirements for conducting audits.
 ISMS improvement: Continual improvement, corrective actions and preventive actions.
 Annex A: Control objectives and controls (the checklist auditors most often work from).
 Annex B: The OECD principles and how this International Standard supports them.
 Annex C: Correspondence between ISO 9001:2000, ISO 14001:2004 and this standard.


A key concept used in 27001 is the Deming Cycle process improvement approach: Plan, Do, Check and
Act. This continuous improvement cycle was made famous by Dr. W. Edwards Deming, whose quality
control methodology shows that a process can be continually improved by learning from mistakes and
by monitoring what was done correctly in order to further refine the capabilities of the system.

The Deming Cycle is simple yet powerful, and ISO 27001 applies it to security management in the
following manner:
Step 1. Plan: Establish the ISMS according to the policies, processes and objectives of the
organization for managing risk.
Step 2. Do: Implement and operate the ISMS.
Step 3. Check: Audit, assess and review the ISMS against policies, objectives and experience.
Step 4. Act: Take corrective action on the deficiencies identified, for continuous improvement.

ISO 27001 provides guidance for setting up an ISMS and, by specifying which controls need to be in
place, an excellent checklist for assessing compliance with the standard. An organization can be
certified as compliant with 27001 through an accredited assessment and registration body. At the
time of writing there were over 3,000 organizations certified against ISO 27001. Many companies
choose certification as a mechanism to "prove" their competence in building an information security
program, but also because certification provides supporting evidence for SOX and other legal
compliance frameworks that the company has met its obligations. The other benefit of ISO 27001 is
its global acceptance as a standard that some companies require of their business partners, which
can open a unique business opportunity for a company that goes down the path of certification.
The second ISO standard is ISO/IEC 27002:2005 Information technology - Security techniques - Code
of practice for information security management, which consists of international best practices for
securing systems. This standard provides best practice information about everything from Human
Resources security needs to physical security, and it represents the detailed implementation guidance
behind ISO 27001.
ISO 27002 is full of good high level information that can be used as a source document for any
generalized audit or assessment. It consists of security controls across all forms of data
communication, including electronic, paper and voice (notes tied to pigeons are not included).
The areas covered in ISO 27002:2005 (an introduction, a section on risk assessment and treatment,
and eleven control clauses) are:
 Intro to information security management
 Risk assessment and treatment
 Security policy
 Organization of information security
 Asset management
 Human Resources security
 Physical and environmental security
 Communications and operations management
 Access control
 Information systems acquisition, development and maintenance
 Information security incident management
 Business continuity management
 Compliance
The ISO standards define a solid benchmark for assessing a company's information security practices,
but, as with most high-level control documents, they don't give the auditor details about security
architecture or implementation. 27002 is a well-recognized international standard to
refer back to for control requirements in an audit report or findings document, and makes excellent
source material for an auditor's checklist.

NIST
The National Institute of Standards and Technology (NIST) is a federal agency of the United States
government tasked with supporting U.S. commerce by providing weights and measures, reference
materials and technology standards. If you have configured your computer to synchronize its clock
with an atomic time source on the Internet, you may well have used a NIST service. NIST also provides
reference samples of over 1,300 items, including cesium-137, peanut butter and oysters.
The part of NIST most interesting from an information security standpoint is the Computer Security
Resource Center (CSRC), through which NIST's Computer Security Division publishes its information
security standards and guidance.
The CSRC is currently directed by the United States Congress to create standards for information
security in response to laws such as the Information Technology Management Reform Act of 1996
(the Clinger-Cohen Act), the Federal Information Security Management Act of 2002 (FISMA) and
HIPAA. Although FISMA is a federal law that is not enforceable in the private sector, private companies
can reap the benefits of the many excellent documents NIST has created for FISMA compliance.
Federal Information Processing Standards (FIPS) publications are a series of standards that federal
agencies must follow by law under FISMA. FIPS standards include encryption standards, information
categorization and other requirements. FIPS also mandates standards for technology through a
validation program: a cryptographic module that encrypts data with AES, for example, must be FIPS
140-2 validated (at one of four security levels, chosen according to the sensitivity of the system)
before the federal government can use it.
The NIST Special Publications (800 series documents) are a treasure trove of good information for
auditors, systems administrators and security practitioners of any size company. These documents
give guidance and provide specific recommendations about how to address a wide range of security
requirements. These documents are created by academic researchers, security consultants and
government scientists. They are reviewed by the security community through a draft process that
allows anyone to provide comments and feedback on the documents before they are made standards.
The documents are also revised on a regular basis as new technologies become adopted.
The table below lists some of the most widely used NIST 800 series documents. This list is not
exhaustive, and new documents are added all the time, so check the NIST website on a regular
basis for updates and new drafts.

Table: NIST 800 Series documents
SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-18 Guide for Developing Security Plans for Information Technology Systems
SP 800-27 Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-30 Risk Management Guide for Information Technology Systems
SP 800-34 Contingency Planning Guide for Information Technology Systems
SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
SP 800-47 Security Guide for Interconnecting Information Technology Systems
SP 800-50 Building an Information Technology Security Awareness and Training Program
SP 800-53 Recommended Security Controls for Federal Information Systems
SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems
SP 800-54 Border Gateway Protocol Security
SP 800-55 Security Metrics Guide for Information Technology Systems
SP 800-58 Security Considerations for Voice over IP Systems
SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories (Two Volumes)
SP 800-61 Computer Security Incident Handling Guide
SP 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-77 Guide to IPsec VPNs
SP 800-88 Guidelines for Media Sanitization
SP 800-92 Guide to Computer Security Log Management
SP 800-95 Guide to Secure Web Services
SP 800-97 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
SP 800-100 Information Security Handbook: A Guide for Managers

The Cyber Security Research and Development Act of 2002 requires NIST to develop checklists that
help minimize the security risks of hardware and software used by the federal government. These
checklists give detailed configurations for many hardware and software platforms, including Cisco. SP
800-70 outlines the format, goals and objectives of the checklists and how to submit a checklist of
your own if you would like to share it. NIST provides these checklists in Security Content Automation
Protocol (SCAP) format, so they can be loaded into a SCAP-validated scanner for automated auditing.
A number of scanning vendors support SCAP, such as Qualys and Tenable (Nessus scanner). For a
complete list of scanning vendors and downloadable checklists, visit http://checklists.nist.gov.
Center for Internet Security
The Center for Internet Security (CIS) is a not-for-profit group dedicated to creating security best
practices and configuration guidance that help companies reduce the risk of inadequately secured
corporate systems. CIS provides peer-reviewed configuration guides and templates that
administrators and auditors can follow when securing, or testing the security of, a target system. These
guides are well written and go down to the level of individual configuration settings, so they can be
used as a checklist while also explaining why each setting needs to be implemented.
CIS calls its best practice documents benchmarks and publishes them in two categories:
 Level 1 benchmarks define a minimum level of due care: settings that any skilled administrator can
implement and that are unlikely to interrupt normal operation.
 Level 2 benchmarks add defense-in-depth settings for particular system roles or ways in which a
system is used; some of them can reduce functionality, so applying them depends on understanding
risk, which determines how far an asset needs to be protected. A laptop, for example, has a different
risk profile than a server, and the Level 2 material explores such differences in detail.
The CIS benchmarks are often used for configuration-level auditing of technology, verifying that
security features are properly implemented and good defensive practices followed. Many compliance
laws dictate high level controls but never go into the details of how to perform the necessary tasks.
The CIS benchmarks fill in those blanks with consensus-validated device configuration
recommendations that can be audited against. CIS also makes available automated assessment tools
that leverage these benchmarks. CIS benchmarks can be found at www.cisecurity.org.
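As an added illustration (not code from this handbook, from CIS or from NIST), the Python below shows the mechanics behind the automated, configuration-level auditing that both the SCAP checklists and the CIS benchmarks enable: a small rule set with Level 1 and Level 2 profiles is evaluated against constructed copies of sshd_config and login.defs, and the failed rules are reported with their rationale. The rule identifiers, file names, sample contents and thresholds are assumptions made for the example, not CIS benchmark items. Two details a scanner must get right are shown: a commented-out default such as "# PermitRootLogin no" never counts as compliant, and a file that is missing altogether is reported as a failure rather than silently skipped.

```python
"""Benchmark-style configuration audit with Level 1 / Level 2 profiles.

Added example; the rules and sample files below are constructed for
illustration and are not taken from any published CIS benchmark.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


def parse_directives(text: str) -> Dict[str, str]:
    """Return the effective keyword -> value map of a keyword/value config file.

    Lines beginning with '#' are comments and are ignored, so a commented-out
    default such as '# PermitRootLogin no' cannot satisfy a rule. When a keyword
    appears more than once the FIRST value wins, which is how sshd resolves
    duplicate directives (login.defs is treated the same way for simplicity).
    """
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        directives.setdefault(key, value)               # keep the first occurrence
    return directives


@dataclass(frozen=True)
class Rule:
    rule_id: str                               # hypothetical identifier, not a CIS number
    level: int                                 # 1 = baseline, 2 = role-specific hardening
    file: str                                  # configuration file the rule inspects
    check: Callable[[Dict[str, str]], bool]    # predicate over the parsed directives
    rationale: str                             # why the setting matters (reported on failure)


def equals(key: str, wanted: str) -> Callable[[Dict[str, str]], bool]:
    return lambda d: d.get(key, "").lower() == wanted


def at_most(key: str, limit: int) -> Callable[[Dict[str, str]], bool]:
    return lambda d: d.get(key, "").isdigit() and int(d[key]) <= limit


RULES: List[Rule] = [
    Rule("ssh-01", 1, "sshd_config", equals("permitrootlogin", "no"),
         "root must log in as an individual user and escalate, preserving accountability"),
    Rule("ssh-02", 1, "sshd_config", equals("protocol", "2"),
         "SSH protocol 1 has known cryptographic weaknesses"),
    Rule("ssh-03", 1, "sshd_config", at_most("maxauthtries", 4),
         "limits password guessing per connection"),
    Rule("ssh-04", 2, "sshd_config", equals("x11forwarding", "no"),
         "servers without a desktop should not forward X11 sessions"),
    Rule("pw-01", 1, "login.defs", at_most("pass_max_days", 90),
         "forces periodic password rotation"),
]

# Constructed sample files standing in for /etc/ssh/sshd_config and /etc/login.defs.
SAMPLE_FILES: Dict[str, str] = {
    "sshd_config": (
        "# PermitRootLogin no\n"        # commented default: must NOT satisfy ssh-01
        "Protocol 2\n"
        "PermitRootLogin yes\n"
        "X11Forwarding yes\n"
        "MaxAuthTries 4\n"
    ),
    "login.defs": (
        "PASS_MAX_DAYS   365\n"
        "PASS_MIN_DAYS   7\n"
    ),
}


def audit(files: Dict[str, str], level: int = 1) -> Dict[str, bool]:
    """Evaluate every rule at or below `level` (Level 2 includes all of Level 1).

    A rule whose file is absent is recorded as failed rather than skipped, so
    missing configuration can never be reported as compliant by omission.
    """
    parsed = {name: parse_directives(text) for name, text in files.items()}
    results: Dict[str, bool] = {}
    for rule in RULES:
        if rule.level > level:
            continue
        directives = parsed.get(rule.file)
        results[rule.rule_id] = directives is not None and bool(rule.check(directives))
    return results


def failures(results: Dict[str, bool]) -> List[str]:
    """Identifiers of the failed rules, in rule order, for the findings section of a report."""
    return [rule_id for rule_id, passed in results.items() if not passed]


if __name__ == "__main__":
    by_id = {r.rule_id: r for r in RULES}
    for lvl in (1, 2):
        res = audit(SAMPLE_FILES, level=lvl)
        print(f"Level {lvl}: {len(res) - len(failures(res))}/{len(res)} rules passed")
        for rid in failures(res):
            print(f"  FAIL {rid}: {by_id[rid].rationale}")
```

Each rule carries its rationale so that the report explains the "why" alongside the finding, which is the same structure the CIS guides and DISA STIGs use; a real SCAP scanner does the same thing at much larger scale, with the rules expressed in XCCDF and the checks in OVAL rather than as Python predicates.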
NSA
The National Security Agency (NSA) has been responsible for securing U.S. government information
and for information assurance since it was established in 1952. As a component of the U.S. Department
of Defense, the NSA is best known for its cryptology research and cryptanalysis of encrypted
communications. The NSA took part in the evaluation and standardization of DES, the IBM-designed
cipher that was (and, in the form of 3DES, still is) one of the most commonly deployed encryption
algorithms until it was replaced by AES.
Although the NSA's mission is to keep government communications private, it has also shared a
significant amount of computer security research in the form of configuration guides on hardening
computer systems and network infrastructure equipment. Through research conducted by the NSA's
Information Assurance Directorate, a series of security configuration guides has been published to
help the public better secure computers and networks.
These guides cover:
 Applications
 Database servers
 Operating systems
 Routers
 Supporting documents
 Switches
 VoIP and IP telephony
 Vulnerability reports
 Web servers and browsers
 Wireless
Auditors are free to use these configuration guidelines when examining security controls. They make
a great resource and are updated as new technologies and applications are studied. You can find the
guides at http://www.nsa.gov/ia/index.cfm.
DISA
The Defense Information Systems Agency (DISA) is a component of the U.S. Department of Defense
charged with protecting military networks and creating configuration standards for military
network deployments. DISA provides a number of useful configuration checklists for a wide variety of
information system technologies. Its Security Technical Implementation Guides (STIGs) are great
source material for security configuration assessments and highly recommended as a tool for any
auditor looking for vetted configuration recommendations. While STIGs are written with military
auditors in mind, they are easy to read and include the justification for each configuration
requirement and the threats it mitigates. You can access the current list of STIGs at
http://iase.disa.mil/stigs/stig/index.html.
SANS
The SANS (SysAdmin, Audit, Network, Security) Institute is one of the best sources of free security
information available on the Internet today. Established in 1989 as a security research and
education organization, it has become a source of training and knowledge that shares security
information with hundreds of thousands of individuals across the globe. The SANS website has
something for everyone involved in information security, from the CIO to the hard-core security
technologist and researcher.
SANS is in the business of security education and delivers training events, conferences, and webcasts.
It offers an extensive array of technical security and management tracks covering everything from
incident handling and hacking to creating security policies. SANS security training conferences are the
most common venue for a student attending these courses, but many are also offered through on-
demand web training and self-study. Each of these courses also offers an opportunity to test for
certification through the GIAC organization (a separate entity that governs the certification and testing
process for SANS). For those students who want a more traditional education process, SANS is
accredited in the state of Maryland to grant master’s degrees in information assurance and
management.
Although SANS focuses on training, it also provides a wealth of free security information as part of its
mission to use knowledge and expertise to give back to the Internet community.
SANS offers the following free services and resources that are perfect for auditors and security
professionals to use to gain insight into new issues and understand technical security controls:

• SANS reading room: The reading room consists of over 1,600 computer security whitepapers
from vendors and research projects written by SANS students going for GIAC Gold certification.
There are a wide range of topic categories, ensuring you will find something relevant to what
you are looking for from best practices to configuration guidance.

• SANS Top 20: SANS Top 20 is a list of the top 20 vulnerabilities in operating systems and
applications that hackers attack. This information is updated yearly by a large panel of security
experts, and it provides auditors and security practitioners with a good list of high-risk areas
they need to ensure are addressed. Although this list is good, it doesn’t cover the latest threats,
so it should not be used as a checklist, but rather as a tool to focus your efforts.

• SANS security policy samples: If you are looking for sample security policies, this resource is a
goldmine. All of the policies represented are free for use, and in some cases, you can simply
insert the business’s name. These policy templates cover a wide range of security functional
areas and are added to on a regular basis. It is important to note that security policies are
serious documents and require that legal departments and HR departments be involved in their
adoption.

• SANS newsletters: SANS provides a number of newsletters available as e-mails or RSS feeds that
you can subscribe to. Many topics are present, including one focused on auditing (SANS
AuditBits).

• Internet Storm Center: The Internet Storm Center is a group of volunteer incident handlers who
analyze suspicious Internet traffic from across the globe. They look at packet traces to
determine whether a new virus, worm, or other attack vector has popped up in the wild. The ISC
also compiles attack trend data and the most frequently attacked ports. Incident handlers are
always “on duty,” and you can read their notes as they go about analyzing attacks.

• SCORE: SCORE is a joint project with the CIS to create minimum standards of configuration for
security devices connected to the Internet. These checklists are available for free and provide
sound guidance about necessary technical controls.

• Intrusion Detection FAQ: The Intrusion Detection FAQ is a fantastic resource for better
understanding how to identify an attack on your network. FAQs cover the basics of intrusion
detection, details about tools to use, and a detailed analysis of sample attacks.
The SANS website should be considered mandatory reading for auditors who want to better
understand the tools and techniques attackers use to break into systems. Having all of this
knowledge in a single place is useful as auditors tailor their checklists and audit criteria to address
current events and attacks.
ISACA
If you are involved in security auditing to any degree, you undoubtedly have heard of the Information
Systems Audit and Control Association (ISACA). ISACA is the largest association of IT auditors in
existence with over 65,000 members across the world. Many of the auditing techniques and security
governance processes used to audit IT today have been compiled and standardized by ISACA. Over
50,000 people have earned the Certified Information Systems Auditor certification (CISA),
demonstrating knowledge in auditing. The Certified Information Systems Manager (CISM) is also
offered to test IT governance and management expertise.

ISACA is more than just a certification granting organization. In addition to establishing the IT
Governance Institute and developing COBIT, it has created the de facto standards guide for
assessing and auditing IT controls. The IS standards, guidelines and procedures for auditing and
control professionals are regularly updated and reviewed to provide the auditing community with
standards, guidelines and procedures for conducting audits.
The auditing guide includes:

• Standards of IS auditing: This section includes the code of conduct for professional auditors,
the auditing process from planning to follow-up, and various other standards for performing audits.

• Auditing guidelines: This section provides information on how to conduct audits while following the
standards of IS auditing.

• Auditing procedures: This section provides details on how to audit various types of systems and
processes, providing a sample approach to testing controls such as firewalls and intrusion
detection systems.

• The IT Assurance Guide to using COBIT is another excellent resource for how to conduct an audit
using COBIT as the governance framework. Regardless of whether or not the company being
audited uses COBIT, the guide describes how to leverage the controls identified by COBIT and
apply those to the audit process. This enables an auditor to follow a well-documented
framework to ensure that no major areas are missed.

ISO 27003
ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation
of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It
describes the process of ISMS specification and design from inception to the production of
implementation plans. It describes the process of obtaining management approval to implement an
ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project),
and provides guidance on how to plan the ISMS project, resulting in a final ISMS project
implementation plan.
ISO 27004
ISO/IEC 27004 concerns measurements relating to information security management. These are
commonly known as ‘security metrics’ in the profession. The standard is intended to help
organizations measure, report on and hence systematically improve the effectiveness of their
Information Security Management Systems. It “provides guidance on the development and use of
measures and measurement in order to assess the effectiveness of an implemented information
security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.
This would include policy, information security risk management, control objectives, controls,
processes and procedures, and support the process of its revision, helping to determine whether any
of the ISMS processes or controls need to be changed or improved.”
ISO 15408 Common Criteria Evaluation for Security
ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation and
specifies the general model of evaluation given by various parts of ISO/IEC 15408, which in its entirety
is meant to be used as the basis for evaluation of security properties of IT products.
It provides an overview of all parts of ISO/IEC 15408, describes the various parts of ISO/IEC 15408,
defines the terms and abbreviations to be used in all parts of ISO/IEC 15408, establishes the core concept
of a Target of Evaluation (TOE), the evaluation context and describes the audience to which the
evaluation criteria are addressed. An introduction to the basic security concepts necessary for
evaluation of IT products is given.
It defines the various operations by which the functional and assurance components given in ISO/IEC
15408-2 and ISO/IEC 15408-3 may be tailored through the use of permitted operations. The key
concepts of protection profiles (PP), packages of security requirements and the topic of conformance
are specified and the consequences of evaluation and evaluation results are described. ISO/IEC 15408-
1:2009 gives guidelines for the specification of Security Targets (ST) and provides a description of the
organization of components throughout the model.
ISO/IEC 13335 (IT Security Management)
ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of ICT
security, and addresses the general management issues that are essential to the successful planning,
implementation and operation of ICT security. Part 2 of ISO/IEC 13335 (currently 2nd WD) provides
operational guidance on ICT security. Together, these parts can be used to help identify and manage
all aspects of ICT security.
ISO 13335 is focused on Information and Communication Technologies, also called ICT. ISO standard
13335 was created to help businesses improve their information and communication security. There
is currently only one part of the ISO 13335 standard, ISO 13335-1. ISO standard 13335 is designed to
create an IT management framework, including information security policies, internal controls,
company approved practices and configuration management of hardware and software components.
Nothing in the information and communication technology environment is changed without formal
review and approval after thorough testing has been completed. In addition, ISO 13335 was created in
an effort to improve business continuity, the continuation of business operations in case of a massive
technical failure, natural disaster or hacking attack.
ISO 13335-1
The ICT standard ISO 13335-1 originated as a technical report on information security before it became
a separate ISO standard. ISO 13335-1 is focused on technical security controls over administrative
procedures and internal corporate rules. ISO standard 13335-1 is now the entire ISO 13335 standard
with the other sections either consolidated into ISO 13335-1 or made into their own standards.
Network security controls like firewalls can block traffic from selected IP addresses or prevent users
from accessing specific websites. Built-in data archiving modules attached to routers or network
connections automatically save all email messages, creating an instant record of communications
available if the main email server goes down or if messages are deleted by unauthorized parties.
ISO 13335-2

ISO 13335-2 originally contained the ISO’s guidance on ICT security. The 1990s version of the standard
was broken up into ISO 13335-1 and 13335-2. The ICT security recommendations in ISO 13335-2 were
incorporated into ISO 13335-1 in the 2004 update of the standard.
ISO 13335-3
ISO 13335-3 was originally the guidelines for managing IT security. ISO standard 13335-3 has been
replaced by ISO 27005. In essence, what was ISO 13335-3 is now part of ISO 27005.
ISO 13335-4
ISO 13335-4 outlined the ISO recommended practices of selecting technical security controls or IT
safeguards. ISO 13335-4 has also been replaced with ISO 27005.
ISO 13335-5
ISO 13335-5 was originally a set of guidelines on network security. ISO 13335-5 was replaced with ISO
18028-1 in 2006. ISO 18028-1 has since been revised by ISO 27033-1, released in 2009.
ISO 27005
ISO 27005 replaced several sections of the original ISO 13335 standard. ISO 27005 describes how
organizations define their context, the areas for which they are responsible. Risks are identified and
the severity of each risk is estimated during risk analysis. During risk treatment, the
organization decides whether to accept the risk, mitigate its effects or work to prevent the risk from
occurring. During risk monitoring, the group monitors the risks to the network. Some risks may
disappear as more security hardware is installed while others may grow due to user complacency or
evolving security threats. For example, the risk that a server’s compromise would shut down a
business is reduced when a backup server off site is created with hot backups of the organization’s
data. If the main server is compromised and is removed from the network to prevent hackers from using
it to access other areas, the business simply switches over to the remote backup server and keeps going.
ISO Standard 24762 for Technical Disaster Recovery
ISO/IEC 24762:2008 provides guidelines on the provision of information and communications
technology disaster recovery (ICT DR) services as part of business continuity management, applicable
to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services.
ISO/IEC 24762:2008 specifies:
• the requirements for implementing, operating, monitoring and maintaining ICT DR services and
facilities
• the capabilities which outsourced ICT DR service providers should possess and the practices they
should follow so as to provide basic secure operating environments and facilitate organizations'
recovery efforts
• the guidance for selection of recovery site
• the guidance for ICT DR service providers to continuously improve their ICT DR services
ISO Standard for BCM – 22301
ISO 22301 is a management systems standard for BCM which can be used by organizations of all sizes
and types. These organizations will be able to obtain accredited certification against this standard and

so demonstrate to legislators, regulators, customers, prospective customers and other interested
parties that they are adhering to good practice in BCM. ISO 22301 also enables the business continuity
manager to show top management that a recognized standard has been achieved.
While ISO 22301 may be used for certification and therefore includes rather short and concise
requirements, describing the central elements of BCM, a more extensive guidance standard (ISO
22313) is being developed to provide greater detail on each requirement in ISO 22301.
ISO 22301 may also be used within an organization to measure itself against good practice, and by
auditors wishing to report to management. The influence of the standard will therefore extend well
beyond those organizations that choose to be certified against it.
ISO/IEC 27031 provides guidance on the concepts and principles behind the role of information and
communications technology in ensuring business continuity.
The standard:
• Suggests a structure or framework (actually a set of methods and processes) for any organization –
private, governmental and non-governmental.
• Identifies and specifies all relevant aspects including performance criteria, design and implementation
details for improving ICT readiness as part of the organization’s ISMS, helping to ensure business
continuity.
• Enables an organization to measure its ICT continuity, security and hence readiness to survive a
disaster in a consistent and recognized manner.
IEEE Standards
IEEE has standardization activities in the network and information security space and in anti-malware
technologies, including in the encryption, fixed and removable storage and hard copy devices areas as
well as applications of these technologies in smart grids.
Encryption Approved standards:
• IEEE Std 1363-2000 IEEE Standard Specifications for Public-Key Cryptography [Also 1363a-
2004]
• IEEE Std 1363.1-2008 IEEE Standard Specification for Public-Key Cryptographic Techniques
Based on Hard Problems over Lattices
• IEEE Std 1363.2-2008 IEEE Standard Specification for Password-Based Public Key
Cryptographic Techniques

Fixed and Removable Storage Approved standards:


• IEEE Std 1619-2007 IEEE Standard for Cryptographic Protection of Data on Block-Oriented
Storage Devices
• IEEE Std 1619.1-2007 IEEE Standard for Authenticated Encryption with Length Expansion
for Storage Devices

• IEEE Std 1619.2-2010 IEEE Standard for Wide-Block Encryption for Shared Storage Media
• IEEE Std 1667-2009 IEEE Standard Protocol for Authentication in Host Attachments of
Transient Storage Devices

Security for Hardcopy Devices Approved standards:


• IEEE Std 2600-2008 IEEE Standard for Information Technology: Hardcopy Device and System
Security
• IEEE Std 2600.1-2009 IEEE Standard for a Protection Profile in Operational Environment A
• IEEE Std 2600.2-2009 IEEE Standard Protection Profile for Hardcopy Devices in IEEE Std.
2600 (TM)-2008 Operational Environment B
• IEEE Std 2600.3-2009 IEEE Standard Protection Profile for Hardcopy Devices in IEEE Std.
2600 (TM)-2008 Operational Environment C
• IEEE Std 2600.4-2010 IEEE Standard Protection Profile for Hardcopy Devices in IEEE Std.
2600 (TM)-2008 Operational Environment D

ISO 17799
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing,
maintaining and improving information security management in an organization. The objectives
outlined provide general guidance on the commonly accepted goals of information security
management.
ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas
of information security management:
o security policy
o organization of information security
o asset management
o human resources security
o physical and environmental security
o communications and operations management
o access control
o information systems acquisition, development and maintenance
o information security incident management
o business continuity management
o compliance
The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet
the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis
and practical guideline for developing organizational security standards and effective security
management practices and to help build confidence in inter-organizational activities.

ISO 17799: The key components of the Standard –


The Standard is divided into 2 parts.
• ISO 17799 Code of Practice for Information Security Management
• BS 7799 Part II Specifies requirements for establishing, implementing and documenting
Information Security Management System (ISMS)

The standard has ten domains, which address key areas of Information Security Management.
1. Information security policy for the organization
This activity involves a thorough understanding of the organization's business goals and its
dependence on information security. This entire exercise begins with creation of the IT security
policy. This is an extremely important task and should convey total commitment of top
management. The policy cannot be a theoretical exercise. It should reflect the needs of the actual
users. It should be implementable, easy to understand and must balance the level of protection
with productivity. The policy should cover all the important areas like personnel, physical,
procedural and technical.
2. Creation of information security infrastructure
A management framework needs to be established to initiate, implement and control information
security within the organization. This needs proper procedures for approval of the information
security policy, assigning of the security roles and coordination of security across the organization.
3. Asset classification and control
One of the most laborious but essential tasks is to maintain an inventory of all the IT assets, which
could be information assets, software assets, physical assets or other similar services. These
information assets need to be classified to indicate the degree of protection required. The classification
should result in appropriate labelling of the information to indicate whether it is sensitive or critical
and which procedures apply to copying, storing, transmitting or destroying the
information asset.
4. Personnel security
Human errors, negligence and greed are responsible for most thefts, frauds or misuse of facilities.
Various proactive measures that should be taken are: creation of personnel screening policies,
confidentiality agreements, terms and conditions of employment and information security
education and training.
Alert and well-trained employees who are aware of what to look for can prevent future security
breaches.
5. Physical and environmental security
Designing a secure physical environment to prevent unauthorized access, damage and
interference to business premises and information is usually the beginning point of any security

plan. This involves creating a physical security perimeter and entry controls, securing offices, rooms and
facilities, providing physical access controls and protection devices to minimize risks ranging from
fire to electromagnetic radiation, and providing adequate protection to power supplies and data
cables. Cost-effective design and constant monitoring are two key
aspects of maintaining adequate physical security control.
6. Communications and operations management
Properly documented procedures for the management and operation of all information
processing facilities should be established. This includes detailed operating instructions and
incident response procedures.
Network management requires a range of controls to achieve and maintain security in computer
networks. This also includes establishing procedures for remote equipment including equipment
in user areas. Special controls should be established to safeguard the confidentiality and integrity
of data passing over public networks. Special controls may also be required to maintain the
availability of the network services.
Exchange of information and software between external organizations should be controlled and
should be compliant with any relevant legislation. There should be proper information and
software exchange agreements. The media in transit need to be secured and should not be
vulnerable to unauthorized access, misuse or corruption.
Electronic commerce involves electronic data interchange, electronic mail and online transactions
across public networks such as the Internet. Electronic commerce is vulnerable to a number of
network threats that may result in fraudulent activity, contract dispute and disclosure or
modification of information. Controls should be applied to protect electronic commerce from such
threats.
7. Access control
Access to information and business processes should be controlled on the basis of business and security
requirements. This will include defining access control policy and rules; user access management;
user registration; privilege management; user password use and management; review of user
access rights; network access controls; enforcing path from user terminal to computer; user
authentication; node authentication; segregation of networks; network connection control;
network routing control; operating system access control; user identification and authentication;
use of system utilities; application access control; monitoring system access and use and ensuring
information security when using mobile computing and tele-working facilities.
8. System development and maintenance
Security should ideally be built at the time of inception of a system. Hence security requirements
should be identified and agreed prior to the development of information systems. This begins with
security requirements analysis and specification and providing controls at every stage i.e. data
input; data processing; data storage and retrieval and data output. It may be necessary to build
applications with cryptographic controls. There should be a defined policy on the use of such
controls, which may involve encryption; digital signature; use of digital certificates; protection of
cryptographic keys and standards to be used for cryptography.

A strict change control procedure should be in place to facilitate tracking of changes. Any changes
to operating systems or software packages should be strictly controlled. Special precaution
must be taken to ensure that no covert channels, back doors or Trojans are left in the application
system for later exploitation.
9. Business Continuity Management
A business continuity management process should be designed, implemented and periodically
tested to reduce the disruption caused by disasters and security failures. This begins by identifying
all events that could cause interruptions to business processes and depending on the risk
assessment, preparation of a strategy plan. The plan needs to be periodically tested, maintained
and re-assessed based on changing circumstances.
10. Compliance
It is essential that strict adherence is observed to the provisions of national and international IT
laws, pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of
organizational records, data protection and privacy of personal information, prevention of misuse
of information processing facilities, regulation of cryptographic controls and collection of
evidence.
Information Technology’s use in business has also resulted in enacting of laws that enforce
responsibility of compliance. All legal requirements must be complied with to avoid breaches of any
criminal and civil law, statutory, regulatory or contractual obligations and of any security
requirements.
BS 7799 (ISO 17799) and its relevance to Indian companies:
Although Indian companies and the Government have invested in IT, the reports of theft and attacks on
Indian sites and companies are alarming. Attacks and theft on corporate websites are frequent and are
usually kept under strict secrecy to avoid embarrassment before business partners, investors, media
and customers.
Huge losses sometimes go unaudited, and the only solution is to adopt a model that provides a
long-run, business-led approach to Information Security Management.
BS 7799 (ISO 17799) consists of 127 best security practices (covering the 10 domains discussed
above) which Indian companies can adopt to build their security infrastructure. Even if a company
decides not to go in for the certification, the BS 7799 (ISO 17799) model helps companies maintain IT security
through ongoing, integrated management of policies and procedures, personnel training, selecting
and implementing effective controls, reviewing their effectiveness and improvement. Additional
benefits of an ISMS are improved customer confidence, a competitive edge, better personnel
motivation and involvement, and reduced incident impact. Ultimately this leads to increased profitability.

Security Standards Organizations


• Internet Corporation for Assigned Names and Numbers (ICANN)

ICANN’s role is to oversee the huge and complex interconnected network of unique identifiers
that allow computers on the Internet to find one another.
To reach another person on the Internet you have to type an address into your computer - a name
or a number. That address has to be unique so computers know where to find each other. ICANN
coordinates these unique identifiers across the world. Without that coordination we wouldn't
have one global Internet.
ICANN was formed in 1998. It is a not-for-profit partnership of people from all over the world
dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and
develops policy on the Internet’s unique identifiers. This is commonly termed “universal
resolvability” and means that wherever you are on the network – and hence the world – that you
receive the same predictable results when you access the network. Without this, you could end
up with an Internet that worked entirely differently depending on your location on the globe.
• International Organization for Standardization (ISO)
ISO (International Organization for Standardization) is an independent, non-governmental
membership organization and the world's largest developer of voluntary International Standards.
ISO is made up of 162 member countries, represented by their national standards bodies,
with a Central Secretariat that is based in Geneva, Switzerland.
International Standards make things work. They give world-class specifications for products, services
and systems, to ensure quality, safety and efficiency. They are instrumental in facilitating international
trade.
ISO has published more than 19 500 International Standards covering almost every industry, from
technology, to food safety, to agriculture and healthcare. ISO International Standards impact
everyone, everywhere.

• Consultative Committee For Telephone and Telegraphy (CCITT)


The CCITT, now known as the ITU-T (for Telecommunication Standardization Sector of the
International Telecommunications Union), is the primary international body for fostering cooperative
standards for telecommunications equipment and systems. It is located in Geneva, Switzerland.
• American National Standards Institute (ANSI)
American National Standards Institute (ANSI) oversees the creation, promulgation and use of
thousands of norms and guidelines that directly impact businesses in America in nearly every sector:
from acoustical devices to construction equipment, from dairy and livestock production to energy
distribution, and many more. ANSI is also actively engaged in accreditation - assessing the competence
of organizations determining conformance to standards.

• Institute of Electrical and Electronics Engineers (IEEE)


IEEE is the world's largest professional association dedicated to advancing technological innovation
and excellence for the benefit of humanity. IEEE and its members inspire a global community through
IEEE's highly cited publications, conferences, technology standards, and professional and educational
activities. IEEE, pronounced "Eye-triple-E," stands for the Institute of Electrical and Electronics
Engineers.

• Electronic Industries Association (EIA)


The Electronic Industries Association (EIA) comprises individual organizations that together have
agreed on certain data transmission standards such as EIA/TIA-232 (formerly known as RS-232). The
Electronics Industries Alliance (EIA) is an alliance of trade organizations that lobby in the interest of
companies engaged in the manufacture of electronics-related products.
• National Institute of Standards and Technology (NIST)
Founded in 1901 and now part of the U.S.
Department of Commerce, NIST is one of the nation's oldest physical science laboratories. US Congress
established the agency to remove a major handicap to U.S. industrial competitiveness at the time.
Today, NIST measurements support the smallest of technologies—nanoscale devices so tiny that tens
of thousands can fit on the end of a single human hair—to the largest and most complex of human-
made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global
communication networks. The National Centre for Standards and Certification Information provides
research services on standards, technical regulations and conformity assessment procedures for non-
agricultural products. The Centre is a central repository for standards-related information in the
United States and has access to U.S., foreign and international documents and contact points through
its role as the U.S. national inquiry point under the World Trade Organization Agreement on Technical
Barriers to Trade. The Program maintains a database on NIST and Department of Commerce staff
participation in standards developing activities.
 World Wide Web Consortium (W3C)
The World Wide Web Consortium (W3C) is an international community where Member organizations,
a full-time staff, and the public work together to develop Web standards. Led by Web inventor Tim
Berners-Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web to its full potential.

Vision

W3C's vision for the Web involves participation, sharing knowledge, and thereby building
trust on a global scale.

The following design principles guide W3C's work.


Web for All

The social value of the Web is that it enables human communication, commerce, and
opportunities to share knowledge. One of W3C's primary goals is to make these benefits available
to all people, whatever their hardware, software, network infrastructure, native language,
culture, geographical location, or physical or mental ability.
Web on Everything
The number of different kinds of devices that can access the Web has grown immensely. Mobile
phones, smart phones, personal digital assistants, interactive television systems, voice response
systems, kiosks and even certain domestic appliances can all access the Web.
Web for Rich Interaction
The Web was invented as a communications tool intended to allow anyone, anywhere to share
information. For many years, the Web was a "read-only" tool for many. Blogs and wikis brought
more authors to the Web, and social networking emerged from the flourishing market for content
and personalized Web experiences. W3C standards have supported this evolution thanks to
strong architecture and design principles. Some people view the Web as a giant repository of
linked data while others as a giant set of services that exchange messages. The two views are
complementary, and which to use often depends on the application.
Web of Trust
The Web has transformed the way we communicate with each other. In doing so, it has also
modified the nature of our social relationships. People now "meet on the Web" and carry out
commercial and personal relationships, in some cases without ever meeting in person. W3C
recognizes that trust is a social phenomenon, but technology design can foster trust and
confidence. As more activity moves on-line, it will become even more important to support
complex interactions among parties around the globe.
Web Application Security Consortium (WASC)
The Web Application Security Consortium (WASC) is a non-profit made up of an international
group of experts, industry practitioners, and organizational representatives who produce open
source and widely agreed-upon best-practice security standards for the World Wide Web. As an
active community, WASC facilitates the exchange of ideas and organizes several industry projects.
WASC consistently releases technical information, contributed articles, security guidelines, and
other useful documentation. Businesses, educational institutions, governments, application
developers, security professionals, and software vendors all over the world use WASC materials
to assist with the challenges presented by web application security.

4.4 Information Security Laws, Regulations & Guidelines

India
India’s Ministry of Communications and Information Technology (“Department of Information
Technology”) has implemented the Information Technology (Reasonable security practices and
procedures and sensitive personal data or information) Rules, 2011 (“Privacy Rules”). Clarifications to
the Privacy Rules were issued via Press Note by the Ministry. India’s enabling legislation is India’s
Information Technology Act 2000 (the “Act”). While India continues to adhere to the Information
Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information) Rules, 2011 (Rules) enacted in 2011, the Centre for Internet and Society presented a new
Privacy (Protection) Bill, 2013 (Bill), on September 30, 2013. The Bill seeks to further refine provisions
of the Rules, with a focus on protection of personal data through limitations on use and requirements
for notice. The collection of personal data would be prohibited unless “necessary for the achievement
of a purpose of the person seeking its collection,” and, subject to sections 6 and 7 of the Bill, “no
personal data may be collected under this Act prior to the data subject being given notice, in such
form and manner as may be prescribed, of the collection.” The Bill acknowledges the collection of data
with and without consent; the regulation of personal data storage, processing, transfer, and security;
and discusses the different types of disclosure.

Sources:
• http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf
• http://pib.nic.in/newsite/erelease.aspx?relid=74990
• http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan010239.pdf

Data Protection Authority and Registration Requirements

• No specific data protection authority exists, but the Privacy Rules state that in the case of a breach,
a “Body Corporate,” as defined under the Act, must answer to “the agency mandated under the
law” (presumably, the Ministry).
• There are no registration requirements for the collection of data. However, the Data Security
Council of India (the “DSCI”) provides a certification service by which organizations within India
may become “DSCI Privacy Certified.”
Protected Personal Data
Personal information is defined as any information that relates to a natural person, which, either
directly or indirectly, in combination with other information available or likely to be available with a
corporate entity, is capable of identifying such person.
Sensitive personal data or information is defined as “personal information” which consists of
information relating to any of the following: passwords; financial information such as bank account or
credit card or debit card or other payment instrument details; physical, physiological and mental
health condition; sexual orientation; medical records and history; biometric information; any detail
relating to any of the above as provided to a corporate entity for providing service; and any of the
information received under the above by a corporate entity for processing, stored or processed under
lawful contract or otherwise. Data or information is not sensitive and personal if it is available in the
public domain or furnished under the Right to Information Act of 2005.
Data Collection and Processing
The Privacy Rules apply to data collection, but do not define processing.
The Privacy Rules require a Body Corporate that collects, receives, possesses, stores, deals with, or handles
sensitive or personal data to provide a privacy policy for the handling of such data and to ensure that the
policy is available for viewing by the data subjects who have provided the information under contract.
The policy shall provide for:
• clear and easily accessible statements of its practices and policies;
• the type of personal or sensitive personal data or information collected;
• the purpose of collection and usage of such information;
• the disclosure of information including sensitive personal data or information; and
• reasonable security practices and procedures.
Data may be collected and processed when all of the following conditions are met:
• the data subject has provided written consent and is aware at the time of collection that the
information is being collected, the purpose of collection, the intended recipients of the
information, and the name and address of the agency that is collecting and will retain the
information;
• the data subject has been provided with the option not to provide its sensitive personal data
or information;
• the data subject is permitted to withdraw his/her consent, in writing, at any time;
• the information is collected for a lawful purpose connected with a function or activity of the
body corporate or any person on its behalf; and
• the collection of the sensitive personal data or information is considered necessary for that
lawful purpose.
Data Transfer
Disclosure of data to a third party requires prior permission of the data subject, whether the
information is provided under contract or otherwise, except in the following situations:
• the disclosure has already been agreed to in a contract;
• the disclosure is necessary for compliance with a legal obligation;
• the data is shared with government agencies with the authority to obtain the data for the
purpose of verification of identity, or for the prevention, detection, investigation, prosecution,
and punishment of offenses, including cyber incidents; or
• the disclosure is pursuant to an order under the law.
Data may be transferred domestically or internationally to any person or Body Corporate that ensures
the same level of data protection that is adhered to by the Body Corporate, but the transfer is allowed
only if:
• the data subject consents; or
• the transfer is necessary for the performance of the lawful contract between the body
corporate or any person on its behalf and the data subject.
Data Security
A Body Corporate is required to implement reasonable security practices and procedures. The Privacy
Rules indicate that reasonable practice methodologies include IS/ISO/IEC 27001 or other measures
that have been pre-approved by the central government and are subject to annual audits by a central
government approved auditor.
Breach Notification
There is no mandatory requirement to report data security breach incidents under the Privacy Rules.
Other Considerations
Data retention rules state that information should not be retained longer than is required for the
purposes for which the information may lawfully be used or is otherwise required under any other
law.
A clarification to the Privacy Rules stating that a “Body corporate providing services relating to
collection, storage, dealing or handling of sensitive personal data or information under contractual
obligation with any legal entity located within or outside India is exempt from the requirement to
obtain consent” was issued via Press Note by the Department of Information and Technology.
Accordingly, outsourcing service providers in India should be exempt from obtaining consent from the
individuals whose data they process.
Enforcement & Penalties
A corporate entity may be liable for up to Rs. 50,000,000 for the negligent failure to implement and
maintain reasonable practices and procedures, causing wrongful loss or gain.
International Directory of Laws
This directory includes laws, regulations and industry guidelines with significant security and privacy impact
and requirements. It is largely USA-focused but is used by international agencies as a reference point.

Broad laws:
• Sarbanes-Oxley Act (SOX)
• Payment Card Industry Data Security Standard (PCI DSS)
• Gramm-Leach-Bliley (GLB) Act
• Electronic Fund Transfer Act, Regulation E (EFTA)
• Customs-Trade Partnership Against Terrorism (C-TPAT)
• Free and Secure Trade Program (FAST)
• Children's Online Privacy Protection Act (COPPA)
• Fair and Accurate Credit Transaction Act (FACTA), including the Red Flags Rule
• Federal Rules of Civil Procedure (FRCP)

Industry-specific laws:
• Federal Information Security Management Act (FISMA)
• North American Electric Reliability Corp. (NERC) standards
• Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records
• Health Insurance Portability and Accountability Act (HIPAA)
• The Health Information Technology for Economic and Clinical Health Act (HITECH)
• Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
• H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation

Summary
• A security policy is a document or set of documents that describes, at a high level, the security
controls that will be implemented by the company.
• There are two basic types of security policies: technical security policies and administrative
security policies.
• Key elements of a security policy:
  o Overview – background information on the issue the policy addresses.
  o Purpose – why the policy is created.
  o Scope – the areas the policy covers.
  o Targeted Audience – to whom the policy applies.
  o Policy – a clear description of the policy.
  o Definitions – a brief introduction to the technical jargon used inside the policy.
  o Version – a version number to control the changes made to the document.
• Auditing the security governance practices of a company requires understanding how the
organization manages the processes and procedures that make up its security program and
comparing those aspects to recognized governance frameworks.
• The COSO internal controls framework consists of five main control components:
  o Control Environment
  o Risk Assessment
  o Control Activities
  o Information and Communication
  o Monitoring
• The role of COBIT in IT governance is to provide a model that takes the guesswork out of how
to bridge the gap between business goals and IT goals.
• ITIL is used by companies for the overall management of IT, including the management of
security processes.
• Standards and best practices can help the auditor distinguish good security designs from bad
and provide reference architectures to compare against.
• Various standards include:
  o ISO 27000 series of standards
  o NIST
  o Center for Internet Security
  o NSA
  o DISA
  o SANS
  o ISACA
  o ISO 27003
  o ISO 27004
  o ISO/IEC 13335 (IT Security Management)
  o ISO 27005
  o ISO Standard 24762 for Technical Disaster Recovery
  o ISO Standard for BCM – 22301
  o IEEE Standards
  o ISO 17799
  o BS 7799 (ISO 17799)

Practical activities:

Activity 1:

Work in groups and collate various security policies available across various
organizations. Categorize various policies and highlight the differences between these
based on context including sector, size of organization, types of information or data they
possess, country, etc.

Compile a list of components that are similar across policies. Discuss why you think
these elements are similar or dissimilar and what the impact of the variances is.

Activity 2:

Work in groups and research the various data security standards that are available.
Categorize the standards based on the area they pertain to.

Present key highlights of a selected standard. Discuss why standards are important, why
these standards have credibility and legitimacy. Think about what is the composition of
the standard setting body and who are their members or patrons.

Activity 3:

Develop a set of standards for various aspects of your student life and education; make
a plan for advocacy and promotion of these standards so that more and more people
adopt them. List the key imperatives and challenges for the successful adoption and
recognition of the proposed standards.

Activity 4:

Explore the various laws and regulations that are applied in the areas of information
security. Present key features of the laws and cite cases where these were violated and
cases were filed in breach of law. Present findings in the class, discussing the details of
the case and interesting facets of it.

Check your understanding:


1. State the main objective of a security policy.

_________________________________________________________________________________

_________________________________________________________________________________
2. State at least three key constituents of a security policy

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
3. Explain at least two main concepts in the COSO framework

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
4. Explain the application of the Deming Cycle in IT security.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
5. Name the two categories of CIS benchmarks. Explain why they are used for configuration-level
auditing of technology.

________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
6. How is BS 7799 (ISO 17799) relevant to Indian Companies?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
7. State at least five different data security policies an organisation may have.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

UNIT V
Information Security Management
– Roles and Responsibilities

This Unit covers:

• Lesson Plan
• Resource Material
5.1. Information and Data Security Team Structure
5.2. Security Incident Response Team

LESSON PLAN

Performance Outcomes
To be competent, you must be able to:
• PC1. establish your role and responsibilities in contributing to managing information security
• PC10. obtain advice and guidance on information security issues from appropriate people, where required
• PC11. comply with your organization’s policies, standards, procedures and guidelines when contributing to managing information security

Ensuring Measures
• Going through various organizations’ websites and understanding their policies and guidelines (Research)
• Understand, summarize and articulate

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Networking Equipment – Routers & Switches
• Firewalls and Access Points
• Commercial tools like HP WebInspect and IBM AppScan etc.
• Open source tools like sqlmap, Nessus etc.

You need to know and understand:
• KA3. limits of your role and responsibilities and who to seek guidance from
• KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
• KA11. who to involve when managing information security

Ensuring Measures
• KA1. Going through various organizations’ websites and understanding their policies and guidelines (Research)
• KA2, KA3. Understand, summarize and articulate

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)

Lesson

5.1 Information and Data Security Team Structure

With the growing importance and scope of information and data security, numerous organizational
structures and configurations have been implemented to get a handle on the complexities associated
with managing and protecting data.

Information security governance begins at the top with the Board of Directors and CEO enforcing
accountability for adherence to standards and commissioning the development of security
architectures that address the security requirements of the business as a whole. The auditing function
might be its own group (or outsourced to a third party) and might report to the CEO or directly to the
Board of Directors to maintain its independence.

Board of Directors
The Board of Directors is responsible for protecting the interests of the shareholders of the
corporation. This duty of care (fiduciary responsibility) requires that it understand the risk to the
business and its data. The Board of Directors is responsible for approving the appropriate resources
necessary to safeguard data. It also needs to be kept aware of how the security program is
performing.

Security Steering Committee


The Security Steering Committee has an important role in security governance; this group is
responsible for setting the tactical and strategic direction for the organization as a whole. The group
generally consists of the CEO, CFO, CIO/CISO, and the internal auditing function (or oversight if it is
outsourced to a third party). Other business functions might also be present, such as Human
Resources and business operational leaders, depending on the size and organizational complexity
of the business. This team reviews audit results, risk assessment, and current program performance
data. The committee also provides approval for any major policy or security strategy changes.

CEO or Executive Management


Senior management must answer to the Board of Directors and shareholders of a company.
Furthermore, if the company is publicly traded, the CEO and CFO must personally attest to the
accuracy and integrity of the financial reports the company issues. Executive management sets the
tone and direction for the rest of the company and must be aware of the risks the company faces
for the confidentiality, integrity, and availability of sensitive data.

CIO/CISO
The CIO/CISO is responsible for aligning the information security program strategy and vision to
business requirements. The CIO/CISO ensures that the correct resources are in place to adhere to
the policies and procedures set forth by the steering committee. This role generally reports to the
CEO and Board of Directors and reports how the organization is performing relative to the
company’s goals and similar organizations in the same industry.

Security Director
The security director’s role is to coordinate the efforts for securing corporate assets. The
responsibilities include reporting on the progress of initiatives to executive management and
building the teams and resources to address the various tasks necessary for information security.

This role also acts as a liaison to other aspects of the business to articulate security requirements
throughout the company. The security director manages the teams in developing corporate data
security policies, standards, procedures, and guidelines.

Security Analyst
A security analyst builds the policies, analyses risk, and identifies new threats to the business.
Business continuity and disaster recovery planning are important functions performed by the
analyst to prepare the company for the unexpected. The analyst is also responsible for creating
reports about the performance of the organization’s security systems.

Security Architect
A security architect defines the procedures, guidelines, and standards used by the company.
Architects help to select the controls used to protect the company’s data and they make sure that
the controls are sufficient for addressing the risk and complying with policy. This role is also
responsible for testing security products and making recommendations about what will best serve
the needs of the company.

Security Engineer
A security engineer implements the controls selected by the security architect. Security engineers
are responsible for the maintenance of firewalls, IPS, and other tools. This includes upgrades,
testing, patching, and overall maintenance of the security systems. This role might also be
responsible for testing the functionality of equipment to make sure that it operates as expected.

Systems Administrator
A systems administrator is responsible for monitoring and maintaining the servers, printers, and
workstations a company uses. In addition, administrators add and/or remove user accounts as
necessary, control access to shared resources, and maintain company-wide antivirus software.

Database Administrator
The Database Administrator (DBA) has an important job in most companies. The DBA is responsible
for designing and maintaining corporate databases and also securing access to the data to ensure
its integrity. The ramifications of lax security in this role can be severe, especially considering the
reporting requirements mandated by SOX.

IS Auditor
An auditor’s role in security governance is to assess the effectiveness in meeting the requirements
set forth by policy and management direction. The auditor is tasked to identify risk and report on
how the organization performs to upper management. The auditor provides an impartial review of
projects and technologies to identify weaknesses that could result in loss to the company.

End User
End users have a critical role in security governance that is often overlooked. They must be aware
of the impact their actions can have on the security of the company and be able to safeguard
confidential information. They are responsible for complying with policies and procedures and
following safe computing practices, such as not opening attachments without antimalware software
running or loading unauthorized software. A solid user security awareness program can help
promote safe computing habits.

[Figure: Hierarchical flowchart for all the Roles w.r.t. Information Security]
1. Board of Directors
2. CEO
3. CIO/CISO
4. Security Director
5. Security Analyst
6. System Architect
7. System Engineer
8. System Administrator
9. Database Administrator
10. IS Auditor
11. End User

5.2 Security incident response team

The security incident response team is a group of individuals who have been trained in incident
management, each having distinct response roles. The team works under the direction of the incident
officer. The team is tasked with the following responsibilities:
• Processes IT security complaints or incidents.
• Assesses threats to IT resources.
• Alerts IT managers of imminent threats.
• Determines incident severity and escalates it, if necessary, with notification to the CTO and
the president’s senior staff.
• Coordinates security incidents (level 2 or 3) from discovery to closure.
• Reviews incidents, provides solutions/resolutions and closure.

Table-Top Exercise:
Students are recommended to follow this link and perform an interesting exercise on a security
breach by assuming the various roles described in the exercise:

http://www.nascio.org/portals/0/awards/nominations2015/2015/2015PA12-PA%20Cyber%20Continuity%20CIO%20Exercise%20DR%20Sec%20Biz%20Continuity%20NASCIO%202015%20FINAL.pdf

Summary
• Information security governance begins at the top with the Board of Directors and CEO
enforcing accountability for adherence to standards and commissioning the development of
security architectures that address the security requirements of the business as a whole.
• The auditing function might be its own group (or outsourced to a third party) and might report
to the CEO or directly to the Board of Directors to maintain its independence.
• Various roles in information security in an organisation: Board of Directors, Security Steering
Committee, CEO or Executive Management, CIO/CISO, Security Director, Security Analyst,
Security Architect, Security Engineer, Systems Administrator, Database Administrator, IS
Auditor and End User.
• Role of the security incident response team and its responsibilities:
  o Processes IT security complaints or incidents.
  o Assesses threats to IT resources.
  o Alerts IT managers of imminent threats.
  o Determines incident severity and escalates it, if necessary, with notification to the CTO and
the president’s senior staff.
  o Coordinates security incidents (level 2 or 3) from discovery to closure.
  o Reviews incidents, provides solutions/resolutions and closure.


Practical activities:

Activity 1:

Collect information about various job titles and roles within the data security sub-sector.
Meet industry representatives and compile a list of functions, qualification and
experience requirements for each role. Present the same in class in groups.

Activity 2:

Work in teams to conduct industry interactions with various teams in place in
organisations, from different departments, assigned to information security. Compare
the variances between different types of companies and debate and deliberate on
various aspects of these including:

 composition,
 liaising with different departments inside the organisation,
 interactions with other organisations, their functions, etc.

Check your understanding:


1. State TRUE or FALSE
• The Security Director of an organization is not responsible for managing teams in developing
corporate data security policies, standards, procedures and guidelines. ( )
• A solid user security awareness program can help promote safe computing habits.
( )

2. Explain how the role of a Security Analyst differs from that of a Security Engineer.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

3. Fill in the blanks with the most appropriate answer


• Database Administrator (DBA) is responsible for ______________ and
____________________ databases and also for securing access to the data to ensure its
integrity.
• The ________ is responsible for aligning the information security program strategy and vision
to business requirements.
• A ________________ ________________is responsible for monitoring and maintaining the
servers, printers, and workstations a company uses.

• The security director’s role is to coordinate the efforts for securing _____________ ________.
• A ___________ ___________builds the policies, analyses risk, and identifies new threats to
the business.

4. Mention at least two important tasks of an IS Auditor.

__________________________________________________________________________________

__________________________________________________________________________________

5. Tick the right answer


The security incident response team is tasked with the following responsibilities:
(a) assess threats to IT resources
(b) alerts IT managers of imminent threats
(c) process IT security complaints or incidents
(d) all of the above


UNIT VI
Information Security
Performance Metrics

This Unit covers:

 Lesson Plan
6.1. Introduction – Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring Systems


LESSON PLAN

Performance Outcomes
To be competent, you must be able to:
PC7. analyze information security performance metrics to highlight variances and issues for action by appropriate people
PC3. carry out security assessment of information security systems using automated tools
PC9. update your organization’s knowledge base promptly and accurately with information security issues and their resolution
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines

Ensuring Measures
QA session and a Descriptive write up on understanding.
Group presentation and peer evaluation along with Faculty.
Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.
Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
Creation of templates based on the learnings.

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Access to all security sites like ISO, PCI DSS
 Commercial Tools like HP Web Inspect and IBM AppScan etc.
 Open Source tools like sqlmap, Nessus etc.

Knowledge and Understanding
You need to know and understand:
KA1. your organization’s policies, procedures, standards and guidelines for managing information security
KA2. your organization’s knowledge base and how to access and update this
KA10. how to access and analyse information security performance metrics
KA11. who to involve when managing information security
KA12. your organization’s information security systems and tools and how to access and maintain these
KA13. standard tools and templates available and how to use these
KB3. common issues and variances of performance metrics that require action and who to report these to

Ensuring Measures (by knowledge area)
KA1. QA session and a Descriptive write up on understanding.
KA2. Group presentation and peer evaluation along with Faculty.
KA10, KA11. Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.
KA12. Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
KA13. Creation of templates based on the learnings.

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with Wi-Fi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Access to all security sites like ISO, PCI DSS
 Commercial Tools like HP Web Inspect and IBM AppScan etc.
 Open Source tools like sqlmap, Nessus etc.

Lesson
6.1 Introduction – Security Metrics
It helps to understand what metrics are by drawing a distinction between metrics and measurements.
Measurements provide single-point-in-time views of specific, discrete factors, while metrics are
derived by comparing to a predetermined baseline of two or more measurements taken over time.
Measurements are generated by counting; metrics are generated from analysis. In other words,
measurements are objective raw data and metrics are either objective or subjective human
interpretations of those data.

In the face of regular, high-profile news reports of serious security breaches, as well as intense scrutiny
of institutional costs, security managers are more than ever being held accountable for demonstrating
the effectiveness of their security programs. What means should managers be using to meet this
challenge? Key among these should be security metrics. This lesson provides a definition of
security metrics, explains their value, discusses the difficulties in generating them, suggests a methodology
for building a security metrics program, and reviews factors that affect its ongoing success.

Good metrics are those that are SMART, i.e. specific, measurable, attainable, repeatable, and time-
dependent. Truly useful metrics indicate the degree to which security goals, such as data
confidentiality, are being met, and they drive actions taken to improve an organization’s overall
security program. Distinguishing metrics meaningful primarily to those with direct responsibility for
security management from those that speak directly to executive management interests and issues is
critical to development of an effective security metrics program.

While there are multiple ways to categorize metrics, guidance from the National Institute for
Standards and Technology (NIST) does this in a way that is more helpful than simply providing tag
names for metric groupings. The Performance Measurement Guide for Information Security (NIST SP
800-55 Revision 1) divides security metrics into three categories and links each to levels of security
program maturity.

The categories are:

 Implementation – metrics used to show progress in implementing policies and procedures and
individual security controls
 Effectiveness/efficiency – metrics used to monitor results of security control implementation
for a single control or across multiple controls
 Impact – metrics used to convey the impact of the information security program on the
institution's mission, often through quantifying cost avoidance or risk reduction produced by
the overall security program

As mentioned earlier, truly useful metrics indicate the degree to which security goals are being met
and they drive actions taken to improve an organization's overall security program. Before expending
resources producing metrics in any of these three categories, it is essential that goals and objectives
of the security program be articulated.


6.2 Types of Security Metrics

Three distinct types of metrics classified according to level:

 Strategic security metrics
These are measures concerning the information security elements of high level business goals,
objectives and strategies. For example, if the organization needs to bolster its information security
capabilities and competences in order to support various business initiatives, without expanding
the budget, metrics concerning the efficiency and effectiveness of information security are probably
relevant. Broad-brush metrics relating to information security risks, capabilities and value tend to
exist at this high level. The reporting period may be one or more years.

 Security management metrics
There are numerous facets to managing information security risks that could be measured, hence
many possible metrics. We recommend making a special effort to identify management metrics
that directly relate to achieving specific business objectives for information security, supplementing
those that are needed to manage the information security department, function or team just like
any other part of the business (e.g. expenditure against budget). Management-level metrics tend
to be reported/updated on a monthly or quarterly basis. Metrics concerning information security
projects/initiatives (e.g. implementing dual-factor authentication) and the information security
management system (e.g. security incident statistics) are typical examples.

 Operational security metrics
At the lowest level of analysis, most information security controls, systems and processes need to
be measured in order to operate and control them. Metrics supporting security operations are
normally only of direct concern to those managing and performing security activities. They include
both technical and non-technical security metrics that are often updated on a weekly, daily or
hourly basis. They are unlikely to be of much interest or value beyond the information security and
related technical functions, although some

Another classification is by object of measurement:


 Process Security Metrics: These metrics measure processes and procedures. Examples are the
number of policy violations, percentage of systems with formal risk assessments, percentage of
systems with tested security controls, percentage of weak passwords (noncompliant), number of
identified risks and their severity, percentage of systems with contingency plans, etc. These are
usually compliance/governance driven. While they generally support better security, their
actual impact is hard to define.
 Network Security Metrics: These are driven by products (firewalls, IDS, etc.). Readily available and
widely used, they give a sense of control, and they usually come with a level of data presentation
through charts and interfaces. They can be misleading, though. Examples are successful/unsuccessful
logons, number of incidents, number of viruses blocked, number of patches applied, number of spam
messages blocked, number of virus infections, number of port probes, traffic analysis, etc.

 Software Security Metrics: Software measures are usually troublesome (LOC, FPs, complexity,
etc.): the metrics are context sensitive, environment dependent and architecture dependent.
Examples are size and complexity, defects/LOC, defects (severity, type) over time, cost per defect,
attack surface (number of interfaces), layers of security and design flaws.
 People Security Metrics: These are usually relevant but unreliable, as people's behaviour is difficult
to model; biases and non-standard responses make it difficult to predict. Examples
include the number of associates/contractors that have completed information security policy training,
team size, etc.
 Other

A sample list of metrics is given below. These metrics cover the following business functions:
 Application Security
o Number of Applications
o Percentage of Critical Applications
o Risk Assessment Coverage
o Security Testing Coverage
 Configuration Change Management
o Mean-Time to Complete Changes
o Percent of Changes with Security Review
o Percent of Changes with Security Exceptions
 Financial
o Information Security Budget as % of IT Budget
o Information Security Budget Allocation
 Incident Management
o Mean-Time to Incident Discovery
o Incident Rate
o Percentage of Incidents Detected by Internal Controls
o Mean-Time Between Security Incidents
o Mean-Time to Recovery
 Patch Management
o Patch Policy Compliance
o Patch Management Coverage
o Mean-Time to Patch
 Vulnerability Management
o Vulnerability Scan Coverage
o Percent of Systems Without Known Severe Vulnerabilities
o Mean-Time to Mitigate Vulnerabilities
o Number of Known Vulnerability Instances
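As an added example (not code from the handbook), the Python below derives several of the Incident Management and Patch Management metrics listed above from raw measurements, in the sense of 6.1: single-point records of incidents and patches are turned into mean times, rates and percentages, and each is then compared against a target. The incident records, patch records, host list and target values are all constructed for illustration.

```python
# Added example: metrics derived from constructed measurements (not handbook code).
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Incident:
    ident: str
    occurred: datetime          # when the event actually began
    discovered: datetime        # when the team first became aware of it
    recovered: datetime         # when normal operation was restored
    internal_detection: bool    # found by an internal control (IDS, SIEM, staff)?

@dataclass
class PatchRecord:
    host: str
    released: datetime          # vendor release of the fix
    applied: Optional[datetime] # None while the host is still unpatched

def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0

def incident_metrics(incidents: List[Incident], period_days: int) -> Dict[str, Optional[float]]:
    """Incident Management metrics for a reporting period of period_days days."""
    by_time = sorted(incidents, key=lambda i: i.occurred)
    gaps = [hours(b.occurred - a.occurred) for a, b in zip(by_time, by_time[1:])]
    return {
        # Mean-Time to Incident Discovery: dwell time before the team knew
        "mttd_h": mean(hours(i.discovered - i.occurred) for i in incidents),
        # Mean-Time to Recovery, counted from discovery rather than occurrence
        "mttr_h": mean(hours(i.recovered - i.discovered) for i in incidents),
        # Incident Rate, normalised to a 30-day month so periods compare
        "incidents_per_30d": len(incidents) / period_days * 30.0,
        # Percentage of Incidents Detected by Internal Controls
        "pct_internal_detection": 100.0 * sum(i.internal_detection for i in incidents) / len(incidents),
        # Mean-Time Between Security Incidents (needs at least two incidents)
        "mtbi_h": mean(gaps) if gaps else None,
    }

def patch_metrics(records: List[PatchRecord], in_scope: Set[str],
                  policy_days: int, as_of: datetime) -> Dict[str, Optional[float]]:
    """Patch Management metrics; policy_days is the allowed window after release."""
    window = timedelta(days=policy_days)
    applied = [r for r in records if r.applied is not None]

    def compliant(r: PatchRecord) -> bool:
        # An unpatched host is compliant only while its window is still open.
        end = r.applied if r.applied is not None else as_of
        return end - r.released <= window

    return {
        # Patch Policy Compliance: share of records patched within the window
        "patch_policy_compliance_pct": 100.0 * sum(compliant(r) for r in records) / len(records),
        # Patch Management Coverage: share of in-scope hosts with any patch record
        "patch_coverage_pct": 100.0 * len({r.host for r in records} & in_scope) / len(in_scope),
        # Mean-Time to Patch, over the hosts actually patched
        "mttp_h": mean(hours(r.applied - r.released) for r in applied) if applied else None,
    }

def against_targets(metrics: Dict[str, Optional[float]],
                    targets: Dict[str, Tuple[str, float]]) -> Dict[str, bool]:
    """targets maps a metric name to ("max", limit) or ("min", limit)."""
    status: Dict[str, bool] = {}
    for name, (kind, limit) in targets.items():
        value = metrics.get(name)
        if value is None:   # no measurement counts as a missed target, not a pass
            status[name] = False
        else:
            status[name] = value <= limit if kind == "max" else value >= limit
    return status

# Constructed sample measurements for one quarter (not real incidents or hosts).
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2023, 1, 2, 8), datetime(2023, 1, 2, 10), datetime(2023, 1, 2, 18), True),
    Incident("INC-2", datetime(2023, 1, 15, 0), datetime(2023, 1, 17, 0), datetime(2023, 1, 18, 12), False),
    Incident("INC-3", datetime(2023, 2, 10, 12), datetime(2023, 2, 10, 16), datetime(2023, 2, 11, 4), True),
    Incident("INC-4", datetime(2023, 3, 1, 9), datetime(2023, 3, 1, 15), datetime(2023, 3, 3, 15), True),
]
SAMPLE_PATCHES = [
    PatchRecord("web-01", datetime(2023, 2, 1), datetime(2023, 2, 5)),
    PatchRecord("web-02", datetime(2023, 2, 1), datetime(2023, 2, 20)),
    PatchRecord("db-01", datetime(2023, 2, 1), None),
]
IN_SCOPE_HOSTS = {"web-01", "web-02", "db-01", "app-01"}
# Hypothetical targets; a real programme sets them from its own baseline.
TARGETS = {"mttd_h": ("max", 24.0), "mttr_h": ("max", 24.0),
           "pct_internal_detection": ("min", 80.0),
           "patch_policy_compliance_pct": ("min", 90.0), "mttp_h": ("max", 168.0)}

def quarterly_report() -> Tuple[Dict[str, Optional[float]], Dict[str, bool]]:
    metrics: Dict[str, Optional[float]] = {}
    metrics.update(incident_metrics(SAMPLE_INCIDENTS, period_days=90))
    metrics.update(patch_metrics(SAMPLE_PATCHES, IN_SCOPE_HOSTS, 14, datetime(2023, 3, 31)))
    return metrics, against_targets(metrics, TARGETS)

if __name__ == "__main__":
    values, status = quarterly_report()
    for name, value in values.items():
        print(f"{name:30s} {value!s:>20} {status.get(name, '')}")
```

Note that the mean times here are over a handful of constructed records; in practice a single long-running incident can dominate a mean, so reporting the distribution (or a median) alongside it avoids misleading management.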


6.3 Using Security Metrics

Using security metrics involves data acquisition. This may be automated or manually collected. Data
collection automation depends on the availability of data from automated sources versus the
availability of data from people. Manual data collection involves developing questionnaires and
conducting interviews and surveys with the organization’s staff.

 More useful data becomes available from semi-automated and automated data sources, such
as self-assessment tools, certification and accreditation (C&A) databases, incident reporting
and response databases, and other data sources as a security program matures.
 Metrics data collection is fully automated when all data is gathered by using automated data
sources without human involvement or intervention.

6.4 Developing the Metrics Process


At a high level, the steps for establishing a metrics program are:

o Define goals and objectives
o Determine information goals
o Develop metrics models
o Determine metrics reporting format and schedule
o Implement metrics
o Set benchmarks and targets
o Establish a formal review cycle

6.5 Metrics and Reporting


There are a number of challenges often encountered in organizations that are about to implement,
or are already in the process of implementing, an ISMP. Many of these arise from stakeholders'
misconceptions and erroneous expectations regarding metrics (IATAC, 2009); these include:

 Measurement efforts are finite (while in reality a metrics programme is aimed at continual
improvement and long term benefits).

 Data for metrics support is readily accessible and conducive to measurement (in many cases,
depending on the IS management's maturity, size and structure of the organization, et cetera, this
may not be so and changes to the existing data collection and analysis processes may have to be
made, especially toward higher levels of standardization, to make metrics effective and efficient).

 Metrics provide quick returns (this again depends on factors such as maturity of IS management;
expecting business impact metrics from an ISMS that does not have the capability to effectively
provide them is unrealistic, for instance).
 Metrics can be automated easily/rapidly (attempting to automate measures that have not yet
been thoroughly tested and proven to be effective can be ultimately counterproductive).
 Measures should help ensure maximum ROI (while not unreasonable per se, this often receives a
high priority at the expense of the other facets of measurement, which get neglected and, once
again, the capability of IS management to deliver on these expectations is not always fully
considered).

The lack of consensus definitions and vocabulary, and a broadly accepted model for mapping IS
metrics to organizational structure and clearly illustrating how the lower level metrics can roll up into
the higher level ones in a meaningful way can possibly contribute to this problem (although, based on
the information presented in earlier chapters of the report, it can be recognized that efforts are being
made to rectify these issues). Without a good model or methodology for rolling up quantitative
measures, security professionals often struggle to find a compromise between reporting methods that
are too technical for the senior management and ones that impair the utility of a metric due to
oversimplification.

The frequency of reports depends on organizational norms, the volume and gravity of information
available, and management requirements. Regular reporting periods may vary from daily or weekly
to monthly, quarterly, six-monthly or annual. The latter ones are more likely to identify and discuss
trends and strategic issues, and to include status reports on security-relevant development projects,
information security initiatives and so forth; in other words, they provide the context to make sense
of the numbers.

Here are some options for your consideration:

An annual, highly-confidential Information Security Report for the CEO, the Board and other
senior management (including Internal Audit). This report might include commentary on the
success or otherwise of specific security investments. A forward-looking section can help to set
the scene for planned future investments, and is a good opportunity to point out the ever
changing legal and regulatory environment and the corresponding personal liabilities on senior
managers.

Quarterly status reports to the most senior body directly responsible for information security,
physical security, risk and/or governance. Traffic light status reports are common and KPIs may
be required, but the Information Security Manager’s commentary (supplemented or endorsed
by that of the CTO/CIO) is a good value add.

Monthly reports to the CTO/CIO, listing projects participated in and security incidents, along
with their monetary value (the financial impacts do not need to be precisely accurate, they are
used to indicate the scale of losses).


6.6 Designing information security measurement systems
In order to design an information security measurement system one has to ask the following
fundamental questions.

1. What are we going to measure?

This means identifying the right metrics. We shouldn’t implement a measurement process if we don’t intend to
follow it routinely and systematically - we need repeatable and reliable measures. We shouldn’t
capture data that we don’t intend to analyse; that is simply an avoidable cost. And we shouldn’t analyse
data if we don’t intend to make practical use of the results.

2. How will we measure things?

Where will the data come from and where will they be stored? If the source information is not
already captured and available, there will be a need to put in place the processes to gather it. This
in turn raises the issue of who will capture the data. Will it be centralized or will we distribute the
data collection processes? If departments and functions outside central control are reporting, how
far can they be trusted not to manipulate the figures? Will they meet deadlines and formatting
requirements? How much data gathering and reporting can be automated?

3. How will we report?

What do senior management actually want? To get senior management buy-in it is important to
discuss the purpose and outputs with managers and peers. Provide alternative formats initially to
assess their preference. It may be required to report differently from other functions in the
organization, using different presentation formats as well as different content. Managers are likely
to feel more comfortable with conventional management reports, so look at a range of sample
reports to pick out the style cues.

4. How should we implement our reporting system?

When developing metrics, it’s worth testing out the feasibility and effectiveness of the
measurement processes and the usefulness of chosen metrics on a limited scale before rolling them
out across the entire corporation. Pilot studies or trials are useful ways to iron-out any glitches in
the processes for collecting and analysing metrics, and for deciding whether the metrics are truly
indicative of what you are trying to measure.
Even after the initial trial period, continuous feedback on the metrics can help to refine the
measurement system. Changes in both the organization and the information security risks it faces
mean that some metrics are likely to become outdated over time.

5. Setting targets

Measuring and reporting leads to the identification and benchmarking of Key Performance
Indicators (KPIs) and then tracking measures to evaluate performance.
Before publishing the chosen metrics it is important to figure out which ones would truly indicate
making progress towards the organization’s information security goals.


Summary
 Good security metrics are those that are SMART, i.e. specific, measurable, attainable,
repeatable and time-dependent.
 The Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1)
divides security metrics into three categories and links each to levels of security program
maturity, namely –Implementation, Effectiveness/Efficiency & Impact
 Security metrics are also classified into three distinct levels:
o Strategic security metrics, which measure the information security elements of high level
business goals, objectives and strategies
o Security management metrics, which cover the numerous facets of managing information
security risks that could be measured, hence many possible metrics
o Operational security metrics, which sit at the lowest level of analysis, where most information
security controls, systems and processes need to be measured in order to operate and
control them
 Using security metrics involves data acquisition and the latter may be automated or manually
collected.
 The frequency of reports depends on organizational norms, the volume and gravity of
information available, and management requirements. Regular reporting periods may vary
from daily or weekly to monthly, quarterly, six-monthly or annual.
 The following questions should be asked while designing information security measurement
systems
o What are we going to measure?
o How will we measure things?
o How will we report?
o How should we implement our reporting system?
o How to set targets?

Practical activities:

Activity 1:

Work in teams and gather as much information from industry and the internet about
the various information security performance metrics they use in their organisations.
Discuss the various challenges in identifying, monitoring and inferencing performance
through these metrics.

Activity 2:

Develop performance metrics for various aspects of their own academic and non-
academic behaviours and track these over a period of a week. Draw out various
inferences from this monitoring. Present the object of your study, the metric you
chose, and the challenges in implementing these metrics and your process of
inferencing. Debate the inferences and validity of each other’s findings.

Activity 3:

Research the various information security companies offering products and services for
tracking and instituting performance metrics systems in organisations. Compare
services, present features, benefits and limitations of the same.

Check your understanding:


Q: Fill in the blanks with the most appropriate answer:
 Measurements are generated by counting whereas metrics are generated
by__________________.
 ____________________ metrics are usually compliance driven.

Q. State TRUE or FALSE as to which of the following accurately describe some of the misconceptions
regarding metrics.

 Metrics provide single-point-in-time views of specific, discrete factors, while measurements are
derived by comparing to a predetermined baseline of two or more measurements taken over
time. ( )
 Metrics efforts are finite, while in reality a measurement programme is aimed at continual
improvement and long term benefits ( )
 Measurement can be automated easily/rapidly, attempting to automate metrics that have not yet
been thoroughly tested and proven to be effective can be ultimately counterproductive. ( )

Q. Which type of security metrics is used to monitor results of security control implementation for a
single control or across multiple controls?

_______________________________________________________

Q. The reporting/updating of which of the following types of security metrics is carried out monthly
or quarterly:

a) Strategic security metrics
b) Security management metrics
c) Operational security metrics

Q. Which of the following is not a part of Incident Management security metrics?


a) Mean-Time to Incident Discovery
b) Incident Rate
c) Mean-Time to Mitigate Vulnerabilities
d) Mean-Time Between Security Incidents
e) Mean-Time to Recovery

Q. The data capturing process plays a vital role in determining appropriate information security
measurement systems. Give one example in support of this statement.
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________



UNIT VII
Risk Assessment

This Unit covers:

 Lesson Plan
 Resource Material
7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring


LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and
guidelines
PC11. comply with your organization’s policies, standards, procedures and guidelines when contributing
to managing information security

Ensuring Measures:
 QA session and a descriptive write-up on understanding.
 Group presentation and peer evaluation along with Faculty.
 Team work (IM and chat applications) and group activities (online forums) including templates to be
prepared.
 Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
 Creation of templates based on the learnings.

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security

Performance Outcomes:
You must know and understand:
KA6. how to carry out information security assessments
KA13. standard tools and templates available and how to use these
KB4. how to identify and resolve information security vulnerabilities and issues

Ensuring Measures:
 KA6, KA7, KA8. Peer review with faculty with appropriate feedback.
 KA13. Creation of templates based on the learnings.
 KB1 – KB4. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS
etc., and understanding the various methodologies and usage of algorithms.

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with Wi-Fi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Centre for Internet Security


Lesson

7.1 Risk Overview


Risk: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is
caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action.

Risk assessments, whether they pertain to information security or other types of risk, are a means of
providing decision makers with information needed to understand factors that can negatively
influence operations and outcomes and make informed judgments concerning the extent of actions
needed to reduce risk.

As reliance on computer systems and electronic data has grown, information security risk has joined
the array of risks that governments and businesses must manage. Regardless of the types of risk being
considered, all risk assessments generally include the following elements:

 Identifying threats that could harm and, thus, adversely affect critical operations and assets.
Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural
disasters.
 Estimating the likelihood that such threats will materialize based on historical information and
judgment of knowledgeable individuals.
 Identifying and ranking the value, sensitivity, and criticality of the operations and assets that
could be affected should a threat materialize in order to determine which operations and assets are
the most important.
 Estimating, for the most critical and sensitive assets and operations, the potential losses or
damage that could occur if a threat materializes, including recovery costs.
 Identifying cost-effective actions to mitigate or reduce the risk. These actions can include
implementing new organizational policies and procedures as well as technical or physical controls.
 Documenting the results and developing an action plan.

There are various models and methods for assessing risk, and the extent of an analysis and the
resources expended can vary depending on the scope of the assessment and the availability of reliable
data on risk factors. In addition, the availability of data can affect the extent to which risk
assessment results can be reliably quantified.

A quantitative approach generally estimates the monetary cost of risk and risk reduction techniques
based on

(1) the likelihood that a damaging event will occur,

(2) the costs of potential losses, and

(3) the costs of mitigating actions that could be taken.

When reliable data on likelihood and costs are not available, a qualitative approach can be taken by
defining risk in more subjective and general terms such as high, medium, and low. In this regard,
qualitative assessments depend more on the expertise, experience, and judgment of those conducting
the assessment. It is also possible to use a combination of quantitative and qualitative methods.
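As an added illustration (not part of the handbook), the Python sketch below applies the three quantitative inputs listed above to a constructed scenario and shows the qualitative high/medium/low fallback for when reliable figures are missing; the asset value, exposure factor, event rate and control figures are assumed values.

```python
"""Quantitative and qualitative risk estimation, as outlined in 7.1.

Added illustration: the threat, its figures and the control are constructed
for the example and are not taken from the handbook.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of the asset value lost per event (0..1)
    annual_rate: float      # expected events per year, from history and expert judgment


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # cost of implementing and operating the control, per year
    rate_reduction: float       # fraction by which the control reduces the likelihood (0..1)
    severity_reduction: float   # fraction by which it reduces the loss per event (0..1)


def single_loss_expectancy(threat: Threat) -> float:
    """Loss from one occurrence of the damaging event (input 2: cost of potential loss)."""
    return threat.asset_value * threat.exposure_factor


def annual_loss_expectancy(threat: Threat) -> float:
    """Expected yearly loss = loss per event x events per year (inputs 1 and 2)."""
    return single_loss_expectancy(threat) * threat.annual_rate


def residual_threat(threat: Threat, control: Control) -> Threat:
    """The threat as it stands after the control: lower likelihood and/or lower severity.
    The risk that remains is what 7.4 calls residual risk."""
    return replace(
        threat,
        exposure_factor=threat.exposure_factor * (1.0 - control.severity_reduction),
        annual_rate=threat.annual_rate * (1.0 - control.rate_reduction),
    )


def net_benefit(threat: Threat, control: Control) -> float:
    """Yearly loss avoided minus the control's yearly cost (input 3).
    A positive value means the control is cost-effective for this threat."""
    avoided = annual_loss_expectancy(threat) - annual_loss_expectancy(residual_threat(threat, control))
    return avoided - control.annual_cost


# Qualitative fallback when likelihood and cost figures are not reliable enough to quantify.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Combine subjective likelihood and impact ratings into a single risk rating."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


if __name__ == "__main__":
    # Constructed scenario: ransomware against a file server (all values are assumptions).
    ransomware = Threat("ransomware on file server", asset_value=500_000,
                        exposure_factor=0.4, annual_rate=0.5)
    backups = Control("offline backups and endpoint protection", annual_cost=30_000,
                      rate_reduction=0.5, severity_reduction=0.75)
    print(f"ALE before control: {annual_loss_expectancy(ransomware):,.0f}")
    print(f"ALE after control:  {annual_loss_expectancy(residual_threat(ransomware, backups)):,.0f}")
    print(f"net yearly benefit: {net_benefit(ransomware, backups):,.0f}")
    print("qualitative rating (high likelihood, medium impact):", qualitative_risk("high", "medium"))
```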


7.2 Risk Identification


Risk identification is the process of determining risks that could potentially prevent the program,
enterprise, or investment from achieving its objectives. It includes documenting and communicating
the concern. The objective of risk identification is the early and continuous identification of events
that, if they occur, will have negative impacts on the project's ability to achieve performance or
capability outcome goals. They may come from within the project or from external sources.

There are multiple types of risk assessments, including program risk assessments, risk assessments to
support an investment decision, analysis of alternatives, and assessments of operational or cost
uncertainty. Risk identification needs to match the type of assessment required to support risk-
informed decision making. For an acquisition program, the first step is to identify the program goals
and objectives, thus fostering a common understanding across the team of what is needed for
program success. This gives context and bounds the scope by which risks are identified and assessed.

There are multiple sources of risk. For risk identification, the project team should review the program
scope, cost estimates, schedule (to include evaluation of the critical path), technical maturity, key
performance parameters, performance challenges, stakeholder expectations vs. current plan, external
and internal dependencies, implementation challenges, integration, interoperability, supportability,
supply-chain vulnerabilities, ability to handle threats, cost deviations, test event expectations, safety,
security, and more. In addition, historical data from similar projects, stakeholder interviews, and risk
lists provide valuable insight into areas for consideration of risk.

Risk identification is an iterative process. As the program progresses, more information will be gained
about the program (e.g., specific design), and the risk statement will be adjusted to reflect the current
understanding. New risks will be identified as the project progresses through the life cycle.


7.3 Risk Analysis


The next step in the risk assessment program, Risk Analysis, requires an entity to conduct an accurate
and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity,
and availability of electronic protected information held by the entity. In other words, risk analysis,
which is a tool for risk management, is a method of identifying vulnerabilities and threats and
assessing the possible damage in order to determine where to implement security safeguards.

Risk analysis steps:


 Identify the scope of the analysis.

 Gather data.

 Identify and document potential threats and vulnerabilities.

 Assess current security measures.

 Determine the likelihood of threat occurrence.

 Determine the potential impact of threat occurrence.

 Determine the level of risk.

 Identify security measures and finalize documentation.

A risk analysis has four main goals:


 Identify assets and their values
 Identify vulnerabilities and threats
 Quantify the probability and business impact of these potential threats
 Provide an economic balance between the impact of the threat and the cost of the
countermeasure

Risk Evaluation

The risk evaluation process receives as input the output of the risk analysis process. It compares each
risk level against the risk acceptance criteria and prioritises the risk list with risk treatment
indications.


7.4 Risk Treatment


Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate
administrative, technical and physical controls. Control includes:

 applying appropriate controls to avoid, eliminate or reduce risks;
 transferring some risks to third parties as appropriate (e.g., by insurance);
 knowingly and objectively accepting some risks; and
 documenting the risk treatment choices made, and the reasons for them.

Risk treatments should take account of:

 legal-regulatory and private certificatory requirements;
 organizational objectives, operational requirements and constraints; and
 costs of implementation and operation relative to risks being reduced.

Risk treatment strategies include:

 Risk reduction

Taking the mitigation steps necessary to reduce the overall risk to an asset. Often this will
include selecting countermeasures that will either reduce the likelihood of occurrence or
reduce the severity of loss, or achieve both objectives at the same time. Countermeasures can
include technical or operational controls or changes to the physical environment. For example,
the risk of computer viruses can be mitigated by acquiring and implementing antivirus software.
When evaluating the strength of a control, consideration should be given to whether the
controls are preventative or detective. The remaining level of risk after the
controls/countermeasures have been applied is often referred to as “residual risk.” An
organization may choose to undergo a further cycle of risk treatment to address this.

 Risk sharing/transference

The organization shares its risk with third parties through insurance and/or service providers.
Insurance is a post-event compensatory mechanism used to reduce the burden of loss if the
event were to occur. Transference is the shifting of risk from one party to another. For example,
when hard-copy documents are moved offsite for storage at a secure-storage vendor location,
the responsibility and costs associated with protecting the data transfers to the service
provider. The cost of storage may include compensation (insurance) if documents are damaged,
lost, or stolen.

 Risk avoidance

The practice of eliminating the risk by withdrawing from or not becoming involved in the activity
that allows the risk to be realized. For example, an organization decides to discontinue a
business process in order to avoid a situation that exposes the organization to risk.

 Risk acceptance

An organization decides to accept a particular risk because it falls within its risk-tolerance
parameters and therefore agrees to accept the cost when it occurs. Risk acceptance is a viable
strategy where the cost of insuring against the risk would be greater over time than the total
losses sustained. All risks that are not avoided or transferred are accepted by default.
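The evaluation step of 7.3 (comparing each risk level against the acceptance criteria and prioritising the list with treatment indications) and the four treatment strategies above, worked through on a constructed risk register. This is an added example, not handbook material; the 1-5 scales, the acceptance threshold and the order in which treatments are preferred are assumptions chosen for the illustration.

```python
"""Risk evaluation and treatment indication, as outlined in 7.3 and 7.4.

Added illustration, not handbook code: the scales, the acceptance criterion,
the decision rule and the register entries are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed acceptance criterion: a risk level (likelihood x impact, each 1..5)
# at or below this value falls within the organization's risk tolerance.
ACCEPTANCE_LEVEL = 6


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (negligible) .. 5 (severe)
    essential: bool = True         # False if the activity behind the risk can be dropped (avoidance)
    transferable: bool = False     # True if insurable or contractable to a provider (sharing/transfer)
    control: Optional[str] = None  # candidate countermeasure, if any (reduction)
    residual_likelihood: Optional[int] = None  # likelihood expected after the control
    residual_impact: Optional[int] = None      # impact expected after the control

    def level(self) -> int:
        return self.likelihood * self.impact

    def residual_level(self) -> int:
        """Level after applying the candidate control (unchanged if there is none)."""
        if self.control is None:
            return self.level()
        lik = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        imp = self.residual_impact if self.residual_impact is not None else self.impact
        return lik * imp


def treatment_for(risk: Risk, acceptance_level: int = ACCEPTANCE_LEVEL) -> str:
    """Compare the risk level with the acceptance criterion and indicate a treatment.

    Decision rule (an assumption for this example): accept what is within tolerance;
    otherwise prefer a control that brings the residual risk within tolerance, then
    sharing/transfer, then avoidance. Whatever is left is accepted by default, as 7.4
    states, and flagged for a further treatment cycle.
    """
    if risk.level() <= acceptance_level:
        return "accept"
    if risk.control is not None and risk.residual_level() <= acceptance_level:
        return f"reduce ({risk.control})"
    if risk.transferable:
        return "share/transfer"
    if not risk.essential:
        return "avoid"
    return "accept by default (above tolerance; revisit)"


def evaluate_register(register: list, acceptance_level: int = ACCEPTANCE_LEVEL) -> list:
    """Prioritised risk list: highest level first, each with its treatment indication."""
    ordered = sorted(register, key=lambda r: (-r.level(), r.risk_id))
    return [(r.risk_id, r.level(), r.residual_level(), treatment_for(r, acceptance_level))
            for r in ordered]


# Constructed register entries (assumed values, not from the handbook).
SAMPLE_REGISTER = [
    Risk("R1", "phishing leads to credential theft", 4, 4,
         control="awareness training and multi-factor authentication",
         residual_likelihood=2, residual_impact=3),
    Risk("R2", "fire in the data centre", 1, 5),
    Risk("R3", "loss of hard-copy archives stored offsite", 3, 4, transferable=True),
    Risk("R4", "legacy file-transfer service that is no longer needed", 4, 3, essential=False),
    Risk("R5", "compromise of a critical supplier", 3, 3),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(row)
```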

7.5 Risk Management Feedback Loops

Risk management is a comprehensive process that requires organizations to:

 frame risk (i.e., establish the context for risk-based decisions);
 assess risk;
 respond to risk once determined; and
 monitor risk on an ongoing basis using effective organizational communications and a
feedback loop for continuous improvement in the risk-related activities of
organizations.

Risk management is carried out as a holistic, organization wide activity that addresses risk from the
strategic level to the tactical level, ensuring that risk based decision making is integrated into every
aspect of the organization. The following sections briefly describe each of the four risk management
components. The first component of risk management addresses how organizations frame risk or
establish a risk context—that is, describing the environment in which risk-based decisions are made.
The purpose of the risk framing component is to produce a risk management strategy that addresses
how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and
transparent the risk perceptions that organizations routinely use in making both investment and
operational decisions. The risk frame establishes a foundation for managing risk and delineates the
boundaries for risk-based decisions within organizations.

Establishing a realistic and credible risk frame requires that organizations identify:

 risk assumptions (e.g., assumptions about the threats, vulnerabilities, consequences/impact,
and likelihood of occurrence that affect how risk is assessed, responded to, and monitored
over time);
 risk constraints (e.g., constraints on the risk assessment, response, and monitoring
alternatives under consideration);
 risk tolerance (e.g., levels of risk, types of risk, and degree of risk uncertainty that are
acceptable); and
 priorities and trade-offs (e.g., the relative importance of missions/business functions, trade-
offs among different types of risk that organizations face, time frames in which organizations
must address risk, and any factors of uncertainty that organizations consider in risk
responses).


The risk framing component and the associated risk management strategy also include any strategic-
level decisions on how risk to organizational operations and assets, individuals, other organizations,
and the Nation, is to be managed by senior leaders/executives.

The second component of risk management addresses how organizations assess risk within the
context of the organizational risk frame. The purpose of the risk assessment component is to identify:

 threats to organizations (i.e., operations, assets, or individuals) or threats directed through
organizations against other organizations or the Nation;
 vulnerabilities internal and external to organizations;
 the harm (i.e., consequences/impact) to organizations that may occur given the potential for
threats exploiting vulnerabilities; and
 the likelihood that harm will occur.

The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring).

To support the risk assessment component, organizations identify:

 the tools, techniques, and methodologies that are used to assess risk;
 the assumptions related to risk assessments;
 the constraints that may affect risk assessments;
 roles and responsibilities;
 how risk assessment information is collected, processed, and communicated throughout
organizations;
 how risk assessments are conducted within organizations;
 the frequency of risk assessments; and
 how threat information is obtained (i.e., sources and methods).

The third component of risk management addresses how organizations respond to risk once that risk
is determined based on the results of risk assessments.

The purpose of the risk response component is to provide a consistent, organization-wide response
to risk in accordance with the organizational risk frame by:

 developing alternative courses of action for responding to risk;
 evaluating the alternative courses of action;
 determining appropriate courses of action consistent with organizational risk tolerance; and
 implementing risk responses based on selected courses of action.

To support the risk response component, organizations describe the types of risk responses that can
be implemented (i.e., accepting, avoiding, mitigating, sharing, or transferring risk).

Organizations also identify the tools, techniques, and methodologies used to develop courses of action
for responding to risk, how courses of action are evaluated, and how risk responses are communicated
across organizations and as appropriate, to external entities (e.g., external service providers, supply
chain partners).

The fourth component of risk management addresses how organizations monitor risk over time. The
purpose of the risk monitoring component is to:


 verify that planned risk response measures are implemented and information security
requirements derived from/traceable to organizational mission/business functions, federal
legislation, directives, regulations, policies, and standards, and guidelines, are satisfied;
 determine the ongoing effectiveness of risk response measures following implementation;
and
 identify risk-impacting changes to organizational information systems and the environments
in which the systems operate.

To support the risk monitoring component, organizations describe how compliance is verified and how
the ongoing effectiveness of risk responses is determined (e.g., the types of tools, techniques, and
methodologies used to determine the sufficiency/correctness of risk responses and if risk mitigation
measures are implemented correctly, operating as intended, and producing the desired effect with
regard to reducing risk). In addition, organizations describe how changes that may impact the ongoing
effectiveness of risk responses are monitored.

7.6 Risk Monitoring

Risk monitoring provides organizations with the means to:

 verify compliance;
 determine the ongoing effectiveness of risk response measures; and
 identify risk-impacting changes to organizational information systems and environments of
operation.

Analysing monitoring results gives organizations the capability to maintain awareness of the risk being
incurred, highlight the need to revisit other steps in the risk management process, and initiate process
improvement activities as needed.

Organizations employ risk monitoring tools, techniques, and procedures to increase risk awareness,
helping senior leaders/executives develop a better understanding of the ongoing risk to organizational
operations and assets, individuals, other organizations, and the Nation. Organizations can implement
risk monitoring at any of the risk management tiers with different objectives and utility of information
produced. For example, Tier 1 monitoring activities might include ongoing threat assessments and
how changes in the threat space may affect Tier 2 and Tier 3 activities, including enterprise
architectures (with embedded information security architectures) and organizational information
systems. Tier 2 monitoring activities might include, for example, analyses of new or current
technologies either in use or considered for future use by organizations to identify exploitable
weaknesses and/or deficiencies in those technologies that may affect mission/business success. Tier
3 monitoring activities focus on information systems and might include, for example, automated
monitoring of standard configuration settings for information technology products, vulnerability
scanning, and ongoing assessments of security controls. In addition to deciding on appropriate
monitoring activities across the risk management tiers, organizations also decide how monitoring is
to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities
based on, for example, the frequency with which deployed security controls change, critical items on
plans of action and milestones, and risk tolerance.

Summary
 Definition of Risk: A probability or threat of damage, injury, liability, loss, or any other negative
occurrence that is caused by external or internal vulnerabilities, and that may be avoided
through pre-emptive action.
 A quantitative approach generally estimates the monetary cost of risk and risk reduction
techniques based on
o the likelihood that a damaging event will occur,
o the costs of potential losses, and
o the costs of mitigating actions that could be taken.
 Risk identification is an iterative process.
 Risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and
threats, and assessing the possible damage to determine where to implement security
safeguards.
 The risk evaluation process receives as input the output of risk analysis process.
 Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate
administrative, technical and physical controls.
 Risk management is carried out as a holistic, organization wide activity that addresses risk from
the strategic level to the tactical level, ensuring that risk based decision making is integrated
into every aspect of the organization.
 Analysing monitoring results gives organizations the capability to maintain awareness of the
risk being incurred, highlight the need to revisit other steps in the risk management process,
and initiate process improvement activities as needed.

Practical activities:

Activity 1:

Research the various information security risks faced by your institute. Prepare a process report
highlighting your approach towards identifying, recording, monitoring, analysing and treating risk.
The approach should be shared with the faculty and the report submitted for evaluation.


Check your understanding:


Q. State TRUE or FALSE

 Risk identification and risk assessment are correlated in function. ( )
 Implementation of risk monitoring at different risk management tiers with different objectives
within an organization increases risk awareness and capability. ( )

Q. Analyse and state the differences between risk analysis and risk evaluation in two lines.


Q. Suggest one of the appropriate measures that can curb the problem of ‘residual risk.’


Q. In what ways do service/insurance providers facilitate risk sharing/transference?


Q. Complete the following requirements that an organization needs to identify in order to build a
realistic and credible risk frame

a) risk constraints
b) ________________
c) risk tolerance
d) ________________


NOTES:

UNIT VIII
Configuration review

This Unit covers:

 Lesson Plan
8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores


LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC4. carry out configuration reviews of information security systems using automated tools, where
required

Ensuring Measures:
 Performance evaluation from Faculty and Industry with reward points.
 QA session and a descriptive write-up on understanding.

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with Wi-Fi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Access to all security sites like ISO, PCI DSS
 Commercial tools like HP WebInspect and IBM AppScan etc.
 Open source tools like sqlmap, Nessus etc.

Performance Outcomes:
You must know and understand:
KA6. how to carry out information security assessments
KA7. how to carry out configuration reviews
KA9. different types of automation tools and how to use these

Ensuring Measures:
 KA6, KA7. Performance evaluation from Faculty and Industry with reward points.
 KA9. QA session and a descriptive write-up on understanding.

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with Wi-Fi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Centre for Internet Security


Lesson

8.1 Configuration Management


An information system is typically in a constant state of change in response to new, enhanced,
corrected, or updated hardware and software capabilities, patches for correcting software flaws and
other errors to existing components, new security threats, changing business functions, etc.
Implementing information system changes almost always results in some adjustment to the system
configuration. To ensure that the required adjustments to the system configuration do not adversely
affect the security of the information system or the organization from operation of the information
system, a well-defined configuration management process that integrates information security is
needed.

Organizations apply configuration management (CM) for establishing baselines and for tracking,
controlling, and managing many aspects of business development and operation (e.g., products,
services, manufacturing, business processes, and information technology). Organizations with a
robust and effective CM process need to consider information security implications with respect to
the development and operation of information systems including hardware, software, applications,
and documentation. Effective CM of information systems requires the integration of the management
of secure configurations into the organizational CM process or processes. For this reason, this
document assumes that information security is an integral part of an organization’s overall CM
process; however, the focus of this document is on implementation of the information system security
aspects of CM, and as such the term security-focused configuration management (SecCM) is used to
emphasize the concentration on information security. Though both IT business application functions
and security-focused practices are expected to be integrated as a single process, SecCM in this context
is defined as the management and control of configurations for information systems to enable security
and facilitate the management of information security risk.
Configuration Management (CM) comprises a collection of activities focused on establishing and
maintaining the integrity of products and systems, through control of the processes for initializing,
changing, and monitoring the configurations of those products and systems.
A Configuration Item (CI) is an identifiable part of a system (e.g., hardware, software, firmware,
documentation, or a combination thereof) that is a discrete target of configuration control processes.
A Baseline Configuration is a set of specifications for a system, or CI within a system, that has been
formally reviewed and agreed on at a given point in time, and which can be changed only through
change control procedures. The baseline configuration is used as a basis for future builds, releases,
and/or changes.
The basic parts of a CM Plan include:
Configuration Control Board (CCB) – Establishment of and charter for a group of qualified people with
responsibility for the process of controlling and approving changes throughout the development and
operational lifecycle of products and systems; may also be referred to as a change control board;
Configuration Item Identification – methodology for selecting and naming configuration items that
need to be placed under CM;
Configuration Change Control – process for managing updates to the baseline configurations for the
configuration items; and


Configuration Monitoring – process for assessing or testing the level of compliance with the
established baseline configuration and mechanisms for reporting on the configuration status of items
placed under CM.
Security-Focused Configuration Management (SecCM) is the management and control of secure
configurations for an information system to enable security and facilitate the management of risk.
SecCM builds on the general concepts, processes, and activities of configuration management by
focusing attention on the implementation and maintenance of the established security requirements of
the organization and its information systems.
Information security configuration management requirements are integrated into (or complement)
existing organizational configuration management processes (e.g., business functions, applications,
products) and information systems. SecCM activities include:
 identification and recording of configurations that impact the security posture of the
information system and the organization;
 the consideration of security risks in approving the initial configuration;
 the analysis of security implications of changes to the information system configuration; and
 documentation of the approved/implemented changes.
SecCM requires an ongoing investment in time and resources. Product patches, fixes, and updates
require time for security impact analysis even as threats and vulnerabilities continue to exist. As
changes to information systems are made, baseline configurations are updated, specific configuration
settings confirmed, and configuration items tracked, verified, and reported. SecCM is a continuous
activity that, once incorporated into IT management processes, touches all stages of the system
development life cycle (SDLC).
In the context of SecCM of information systems, a configuration item (CI) is an aggregation of
information system components that is designated for configuration management and treated as a
single entity throughout the SecCM process. This implies that the CI is identified, labelled, and tracked
during its life cycle – the CI is the target of many of the activities within SecCM, such as configuration
change control and monitoring activities. A CI may be a specific information system component (e.g.,
server, workstation, router, application), a group of information system components (e.g., group of
servers with like operating systems, group of network components such as routers and switches, an
application or suite of applications), a non-component object (e.g., firmware, documentation), or an
information system as a whole. CIs give organizations a way to decompose the information system
into manageable parts whose configurations can be actively managed.
The purpose of breaking up an information system into CIs is to allow more granularity and control in
managing the secure configuration of the system. The level of granularity will vary among
organizations and systems and is balanced against the associated management overhead for each CI.
In one organization, it may be appropriate to create a single CI to track all of the laptops within a
system, while in another organization, each laptop may represent an individual CI.
Baseline configuration
A baseline configuration is a set of specifications for a system, or Configuration Item (CI) within a
system, that has been formally reviewed and agreed on at a given point in time, and which can be
changed only through change control procedures. The baseline configuration is used as a basis for
future builds, releases, and/or changes.
Security-focused configuration management of information systems involves a set of activities that
can be organized into four major phases – Planning, Identifying and Implementing Configurations,
Controlling Configuration Changes, and Monitoring.


Planning - Planning includes developing policy and procedures to incorporate SecCM into existing
information technology and security programs, and then disseminating the policy throughout the
organization.
Identifying and implementing configurations - After the planning and preparation activities are
completed, a secure baseline configuration for the information system is developed, reviewed,
approved, and implemented. The approved baseline configuration for an information system and
associated components represents the most secure state consistent with operational requirements
and constraints. For a typical information system, the secure baseline may address configuration
settings, software loads, patch levels, how the information system is physically or logically arranged,
how various security controls are implemented, and documentation. Where possible, automation is
used to enable interoperability of tools and uniformity of baseline configurations across the
information system.
Controlling configuration changes - Given the continually evolving nature of an information system
and the mission it supports, the challenge for organizations is not only to establish an initial baseline
configuration that represents a secure state (which is also cost-effective, functional, and supportive
of mission and business processes), but also to maintain a secure configuration in the face of the
significant waves of change that ripple through organizations.
Monitoring
Monitoring activities are used as the mechanism within SecCM to validate that the information system
is adhering to organizational policies, procedures, and the approved secure baseline configuration.
Monitoring identifies undiscovered/undocumented system components, misconfigurations,
vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose organizations to
increased risk. Using automated tools helps organizations to efficiently identify when the information
system is not consistent with the approved baseline configuration and when remediation actions are
necessary. In addition, the use of automated tools often facilitates situational awareness and the
documentation of deviations from the baseline configuration.


8.2 Organizational SecCM Policy


The organization is typically responsible for defining documented policies for the SecCM program. The
SecCM program manager develops, disseminates, and periodically reviews and updates the SecCM
policies for the organization. The policies are included as a part of the overall organization-wide
security policy.
The SecCM policy normally includes the following:
1. Purpose – the objective(s) in establishing organization-wide SecCM policy;

2. Scope – the extent of the enterprise architecture to which the policy applies;

3. Roles – the roles that are significant within the context of the policy;

4. Responsibilities – the responsibilities of each identified role;

5. Activities – the functions that are performed to meet policy objectives;

6. Common secure configurations – government (e.g., U.S. federal) and/or organization-wide
standardized benchmarks for configuration settings, along with how to address deviations; and

7. Records – the records of configuration management activities to be maintained; the
information to be included in each type of record; who is responsible for writing/keeping the
records; and procedures for protecting, accessing, auditing, and ultimately deleting such
records.

SecCM policy may also address the following topics:


 SecCM training requirements;
 Use of SecCM templates;
 Use of automated tools;
 Prohibited configuration settings; and
 Requirements for inventory of information systems and components.
SecCM Training
SecCM is a fundamental part of an organizational security program, but often requires a change in
organizational culture. Staff are provided training to ensure their understanding of SecCM policies and
procedures. Training also provides a venue for management to communicate the reasons why SecCM
is important. SecCM training material is developed covering organizational policies, procedures, tools,
artefacts, and monitoring requirements. The training may be mandatory or optional as appropriate
and is targeted to relevant staff (e.g., system administrators, system/software developers, system
security officers, system owners, etc.) as necessary to ensure that staff have the skills to manage the
baseline configurations in accordance with organizational policy.


8.3 Identify SecCM Tools


Managing the myriad configurations found within information system components has become an
almost impossible task using manual methods like spreadsheets. When possible, organizations look
for automated solutions which, in the long run, can lower costs, enhance efficiency, and improve the
reliability of SecCM efforts.
In most cases, tools to support the activities of the second, third, and fourth SecCM phases (identifying
and implementing configurations, controlling configuration changes, and monitoring) are selected for
use across the organization by SecCM program management, and information system owners are
responsible for applying the tools to the SecCM activities performed on each information system.
Similarly, tools and mechanisms for inventory reporting and management may be provided to
information system owners by the organization. Where government (e.g., U.S. federal) or
organizational policy requires it, automated tools are Security Content Automation Protocol
(SCAP)-validated to the extent that such tools are available.
There are a wide variety of configuration management tools available to support an organization’s
SecCM program. At a minimum, the organization considers tools that can automatically assess
configuration settings of IS components. Automated tools should be able to scan different information
system components (e.g., Web server, database server, network devices, etc.) running different
operating systems, identify the current configuration settings, and indicate where they are
noncompliant with policy. Such tools import settings from one or more common secure configurations
and then allow for tailoring the configurations to the organization’s security and mission/functional
requirements.
Tools that implement and/or assess configuration settings are evaluated against requirements such
as:
• Ability to pull information from a variety of sources (different types of components, operating
systems, platforms, etc.);
• Use of standardized specifications such as XML and SCAP;
• Integration with other products such as help desk, inventory management, and incident
response solutions;
• Vendor-provided support (patches, updated vulnerability signatures, etc.);
• Compliance with applicable laws, executive orders, directives, policies, regulations, standards,
and guidelines, and the ability to link vulnerabilities to NIST SP 800-53 controls;
• Standardized reporting capability (e.g., SCAP, XML), including the ability to tailor output and
drill down;
• Data consolidation into Security Information and Event Management (SIEM) tools and
dashboard products.
Organizations may consider implementation of an all-in-one solution for configuration management.
For example, various configuration management functions are included in products for managing IT
servers, workstations, desktops, and services provided by applications. These products may include
functions such as:
o Inventory/discovery of IS components;
o Software distribution;
o Patch management;
o Operating system deployment;
o Policy management;
o Migration to new baseline configuration; and
o Backup/recovery.


8.4 Implementing secure configurations

Implementing secure configurations for IT products is no simple task. There are many IT products, and
each has a myriad of possible parameters that can be configured. In addition, organizations have
mission and business process needs which may require that IT products be configured in a particular
manner. To further complicate matters, for some products, the configuration settings of the
underlying platform may need to be modified to allow for the functionality required for mission
accomplishment such that they deviate from the approved common secure configurations.

Using the secure configuration previously established as a starting point, the following
structured approach is recommended when implementing the secure configuration:
1) Prioritize Configurations
2) Test Configurations
3) Resolve Issues and Document Deviations
4) Record and Approve the Baseline Configuration
5) Deploy the Baseline Configuration

i. Prioritize Configurations
In the ideal environment, all IT products within an organization would be configured to the most
secure state that still provided the functionality required by the organization. However, due to limited
resources and other constraints, many organizations may find it necessary to prioritize which
information systems, IT products, or CIs to target first for secure configuration as they implement
SecCM.
In determining the priorities for implementing secure configurations in information systems, IT
products, or CIs, organizations consider the following criteria:
• System impact level – Implementing secure configurations in information systems with a high or
moderate security impact level may have priority over information systems with a low security
impact level.
• Risk assessments – Risk assessments can be used to target information systems, IT products, or
CIs having the most impact on security and organizational risk.
• Vulnerability scanning – Vulnerability scans can be used to target information systems, IT
products, or CIs that are most vulnerable. For example, the Common Vulnerability Scoring System
(CVSS) is one of the component specifications of SCAP; it provides an open framework for
communicating the characteristics of software flaw vulnerabilities and for calculating their relative
severity. CVSS scores can be used to help prioritize configuration and patching activities.
• Degree of penetration – The degree of penetration represents the extent to which the same
product is deployed within an information technology environment. For example, if an
organization uses a specific operating system on 95 percent of its workstations, it may obtain the
most immediate value by planning and deploying secure configurations for that operating system.
Other IT products or CIs can be targeted afterwards.
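The four criteria above can be combined into a repeatable ranking. The following Python script is an added example and is not part of the handbook or of the NIST guidance it draws on; the inventory, scan findings, risk ratings and the equal-range weighting are constructed assumptions. It ranks products rather than individual CIs because one secure configuration for a widely deployed product covers many CIs at once, which is the degree-of-penetration argument made in the text.

```python
"""Added example (not part of the handbook): rank products for secure-configuration
rollout by system impact level, risk assessment, vulnerability scanning (CVSS) and
degree of penetration. All data and weights below are constructed assumptions."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed inventory: CI -> (product, impact level of the hosting system).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "ws-001": ("Windows 7", "moderate"),
    "ws-002": ("Windows 7", "moderate"),
    "ws-003": ("Windows 7", "low"),
    "ws-004": ("Windows 7", "low"),
    "web-01": ("Apache httpd 2.4", "high"),
    "rtr-01": ("Cisco IOS", "high"),
    "legacy-01": ("AIX 6.1", "low"),
}

# Constructed vulnerability-scan output: CI -> [(finding id, CVSS base score)].
SCAN: Dict[str, List[Tuple[str, float]]] = {
    "ws-001": [("VULN-A", 7.5), ("VULN-B", 4.3)],
    "ws-002": [("VULN-A", 7.5)],
    "web-01": [("VULN-C", 9.8)],
    "legacy-01": [("VULN-D", 6.1)],
}

# Constructed risk-assessment rating per CI (1 = low .. 3 = high); unrated CIs count as 1.
RISK: Dict[str, int] = {"web-01": 3, "rtr-01": 3, "legacy-01": 2}

IMPACT_WEIGHT = {"low": 1, "moderate": 2, "high": 3}


def product_score(product: str) -> float:
    """Combine the four criteria for one product into a single score.

    Each term is scaled to the range 0..3 so that no single criterion dominates.
    This equal weighting is an assumption; organizations tune it to their risk appetite.
    """
    cis = [ci for ci, (p, _) in INVENTORY.items() if p == product]
    impact = max(IMPACT_WEIGHT[INVENTORY[ci][1]] for ci in cis)            # system impact level
    risk = max(RISK.get(ci, 1) for ci in cis)                               # risk assessment
    max_cvss = max((s for ci in cis for _, s in SCAN.get(ci, [])), default=0.0)
    vuln = max_cvss / 10.0 * 3                                              # vulnerability scanning
    penetration = len(cis) / len(INVENTORY) * 3                             # degree of penetration
    return round(impact + risk + vuln + penetration, 2)


def rank_products() -> List[Tuple[str, float]]:
    """Products in descending priority; ties broken by name so reports are stable."""
    fleet = Counter(p for p, _ in INVENTORY.values())
    scored = [(p, product_score(p)) for p in fleet]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for product, score in rank_products():
        print(f"{score:5.2f}  {product}")
```

With these inputs the single high-impact web server ranks first because every criterion points at it, and the workstation operating system ranks second on penetration alone even though no individual workstation is high-impact; that is the trade-off the text describes. In practice the scan term would come from the organization's SCAP-validated scanner rather than hand-entered scores.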
ii. Test Configurations
Organizations fully test secure configurations prior to implementation in the production environment.
There are a number of issues that may be encountered when implementing configurations including
software compatibility and hardware device driver issues. For example, there may be legacy
applications with special operating requirements that do not function correctly after a common secure
configuration has been applied. Additionally, configuration errors could occur if OS and multiple
application configurations are applied to the same component. For example, a setting for an
application configuration parameter may conflict with a similar setting for an OS configuration
parameter.
Virtual environments are recommended for testing secure configurations as they allow organizations
to examine the functional impact on applications without having to configure actual machines.
iii. Resolve Issues and Document Deviations
Testing secure configuration implementations may introduce functional problems within the system
or applications. For example, the new secure configuration may close a port or stop a service that is
needed for OS or application functionality. These problems are examined individually and either
resolved or documented as a deviation from, or exception to, the established common secure
configurations.
In some cases, changing one configuration setting may require changes to another setting, another CI,
or another information system. For instance, a common secure configuration may specify
strengthened password requirements which may require a change to existing single sign-on
applications. Or there may be a requirement that the OS-provided firewall be enabled by default. To
ensure that applications function as expected, the firewall policy may need to be revised to allow
specific ports, services, IP addresses, etc. When conflicts between applications and secure
configurations cannot be resolved, deviations are documented and approved through the
configuration change control process as appropriate.
iv. Record and Approve the Baseline Configuration
The established and tested secure configuration, including any necessary deviations, represents the
preliminary baseline configuration and is recorded in order to support configuration change
control/security impact analysis, incident resolution, problem solving, and monitoring activities. Once
recorded, the preliminary baseline configuration is approved in accordance with organizationally
defined policy. Once approved, the preliminary baseline configuration becomes the initial baseline
configuration for the information system and its constituent CIs.
The baseline configuration of an information system includes the sum total of the secure
configurations of its constituent CIs and represents the system-specific configuration against which all
changes are controlled.
The baseline configuration may include, as applicable, information regarding the system architecture,
the interconnection of hardware components, secure configuration settings of software components,
the software load, supporting documentation, and the elements in a release package. There could be
a different baseline configuration for each life cycle stage (development, test, staging, production) of
the information system.
When possible, organizations employ automated tools to support the management of baseline
configurations and to keep the configuration information as up to date and near real time as possible.
There are a number of solutions which maintain baseline configurations for a wide variety of hardware
and software products. Some comprehensive SecCM solutions integrate the maintenance of baseline
configurations with component inventory and monitoring tools.
v. Deploy the Baseline Configuration
Organizations are encouraged to implement baseline configurations in a centralized and automated
manner using automated configuration management tools, automated scripts, vendor-provided
mechanisms, etc.


SecCM monitoring is accomplished through assessment and reporting activities. For organizations
with a large number of components, the only practical and effective solution for SecCM monitoring
activities is the use of automated solutions that use standardized reporting methods such as SCAP.
An information system may have many components and many baseline configurations. To manually
collect information on the configuration of all components and assess them against policy and
approved baseline configurations is not practical, or even possible, in most cases. Automated tools
can also facilitate reporting for Security Information and Event Management applications that can be
accessed by management and/or formatted into other reports on baseline configuration status. Care
is exercised in collecting and analysing the results generated by automated tools to account for any
false positives.
SecCM monitoring may be supported by numerous means, including, but not limited to:
• Scanning to discover components not recorded in the inventory. For example, after testing of a
new firewall, a technician forgets to remove it from the network. If it is not properly configured,
it may provide access to the network for intruders. A scan would identify this network device as
not a part of the inventory, enabling the organization to take action.
• Scanning to identify disparities between the approved baseline configuration and the actual
configuration for an information system.

Example I. A technician rolls out a new patch but forgets to update the baseline configurations of the
information systems impacted by the new patch. A scan would identify a difference between the
actual environment and the description in the baseline configuration enabling the organization to take
action.

Example II. A new tool is installed on the workstations of a few end users of the information system.
During installation, the tool changes a number of configuration settings in the browser on the users’
workstations, exposing them to attack. A scan would identify the change in the workstation
configuration, allowing the appropriate individuals to take action.
• Implementation of automated change monitoring tools (e.g., change/configuration management
tools, application whitelisting tools). Unauthorized changes to information systems may be an
indication that the systems are under attack or that SecCM procedures are not being followed or need
updating. Automated tools are available that monitor information systems for changes and alert
system staff if unauthorized changes occur or are attempted.
• Querying audit records/log monitoring to identify unauthorized change events.
• Running system integrity checks to verify that baseline configurations have not been changed.
• Reviewing configuration change control records (including system impact analyses) to verify
conformance with SecCM policy and procedures.
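The inventory scan, the two baseline-disparity examples and the audit-record check above can be run as one comparison. The following Python script is an added example, not code from the handbook or from any configuration management product; the baseline, the scan output and the change tickets are constructed, and the setting names (patch_level, sshd.PermitRootLogin, browser.protected_mode) are illustrative labels rather than any product's real keys. It classifies every difference between baseline and observed state by asking whether an approved change record explains it.

```python
"""Added example (not part of the handbook): classify the differences between an
approved baseline and a configuration scan, cross-checked against change control
records. All CIs, settings and change tickets below are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Approved baseline: CI -> {setting: approved value}. Constructed.
BASELINE: Dict[str, Dict[str, str]] = {
    "web-01": {"patch_level": "2015-03", "sshd.PermitRootLogin": "no"},
    "ws-17": {"patch_level": "2015-03", "browser.protected_mode": "on",
              "browser.unsigned_activex": "disable"},
    "ws-18": {"patch_level": "2015-03", "browser.protected_mode": "on",
              "browser.unsigned_activex": "disable"},
}

# What the configuration scan actually observed. Constructed.
OBSERVED: Dict[str, Dict[str, str]] = {
    "web-01": {"patch_level": "2015-04", "sshd.PermitRootLogin": "no"},   # patched, baseline not updated
    "ws-17": {"patch_level": "2015-03", "browser.protected_mode": "off",  # a tool install changed the browser
              "browser.unsigned_activex": "prompt"},
    "fw-test-03": {"patch_level": "unknown"},                             # test firewall left on the network
}

# Change records approved by the CCB. Constructed.
APPROVED_CHANGES = [
    {"ci": "web-01", "setting": "patch_level", "new": "2015-04", "ticket": "CHG-0042"},
]


@dataclass
class Finding:
    ci: str
    setting: str
    expected: str
    actual: str
    kind: str        # approved_not_baselined | unauthorized | unregistered_ci | ci_not_seen
    ticket: str = ""


def classify(baseline: Dict[str, Dict[str, str]],
             observed: Dict[str, Dict[str, str]],
             approved: List[Dict[str, str]]) -> List[Finding]:
    """Compare observed state with the baseline and explain each deviation."""
    approvals = {(c["ci"], c["setting"], c["new"]): c["ticket"] for c in approved}
    findings: List[Finding] = []
    for ci, actual_cfg in observed.items():
        if ci not in baseline:
            # Component present on the network but absent from the inventory/baseline.
            findings.append(Finding(ci, "*", "", "", "unregistered_ci"))
            continue
        for setting, expected in baseline[ci].items():
            actual = actual_cfg.get(setting, "<missing>")
            if actual == expected:
                continue
            ticket = approvals.get((ci, setting, actual))
            if ticket:
                # The change was approved; only the baseline record lags behind.
                findings.append(Finding(ci, setting, expected, actual,
                                        "approved_not_baselined", ticket))
            else:
                # No approved change explains this value: unauthorized until proven otherwise.
                findings.append(Finding(ci, setting, expected, actual, "unauthorized"))
    for ci in baseline:
        if ci not in observed:
            # Baselined CI the scan could not see: decommissioned, offline, or evading the scan.
            findings.append(Finding(ci, "*", "", "", "ci_not_seen"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind for a status report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in classify(BASELINE, OBSERVED, APPROVED_CHANGES):
        print(f"{f.kind:24} {f.ci:12} {f.setting:26} {f.expected!r} -> {f.actual!r} {f.ticket}")
```

web-01's new patch level has a matching CCB ticket, so the finding is a baseline that needs updating (Example I); ws-17's browser settings have no approved change, so they are reported as unauthorized (Example II); fw-test-03 is the forgotten test firewall; ws-18 was baselined but not seen. The classification matters because each kind calls for a different remediation: update the baseline, roll the change back, quarantine the device, or investigate the missing host.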

When possible, organizations seek to normalize data to describe their information system in order
that the various outputs from monitoring can be combined, correlated, analysed, and reported in a
consistent manner. SCAP provides a common language for describing vulnerabilities,
misconfigurations, and products and is an obvious starting point for organizations seeking a consistent
way of communicating across the organization regarding the security status of the enterprise
architecture.
When inconsistencies are discovered as a result of monitoring activities, the organization may want
to take remedial action. Action taken may be via manual methods or via use of automated tools.
Automated tools are preferable since actions are not reliant upon human intervention and are taken
immediately once an unauthorized change is identified. Examples of possible actions include:

 Implementing non-destructive remediation actions (e.g., quarantining of unregistered
device(s), blocking insecure protocols, etc.);
 Sending an alert with change details to appropriate staff using email;
 Rolling back changes and restoring from backups;
 Updating the inventory to include newly identified components; and
 Updating baseline configurations to represent new configurations.

Many applications support configuration management interfaces and functionality to allow operators
and administrators to change configuration parameters, update Web site content, and to perform
routine maintenance. Top configuration management threats include:

 Unauthorized access to administration interfaces
 Unauthorized access to configuration stores
 Retrieval of plaintext configuration secrets
 Lack of individual accountability
 Over-privileged process and service accounts

Unauthorized Access to Administration Interfaces

Administration interfaces are often provided through additional Web pages or separate Web
applications that allow administrators, operators, and content developers to manage site content
and configuration. Administration interfaces such as these should be available only to restricted and
authorized users. Malicious users able to access a configuration management function can potentially
deface the Web site, access downstream systems and databases, or take the application out of action
altogether by corrupting configuration data.

Countermeasures to prevent unauthorized access to administration interfaces include:

 Minimize the number of administration interfaces.
 Use strong authentication, for example, by using certificates.
 Use strong authorization with multiple gatekeepers.
 Consider supporting only local administration. If remote administration is absolutely essential,
use encrypted channels, for example, a VPN or TLS (formerly SSL), because of the sensitive nature
of the data passed over administrative interfaces. To further reduce risk, also consider using IPsec
policies to limit remote administration to computers on the internal network.


8.5 Unauthorized Access to Configuration Stores


Because of the sensitive nature of the data maintained in configuration stores, you should ensure that
the stores are adequately secured.

Countermeasures to protect configuration stores include:

 Configure restricted ACLs on text-based configuration files such as Machine.config and
Web.config.
 Keep custom configuration stores outside of the Web space. This removes the potential to
download Web server configurations to exploit their vulnerabilities.

Retrieval of Plaintext Configuration Secrets

Restricting access to the configuration store is a must. As an important defence-in-depth mechanism,
you should encrypt sensitive data such as passwords and connection strings. This helps prevent
external attackers from obtaining sensitive configuration data. It also prevents rogue administrators
and internal employees from obtaining sensitive details such as database connection strings and
account credentials that might allow them to gain access to other systems.
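The three weaknesses just described (a store inside the Web space, an over-permissive ACL, and secrets kept in plaintext) can be checked mechanically. The following Python script is an added example and is not from the handbook or the Microsoft guidance it draws on. It builds a constructed layout in a temporary directory, checks POSIX permission bits (on Windows the equivalent is to inspect the file's ACL, which this script does not do), and uses a small set of assumed regular expressions for secrets, so a miss does not prove a file is clean.

```python
"""Added example (not from the handbook): audit a configuration store for the three
weaknesses discussed above. Everything it inspects is constructed in a temp dir."""
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed heuristics for plaintext secrets; extend them for your own config formats.
SECRET_PATTERNS = [
    re.compile(r"(?i)\bpassword\s*=\s*[^;\s\"']+"),     # Password=... in key/value or connection strings
    re.compile(r"(?i)\b(pwd|secret|api_?key)\s*=\s*\S+"),
]


def audit_config_file(config: Path, web_root: Path) -> List[str]:
    """Return the list of weaknesses found for one configuration file."""
    issues: List[str] = []

    # 1. A store inside the Web space can be requested like any other file.
    try:
        config.resolve().relative_to(web_root.resolve())
        issues.append("inside_web_root")
    except ValueError:
        pass

    # 2. Restricted ACL: only the owner (the service account) should read or write it.
    mode = config.stat().st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        issues.append("readable_by_others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("writable_by_others")

    # 3. Secrets that should have been encrypted before being written to the store.
    text = config.read_text(errors="replace")
    if any(p.search(text) for p in SECRET_PATTERNS):
        issues.append("plaintext_secret")
    return issues


def demo() -> Dict[str, List[str]]:
    """Constructed layout: one weak store inside the Web root, one hardened store outside it."""
    root = Path(tempfile.mkdtemp())
    try:
        web_root = root / "wwwroot"
        web_root.mkdir()
        weak = web_root / "web.config"
        weak.write_text('<connectionStrings>\n'
                        '  <add name="db" connectionString="Server=db;User Id=app;Password=Pa55w0rd;" />\n'
                        '</connectionStrings>\n')
        os.chmod(weak, 0o644)   # readable by every local user

        hardened = root / "etc" / "app.config"
        hardened.parent.mkdir()
        # Constructed ciphertext placeholder standing in for an encrypted connection string.
        hardened.write_text("connectionString=ENC[v1:7c2d1e9f0a4b]\n")
        os.chmod(hardened, 0o600)   # owner only

        return {"web.config": audit_config_file(weak, web_root),
                "app.config": audit_config_file(hardened, web_root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, issues in demo().items():
        print(f"{name}: {', '.join(issues) or 'no issues'}")
```

The weak store trips all three checks; the hardened one, kept outside the Web root, owner-readable only and holding ciphertext rather than a password, trips none. Run against real paths, the function is the kind of check a SecCM monitoring job would schedule after every deployment.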

Lack of Individual Accountability

Lack of auditing and logging of changes made to configuration information threatens the ability to
identify when changes were made and who made them. When a breaking change is made, whether by
honest operator error or by a malicious change that grants privileged access, action must first be
taken to correct the change, and then preventive measures applied so that breaking changes cannot be
introduced in the same manner again. Keep in mind that auditing and logging can be circumvented by a
shared account; this applies to both administrative and user/application/service accounts.
Administrative accounts must not be shared. User/application/service accounts must be assigned at
a level that allows a single source of access using the account to be identified, and that limits any
damage to the privileges granted to that account.

Over-privileged Application and Service Accounts

If application and service accounts are granted access to change configuration information on the
system, they may be manipulated to do so by an attacker. The risk of this threat can be mitigated by
adopting a policy of using least privileged service and application accounts. Be wary of granting
accounts the ability to modify their own configuration information unless explicitly required by design.


Summary
 SecCM is defined as the management and control of configurations for information systems to
enable security and facilitate the management of information security risk.
 Configuration Management (CM) comprises a collection of activities focused on establishing
and maintaining the integrity of products and systems, through control of the processes for
initializing, changing, and monitoring the configurations of those products and systems.
 The activities of SecCM include the following:
o identification and recording of configurations that impact the security posture of the
information system and the organization;
o the consideration of security risks in approving the initial configuration;
o the analysis of security implications of changes to the information system
configuration;
o documentation of the approved/implemented changes.
 Product patches, fixes, and updates require time for security impact analysis even as threats
and vulnerabilities continue to exist.
 Configuration Item (CI) is identified, labelled, and tracked during its life cycle – the CI is the
target of many of the activities within SecCM. It may be—
o specific information system component (e.g., server, workstation, router, application)
o group of information system components (e.g., group of servers with like operating
systems, group of network components such as routers and switches, an application or
suite of applications)
o non-component object (e.g., firmware, documentation)
o an information system as a whole. CIs give organizations a way to decompose the
information system into manageable parts whose configurations can be actively
managed
 A baseline configuration is a set of specifications for a system, or Configuration Item (CI) within
a system, that has been formally reviewed and agreed on at a given point in time, and which
can be changed only through change control procedures.
 Monitoring identifies undiscovered/undocumented system components, misconfigurations,
vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose
organizations to increased risk.
 The organization is typically responsible for defining documented policies for the SecCM
program. A SecCM policy should include the following :
 Purpose – the objective(s) in establishing organization-wide SecCM policy;
 Scope – the extent of the enterprise architecture to which the policy applies;
 Roles – the roles that are significant within the context of the policy;
 Responsibilities – the responsibilities of each identified role;
 Activities – the functions that are performed to meet policy objectives
 Tools to support SecCM activities are selected for use across the organization by SecCM
program management, and information system owners are responsible for applying the tools
to the SecCM activities performed on each information system


Practical activities:

Activity 1:

Work in groups to research configuration management tools available in the industry.


Compare and categorise these tools based on their features, area of strengths and
limitations. These should be presented in class for shared understanding.

Activity 2:

Create a group project by interacting with companies that offer CM tools and prepare a
sequential process map of how a tool carries out its functions.
Present the same in class, highlighting the functionality and dependencies of the tools.


Check your understanding:


Q. List two countermeasures to protect configuration store

a. ________________________________________

b. ________________________________________

Q. State the key criteria on which the priority for implementing secure configurations under SecCM
is determined.
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. If Configuration Item is an identifiable part of a system then what does Configuration Item
Identification mean?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. State TRUE or FALSE

 There could be a different baseline configuration for each life cycle stage (development, test,
staging, production) of the information system. ( )
 Semi-automated tools work best to scan Web server, database server, network devices, etc. in
SecCM program. ( )

Q. Rank the phases/stages of security-focused configuration management in the correct order

____Identifying and Implementing Configurations

____Planning

____Monitoring

____Controlling Configuration Changes


NOTES:
__________________________________________________________________________________


UNIT IX
Log Correlation and Management

This Unit covers:

• Lesson Plan
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response


LESSON PLAN

Performance Outcomes

To be competent, you must be able to:

PC6. maintain accurate daily records/logs of information security performance parameters using
standard templates and tools
PC7. analyze information security performance metrics to highlight variances and issues for action by
appropriate people
PC8. provide inputs to root cause analysis and the resolution of information security issues, where
required
PC9. update your organization's knowledge base promptly and accurately with information security
issues and their resolution
PC3. carry out security assessment of information security systems using automated tools

Ensuring Measures

• Going through various organizations' websites and understanding the policies and guidelines.
(Research)
• Understand, summarize and articulate.
• Peer group, Faculty group and Industry experts.
• Peer review with faculty with appropriate feedback.
• Going through various organizations' websites and understanding the policies and guidelines.
(Research)
• Team work (IM and chat applications) and group activities (online forums) including templates to be
prepared

Work Environment / Lab Requirement

• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Networking Equipment - Routers & Switches
• Firewalls and Access Points
• Access to all security sites like ISO, PCI DSS
• Commercial Tools like HP WebInspect and IBM AppScan etc.
• Open Source tools like sqlmap, Nessus etc.

Knowledge and Understanding

You must know and understand:

KA1. your organization's policies, procedures, standards and guidelines for managing information
security
KA2. your organization's knowledge base and how to access and update this
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use
these
KA5. how to analyse root causes of information security issues
KA8. how to correlate devices and logs
KA9. different types of automation tools and how to use these
KA10. how to access and analyse information security performance metrics

Ensuring Measures

• KA1. Going through various organizations' websites and understanding the policies and guidelines.
(Research)
• KA2. Understand, summarize and articulate.
• KA4, KA5. Peer group, Faculty group and Industry experts.
• KA8. Peer review with faculty with appropriate feedback.
• KA9. Going through various organizations' websites and understanding the policies and guidelines.
(Research)
• KA10, KA11. Team work (IM and chat applications) and group activities (online forums) including
templates to be prepared.

Work Environment / Lab Requirement

As listed above for the performance outcomes.


Lesson 9.1 Event Logs - Concepts


A log is a record of the events occurring within an organization’s systems and networks. Logs are
composed of log entries; each entry contains information related to a specific event that has occurred
within a system or network. Originally, logs were used primarily for troubleshooting problems, but
logs now serve many functions within most organizations, such as optimizing system and network
performance, recording the actions of users, and providing data useful for investigating malicious
activity.

Logs have evolved to contain information related to many different types of events occurring within
networks and systems. Within an organization, many logs contain records related to computer
security; common examples of these computer security logs are audit logs that track user
authentication attempts and security device logs that record possible attacks.

Key Concepts

Log management: Log management refers to the broad practice of collecting, aggregating and
analysing network data for a variety of purposes. Data logging devices collect incredible amounts of
information on security, operational and application events — log management comprises the tools
to search and parse this data for trends, anomalies and other relevant information.

Security information event management (SIEM): Like log management, SIEM also involves the
collection and analysis of data. The key distinction to be made is that SIEM is a specialized tool for
information security. SIEM appliances enable event reduction and real-time alerting, and they provide
specific workflows to address security breaches as they occur. Another key feature of SIEM is the
incorporation of non-event based data, such as vulnerability scanning reports, for correlation and
analysis.

A lot of money has been invested in security products such as firewalls, intrusion detection, and strong
authentication over the past several years. However, system penetration attempts continue to occur
and go unnoticed until it is too late. It is not that security countermeasures are ineffective against
intrusive activity. Indeed, they can be very effective within an organization where security policies and
procedures require analysis of security events and appropriate incident response. However, deploying
and analysing a single device in an effort to maintain situational awareness with respect to the state
of security within an organization is the "computerized version of tunnel vision”. Security events must
be analysed from as many sources as possible in order to assess threat and formulate appropriate
response. Extraordinary levels of security awareness can be attained in an organization's network by
simply listening to what its devices are telling you.

• Security software logs primarily contain computer security-related information.
• Operating system logs and application logs typically contain a variety of information,
including computer security-related data.

204
Student Handbook– Security Analyst SSC/N0901

Security Software

Most organizations use several types of network-based and host-based security software to detect
malicious activity, protect systems and data, and support incident response efforts. Accordingly,
security software is a major source of computer security log data. Common types of network-based
and host-based security software include the following:

Antimalware Software. The most common form of antimalware software is antivirus software, which
typically records all instances of detected malware, file and system disinfection attempts, and file
quarantines.

Additionally, antivirus software might also record when malware scans were performed and when
antivirus signature or software updates occurred. Antispyware software and other types of
antimalware software (e.g., rootkit detectors) are also common sources of security information.

Intrusion Detection and Intrusion Prevention Systems. Intrusion detection and intrusion prevention
systems record detailed information on suspicious behaviour and detected attacks, as well as any
actions intrusion prevention systems performed to stop malicious activity in progress.

Some intrusion detection systems, such as file integrity checking software, run periodically instead of
continuously, so they generate log entries in batches instead of on an ongoing basis.

Remote Access Software

Remote access is often granted and secured through virtual private networking (VPN). VPN systems
typically log successful and failed login attempts, as well as the dates and times each user connected
and disconnected, and the amount of data sent and received in each user session. VPN systems that
support granular access control, such as many Secure Sockets Layer (SSL) VPNs, may log detailed
information about the use of resources.

Web Proxies

Web proxies are intermediate hosts through which Web sites are accessed. Web proxies make Web
page requests on behalf of users, and they cache copies of retrieved Web pages to make additional
accesses to those pages more efficient. Web proxies can also be used to restrict Web access and to
add a layer of protection between Web clients and Web servers. Web proxies often keep a record of
all URLs accessed through them.

Vulnerability Management Software

Vulnerability management software, which includes patch management software and vulnerability
assessment software, typically logs the patch installation history and vulnerability status of each host,
which includes known vulnerabilities and missing software updates.

Vulnerability management software may also record additional information about hosts’
configurations. Vulnerability management software typically runs occasionally, not continuously, and
is likely to generate large batches of log entries.


Authentication Servers

Authentication servers, including directory servers and single sign-on servers, typically log each
authentication attempt, including its origin, username, success or failure, and date and time.

Routers

Routers may be configured to permit or block certain types of network traffic based on a policy.
Routers that block traffic are usually configured to log only the most basic characteristics of blocked
activity.

Firewalls

Like routers, firewalls permit or block activity based on a policy; however, firewalls use much more
sophisticated methods to examine network traffic.

Firewalls can also track the state of network traffic and perform content inspection. Firewalls tend to
have more complex policies and generate more detailed logs of activity than routers.

Network Quarantine Servers

Some organizations check each remote host’s security posture before allowing it to join the network.
This is often done through a network quarantine server and agents placed on each host. Hosts that do
not respond to the server’s checks or that fail the checks are quarantined on a separate virtual local
area network (VLAN) segment. Network quarantine servers log information about the status of checks,
including which hosts were quarantined and for what reasons.

Operating Systems

Operating systems (OS) for servers, workstations, and networking devices (e.g., routers, switches)
usually log a variety of information related to security. The most common types of security-related OS
data are as follows:

System Events

System events are operational actions performed by OS components, such as shutting down the
system or starting a service. Typically, failed events and the most significant successful events are
logged, but many OSs permit administrators to specify which types of events will be logged. The details
logged for each event also vary widely; each event is usually timestamped, and other supporting
information could include event, status, and error codes; service name; and user or system account
associated with an event.

Audit Records

Audit records contain security event information such as successful and failed authentication
attempts, file accesses, security policy changes, account changes (e.g., account creation and deletion,
account privilege assignment), and use of privileges. OSs typically permit system administrators to
specify which types of events should be audited and whether successful and/or failed attempts to
perform certain actions should be logged.

OS logs are most beneficial for identifying or investigating suspicious activity involving a particular
host. After suspicious activity is identified by security software, OS logs are often consulted to get
more information on the activity.

Applications

Operating systems and security software provide the foundation and protection for applications,
which are used to store, access, and manipulate the data used for the organization’s business
processes. Most organizations rely on a variety of commercial off-the-shelf (COTS) applications, such
as e-mail servers and clients, Web servers and browsers, file servers and file sharing clients, and
database servers and clients. Some applications generate their own log files, while others use the
logging capabilities of the OS on which they are installed. Applications vary significantly in the types
of information that they log. The following lists some of the most commonly logged types of
information and the potential benefits of each:

Client requests and server responses, which can be very helpful in reconstructing sequences of events
and determining their apparent outcome. If the application logs successful user authentications, it is
usually possible to determine which user made each request. Some applications can perform highly
detailed logging, such as e-mail servers recording the sender, recipients, subject name, and
attachment names for each e-mail; Web servers recording each URL requested and the type of
response provided by the server; and business applications recording which financial records were
accessed by each user. This information can be used to identify or investigate incidents and to monitor
application usage for compliance and auditing purposes.

Account information such as successful and failed authentication attempts, account changes (e.g.,
account creation and deletion, account privilege assignment), and use of privileges. In addition to
identifying security events such as brute force password guessing and escalation of privileges, it can
be used to identify who has used the application and when each person has used it.

Usage information such as the number of transactions occurring in a certain period (e.g., minute, hour)
and the size of transactions (e.g., e-mail message size, file transfer size). This can be useful for certain
types of security monitoring (e.g., a ten-fold increase in e-mail activity might indicate a new e-mail–
borne malware threat; an unusually large outbound e-mail message might indicate inappropriate
release of information).

Significant operational actions such as application startup and shutdown, application failures, and
major application configuration changes. This can be used to identify security compromises and
operational failures.

Much of this information, particularly for applications that are not used through unencrypted network
communications, can only be logged by the applications, which makes application logs particularly
valuable for application-related security incidents, auditing, and compliance efforts. However, these
logs are often in proprietary formats that make them more difficult to use, and the data they contain
is often highly context-dependent, necessitating more resources to review their contents.


9.2 Log Management and its need


Log management can benefit an organization in many ways. It helps to ensure that computer security
records are stored in sufficient detail for an appropriate period of time. Routine log reviews and
analysis are beneficial for identifying security incidents, policy violations, fraudulent activity, and
operational problems shortly after they have occurred, and for providing information useful for
resolving such problems. Logs can also be useful for performing auditing and forensic analysis,
supporting the organization's internal investigations, establishing baselines, and identifying
operational trends and long-term problems.

A log management infrastructure typically comprises the following three tiers:

Log Generation
The first tier contains the hosts that generate the log data. Some hosts run logging client
applications or services that make their log data available through networks to log servers
in the second tier. Other hosts make their logs available through other means, such as
allowing the servers to authenticate to them and retrieve copies of the log files.

Log Analysis and Storage


The second tier is composed of one or more log servers that receive log data or copies of
log data from the hosts in the first tier. The data is transferred to the servers either in a
real-time or near-real-time manner, or in occasional batches based on a schedule or the
amount of log data waiting to be transferred. Servers that receive log data from multiple
log generators are sometimes called collectors or aggregators. Log data may be stored on
the log servers themselves or on separate database servers.

Log Monitoring
The third tier contains consoles that may be used to monitor and review log data and the
results of automated analysis. Log monitoring consoles can also be used to generate
reports. In some log management infrastructures, consoles can also be used to provide
management for the log servers and clients. Also, console user privileges sometimes can
be limited to only the necessary functions and data sources for each user.

Log management infrastructures typically perform several functions that assist in the storage,
analysis, and disposal of log data. These functions are normally performed in such a way that they do
not alter the original logs.

The following items describe common log management infrastructure functions:

Log parsing is extracting data from a log so that the parsed values can be used as input for another
logging process. A simple example of parsing is reading a text-based log file that contains 10 comma-
separated values per line and extracting the 10 values from each line.

Parsing is performed as part of many other logging functions, such as log conversion and log
viewing.


Event filtering is the suppression of log entries from analysis, reporting, or long-term storage
because their characteristics indicate that they are unlikely to contain information of interest.

For example, duplicate entries and standard informational entries might be filtered because they
do not provide useful information to log analysts. Typically, filtering does not affect the generation
or short-term storage of events because it does not alter the original log files.

In event aggregation, similar entries are consolidated into a single entry containing a count of the
number of occurrences of the event. For example, a thousand entries that each record part of a
scan could be aggregated into a single entry that indicates how many hosts were scanned.

Aggregation is often performed as logs are originally generated (the generator counts similar
related events and periodically writes a log entry containing the count), and it can also be
performed as part of log reduction or event correlation processes, which are described below.
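As an added example (not from the handbook or from any product), the three functions just described applied in Python to a constructed ten-field comma-separated firewall log: parsing each line into named fields, filtering informational and duplicate entries, and aggregating one source's blocked connections into a single entry carrying a count. All field names and values are made up for the example.

```python
import csv
from io import StringIO

# Field names for the constructed 10-field comma-separated firewall log below
# (layout and values are made up for this example, not taken from any product).
FIELDS = ["date", "time", "action", "proto", "src_ip", "src_port",
          "dst_ip", "dst_port", "rule", "msg"]

# Constructed sample: one source host probing SSH on three internal hosts, plus
# informational entries and one exact duplicate line (a common collector artifact).
SAMPLE_LOG = """\
2015-06-01,10:00:01,ACCEPT,TCP,10.0.0.5,51000,10.0.0.20,443,web-out,connection established
2015-06-01,10:00:01,INFO,-,-,-,-,-,-,policy reloaded
2015-06-01,10:00:02,DROP,TCP,192.0.2.7,40001,10.0.0.10,22,default-deny,connection refused
2015-06-01,10:00:02,DROP,TCP,192.0.2.7,40002,10.0.0.11,22,default-deny,connection refused
2015-06-01,10:00:03,DROP,TCP,192.0.2.7,40003,10.0.0.12,22,default-deny,connection refused
2015-06-01,10:00:03,DROP,TCP,192.0.2.7,40003,10.0.0.12,22,default-deny,connection refused
2015-06-01,10:00:04,INFO,-,-,-,-,-,-,policy reloaded
2015-06-01,10:00:05,ACCEPT,TCP,10.0.0.6,51001,10.0.0.20,443,web-out,connection established
"""


def parse_log(text):
    """Log parsing: turn each comma-separated line into a dict of named fields.

    A line with the wrong number of fields is a malformed record and is rejected
    rather than silently mis-mapped, because mis-mapped fields corrupt every
    later function (filtering, aggregation, correlation).
    """
    entries = []
    for lineno, row in enumerate(csv.reader(StringIO(text)), start=1):
        if len(row) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
        entries.append(dict(zip(FIELDS, row)))
    return entries


def filter_events(entries):
    """Event filtering: drop standard informational entries and exact duplicates.

    Only the analysis copy is reduced; the original log text is never changed.
    """
    seen = set()
    kept = []
    for entry in entries:
        if entry["action"] == "INFO":
            continue
        key = tuple(entry[f] for f in FIELDS)
        if key in seen:
            continue
        seen.add(key)
        kept.append(entry)
    return kept


def aggregate_drops(entries):
    """Event aggregation: collapse all DROP entries from one source into a single
    entry recording how many distinct hosts it touched and how many times.
    Non-DROP entries pass through unchanged.
    """
    passthrough = [e for e in entries if e["action"] != "DROP"]
    by_source = {}
    for e in entries:
        if e["action"] != "DROP":
            continue
        agg = by_source.setdefault(e["src_ip"], {
            "action": "DROP_AGGREGATE", "src_ip": e["src_ip"],
            "first_seen": e["date"] + " " + e["time"], "last_seen": None,
            "hosts": set(), "occurrences": 0,
        })
        agg["last_seen"] = e["date"] + " " + e["time"]
        agg["hosts"].add(e["dst_ip"])
        agg["occurrences"] += 1
    summaries = []
    for agg in by_source.values():
        agg["hosts_scanned"] = len(agg.pop("hosts"))
        summaries.append(agg)
    return passthrough + summaries


def run_pipeline(text):
    """Parse -> filter -> aggregate, as a log server would before storage or analysis."""
    return aggregate_drops(filter_events(parse_log(text)))


if __name__ == "__main__":
    for entry in run_pipeline(SAMPLE_LOG):
        print(entry)
```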

Storage

Log rotation is closing a log file and opening a new log file when the first file is considered to be
complete. Log rotation is typically performed according to a schedule (e.g., hourly, daily, weekly) or
when a log file reaches a certain size. The primary benefits of log rotation are preserving log entries
and keeping the size of log files manageable. When a log file is rotated, the preserved log file can be
compressed to save space. Also, during log rotation, scripts are often run that act on the archived log.
For example, a script might analyse the old log to identify malicious activity, or might perform filtering
that causes only log entries meeting certain characteristics to be preserved. Many log generators offer
log rotation capabilities; many log files can also be rotated through simple scripts or third-party
utilities, which in some cases offer features not provided by the log generators.

Log archival is retaining logs for an extended period of time, typically on removable media, a storage
area network (SAN), or a specialized log archival appliance or server. Logs often need to be preserved
to meet legal or regulatory requirements.

There are two types of log archival: retention and preservation. Log retention is archiving logs on a
regular basis as part of standard operational activities. Log preservation is keeping logs that normally
would be discarded, because they contain records of activity of particular interest. Log preservation is
typically performed in support of incident handling or investigations.

Log compression is storing a log file in a way that reduces the amount of storage space needed for the
file without altering the meaning of its contents. Log compression is often performed when logs are
rotated or archived.

Log reduction is removing unneeded entries from a log to create a new log that is smaller. A similar
process is event reduction, which removes unneeded data fields from all log entries. Log and event
reduction are often performed in conjunction with log archival so that only the log entries and data
fields of interest are placed into long-term storage.

Log conversion is parsing a log in one format and storing its entries in a second format. For example,
conversion could take data from a log stored in a database and save it in an XML format in a text file.
Many log generators can convert their own logs to another format; third-party conversion utilities are
also available. Log conversion sometimes includes actions such as filtering, aggregation, and
normalization.

Log normalization is converting each log data field to a particular data representation and categorizing
it consistently. One of the most common uses of normalization is storing dates and times in a single
format. For example, one log generator might store the event time in a twelve-hour format
(2:34:56 P.M. EDT) categorized as Timestamp, while another log generator might store it in
twenty-four-hour format (14:34) categorized as Event Time, with the time zone stored in a different
notation (-0400) in a different field categorized as Time Zone. Normalizing the data makes analysis
and reporting much easier when multiple log formats are in use. However, normalization can be very
resource-intensive, especially for complex log entries (e.g., typical intrusion detection logs).

Log file integrity checking involves calculating a message digest for each file and storing the message
digest securely to ensure that changes to archived logs are detected. A message digest is a digital
signature that uniquely identifies data and has the property that changing a single bit in the data
causes a completely different message digest to be generated. The most commonly used message
digest algorithms are MD5 and Secure Hash Algorithm 1 (SHA-1). If the log file is modified and its
message digest is recalculated, it will not match the original message digest, indicating that the file
has been altered. The original message digests should be protected from alteration through
FIPS-approved encryption algorithms, storage on read-only media, or other suitable means.

Analysis

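Before the analysis functions, an added example (not part of the handbook) covering two of the storage functions above: normalization of the two timestamp layouts quoted in the text into one UTC representation, and digest-based integrity checking of an archived log. The zone-offset table, the field names and the sample log bytes are assumptions made for this example, and SHA-256 is used in place of the MD5/SHA-1 the text names.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed mapping of the zone abbreviations this example expects to UTC offsets;
# a real normalizer needs a full time-zone database, not a three-entry table.
ZONE_OFFSETS_HOURS = {"EDT": -4, "EST": -5, "UTC": 0}


def normalize_time(entry):
    """Log normalization: map either generator's time fields to one UTC ISO-8601 value.

    Generator A (constructed, layout as in the text):
        {"Date": "2015-06-01", "Timestamp": "2:34:56 P.M. EDT"}
    Generator B (constructed, layout as in the text):
        {"Date": "2015-06-01", "Event Time": "14:34", "Time Zone": "-0400"}
    Anything else is rejected instead of being guessed at.
    """
    if "Timestamp" in entry:
        clock, zone = entry["Timestamp"].rsplit(" ", 1)
        local = datetime.strptime(f"{entry['Date']} {clock.replace('.', '')}",
                                  "%Y-%m-%d %I:%M:%S %p")
        local = local.replace(tzinfo=timezone(timedelta(hours=ZONE_OFFSETS_HOURS[zone])))
    elif "Event Time" in entry and "Time Zone" in entry:
        local = datetime.strptime(
            f"{entry['Date']} {entry['Event Time']} {entry['Time Zone']}",
            "%Y-%m-%d %H:%M %z")
    else:
        raise ValueError(f"unrecognized time fields: {sorted(entry)}")
    return local.astimezone(timezone.utc).isoformat()


def archive_digest(data):
    """Digest stored alongside an archived log. SHA-256 is used rather than the
    MD5/SHA-1 the text names, since collisions are known for both. The stored
    digests must themselves be write-protected (read-only media, separate store)."""
    return hashlib.sha256(data).hexdigest()


def verify_archive(data, stored_digest):
    """Recompute and compare; the constant-time compare avoids leaking digest prefixes."""
    return hmac.compare_digest(archive_digest(data), stored_digest)


def flip_one_bit(data, byte_index, bit):
    """Constructed tamper: change a single bit to show the digest no longer matches."""
    altered = bytearray(data)
    altered[byte_index] ^= 1 << bit
    return bytes(altered)


# Constructed archived log content (one normalized entry), not real data.
ARCHIVED_LOG = b"2015-06-01T18:34:56+00:00 auth failure user=jdoe src=203.0.113.9\n"

if __name__ == "__main__":
    print(normalize_time({"Date": "2015-06-01", "Timestamp": "2:34:56 P.M. EDT"}))
    print(normalize_time({"Date": "2015-06-01", "Event Time": "14:34", "Time Zone": "-0400"}))
    digest = archive_digest(ARCHIVED_LOG)
    print("intact:", verify_archive(ARCHIVED_LOG, digest))
    print("one bit flipped:", verify_archive(flip_one_bit(ARCHIVED_LOG, 0, 0), digest))
```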
Event correlation is finding relationships between two or more log entries. The most common form
of event correlation is rule-based correlation, which matches multiple log entries from a single source
or multiple sources based on logged values, such as timestamps, IP addresses, and event types.

Event correlation can also be performed in other ways, such as using statistical methods or
visualization tools. If correlation is performed through automated methods, generally the result of
successful correlation is a new log entry that brings together the pieces of information into a single
place. Depending on the nature of that information, the infrastructure might also generate an alert to
indicate that the identified event needs further investigation.

Log viewing is displaying log entries in a human-readable format. Most log generators provide some
sort of log viewing capability; third-party log viewing utilities are also available. Some log viewers
provide filtering and aggregation capabilities.
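Rule-based correlation as described above, written here as an added Python example (not the handbook's code): constructed, already-normalized authentication entries from a VPN gateway and a directory server are matched on source IP and timestamp, and each successful correlation produces a new entry flagged for investigation. The thresholds, field names and sample values are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed, already-normalized entries from two sources (a VPN gateway and a
# directory/authentication server). All values are made up for this example.
EVENTS = [
    {"source": "vpn", "time": "2015-06-01T18:30:00+00:00", "type": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.9"},
    {"source": "vpn", "time": "2015-06-01T18:30:10+00:00", "type": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.9"},
    {"source": "vpn", "time": "2015-06-01T18:30:20+00:00", "type": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.9"},
    {"source": "vpn", "time": "2015-06-01T18:30:30+00:00", "type": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.9"},
    {"source": "dirsrv", "time": "2015-06-01T18:30:40+00:00", "type": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.9"},
    {"source": "dirsrv", "time": "2015-06-01T18:30:50+00:00", "type": "auth_success", "user": "jdoe", "src_ip": "203.0.113.9"},
    {"source": "vpn", "time": "2015-06-01T18:31:00+00:00", "type": "auth_failure", "user": "asmith", "src_ip": "198.51.100.4"},
    {"source": "dirsrv", "time": "2015-06-01T18:31:05+00:00", "type": "auth_success", "user": "asmith", "src_ip": "10.0.0.5"},
]


def correlate_auth(events, threshold=5, window=timedelta(seconds=60)):
    """Rule-based correlation keyed on src_ip and timestamp across several sources.

    Rule 1: `threshold` failures from one src_ip inside `window` -> one new
            "repeated_auth_failure" entry, emitted once when the threshold is crossed.
    Rule 2: a success from that src_ip while the failure run is still inside the
            window -> "auth_success_after_failures", flagged for investigation.
    The result is a list of new entries; the input entries are not modified.
    """
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    recent_failures = {}   # src_ip -> list of (time, source, user) still inside the window
    correlated = []
    for e in ordered:
        t = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]
        run = [f for f in recent_failures.get(ip, []) if t - f[0] <= window]
        if e["type"] == "auth_failure":
            run.append((t, e["source"], e["user"]))
            if len(run) == threshold:
                correlated.append({
                    "type": "repeated_auth_failure", "src_ip": ip,
                    "failures": len(run),
                    "first": run[0][0].isoformat(), "last": t.isoformat(),
                    "sources": sorted({f[1] for f in run}), "alert": True,
                })
        elif e["type"] == "auth_success" and len(run) >= threshold:
            correlated.append({
                "type": "auth_success_after_failures", "src_ip": ip,
                "user": e["user"], "failures_before_success": len(run),
                "success_time": t.isoformat(), "success_source": e["source"],
                "alert": True,
            })
            run = []   # the run has been reported; start counting afresh
        recent_failures[ip] = run
    return correlated


if __name__ == "__main__":
    for entry in correlate_auth(EVENTS):
        print(entry)
```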

Log reporting is displaying the results of log analysis. Log reporting is often performed to summarize
significant activity over a particular period of time or to record detailed information related to a
particular event or series of events.

Disposal

Log clearing is removing all entries from a log that precede a certain date and time. Log clearing is
often performed to remove old log data that is no longer needed on a system because it is not of
importance or it has been archived.


9.3 Log Management Process


System-level and infrastructure administrators should follow standard processes for managing the
logs for which they are responsible.

Major operational processes for log management are as follows:

• Configure the log sources, including log generation, storage, and security
• Perform analysis of log data
• Initiate appropriate responses to identified events
• Manage the long-term storage of log data.

Configure Log Sources

System-level administrators need to configure log sources so that they capture the necessary
information in the desired format and locations, as well as retain the information for the appropriate
period of time.

The process includes:

• Administrators determine which of their hosts and host components must or should participate in
the log management infrastructure.
• A single log file might contain information from several sources, such as an OS log containing
information from the OS itself and several security software programs and applications.
Administrators ascertain which log sources use each log file.
• For each identified log source, administrators determine which types of events each log source
must or should log, as well as which data characteristics must or should be logged for each type
of event.

The administrator’s ability to configure each log source is dependent on the features offered by that
particular type of log source. For example, some log sources offer very granular configuration options,
while some offer no granularity at all—logging is simply enabled or disabled, with no control over what
is logged. This section discusses log source configuration in three categories: log generation, log
storage and disposal, and log security.

Event Logs

Event logs are special files that record significant events on your computer, such as when a user logs
on to the computer or when a program encounters an error.

Example: Windows Event Log

Whenever the significant types of events occur, Windows records the event in an event log that you
can read by using Event Viewer. Advanced users might find the details in event logs helpful when
troubleshooting problems with Windows and other programs.


Event Viewer tracks information in several different logs. Windows Logs include:

Application (program) events: Events are classified as error, warning, or information, depending on
the severity of the event. An error is a significant problem, such as loss of data. A warning is an
event that isn't necessarily significant, but might indicate a possible future problem. An information
event describes the successful operation of a program, driver, or service.

Security-related events: These events are called audits and are described as successful or failed
depending on the event, such as whether a user trying to log on to Windows was successful.

Setup events: Computers that are configured as domain controllers will have additional logs displayed
here.

System events: System events are logged by Windows and Windows system services, and are classified
as error, warning, or information.

Forwarded events: These events are forwarded to this log by other computers.

Applications and Services Logs vary. They include separate logs about the programs that run on your
computer, as well as more detailed logs that pertain to specific Windows services.

Open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and Security,
clicking Administrative Tools, and then double-clicking Event Viewer. Administrator permission is
required: if you're prompted for an administrator password or confirmation, type the password or
provide confirmation.

Click an event log in the left pane.

Double-click an event to view the details of the event.


9.4 Configuring Windows Event Log


Authorized administrators can define security settings for the event logs. The choices are somewhat
limited, and include log size, the length of time a log should be stored, and when the log should be
cleared. Each event log can be configured individually.

1. Click Start, select Programs, select Administrative Tools, click Computer Management.
2. In the console tree, click Event Viewer. Right-click Security and select Properties.

3. The Security Properties window will appear. Here authorized administrators can set the Maximum
log size and select what action to take when the maximum log size is reached.

• To restore the default settings, click Restore Defaults.
• To clear the log, click Clear Log.

Under Log size, select one of these options:

If the log is not to be archived, click Overwrite events as needed.

To archive the log at scheduled intervals, click Overwrite events older than and specify the appropriate
number of days. Be sure that the Maximum log size is large enough to accommodate the interval.

To retain all the events in the log, click Do not overwrite events (clear log manually). This option
requires that logs be cleared manually. When the maximum log size is reached, new events are
discarded. If the event log is not cleared and archived regularly, the following message will appear.

1. After establishing the security log settings, click the Apply button.

2. The Security Properties window also provides the ability to set filters on the event log to perform
searches and sorting of audit data. To filter an existing event log in order to view or save specific
security events, select the Filter tab and configure the filter.

3. To configure the filter, select the Event types that will be included by checking or unchecking a
selection box next to Information, Warning, Error, Success Audit, and/or Failure Audit, then input any
additional desired filtering requirements by Event source, Category, Event ID, User, or Computer.

4. By default, the entire event log will be filtered for viewing by the parameters selected above. If
desired, select a date and time range for the logs that will be filtered for viewing. This is
accomplished by first clicking on the From: drop-down menu and changing the selection to Events On.
The date and time dialog boxes will become active. Change the date by selecting the drop-down menu
and choosing a date from the calendar that is presented. Change the time by scrolling the up and down
arrows in the time dialog box. Follow the same procedure for the To: drop-down menu, changing the
selection to Events On, and set the end date and time as described above.

5. Once all the desired filtering options have been selected, click the Apply button and click OK. The
Event Viewer will filter the log and display the information as defined by the filter.

Windows Logon Types

Logon Types are logged in the Logon Type field of logon events (event IDs 528 and 540 for successful
logons, and 529-537 and 539 for failed logons).

Windows supports the following logon types and associated logon type values:
2: Interactive logon—This is used for a logon at the console of a computer. A type 2 logon is
logged when you attempt to log on at a Windows computer’s local keyboard and screen.
3: Network logon—This logon occurs when you access remote file shares or printers. Also, most
logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons
that use the basic authentication protocol (those are logged as logon type 8).
4: Batch logon—This is used for scheduled tasks. When the Windows Scheduler service starts a
scheduled task, it first creates a new logon session for the task, so that it can run in the security
context of the account that was specified when the task was created.
5: Service logon—This is used for services and service accounts that log on to start a service.
When a service starts, Windows first creates a logon session for the user account that is specified
in the service configuration.
7: Unlock—This is used whenever you unlock your Windows machine.
8: Network clear text logon—This is used when you log on over a network and the password is
sent in clear text. This happens, for example, when you use basic authentication to authenticate
to an IIS server.


9: New credentials-based logon—This is used when you run an application using the RunAs
command and specify the /netonly switch. When you start a program with RunAs using /netonly,
the program starts in a new logon session that has the same local identity (this is the identity of
the user you are currently logged on with), but uses different credentials (the ones specified in the
runas command) for other network connections. Without /netonly, Windows runs the program on
the local computer and on the network as the user specified in the runas command, and logs the
logon event with type 2.
10: Remote Interactive logon—This is used for RDP-based applications like Terminal Services,
Remote Desktop or Remote Assistance.
11: Cached Interactive logon—This is logged when users log on using cached credentials, which
basically means that in the absence of a domain controller, you can still log on to your local
machine using your domain credentials. Windows supports logon using cached credentials to ease
the life of mobile users and users who are often disconnected.
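The Python script below is an added illustration, not part of the handbook and not a Microsoft tool. It classifies logon events using the Logon Type values and the event IDs listed above (528/540 for successful logons, 529-537 and 539 for failures) and picks out the entries an analyst would want to review first: type 8 logons, where the password travelled in clear text, and repeated failed Remote Interactive (type 10) logons from one source. The event records are constructed sample data; the user names, host names and the TEST-NET address 203.0.113.7 are assumptions.

```python
"""Classify Windows logon events by Logon Type and flag items for review.

Added example for this handbook section; not from the original text.
The records in SAMPLE_EVENTS are constructed, not real audit logs.
"""
from collections import Counter

# Logon type values and names exactly as listed in the text above.
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Pre-Vista event IDs used in the text above.
SUCCESS_IDS = {528, 540}
FAILURE_IDS = set(range(529, 538)) | {539}

# Constructed sample records: (event_id, logon_type, user, source).
SAMPLE_EVENTS = [
    (528, 2, "alice", "WS01"),
    (540, 3, "alice", "FILESRV"),
    (528, 8, "bob", "IIS01"),            # basic auth to IIS: clear-text password
    (529, 10, "admin", "203.0.113.7"),   # failed RDP logons from one address
    (529, 10, "admin", "203.0.113.7"),
    (529, 10, "admin", "203.0.113.7"),
    (528, 5, "svc_backup", "DB01"),
    (528, 11, "carol", "LAPTOP3"),
]


def classify(event_id, logon_type):
    """Return (outcome, logon type name) for a single logon event."""
    if event_id in SUCCESS_IDS:
        outcome = "success"
    elif event_id in FAILURE_IDS:
        outcome = "failure"
    else:
        outcome = "other"
    return outcome, LOGON_TYPES.get(logon_type, "Unknown(%d)" % logon_type)


def summarize(events):
    """Count events per (outcome, type) and collect the facts used for review."""
    counts = Counter()
    cleartext_users = set()
    failed_remote = Counter()          # (user, source) -> failed type-10 logons
    for event_id, logon_type, user, source in events:
        outcome, name = classify(event_id, logon_type)
        counts[(outcome, name)] += 1
        if logon_type == 8:
            cleartext_users.add(user)
        if outcome == "failure" and logon_type == 10:
            failed_remote[(user, source)] += 1
    return counts, cleartext_users, failed_remote


def review_items(events, failure_threshold=3):
    """Human-readable review list; the threshold is an assumed tuning value."""
    _, cleartext_users, failed_remote = summarize(events)
    items = []
    for user in sorted(cleartext_users):
        items.append("type 8 logon for %s: password sent in clear text" % user)
    for (user, source), n in sorted(failed_remote.items()):
        if n >= failure_threshold:
            items.append("%d failed RDP logons for %s from %s" % (n, user, source))
    return items


if __name__ == "__main__":
    counts, _, _ = summarize(SAMPLE_EVENTS)
    for key, n in sorted(counts.items()):
        print("%-8s %-18s %d" % (key[0], key[1], n))
    for item in review_items(SAMPLE_EVENTS):
        print("REVIEW:", item)
```

The counts give the baseline view (which logon types are normal on which hosts); the review list is what the type numbers are for in practice, since a type 8 or a burst of failed type 10 logons reads very differently from a type 5 service start.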

How to Read the Windows Application, Security, and System Log Files

The Windows application, security, and system log files can be read with a Windows application called
“Event Viewer,” which is accessed through the Control Panel:
 Click the Start button on the desktop’s Taskbar
 Click the Control Panel menu item
 The Control Panel’s window will open
 In the Control Panel, double-click the Administrative Tools icon
 The Administrative Tools window will open with a list of different icons
 Double click the Event Viewer icon

How to Read Other Windows Log Files

Many log files that software applications use are written as plain text files, making it possible to use
any freeware text editor, such as “Notepad” or “WordPad”, to read the generated log files. To read .txt files
in WordPad:

 Click the Start button on the desktop’s Taskbar
 Click All Programs option
 Click Accessories menu item
 Click WordPad application
 A new WordPad window will open
 Click the File menu
 Click the Open menu item
 Navigate to the desired log file and click the Open button
There are also programs that allow the user to monitor log files as they occur in real-time. Examples
of such software include Tail For Win32 and Hoo WinTail. These programs make it easy to read new
entries from the bottom (tail) of the log file.


9.5 IIS log files

Internet Information Services (IIS) is a web server developed by Microsoft for use with Windows
Server. The server is meant for a variety of hosting uses while attempting to maintain a high level of
flexibility and scalability.

To help with server use and analysis, IIS is integrated with several types of log files. These log file
formats provide information on a range of websites and specific statistics, including Internet Protocol
(IP) addresses, user information and site visits as well as dates, times and queries.

Log File Formats in IIS (IIS 6.0)

IIS provides six different log file formats that you can use to track and analyse information about your
IIS-based sites and services. In addition to the six available formats, you can create your own custom
log file format.

The following log file formats and logging options are available in IIS:

 W3C Extended Log File Format: Text-based, customizable format for a single site. This is the
default format.
 W3C Centralized Logging: All data from all Web sites is recorded in a single log file in the W3C
log file format.
 NCSA Common Log File Format: Text-based, fixed format for a single site.
 IIS Log File Format: Text-based, fixed format for a single site.
 ODBC Logging: Fixed format for a single site. Data is recorded in an ODBC-compliant database.
 Centralized Binary Logging: Binary-based, unformatted data that is not customizable. Data is
recorded from multiple Web sites and sent to a single log file. To interpret the data, you need
a special parser.
 HTTP.sys Error Log Files: Fixed format for HTTP.sys-generated errors.

You can read text-based log files using a text editor such as Notepad, which is included with Windows,
but administrators often import the files into a report-generating software tool for further analysis.

IIS logs, when properly analysed, provide information about demographics and usage of the IIS web
server. By tracking usage data, web providers can better tailor their services to support specific
regions, time frames or IP ranges. Log filters also allow providers to track only the data deemed
necessary for analysis.

Analyse an IIS Log file

IIS logs contain crucial information for improving the web site. Log files for an IIS server are the key
source of information for managing the websites hosted on the server. The log files contain a record
of each request from a web user and the response provided by the IIS server. This data is crucial for
marketing, site performance and security. Logs are often the only indication that a user is attempting
to hack into your IIS server. Patterns and trends can be spotted in this data to help you segment your
users for marketing opportunities. IIS log analysis is a critical tool in improving your website.


Internet Information Services (IIS) 6.0 offers a number of ways to record the activity of your Web sites,
File Transfer Protocol (FTP) sites, Network News Transfer Protocol (NNTP) service, and Simple Mail
Transfer Protocol (SMTP) service and allows you to choose the log file format that works best for your
environment. IIS logging is designed to be more detailed than the event logging or performance
monitoring features of the Microsoft® Windows® Server 2003, Standard Edition, Windows® Server
2003, Enterprise Edition, and Windows® Server 2003, Datacenter Edition, operating systems. IIS log
files can include information such as who has visited your site, what was viewed, and when the
information was last viewed. You can monitor attempts to access your sites, virtual folders, or files
and determine whether attempts were made to read or write to your files. IIS log file formats allow
you to record events independently for any site, virtual folder, or file.

Using a text editor, the following steps can be used to analyse the IIS file:

 Open the log file labeled as "ex010110.log" in your text editor. The six digits in the log file
name are in the format day, month and year the file was created.
 Locate the header information. This is a line starting with "#Fields:." Use this line to determine
the corresponding values in each column.
 Use the date and time to identify when the request was created. The "sitename" and
"computername" will indicate what server responded to the request.
 Identify the visitor to your web server by the "c-ip", which is the IP address of the visitor’s
computer.
 The "cs-method" column will most often contain either "post" or "get" depending on the
request made by the visitors’ browser. The fields "cs-uri-stem" and "cs-uri-query" will denote
the resource such as an image or web page the visitor requested.
 Use the "sc-status" column to determine whether the web server was capable of correctly
responding to the request. A link is provided in the resource section of this article to a
complete list of response codes.
 Use the "cs(User-Agent)" to determine what type of browser the visitor used, or if the visitor
is actually a search engine. A link to a list of common user agents has been provided in the
resource area of this article.
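As an added example, not part of the handbook and not an IIS tool, the Python script below carries out the steps above programmatically: it reads the "#Fields:" header, maps each column of a W3C Extended log line to its field name, and then summarizes requests per "c-ip", "sc-status" and "cs(User-Agent)", so that a client receiving many 404 responses or a request that produced a 5xx error is found without reading the file line by line. The log text is constructed sample data; the site name W3SVC1, the host WEB01 and the client addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Parse a W3C Extended IIS log and summarize it per client and status code.

Added example for this handbook section; not Microsoft's tooling.
SAMPLE_LOG is constructed data in the W3C Extended format.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2015-01-10 00:00:00
#Fields: date time s-sitename s-computername c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2015-01-10 09:15:01 W3SVC1 WEB01 192.0.2.10 GET /index.htm - 200 Mozilla/5.0
2015-01-10 09:15:02 W3SVC1 WEB01 192.0.2.10 GET /images/logo.png - 200 Mozilla/5.0
2015-01-10 09:16:30 W3SVC1 WEB01 192.0.2.55 POST /login.aspx - 302 Mozilla/5.0
2015-01-10 09:16:31 W3SVC1 WEB01 192.0.2.55 GET /admin/ - 404 Mozilla/5.0
2015-01-10 09:16:32 W3SVC1 WEB01 192.0.2.55 GET /backup/ - 404 Mozilla/5.0
2015-01-10 09:16:33 W3SVC1 WEB01 192.0.2.55 GET /old/ - 404 Mozilla/5.0
2015-01-10 09:20:00 W3SVC1 WEB01 198.51.100.9 GET /robots.txt - 200 Googlebot/2.1
2015-01-10 09:21:00 W3SVC1 WEB01 192.0.2.10 GET /report.aspx id=42 500 Mozilla/5.0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.

    Columns are space separated and '-' marks an empty value (for example no
    query string). Lines whose column count does not match the header are
    skipped rather than misaligned.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue
        yield {k: ("" if v == "-" else v) for k, v in zip(fields, values)}


def summarize(records):
    """Requests per client, status codes per client, and user agents seen."""
    by_ip = Counter()
    status_by_ip = defaultdict(Counter)
    agents = Counter()
    for r in records:
        by_ip[r["c-ip"]] += 1
        status_by_ip[r["c-ip"]][r["sc-status"]] += 1
        agents[r["cs(User-Agent)"]] += 1
    return by_ip, status_by_ip, agents


def clients_with_errors(text, min_not_found=3):
    """Client IPs that received at least min_not_found 404 responses."""
    _, status_by_ip, _ = summarize(parse_w3c(text))
    return sorted(ip for ip, c in status_by_ip.items() if c["404"] >= min_not_found)


def server_errors(text):
    """(cs-uri-stem, cs-uri-query) of every request answered with a 5xx status."""
    return [(r["cs-uri-stem"], r["cs-uri-query"])
            for r in parse_w3c(text) if r["sc-status"].startswith("5")]


if __name__ == "__main__":
    by_ip, status_by_ip, agents = summarize(parse_w3c(SAMPLE_LOG))
    for ip, n in by_ip.most_common():
        print(ip, n, dict(status_by_ip[ip]))
    print("user agents:", dict(agents))
    print("clients with repeated 404s:", clients_with_errors(SAMPLE_LOG))
    print("server errors:", server_errors(SAMPLE_LOG))
```

Reading the field names from the header rather than hard-coding column positions matters because the W3C Extended format is customizable: two servers, or the same server after a configuration change, can log different columns in a different order.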


9.6 Log Analysis and Response

Analyse Log Data

Effective analysis of log data is often the most challenging aspect of log management, but is also
usually the most important. Although analysing log data is sometimes perceived by administrators as
uninteresting and inefficient (e.g., little value for much effort), having robust log management
infrastructures and automating as much of the log analysis process as possible can significantly
improve analysis so that it takes less time to perform and produces more valuable results.

The most effective way to gain a solid understanding of log data is to review and analyse portions of
it regularly (e.g., every day). The goal is to eventually gain an understanding of the baseline of typical
log entries, likely encompassing the vast majority of log entries on the system. (Because a few types
of entries often comprise a significant percentage of the log entries, this is not as difficult as it may
first sound.) Daily log reviews should include those entries that have been deemed most likely to be
important, as well as some of the entries that are not yet fully understood. Because it can take
considerable effort to understand the significance of most log entries, the initial days, weeks, or even
months of performing the log analysis process are the most challenging and time-consuming. Over
time, as the baseline of normal activity is broadened and deepened, the daily log reviews should take
less time and be more focused on the most important log entries, thus leading to more valuable
analysis results.

Another motivation for understanding the log entries is so that the analysis process can be automated
as much as possible. By determining which types of log entries are of interest and which are not,
administrators can configure automated filtering of the log entries. This allows events known to be
malicious to be recognized and responded to automatically (e.g., alerting administrators,
reconfiguring other security controls). Another purpose for filtering is to ensure that the manual
analysis performed by administrators is prioritized appropriately. The filtering should be configured
so that it presents administrators with a reasonable number of entries for manual analysis.
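The Python script below is an added example, not part of the handbook, of the filtering the two paragraphs above describe. It builds a baseline from entries the administrator has already reviewed, sorts each new entry into one of three bins (a known-malicious pattern handled automatically, a routine entry type suppressed from the daily review, or an unfamiliar entry queued for manual analysis) and caps the manual queue so the administrator sees a reasonable number of entries. The baseline entries, the new entries and the single auto-response pattern are constructed; the threshold and queue size are assumed tuning values.

```python
"""Baseline-driven filtering of log entries for automated and manual analysis.

Added example for this handbook section; not from the original text.
All entries and patterns below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed baseline: entries already reviewed and understood (repeated to
# mimic a week of routine activity).
BASELINE = [
    "sshd: Accepted publickey for deploy from 10.0.0.5",
    "sshd: Accepted publickey for deploy from 10.0.0.5",
    "cron: (root) CMD (/usr/bin/logrotate)",
    "cron: (root) CMD (/usr/bin/logrotate)",
    "cron: (root) CMD (/usr/bin/logrotate)",
    "kernel: eth0: link up",
] * 20

# Constructed new entries for today's review.
NEW_ENTRIES = [
    "sshd: Accepted publickey for deploy from 10.0.0.5",
    "cron: (root) CMD (/usr/bin/logrotate)",
    "sshd: Failed password for root from 203.0.113.9 port 4422",
    "clamd: /home/x/invoice.exe: Win.Trojan.Agent FOUND",
    "kernel: eth0: link up",
]

# Patterns the organization has decided are known-malicious and handled
# automatically (alerting, isolating the host, ...). Assumed example pattern.
AUTO_RESPONSE = [
    re.compile(r"clamd: .* FOUND$"),
]


def normalize(entry):
    """Collapse variable fields so entries of the same *type* compare equal."""
    entry = re.sub(r"\b\d{1,3}(\.\d{1,3}){3}\b", "<ip>", entry)   # IPv4 addresses
    entry = re.sub(r"/[^\s)]+", "<path>", entry)                   # file paths
    entry = re.sub(r"\b\d+\b", "<n>", entry)                       # remaining numbers
    return entry


def build_baseline(entries):
    """Relative frequency of each normalized entry type in the reviewed data."""
    counts = Counter(normalize(e) for e in entries)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def triage(entries, baseline, routine_threshold=0.01, review_limit=20):
    """Split entries into (auto-response, routine, manual-review) lists.

    Entry types seen at least routine_threshold of the time in the baseline
    are treated as routine; everything else goes to manual review, rarest
    types first, capped at review_limit entries.
    """
    auto, routine, review = [], [], []
    for e in entries:
        if any(p.search(e) for p in AUTO_RESPONSE):
            auto.append(e)
        elif baseline.get(normalize(e), 0.0) >= routine_threshold:
            routine.append(e)
        else:
            review.append(e)
    review.sort(key=lambda e: baseline.get(normalize(e), 0.0))
    return auto, routine, review[:review_limit]


if __name__ == "__main__":
    auto, routine, review = triage(NEW_ENTRIES, build_baseline(BASELINE))
    print("automated response:", auto)
    print("routine (suppressed):", len(routine))
    print("manual review:", review)
```

The normalization step is what makes a baseline possible at all: without collapsing addresses, paths and counters, nearly every entry is unique and nothing ever becomes "routine".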

Web log analysis software (also called a web log analyzer) is a kind of web analytics software that
parses a server log file from a web server and, based on the values contained in the log file, derives
indicators about when, how, and by whom a web server is visited. Usually reports are generated from
the log files immediately, but the log files can alternatively be parsed into a database and reports
generated on demand.

There are free, open source and paid software tools available for log analysis or management.

Response to events

During their log analysis, infrastructure and system-level administrators may identify events of
significance, such as incidents and operational problems that necessitate some type of response.
When an administrator identifies a likely computer security incident, as defined by the organization’s
incident response policies, the administrator should follow the organization’s incident response
procedures to ensure that it is addressed appropriately. Examples of computer security incidents
include a host being infected by malware and a person gaining unauthorized access to a host.

Administrators should perform their own responses to non-incident events, such as minor operational
problems (e.g., misconfiguration of host security software). Some organizations require system-level
administrators to report incidents and logging-related operational problems to infrastructure
administrators so that the infrastructure administrators can better identify additional instances of the
same activities and patterns that cannot be seen at the individual system level. Infrastructure and
system-level administrators should also be prepared to assist incident response teams with their
efforts. For example, when an incident occurs, affected system-level administrators may be asked to
review their systems’ logs for particular signs of malicious activity or to provide copies of their logs to
incident handlers for further analysis. Administrators should also be prepared to alter their logging
configurations as part of a response. Adverse events such as worms often cause unusually large
numbers of events to be logged. This can cause various negative impacts, such as slowing system
performance, overwhelming logging processes, and overwriting recent log entries. Analysts may not
be able to see other events of significance because their records are hidden among all of the other log
entries. Accordingly, administrators may need to reconfigure logging for the short term, long term, or
permanently, depending on the source of the log data, to prevent it from overwhelming the system
and the logs. Administrators may also need to adjust logging to capture more data as part of a
response effort, such as collecting additional information on a particular type of activity. To identify
similar incidents, especially in the short term, administrators may need to perform additional log
monitoring and analysis, such as more closely examining the types of logging sources that recorded
pertinent information on the initial incident.


Summary
 Log management: Log management refers to the broad practice of collecting, aggregating and
analysing network data for a variety of purposes.
 Security information event management (SIEM) involves the collection and analysis of data
 Security software is a major source of computer security log data.
 Web proxies often keep a record of all URLs accessed through them.
 Routers and Firewalls permit or block certain types of network traffic based on a policy;
however, they differ in terms of the level of complexity
 OS logs are most beneficial for identifying or investigating suspicious activity involving a
particular host.
 Operating systems and security software provide the foundation and protection for
applications; Applications vary significantly in the types of information that they log and some
of the most commonly logged types of information include:
o Client requests and server responses
o e-mail servers recording the sender, recipients, subject name, and attachment names
for each e-mail
o web servers recording each URL requested and the type of response provided by the
server;
o business applications recording which financial records were accessed by each user
o successful and failed authentication attempts, account changes (e.g., account creation
and deletion, account privilege assignment), and use of privileges
o brute force password guessing and escalation of privileges
o number of transactions occurring in a certain period and size of transactions, etc.
 Log management ensures that computer security records are stored in sufficient detail for
an appropriate period of time. A log management infrastructure typically comprises the
following three tiers:
 Log Generation: contains the hosts that generate the log data
 Log Analysis and Storage: composed of one or more log servers that receive log
data or copies of log data
 Log Monitoring: contains consoles that may be used to monitor and review log data
and the results of automated analysis
 Log management infrastructures typically perform several functions that assist in the
storage, analysis, and disposal of log data. These functions are normally performed in such
a way that they do not alter the original logs.
 Major operational processes for log management are as follows:
 Configure the log sources, including log generation, storage, and security
 Perform analysis of log data
 Initiate appropriate responses to identified events
 Manage the long-term storage of log data
 Authorized administrators can define security settings for the event logs. The choices are
somewhat limited, and include log size, the length of time a log should be stored, and when
the log should be cleared.
 Internet Information Services (IIS) is a web server developed by Microsoft for use with
Windows Server. The server is meant for a variety of hosting uses while attempting to
maintain a high level of flexibility and scalability.
 The most effective way to gain a solid understanding of log data is to review and analyse
portions of it regularly (e.g., every day)
 Infrastructure and system-level administrators may identify events of significance, such as
incidents and operational problems that necessitate some type of response during log
analysis.


Practical activities:

Activity 1:

Study various log report templates and sources which provide guidance on using log
reports. The various information available in the report should be understood and
possible anomalies listed.

Activity 2:

Work in groups to explore the log configurations of your own training institute server
and generate reports from the servers each week. These should be analysed and
activity reports and inferences from it presented in class by a different group each
week.

Check your understanding:


Q. State the key distinction between log management and security information event management.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. What do you understand by the technical phrase “computerized version of tunnel vision”?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. Mention the common features shared by Routers and Firewalls

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. Fill in the blanks

• Web proxies are intermediate hosts that act as a layer between
_______________________________ and ______________________________________.
• Status of checks and quarantined hosts log information can be retrieved
from __________________.

Q. State the type of log which is most beneficial for identifying or investigating suspicious activity
involving a particular host

__________________________________________________________________________________

Q. Tick the best answers to the following question

Log monitoring consoles can

a) receive log data or copies of log data
b) generate reports
c) provide management for the log servers and clients
d) All of the above

Q. State TRUE or FALSE

 The most common form of antimalware software is antivirus software. ( )

 Event Filtering is extracting data from a log so that the parsed values can be used as input for
another logging process. ( )

Q. Define the two types of log archival.

__________________________________________________________________________________

__________________________________________________________________________________

Q. Why are log and event reduction performed simultaneously with log archival?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


UNIT X

Data Backup

This Unit covers:

 Lesson Plan
10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy


LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and
guidelines
PC5. carry out backups of security devices and applications in line with information security
policies, procedures and guidelines, where required

Ensuring Measures:
Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
Going through the security standards over Internet by visiting sites like ISO, PCI DSS etc., and
understand various methodologies and usage of algorithms

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Backup devices and storage media

Performance Outcomes:
You must know and understand:
KA12. your organization’s information security systems and tools and how to access and maintain
these
KB2. different types of backups for security devices and applications and how to carry out backups

Ensuring Measures:
KA12. Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
KB2. Going through the security standards over Internet by visiting sites like ISO, PCI DSS etc., and
understand various methodologies and usage of algorithms

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Backup devices and storage media


Lesson

10.1 Data Backup - Overview


Backup is the activity of copying files or databases so that they will be preserved in case of equipment
failure or other catastrophe. Backup is usually a routine part of the operation of large businesses with
mainframes as well as the administrators of smaller business computers. For personal computer users,
backup is also necessary but often neglected. The retrieval of files you backed up is called restoring
them.

Purpose
All electronic information considered of institutional value should be copied onto secure storage
media on a regular basis (i.e., backed up), for disaster recovery and business resumption. Special
backup needs, identified through technical risk analysis that exceeds these requirements, should be
accommodated on an individual basis.

Scope
Data custodians are responsible for providing adequate backups to ensure the recovery of data and
systems in the event of failure. Backup provisions allow business processes to be resumed in a
reasonable amount of time with minimal loss of data. Since hardware and software failures can take
many forms, and may occur over time, multiple generations of institutional data backups need to be
maintained.


10.2 Types of Backup

Full backup
Full backup is a method of backup where all the files and folders selected for the backup will be backed
up. It is commonly used as an initial or first backup followed with subsequent incremental or
differential backups. After several incremental or differential backups, it is common to start over with
a fresh full backup again.

Some also like to do full backups for all backup runs typically for smaller folders or projects that do
not occupy too much storage space.

Advantages
Restores are fast and easy to manage as the entire list of files and folders are in one backup set.
Easy to maintain and restore different versions.

Disadvantages
Backups can take very long as each file is backed up again every time the full backup is run.
Consumes the most storage space compared to incremental and differential backups. The exact
same files are stored repeatedly, resulting in inefficient use of storage.

Incremental backup
Incremental backup is a backup of all changes made since the last backup. The last backup can be a
full backup or simply the last incremental backup. With incremental backups, one full backup is done
first and subsequent backup runs are just the changed files and new files added since the last backup.

Advantages
Much faster backups
Efficient use of storage space as files are not duplicated. Much less storage space used compared to
running full backups and even differential backups.

Disadvantages
Restores are slower than with a full backup and differential backups.
Restores are a little more complicated. All backup sets (first full backup and all incremental backups)
are needed to perform a restore.

Differential backups
Differential backups fall in the middle between full backups and incremental backup. A differential
backup is a backup of all changes made since the last full backup. With differential backups, one full
backup is done first and subsequent backup runs are the changes made since the last full backup. The
result is a much faster backup than a full backup for each backup run. Storage space used is less than
a full backup but more than Incremental backups. Restores are slower than with a full backup but
usually faster than Incremental backups.

Advantages
Much faster backups than full backups
More efficient use of storage space than full backups since only files changed since the last full
backup will be copied on each differential backup run.
Faster restores than incremental backups

Disadvantages
Backups are slower than incremental backups
Not as efficient use of storage space as compared to incremental backups. All files added or edited
after the initial full backup will be duplicated again with each subsequent differential backup.
Restores are slower than with full backups.
Restores are a little more complicated than full backups but simpler than incremental backups. Only
the full backup set and the last differential backup are needed to perform a restore.
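The Python model below is an added example, not part of the handbook, that makes the trade-offs of the three sections above concrete. Over a constructed five-day change history it computes which files each backup run copies under the full, incremental and differential strategies (the storage cost the text describes) and which backup sets a restore to a given day needs (the restore chain). The file names and change history are assumptions.

```python
"""Model full, incremental and differential backups over a change history.

Added example for this handbook section; not from the original text.
ALL_FILES and CHANGES are constructed sample data.
"""

# Constructed history: day -> files modified that day. Every file exists on
# day 0, which is always taken as the initial full backup.
ALL_FILES = {"a.doc", "b.xls", "c.ppt", "d.txt"}
CHANGES = {
    0: set(ALL_FILES),
    1: {"a.doc"},
    2: {"b.xls"},
    3: {"a.doc", "c.ppt"},
    4: set(),
}


def plan(strategy, changes):
    """Return the backup runs as a list of (day, kind, files).

    'full'         every run copies every file
    'incremental'  each run copies files changed since the previous run
    'differential' each run copies files changed since the last full backup
    """
    if strategy not in ("full", "incremental", "differential"):
        raise ValueError("unknown strategy: %s" % strategy)
    runs = []
    changed_since_full = set()
    for day in sorted(changes):
        if day == 0 or strategy == "full":
            runs.append((day, "full", set(ALL_FILES)))
            changed_since_full = set()
        elif strategy == "incremental":
            runs.append((day, "incremental", set(changes[day])))
        else:
            changed_since_full |= changes[day]
            runs.append((day, "differential", set(changed_since_full)))
    return runs


def files_copied(runs):
    """Total number of file copies written; a proxy for time and storage."""
    return sum(len(files) for _, _, files in runs)


def restore_chain(runs, day):
    """Backup sets needed to restore the state as it was on `day`."""
    upto = [r for r in runs if r[0] <= day]
    last_full = max(i for i, r in enumerate(upto) if r[1] == "full")
    kind = upto[-1][1]
    if kind == "full":
        return [upto[last_full]]
    if kind == "differential":                 # full + latest differential only
        return [upto[last_full], upto[-1]]
    return upto[last_full:]                     # full + every incremental after it


def restore_state(runs, day):
    """Apply the restore chain in order; result is file -> day of the copy used."""
    state = {}
    for run_day, _, files in restore_chain(runs, day):
        for f in files:
            state[f] = run_day
    return state


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        runs = plan(strategy, CHANGES)
        print("%-12s copies=%2d  sets to restore day 3=%d" % (
            strategy, files_copied(runs), len(restore_chain(runs, 3))))
```

The numbers it produces are the handbook's ranking in miniature: full copies the most and restores from one set, incremental copies the least but needs the whole chain, differential sits in between on both counts. A corrupt or missing set in the middle of an incremental chain is exactly the restore complication the Disadvantages list warns about.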

Mirror backups
Mirror backups are as the name suggests a mirror of the source being backed up. With mirror backups,
when a file in the source is deleted, that file is eventually also deleted in the mirror backup. Because
of this, mirror backups should be used with caution as a file that is deleted by accident, sabotage or
through a virus may also cause that same file in mirror to be deleted as well. Some do not consider a
mirror to be a backup.

Many online backup services offer a mirror backup with a 30-day delete. This means that when you
delete a file on your source, that file is kept on the storage server for at least 30 days before it is
eventually deleted. This strikes a balance, offering a level of safety while not allowing the backups
to keep growing, since online storage can be relatively expensive.

Many backup software utilities do provide support for mirror backups.

Advantages
The backup is clean and does not contain old and obsolete files

Disadvantages
There is a chance that files in the source deleted accidentally, by sabotage or through a virus may
also be deleted from the backup mirror.

Full PC backup
Full PC backup or full computer backup typically involves backing up entire images of the computer’s
hard drives rather than individual files and folders. The drive image is like a snapshot of the drive. It
may be stored compressed or uncompressed.

With other file backups, only the user’s documents, pictures, videos and music files can be restored,
while the operating system, programs etc. need to be reinstalled from their source download or disc
media.

With the full PC backup however, you can restore the hard drives to their exact state when the backup
was done. Hence, not only the documents, pictures, videos and audio files can be restored, but also the
operating system, hardware drivers, system files, registry, programs, emails etc. In other words, a full
PC backup can restore a crashed computer to its exact state at the time the backup was made.

Full PC backups are sometimes called “Drive Image Backups”



Advantages
A crashed computer can be restored in minutes with all programs, databases, emails etc. intact. No
need to install the operating system and programs or to configure settings again.
Ideal backup solution for a hard drive failure.

Disadvantages
May not be able to restore on a completely new computer with a different motherboard, CPU,
Display adapters, sound card etc.
Any problems that were present on the computer (like viruses, or mis-configured drivers, unused
programs etc.) at the time of the backup may still be present after a full restore.

Local backup
A local backup is any backup where the storage medium is kept close at hand. Typically, the storage
medium is plugged in directly to the source computer being backed up or is connected through a local
area network to the source being backed up.

Advantages
Offers good protection from hard drive failures, virus attacks, accidental deletes and deliberate
employee sabotage on the source data.
Very fast backup and very fast restore.
Storage cost can be very cheap when the right storage medium is used like external hard drives
Data transfer cost to the storage medium can be negligible or very cheap
Since the backups are stored close by, they are very conveniently obtained whenever needed for
backups and restore.
Full internal control over the backup storage media and the security of the data on it. There is no
need to entrust the storage media to third parties.

Disadvantages
Since the backup is stored close to the source, it does not offer good protection against theft,
fire, flood, earthquakes and other natural disasters. When the source is damaged by any of these
circumstances, there’s a good chance the backup will also be damaged.

Offsite Backup

Any backup where the backup storage medium is kept at a different geographic location from
the source is known as an offsite backup. The backup may be done locally at first on the usual
storage devices but once the storage medium is brought to another location, it becomes an
offsite backup.


Advantages
Offers additional protection when compared to local backup such as protection from theft, fire,
flood, earthquakes, hurricanes and more.

Disadvantages
Except for online backups, it requires more due diligence to bring the storage media to the offsite
location.
May cost more, as people usually need to rotate between several storage devices. For example, when
keeping backups in a bank safe deposit box, people usually use 2 or 3 hard drives and rotate between
them, so that at least one drive is in storage at any time while another is removed to perform the
backup.
Because of increased handling of the storage devices, the risk of damaging a delicate hard disk is
higher (this does not apply to online storage).

Online backup
An online backup is a backup done on an ongoing basis to a storage medium that is always connected
to the source being backed up. The term “online” refers to the storage device or facility being always
connected. Typically, the storage medium or facility is located offsite and connected to the backup
source by a network or Internet connection. It does not involve human intervention to plug in drives
and storage media for backups to run.

Many commercial data centers now offer this as a subscription service to consumers. The storage data
centers are located away from the source being backed up and the data is sent from the source to the
storage center securely over the Internet.

Typically, a client application is installed on the source computer being backed up. Users can define
which folders and files they want to back up and at what times of the day they want the backups to
run. The data may be compressed and encrypted before being sent over the Internet to the storage
data center.

The storage facility is a commercial data center located away from the source computers being backed
up. Typically, such centers are built to certain fire and earthquake safety specifications. They have
higher security standards, with CCTV and round-the-clock monitoring. They typically have backup
generators to deal with grid power outages, and the facility is temperature controlled. Data is not
just stored on one physical medium but replicated across several devices. These facilities are usually
served by multiple redundant Internet connections, so there is no single point of failure to bring
the service down.

Advantages
Offers the best protection against fires, theft and natural disasters.
Because data is replicated across several storage media, the risk of data loss from hardware failure
is very low.
Because backups are frequent or continuous, data loss is very minimal compared to other backups
that are run less frequently.
Because it is online, it requires little human or manual interaction after it is setup.

Disadvantages
Is a more expensive option than local backups.
Initial or first backups can be a slow process spanning a few days or weeks depending on Internet
connection speed and the amount of data backed up.
Can be slow to restore.

Remote backups
Remote backups are a form of offsite backup with a difference being that you can access, restore or
administer the backups while located at your source location or other physical location. The term
“remote” refers to the ability to control or administer the backups from another location.

You do not need to be physically present at the backup storage facility to access the backups.

Putting your backup hard drive at your bank safe deposit box would not be considered a remote
backup. You cannot administer or access it without making a trip to the bank. The term “remote
backup” is often used loosely and interchangeably with “online backup” and “cloud backup”.

Advantages
Much better protection from natural disasters than local backups.
Easier administration as it does not need a physical trip to the offsite backup location.

Disadvantages
More expensive than local backups.
Can take longer to back up and restore than local backups.

Cloud backup
Cloud backup is a term often used loosely and interchangeably with Online Backup and Remote
Backup. This is a type of backup where data is backed up to a storage server or facility connected to
the source via the Internet. With the proper login credentials, that backup can then be accessed
securely from any other computer with an Internet connection. The term “cloud” refers to the backup
storage facility being accessible from the Internet.

Advantages
Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural
disasters.
Able to easily connect and access the backup with just an Internet connection.
Data is replicated across several storage devices and usually served by multiple Internet
connections, so the system is not at the mercy of a single point of failure.
When the service is provided by a good commercial data center, the service is managed and the
protection is unparalleled.

Disadvantages
More expensive than local backups.
Can take longer to back up and restore.

FTP Backup
This is a kind of backup where the backup is done via the File Transfer Protocol (FTP) over the Internet
to an FTP Server. Typically, the FTP Server is located in a commercial data center away from the source
data being backed up. When the FTP server is located at a different location, this is another form of
offsite backup.

Advantages


Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural
disasters.
Able to easily connect and access the backup with just an Internet connection.

Disadvantages
More expensive than local backups.
Can take longer to back up and restore. Backup and restore times depend on the Internet
connection.


10.3 Backup Procedures


The 3-2-1 Rule
The simplest way to remember how to back up your images safely is to use the 3-2-1 rule.

We recommend keeping 3 copies of any important file (a primary and two backups).

We recommend having the files on 2 different media types (such as hard drive and optical media), to
protect against different types of hazards.

1 copy should be stored offsite (or at least offline).

The data backup procedures must include:

• frequency,
• data backup retention,
• testing,
• media replacement,
• recovery time,
• roles and responsibilities.

Local data backup procedures must include the following:

• Data Backup Retention - Retention of backup data must meet System and institution requirements
  for critical data.
• Testing - Restoration of backup data must be performed and validated periodically on all types of
  media in use.
• Media Replacement - Backup media should be replaced according to manufacturer recommendations.
• Recovery Time - The recovery time objective (RTO) must be defined and support business
  requirements.
• Roles and Responsibilities - Appropriate roles and responsibilities must be defined for data
  backup and restoration to ensure timeliness and accountability.
• Offsite Storage - Removable backup media taken offsite must be stored in an offsite location that
  is insured and bonded, or in a locked, media-rated fire safe.
• Onsite Storage - Removable backup media kept onsite must be stored in a locked container with
  restricted physical access.
• Media Destruction - How to dispose of data storage media in various situations.
• Encryption - Non-public data stored on removable backup media must be encrypted. Non-public data
  must be encrypted in transit and at rest when sent to an offsite backup facility, either
  physically or via electronic transmission.
• Third Parties - Third parties' backup handling and storage procedures must meet System or
  institution policy or procedure requirements related to data protection, security and privacy.
  These procedures must cover contract terms that include bonding, insurance, disaster recovery
  planning and requirements for storage facilities with appropriate environmental controls.


Definitions
Archive: An archive is a collection of historical data specifically selected for long-term retention and
future reference. It is usually data that is no longer actively used, and is often stored on removable
media.
Backup: A copy of data that may be used to restore the original in the event the latter is lost or
damaged beyond repair. It is a safeguard for data that is being used. Backups are not intended to
provide a means to archive data for future reference or to maintain a versioned history of data to
meet specific retention requirements.
Critical Data: Data that needs to be preserved in support of the institution's ability to recover from
a disaster or to ensure business continuity.
Data: Information collected, stored, transferred or reported for any purpose, whether in computers
or in manual files. Data can include: financial transactions, lists, identifying information about
people, projects or processes, and information in the form of reports. Because data has value, and
because it has various sensitivity classifications defined by federal law and state statute, it must be
protected.
Destruction: Destruction of media includes: disintegration, incineration, pulverizing, shredding, and
melting. Information cannot be restored in any form following destruction.
Media Rated, Fire Safe: A safe designed to maintain internal temperature and humidity levels low
enough to prevent damage to CDs, tapes, and other computer storage devices in a fire. Safes are
rated based on the length of time the contents of a safe are preserved while directly exposed to fire
and high temperatures.
Information Technology Resources: Facilities, technologies, and information resources used for
System information processing, transfer, storage, and communications. Included in this definition
are computer labs, classroom technologies, computing and electronic communications devices and
services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax
transmissions, video, multimedia, and instructional materials. This definition is not all-inclusive, but
rather, reflects examples of System equipment, supplies and services.
Recovery Point Objective (RPO): Acceptable amount of service or data loss measured in time. The
RPO is the point in time prior to service or data loss that service or data will be recovered to.
Recovery Time Objective (RTO): Acceptable duration from the time of service or data loss to the
time of restoration.

Automated Backup
If the data backup plan defines a daily interval, making manual backups becomes quite time
consuming, and one may discover now and then that a backup was skipped because something
more important came up at the time. It is better to foresee the risk of backups not being made and
to automate the whole backup process as much as possible.
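As an added example (not part of the handbook), the following Python script evaluates a constructed backup inventory against the 3-2-1 rule, the recovery point objective and the periodic restore-test requirement from the procedures above. The copy names, media types, RPO, test interval and timestamps are assumed sample values.

```python
"""Check a backup inventory against the 3-2-1 rule, the RPO and the restore-test
requirement.  Added example with a constructed inventory, not handbook code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    media: str                    # media type, e.g. "hdd", "ssd", "optical", "cloud"
    offsite: bool                 # kept at a different geographic location?
    online: bool                  # always connected to the source (online backup)?
    last_success: datetime        # completion time of the last successful backup run
    last_restore_test: Optional[datetime] = None  # last validated restore, if any


def evaluate_backup_plan(primary_media: str, backups: List[BackupCopy],
                         rpo: timedelta, test_interval: timedelta,
                         now: datetime) -> dict:
    """Return the individual 3-2-1/RPO/testing checks plus readable findings."""
    findings = []

    # "3": the primary plus at least two backup copies.
    three_copies = len(backups) >= 2
    if not three_copies:
        findings.append(f"only {len(backups)} backup copy(ies); the rule needs two")

    # "2": at least two distinct media types across the primary and the backups,
    # so one class of media failure cannot take out every copy.
    media_types = {primary_media} | {b.media for b in backups}
    two_media = len(media_types) >= 2
    if not two_media:
        findings.append(f"every copy is on one media type ({primary_media})")

    # "1": at least one copy offsite, or at least offline (not always connected),
    # so a single site disaster or a live compromise cannot reach all copies.
    one_offsite = any(b.offsite or not b.online for b in backups)
    if not one_offsite:
        findings.append("no offsite or offline copy")

    # RPO: if the source failed right now, the data lost is everything since the
    # newest successful backup, so that age must not exceed the RPO.
    newest = max((b.last_success for b in backups), default=None)
    worst_case_loss = (now - newest) if newest is not None else None
    rpo_met = worst_case_loss is not None and worst_case_loss <= rpo
    if not rpo_met:
        findings.append(f"RPO of {rpo} not met; worst-case data loss is {worst_case_loss}")

    # Testing: every copy needs a validated restore within the test interval.
    untested = [b.name for b in backups
                if b.last_restore_test is None
                or now - b.last_restore_test > test_interval]
    for name in untested:
        findings.append(f"{name}: no validated restore within the last {test_interval}")

    return {
        "three_copies": three_copies,
        "two_media": two_media,
        "one_offsite": one_offsite,
        "rpo_met": rpo_met,
        "worst_case_loss": worst_case_loss,
        "untested": untested,
        "compliant": three_copies and two_media and one_offsite and rpo_met
                     and not untested,
        "findings": findings,
    }


# Constructed inventory (assumed values): an internal HDD as the primary, an
# external HDD kept in the office, and a cloud backup; "now" is fixed so that
# the evaluation is repeatable.
NOW = datetime(2015, 6, 1, 9, 0)
RPO = timedelta(hours=24)             # daily backup interval from the plan
TEST_INTERVAL = timedelta(days=30)    # restore test required monthly
SAMPLE_BACKUPS = [
    BackupCopy("external-hdd", "hdd", offsite=False, online=False,
               last_success=NOW - timedelta(hours=6),
               last_restore_test=NOW - timedelta(days=20)),
    BackupCopy("cloud", "cloud", offsite=True, online=True,
               last_success=NOW - timedelta(hours=1)),
]


def sample_report() -> dict:
    """Evaluate the constructed inventory with the plan's RPO and test interval."""
    return evaluate_backup_plan("hdd", SAMPLE_BACKUPS, RPO, TEST_INTERVAL, NOW)


if __name__ == "__main__":
    report = sample_report()
    print("compliant:", report["compliant"])
    for finding in report["findings"]:
        print(" -", finding)
```

On the sample inventory the 3-2-1 and RPO checks pass, but the plan is still reported non-compliant because the cloud copy has never had a validated restore.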


10.4 Types of storage

Local Storage Options


1. External Hard Drive

These are hard drives similar to the type that is installed within a desktop computer or laptop
computer. The difference being that they can be plugged in to the computer or removed and kept
separate from the main computer.

Advantages:

• Very good option for local backups of large amounts of data.
• The cheapest storage option in terms of cost per GB. Very reliable when handled with care.

Disadvantages:

• Can be very delicate. May be damaged if dropped or by an electrical surge.

2. Solid State Drive (SSD)

Solid State Drives look and function similarly to traditional mechanical/ magnetic hard drives, but the
similarities stop there. Internally, they are completely different. They have no moving parts or rotating
platters. They rely solely on semiconductors and electronics for data storage, making them more reliable
and robust than traditional magnetic drives. No moving parts also means that they use less power than
traditional hard drives and are much faster too.

With the prices of Solid State Drives coming down and their lower power usage, SSDs are used extensively
in laptops and mobile devices. External SSDs are also a viable option for data backups.

Advantages:

• Faster read and write performance.
• More robust and reliable than traditional magnetic hard drives.
• Highly portable. Can be easily taken offsite.

Disadvantages:

• Still relatively expensive when compared to traditional hard drives.
• Storage space is typically less than that of traditional magnetic hard drives.

3. Network Attached Storage (NAS)

A NAS is simply one or more regular IDE or SATA hard drives plugged into an array storage enclosure and
connected to a network router or hub through an Ethernet port. Some of these NAS enclosures have
ventilating fans to protect the hard drives from overheating.

Advantages:

• Very good option for local backups, especially for networks and small businesses.
• As several hard drives can be plugged in, NAS can hold very large amounts of data.
• Can be set up with redundancy (RAID), increasing the reliability and/ or read and write
  performance. Depending on the RAID level used, the NAS can still function even if one hard
  drive in the RAID set fails, or two hard drives can be set up to double the read and write
  speed of a single hard drive.
• The drive is always connected and available to the network, making the NAS a good option for
  implementing automated scheduled backups.

Disadvantages:

• Significantly more expensive than using single external hard drives.
• Difficult to bring offsite, making it very much a local backup and hence still susceptible to
  events like theft, floods, fire etc.

4. USB Thumb Drive or Flash Drive

These are similar to Solid State Drives except that they are much smaller in size and capacity. They have
no moving parts, making them quite robust. They are extremely portable and can fit on a keychain. They
are ideal for backing up a small amount of data that needs to be brought with you on the go.

Advantages:

• The most portable storage option. Can fit on a keychain, making it an offsite backup when you
  bring it with you.
• Much more robust than traditional magnetic hard drives.

Disadvantages:

• Relatively expensive per GB, so can only be used for backing up a small amount of data.

5. Optical Drive (CD/ DVD)

CDs and DVDs are ideal for storing a list of songs, movies, media or software for distribution or for
giving to a friend due to the very low cost per disk. They do not make good storage options for backups
due to their shorter lifespan, small storage space and slower read and write speeds.

Advantages:

• Low cost per disk.

Disadvantages:

• Relatively shorter life span than other storage options.
• Not as reliable as other storage options like external hard disks and SSDs. One damaged disk in
  a backup set can make the whole backup unusable.

Remote Storage Options


1. Cloud Storage

Cloud storage is storage space in a commercial data center accessible from any computer with Internet
access. It is usually provided by a service provider. A limited storage space may be provided free, with
more space available for a subscription fee. Examples of service providers are Amazon S3, Google
Drive, Sky Drive etc.

Advantages:

• A very good offsite backup. Not affected by events and disasters such as theft, floods, fire etc.

Disadvantages:

• More expensive than traditional external hard drives. Often requires an ongoing subscription.
• Requires an Internet connection to access the cloud storage.
• Much slower than local backups.


10.5 Features of a Good Backup Strategy

The following are features to aim for when designing your backup strategy:

• Able to recover from data loss in all circumstances, such as hard drive failure, virus attacks,
  theft, accidental deletes or data entry errors, sabotage, fire, flood, earthquakes and other
  natural disasters.
• Able to recover to an earlier state if necessary, for example after data entry errors or
  accidental deletes.
• Able to recover as quickly as possible with minimum effort, cost and data loss.
• Requires minimum ongoing human interaction and maintenance after the initial setup, and hence
  is able to run automated or semi-automated.

Planning Your Backup Strategy


1. What to Backup
The first step in planning your backup strategy is identifying what needs to be backed up: the
files and folders that you cannot afford to lose. It involves going through your documents,
databases, pictures, videos, music and program setup or installation files. Some of these media, like
pictures and videos, may be irreplaceable. Others, like documents and databases, may be tedious or
costly to recover from hard copies. These are the files and folders that need to be in your backup
plan.
2. Where to Backup to
This is another fundamental consideration in your backup plan. In light of some content being
irreplaceable, the backup strategy should protect against all events. Hence a good backup strategy
should employ a combination of local and offsite backups.

Local backups are needed because their lower cost allows you to back up a huge amount of data. Local
backups are also useful for their very fast restore speed, allowing you to get back online in minimal
time. Offsite backups are needed for their wider scope of protection from major disasters or
catastrophes not covered by local backups.
3. When to Backup
Frequency: How often you backup your data is the next major consideration when planning your
backup policy. Some folders are fairly static and do not need to be backed up very often. Other
folders are frequently updated and should correspondingly have a higher backup frequency like
once a day or more.

Your decision regarding backup frequency should be based on a worst case scenario. For example,
if tragedy struck just before the next backup was scheduled to run, how much data would you lose
since the last backup? How long would it take and how much would it cost to re-key that lost data?

Backup Start Time: You would typically want to run your backups when there’s minimal usage on
the computers. Backups may consume some computer resources that may affect performance.
Also, files that are open or in use may not get backed up.

Scheduling backups to run after business hours is a good practice providing the computer is left on
overnight. Backups will not normally run when the computer is in “sleep” or “hibernate mode”.
Some backup software will run immediately upon boot up if it missed a scheduled backup the
previous night.

So if the first hour on a business day morning is your busiest time, you would not want your
computer doing its backups then. If you always shut down or put your computer in sleep or
hibernate mode at the end of a work day, maybe your lunch time would be a better time to schedule
a backup. Just leave the computer on but logged-off when you go out for lunch.

Since servers are usually left running 24 hours, overnight backups for servers are a good choice.
4. Backup Types
Much backup software offers several backup types, such as full backup, incremental backup and
differential backup. Each backup type has its own advantages and disadvantages. Full backups are
useful for projects, databases or small websites where many different files (text, pictures, videos
etc.) are needed to make up the entire project and you may want to keep different versions of the
project.
5. Compression & Encryption
As part of your backup plan, you also need to decide if you want to apply any compression to your
backups. For example, when backing up to an online service, you may want to apply compression
to save on storage cost and upload bandwidth. You may also want to apply compression when
backing up to storage devices with limited space like USB thumb drives.

If you are backing up very private or sensitive data to an offsite service, some backup tools and
services also offer support for encryption. Encryption is a good way to protect your content should
it fall into malicious hands. When applying encryption, always ensure that you remember your
encryption key. You will not be able to restore it without your encryption key or phrase.
6. Testing Your Backup
A backup is only worth doing if it can be restored when you need it most. It is advisable to
periodically test your backup by attempting to restore it. Some backup utilities offer a validation
option for your backups. While this is a welcome feature, it is still a good idea to test your backup
with an actual restore once in a while.
7. Backup Utilities & Services
Simply copying and pasting files and folders to another drive would be considered a backup.
However, the aim of a good backup plan is to set it up once and leave it to run on its own. You
would check up on it occasionally but the backup strategy should not depend on your ongoing
interaction for it to continue backing up. A good backup plan would incorporate the use of good
quality, proven backup software utilities and backup services.
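As an added example that is not the handbook's own code, the following Python script carries out steps 5 and 6 above: it makes a compressed backup of a folder with a SHA-256 manifest stored inside the archive, then tests the backup by restoring it into a scratch directory and checking every file against the manifest, including the case of a damaged (truncated) archive. The folder layout, file names and contents are constructed sample data.

```python
"""Compressed backup with an integrity manifest, plus a restore test.
Added example, not the handbook's own code; the files it backs up are constructed."""
import hashlib
import io
import json
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map every file under `source` (relative, '/'-separated) to its SHA-256."""
    return {p.relative_to(source).as_posix(): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def create_backup(source: Path, dest_dir: Path, when: datetime) -> Path:
    """Write a gzip-compressed tar of `source` with the manifest stored inside it.

    A timestamped name per run keeps earlier versions available, so a restore
    to an earlier state (after a bad edit or accidental delete) stays possible."""
    manifest = build_manifest(source)
    archive = dest_dir / f"{source.name}-{when:%Y%m%dT%H%M%S}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return archive


def verify_restore(archive: Path) -> dict:
    """Restore into a scratch directory and compare every file with the manifest.

    Returns the file count, the list of missing or altered files, an overall
    "ok" flag and, if the archive could not even be read, the error text."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    # The "data" filter rejects members that escape the target directory.
                    tar.extractall(target, filter="data")
                except TypeError:
                    tar.extractall(target)   # older Python without the filter argument
            manifest = json.loads((target / MANIFEST_NAME).read_text())
        except (tarfile.TarError, OSError, EOFError, ValueError) as exc:
            return {"files": 0, "failed": [], "ok": False, "error": str(exc)}
        failed = [rel for rel, digest in manifest.items()
                  if not (target / rel).is_file() or sha256_of(target / rel) != digest]
        return {"files": len(manifest), "failed": failed, "ok": not failed}


def demo() -> dict:
    """Back up three constructed files, verify the archive, then verify a
    truncated copy of it to show the restore test catching a damaged backup."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "documents"
        (src / "db").mkdir(parents=True)
        (src / "notes.txt").write_text("quarterly figures\n")
        (src / "db" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "db" / "empty.dat").write_bytes(b"")
        dest = Path(work) / "backups"
        dest.mkdir()
        archive = create_backup(src, dest, datetime(2015, 6, 1, 2, 0))
        good = verify_restore(archive)
        # Simulate a damaged backup medium by keeping only a third of the archive.
        damaged = dest / "damaged.tar.gz"
        damaged.write_bytes(archive.read_bytes()[: archive.stat().st_size // 3])
        bad = verify_restore(damaged)
        return {"archive": archive.name, "good": good, "bad": bad}


if __name__ == "__main__":
    result = demo()
    print(result["archive"], "restore test:", "OK" if result["good"]["ok"] else "FAILED")
    print("damaged copy restore test:", "OK" if result["bad"]["ok"] else "FAILED")
```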

For further reading on security logs, see the following web links:

https://www.owasp.org/index.php/Logging_Cheat_Sheet

https://www.sans.org/reading-room/whitepapers/logging/detecting-attacks-web-applications-log-files-2074

http://blog.hicube.in/2012/11/07/understanding-log-files-linux-server/


Summary
• Backup is the activity of copying files or databases so that they will be preserved in case of
  equipment failure or other catastrophe.
• Data custodians are responsible for providing adequate backups to ensure the recovery of data
  and systems in the event of failure. Types of backup include:
    • Full backup, where all the files and folders selected for the backup are backed up
    • Incremental backup, a backup of all changes made since the last backup
    • Differential backup, which falls in the middle between full backup and incremental backup
    • Mirror backup, a mirror of the source being backed up
    • Full PC backup, which backs up entire images of the computer hard drives
    • Local backup, any backup where the storage medium is kept close at hand
    • Offsite backup, where the backup storage medium is kept at a different geographic location
    • Online backup, an ongoing backup to a storage medium that is always connected to the
      source being backed up
    • Remote backup, an offsite backup with the difference that you can access, restore or
      administer the backups while located at your source location or another physical location
    • Cloud backup, where data is backed up to a storage server or facility connected to the
      source via the Internet
    • FTP backup, where the backup is done via the File Transfer Protocol (FTP) over the Internet
      to an FTP server
• The simplest way to remember how to back up your images safely is to use the 3-2-1 rule:
  keep 3 copies of any important file (a primary and two backups); have the files on 2 different
  media types (such as hard drive and optical media); store 1 copy offsite (or at least offline).
• Different types of local storage options:
    • External hard drives are hard drives similar to the type installed within a desktop or
      laptop computer
    • Solid State Drives (SSD) look and function similarly to traditional mechanical/ magnetic
      hard drives but are different internally
    • Network Attached Storage (NAS) is simply one or more regular IDE or SATA hard drives
      plugged into an array storage enclosure and connected to a network router or hub through
      an Ethernet port
    • USB thumb drives or flash drives are similar to Solid State Drives except that they are
      much smaller in size and capacity
    • Optical drives (CD/ DVD) are ideal for storing a list of songs, movies, media or software
      for distribution or for giving to a friend due to the very low cost per disk
    • Cloud storage is storage space in a commercial data center accessible from any computer
      with Internet access
• Ask the key questions while planning your backup strategy:
    • What to back up
    • Where to back up to
    • When to back up
    • Backup types
    • Compression & encryption
    • Testing your backup
    • Backup utilities & services


Practical activities:

Activity 1:

Backup data available in the institute and evaluate the backup requirements for the
institute. If there isn’t a policy for backup then work in a group to develop one and
define all necessary steps for successful implementation.

Activity 2:

Work in a group to prepare a report on the differences between backup of individual data
and backup of security devices and applications. The report should focus on requirements,
challenges, products and means available, advantages and disadvantages, media
used, and other differences.

Activity 3:

Collect information on various products and services for backup available in the
industry and compare the benefits, features and limitations of each. The comparison
should be presented in class.


Check your understanding:


Q. State the advantages of full backup over incremental backup.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
Q. Explain why Full PC backup is also known as “Drive Image Backup”.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. How does Offsite backup differ from Remote backup?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
Q. Solid State Drives (SSD) look and function similarly to traditional mechanical/ magnetic hard drives
but are different. State the difference.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
Q. Is it possible to retrieve a file deleted in a source with a mirror backup? Explain your answer in
brief.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


SSC/ N 0901:
Contribute to Managing Information Security

UNIT I: Information Security and Threats


UNIT II: Fundamentals of Information Security
UNIT III: Data Leakage
UNIT IV: Information Security Policies, Procedures, Standards and Guidelines
UNIT V: Information Security Management – Roles and Responsibilities
UNIT VI: Information Security Performance Metrics
UNIT VII: Risk Assessment
UNIT VIII: Configuration Review
UNIT IX: Device Log Correlation
UNIT X: Data Backup


Unit Code: SSC/ N 0901
Unit Title (Task): Contribute to managing information security
Description: This unit is about carrying out specified tasks as part of a team working to ensure
information security.
Scope: This unit/ task covers the following:
Information security includes:
• Identity and Access Management (IdAM)
• Physical security
• Networks (wired and wireless)
• Devices
• Endpoints/ edge devices
• Storage devices
• Servers
• Software
• Applications security
• Content management
• Messaging
• Web security
• Security of infrastructure
• Infrastructure devices (e.g. routers, firewall services)
• Computer assets, server and storage networks
• Messaging
• Intrusion detection/ prevention
• Security incident management
• Third party security management
• Personnel security requirements
Backups include:
• Validation
• Tracking
• Consolidation
• Replication
• Configuration
• Logs
• Devices
• Applications
• Software
Appropriate people:
• Line manager
• Members of the security team
• Subject matter experts
Performance Criteria (PC) w.r.t. the Scope
To be competent, you must be able to:
PC1. establish your role and responsibilities in contributing to managing
information security.


PC2. monitor systems and apply controls in line with information security
policies, procedures and guidelines.
PC3. carry out security assessment of information security systems using
automated tools.
PC4. carry out configuration reviews of information security systems using
automated tools, where required.
PC5. carry out backups of security devices and applications in line with
information security policies, procedures and guidelines, where required.
PC6. maintain accurate daily records/ logs of information security performance
parameters using standard templates and tools.
PC7. analyze information security performance metrics to highlight variances
and issues for action by appropriate people.
PC8. provide inputs to root cause analysis and the resolution of information
security issues, where required.
PC9. update your organization’s knowledge base promptly and accurately with
information security issues and their resolution.
PC10. obtain advice and guidance on information security issues from
appropriate people, where required.
PC11. comply with your organization’s policies, standards, procedures and
guidelines when contributing to managing information security.
Knowledge and Understanding (K)
A. Organizational Context (Knowledge of the company/ organization and its processes)
You need to know and understand:
KA1. your organization’s policies, procedures, standards and guidelines for
managing information security.
KA2. your organization’s knowledge base and how to access and update the
same.
KA3. limits of your role and responsibilities and who to seek guidance from.
KA4. the organizational systems, procedures and tasks/ checklists within the
domain and how to use the same.
KA5. how to analyze root causes of information security issues.
KA6. how to carry out information security assessments.
KA7. how to carry out configuration reviews.
KA8. how to correlate devices and logs.
KA9. different types of automation tools and how to use them.
KA10. how to access and analyze information security performance metrics.
KA11. who to involve when managing information security.
KA12. your organization’s information security systems and tools and how to
access and maintain them.
KA13. standard tools and templates available and how to use the same.
B. Technical Knowledge
The user/ individual on the job needs to know and understand:
KB1. fundamentals of information security and how to apply them, including:
 networks
 communication
 application security
KB2. different types of backups for security devices and applications and how to
carry out backups.
KB3. common issues and variances of performance metrics that require action
and whom to report these to.
KB4. how to identify and resolve information security vulnerabilities and issues.


The Units
The module for this NOS is divided into ten units based on the learning objectives as given below:
UNIT I: Information Security and Threats
1.1. Information Security
1.2. Information Assets & Threats
UNIT II: Fundamentals of Information Security
2.1. Elements of information security
2.2. Principles and concepts – data security
2.3. Types of controls
UNIT III: Data Leakage
3.1 Introduction – Data Leakage
3.2 Organisational Data Classification, Location and Pathways
3.3 Content Awareness
3.4 Content Analysis Techniques
3.5 Data Protection
3.6 DLP Limitations
3.7 DRM-DLP Conundrum
UNIT IV: Information Security Policies, Procedures, Standards and Guidelines
4.1. Information Security Policies
4.2. Key Elements of a Security Policy
4.3. Security Standards, Guidelines and Frameworks
4.4. Laws, Regulations and Guidelines
UNIT V: Information Security Management – Roles and Responsibilities
5.1. Information and Data Security Team Structure
5.2. Security Incident Response Team
UNIT VI: Information Security Performance Metrics
6.1. Introduction – Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring Systems
UNIT VII: Risk Assessment
7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring
UNIT VIII: Configuration Reviews
8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores
UNIT IX: Log Correlation and Management
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response
UNIT X: Data Backup
10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy


UNIT I
Information Security and Threats

This unit covers:

 Lesson Plan
1.1. Information Security
1.2. Information Assets & Threats (Virus, Worms, Trojans, Other
Threats, Network Attacks)


Lesson Plan

Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and
guidelines.
You need to know and understand:
KA4. the organizational systems, procedures and tasks/ checklists within the domain and how to use
them.
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Performance Ensuring Measures
PC2. Peer group, faculty group and industry experts evaluation.
KA4, KA5. Peer group, faculty group and industry experts’ evaluation.
KB1 - KB4. Group and faculty evaluation based on anticipated outcomes. Reward points to be
allocated to groups.

Work Environment/ Lab Requirement
 PCs/ tablets/ laptops
 Projection facilities
 Availability of labs (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Access to all security sites like ISO, PCI DSS, Centre for Internet Security etc.


Lesson

1.1 Introduction – Information Security


With the pervasive growth and use of digital information, much of which is confidential, there has also
been growth in incidents of information theft, including cyber attacks by hackers. This has happened
both in governments and in private companies, and it has created the need for the position of
information security analyst.
Those who work as information security analysts are responsible for keeping information safe from
data breaches using a variety of tools and techniques. Information security analysts protect
information stored on computer networks, in applications etc. They do this with special software that
allows them to keep track of those who can access and who have accessed data. Also, they may
perform investigations to determine whether or not data has been compromised, the extent of it and
related vulnerabilities.
 Someone at an entry level position may operate the software to monitor and analyze
information.
 At senior level positions, one may carry out investigative work to determine whether a security
breach has occurred.
 At higher levels people design systems and architecture to address these vulnerabilities.
The field of information security has seen significant growth in recent times, and the number of job
opportunities in this area is likely to increase in the near future. Recent incidents of information theft
from large companies like Target, Sony and Citibank have shown the risks and challenges of this field
and underline the growing need for information security and for professionals in this field. We are
now witnessing a rising background level of data leakage from governments, businesses and other
organisations, families and individuals.
A large part of an information security analyst’s work involves monitoring data use and access on a
computer network.
Security analysts focus on three main areas:
1. risk assessment (identifying risks or issues an organization may face)
2. vulnerability assessment (determining an organization’s weaknesses to threats)
3. defense planning (designing the protection architecture and installing security systems such
as firewalls and data encryption programs)

Information security analysts can find themselves working with IT companies, financial and utility
companies and consulting firms. They may also find positions with government organizations. Any
company or organization with data to protect may hire information security analysts, so they could
find themselves working at a wide variety of different institutions. A number of companies operate
‘Security Operation Centres (SOCs)’ to deliver data security services for their own (captive) or client
operations.

Why information security?


With the pervasive growth and use of digital information, much of which is confidential,
there has also been growth in incidents of information theft, including cyber-attacks by
hackers. This has happened both in governments and in private companies. This has
created the need for keeping information safe from data breaches using a variety of
tools and techniques.

Role of a security analyst in information technology


 Protect information and information systems from unauthorized access, use, disclosure,
disruption, modification, perusal, inspection, recording or destruction.
 Perform investigations to determine whether or not data has been compromised, the extent
of it and related vulnerabilities.
 Ensure the confidentiality, integrity and availability of data to the 'right' users within/ outside
of the organization.
 Risk assessment (identifying risks or issues an organization may face).
 Vulnerability assessment (to determine an organization’s weaknesses to threats).
 Defense planning (designing the protection architecture and installing security systems such
as firewalls and data encryption programs).


Major Skills of
Security Analyst
• Understanding security policy
• Data & Traffic Analysis
• Identifying Security Events –> How & when to alarm
• Incident Response

Foundation and
Background
• Network infrastructure knowledge
• Diverse device configuration ability
• Security configuration knowledge
• Data management & teamwork

Challenges for
Security Analyst
• Not tied to a product or solution
• Complex knowledge – no single process or product solution is the correct one
• Diverse set of skills are needed


1.2 Information Assets & Threats

Security concerning IT and information is normally divided into three categories to facilitate the
management of information:

Confidentiality – Prevention of unauthorized disclosure or use of information assets.
Integrity – Prevention of unauthorized modification of information assets.
Availability – Ensuring authorized access to information assets when required, for the duration
required.

Threats to information assets


Risk is the potential for a threat to be realised; the process of understanding and responding to
factors that may lead to a failure in the confidentiality, integrity or availability of an information
system constitutes risk management. The key concerns in information assets security are:

 theft
 fraud/ forgery
 unauthorized information access
 interception or modification of data and
data management systems

The above concerns materialise in the event of a breach caused by the exploitation of a vulnerability.

Vulnerabilities
Vulnerability is a weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited or triggered by a threat source.
‘Threat agent or actor’ refers to the intent and method targeted at the intentional exploitation
of the vulnerability or a situation and method that may accidentally trigger the vulnerability.
A ‘threat vector’ is a path or a tool that a threat actor uses to attack the target.
‘Threat targets’ are anything of value to the threat actor such as PC, laptop, PDA, tablet, mobile
phone, online bank account or identity.


Threat classification
Microsoft has proposed a threat classification called STRIDE from the initials of threat categories:
 Spoofing of user identity
 Tampering
 Repudiation
 Information disclosure (privacy breach or data leak)
 Denial of Service (DoS)
 Elevation of privilege

Threat agents (individuals and groups) can be classified as follows:


 Non-target specific: non-target specific threat agents are computer viruses, worms, Trojans
and logic bombs.
 Employees: staff, contractors, operational/ maintenance personnel or security guards who are
disgruntled with the company.
 Organized crime and criminals: criminals target information that is of value to them, such as
bank accounts, credit cards or intellectual property that can be converted into money.
Criminals will often make use of insiders to help them.
 Corporations: corporations are engaged in offensive information warfare or competitive
intelligence. Partners and competitors come under this category.
 Unintentional human error: accidents, carelessness etc.
 Intentional human error: insider, outsider etc.
 Natural: Flood, fire, lightning, meteor, earthquakes etc.

Types of attacks
• Virus
A virus is a malicious program able to inject its code into other programs/ applications or data files,
so that the targeted areas become "infected". A virus is installed without the user's consent and
spreads in the form of executable code transferred from one host to another. Types of viruses
include resident virus, non-resident virus, boot sector virus, macro virus, file-infecting virus (file-
infector), polymorphic virus, metamorphic virus, stealth virus, companion virus and cavity virus.
• Worm
A worm is a category of malicious program that exploits operating system vulnerabilities to spread
itself. In its design a worm is quite similar to a virus, and is sometimes considered a sub-class of
virus. Unlike viruses, though, worms can reproduce/ duplicate and spread by themselves; during
this process a worm does not need to attach itself to any existing program or executable. The
different types of worms, based on their method of spread, are email worms, internet worms,
network worms and multi-vector worms.
• Trojan
Computer Trojans or Trojan horses are named after the mythological Trojan horse owing to the
similarity in their operation strategy. Trojans are a type of malware that masquerades as a
harmless or even useful application but actually does damage to the host computer after its
installation. Unlike viruses, Trojans do not self-replicate; they depend on the end user to install them.

Types of Virus
Depending on the virus "residence", we can classify viruses in the following way:
 Resident virus - a virus that embeds itself in the memory of a target host. In this way it becomes
activated every time the OS starts or executes a specific action.
 Non-resident virus - when executed, this type of virus actively seeks targets for infection on
local, removable or network locations. After infecting them it exits, so it does not remain resident
in memory.
 Boot sector virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
 Macro virus - a virus written in a macro language and embedded in Word, Excel, Outlook etc.
documents. This type of virus is executed as soon as the document that contains it is opened,
because macros within those documents are, under normal circumstances, executed
automatically.
Another classification of viruses can result from their characteristics:
 File-infecting virus (file-infector) – this is the classic form of virus. When the infected file is
executed, the virus seeks out other files on the host and infects them with malicious code. The
malicious code is inserted either at the beginning of the host file code (prepending virus), in the
middle (mid-infector) or at the end (appending virus). A specific type of virus called a "cavity
virus" can even inject the code into gaps in the file structure itself. The start point of the file
execution is changed to the start of the virus code to ensure that it is run when the file is
executed. Afterwards, control may or may not be passed on to the original program. Depending
on the infection routine, the host file may become otherwise corrupted and completely
non-functional. More sophisticated viral forms allow the host program to execute normally
while trying to hide their presence completely (see polymorphic and metamorphic viruses).
 Polymorphic virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

 Metamorphic virus - this virus is capable of changing its own code with each infection. The
rewriting process may cause the infection to appear different each time, but the functionality of
the code remains the same. The metamorphic nature of this virus type makes it possible to infect
executables from two or more different operating systems or even different computer
architectures. Metamorphic viruses are among the most complex in build and very difficult
to detect.
 Stealth virus - memory resident virus that utilises various mechanisms to avoid detection. This
avoidance can be achieved for example, by removing itself from the infected files and placing a
copy of itself in a different location. The virus can also maintain a clean copy of the infected files
in order to provide it to the antivirus engine for scan while the infected version still remains
undetected. Furthermore, the stealth viruses are actively working to conceal any traces of their
activities and changes made to files.
 Armored virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
 Multipartite virus – this attempts to attack both the file executables and the master boot
record of the drive at the same time. This type may be tricky to remove, as even when the file
executable part is clean it can re-infect the system all over again from the boot sector if that was
not cleaned as well.
 Camouflage virus – this virus type is able to present itself as a harmless program to the antivirus
software. Where the virus has code similar to that of legitimate non-infected files, the antivirus
application is tricked into treating it as the legitimate program. This works only against basic
signature-based antivirus software. Nowadays antivirus solutions have become more elaborate,
so camouflage viruses are quite rare and not a serious threat owing to the ease of their detection.
 Companion virus
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
 Cavity virus - unlike traditional viruses, the cavity virus does not attach itself to the end of the
infected file but instead uses the empty spaces within the program file itself (which exist there
for a variety of reasons). This way the length of the program code is not changed and the
virus can more easily avoid detection. In most cases the injection of the virus does not impact
the functionality of the host file at all. Cavity viruses are quite rare, though.


Let us discuss recent news about a new version of a notorious virus that
takes over a system until money is paid as ransom, which has been detected by
cyber experts. Version 2.0 of the TeslaCrypt ransomware encryptor family, say
experts, is notorious for infecting computers of gamers. The malicious program
is now targeting online consumers and businesses via email attachments which
block access to a computer system until a sum of money, specifically in dollars,
is paid as ransom. If the victim delays, the ransom is doubled. Detected in
February 2015, TeslaCrypt began infecting systems in the US, Europe and
Southeast Asian countries. It then occurred in Indian cities including Delhi and
Mumbai. Two businessmen from Agra were targeted this year, from whom the
extortionist demanded more than $10,000. In the last six months, two cases
were reported in Agra, where the malware locked down its victim's most
important files and kept them hostage in exchange for a ransom to unlock it.

Source: News Articles

Types of Worms
The most common categorization of worms relies on how they spread:
 Email worms: spread through email messages, especially through those with attachments.
 Internet worms: spread directly over the internet by exploiting access to open ports or system
vulnerabilities.
 Network worms: spread over open and unprotected network shares.
 Multi-vector worms: having two or more various spread capabilities.

Types of Trojans
Computer Trojans or Trojan horses are named after the mythological Trojan horse from the Trojan War,
in which the Greeks gave a giant wooden horse to their foes, the Trojans. As soon as the Trojans dragged
the horse inside their city walls, Greek soldiers sneaked out of the horse's hollow belly and opened the
city gates, allowing their army to capture Troy. A computer Trojan horse works in a way that is very
similar to this strategy: it is a type of malware that masquerades as a harmless or even useful
application but actually does damage to the host computer after its installation.
Trojans do not self-replicate, which is their key difference from a virus, and they often require end-user
intervention to install themselves. In most scenarios the user is tricked into believing that the program
being installed is a legitimate one (this is very often connected with social engineering attacks on end
users). Another common method is for the Trojan to be spammed as an email attachment or a link in
an email. A similar method has the Trojan arriving as a file or link in an instant messaging client.
Trojans can also be spread by means of drive-by downloads, or be downloaded and dropped by other
Trojans or by legitimate programs that have been compromised.
The results of Trojan activities can vary greatly, ranging from low-impact ones that only change the
wallpaper or desktop icons, through Trojans which open backdoors on the computer and allow other
threats to infect the host or give a hacker remote access to the targeted computer system, to Trojans
that cause serious damage on the host by deleting files or destroying the data on the system in various
ways (like formatting the drive or causing a BSOD). Such Trojans are usually stealthy and do not
advertise their presence on the computer.
The Trojan classification can be based upon performed function and the way they breach the systems.
An important thing to keep in mind is that many Trojans have multiple payload functions so any such
classification will provide only a general overview and not a strict boundary. Some of the most
common Trojan types are:
 Remote Access Trojans (RAT) aka Backdoor.Trojan - this type of Trojan opens a backdoor on the
targeted system to allow the attacker remote access to the system or even complete control
over it. This is the most widespread kind of Trojan and often has various other functions as well.
It may be used as an entry point for a DoS attack or for admitting worms or even other Trojans to
the system. A computer with a sophisticated backdoor program installed may also be referred
to as a "zombie" or a "bot". A network of such bots is often referred to as a "botnet" (see
part 3 of the Security 1:1 series). Backdoor Trojans are generally created by malware authors
who are organized and aim to make money out of their efforts. These types of Trojans can be
highly sophisticated and can require more work to implement than some of the simpler malware
seen on the Internet.
 Trojan-DDoS - this Trojan is installed simultaneously on a large number of computers in order to
create a zombie network (botnet) of machines that can be used (as attackers) in a DDoS attack
on a particular target.
 Trojan-Proxy -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
 Trojan-FTP – this Trojan is designed to open FTP ports on the targeted machine to allow a remote
attacker access to the host. Furthermore, the attacker can also access network shares or
connections to further spread other threats.
 Destructive Trojan – this is designed to destroy or delete data. It is much like a virus.
 Security Software Disabler Trojan – this is designed to stop security programs like antivirus
solutions, firewalls or IPS either by disabling them or killing the processes. This kind of Trojan
functionality is often combined with destructive Trojan that can execute data deletion or
corruption only after the security software is disabled. Security Software Disablers are entry
Trojans that allow next level of attack on the targeted system.
 Info Stealer (Data Sending/ Stealing Trojan) - this Trojan is designed to collect confidential or
sensitive information from the compromised host and send it to a predefined location (the
attacker). The stolen data comprises login details, passwords, PII, credit card information etc.
Data sending Trojans can be designed to look for specific information only, or can be more generic,
like keylogger Trojans. Nowadays more than ever before, attackers are concentrating on
compromising end users for financial gain. The information stolen with an info stealer Trojan
is often sold on the black market. Info stealers gather information using several techniques.
The most common techniques include logging keystrokes, taking screenshots and webcam images,
and monitoring internet activity, often for specific financial websites. The stolen information may be
stored locally so that it can be retrieved later, or it can be sent to a remote location where it can
be accessed by an attacker. It is often encrypted before being posted to the malware author.
 Keylogger Trojan – this is a type of data-sending Trojan that records every keystroke of the
end user. This kind of Trojan is specifically used to steal sensitive information from the targeted host
and send it back to the attacker. For these Trojans, the goal is to collect as much data as possible
without any specification of what the data will be.
 Trojan-PSW (Password Stealer) – this is a type of data-sending Trojan designed specifically to
steal passwords from the targeted systems. In its execution routine, the Trojan will very often
first drop a keylogging component onto the infected machine.
 Trojan-Banker – a Trojan designed specifically to steal online banking information to allow the
attacker further access to bank account or credit card information.
 Trojan-IM – a type of data-sending Trojan designed specifically to steal data or account
information from instant messaging programs like MSN, Skype etc.
 Trojan-Game Thief – a Trojan designed to steal information about online gaming accounts.
 Trojan Mail Finder – a Trojan used to harvest any email addresses found on the infected computer.
The email list is then forwarded to the remote attacker.
 Trojan-Dropper -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

 Trojan-Downloader – a Trojan that can download other malicious programs to the target
computer. Very often combined with the functionality of Trojan-Dropper. Most downloaders
that are encountered will attempt to download content from the internet rather than the local
network. In order to successfully achieve its primary function, a downloader must run on a
computer that is inadequately protected and connected to a network.
 Trojan-FakeAV –
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________


This type of Trojan can be targeted either to extort money for the removal of a "non-existent" threat
or, in other cases, the installation of the program itself injects other malware into the host machine.
FakeAV applications can perform fake scans with variable results, but always detect at least one
malicious object. They may also drop files that are then ‘detected’. FakeAV applications are
constantly updated with new interfaces so that they mimic legitimate anti-virus solutions and
appear very professional to end users.
 Trojan-Spy – this Trojan has a similar functionality to the Info stealer or Trojan-PSW and its
purpose is to spy on the actions executed on the target host. These can include tracking data
entered via keystrokes, collecting screenshots, listing active processes/ services on the host or
stealing passwords.
 Trojan-ArcBomb -
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________


 Trojan-Clicker or Trojan-AD clicker – a Trojan that continuously attempts to connect to specific
websites in order to boost the visit counters on those sites. More specific functionality of the
Trojan can include generating traffic to pay-per-click web advertising campaigns in order to
create or boost revenue.
 Trojan-SMS – a Trojan used to send text messages from infected mobile devices to premium rate
paid phone numbers.
 Trojan-Ransom (Trojan-Ransomlock) aka Ransomware Trojan
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

 Cryptolock Trojan (Trojan.Cryptolocker) – this is a newer variation of the Ransomware Trojan that
emerged in 2013. Unlike a Ransomlock Trojan (which only locks the computer screen or
some part of the computer's functionality), the Cryptolock Trojan encrypts and locks individual files.
While Cryptolocker uses common Trojan spreading techniques like spam email and social
engineering in order to infect victims, the threat itself uses more sophisticated techniques such as
public-key cryptography with strong RSA 2048 encryption.

In another incident detected by Kaspersky Labs, Pune, the TeslaCrypt ransomware
encryptor family exhibited a curious behaviour. Version 2.0 of the Trojan, notorious for
infecting computer gamers, displays an HTML page in the web browser which is an
exact copy of CryptoWall 3.0, another notorious ransomware program. TeslaCrypt was
detected in February 2015 and the new ransomware Trojan gained immediate notoriety
as a menace to computer gamers. Amongst other types of target files, it tries to infect
typical gaming files: game saves, user profiles, recorded replays etc. That said, TeslaCrypt
does not encrypt files that are larger than 268 MB. A few more examples of ransomware
Trojans are CryptoLocker, CryptoWall, CoinVault, TorLocker and CTB-Locker.
Source: News articles


Other security threats

Malware refers to software viruses, spyware, adware, worms, trojans, ransomware etc. They
are designed to cause damage to a targeted computer or to cause a certain degree of operational
disruption.

Rootkits are malicious software designed to hide certain processes or programs from detection.
A rootkit usually acquires and maintains privileged system access while hiding its presence at
the same time. It acts as a conduit by providing the attacker with a backdoor to a system.

Spyware is software that monitors and collects information about a particular user, computer
or organisation without the user's knowledge. There are different types of spyware, namely system
monitors, trojans (keyloggers, banker trojans, infostealers), adware, tracking cookies etc.

Tracking cookies are a specific type of cookie that is distributed, shared and read across two
or more unrelated websites for the purpose of gathering information or potentially to present
customized data to you.

Riskware is a term used to describe potentially dangerous software whose installation may pose
a risk to the computer.

Adware – in general terms, adware is software generating or displaying certain advertisements to
the user. This kind of adware is very common in freeware and shareware software and can
analyze end users' internet habits and then tailor the advertisements directly to users' interests.

Scareware is a class of malware that includes both Ransomware (Trojan.Ransom) and FakeAV
software. It is also well known under the names "Rogue Security Software" or "Misleading
Software". This kind of software tricks the user into believing that the computer has been infected and
offers paid solutions to clean the "fake" infection.

Spam is the term used to describe unsolicited or unwanted electronic messages, especially
advertisements. The most widely recognized form of spam is email spam.

Creepware is a term used to describe activities like spying on others through webcams (very often
combined with capturing pictures), tracking the online activities of others, listening to
conversations over the computer's microphone and stealing passwords and other data.

Blended threat defines an exploit that combines elements of multiple types of malware
components. The use of multiple attack vectors and payload types aims to increase the severity
of the damage caused as well as the speed of spreading.


In 1983, this person was the first to offer the definition of 'Computer Virus'...

A. COHEN    B. NORTON    C. SMITH    D. McAfee

ANSWER : …………………………………………………………..

Network attacks
A network attack is usually defined as an intrusion on the network infrastructure that first analyses
the environment and collects information in order to exploit existing open ports or vulnerabilities.
This may include unauthorized access to organisation resources.

Characteristics of network attacks:

 Passive attacks: these refer to attacks where the purpose is only to learn and get some
information from the system; the system resources are not altered or disabled in any way.
 Active attacks: in this type of network attack, the perpetrator accesses and either alters,
disables or destroys resources or data.
 Outside attack: when an attack is performed from outside the organization by an unauthorized
entity, it is said to be an outside attack.
 Inside attack: if an attack is performed from within the company by an "insider" that already
has certain access to the network, it is considered to be an inside attack.
 Others, such as attacks targeted at end users (like phishing or social engineering): these attacks
are not directly referred to as network attacks, but are important to know due to their
widespread occurrence.


What types of attack are there?

Fig: Types of network attacks – Social engineering attack, Phishing attack, Social phishing,
Spear phishing attack, Watering hole attack, Whaling, Vishing (voice phishing or VoIP phishing),
Port scanning, Spoofing, Network sniffing, DoS attack* & DDoS attack**, ICMP smurf denial of
service, Buffer overflow attack, Botnet, Man-in-the-middle attack, Session hijacking attack,
Cross-site scripting attack (XSS attack), SQL injection attack, Bluetooth related attacks.

*Denial of Service Attack
**Distributed Denial of Service Attack

 Social engineering – refers to the psychological manipulation of people (employees of a company)
to perform actions that potentially lead to a leak of the company's proprietary or confidential
information or otherwise can cause damage to company resources, personnel or company
image. Social engineers use various strategies to trick users into disclosing confidential
information, data or both. One very common technique used by social engineers is to
pretend to be someone else – an IT professional, a member of the management team, a co-worker,
an insurance investigator or even a member of a governmental authority. The mere fact that the
addressing party is someone from the mentioned group should convince the victim that the person has
a right to know any confidential or otherwise secured information. The purpose of social
engineering remains the same as the purpose of hacking: unauthorized access to confidential
information, data theft, industrial espionage or environment/ service disruption.
 Phishing attack – this type of attack uses social engineering techniques to steal confidential
information. The most common purpose of such an attack is to obtain the victim's banking account details
and credentials. Phishing attacks tend to use schemes involving spoofed emails sent to users that
lead them to malware-infected websites designed to appear as real online banking websites.
Emails received by users in most cases will look authentic, as if sent from sources known to the user
(very often with the appropriate company logo and localised information). These emails will contain
a direct request to verify some account information, credentials or credit card numbers by
following the provided link and confirming the information online. The request will be
accompanied by a threat that the account may become disabled or suspended if the mentioned
details are not verified by the user.
 Social phishing – in recent years, phishing techniques have evolved to include social media
like Facebook or Twitter. This type of phishing is often called Social Phishing. The purpose
remains the same – to obtain confidential information and gain access to personal files. The
means of the attack are a bit different though, and include special links or posts posted on the
social media sites that attract the user with their content and convince them to click on them.
The link then redirects to a malicious website or similar harmful content. The websites can mirror
the legitimate Facebook pages so that an unsuspecting user does not notice the difference. The
website will require the user to log in with his real information. At this point, the attacker collects the
credentials, gaining access to the compromised account and all data on it. Another scenario involves
fake apps. Users are encouraged to download and install apps that contain
malware used to steal confidential information.
Facebook phishing attacks are often much more laboured. Consider the following scenario – a link
posted by an attacker can include some pictures or a phrase that will attract the user to click on it.
The user clicks, upon which he/ she is redirected to a mirror website that asks him/ her to like the
post first before even viewing it. The user, not suspecting any harm, clicks on the "like" button but
doesn't realise that the "like" button has been spoofed and in reality is an "accept" button for the
fake app to access the user's personal information. At this point, data is collected and the account is
compromised.
 Spear phishing attack – this is a type of phishing attack targeted at specific individuals, groups
of individuals or companies. Spear phishing attacks are performed mostly with the primary purpose
of industrial espionage and theft of sensitive information, while ordinary phishing attacks are
directed against the wide public with the intent of financial fraud. It has been estimated that in the last
couple of years targeted spear phishing attacks have become more widespread than ever before.

The recommendations to protect your company against phishing and spear phishing include:
1. Never open or download a file from an unsolicited email, even from someone you know
(you can call or email the person to double-check that it really came from them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two-factor authentication whenever available.
5. Confirm the authenticity of a website prior to entering login credentials by looking for a
reputable security trust mark.
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a
website to make sure your data will be encrypted.
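The spoofed-email indicators described above can be checked mechanically before a message reaches the user. The following is an added example written for this handbook section, not code from the handbook or from any product it names; the sample message, the domains in it and the `trusted_domains` list are constructed, and a real mail gateway would add SPF/DKIM results to these checks.

```python
"""Flag common phishing indicators in an email (added example, not from the
handbook). The message, domains and the trusted_domains list are constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the display name claims a bank, the address and
# the link target belong to a different domain, and the wording is urgent.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@examplebank-verify.test>
Reply-To: support@mailer.test
To: customer@example.test
Subject: Your account will be suspended
Content-Type: text/html; charset=utf-8

<p>Your account will be disabled unless you verify your details.</p>
<p><a href="http://login.examplebank-verify.test/verify">https://www.examplebank.test/login</a></p>
"""

URGENT_WORDS = ("suspended", "disabled", "verify", "immediately")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url):
    """Hostname of a URL, or of a bare 'www.example.test' string."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def phishing_indicators(raw_message, trusted_domains):
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []

    from_hdr = msg["From"]
    sender_domain = from_hdr.addresses[0].domain.lower() if from_hdr.addresses else ""
    display_name = from_hdr.addresses[0].display_name if from_hdr.addresses else ""
    # Display name mentions a trusted brand while the address domain is not trusted.
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if brand in display_name.lower().replace(" ", "") and sender_domain not in trusted_domains:
            indicators.append(f"display name mentions {brand!r} but sender domain is {sender_domain}")

    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != sender_domain:
        indicators.append("Reply-To domain differs from From domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(word in text.lower() for word in URGENT_WORDS):
        indicators.append("urgent or threatening wording in body")

    collector = _LinkCollector()
    collector.feed(text)
    for visible, href in collector.links:
        # Link text that looks like an address but points somewhere else.
        if "." in visible and _host(visible) != _host(href):
            indicators.append(f"link text shows {_host(visible)} but points to {_host(href)}")
        if href.startswith("http://"):
            indicators.append(f"credential link without HTTPS: {href}")
    return indicators


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL, ["examplebank.test"]):
        print("-", finding)
```

phishing_indicators() returns five findings for the constructed message (a brand name in the display name with an untrusted sender domain, a Reply-To that differs from From, urgent wording, link text that does not match the link target, and a plain-HTTP link). None of these alone proves phishing; a mail filter would score them, and a message whose only finding is urgent wording would normally pass.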

 Watering hole attack – this is a more complex type of phishing attack. Instead of the usual way
of sending spoofed emails to end users in order to trick them into revealing confidential
information, attackers use a multi-staged approach to gain access to the targeted information.
In the first step, the attacker profiles the potential victim, collecting information about his or her
internet habits, history of visited websites etc. In the next step the attacker uses that knowledge to
inspect the specific legitimate public websites for vulnerabilities. If any vulnerabilities or
loopholes are found, the attacker compromises the website with his own malicious code. The
compromised website then waits for the targeted victim to come back and infects them
with exploits (often for zero-day vulnerabilities) or malware. This is analogous to a lion waiting at
the watering hole for its prey.
 Whaling – a type of phishing attack specifically targeted at senior executives or other high
profile targets within a company.
 Vishing (Voice Phishing or VoIP Phishing) – the use of social engineering techniques over the
telephone system to obtain confidential information from users. This phishing attack is
often combined with caller ID spoofing, which masks the real source phone number and instead
displays a number familiar to the phishing victim or a number known to belong to a real banking
institution. General practices of vishing include pre-recorded automated instructions for users
requesting them to provide bank account or credit card information for verification over the
phone.
 Port scanning – an attack type where the attacker sends several requests to a range of ports on
a targeted host in order to find out which ports are active and open, which allows them to exploit
known service vulnerabilities related to specific ports. Port scanning can be used by malicious
attackers to compromise security as well as by IT professionals to verify network
security.
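Because a scan touches many ports on one host in a short time, it leaves a recognisable pattern in firewall or IDS logs. This added example (not from the handbook) builds a simple detector: it parses constructed firewall log lines, whose format and addresses are invented for illustration, and flags any source that touches at least `min_ports` distinct ports on a single destination within a sliding time window.

```python
"""Detect port-scan behaviour in firewall log lines (added example, not from
the handbook). The log format and all addresses are constructed; adjust the
regular expression to your firewall's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source probes many ports within a few seconds,
# another source makes ordinary repeated connections to a single service.
SAMPLE_LOG = """\
2015-06-01T10:00:00 DENY TCP 198.51.100.7:40001 -> 192.0.2.10:21
2015-06-01T10:00:00 DENY TCP 198.51.100.7:40002 -> 192.0.2.10:22
2015-06-01T10:00:01 DENY TCP 198.51.100.7:40003 -> 192.0.2.10:23
2015-06-01T10:00:01 DENY TCP 198.51.100.7:40004 -> 192.0.2.10:25
2015-06-01T10:00:02 ALLOW TCP 198.51.100.7:40005 -> 192.0.2.10:80
2015-06-01T10:00:02 DENY TCP 198.51.100.7:40006 -> 192.0.2.10:110
2015-06-01T10:00:03 DENY TCP 198.51.100.7:40007 -> 192.0.2.10:143
2015-06-01T10:00:03 ALLOW TCP 198.51.100.7:40008 -> 192.0.2.10:443
2015-06-01T10:00:04 DENY TCP 198.51.100.7:40009 -> 192.0.2.10:445
2015-06-01T10:00:04 DENY TCP 198.51.100.7:40010 -> 192.0.2.10:3389
2015-06-01T10:00:05 DENY TCP 198.51.100.7:40011 -> 192.0.2.10:8080
2015-06-01T10:00:00 ALLOW TCP 203.0.113.5:51000 -> 192.0.2.10:443
2015-06-01T10:00:07 ALLOW TCP 203.0.113.5:51001 -> 192.0.2.10:443
2015-06-01T10:00:14 ALLOW TCP 203.0.113.5:51002 -> 192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port, action) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["action"])


def detect_port_scans(text, min_ports=10, window=timedelta(seconds=60)):
    """Return {(src, dst): n_ports} for sources that touch >= min_ports distinct
    ports on one destination within a sliding time window."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for ts, src, dst, dport, _action in parse_log(text):
        events[(src, dst)].append((ts, dport))

    scans = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start so hits[start..end] all fall within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({port for _, port in hits[start:end + 1]})
            if distinct >= min_ports:
                scans[key] = max(scans.get(key, 0), distinct)
    return scans


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} touched {n} distinct ports on {dst}")
```

Both ALLOW and DENY lines are counted, since a scan of open ports produces accepted connections too. The threshold and window are assumptions to be tuned against a baseline of normal traffic; a monitoring host or an authorised vulnerability scanner will legitimately trip the rule and belongs on an allow-list.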
Spoofing – a technique used to masquerade a person, program or address as another by
falsifying data, with the purpose of unauthorized access.
A few of the common spoofing types include:
 IP address spoofing – the process of creating IP packets with a forged source IP address to
impersonate a legitimate system. This kind of spoofing is often used in DoS attacks
(Smurf attack).

 ARP spoofing (ARP poisoning) – the process of sending fake ARP messages in the network.
The purpose of this spoofing is to associate the attacker's MAC address with the IP address of
another legitimate host, causing traffic to be redirected to the attacker's host. This kind of
spoofing is often used in man-in-the-middle attacks.

 DNS spoofing (DNS cache poisoning) – an attack where wrong data is inserted into a
DNS server's cache, causing the DNS server to divert traffic by returning wrong IP
addresses as results for client queries.

 Email spoofing – the process of faking the email's sender "from" field in order to hide the
real origin of the email. This type of spoofing is often used in spam mail or during a
phishing attack.

 Search engine poisoning – attackers take advantage of high profile news items or
popular events that may be of specific interest to a certain group of people to spread
malware and viruses. This is performed by various methods whose purpose is to
achieve the highest possible search ranking on known search portals for the malicious
sites and links introduced by the hackers. Search engine poisoning techniques are often
used to distribute rogue security products (scareware) to users searching for legitimate
security solutions for download.
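ARP poisoning can be spotted from the ARP traffic itself, because the attacker has to keep announcing a MAC address for an IP that already belongs to someone else. This added example (not from the handbook) checks a constructed sequence of ARP replies against a constructed baseline of known gateway and server MACs; the addresses are invented for illustration, and on a real segment the replies would come from a packet capture.

```python
"""Detect ARP spoofing (ARP cache poisoning) from observed ARP replies.
Added example, not from the handbook; the ARP records, addresses and the
KNOWN_HOSTS baseline are constructed for illustration.
"""
from collections import defaultdict

# Optional baseline of gateway/server MACs learned during a known-good period
# (e.g. exported from the switch or DHCP server). Constructed values.
KNOWN_HOSTS = {
    "192.0.2.1": "00:11:22:33:44:01",   # default gateway
    "192.0.2.50": "00:11:22:33:44:50",  # file server
}

# Constructed sequence of ARP replies as (sender_ip, sender_mac) pairs,
# in the order a sniffer on the segment would see them.
SAMPLE_ARP_REPLIES = [
    ("192.0.2.1", "00:11:22:33:44:01"),
    ("192.0.2.50", "00:11:22:33:44:50"),
    ("192.0.2.77", "00:11:22:33:44:77"),
    ("192.0.2.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
    ("192.0.2.50", "de:ad:be:ef:00:01"),  # same MAC also claims the file server
    ("192.0.2.1", "00:11:22:33:44:01"),   # legitimate gateway reply again (flapping)
]


def detect_arp_spoofing(replies, known_hosts=None):
    """Return a list of alert strings.

    Two independent signals are checked:
      1. An IP whose claimed MAC differs from the baseline or from what was
         seen earlier (the classic poisoning symptom: the mapping changes).
      2. A single MAC claiming more than one IP on the segment, which is what
         a man-in-the-middle attacker does to sit between two victims.
    """
    known = {ip: mac.lower() for ip, mac in (known_hosts or {}).items()}
    seen = {}                       # ip -> last MAC observed
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        expected = known.get(ip, seen.get(ip))
        if expected is not None and expected != mac:
            alerts.append(f"{ip}: MAC changed from {expected} to {mac}")
        seen[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append(f"{mac} now claims {sorted(ips_per_mac[mac])}")
    return alerts


def suspicious_macs(replies, known_hosts=None):
    """MACs that ever claimed an IP the baseline assigns to a different MAC."""
    known = {ip: mac.lower() for ip, mac in (known_hosts or {}).items()}
    return sorted({mac.lower() for ip, mac in replies
                   if ip in known and known[ip] != mac.lower()})


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, KNOWN_HOSTS):
        print("ALERT:", alert)
```

Mapping changes are alerted whether or not a baseline exists; the baseline makes the first spoofed reply detectable instead of only a later change, and stops the legitimate host's own replies from being reported as flaps. Static ARP entries for the gateway and dynamic ARP inspection on managed switches are the usual preventive measures, with a monitor like this as a detective control.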


 Network sniffing (packet sniffing) – the process of capturing the data packets travelling in the
network. Network sniffing can be used by IT professionals to analyse and monitor the traffic,
for example in order to find unexpected suspicious traffic, but also by perpetrators to collect
data sent in clear text, which is easily readable with the use of network sniffers (protocol analysers).
The best countermeasure against sniffing is the use of encrypted communication between the hosts.
 Denial of Service attack (DoS attack) and Distributed Denial of Service attack (DDoS attack) –
an attack designed to cause an interruption or suspension of the services of a specific host/ server
by flooding it with large quantities of useless traffic or external communication requests. When
the DoS attack succeeds, the server is no longer able to answer even legitimate requests;
this can be observed in a number of ways – slow response of the server, slow network
performance, unavailability of software or web pages, inability to access data, websites or other
resources. A Distributed Denial of Service attack (DDoS) occurs where multiple compromised or
infected systems (a botnet) flood a particular host with traffic simultaneously.
DoS (denial-of-service) attack
A few of the most common DoS attack types:
 ICMP flood attack (ping flood) – an attack that sends ICMP ping requests to the victim host
without waiting for the answer, in order to overload it with ICMP traffic to the point where the
host cannot answer them any more, either because of network bandwidth congestion
with ICMP packets (both requests and replies) or high CPU utilization caused by processing
the ICMP requests. The easiest way to protect against the various types of ICMP flood attack is
either to disable propagation of ICMP traffic sent to the broadcast address on the router or to disable
ICMP traffic at the firewall level.
 Ping of Death (PoD) – this attack involves sending a malformed or otherwise corrupted
malicious ping to the host machine, for example a ping with a size bigger than usual, which can
cause a buffer overflow on the system that leads to a system crash.
 Smurf attack – this works in the same way as the ping flood attack, with one major difference: the
source IP address of the attacker's host is spoofed with the IP address of another legitimate,
non-malicious computer. Such an attack will cause disruption both on the attacked host (receiving a
large number of ICMP requests) as well as on the spoofed victim host (receiving a large number
of ICMP replies).

Fig: ICMP Smurf Denial of Service
 SYN flood attack – this attack exploits the way the TCP 3-way handshake works while a
TCP connection is being established. In the normal process, the host computer sends a TCP SYN
packet to the remote host requesting a connection. The remote host answers with a TCP
SYN-ACK packet confirming that the connection can be made. As soon as this is received by the
first (local) host, it replies again with a TCP ACK packet to the remote host. At this point the TCP
socket connection is established. During a SYN flood attack, the attacker host, or more
commonly several attacker hosts, send SYN packets to the victim host requesting a
connection; the victim host responds with SYN-ACK packets but the attacker hosts never
respond with ACK packets. As a result the victim host reserves space for all those
connections still awaiting the remote attacker hosts' response, which never comes. This
keeps the server with dead, half-open connections and in the end prevents legitimate hosts
from connecting to the server any more.
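The backlog exhaustion described above, and the common countermeasure (SYN cookies), can be shown with a small model of the listener. This is an added example, not from the handbook: the `Listener` class, its backlog size and the HMAC-based cookie are constructed simplifications of what an operating system's TCP stack does, not the real implementation.

```python
"""Model of why a SYN flood exhausts a listener's half-open table, and how
SYN cookies avoid keeping per-connection state until the handshake completes.
Added example, not from the handbook; the listener, peers and cookie secret
are constructed (a real TCP stack differs in detail).
"""
import hashlib
import hmac
import os


class Listener:
    """A TCP listening socket with a bounded half-open (SYN received) backlog."""

    def __init__(self, backlog, syn_cookies=False):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}      # (peer_ip, peer_port) -> server ISN we sent
        self.established = set()
        self._secret = os.urandom(16)  # constructed per-listener cookie secret

    def _cookie(self, peer, client_isn):
        """Stateless ISN: an HMAC over the peer address and the client's ISN."""
        msg = f"{peer[0]}:{peer[1]}:{client_isn}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, peer, client_isn):
        """Return the SYN-ACK as (server_isn, ack) or None if the SYN is dropped."""
        if self.syn_cookies:
            # Nothing is stored: the cookie *is* the server ISN.
            return self._cookie(peer, client_isn), client_isn + 1
        if len(self.half_open) >= self.backlog:
            return None  # backlog full: legitimate SYNs are dropped here
        server_isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[peer] = server_isn
        return server_isn, client_isn + 1

    def on_ack(self, peer, client_isn, ack):
        """Final ACK of the handshake; True if the connection is established."""
        if self.syn_cookies:
            # Recompute the cookie instead of looking up stored state.
            if ack == self._cookie(peer, client_isn) + 1:
                self.established.add(peer)
                return True
            return False  # a forged or replayed ACK does not validate
        server_isn = self.half_open.pop(peer, None)
        if server_isn is None or ack != server_isn + 1:
            return False
        self.established.add(peer)
        return True


def simulate_flood(syn_cookies, backlog=128, flood_syns=1000):
    """Flood the listener with never-completed SYNs, then try one honest handshake.

    Returns (half_open_entries, legitimate_client_connected).
    """
    srv = Listener(backlog, syn_cookies=syn_cookies)
    # Flood: many SYNs from many (spoofed) sources that never send the ACK.
    for i in range(flood_syns):
        srv.on_syn(("198.51.100.%d" % (i % 250), 1024 + i), client_isn=i)
    # An honest client now performs the full three-way handshake.
    peer, client_isn = ("203.0.113.9", 51515), 424242
    syn_ack = srv.on_syn(peer, client_isn)
    if syn_ack is None:
        return len(srv.half_open), False
    server_isn, _ack = syn_ack
    connected = srv.on_ack(peer, client_isn, server_isn + 1)
    return len(srv.half_open), connected


if __name__ == "__main__":
    print("without SYN cookies:", simulate_flood(syn_cookies=False))
    print("with SYN cookies:   ", simulate_flood(syn_cookies=True))
```

Without cookies the honest client's SYN is dropped once the 128-entry backlog is full of never-completed handshakes; with cookies the listener stores nothing until a valid ACK arrives, so the flood costs it no memory. Real SYN cookies also encode the MSS and a timestamp in the ISN and are normally only switched on under backlog pressure; on Linux the setting is the `net.ipv4.tcp_syncookies` sysctl.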
 Buffer overflow attack – in this type of attack the victim host is provided with traffic/ data
that is out of the range of the processing specs of the victim host, protocols or applications,
overflowing the buffer and overwriting adjacent memory. One example is the previously
mentioned Ping of Death attack, where a malformed ICMP packet with a size exceeding the normal
value can cause a buffer overflow.
 Botnet – a collection of compromised computers that can be controlled by remote perpetrators
to perform various types of attacks on other computers or networks. A known example of botnet
usage is the distributed denial of service attack, where multiple systems submit as many
requests as possible to the victim machine in order to overload it with incoming packets. Botnets
can otherwise be used to send out spam, spread viruses and spyware, and also to steal personal
and confidential information which is afterwards forwarded to the botmaster.
 Man-in-the-middle attack – this attack is a form of active monitoring or eavesdropping on victims'
connections and the communication between victim hosts. This form of attack includes interaction
between both victim parties of the communication and the attacker. This is achieved by the attacker
intercepting all or part of the communication, changing its content and sending it on as
legitimate replies. Neither party is aware of the attacker's presence, and both believe the replies
they get are legitimate. For this attack to be successful, the perpetrator must successfully
impersonate at least one of the endpoints. This can be the case if there are no protocols in place
that would secure mutual authentication or encryption during the communication process.
 Session hijacking attack – this attack targets the exploitation of a valid computer session in order
to gain unauthorized access to information on a computer system. The attack type is often
referred to as cookie hijacking as, during its progress, the attacker uses a stolen session cookie
to gain access and authenticate to the remote server by impersonating the legitimate user.
 Cross-site scripting attack (XSS attack) – the attacker exploits XSS vulnerabilities found in
web server applications in order to inject a client-side script into the webpage that can either
point the user to a malicious website of the attacker or allow the attacker to steal the user's session
cookie.
 SQL injection attack – the attacker uses existing vulnerabilities in applications to inject
code/ a string for execution that exceeds the allowed and expected input to the SQL database.
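The point that the injected string is executed as part of the SQL statement, rather than treated as input data, is easiest to see with the vulnerable and the parameterised query side by side. This added example (not from the handbook) uses an in-memory SQLite database with constructed user rows; the single-quote-and-OR input is the classic textbook illustration, and the fix is to pass user input as a bound parameter.

```python
"""SQL injection: the vulnerable query beside its parameterised form.
Added example, not from the handbook; uses an in-memory SQLite database with
constructed user records.
"""
import sqlite3


def make_db():
    """Constructed sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """String concatenation: user input becomes part of the SQL statement text."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterised query: the driver passes the input as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed input that exceeds what the application expects: it closes the
# string literal and appends a condition that is always true.
INJECTED_INPUT = "' OR '1'='1"


def demo():
    """Run both lookups with a normal username and with the injected input."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_user_vulnerable(conn, "bob"),
        "vulnerable_injected": lookup_user_vulnerable(conn, INJECTED_INPUT),
        "safe_normal": lookup_user_safe(conn, "bob"),
        "safe_injected": lookup_user_safe(conn, INJECTED_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

lookup_user_vulnerable() returns every row for the injected input because the WHERE clause has become `username = '' OR '1'='1'`; lookup_user_safe() returns no rows because the driver compares the column against the literal string. Parameterised queries (or an ORM that uses them) together with a database account holding only the privileges the application needs are the standard mitigations.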
Bluetooth related attacks

 Bluesnarfing – this kind of attack allows the malicious user to gain unauthorized access to
information on a device through its Bluetooth connection. Any device with Bluetooth
turned on and set to the "discoverable" state may be prone to a bluesnarfing attack.

 Bluejacking – this kind of attack allows the malicious user to send unsolicited (often spam)
messages to Bluetooth-enabled devices.

 Bluebugging – a hack attack on a Bluetooth-enabled device. Bluebugging enables the
attacker to initiate phone calls on the victim's phone as well as read through the address
book and messages and eavesdrop on phone conversations.


Fig: Top Network Attacks as per McAfee Labs, 2015

A few recent cyberattacks (or network attacks) that shook some big businesses around the
globe:

Premera Blue Cross

March 2015

The company, a health insurer based in Washington State, said up to 11
million customers could have been affected by a cyberattack last year.
Hackers gained access to its computers on May 5, and the breach was not
discovered until Jan. 29, Premera said. The breach could have exposed
members' names, dates of birth, Social Security numbers, mailing and
email addresses, phone numbers and bank account information. The
company is working with the F.B.I. and a cybersecurity firm to
investigate.


Anthem

February 2015

One of the nation’s largest health insurers said that the personal
information of tens of millions of its customers and employees, including its
chief executive, was the subject of a “very sophisticated external
cyberattack.”

The company added that hackers were able to breach a database that
contained as many as 80 million records of current and former customers,
as well as employees. The information accessed included names, Social
Security numbers, birthdays, addresses, email and employment information,
including income data.

Sony Pictures

November 2014

A huge attack that essentially wiped clean several internal data centers and
led to cancellation of the theatrical release of "The Interview," a comedy
about the fictional assassination of the North Korean leader Kim Jong-un.
Contracts, salary lists, film budgets, entire films and Social Security numbers
were stolen, including, to the dismay of top executives, leaked emails
that included criticisms of Angelina Jolie and disparaging remarks about
President Obama.

Staples

October 2014

The office supply retailer said hackers had broken into the company’s
network and compromised the information of about 1.16 million credit
cards.


Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a catalogue of known security threats. The catalogue
is sponsored by the United States Department of Homeland Security (DHS), and threats are divided
into two categories: vulnerabilities and exposures.
According to the CVE website, a vulnerability is a mistake in software code that provides an attacker
with direct access to a system or network. For example, the vulnerability may allow an attacker to
pose as a super user or system administrator who has full access privileges. An exposure, on the other
hand, is defined as a mistake in software code or configuration that provides an attacker with indirect
access to a system or network. For example, an exposure may allow an attacker to secretly gather
customer information that could be sold.
The catalogue's main purpose is to standardize the way each known vulnerability or exposure is
identified. This is important because standard IDs allow security administrators to quickly access
technical information about a specific threat across multiple CVE-compatible information sources.
CVE is sponsored by US-CERT, the DHS Office of Cybersecurity and Information Assurance (OCSIA).
MITRE, a not-for-profit organization that operates research and development centres sponsored by
the U.S. federal government, maintains the CVE catalogue and public website. It also manages the CVE
Compatibility Program, which promotes the use of standard CVE identifiers by authorized CVE
Numbering Authorities (CNAs).


Summary
 Information security analysts protect information stored on computer networks, applications,
etc., using special software that allows them to keep track of those who can access and who
have accessed data.
 There are three categories of information technology and information security:
o confidentiality
o integrity
o availability
 Key concerns in information asset security are theft, fraud/ forgery, unauthorized information
access, and interception or modification of data and data management systems.
 Vulnerability is a weakness in an information system, system security procedures, internal
controls or implementation that could be exploited or triggered by a threat source.
 Microsoft has proposed a threat classification called STRIDE from the initials of the threat
categories.
 Types of attacks: viruses, worms, Trojans and others.
 A network attack is usually defined as an intrusion on the network infrastructure that first
analyses the environment and collects information in order to exploit existing open ports or
vulnerabilities. This may include unauthorized access to organisation resources.
 The recommendations to protect against phishing and spear phishing include:
o Never open or download a file from an unsolicited email, even from someone you
know.
o Keep your operating system updated.
o Use a reputable anti-virus program.
o Enable two-factor authentication whenever available.
o Confirm the authenticity of a website prior to entering login credentials.
o Look for HTTPS in the address bar when you enter any sensitive personal information
on a website.


Practical activities:

Activity 1:

List various types of attacks, and get examples of each type of virus, trojan, worm and
other malware from the internet. Compare the list with your fellow students.

Activity 2:

Find out and study cases of attacks over the years and impact of those attacks on the
organisations where these occurred. Share details of 2-3 most interesting ones in the
class.

Activity 3:

Access the CVE catalogue and list all the types of information that can be obtained from it. Present
the same in class and elaborate upon the various ways in which that information can be used.


Check your understanding:

1. State the categories of security in IT security and information.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

2. Explain how a virus is different from a Trojan horse.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

3. State the reason why a Cavity virus is difficult to detect, unlike traditional viruses.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

4. State True or False:

a) Trojans do not self-replicate. _________________

b) Scareware is also known as "Rogue Security Software". ________________________

5. Explain what Riskware and Adware are.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

6. List a few common network attacks.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

UNIT II
Fundamentals of Information Security

This unit covers:

 Lesson Plan
2.1 Elements of information security
2.2 Principles and concepts – data security
2.3 Types of controls


Lesson Plan

Performance Outcomes
To be competent, you must be able to:
PC3. carry out security assessment of information security systems using automated tools
PC8. provide inputs to root cause analysis and the resolution of information security issues, where
required

Ensuring Measures
QA session and a descriptive write-up on understanding. Peer group, faculty group and industry
experts.

Work Environment/ Lab Requirement
 PCs/ tablets/ laptops
 Availability of labs (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Networking equipment (routers & switches)
 Firewalls and access points
 Access to all security sites like ISO, PCI DSS etc.
 Commercial tools like HP WebInspect and IBM AppScan etc.
 Open source tools like sqlmap, Nessus etc.

Performance Outcomes
You need to know and understand:
KA5. how to analyse root causes of information security issues
KA6. how to carry out information security assessments
KB4. how to identify and resolve information security vulnerabilities and issues

Ensuring Measures
KA6, KA7, KA8. Peer review with faculty with appropriate feedback.
KB1 – KB4. Going through the security standards over the internet by visiting sites like ISO, PCI DSS
etc., and understanding various methodologies and usage of algorithms.

Work Environment/ Lab Requirement
(same as above)


Lesson

2.1 Elements of Information Security

Network Security
Network security refers to any activity designed to protect your network. Specifically, these activities
protect the usability, reliability, integrity and safety of your network and data. Effective network
security targets a variety of threats and stops them from entering or spreading on your network.

No single solution protects you from a variety of threats. You need multiple layers of security. If one
fails, others still stand. Network security is accomplished through hardware and software. The
software must be constantly updated and managed to protect you from emerging threats.

Wireless networks, which by their nature expose the radio medium to anyone in range, are more vulnerable
than wired networks; they need to encrypt communications to counter sniffing and to continuously verify
the identity of mobile nodes. The mobility factor adds further challenges to security, namely
monitoring and maintaining secure transport of the traffic of mobile nodes. This concerns both
homogeneous and heterogeneous (inter-technology) mobility; the latter requires homogenization of the
security level of all networks visited by the mobile node.

From the terminal’s side, it is important to protect its resources (battery, disk, CPU) against misuse
and to ensure the confidentiality of its data. In an ad hoc or sensor network, it becomes essential to
ensure the terminal’s integrity as it plays the dual role of router and terminal.

The difficulty in designing security solutions that address these challenges lies not only in ensuring
robustness against potential attacks, or in ensuring that they do not slow down communications, but
also in optimizing the use of resources such as bandwidth, memory and battery. More importantly,
in this open context the wireless network must ensure anonymity and privacy while allowing
traceability for legal reasons. Indeed, the growing need for traceability is now necessary for the fight
against criminal organizations and terrorists, but also to minimize copyright piracy. Network
designers therefore face a dilemma: providing a network that supports the free exchange of information
while controlling the content of communications to avoid harmful content. In fact, this concerns both
wired and wireless networks. All these factors influence the selection and implementation of security
tools, which are guided by a prior risk assessment and security policy.

Finally, trust models are increasingly considered in the design of secured systems; these should
offer a higher level of trust than classical security mechanisms, and it seems that future networks should
implement both models: security and trust models.

In fact, if communication nodes are capable of building and maintaining a predefined trust level in
the network, then the communication system will be trustable all the time, thus allowing a trusted
and secure service deployment. However, such trust models are very difficult to design, and the trust
level is generally a biased concept at present, very similar to the human-based trust model. Note
that success in building such trust models will allow infrastructure-based networks, but especially
infrastructure-less or self-organized networks such as ad hoc sensor networks, to be trusted enough to deploy
several applications. This will also have an impact on current business models, where the economic
model would have to change in order to include new players in the telecommunication value chain,
such as users offering their machines to build an infrastructure-less network. For example, in the
context of ad hoc networks, we could imagine that ad hoc users become distributors of content or
provide other networked services, being a sort of service provider. In this case, an appropriate
charging and billing system needs to be designed.

A network security system usually consists of many components. Ideally, all components work
together, which minimizes maintenance and improves security.

Network security components often include:

• Anti-virus and anti-spyware

• Firewall to block unauthorized access to your network

• Intrusion Prevention Systems (IPS) to identify fast-spreading threats, such as zero-day
or zero-hour attacks

• Virtual Private Networks (VPNs) to provide secure remote access

• Communication security

Application Security
Application security (AppSec) is the use of software, hardware and procedural methods to protect
applications from external threats. AppSec is the operational solution to the problem of software risk.
AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application
irrespective of the function, language or platform.

As a best practice, AppSec employs proactive and preventative methods to manage software
risk, and align an organization’s security investments with the reality of today’s threats. It has
three distinct elements:

1) measurable reduction of risk in existing applications

2) prevention of introduction of new risks

3) compliance with software security mandates

A software vulnerability can be defined as a programmatic function that processes critical data
in an insecure way. These “holes” in an application can be exploited by a hacker, spy or
cybercriminal as an entry point to steal sensitive, protected or confidential data.


The severity and frequency of cyber-attacks is increasing, which is making the practice of AppSec
important. AppSec as a discipline is also becoming more complex as the variety of business software
continues to proliferate. Here are some of the reasons why (and see if these sound familiar):

Today’s enterprise software comes from a variety of sources –

• in-house development teams,
• commercial vendors,
• outsourced solution providers, and
• open source projects.

Software developers have an endless choice of programming languages to choose from – Java, .NET,
C++, PHP and more.

Applications can be deployed across myriad platforms – installed to operate locally, over virtual
servers and networks, accessed as a service in the cloud or run on mobile devices.

AppSec products must provide capabilities for managing security risk across all of these options as
each of these development and deployment options can introduce security vulnerabilities. An
effective software security strategy addresses both immediate and systemic risk.

The Application Security market has reached sufficient maturity to allow organizations of all sizes to
follow a well-established roadmap:

Begin with software security testing to find and assess potential vulnerabilities:

• Follow remediation procedures to prioritize and fix them.

• Train developers on secure coding practices.

• Leverage ongoing threat intelligence to keep up-to-date.

• Develop continuous methods to secure applications throughout the development life
cycle.

• Instantiate policies and procedures that instill good governance.

Testing and remediation form the baseline response to insecure applications, but the critical element
of a successful AppSec effort is ongoing developer training. Security-conscious development teams
write bulletproof code and avoid common errors. One example is data input validation, the process of
ensuring that a program operates with clean, correct and useful data. Neglecting this important step,
and failing to build in standard input validation rules or “check routines”, leaves the application open
to common attacks such as cross-site scripting and SQL injection.
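As an added illustration of the input validation point above (example code written for this section, not part of the handbook and not from any product it names), the Python snippet below places a lookup that splices user input into SQL text next to a hardened version that combines an allow-list “check routine” with a parameterized query. The table, its rows and the user names are constructed sample data.

```python
import re
import sqlite3


def make_sample_db():
    """Build an in-memory table with constructed sample users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the caller's string becomes part of the SQL text."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


# Allow-list "check routine": a lowercase letter, then 2-31 of [a-z0-9_].
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """Reject anything that is not a plausible user name before it reaches the query."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("invalid username")
    return value


def lookup_safe(conn, username):
    """Hardened version: validated input AND a parameterized query.

    The '?' placeholder makes sqlite3 pass the value as data, so even if the
    validation step were skipped the input could not change the query structure.
    """
    username = validate_username(username)
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def injection_succeeds(lookup, conn):
    """True if the textbook ' OR '1'='1 probe makes `lookup` return every row."""
    try:
        return len(lookup(conn, "x' OR '1'='1")) == 3
    except ValueError:
        return False  # the check routine refused the input


if __name__ == "__main__":
    db = make_sample_db()
    print("unsafe lookup returns all rows:", injection_succeeds(lookup_unsafe, db))
    print("safe lookup returns all rows:  ", injection_succeeds(lookup_safe, db))
```

The two layers are deliberate: the parameterized query is what actually prevents injection, while the allow-list check rejects malformed input early and gives the application a clear place to log and alert on it.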

When undertaken correctly, Application Security is an orderly process of reducing the risks associated
with developing and running business critical software. Properly managed, a good application security
program will move your organization from a state of unmanaged risk and reactive security to effective,
proactive risk mitigation.


Communications Security
Communications Security (COMSEC) ensures the security of telecommunications confidentiality and
integrity – the two information assurance (IA) pillars. Generally, COMSEC may refer to the security of
any information that is transmitted, transferred or communicated.

There are five COMSEC security types:

• Cryptosecurity: This encrypts data, rendering it unreadable until the data is decrypted.

• Emission Security (EMSEC): This prevents the release or capture of emanations from
equipment, such as cryptographic equipment, thereby preventing unauthorized
interception.

• Physical Security: This ensures the safety of, and prevents unauthorized access to,
cryptographic information, documents and equipment.

• Traffic-Flow Security: This hides messages and message characteristics flowing on a
network.

• Transmission Security (TRANSEC): This protects transmissions from unauthorized access,
thereby preventing interruption and harm.


2.2 Principles and Concepts – Data Security

Critical Information Characteristics

Figure: the three critical information characteristics – Confidentiality, Integrity and Availability

Information States
Information has three basic states: at any given moment, information is being transmitted, stored or
processed. The three states exist irrespective of the media in which information resides.

Figure: the three information states – Transmission, Processing and Storage

Information systems security concerns itself with the maintenance of three critical characteristics of
information: confidentiality, integrity and availability. These attributes of information represent the
full spectrum of security concerns in an automated environment. They are applicable for any
organization irrespective of its philosophical outlook on sharing information.

Prevention vs. detection

Security efforts to assure confidentiality, integrity and availability can be divided into those
oriented to prevention and those focused on detection. The latter aims to rapidly discover and
correct lapses that could not be (or at least were not) prevented. The balance between prevention
and detection depends on the circumstances and the available security technologies.

Basic information security concepts:
• Identification
• Authentication
• Authorization
• Confidentiality
• Integrity
• Availability
• Non-repudiation

• Identification is the first step in the ‘identify-authenticate-authorize’ sequence that is
performed countless times every day by humans and computers alike when access to
information or information processing resources is required. While the particulars of
identification systems differ depending on who or what is being identified, some intrinsic
properties of identification apply regardless of these particulars. Three of these
properties are the scope, locality and uniqueness of IDs.
Identification name spaces can be local or global in scope. To illustrate this concept, let’s
refer to the familiar notation of email addresses. While many email accounts named Gaurav
may exist around the world, the email address Gaurav@company.com unambiguously refers
to exactly one such user in the company.com locality. Provided that the company in question
is a small one and that only one employee is named Gaurav, his colleagues may refer to
that particular person by using only his first name. That works because they are in the
same locality and only one Gaurav works there. However, if Gaurav were someone on the
other side of the world or even across town, referring to Gaurav@company.com as simply
Gaurav would make no sense, because the user name Gaurav is not globally unique and refers
to different persons in different localities. This is one of the reasons why two user accounts
should never use the same name on the same system — not only because you would not be
able to enforce access controls based on non-unique and ambiguous user names, but also
because you would not be able to establish accountability for user actions.

• Authentication happens right after identification and before authorization. It verifies the
authenticity of the identity declared at the identification stage. In other words, it is at the
authentication stage that you prove you are indeed the person or the system you claim to
be. The three methods of authentication are what you know, what you have and what you
are. Regardless of the particular authentication method used, the aim is to obtain
reasonable assurance that the identity declared at the identification stage belongs to the
party in communication. It is important to note that reasonable assurance may mean
different degrees of assurance, depending on the particular environment and application,
and therefore may require different approaches to authentication. Authentication
requirements of a national-security-critical system naturally differ from authentication
requirements of a small company. As different authentication methods have different costs
and properties as well as different returns on investment, the choice of authentication
method for a particular system or organization should be made after these factors have
been carefully considered.

 Authorization is the process of ensuring that a user has sufficient rights to perform the
requested operation, and preventing those without sufficient rights from doing the same.
After declaring identity at the identification stage and proving it at the authentication stage,
users are assigned a set of authorizations (also referred to as rights, privileges or
permissions) that define what they can do on the system. These authorizations are most
commonly defined by the system’s security policy and are set by the security or system
administrator. These privileges may range from the extremes of “permit nothing” to “permit
everything” and include anything in between.

• Confidentiality means that only authorized persons have access to receive or use information,
documents etc. Unauthorized access to confidential information may have devastating
consequences, not only in national security applications, but also in commerce and industry.
The main mechanisms for protecting confidentiality in information systems are cryptography
and access controls. Examples of threats to confidentiality are malware, intruders, social
engineering, insecure networks and poorly administered systems.

• Integrity is concerned with the trustworthiness, origin, completeness and correctness of
information as well as the prevention of improper or unauthorized modification of
information. Integrity in the information security context refers not only to integrity of
information itself but also to origin integrity, i.e. integrity of the source of information.
Integrity protection mechanisms may be grouped into two broad types: preventive
mechanisms, such as access controls that prevent unauthorized modification of information,
and detective mechanisms, which are intended to detect unauthorized modifications when
preventive mechanisms have failed. Controls that protect integrity include the principles of least
privilege, separation and rotation of duties.

• Availability of information, although usually mentioned last, is not the least important pillar
of information security. Who needs confidentiality and integrity if the authorized users of
information cannot access and use it? Who needs sophisticated encryption and access
controls if the information being protected is not accessible to authorized users when they
need it? Therefore, despite being mentioned last in the C-I-A triad, availability is just as
important and as necessary a component of information security as confidentiality and
integrity. Attacks against availability are known as denial of service (DoS) attacks. Natural
and man-made disasters obviously may also affect availability as well as confidentiality and
integrity of information, though their frequency and severity greatly differ. Natural disasters
are infrequent but severe, whereas human errors are frequent but usually not as severe as
natural disasters. In both cases, business continuity and disaster recovery planning (which
at the very least includes regular and reliable backups) is intended to minimize losses.

• Non-repudiation in the information security context refers to one of the properties of
cryptographic digital signatures that offers the possibility of proving whether a particular
message has been digitally signed by the holder of a particular digital signature’s private key.


Non-repudiation is a somewhat controversial subject, partly because it is an important one
in this day and age of electronic commerce, and because it does not provide an absolute
guarantee. A digital signature owner who wishes to maliciously repudiate a transaction
may always claim that his/ her digital signature key was stolen by someone who actually
signed the digital transaction in question, thus repudiating the transaction.

The following types of non-repudiation services are defined in international standard ISO
14516:2002 (guidelines for the use and management of trusted third party services).

o Approval: non-repudiation of approval provides proof of who is responsible for approval
of the contents of a message.

o Sending: non-repudiation of sending provides proof of who sent the message.

o Origin: non-repudiation of origin is a combination of approval and sending.

o Submission: non-repudiation of submission provides proof that a delivery agent has
accepted the message for transmission.

o Transport: non-repudiation of transport provides proof for the message originator that
a delivery agent has delivered the message to the intended recipient.

o Receipt: non-repudiation of receipt provides proof that the recipient received the
message.

o Knowledge: non-repudiation of knowledge provides proof that the recipient recognized
the content of the received message.

o Delivery: non-repudiation of delivery is a combination of receipt and knowledge, as it
provides proof that the recipient received and recognized the content of the message.
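To tie the identification, authentication and authorization concepts above together, here is a small added Python example (written for this section, not taken from the handbook) that walks one request through all three stages and refuses to create a second account with a name already in use on the system. The account names, passwords and permission names are constructed; hashing passwords with PBKDF2 from Python’s standard library is this example’s implementation choice, not a method the handbook prescribes.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # work factor for the password hash (example choice)


class AccessSystem:
    """Toy identify-authenticate-authorize flow for one 'locality' (one system)."""

    def __init__(self):
        # username -> (salt, password_hash, frozenset of permitted operations)
        self._users = {}

    def register(self, username, password, permissions):
        """Identification requires names to be unique within this system."""
        if username in self._users:
            raise ValueError("user name %r already exists on this system" % username)
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest, frozenset(permissions))

    def identify(self, username):
        """Identification: does the declared name map to exactly one account?"""
        return username in self._users

    def authenticate(self, username, password):
        """Authentication ('what you know'): prove the declared identity."""
        salt, digest, _ = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        # constant-time comparison so the check does not leak how many bytes matched
        return hmac.compare_digest(candidate, digest)

    def authorize(self, username, operation):
        """Authorization: is the authenticated identity permitted this operation?"""
        _, _, permissions = self._users[username]
        return operation in permissions

    def request(self, username, password, operation):
        """Run the full sequence; report which stage denied the request, if any."""
        if not self.identify(username):
            return "denied:identification"
        if not self.authenticate(username, password):
            return "denied:authentication"
        if not self.authorize(username, operation):
            return "denied:authorization"
        return "allowed"


def demo():
    """Constructed scenario: one 'gaurav' account with read-only rights."""
    system = AccessSystem()
    system.register("gaurav", "correct horse battery staple", {"read"})
    results = {
        "duplicate_name_rejected": False,
        "read": system.request("gaurav", "correct horse battery staple", "read"),
        "wrong_password": system.request("gaurav", "guess", "read"),
        "write": system.request("gaurav", "correct horse battery staple", "write"),
        "unknown_user": system.request("nobody", "x", "read"),
    }
    try:
        system.register("gaurav", "another secret", {"write"})
    except ValueError:
        results["duplicate_name_rejected"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-24s %s" % (name, outcome))
```

Note that a production system would normally return the same generic “denied” message to the caller for the identification and authentication stages, keeping the stage distinction for its own audit log; the stage names are returned here only to make the sequence visible.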


Fun-Facts about Top Data Center Security-GOOGLE


2.3 Types of Controls

Central to information security is the concept of controls, which may be categorized by their
functionality (preventive, detective, corrective, deterrent, recovery and compensating) and plane of
application (physical, administrative or technical).

By functionality:

Preventive controls

Preventive controls are the first controls met by an adversary. These try to prevent security
violations and enforce access control. Like other controls, these may be physical, administrative
or technical. Doors, security procedures and authentication requirements are examples of
physical, administrative and technical preventive controls respectively.

Detective controls

Detective controls are in place to detect security violations and alert the defenders. They come
into play when preventive controls have failed or have been circumvented, and are no less crucial
than preventive controls. Detective controls include cryptographic checksums, file integrity
checkers, audit trails and logs and similar mechanisms.

Corrective controls

Corrective controls try to correct the situation after a security violation has occurred. Although a
violation has occurred, the data remains secure, so it makes sense to try to fix the situation.
Corrective controls vary widely, depending on the area being targeted, and they may be technical
or administrative in nature.

Deterrent controls

Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls
include notices of monitoring and logging as well as the visible practice of sound information
security management.

Recovery controls

Recovery controls are somewhat like corrective controls, but they are applied in more serious
situations to recover from security violations and restore information and information processing
resources. Recovery controls may include disaster recovery and business continuity mechanisms,
backup systems and data, emergency key management arrangements and similar controls.

Compensating controls

Compensating controls are intended to be alternative arrangements for other controls when the
original controls have failed or cannot be used. When a second set of controls addresses the same
threats that are addressed by another set of controls, it acts as a compensating control.


By plane of application:

Physical controls include doors, secure facilities, fire extinguishers, flood protection and air
conditioning.

Administrative controls are the organization’s policies, procedures and guidelines intended to
facilitate information security.

Technical controls are the various technical measures, such as firewalls, authentication systems,
intrusion detection systems and file encryption among others.

Access Control Models

Logical access control models are the abstract foundations upon which actual access control
mechanisms and systems are built. Access control is among the most important concepts in computer
security. Access control models define how computers enforce access of subjects (such as users, other
computers, applications and so on) to objects (such as computers, files, directories, applications,
servers and devices).

Three main access control models exist:

• Discretionary Access Control model
• Mandatory Access Control model
• Role-Based Access Control model

Discretionary Access Control (DAC)

The Discretionary Access Control model is the most widely used of the three models.

In the DAC model, the owner (creator) of information (file or directory) has the discretion to decide
about and set access control restrictions on the object in question, which may, for example, be a file
or a directory. The advantage of DAC is its flexibility. Users may decide who can access information
and what they can do with it — read, write, delete, rename, execute and so on. At the same time, this
flexibility is also a disadvantage of DAC because users may make wrong decisions regarding access
control restrictions or maliciously set insecure or inappropriate permissions. Nevertheless, the DAC
model remains the model of choice for the absolute majority of operating systems today, including
Solaris.

Mandatory Access Control (MAC)

Mandatory access control, as its name suggests, takes a stricter approach to access control. In systems
utilizing MAC, users have little or no discretion as to what access permissions they can set on their
information. Instead, mandatory access controls specified in a system-wide security policy are
enforced by the operating system and applied to all operations on that system. MAC based systems
use data classification levels (such as public, confidential, secret and top secret) and security clearance
labels corresponding to data classification levels to decide in accordance with the security policy set
by the system administrator what access control restrictions to enforce. Additionally, per group and/
or per domain access control restrictions may be imposed i.e. in addition to having the required
security clearance level, subjects (users or applications) must also belong to the appropriate group or
domain. For example, a file with a confidential label belonging only to the research group may not be
accessed by a user from the marketing group, even if that user has a security clearance level higher
than confidential (for example, secret or top secret). This concept is known as compartmentalization
or ‘need to know’.

Although MAC based systems, when used appropriately, are thought to be more secure than DAC
based systems, they are also much more difficult to use and administer because of the additional
restrictions and limitations imposed by the operating system. MAC based systems are typically used
in government, military and financial environments where higher than usual security is required and
where the added complexity and costs are tolerated. MAC is implemented in Trusted Solaris, a version
of the Solaris operating environment intended for high security environments.
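The research/marketing example above, as an added Python illustration written for this section (it is not the handbook’s code and not how Trusted Solaris implements MAC). It assumes the classification levels named in the text plus a set of need-to-know compartments on every label, and decides reads with the “no read up” rule of the Bell-LaPadula model; the “no write down” rule is also part of that model but is not discussed in the handbook, so treat it as an addition here.

```python
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    """A MAC label: a classification level plus need-to-know compartments."""

    def __init__(self, level, compartments=()):
        if level not in LEVELS:
            raise ValueError("unknown classification level: %r" % level)
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """True if this label is at least as high AND covers all of other's compartments."""
        return self.level >= other.level and other.compartments <= self.compartments


def can_read(clearance, object_label):
    """'No read up': the subject's clearance must dominate the object's label."""
    return clearance.dominates(object_label)


def can_write(clearance, object_label):
    """'No write down' (Bell-LaPadula *-property, not in the handbook): the object's
    label must dominate the clearance, so data cannot flow to a less restricted label."""
    return object_label.dominates(clearance)


def decide(clearance, object_label, action):
    """System-wide policy applied to every operation; unlike DAC, users cannot override it."""
    if action == "read":
        return can_read(clearance, object_label)
    if action == "write":
        return can_write(clearance, object_label)
    raise ValueError("unknown action: %r" % action)


def demo():
    """Constructed scenario from the text: a confidential file in the research compartment."""
    research_file = Label("confidential", {"research"})
    marketing_user = Label("secret", {"marketing"})   # higher level, wrong compartment
    research_user = Label("confidential", {"research"})
    public_board = Label("public")
    return {
        "marketing_reads_research": decide(marketing_user, research_file, "read"),
        "research_reads_research": decide(research_user, research_file, "read"),
        "research_writes_public": decide(research_user, public_board, "write"),
        "public_reader_reads_research": decide(Label("public"), research_file, "read"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-30s %s" % (case, "allowed" if allowed else "denied"))
```

The marketing user is refused despite holding a secret clearance: level alone is not enough, the compartment must match as well, which is exactly the compartmentalization (‘need to know’) point made above.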

Role-Based Access Control (RBAC)

In the role based access control model, rights and permissions are assigned to roles instead of
individual users. This added layer of abstraction permits easier and more flexible administration and
enforcement of access controls. For example, access to marketing files may be restricted only to the
marketing manager role, and users Ann, David, and Joe may be assigned the role of marketing
manager. Later, when David moves from the marketing department elsewhere, it is enough to revoke
his role of marketing manager, and no other changes would be necessary. When you apply this
approach to an organization with thousands of employees and hundreds of roles, you can see the
added security and convenience of using RBAC. Solaris has supported RBAC since release 8.
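The Ann/David/Joe scenario above, as an added Python example (written for this section, not the handbook’s code and unrelated to the Solaris RBAC implementation): permissions attach to a role, users are assigned the role, and moving David out of marketing is a single revocation with no change to the permissions themselves. Names, the role and the resource are the constructed values from the text.

```python
class RBAC:
    """Minimal role-based access control: permissions attach to roles, users to roles."""

    def __init__(self):
        self._role_permissions = {}  # role -> set of (resource, action)
        self._user_roles = {}        # user -> set of roles

    def grant(self, role, resource, action):
        """Attach a permission to a role (creates the role if needed)."""
        self._role_permissions.setdefault(role, set()).add((resource, action))

    def assign(self, user, role):
        """Give a user a role; the role must already be defined."""
        if role not in self._role_permissions:
            raise KeyError("undefined role: %r" % role)
        self._user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        """Remove a role from a user; permissions on the role are untouched."""
        self._user_roles.get(user, set()).discard(role)

    def is_permitted(self, user, resource, action):
        """A user may act if any of their roles carries that (resource, action)."""
        return any((resource, action) in self._role_permissions[role]
                   for role in self._user_roles.get(user, ()))

    def users_in_role(self, role):
        return sorted(u for u, roles in self._user_roles.items() if role in roles)


def demo():
    """Constructed scenario from the text."""
    rbac = RBAC()
    rbac.grant("marketing manager", "marketing files", "read")
    rbac.grant("marketing manager", "marketing files", "write")
    for person in ("Ann", "David", "Joe"):
        rbac.assign(person, "marketing manager")
    david_before = rbac.is_permitted("David", "marketing files", "read")
    rbac.revoke("David", "marketing manager")  # David moves to another department
    david_after = rbac.is_permitted("David", "marketing files", "read")
    return {
        "david_before": david_before,
        "david_after": david_after,
        "ann_still_allowed": rbac.is_permitted("Ann", "marketing files", "write"),
        "remaining_managers": rbac.users_in_role("marketing manager"),
    }


if __name__ == "__main__":
    print(demo())
```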

Centralized vs. Decentralized Access Control


Further distinction should be made between centralized and decentralized (distributed) access control
models. In environments with centralized access control, a single, central entity makes access control
decisions and manages the access control system whereas in distributed access control environments,
these decisions are made and enforced in a decentralized manner. Both approaches have their pros
and cons, and it is generally inappropriate to say that one is better than the other. The selection of a
particular access control approach should be made only after careful consideration of an
organization’s requirements and associated risks.

Security Vulnerability Management


Security vulnerability management is the current evolutionary step of vulnerability assessment
systems that began in the early 1990s with the advent of the network security scanner S.A.T.A.N.
(Security Administrator’s Tool for Analyzing Networks) followed by the 1st commercial vulnerability
scanner from ISS. While early tools mainly found vulnerabilities and produced lengthy reports, today’s
best-in-class solutions deliver comprehensive discovery and support the entire security vulnerability
management lifecycle.

A vulnerability can occur anywhere in the IT environment, and can be the result of many different root
causes. Security vulnerability management solutions gather comprehensive endpoint and network
intelligence, and apply advanced analytics to identify and prioritize the vulnerabilities that pose the
most risk to critical systems. The result is actionable data that enables IT security teams to focus on
the tasks that will most quickly and effectively reduce overall network risk with the fewest possible
resources.

Security vulnerability management is a closed-loop workflow that generally includes identifying
networked systems and associated applications, auditing (scanning) the systems and applications for
vulnerabilities and remediating the vulnerabilities. Any IT infrastructure component may present
existing or new security concerns and weaknesses, i.e. vulnerabilities, which may stem from product or
component faults or from inadequate configuration. Malicious code or unauthorized individuals may exploit
those vulnerabilities to cause damage, such as disclosure of credit card data. Vulnerability
management is the process of identifying those vulnerabilities and reacting appropriately to mitigate
the risk.

Vulnerability assessment and management is an essential piece for managing overall IT risk
because:

Persistent threats

Attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to
dominate headlines.

Regulation

Many government and industry regulations mandate rigorous vulnerability management
practices.

Risk management

Mature organizations treat it as a key risk management component. Organizations that follow
mature IT security principles understand the importance of risk management.

Properly planned and implemented threat and vulnerability management programs represent a key
element in an organization’s information security program, providing an approach to risk and threat
mitigation that is proactive and business aligned, not just reactive and technology focused.

Vulnerability Assessment
Vulnerability assessment includes assessing the environment for known vulnerabilities and assessing IT
components against the security configuration policies (by device role) that have been defined for the
environment. This is accomplished through scheduled vulnerability and configuration assessments of the
environment.

Network based vulnerability assessment (VA) has been the primary method employed to baseline
networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough and
accurate vulnerability assessments can be accomplished for managed systems via credentialed access.
Unmanaged systems can be discovered and a basic assessment can be completed. The ability to
evaluate databases and web applications for security weaknesses is crucial, considering the rise of
attacks that target these components.

Database scanners check database configuration and properties to verify whether they comply with
database security best practices.

Web application scanners test an application’s logic for “abuse” cases that can break or exploit the
application. Additional tools can be leveraged to perform more in-depth testing and analysis.

All three scanning technologies (network, application and database) assess a different class of security
weaknesses, and most organizations need to implement all three.

Risk assessment

Larger issues should be expressed in the language of risk (e.g. ISO 27005), specifically expressing
impact in terms of business impact. The business case for any remedial action should incorporate
considerations relating to the reduction of risk and compliance with policy. This forms the basis
of the action to be agreed on between the relevant line of business and the security team.

Risk analysis

“Fixing” the issue may involve acceptance of the risk, shifting of the risk to another party or reducing
the risk by applying remedial action, which could be anything from a configuration change to
implementing a new infrastructure (e.g. data loss prevention, firewalls, host intrusion prevention
software).

Elimination of the root cause of security weaknesses may require changes to user administration and
system provisioning processes. Many processes and often several teams may come into play (e.g.
configuration management, change management, patch management etc.). Monitoring and incident
management processes are also required to maintain the environment.

Vulnerability enumeration

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e. CVE Identifiers)
for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to
share data across separate network security databases and tools, and provide a baseline for
evaluating the coverage of an organization’s security tools. If a report from one of your security tools
incorporates CVE identifiers, you may then quickly and accurately access fix information in one or
more separate CVE compatible databases to remediate the problem.

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating
the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable,
accurate measurement while enabling users to see the underlying vulnerability characteristics that
were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for
industries, organizations and governments that need accurate and consistent vulnerability impact
scores.

Common Weakness Enumeration (CWE)

The Common Weakness Enumeration Specification (CWE) provides a common language of discourse
for discussing, finding and dealing with the causes of software security vulnerabilities as they are
found in code, design or system architecture. Each individual CWE represents a single vulnerability
type. CWEs are used as a classification mechanism that differentiates CVEs by the type of vulnerability
they represent. For more details see: Common Weakness Enumeration.


Remediation Planning
Prioritization

Vulnerability and security configuration assessments typically generate very long remediation work
lists, and this remediation work needs to be prioritized. When organizations initially implement
vulnerability assessment and security configuration baselines, they typically discover that a large
number of systems contain multiple vulnerabilities and security configuration errors. There is typically
more mitigation work to do than the resources available to accomplish it. Therefore, prioritization is
important.

Root Cause Analysis (RCA)

It is important to analyse security and vulnerability assessments in order to determine the root cause.
In many cases, the root cause of a set of vulnerabilities lies within the provisioning, administration and
maintenance processes of IT operations or within their development or the procurement processes of
applications. Elimination of the root cause of security weaknesses may require changes to user
administration and system provisioning processes.

What makes a good RCA?

An RCA is an analysis of a failure to determine the first (or root) failure that caused the ultimate
condition in which the system finds itself. For example, in an application crash one should be asking:
why did it crash this way?

A security analyst's job in performing an RCA is to keep asking the inquisitive "why" until no further
questions remain; what is left is the problem at the root of the situation.

Example: consider an application whose database was pilfered by hackers. The ultimate failure the
analyst is investigating is the exfiltration of consumer private data, but the SQL injection that
enabled it isn't the root cause. Why did the SQL injection happen? Was the root of the problem that the
developer responsible simply didn't follow the corporate policy for building SQL queries? Or was the
issue a failure to implement something like the OWASP ESAPI (the OWASP Enterprise Security API, a
free, open source web application security control library that makes it easier for programmers to
write lower-risk applications) in the appropriate manner? Or maybe the cause was a vulnerable piece of
open-source code that was incorporated into the corporate application without passing through the
full source code lifecycle process?

Your job when you're performing an RCA is to figure this out. Root cause analysis is critical in the
software security world. A number of automated solutions are also available for various types of RCA,
for example HP's web application security testing technology, which can link XSS issues to a single
line of code in the application input handler.

Decision trees and algorithms may be used as tools for further detailed analysis. To learn more, visit:
https://www.sans.org/reading-room/whitepapers/detection/decision-tree-analysis-intrusion-detection-how-to-guide-33678


[Bar chart: Ranking of cyber security objectives in terms of business priority, scored on a 0 to 5 scale.
The category labels were not preserved in the extracted text.]

 65% of organizations had an average of 3 DDoS attacks in the past 12 months.
 54 minutes of downtime during one DDoS attack.
 Average cost per minute of downtime is $22,000.
 Average annual cost of DDoS attacks is $3000,000.


Summary
 Elements of information security include network security, application security and
communication security
 Types of communication security are Cryptosecurity, Emission Security (EMSEC), Physical Security,
Traffic-Flow Security and Transmission Security (TRANSEC).
 Critical information characteristics are Confidentiality, Integrity and Availability.
 Information states include transmission, storage and processing.
 Basic information security concepts:
o Identification
o Authentication
o Authorization
o Confidentiality
o Integrity
o Availability
o Non-repudiation
 Types of control for information security can be classified into:
o Preventive
o Detective
o Corrective
o Deterrent
o Recovery
o Compensating
 Three main access control models exist:
o Discretionary Access Control model
o Mandatory Access Control model
o Role Based Access Control model
 A Root Cause Analysis is an analysis of a failure to determine the first (or root) failure that caused
the ultimate condition in which the system finds itself.


Practical activities:

Activity 1:

Investigate the various types of threats to network security, application security and
communication security and prepare a white paper on them. Also list the various
countermeasures or security devices that may be used to address them.
Present it in class.

Activity 2:

Collect information about various information security service companies’ websites, and
understand the various security services they offer. Carry out a comparison of the
various services or products offered and list their features and benefits.

Activity 3:

Collect information about the various categories of controls and state which controls fall
within each category. Discuss in groups the benefits and limitations of examples of each
type of control within a category.

Activity 4:

Collect information about the various elements of a decision tree and an algorithm. Create
algorithms and decision trees for various situations that arise when planning for the security
of information assets.


Check your understanding:


1. Write a short note on your understanding of the following basic information security concepts.
• Identification
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
• Authentication
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

• Authorization
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
• Confidentiality
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
• Integrity
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
• Availability
__________________________________________________________________________________

__________________________________________________________________________________


__________________________________________________________________________________

__________________________________________________________________________________
• Non-repudiation
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

2. Which are the three states of Information?


______________________________________

______________________________________

______________________________________

NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

_________________________________________________________________________________


UNIT III
Data Leakage and Prevention

This unit covers:

 Lesson Plan
3.1 Introduction Data Leakage
3.2 Organisational Data Classification, Location and Pathways
3.3 Content Awareness
3.4 Content Analysis Techniques
3.5 Data Protection
3.6 DLP Limitations
3.7 DRM – DLP Conundrum


Lesson Plan

Performance Outcomes

To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and
guidelines
PC3. carry out security assessment of information security systems using automated tools
PC11. comply with your organization’s policies, standards, procedures and guidelines when
contributing to managing information security

You need to know and understand:
KA12. your organization’s information security systems and tools and how to access and maintain
the same
KA13. standard tools and templates available and how to use these
KB4. how to identify and resolve information security vulnerabilities and issues

Ensuring Measures

For PC2, PC3 and PC11:
 Going through various organizations’ websites and understand the policies and guidelines
(Research).
 Project charter, Architecture (charts), Project plan, Poster presentation and Execution plan.

KA12. Going through various organizations’ websites and understand the policies and guidelines
(Research). Project charter, Architecture (charts), Project plan, Poster presentation and Execution
plan.
KA13. Creation of templates based on the learnings from KA1 to KA12.
KB1 – KB4. Going through the security standards over the internet by visiting sites like ISO, PCI DSS
etc., and understand various methodologies and usage of algorithms.

Work Environment/ Lab Requirement (for PC2, PC3 and PC11, and for KA1 to KA13)

 PCs/ tablets/ laptops
 Availability of labs (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Networking equipment (routers & switches)
 Firewalls and access points
 Access to all security sites like ISO, PCI DSS etc.
 Commercial tools like HP WebInspect and IBM AppScan etc.
 Open source tools like sqlmap, Nessus etc.


Lesson

3.1 Introduction to Data Leakage

Data leakage is defined as the accidental or unintentional distribution of private or sensitive
data to an unauthorized entity.

Sensitive data in companies and organizations include intellectual property (IP), financial
information, patient information, personal credit card data, and other information depending
on the business and the industry. Data leakage poses a serious issue for companies as the
number of incidents and the cost to those experiencing them continue to increase.

Data leakage is made more likely by the fact that transmitted data (both inbound and outbound),
including emails, instant messaging, website forms and file transfers among others, are largely
unregulated and unmonitored on their way to their destinations. Furthermore, in many cases, sensitive
data are shared among various stakeholders such as employees working from outside the organization’s
premises (e.g. on laptops), business partners and customers. This increases the risk that confidential
information will fall into unauthorized hands. Whether caused by malicious intent or an inadvertent
mistake by an insider or outsider, exposure of sensitive information can seriously hurt an organization.
The potential damage and adverse consequences of a data leakage incident can be classified into two
categories:

1) direct losses and 2) indirect losses.

Direct losses refer to tangible damage that is easy to measure or to estimate quantitatively. Indirect
losses, on the other hand, are much harder to quantify and have a much broader impact in terms of
cost, place and time.

Direct losses include violations of regulations (such as those protecting customer privacy) resulting in
fines; settlements or customer compensation fees; litigation involving lawsuits; loss of future sales;
costs of investigation and remedial or restoration fees. Indirect losses include reduced share price as
a result of negative publicity; damage to a company’s goodwill and reputation; customer
abandonment; and exposure of intellectual property (business plans, code, financial reports and
meeting agendas) to competitors.

Enterprises use Data Leakage Prevention (DLP) technology as one component in a comprehensive plan
for the handling and transmission of sensitive data. The technological means employed for enhancing
DLP can be divided into the following categories:

• Standard security measures
• Advanced/ intelligent security measures
• Access control and encryption
• Designated DLP systems


Standard security measures are used by many organizations and include common mechanisms such
as firewalls, intrusion detection systems (IDSs) and antivirus software that can provide protection
against both outsider attacks (e.g. a firewall which limits access to the internal network and an
intrusion detection system which detects attempted intrusions) and inside attacks (e.g. antivirus scans
to detect a Trojan horse that may be installed on a PC to send confidential information).

Another example is the use of thin clients which operate in a client-server architecture, with no
personal or sensitive data stored on a client’s computer. Policies and training for improving the
awareness of employees and partners provide additional standard security measures.

Advanced or intelligent security measures include machine learning and temporal reasoning
algorithms for detecting abnormal access to data (i.e. databases or information retrieval systems),
activity based verification (e.g. based on keystrokes and mouse patterns), detection of abnormal email
exchange patterns, and applying the honeypot concept for detecting malicious insiders.

Device control, access control and encryption are used to prevent access by an unauthorized user.
These are the simplest measures that can be taken to protect large amounts of personal data
against malicious outsider and insider attacks.

Designated DLP solutions are intended to detect and prevent attempts to copy or send sensitive data,
intentionally or unintentionally, without authorization, mainly by personnel who are authorized to
access the sensitive information. A major capability of such solutions is an ability to classify content as
sensitive. Designated DLP solutions are typically implemented using mechanisms such as exact data
matching, structured data fingerprinting, statistical methods (e.g. machine learning), rule and regular
expression matching, published lexicons, conceptual definitions and keywords.

Data Leakage Prevention (DLP) solutions are often also referred to as Information Leak Prevention
(ILP), Data Leak/ Loss Prevention (DLP), Outbound Content Compliance, Content Monitoring and
Filtering, Content Monitoring and Protection (CMP) or Extrusion Prevention.

A designated data leakage prevention solution is defined as a system that is designed to detect and
prevent the unauthorized access, use or transmission of confidential information.

Enterprise data generally exists in the following three major states:

 Data at rest: it resides in file systems, distributed desktops and large centralized data
stores, databases or other storage centers.
 Data at the endpoint or in use: it resides at network endpoints such as laptops; USB
devices; external drives; CD/ DVDs; archived tapes; MP3 players; iPhones or other highly
mobile devices.
 Data in motion: it moves through the network to the outside world via email, instant
messaging, peer-to-peer (P2P), FTP or other communication mechanisms.

Data in each state often requires different techniques for loss prevention. For example, although deep
content inspection is useful for data in motion, it doesn’t help so much for data at rest. Therefore, an
effective data loss prevention program should adopt appropriate techniques to cover all the
organization’s potential loss modes.


[Pie chart: Types of data leaked. Categories: NPI (e.g. customer data), confidential information, PHI
(e.g. patients' records) and intellectual property. The percentage shares were not preserved in the
extracted text.]

[Pie chart: Data leak vectors. Categories: HTTP, email, networked printer, end point, internal mail, IM,
webmail and others. The percentage shares were not preserved in the extracted text.]

Source: http://www.networksunlimited.com


3.2 Organizational Data Classification, Location and Pathways

Enterprises are often unaware of all of the types and locations of information they possess.

It is important, prior to purchasing a DLP solution, to identify and classify sensitive data types and their
flow from system to system and to users. This process should yield a data taxonomy or classification
system that will be leveraged by various DLP modules as they scan for and take action on information
that falls into the various classifications within the taxonomy. Analysis of critical business processes
should yield the required information.

Classifications can include categories such as private customer or employee data, financial data and
intellectual property. Once the data have been identified and classified appropriately, further analysis
of processes should facilitate the location of primary data stores and key data pathways.

Frequently multiple copies and variations of the same data are scattered across the enterprise on
servers, individual workstations, tape and other media. Copies are frequently made to facilitate
application testing without first cleansing the data of sensitive content. Having a good idea of the data
classifications and location of the primary data stores proves helpful in both the selection and
placement of the DLP solution.

Once the DLP solution is in place, it can assist in locating additional data locations and pathways. It is
also important to understand the enterprise’s data life cycle. Understanding the life cycle from point
of origin through processing, maintenance, storage and disposal will help uncover further data
repositories and transmission paths. Additional information should be collected by conducting an
inventory of all data egress points since not all business processes are documented and not all data
movement is a result of an established process. Analysis of firewall and router rule sets can aid these
efforts.

DLP features vs. DLP solutions

The DLP market is also split between DLP as a feature and DLP as a solution. A number of
products, particularly email security solutions, provide basic DLP functions, but aren't complete
DLP solutions. The difference is:

• A DLP product includes centralized management, policy creation and enforcement workflow
dedicated to the monitoring and protection of content and data. The user interface and
functionality are dedicated to solving the business and technical problems of protecting
content through content awareness.
• DLP features include some of the detection and enforcement capabilities of DLP
products, but are not dedicated to the task of protecting content and data.


3.3 Content Awareness

Content vs. Context

We need to distinguish content from context. One of the defining characteristics of DLP solutions is
their content awareness. This is the ability of products to analyse deep content using a variety of
techniques, and is very different from analysing context. It's easiest to think of content as a letter and
context as the envelope and environment around it.

Context includes things like source; destination; size; recipients; sender; header information;
metadata; time; format and anything else short of the content of the letter itself. Context is highly
useful and any DLP solution should include contextual analysis as part of an overall solution. A more
advanced version of contextual analysis is business context analysis, which involves deeper analysis of
the content, its environment at the time of analysis and the use of the content at that time.

Content awareness involves peering inside containers and analysing the content itself. The advantage
of content awareness is that while we use context, we're not restricted by it. If I want to protect a
piece of sensitive data, I would want to protect it everywhere and not just in obviously sensitive
containers. I'm protecting the data, not the envelope, so it makes a lot more sense to open the letter,
read it, and decide how to treat it. This is more difficult and time consuming than basic contextual
analysis and is the defining characteristic of DLP solutions.

Content Analysis
The first step in content analysis is capturing the envelope and opening it. The engine then needs to
parse the context (we'll need that for the analysis) and dig into it. This is easy for a plain text email,
but when you want to look inside binary files, it gets a little more complicated.

All DLP solutions solve this using file cracking. File cracking is the technology used to read and
understand the file, even if the content is buried multiple levels down. For example, it's not unusual
for the cracker to read an Excel spreadsheet embedded in a Word file that's zipped. The product needs
to unzip the file, read the Word doc, analyse it, find the Excel data, read it and analyse it.

Other situations get far more complex, like a .pdf embedded in a CAD file. Many of the products in the
market today support around 300 file types, embedded content, multiple languages, double-byte
character sets for Asian languages, and pulling plain text from unidentified file types. Quite a few use
the Autonomy or Verity content engines to help with file cracking, but all the serious tools have quite
a bit of proprietary capability in addition to the embedded content engine. Some tools support
analysis of encrypted data if enterprise encryption is used with recovery keys, and most tools can
identify standard encryption and use that as a contextual rule to block or quarantine content.


3.4 Content Analysis Techniques

Once the content is accessed, there are seven major analysis techniques used to find policy violations,
each with its own strengths and weaknesses.

1. Rule based/ Regular expressions: This is the most common analysis technique available in both DLP
products and other tools with DLP features. It analyses the content for specific rules, such as 16 digit
numbers that meet credit card checksum requirements, medical billing codes or other textual
analyses. Most DLP solutions enhance basic regular expressions with their own additional analysis
rules (e.g. a name in proximity to an address near a credit card number).

Best suited for: a first-pass filter, or for detecting easily identified pieces of structured data like
credit card numbers, social security numbers and healthcare codes/ records.

Strengths: rules process quickly and can be easily configured. Most products ship with initial rule sets.
The technology is well understood and easy to incorporate into a variety of products.

Weaknesses: prone to high false positive rates. Offers very little protection for unstructured content
like sensitive intellectual property.

2. Database fingerprinting: Sometimes called Exact Data Matching, this technique takes either a
database dump or live data (via ODBC connection) from a database and only looks for exact matches.
For example, you could generate a policy to look only for credit card numbers in your customer base,
thus ignoring your own employees buying online. More advanced tools look for combinations of
information, such as the magic combination of first name or initial with last name, credit card or social
security number that triggers a disclosure. Make sure you understand the performance and security
implications of nightly extracts vs. live database connections.

Best suited for: structured data from databases.

Strengths: very low false positives (close to 0). Allows you to protect customer/ sensitive data while
ignoring other, similar data used by employees (like their personal credit cards for online orders).

Weaknesses: nightly dumps won't contain transaction data since the last extract. Live connections can
affect database performance. Large databases affect product performance.

3. Exact file matching: With this technique you take a hash of a file and monitor for any files that
match that exact fingerprint. Some consider this to be a contextual analysis technique since the file
contents themselves are not analysed.

Best suited for: media files and other binaries where textual analysis isn't necessarily possible.

Strengths: works on any file type, low false positives with a large enough hash value (effectively none).

Weaknesses: trivial to evade. Worthless for content that's edited, such as standard office documents
and edited media files.

4. Partial document matching: This technique looks for a complete or partial match on protected
content. Thus you could build a policy to protect a sensitive document, and the DLP solution will look
for either the complete text of the document, or even excerpts as small as a few sentences. For
example, you could load up a business plan for a new product and the DLP solution would alert if an
employee pasted a single paragraph into an Instant Message. Most solutions are based on a technique
known as cyclical hashing, where you take a hash of a portion of the content, offset a predetermined
number of characters, then take another hash, and keep going until the document is completely
loaded as a series of overlapping hash values. Outbound content is run through the same hash
technique, and the hash values compared for matches. Many products use cyclical hashing as a base,
then add more advanced linguistic analysis.

Best suited for: protecting sensitive documents or similar content with text, such as CAD files (with
text labels) and source code; unstructured content that's known to be sensitive.

Strengths: ability to protect unstructured data. Generally low false positives (some vendors will say
zero false positives, but any common sentence/ text in a protected document can trigger alerts).
Doesn't rely on complete matching of large documents. It can find policy violations on even a partial
match.

Weaknesses: performance limitations on the total volume of content that can be protected. Common
phrases/ verbiage in a protected document may trigger false positives. Must know exactly which
documents you want to protect. Trivial to evade (a ROT1 shift of the text is sufficient for evasion).

5. Statistical analysis: Use of machine learning, Bayesian analysis and other statistical techniques to
analyse a corpus of content and find policy violations in content that resembles the protected content.
This category includes a wide range of statistical techniques which vary greatly in implementation and
effectiveness. Some techniques are very similar to those used to block spam.

Best suited for: unstructured content where a deterministic technique, like partial document
matching, would be ineffective. For example, a repository of engineering plans that's impractical to
load for partial document matching due to high volatility or massive volume.

Strengths: can work with more nebulous content where you may not be able to isolate exact
documents for matching. Can enforce policies such as "alert on anything outbound that resembles the
documents in this directory".

Weaknesses: prone to false positives and false negatives. Requires a large corpus of source content –
the bigger, the better.

6. Conceptual/ Lexicon: This technique uses a combination of dictionaries, rules and other analyses
to protect nebulous content that resembles an "idea". It's easier to give an example: a policy that
alerts on traffic that resembles insider trading, which uses key phrases, word counts and positions to
find violations. Other examples are sexual harassment, running a private business from a work account
and job hunting.

Best suited for: completely unstructured ideas that defy simple categorization based on matching
known documents, databases or other registered sources.

Strengths: not all corporate policies or content can be described using specific examples. Conceptual
analysis can find closely defined policy violations other techniques can't even think of monitoring for.

Weaknesses: in most cases, these are not user-definable and the rule sets must be built by the DLP
vendor with significant effort, which costs more. This technique is very prone to false positives and
negatives because of the flexible nature of the rules.

7. Categories: Pre-built categories with rules and dictionaries for common types of sensitive data,
such as credit card numbers/ PCI protection, HIPAA etc.

Best suited for: anything that neatly fits a provided category. Typically, easy to describe content
related to privacy, regulations or industry specific guidelines.

Strengths: extremely simple to configure. Saves significant policy generation time. Category policies
can form the basis for more advanced, enterprise specific policies. For many organizations, categories
can meet a large percentage of their data protection needs.

Weaknesses: one size fits all might not work. Only good for easily categorized rules and content.

These seven techniques form the basis for most of the DLP products on the market. Not all products
include all techniques, and there can be significant differences between implementations. Most
products can also chain techniques — building complex policies from combinations of content and
contextual analysis techniques.
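As an added example (not from the handbook or any vendor's rule set), the following Python sketch chains a pre-built category rule for payment card numbers with a small conceptual/ lexicon rule for "resembles insider trading", and adds one contextual condition (external destination). The phrase lists, weights, threshold and sample messages are constructed for illustration.

```python
import re

# --- Category technique: payment card numbers (PCI) --------------------------
# A bare regex for 13-19 digit runs also fires on order ids and phone numbers;
# the Luhn checksum is the category's built-in rule for cutting that noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid 13-19 digit numbers found in text, separators removed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# --- Conceptual/lexicon technique: "resembles insider trading" ---------------
# Constructed phrase lists; real vendor lexicons are far larger and tuned.
NONPUBLIC = ["not public yet", "before the announcement", "unreleased numbers",
             "material non-public"]
TRADE = ["buy shares", "sell shares", "short the stock", "dump your shares"]
PROXIMITY = 12            # words: a trade phrase near a non-public phrase
INSIDER_THRESHOLD = 4     # constructed score cut-off


def _words(text: str) -> list:
    return re.findall(r"[a-z0-9'-]+", text.lower())


def _positions(words: list, phrase: str) -> list:
    p = phrase.split()
    n = len(p)
    return [i for i in range(len(words) - n + 1) if words[i:i + n] == p]


def insider_trading_score(text: str) -> int:
    """Key phrases, counts and positions combined into one score."""
    words = _words(text)
    nonpub = [i for ph in NONPUBLIC for i in _positions(words, ph)]
    trade = [i for ph in TRADE for i in _positions(words, ph)]
    score = len(nonpub) + len(trade)
    if any(abs(a - b) <= PROXIMITY for a in nonpub for b in trade):
        score += 3            # the position rule: both ideas in one breath
    return score


def analyze(text: str, external: bool) -> list:
    """Chain the two content rules with one contextual rule (destination)."""
    violations = []
    # Contextual chaining: card numbers sent to an external party are a PCI
    # violation; the same content to an internal mailbox is allowed here.
    if external and find_card_numbers(text):
        violations.append("pci_card_number")
    if insider_trading_score(text) >= INSIDER_THRESHOLD:
        violations.append("insider_trading_lexicon")
    return violations


if __name__ == "__main__":
    # Constructed sample messages (4111... is a well-known test PAN).
    samples = [
        ("card 4111 1111 1111 1111 exp 12/27, please charge it", True),
        ("The unreleased numbers are not public yet, so buy shares today "
         "before the announcement", False),
        ("Order ref 1234567890123 shipped, call 555-0100", True),
    ]
    for text, external in samples:
        print(analyze(text, external), "<-", text[:40])
```

Note how the 13-digit order reference is matched by the regex but rejected by the Luhn rule, which is exactly the kind of false positive the category's dictionary-plus-rules packaging is meant to suppress.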

3.5 Data Protection

The goal of DLP is to protect content throughout its lifecycle. In terms of DLP, this includes three
major aspects:
• Data at Rest includes scanning of storage and other content repositories to identify where
sensitive content is located. We call this content discovery. For example, you can use a DLP
product to scan your servers and identify documents with credit card numbers. If the server
isn't authorized for that kind of data, the file can be encrypted or removed or a warning sent to
the file owner.

• Data in Motion is sniffing of traffic on the network (passively or inline via proxy) to identify
content being sent across specific communications channels. For example, this includes sniffing
emails, instant messages and web traffic for snippets of sensitive source code. In motion, tools
can often block based on central policies depending on the type of traffic.

• Data in Use is typically addressed by endpoint solutions that monitor data as the user interacts
with it. For example, they can identify when you attempt to transfer a sensitive document to a
USB drive and block it (as opposed to blocking use of the USB drive entirely). Data in use tools
can also detect things like copy and paste or use of sensitive data in an unapproved application
(such as someone attempting to encrypt data to sneak it past the sensors).

Many organizations first enter the world of DLP with network based products that provide broad
protection for managed and unmanaged systems. It’s typically easier to start a deployment with
network products to gain broad coverage quickly. Early products limited themselves to basic
monitoring and alerting, but all current products include advanced capabilities to integrate with
existing network infrastructure and provide protective, not just detective controls.

Data In Motion
Network Monitor

At the heart of most DLP solutions lies a passive network monitor. The network monitoring component
is typically deployed at or near the gateway on a SPAN port (or a similar tap). It performs full packet
capture, session reconstruction and content analysis in real time.

Performance is more complex and subtle than vendors normally discuss. First, on the client expectation
side, most clients claim they need full Gigabit Ethernet performance, but that level of performance is
unnecessary except in very unusual circumstances, since few organizations really run that high a level
of communications traffic. DLP is a tool to monitor employee communications, not web application
traffic. Realistically, we find that small enterprises normally run under 50 MB/s of relevant traffic,
medium enterprises run closer to 50-200 MB/s and large enterprises around 300 MB/s (maybe as high
as 500 MB/s in a few cases).

Not every product runs full packet capture because of the content analysis overhead. You might have
to choose between pre-filtering (and thus missing non-standard traffic) or buying more boxes and load
balancing. Also, some products lock monitoring into pre-defined port and protocol combinations,
rather than using service/ channel identification based on packet content. Even if full application
channel identification is included, you want to make sure it's enabled, otherwise you might miss
non-standard communications such as connecting over an unusual port.

Most network monitors are dedicated general purpose server hardware with DLP software installed. A
few vendors deploy true specialized appliances. While some products have their management, workflow
and reporting built into the network monitor, this is often offloaded to a separate server or appliance.

Email Integration

The next major component is email integration. Since email is stored and forwarded, you can gain a
lot of capabilities, including quarantine, encryption integration and filtering without the same hurdles
to avoid blocking synchronous traffic.

Most products embed an MTA (Mail Transport Agent) into the product, allowing you to just add it as
another hop in the email chain. Quite a few also integrate with some of the major existing MTAs/
email security solutions directly for better performance. One weakness of this approach is it doesn't
give you access to internal email. If you're on an Exchange server, internal messages never make it
through the external MTA since there's no reason to send that traffic out. To monitor internal mail,
you'll need direct Exchange/ Lotus integration, which is surprisingly rare in the market. Full integration
is different from just scanning logs/ libraries after the fact, which is what some companies call internal
mail support. Good email integration is absolutely critical if you ever want to do any filtering, as
opposed to just monitoring.

Filtering/ Blocking and Proxy Integration

Nearly anyone deploying a DLP solution will eventually want to start blocking traffic. There's only so
long you can take watching all your sensitive data running to the nether regions of the Internet before
you start taking some action. Blocking isn't the easiest thing in the world, especially since we're trying
to allow good traffic, block only bad traffic, and make the decision using real-time content analysis.
Email, as we mentioned, is fairly straightforward to filter. It's not quite real time and is ‘proxied’ by its
very nature. Adding one more analysis hop is a manageable problem in even the most complex
environments. Outside of email, most of our communications traffic is synchronous: everything runs
in real time. Thus if we want to filter it we either need to bridge the traffic, proxy it or poison it from
the outside.

Bridge

With a bridge, we just have a system with two network cards which performs content analysis in the
middle. If we see something bad, the bridge breaks the connection for that session. Bridging isn't the
best approach for DLP since it might not stop all the bad traffic before it leaks out. It's like sitting in a
doorway watching everything go past with a magnifying glass. By the time you get enough traffic to
make an intelligent decision, you may have missed the really good stuff. Very few products take this
approach although it does have the advantage of being protocol agnostic.

Proxy

In simplified terms, a proxy is protocol/ application specific and queues up traffic before passing it on,
allowing for deeper analysis. We see gateway proxies mostly for HTTP, FTP and IM protocols. Few DLP
solutions include their own proxies. They tend to integrate with existing gateway/ proxy vendors since
most customers prefer integration with these existing tools. Integration for web gateways is typically
through the ICAP protocol (Internet Content Adaptation Protocol), allowing the proxy to hand the
traffic to the DLP product for analysis and cut the communication if there's a violation. This means you
don't have to add another piece of hardware in front of your network traffic, and the DLP vendors can
avoid the difficulties of building dedicated network hardware for inline analysis. If the gateway
includes a reverse SSL proxy you can also sniff SSL connections. You will need to make changes on your
endpoints to deal with all the certificate alerts, but you can now peer into encrypted traffic. For instant
messaging, you'll need an IM proxy and a DLP product that specifically supports whatever IM protocol
you're using.

TCP Poisoning

The last method of filtering is TCP poisoning. You monitor the traffic and when you see something
bad, you inject a TCP reset packet to kill the connection. This works on every TCP protocol but isn't
very efficient. For one thing, some protocols will keep trying to get the traffic through. If you TCP
poison a single email message, the server will keep trying to send it for three days, as often as every
15 minutes. The other problem is the same as bridging. Since you don't queue the traffic at all, by the
time you notice something bad, it might be too late. It's a good stop-gap to cover non-standard
protocols, but you'll want to proxy as much as possible.

Internal Networks

Although technically capable of monitoring internal networks, DLP is rarely used on internal traffic
other than email. Gateways provide convenient choke points. Internal monitoring is a daunting
prospect from cost, performance, and policy management/ false positive standpoints. A few DLP
vendors have partnerships for internal monitoring, but this is a lower priority feature for most
organizations.

Distributed and Hierarchical Deployments

All medium to large enterprises and many smaller organizations have multiple locations and web
gateways. A DLP solution should support multiple monitoring points, including a mix of passive
network monitoring, proxy points, email servers and remote locations. While processing/ analysis can
be offloaded to remote enforcement points, they should send all events back to a central management
server for workflow, reporting, investigations and archiving. Remote offices are usually easy to
support since you can just push policies down and reporting back, but not every product has this
capability. The more advanced products support hierarchical deployments for organizations that want
to manage DLP differently in multiple geographic locations or by business unit. International
companies often need this to meet legal monitoring requirements which vary by country. Hierarchical
management supports coordinated local policies and enforcement in different regions, running on
their own management servers and communicating back to a central management server. Early
products only supported one management server but now we have options to deal with these
distributed situations with a mix of corporate/ regional/ business unit policies, reporting and
workflow.

Data At Rest
While catching leaks on the network is fairly powerful, it's only one small part of the problem. Many
customers are finding that it's just as valuable, if not more valuable, to figure out where all that data
is stored in the first place. We call this content discovery. Enterprise search tools might be able to help
with this, but they really aren't tuned well for this specific problem. Enterprise data classification tools
can also help, but based on discussions with a number of clients, they don't seem to work well for
finding specific policy violations. Thus we see many clients opting to use the content discovery features
of their DLP products. The biggest advantage of content discovery in a DLP tool is that it allows you to
take a single policy, and apply it across data no matter where it's stored, how it's shared, or how it's
used. For example, you can define a policy that requires credit card numbers to only be emailed when
encrypted, never be shared via HTTP or HTTPS, only be stored on approved servers and only be stored
on workstations/ laptops by employees on the accounting team. All of this can be specified in a single
policy on the DLP management server.

Content discovery consists of three components:

• Endpoint discovery: scanning workstations and laptops for content.

• Storage discovery: scanning mass storage, including file servers, SAN and NAS.

• Server discovery: application specific scanning of stored data on email servers, document
management systems and databases (not currently a feature of most DLP products, but
beginning to appear in some Database Activity Monitoring products).

Content Discovery Techniques

There are three basic techniques for content discovery:

1. Remote scanning: a connection is made to the server or device using a file sharing or application
protocol, and scanning is performed remotely. This is essentially mounting a remote drive and
scanning it from a server that takes policies from, and sends results to, the central policy server.
For some vendors this is an appliance, while for others it's a commodity server. For smaller
deployments, it's integrated into the central management server.

2. Agent-based scanning: an agent is installed on the system (server) to be scanned and scanning is
performed locally. Agents are platform specific and use local CPU cycles, but can potentially
perform significantly faster than remote scanning, especially for large repositories. For endpoints,
this should be a feature of the same agent used for enforcement.

3. Memory-resident agent scanning: rather than deploying a full-time agent, a memory resident
agent is installed, which performs a scan, then exits without leaving anything running or stored on
the local system. This offers the performance of agent-based scanning in situations where you
don't want an agent running all the time.

Any of these technologies can work for any of the modes, and enterprises will typically deploy a mix
depending on policy and infrastructure requirements.

We currently see technology limitations with each approach which guide deployment:
• Remote scanning can significantly increase network traffic and has performance limitations based
on network bandwidth and target and scanner network performance. Some solutions can only
scan gigabytes per day (sometimes hundreds, but not terabytes per day), per server based on
these practical limitations, which may be inadequate for very large storage.
• Agents, temporal or permanent, are limited by processing power and memory on the target
system, which often translates to restrictions on the number of policies that can be enforced, and
the types of content analysis that can be used. For example, most endpoint agents are not capable
of partial document matching or database fingerprinting against large data sets. This is especially
true of endpoint agents which are more limited.
• Agents don't support all platforms.

Data at Rest Enforcement

Once a policy violation is discovered, the DLP tool can take a variety of actions:
• Alert/ report: create an incident in the central management server just like a network violation.
• Warn: notify the user via email that they may be in violation of policy.
• Quarantine/ notify: move the file to the central management server and leave a text file with
instructions on how to request recovery of the file.
• Quarantine/ encrypt: encrypt the file in place, usually leaving a plain text file describing how to
request decryption.
• Quarantine/ access control: change access controls to restrict access to the file.
• Remove/ delete: either transfer the file to the central server without notification or just delete it.

The combination of different deployment architectures, discovery techniques and enforcement
options creates a powerful combination for protecting data at rest and supporting compliance
initiatives. For example, we're starting to see increasing deployments of CMF (Content Monitoring and
Filtering, an earlier name for DLP) to support PCI compliance — more for the ability to ensure (and
report) that no cardholder data is stored in violation of PCI than to protect email or web traffic.
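As an added example (not the handbook's or any product's code), the following Python module carries out the data-at-rest enforcement actions listed above for a file that content discovery has flagged, under a constructed policy: cardholder data found on a server that is not authorized for it is quarantined with a notice left for the owner, while on an authorized server it is only reported. The in-memory incident and notice lists stand in for the central management server; quarantine/ encrypt is omitted because it needs the enterprise key management not shown here.

```python
import os
import shutil
import tempfile
import time
from dataclasses import dataclass, asdict
from pathlib import Path


@dataclass
class Finding:
    path: str    # file flagged by content discovery
    owner: str   # file owner, for warnings
    server: str  # host the file was found on
    rule: str    # matching policy rule, e.g. "pci_card_number"


# Stand-ins for the central management server's incident store and mail-out.
INCIDENTS: list = []
NOTICES: list = []

# Constructed policy data: hosts authorized to hold cardholder data.
AUTHORIZED_SERVERS = {"pci-vault-01"}


def _incident(f: Finding, action: str) -> dict:
    incident = {"time": time.time(), "action": action, **asdict(f)}
    INCIDENTS.append(incident)
    return incident


def alert(f: Finding) -> dict:
    """Alert/ report: record an incident, just like a network violation."""
    return _incident(f, "alert")


def warn(f: Finding) -> dict:
    """Warn: tell the owner they may be in violation (email in a real product)."""
    NOTICES.append({"to": f.owner, "text": f"{f.path} may violate policy {f.rule}"})
    return _incident(f, "warn")


def quarantine_notify(f: Finding, quarantine_dir: str) -> dict:
    """Quarantine/ notify: move the file away and leave recovery instructions."""
    src = Path(f.path)
    dest = Path(quarantine_dir) / f.server / src.name
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dest))
    note = src.parent / (src.name + ".quarantined.txt")
    note.write_text(f"{src.name} was quarantined under policy {f.rule}.\n"
                    f"To request recovery, open a ticket quoting: {dest}\n")
    incident = _incident(f, "quarantine_notify")
    incident["quarantine_path"] = str(dest)
    return incident


def quarantine_access_control(f: Finding) -> dict:
    """Quarantine/ access control: restrict the file in place (POSIX bits)."""
    os.chmod(f.path, 0o000)
    return _incident(f, "quarantine_access_control")


def remove(f: Finding, central_dir: str = None) -> dict:
    """Remove/ delete: transfer to the central server silently, or delete."""
    if central_dir:
        dest = Path(central_dir) / f.server / Path(f.path).name
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(f.path, str(dest))
    else:
        os.remove(f.path)
    return _incident(f, "remove")


def choose_action(f: Finding) -> str:
    """Constructed policy: cardholder data off the authorized hosts is quarantined."""
    if f.rule == "pci_card_number" and f.server not in AUTHORIZED_SERVERS:
        return "quarantine_notify"
    return "alert"


def enforce(f: Finding, quarantine_dir: str) -> dict:
    if choose_action(f) == "quarantine_notify":
        return quarantine_notify(f, quarantine_dir)
    return alert(f)


def demo() -> dict:
    """Run enforcement against a constructed file share in a temp directory."""
    root = Path(tempfile.mkdtemp())
    shared = root / "fileshare" / "customers.csv"
    shared.parent.mkdir(parents=True)
    shared.write_text("name,pan\nAlice,4111111111111111\n")  # constructed sample
    finding = Finding(str(shared), "alice", "fs-shared-02", "pci_card_number")
    incident = enforce(finding, str(root / "quarantine"))
    return {
        "action": incident["action"],
        "original_gone": not shared.exists(),
        "quarantined": Path(incident["quarantine_path"]).exists(),
        "notice_left": (shared.parent / "customers.csv.quarantined.txt").exists(),
    }


if __name__ == "__main__":
    print(demo())
```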

Data In Use

DLP usually starts on the network because that's the most cost-effective way to get the broadest
coverage. Network monitoring is non-intrusive (unless you have to crack SSL), and offers visibility to
any system on the network, managed or unmanaged, server or workstation. Filtering is more difficult,
but again still relatively straightforward on the network (especially for email) and covers all systems
connected to the network. However, this isn't a complete solution. It doesn't protect data when
someone walks out the door with a laptop, and can't even prevent people from copying data to
portable storage like USB drives. To move from a "leak prevention" solution to a "content protection"
solution, products need to expand not only to stored data, but to the endpoints where data is used.

Note: Although there have been large advancements in endpoint DLP, endpoint-only solutions are not
recommended for most users. DLP endpoint solutions normally require compromise on the number
and types of policies that can be enforced, offer limited email integration, and provide no protection
for unmanaged systems. An organisation will need both network and endpoint capabilities, and most
of the leading network solutions are adding or already offer at least some endpoint protection.

Adding an endpoint agent to a DLP solution not only gives you the ability to discover stored content,
but to potentially protect systems no longer on the network or even protect data as it's being actively
used. While extremely powerful, it has been problematic to implement. Agents need to perform
within the resource constraints of a standard laptop while maintaining content awareness. This can
be difficult if you have large policies such as, "protect all 10 million credit card numbers from our
database", as opposed to something simpler like, "protect any credit card number" that will generate
false positives every time an employee visits, say, flipkart.com.

Key capabilities: existing products vary widely in functionality, but we can break out three key
capabilities:

1. Monitoring and enforcement within the network stack: this allows enforcement of network
rules without a network appliance. The product should be able to enforce the same rules as if
the system were on the managed network as well as separate rules designed only for use on
unmanaged networks.

2. Monitoring and enforcement within the system kernel: by plugging directly into the operating
system kernel you can monitor user activity, such as copying and pasting sensitive content. This
can also allow products to detect (and block) policy violations when the user is taking sensitive
content and attempting to hide it from detection, perhaps by encrypting it or modifying source
documents.

3. Monitoring and enforcement within the file system: this allows monitoring and enforcement
based on where data is stored. For example, you can perform local discovery and/ or restrict
transfer of sensitive content to unencrypted USB devices.

These options are simplified, and most early products focus on 1 and 3 to solve the portable storage
problem, and protect devices on unmanaged networks. System/ kernel integration is much more
complex and there are a variety of approaches to gaining this functionality.

Endpoint DLP is evolving to support a few critical use cases:


• Enforcing network rules off the managed network or modifying rules for more hostile
networks.
• Restricting sensitive content from portable storage, including USB drives, CD/ DVD drives,
home storage and devices like smartphones and PDAs.
• Restricting copy and paste of sensitive content.
• Restricting applications allowed to use sensitive content, for example, only allowing
encryption with an approved enterprise solution, not tools downloaded online that don't
allow enterprise data recovery.
• Integration with Enterprise Digital Rights Management to automatically apply access control
to documents based on the included content.
• Auditing use of sensitive content for compliance reporting.

The following features are highly desirable when deploying DLP at the endpoint:

• Endpoint agents and rules should be centrally managed by the same DLP management server
that controls data in motion and data at rest (network and discovery).
• Policy creation and management should be fully integrated with other DLP policies in a single
interface.
• Incidents should be reported to, and managed by, a central management server.
• The endpoint agent should use the same content analysis techniques and rules as the network
servers/ appliances.
• Rules (policies) should adjust based on where the endpoint is located (on or off the network).
When the endpoint is on a managed network with gateway DLP, redundant local rules should
be skipped to improve performance.
• Agent deployment should integrate with existing enterprise software deployment tools.
• Policy updates should offer options for secure management via the DLP management server
or existing enterprise software update tools.

Endpoint limitations

Realistically, the performance and storage limitations of the endpoint will restrict the types of
content analysis supported and the number and type of policies that are locally enforced. For
some enterprises, this might not matter depending on the kinds of policies to be enforced, but
in many cases endpoints impose significant constraints on data in use policies.


3.6 DLP Limitations

While DLP solutions can go far in helping an enterprise gain greater insight over and control of
sensitive data, stakeholders need to be apprised of limitations and gaps in DLP solutions.
Understanding these limitations is the first step in the development of strategies and policies to help
compensate for the limitations of the technology.

Some of the most significant limitations common among DLP solutions are:

• Encryption — DLP solutions can only inspect encrypted information that they can first decrypt. To
do this, DLP agents, network appliances and crawlers must have access to, and be able to utilize,
the appropriate decryption keys. If users have the ability to use personal encryption packages
where keys are not managed by the enterprise and provided to the DLP solution, the files cannot
be analyzed. To mitigate this risk, policies should forbid the installation and use of encryption
solutions that are not centrally managed, and users should be educated that anything that cannot
be decrypted for inspection (meaning that the DLP solution has the encryption key) will ultimately
be blocked.

• Graphics — DLP solutions cannot intelligently interpret graphics files. Short of blocking or
manually inspecting all such information, a significant gap will exist in an enterprise’s control of
its information. Sensitive information scanned into a graphics file, or intellectual property (IP) that
exists in a graphics format such as design documents, would fall into this category. Enterprises
that have significant IP in a graphics format should develop strong policies that govern the use and
dissemination of this information. While DLP solutions cannot intelligently read the contents of a
graphics file, they can identify specific file types, their source and destination. This capability,
combined with well-defined traffic analysis, can flag uncharacteristic movement of this type of
information and provide some level of control.

• Third-party service providers — When an enterprise sends its sensitive information to a trusted
third party, it is inherently trusting that the service provider mirrors the same level of control over
information leaks, since the enterprise’s DLP solutions rarely extend to the service provider’s
network. A robust third-party management program that incorporates effective contract language
and a supporting audit program can help mitigate this risk.

• Mobile devices — With the advent of mobile computing devices, such as smartphones, there are
communication channels that are not easily monitored or controlled. Short message service (SMS),
the communication protocol that allows text messaging, is a key example. Another
consideration is the ability of many of these devices to utilize Wi-Fi or even become a Wi-Fi hotspot
themselves. Both cases allow for out-of-band communication that cannot be monitored by most
enterprises. Finally, the ability of many of these devices to capture and store digital photographs
and audio information presents yet another potential gap. While some progress is being made in
this area, the significant limitations of processing power and centralized management remain a
challenge. Again, this situation is best addressed by the development of strong policies and
supporting user education to compel appropriate use of these devices.

• Multilingual support — A few DLP solutions support multiple languages, but virtually all
management consoles support only English. It is also true that for each additional language and
character set the system must support, processing requirements and time windows for analysis
increase. Until such time that vendors recognize sufficient market demand to address this gap,
there is little recourse but to seek other methods to control information leaks in languages other
than English. Multinational enterprises must carefully consider this potential gap when evaluating
and deploying a DLP solution.

These points are not intended to discourage the adoption of DLP technology. For the gaps above, the
only recourse for most enterprises is the adoption of behavioral policies and physical security controls
that complement the suite of technology controls available today. Further limitations to consider are:

• Solution lock-in — At this time there is no portability of rule sets across various DLP platforms,
which means that changing from one vendor to another or integration with an acquired
organization’s solution can require significant work to replicate a complex rule set in a different
product.

• Limited client OS support — Many DLP solutions do not provide endpoint DLP agents for
operating systems such as Linux and Mac because their use as clients in the enterprise is much less
common. This does, however, leave a potentially significant gap for enterprises that have a
number of these clients. This risk can only be addressed by behavior oriented policies or requires
the use of customized solutions that are typically not integrated with the enterprise DLP platform.

• Cross application support — DLP functions can also be limited by application types. A DLP agent
that can monitor the data manipulations of one application may not be able to do so for another
application on the same system. Enterprises must ensure that all applications that can manipulate
sensitive data are identified and must verify that the DLP solution supports them. In cases where
unsupported applications exist, other actions may be required through policy, or if feasible,
through removal of the application in question.

The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft
or exposure of personally identifiable information (PII). DataLossDB's dataset, in current and previous
forms, has been used in research by numerous educational, governmental and commercial entities,
which often have been able to provide statistical analysis with graphical presentations.

The charts below are provided in "as-is" format based on the current dataset maintained by the Open
Security Foundation and DataLossDB.

3.7 The DRM – DLP Conundrum

Digital Rights Management (DRM) is a system for protecting the copyrights of data circulated via the
Internet or other digital media by enabling secure distribution and/ or disabling illegal distribution of
the data. Typically, a DRM system protects intellectual property by either encrypting the data so that
it can only be accessed by authorized users or marking the content with a digital watermark or similar
method so that the content cannot be freely distributed. It is the practice of imposing technological
restrictions that control what users can do with digital media. When a program is designed to prevent
you from copying or sharing a song, reading an ebook on another device, or playing a single player
game without an internet connection, you are being restricted by DRM. In other words, DRM creates
a damaged good – it prevents you from doing what would be possible without it. This concentrates
control over production and distribution of media, giving DRM peddlers the power to carry out
massive digital book burnings and conduct large scale surveillance over people's media viewing habits.

Enterprise Digital Rights Management (DRM) and Data Loss Prevention (DLP) are typically thought of
as separate technologies that could replace each other. DRM encrypts files and controls access
privileges dynamically as a file is in use. DLP detects patterns and can restrict movement of
information that meets certain criteria. Rather than being competitive, the reality is that many
organizations can use them as complementary solutions.

DLP’s ability to scan, detect data patterns and enforce appropriate actions using contextual awareness
reduces the risk of losing sensitive data. A drawback of DLP is that it does not provide any protection
in case users have to send confidential information legitimately to a business partner or
customer. DLP cannot protect information once it is outside the organization’s perimeter.

DLP is very good at monitoring the flow of data throughout an organization and applying predefined
policies at endpoint devices or the network. The policies can log activities, send warnings to end users
and administrators, quarantine data or block it altogether.

The challenge is that most businesses need to share sensitive data with outside people. Considering
most data leaks originate from trusted insiders who have or had access to sensitive documents,
organizations must complement and empower the existing security infrastructure with a data centric
security solution that protects data in use persistently. That is where DRM comes in. DRM ensures
that only intended recipients can view sensitive files regardless of their location. This assures
protection of data beyond controlled boundaries so that an organization is always in control of its
information. DRM policy stays with the document even if it is renamed or saved to another format,
like a PDF. This provides a more complete solution to limit the possibility of a data breach.

By integrating DLP and DRM, organizations may be able to:

• allow DLP to scan DRM-protected documents, and apply DLP policies
• enforce DLP policy engines to encrypt or reclassify a file to create a DRM protected document
• secure data persistently and reduce the risk of losing it from both insiders and outsiders.

DLP alone cannot control data in use by authorized internal or external users. Adding DRM
ensures that vulnerabilities are minimized and that an organization can immediately deny
access to any file regardless of its location.

Summary
• Data leakage is defined as the accidental or unintentional distribution of private or sensitive
data to an unauthorized entity.
• Sensitive data in companies and organizations include intellectual property (IP), financial
information, patient information, personal credit card data and other information depending
on the business and the industry. Data leakage poses a serious issue for companies as the
number of incidents and the cost to those experiencing them continue to increase.
• Enterprises use Data Leakage Prevention (DLP) technology as one component in a
comprehensive plan for the handling and transmission of sensitive data. The technological
means employed for enhancing DLP can be divided into the following categories:
o standard security measures
o advanced/ intelligent security measures
o access control and encryption
o designated DLP systems
• Device control, access control and encryption are used to prevent access by an unauthorized
user. These are the simplest measures that can be taken to protect large amounts of personal
data against malicious outsider and insider attacks.
• Designated DLP solutions are intended to detect and prevent attempts to copy or send sensitive
data, intentionally or unintentionally, without authorization, mainly by personnel who are
authorized to access the sensitive information. A major capability of such solutions is an ability
to classify content as sensitive.
• Designated DLP solutions are typically implemented using mechanisms such as exact data
matching, structured data fingerprinting, statistical methods (e.g. machine learning), rule and
regular expression matching, published lexicons, conceptual definitions and keywords.
• Content discovery consists of three components:
o Endpoint discovery
o Storage discovery
o Server discovery
• Some of the most significant limitations common among DLP solutions are:
o Encryption — DLP solutions can only inspect encrypted information that they can first
decrypt.
o Graphics — DLP solutions cannot intelligently interpret graphics files.
o Third-party service providers — When an enterprise sends its sensitive information to a
trusted third party, it is inherently trusting that the service provider mirrors the same level
of control over information leaks, since the enterprise’s DLP solutions rarely extend to the
service provider’s network.
o Mobile devices — With the advent of mobile computing devices, such as smartphones,
there are communication channels that are not easily monitored or controlled.
o Multilingual support — A few DLP solutions support multiple languages, but virtually all
management consoles support only English.
• DRM, short for Digital Rights Management, is a system for protecting the copyrights of data
circulated via the internet or other digital media by enabling secure distribution and/ or
disabling illegal distribution of the data.
• Typically, a DRM system protects intellectual property by either encrypting the data so that it
can only be accessed by authorized users, or by marking the content with a digital watermark or
similar method so that the content cannot be freely distributed.
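To make the detection mechanisms in the summary concrete, the following is an added example (not part of the handbook, and not any vendor's product): a minimal DLP content classifier that combines rule/regular-expression matching (card numbers validated with the Luhn check to cut false positives), exact data matching against keyed fingerprints of known records, and a published lexicon of keywords. All record values, key material and sample messages are constructed for the example.

```python
"""Minimal DLP content classifier (added example, constructed data only)."""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass

# Exact data matching (EDM): the classifier never stores the raw sensitive
# values, only keyed hashes of them, so the fingerprint database itself is
# not a leak if it is copied. The key is an assumption for this example.
EDM_KEY = b"constructed-demo-key"


def fingerprint(value: str) -> str:
    """Normalise one record value (strip whitespace, lower-case) and hash it."""
    norm = re.sub(r"\s+", "", value).lower()
    return hmac.new(EDM_KEY, norm.encode(), hashlib.sha256).hexdigest()


# Constructed patient-ID records registered with the DLP system.
KNOWN_RECORDS = {fingerprint(v) for v in ("AB-1234567", "CD-7654321")}

# Constructed lexicon of confidential terms (keyword matching).
LEXICON = {"project falcon", "quarterly forecast"}

# Rule/regex matching: candidate 13-16 digit numbers with optional separators,
# and the shape of the constructed patient IDs (two letters, dash, 7 digits).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
ID_RE = re.compile(r"\b[A-Z]{2}-\d{7}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs the regex alone would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    rule: str       # which mechanism fired
    evidence: str   # what it matched (card numbers are masked)


def classify(text: str) -> list[Finding]:
    """Run all three mechanisms over one message and return the findings."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(Finding("regex:card", "****" + digits[-4:]))
    for m in ID_RE.finditer(text):
        if fingerprint(m.group()) in KNOWN_RECORDS:
            findings.append(Finding("edm:patient-id", m.group()))
    low = text.lower()
    for term in sorted(LEXICON):
        if term in low:
            findings.append(Finding("lexicon", term))
    return findings


def decide(text: str) -> str:
    """Policy action: block on regulated data, flag lexicon-only hits, else allow."""
    rules = {f.rule for f in classify(text)}
    if rules & {"regex:card", "edm:patient-id"}:
        return "block"
    if "lexicon" in rules:
        return "flag"
    return "allow"


if __name__ == "__main__":
    # Constructed outbound message, as a DLP network sensor might see it.
    sample = ("Please charge card 4111 1111 1111 1111 for patient AB-1234567 "
              "and attach the Project Falcon slides.")
    for f in classify(sample):
        print(f.rule, f.evidence)
    print("action:", decide(sample))
```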


Practical activities:

Activity 1:

Collect information about the extent of data leakage in its various forms across different
types of organisations and incidents of leakage and related loss. Present the cases in
class and discuss the various steps that can be taken proactively and post event to
ensure loss prevention and minimisation.

Activity 2:

Identify work behaviours and practices that can lead to data leakage in a work context.
Look at your own and your colleagues’ behaviour in your own environment, identify the
various kinds of confidential and personal information handled there, and note how
everyday practices and habits can cause data leakage.

Activity 3:

Collect information about various organisations that offer products and services in Data
Leakage Prevention and Data Risk Management. Compare the two, note down and present
their various offerings, tools and their features, benefits and limitations.

Activity 4:

Discuss with others the three states of information:

• Data at Rest
• Data in Motion
• Data in Use

Find examples of data around yourself in your daily life that fall into these three
categories. State the risks of data leakage and its various sources.


Check your understanding:


1. State true or false:
a) DLP solutions cannot intelligently interpret graphics files.
b) Exact data matching involves a combination of dictionaries, rules and other analyses to protect
nebulous content that resembles an "idea".
c) DLP cannot protect information once it is outside the organization’s perimeter.
d) Endpoint solutions are most recommended for all types of users.
e) DRM ensures that only intended recipients can view sensitive files regardless of their location.

2. Exact data matching is another name for _________________________________.

3. List the three basic techniques for content discovery.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

4. List at least three common signs of a security incident.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

5. List at least three DLP limitations

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

6. State what file cracking is in DLP solutions.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________



UNIT IV
Information Security Policies,
Procedures, Standards and Guidelines

This unit covers:

• Lesson Plan
4.1. Information Security Policies
4.2. Key Elements of a Security Policy
4.3. Security Standards, Guidelines and Frameworks
4.4. Laws, Regulations and Guidelines


Lesson Plan

Performance Outcomes:

To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and
guidelines
PC11. comply with your organization’s policies, standards, procedures and guidelines when
contributing to managing information security

Work Environment/ Lab Requirement:
• PCs/ tablets/ laptops
• Availability of labs (24/7)
• Internet with Wi-Fi (min 2 Mbps dedicated)
• Networking equipment (routers & switches)
• Firewalls and access points
• Commercial tools like HP Web Inspect and IBM AppScan etc.
• Open source tools like sqlmap, Nessus etc.

You need to know and understand:
KA1. your organization’s policies, procedures, standards and guidelines for managing information
security
KA2. your organization’s knowledge base and how to access and update the same
KA4. the organizational systems, procedures and tasks/ checklists within the domain and how to use
these
KA12. your organization’s information security systems and tools and how to access and maintain
these
KA13. standard tools and templates available and how to use the same
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Ensuring Measures:
KA1. QA session and a descriptive write-up on understanding.
KA2. Group presentation and peer evaluation along with faculty.
KA4. Performance evaluation from faculty and industry with reward points.
KA12. Faculty and peer review.
KA13. Faculty and peer review.
KB1 - KB4. Group and faculty evaluation based on anticipated outcomes. Reward points to be
allocated to groups.

Work Environment/ Lab Requirement:
• PCs/ tablets/ laptops
• Availability of labs (24/7)
• Internet with Wi-Fi (min 2 Mbps dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security etc.
• Security templates from ITIL & ISO


Lesson

4.1 Information Security Policies

Security policies are the foundation of your security infrastructure. Without them, you cannot protect
your company from possible lawsuits, lost revenue and bad publicity, not to mention basic security
attacks. A security policy is a document or set of documents that describes, at a high level, the security
controls that will be implemented by the company.

Policies are not technology specific and do three things for an organisation:

• Reduce or eliminate legal liability to employees and third parties.
• Protect confidential, proprietary information from theft, misuse, unauthorized disclosure or
modification.
• Prevent waste of company computing resources.

Organisations are giving more priority to the development of information security policies, since
protecting their assets is one of the most prominent things that needs to be considered. Lack of clarity
in InfoSec policies can lead to catastrophic damage that cannot be recovered from, so an organisation
adopts different strategies to implement a security policy successfully. An information security policy
provides management direction and support for information security across the organisation.

There are two types of basic security policies:

• Technical security policies: these include how technology should be configured and used.
• Administrative security policies: these include how people (both end users and management)
should behave/ respond to security.

Persons responsible for the implementation of the security policies are:

• Director of Information Security
• Chief Security Officer
• Director of Information Technology
• Chief Information Officer

Information in an organisation will be both electronic and hard copy, and this information needs to be
secured properly against the consequences of breaches of confidentiality, integrity and availability.

Proper security measures need to be implemented to control and secure information from
unauthorised changes, deletions and disclosures. To find the level of security measures that need to
be applied, a risk assessment is mandatory.

Security policies are intended to define what is expected from employees within an organisation with
respect to information systems.

The objective is to guide or control the use of systems to reduce the risk to information assets. It also
gives the staff who deal with information systems an acceptable use policy, explaining what is
allowed and what is not. Security policies are not the same across all companies, but the key motive
behind them is to protect assets. Security policies are tailored to the specific mission goals.

A security policy should determine rules and regulations for the following systems:
• Encryption mechanisms
• Access control devices
• Authentication systems
• Firewalls
• Anti-virus systems
• Websites
• Gateways
• Routers and switches

Necessity of a security policy

It is generally impossible to accomplish a complex task without a detailed plan for doing so.
A security policy is that plan that provides for the consistent application of security principles
throughout your company. After implementation, it becomes a reference guide when matters of
security arise.
A security policy indicates senior management’s commitment to maintain a secure network, which
allows the IT staff to do a more effective job of securing the company’s information assets. Ultimately,
a security policy will reduce the risk of a damaging security incident. In the event of a security incident,
certain policies, such as an Incident Response Policy may limit your company’s exposure and reduce
the scope of the incident.
A security policy can provide legal protection to your company. By specifying to your users exactly
how they can and cannot use the network, how they should treat confidential information, and the
proper use of encryption, you are reducing your liability and exposure in the event of an incident.
Further, a security policy provides a written record of your company’s policies if there is ever a
question about what is and is not an approved act.
Security policies are often required by third parties that do business with your company as part of
their due diligence process. Some examples of these might be auditors, customers, partners and
investors. Companies that do business with your company, particularly those that will be sharing
confidential data or connectivity to electronic systems, will be concerned about your security policy.
Lastly, one of the most common reasons why companies create security policies today is to fulfill
regulations and meet standards that relate to security of digital information.
Once the security policy is implemented, it will be a part of day-to-day business activities. Security
policies that are implemented need to be reviewed whenever there is an organizational change.
Compliance with policies can be monitored using monitoring solutions such as a SIEM, and violations
of security policies must be dealt with seriously. There should also be a mechanism to report any
violations of the policy.

While developing these policies, it is obligatory to make them as simple as possible, because complex
policies are less secure than simple ones. Security policies can be modified at a later time, but that is
not to say that you can create a flawed policy now and develop a perfect one some time later.
It is also mandatory to update the policy as the organization’s environment changes while it
progresses.
Policy updates also need to be communicated to all employees as well as to the person authorized
to monitor policy violations, as they may flag scenarios which have been overlooked by the
organization.
Management is responsible for establishing controls and should regularly review the status of
controls.
Below is a list of some of the security policies that an organization may have:

Access Control Policy: How information is accessed
Contingency Planning Policy: How availability of data is made online 24/7
Data Classification Policy: How data are classified
Change Control Policy: How changes are made to directories or the file server
Wireless Policy: How wireless infrastructure devices need to be configured
Incident Response Policy: How incidents are reported and investigated
Termination of Access Policy: How employees are terminated
Backup Policy: How data are backed up
Virus Policy: How virus infections need to be dealt with
Retention Policy: How data can be stored
Physical Access Policy: How access to the physical area is obtained
Security Awareness Policy: How security awareness activities are carried out
Audit Trail Policy: How audit trails are analyzed
Firewall Policy: How firewalls are named, configured etc.
Network Security Policy: How network systems can be secured
Encryption Policy: How data are encrypted, the encryption method used etc.

Others:
• Promiscuous Policy
• Permissive Policy
• Prudent Policy
• Paranoid Policy
• Firewall Management Policy
• Special Access Policy
• Network Connection Policy
• Network Business Partner Policy
• Acceptable Use Policy
• User Account Policy
• Data Classification Policy
• Intrusion Detection Policy
• Remote Access Policy
• Virus Prevention Policy
• Information Protection Policy
• Laptop Security Policy
• Personal Security Policy
• Cryptography Policy

Acceptable Usage Policy

Acceptable Usage Policy (AUP) is the policy that one should adhere to while accessing the
network. Some of the assets that this policy covers are mobile, wireless, desktop, laptop and
tablet computers, email, servers, internet etc. For each asset, we need to look at how we can
protect it, how we manage it, which persons are authorised to use and administer the asset, the
accepted methods of communication for these assets etc.

A template for an AUP is published by SANS at
http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf, and from it a security
analyst will get an idea of how an AUP actually looks. Some regulatory compliance regimes mandate
that a user should accept the AUP before getting access to network devices. Implementing these
controls makes the organization somewhat less exposed to risk, even though it is very costly.

Once a reasonable security policy has been developed, an engineer has to look at the country’s laws,
which should be incorporated in security policies. One example is the use of encryption to create a
secure channel between two entities. Some encryption algorithms and their key lengths (128, 192) will
not be allowed by the government for standard use. Legal experts need to be consulted if you want to
know what level of encryption is allowed in an area. This becomes a challenge if security policies
are derived for a big organisation spread across the globe.
Some of the laws, regulations and standards used for policy definition include:
• The PCI Data Security Standard (PCI DSS)
• The Health Insurance Portability and Accountability Act (HIPAA)
• The Sarbanes-Oxley Act (SOX)
• The ISO family of security standards
• The Gramm-Leach-Bliley Act (GLBA)

4.2 Key Elements of Security Policy

A policy should contain:


• Overview – background information of what issue the policy addresses.
• Purpose – why the policy is created.
• Scope – what areas this policy covers.
• Targeted audience – whom the policy is applicable for.
• Policy – a detailed description of the policy.
• Definitions – a brief introduction of the technical jargon used in the policy.
• Version – number to control the changes made to the document.

Policy Content
When developing content, many go about creating a policy exactly the wrong way. The goal is not to
create hundreds of pages of impressive looking information, but rather to create an actionable
security plan. The following guidelines apply to the content of successful IT security policies.
• A security policy should be no longer than absolutely necessary. Some believe that policies are more
impressive when they fill enormous binders or contain hundreds or even thousands of policies. These
types of policies overwhelm you with data, and are frequently advertised on the internet. But quantity
does not equal quality, and it is the sheer amount of information in those policies that makes them
useless. Brevity is of utmost importance.
• A security policy should be written in “plain English.” While, by nature, technical topics will be
covered, it is important that the policy be clear and understood by the target audience for that
particular policy. There is never room for “consultant speak” in a security policy. If there is a doubt,
the policy should be written so that more people can understand it rather than fewer. Clarity must be
a priority in security policies so that a policy isn’t misunderstood during a crisis or otherwise
misapplied, which could lead to a critical vulnerability.
• A security policy must be consistent with applicable laws and regulations. In some countries there
are laws that apply to a company’s security practices, such as those covering the use of encryption.
Some states have specific disclosure laws or regulations governing the protection of citizens’ personal
information, and some industries have regulations governing security policies. It is recommended that
you research and become familiar with any regulations or standards that apply to your company’s
security controls.
• A security policy should be reasonable. The point of this process is to create a policy that you can
actually use rather than one that makes your company secure on paper but is impossible to
implement. Keep in mind that the more secure a policy is, the greater the burden it places on your
users and IT staff to comply with. Find a middle ground in the balance between security and usability
that will work for you.


• A security policy must be enforceable. A policy should clearly state which actions are permitted and
which of those are in violation of the policy. Further, the policy should spell out enforcement options
when non-compliance or violations are discovered, and must be consistent with applicable laws. A
security policy can be formatted to be consistent with your company’s internal documentation,
however certain information should be placed on each page of the policy. At a minimum, this
information should include: policy name, creation date, target audience and a clear designation that
the policy is company confidential.

Security Policy Implementation


Once a policy has been created, perhaps the hardest part of the process is rolling it out to the
organization. This step must be well planned and undertaken thoughtfully. First and most importantly,
a security policy must be backed by the company’s senior management team. Without their support,
the cooperation needed across departments will likely doom the implementation. Department heads
must be involved, and specifically, Human Resources and Legal Services must play an integral part.
Make sure you have management buy-in before you get too far along in the process. If the position
doesn’t already exist, an Information Security Officer or IT Security Program Manager should be
designated at your company who is responsible for implementing and managing the security policy.
This can be an existing manager. This designation is sometimes not practical at smaller companies, but
regardless, one person, who has the authority to make executive decisions, needs to own and be
accountable for your company’s security policy. Remember that your security policy must be officially
adopted as company policy. It should be signed and recorded in the same way your company makes
any major decision, including full senior management approval. Next, go through each policy and think
about how it will be applied within the organization.
Make sure that the tools are in place to conform to the policy. For example, if the policy specifies that
a certain network be monitored, make sure that monitoring capabilities exist on that network
segment. If a policy specifies that visitors must agree to the Acceptable Use Policy before using the
network, make sure that there is a process in place to provide visitors with the Acceptable Use Policy.
In this phase, if you discover something impractical, create a plan to make appropriate changes to
either the network or the policy. Understand that policies differ from processes and procedures.
You will need to carefully consider the necessary security processes and procedures after you have
your policy finished. For example, the Backup Policy may detail the schedules for backups and off-site
rotation of backup media, however it won’t say exactly how these tasks are to be accomplished.
Additionally, certain procedures must be created to support the policies. For example, how should
your users respond if they suspect a security incident? How will you notify your users if they are
noncompliant with a specific policy? How will exemptions to the policy be requested and approved?
Work with the necessary departments within your company (Legal, IT, HR etc.) to establish procedures
to support your policies. User education is critical to a successful security policy implementation. A
training session should be held to go over the policies that will impact users as well as provide basic
information security awareness training.
Often, users create security issues because they simply don’t understand that what they are doing is
risky or against the security policy. Users must be provided any user level policies, and must
acknowledge in writing that they have read and will adhere to the policies. If possible, coordinate this
with Human Resources so that the policies can be included with any other HR documents that require
a user signature. No matter how well implemented, no policy will be 100% applicable for every
scenario, and exceptions will need to be granted. Exceptions, however, must be granted only in writing
and must be well documented. It should be made clear from the outset that the policy is the official
company standard, and an exception will only be granted when there is an overwhelming business
need.
After the security policy has been in place for some period, which can be anywhere from three months
to a year, the company’s information security controls should be audited against the applicable
policies. Make sure that each policy is being followed as intended and is still appropriate to the
situation. If discrepancies are found or the policies are no longer applicable as written, they must be
changed to fit your company’s current requirements. After the initial review process, you should
regularly review the security policy to ensure that it still meets your company’s requirements. Create
a process so that the policy is periodically reviewed by the appropriate persons. This should occur both
at certain intervals (i.e. once per year), and when certain business changes occur (i.e. the company
opens in a new location). This will ensure that the policy does not get “stale”, and will continue to be
a useful management tool for years to come. When changes need to be made, be sure to: update the
revision history section of the document to differentiate the new document from past versions; and
distribute any modified user level policies to your users. Clearly communicate the policy changes to
any affected parties.

Internal Security Policy: Microsoft


Snicker if you must, but this is for real. Microsoft has great internal security policies and
controls. Think about it. When was the last time you heard about a major breach of
Microsoft's corporate network? The one you might recall is October 2000, when hackers
breached its security and accessed source code for future versions of Windows.
"That was a wake-up call. It changed the way our executives and employees think about
security," says Greg Wood, Microsoft's general manager of InfoSecurity.
Microsoft is one of the most targeted entities on the Internet, absorbing more than 2,200
unique attacks a day. When it developed its security policy, the security team sought
simplicity for protecting the company's 300,000 hosts.
Microsoft threw out its thick, three-ring binder that held its barely touched security policy.
Replacing it was a thin pamphlet containing 45 half-page doctrines based on elemental
security principles: enforcement, business rationale and risk assessments.
The litmus test for any security policy is whether it's enforceable. Microsoft's security
policies are easily understood and have teeth. There's no excuse for ignorance of the
policy, and any breach is enforced through HR actions, Wood says.
Microsoft's security team applies business logic to its security policies. Wood says this
helps earn the business units' cooperation. They know security won't arbitrarily inhibit
operations. Where best practices will often ban certain functions and services, the
Microsoft policy has flexibility to meet business necessities--within reason.

Source: News Journals



California State University, Northridge – Adoption plan of a good Information Security Policy

California State University, Northridge (CSUN) is committed to providing a secure and
accessible data and networking infrastructure that protects the confidentiality, availability
and integrity of information. The creation, preservation and exchange of information is an
intrinsic part of the University's teaching, scholarship and administrative operations.
Increasingly that information is processed, handled or stored in electronic form.
The growing availability of digital information offers opportunities to improve our
collaborations and work in new ways. Unfortunately, it also presents us with new threats.
The very technologies we use to gather, share and analyse information also make our
institution vulnerable to varied and continually evolving information security risks. CSUN is
entrusted with a wide range of confidential and sensitive information pertaining to our
students, faculty staff, donors, and other members of the community (e.g. affiliates).
We take seriously our obligation to be stewards of that trust. We are obligated by law and
institutional policy to take all reasonable and appropriate steps to protect the
confidentiality, availability, privacy, and integrity of information in our custody. This
obligation is broad and applies to information in both electronic and material form. Our
practices are designed both to prevent the inappropriate disclosure of information and to
preserve information in case of intentional or accidental loss.
(For the complete case study please refer to: http://www.csun.edu/sites/default/files/csun-it-sec-plan.pdf )
Source: www.csu.edu


4.3 Security Standards, Guidelines & Frameworks


Process: Security Governance Frameworks
Security governance frameworks represent solutions to the question of how to manage security
effectively. The manner in which a company builds a governance structure is a reflection of the
organization of the company and the laws and business environment in which it finds itself. Auditing
the security governance practices of a company requires understanding how the organization
manages the processes and procedures that make up its security program and comparing those aspects
to recognized governance frameworks. Luckily, there are many sources that an auditor can use to
identify best practices in building a manageable, measurable and effective security governance
program. The frameworks mentioned in this text are not a complete list, and significant research is
constantly being conducted in this area. What follows are three of the most frequently found
frameworks, which should get you started in understanding how they can be applied to the
organizations you audit.

COSO
The Foreign Corrupt Practices Act of 1977 (FCPA) is a law that requires any publicly traded company
to accurately document any transactions or monetary exchanges it is involved in (to prevent off-the-
books money transfers). Additionally, the law requires that a publicly traded company also have a
system of internal accounting controls to monitor fraud and abuse and test them through compliance
auditing. This law had little guidance from the Securities and Exchange Commission (SEC), and in
response to this, a consortium of private organizations created the Treadway Commission to figure
out what companies needed to do to comply with this law.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985
to improve the accuracy of financial reports and to standardize on internal control methods to reduce
fraudulent reporting. COSO studied the problem and issued guidance about how to create an internal
controls framework that complies with the FCPA. The resulting document, called “Internal Controls:
Integrated Framework,” was published in 1994 and provided common language, definitions and
assessment methodologies for a company’s internal accounting controls. This COSO report is
considered the standard by which accounting auditors assess companies to ensure compliance with
the FCPA and SOX section 404.
The COSO report lists a few main concepts that guided the development of the COSO framework and
define what internal controls can and cannot do for an organization. These concepts show the
relationship between people and processes in respect to the effectiveness of controls, and they define
the principles with which to implement them:
 Internal control is a process and not a one-time activity.
 Internal control is affected by people; it must be adopted throughout the organization and is not
simply a policy document that gets filed away.
 An internal control can provide only reasonable assurance, not absolute assurance, to the
management and board of a business. A control cannot ensure success.
 Internal controls are designed for the achievement of business objectives.


The COSO internal controls framework consists of five main control components as seen in the figure
below. These controls are the foundation of the COSO framework and provide a means for auditors
to assess a company’s control efficiency, effectiveness, reliability of financial reporting and
compliance with the law.
Figure: COSO Internal Controls Framework (components, from the foundation upward: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitor)


Control environment
The control environment defines how an organization builds its internal governance program and
affects the company as a whole. The CEO, Board of Directors, and Executive Management are mostly
involved at this level, creating the ethics environment and organizational structure and defining the
roles and responsibilities. The control environment consists of the people, culture and ethics of the
business.
Risk assessment
Solid risk assessment methodologies are important to any successful governance program. COSO
identifies this area as critical to all control development activities and for identifying business
objectives. You can’t protect what you don’t know about, so a thorough risk assessment provides the
data to help a company design controls to protect its assets and achieve its strategic goals.
Control activities
This section covers the controls that COSO recommends to help mitigate risk. The main categories for
controls in COSO are operational, financial reporting and compliance. The controls identified are
broad in nature and cover some IT related issues, but COSO doesn’t address this area as well for IT as
it does the accounting side. It does highlight the various activities that should be controlled, but leaves
it up to management to figure out how to do it.


Information and communication
Having an organization in which information and communication are free to flow between all aspects
of the business is addressed in this component of COSO.
Information, according to COSO, is the data used to run the business, whereas communication is
defined as the method used to disseminate information to the appropriate individuals. People cannot
do their jobs efficiently and effectively if they are not provided with the necessary information.
Without the appropriate lines of communication and timely action, problems can turn into
catastrophes. Communication is the mechanism that drives the other four components of the COSO
framework.
Monitoring
Auditing and measurement are essential in determining how controls perform.
Monitoring can be the alarm system that identifies a problem and provides valuable data for fixing
issues for the future. Monitoring can consist of periodic reports, audits or testing mechanisms that
provide the status of individual controls.
COSO is one of the more widely adopted internal control frameworks for large companies due in no
small part to the mandates set forth through SOX 404. In response to criticism that the framework
was impractical for smaller organizations, the committee published “Internal Control over Financial
Reporting for Small Public Companies” in 2006.
The COSO framework represents the grandfather of internal controls and though it was designed
primarily for accounting controls, it still provides value for companies building out a security
governance strategy. From an IT perspective, the five main components are entirely relevant to
securing information, but the actual controls themselves don’t go to the same level of depth as other
frameworks such as Control Objectives for Information and Related Technologies (COBIT).

COBIT
The COBIT framework was created by the Information Systems Audit and Control
Association (ISACA) and the IT Governance Institute (ITGI) as a response to the needs of the IT community
for a less generalized and more actionable set of controls for securing information systems. The ITGI
is a non-profit organization that leads the development of COBIT through committees consisting of
experts from universities, governments and auditors across the globe. The COBIT framework is a series
of manuals and implementation guidelines for creating a full IT governance, auditing and service
delivery program for any organization.
COBIT is not a replacement but an augmentation to COSO, and maps directly to COSO from an IT
perspective. Although COSO covers the whole enterprise from an accounting perspective, it does so
by providing high level objectives that require the business to figure out how to accomplish them.
COBIT on the other hand, works with COSO by fully detailing the necessary controls required and how
to measure and audit them. The built-in auditable nature of COBIT is why it has become one of the
leading IT governance frameworks as it gets as close as can be expected to a turnkey governance
program. COBIT does not dig down into the actual tasks and procedures however, which necessitates
using other sources to develop standards and procedures for implementing the controls. In other
words, COBIT won’t tell you the best way to configure AES encryption for your wireless infrastructure,
but it will provide you with a mechanism for identifying where and why you need to apply it based on
risk.
The role of COBIT in IT governance is to provide a model that takes the guesswork out of how to bridge
the gap between business and IT goals. COBIT considers business the customer of IT services. Business
requirements (needs) ultimately drive the investment in IT resources, which in turn need processes
that can deliver enterprise information back to the business. At the foundation of COBIT is the cyclical
nature of business needing information and IT delivering information services.
Information is what IT provides to the business and COBIT defines the following seven control areas
as business requirements for information:
 Effectiveness: information should be delivered in a timely, correct, consistent and usable
manner.
 Efficiency: information is delivered in the most cost-effective way.
 Confidentiality: data is protected from unauthorized disclosure.
 Integrity: business is protected from unauthorized manipulation or destruction of data.
 Availability: data should be accessible when the business needs it.
 Compliance: adherence to laws, regulations and contractual agreements.
 Reliability of information: data correctly represents the state of the business and its transactions.

IT resources in COBIT are the components of information delivery and represent the technology,
people and procedures used to meet business goals. Resources are divided into four areas:
 Applications: information processing systems and procedures
 Information: the data as used by the business
 Infrastructure: technology and systems used for data delivery and processing
 People: the human talent needed to keep everything operating
IT processes (or activities) are the planned utilization of resources and divided into four inter-related
domains. Each process has its own controls that govern how the process is to be accomplished and
measured. There are 34 high level processes and hundreds of individual controls. The domains and
processes are:
 Plan and Organize (PO): Defines strategy and guides the creation of a service and solutions
delivery organization. The high level process for this domain is as follows:
o PO1 Define a strategic IT plan
o PO2 Define the information architecture
o PO3 Determine technological direction
o PO4 Define the IT processes, organization and relationships
o PO5 Manage the IT investment
o PO6 Communicate management aims and direction
o PO7 Manage IT Human Resources
o PO8 Manage quality
o PO9 Assess and manage IT risks
o PO10 Manage projects
 Acquire and Implement (AI): Builds IT solutions and creates services. The high level process for
this domain is as follows:
o AI1 Identify automated solutions
o AI2 Acquire and maintain application software
o AI3 Acquire and maintain technology infrastructure
o AI4 Enable operation and use
o AI5 Procure IT resources
o AI6 Manage changes
o AI7 Install and accredit solutions and changes
 Deliver and Support (DS): User facing delivery of services and solutions. The high level process for
this domain is as follows:
o DS1 Define and manage service levels
o DS2 Manage third-party services
o DS3 Manage performance and capacity
o DS4 Ensure continuous service
o DS5 Ensure systems security
o DS6 Identify and allocate costs
o DS7 Educate and train users
o DS8 Manage service desk and incidents
o DS9 Manage the configuration
o DS10 Manage problems
o DS11 Manage data
o DS12 Manage the physical environment
o DS13 Manage operations
 Monitor and Evaluate (ME): Monitors IT processes to ensure they remain aligned with business
requirements. The high level process for this domain is as follows:
o ME1 Monitor and evaluate IT performance
o ME2 Monitor and evaluate internal control
o ME3 Ensure compliance with external requirements
o ME4 Provide IT governance
Each of the processes in COBIT is written for managers, users and auditors by addressing each
group’s needs. Each process control objective is built using a template that includes:
o a general statement that explains why management needs the control and
where it fits
o the key business requirements that the control addresses
o how the controls are achieved
o control goals and metrics
o who is responsible for each individual control activity
o how the controls can be measured
o clear descriptions of measuring how mature the organization is in accomplishing the
control using a detailed 0–5 scale Maturity Model


Measurement of each process and control is accomplished through a Maturity Model. The COBIT
Maturity Model is based on the Capability Maturity Model pioneered by Carnegie Mellon’s Software
Engineering Institute (SEI). The Capability Maturity Model was designed as a tool for ensuring quality
software development. COBIT has modified the model to deliver a measurement and tracking tool
that identifies the current state of adoption (maturity level) for each process, so as to compare an
organization’s execution with industry averages and business targets. This helps management identify
where the company’s performance is in relation to its peers and provides a path to improve, with
specific and prescriptive steps used to get there.
The COBIT Maturity Model scale provides the following measurements:

COBIT Maturity Scale
Level  Name              Description
0      Non-existent      Not performed.
1      Initial/Ad hoc    Process is chaotic, not standardized and done case by case.
2      Repeatable        Relies on individual knowledge; no formal training and no defined process; management is intuitive.
3      Defined process   Standardized and documented processes, with formal training to communicate the standards.
4      Managed           Processes are monitored and checked for compliance by management; measurable processes are reviewed for improvement; limited automation.
5      Optimized         Processes are refined and compared with others based on maturity; processes are automated through workflow tools to improve quality and effectiveness.

Using COBIT requires customization to better align with the company implementing it. COBIT is not
designed as a governance strategy in a box, but as a reference for building a process focused system,
utilizing international standards and good practices. Companies still need to determine a risk
management methodology and build out a technical infrastructure to automate the various COBIT
processes identified. COBIT’s real value is in providing the management, measurement and
organizational glue to tie these functions together.
IT auditors like to use COBIT mainly because it creates a well-documented set of processes and
controls that can be assessed along with the metrics and requirements for each control. COBIT’s
usefulness is also apparent when the organization under audit does not use COBIT as a governance
framework because an auditor can build checklists and plan audits based on COBIT to ensure that all
aspects of the IT process are performed. COBIT is also an invaluable resource when writing the audit
report because it allows the auditor to justify and compare his findings to a well-respected standard.

ITIL
The Information Technology Infrastructure Library (ITIL) provides documentation of best practices
for IT Service Management. ITIL was created in the late 1980s by Great Britain’s Office of Government
Commerce to standardize Britain’s government agencies and to follow security best practices. A study
was conducted and generated a significant amount of information (roughly 40 books) that became
known as ITIL. The books were revised and consolidated in 2004 and became a series of eight books
focused on IT service management. This version 2 of ITIL became popular among organizations
looking for an internationally recognized, proactive framework for managing IT services, reducing cost
and improving quality. Version 3 of ITIL was released in June 2007 to refresh the core service and
support delivery material that many companies have implemented, and to move the ITIL framework
towards a life cycle model that includes management of all lifecycle services provided by IT. The five
books that make up Version 3 are:
 Service Strategy: This book is the foundation for the others, defining business-to-IT alignment,
value to business, service strategy and service portfolio management.
 Service Design: Focused on the design of IT processes, policies and architectures. Includes service
level management, capacity management, information security management and availability
management.
 Service Transition: Covers moving from the design phase to production business services and
change management. It also includes service asset and configuration management, service
validation and testing, evaluation and knowledge management.
 Service Operation: Provides information on the day-to-day support of production systems. This
includes service delivery and service support, service desk design, application management,
problem management and technical management.
 Continual Service Improvement: This book covers service improvement and service retirement
strategies.
ITIL is primarily about delivering IT as a service and the lifecycle of service development,
implementation, operation and management. ITIL is used by companies for overall management of IT
and also for managing security processes. Auditing an ITIL shop requires that the auditor understand
the basics of ITIL to speak the same language. ITIL also works well with COBIT as a means for fleshing
out the service delivery of each process. The ITGI even creates a mapping between COBIT and ITIL for
organizations that want to utilize the two standards. ITIL also meets the criteria for ISO 20000, which
means that it can be used to achieve international certification. Whether a company chooses to go
for certification or not, ITIL gives guidance about how to move from a reactive to a proactive approach
to managing IT and security as a service.

Technology: Standards, Procedures and Guidelines

Knowing what processes and controls need to be in place is half the job. The other half is implementing
the technology and procedures that allow the control to work as intended. Most auditors focus their
efforts on testing and validating controls to ensure that they are functional and dependable.
Penetration testing, configuration review and architecture review are all part of this type of
assessment, so auditors need to know where to go to find guidance, templates and sample designs
that have been proven to work through consensus and extensive testing. The best security programs
don’t provide much benefit if the execution of those programs relies on poor control choices. The
following standards and best practices can help the auditor distinguish good security designs from
bad and provide reference architectures for comparison.


ISO 27000 Series of Standards

The ISO 27000 series are internationally recognized security control standards for the creation and
operations of an Information Security Management System (ISMS). Previously known as ISO 17799
and originating from British Standard 7799, the ISO 27000 series is one of the most widely used and
cited documents in information security today. All the major governance frameworks reference ISO
when discussing key controls, and it is a great resource to address a wide range of security needs from
data-handling standards, to physical security, to policy. ISO 27000 is broad and covers a great deal of
content that is broken into seven published standards documents with ten more currently in
preparation. This overview is centered on the first two standards: ISO 27001 and 27002.
The first ISO standard is ISO 27001:2005 Information Technology – Security Techniques – Information Security
Management Systems. It provides the requirements for a security management system in accordance
with ISO 27002 best practices. ISO 27001 identifies generic technological controls and processes that
must be in place if a business wants to be certified as compliant with the ISO standard.
The contents of ISO 27001 are:
 ISMS: Establish the ISMS; implement and operate; monitor and review; maintain and improve;
documentation requirements; control of documents and records.
 Management responsibility: Involves commitment, provision of resources and training for
awareness and competence.
 Internal audits: These are the requirements for conducting audits.
 ISMS improvements: These are the corrective and preventive actions.
 Annex A: Objectives and controls and checklist.
 Annex B: Correspondence between the Organisation for Economic Co-operation and Development (OECD)
principles and this international standard.
 Annex C: Correspondence between ISO 9001, ISO 14001 and this standard.
A key concept used in 27001 is the Deming Cycle process improvement approach: Plan, Do, Check and
Act. This continuous improvement cycle was made famous by Dr. W. Edwards Deming, whose quality
control methodology shows that a process can be continually improved by
learning from mistakes and monitoring the things done correctly to further refine the capabilities of
the system.

The Deming Cycle is simple yet powerful, and ISO 27001 applies it to security management in the
following manner:
Step 1. Plan: Establish the ISMS according to the policies, processes and objectives of the
organization to manage risk.
Step 2. Do: Implement and operate the ISMS.
Step 3. Check: Audit, assess and review the ISMS against policies, objectives and experience.
Step 4. Act: Take action to correct the deficiencies identified, for continuous improvement.

ISO 27001 provides guidance for setting up an ISMS and an excellent checklist for assessing
compliance with the standard by specifying what controls need to be in place. An organization can be
certified through an approved assessment and registration organization as being in compliance with
27001. There are over 3,000 companies certified against ISO 27001. Many companies choose
certification as a mechanism to “prove” their competence in building an information security program,
but also because certification provides proof for SOX and other legal compliance frameworks that the
company has met the requirements of those laws. The other benefit of ISO 27001 is its global
acceptance as an accepted standard that is required for conducting business with some companies,
which can provide a unique business opportunity for a company that goes down the path of
certification.
The second ISO standard is ISO 27002:2005 Security Techniques Code of Practice, which consists of
international best practices for securing systems. This standard provides best practice information
about everything from Human Resources security needs to physical security and it represents the
detailed implementation requirements for ISO 27001.
ISO 27002 is full of good high level information that can be used as a source document for any
generalized audit or assessment. It consists of security controls across all forms of data
communication, including electronic, paper and voice (notes tied to pigeons are not included).
The twelve areas covered in ISO 27002:2005 are:
 Intro to information security management
 Risk assessment and treatment
 Security policy
 Organization of information security
 Asset management
 Human Resources security
 Physical security
 Communications and ops management
 Access control
 Information systems acquisition, development and maintenance
 Information security incident management
 Business continuity
 Compliance


The ISO standards define a solid benchmark for assessing a company’s information security practices,
but as with most high-level control documents, they don’t give the auditor details about security
architecture or implementation guidance. 27002 is a great internationally recognized standard to
refer back to for control requirements in an audit report or findings document, and makes excellent
source material for an auditor’s checklist.
NIST
The National Institute of Standards and Technology (NIST) is a federal agency of the United States
government, tasked with helping commerce in the U.S. by providing weights and measurements,
materials references and technology standards. If you have configured your computer to synchronize its
time with an atomic clock source on the internet, then you have used a NIST service. NIST
also provides reference samples of over 1,300 items, including cesium 137, peanut butter and oysters.
The division within NIST that is most interesting from an information security standpoint is the Computer
Security Resource Centre (CSRC), which is the division tasked with creating information security
standards.
The CSRC is currently directed by the United States Congress to create standards for information
security in response to laws such as the Information Technology Reform Act of 1996, the Federal
Information Security Management Act of 2002 (FISMA) and HIPAA. Although FISMA is a federal law
and not enforceable in the private sector, private companies can reap the benefits of the many
excellent documents NIST has created for FISMA compliance.
Federal Information Processing Standards Publications (FIPS) standards are a series of standards that
government agencies must follow by law according to FISMA. FIPS standards include encryption
standards, information categorization and other requirements. FIPS also mandates standards for
technology through a certification program. Hardware and software involved in encrypting data via
AES for example, must be FIPS 140-2 (level 2) compliant to be used by the federal government.
The NIST Special Publications (800 series documents) are a treasure trove of good information for
auditors, systems administrators and security practitioners of any size company. These documents
give guidance and provide specific recommendations about how to address a wide range of security
requirements. These documents are created by academic researchers, security consultants and
government scientists. They are reviewed by the security community through a draft process that
allows anyone to provide comments and feedback on the documents before they are made standards.
The documents are also revised on a regular basis as new technologies become adopted.
The table below provides a list of some of the most widely used NIST 800 series documents. This list is not
exhaustive, and new documents are added all of the time, so check the NIST website on a regular
basis for updates and new drafts.


Table NIST 800 Series documents:

SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-18 Guide for Developing Security Plans for Information Technology Systems
SP 800-27 Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-30 Risk Management Guide for Information Technology
SP 800-34 Contingency Planning Guide for Information Technology Systems
SP 800-37 Guidelines for Security Certification and Accreditation of IS Systems
SP 800-47 Security Guide for Interconnecting Information Technology Systems
SP 800-50 Building an Information Technology Security Awareness and Training Program
SP 800-53 Recommended Security Controls for Federal Information Systems
SP 800-53A Techniques and Procedures for Verification of Security Controls in Federal Information Technology Systems
SP 800-54 BGP Security
SP 800-55 Security Metrics Guide for Information Technology Systems
SP 800-58 Security Considerations for VOIP Systems
SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories (Two Volumes)
SP 800-61 Computer Security Incident Handling Guide
SP 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-77 Guide to IPSEC VPNs
SP 800-88 Guidelines for Media Sanitization
SP 800-92 Guide to Computer Security Log Management
SP 800-95 Guide to Secure Web Services
SP 800-97 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
SP 800-100 Information Security Handbook: A Guide for Managers


The Cyber Security Research and Development Act of 2002 requires that NIST develop checklists to
help minimize the security risks of hardware and software used by the federal government. These
checklists show detailed configurations of many hardware and software platforms, including Cisco. SP
800-70 outlines the format, goals and objectives of the checklists and how to submit a checklist if you
build one that you would like to share. NIST provides these checklists in Security Content Automation
Protocol (SCAP) format, which can be loaded into a SCAP-validated scanner for automated auditing.
There are a number of scanning vendors that support SCAP, such as Qualys and Tenable (Nessus
Scanner). For a complete list of scanning vendors and downloadable checklists, visit
http://checklists.nist.gov.
Centre for Internet Security
The Centre for Internet Security (CIS) is a not-for-profit group dedicated to creating security best
practices and configuration guidance for companies to help reduce the risk of inadequately securing
corporate systems. CIS provides peer-reviewed configuration guides and templates that
administrators and auditors can follow when securing or testing the security of a target system. These
guides are well written and provide a sufficient level of detail down to the actual configuration level
to use as a checklist while also explaining why the particular configuration option needs to be
implemented.
CIS refers to its best practice documents as benchmarks and has two categories:
 Level 1 benchmarks consist of the minimum level of security that needs to be configured and that any
skilled administrator can implement.
 Level 2 benchmarks focus on particular applications of security based on the type of system or
manner in which the system is used. Proper security depends on understanding risk, which
determines at what level you need to protect an asset. Laptops, for example, have a different risk
profile than servers, which is explored in the Level 2 benchmark section in detail.
The CIS benchmarks are often used for configuration level auditing of technology for proper
implementation of security features and good defensive practices. Many compliance laws dictate high
level controls, but never go into the details of how to actually perform the tasks necessary. These
benchmarks developed by CIS help to fill in the blanks when auditing for compliance through
consensus-validated device configuration recommendations. CIS also makes available automated
assessment tools that leverage these benchmarks. CIS benchmarks can be found at
www.cisecurity.org.
NSA
The National Security Agency (NSA) has been responsible for securing information and information
assurance since it began in 1952. As a component of the U.S. Department of Defense, the NSA is
typically known for its cryptology research and cryptanalysis of encrypted communications. The NSA
created the DES encryption standard, which was (and, in the form of 3DES, still is) the most commonly
deployed encryption technique until it was replaced by AES.
Although the NSA’s mission is to keep government communications private, it has also shared a
significant amount of computer security research in the form of configuration guides on hardening
computer systems and network infrastructure equipment. Through research conducted by the
Information Assurance Department of the NSA, a series of security configuration guides have been
posted to help the public better secure computers and networks.
These guides cover:

 Applications
 Database servers
 Operating systems
 Routers
 Supporting documents
 Switches
 VoIP and IP telephony
 Vulnerability reports
 Web servers and browsers
 Wireless
Auditors are free to use these configuration guidelines when examining security controls. They make
a great resource and are updated as new technologies and applications are studied. You can find the
guides at http://www.nsa.gov/ia/index.cfm.
DISA
The Defense Information Security Agency (DISA) is a component of the U.S. Department of Defense
that is charged with protecting military networks and creating configuration standards for military
network deployments. DISA provides a number of useful configuration checklists for a wide variety of
information system technologies. Security Technical Implementation Guides (STIG) are great source
material for security configuration assessments and highly recommended as a tool for any auditor
looking for vetted configuration recommendations. While STIGs are written with military auditors in
mind, they are easy to read and include justification for the configuration requirements and what
threats are mitigated. You can access the current list of STIGs at
http://iase.disa.mil/stigs/stig/index.html.
SANS
The SANS (SysAdmin, Audit, Network, Security) Institute is by far one of the best sources of free
security information available on the Internet today. Established in 1989 as a security research and
education organization, it has become a source of training and knowledge that shares information
about security for hundreds of thousands of individuals across the globe. The SANS website has
something for everyone involved in information security, from the CIO to the hard-core security
technologists and researchers.
SANS is in the business of security education and delivers training events, conferences, and webcasts.
It offers an extensive array of technical security and management tracks covering everything from
incident handling and hacking to creating security policies. SANS security training conferences are the
most common venue for a student attending these courses, but many are also offered through on-
demand web training and self-study. Each of these courses also offers an opportunity to test for
certification through the GIAC organization (a separate entity that governs the certification and testing
process for SANS). For those students who want a more traditional education process, SANS is
accredited in the state of Maryland to grant master’s degrees in information assurance and
management.
Although SANS focuses on training, it also provides a wealth of free security information as part of its
mission to use knowledge and expertise to give back to the Internet community.
SANS offers the following free services and resources, which are ideal for auditors and security
professionals who want insight into new issues and a better understanding of technical security controls:

• SANS reading room: The reading room consists of over 1,600 computer security whitepapers
from vendors and research projects written by SANS students going for GIAC Gold certification.
There is a wide range of topic categories, ensuring you will find something relevant to what
you are looking for, from best practices to configuration guidance.

• SANS Top 20: SANS Top 20 is a list of the top 20 vulnerabilities in operating systems and
applications that hackers attack. This information is updated yearly by a large panel of security
experts, and it provides auditors and security practitioners with a good list of high-risk areas
they need to ensure are addressed. Although this list is good, it doesn’t cover the latest threats,
so it should not be used as a checklist, but rather as a tool to focus your efforts.

• SANS security policy samples: If you are looking for sample security policies, this resource is a
goldmine. All of the policies represented are free for use, and in some cases, you can simply
insert the business’s name. These policy templates cover a wide range of security functional
areas and are added to on a regular basis. It is important to note that security policies are
serious documents and require that legal departments and HR departments be involved in their
adoption.

• SANS newsletters: SANS provides a number of newsletters, available as e-mails or RSS feeds, that
you can subscribe to. Many topics are covered, including one newsletter focused on auditing (SANS
AuditBits).

• Internet Storm Center: The Internet Storm Center is a group of volunteer incident handlers who
analyze suspicious Internet traffic from across the globe. They look at packet traces to
determine whether a new virus, worm, or other attack vector has appeared in the wild. The ISC
also compiles attack trend data and the most frequently attacked ports. Incident handlers are
always “on duty,” and you can read their notes as they go about analyzing attacks.

• SCORE: SCORE is a joint project with the CIS to create minimum standards of configuration for
security devices connected to the Internet. These checklists are available for free and provide
sound guidance about necessary technical controls.

• Intrusion Detection FAQ: The Intrusion Detection FAQ is a fantastic resource for better
understanding how to identify an attack on your network. FAQs cover the basics of intrusion
detection, details about tools to use, and a detailed analysis of sample attacks.
The SANS website should be considered mandatory reading for auditors who want to better
understand the tools and techniques attackers use to break into systems. Having all of this
knowledge in a single place is useful as auditors tailor their checklists and audit criteria to address
current events and attacks.

ISACA
If you are involved in security auditing to any degree, you undoubtedly have heard of the Information
Systems Audit and Control Association (ISACA). ISACA is the largest association of IT auditors in
existence with over 65,000 members across the world. Many of the auditing techniques and security
governance processes used to audit IT today have been compiled and standardized by ISACA. Over
50,000 people have earned the Certified Information Systems Auditor certification (CISA),
demonstrating knowledge in auditing. The Certified Information Systems Manager (CISM) is also
offered to test IT governance and management expertise.
ISACA is more than just a certification granting organization. In addition to establishing the IT
Governance Institute and developing COBIT, they have created the de facto standards guide for
assessing and auditing IT controls. The IS standards, guidelines and procedures for auditing and
control professionals are regularly updated and reviewed to provide the auditing community with
standards, guidelines and procedures for conducting audits.
The auditing guide includes:

• Standards of IS auditing: This section includes the code of conduct for professional auditors,
the auditing process from planning to follow-up, and various other standards for performing audits.

• Auditing guidelines: This section provides information on how to conduct audits while following the
standards of IS auditing.

• Auditing procedures: This section provides details on how to audit various types of systems and
processes, providing a sample approach to testing controls such as firewalls and intrusion
detection systems.

• The IT Assurance Guide to using COBIT is another excellent resource for how to conduct an audit
using COBIT as the governance framework. Regardless of whether or not the company being
audited uses COBIT, the guide describes how to leverage the controls identified by COBIT and
apply those to the audit process. This enables an auditor to follow a well-documented
framework to ensure that no major areas are missed.

ISO 27003
ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation
of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It
describes the process of ISMS specification and design from inception to the production of
implementation plans. It describes the process of obtaining management approval to implement an
ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project),
and provides guidance on how to plan the ISMS project, resulting in a final ISMS project
implementation plan.
ISO 27004
ISO/IEC 27004 concerns measurements relating to information security management. These are
commonly known as ‘security metrics’ in the profession. The standard is intended to help
organizations measure, report on and hence systematically improve the effectiveness of their
Information Security Management Systems. It “provides guidance on the development and use of
measures and measurement in order to assess the effectiveness of an implemented information
security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.
This would include policy, information security risk management, control objectives, controls,
processes and procedures, and support the process of its revision, helping to determine whether any
of the ISMS processes or controls need to be changed or improved.”
ISO 15408 Common Criteria Evaluation for Security
ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation and
specifies the general model of evaluation given by various parts of ISO/IEC 15408, which in its entirety
is meant to be used as the basis for evaluation of security properties of IT products.
It provides an overview of all parts of ISO/IEC 15408, describes the various parts of ISO/IEC 15408,
defines the terms and abbreviations to be used in all parts of ISO/IEC 15408, establishes the core concept
of a Target of Evaluation (TOE), the evaluation context and describes the audience to which the
evaluation criteria are addressed. An introduction to the basic security concepts necessary for
evaluation of IT products is given.
It defines the various operations by which the functional and assurance components given in ISO/IEC
15408-2 and ISO/IEC 15408-3 may be tailored through the use of permitted operations. The key
concepts of protection profiles (PP), packages of security requirements and the topic of conformance
are specified and the consequences of evaluation and evaluation results are described. ISO/IEC 15408-
1:2009 gives guidelines for the specification of Security Targets (ST) and provides a description of the
organization of components throughout the model.
ISO/IEC 13335 (IT Security Management)
ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of ICT
security, and addresses the general management issues that are essential to the successful planning,
implementation and operation of ICT security. Part 2 of ISO/IEC 13335 (currently 2nd WD) provides
operational guidance on ICT security. Together, these parts can be used to help identify and manage
all aspects of ICT security.
ISO 13335 is focused on Information and Communication Technologies, also called ICT. ISO standard
13335 was created to help businesses improve their information and communication security. There
is currently only one part of the ISO 13335 standard, ISO 13335-1. ISO standard 13335 is designed to
create an IT management framework, including information security policies, internal controls,
company approved practices and configuration management of hardware and software components.
No one changes information and communication technologies without formal review and approval
after thorough testing has been completed. In addition, ISO 13335 was created in an effort to improve
business continuity, the continuation of business operations in case of a massive technical failure,
natural disaster or hacking attack.
ISO 13335-1
The ICT standard ISO 13335-1 originated as a technical report on information security before it became
a separate ISO standard. ISO 13335-1 is focused on technical security controls over administrative
procedures and internal corporate rules. ISO standard 13335-1 is now the entire ISO 13335 standard
with the other sections either consolidated into ISO 13335-1 or made into their own standards.

Network security controls like firewalls can block traffic from selected IP addresses or prevent users
from accessing specific websites. Built-in data archiving modules attached to routers or network
connections automatically save all email messages, creating an instant record of communications
available if the main email server goes down or if messages are deleted by unauthorized parties.
ISO 13335-2
ISO 13335-2 originally contained the ISO’s guidance on ICT security. The 1990s version of the standard
was broken up into ISO 13335-1 and 13335-2. The ICT security recommendations in ISO 13335-2 were
incorporated into ISO 13335-1 in the 2004 update of the standard.
ISO 13335-3
ISO 13335-3 was originally the guidelines for managing IT security. ISO standard 13335-3 has been
replaced by ISO 27005. In essence, what was ISO 13335-3 is now part of ISO 27005.
ISO 13335-4
ISO 13335-4 outlined the ISO recommended practices of selecting technical security controls or IT
safeguards. ISO 13335-4 has also been replaced with ISO 27005.
ISO 13335-5
ISO 13335-5 was originally a set of guidelines on network security. ISO 13335-5 was replaced with ISO
18028-1 in 2006. ISO 18028-1 has since been revised by ISO 27033-1, released in 2009.
ISO 27005
ISO 27005 replaced several sections of the original ISO 13335 standard. ISO 27005 describes how
organizations define their context, the areas for which they are responsible. Risks are identified and
the severity of each risk is estimated during risk analysis. During risk treatment, the
organization decides whether to accept the risk, mitigate its effects or work to prevent the risk from
occurring. During risk monitoring, the group monitors the risks to the network. Some risks may
disappear as more security hardware is installed while others may grow due to user complacency or
evolving security threats. For example, the risk that a server’s compromise would shut down a
business is reduced when a backup server is created off site with hot backups of the organization’s
data. If the main server is compromised and is removed from the network to prevent hackers from using
it to access other areas, the business simply switches over to the remote backup server and keeps going.
ISO Standard 24762 for Technical Disaster Recovery
ISO/IEC 24762:2008 provides guidelines on the provision of information and communications
technology disaster recovery (ICT DR) services as part of business continuity management, applicable
to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services.
ISO/IEC 24762:2008 specifies:

• the requirements for implementing, operating, monitoring and maintaining ICT DR services and
facilities
• the capabilities which outsourced ICT DR service providers should possess and the practices they
should follow so as to provide basic secure operating environments and facilitate organizations'
recovery efforts
• the guidance for selection of recovery site
• the guidance for ICT DR service providers to continuously improve their ICT DR services
ISO Standard for BCM – 22301
ISO 22301 is a management systems standard for BCM which can be used by organizations of all sizes
and types. These organizations will be able to obtain accredited certification against this standard and
so demonstrate to legislators, regulators, customers, prospective customers and other interested
parties that they are adhering to good practice in BCM. ISO 22301 also enables the business continuity
manager to show top management that a recognized standard has been achieved.
While ISO 22301 may be used for certification and therefore includes rather short and concise
requirements, describing the central elements of BCM, a more extensive guidance standard (ISO
22313) is being developed to provide greater detail on each requirement in ISO 22301.
ISO 22301 may also be used within an organization to measure itself against good practice, and by
auditors wishing to report to management. The influence of the standard will therefore extend well
beyond the organizations that simply choose to be certified against it.
ISO/IEC 27031 provides guidance on the concepts and principles behind the role of information and
communications technology in ensuring business continuity.
The standard:
• Suggests a structure or framework (actually a set of methods and processes) for any organization –
private, governmental and non-governmental.
• Identifies and specifies all relevant aspects including performance criteria, design and implementation
details for improving ICT readiness as part of the organization’s ISMS, helping to ensure business
continuity.
• Enables an organization to measure its ICT continuity, security and hence readiness to survive a
disaster in a consistent and recognized manner.
IEEE Standards
IEEE has standardization activities in the network and information security space and in anti-malware
technologies, including in the encryption, fixed and removable storage and hard copy devices areas as
well as applications of these technologies in smart grids.
Encryption Approved standards:
• IEEE Std 1363-2000 IEEE Standard Specifications for Public-Key Cryptography [Also 1363a-2004]
• IEEE Std 1363.1-2008 IEEE Standard Specification for Public-Key Cryptographic Techniques
Based on Hard Problems over Lattices
• IEEE Std 1363.2-2008 IEEE Standard Specification for Password-Based Public Key
Cryptographic Techniques


Fixed and Removable Storage Approved standards:
• IEEE Std 1619-2007 IEEE Standard for Cryptographic Protection of Data on Block-Oriented
Storage Devices*
• IEEE Std 1619.1-2007 IEEE Standard for Authenticated Encryption with Length Expansion
for Storage Devices
• IEEE Std 1619.2-2010 IEEE Standard for Wide-Block Encryption for Shared Storage Media
• IEEE Std 1667-2009 IEEE Standard Protocol for Authentication in Host Attachments of
Transient Storage Devices

Security for Hardcopy Devices Approved standards:


• IEEE Std 2600-2008 IEEE Standard for Information Technology: Hardcopy Device and System
Security
• IEEE Std 2600.1-2009 IEEE Standard for a Protection Profile in Operational Environment A
• IEEE Std 2600.2-2009 IEEE Standard Protection Profile for Hardcopy Devices in IEEE Std.
2600 (TM)-2008 Operational Environment B
• IEEE Std 2600.3-2009 IEEE Standard Protection Profile for Hardcopy Devices in IEEE Std.
2600 (TM)-2008 Operational Environment C
• IEEE Std 2600.4-2010 IEEE Standard Protection Profile for Hardcopy Devices in IEEE Std.
2600 (TM)-2008 Operational Environment D

ISO 17799
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing,
maintaining and improving information security management in an organization. The objectives
outlined provide general guidance on the commonly accepted goals of information security
management.
ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas
of information security management:
• security policy
• organization of information security
• asset management
• human resources security
• physical and environmental security
• communications and operations management
• access control
• information systems acquisition, development and maintenance
• information security incident management
• business continuity management
• compliance
The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet
the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis
and practical guideline for developing organizational security standards and effective security
management practices and to help build confidence in inter-organizational activities.

ISO 17799: The key components of the Standard

The Standard is divided into two parts.
• ISO 17799, the Code of Practice for Information Security Management
• BS 7799 Part II, which specifies requirements for establishing, implementing and documenting an
Information Security Management System (ISMS)

The standard has ten domains, which address key areas of Information Security Management.
1. Information security policy for the organization
This activity involves a thorough understanding of the organization's business goals and its
dependence on information security. This entire exercise begins with creation of the IT security
policy. This is an extremely important task and should convey total commitment of top
management. The policy cannot be a theoretical exercise. It should reflect the needs of the actual
users. It should be implementable, easy to understand and must balance the level of protection
with productivity. The policy should cover all the important areas like personnel, physical,
procedural and technical.
2. Creation of information security infrastructure
A management framework needs to be established to initiate, implement and control information
security within the organization. This needs proper procedures for approval of the information
security policy, assigning of the security roles and coordination of security across the organization.
3. Asset classification and control
One of the most laborious but essential tasks is to maintain an inventory of all IT assets, which
could be information assets, software assets, physical assets or other similar services. These
information assets need to be classified to indicate the degree of protection required. The
classification should result in appropriate information labelling that indicates whether an asset is
sensitive or critical and which procedures are appropriate for copying, storing, transmitting or
destroying the information asset.
4. Personnel security
Human errors, negligence and greed are responsible for most thefts, frauds or misuse of facilities.
Various proactive measures that should be taken are: creation of personnel screening policies,
confidentiality agreements, terms and conditions of employment and information security
education and training.

Alert and well-trained employees who are aware of what to look for can prevent future security
breaches.
5. Physical and environmental security
Designing a secure physical environment to prevent unauthorized access, damage and
interference to business premises and information is usually the starting point of any security
plan. The activities involved include creating a physical security perimeter and entry controls;
securing offices, rooms and facilities; providing physical access controls and protection devices to
minimize risks ranging from fire to electromagnetic radiation; and providing adequate protection to
power supplies and data cables. Cost-effective design and constant monitoring are two key
aspects of maintaining adequate physical security control.
6. Communications and operations management
Properly documented procedures for the management and operation of all information
processing facilities should be established. This includes detailed operating instructions and
incident response procedures.
Network management requires a range of controls to achieve and maintain security in computer
networks. This also includes establishing procedures for remote equipment including equipment
in user areas. Special controls should be established to safeguard the confidentiality and integrity
of data passing over public networks. Special controls may also be required to maintain the
availability of the network services.
Exchange of information and software between external organizations should be controlled and
should be compliant with any relevant legislation. There should be proper information and
software exchange agreements. The media in transit need to be secured and should not be
vulnerable to unauthorized access, misuse or corruption.
Electronic commerce involves electronic data interchange, electronic mail and online transactions
across public networks such as the Internet. Electronic commerce is vulnerable to a number of
network threats that may result in fraudulent activity, contract dispute and disclosure or
modification of information. Controls should be applied to protect electronic commerce from such
threats.
7. Access control
Access to information and business processes should be controlled on the basis of business and
security requirements. This will include defining an access control policy and rules; user access
management; user registration; privilege management; user password use and management; review of
user access rights; network access controls; an enforced path from user terminal to computer; user
authentication; node authentication; segregation of networks; network connection control;
network routing control; operating system access control; user identification and authentication;
use of system utilities; application access control; monitoring of system access and use; and ensuring
information security when using mobile computing and tele-working facilities.
8. System development and maintenance
Security should ideally be built at the time of inception of a system. Hence security requirements
should be identified and agreed prior to the development of information systems. This begins with
security requirements analysis and specification and providing controls at every stage, i.e. data
input; data processing; data storage and retrieval; and data output. It may be necessary to build
applications with cryptographic controls. There should be a defined policy on the use of such
controls, which may involve encryption; digital signatures; use of digital certificates; protection of
cryptographic keys; and standards to be used for cryptography.
A strict change control procedure should be in place to facilitate tracking of changes. Any changes
to operating systems or software packages should be strictly controlled. Special precautions
must be taken to ensure that no covert channels, back doors or Trojans are left in the application
system for later exploitation.
9. Business Continuity Management
A business continuity management process should be designed, implemented and periodically
tested to reduce the disruption caused by disasters and security failures. This begins by identifying
all events that could cause interruptions to business processes and depending on the risk
assessment, preparation of a strategy plan. The plan needs to be periodically tested, maintained
and re-assessed based on changing circumstances.
10. Compliance
It is essential that strict adherence is observed to the provisions of national and international IT
laws pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of
organizational records, data protection and privacy of personal information, prevention of misuse
of information processing facilities, regulation of cryptographic controls and collection of
evidence.
Information Technology’s use in business has also resulted in enacting of laws that enforce
responsibility of compliance. All legal requirements must be complied with to avoid breaches of any
criminal and civil law, statutory, regulatory or contractual obligations and of any security
requirements.
BS 7799 (ISO 17799) and its relevance to Indian companies:
Although Indian companies and the Government have invested in IT, the facts about theft and attacks on
Indian sites and companies are alarming. Attacks and thefts on corporate websites are frequent
and are usually kept under strict secrecy to avoid embarrassment in front of business partners,
investors, media and customers.
Huge losses sometimes go un-audited, and the only solution is to adopt a model that offers a
long-run, business-led approach to Information Security Management.
BS 7799 (ISO 17799) consists of 127 best security practices (covering the 10 domains discussed
above) which Indian companies can adopt to build their security infrastructure. Even if a company
decides not to go in for certification, the BS 7799 (ISO 17799) model helps companies maintain IT security
through ongoing, integrated management of policies and procedures, personnel training, selecting
and implementing effective controls, reviewing their effectiveness and improving them. Additional
benefits of an ISMS are improved customer confidence, a competitive edge, better personnel
motivation and involvement, and reduced incident impact. Ultimately this leads to increased profitability.

Security Standards Organizations

• Internet Corporation for Assigned Names and Numbers (ICANN)
ICANN’s role is to oversee the huge and complex interconnected network of unique identifiers
that allow computers on the Internet to find one another.
To reach another person on the Internet you have to type an address into your computer - a name
or a number. That address has to be unique so computers know where to find each other. ICANN
coordinates these unique identifiers across the world. Without that coordination we wouldn't
have one global Internet.
ICANN was formed in 1998. It is a not-for-profit partnership of people from all over the world
dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and
develops policy on the Internet’s unique identifiers. This is commonly termed “universal
resolvability” and means that wherever you are on the network – and hence the world – that you
receive the same predictable results when you access the network. Without this, you could end
up with an Internet that worked entirely differently depending on your location on the globe.

• International Organization for Standardization (ISO)

ISO (International Organization for Standardization) is an independent, non-governmental
membership organization and the world's largest developer of voluntary International Standards.
It is made up of 162 member countries, which are the national standards bodies around the world,
with a Central Secretariat based in Geneva, Switzerland.
International Standards make things work. They give world-class specifications for products, services
and systems, to ensure quality, safety and efficiency. They are instrumental in facilitating international
trade.
ISO has published more than 19 500 International Standards covering almost every industry, from
technology, to food safety, to agriculture and healthcare. ISO International Standards impact
everyone, everywhere.

• Consultative Committee For Telephone and Telegraphy (CCITT)

The CCITT, now known as the ITU-T (for Telecommunication Standardization Sector of the
International Telecommunications Union), is the primary international body for fostering cooperative
standards for telecommunications equipment and systems. It is located in Geneva, Switzerland.
• American National Standards Institute (ANSI)
American National Standards Institute (ANSI) oversees the creation, promulgation and use of
thousands of norms and guidelines that directly impact businesses in America in nearly every sector:
from acoustical devices to construction equipment, from dairy and livestock production to energy
distribution, and many more. ANSI is also actively engaged in accreditation - assessing the competence
of organizations determining conformance to standards.
• Institute of Electrical and Electronics Engineers (IEEE)
IEEE is the world's largest professional association dedicated to advancing technological innovation
and excellence for the benefit of humanity. IEEE and its members inspire a global community through
IEEE's highly cited publications, conferences, technology standards, and professional and educational
activities. IEEE, pronounced "Eye-triple-E," stands for the Institute of Electrical and Electronics
Engineers.
• Electronic Industries Association
The Electronic Industries Association (EIA) comprises individual organizations that together have
agreed on certain data transmission standards such as EIA/TIA-232 (formerly known as RS-232). The
Electronics Industries Alliance (EIA) is an alliance of trade organizations that lobby in the interest of
companies engaged in the manufacture of electronics-related products.
 National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST), founded in 1901 and now part of the U.S. Department of Commerce, is one of the nation's oldest physical science laboratories. The US Congress established the agency to remove a major handicap to U.S. industrial competitiveness at the time. Today, NIST measurements support the smallest of technologies (nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair) to the largest and most complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global communication networks. For security analysts, NIST's Computer Security Division is the relevant part: it publishes the Special Publication 800 series (for example SP 800-53 on security and privacy controls and SP 800-61 on computer security incident handling) and the Federal Information Processing Standards (FIPS). NIST also hosts the National Center for Standards and Certification Information (NCSCI), which provides research services on standards, technical regulations and conformity assessment procedures for non-agricultural products. The Center is a central repository for standards-related information in the United States and has access to U.S., foreign and international documents and contact points through its role as the U.S. national inquiry point under the World Trade Organization Agreement on Technical Barriers to Trade. The program also maintains a database of NIST and Department of Commerce staff participation in standards-developing activities.
 World Wide Web Consortium (W3C)
The World Wide Web Consortium (W3C) is an international community where Member organizations,
a full-time staff, and the public work together to develop Web standards. Led by Web inventor Tim
Berners-Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web to its full potential.

Vision

W3C's vision for the Web involves participation, sharing knowledge, and thereby building
trust on a global scale.

The following design principles guide W3C's work.


Web for All
The social value of the Web is that it enables human communication, commerce, and
opportunities to share knowledge. One of W3C's primary goals is to make these benefits available
to all people, whatever their hardware, software, network infrastructure, native language,
culture, geographical location, or physical or mental ability.
Web on Everything
The number of different kinds of devices that can access the Web has grown immensely. Mobile
phones, smart phones, personal digital assistants, interactive television systems, voice response
systems, kiosks and even certain domestic appliances can all access the Web.
Web for Rich Interaction
The Web was invented as a communications tool intended to allow anyone, anywhere to share
information. For many years, the Web was a "read-only" tool for many. Blogs and wikis brought
more authors to the Web, and social networking emerged from the flourishing market for content
and personalized Web experiences. W3C standards have supported this evolution thanks to
strong architecture and design principles. Some people view the Web as a giant repository of
linked data while others as a giant set of services that exchange messages. The two views are
complementary, and which to use often depends on the application.
Web of Trust
The Web has transformed the way we communicate with each other. In doing so, it has also
modified the nature of our social relationships. People now "meet on the Web" and carry out
commercial and personal relationships, in some cases without ever meeting in person. W3C
recognizes that trust is a social phenomenon, but technology design can foster trust and
confidence. As more activity moves on-line, it will become even more important to support
complex interactions among parties around the globe.
Web Application Security Consortium (WASC)
The Web Application Security Consortium (WASC) is a non-profit made up of an international
group of experts, industry practitioners, and organizational representatives who produce open
source and widely agreed upon best-practice security standards for the World Wide Web. As an
active community, WASC facilitates the exchange of ideas and organizes several industry projects.
WASC consistently releases technical information, contributed articles, security guidelines, and
other useful documentation. Businesses, educational institutions, governments, application
developers, security professionals, and software vendors all over the world use its materials
to assist with the challenges presented by web application security.

4.4 Information Security Laws, Regulations & Guidelines

India
India's Ministry of Communications and Information Technology (through its Department of Information
Technology) has notified the Information Technology (Reasonable Security Practices and Procedures
and Sensitive Personal Data or Information) Rules, 2011 (the "Privacy Rules"). Clarifications to the
Privacy Rules were issued by the Ministry via a Press Note. The enabling legislation is the
Information Technology Act, 2000 (the "Act"); the Privacy Rules were made under section 43A of the Act,
which makes a body corporate liable to pay compensation if its negligence in implementing reasonable
security practices causes wrongful loss or gain. While India continues to operate under the 2011
Rules, the Centre for Internet and Society presented a new Privacy (Protection) Bill, 2013 (the "Bill")
on September 30, 2013. The Bill seeks to refine the provisions of the Rules, with a focus on protecting
personal data through limitations on use and requirements for notice. The collection of personal data
would be prohibited unless "necessary for the achievement of a purpose of the person seeking its
collection," and, subject to sections 6 and 7 of the Bill, "no personal data may be collected under this
Act prior to the data subject being given notice, in such form and manner as may be prescribed, of the
collection." The Bill distinguishes the collection of data with and without consent; regulates the
storage, processing, transfer and security of personal data; and discusses the different types of disclosure.

 http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf
 http://pib.nic.in/newsite/erelease.aspx?relid=74990
 http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan010239.pdf
Data Protection Authority and Registration Requirements

 No specific data protection authority exists, but the Privacy Rules state that in the case of a breach,
a “Body Corporate,” as defined under the Act, must answer to “the agency mandated under the
law” (presumably, the Ministry).
 There are no registration requirements for the collection of data. However, the Data Security
Council of India (the “DSCI”) provides a certification service by which organizations within India
may become “DSCI Privacy Certified.”
Protected Personal Data
Personal information is defined as any information that relates to a natural person, which, either
directly or indirectly, in combination with other information available or likely to be available with a
corporate entity, is capable of identifying such person.
Sensitive personal data or information is defined as “personal information” which consists of
information relating to any of the following: passwords; financial information such as bank account or
credit card or debit card or other payment instrument details; physical, physiological and mental
health condition; sexual orientation; medical records and history; biometric information; any detail
relating to any of the above as provided to a corporate entity for providing service; and any of the
information received under the above by a corporate entity for processing, stored or processed under
lawful contract or otherwise. Data or information is not sensitive and personal if it is available in the
public domain or furnished under the Right to Information Act of 2005.
Data Collection and Processing
The Privacy Rules apply to data collection but do not define "processing".
The Privacy Rules require a Body Corporate that collects, receives, possesses, stores, deals with, or handles
sensitive or personal data to publish a privacy policy for the handling of such data and to ensure that the
policy is available for viewing by the data subjects who have provided the information under contract.
The policy shall provide for:
 clear and easily accessible statements of its practices and policies;
 the type of personal or sensitive personal data or information collected;
 the purpose of collection and usage of such information;
 the disclosure of information including sensitive personal data or information; and
 reasonable security practices and procedures.
Data may be collected and processed when all of the following conditions are met:
 the data subject has provided written consent and is aware at the time of collection that the
information is being collected, the purpose of collection, the intended recipients of the
information; and the name and address of the agency that is collecting and will retain the
information;
 the data subject has been provided with the option not to provide his or her sensitive personal data
or information;
 the data subject is permitted to withdraw his/her consent, in writing, at any time;
 the information is collected for a lawful purpose connected with a function or activity of the
body corporate or any person on its behalf; and
 the collection of the sensitive personal data or information is considered necessary for that
lawful purpose.
Data Transfer
Disclosure of data to a third party requires prior permission of the data subject, whether the
information is provided under contract or otherwise, except in the following situations:
 the disclosure has already been agreed to in a contract;
 the disclosure is necessary for compliance with a legal obligation;
 the data is shared with government agencies with the authority to obtain the data for the
purpose of verification of identity, or for the prevention, detection, investigation, prosecution,
and punishment of offenses, including cyber incidents; or
 the disclosure is pursuant to an order under the law.
Data may be transferred domestically or internationally to any person or Body Corporate that ensures
the same level of data protection that is adhered to by the Body Corporate, but the transfer is allowed
only if:
 the data subject consents; or
 the transfer is necessary for the performance of the lawful contract between the body
corporate or any person on its behalf and the data subject.
Data Security
A Body Corporate is required to implement reasonable security practices and procedures. The Privacy
Rules indicate that reasonable practice methodologies include IS/ISO/IEC 27001 or other codes of practice
that have been approved and notified by the central government; either way, the practices are subject to
an audit at least once a year by an auditor approved by the central government.
Breach Notification
There is no mandatory requirement to report data security breach incidents to affected individuals under the Privacy Rules. Note, however, that the separate Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 require service providers, intermediaries, data centres and body corporates to report certain categories of cyber security incidents to CERT-In, so an analyst should not assume that "no breach notification" means "no reporting at all".
Other Considerations
Data retention rules state that information should not be retained longer than is required for the
purposes for which the information may lawfully be used or is otherwise required under any other
law.
A clarification to the Privacy Rules stating that a "Body corporate providing services relating to
collection, storage, dealing or handling of sensitive personal data or information under contractual
obligation with any legal entity located within or outside India is exempt from the requirement to
obtain consent" was issued via Press Note by the Department of Information Technology.
Accordingly, outsourcing service providers in India are exempt from obtaining consent from the
individuals whose data they process on a client's behalf; the consent obligation remains with the client.
Enforcement & Penalties
Under section 43A of the Act, a corporate entity may be liable to pay compensation of up to Rs. 50,000,000
(Rs. 5 crore) for the negligent failure to implement and maintain reasonable security practices and
procedures, where that failure causes wrongful loss or wrongful gain to any person.
International Directory of laws:
This directory lists laws, regulations and industry guidelines with significant security and privacy impact
and requirements. It is largely USA-focused but is used by international agencies as a reference point.

Broad laws:
 Sarbanes-Oxley Act (SOX);
 Payment Card Industry Data Security Standard (PCI DSS);
 Gramm-Leach-Bliley Act (GLB Act);
 Electronic Fund Transfer Act, Regulation E (EFTA);
 Customs-Trade Partnership Against Terrorism (C-TPAT);
 Free and Secure Trade Program (FAST);
 Children's Online Privacy Protection Act (COPPA);
 Fair and Accurate Credit Transaction Act (FACTA), including the Red Flags Rule;
 Federal Rules of Civil Procedure (FRCP).

Industry-specific laws:
 Federal Information Security Management Act (FISMA);
 North American Electric Reliability Corp. (NERC) standards;
 Title 21 of the Code of Federal Regulations (21 CFR Part 11), Electronic Records;
 Health Insurance Portability and Accountability Act (HIPAA);
 The Health Information Technology for Economic and Clinical Health Act (HITECH);
 Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule);
 H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation.

Summary
 A security policy is a document or set of documents that describes, at a high level, the security
controls that will be implemented by the company
 There are two types of basic security policies: Technical security policies and Administrative
security policies.
 Key Elements of Security Policy
o Overview – Background information of what issue the policy addresses.
o Purpose – Why the policy is created.
o Scope – To what areas this policy covers.
o Targeted Audience – Tells to whom the policy is applicable.
o Policy – A good description of the policy.
o Definitions – A brief introduction of the technical jargon used inside the policy.
o Version – A version number to control the changes made to the document.
 Auditing the security governance practices of a company requires understanding how the
organization manages the processes and procedures that make up its security program and
compare those aspects to recognized governance frameworks.
 The COSO internal controls framework consists of five main control components
o Control Environment
o Risk Assessment
o Control Activities
o Information and Communication
o Monitoring
 The role of COBIT in IT governance is to provide a model that takes the guesswork out of how
to bridge the gap between business goals and IT goals.
 ITIL is used by companies for overall management of IT and also for managing security processes
as well.
 Standards and best practices can help the auditor distinguish good security designs from bad
and provide reference architectures to compare against.
 Various standards include:
o ISO 27000 Series of Standards
o NIST
o Center for Internet Security
o NSA
o DISA
o SANS
o ISACA
o ISO 27003
o ISO 27004
o ISO/IEC 13335 (IT Security Management)
o ISO 27005
o ISO Standard 24762 for Technical Disaster Recovery
o ISO Standard for BCM – 22301
o IEEE Standards
o ISO 17799
o BS 7799 (ISO 17799)

Practical activities:

Activity 1:

Work in groups and collate various security policies published by different
organizations. Categorize the policies and highlight the differences between them
based on context, including sector, size of organization, types of information or data they
possess, country, etc.

Compile a list of components that are common across the policies. Discuss why you think
these elements are similar or dissimilar and what the impact of the variances is.

Activity 2:

Work in groups and research the various data security standards that are available.
Categorize the standards based on the area to which they pertain.

Present the key highlights of a selected standard. Discuss why standards are important and why
these standards have credibility and legitimacy. Consider the composition of
the standard-setting body and who its members or patrons are.

Activity 3:

Develop a set of standards for various aspects of your student life and education, and make
a plan for advocacy and promotion of these standards so that more and more people
adopt them. List the key imperatives and challenges for the successful adoption and
recognition of your proposed standards.

Activity 4:

Explore the various laws and regulations that are applied in the areas of information
security. Present key features of the laws and cite cases where these were violated and
cases were filed in breach of law. Present findings in the class, discussing the details of
the case and interesting facets of it.

Check your understanding:


1. State the main objective of a security policy.

_________________________________________________________________________________

_________________________________________________________________________________
2. State at least three key constituents of a security policy

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
3. Explain at least two main concepts in the COSO framework

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
4. Explain the application of the Deming Cycle (Plan-Do-Check-Act) in IT security.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
5. Name the two categories of CIS benchmarks. Explain why they are used for configuration-level
auditing of technology.

________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
6. How is BS 7799 (ISO 17799) relevant to Indian Companies?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
7. State at least five different data security policies an organisation may have.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

UNIT V
Information Security Management
– Roles and Responsibilities

This Unit covers:

 Lesson Plan
 Resource Material
5.1. Information and Data Security Team Structure
5.2. Security Incident Response Team

LESSON PLAN

Performance Outcomes
To be competent, you must be able to:
 PC1. establish your role and responsibilities in contributing to managing information security
 PC10. obtain advice and guidance on information security issues from appropriate people, where required
 PC11. comply with your organization's policies, standards, procedures and guidelines when contributing to managing information security

You need to know and understand:
 KA3. limits of your role and responsibilities and who to seek guidance from
 KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
 KA11. who to involve when managing information security

Ensuring Measures
 Going through various organizations' websites and understanding their policies and guidelines (research); this measure also covers KA1.
 Understand, summarize and articulate (this measure covers KA2 and KA3).

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (min 2 Mbps dedicated)
 Networking equipment: routers and switches
 Firewalls and access points
 Commercial tools like HP WebInspect and IBM AppScan, etc.
 Open source and freely available tools like sqlmap, Nessus, etc.
Lesson

5.1 Information and Data Security Team Structure

With the growing importance and scope of information and data security, numerous organizational
structures and configurations have been implemented to get a handle on the complexities associated
with managing and protecting data.

Information security governance begins at the top with the Board of Directors and CEO enforcing
accountability for adherence to standards and commissioning the development of security
architectures that address the security requirements of the business as a whole. The auditing function
might be its own group (or outsourced to a third party) and might report to the CEO or directly to the
Board of Directors to maintain its independence.

Board of Directors
The Board of Directors is responsible for protecting the interests of the shareholders of the
corporation. This duty of care (fiduciary responsibility) requires that it understand the risk to the
business and its data. The Board of Directors is responsible for approving the appropriate resources
necessary to safeguard data. It also needs to be kept aware of how the security program is
performing.

Security Steering Committee


The Security Steering Committee has an important role in security governance; this group is
responsible for setting the tactical and strategic direction for the organization as a whole. The group
generally consists of the CEO, CFO, CIO/CISO, and the internal auditing function (or oversight if it is
outsourced to a third party). Other business functions might also be present, such as Human
Resources and business operational leaders, depending on the size and organizational complexity
of the business. This team reviews audit results, risk assessment, and current program performance
data. The committee also provides approval for any major policy or security strategy changes.

CEO or Executive Management


Senior management must answer to the Board of Directors and shareholders of a company.
Furthermore, if the company is publicly traded, the CEO and CFO must personally attest to the
accuracy and integrity of the financial reports the company issues. Executive management sets the
tone and direction for the rest of the company and must be aware of the risks the company faces
to the confidentiality, integrity, and availability of sensitive data.

CIO/CISO
The CIO/CISO is responsible for aligning the information security program strategy and vision to
business requirements. The CIO/CISO ensures that the correct resources are in place to adhere to
the policies and procedures set forth by the steering committee. This role generally reports to the
CEO and Board of Directors and reports how the organization is performing relative to the
company’s goals and similar organizations in the same industry.

Security Director
The security director’s role is to coordinate the efforts for securing corporate assets. The
responsibilities include reporting on the progress of initiatives to executive management and
building the teams and resources to address the various tasks necessary for information security.

This role also acts as a liaison to other aspects of the business to articulate security requirements
throughout the company. The security director manages the teams in developing corporate data
security policies, standards, procedures, and guidelines.

Security Analyst
A security analyst builds the policies, analyses risk, and identifies new threats to the business.
Business continuity and disaster recovery planning are important functions performed by the
analyst to prepare the company for the unexpected. The analyst is also responsible for creating
reports about the performance of the organization’s security systems.

Security Architect
A security architect defines the procedures, guidelines, and standards used by the company.
Architects help to select the controls used to protect the company’s data and they make sure that
the controls are sufficient for addressing the risk and complying with policy. This role is also
responsible for testing security products and making recommendations about what will best serve
the needs of the company.

Security Engineer
A security engineer implements the controls selected by the security architect. Security engineers
are responsible for the maintenance of firewalls, IPS, and other tools. This includes upgrades,
testing, patching, and overall maintenance of the security systems. This role might also be
responsible for testing the functionality of equipment to make sure that it operates as expected.

Systems Administrator
A systems administrator is responsible for monitoring and maintaining the servers, printers, and
workstations a company uses. In addition, administrators add and/or remove user accounts as
necessary, control access to shared resources, and maintain company-wide antivirus software.

Database Administrator
The Database Administrator (DBA) has an important job in most companies. The DBA is responsible
for designing and maintaining corporate databases and also securing access to the data to ensure
its integrity. The ramifications of lax security in this role can be severe, especially considering the
reporting requirements mandated by SOX.

IS Auditor
An auditor’s role in security governance is to assess the effectiveness in meeting the requirements
set forth by policy and management direction. The auditor is tasked to identify risk and report on
how the organization performs to upper management. The auditor provides an impartial review of
projects and technologies to identify weaknesses that could result in loss to the company.

End User
End users have a critical role in security governance that is often overlooked. They must be aware
of the impact their actions can have on the security of the company and be able to safeguard
confidential information. They are responsible for complying with policies and procedures and
following safe computing practices, such as not opening unexpected attachments, not running a
machine without antimalware software, and not installing unauthorized software. A solid user
security awareness program can help promote safe computing habits.

[Figure: Hierarchical flowchart for all the roles w.r.t. information security. Roles shown, numbered as in the figure: 1. Board of Directors; 2. CEO; 3. CIO/CISO; 4. Security Director; 5. Security Analyst; 6. Security Architect; 7. Security Engineer; 8. Systems Administrator; 9. Database Administrator; 10. IS Auditor; 11. End User. The reporting lines follow the role descriptions above, with the Board of Directors at the top.]


5.2 Security incident response team

The security incident response team is a group of individuals who have been trained in incident
management, each having distinct response roles. The team works under the direction of the incident
officer. The team is tasked with the following responsibilities:
 Processes IT security complaints or incidents.
 Assesses threats to IT resources.
 Alerts IT managers of imminent threats.
 Determines incident severity and escalates it, if necessary, with notification to CTO and
president’s senior staff.
 Coordinates security incidents (level 2 or 3) from discovery to closure.
 Reviews incidents, provides solutions/resolutions and closure.

Table-Top Exercise:
Students are recommended to follow this link and perform an interesting exercise on a security
breach by assuming the various roles described in the corresponding exercise:

http://www.nascio.org/portals/0/awards/nominations2015/2015/2015PA12-PA%20Cyber%20Continuity%20CIO%20Exercise%20DR%20Sec%20Biz%20Continuity%20NASCIO%202015%20FINAL.pdf

Summary
 Information security governance begins at the top with the Board of Directors and CEO
enforcing accountability for adherence to standards and commissioning the development of
security architectures that address the security requirements of the business as a whole.
 The auditing function might be its own group (or outsourced to a third party) and might report
to the CEO or directly to the Board of Directors to maintain its independence.
 Various roles in information security in an organisation: Board of Directors, Security Steering
Committee, CEO or Executive Management, CIO/CISO, Security Director, Security Analyst,
Security Architect, Security Engineer, Systems Administrator, Database Administrator, IS
Auditor and End User
 Role of security incident team and their responsibilities
o Processes IT security complaints or incidents.
o Assesses threats to IT resources
o Alerts IT managers of imminent threats.
o Determines incident severity and escalates it, if necessary, with notification to CTO and
president’s senior staff
o Coordinates security incidents (level 2 or 3) from discovery to closure
o Reviews incidents, provides solutions/resolutions and closure


Practical activities:

Activity 1:

Collect information about various job titles and roles within the data security sub-
sector. Meet industry representatives and compile a list of functions, qualification and
experience requirements for each role. Present the same in class in groups.

Activity 2:

Work in teams to conduct industry interactions with the various teams assigned to information
security in organisations, drawn from different departments. Compare the variances between
different types of companies and debate and deliberate on various aspects of these, including:

 composition,
 liaising with different departments inside the organisation,
 interactions with other organisations, their functions, etc.

Check your understanding:


1. State TRUE or FALSE
• The Security Director of an organization is not responsible for managing teams in developing
corporate data security policies, standards, procedures and guidelines. ( )
• A solid user security awareness program can help promote safe computing habits.
( )

2. Explain how the role of a Security Analyst differs from that of a Security Engineer.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

3. Fill in the blanks with the most appropriate answer


• Database Administrator (DBA) is responsible for ______________ and
____________________ databases and also for securing access to the data to ensure its
integrity.
• The ________ is responsible for aligning the information security program strategy and vision
to business requirements.
• A ________________ ________________is responsible for monitoring and maintaining the
servers, printers, and workstations a company uses.

• The security director’s role is to coordinate the efforts for securing _____________ ________.
• A ___________ ___________builds the policies, analyses risk, and identifies new threats to
the business.

4. Mention at least two important tasks of an IS Auditor.

__________________________________________________________________________________

__________________________________________________________________________________

5. Tick the right answer


The security incident response team is tasked with the following responsibilities:
(a) assess threats to IT resources
(b) alerts IT managers of imminent threats
(c) process IT security complaints or incidents
(d) all of the above

NOTES:

UNIT VI
Information Security
Performance Metrics

This Unit covers:

 Lesson Plan
6.1. Introduction – Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring Systems


LESSON PLAN

Performance Outcomes
To be competent, you must be able to:
 PC7. analyze information security performance metrics to highlight variances and issues for
action by appropriate people
 PC3. carry out security assessment of information security systems using automated tools
 PC9. update your organization’s knowledge base promptly and accurately with information
security issues and their resolution
 PC2. monitor systems and apply controls in line with information security policies, procedures
and guidelines

Ensuring Measures
 QA session and a descriptive write-up on understanding.
 Group presentation and peer evaluation along with faculty.
 Team work (IM and chat applications) and group activities (online forums), including
templates to be prepared.
 Project charter, architecture (charts), project plan, poster presentation and execution plan.
 Creation of templates based on the learnings.

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Networking equipment: routers and switches
 Firewalls and access points
 Access to all security sites like ISO, PCI DSS
 Commercial tools like HP WebInspect and IBM AppScan etc.
 Open source tools like sqlmap, and scanners like Nessus etc.

Knowledge and Understanding
You need to know and understand:
 KA1. your organization’s policies, procedures, standards and guidelines for managing
information security
 KA2. your organization’s knowledge base and how to access and update this
 KA10. how to access and analyse information security performance metrics
 KA11. who to involve when managing information security
 KA12. your organization’s information security systems and tools and how to access and
maintain these
 KA13. standard tools and templates available and how to use these
 KB3. common issues and variances of performance metrics that require action and who to
report these to

Ensuring Measures (by knowledge area)
 KA1: QA session and a descriptive write-up on understanding.
 KA2: Group presentation and peer evaluation along with faculty.
 KA10, KA11: Team work (IM and chat applications) and group activities (online forums),
including templates to be prepared.
 KA12: Project charter, architecture (charts), project plan, poster presentation and execution
plan.
 KA13: Creation of templates based on the learnings.

Work Environment / Lab Requirement: as listed above.

Lesson
6.1 Introduction – Security Metrics
It helps to understand what metrics are by drawing a distinction between metrics and measurements.
Measurements provide single-point-in-time views of specific, discrete factors, while metrics are
derived by comparing two or more measurements taken over time against a predetermined baseline.
Measurements are generated by counting; metrics are generated from analysis. In other words,
measurements are objective raw data and metrics are either objective or subjective human
interpretations of those data.

In the face of regular, high-profile news reports of serious security breaches, as well as intense scrutiny
of institutional costs, security managers are more than ever being held accountable for demonstrating
the effectiveness of their security programs. What means should managers be using to meet this
challenge? Key among these should be security metrics. This lesson provides a definition of
security metrics, explains their value, discusses the difficulties in generating them, suggests a
methodology for building a security metrics program, and reviews factors that affect its ongoing success.

Good metrics are those that are SMART, i.e. specific, measurable, attainable, repeatable, and time-
dependent. Truly useful metrics indicate the degree to which security goals, such as data
confidentiality, are being met, and they drive actions taken to improve an organization’s overall
security program. Distinguishing metrics meaningful primarily to those with direct responsibility for
security management from those that speak directly to executive management interests and issues is
critical to development of an effective security metrics program.

While there are multiple ways to categorize metrics, guidance from the National Institute of
Standards and Technology (NIST) does this in a way that is more helpful than simply providing tag
names for metric groupings. The Performance Measurement Guide for Information Security (NIST SP
800-55 Revision 1) divides security metrics into three categories and links each to levels of security
program maturity.

The categories are:

 Implementation – metrics used to show progress in implementing policies and procedures and
individual security controls
 Effectiveness/efficiency – metrics used to monitor results of security control implementation
for a single control or across multiple controls
 Impact – metrics used to convey the impact of the information security program on the
institution's mission, often through quantifying cost avoidance or risk reduction produced by
the overall security program

As mentioned earlier, truly useful metrics indicate the degree to which security goals are being met
and they drive actions taken to improve an organization's overall security program. Before expending
resources producing metrics in any of these three categories, it is essential that goals and objectives
of the security program be articulated.


6.2 Types of Security Metrics

Three distinct types of metrics classified according to level:

 Strategic security metrics


These are measures concerning the information security elements of high level business goals,
objectives and strategies. For example, if the organization needs to bolster its information security
capabilities and competences in order to support various business initiatives, without expanding
the budget, metrics concerning the efficiency and effectiveness of information security are probably
relevant. Broad-brush metrics relating to information security risks, capabilities and value tend to
exist at this high level. The reporting period may be one or more years.

 Security management metrics


There are numerous facets to managing information security risks that could be measured, hence
many possible metrics. We recommend making a special effort to identify management metrics
that directly relate to achieving specific business objectives for information security, supplementing
those that are needed to manage the information security department, function or team just like
any other part of the business (e.g. expenditure against budget). Management-level metrics tend
to be reported/updated on a monthly or quarterly basis. Metrics concerning information security
projects/initiatives (e.g. implementing dual-factor authentication) and the information security
management system (e.g. security incident statistics) are typical examples.

 Operational security metrics


At the lowest level of analysis, most information security controls, systems and processes need to
be measured in order to operate and control them. Metrics supporting security operations are
normally only of direct concern to those managing and performing security activities. They include
both technical and non-technical security metrics that are often updated on a weekly, daily or
hourly basis. They are unlikely to be of much interest or value beyond the information security and
related technical functions, although some

Another classification is by object of measurement:

 Process Security Metrics: These metrics measure processes and procedures. Examples are the
number of policy violations, percentage of systems with formal risk assessments, percentage of
systems with tested security controls, percentage of weak (non-compliant) passwords, number of
identified risks and their severity, percentage of systems with contingency plans, etc. These are
usually compliance- or governance-driven. While they generally support better security, their
actual impact is hard to define.
 Network Security Metrics: These are driven by products (firewalls, IDS, etc.). Readily available
and widely used, they give a sense of control, and usually come with some level of data
presentation through charts and interfaces. They can be misleading, though. Examples are
successful/unsuccessful logons, number of incidents, number of viruses blocked, number of
patches applied, amount of spam blocked, number of virus infections, number of port probes,
traffic analysis, etc.

 Software Security Metrics: Software measures are usually troublesome (LOC, function points,
complexity, etc.). These metrics are context-sensitive, environment-dependent and
architecture-dependent. Examples are size and complexity, defects per LOC, defects (by severity
and type) over time, cost per defect, attack surface (number of interfaces), layers of security and
design flaws.
 People Security Metrics: These are usually relevant but unreliable, because human behaviour is
difficult to model; biases and non-standard responses make it hard to predict. Examples include
the percentage of associates/contractors who have completed information security policy
training, team size, etc.
 Other

A sample list of metrics is given below. These metrics cover the following business functions:
 Application Security
o Number of Applications
o Percentage of Critical Applications
o Risk Assessment Coverage
o Security Testing Coverage
 Configuration Change Management
o Mean-Time to Complete Changes
o Percent of Changes with Security Review
o Percent of Changes with Security Exceptions
 Financial
o Information Security Budget as % of IT Budget
o Information Security Budget Allocation
 Incident Management
o Mean-Time to Incident Discovery
o Incident Rate
o Percentage of Incidents Detected by Internal Controls
o Mean-Time Between Security Incidents
o Mean-Time to Recovery
 Patch Management
o Patch Policy Compliance
o Patch Management Coverage
o Mean-Time to Patch
 Vulnerability Management
o Vulnerability Scan Coverage
o Percent of Systems Without Known Severe Vulnerabilities
o Mean-Time to Mitigate Vulnerabilities
o Number of Known Vulnerability Instances
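Several of the metrics listed above (Patch Management Coverage, Mean-Time to Patch, Patch Policy Compliance, Vulnerability Scan Coverage, Percent of Systems Without Known Severe Vulnerabilities, Mean-Time to Incident Discovery and Percentage of Incidents Detected by Internal Controls) are straightforward to derive once the raw measurements exist. The following Python is an added example and not code from the handbook: it computes those metrics from constructed patch, scan and incident records. The host names, dates, the 30-day patch SLA, the definition of "severe" and the list of internal detection sources are all assumptions made for the example.

```python
"""Deriving patch-, vulnerability- and incident-management metrics from raw records.

Added example; every record below is constructed sample data, and the SLA,
severity set and internal-control list are assumptions, not handbook content.
"""
from datetime import date
from statistics import mean

# --- Constructed measurements (the raw "counting" data) ---------------------
INVENTORY = ["web-01", "web-02", "db-01", "db-02"]     # asset register
MANAGED_HOSTS = {"web-01", "web-02", "db-01"}           # hosts with a patch agent
SCANNED_HOSTS = {"web-01", "web-02", "db-01"}           # hosts covered by the last scan
AS_OF = date(2015, 4, 15)                               # reporting date for the example

# One row per (host, patch); applied=None means the patch is still outstanding.
PATCH_RECORDS = [
    {"host": "web-01", "patch": "P-1", "released": date(2015, 3, 1),  "applied": date(2015, 3, 10)},
    {"host": "web-02", "patch": "P-1", "released": date(2015, 3, 1),  "applied": date(2015, 3, 31)},
    {"host": "db-01",  "patch": "P-1", "released": date(2015, 3, 1),  "applied": None},
    {"host": "web-01", "patch": "P-2", "released": date(2015, 3, 15), "applied": date(2015, 3, 20)},
]

# Open findings from the last vulnerability scan.
SCAN_FINDINGS = [
    {"host": "web-01", "severity": "low"},
    {"host": "web-02", "severity": "high"},
    {"host": "db-01",  "severity": "medium"},
]

# Security incidents: when each started, when it was discovered, and what detected it.
INCIDENTS = [
    {"id": 1, "occurred": date(2015, 2, 1),  "discovered": date(2015, 2, 3),  "detected_by": "ids"},
    {"id": 2, "occurred": date(2015, 2, 10), "discovered": date(2015, 2, 20), "detected_by": "customer"},
    {"id": 3, "occurred": date(2015, 3, 5),  "discovered": date(2015, 3, 5),  "detected_by": "siem"},
]

PATCH_SLA_DAYS = 30                                     # assumed policy: patch within 30 days
SEVERE = {"critical", "high"}                           # assumed meaning of "severe"
INTERNAL_CONTROLS = {"ids", "siem", "antivirus", "dlp"}  # assumed internal detection sources


def pct(numerator, denominator):
    """Percentage rounded to one decimal; None when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else None


def patch_management_coverage(inventory, managed):
    return pct(len(set(inventory) & managed), len(inventory))


def mean_time_to_patch(records):
    """Average days from release to application, over patches actually applied."""
    days = [(r["applied"] - r["released"]).days for r in records if r["applied"]]
    return round(mean(days), 1) if days else None


def patch_policy_compliance(records, sla_days, as_of):
    """Share of patches that were due by `as_of` and were applied within the SLA.
    Outstanding patches past their due date count as non-compliant; patches whose
    SLA window has not yet expired are left out of the denominator."""
    due = [r for r in records if (as_of - r["released"]).days >= sla_days]
    ok = [r for r in due if r["applied"] and (r["applied"] - r["released"]).days <= sla_days]
    return pct(len(ok), len(due))


def vulnerability_scan_coverage(inventory, scanned):
    return pct(len(set(inventory) & scanned), len(inventory))


def pct_systems_without_severe_vulns(scanned, findings, severe):
    """Only scanned hosts are in the denominator: an unscanned host is unknown, not clean."""
    hosts_with_severe = {f["host"] for f in findings if f["severity"] in severe}
    return pct(len(scanned - hosts_with_severe), len(scanned))


def mean_time_to_incident_discovery(incidents):
    days = [(i["discovered"] - i["occurred"]).days for i in incidents]
    return round(mean(days), 1) if days else None


def pct_incidents_detected_internally(incidents, internal):
    return pct(sum(1 for i in incidents if i["detected_by"] in internal), len(incidents))


def metrics_report(as_of):
    """Derive the named metrics from the measurements above for the given reporting date."""
    return {
        "patch_management_coverage_pct": patch_management_coverage(INVENTORY, MANAGED_HOSTS),
        "mean_time_to_patch_days": mean_time_to_patch(PATCH_RECORDS),
        "patch_policy_compliance_pct": patch_policy_compliance(PATCH_RECORDS, PATCH_SLA_DAYS, as_of),
        "vulnerability_scan_coverage_pct": vulnerability_scan_coverage(INVENTORY, SCANNED_HOSTS),
        "pct_systems_without_severe_vulns": pct_systems_without_severe_vulns(SCANNED_HOSTS, SCAN_FINDINGS, SEVERE),
        "mean_time_to_incident_discovery_days": mean_time_to_incident_discovery(INCIDENTS),
        "pct_incidents_detected_internally": pct_incidents_detected_internally(INCIDENTS, INTERNAL_CONTROLS),
    }


if __name__ == "__main__":
    for name, value in metrics_report(AS_OF).items():
        print(f"{name:40s} {value}")
```

Two denominator choices in this example are the kind of decision a metrics programme has to write down before the numbers are published: a patch still inside its SLA window is neither compliant nor non-compliant yet, so it is excluded rather than counted either way, and a host that was never scanned is not counted as "free of severe vulnerabilities", because no measurement exists for it. Leaving such hosts in the denominator would quietly inflate the metric as scan coverage drops.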


6.3 Using Security Metrics

Using security metrics involves data acquisition. This may be automated or manually collected. Data
collection automation depends on the availability of data from automated sources versus the
availability of data from people. Manual data collection involves developing questionnaires and
conducting interviews and surveys with the organization’s staff.

 More useful data becomes available from semi-automated and automated data sources, such
as self-assessment tools, certification and accreditation (C&A) databases, incident reporting
and response databases, and other data sources as a security program matures.
 Metrics data collection is fully automated when all data is gathered by using automated data
sources without human involvement or intervention.

6.4 Developing the Metrics Process


At a high level, the steps for establishing a metrics program are:

o Define goals and objectives
o Determine information goals
o Develop metrics models
o Determine metrics reporting format and schedule
o Implement metrics
o Set benchmarks and targets
o Establish a formal review cycle

6.5 Metrics and Reporting


There are a number of challenges often encountered in organizations that are about to implement,
or are already implementing, an information security measurement programme (ISMP). Many of these
arise from stakeholders' misconceptions and erroneous expectations regarding metrics (IATAC, 2009);
they include:

 Measurement efforts are finite (while in reality a metrics programme is aimed at continual
improvement and long-term benefits).
 Data for metrics support is readily accessible and conducive to measurement (in many cases,
depending on the maturity of IS management, the size and structure of the organization, et cetera,
this may not be so, and changes to the existing data collection and analysis processes may have to
be made, especially toward higher levels of standardization, to make metrics effective and efficient).

 Metrics provide quick returns (this again depends on factors such as maturity of IS management;
expecting business impact metrics from an ISMS that does not have the capability to effectively
provide them is unrealistic, for instance).
 Metrics can be automated easily/rapidly (attempting to automate measures that have not yet
been thoroughly tested and proven to be effective can be ultimately counterproductive).
 Measures should help ensure maximum ROI (while not unreasonable per se, this often receives a
high priority at the expense of the other facets of measurement, which get neglected and, once
again, the capability of IS management to deliver on these expectations is not always fully
considered).

The lack of consensus definitions and vocabulary, and of a broadly accepted model for mapping IS
metrics to organizational structure and clearly illustrating how lower-level metrics roll up into
higher-level ones in a meaningful way, can contribute to this problem (although efforts are being
made to rectify these issues). Without a good model or methodology for rolling up quantitative
measures, security professionals often struggle to find a compromise between reporting methods that
are too technical for senior management and ones that impair the utility of a metric through
oversimplification.

The frequency of reports depends on organizational norms, the volume and gravity of information
available, and management requirements. Regular reporting periods may vary from daily or weekly
to monthly, quarterly, six-monthly or annual. The longer-period reports are more likely to identify
and discuss trends and strategic issues, and to include status reports on security-relevant
development projects, information security initiatives and so forth; in other words, they provide
the context to make sense of the numbers.

Here are some options for your consideration:

 An annual, highly confidential Information Security Report for the CEO, the Board and other
senior management (including Internal Audit). This report might include commentary on the
success or otherwise of specific security investments. A forward-looking section can help to set
the scene for planned future investments, and is a good opportunity to point out the ever
changing legal and regulatory environment and the corresponding personal liabilities on senior
managers.
 Quarterly status reports to the most senior body directly responsible for information security,
physical security, risk and/or governance. Traffic light status reports are common and KPIs may
be required, but the Information Security Manager’s commentary (supplemented or endorsed
by that of the CTO/CIO) is a good value add.
 Monthly reports to the CTO/CIO, listing projects participated in and security incidents, along
with their monetary value (the financial impacts do not need to be precisely accurate; they are
used to indicate the scale of losses).


6.6 Designing information security measurement systems
In order to design an information security measurement system one has to ask the following
fundamental questions.

1. What are we going to measure?

Identifying the right metrics: we shouldn’t implement a measurement process if we don’t intend to
follow it routinely and systematically, since we need repeatable and reliable measures; we shouldn’t
capture data that we don’t intend to analyse, as that is simply an avoidable cost; and we shouldn’t
analyse data if we don’t intend to make practical use of the results.

2. How will we measure things?

Where will the data come from and where will they be stored? If the source information is not
already captured and available, there will be a need to put in place the processes to gather it. This
in turn raises the issue of who will capture the data. Will it be centralized or will we distribute the
data collection processes? If departments and functions outside central control are reporting, how
far can they be trusted not to manipulate the figures? Will they meet deadlines and formatting
requirements? How much data gathering and reporting can be automated?

3. How will we report?

What do senior management actually want? To get senior management buy-in it is important to
discuss the purpose and outputs with managers and peers. Provide alternative formats initially to
assess their preference. It may be required to report differently from other functions in the
organization, using different presentation formats as well as different content. Managers are likely
to feel more comfortable with conventional management reports, so look at a range of sample
reports to pick out the style cues.

4. How should we implement our reporting system?

When developing metrics, it’s worth testing out the feasibility and effectiveness of the
measurement processes and the usefulness of chosen metrics on a limited scale before rolling them
out across the entire corporation. Pilot studies or trials are useful ways to iron-out any glitches in
the processes for collecting and analysing metrics, and for deciding whether the metrics are truly
indicative of what you are trying to measure.
Even after the initial trial period, continuous feedback on the metrics can help to refine the
measurement system. Changes in both the organization and the information security risks it faces
mean that some metrics are likely to become outdated over time.

5. Setting targets

Measuring and reporting leads to the identification and benchmarking of Key Performance
Indicators (KPIs), and then to tracking measures against them to evaluate performance.
Before publishing the chosen metrics it is important to figure out which ones would truly indicate
progress towards the organization’s information security goals.
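Section 6.1 defined a metric as measurements compared against a baseline, 6.5 mentioned traffic-light reports and the difficulty of rolling lower-level metrics up into higher-level ones, and this section asks for targets. The following Python is an added example, not code from the handbook, that puts those three ideas together for a handful of operational metrics: each monthly series is compared with the mean of the preceding months (the baseline), scored against an assumed target as green/amber/red, and rolled up into management-level KPIs with a worst-of rule. The metric names, monthly values, thresholds and KPI tree are all constructed assumptions.

```python
"""From measurements to management status: baseline, target, traffic light, roll-up.

Added example; the series values, targets and KPI tree are constructed assumptions.
"""
from statistics import mean

# Monthly measurements, oldest first; the last value is the current period.
SERIES = {
    "patch_policy_compliance_pct":      [62.0, 70.0, 75.0, 81.0],
    "mean_time_to_patch_days":          [40.0, 33.0, 31.0, 27.0],
    "pct_systems_without_severe_vulns": [55.0, 58.0, 60.0, 57.0],
}

# Assumed targets: 'green' is the goal, 'amber' the tolerable limit. For a
# lower-is-better metric (days to patch) the comparison direction flips.
TARGETS = {
    "patch_policy_compliance_pct":      {"green": 90.0, "amber": 75.0, "higher_is_better": True},
    "mean_time_to_patch_days":          {"green": 14.0, "amber": 30.0, "higher_is_better": False},
    "pct_systems_without_severe_vulns": {"green": 90.0, "amber": 70.0, "higher_is_better": True},
}

# Assumed roll-up tree: operational metrics -> management KPIs -> overall programme status.
KPI_TREE = {
    "patch_management": ["patch_policy_compliance_pct", "mean_time_to_patch_days"],
    "vulnerability_management": ["pct_systems_without_severe_vulns"],
}

RANK = {"green": 0, "amber": 1, "red": 2}


def status(value, target):
    """Traffic-light status of one measurement against its target thresholds."""
    better = (lambda v, t: v >= t) if target["higher_is_better"] else (lambda v, t: v <= t)
    if better(value, target["green"]):
        return "green"
    if better(value, target["amber"]):
        return "amber"
    return "red"


def trend(series, higher_is_better, window=3, tolerance=1.0):
    """Compare the latest measurement with the mean of up to `window` preceding ones.
    This is the 'metric' of 6.1: several measurements compared with a baseline.
    Returns (delta, verdict); a change smaller than `tolerance` is reported as stable."""
    if len(series) < 2:
        return None, "insufficient data"
    baseline = mean(series[-1 - window:-1])
    delta = series[-1] - baseline
    if abs(delta) < tolerance:
        verdict = "stable"
    elif (delta > 0) == higher_is_better:
        verdict = "improving"
    else:
        verdict = "worsening"
    return round(delta, 1), verdict


def roll_up(children):
    """Worst-of rule: a KPI is only as good as its weakest contributing metric.
    Weighted averages exist, but worst-of cannot hide a red behind a good average."""
    return max(children, key=lambda s: RANK[s])


def report(series=SERIES, targets=TARGETS, tree=KPI_TREE):
    """Per-metric status and trend, KPI roll-ups, and the overall programme status."""
    metrics = {}
    for name, values in series.items():
        t = targets[name]
        delta, verdict = trend(values, t["higher_is_better"])
        metrics[name] = {"value": values[-1], "status": status(values[-1], t),
                         "delta": delta, "trend": verdict}
    kpis = {kpi: roll_up([metrics[m]["status"] for m in members]) for kpi, members in tree.items()}
    return {"metrics": metrics, "kpis": kpis, "overall": roll_up(list(kpis.values()))}


if __name__ == "__main__":
    r = report()
    for name, m in r["metrics"].items():
        print(f"{m['status']:5s} {name:34s} {m['value']:>6} ({m['trend']}, {m['delta']:+} vs baseline)")
    for kpi, s in r["kpis"].items():
        print(f"{s:5s} {kpi}")
    print("overall:", r["overall"])
```

Note what the two views say about the same data: patch compliance is amber but improving, while the share of systems without severe vulnerabilities is red and flat, so the overall programme status is red even though most individual numbers moved the right way. Whether that worst-of verdict or a weighted one is reported upward is exactly the "how will we report?" decision above, and it should be agreed with the report's audience before the first issue, not changed afterwards to make the light look better.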


Summary
 Good security metrics are those that are SMART, i.e. specific, measurable, attainable,
repeatable and time-dependent.
 The Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1)
divides security metrics into three categories and links each to levels of security program
maturity, namely –Implementation, Effectiveness/Efficiency & Impact
 Classified by level, security metrics fall into three distinct types:
o Strategic security metrics, which are measures concerning the information security
elements of high-level business goals, objectives and strategies
o Security management metrics, which cover the numerous facets of managing information
security risks that could be measured, hence many possible metrics
o Operational security metrics, which are at the lowest level of analysis: most information
security controls, systems and processes need to be measured in order to operate and
control them
 Using security metrics involves data acquisition, which may be automated or manual.
 The frequency of reports depends on organizational norms, the volume and gravity of
information available, and management requirements. Regular reporting periods may vary
from daily or weekly to monthly, quarterly, six-monthly or annual.
 The following questions should be asked while designing information security measurement
systems
o What are we going to measure?
o How will we measure things?
o How will we report?
o How should we implement our reporting system?
o How to set targets?

Practical activities:

Activity 1:

Work in teams and gather as much information from industry and the internet about
the various information security performance metrics they use in their organisations.
Discuss the various challenges in identifying, monitoring and inferencing performance
through these metrics.

Activity 2:

Develop performance metrics for various aspects of your own academic and non-
academic behaviours and track these over a period of a week. Draw out various
inferences from this monitoring. Present the object of your study, the metrics you
chose, the challenges in implementing these metrics and your process of
inferencing. Debate the inferences and validity of each other’s findings.

Activity 3:

Research the various information security companies offering products and services for
tracking and instituting performance metrics systems in organisations. Compare
services, present features, benefits and limitations of the same.

Check your understanding:


Q: Fill in the blanks with the most appropriate answer:
 Measurements are generated by counting whereas metrics are generated
by__________________.
 ____________________ metrics are usually compliance driven.

Q. State TRUE or FALSE as to which of the following accurately describe some of the misconceptions
regarding metrics.

 Metrics provide single-point-in-time views of specific, discrete factors, while measurements are
derived by comparing to a predetermined baseline of two or more measurements taken over
time. ( )
 Metrics efforts are finite, while in reality a measurement programme is aimed at continual
improvement and long term benefits ( )
 Measurement can be automated easily/rapidly, attempting to automate metrics that have not yet
been thoroughly tested and proven to be effective can be ultimately counterproductive. ( )

Q. Which type of security metrics is used to monitor results of security control implementation for a
single control or across multiple controls?

_______________________________________________________

Q. The reporting/updating of which of the following types of security metrics is carried out monthly
or quarterly:

a) Strategic security metrics


b) Security management metrics
c) Operational security metrics

Q. Which of the following is not a part of Incident Management security metrics?


a) Mean-Time to Incident Discovery
b) Incident Rate
c) Mean-Time to Mitigate Vulnerabilities
d) Mean-Time Between Security Incidents
e) Mean-Time to Recovery

Q. Data capturing process plays vital role in determining appropriate information security
measurement systems. Give one example in support of the statement.
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


NOTES:

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

172
Student Handbook– Security Analyst SSC/N0901

UNIT VII
Risk Assessment

This Unit covers:

 Lesson Plan
 Resource Material
7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring


LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
PC11. comply with your organization’s policies, standards, procedures and guidelines when contributing to managing information security

Ensuring Measures:
 QA session and a descriptive write-up on understanding.
 Group presentation and peer evaluation along with Faculty.
 Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.
 Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
 Creation of templates based on the learnings.

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security

Performance Outcomes:
You must know and understand:
KA6. how to carry out information security assessments
KA13. standard tools and templates available and how to use these
KB4. how to identify and resolve information security vulnerabilities and issues

Ensuring Measures:
 KA6, KA7, KA8: Peer review with faculty with appropriate feedback.
 KA13: Creation of templates based on the learnings.
 KB1 – KB4: Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms.

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with Wi-Fi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Centre for Internet Security


Lesson

7.1 Risk Overview


Risk: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is
caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action.

Risk assessments, whether they pertain to information security or other types of risk, are a means of
providing decision makers with information needed to understand factors that can negatively
influence operations and outcomes and make informed judgments concerning the extent of actions
needed to reduce risk.

As reliance on computer systems and electronic data has grown, information security risk has joined
the array of risks that governments and businesses must manage. Regardless of the types of risk being
considered, all risk assessments generally include the following elements:

 Identifying threats that could harm and, thus, adversely affect critical operations and assets. Threats
include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters.
 Estimating the likelihood that such threats will materialize based on historical information and
judgment of knowledgeable individuals.
 Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be
affected should a threat materialize in order to determine which operations and assets are the most
important.
 Estimating, for the most critical and sensitive assets and operations, the potential losses or damage
that could occur if a threat materializes, including recovery costs.
 Identifying cost-effective actions to mitigate or reduce the risk. These actions can include
implementing new organizational policies and procedures as well as technical or physical controls.
 Documenting the results and developing an action plan.

There are various models and methods for assessing risk, and the extent of an analysis and the
resources expended can vary depending on the scope of the assessment and the availability of reliable
data on risk factors. In addition, the availability of data can affect the extent to which risk assessment
results can be reliably quantified.

A quantitative approach generally estimates the monetary cost of risk and risk reduction techniques
based on

(1) the likelihood that a damaging event will occur,

(2) the costs of potential losses, and

(3) the costs of mitigating actions that could be taken.

When reliable data on likelihood and costs are not available, a qualitative approach can be taken by
defining risk in more subjective and general terms such as high, medium, and low. In this regard,
qualitative assessments depend more on the expertise, experience, and judgment of those conducting
the assessment. It is also possible to use a combination of quantitative and qualitative methods.


7.2 Risk Identification


Risk identification is the process of determining risks that could potentially prevent the program,
enterprise, or investment from achieving its objectives. It includes documenting and communicating
the concern. The objective of risk identification is the early and continuous identification of events
that, if they occur, will have negative impacts on the project's ability to achieve performance or
capability outcome goals. They may come from within the project or from external sources.

There are multiple types of risk assessments, including program risk assessments, risk assessments to
support an investment decision, analysis of alternatives, and assessments of operational or cost
uncertainty. Risk identification needs to match the type of assessment required to support risk-
informed decision making. For an acquisition program, the first step is to identify the program goals
and objectives, thus fostering a common understanding across the team of what is needed for
program success. This gives context and bounds the scope by which risks are identified and assessed.

There are multiple sources of risk. For risk identification, the project team should review the program
scope, cost estimates, schedule (to include evaluation of the critical path), technical maturity, key
performance parameters, performance challenges, stakeholder expectations vs. current plan, external
and internal dependencies, implementation challenges, integration, interoperability, supportability,
supply-chain vulnerabilities, ability to handle threats, cost deviations, test event expectations, safety,
security, and more. In addition, historical data from similar projects, stakeholder interviews, and risk
lists provide valuable insight into areas for consideration of risk.

Risk identification is an iterative process. As the program progresses, more information will be gained
about the program (e.g., specific design), and the risk statement will be adjusted to reflect the current
understanding. New risks will be identified as the project progresses through the life cycle.


7.3 Risk Analysis


Risk analysis, the next step in the risk assessment programme, requires an entity to conduct an
accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality,
integrity, and availability of electronic protected information held by the entity. In other words, risk
analysis, which is a tool for risk management, is a method of identifying vulnerabilities and threats,
and assessing the possible damage to determine where to implement security safeguards.

Risk analysis steps:


 Identify the scope of the analysis.

 Gather data.

 Identify and document potential threats and vulnerabilities.

 Assess current security measures.

 Determine the likelihood of threat occurrence.

 Determine the potential impact of threat occurrence.

 Determine the level of risk.

 Identify security measures and finalize documentation.

A risk analysis has four main goals:


 Identify assets and their values
 Identify vulnerabilities and threats
 Quantify the probability and business impact of these potential threats
 Provide an economic balance between the impact of the threat and the cost of the
countermeasure

Risk Evaluation

The risk evaluation process receives as input the output of the risk analysis process. It compares each
risk level against the risk acceptance criteria and prioritises the risk list with risk treatment indications.


7.4 Risk Treatment


Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate
administrative, technical and physical controls. Risk treatment includes:

 applying appropriate controls to avoid, eliminate or reduce risks;
 transferring some risks to third parties as appropriate (e.g., by insurance);
 knowingly and objectively accepting some risks; and
 documenting the risk treatment choices made, and the reasons for them.

Risk treatments should take account of:

 legal-regulatory and private certificatory requirements;
 organizational objectives, operational requirements and constraints; and
 costs of implementation and operation relative to risks being reduced.

Risk treatment strategies include:

 Risk reduction

Taking the mitigation steps necessary to reduce the overall risk to an asset. Often this will
include selecting countermeasures that will either reduce the likelihood of occurrence or
reduce the severity of loss, or achieve both objectives at the same time. Countermeasures can
include technical or operational controls or changes to the physical environment. For example,
the risk of computer viruses can be mitigated by acquiring and implementing antivirus software.
When evaluating the strength of a control, consideration should be given to whether the
controls are preventative or detective. The remaining level of risk after the
controls/countermeasures have been applied is often referred to as “residual risk.” An
organization may choose to undergo a further cycle of risk treatment to address this.

 Risk sharing/transference

The organization shares its risk with third parties through insurance and/or service providers.
Insurance is a post-event compensatory mechanism used to reduce the burden of loss if the
event were to occur. Transference is the shifting of risk from one party to another. For example,
when hard-copy documents are moved offsite for storage at a secure-storage vendor location,
the responsibility and costs associated with protecting the data transfers to the service
provider. The cost of storage may include compensation (insurance) if documents are damaged,
lost, or stolen.

 Risk avoidance

The practice of eliminating the risk by withdrawing from or not becoming involved in the activity
that allows the risk to be realized. For example, an organization decides to discontinue a
business process in order to avoid a situation that exposes the organization to risk.


 Risk acceptance

An organization decides to accept a particular risk because it falls within its risk-tolerance
parameters and therefore agrees to accept the cost when it occurs. Risk acceptance is a viable
strategy where the cost of insuring against the risk would be greater over time than the total
losses sustained. All risks that are not avoided or transferred are accepted by default.
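The quantitative and qualitative approaches of 7.1, the risk evaluation step of 7.3 and the four treatment strategies above, worked through on one constructed risk register. This is an added example, not material from the handbook; the monetary bands, the 3x3 likelihood/impact matrix and the cost-effectiveness rule are assumptions.

```python
"""Risk register worked example (added here; not from the handbook).

Implements the lesson's three ideas on constructed sample figures:
  * quantitative: expected loss = likelihood x cost of potential loss, weighed
    against the cost of the mitigating action;
  * qualitative: high/medium/low from a likelihood x impact matrix when no
    reliable figures exist;
  * evaluation: each risk level is compared with the acceptance criterion and
    the register is prioritised with a treatment indication.
Thresholds and decision rules are assumptions, not the handbook's.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_level(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to a risk level (assumed 3x3 matrix)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    return "medium" if score >= 3 else "low"


@dataclass
class Risk:
    name: str
    # quantitative inputs; None when reliable data is not available
    annual_likelihood: Optional[float] = None  # probability of the event per year
    loss_per_event: Optional[float] = None     # potential loss incl. recovery costs
    control_cost: Optional[float] = None       # annual cost of the mitigating action
    control_reduction: float = 0.0             # fraction of expected loss the control removes
    # qualitative inputs, used only when the figures above are missing
    likelihood: str = "medium"
    impact: str = "medium"

    def expected_loss(self) -> Optional[float]:
        """Annualised expected loss: likelihood x cost of loss."""
        if self.annual_likelihood is None or self.loss_per_event is None:
            return None
        return self.annual_likelihood * self.loss_per_event

    def residual_loss(self) -> Optional[float]:
        """Expected loss left after the control is applied (residual risk)."""
        el = self.expected_loss()
        return None if el is None else el * (1 - self.control_reduction)

    def level(self) -> str:
        el = self.expected_loss()
        if el is None:            # no reliable data: fall back to the qualitative matrix
            return qualitative_level(self.likelihood, self.impact)
        if el >= 50_000:          # assumed monetary bands
            return "high"
        return "medium" if el >= 10_000 else "low"


def treatment_indication(risk: Risk, accept_level: str) -> str:
    """Compare the risk level with the acceptance criterion; indicate a treatment."""
    if LEVELS[risk.level()] <= LEVELS[accept_level]:
        return "accept"           # within tolerance: accepted by default
    el, rl = risk.expected_loss(), risk.residual_loss()
    if el is None or risk.control_cost is None:
        return "reduce (qualitative; revisit when data is available)"
    if risk.control_cost < el - rl:
        return "reduce"           # control costs less than the loss it prevents
    return "share or avoid"       # control not cost-effective: insure or withdraw


def prioritise(register, accept_level="low"):
    """Risk evaluation: rank the register by level, then by expected loss."""
    rows = [{
        "risk": r.name,
        "level": r.level(),
        "expected_loss": r.expected_loss(),
        "residual_loss": r.residual_loss(),
        "treatment": treatment_indication(r, accept_level),
    } for r in register]
    rows.sort(key=lambda x: (LEVELS[x["level"]], x["expected_loss"] or 0.0), reverse=True)
    return rows


# Constructed sample register (all figures invented for illustration).
SAMPLE_REGISTER = [
    Risk("ransomware on file server", 0.2, 300_000, control_cost=15_000, control_reduction=0.75),
    Risk("laptop theft", 0.5, 8_000, control_cost=2_000, control_reduction=0.5),
    Risk("insider data leak", likelihood="low", impact="high"),
    Risk("data centre flood", 0.1, 550_000, control_cost=80_000, control_reduction=0.9),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(f"{row['level']:6} {row['risk']:28} {row['treatment']}")
```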

7.5 Risk Management Feedback Loops

Risk management is a comprehensive process that requires organizations to:

 frame risk (i.e., establish the context for risk-based decisions);
 assess risk;
 respond to risk once determined; and
 monitor risk on an ongoing basis using effective organizational communications and a
feedback loop for continuous improvement in the risk-related activities of organizations.

Risk management is carried out as a holistic, organization wide activity that addresses risk from the
strategic level to the tactical level, ensuring that risk based decision making is integrated into every
aspect of the organization. The following sections briefly describe each of the four risk management
components. The first component of risk management addresses how organizations frame risk or
establish a risk context—that is, describing the environment in which risk-based decisions are made.
The purpose of the risk framing component is to produce a risk management strategy that addresses
how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and
transparent the risk perceptions that organizations routinely use in making both investment and
operational decisions. The risk frame establishes a foundation for managing risk and delineates the
boundaries for risk-based decisions within organizations.

Establishing a realistic and credible risk frame requires that organizations identify:

 risk assumptions (e.g., assumptions about the threats, vulnerabilities, consequences/impact,
and likelihood of occurrence that affect how risk is assessed, responded to, and monitored
over time);
 risk constraints (e.g., constraints on the risk assessment, response, and monitoring
alternatives under consideration);
 risk tolerance (e.g., levels of risk, types of risk, and degree of risk uncertainty that are
acceptable); and
 priorities and trade-offs (e.g., the relative importance of missions/business functions, trade-
offs among different types of risk that organizations face, time frames in which organizations
must address risk, and any factors of uncertainty that organizations consider in risk
responses).

The risk framing component and the associated risk management strategy also include any strategic-
level decisions on how risk to organizational operations and assets, individuals, other organizations,
and the Nation, is to be managed by senior leaders/executives.

The second component of risk management addresses how organizations assess risk within the
context of the organizational risk frame. The purpose of the risk assessment component is to identify:

 threats to organizations (i.e., operations, assets, or individuals) or threats directed through
organizations against other organizations or the Nation;
 vulnerabilities internal and external to organizations;
 the harm (i.e., consequences/impact) to organizations that may occur given the potential for
threats exploiting vulnerabilities; and
 the likelihood that harm will occur.

The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring).

To support the risk assessment component, organizations identify:

 the tools, techniques, and methodologies that are used to assess risk;
 the assumptions related to risk assessments;
 the constraints that may affect risk assessments;
 roles and responsibilities;
 how risk assessment information is collected, processed, and communicated throughout
organizations;
 how risk assessments are conducted within organizations;
 the frequency of risk assessments; and
 how threat information is obtained (i.e., sources and methods).

The third component of risk management addresses how organizations respond to risk once that risk
is determined based on the results of risk assessments.

The purpose of the risk response component is to provide a consistent, organization-wide, response
to risk in accordance with the organizational risk frame by:

 developing alternative courses of action for responding to risk;
 evaluating the alternative courses of action;
 determining appropriate courses of action consistent with organizational risk tolerance; and
 implementing risk responses based on selected courses of action.

To support the risk response component, organizations describe the types of risk responses that can
be implemented (i.e., accepting, avoiding, mitigating, sharing, or transferring risk).

Organizations also identify the tools, techniques, and methodologies used to develop courses of action
for responding to risk, how courses of action are evaluated, and how risk responses are communicated
across organizations and as appropriate, to external entities (e.g., external service providers, supply
chain partners).


The fourth component of risk management addresses how organizations monitor risk over time. The
purpose of the risk monitoring component is to:

 verify that planned risk response measures are implemented and information security
requirements derived from/traceable to organizational mission/business functions, federal
legislation, directives, regulations, policies, and standards, and guidelines, are satisfied;
 determine the ongoing effectiveness of risk response measures following implementation;
and
 identify risk-impacting changes to organizational information systems and the environments
in which the systems operate.

To support the risk monitoring component, organizations describe how compliance is verified and how
the ongoing effectiveness of risk responses is determined (e.g., the types of tools, techniques, and
methodologies used to determine the sufficiency/correctness of risk responses and if risk mitigation
measures are implemented correctly, operating as intended, and producing the desired effect with
regard to reducing risk). In addition, organizations describe how changes that may impact the ongoing
effectiveness of risk responses are monitored.


7.6 Risk Monitoring

Risk monitoring provides organizations with the means to:

 verify compliance;
 determine the ongoing effectiveness of risk response measures; and
 identify risk-impacting changes to organizational information systems and environments of
operation.

Analysing monitoring results gives organizations the capability to maintain awareness of the risk being
incurred, highlight the need to revisit other steps in the risk management process, and initiate process
improvement activities as needed.

Organizations employ risk monitoring tools, techniques, and procedures to increase risk awareness,
helping senior leaders/executives develop a better understanding of the ongoing risk to organizational
operations and assets, individuals, other organizations, and the Nation. Organizations can implement
risk monitoring at any of the risk management tiers with different objectives and utility of information
produced. For example, Tier 1 monitoring activities might include ongoing threat assessments and
how changes in the threat space may affect Tier 2 and Tier 3 activities, including enterprise
architectures (with embedded information security architectures) and organizational information
systems. Tier 2 monitoring activities might include, for example, analyses of new or current
technologies either in use or considered for future use by organizations to identify exploitable
weaknesses and/or deficiencies in those technologies that may affect mission/business success. Tier
3 monitoring activities focus on information systems and might include, for example, automated
monitoring of standard configuration settings for information technology products, vulnerability
scanning, and ongoing assessments of security controls. In addition to deciding on appropriate
monitoring activities across the risk management tiers, organizations also decide how monitoring is
to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities
based on, for example, the frequency with which deployed security controls change, critical items on
plans of action and milestones, and risk tolerance.


Summary
 Definition of Risk: A probability or threat of damage, injury, liability, loss, or any other negative
occurrence that is caused by external or internal vulnerabilities, and that may be avoided
through pre-emptive action.
 A quantitative approach generally estimates the monetary cost of risk and risk reduction
techniques based on
o the likelihood that a damaging event will occur,
o the costs of potential losses, and
o the costs of mitigating actions that could be taken.
 Risk identification is an iterative process.
 Risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and
threats, and assessing the possible damage to determine where to implement security
safeguards.
 The risk evaluation process receives as input the output of risk analysis process.
 Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate
administrative, technical and physical controls.
 Risk management is carried out as a holistic, organization wide activity that addresses risk from
the strategic level to the tactical level, ensuring that risk based decision making is integrated
into every aspect of the organization.
 Analysing monitoring results gives organizations the capability to maintain awareness of the
risk being incurred, highlight the need to revisit other steps in the risk management process,
and initiate process improvement activities as needed.

Practical activities:

Activity 1:

Research various information security risks for your institute. Prepare a process report
highlighting your approach towards identifying, recording, monitoring, analysing and treating
risk. The approach should be shared with the faculty and the report should be submitted for
evaluation.


Check your understanding:


Q. State TRUE or FALSE

 Risk identification and risk assessment are co-related in function. ( )
 Implementation of risk monitoring at different risk management tiers with different objectives
within an organization increases risk awareness and capability. ( )

Q. Analyse and state the differences between risk analysis and risk evaluation in two lines.


Q. Suggest one of the appropriate measures that can curb the problem of ‘residual risk.’


Q. In what ways do service/insurance providers facilitate risk sharing/transference?


Q. Complete the following requirements that an organization needs to identify in order to build a
realistic and credible risk frame

a) risk constraints
b) ________________
c) risk tolerance
d) ________________


UNIT VIII
Configuration review

This Unit covers:

 Lesson Plan
8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores


LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
PC4. carry out configuration reviews of information security systems using automated tools, where required

Ensuring Measures:
 Performance evaluation from Faculty and Industry with reward points.
 QA session and a descriptive write-up on understanding.

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with Wi-Fi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Access to all security sites like ISO, PCI DSS
 Commercial Tools like HP WebInspect and IBM AppScan etc.
 Open Source tools like sqlmap, Nessus etc.

Performance Outcomes:
You must know and understand:
KA6. how to carry out information security assessments
KA7. how to carry out configuration reviews
KA9. different types of automation tools and how to use these

Ensuring Measures:
 KA6, KA7: Performance evaluation from Faculty and Industry with reward points.
 KA9: QA session and a descriptive write-up on understanding.

Work Environment / Lab Requirement:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with Wi-Fi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Centre for Internet Security


Lesson

8.1 Configuration Management


An information system is typically in a constant state of change in response to new, enhanced,
corrected, or updated hardware and software capabilities, patches for correcting software flaws and
other errors to existing components, new security threats, changing business functions, etc.
Implementing information system changes almost always results in some adjustment to the system
configuration. To ensure that the required adjustments to the system configuration do not adversely
affect the security of the information system or the organization from operation of the information
system, a well-defined configuration management process that integrates information security is
needed.

Organizations apply configuration management (CM) for establishing baselines and for tracking,
controlling, and managing many aspects of business development and operation (e.g., products,
services, manufacturing, business processes, and information technology). Organizations with a
robust and effective CM process need to consider information security implications with respect to
the development and operation of information systems including hardware, software, applications,
and documentation. Effective CM of information systems requires the integration of the management
of secure configurations into the organizational CM process or processes. For this reason, this
document assumes that information security is an integral part of an organization’s overall CM
process; however, the focus of this document is on implementation of the information system security
aspects of CM, and as such the term security-focused configuration management (SecCM) is used to
emphasize the concentration on information security. Though both IT business application functions
and security-focused practices are expected to be integrated as a single process, SecCM in this context
is defined as the management and control of configurations for information systems to enable security
and facilitate the management of information security risk.
Configuration Management (CM) comprises a collection of activities focused on establishing and
maintaining the integrity of products and systems, through control of the processes for initializing,
changing, and monitoring the configurations of those products and systems.
A Configuration Item (CI) is an identifiable part of a system (e.g., hardware, software, firmware,
documentation, or a combination thereof) that is a discrete target of configuration control processes.
A Baseline Configuration is a set of specifications for a system, or CI within a system, that has been
formally reviewed and agreed on at a given point in time, and which can be changed only through
change control procedures. The baseline configuration is used as a basis for future builds, releases,
and/or changes.
The basic parts of a CM Plan include:
Configuration Control Board (CCB) – Establishment of and charter for a group of qualified people with
responsibility for the process of controlling and approving changes throughout the development and
operational lifecycle of products and systems; may also be referred to as a change control board;
Configuration Item Identification – methodology for selecting and naming configuration items that
need to be placed under CM;
Configuration Change Control – process for managing updates to the baseline configurations for the
configuration items; and


Configuration Monitoring – process for assessing or testing the level of compliance with the
established baseline configuration and mechanisms for reporting on the configuration status of items
placed under CM.
Security-Focused Configuration Management (SecCM) is the management and control of secure
configurations for an information system to enable security and facilitate the management of risk.
SecCM builds on the general concepts, processes, and activities of configuration management by
focusing attention on the implementation and maintenance of the established security requirements
of the organization and its information systems.
Information security configuration management requirements are integrated into (or complement)
existing organizational configuration management processes (e.g., business functions, applications,
products) and information systems. SecCM activities include:
 identification and recording of configurations that impact the security posture of the
information system and the organization;
 the consideration of security risks in approving the initial configuration;
 the analysis of security implications of changes to the information system configuration; and
 documentation of the approved/implemented changes.
SecCM requires an ongoing investment in time and resources. Product patches, fixes, and updates
require time for security impact analysis even as threats and vulnerabilities continue to exist. As
changes to information systems are made, baseline configurations are updated, specific configuration
settings confirmed, and configuration items tracked, verified, and reported. SecCM is a continuous
activity that, once incorporated into IT management processes, touches all stages of the system
development life cycle (SDLC).
In the context of SecCM of information systems, a configuration item (CI) is an aggregation of
information system components that is designated for configuration management and treated as a
single entity throughout the SecCM process. This implies that the CI is identified, labelled, and tracked
during its life cycle – the CI is the target of many of the activities within SecCM, such as configuration
change control and monitoring activities. A CI may be a specific information system component (e.g.,
server, workstation, router, application), a group of information system components (e.g., group of
servers with like operating systems, group of network components such as routers and switches, an
application or suite of applications), a non-component object (e.g., firmware, documentation), or an
information system as a whole. CIs give organizations a way to decompose the information system
into manageable parts whose configurations can be actively managed.
The purpose of breaking up an information system into CIs is to allow more granularity and control in
managing the secure configuration of the system. The level of granularity will vary among
organizations and systems and is balanced against the associated management overhead for each CI.
In one organization, it may be appropriate to create a single CI to track all of the laptops within a
system, while in another organization, each laptop may represent an individual CI.
Baseline configuration
A baseline configuration is a set of specifications for a system, or Configuration Item (CI) within a
system, that has been formally reviewed and agreed on at a given point in time, and which can be
changed only through change control procedures. The baseline configuration is used as a basis for
future builds, releases, and/or changes.
Security-focused configuration management of information systems involves a set of activities that
can be organized into four major phases – Planning, Identifying and Implementing Configurations,
Controlling Configuration Changes, and Monitoring.

Planning - Planning includes developing policy and procedures to incorporate SecCM into existing
information technology and security programs, and then disseminating the policy throughout the
organization.
Identifying and implementing configurations - After the planning and preparation activities are
completed, a secure baseline configuration for the information system is developed, reviewed,
approved, and implemented. The approved baseline configuration for an information system and
associated components represents the most secure state consistent with operational requirements
and constraints. For a typical information system, the secure baseline may address configuration
settings, software loads, patch levels, how the information system is physically or logically arranged,
how various security controls are implemented, and documentation. Where possible, automation is
used to enable interoperability of tools and uniformity of baseline configurations across the
information system.
Controlling configuration changes - Given the continually evolving nature of an information system
and the mission it supports, the challenge for organizations is not only to establish an initial baseline
configuration that represents a secure state (which is also cost-effective, functional, and supportive
of mission and business processes), but also to maintain a secure configuration in the face of the
significant waves of change that ripple through organizations.
Monitoring
Monitoring activities are used as the mechanism within SecCM to validate that the information system
is adhering to organizational policies, procedures, and the approved secure baseline configuration.
Monitoring identifies undiscovered/undocumented system components, misconfigurations,
vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose organizations to
increased risk. Using automated tools helps organizations to efficiently identify when the information
system is not consistent with the approved baseline configuration and when remediation actions are
necessary. In addition, the use of automated tools often facilitates situational awareness and the
documentation of deviations from the baseline configuration.

8.2 Organizational SecCM Policy


The organization is typically responsible for defining documented policies for the SecCM program. The
SecCM program manager develops, disseminates, and periodically reviews and updates the SecCM
policies for the organization. The policies are included as a part of the overall organization-wide
security policy.
The SecCM policy normally includes the following:
1. Purpose – the objective(s) in establishing organization-wide SecCM policy;
2. Scope – the extent of the enterprise architecture to which the policy applies;
3. Roles – the roles that are significant within the context of the policy;
4. Responsibilities – the responsibilities of each identified role;
5. Activities – the functions that are performed to meet policy objectives;
6. Common secure configurations – federal and/or organization-wide standardized benchmarks
for configuration settings along with how to address deviations; and
7. Records – the records of configuration management activities to be maintained; the
information to be included in each type of record; who is responsible for writing/keeping the
records; and procedures for protecting, accessing, auditing, and ultimately deleting such
records.

SecCM policy may also address the following topics:
 SecCM training requirements;
 Use of SecCM templates;
 Use of automated tools;
 Prohibited configuration settings; and
 Requirements for inventory of information systems and components.
SecCM Training
SecCM is a fundamental part of an organizational security program, but often requires a change in
organizational culture. Staff are provided training to ensure their understanding of SecCM policies and
procedures. Training also provides a venue for management to communicate the reasons why SecCM
is important. SecCM training material is developed covering organizational policies, procedures, tools,
artefacts, and monitoring requirements. The training may be mandatory or optional as appropriate
and is targeted to relevant staff (e.g., system administrators, system/software developers, system
security officers, system owners, etc.) as necessary to ensure that staff have the skills to manage the
baseline configurations in accordance with organizational policy.

8.3 Identify SecCM Tools


Managing the myriad configurations found within information system components has become an
almost impossible task using manual methods like spreadsheets. When possible, organizations look
for automated solutions which, in the long run, can lower costs, enhance efficiency, and improve the
reliability of SecCM efforts.
In most cases, tools to support activities in SecCM phases two, three, and four are selected for use
across the organization by SecCM program management, and information system owners are
responsible for applying the tools to the SecCM activities performed on each information system.
Similarly, tools and mechanisms for inventory reporting and management may be provided to
information system owners by the organization. In accordance with federal government and
organizational policy, if automated tools are used, the tools are Security Content Automation Protocol
(SCAP)-validated to the extent that such tools are available.
There are a wide variety of configuration management tools available to support an organization’s
SecCM program. At a minimum, the organization considers tools that can automatically assess
configuration settings of IS components. Automated tools should be able to scan different information
system components (e.g., Web server, database server, network devices, etc.) running different
operating systems, identify the current configuration settings, and indicate where they are
noncompliant with policy. Such tools import settings from one or more common secure configurations
and then allow for tailoring the configurations to the organization’s security and mission/functional
requirements.
Tools that implement and/or assess configuration settings are evaluated to determine whether they
include requirements such as:
• Ability to pull information from a variety of sources (different type of components, different
operating systems, different platforms, etc.);
• Use of standardized specifications such as XML and SCAP;
• Integration with other products such as help desk, inventory management, and incident
response solutions;
• Vendor-provided support (patches, updated vulnerability signatures, etc.);
• Compliance with applicable federal laws, Executive Orders, directives, policies, regulations,
standards, and guidelines and link vulnerabilities to SP 800-53 controls;
• Standardized reporting capability (e.g. SCAP, XML) including ability to tailor output & drill down;
• Data consolidation into Security Information and Event Management (SIEM) tools and
dashboard products.
Organizations may consider implementation of an all-in-one solution for configuration management.
For example, various configuration management functions are included in products for managing IT
servers, workstations, desktops, and services provided by applications. These products may include
functions such as:
o Inventory/discovery of IS components;
o Software distribution;
o Patch management;
o Operating system deployment;
o Policy management;
o Migration to new baseline configuration; and
o Backup/recovery.

8.4 Implementing secure configurations

Implementing secure configurations for IT products is no simple task. There are many IT products, and
each has a myriad of possible parameters that can be configured. In addition, organizations have
mission and business process needs which may require that IT products be configured in a particular
manner. To further complicate matters, for some products, the configuration settings of the
underlying platform may need to be modified to allow for the functionality required for mission
accomplishment such that they deviate from the approved common secure configurations.

Using the secure configuration previously established as a starting point, the following
structured approach is recommended when implementing the secure configuration:
1) Prioritize Configurations
2) Test Configurations
3) Resolve Issues and Document Deviations
4) Record and Approve the Baseline Configuration
5) Deploy the Baseline Configuration

i. Prioritize Configurations
In the ideal environment, all IT products within an organization would be configured to the most
secure state that still provided the functionality required by the organization. However, due to limited
resources and other constraints, many organizations may find it necessary to prioritize which
information systems, IT products, or CIs to target first for secure configuration as they implement
SecCM.
In determining the priorities for implementing secure configurations in information systems, IT
products, or CIs, organizations consider the following criteria:
• System impact level – Implementing secure configurations in information systems with a high or
moderate security impact level may have priority over information systems with a low security
impact level.
• Risk assessments – Risk assessments can be used to target information systems, IT products, or
CIs having the most impact on security and organizational risk.
• Vulnerability scanning – Vulnerability scans can be used to target information systems, IT
products, or CIs that are most vulnerable. For example, the Common Vulnerability Scoring System
(CVSS) is a specification within SCAP that provides an open framework for communicating the
characteristics of software flaw vulnerabilities and in calculating their relative severity. CVSS
scores can be used to help prioritize configuration and patching activities.
• Degree of penetration – The degree of penetration represents the extent to which the same
product is deployed within an information technology environment. For example, if an
organization uses a specific operating system on 95 percent of its workstations, it may obtain the
most immediate value by planning and deploying secure configurations for that operating system.
Other IT products or CIs can be targeted afterwards.
ii. Test Configurations
Organizations fully test secure configurations prior to implementation in the production environment.
There are a number of issues that may be encountered when implementing configurations including
software compatibility and hardware device driver issues. For example, there may be legacy
applications with special operating requirements that do not function correctly after a common secure

configuration has been applied. Additionally, configuration errors could occur if OS and multiple
application configurations are applied to the same component. For example, a setting for an
application configuration parameter may conflict with a similar setting for an OS configuration
parameter.
Virtual environments are recommended for testing secure configurations as they allow organizations
to examine the functional impact on applications without having to configure actual machines.
iii. Resolve Issues and Document Deviations
Testing secure configuration implementations may introduce functional problems within the system
or applications. For example, the new secure configuration may close a port or stop a service that is
needed for OS or application functionality. These problems are examined individually and either
resolved or documented as a deviation from, or exception to, the established common secure
configurations.
In some cases, changing one configuration setting may require changes to another setting, another CI,
or another information system. For instance, a common secure configuration may specify
strengthened password requirements which may require a change to existing single sign-on
applications. Or there may be a requirement that the OS-provided firewall be enabled by default. To
ensure that applications function as expected, the firewall policy may need to be revised to allow
specific ports, services, IP addresses, etc. When conflicts between applications and secure
configurations cannot be resolved, deviations are documented and approved through the
configuration change control process as appropriate.
iv. Record and Approve the Baseline Configuration
The established and tested secure configuration, including any necessary deviations, represents the
preliminary baseline configuration and is recorded in order to support configuration change
control/security impact analysis, incident resolution, problem solving, and monitoring activities. Once
recorded, the preliminary baseline configuration is approved in accordance with organizationally
defined policy. Once approved, the preliminary baseline configuration becomes the initial baseline
configuration for the information system and its constituent CIs.
The baseline configuration of an information system includes the sum total of the secure
configurations of its constituent CIs and represents the system-specific configuration against which all
changes are controlled.
The baseline configuration may include, as applicable, information regarding the system architecture,
the interconnection of hardware components, secure configuration settings of software components,
the software load, supporting documentation, and the elements in a release package. There could be
a different baseline configuration for each life cycle stage (development, test, staging, production) of
the information system.
When possible, organizations employ automated tools to support the management of baseline
configurations and to keep the configuration information as up to date and near real time as possible.
There are a number of solutions which maintain baseline configurations for a wide variety of hardware
and software products. Some comprehensive SecCM solutions integrate the maintenance of baseline
configurations with component inventory and monitoring tools.
v. Deploy the Baseline Configuration
Organizations are encouraged to implement baseline configurations in a centralized and automated
manner using automated configuration management tools, automated scripts, vendor-provided
mechanisms, etc.

SecCM Monitoring
SecCM monitoring is accomplished through assessment and reporting activities. For organizations
with a large number of components, the only practical and effective solution for SecCM monitoring
activities is the use of automated solutions that use standardized reporting methods such as SCAP.
An information system may have many components and many baseline configurations. To manually
collect information on the configuration of all components and assess them against policy and
approved baseline configurations is not practical, or even possible, in most cases. Automated tools
can also facilitate reporting for Security Information and Event Management applications that can be
accessed by management and/or formatted into other reports on baseline configuration status. Care
is exercised in collecting and analysing the results generated by automated tools to account for any
false positives.
SecCM monitoring may be supported by numerous means, including, but not limited to:
• Scanning to discover components not recorded in the inventory. For example, after testing of a
new firewall, a technician forgets to remove it from the network. If it is not properly configured,
it may provide access to the network for intruders. A scan would identify this network device as
not a part of the inventory, enabling the organization to take action.
• Scanning to identify disparities between the approved baseline configuration and the actual
configuration for an information system.
Example I. A technician rolls out a new patch but forgets to update the baseline configurations of the
information systems impacted by the new patch. A scan would identify a difference between the
actual environment and the description in the baseline configuration, enabling the organization to
take action.
Example II. A new tool is installed on the workstations of a few end users of the information system.
During installation, the tool changes a number of configuration settings in the browser on the users’
workstations, exposing them to attack. A scan would identify the change in the workstation
configuration, allowing the appropriate individuals to take action.
• Implementation of automated change monitoring tools (e.g., change/configuration management
tools, application whitelisting tools). Unauthorized changes to information systems may be an
indication that the systems are under attack or that SecCM procedures are not being followed or need
updating. Automated tools are available that monitor information systems for changes and alert
system staff if unauthorized changes occur or are attempted.
• Querying audit records/log monitoring to identify unauthorized change events.
• Running system integrity checks to verify that baseline configurations have not been changed.
• Reviewing configuration change control records (including security impact analyses) to verify
conformance with SecCM policy and procedures.

When possible, organizations seek to normalize data to describe their information system in order
that the various outputs from monitoring can be combined, correlated, analysed, and reported in a
consistent manner. SCAP provides a common language for describing vulnerabilities,
misconfigurations, and products and is an obvious starting point for organizations seeking a consistent
way of communicating across the organization regarding the security status of the enterprise
architecture.
When inconsistencies are discovered as a result of monitoring activities, the organization may want
to take remedial action. Action taken may be via manual methods or via use of automated tools.
Automated tools are preferable since actions are not reliant upon human intervention and are taken
immediately once an unauthorized change is identified. Examples of possible actions include:

 Implementing non-destructive remediation actions (e.g., quarantining of unregistered
device(s), blocking insecure protocols, etc.);
 Sending an alert with change details to appropriate staff using email;
 Rolling back changes and restoring from backups;
 Updating the inventory to include newly identified components; and
 Updating baseline configurations to represent new configurations.
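The monitoring means and remediation actions described above can be exercised offline against recorded data. The following Python script is an added example written for this handbook section; it is not NIST SP 800-128 text and not code from any SecCM product. It compares a constructed component inventory and an approved baseline for one CI against what a constructed scan observed, skips a deviation that was approved through change control, runs a digest-based integrity check on a baselined file, and maps each finding to one of the non-destructive actions listed above. The host names, settings, file contents and the change ID CR-1042 are all constructed for the example.

```python
"""
Baseline drift check over constructed sample data.

Added example for the SecCM monitoring section; not code from NIST SP 800-128
or from any SecCM product. It models three of the monitoring means described
above: scanning for components that are not in the inventory, comparing the
observed configuration of each CI against its approved baseline (honouring
deviations approved through change control), and a file-integrity check.
All baseline, inventory and "scan" data below is constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approved baseline for one CI (constructed). The change ID CR-1042 is
# hypothetical; it records that PasswordAuthentication=yes was accepted as a
# deviation after security impact analysis, so it must not be reported as drift.
BASELINE: Dict[str, dict] = {
    "web-01": {
        "settings": {
            "ssh.PermitRootLogin": "no",
            "ssh.PasswordAuthentication": "no",
            "firewall.enabled": "yes",
            "patch_level": "2015-06",
        },
        "file_hashes": {
            "/etc/ssh/sshd_config": sha256(b"PermitRootLogin no\nPasswordAuthentication no\n"),
        },
        "approved_deviations": {
            "ssh.PasswordAuthentication": {"value": "yes", "change_id": "CR-1042"},
        },
    },
}

# Component inventory maintained under SecCM (constructed).
INVENTORY: Set[str] = {"web-01"}

# What a scan observed (constructed). web-01 has root login re-enabled, a patch
# applied without the baseline being updated (Example I above) and a modified
# sshd_config; fw-test-03 is a test firewall nobody removed from the network.
OBSERVED: Dict[str, dict] = {
    "web-01": {
        "settings": {
            "ssh.PermitRootLogin": "yes",
            "ssh.PasswordAuthentication": "yes",
            "firewall.enabled": "yes",
            "patch_level": "2015-07",
        },
        "file_hashes": {
            "/etc/ssh/sshd_config": sha256(b"PermitRootLogin yes\nPasswordAuthentication yes\n"),
        },
    },
    "fw-test-03": {"settings": {}, "file_hashes": {}},
}


@dataclass(frozen=True)
class Finding:
    ci: str
    kind: str  # unregistered_component | missing_component | setting_drift | file_integrity
    detail: str


def check_drift(baseline: Dict[str, dict], observed: Dict[str, dict],
                inventory: Set[str]) -> List[Finding]:
    """Return every deviation from inventory and baseline, in a stable order."""
    findings: List[Finding] = []
    # 1. Inventory scan: anything seen that is not registered, and vice versa.
    for host in sorted(set(observed) - inventory):
        findings.append(Finding(host, "unregistered_component",
                                "seen by scan but not recorded in inventory"))
    for host in sorted(inventory - set(observed)):
        findings.append(Finding(host, "missing_component",
                                "in inventory but not seen by scan"))
    # 2. Baseline comparison per CI, skipping deviations approved via change control.
    for ci, spec in sorted(baseline.items()):
        actual = observed.get(ci)
        if actual is None:
            continue  # reported as missing_component above if it was in inventory
        deviations = spec.get("approved_deviations", {})
        for key, expected in sorted(spec["settings"].items()):
            value = actual["settings"].get(key)
            approved = deviations.get(key, {}).get("value")
            if value == expected or (approved is not None and value == approved):
                continue
            findings.append(Finding(ci, "setting_drift",
                                    f"{key}: baseline {expected!r}, observed {value!r}"))
        # 3. Integrity check of baselined files by digest.
        for path, digest in sorted(spec["file_hashes"].items()):
            if actual["file_hashes"].get(path) != digest:
                findings.append(Finding(ci, "file_integrity",
                                        f"{path}: digest differs from baseline"))
    return findings


# Non-destructive first responses per finding kind, mirroring the remediation
# actions listed above; the mapping itself is this example's choice.
REMEDIATION = {
    "unregistered_component": "quarantine device; add to inventory only after review",
    "missing_component": "verify decommissioning record or investigate outage",
    "setting_drift": "alert system staff; roll back or update baseline via change control",
    "file_integrity": "alert system staff; restore file from approved baseline",
}


def report(findings: List[Finding]) -> List[str]:
    return [f"{f.ci} [{f.kind}] {f.detail} -> {REMEDIATION[f.kind]}" for f in findings]


if __name__ == "__main__":
    for line in report(check_drift(BASELINE, OBSERVED, INVENTORY)):
        print(line)
```

Running the script reports four findings: the unregistered test firewall, the root-login drift, the patch applied without the baseline being updated (Example I), and the modified sshd_config; the approved PasswordAuthentication deviation is not reported. In a real deployment the OBSERVED data would come from a SCAP-capable scanner or a configuration management agent and the baseline from the CM record store, and the "update baseline" response would itself go through the change control process rather than being applied automatically.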

Many applications support configuration management interfaces and functionality to allow operators
and administrators to change configuration parameters, update Web site content, and perform
routine maintenance. Top configuration management threats include:
 Unauthorized access to administration interfaces
 Unauthorized access to configuration stores
 Retrieval of plaintext configuration secrets
 Lack of individual accountability
 Over-privileged process and service accounts

Unauthorized Access to Administration Interfaces

Administration interfaces are often provided through additional Web pages or separate Web
applications that allow administrators, operators, and content developers to manage site content
and configuration. Administration interfaces such as these should be available only to restricted and
authorized users. Malicious users able to access a configuration management function can potentially
deface the Web site, access downstream systems and databases, or take the application out of action
altogether by corrupting configuration data.

Countermeasures to prevent unauthorized access to administration interfaces include:
 Minimize the number of administration interfaces.
 Use strong authentication, for example, by using certificates.
 Use strong authorization with multiple gatekeepers.

Consider supporting only local administration. If remote administration is absolutely essential, use
encrypted channels, for example, with VPN technology or TLS (SSL), because of the sensitive nature of
the data passed over administrative interfaces. To further reduce risk, also consider using IPsec
policies to limit remote administration to computers on the internal network.

8.5 Unauthorized Access to Configuration Stores


Because of the sensitive nature of the data maintained in configuration stores, you should ensure that
the stores are adequately secured.

Countermeasures to protect configuration stores include:
 Configure restricted ACLs on text-based configuration files such as Machine.config and
Web.config.
 Keep custom configuration stores outside of the Web space. This removes the possibility of an
attacker downloading the configuration file through the Web server and using its contents to
exploit the application.

Retrieval of Plaintext Configuration Secrets

Restricting access to the configuration store is a must. As an important defence in depth mechanism,
you should encrypt sensitive data such as passwords and connection strings. This helps prevent
external attackers from obtaining sensitive configuration data. It also prevents rogue administrators
and internal employees from obtaining sensitive details such as database connection strings and
account credentials that might allow them to gain access to other systems.
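As an added example for the countermeasures above (not code from the handbook, from Microsoft's guidance or from ASP.NET), the following Python audit parses a constructed Web.config and reports connection strings and application settings that carry secrets in the clear, treats a section carrying the configProtectionProvider attribute (what ASP.NET protected configuration, aspnet_regiis -pe, leaves behind after encrypting a section) as already encrypted, and checks that a custom configuration store sits outside the Web space and is not readable by other local users. The "secret:" reference prefix, the file paths and the sample file contents are assumptions of this example.

```python
"""
Configuration-store audit over a constructed Web.config.

Added example for this section; not code from the handbook, from Microsoft's
guidance or from ASP.NET. It checks the three countermeasures above: no
plaintext secrets in the store, custom stores kept outside the Web space, and
file permissions that keep other users out. The Web.config text and paths are
constructed; the "secret:" reference prefix is an assumed convention of this
example (a pointer into an external secret store), not an ASP.NET feature.
"""
import re
import stat
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from typing import List

# Constructed sample: one plaintext SQL password, one integrated-auth string,
# one secret held by reference and one plaintext SMTP password.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Orders" connectionString="Server=db01;Database=orders;User Id=app;Password=Summer2015!" />
    <add name="Audit" connectionString="Server=db02;Database=audit;Integrated Security=true" />
  </connectionStrings>
  <appSettings>
    <add key="ApiKey" value="secret:vault/orders/api-key" />
    <add key="SmtpPassword" value="hunter2" />
    <add key="PageSize" value="50" />
  </appSettings>
</configuration>
"""

# Setting names that usually hold credentials, and the password part of a
# connection string (both patterns are this example's heuristics).
SECRET_NAME = re.compile(r"password|pwd|secret|token|apikey", re.I)
CONN_PASSWORD = re.compile(r"\b(?:password|pwd)\s*=\s*[^;]+", re.I)


def find_plaintext_secrets(xml_text: str) -> List[str]:
    """Flag secrets stored in the clear. A section that carries the
    configProtectionProvider attribute has been encrypted with ASP.NET
    protected configuration and is skipped."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    for section in ("connectionStrings", "appSettings"):
        node = root.find(section)
        if node is None or node.get("configProtectionProvider"):
            continue
        for add in node.findall("add"):
            name = add.get("name") or add.get("key") or "?"
            conn = add.get("connectionString")
            if conn is not None and CONN_PASSWORD.search(conn):
                findings.append(f"{section}/{name}: plaintext password in connection string")
            value = add.get("value")
            if value is not None and SECRET_NAME.search(name) and not value.startswith("secret:"):
                findings.append(f"{section}/{name}: secret stored in plaintext")
    return findings


def check_location(store_path: str, web_root: str) -> List[str]:
    """A custom store under the Web space can be fetched through the Web server."""
    path, root = PurePosixPath(store_path), PurePosixPath(web_root)
    if root == path or root in path.parents:
        return [f"{store_path}: configuration store is inside the Web space {web_root}"]
    return []


def check_mode(store_path: str, mode: int) -> List[str]:
    """POSIX permission check (mode as returned by os.stat(path).st_mode).
    On Windows the equivalent control is an NTFS ACL limited to administrators
    and the application's service identity; that check is outside this example."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{store_path}: accessible to group/other (mode {stat.S_IMODE(mode):04o})"]
    return []


def audit(xml_text: str, store_path: str, web_root: str, mode: int) -> List[str]:
    """Combine the three checks for one store; returns an empty list when clean."""
    return (find_plaintext_secrets(xml_text)
            + check_location(store_path, web_root)
            + check_mode(store_path, mode))


if __name__ == "__main__":
    # Hypothetical custom store placed under the Web root with mode 0644.
    for line in audit(SAMPLE_WEB_CONFIG, "/var/www/app/settings.json", "/var/www/app", 0o100644):
        print(line)
```

The sample run reports four problems: the Orders connection string and the SmtpPassword setting in the clear, a store reachable through the Web server, and a file readable by every local account. The Audit string (integrated authentication, no password) and the ApiKey entry (held by reference) pass. For real files, pass `os.stat(path).st_mode` to `check_mode`, and note that the regex heuristics will miss secrets under unconventional names, so they complement rather than replace the change control review of configuration changes.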

Lack of Individual Accountability

Lack of auditing and logging of changes made to configuration information threatens the ability to
identify when changes were made and who made them. When a breaking change is made, either by
honest operator error or by a malicious change that grants privileged access, action must first be
taken to correct the change, and then preventive measures applied so that breaking changes cannot
be introduced in the same manner again. Keep in mind that auditing and logging can be circumvented
by a shared account; this applies to both administrative and user/application/service accounts.
Administrative accounts must not be shared. User/application/service accounts must be assigned at
a level that allows a single source of access using the account to be identified, and that contains any
damage to the privileges granted to that account.

Over-privileged Application and Service Accounts

If application and service accounts are granted access to change configuration information on the
system, they may be manipulated to do so by an attacker. The risk of this threat can be mitigated by
adopting a policy of using least privileged service and application accounts. Be wary of granting
accounts the ability to modify their own configuration information unless explicitly required by design.

Summary
 SecCM is defined as the management and control of configurations for information systems to
enable security and facilitate the management of information security risk.
 Configuration Management (CM) comprises a collection of activities focused on establishing
and maintaining the integrity of products and systems, through control of the processes for
initializing, changing, and monitoring the configurations of those products and systems.
 The activities of SecCM include the following:
o identification and recording of configurations that impact the security posture of the
information system and the organization;
o the consideration of security risks in approving the initial configuration;
o the analysis of security implications of changes to the information system
configuration;
o documentation of the approved/implemented changes.
 Product patches, fixes, and updates require time for security impact analysis even as threats
and vulnerabilities continue to exist.
 Configuration Item (CI) is identified, labelled, and tracked during its life cycle – the CI is the
target of many of the activities within SecCM. It may be—
o specific information system component (e.g., server, workstation, router, application)
o group of information system components (e.g., group of servers with like operating
systems, group of network components such as routers and switches, an application or
suite of applications)
o non-component object (e.g., firmware, documentation)
o an information system as a whole. CIs give organizations a way to decompose the
information system into manageable parts whose configurations can be actively
managed
 A baseline configuration is a set of specifications for a system, or Configuration Item (CI) within
a system, that has been formally reviewed and agreed on at a given point in time, and which
can be changed only through change control procedures.
 Monitoring identifies undiscovered/ undocumented system components, misconfigurations,
vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose
organizations to increased risk.
 The organization is typically responsible for defining documented policies for the SecCM
program. A SecCM policy should include the following:
o Purpose – the objective(s) in establishing organization-wide SecCM policy;
o Scope – the extent of the enterprise architecture to which the policy applies;
o Roles – the roles that are significant within the context of the policy;
o Responsibilities – the responsibilities of each identified role;
o Activities – the functions that are performed to meet policy objectives;
o Common secure configurations – standardized benchmarks for configuration settings and
how deviations are addressed; and
o Records – the configuration management records to be maintained and how they are
protected.
 Tools to support SecCM activities are selected for use across the organization by SecCM
program management, and information system owners are responsible for applying the tools
to the SecCM activities performed on each information system

Practical activities:

Activity 1:

Work in groups to research configuration management tools available in the industry.
Compare and categorise these tools based on their features, areas of strength and
limitations. Present the results in class for shared understanding.

Activity 2:

Create a group project by interacting with companies that offer CM tools and prepare a
sequential process map of how the tool carries out its functions.
Present the same in class, highlighting the functionality and dependencies of the tools.

Check your understanding:


Q. List two countermeasures to protect configuration stores

a. ________________________________________

b. ________________________________________

Q. State the key criteria on which priority for implementing SecCM secure configurations is
determined.
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. If a Configuration Item is an identifiable part of a system, then what does Configuration Item
Identification mean?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. State TRUE or FALSE

 There could be a different baseline configuration for each life cycle stage (development, test,
staging, production) of the information system. ( )
 Semi-automated tools work best to scan Web server, database server, network devices, etc. in
SecCM program. ( )

Q. Rank the phases/stages of security-focused configuration management in the correct order

____Identifying and Implementing Configurations

____Planning

____Monitoring

____Controlling Configuration Changes

NOTES:
UNIT IX
Log Correlation and
Management

This Unit covers:

• Lesson Plan
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response


LESSON PLAN

Performance Outcomes

To be competent, you must be able to:

PC6. maintain accurate daily records/logs of information security performance parameters using standard templates and tools
PC7. analyze information security performance metrics to highlight variances and issues for action by appropriate people
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required
PC9. update your organization’s knowledge base promptly and accurately with information security issues and their resolution
PC3. carry out security assessment of information security systems using automated tools

You must know and understand:

KA1. your organization’s policies, procedures, standards and guidelines for managing information security
KA2. your organization’s knowledge base and how to access and update this
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KA5. how to analyse root causes of information security issues
KA8. how to correlate devices and logs
KA9. different types of automation tools and how to use these
KA10. how to access and analyse information security performance metrics

Ensuring Measures

For the performance criteria (in the order listed above):
• Going through various organizations’ websites and understanding their policies and guidelines (Research)
• Understand, summarize and articulate
• Peer group, faculty group and industry experts
• Peer review with faculty with appropriate feedback
• Going through various organizations’ websites and understanding their policies and guidelines (Research)
• Team work (IM and chat applications) and group activities (online forums), including templates to be prepared

For the knowledge and understanding items:
• KA1: Going through various organizations’ websites and understanding their policies and guidelines (Research)
• KA2: Understand, summarize and articulate
• KA4, KA5: Peer group, faculty group and industry experts
• KA8: Peer review with faculty with appropriate feedback
• KA9: Going through various organizations’ websites and understanding their policies and guidelines (Research)
• KA10, KA11: Team work (IM and chat applications) and group activities (online forums), including templates to be prepared

Work Environment / Lab Requirement

• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Networking Equipment: Routers & Switches
• Firewalls and Access Points
• Access to all security sites like ISO, PCI DSS
• Commercial Tools like HP WebInspect and IBM AppScan etc.
• Open Source tools like sqlmap, Nessus etc.


Lesson

9.1 Event Logs - Concepts


A log is a record of the events occurring within an organization’s systems and networks. Logs are
composed of log entries; each entry contains information related to a specific event that has occurred
within a system or network. Originally, logs were used primarily for troubleshooting problems, but
logs now serve many functions within most organizations, such as optimizing system and network
performance, recording the actions of users, and providing data useful for investigating malicious
activity.

Logs have evolved to contain information related to many different types of events occurring within
networks and systems. Within an organization, many logs contain records related to computer
security; common examples of these computer security logs are audit logs that track user
authentication attempts and security device logs that record possible attacks.

Key Concepts

Log management: Log management refers to the broad practice of collecting, aggregating and
analysing network data for a variety of purposes. Data logging devices collect incredible amounts of
information on security, operational and application events — log management comprises the tools
to search and parse this data for trends, anomalies and other relevant information.

Security information event management (SIEM): Like log management, SIEM also involves the
collection and analysis of data. The key distinction to be made is that SIEM is a specialized tool for
information security. SIEM appliances enable event reduction and real-time alerting, and they provide
specific workflows to address security breaches as they occur. Another key feature of SIEM is the
incorporation of non-event based data, such as vulnerability scanning reports, for correlation and
analysis.

A lot of money has been invested in security products such as firewalls, intrusion detection, and strong
authentication over the past several years. However, system penetration attempts continue to occur
and go unnoticed until it is too late. It is not that security countermeasures are ineffective against
intrusive activity. Indeed, they can be very effective within an organization where security policies and
procedures require analysis of security events and appropriate incident response. However, deploying
and analysing a single device in an effort to maintain situational awareness with respect to the state
of security within an organization is the "computerized version of tunnel vision”. Security events must
be analysed from as many sources as possible in order to assess threat and formulate appropriate
response. Extraordinary levels of security awareness can be attained in an organization's network by
simply listening to what its devices are telling you.

• Security software logs primarily contain computer security-related information.
• Operating system logs and application logs typically contain a variety of information, including computer security-related data.


Security Software

Most organizations use several types of network-based and host-based security software to detect
malicious activity, protect systems and data, and support incident response efforts. Accordingly,
security software is a major source of computer security log data. Common types of network-based
and host based security software include the following:

Antimalware Software. The most common form of antimalware software is antivirus software, which
typically records all instances of detected malware, file and system disinfection attempts, and file
quarantines.

Additionally, antivirus software might also record when malware scans were performed and when
antivirus signature or software updates occurred. Antispyware software and other types of
antimalware software (e.g., rootkit detectors) are also common sources of security information.

Intrusion Detection and Intrusion Prevention Systems. Intrusion detection and intrusion prevention
systems record detailed information on suspicious behaviour and detected attacks, as well as any
actions intrusion prevention systems performed to stop malicious activity in progress.

Some intrusion detection systems, such as file integrity checking software, run periodically instead of
continuously, so they generate log entries in batches instead of on an ongoing basis.

Remote Access Software

Remote access is often granted and secured through virtual private networking (VPN). VPN systems
typically log successful and failed login attempts, as well as the dates and times each user connected
and disconnected, and the amount of data sent and received in each user session. VPN systems that
support granular access control, such as many Secure Sockets Layer (SSL) VPNs, may log detailed
information about the use of resources.

Web Proxies

Web proxies are intermediate hosts through which Web sites are accessed. Web proxies make Web
page requests on behalf of users, and they cache copies of retrieved Web pages to make additional
accesses to those pages more efficient. Web proxies can also be used to restrict Web access and to
add a layer of protection between Web clients and Web servers. Web proxies often keep a record of
all URLs accessed through them.

Vulnerability Management Software

Vulnerability management software, which includes patch management software and vulnerability
assessment software, typically logs the patch installation history and vulnerability status of each host,
which includes known vulnerabilities and missing software updates.

Vulnerability management software may also record additional information about hosts’
configurations. Vulnerability management software typically runs occasionally, not continuously, and
is likely to generate large batches of log entries.


Authentication Servers

Authentication servers, including directory servers and single sign-on servers, typically log each
authentication attempt, including its origin, username, success or failure, and date and time.

Routers

Routers may be configured to permit or block certain types of network traffic based on a policy.
Routers that block traffic are usually configured to log only the most basic characteristics of blocked
activity.

Firewalls

Like routers, firewalls permit or block activity based on a policy; however, firewalls use much more
sophisticated methods to examine network traffic.

Firewalls can also track the state of network traffic and perform content inspection. Firewalls tend to
have more complex policies and generate more detailed logs of activity than routers.

Network Quarantine Servers

Some organizations check each remote host’s security posture before allowing it to join the network.
This is often done through a network quarantine server and agents placed on each host. Hosts that do
not respond to the server’s checks or that fail the checks are quarantined on a separate virtual local
area network (VLAN) segment. Network quarantine servers log information about the status of checks,
including which hosts were quarantined and for what reasons.

Operating systems (OS) for servers, workstations, and networking devices (e.g., routers, switches)
usually log a variety of information related to security. The most common types of security-related OS
data are as follows:

System Events

System events are operational actions performed by OS components, such as shutting down the
system or starting a service. Typically, failed events and the most significant successful events are
logged, but many OSs permit administrators to specify which types of events will be logged. The details
logged for each event also vary widely; each event is usually timestamped, and other supporting
information could include event, status, and error codes; service name; and user or system account
associated with an event.

Audit Records

Audit records contain security event information such as successful and failed authentication
attempts, file accesses, security policy changes, account changes (e.g., account creation and deletion,
account privilege assignment), and use of privileges. OSs typically permit system administrators to
specify which types of events should be audited and whether successful and/or failed attempts to
perform certain actions should be logged.

OS logs are most beneficial for identifying or investigating suspicious activity involving a particular
host. After suspicious activity is identified by security software, OS logs are often consulted to get
more information on the activity.

Applications

Operating systems and security software provide the foundation and protection for applications,
which are used to store, access, and manipulate the data used for the organization’s business
processes. Most organizations rely on a variety of commercial off-the-shelf (COTS) applications, such
as e-mail servers and clients, Web servers and browsers, file servers and file sharing clients, and
database servers and clients. Some applications generate their own log files, while others use the
logging capabilities of the OS on which they are installed. Applications vary significantly in the types
of information that they log. The following lists some of the most commonly logged types of
information and the potential benefits of each:

Client requests and server responses, which can be very helpful in reconstructing sequences of events
and determining their apparent outcome. If the application logs successful user authentications, it is
usually possible to determine which user made each request. Some applications can perform highly
detailed logging, such as e-mail servers recording the sender, recipients, subject name, and
attachment names for each e-mail; Web servers recording each URL requested and the type of
response provided by the server; and business applications recording which financial records were
accessed by each user. This information can be used to identify or investigate incidents and to monitor
application usage for compliance and auditing purposes.

Account information such as successful and failed authentication attempts, account changes (e.g.,
account creation and deletion, account privilege assignment), and use of privileges. In addition to
identifying security events such as brute force password guessing and escalation of privileges, it can
be used to identify who has used the application and when each person has used it.

Usage information such as the number of transactions occurring in a certain period (e.g., minute, hour)
and the size of transactions (e.g., e-mail message size, file transfer size). This can be useful for certain
types of security monitoring (e.g., a ten-fold increase in e-mail activity might indicate a new e-mail-borne
malware threat; an unusually large outbound e-mail message might indicate inappropriate
release of information).

Significant operational actions such as application startup and shutdown, application failures, and
major application configuration changes. This can be used to identify security compromises and
operational failures.

Much of this information, particularly for applications that are not used through unencrypted network
communications, can only be logged by the applications, which makes application logs particularly
valuable for application-related security incidents, auditing, and compliance efforts. However, these
logs are often in proprietary formats that make them more difficult to use, and the data they contain
is often highly context-dependent, necessitating more resources to review their contents.


9.2 Log Management and its need


Log management can benefit an organization in many ways. It helps to ensure that computer security
records are stored in sufficient detail for an appropriate period of time. Routine log reviews and
analysis are beneficial for identifying security incidents, policy violations, fraudulent activity, and
operational problems shortly after they have occurred, and for providing information useful for
resolving such problems. Logs can also be useful for performing auditing and forensic analysis,
supporting the organization’s internal investigations, establishing baselines, and identifying
operational trends and long-term problems.

A log management infrastructure typically comprises the following three tiers:

Log Generation
The first tier contains the hosts that generate the log data. Some hosts run logging client
applications or services that make their log data available through networks to log servers
in the second tier. Other hosts make their logs available through other means, such as
allowing the servers to authenticate to them and retrieve copies of the log files.

Log Analysis and Storage
The second tier is composed of one or more log servers that receive log data or copies of
log data from the hosts in the first tier. The data is transferred to the servers either in a
real-time or near-real-time manner, or in occasional batches based on a schedule or the
amount of log data waiting to be transferred. Servers that receive log data from multiple
log generators are sometimes called collectors or aggregators. Log data may be stored on
the log servers themselves or on separate database servers.

Log Monitoring
The third tier contains consoles that may be used to monitor and review log data and the
results of automated analysis. Log monitoring consoles can also be used to generate
reports. In some log management infrastructures, consoles can also be used to provide
management for the log servers and clients. Also, console user privileges sometimes can
be limited to only the necessary functions and data sources for each user.

Log management infrastructures typically perform several functions that assist in the storage,
analysis, and disposal of log data. These functions are normally performed in such a way that they do
not alter the original logs.


The following items describe common log management infrastructure functions:

Log parsing is extracting data from a log so that the parsed values can be used as input for another
logging process. A simple example of parsing is reading a text-based log file that contains 10 comma-
separated values per line and extracting the 10 values from each line.

Parsing is performed as part of many other logging functions, such as log conversion and log
viewing.

Event filtering is the suppression of log entries from analysis, reporting, or long-term storage
because their characteristics indicate that they are unlikely to contain information of interest.

For example, duplicate entries and standard informational entries might be filtered because they
do not provide useful information to log analysts. Typically, filtering does not affect the generation
or short-term storage of events because it does not alter the original log files.

In event aggregation, similar entries are consolidated into a single entry containing a count of the
number of occurrences of the event. For example, a thousand entries that each record part of a
scan could be aggregated into a single entry that indicates how many hosts were scanned.

Aggregation is often performed as logs are originally generated (the generator counts similar
related events and periodically writes a log entry containing the count), and it can also be
performed as part of log reduction or event correlation processes, which are described below.

Storage

Log rotation is closing a log file and opening a new log file when the first file is considered to be
complete. Log rotation is typically performed according to a schedule (e.g., hourly, daily, weekly) or
when a log file reaches a certain size. The primary benefits of log rotation are preserving log entries
and keeping the size of log files manageable. When a log file is rotated, the preserved log file can be
compressed to save space. Also, during log rotation, scripts are often run that act on the archived log.
For example, a script might analyse the old log to identify malicious activity, or might perform filtering
that causes only log entries meeting certain characteristics to be preserved. Many log generators offer
log rotation capabilities; many log files can also be rotated through simple scripts or third-party
utilities, which in some cases offer features not provided by the log generators.

Log archival is retaining logs for an extended period of time, typically on removable media, a storage
area network (SAN), or a specialized log archival appliance or server. Logs often need to be preserved
to meet legal or regulatory requirements.

There are two types of log archival: retention and preservation. Log retention is archiving logs on a
regular basis as part of standard operational activities. Log preservation is keeping logs that normally
would be discarded, because they contain records of activity of particular interest. Log preservation is
typically performed in support of incident handling or investigations.

Log compression is storing a log file in a way that reduces the amount of storage space needed for the
file without altering the meaning of its contents. Log compression is often performed when logs are
rotated or archived.

Log reduction is removing unneeded entries from a log to create a new log that is smaller. A similar
process is event reduction, which removes unneeded data fields from all log entries. Log and event
reduction are often performed in conjunction with log archival so that only the log entries and data
fields of interest are placed into long-term storage.

Log conversion is parsing a log in one format and storing its entries in a second format. For example,
conversion could take data from a log stored in a database and save it in an XML format in a text file.
Many log generators can convert their own logs to another format; third-party conversion utilities are
also available. Log conversion sometimes includes actions such as filtering, aggregation, and
normalization.

In log normalization, each log data field is converted to a particular data representation and
categorized consistently. One of the most common uses of normalization is storing dates and times in
a single format. For example, one log generator might store the event time in a twelve-hour format
(2:34:56 P.M. EDT) categorized as Timestamp, while another log generator might store it in
twenty-four-hour (14:34) format categorized as Event Time, with the time zone stored in different
notation (-0400) in a different field categorized as Time Zone. Normalizing the data makes analysis
and reporting much easier when multiple log formats are in use. However, normalization can be very
resource-intensive, especially for complex log entries (e.g., typical intrusion detection logs).

Log file integrity checking involves calculating a message digest for each file and storing the message
digest securely to ensure that changes to archived logs are detected. A message digest is a digital
signature that uniquely identifies data and has the property that changing a single bit in the data
causes a completely different message digest to be generated. The most commonly used message
digest algorithms are MD5 and Secure Hash Algorithm 1 (SHA-1). If the log file is modified and its
message digest is recalculated, it will not match the original message digest, indicating that the file
has been altered. The original message digests should be protected from alteration through
FIPS-approved encryption algorithms, storage on read-only media, or other suitable means.

Analysis

Event correlation is finding relationships between two or more log entries. The most common form
of event correlation is rule-based correlation, which matches multiple log entries from a single source
or multiple sources based on logged values, such as timestamps, IP addresses, and event types.

Event correlation can also be performed in other ways, such as using statistical methods or
visualization tools. If correlation is performed through automated methods, generally the result of
successful correlation is a new log entry that brings together the pieces of information into a single
place. Depending on the nature of that information, the infrastructure might also generate an alert to
indicate that the identified event needs further investigation.

Log viewing is displaying log entries in a human-readable format. Most log generators provide some
sort of log viewing capability; third-party log viewing utilities are also available. Some log viewers
provide filtering and aggregation capabilities.
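The normalization, aggregation and rule-based correlation described above, as an added Python example that is not part of the handbook: entries from two constructed sources using the two time formats mentioned earlier are normalized into one record layout with UTC timestamps, similar entries are aggregated with a count, and a rule correlates repeated failed logons followed by a success for the same account and source address into a single new entry. The source formats, zone table and sample values are constructed for the demo; event IDs 528/529 follow the Windows logon event IDs listed later in this unit.

```python
"""Log normalization, aggregation and rule-based event correlation.

Added example, not the handbook's own code. Two constructed log sources use
the differing time formats the text describes; entries are normalized to a
common record with UTC timestamps, similar entries are aggregated, and a rule
correlates repeated failed logons followed by a success for the same account.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input (not real logs).
# Source A: comma-separated, 12-hour "Timestamp" with a zone name.
SOURCE_A = [
    "2015-06-01,2:34:56 P.M. EDT,vpn01,10.0.0.5,alice,LOGIN_FAILED",
    "2015-06-01,2:35:10 P.M. EDT,vpn01,10.0.0.5,alice,LOGIN_FAILED",
    "2015-06-01,2:35:40 P.M. EDT,vpn01,10.0.0.5,alice,LOGIN_FAILED",
    "2015-06-01,2:40:00 P.M. EDT,vpn01,10.0.0.9,bob,LOGIN_FAILED",
]
# Source B: pipe-separated, 24-hour "Event Time", the offset in its own
# "Time Zone" field, and a Windows logon event ID (528 = success, 529 = failure).
SOURCE_B = [
    "2015-06-01 14:36:02|-0400|dc01|10.0.0.5|alice|528",
    "2015-06-01 14:41:00|-0400|dc01|10.0.0.9|bob|528",
]

ZONE_OFFSETS = {"EDT": -4, "EST": -5, "UTC": 0}  # assumption: tiny zone table
SUCCESS_IDS = {"528", "540"}


def parse_a(line):
    """Normalize a source-A line into the common record (time in UTC)."""
    date, ts, host, ip, user, outcome = line.split(",")
    m = re.fullmatch(r"(\d{1,2}):(\d{2}):(\d{2}) ([AP])\.M\. ([A-Z]{3})", ts)
    hour, minute, sec, ampm, zone = m.groups()
    hour = int(hour) % 12 + (12 if ampm == "P" else 0)
    local = datetime.fromisoformat(date).replace(
        hour=hour, minute=int(minute), second=int(sec),
        tzinfo=timezone(timedelta(hours=ZONE_OFFSETS[zone])))
    return {"time": local.astimezone(timezone.utc), "host": host, "src_ip": ip,
            "user": user, "event": "AUTH_OK" if outcome == "LOGIN_OK" else "AUTH_FAIL"}


def parse_b(line):
    """Normalize a source-B line into the common record (time in UTC)."""
    ts, offset, host, ip, user, event_id = line.split("|")
    local = datetime.strptime(f"{ts} {offset}", "%Y-%m-%d %H:%M:%S %z")
    return {"time": local.astimezone(timezone.utc), "host": host, "src_ip": ip,
            "user": user, "event": "AUTH_OK" if event_id in SUCCESS_IDS else "AUTH_FAIL"}


def load_all():
    """All entries from both sources, normalized and ordered by UTC time."""
    entries = [parse_a(l) for l in SOURCE_A] + [parse_b(l) for l in SOURCE_B]
    return sorted(entries, key=lambda e: e["time"])


def aggregate(entries):
    """Consolidate similar entries into one entry carrying an occurrence count."""
    counts = Counter((e["host"], e["src_ip"], e["user"], e["event"]) for e in entries)
    return [{"host": h, "src_ip": ip, "user": u, "event": ev, "count": n}
            for (h, ip, u, ev), n in counts.items()]


def correlate(entries, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failures for one (user, src_ip) inside `window`,
    followed by a success for the same pair, yield one correlated entry."""
    failures = defaultdict(list)  # (user, src_ip) -> failure times in window
    alerts = []
    for e in entries:
        key = (e["user"], e["src_ip"])
        recent = [t for t in failures[key] if e["time"] - t <= window]
        if e["event"] == "AUTH_FAIL":
            failures[key] = recent + [e["time"]]
        else:
            if len(recent) >= threshold:
                alerts.append({"rule": "failed-logons-then-success", "user": e["user"],
                               "src_ip": e["src_ip"], "failures": len(recent),
                               "first_failure": recent[0], "success": e["time"]})
            failures[key] = []  # a success closes the window for this pair
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_all()):
        print(alert)
```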

Log reporting is displaying the results of log analysis. Log reporting is often performed to summarize
significant activity over a particular period of time or to record detailed information related to a
particular event or series of events.

Disposal

Log clearing is removing all entries from a log that precede a certain date and time. Log clearing is
often performed to remove old log data that is no longer needed on a system because it is not of
importance or it has been archived.
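Log file integrity checking, described under the storage functions above, as an added Python example that is not the handbook's code: each archived file's SHA-256 digest is recorded in a manifest, the manifest itself is protected with an HMAC under a key held off the log server, and verification reports files that were modified, removed or never listed. SHA-256 and the keyed manifest are substitutions for the MD5/SHA-1 and read-only-media protection the text names; the file names, contents and key are constructed for the demo.

```python
"""Log file integrity checking with a keyed manifest.

Added example, not the handbook's own code. A SHA-256 digest of every archived
log is written to a manifest, the manifest is sealed with HMAC-SHA256 under a
key that should live away from the log server, and later verification detects
altered, missing and unlisted files as well as edits to the manifest itself.
"""
import hashlib
import hmac
import os
import shutil
import tempfile

CHUNK = 1 << 16  # read in 64 KiB pieces so large logs are not loaded whole


def digest_file(path):
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(log_dir, manifest_path, key):
    """Digest every file in log_dir, write 'digest  name' lines, then append an
    HMAC-SHA256 tag over those lines so that editing the manifest is detectable."""
    lines = []
    for name in sorted(os.listdir(log_dir)):
        full = os.path.join(log_dir, name)
        if os.path.isfile(full):
            lines.append(f"{digest_file(full)}  {name}\n")
    body = "".join(lines).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    with open(manifest_path, "wb") as f:
        f.write(body)
        f.write(f"hmac-sha256  {tag}\n".encode())
    return len(lines)


def verify_manifest(log_dir, manifest_path, key):
    """Return {file name: 'ok' | 'modified' | 'missing' | 'unlisted'}.
    Raises ValueError when the manifest's own tag does not verify."""
    with open(manifest_path, "rb") as f:
        raw = f.read()
    body, _, tag_line = raw.rpartition(b"hmac-sha256  ")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag_line.strip().decode()):
        raise ValueError("manifest tag mismatch: manifest altered or wrong key")
    results, listed = {}, set()
    for line in body.decode().splitlines():
        stored, name = line.split("  ", 1)
        listed.add(name)
        full = os.path.join(log_dir, name)
        if not os.path.isfile(full):
            results[name] = "missing"
        else:
            results[name] = "ok" if digest_file(full) == stored else "modified"
    for name in os.listdir(log_dir):
        if name not in listed and os.path.isfile(os.path.join(log_dir, name)):
            results[name] = "unlisted"
    return results


def run_demo():
    """Constructed end-to-end run in a temporary directory: archive two logs,
    write the manifest, alter one log and drop in an unlisted file, verify;
    then rewrite a digest line in the manifest and confirm the tag check fails."""
    root = tempfile.mkdtemp()
    log_dir = os.path.join(root, "archive")
    os.mkdir(log_dir)
    key = b"constructed-demo-key"  # assumption: real key is kept off the log server
    first = os.path.join(log_dir, "secure-2015-06-01.log")
    with open(first, "w") as f:
        f.write("Jun  1 14:34:56 vpn01 sshd[1]: Failed password for alice\n")
    with open(os.path.join(log_dir, "secure-2015-06-02.log"), "w") as f:
        f.write("Jun  2 09:00:01 vpn01 CRON[2]: session opened for root\n")
    manifest = os.path.join(root, "manifest.txt")  # deliberately outside log_dir
    write_manifest(log_dir, manifest, key)
    # Simulated after-the-fact changes to the archive
    with open(first, "w") as f:
        f.write("Jun  1 14:34:56 vpn01 sshd[1]: Accepted password for alice\n")
    with open(os.path.join(log_dir, "unexpected.log"), "w") as f:
        f.write("not covered by the manifest\n")
    results = verify_manifest(log_dir, manifest, key)
    # Rewriting the digest line to match the altered file cannot fix the tag
    with open(manifest, "rb") as f:
        lines = f.read().split(b"\n")
    lines[0] = digest_file(first).encode() + b"  secure-2015-06-01.log"
    with open(manifest, "wb") as f:
        f.write(b"\n".join(lines))
    try:
        verify_manifest(log_dir, manifest, key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    shutil.rmtree(root)
    return results, tamper_detected
```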


9.3 Log Management Process


System-level and infrastructure administrators should follow standard processes for managing the
logs for which they are responsible.

Major operational processes for log management are as follows:

• Configure the log sources, including log generation, storage, and security
• Perform analysis of log data
• Initiate appropriate responses to identified events
• Manage the long-term storage of log data.

Configure Log Sources

System-level administrators need to configure log sources so that they capture the necessary
information in the desired format and locations, as well as retain the information for the appropriate
period of time.

The process includes:

• Administrators determine which of their hosts and host components must or should participate in the log management infrastructure.
• A single log file might contain information from several sources, such as an OS log containing information from the OS itself and several security software programs and applications. Administrators ascertain which log sources use each log file.
• For each identified log source, administrators determine which types of events each log source must or should log, as well as which data characteristics must or should be logged for each type of event.

The administrator’s ability to configure each log source is dependent on the features offered by that
particular type of log source. For example, some log sources offer very granular configuration options,
while some offer no granularity at all—logging is simply enabled or disabled, with no control over what
is logged. This section discusses log source configuration in three categories: log generation, log
storage and disposal, and log security.

Event Logs

Event logs are special files that record significant events on your computer, such as when a user logs
on to the computer or when a program encounters an error.

Example: Windows Event Log

Whenever one of these significant events occurs, Windows records it in an event log that you
can read by using Event Viewer. Advanced users might find the details in event logs helpful when
troubleshooting problems with Windows and other programs.


Event Viewer tracks information in several different logs. Windows Logs include:
Application (program) events
Events are classified as error, warning, or information, depending on the severity of the event. An
error is a significant problem, such as loss of data. A warning is an event that isn't necessarily
significant, but might indicate a possible future problem. An information event describes the
successful operation of a program, driver, or service.
Security-related events
These events are called audits and are described as successful or failed depending on the event,
such as whether a user trying to log on to Windows was successful.
Setup events
Computers that are configured as domain controllers will have additional logs displayed here.
System events
System events are logged by Windows and Windows system services, and are classified as error,
warning, or information.
Forwarded events
These events are forwarded to this log by other computers.

Applications and Services Logs vary. They include separate logs about the programs that run on your
computer, as well as more detailed logs that pertain to specific Windows services.

Open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and Security,
clicking Administrative Tools, and then double-clicking Event Viewer. Administrator permission is
required: if you're prompted for an administrator password or confirmation, type the password or
provide confirmation.

Click an event log in the left pane.

Double-click an event to view the details of the event.


9.4 Configuring Windows Event Log


Authorized administrators can define security settings for the event logs. The choices are somewhat
limited, and include log size, the length of time a log should be stored, and when the log should be
cleared. Each event log can be configured individually.

1. Click Start, select Programs, select Administrative Tools, click Computer Management.
2. In the console tree, click Event Viewer. Right-click Security and select Properties.
3. The Security Properties window will appear. Here authorized administrators can set the Maximum log size and select what action to take when the maximum log size is reached.

• To restore the default settings, click Restore Defaults.
• To clear the log, click Clear Log.

Under Log size, select one of these options:

If the log is not to be archived, click Overwrite events as needed.


To archive the log at scheduled intervals, click Overwrite events older than and specify the appropriate
number of days. Be sure that the Maximum log size is large enough to accommodate the interval.

To retain all the events in the log, click Do not overwrite events (clear log manually). This option
requires that logs be cleared manually. When the maximum log size is reached, new events are
discarded. If the event log is not cleared and archived regularly, the following message will appear.

4. After establishing the security log settings, click the Apply button.

5. The Security Properties window also provides the ability to set filters on the event log to perform searches and sorting of audit data. To filter an existing event log in order to view or save specific security events, select the Filter tab and configure the filter.

6. To configure the filter, select the Event types that will be included by checking or unchecking the selection box next to Information, Warning, Error, Success Audit, and/or Failure Audit, then input any additional desired filtering requirements by Event source, Category, Event ID, User, or Computer.

7. By default, the entire event log will be filtered for viewing by the parameters selected above. If desired, select a date and time range for the logs that will be filtered for viewing. This is accomplished by first clicking on the From: drop-down menu and changing the selection to Events On. The date and time dialog boxes will become active. Change the date by selecting the drop-down menu and choosing a date from the calendar that is presented. Change the time by scrolling the up and down arrows in the time dialog box. Follow the same procedure for the To: drop-down menu, changing the selection to Events On and setting the end date and time as described above.

8. Once all the desired filtering options have been selected, click the Apply button and click OK. The Event Viewer will filter the log and display the information as defined by the filter.

Windows Logon Types

Logon Types are logged in the Logon Type field of logon events (event IDs 528 and 540 for successful
logons, and 529-537 and 539 for failed logons).

Windows supports the following logon types and associated logon type values:
2: Interactive logon—This is used for a logon at the console of a computer. A type 2 logon is
logged when you attempt to log on at a Windows computer’s local keyboard and screen.
3: Network logon—This logon occurs when you access remote file shares or printers. Also, most
logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons
that use the basic authentication protocol (those are logged as logon type 8).
4: Batch logon—This is used for scheduled tasks. When the Windows Scheduler service starts a
scheduled task, it first creates a new logon session for the task, so that it can run in the security
context of the account that was specified when the task was created.
5: Service logon—This is used for services and service accounts that log on to start a service.
When a service starts, Windows first creates a logon session for the user account that is specified
in the service configuration.
7: Unlock—This is used whenever you unlock your Windows machine.
8: Network clear text logon—This is used when you log on over a network and the password is
sent in clear text. This happens, for example, when you use basic authentication to authenticate
to an IIS server.


9: New credentials-based logon—This is used when you run an application using the RunAs
command and specify the /netonly switch. When you start a program with RunAs using /netonly,
the program starts in a new logon session that has the same local identity (this is the identity of
the user you are currently logged on with), but uses different credentials (the ones specified in the
runas command) for other network connections. Without /netonly, Windows runs the program on
the local computer and on the network as the user specified in the runas command, and logs the
logon event with type 2.
10: Remote Interactive logon—This is used for RDP-based applications like Terminal Services,
Remote Desktop or Remote Assistance.
11: Cached Interactive logon—This is logged when users log on using cached credentials, which
basically means that in the absence of a domain controller, you can still log on to your local
machine using your domain credentials. Windows supports logon using cached credentials to ease
the life of mobile users and users who are often disconnected.
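The event IDs and logon type values listed above, applied to a batch of logon records as an added Python example (not from the handbook): the input is a constructed, simplified export in the form "EventID,LogonType,User,Host", not a real Event Viewer format, and the users and hosts are invented.

```python
"""Classify Windows logon events by outcome and logon type.

Added example, not from the handbook. It applies the mapping above:
event IDs 528/540 are successful logons, 529-537 and 539 are failures,
and the logon type values 2-11 name how the logon happened. The input
is a constructed, simplified export ("EventID,LogonType,User,Host"),
not a real Event Viewer format, and the users and hosts are invented.
"""
from collections import Counter

SUCCESS_IDS = {528, 540}
FAILURE_IDS = set(range(529, 538)) | {539}

LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "Network clear text",
    9: "New credentials (RunAs /netonly)",
    10: "Remote Interactive (RDP)",
    11: "Cached Interactive",
}

# Constructed sample export: three failed console logons for "bob", one
# successful clear-text network logon, and a failed RDP logon followed by success.
SAMPLE_EXPORT = """\
528,2,alice,WS01
540,3,svc-backup,FS01
529,2,bob,WS02
529,2,bob,WS02
529,2,bob,WS02
528,8,webuser,IIS01
539,10,alice,TS01
528,10,alice,TS01
"""


def parse_event(line):
    """Return (event_id, logon_type, user, host), or None for a malformed line."""
    parts = line.strip().split(",")
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), int(parts[1]), parts[2], parts[3]
    except ValueError:
        return None


def classify(event_id, logon_type):
    """Map an event to ("success" | "failure" | "other", logon type name)."""
    if event_id in SUCCESS_IDS:
        outcome = "success"
    elif event_id in FAILURE_IDS:
        outcome = "failure"
    else:
        outcome = "other"
    return outcome, LOGON_TYPES.get(logon_type, f"unknown ({logon_type})")


def summarize(text, failure_threshold=3):
    """Count events per (outcome, type) and list entries worth a closer look.

    Two review triggers are implemented: a successful type 8 logon, because
    the password crossed the network in clear text, and a user reaching
    `failure_threshold` failed logons, the pattern that precedes a lockout.
    """
    by_type = Counter()
    failures_by_user = Counter()
    findings = []
    for line in text.splitlines():
        event = parse_event(line)
        if event is None:
            continue  # skip blank or malformed lines rather than abort the run
        event_id, logon_type, user, host = event
        outcome, type_name = classify(event_id, logon_type)
        by_type[(outcome, type_name)] += 1
        if outcome == "failure":
            failures_by_user[user] += 1
        if outcome == "success" and logon_type == 8:
            findings.append(f"clear-text network logon by {user} on {host}")
    for user, count in failures_by_user.items():
        if count >= failure_threshold:
            findings.append(f"{count} failed logons for {user}")
    return by_type, findings


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_EXPORT)
    for (outcome, type_name), n in sorted(counts.items()):
        print(f"{outcome:8} {type_name:35} {n}")
    for item in flagged:
        print("REVIEW:", item)
```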

How to Read the Windows Application, Security, and System Log Files

The Windows application, security, and system log files can be read with a Windows application called
“Event Viewer,” which is accessed through the Control Panel:
• Click the Start button on the desktop's Taskbar
• Click the Control Panel menu item
• The Control Panel's window will open
• In the Control Panel, double-click the Administrative Tools icon
• The Administrative Tools window will open with a list of different icons
• Double-click the Event Viewer icon

How to Read Other Windows Log Files

Many log files that software applications use are written as plain text files, making it possible to use
any freeware text editor, such as "Notepad" or "WordPad", to read the generated log files. To read .txt
files in WordPad:

• Click the Start button on the desktop's Taskbar
• Click the All Programs option
• Click the Accessories menu item
• Click the WordPad application
• A new WordPad window will open
• Click the File menu
• Click the Open menu item
• Navigate to the desired log file and click the Open button
There are also programs that allow the user to monitor log files as they occur in real-time. Examples
of such software include Tail For Win32 and Hoo WinTail. These programs make it easy to read new
entries from the bottom (tail) of the log file.


9.5 IIS log files

Internet Information Services (IIS) is a web server developed by Microsoft for use with Windows
Server. The server is meant for a variety of hosting uses while attempting to maintain a high level of
flexibility and scalability.

To help with server use and analysis, IIS is integrated with several types of log files. These log file
formats provide information on a range of websites and specific statistics, including Internet Protocol
(IP) addresses, user information and site visits as well as dates, times and queries.

Log File Formats in IIS (IIS 6.0)

IIS provides six different log file formats that you can use to track and analyse information about your
IIS-based sites and services. In addition to the six available formats, you can create your own custom
log file format.

The following log file formats and logging options are available in IIS:

• W3C Extended Log File Format: Text-based, customizable format for a single site. This is the
default format.
• W3C Centralized Logging: All data from all Web sites is recorded in a single log file in the W3C
log file format.
• NCSA Common Log File Format: Text-based, fixed format for a single site.
• IIS Log File Format: Text-based, fixed format for a single site.
• ODBC Logging: Fixed format for a single site. Data is recorded in an ODBC-compliant database.
• Centralized Binary Logging: Binary-based, unformatted data that is not customizable. Data is
recorded from multiple Web sites and sent to a single log file. To interpret the data, you need
a special parser.
• HTTP.sys Error Log Files: Fixed format for HTTP.sys-generated errors.

You can read text-based log files using a text editor such as Notepad, which is included with Windows,
but administrators often import the files into a report-generating software tool for further analysis.

IIS logs, when properly analysed, provide information about demographics and usage of the IIS web
server. By tracking usage data, web providers can better tailor their services to support specific
regions, time frames or IP ranges. Log filters also allow providers to track only the data deemed
necessary for analysis.

Analyse an IIS Log file

IIS logs contain crucial information for improving the web site. Log files for an IIS server are the key
source of information for managing the websites hosted on the server. The log files contain a record
of each request from a web user and the response provided by the IIS server. This data is crucial for
marketing, site performance and security. Logs are often the only indication that a user is attempting
to hack into your IIS server. Patterns and trends can be spotted in this data to help you segment your
users for marketing opportunities. IIS log analysis is a critical tool in improving your website.


Internet Information Services (IIS) 6.0 offers a number of ways to record the activity of your Web sites,
File Transfer Protocol (FTP) sites, Network News Transfer Protocol (NNTP) service, and Simple Mail
Transfer Protocol (SMTP) service and allows you to choose the log file format that works best for your
environment. IIS logging is designed to be more detailed than the event logging or performance
monitoring features of the Microsoft® Windows® Server 2003, Standard Edition, Windows® Server
2003, Enterprise Edition, and Windows® Server 2003, Datacenter Edition, operating systems. IIS log
files can include information such as who has visited your site, what was viewed, and when the
information was last viewed. You can monitor attempts to access your sites, virtual folders, or files
and determine whether attempts were made to read or write to your files. IIS log file formats allow
you to record events independently for any site, virtual folder, or file.

Using a text editor, the following steps can be used to analyse the IIS file:

• Open the log file labeled as "ex010110.log" in your text editor. The six digits in the log file
name are in the format day, month and year the file was created.
• Locate the header information. This is a line starting with "#Fields:". Use this line to determine
the corresponding values in each column.
• Use the date and time to identify when the request was created. The "sitename" and
"computername" will indicate what server responded to the request.
• Identify the visitor to your web server by the "c-ip", which is the IP address of the visitor's
computer.
• The "cs-method" column will most often contain either "post" or "get" depending on the
request made by the visitor's browser. The fields "cs-uri-stem" and "cs-uri-query" will denote
the resource, such as an image or web page, that the visitor requested.
• Use the "sc-status" column to determine whether the web server was capable of correctly
responding to the request. A link is provided in the resource section of this article to a
complete list of response codes.
• Use the "cs(User-Agent)" to determine what type of browser the visitor used, or if the visitor
is actually a search engine. A link to a list of common user agents has been provided in the
resource area of this article.
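The steps above, worked through as an added Python example (not from the handbook or from IIS): the parser builds its column map from the "#Fields:" line, and the summary functions answer the questions the steps pose (who visited, which status codes were returned, which clients look like search engines). The log lines, site name, host and addresses are constructed.

```python
"""Parse an IIS W3C Extended log and summarize it by the fields named above.

Added example, not from the handbook or from IIS itself. The sample log is
constructed (hypothetical site, host and addresses); the "#Fields:" line
drives the column mapping, so any field order IIS was configured with works.
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-01 00:00:00
#Fields: date time s-sitename s-computername c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2010-01-01 00:00:01 W3SVC1 WEB01 203.0.113.5 GET /index.htm - 200 Mozilla/4.0
2010-01-01 00:00:02 W3SVC1 WEB01 203.0.113.5 GET /logo.gif - 200 Mozilla/4.0
2010-01-01 00:00:03 W3SVC1 WEB01 198.51.100.7 GET /robots.txt - 200 Googlebot/2.1
2010-01-01 00:00:04 W3SVC1 WEB01 192.0.2.9 GET /admin.asp - 404 Mozilla/4.0
2010-01-01 00:00:05 W3SVC1 WEB01 192.0.2.9 GET /backup.zip - 404 Mozilla/4.0
2010-01-01 00:00:06 W3SVC1 WEB01 192.0.2.9 GET /login.asp - 404 Mozilla/4.0
2010-01-01 00:00:07 W3SVC1 WEB01 192.0.2.9 POST /login.asp user=x 500 Mozilla/4.0
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields line."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # IIS writes a fresh #Fields line whenever the logged fields
                # change, so the column map is reset each time one appears.
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no requests
        if fields is None:
            raise ValueError("request line appears before any #Fields header")
        # W3C fields are space-separated; IIS encodes spaces inside a value as '+'.
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        rows.append(dict(zip(fields, values)))
    return rows


def summarize(rows):
    """Requests per client IP, per status code, and user agents that look like crawlers."""
    by_ip = Counter(r.get("c-ip", "-") for r in rows)
    by_status = Counter(r.get("sc-status", "-") for r in rows)
    crawlers = {ua for ua in (r.get("cs(User-Agent)", "-") for r in rows)
                if "bot" in ua.lower()}
    return by_ip, by_status, crawlers


def error_prone_ips(rows, threshold=3):
    """Client IPs with at least `threshold` responses of status 400 or above.

    A run of 404s for files that do not exist from one client is the usual
    first sign of someone probing the server, which is why the handbook
    says the logs are often the only indication of such attempts.
    """
    errors = Counter(
        r.get("c-ip", "-") for r in rows
        if r.get("sc-status", "").isdigit() and int(r["sc-status"]) >= 400
    )
    return [(ip, n) for ip, n in errors.most_common() if n >= threshold]


if __name__ == "__main__":
    parsed = parse_w3c(SAMPLE_LOG)
    ips, statuses, bots = summarize(parsed)
    print("requests per IP:", dict(ips))
    print("status codes:", dict(statuses))
    print("crawlers seen:", bots)
    print("clients with repeated errors:", error_prone_ips(parsed))
```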


9.6 Log Analysis and Response

Analyse Log Data

Effective analysis of log data is often the most challenging aspect of log management, but is also
usually the most important. Although analysing log data is sometimes perceived by administrators as
uninteresting and inefficient (e.g., little value for much effort), having robust log management
infrastructures and automating as much of the log analysis process as possible can significantly
improve analysis so that it takes less time to perform and produces more valuable results.

The most effective way to gain a solid understanding of log data is to review and analyse portions of
it regularly (e.g., every day). The goal is to eventually gain an understanding of the baseline of typical
log entries, likely encompassing the vast majority of log entries on the system. (Because a few types
of entries often comprise a significant percentage of the log entries, this is not as difficult as it may
first sound.) Daily log reviews should include those entries that have been deemed most likely to be
important, as well as some of the entries that are not yet fully understood. Because it can take
considerable effort to understand the significance of most log entries, the initial days, weeks, or even
months of performing the log analysis process are the most challenging and time-consuming. Over
time, as the baseline of normal activity is broadened and deepened, the daily log reviews should take
less time and be more focused on the most important log entries, thus leading to more valuable
analysis results.

Another motivation for understanding the log entries is so that the analysis process can be automated
as much as possible. By determining which types of log entries are of interest and which are not,
administrators can configure automated filtering of the log entries. This allows events known to be
malicious to be recognized and responded to automatically (e.g., alerting administrators,
reconfiguring other security controls). Another purpose for filtering is to ensure that the manual
analysis performed by administrators is prioritized appropriately. The filtering should be configured
so that it presents administrators with a reasonable number of entries for manual analysis.

Web log analysis software (also called a web log analyzer) is a kind of web analytics software that
parses a server log file from a web server and, based on the values contained in the log file, derives
indicators about when, how, and by whom a web server is visited. Usually reports are generated from
the log files immediately, but the log files can alternatively be parsed into a database and reports
generated on demand.

There are free, open source and paid software tools available for log analysis or management.

Response to events

During their log analysis, infrastructure and system-level administrators may identify events of
significance, such as incidents and operational problems that necessitate some type of response.
When an administrator identifies a likely computer security incident, as defined by the organization’s
incident response policies, the administrator should follow the organization’s incident response
procedures to ensure that it is addressed appropriately. Examples of computer security incidents
include a host being infected by malware and a person gaining unauthorized access to a host.

Administrators should perform their own responses to non-incident events, such as minor operational
problems (e.g., misconfiguration of host security software). Some organizations require system-level
administrators to report incidents and logging-related operational problems to infrastructure
administrators so that the infrastructure administrators can better identify additional instances of the
same activities and patterns that cannot be seen at the individual system level. Infrastructure and
system-level administrators should also be prepared to assist incident response teams with their
efforts. For example, when an incident occurs, affected system-level administrators may be asked to
review their systems’ logs for particular signs of malicious activity or to provide copies of their logs to
incident handlers for further analysis. Administrators should also be prepared to alter their logging
configurations as part of a response. Adverse events such as worms often cause unusually large
numbers of events to be logged. This can cause various negative impacts, such as slowing system
performance, overwhelming logging processes, and overwriting recent log entries. Analysts may not
be able to see other events of significance because their records are hidden among all of the other log
entries. Accordingly, administrators may need to reconfigure logging for the short term, long term, or
permanently, depending on the source of the log data, to prevent it from overwhelming the system
and the logs. Administrators may also need to adjust logging to capture more data as part of a
response effort, such as collecting additional information on a particular type of activity. To identify
similar incidents, especially in the short term, administrators may need to perform additional log
monitoring and analysis, such as more closely examining the types of logging sources that recorded
pertinent information on the initial incident.


Summary
• Log management: Log management refers to the broad practice of collecting, aggregating and
analysing network data for a variety of purposes.
• Security information event management (SIEM) involves the collection and analysis of data.
• Security software is a major source of computer security log data.
• Web proxies often keep a record of all URLs accessed through them.
• Routers and Firewalls permit or block certain types of network traffic based on a policy;
however, they differ in terms of the level of complexity.
• OS logs are most beneficial for identifying or investigating suspicious activity involving a
particular host.
• Operating systems and security software provide the foundation and protection for
applications; Applications vary significantly in the types of information that they log and some
of the most commonly logged types of information include:
o Client requests and server responses
o e-mail servers recording the sender, recipients, subject name, and attachment names
for each e-mail
o web servers recording each URL requested and the type of response provided by the
server
o business applications recording which financial records were accessed by each user
o successful and failed authentication attempts, account changes (e.g., account creation
and deletion, account privilege assignment), and use of privileges
o brute force password guessing and escalation of privileges
o number of transactions occurring in a certain period and size of transactions, etc.
• Log management ensures that computer security records are stored in sufficient detail for
an appropriate period of time. A log management infrastructure typically comprises the
following three tiers:
o Log Generation: contains the hosts that generate the log data
o Log Analysis and Storage: composed of one or more log servers that receive log
data or copies of log data
o Log Monitoring: contains consoles that may be used to monitor and review log data
and the results of automated analysis
• Log management infrastructures typically perform several functions that assist in the
storage, analysis, and disposal of log data. These functions are normally performed in such
a way that they do not alter the original logs.
• Major operational processes for log management are as follows:
o Configure the log sources, including log generation, storage, and security
o Perform analysis of log data
o Initiate appropriate responses to identified events
o Manage the long-term storage of log data
• Authorized administrators can define security settings for the event logs. The choices are
somewhat limited, and include log size, the length of time a log should be stored, and when
the log should be cleared.
• Internet Information Services (IIS) is a web server developed by Microsoft for use with
Windows Server. The server is meant for a variety of hosting uses while attempting to
maintain a high level of flexibility and scalability.
• The most effective way to gain a solid understanding of log data is to review and analyse
portions of it regularly (e.g., every day).
• Infrastructure and system-level administrators may identify events of significance, such as
incidents and operational problems that necessitate some type of response during log
analysis.


Practical activities:

Activity 1:

Study various log report templates and sources which provide guidance on using log
reports. The various information available in the report should be understood and
possible anomalies listed.

Activity 2:

Work in groups to explore the log configurations of your own training institute server
and generate reports from the servers each week. These should be analysed and
activity reports and inferences from it presented in class by a different group each
week.

Check your understanding:


Q. State the key distinction between log management and security information event management.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. What do you understand by the technical phrase “computerized version of tunnel vision”?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. Mention the common features shared by Routers and Firewalls

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. Fill in the blanks

• Web proxies are intermediate hosts that act as a layer between
_______________________________ and ______________________________________.
• Status of checks and quarantined hosts log information can be retrieved
from __________________.

Q. State the type of log which is most beneficial for identifying or investigating suspicious activity
involving a particular host

__________________________________________________________________________________

Q. Tick the best answers to the following question

Log monitoring consoles can

a) receive log data or copies of log data
b) generate reports
c) provide management for the log servers and clients
d) All of the above

Q. State TRUE or FALSE

• The most common form of antimalware software is antivirus software. ( )

• Event Filtering is extracting data from a log so that the parsed values can be used as input for
another logging process. ( )

Q. Define the two types of log archival.

__________________________________________________________________________________

__________________________________________________________________________________

Q. Why are log and event reduction performed simultaneously with log archival?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


UNIT X

Data Backup

This Unit covers:

• Lesson Plan
10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy


LESSON PLAN

Performance Outcomes:
To be competent, you must be able to:
• PC2. monitor systems and apply controls in line with information security policies, procedures
and guidelines
• PC5. carry out backups of security devices and applications in line with information security
policies, procedures and guidelines, where required

Ensuring Measures:
Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and
understanding various methodologies and usage of algorithms.

Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Networking Equipment - Routers & Switches
• Firewalls and Access Points
• Backup devices and storage media

Performance Outcomes:
You must know and understand:
• KA12. your organization's information security systems and tools and how to access and
maintain these
• KB2. different types of backups for security devices and applications and how to carry out
backups

Ensuring Measures:
• KA12. Project charter, Architecture (charts), Project plan, Poster presentation and execution
plan.
• KB2. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS
etc., and understanding various methodologies and usage of algorithms.

Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Networking Equipment - Routers & Switches
• Firewalls and Access Points
• Backup devices and storage media


Lesson

10.1 Data Backup - Overview


Backup is the activity of copying files or databases so that they will be preserved in case of equipment
failure or other catastrophe. Backup is usually a routine part of the operation of large businesses with
mainframes as well as the administrators of smaller business computers. For personal computer users,
backup is also necessary but often neglected. The retrieval of files you backed up is called restoring
them.

Purpose
All electronic information considered of institutional value should be copied onto secure storage
media on a regular basis (i.e., backed up), for disaster recovery and business resumption. Special
backup needs, identified through technical risk analysis that exceeds these requirements, should be
accommodated on an individual basis.

Scope
Data custodians are responsible for providing adequate backups to ensure the recovery of data and
systems in the event of failure. Backup provisions allow business processes to be resumed in a
reasonable amount of time with minimal loss of data. Since hardware and software failures can take
many forms, and may occur over time, multiple generations of institutional data backups need to be
maintained.


10.2 Types of Backup

Full backup
Full backup is a method of backup where all the files and folders selected for the backup will be backed
up. It is commonly used as an initial or first backup followed with subsequent incremental or
differential backups. After several incremental or differential backups, it is common to start over with
a fresh full backup again.

Some also like to do full backups for all backup runs typically for smaller folders or projects that do
not occupy too much storage space.

Advantages
Restores are fast and easy to manage as the entire list of files and folders are in one backup set.
Easy to maintain and restore different versions.

Disadvantages
Backups can take very long as each file is backed up again every time the full backup is run.
Consumes the most storage space compared to incremental and differential backups. The exact
same files are stored repeatedly, resulting in inefficient use of storage.

Incremental backup
Incremental backup is a backup of all changes made since the last backup. The last backup can be a
full backup or simply the last incremental backup. With incremental backups, one full backup is done
first and subsequent backup runs are just the changed files and new files added since the last backup.

Advantages
Much faster backups
Efficient use of storage space as files are not duplicated. Much less storage space used compared to
running full backups and even differential backups.

Disadvantages
Restores are slower than with a full backup and differential backups.
Restores are a little more complicated. All backup sets (first full backup and all incremental backups)
are needed to perform a restore.

Differential backups
Differential backups fall in the middle between full backups and incremental backup. A differential
backup is a backup of all changes made since the last full backup. With differential backups, one full
backup is done first and subsequent backup runs are the changes made since the last full backup. The
result is a much faster backup than a full backup for each backup run. Storage space used is less than
a full backup but more than Incremental backups. Restores are slower than with a full backup but
usually faster than Incremental backups.

Advantages
Much faster backups than full backups
More efficient use of storage space than full backups since only files changed since the last full
backup will be copied on each differential backup run.
Faster restores than incremental backups

Disadvantages
Backups are slower than incremental backups
Not as efficient a use of storage space as incremental backups. All files added or edited
after the initial full backup will be duplicated again with each subsequent differential backup.
Restores are slower than with full backups.
Restores are a little more complicated than full backups but simpler than incremental backups. Only
the full backup set and the last differential backup are needed to perform a restore.
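A small simulation, added here as an example (not from the handbook), that makes the trade-off between the three strategies concrete: it runs a constructed four-day change history through full, incremental and differential schedules, counts how many file copies each strategy makes, and shows which backup sets a restore must read (the full set plus every incremental, versus the full set plus only the latest differential).

```python
"""Simulate full, incremental and differential backup runs.

Added example, not from the handbook. Each day's entry is the set of
files modified that day (constructed data; deletions are not modelled).
The functions return what each run copies and which backup sets a
restore needs, so the trade-offs described above can be compared.
"""

# Constructed change history. Day 0 is the initial full backup, so every
# file present counts as changed; later days list only what was modified.
CHANGES = [
    {"a.doc", "b.xls", "c.ppt", "d.txt"},  # day 0: initial full backup
    {"a.doc"},                             # day 1
    {"b.xls", "e.pdf"},                    # day 2: e.pdf is a new file
    {"a.doc"},                             # day 3
]


def plan(changes, strategy):
    """Return the set of files copied on each run for the given strategy."""
    runs = []
    present = set()      # everything that exists on the source so far
    since_full = set()   # everything changed since the last full backup
    for day, changed in enumerate(changes):
        present |= changed
        if day == 0 or strategy == "full":
            runs.append(set(present))      # a full run copies everything
            since_full = set()
        elif strategy == "incremental":
            runs.append(set(changed))      # only what changed since the last run
        elif strategy == "differential":
            since_full |= changed
            runs.append(set(since_full))   # everything since the last full run
        else:
            raise ValueError(f"unknown strategy: {strategy}")
    return runs


def restore_sets(strategy, day):
    """Indices of the backup sets a restore to the end of `day` must read."""
    if strategy == "full":
        return [day]                          # one set: that day's full backup
    if strategy == "incremental":
        return list(range(day + 1))           # the full backup plus every incremental
    if strategy == "differential":
        return [0] if day == 0 else [0, day]  # the full backup plus the latest differential
    raise ValueError(f"unknown strategy: {strategy}")


def restore(runs, strategy, day):
    """Rebuild the file set by applying the required backup sets in order."""
    files = set()
    for index in restore_sets(strategy, day):
        files |= runs[index]
    return files


def total_copied(runs):
    """Total number of file copies made across all runs (a storage/time proxy)."""
    return sum(len(run) for run in runs)


if __name__ == "__main__":
    last_day = len(CHANGES) - 1
    for strategy in ("full", "incremental", "differential"):
        runs = plan(CHANGES, strategy)
        print(f"{strategy:12} copies={total_copied(runs):2} "
              f"restore reads sets {restore_sets(strategy, last_day)} "
              f"-> {sorted(restore(runs, strategy, last_day))}")
```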

Mirror backups
Mirror backups are as the name suggests a mirror of the source being backed up. With mirror backups,
when a file in the source is deleted, that file is eventually also deleted in the mirror backup. Because
of this, mirror backups should be used with caution as a file that is deleted by accident, sabotage or
through a virus may also cause that same file in mirror to be deleted as well. Some do not consider a
mirror to be a backup.

Many online backup services offer a mirror backup with a 30-day delete. This means that when you
delete a file on your source, that file is kept on the storage server for at least 30 days before it is
eventually deleted. This helps strike a balance offering a level of safety while not allowing the backups
to keep growing since online storage can be relatively expensive.

Many backup software utilities do provide support for mirror backups.

Advantages
The backup is clean and does not contain old and obsolete files

Disadvantages
There is a chance that files in the source deleted accidentally, by sabotage or through a virus may
also be deleted from the backup mirror.

Full PC backup
Full PC backup, or full computer backup, typically involves backing up entire images of the computer's
hard drives rather than individual files and folders. The drive image is like a snapshot of the drive. It
may be stored compressed or uncompressed.

With other file backups, only the user's documents, pictures, videos and music files can be restored,
while the operating system, programs etc. need to be reinstalled from their source download or disc
media.

With the full PC backup however, you can restore the hard drives to their exact state when the backup
was done. Hence, not only can the documents, pictures, videos and audio files be restored but the
operating system, hardware drivers, system files, registry, programs, emails etc. In other words, a full
PC backup can restore a crashed computer to its exact state at the time the backup was made.

Full PC backups are sometimes called “Drive Image Backups”



Advantages
A crashed computer can be restored in minutes with all programs, databases, emails, etc. intact. No
need to install the operating system and programs or redo settings.
Ideal backup solution for a hard drive failure.

Disadvantages
May not be able to restore on a completely new computer with a different motherboard, CPU,
Display adapters, sound card etc.
Any problems that were present on the computer (like viruses, or mis-configured drivers, unused
programs etc.) at the time of the backup may still be present after a full restore.

Local backup
A local backup is any backup where the storage medium is kept close at hand. Typically, the storage
medium is plugged in directly to the source computer being backed up or is connected through a local
area network to the source being backed up.

Advantages
Offers good protection from hard drive failures, virus attacks, accidental deletes and deliberate
employee sabotage on the source data.
Very fast backup and very fast restore.
Storage cost can be very cheap when the right storage medium is used like external hard drives
Data transfer cost to the storage medium can be negligible or very cheap
Since the backups are stored close by, they are very conveniently obtained whenever needed for
backups and restore.
Full internal control over the backup storage media and the security of the data on it. There is no
need to entrust the storage media to third parties.

Disadvantages
Since the backup is stored close to the source, it does not offer good protection against theft,
fire, flood, earthquakes and other natural disasters. When the source is damaged by any of these
circumstances, there's a good chance the backup will also be damaged.

Offsite Backup

Any backup where the backup storage medium is kept at a different geographic location from
the source is known as an offsite backup. The backup may be done locally at first on the usual
storage devices but once the storage medium is brought to another location, it becomes an
offsite backup.


Advantages
Offers additional protection when compared to local backup such as protection from theft, fire,
flood, earthquakes, hurricanes and more.

Disadvantages
Except for online backups, it requires more due diligence to bring the storage media to the offsite
location.
May cost more, as people usually need to rotate between several storage devices. For example, when
keeping backups in a bank deposit box, people usually use 2 or 3 hard drives and rotate between them,
so at least one drive is in storage at any time while another is removed to perform the backup.
Because of the increased handling of the storage devices, the risk of damaging delicate hard disks is
higher (this does not apply to online storage).

Online backup
An online backup is a backup done on an ongoing basis to a storage medium that is always connected
to the source being backed up. The term “online” refers to the storage device or facility being always
connected. Typically, the storage medium or facility is located offsite and connected to the backup
source by a network or Internet connection. It does not involve human intervention to plug in drives
and storage media for backups to run.

Many commercial data centers now offer this as a subscription service to consumers. The storage data
centers are located away from the source being backed up and the data is sent from the source to the
storage center securely over the Internet.

Typically, a client application is installed on the source computer being backed up. Users can define
what folders and files they want to back up and at what times of the day they want the backups to run.
The data may be compressed and encrypted before being sent over the Internet to the storage data
center.

The storage facility is a commercial data center located away from the source computers being backed
up. Typically, such centers are built to certain fire and earthquake safety specifications. They have
higher security standards, with CCTV and round the clock monitoring. They typically have backup
generators to deal with grid power outages, and the facility is temperature controlled. Data is not just
stored on one physical medium but replicated across several devices. These facilities are usually served
by multiple redundant Internet connections, so there is no single point of failure to bring the service down.

Advantages
Offers the best protection against fires, theft and natural disasters.
Because data is replicated across several storage media, the risk of data loss from hardware failure
is very low.
Because backups are frequent or continuous, data loss is minimal compared to other backups
that are run less frequently.
Because it is online, it requires little human or manual interaction after it is set up.

Disadvantages
Is a more expensive option than local backups.
Initial or first backups can be a slow process spanning a few days or weeks, depending on Internet
connection speed and the amount of data backed up.
Can be slow to restore.

Remote backups
Remote backups are a form of offsite backup with a difference being that you can access, restore or
administer the backups while located at your source location or other physical location. The term
“remote” refers to the ability to control or administer the backups from another location.

You do not need to be physically present at the backup storage facility to access the backups.

Putting your backup hard drive at your bank safe deposit box would not be considered a remote
backup. You cannot administer or access it without making a trip to the bank. The term “remote
backup” is often used loosely and interchangeably with “online backup” and “cloud backup”.

Advantages
Much better protection from natural disasters than local backups.
Easier administration, as it does not need a physical trip to the offsite backup location.

Disadvantages
More expensive than local backups.
Can take longer to back up and restore than local backups.

Cloud backup
Cloud backup is a term often used loosely and interchangeably with Online Backup and Remote
Backup. This is a type of backup where data is backed up to a storage server or facility connected to
the source via the Internet. With the proper login credentials, that backup can then be accessed
securely from any other computer with an Internet connection. The term “cloud” refers to the backup
storage facility being accessible from the Internet.

Advantages
Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural
disasters.
Able to easily connect to and access the backup with just an Internet connection.
Data is replicated across several storage devices and usually served by multiple Internet
connections, so the system is not at the mercy of a single point of failure.
When the service is provided by a good commercial data center, the service is managed and the
protection is unparalleled.

Disadvantages
More expensive than local backups.
Can take longer to back up and restore.

FTP Backup
This is a kind of backup where the backup is done via the File Transfer Protocol (FTP) over the Internet
to an FTP Server. Typically, the FTP Server is located in a commercial data center away from the source
data being backed up. When the FTP server is located at a different location, this is another form of
offsite backup.

Advantages

Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural
disasters.
Able to easily connect to and access the backup with just an Internet connection.

Disadvantages
More expensive than local backups.
Can take longer to back up and restore. Backup and restore times depend on the Internet
connection.


10.3 Backup Procedures


The 3-2-1 Rule
The simplest way to remember how to back up your images safely is to use the 3-2-1 rule.

We recommend keeping 3 copies of any important file (a primary and two backups)

We recommend having the files on 2 different media types (such as hard drive and optical media), to
protect against different types of hazards.*

1 copy should be stored offsite (or at least offline).

The data backup procedures must include:

• frequency,
• data backup retention,
• testing,
• media replacement,
• recovery time,
• roles and responsibilities.

Local data backup procedures must include the following:

• Data Backup Retention - Retention of backup data must meet System and institution
requirements for critical data.
• Testing - Restoration of backup data must be performed and validated periodically on all types
of media in use.
• Media Replacement - Backup media should be replaced according to manufacturer
recommendations.
• Recovery Time - The recovery time objective (RTO) must be defined and must support business
requirements.
• Roles and Responsibilities - Appropriate roles and responsibilities must be defined for data
backup and restoration to ensure timeliness and accountability.
• Offsite Storage - Removable backup media taken offsite must be stored in an offsite location
that is insured and bonded, or in a locked, media-rated fire safe.
• Onsite Storage - Removable backup media kept onsite must be stored in a locked container
with restricted physical access.
• Media Destruction - How to dispose of data storage media in various situations.
• Encryption - Non-public data stored on removable backup media must be encrypted. Non-public
data must be encrypted in transit and at rest when sent to an offsite backup facility, either
physically or via electronic transmission.
• Third Parties - Third parties' backup handling and storage procedures must meet System or
institution policy or procedure requirements related to data protection, security and privacy.
These procedures must cover contract terms that include bonding, insurance, disaster
recovery planning and requirements for storage facilities with appropriate environmental
controls.
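An added Python example (not the handbook's own material) that audits a backup inventory against the 3-2-1 rule and the procedure items above; the inventory records and the RPO, retention and media-age thresholds are constructed values.

```python
"""Audit a backup inventory against the 3-2-1 rule and the procedure
requirements listed above (recovery point, retention, media replacement,
encryption of removable media). Added example, not from the handbook; the
inventory records and thresholds below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    label: str           # where the copy lives, e.g. "primary", "usb-hdd-A"
    media: str           # media type: "hdd", "ssd", "optical", "tape", "cloud"
    taken_at: datetime   # when this copy was made
    offsite: bool        # kept at a different geographic location
    offline: bool        # not permanently connected to the source
    encrypted: bool      # data on the copy is encrypted
    removable: bool      # removable media (USB HDD, tape, optical disc)
    media_age_days: int  # age of the physical medium since purchase


def check_321(copies):
    """3-2-1 violations for an inventory; an empty list means compliant.
    3: at least three copies (the primary plus two backups).
    2: copies spread over at least two different media types.
    1: at least one copy offsite, or failing that offline."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, the rule needs 3")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies share one media type, the rule needs 2")
    if not any(c.offsite or c.offline for c in copies):
        problems.append("no copy is offsite or offline")
    return problems


def check_procedures(copies, now, rpo, retention, media_max_age_days):
    """Procedure checks from the list above; an empty list means compliant.
    - recovery point: the newest backup may not be older than the RPO
    - retention: the oldest backup must reach back over the retention window
      (otherwise an older state cannot be recovered)
    - encryption: non-public data on removable media must be encrypted
    - media replacement: media older than the manufacturer limit is flagged"""
    backups = [c for c in copies if c.label != "primary"]
    if not backups:
        return ["no backup copies at all"]
    problems = []
    newest = max(c.taken_at for c in backups)
    if now - newest > rpo:
        problems.append(f"newest backup is {now - newest} old, RPO is {rpo}")
    oldest = min(c.taken_at for c in backups)
    if now - oldest < retention:
        problems.append(f"backups reach back only {now - oldest}, retention is {retention}")
    for c in backups:
        if c.removable and not c.encrypted:
            problems.append(f"{c.label}: unencrypted data on removable media")
        if c.media_age_days > media_max_age_days:
            problems.append(f"{c.label}: medium is {c.media_age_days} days old, replace it")
    return problems


# Constructed inventory: primary on the workstation SSD, two USB hard drives
# rotated through a bank deposit box (one always in storage), and a cloud copy.
NOW = datetime(2015, 6, 1, 9, 0)
SAMPLE = [
    BackupCopy("primary", "ssd", NOW, False, False, False, False, 200),
    BackupCopy("usb-hdd-A", "hdd", NOW - timedelta(days=1), True, True, True, True, 400),
    BackupCopy("usb-hdd-B", "hdd", NOW - timedelta(days=35), True, True, True, True, 420),
    BackupCopy("cloud", "cloud", NOW - timedelta(hours=2), True, False, True, False, 0),
]
# Constructed non-compliant inventory: one unencrypted, ageing USB SSD copy.
BAD_SAMPLE = [
    BackupCopy("primary", "ssd", NOW, False, False, False, False, 200),
    BackupCopy("usb-ssd", "ssd", NOW - timedelta(days=3), False, True, False, True, 1200),
]


def audit(copies=SAMPLE, now=NOW, rpo=timedelta(days=1),
          retention=timedelta(days=30), media_max_age_days=3 * 365):
    """Run both checks; returns (rule_violations, procedure_violations)."""
    return (check_321(copies),
            check_procedures(copies, now, rpo, retention, media_max_age_days))


if __name__ == "__main__":
    for name, inv in (("SAMPLE", SAMPLE), ("BAD_SAMPLE", BAD_SAMPLE)):
        rule, proc = audit(inv)
        print(name, "3-2-1:", rule or "compliant", "| procedures:", proc or "compliant")
```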


Definitions
Archive: An archive is a collection of historical data specifically selected for long-term retention and
future reference. It is usually data that is no longer actively used, and is often stored on removable
media.
Backup: A copy of data that may be used to restore the original in the event the latter is lost or
damaged beyond repair. It is a safeguard for data that is being used. Backups are not intended to
provide a means to archive data for future reference or to maintain a versioned history of data to
meet specific retention requirements.
Critical Data: Data that needs to be preserved in support of the institution's ability to recover from
a disaster or to ensure business continuity.
Data: Information collected, stored, transferred or reported for any purpose, whether in computers
or in manual files. Data can include: financial transactions, lists, identifying information about
people, projects or processes, and information in the form of reports. Because data has value, and
because it has various sensitivity classifications defined by federal law and state statute, it must be
protected.
Destruction: Destruction of media includes: disintegration, incineration, pulverizing, shredding, and
melting. Information cannot be restored in any form following destruction.
Media Rated, Fire Safe: A safe designed to maintain internal temperature and humidity levels low
enough to prevent damage to CDs, tapes, and other computer storage devices in a fire. Safes are
rated based on the length of time the contents of a safe are preserved while directly exposed to fire
and high temperatures.
Information Technology Resources: Facilities, technologies, and information resources used for
System information processing, transfer, storage, and communications. Included in this definition
are computer labs, classroom technologies, computing and electronic communications devices and
services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax
transmissions, video, multimedia, and instructional materials. This definition is not all-inclusive, but
rather, reflects examples of System equipment, supplies and services.
Recovery Point Objective (RPO): Acceptable amount of service or data loss measured in time. The
RPO is the point in time prior to the service or data loss that service or data will be recovered to.
Recovery Time Objective (RTO): Acceptable duration from the time of service or data loss to the
time of restoration.

Automated Backup
If the data backup plan defines a daily interval, making manual backups becomes quite time
consuming, and one may discover now and then that a backup was skipped because something else
seemed more important at the time. It is better to foresee the risk of backups not being made and to
automate the whole backup process as much as possible.


10.4 Types of storage

Local Storage Options


1. External Hard Drive

These are hard drives similar to the type installed within a desktop or laptop computer, the
difference being that they can be plugged into the computer or removed and kept separate from it.

Advantages:

• Very good option for local backups of large amounts of data.
• The cheapest storage option in terms of cost per GB. Very reliable when handled with care.

Disadvantages:

• Can be very delicate. May be damaged if dropped or through an electrical surge.

2. Solid State Drive (SSD)

Solid State Drives look and function similar to traditional mechanical/magnetic hard drives, but the
similarities stop there. Internally, they are completely different. They have no moving parts or rotating
platters. They rely solely on semiconductors and electronics for data storage, making them more reliable
and robust than traditional magnetic drives. Having no moving parts also means that they use less power
than traditional hard drives and are much faster too.

With the prices of Solid State Drives coming down and their lower power usage, SSDs are used extensively
in laptops and mobile devices. External SSDs are also a viable option for data backups.

Advantages:

• Faster read and write performance
• More robust and reliable than traditional magnetic hard drives
• Highly portable. Can be easily taken offsite

Disadvantages:

• Still relatively expensive when compared to traditional hard drives
• Storage space is typically less than that of traditional magnetic hard drives.

3. Network Attached Storage (NAS)

NAS is simply one or more regular IDE or SATA hard drives plugged into an array storage enclosure and
connected to a network router or hub through an Ethernet port. Some of these NAS enclosures have
ventilating fans to protect the hard drives from overheating.

Advantages:

• Very good option for local backups, especially for networks and small businesses.
• As several hard drives can be plugged in, a NAS can hold very large amounts of data.


• Can be set up with redundancy (RAID), increasing reliability and/or read and write
performance. Depending on the RAID level used, the NAS can still function even if one
hard drive in the RAID set fails, or two hard drives can be set up to double the read and write
speed of a single hard drive.
• The drive is always connected and available to the network, making the NAS a good option for
implementing automated scheduled backups.

Disadvantages:

• Significantly more expensive than using single external hard drives.
• Difficult to bring offsite, making it very much a local backup and hence still susceptible to
events like theft, floods, fire etc.

4. USB Thumb Drive or Flash Drive

These are similar to Solid State Drives except that they are much smaller in size and capacity. They have
no moving parts, making them quite robust. They are extremely portable and can fit on a keychain. They
are ideal for backing up a small amount of data that needs to be brought with you on the go.

Advantages:

• The most portable storage option. Can fit on a keychain, making it an offsite backup when you
bring it with you.
• Much more robust than traditional magnetic hard drives

Disadvantages:

• Relatively expensive per GB, so can only be used for backing up a small amount of data

5. Optical Drive (CD/ DVD)

CDs and DVDs are ideal for storing a list of songs, movies, media or software for distribution or for
giving to a friend, due to the very low cost per disk. They do not make good storage options for backups
due to their shorter lifespan, small storage space and slower read and write speeds.

Advantages:

• Low cost per disk

Disadvantages:

• Relatively shorter life span than other storage options
• Not as reliable as other storage options like external hard disks and SSDs. One damaged disk in
a backup set can make the whole backup unusable.

Remote Storage Options


1. Cloud Storage

Cloud storage is storage space in a commercial data center accessible from any computer with Internet
access. It is usually provided by a service provider. A limited amount of storage space may be provided
free, with more space available for a subscription fee. Examples of service providers are Amazon S3,
Google Drive, Sky Drive etc.

Advantages:

• A very good offsite backup. Not affected by events and disasters such as theft, floods, fire etc.

Disadvantages:

• More expensive than traditional external hard drives. Often requires an ongoing subscription.
• Requires an Internet connection to access the cloud storage.
• Much slower than local backups.


10.5 Features of a Good Backup Strategy

The following are features to aim for when designing your backup strategy:

• Able to recover from data loss in all circumstances, such as hard drive failure, virus
attacks, theft, accidental deletes or data entry errors, sabotage, fire, flood, earthquakes
and other natural disasters.
• Able to recover to an earlier state if necessary, for example after data entry errors or
accidental deletes.
• Able to recover as quickly as possible with minimum effort, cost and data loss.
• Requires minimum ongoing human interaction and maintenance after the initial
setup, and hence is able to run automated or semi-automated.

Planning Your Backup Strategy


1. What to Backup
The first step in planning your backup strategy is identifying what needs to be backed up: the
files and folders that you cannot afford to lose. It involves going through your documents,
databases, pictures, videos, music and program setup or installation files. Some of these, like
pictures and videos, may be irreplaceable. Others, like documents and databases, may be tedious or
costly to recover from hard copies. These are the files and folders that need to be in your backup
plan.
2. Where to Backup to
This is another fundamental consideration in your backup plan. In light of some content being
irreplaceable, the backup strategy should protect against all events. Hence a good backup strategy
should employ a combination of local and offsite backups.

Local backups are needed for their lower cost, allowing you to back up a huge amount of data. Local
backups are also useful for their very fast restore speed, allowing you to get back online in minimal
time. Offsite backups are needed for their wider scope of protection from major disasters or
catastrophes not covered by local backups.
3. When to Backup
Frequency: How often you back up your data is the next major consideration when planning your
backup policy. Some folders are fairly static and do not need to be backed up very often. Other
folders are frequently updated and should correspondingly have a higher backup frequency, such as
once a day or more.

Your decision regarding backup frequency should be based on a worst case scenario. For example,
if tragedy struck just before the next backup was scheduled to run, how much data would you lose
since the last backup? How long would it take and how much would it cost to re-key that lost data?

Backup Start Time: You would typically want to run your backups when there is minimal usage on
the computers. Backups may consume computer resources that affect performance.
Also, files that are open or in use may not get backed up.

Scheduling backups to run after business hours is a good practice, provided the computer is left on
overnight. Backups will not normally run when the computer is in “sleep” or “hibernate” mode.

Some backup software will run immediately upon boot up if it missed a scheduled backup the
previous night.

So if the first hour of a business day morning is your busiest time, you would not want your
computer doing its backups then. If you always shut down or put your computer in sleep or
hibernate mode at the end of a work day, maybe your lunch time would be a better time to schedule
a backup. Just leave the computer on but logged off when you go out for lunch.

Since servers are usually left running 24 hours, overnight backups for servers are a good choice.
4. Backup Types
Many backup software packages offer several backup types, such as Full Backup, Incremental Backup
and Differential Backup. Each backup type has its own advantages and disadvantages. Full backups are
useful for projects, databases or small websites where many different files (text, pictures, videos
etc.) are needed to make up the entire project and you may want to keep different versions of the
project.
5. Compression & Encryption
As part of your backup plan, you also need to decide whether to apply any compression to your
backups. For example, when backing up to an online service, you may want to apply compression
to save on storage cost and upload bandwidth. You may also want to apply compression when
backing up to storage devices with limited space, like USB thumb drives.

If you are backing up very private or sensitive data to an offsite service, some backup tools and
services also offer support for encryption. Encryption is a good way to protect your content should
it fall into malicious hands. When applying encryption, always ensure that you remember your
encryption key: you will not be able to restore the backup without your encryption key or passphrase.
6. Testing Your Backup
A backup is only worth doing if it can be restored when you need it most. It is advisable to
periodically test your backup by attempting to restore it. Some backup utilities offer a validation
option for your backups. While this is a welcome feature, it is still a good idea to test your backup
with an actual restore once in a while.
7. Backup Utilities & Services
Simply copying and pasting files and folders to another drive would be considered a backup.
However, the aim of a good backup plan is to set it up once and leave it to run on its own. You
would check up on it occasionally, but the backup strategy should not depend on your ongoing
interaction for it to continue backing up. A good backup plan would incorporate the use of good
quality, proven backup software utilities and backup services.
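The planning steps above carried out in code, as an added Python example (not from the handbook): it selects the files to back up (step 1), takes a compressed full or incremental archive (steps 4 and 5), and tests the backup with a real restore into a scratch directory (step 6); the sample files are constructed in temporary directories, and the job is the kind you would hand to a scheduler so that it runs without manual effort (step 7).

```python
"""A small backup job following the planning steps above: select what to back
up, take a full or incremental archive, compress it, write a SHA-256 manifest,
and test the backup with a real restore into a scratch directory. Added
example, not code from the handbook; the sample files are constructed in a
temporary directory."""
import hashlib
import json
import os
import tarfile
import tempfile
import time


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def select_files(source, since=None):
    """Relative paths under `source` to include. since=None gives a full
    backup; since=<timestamp> keeps only files modified after it, which is an
    incremental backup (timestamp of the last backup of any kind) or a
    differential backup (timestamp of the last full backup)."""
    chosen = []
    for root, _dirs, files in os.walk(source):
        for name in files:
            full = os.path.join(root, name)
            if since is None or os.path.getmtime(full) > since:
                chosen.append(os.path.relpath(full, source))
    return sorted(chosen)


def make_backup(source, dest_dir, label, since=None):
    """Write <label>.tar.gz and <label>.manifest.json (a hash per file) into
    dest_dir; returns the manifest so the caller can record the run."""
    files = select_files(source, since)
    with tarfile.open(os.path.join(dest_dir, f"{label}.tar.gz"), "w:gz") as tar:
        for rel in files:
            tar.add(os.path.join(source, rel), arcname=rel)
    manifest = {"label": label, "created": time.time(), "since": since,
                "files": {rel: sha256_of(os.path.join(source, rel)) for rel in files}}
    with open(os.path.join(dest_dir, f"{label}.manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_by_restore(dest_dir, label):
    """Step 6: restore into a scratch directory (never over the live data) and
    compare every file's hash with the manifest. Returns the failing paths."""
    with open(os.path.join(dest_dir, f"{label}.manifest.json")) as f:
        manifest = json.load(f)
    failures = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(os.path.join(dest_dir, f"{label}.tar.gz"), "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # rejects paths outside scratch
            except TypeError:  # Python without the filter argument
                tar.extractall(scratch)
        for rel, expected in manifest["files"].items():
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored) or sha256_of(restored) != expected:
                failures.append(rel)
    return failures


def demo():
    """Full backup, then an incremental after one file changes, both verified.
    Returns (files_in_full, files_in_incremental, verification_failures)."""
    with tempfile.TemporaryDirectory() as source, tempfile.TemporaryDirectory() as dest:
        os.makedirs(os.path.join(source, "docs"))
        for rel, body in [("docs/report.txt", b"quarterly report"),
                          ("docs/ledger.csv", b"id,amount\n1,100\n"),
                          ("notes.txt", b"static notes")]:
            with open(os.path.join(source, rel), "wb") as f:
                f.write(body)
        full = make_backup(source, dest, "full")
        failures = verify_by_restore(dest, "full")
        # Simulate the next day: stamp files as older than the full backup,
        # then append to the ledger and stamp it as modified afterwards.
        for rel in full["files"]:
            os.utime(os.path.join(source, rel), (full["created"] - 3600,) * 2)
        ledger = os.path.join(source, "docs", "ledger.csv")
        with open(ledger, "ab") as f:
            f.write(b"2,250\n")
        os.utime(ledger, (full["created"] + 60,) * 2)
        inc = make_backup(source, dest, "inc", since=full["created"])
        failures += verify_by_restore(dest, "inc")
        return len(full["files"]), len(inc["files"]), failures


if __name__ == "__main__":
    print(demo())  # (3, 1, [])
```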

For further reading on security logs, see the following web links:

https://www.owasp.org/index.php/Logging_Cheat_Sheet

https://www.sans.org/reading-room/whitepapers/logging/detecting-attacks-web-applications-log-files-
2074

http://blog.hicube.in/2012/11/07/understanding-log-files-linux-server/


Summary
• Backup is the activity of copying files or databases so that they will be preserved in case of
equipment failure or other catastrophe.
• Data custodians are responsible for providing adequate backups to ensure the recovery of data
and systems in the event of failure. Types of backup include:
  - Full backup, where all the files and folders selected for the backup are backed up
  - Incremental backup, a backup of all changes made since the last backup
  - Differential backup, which falls between full backup and incremental backup
  - Mirror backup, a mirror of the source being backed up
  - Full PC backup, which involves backing up entire images of the computer hard drives
  - Local backup, any backup where the storage medium is kept close at hand
  - Offsite backup, where the backup storage medium is kept at a different geographic location
  - Online backup, an ongoing backup to a storage medium that is always connected to the
source being backed up
  - Remote backup, an offsite backup with the difference that you can access, restore or
administer the backups while located at your source location or another physical location
  - Cloud backup, where data is backed up to a storage server or facility connected to the
source via the Internet
  - FTP backup, where the backup is done via the File Transfer Protocol (FTP) over the Internet
to an FTP server
• The simplest way to remember how to back up your images safely is to use the 3-2-1 rule: keep
3 copies of any important file (a primary and two backups); have the files on 2 different media
types (such as hard drive and optical media); and store 1 copy offsite (or at least offline).
• Different types of local storage options:
  - External hard drives are hard drives similar to the type installed within a desktop or
laptop computer
  - Solid State Drives (SSDs) look and function similar to traditional mechanical/magnetic
hard drives but are different internally
  - Network Attached Storage (NAS) is simply one or more regular IDE or SATA hard drives
plugged into an array storage enclosure and connected to a network router or hub through
an Ethernet port
  - USB thumb drives or flash drives are similar to Solid State Drives except that they are much
smaller in size and capacity
  - Optical drives (CD/DVD) are ideal for storing a list of songs, movies, media or software
for distribution or for giving to a friend, due to the very low cost per disk
• The remote storage option, cloud storage, is storage space in a commercial data center
accessible from any computer with Internet access
• Ask the key questions while planning your backup strategy:
  - What to back up
  - Where to back up to
  - When to back up
  - Backup types
  - Compression & encryption
  - Testing your backup
  - Backup utilities & services


Practical activities:

Activity 1:

Back up the data available in the institute and evaluate the backup requirements for the
institute. If there is no backup policy, work in a group to develop one and define all the
steps necessary for successful implementation.

Activity 2:

Work in a group to prepare a report on the differences between backing up individual data
and backing up security devices and applications. The report should focus on requirements,
challenges, products and means available, advantages and disadvantages, media used, and
other differences.

Activity 3:

Collect information on the various backup products and services available in the industry
and compare the benefits, features and limitations of each. The comparison should be
presented in class.


Check your understanding:


Q. State the advantages of full backup over incremental backup.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
Q. Explain why Full PC backup is also known as “Drive Image Backup”.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. How does Offsite backup differ from Remote backup?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
Q. Solid State Drive (SSD) looks and functions similar to traditional mechanical/ magnetic hard drives
but are different. State the difference.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________
Q. Is it possible to retrieve a file deleted in a source with a mirror backup? Explain your answer in
brief.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


SSC/N0902: Coordinate responses to information security incidents

UNIT I: Incident Response Overview
UNIT II: Incident Response – Roles and Responsibilities
UNIT III: Incident Response Process
UNIT IV: Handling Malicious Code Incidents
UNIT V: Handling Network Security Incidents


Unit Code: SSC/N0902

Unit Title (Task): Co-ordinate responses to information security incidents

Description: This unit is about playing a co-ordinating role in responding to information
security incidents, liaising with members of the security team who carry out
investigations and other stakeholders or business users.

Scope: This unit/task covers the following:

Information security incidents may cover:
• Identity and Access Management (IDAM)
• Physical security
• Networks (wired and wireless)
• Devices
• Endpoints/edge devices
• Storage devices
• Servers
• Software
• Applications security
• Content management
• Messaging
• Web security
• Security of infrastructure
• Infrastructure devices (e.g. routers, firewall services)
• Computer assets, servers and storage networks
• Messaging
• Intrusion detection/prevention
• Security incident management
• Third party security management
• Personnel security requirements
Information security incidents may be identified:
• Automatically by tools and systems
• Manually by employees or business users
Appropriate people:
• Line manager
• Members of the security team
• Incident management group
• Subject matter experts


Performance Criteria (PC) w.r.t. the Scope

To be competent, you must be able to:

PC1.
establish your role and responsibilities in co-ordinating responses to
information security incidents.
PC2. record, classify and prioritize information security incidents using
standard templates and tools.
PC3. access your organization’s knowledge base for information on previous
information security incidents and how these were managed.
PC4. assign information security incidents promptly to appropriate people
for investigation/ action.
PC5. liaise with stakeholders to gather, validate and provide information
related to information security incidents, where required.
PC6. track progress of investigations into information security incidents and
escalate to appropriate people where progress does not comply with
standards or service level agreements (SLAs).
PC7. prepare accurate preliminary reports on information security incidents
using standard templates and tools.
PC8. submit preliminary reports promptly to appropriate people for action.
PC9. update the status of information security incidents following
investigation/ action using standard templates and tools.
PC10. obtain advice and guidance on co-ordinating information security
incidents from appropriate people, where required.
PC11. update your organization’s knowledge base promptly and accurately
with information security incidents and how they were managed.
PC12. comply with your organization’s policies, standards, procedures,
guidelines and service level agreements (SLAs) when co-ordinating
responses to information security incidents.
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company/ organization and its processes)

You need to know and understand:

KA1. your organization’s policies, procedures, standards, guidelines and
service level agreements for responding to information security incidents.
KA2. the day-to-day operations, procedures and tasks relating to your area
of work.
KA3. your organization’s knowledge base and how to access and update the
same.
KA4. limits of your role and responsibilities and who to seek guidance from,
where required.
KA5. the purpose of managing information security incidents.
KA6. who to involve when investigating and coordinating responses to
information security incidents and how to contact them.


KA7. the importance of tracking progress and corrective and preventative
actions for information security incidents.
KA8. the importance of keeping records and evidence relating to
information security incidents.
KA9. the impact information security incidents can have on your
organization.
KA10. different types of information security incidents and how to deal with
them.
KA11. how to assign and escalate information on information security
incidents.
KA12. different methods and techniques used when working with others.
KA13. standard tools and templates available and how to use them.
KA14. your organization’s policies and procedures for sharing information on
security incidents and the importance of complying with the same.
KA15. how to classify and prioritize information security incidents.
B. Technical Knowledge

You need to know and understand:

KB1. fundamentals of information security and how to apply these,
including:
• networks
• communication
• application security
KB2. routine operational procedures and tasks required to co-ordinate and
respond to information security incidents.
KB3. different stages of incident management and your role in relation to
these, including:
• identify
• contain
• cleanse
• recover
• close
KB4. how to identify and resolve information security vulnerabilities and
incidents.
KB5. common issues and incidents of information security that may require
action and who to report these to.
KB6. how to obtain and validate information related to information security
issues.
KB7. how to prepare and submit information security reports and who to
share these with.


THE UNITS
The module for this NOS is divided into five units based on the learning objectives given below:

UNIT I: Incident Response Overview


1.1 Incident Response Overview
1.2 Handling Different Types of Information Security Incidents
1.3 Preparation for Incident Response and Handling Constraints of a Security Audit

UNIT II: Incident Response Team – Roles and Responsibilities


2.1 Incident Response Team
2.2 Incident Response Team Dependencies

UNIT III: Incident Response Process


3.1 Incident Response Process

UNIT IV: Handling Malicious Code Incidents


4.1. Incident Handling Preparation
4.2. Incident Prevention
4.3. Detection of Malicious Code
4.4. Containment Strategy
4.5. Evidence Gathering and Handling
4.6. Eradication and Recovery

UNIT V: Handling Network Security Incidents


5.1. Network Reconnaissance Incidents
5.2. Denial of Service Attack Incidents
5.3. Unauthorized Access Incidents
5.4. Inappropriate Usage Incidents
5.5. Multiple Component Incidents


UNIT I
Incident Response Overview

This unit covers:


• Lesson Plan
1.1. Incident Response Overview
1.2. Handling Different Types of Information Security Incidents
1.3. Preparation for Incident Response and Handling


Lesson Plan

Outcomes:
To be competent, you must be able to:
PC2. record, classify and prioritize information security incidents using
standard templates and tools.
PC3. access your organization’s knowledge base for information on previous
information security incidents and how these were managed.

Performance Ensuring Measures:
PC2, PC3. QA session and a descriptive write-up on understanding. Group
presentation and evaluation by faculty and groups.

Work Environment/ Lab Requirement:
• PCs/ tablets/ laptops
• Projection facilities

Outcomes:
You need to know and understand:
KA5. the purpose of managing information security incidents.
KA9. the impact information security incidents can have on your organization.
KA10. different types of information security incidents and how to deal with
these.
KA14. your organization’s policies and procedures for sharing information on
security incidents and the importance of complying with these.
KA15. how to classify and prioritize information security incidents.
KB3. different stages of incident management and your role in relation to
these, including:
• identify
• contain
• cleanse
• recover
• close

Performance Ensuring Measures:
KA1. QA session and a descriptive write-up on understanding.
KA5. Performance evaluation from faculty and industry with reward points.
KA9. QA session and a descriptive write-up on understanding.
KA10. Classify latest threats and vulnerabilities into the CIA triad. Classify
various threats into the incident categories listed in the unit.
KA15. Group and faculty evaluation based on anticipated outcomes. Reward
points to be allocated to groups.
KA14, KB3. Group and faculty evaluation for highlighting the various parts and
their purpose of an incident response plan/ tasks of incident management,
using live researched examples.

Work Environment/ Lab Requirement:
• PCs/ tablets/ laptops
• Availability of labs (24/7)
• Internet with Wi-Fi (min 2 Mbps dedicated)


Lesson

1.1. Incident Response

An incident is a set of one or more security events or conditions that requires action and closure
in order to maintain an acceptable risk profile.

Incidents
In the haystack of events, organizations must find the "needles" that are the security incidents. Events
are isolated and disconnected, but incidents add the context that enables security administrators to
gain understanding and take action.

An incident can thus be defined as a set of events or conditions requiring response and closure.
Incidents comprise not only the significant threats that jeopardize the business and require
intervention; they also include more mundane situations that occur on a daily basis and only
threaten the business if no action is taken. Examples of these routine situations include “low and
slow” port scans and some varieties of email worms. Most organizations face thousands of instances
of the latter types of threats, together with higher profile blended threats like Code Red, Nimda, and Klez.

Besides attacks, known system vulnerabilities or discovered policy violations are also incidents that
require a response in order to protect the business. When related events (e.g. attacks, vulnerabilities,
and policy violations) are viewed together, the true nature (or type) of the incident becomes evident.

Introduction to Incident Handling and Response

Computer or information security incident response has become an important component of
information technology (IT) security programs. An incident response capability is therefore necessary
for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were
exploited and restoring IT services.

Different types of information security incidents are caused by:

• Peripheral devices such as external/ removable media
• Attrition (brute force methods that compromise, degrade, or destroy systems, networks or
services)
• Website or web based application
• Email message or attachment
• Improper usage of an organization’s acceptable usage policies by an authorized user
• Loss or theft of equipment
• Other factors


Incidents can be classified into:


• Malicious code
• Network reconnaissance
• Unauthorized access
• Inappropriate usage
• Multiple component

These are explained in Unit IV and V.

Impact of information security incidents:

• Functional impact (current and likely future negative impact to business functions)
• Information impact (effect on the confidentiality, integrity, and availability of the
organization’s information)
• Recoverability from the incident (time and types of resources that must be spent
on recovering from the incident)

Organizations prioritize information security incidents based on the weightages they give to each of
the above categories for a particular incident. For example, an organization that deals with massive
amounts of personal identifying information (PII) might weight information impact more heavily than
recoverability impact, while an emergency response agency might prioritize functional impact to
ensure the continued delivery of emergency services.
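The weighting idea in the paragraph above, as an added example that is not part of the handbook: an incident is rated 0-3 on each of the three impact categories and the ratings are combined with per-organization weights, so the same two incidents rank differently for a PII-heavy organization and for an emergency response agency. The rating scale, weight profiles, priority thresholds and sample incidents are constructed for the demonstration.

```python
"""Weighted prioritization of information security incidents.

Added example, not part of the handbook: each incident is rated 0-3 on the
three impact categories the unit lists (functional, information,
recoverability) and the ratings are combined with organization-specific
weights. The rating scale, weights, thresholds and sample incidents are
constructed assumptions, not a standard.
"""
from dataclasses import dataclass, asdict

RATING_SCALE = {0: "none", 1: "low", 2: "medium", 3: "high"}


@dataclass(frozen=True)
class ImpactRating:
    functional: int      # current and likely future impact on business functions
    information: int     # effect on confidentiality, integrity and availability
    recoverability: int  # time and resources needed to recover

    def __post_init__(self):
        for name, value in asdict(self).items():
            if value not in RATING_SCALE:
                raise ValueError(f"{name} rating must be 0-3, got {value}")


@dataclass(frozen=True)
class WeightProfile:
    name: str
    functional: float
    information: float
    recoverability: float

    def __post_init__(self):
        total = self.functional + self.information + self.recoverability
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"weights for {self.name!r} must sum to 1, got {total}")


# Constructed profiles: one weights information impact heavily, the other
# functional impact, mirroring the handbook's two examples.
PII_HEAVY = WeightProfile("PII-heavy organization", 0.25, 0.55, 0.20)
EMERGENCY_AGENCY = WeightProfile("Emergency response agency", 0.60, 0.20, 0.20)


def priority_score(rating: ImpactRating, profile: WeightProfile) -> float:
    """Weighted average of the three ratings, normalized to 0.0-1.0."""
    weighted = (rating.functional * profile.functional
                + rating.information * profile.information
                + rating.recoverability * profile.recoverability)
    return round(weighted / max(RATING_SCALE), 3)


def priority_label(score: float) -> str:
    """Map a normalized score onto a queue band (thresholds are assumptions)."""
    if score >= 0.67:
        return "P1 (critical)"
    if score >= 0.34:
        return "P2 (high)"
    if score > 0.0:
        return "P3 (routine)"
    return "P4 (informational)"


def record_incident(incident_id: str, summary: str, rating: ImpactRating,
                    profile: WeightProfile) -> dict:
    """Fill a minimal incident record (the 'standard template' of PC2)."""
    score = priority_score(rating, profile)
    return {"id": incident_id, "summary": summary, "rating": asdict(rating),
            "profile": profile.name, "score": score, "priority": priority_label(score)}


def triage_queue(incidents, profile: WeightProfile) -> list:
    """Return incident records ordered from highest to lowest priority."""
    records = [record_incident(i, s, r, profile) for i, s, r in incidents]
    return sorted(records, key=lambda rec: rec["score"], reverse=True)


# Constructed sample incidents for the demonstration.
SAMPLE_INCIDENTS = [
    ("INC-001", "customer PII exfiltrated via unauthorized account",
     ImpactRating(functional=1, information=3, recoverability=1)),
    ("INC-002", "denial of service against dispatch application",
     ImpactRating(functional=3, information=0, recoverability=2)),
]

if __name__ == "__main__":
    for profile in (PII_HEAVY, EMERGENCY_AGENCY):
        print(profile.name)
        for rec in triage_queue(SAMPLE_INCIDENTS, profile):
            print(f"  {rec['id']} {rec['priority']:<20} score={rec['score']}")
```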

Need for incident response

• to respond quickly and effectively when security breaches occur.
• to be able to use information gained during incident handling to better prepare for handling future
incidents.
• to provide stronger protection for systems and data.
• to help deal properly with legal issues that may arise during incidents.
• to comply with law, regulations, and policy directing a coordinated, effective defense against
information.

Goals of incident response

• formal, focused, and coordinated approach to responding to incidents.
• adhere to organization’s mission, size, structure, and functions.
• formulate policy, plan, and procedure creation to counter adverse events.
• to provide stronger protection for systems and data.
• to minimize loss or theft of information and disruption of services.
• to respond quickly and effectively when security breaches occur.

How to identify an incident

• incident analysis hardware and software to identify an incident.
• appropriate incident handling communication means and facilities.
• incident analysis resources to identify an incident.
• incident mitigation software to identify an incident.
• different response strategies to identify incidents through attack vectors, such as external/
removable media, attrition, web, email, impersonation, improper usage by organization’s
authorized users, loss or theft of equipment and others that are beyond the scope of the above
mentioned.

Signs of security incident

Two main types of signs of an incident are:


• Precursors: a sign that an incident may occur in the future.
• Indicator: a sign that an incident may have occurred or may be occurring now.

Some of the common signs of security incident are:


• web server log entries that show the usage of a vulnerability scanner.
• announcement of a new exploit that targets a vulnerability of the organization’s mail server.
• threat from a group stating that it will attack the organization.
• network intrusion detection sensor alerts when a buffer overflow attempt occurs against a
database server.
• antivirus software alerts when it detects that a host is infected with malware.
• system administrator sees a file name with unusual characters.
• host records an auditing configuration change in its log.
• application logs multiple failed login attempts from an unfamiliar remote system.
• email administrator sees a large number of bounced emails with suspicious content.
• network administrator notices an unusual deviation from typical network traffic flows.

Incident Information

One can get information about incidents from various sources:


• Alerts: reviewing alerts based on supporting data from sources such as Intrusion Detection and
Prevention Systems (IDPS); Security Information and Event Management (SIEM) alerts;
antivirus and anti-spam software; file integrity checking software; third-party monitoring
services etc.
• Logs: analyzing logs from sources such as operating system, service and application logs and
network device logs in correlation with event information.
• Network flow: using routers and other networking devices to provide information and locate
anomalous network activity caused by malware, data exfiltration and other malicious acts.
• Publicly Available Information: updating and integrating new vulnerabilities and exploits
published by authorized agencies such as the National Vulnerability Database (NVD).
• People: validating reports registered by users, system administrators, network administrators,
security staff, other people within the organization and reports originating from external
sources or parties.
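Two of the signs listed earlier (vulnerability scanner entries in web server logs, and multiple failed login attempts from an unfamiliar remote system) drawn out of the log sources just described, as an added example that is not part of the handbook. The log formats, sample lines, known-host inventory, threshold and scanner signatures are constructed assumptions, as is labelling the scan a precursor and the repeated failures an indicator.

```python
"""Extracting two common signs of an incident from sample logs.

Added example, not part of the handbook. It scans a constructed
authentication log for repeated failed logins from a remote system that is
not in the known-host inventory, and a constructed web access log for
User-Agent strings of vulnerability scanners. KNOWN_HOSTS, the threshold,
the signature list and the precursor/indicator labelling are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real data): an sshd-style authentication log ...
AUTH_LOG = """\
2015-06-01T09:00:01 host1 sshd[2201]: Failed password for admin from 10.0.0.15 port 51022
2015-06-01T09:00:03 host1 sshd[2201]: Failed password for admin from 10.0.0.15 port 51023
2015-06-01T09:00:05 host1 sshd[2204]: Failed password for root from 203.0.113.9 port 40001
2015-06-01T09:00:06 host1 sshd[2205]: Failed password for root from 203.0.113.9 port 40002
2015-06-01T09:00:07 host1 sshd[2206]: Failed password for oracle from 203.0.113.9 port 40003
2015-06-01T09:00:08 host1 sshd[2207]: Failed password for test from 203.0.113.9 port 40004
2015-06-01T09:00:09 host1 sshd[2208]: Failed password for guest from 203.0.113.9 port 40005
2015-06-01T09:00:10 host1 sshd[2209]: Failed password for backup from 203.0.113.9 port 40006
2015-06-01T09:00:20 host1 sshd[2210]: Accepted password for alice from 10.0.0.15 port 51030
"""
# ... and a web server access log in combined log format.
WEB_LOG = """\
203.0.113.9 - - [01/Jun/2015:09:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2015:09:05:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "-" "Nikto/2.1.5"
198.51.100.7 - - [01/Jun/2015:09:05:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2015:09:05:03 +0000] "GET /search?q=1 HTTP/1.1" 500 0 "-" "sqlmap/1.0"
"""

KNOWN_HOSTS = {"10.0.0.15", "10.0.0.20"}   # assumed inventory of familiar systems
FAILED_LOGIN_THRESHOLD = 5                  # assumed tuning value
SCANNER_SIGNATURES = re.compile(r"nikto|sqlmap|nessus|openvas|nmap", re.IGNORECASE)

FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
WEB_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"$')   # User-Agent is the last quoted field


def failed_logins_by_source(auth_log: str) -> Counter:
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in auth_log.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def unfamiliar_brute_force(auth_log: str, known_hosts=KNOWN_HOSTS,
                           threshold=FAILED_LOGIN_THRESHOLD) -> dict:
    """Unfamiliar remote systems at or above the failed-login threshold."""
    return {ip: n for ip, n in failed_logins_by_source(auth_log).items()
            if n >= threshold and ip not in known_hosts}


def scanner_user_agents(web_log: str) -> dict:
    """Source addresses whose User-Agent matches a scanner signature."""
    hits = defaultdict(set)
    for line in web_log.splitlines():
        match = WEB_RE.match(line)
        if match and SCANNER_SIGNATURES.search(match.group("ua")):
            hits[match.group("ip")].add(match.group("ua"))
    return {ip: sorted(uas) for ip, uas in hits.items()}


def triage(auth_log: str, web_log: str) -> dict:
    """Group findings per source. Scans are labelled precursors and repeated
    failed logins indicators; that labelling is this example's assumption."""
    findings = defaultdict(list)
    for ip, uas in scanner_user_agents(web_log).items():
        findings[ip].append(f"precursor: vulnerability scanner in web log ({', '.join(uas)})")
    for ip, n in unfamiliar_brute_force(auth_log).items():
        findings[ip].append(f"indicator: {n} failed logins from unfamiliar remote system")
    return dict(findings)


if __name__ == "__main__":
    for source, notes in sorted(triage(AUTH_LOG, WEB_LOG).items()):
        print(source)
        for note in notes:
            print("  -", note)
```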


1.2 Handling Different Types of Information Security Incidents

Handling incidents
There are five important incident handling phases:
• Preparation: establishing and training an incident response team, and acquiring the necessary
tools and resources.
• Detection and analysis: detecting security breaches and alerting the organization during any
imminent attack.
• Containment: mitigating the impact of the incident by containing
• Eradication and recovery: carrying out the detection and analysis cycle to eradicate the incident and
ultimately initiate recovery.
• Post-incident activity: preparing a detailed report of the cause and cost of the incident and future
preventive measures against similar attacks.

This is similar to the tasks contained within incident management plans:


• identify
• contain
• cleanse
• recover
• close

Organizations should have a plan to respond to various types of incidents detailing various aspects of
incident handling including the above.

Incident response plan

Incident Response Plan is an organization’s foundation to a formal, focused and coordinated approach
for incident response.

Purpose of incident response plan

The objective of instituting an incident response plan is to provide the roadmap for implementing the
incident response capability. The incident response plan acts as a defence mechanism against
hackers, malware, human error and a series of other security threats.

Requirements of incident response plan

An incident response plan provides the structure for building an organization’s incident response
capability. Emphasis on computing security policies and practices is a main objective of most
organizations’ overall risk management strategies. Elements that are recommended as important to
an incident response plan are:

• organization’s mission towards the plan
• organization’s strategies and goals to determine the structure of incident response capability
• senior management approval in the structuring of the proposed plan
• organizational approach to incident response
• incident response team’s communication with the rest of the organization and with other
organizations
• metrics for measuring the incident response capability and its effectiveness
• roadmap for maturing the incident response capability (regular reviews, audits and tests etc.)
• how the program fits into the overall organization

Incident response plan checklist

Developing an incident response plan checklist can minimize the threat of a security breach in the form
of attacks on websites and servers, or inadvertent leakage of shared sensitive data etc. Instating a
structure that ensures the latest developments are captured, understood, evaluated as threats to the
business, documented and distributed will help ensure an effective incident response. An incident
response plan checklist should be an amalgamation of the following key practices:

• provide a roadmap for implementing an incident response program based on the
organization’s policy.
• organize both short and long-term program goals, including metrics for measuring the
program.
• highlight incident handlers’ training needs and other technical requirements.
• ensure existing and new cyber technologies are adequately addressed in policies and
procedures.
• conduct regular reviews, audits and tests to protect against security breaches.
• classify business data in the order of its sensitivity and security requirements.
• select an appropriate incident response team structure.
• comply with security-related incident regulations and law enforcement procedures.


1.3 Preparation for Incident Response and Handling


• Create a core team

Integrity of business security demands the presence of an effective incident response team, which
can be achieved through the selection of appropriate structure and staffing models. Typically, a
designated incident response team or personnel function as the first point of contact (POC) in a
situation involving a security breach in an organization. The incident handlers may then analyse the
incident data, determine the impact of the incident, and act appropriately to limit the damage and
restore normal services. The incident response team’s success depends on the participation and
cooperation of individuals throughout the organization. Therefore, an organization must create a core
team, identify suitable individuals, discuss incident response team models, and provide advice on
selecting an appropriate model.

A team may be based on one of the following models:

• Central Security Incident Response team: a functional model for small organizations with
limited or no geographic presence wherein a single incident response team handles core
security computing.
• Distributed Security Incident Response team: this model is effective for large organizations
(e.g. one team per division) and for organizations with major computing resources at distant
locations (e.g. one team per geographic region, one team per major facility).
• Coordinating team: an incident response team provides advice to other teams without having
authority over those teams. For example, a department-wise team may assist individual
agencies’ teams; it is almost modelled as a CSIRT for CSIRTs.

• Create tool kit, systems and instrumentation: a jumpkit is a portable case instrumental to incident
response teams; it contains items such as a laptop, appropriate software such as packet sniffers and
digital forensics tools, backup devices, blank media etc.

Listed below is a range of tool kits, systems and instrumentation that may be useful in an
incident response:

• Incident handler communications and facilities: these may include contact information of team
members and others within the organization and external parties; an on-call information matrix;
incident reporting mechanisms such as phone numbers, email addresses, online forms, etc.;
incident tracking systems; smartphones for round-the-clock communication; use of encryption
software for internal team members; a security materials storage facility etc.
• Incident analysis hardware and software: digital forensic workstations and/ or backup devices to
create disk images, preserve log files and save other relevant incident data etc.; laptops; spare
workstations, servers and networking equipment, or the virtualized equivalents, for storing and
trying out malware; blank removable media; packet sniffers and protocol analyzers; digital forensic
software; evidence gathering accessories such as digital cameras, audio recorders, chain of
custody forms etc.
• Incident analysis resources: port lists, including commonly used ports and Trojan horse ports;
documentation for OSs, applications, protocols etc.; network diagrams and lists of critical assets
such as database servers; current baselines of expected network, system and application activity;
cryptographic hashes of critical files to speed incident analysis, verification and eradication.
• Incident mitigation software: access to images of clean OS and application installations for
restoration and recovery purposes.
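The “cryptographic hashes of critical files” resource above, worked through as an added example (not the handbook’s own material): build a SHA-256 baseline of designated files, store it, and compare a live tree against it to find modified, missing and unexpected files. The directory tree, file contents and simulated changes are constructed in a temporary directory for the demonstration.

```python
"""SHA-256 baseline of critical files for incident analysis.

Added example, not part of the handbook. It records a hash baseline for the
files a team designates as critical, stores it as JSON, and compares a live
tree against it, reporting modified, missing and unexpected files. The
directory layout, file contents and changes are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative, '/'-separated) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, out_file: Path) -> None:
    # In practice keep the baseline off the monitored system; JSON keeps it diffable.
    out_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Classify differences between the live tree and the recorded baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
        "unchanged": sorted(k for k in baseline if current.get(k) == baseline[k]),
    }


def demo() -> dict:
    """Build a baseline, simulate changes seen during an incident, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "critical"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed placeholder binary")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Constructed changes: a weakened config, a removed binary, a dropped file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "login").unlink()
        (root / "bin" / "dropped.so").write_bytes(b"unexpected content")

        return compare_to_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```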


Table-Top Exercise for Incident Response (IR) for XYZ Organization:

IR Lifecycle Stage: Summary of Incident Activities

Preparation
• Provide training and awareness for all individuals in recognizing anomalous behavior and
specific reporting requirements for suspected breaches of an
• Gather contact information for incident handlers,
• Gather hardware and software needed for technical analysis; and
• Perform evaluations, such as tabletop exercises, of the IR capability.

Detection and Analysis
• Monitor information system protection mechanisms and system logs
• Investigate reports of suspected XYZ breaches from agency individuals.
• Notify the Security Director and the System Administrator immediately, but no later than
24 hours after identification of a possible issue involving XYZ asset information.

Containment
• Choose and implement a strategy for preventing further information loss based on the level of
risk to the information.
• Gather and preserve technical evidence, if applicable;

Eradication
• Eliminate components of the incident, such as deleting malicious code and disabling breached
user accounts, if applicable.

Recovery
• Restore systems via appropriate technical actions such as: restoring from clean backups,
rebuilding systems from scratch, replacing compromised files with clean versions, installing
patches, changing passwords, and tightening network perimeter security.

Sample Incident Response Evaluation Scenarios

XYZ Breach Scenario:
• Through a routine evaluation of system logs, a system administrator discovers that XYZ’s data
has been exfiltrated from the system by an unauthorized user account.
• A remote user has lost his/her laptop. The user’s job function required that XYZ’s information
be stored on the laptop.
• After a recent office move, it is discovered that a locked cabinet containing XYZ’s information is
missing.

Tabletop Exercise Objectives:
• Determine the actions that would help prevent this type of incident (preparation).
• Determine the controls in place that would help identify this incident, along with procedures on
how to report the incident (detection and analysis).
• How to prevent further damage (containment).
• How to clean the system (eradication).
• How to restore the system in a secure manner (recovery).


Summary
• An incident is a set of one or more security events or conditions that requires action and closure
in order to maintain an acceptable risk profile.
• These can be classified into:
o Malicious code incidents
o Network reconnaissance incidents
o Unauthorised access incidents
o Inappropriate usage incidents
o Multiple component incidents
• Impact of information security incidents can be classified into:
o Functional impact
o Information impact
o Recoverability from the incident
• Signs of security incident: Two main types of signs of an incident are:
o Precursors: It is technically a sign that an incident may occur in the future.
o Indicator: A sign that an incident may have occurred or may be occurring now.
• There are five important incident handling phases:
o Preparation
o Detection and analysis
o Containment
o Eradication and recovery
o Post-incident activity
• Incident Response Plan is an organization’s foundation to a formal, focused and coordinated
approach for incident response.
• Central Incident Response team: a functional model for small organizations with limited or no
geographic presence wherein a single incident response team handles core security computing.
• Distributed Incident Response team: this model is effective for large organizations (e.g. one
team per division) and for organizations with major computing resources at distant locations
(e.g. one team per geographic region, one team per major facility).
• A jumpkit is a portable case instrumental to incident response teams and it contains items such
as a laptop, appropriate software such as packet sniffers and digital forensics tools, backup
devices, blank media etc.


Practical activities:

Activity 1:

Collate information on various types of information security incidents from the internet
and populate the various categories of incidents mentioned in the unit with examples
of each. Present a few details of these incidents, if possible.

Activity 2:

Visit various company sites, and find out their incident response plans and list out
various components of it.

Activity 3:

Work in a group to create an incident response plan for the training institute and
modify it as they progress through this module.

Check your understanding:


Q. What are the two types of signs of an incident?

a. ________________________________________

b. ________________________________________
Q. A portable case, instrumental to incident response teams, that contains items such as a laptop,
appropriate software such as packet sniffers and digital forensics tools, backup devices, blank media
etc. is known as a ________________

Q. What are the goals of Incident Response? List at least three.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. List at least three common signs of a security incident.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. List the five incident handling stages.

__________________________________________________________________________________

__________________________________________________________________________________


__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. Which of the following is not a category of security incidents? Mark all that apply.
a) Malicious code
b) Network usage
c) CSIRT
d) Inappropriate usage
e) Precursor
f) Multiple component

NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

_________________________________________________________________________________


UNIT II
Incident Response Team – Roles and Responsibilities

This unit covers:


• Lesson Plan
2.1. Incident Response Team
2.2. Incident Response Team Dependencies


Lesson Plan

Outcomes:
To be competent, you must be able to:
PC1. establish your role and responsibilities in co-ordinating responses to
information security incidents.
PC4. assign information security incidents promptly to appropriate people
for investigation/ action.
PC5. liaise with stakeholders to gather, validate and provide information related
to information security incidents, where required.
PC10. obtain advice and guidance on co-ordinating information security incidents
from appropriate people, where required.

Performance Ensuring Measures:
1. Identify and access sources for standard checklists, guidelines and templates for
carrying out different types of audits.

Work Environment/ Lab Requirement:
• PCs/ tablets/ laptops
• Availability of labs (24/7)
• Internet with Wi-Fi (min 2 Mbps dedicated)

Outcomes:
You need to know and understand:
KA4. limits of your role and responsibilities and who to seek guidance from
where required.
KA6. who to involve when investigating and co-ordinating responses to
information security incidents and how to contact them.
KA11. how to assign and escalate information on information security incidents.
KA12. different methods and techniques used when working with others.
KB5. common issues and incidents of information security that may require
action and whom to report these to.
KB6. how to obtain and validate information related to information security
issues.
KB7. how to prepare and submit information security reports and whom to
share these with.

Performance Ensuring Measures:
KA4. Peer group, faculty group and industry experts.
KA6. Performance evaluation from faculty and industry with reward points.
KA11. Online exam and reward points based on reviews from the forums.
KA12. Faculty and peer review.
KB5, KB6, KB7. Going through the security standards over the internet by visiting
sites like ISO, PCI DSS etc. and understanding various methodologies and usage of
algorithms. Learn about the CIA triad relating to latest threats and vulnerabilities.

Work Environment/ Lab Requirement:
• PCs/ tablets/ laptops
• Availability of labs (24/7)
• Internet with Wi-Fi (min 2 Mbps dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security etc.
• Security Templates from ITIL & ISO


Lesson

2.1 Incident Response Team


Incident response team members

A single employee, with one or more designated alternates should be in charge of incident response.
In a fully outsourced model, this person oversees and evaluates the outsourcer’s work. All other
models generally have a team manager and one or more deputies who assume authority in the
absence of the team manager. Every team member should have good problem solving skills and
critical thinking abilities.

Incident response team: roles and responsibilities

An incident response team member should possess technical skills, such as system administration,
network administration, programming, technical support or intrusion detection. An incident
response team should be a combination of skilled members in the area of technology (e.g. operating
systems and applications) and other technical areas such as network intrusion detection, malware
analysis or forensics.

Roles and responsibilities

A team member in an incident response unit is expected to have a basic understanding of the
technologies used and their applications. The individual should be capable of comprehending
and handling the following aspects of security incidents:

• the type of incident activity that is being reported or seen by the community.
• the way in which incident response team services are being provided (the level and
depth of technical assistance provided to the constituency).
• the responses that are appropriate for the team (e.g. what policies and procedures or
other regulations must be considered or followed while undertaking the response).
• the level of authority the incident response team has in taking any specific actions when
applying technical solutions to an incident reported to the incident response team.

Developing skills in incident response personnel

 maintain, enhance and expand proficiency in technical areas and security disciplines as well as
less technical topics such as the legal aspects of incident response.
 encourage participation in conferences.
 promote deeper technical understanding.
 engage external trainers with deep technical knowledge in the needed areas to impart learning
and development.
 provide opportunities to perform other tasks in non-functional areas.
 rotate staff across functions so that members gain new technical skills.
 create a mentoring program to enable senior technical staff to help less experienced staff learn
incident handling.
 develop incident handling scenarios and conduct team discussions.

Incident response team structure

Once a functional core team has been selected, it should be organized into a staffing model that
suits the volume of incident response work and the size of the organization. The three staffing
models are:

 In-house employees
 Partially outsourced
 Fully outsourced

An organization should consider the following factors before selecting an incident response team
structure:

 The need for 24/7 availability: real-time availability is one of the most valuable properties of
an incident response capability, because the longer an incident lasts, the more potential there is
for damage and loss.
 Full-time versus part-time team members: organizations with limited funding, staffing or
incident response needs may have only part-time incident response team members, serving
as more of a virtual incident response team. An existing group such as the IT help desk can
act as the first point of contact (POC) for incident reporting and perform initial investigation
and data collection.
 Employee morale: separate administrative work from core incident response to minimize
stress on employees and to help boost morale.
 Cost: fund training and skills development for incident response team members adequately;
the work demands broad knowledge of IT.
 Staff expertise: incident handling requires specialized knowledge and experience in several
technical areas. The breadth and depth of knowledge required varies based on the severity
of the organization's risks.

Outsourced
 In the case of outsourced work, the organization must consider not only the current quality
(breadth and depth) of the outsourcer's work, but also how the quality of future work will be
assured.
 Document the division of responsibilities and the outsourcer's authority, and ensure that the
decision points between the two parties are handled.
 Divide incident response responsibilities and restrict the outsourcer's access to sensitive
information.
 Provide regularly updated documents that define which incidents the organization is
concerned about.
 Correlate data from multiple sources, not only those the outsourcer sees.
 Maintain basic incident response skills in-house.


2.2 Incident Response Team Dependencies


It is important to identify other groups within the organization and rely on the expertise, judgment
and abilities of others. These include: management, which establishes incident response policy,
budget and staffing; information security staff, needed during certain stages of incident handling
(prevention, containment, eradication and recovery); IT technical experts (system and network
administrators); the legal department, which reviews plans, policies and documents; public affairs
and media relations; human resources; business continuity planning; and physical security and
facilities management.

Different methods and techniques used when working with others

Incident response team services


The main focus of an incident response team is performing incident response, but it may also
provide the following services:
 Intrusion detection: the incident response team analyzes incidents more quickly and accurately
because of the knowledge it gains of intrusion detection technologies.
 Advisory distribution: the team may also issue advisories within the organization regarding
new vulnerabilities and threats, including through automated methods.
 Education and awareness: promote education and awareness so that users and technical staff
know how to detect, report and respond to incidents, through means such as workshops,
websites, newsletters, posters and stickers on monitors and laptops.
 Information sharing: manage the organization's incident information sharing efforts.

Defining the relationship between incident response, incident handling, and incident management

Incident response means responding to computer security incidents systematically, by following a
consistent incident handling methodology, so that the appropriate actions are taken in a timely
manner. It is a mechanism to minimize loss or theft of information and disruption of services
caused by incidents.

Incident handling refers to the phases of the incident response process, i.e. preparation,
detection and analysis, containment, eradication and recovery, and post-incident activity, required
for adequate handling of an incident.

Incident management is a term used to describe the overall security management needed to
detect the occurrence of an incident, initiate and handle an incident response, and prevent any
future re-occurrence.

Routine operational procedures and tasks required to co-ordinate and respond to information
security incidents
 Prepare to handle incidents.
 Use incident analysis hardware and software.
 Use incident analysis resources.
 Use incident mitigation software.
 Management is responsible for coordinating incident response among the various stakeholders,
minimizing damage, and reporting to oversight bodies and other parties (in the US federal
context from which this list is drawn, Congress, OMB and the General Accounting Office (GAO)).
 Information security staff members may be needed during certain stages of incident handling
(prevention, containment, eradication and recovery), for example to alter network security
controls (e.g. firewall rule sets).
 IT technical experts (e.g. system and network administrators) can ensure that the appropriate
actions are taken for the affected system, such as whether to disconnect an attacked system.
 Coordinate with relevant legal experts to review incident response plans, policies and
procedures to ensure their compliance with law and government guidance, including the right to
privacy.
 Coordinate and inform the media and, by extension, the public.
 Ensure that incident response policies and procedures and business continuity processes are
in sync.
 Coordinate with Physical Security and Facilities Management to access facilities during
incident handling.

Part of outlining the incident response framework is the identification of IR Severity Levels. These
levels help the team understand the severity of an event and govern the team's response. One
suggested set of levels is the following:

Severity level   Level of business impact   Resolution effort required
Severity 1       Low                        Low effort
Severity 2       Moderate                   Moderate effort
Severity 3       High                       Extensive, ongoing effort
Severity 4       Severe                     Disaster recovery invoked

Note that this scheme numbers severity upwards (Severity 4 is the most serious); many
organizations number in the opposite direction, so the plan must state which convention it uses.

Start to create a documented action script that outlines your response steps so that your IR
Manager can follow them consistently. Your script should show steps similar to the following:

Step #   Action
1        Incident announced
2        IR Manager alerted
3        IR Manager begins information gathering from affected site
4        IR Manager begins tracking and documentation of incident
5        IR Manager invokes Assessment Team (details of call bridge or other communication
         mechanism)
6        Assessment Team reviews details and decides on Severity Level of incident
7        IF SEV 1: proceed to step 11.0
8        IF SEV 2: proceed to step 12.0
9        IF SEV 3: proceed to step 13.0
10       IF SEV 4: proceed to step 14.0

FOR SEVERITY LEVEL 1 – Proceed with following sequence
11.0     Determine attack vectors being used by threat
11.1     Determine network locations that are impacted
11.2     Identify areas that fall under "Parent Organization"
11.3     Identify systems or applications that are impacted

FOR SEVERITY LEVEL 2 – Proceed with following sequence
12.0     Determine attack vectors being used by threat
12.1     Alert Incident Officer to Severity 2 threat

References: Students are encouraged to read more on Roles and Responsibilities in IR team of any
Organization from following references.

 http://www.cert.org/csirts/Creating-A-CSIRT.html
 http://www.cert.org/csirts/Creating-A-CSIRT.html#practices
 O’Reilly Incident Response – Kenneth R. vanWyk and Richard Forno
 http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf


Summary
 An incident response team member should possess technical skills, such as system
administration, network administration, programming, technical support or intrusion
detection.
 An incident response team should combine members skilled in technology (operating systems
and applications) with members skilled in other technical areas such as network intrusion
detection, malware analysis or forensics.
 An incident response team may be staffed in-house, partially outsourced or fully outsourced.
 The main focus of an incident response team is performing incident response, but it may also
provide the following services: intrusion detection, advisory distribution, education and
awareness, and information sharing.
 Incident response means responding to computer security incidents systematically, by
following a consistent incident handling methodology, so that the appropriate actions are taken
in a timely manner. It is a mechanism to minimize loss or theft of information and disruption of
services caused by incidents.
 Incident handling refers to the phases of the incident response process, i.e. preparation,
detection and analysis, containment, eradication and recovery, and post-incident activity,
required for adequate handling of an incident.
 Incident management is a term used to describe the overall security management needed to
detect the occurrence of an incident, initiate and handle an incident response and prevent any
future re-occurrence.

Practical activities:

Activity 1:

Research the websites of various companies to understand their information security incident
plans and the teams involved, including roles and responsibilities for various teams and
personnel. Present your findings in class.

Activity 2:

Research various external service providers and services that support an organisation's incident
response team in responding to information security incidents.


Check your understanding:


Q. List down various roles and responsibilities of the Incident Response team.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. List the various other teams and departments the Incident Response team has to work or
coordinate with.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


UNIT III
Incident Response Process

This unit covers:


 Lesson Plan
 Resource Material
3.1 Incident Response Process


Lesson Plan

Columns: Outcomes | Performance Ensuring Measures | Work Environment/ Lab Requirement

Outcomes:
PC2. record, classify and prioritize information security incidents using standard templates and
tools.
PC5. liaise with stakeholders to gather, validate and provide information related to information
security incidents, where required.
PC6. track progress of investigations into information security incidents and escalate to
appropriate people where progress does not comply with standards or service level agreements
(SLAs).
PC7. prepare accurate preliminary reports on information security incidents using standard
templates and tools.
PC8. submit preliminary reports promptly to appropriate people for action.
PC9. update the status of information security incidents following investigation/ action using
standard templates and tools.

Performance Ensuring Measures:
1. QA session and a descriptive write-up on understanding.
2. Group presentation and peer evaluation along with faculty.
3. Performance evaluation from faculty and industry with reward points.
4. Written assignment of incident report prepared.

Work Environment/ Lab Requirement:
 PCs/ tablets/ laptops
 Availability of labs (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security etc.
 Security Templates from ITIL & ISO
 Projection facilities

Outcomes:
KA1. your organization's policies, procedures, standards, guidelines and service level agreements
for responding to information security incidents.
KA2. the day-to-day operations, procedures and tasks relating to your area of work.
KA7. the importance of tracking progress and corrective and preventative actions for information
security incidents.
KA8. the importance of keeping records and evidence relating to information security incidents.
KA13. standard tools and templates available and how to use them.
KA14. your organization's policies and procedures for sharing information on security incidents
and the importance of complying with those.
KA15. how to classify and prioritise information security incidents.
KB6. how to obtain and validate information related to information security issues.
KB7. how to prepare and submit information security reports and whom to share the same with.

Performance Ensuring Measures:
KA1. QA session and a descriptive write-up on understanding.
KA2. Group presentation and peer evaluation along with faculty.
KA7, KA8. Performance evaluation from faculty and industry with reward points.
KA13. Creation of templates based on the learnings.
KB1 – KB7:
1. Group and faculty evaluation based on anticipated outcomes. Reward points to be allocated to
groups.
2. Classify the latest threats and vulnerabilities into the CIA triad.

Work Environment/ Lab Requirement:
 PCs/ tablets/ laptops
 Availability of labs (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security etc.
 Security Templates from ITIL & ISO


Lesson

3.1 Incident Response Process

Step 1: Identification
Obtaining and validating information related to information security issues

In incident handling, detection may be the most difficult task. Incident response teams handle
security incidents using well-defined response strategies that begin with information gathering.
Preparing a list of the most common attack vectors, such as external/removable media, web,
email, impersonation and improper use by authorized users, helps narrow the choice of
incident handling procedure. Each suspected incident should be validated using defined standard
procedures, and each step taken should be documented accurately.

Common issues and incidents of information security that may require action and whom to report

An indicator does not always mean a security incident has occurred: a server crash or the
modification of a critical file may equally be the result of a technical fault or human error.
Determining whether a particular event is actually an incident is sometimes a matter of judgment,
and it may be necessary to collaborate with other technical and information security personnel to
decide. Incident handlers should therefore report the matter to experienced staff members who
can analyse the precursors and indicators effectively and take appropriate action.

Mentioned below are some of the means to conduct initial analysis for validation:
 Profile networks and systems to measure the characteristics of expected activity, so that
changes to it can be identified more easily; profiling is one of several detection and analysis
techniques.
 Study networks, systems and applications to understand their normal behavior, so that
abnormal behavior can be recognized more easily.
 Create and implement a log retention policy that specifies how long log data should be kept.
Older log entries may show reconnaissance activity or previous instances of similar attacks,
which is extremely helpful in analysis.
 Correlate events using evidence of an incident captured in several logs, each of which may
contain different types of data: a firewall log may have the source IP address that was used,
whereas an application log may contain a username.
 Synchronize host clocks using a protocol such as the Network Time Protocol (NTP), so that the
time of attack is recorded consistently across hosts and logs can be correlated.
 Maintain and use a knowledge base of information that handlers need to reference quickly
during incident analysis.
 Use internet search engines to help analysts find information on unusual activity.
 Run packet sniffers to collect additional data; configuring the sniffer to record only traffic that
matches specified criteria keeps the volume of data manageable and minimizes the inadvertent
capture of other information.
 Filter the data to set aside categories of indicators that tend to be insignificant.
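The correlation, clock-synchronization and profiling points above, as an added Python example that is not code from the handbook: it parses two constructed log excerpts (a firewall log stamped in UTC, which has the source IP but no username, and an application log stamped in Indian local time, which has the username), compares them in absolute time rather than by the printed clock value, joins them on source IP within a small clock-skew window, and flags logins that come from outside a constructed per-user baseline. The log formats, IP addresses, user names and baseline networks are all assumptions made for the example.

```python
"""Correlate a firewall log with an application log by source IP.

Added example for the identification step above; not code from the
handbook. The log lines, both log formats and the per-user baseline
are constructed here for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: records the source IP but no username.
# Timestamps are UTC ('Z'); the firewall is assumed to be NTP-synchronised.
FIREWALL_LOG = """\
2015-03-02T10:14:02Z fw1 ACCEPT src=203.0.113.45 dst=10.0.0.8 dport=443
2015-03-02T10:14:05Z fw1 ACCEPT src=203.0.113.45 dst=10.0.0.8 dport=443
2015-03-02T10:14:09Z fw1 ACCEPT src=203.0.113.45 dst=10.0.0.8 dport=443
2015-03-02T10:15:40Z fw1 ACCEPT src=198.51.100.7 dst=10.0.0.8 dport=443
"""

# Constructed application log: records the username, stamped in local
# time (+0530). Both logs must be compared in absolute time, not by the
# printed clock value, or the join below finds nothing.
APP_LOG = """\
2015-03-02 15:44:03 +0530 LOGIN_FAILED user=asmith client=203.0.113.45
2015-03-02 15:44:06 +0530 LOGIN_FAILED user=asmith client=203.0.113.45
2015-03-02 15:44:10 +0530 LOGIN_OK user=asmith client=203.0.113.45
2015-03-02 15:45:41 +0530 LOGIN_OK user=bjones client=198.51.100.7
"""

# Constructed baseline (profile): networks each user normally logs in from.
KNOWN_CLIENTS = {
    "asmith": [ipaddress.ip_network("192.0.2.0/24")],
    "bjones": [ipaddress.ip_network("198.51.100.0/24")],
}

FW_RE = re.compile(r"^(\S+) \S+ (\w+) src=(\S+) dst=\S+ dport=(\d+)$")
APP_RE = re.compile(r"^(\S+ \S+ [+-]\d{4}) (\w+) user=(\S+) client=(\S+)$")


def parse_firewall(text):
    """Return firewall events with timezone-aware UTC timestamps."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped; a production parser would count them
        ts = datetime.strptime(m.group(1).replace("Z", "+0000"), "%Y-%m-%dT%H:%M:%S%z")
        events.append({"ts": ts, "action": m.group(2), "src": m.group(3), "dport": int(m.group(4))})
    return events


def parse_app(text):
    """Return application events; %z keeps the +0530 offset on the timestamp."""
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")
        events.append({"ts": ts, "event": m.group(2), "user": m.group(3), "src": m.group(4)})
    return events


def correlate(fw_events, app_events, skew=timedelta(seconds=5)):
    """Join the two logs on source IP within a clock-skew window.

    Returns one summary per (user, src): the application events seen, how
    many distinct firewall connections from that IP fall within `skew` of
    them, how many logins failed, and whether the IP is outside the
    user's baseline.
    """
    by_src = defaultdict(list)
    for ev in fw_events:
        by_src[ev["src"]].append(ev)

    summary = {}
    for ev in app_events:
        key = (ev["user"], ev["src"])
        entry = summary.setdefault(key, {"user": ev["user"], "src": ev["src"], "app_events": [],
                                          "failed_logins": 0, "fw_matched": set(),
                                          "off_baseline": False})
        entry["app_events"].append(ev["event"])
        if ev["event"] == "LOGIN_FAILED":
            entry["failed_logins"] += 1
        # Aware datetimes subtract in absolute time, so UTC vs +0530 is handled here.
        entry["fw_matched"].update(f["ts"] for f in by_src[ev["src"]]
                                   if abs(f["ts"] - ev["ts"]) <= skew)
        addr = ipaddress.ip_address(ev["src"])
        entry["off_baseline"] = not any(addr in net for net in KNOWN_CLIENTS.get(ev["user"], []))

    for entry in summary.values():
        entry["fw_hits"] = len(entry.pop("fw_matched"))
    return list(summary.values())


def indicators(summary):
    """Entries worth an analyst's attention: failed logins then success, from an off-baseline IP."""
    return [e for e in summary
            if e["off_baseline"] and e["failed_logins"] > 0 and "LOGIN_OK" in e["app_events"]]


if __name__ == "__main__":
    for e in indicators(correlate(parse_firewall(FIREWALL_LOG), parse_app(APP_LOG))):
        print(f"user={e['user']} src={e['src']} fw_hits={e['fw_hits']} events={e['app_events']}")
```

On the constructed data the script reports only asmith: two failed logins and then a success from 203.0.113.45, an address outside that user's baseline, with three matching firewall connections, while bjones's login from a known network is left out. If the application's clock were not synchronized (or its offset not recorded), the five-second window would miss every firewall event, which is the practical reason the NTP item above matters.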


Step 2: Incident recording

Every occurrence of an incident must be recorded, and the incident response team should keep the
status of incidents up to date along with other pertinent information. Observations and facts about
the incident may be captured in a logbook, on laptops, with audio recorders, with digital cameras
etc.

Incident record samples and template

Documenting system events, conversations and observed changes in files leads to more efficient,
more systematic and less error-prone handling of the problem. Using an application or a database,
such as an issue tracking system, helps ensure that incidents are handled and resolved in a timely
manner.

The following information should be included in an incident record template:

 Current status of the incident (new, in progress, forwarded for investigation, resolved etc.)
 Summary of the incident
 Indicators related to the incident
 Other incidents related to this incident
 Actions taken by all incident handlers on this incident
 Chain of custody, if applicable
 Impact assessments related to the incident
 Contact information for other involved parties (system owners, system administrators etc.)
 List of evidence gathered during the incident investigation
 Comments from incident handlers
 Next steps to be taken (rebuild the host, upgrade an application etc.)

Step 3: Initial response


Commence initial response to an incident based on the type of incident, the criticality of the resources
and data that are affected, the severity of the incident, existing Service Level Agreements (SLA) for
affected resources, the time and day of the week, and other incidents that the team is handling.
Generally, the highest priority is handling incidents that are likely to cause the most damage to the
organization or to other organizations.

Step 4: Communicating the incident

The incident should be communicated, following the appropriate procedures, through the
organization's points of contact (POC) for reporting incidents internally. Some organizations
structure their incident response capability so that all incidents are reported directly to the
incident response team, whereas others use existing support structures such as the IT help desk as
the initial POC.

Assigning and escalating information on information security incidents

Organizations should also establish an escalation process for those instances when the team does
not respond to an incident within the designated time. This can happen for many reasons: for
example, cell phones may fail or people may have personal emergencies. The escalation process
should state how long a person should wait for a response and what to do if no response occurs.
If there is no response within the stipulated time, the incident should be escalated again to a
higher level of management. This process should be repeated until the incident is successfully
handled.


Step 5: Containment
Containment and Quarantine

Containment is important before an incident overwhelms resources or increases damage. Most
incidents require containment, so it is an important consideration early in the handling of each
incident. Containment provides time for developing a tailored remediation strategy. An essential
part of containment is decision-making: the situation may demand immediate action such as
shutting down a system, disconnecting it from the network or disabling certain functions.

Criteria for choosing a containment strategy include:

 Potential damage to and theft of resources
 Need for evidence preservation
 Service availability (network connectivity, services provided to external parties etc.)
 Time and resources needed to implement the strategy
 Effectiveness of the strategy (partial containment, full containment etc.)
 Duration of the solution (emergency workaround to be removed in four hours, temporary
workaround to be removed in two weeks, permanent solution etc.)

Quarantine

One containment strategy is to redirect the attacker to a sandbox so that the team can monitor the
attacker's activity, usually to gather additional evidence. This carries a risk: if a compromise is
allowed to continue, the attacker may use the compromised system to attack other systems.

Understand network damage

Containment can itself cause a problem: some attacks cause additional damage when they are
contained. For example, a compromised host may run a malicious process that pings another host
periodically. When the incident handler contains the incident by disconnecting the compromised
host from the network, the pings fail and, as a result, the malicious process may overwrite or
encrypt all the data on the host's hard drive.

Identify and isolate the trust model

Networked information systems are exposed to threats, and otherwise benign nodes are often
compromised because they act on unknown, incomplete or distorted information received from
external sources. Malicious nodes must therefore be identified and isolated from the environment.
Part of the solution is establishing trust: a trust model rates information sources on their
characteristics, on how relevant and reliable they are, and on the experience of other members of
the community, so that decisions are based on the most trustworthy sources.

Step 6: Formulating a response strategy

An analysis of the recoverability from an incident determines the possible responses that the team
may take when handling it. An incident with a high functional impact and low effort to recover
from is an ideal candidate for immediate action by the team. In situations involving large-scale data
exfiltration or exposure of sensitive information, the incident response team may formulate its
response by transferring the case to a strategic-level team. Each response strategy should be
formulated based on the business impact caused by the incident and the estimated effort required
to recover from it.

Incident response policies should, at a minimum, include provisions concerning incident reporting:
what must be reported, to whom and at what times.

Parties who typically must be informed include the CIO, the head of information security, the local
information security officer, other incident response teams within the organization, external
incident response teams (if appropriate), the system owner, human resources (for cases involving
employees, such as harassment through email), public affairs etc.

Step 7: Incident classification

Classifying and prioritizing information security incidents

An incident may be broadly classified by attack vector: external/removable media; attrition (e.g.
brute-force attacks); web; email; improper usage; loss or theft of equipment; miscellaneous.

Incident prioritization
Incidents should be prioritized on:
 Functional impact: the effect of the incident on the existing functionality of the affected
systems, and its likely future functional impact if it is not immediately contained.
 Information impact: whether the incident amounts to information exfiltration, its effect on the
organization's overall mission, and the effect on other organizations if any of the exfiltrated
data pertain to a partner organization.
 Recoverability: the amount of time and resources that must be spent on recovering from the
incident. Whether to actually recover from an incident should be weighed carefully against the
value the recovery effort will create and any requirements related to incident handling.

Incident classification guidelines and templates

Organizations should document their guidelines and templates for handling any incident, but
should focus on being prepared to handle incidents that use common attack vectors. Capturing an
attack pattern formally, with the required information, helps the team understand specific parts of
an attack, how it is designed and executed, and the adversary's perspective on the problem and the
solution, and gives guidance on ways to reduce the attack's effectiveness. Attack patterns are useful
across the lifecycle:

 Requirements: identification of relevant security requirements, misuse and abuse cases.
 Architecture and design: provide context for architectural risk analysis and guidance for
security architecture.
 Implementation and development: prioritize and guide review activities.
 Testing and quality assurance: provide context for appropriate risk-based and penetration
testing.
 System operation: leverage lessons learned from security incidents into preventative guidance.
 Policy and standard generation: guide the identification of appropriate prescriptive
organizational policies and standards.


Incident prioritization guidelines and templates

Creating written guidelines for prioritizing incidents is good practice and helps achieve effective
information sharing within an organization. It also helps identify situations that are of greater
severity and demand immediate attention. A template for incident prioritization should be built
on the relevant factors: the functional impact of the incident (e.g. current and likely future negative
impact to business functions), the information impact of the incident (e.g. effect on the
confidentiality, integrity and availability of the organization's information) and the recoverability
from the incident (e.g. the time and types of resources that must be spent on recovering from the
incident).
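The incident record template (Step 2), the escalation process (Step 4) and the prioritization factors (Step 7) above, as one added Python example that is not code from the handbook: a record type carrying the template's fields, a severity function that combines functional impact, information impact and recoverability into this lesson's four severity levels, a chain-of-custody entry that refuses unsigned transfers, and an escalation timer that moves the incident one level up a reporting chain each time an acknowledgement deadline passes unanswered. The impact categories are those of NIST SP 800-61 rev2, which this lesson cites; the numeric scoring, its mapping to the severity levels, the SLA durations and the reporting chain are assumptions made for the example.

```python
"""Incident record with NIST-style prioritisation and an escalation timer.

Added example for Steps 2, 4 and 7 above; not code from the handbook.
The impact categories are those of NIST SP 800-61 rev2 (cited on this
page). The scoring, its mapping to this page's four severity levels, the
acknowledgement SLAs and the escalation chain are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(str, Enum):  # the statuses listed in the record template above
    NEW = "new"
    IN_PROGRESS = "in progress"
    FORWARDED = "forwarded for investigation"
    RESOLVED = "resolved"


# NIST SP 800-61 rev2 categories, scored 0..3 here (assumption) so they combine.
FUNCTIONAL = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION = {"none": 0, "privacy breach": 2, "proprietary breach": 2, "integrity loss": 3}
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2, "not recoverable": 3}

SEVERITY_NAMES = {1: "LOW", 2: "MODERATE", 3: "HIGH", 4: "SEVERE"}  # this page's table
# Assumed: how long the current owner has to acknowledge before escalation.
ACK_SLA = {1: timedelta(hours=8), 2: timedelta(hours=2),
           3: timedelta(minutes=30), 4: timedelta(minutes=15)}
# Assumed reporting chain, lowest level first.
ESCALATION_CHAIN = ["on-call handler", "IR team lead", "head of information security", "CIO"]


@dataclass
class Incident:
    incident_id: str
    summary: str
    created_at: datetime
    functional_impact: str
    information_impact: str
    recoverability: str
    status: Status = Status.NEW
    indicators: list[str] = field(default_factory=list)
    actions: list[tuple[datetime, str, str]] = field(default_factory=list)  # when, handler, action
    chain_of_custody: list[dict] = field(default_factory=list)
    acknowledged_at: datetime | None = None


def acknowledge(inc: Incident, handler: str, when: datetime) -> None:
    """First handler action: stops the escalation clock and moves the record out of NEW."""
    inc.acknowledged_at = when
    inc.status = Status.IN_PROGRESS
    inc.actions.append((when, handler, "acknowledged"))


def transfer_evidence(inc: Incident, item: str, giver: str, receiver: str,
                      when: datetime, both_signed: bool) -> None:
    """Chain-of-custody entry; refuses a transfer that lacks both parties' signatures (Step 8)."""
    if not both_signed:
        raise ValueError(f"custody transfer of {item!r} needs both parties' signatures")
    inc.chain_of_custody.append({"item": item, "from": giver, "to": receiver, "at": when})


def severity(inc: Incident) -> int:
    """Combine the three prioritisation factors into severity 1..4 (assumed mapping)."""
    if RECOVERABILITY[inc.recoverability] == 3:
        return 4  # not recoverable: disaster recovery is invoked regardless of impact
    impact = max(FUNCTIONAL[inc.functional_impact], INFORMATION[inc.information_impact])
    if RECOVERABILITY[inc.recoverability] == 2:
        impact += 1  # an extended recovery effort raises the level one step
    return max(1, min(impact, 4))


def escalation_level(inc: Incident, now: datetime) -> int:
    """Escalations owed at `now`: one per acknowledgement SLA missed, capped at the chain top."""
    if inc.acknowledged_at is not None:
        return 0
    missed = (now - inc.created_at) // ACK_SLA[severity(inc)]
    return max(0, min(missed, len(ESCALATION_CHAIN) - 1))


def current_owner(inc: Incident, now: datetime) -> str:
    """Who the unacknowledged incident should be sitting with at `now`."""
    return ESCALATION_CHAIN[escalation_level(inc, now)]


if __name__ == "__main__":
    t0 = datetime(2015, 3, 2, 9, 0, tzinfo=timezone.utc)
    inc = Incident("INC-0001", "Failed logins then success from unknown IP", t0,
                   "low", "privacy breach", "extended",
                   indicators=["203.0.113.45 outside baseline for asmith"])
    print(severity(inc), SEVERITY_NAMES[severity(inc)])
    print(current_owner(inc, t0 + timedelta(minutes=35)))
    acknowledge(inc, "handler-1", t0 + timedelta(minutes=36))
    transfer_evidence(inc, "disk image web01", "handler-1", "forensics", t0 + timedelta(hours=1), True)
    print(inc.status.value, len(inc.chain_of_custody))
```

The sample incident (low functional impact, a privacy breach, extended recovery) scores HIGH, so its owner has 30 minutes to acknowledge; at 35 minutes the timer points at the IR team lead, and an incident left untouched for hours climbs to the top of the chain and stays there, which is the "repeat until handled" behaviour Step 4 asks for. Acknowledging resets the escalation to zero, and the custody helper makes the signature requirement of Step 8 a hard check rather than a note on a form.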

Step 8: Incident investigation

One of the key tasks of an incident response team is to receive information on possible incidents,
investigate them, and take action to ensure that the damage caused by the incidents is minimized.

Following up an incident investigation

In the course of this work, the team must follow the procedures appropriate to the situation:
• receive the initial investigation and data gathering from IT help desk members and escalate to
strategic-level specialists if the situation demands it.
• use the appropriate materials that may be needed during an investigation.
• become acquainted with law enforcement representatives before an incident occurs, to discuss
the conditions under which incidents should be reported to them.
• maintain chain of custody forms that detail every transfer of evidence from person to person
and carry each party's signature.
• be careful to give out only appropriate information: affected parties may request details about
internal investigations that should not be revealed publicly.
• ensure law enforcement is available to investigate incidents wherever necessary.
• record the list of evidence gathered during the incident investigation.
• collect evidence in accordance with procedures that meet all applicable laws and regulations,
developed from previous discussions with legal staff and appropriate law enforcement agencies,
so that any evidence can be admissible in court.

Lessons learnt from security incident

Handling and rectifying security incidents works best in a “learning and improving” model. Therefore,
incident handling teams must evolve to reflect new threats, improved technology and lessons
learned. Each lessons-learned brief must include the following agenda:

 What exactly happened, and at what times?
 How well did staff and management perform in dealing with the incident? Were the documented
procedures followed? Were they adequate?
 What information was needed sooner?
 Were any steps or actions taken that might have inhibited the recovery?
 What would the staff and management do differently the next time a similar incident occurs?
 How could information sharing with other organizations have been improved?
 What corrective actions can prevent similar incidents in the future?
 What precursors or indicators should be watched for in the future to detect similar incidents?
 What additional tools or resources are needed to detect, analyze and mitigate future incidents?

Process change for the future

The changing nature of information technology and changes in personnel require the incident
response team to review all related documentation and procedures for handling incidents at
designated intervals. A study of incident characteristics (data collected from previous incidents) may
indicate systemic security weaknesses and threats as well as changes in incident trends.
Incident data can also be collected to determine if a change to incident response capabilities causes a
corresponding change in the team’s performance (improvements in efficiency, reductions in costs
etc.).

Incident record keeping

Incident record keeping, i.e. collecting data that are actionable rather than data that are simply
available, is useful to the organization in several capacities. It may help in deriving the following
information:

 systemic security weaknesses and threats, as well as changes in incident trends.
 selection and implementation of additional controls.
 a measure of the success of the incident response team.
 expected return on investment from the data.

Step 9: Data collection

Chain of custody

Evidence collected should be accounted for at all times. Whenever evidence is transferred from person
to person, chain of custody forms should detail the transfer and include each party’s signature. A
detailed log should be kept for all evidence, including the following:

 Identifying information (e.g. the location, serial number, model number, hostname, media access
control (MAC) addresses and IP addresses of a computer).
 Name, title, and phone number of each individual who collected or handled the evidence during
the investigation.
 Time and date (including time zone) of each occurrence of evidence handling.
 Locations where the evidence was stored.

Step 10: Forensic analysis

Incident handling requires some team members to be specialized in particular technical areas, such as
network intrusion detection, malware analysis or forensics. Because many incidents cause a dynamic
chain of events, an initial system snapshot may do more good in identifying the problem and its source
than most other actions that can be taken at this stage. Therefore, it is appropriate to obtain
snapshots through full forensic disk images, not file system backups. Disk images should be made to
sanitized write-protectable or write-once media. This process is superior to a file system backup for
investigatory and evidentiary purposes. Imaging is also valuable in that it is much safer to analyse an
image than it is to perform analysis on the original system, because the analysis may inadvertently
alter the original. Useful resources for the forensic aspects of incident analysis include digital forensic
workstations and/ or backup devices to create disk images, preserve log files and save other relevant
incident data.
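The two controls described under Steps 9 and 10 (a verified forensic image and a chain of custody log that records every handler, time and location) can be put together in code. The following is an added example, not code from the handbook or from any forensic product: it images a constructed sample file rather than a real block device so that it runs offline, hashes source and image to prove the copy is faithful, marks the image read-only (standing in for write-once media), and keeps a chain of custody log in which each entry also carries the hash of the previous entry, so that any later edit to a log entry is detectable. The field names, the evidence identifier and the hash-chaining scheme are assumptions chosen for illustration.

```python
"""Forensic image acquisition with hash verification and a tamper-evident
chain-of-custody log.

Added example, not code from the handbook. The "device" is a constructed
sample file, and the log fields and hash-chaining scheme are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images do not load into memory


def sha256_file(path: str) -> str:
    """SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> str:
    """Copy `source` to `image` read-only, hash both and verify they match.

    The source is only ever opened for reading. A hash mismatch raises
    instead of silently returning an unreliable image.
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    img_hash = sha256_file(image)
    if img_hash != src_hash.hexdigest():
        raise RuntimeError("image hash does not match source; acquisition failed")
    os.chmod(image, 0o444)  # read-only, analogous to write-protected media
    return img_hash


class CustodyLog:
    """Append-only chain of custody log; each entry hashes the previous one."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, evidence_id, action, handler, title, phone, location, evidence_hash) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "evidence_id": evidence_id, "action": action,
            "handler": handler, "title": title, "phone": phone,
            "location": location, "evidence_hash": evidence_hash,
            "timestamp": datetime.now(timezone.utc).isoformat(),  # includes time zone
            "prev_hash": prev,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        """Recompute every entry hash and check the chain links; False if any entry was altered."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> CustodyLog:
    """Construct a sample 'device', image it, then log collection and one hand-off."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "sample_device.bin")  # constructed sample, not a real disk
    image = os.path.join(workdir, "EVID-0001.dd")        # placeholder evidence identifier
    with open(source, "wb") as f:
        f.write(b"constructed sample disk contents\n" * 1024)
    img_hash = acquire_image(source, image)
    log = CustodyLog()
    log.record("EVID-0001", "collected", "A. Analyst", "Incident handler",
               "+00-000-0000", "Lab safe 1", img_hash)
    # On hand-off the receiving party re-hashes the image before signing for it.
    log.record("EVID-0001", "transferred", "B. Examiner", "Forensic examiner",
               "+00-000-0001", "Forensic lab", sha256_file(image))
    return log


if __name__ == "__main__":
    custody = demo()
    print(json.dumps(custody.entries, indent=2), "chain valid:", custody.verify())
```

The log deliberately stores the evidence hash in every entry, so a handler who receives the image can compare the hash they compute with the one recorded at collection before signing; the hash chain is a cheap integrity check on the log itself and is not a substitute for the signatures on the paper chain of custody form.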

Step 11: Evidence protection

Importance of keeping evidence relating to information security incidents

Collecting evidence from computing resources presents some challenges. It is generally desirable to
acquire evidence from a system of interest as soon as one suspects that an incident may have
occurred. Users and system administrators should be made aware of the steps that they should take
to preserve evidence. In addition, evidence should be accounted for at all times: whenever evidence is
transferred from person to person, chain of custody forms should detail the transfer and include each
party’s signature, and a registry or log of the location of the stored evidence should be maintained.

Step 12: Notify external agencies

An organization’s incident response team should plan its incident coordination with external parties
before incidents occur, to ensure that all parties know their roles and that effective lines of
communication are established.

An organization’s external parties may include other incident response teams, law enforcement
agencies, Internet service providers, constituents, legal departments, customers and system owners.

Step 13: Eradication

After successful containment and quarantine, the next step is eliminating components of the incident,
such as deleting malware and disabling breached user accounts, as well as identifying and mitigating
all vulnerabilities that were exploited. During the process, it is important to identify all affected
hosts within the organization so that they can be remediated. In some cases, eradication is either not
necessary or is performed during recovery.

Identify data backup holes

Verify data back-up and restore procedures. The incident response team should be aware of the
location of back-up data storage, its maintenance, user access and the security procedures for data
restoration and system recovery. The following are the suggested data back-up resources:

 spare workstations, servers, networking equipment or virtualized equivalents, which may be used
for many purposes, such as restoring back-ups and trying out malware.
 other important materials, including back-up devices, blank media, basic networking equipment
and cables.

Operating system updates and patch management

All hosts should be patched appropriately using standard configurations and configured to follow the
principle of least privilege — granting users only the privileges necessary for performing their
authorized tasks. Hosts should have auditing enabled and should log significant security-related
events, and the security of hosts and their configurations should be continuously monitored. Some
organizations use Security Content Automation Protocol (SCAP)-expressed operating system and
application configuration checklists to assist in securing hosts consistently and effectively.

Infrastructure and security policy improvement

Security cannot be achieved by merely implementing various security systems, tools or products.
However, security failures are less likely when security policy, process, procedure and product(s) are
implemented together. Multiple layers of defence need to be applied to design a fail-safe security
system. The organization should also report all changes and updates made to its IT infrastructure,
network configuration and systems. The organization should also focus on longer-term changes (e.g.
infrastructure changes) and ongoing work to keep the enterprise as secure as possible.

Step 14: Systems recovery

In recovery, administrators restore systems to normal operation, confirm that the systems are
functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents.
Recovery may involve such actions as restoring systems from clean back-ups, rebuilding systems from
scratch, replacing compromised files with clean versions, installing patches, changing passwords and
tightening network perimeter security (e.g. firewall rulesets, boundary router access control lists etc.).
Higher levels of system logging or network monitoring are often part of the recovery process, because
once a resource is successfully attacked, it is often attacked again, or other resources within the
organization are attacked in a similar manner.

Step 15: Incident documentation


A logbook is an effective and simple medium for recording all facts regarding incidents. Documenting
system events, conversations and observed changes in files can lead to more efficient, more
systematic and less error-prone handling of the problem. Every step taken from the time the incident
was detected to its final resolution should be documented and time-stamped. Every document
regarding the incident should be dated and signed by the incident handler, as such information can
also be used as evidence in a court of law if legal prosecution is pursued.

Importance of keeping records and evidence relating to information security incidents

The incident response team should maintain records about the status of incidents along with other
pertinent information. Using an application or a database, such as an issue tracking system, helps
ensure that incidents are handled and resolved in a timely manner.

Audio and video documentation strategies

Evidence-gathering accessories such as hard-bound notebooks, digital cameras, audio recorders and
chain of custody forms are commonly used to record incident details. Laptops, audio recorders and
digital cameras can also be used to document system events, conversations and observed changes in
files, which leads to more efficient, more systematic and less error-prone handling of the problem.

Update the status of information security incidents

The incident handling team may need to provide status updates to certain parties, or in some cases to
the entire organization. The team should plan and prepare several communication methods, including
out-of-band methods (in person or on paper), and select the methods that are appropriate for a
particular incident.

Possible communication methods include:

 Email
 Website (internal, external or portal)
 Telephone calls
 In person (daily briefings)
 Voice mailbox greeting (set up a separate voice mailbox for incident updates, or use the help desk’s
voice mail greeting, and update the greeting message to reflect the current incident status)
 Paper (post notices on bulletin boards and doors, hand out notices at all entrance points etc.)

Incident status template

An incident status report should state the current status of the incident so that communications with
the media are consistent and up to date. The template may include the following details:
 Current status of the incident (new, in progress, forwarded for investigation, resolved etc.)
 Summary of the incident
 Indicators related to the incident
 Other incidents related to this incident
 Actions taken by all incident handlers on this incident
 Chain of custody, if applicable
 Impact assessments related to the incident
 Contact information for other involved parties (e.g. system owners, system administrators)
 List of evidence gathered during the incident investigation
 Comments from incident handlers
 Next steps to be taken (e.g. rebuild the host, upgrade an application)

Preparing reports on information security incidents

Another important post-incident activity is creating a follow-up report for each incident, which can be
quite valuable for future use. The report provides a reference that can be used to assist in handling
similar incidents.

Incident report templates

The incident report template should include a formal chronology of events with time-stamped
information, such as log data from systems (important for legal reasons), and a monetary estimate of
the amount of damage the incident caused. This estimate may become the basis for subsequent
prosecution activity by law enforcement entities. Follow-up reports should be kept for a period of time
as specified in record retention policies.

Additionally, the following information may also be a part of the report:

 Number of incidents handled
 Time per incident
 Objective assessment of each incident
 Subjective assessment of each incident

Organizations should specify which incidents must be reported, when they must be reported and to
whom. The parties most commonly notified are the CIO, head of information security, local
information security officer, other incident response teams within the organization and system
owners.

Submitting information security reports

Security follow-up reports are usually kept for a period of time as specified in record retention policies.
Most organizations have data retention policies that state how long certain types of data may be kept.
For example, an organization may state that email messages should be retained for only 180 days. If
a disk image contains thousands of emails, the organization may not want the image to be kept for
more than 180 days unless it is absolutely necessary.

Step 16: Incident damage and cost assessment


After the incident is adequately handled, the organization issues a report that details the cause and
cost of the incident and the steps the organization should take to prevent future incidents.

The incident data, particularly the total hours of involvement and the cost, may be used to justify
additional funding of the incident response team. Cost of storing evidence and the cost of retaining
functional computers that can use the stored hardware and media can be substantial.

Cost is a major factor, especially if employees are required to be onsite 24/7. Organizations may fail
to include incident response-specific costs in budgets, such as sufficient funding for training and
maintaining skills.

Step 17: Review and update the response policies

The organization must review and update response policies and related activities, gather information
from the handlers, provide incident updates to other groups, and ensure that the team’s needs are
met. The gamut of the work may also include periodically reviewing and updating threat information
through briefings, web postings and mailing lists published by authorized agencies or public bodies.

Step 18: Training and awareness


Organizations must create, provision, and operate a formal incident response capability.

Security awareness and training checklist

Establishing an incident response training and awareness programme should include the following
actions:
 creating an incident response training and awareness policy and plan.
 developing procedures for performing incident handling and reporting.
 setting guidelines for communicating with outside parties regarding incidents.
 training IT staff on complying with the organization’s security standards and making users aware
of policies and procedures regarding appropriate use of networks, systems and applications.
 training users of SOPs (delineations of the specific technical processes, techniques, checklists
and forms).
 staffing and training the incident response team.
 providing a solid training program for new employees.
 training to maintain networks, systems and applications in accordance with the organization’s
security standards.
 creating awareness of policies and procedures regarding appropriate use of networks, systems,
and applications.

Incident response knowledge base

A knowledge base consolidates the incident data collected into a common incident database.
Organizations can create their own knowledge base or refer to those established by several groups
and organizations. Although it is possible to build a knowledge base with a complex structure, a simple
approach can be effective. Text documents, spreadsheets and relatively simple databases provide
effective, flexible and searchable mechanisms for sharing data among team members. The knowledge
base should also contain a variety of information, including explanations of the significance and
validity of precursors and indicators, such as IDPS alerts, operating system log entries and application
error codes.

Accessing and updating knowledge base

Incident handlers need to access knowledge base information quickly during incident analysis; a
centralized knowledge base provides a consistent and maintainable source of information. The
knowledge base should include general information such as data on precursors and indicators of
previous incidents.
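A "relatively simple database" of the kind the two paragraphs above describe can be built with SQLite in a few dozen lines. The following added example is not code from the handbook: it stores precursors and indicators together with their significance, their validity (how often they turn out to be false positives) and the previous incidents in which they were seen, then looks up sample log lines against the stored patterns the way a handler would during analysis. The schema, the indicator entries, the incident identifiers and the log lines are all constructed for illustration.

```python
"""Minimal incident response knowledge base backed by SQLite.

Added example, not code from the handbook. Schema, sample indicator
entries and sample log lines are constructed for illustration.
"""
import re
import sqlite3

SCHEMA = """
CREATE TABLE indicators (
    id INTEGER PRIMARY KEY,
    source TEXT NOT NULL,       -- e.g. 'ids', 'os_log', 'app_error'
    pattern TEXT NOT NULL,      -- regular expression matched against a log line
    significance TEXT NOT NULL, -- what the indicator usually means
    validity TEXT NOT NULL,     -- how reliable it is / false-positive notes
    seen_in TEXT                -- comma-separated ids of previous incidents
);
"""

# Constructed sample entries; in practice these come from past incidents.
SAMPLE_ENTRIES = [
    ("os_log", r"Audit log cleared",
     "Log clearing often precedes or follows intrusion activity",
     "rarely benign outside planned maintenance", "INC-0001"),
    ("ids", r"ET MALWARE .* CnC Beacon",
     "IDS signature for known command-and-control traffic",
     "moderate false-positive rate; confirm with proxy logs", "INC-0001,INC-0002"),
    ("app_error", r"ORA-00942",
     "Application querying a non-existent table; reconnaissance or a deployment bug",
     "usually a bug; escalate if repeated from one client", None),
]

INSERT = ("INSERT INTO indicators (source, pattern, significance, validity, seen_in) "
          "VALUES (?, ?, ?, ?, ?)")


def open_kb(path: str = ":memory:") -> sqlite3.Connection:
    """Create the knowledge base and load the constructed sample entries."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.executemany(INSERT, SAMPLE_ENTRIES)
    conn.commit()
    return conn


def add_indicator(conn, source, pattern, significance, validity, seen_in=None) -> int:
    re.compile(pattern)  # reject an invalid regular expression before storing it
    cur = conn.execute(INSERT, (source, pattern, significance, validity, seen_in))
    conn.commit()
    return cur.lastrowid


def record_sighting(conn, indicator_id: int, incident_id: str) -> None:
    """Append an incident id to seen_in so the KB keeps the indicator's history."""
    row = conn.execute("SELECT seen_in FROM indicators WHERE id = ?", (indicator_id,)).fetchone()
    if row is None:
        raise KeyError(indicator_id)
    seen = set(filter(None, (row[0] or "").split(",")))
    seen.add(incident_id)
    conn.execute("UPDATE indicators SET seen_in = ? WHERE id = ?",
                 (",".join(sorted(seen)), indicator_id))
    conn.commit()


def lookup(conn, log_line: str) -> list:
    """Return every KB entry whose pattern matches the line, with its notes."""
    hits = []
    for row in conn.execute("SELECT id, source, pattern, significance, validity, seen_in "
                            "FROM indicators"):
        if re.search(row[2], log_line):
            hits.append({"id": row[0], "source": row[1], "significance": row[3],
                         "validity": row[4], "seen_in": row[5]})
    return hits


# Constructed sample log lines (203.0.113.0/24 is a documentation address range).
SAMPLE_LOG = [
    "2015-03-02T10:14:07Z host7 Security: Audit log cleared by user admin",
    "2015-03-02T10:15:31Z ids1 ET MALWARE Win32/Generic CnC Beacon 10.0.0.5 -> 203.0.113.9",
    "2015-03-02T10:16:02Z app3 INFO request served in 12ms",
]


def analyse(conn, lines) -> dict:
    """Map each line that matches at least one indicator to its KB entries."""
    results = {}
    for line in lines:
        hits = lookup(conn, line)
        if hits:
            results[line] = hits
    return results


if __name__ == "__main__":
    kb = open_kb()
    for line, hits in analyse(kb, SAMPLE_LOG).items():
        print(line)
        for h in hits:
            print(f"  [{h['source']}] {h['significance']} (validity: {h['validity']}; seen in: {h['seen_in']})")
```

Storing the validity note next to the indicator is what makes the lookup useful at 3 a.m.: the handler sees not only that a line matched a known precursor but how often that precursor has been a false alarm before, and which earlier incident reports to pull up.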

Importance of tracking progress

Several groups collect and consolidate incident data from various organizations into incident
databases. This information sharing may take place in many forms, such as trackers and real-time
blacklists. The organization can also check its own knowledge base or issue tracking system for related
activity.

Corrective and preventative actions for information security incidents

In the absence of security controls, higher volumes of incidents may occur, overwhelming the incident
response team. An incident response team may be able to identify problems that the organization is
otherwise not aware of. The team can play a key role in risk assessment and training by identifying
gaps.

The following list provides a brief overview of some of the main recommended practices for securing
networks, systems and applications:
 Periodic risk assessments of systems and applications to determine the risks posed by
combinations of threats and vulnerabilities.
 Hosts hardened appropriately using standard configurations and kept properly patched; hosts
should be configured to follow the principle of least privilege — granting users only the privileges
necessary for performing their authorized tasks.
 The network perimeter should be configured to deny all activity that is not expressly permitted.
 Software to detect and stop malware should be deployed throughout the organization.
 Users should be made aware of policies and procedures regarding appropriate use of networks,
systems and applications.

Summary
 The Incident Handling Process includes the following steps:
o Identification
o Incident recording
o Initial response
o Communicating the incident
o Containment
o Formulating an incident response strategy
o Incident classification
o Incident investigation
o Data collection
o Forensic analysis
o Evidence protection
o Notify external agencies
o Eradication
o System recovery
o Incident documentation
o Incident damage and cost analysis
o Review and update the response policies
o Training awareness
 Evidence collected should be accounted for at all times. Whenever evidence is transferred
from person to person, chain of custody forms should detail the transfer and include each
party’s signature. A detailed log should be kept for all evidence, including the following:
o Identifying information (e.g. the location, serial number, model number, hostname,
media access control (MAC) addresses and IP addresses of a computer).
o Name, title, and phone number of each individual who collected or handled the
evidence during the investigation.
o Time and date (including time zone) of each occurrence of evidence handling.
o Locations where the evidence was stored.
 Incident record keeping, i.e. collecting data that are actionable rather than data that are simply
available, is useful to the organization in several capacities. It may help in deriving the
following information:
o Systemic security weaknesses and threats as well as changes in incident trends
o Selection and implementation of additional controls
o Measure the success of the incident response team
o Expected return on investment from the data
 An incident may be broadly classified based on common attack vectors, such as external/
removable media; attrition; web; email; improper usage; loss or theft of equipment;
miscellaneous.
 Handling and rectifying security incident work best in a “learning and improving” model.
Therefore, incident handling teams must evolve to reflect on new threats, improved
technology and lessons learnt.

Practical activities:

Activity 1:

Go through the internet to collect ideas and templates on incident report forms and
formats. Meet with industry experts/ personnel, if possible to understand the usage and
applicability of these.

Activity 2:

Work in groups to prepare an incident report using templates available for preparing a
report for your training institute. Highlight the sources of information for various parts
of the report.

Check your understanding:


Q. Arrange the 18 stages of incident response in the correct order by putting the correct sequence
number against each.

For example: Identification 1


o Identification
o Containment
o Incident investigation
o Communicating the incident
o Data collection
o Formulating an incident response strategy
o Notify external agencies
o Initial response
o Eradication
o Forensic analysis
o Incident classification
o System recovery
o Incident recording
o Evidence protection
o Incident documentation
o Incident damage and cost analysis
o Review and update the response policies
o Training awareness

Q. Evidence collected should be accounted for at all times. Whenever evidence is transferred from
person to person, the concept is captured in which form?

________________________________________

Q. Actions such as restoring systems from clean backups, rebuilding systems from scratch, replacing
compromised files with clean versions, installing patches, changing passwords and tightening network
perimeter security (e.g. firewall rulesets, boundary router access control lists) are known as:

__________________________________________

Q. Fill in the blanks with the appropriate term.

a) All hosts, patched appropriately using standard configurations, should be configured to follow
the principle of _________________, granting users only the privileges necessary for performing
their authorized tasks.
b) ______________________ is important before an incident overwhelms resources or
increases damage.
c) A/ An ______________________ may not always translate into a security incident given the
possibility of technical faults due to human error in cases such as server crash or modification
of critical files.

Q. What is the full form of SCAP?

__________________________________________________________________________________

UNIT IV
Handling Malicious Code Incidents

This unit covers:

 Lesson Plan
5.1. Incident handling preparation
5.2. Incident prevention
5.3. Detection of Malicious Code
5.4. Containment strategy
5.5. Evidence gathering and handling
5.6. Eradication and Recovery

Lesson Plan

Outcomes (to be competent, you must be able to):
 PC5. liaise with stakeholders to gather, validate and provide information related to information
security incidents, where required.
 PC9. update the status of information security incidents following investigation/ action using
standard templates and tools.
Performance Ensuring Measures:
 1. Creation of templates based on the learnings.
 2. Peer review with faculty with appropriate feedback.
Work Environment/ Lab Requirement:
 PCs/ tablets/ laptops
 Availability of labs (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Projection facilities

Outcomes (you need to know and understand):
 KA7. the importance of tracking progress and corrective and preventative actions for information
security incidents.
 KA10. different types of information security incidents and how to deal with the same.
Performance Ensuring Measures:
 KA7. Peer review with faculty with appropriate feedback.
 KA10. Team work (IM and chat applications) and group activities (online forums) including working
on templates.
Work Environment/ Lab Requirement:
 PCs/ tablets/ laptops
 Availability of labs (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Access to all security sites like ISO, PCI DSS, Centre for Internet Security etc.
 Security Templates from ITIL & ISO

Lesson
Malicious code refers to a program that is covertly inserted into another program with the
intent to destroy data, run destructive or intrusive programs or otherwise compromise the
security or integrity of the victim’s data.

Generally, malicious code is designed to perform these nefarious functions without the system’s user
knowing. Malicious code attacks can be divided into five categories: viruses, Trojan horses, worms,
mobile code and blended.

4.1 Incident Handling Preparation

Preparation is the first step in handling an incident. It involves not only establishing an incident
response capability so that the organization is ready to respond to incidents, but also preventing
incidents by ensuring that systems, networks and applications are sufficiently secure.

Incident handling procedures include the following requirements:


 Contact information for team members and others within and outside the organization (primary
and back-up contacts) such as law enforcement and other incident response teams etc.
 On-call information for other teams within the organization including escalation information.
 Incident reporting mechanisms, such as phone numbers; email addresses; online forms; and
secure instant messaging systems that users can use to report suspected incidents.
 Issue tracking system for tracking incident information, status etc.
 Encryption software to be used for communication among team members, within the
organization and with external parties (for federal agencies, the software must use a FIPS-validated
encryption algorithm).
 Digital forensic workstations and/ or backup devices to create disk images, preserve log files,
and save other relevant incident data.
 Laptops for activities such as analyzing data, sniffing packets and writing reports.
 Portable printer to print copies of log files and other evidence from non-networked systems.
 Packet sniffers and protocol analyzers to capture and analyze network traffic.
 Port lists, including commonly used ports and Trojan horse ports.
 Documentation for OSs, applications, protocols, and intrusion detection and antivirus products.
 Network diagrams and lists of critical assets, such as database servers.
 Current baselines of expected network, system and application activity.
 Cryptographic hashes of critical files to speed incident analysis, verification and eradication.
 Access to images of clean OS and application installations for restoration and recovery
purposes.

For malicious code incidents, the following preparation steps can be taken:

STEP 1. Make users aware of malicious code issues – this information should include a basic review
of the methods that malicious code uses to propagate and the symptoms of infections. Holding
regular user education sessions helps to ensure that users are aware of the risks that malicious
code poses.
STEP 2. Read antivirus vendor bulletins – sign up for mailing lists from antivirus vendors that provide
timely information on new malicious code threats.
STEP 3. Deploy host-based intrusion detection systems to critical hosts – host-based IDS software can
detect signs of malicious code incidents such as configuration changes and system executable
modifications. File integrity checkers are useful in identifying the affected components of a
system.
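The file integrity checks in STEP 3 and the "cryptographic hashes of critical files" listed earlier come down to one mechanism: hash a known-good state, keep the hashes somewhere the intruder cannot reach, and diff against them later. The Python script below is an added example (it is not part of this handbook and not the code of any particular product); the directory tree, file names and contents it creates are constructed for the demonstration.

```python
"""File-integrity baseline checker.

Added example (not from the handbook): computes SHA-256 hashes of every file
under a directory, stores them as a baseline, and later reports files that
were added, removed or modified. This is the core of the file integrity
checkers and "hashes of critical files" the text recommends. The directory
tree in demo() is constructed for the example.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hex SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Build a baseline for a constructed tree, tamper with it, and diff."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "sshd"), "wb") as fh:
        fh.write(b"original binary")
    with open(os.path.join(root, "passwd"), "wb") as fh:
        fh.write(b"root:x:0:0")
    # Keep the baseline off the monitored tree (in practice: read-only media
    # or a separate host) so an intruder with root cannot rewrite it.
    baseline_path = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(build_baseline(root), baseline_path)

    # Simulated compromise: binary replaced, file deleted, new file dropped.
    with open(os.path.join(root, "bin", "sshd"), "wb") as fh:
        fh.write(b"trojaned binary")
    os.remove(os.path.join(root, "passwd"))
    with open(os.path.join(root, "bin", "backdoor"), "wb") as fh:
        fh.write(b"dropped by attacker")

    return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as good as the state it was taken from: take it immediately after a clean build, and store it off the monitored host, because an intruder with root-level access can rewrite any baseline kept locally. Timestamps and file sizes are not a substitute for hashes, since both are trivially forged.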

Some organizations configure their network perimeters to block connections to specific common
Trojan horse ports, with the goal of preventing Trojan horse client and server component
communications. However, this approach is generally ineffective. Known Trojan horses use hundreds
of different port numbers, and many Trojan horses can be configured to use any port number. Also,
some Trojan horses use the same port numbers that legitimate services use so their communication
cannot be blocked by port number. Some organizations also implement port blocking incorrectly so
legitimate connections are sometimes blocked. Implementing filtering rules for each Trojan horse port
will also increase the demands placed on the filtering device. Generally, a Trojan horse port should be
blocked only if the organization has a serious Trojan horse infestation.

Figure: Incident Captured in system32 files


4.2 Incident Prevention


Incident prevention aims to reduce the number of incidents and to limit the negative business
impact (e.g. more extensive damage, longer periods of service and data unavailability) of those
that do occur. Although incident response teams are generally not responsible for securing resources,
they can be advocates of sound security practices. Because the team sees problems that the
organization is otherwise not aware of, it can play a key role in risk assessment and training by
identifying gaps.

Some of the recommended practices for securing networks, systems and applications include:
 periodic risk assessments of systems and applications.

 hardening of hosts appropriately using standard configurations.

 securing the network perimeter, including all connection points such as virtual private
networks (VPNs) and dedicated connections to other organizations.

 deploying malware protection at the host level (server and workstation operating systems), the
application server level (email server, web proxies etc.) and the application client level (email
clients, instant messaging clients etc.)

 applying the learning from previous incidents, and sharing with users so they can see how their
actions could affect the organization.

For preventing malicious code incidents, the following steps can be taken:

STEP 1. Use antivirus software: antivirus software is a necessity to combat the threat of malicious
code and limit damage. The software should be running on all hosts throughout the
organization, and all copies should be kept current with the latest virus signatures so that the
newest threats can be thwarted. Antivirus software should also be used for applications used
to transfer malicious code, such as e-mail, file transfer and instant messaging software. The
software should be configured to perform periodic scans of the system as well as real-time
scans of each file as it is downloaded, opened or executed. The antivirus software should also
be configured to disinfect and quarantine infected files. Some antivirus products not only look
for viruses, worms and Trojan horses, but they also examine HTML, ActiveX, JavaScript and
other types of mobile code for malicious content.
STEP 2. Block suspicious files: configure email servers and clients to block attachments with file
extensions that are associated with malicious code (e.g. .pif, .vbs) and suspicious file extension
combinations (e.g. .txt.vbs, .htm.exe).
STEP 3. Limit the use of nonessential programs with file transfer capabilities: examples include peer-
to-peer file and music sharing programs, instant messaging software and IRC clients and
servers. These programs are frequently used to spread malicious code among users.
STEP 4. Educate users on the safe handling of email attachments: antivirus software should be
configured to scan each attachment before opening it. Users should not open suspicious
attachments or attachments from unknown sources. Users should also not assume that if the
sender is known, the attachment is not infected. Senders may not know that their systems are
infected with malicious code that can extract email addresses from files and send copies of the
malicious code to those addresses. This activity creates the impression that the emails are
coming from a trusted person even though the person is not aware that they have been sent.
Users can also be educated on file types that they should never open (e.g. .bat, .com, .exe, .pif,
.vbs). Although user awareness of good practices should lessen the number and severity of
malicious code incidents, organizations should assume that users will make mistakes and infect
systems.
STEP 5. Eliminate open Windows shares: many worms spread through unsecured shares on hosts
running Windows. If one host in the organization is infected with a worm, it could rapidly
spread to hundreds or thousands of other hosts within the organization through their
unsecured shares. Organizations should routinely check all hosts for open shares and direct
the system owners to secure the shares properly. Also, the network perimeter should be
configured to prevent traffic that uses the NetBIOS ports (and SMB over TCP port 445) from
entering or leaving the organization's networks. This should not only prevent external hosts
from directly infecting internal hosts through open shares but should also prevent internal
worm infections from spreading to other organizations through open shares.
STEP 6. Use web browser security to limit mobile code: all web browsers should have their security
settings configured so as to prevent unsigned ActiveX and other mobile code vehicles from
unknowingly being downloaded to and executed on local systems. Organizations should
consider establishing an internet security policy that specifies which types of mobile code may
be used from various sources (e.g. internal servers, external servers).
STEP 7. Configure email clients to act more securely: email clients throughout the organization should
be configured to avoid actions that may inadvertently permit infections to occur. For example,
email clients should not automatically execute attachments.
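STEP 2 and STEP 4 both rely on recognising attachment names that should never reach a user. The Python filter below is an added example, not code from this handbook or from any mail product; the extension lists are assumptions to be adjusted to the organization's policy. It also handles two disguises the text does not spell out: whitespace padding in front of the real extension, and the Unicode right-to-left override character, which makes a name such as report<U+202E>fdp.exe display as reportexe.pdf.

```python
"""Attachment screening by file extension.

Added example (not from the handbook or any mail product): classifies an
attachment name as 'block', 'scan' or 'allow' using a deny-list of
extensions associated with malicious code and detection of suspicious
double extensions such as .txt.vbs or .htm.exe. The extension sets are
assumptions to be adjusted to the organization's policy.
"""
import re

# Extensions that Windows or a browser will execute or script (assumed list).
BLOCKED_EXTENSIONS = {
    "bat", "cmd", "com", "exe", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "ps1", "lnk",
}
# Harmless-looking extensions that attackers put in front of a blocked one.
DECOY_EXTENSIONS = {"txt", "htm", "html", "doc", "docx", "pdf",
                    "jpg", "jpeg", "png", "xls", "xlsx"}
# Containers the gateway must open and screen member by member (assumed list).
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "gz", "iso", "cab"}
RTL_OVERRIDE = "\u202e"   # reverses the display order of the rest of the name


def extensions_of(filename):
    """All dot-separated suffixes, lower-cased, left to right.

    Internal whitespace is removed so 'invoice.pdf        .exe' is seen as
    ['pdf', 'exe'] rather than ending in a harmless-looking blank run.
    """
    name = re.sub(r"\s+", "", filename.lower())
    parts = name.split(".")
    return parts[1:] if len(parts) > 1 else []


def screen_attachment(filename):
    """Return (verdict, reason) for one attachment name."""
    if RTL_OVERRIDE in filename:
        return "block", "right-to-left override character in filename"
    exts = extensions_of(filename)
    if not exts:
        return "allow", "no extension"
    last = exts[-1]
    if last in BLOCKED_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            return "block", "suspicious double extension .%s.%s" % (exts[-2], last)
        return "block", "blocked extension .%s" % last
    if last in ARCHIVE_EXTENSIONS:
        return "scan", "archive .%s must be expanded and its members screened" % last
    return "allow", "extension .%s not on the deny list" % last


def screen_batch(filenames):
    """Map each name to its verdict; handy for a whole message's attachments."""
    return {name: screen_attachment(name)[0] for name in filenames}


if __name__ == "__main__":
    for name in ["holiday.jpg.exe", "setup.EXE", "quarterly.pdf", "tools.zip",
                 "invoice.pdf        .exe", "README", "report\u202efdp.exe"]:
        print("%-28r %s (%s)" % (name, *screen_attachment(name)))
```

Extension screening is cheap but is bypassed by placing the payload inside an archive or by an attachment whose extension does not match its content, so mail gateways pair it with content-type inspection and antivirus scanning; the 'scan' verdict above is where that hand-off happens.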


4.3 Detection of Malicious Code


Detection of malicious code builds on the preparation done to handle incidents that use common
attack vectors. Key aspects of detecting malicious code are:

 screening attack vectors such as removable media and other peripheral devices.

 keeping a tab on network flow information from routers and other networking devices, which
can be used to find anomalous network activity caused by malware, data exfiltration and other
malicious acts.
 monitoring alerts sent by IDPS products, most of which use attack signatures to identify
malicious activity. The signatures must be kept up to date so that the newest attacks can be
detected.
 observing antivirus software alerts; antivirus software detects various forms of malware,
generates alerts and prevents the malware from infecting hosts.
 maintaining and using a knowledge base that explains the significance and validity of
precursors and indicators, such as IDPS alerts, operating system log entries and application
error codes.
 following appropriate containment procedures, which may require disconnecting the host from
the network before the malicious code can cause further damage.

Because malicious code incidents can take many forms, they may be detected via a number of
precursors and indications. Some precursors and possible responses are listed below:

Precursor: An alert warns of new malicious code that targets software that the organization uses.

Response: Research the new virus to determine whether it is real or a hoax. This can be done
through antivirus vendor websites and virus hoax sites. If the malicious code is confirmed as
authentic, ensure that antivirus software is updated with virus signatures for the new malicious
code. If a virus signature is not yet available, and the threat is serious and imminent, the activity
might be blocked through other means, such as configuring email servers or clients to block
emails matching characteristics of the new malicious code. The team might also want to notify
antivirus vendors of the new virus.

Precursor: Antivirus software detects and successfully disinfects or quarantines a newly received
infected file.

Response: Determine how the malicious code entered the system and what vulnerability or
weakness it was attempting to exploit. If the malicious code might pose a significant risk to other
users and hosts, mitigate the weaknesses that the malicious code used to reach the system and
would have used to infect the target host.


Similarly, certain indications show that a malicious action is under way. For example:

Malicious action: a virus that spreads through email infects a host.


Indicators:
 Antivirus software alerts of infected files
 Sudden increase in the number of emails being sent and received
 Changes to templates for word processing documents, spreadsheets etc.
 Deleted, corrupted or inaccessible files
 Unusual items on the screen such as odd messages and graphics
 Programs start slowly, run slowly or do not run at all
 System instability and crashes

Malicious action: a worm that spreads through a vulnerable service infects a host.
Indicators:
 Antivirus software alerts of infected files
 Port scans and failed connection attempts targeted at the vulnerable service (e.g. open
Windows shares, HTTP)
 Increased network usage
 Programs start slowly, run slowly or do not run at all
 System instability and crashes

Malicious action: malicious mobile code on a Web site is used to infect a host with a virus, worm or
Trojan horse.
Indicators:
 Indications listed above for the pertinent type of malicious code
 Unexpected dialog boxes, requesting permission to do something
 Unusual graphics such as overlapping or overlaid message boxes

Malicious action: a Trojan horse is installed and running on a host.


Indicators:
 Antivirus software alerts of Trojan horse versions of files
 Network intrusion detection alerts of Trojan horse client-server communication
 Firewall and router log entries for Trojan horse client-server communication
 Network connections between the host and unknown remote systems
 Unusual and unexpected ports open
 Unknown processes running
 High amounts of network traffic generated by the host, particularly if directed at external
host(s)
 Programs start slowly, run slowly or do not run at all
 System instability and crashes
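Several of the indicators above are visible in perimeter and flow logs: failed connection attempts against one vulnerable service across many hosts (a worm scanning), and repeated connections from a host to an unknown external system on an unusual port (Trojan horse client-server traffic). The Python script below is an added example, not from this handbook or from any IDPS product; its log format, thresholds, internal address ranges and permitted outbound ports are assumptions, and the sample records are constructed.

```python
"""Indicator detection over connection logs.

Added example (not from the handbook): runs two of the indicators listed
above over firewall-style connection records:
  * worm scanning - one source whose failed connection attempts hit the
    same service port on many different hosts;
  * Trojan horse beaconing - an internal host repeatedly connecting to one
    external address on a port outside the permitted outbound set.
The log format, thresholds, internal ranges and permitted ports are
assumptions for the example, and SAMPLE_LOG is constructed.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"action=(?P<action>allow|deny) bytes=(?P<bytes>\d+)$"
)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed address plan
PERMITTED_OUTBOUND = {53, 80, 443}                     # assumed egress policy

SAMPLE_LOG = [
    # 10.0.0.7 probes port 445 on six neighbours and is denied each time.
    "2015-06-01T10:00:01 src=10.0.0.7 dst=10.0.0.10 dport=445 action=deny bytes=0",
    "2015-06-01T10:00:01 src=10.0.0.7 dst=10.0.0.11 dport=445 action=deny bytes=0",
    "2015-06-01T10:00:02 src=10.0.0.7 dst=10.0.0.12 dport=445 action=deny bytes=0",
    "2015-06-01T10:00:02 src=10.0.0.7 dst=10.0.0.13 dport=445 action=deny bytes=0",
    "2015-06-01T10:00:03 src=10.0.0.7 dst=10.0.0.14 dport=445 action=deny bytes=0",
    "2015-06-01T10:00:03 src=10.0.0.7 dst=10.0.0.15 dport=445 action=deny bytes=0",
    # 10.0.0.23 beacons to one external host on 8443 roughly once a minute.
    "2015-06-01T10:01:00 src=10.0.0.23 dst=203.0.113.9 dport=8443 action=allow bytes=1200",
    "2015-06-01T10:02:00 src=10.0.0.23 dst=203.0.113.9 dport=8443 action=allow bytes=1200",
    "2015-06-01T10:03:00 src=10.0.0.23 dst=203.0.113.9 dport=8443 action=allow bytes=1200",
    "2015-06-01T10:04:00 src=10.0.0.23 dst=203.0.113.9 dport=8443 action=allow bytes=1200",
    # Ordinary HTTPS browsing and one stray failure: neither should alert.
    "2015-06-01T10:01:30 src=10.0.0.23 dst=198.51.100.40 dport=443 action=allow bytes=5400",
    "2015-06-01T10:02:10 src=10.0.0.9 dst=10.0.0.20 dport=445 action=deny bytes=0",
    "malformed line that the parser must skip",
]


def parse(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_scanning(records, min_targets=5):
    """(src, port, target_count) for sources denied on one port at >= min_targets hosts."""
    targets = defaultdict(set)
    for r in records:
        if r["action"] == "deny":
            targets[(r["src"], r["dport"])].add(r["dst"])
    return sorted((src, port, len(d)) for (src, port), d in targets.items()
                  if len(d) >= min_targets)


def detect_beaconing(records, min_connections=3):
    """(src, dst, port, connections, bytes) for internal hosts repeatedly reaching
    one external host on a port outside PERMITTED_OUTBOUND."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        if r["action"] != "allow" or r["dport"] in PERMITTED_OUTBOUND:
            continue
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            entry = counts[(r["src"], r["dst"], r["dport"])]
            entry[0] += 1
            entry[1] += r["bytes"]
    return sorted((src, dst, port, n, total) for (src, dst, port), (n, total)
                  in counts.items() if n >= min_connections)


def demo():
    records = parse(SAMPLE_LOG)
    return {"scanning": detect_scanning(records), "beaconing": detect_beaconing(records)}


if __name__ == "__main__":
    for kind, hits in demo().items():
        for hit in hits:
            print(kind, hit)
```

Thresholds should be set from the organization's own baselines of normal activity (a vulnerability scanner or help-desk tool will legitimately touch many hosts, for instance), and the detections should be run over a sliding time window rather than a whole file so that the per-minute regularity of beaconing stands out.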


4.4 Containment Strategy


Containment strategies vary based on the type of incident. For example, the strategy for containing
an email-borne malware infection is quite different from that of a network-based DDoS attack.
Organizations should create separate containment strategies for each major incident type, with
criteria documented clearly to facilitate decision making.

Criteria for determining the appropriate strategy include:

 Potential damage to and theft of resources


 Need for evidence preservation
 Service availability (e.g. network connectivity or services provided to external parties)
 Time and resources needed to implement the strategy
 Effectiveness of the strategy (e.g. partial containment or full containment)
 Duration of the solution (e.g. emergency workaround to be removed in four hours, temporary
workaround to be removed in two weeks or permanent solution)

Containment strategy for malicious code incidents may include:

Identifying and isolating other infected hosts: antivirus alert messages are a good source of
information, but not every infection will be detected by antivirus software.

Incident handlers may need to search for indications of infection through other means such as:
 performing port scans to detect hosts listening on a known Trojan horse or backdoor port.

 using antivirus scanning and clean-up tools released to combat a specific instance of malicious
code.

 reviewing logs from email servers, firewalls and other systems that the malicious code may have
passed through as well as individual host logs.

 configuring network and host intrusion detection software to identify activity associated with
infections.

 auditing the processes running on systems to confirm that they are all legitimate.
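The first of these activities, scanning for hosts listening on a known Trojan horse or backdoor port, is a TCP connect scan compared against each host's expected services. The Python script below is an added example, not from this handbook or from any scanner; the host list, ports and expected-service baseline are assumptions, and the demo starts its own listener on 127.0.0.1 to stand in for a backdoor so the sweep has something to find.

```python
"""Sweep hosts for unexpected listening ports.

Added example (not from the handbook): a TCP connect sweep of a set of hosts
against a list of ports, reporting any host that answers on a port absent
from its expected-service baseline. The suspect ports below are only
illustrative; as the text notes, Trojan horses use hundreds of ports and can
be reconfigured, so the list should come from analysis of the specific
malware being contained. demo() starts a listener on 127.0.0.1 to stand in
for a backdoor.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def is_open(host, port, timeout=0.5):
    """True if a TCP connection to host:port completes (connect scan)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(hosts, ports, expected=None, workers=32):
    """Scan every host/port pair; return {host: sorted open ports not in baseline}.

    expected maps host -> set of ports that are known, legitimate services;
    anything else found open is reported for investigation.
    """
    expected = expected or {}
    pairs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda hp: (hp, is_open(*hp)), pairs))
    findings = {}
    for (host, port), open_ in results:
        if open_ and port not in expected.get(host, set()):
            findings.setdefault(host, []).append(port)
    return {h: sorted(p) for h, p in findings.items()}


def _start_listener(host="127.0.0.1"):
    """Open a throwaway listening socket on an ephemeral port; return (socket, port)."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    srv, port = _start_listener()
    try:
        # 31337 and 12345 are the historical Back Orifice / NetBus defaults;
        # they are included only so the sweep has closed ports to ignore.
        unexpected = sweep(["127.0.0.1"], [port, 31337, 12345],
                           expected={"127.0.0.1": set()})
        # The same port disappears from the report once it is in the baseline.
        baselined = sweep(["127.0.0.1"], [port], expected={"127.0.0.1": {port}})
    finally:
        srv.close()
    return {"listener_port": port, "unexpected": unexpected, "baselined": baselined}


if __name__ == "__main__":
    print(demo())
```

Run such sweeps only from a handler's system with authorization, and remember the caveat stated earlier in this chapter: the ports are specific to the malware at hand. A process audit on the host (which process owns the listening socket) is still needed to confirm a finding, since a legitimate service may simply have been left out of the baseline.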

Sending unknown malicious code to antivirus vendors: malicious code that cannot be definitively
identified by antivirus software may occasionally enter the environment. Eradicating the malicious
code from systems and preventing additional infections may be difficult or impossible without having
updated antivirus signatures from the vendor. Incident handlers should be familiar with the
procedures for submitting copies of unknown malicious code to the organization’s antivirus vendors.

Configuring email servers and clients to block emails: many email programs can be configured
manually to block emails by particular subjects, attachment names or other criteria that correspond
to the malicious code. This is neither a foolproof nor an efficient solution, but it may be the best option
available if an imminent threat exists and antivirus signatures are not yet available.

Blocking outbound access: if the malicious code attempts to generate outbound emails or
connections, handlers should consider blocking access to IP addresses or services to which the infected
system may be attempting to connect.


Shutting down email servers: during the most severe malicious code incidents with hundreds or
thousands of internal hosts infected, email servers may become completely overwhelmed by viruses
trying to spread via email. It may be necessary to shut down an email server to halt the spread of
email-borne viruses.

Isolating networks from the internet: networks may become overwhelmed with worm traffic when a
severe worm infestation occurs. Occasionally a worm will generate so much traffic throughout the
internet that network perimeters are completely overwhelmed. It may be better to disconnect the
organization from the internet, particularly if the organization's internet access is essentially useless
as a result of the volume of worm traffic. This protects the organization's systems from being attacked
by external worms and, should the organization's systems already be infected, prevents them from
attacking other systems and adding to the traffic congestion.

4.5 Evidence Gathering and Handling


The primary reason for gathering evidence during an incident is to resolve the incident, but the
evidence may also be needed for legal proceedings. Evidence is gathered with the incident analysis
hardware and software listed earlier together with supporting accessories such as hard-bound
notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage bags and tags
and evidence tape, which serve to preserve evidence for possible legal action.

With respect to legal proceedings, it is important to clearly document how all evidence, including
compromised systems, has been preserved. Evidence should be collected according to procedures
that meet all applicable laws and regulations, developed in previous discussions with legal staff and
appropriate law enforcement agencies, so that the evidence is admissible in court. Users and system
administrators should also be made aware of the steps they should take to preserve evidence.
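A chain of custody form records who held each evidence item and when, tied to a hash that proves the item has not changed since it was acquired. The Python class below is an added example of such a record, not this handbook's procedure or any forensic suite's format; the field names, handler names and evidence file are constructed for the demonstration.

```python
"""Hash-verified chain-of-custody log.

Added example (not from the handbook): records each acquisition and hand-off
of an evidence item together with the SHA-256 of the item, and chains the
entries so that altering or deleting an earlier entry is detectable. Field
names, handlers and the evidence file are constructed for the example; real
procedures follow the organization's legal guidance.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    def __init__(self, evidence_path):
        self.evidence_path = evidence_path
        self.entries = []

    def _append(self, action, handler, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "note": note,
            "evidence_sha256": sha256_file(self.evidence_path),
            "prev_hash": prev,
        }
        payload = json.dumps(entry, sort_keys=True)
        entry["entry_hash"] = hashlib.sha256((prev + payload).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def acquire(self, handler, note=""):
        return self._append("acquired", handler, note)

    def transfer(self, from_handler, to_handler, note=""):
        """Record a hand-off; refuse if the item no longer matches the last recorded hash."""
        if self.entries and sha256_file(self.evidence_path) != self.entries[-1]["evidence_sha256"]:
            raise ValueError("evidence hash mismatch: item altered since last entry")
        return self._append("transferred", to_handler, "from %s; %s" % (from_handler, note))

    def verify(self):
        """Recompute the chain; return (ok, seq of first bad entry or None)."""
        prev = "0" * 64
        for e in self.entries:
            payload = json.dumps({k: e[k] for k in e if k != "entry_hash"}, sort_keys=True)
            expected = hashlib.sha256((prev + payload).encode()).hexdigest()
            if e["prev_hash"] != prev or e["entry_hash"] != expected:
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, None


def demo():
    """Acquire, transfer, then show that log tampering and evidence changes are caught."""
    work = tempfile.mkdtemp()
    evidence = os.path.join(work, "disk.img")            # constructed evidence item
    with open(evidence, "wb") as fh:
        fh.write(b"constructed disk image contents")
    log = CustodyLog(evidence)
    log.acquire("analyst A", "imaged from workstation WS-17 behind a write blocker")
    log.transfer("analyst A", "evidence custodian", "sealed bag #1")
    verify_before = log.verify()
    log.entries[0]["handler"] = "someone else"             # tamper with an earlier record
    verify_after = log.verify()
    with open(evidence, "ab") as fh:
        fh.write(b"x")                                     # evidence altered after sealing
    try:
        log.transfer("evidence custodian", "analyst B")
        refused = False
    except ValueError:
        refused = True
    return {"verify_before": verify_before, "verify_after": verify_after,
            "transfer_refused": refused}


if __name__ == "__main__":
    print(demo())
```

The hash chain makes silent edits to earlier entries detectable, but it does not stop someone who can rewrite the whole log from recomputing every hash, so the record still has to be kept on controlled storage (or signed and witnessed) as the legal guidance the text calls for prescribes.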


4.6 Eradication and Recovery


After an incident has occurred, it is important to identify all affected hosts within the organization so
that they can be remediated. For some incidents, eradication is either not necessary or is performed
during recovery. In recovery, administrators restore systems to normal operation, confirm that the
systems are functioning normally and (if applicable) remediate vulnerabilities to prevent similar
incidents.

Eradication may involve the following:

 identify and mitigate all vulnerabilities that were exploited.

 remove malware, inappropriate materials and other components.

 repeat the detection and analysis steps to identify all other affected hosts; if more affected
hosts are discovered (e.g. new malware infections), contain and eradicate the incident on those
hosts in accordance with the appropriate procedures.

Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from
scratch, replacing compromised files with clean versions, installing patches, changing passwords and
tightening network perimeter security (e.g. firewall rulesets, boundary router access control lists).

Some of the recommended practices in recovery procedures are:

 return affected systems to an operationally ready state


 confirm that the affected systems are functioning normally
 implement additional monitoring to look for future related activity, if necessary

Eradication and recovery should be done in a phased approach so that remediation steps are
prioritized.

Antivirus systems

Antivirus software can identify and remove most malicious code infections; however, some
infected files cannot be disinfected. Such files can be deleted and replaced with clean backup copies,
or, in the case of an application, the affected application can be reinstalled. If the malicious code
provided attackers with root-level access, it may not be possible to determine what other actions the
attackers performed. In such cases, the system should either be restored from a previous, uninfected
backup or be rebuilt from scratch. The system should then be secured so that it will not be
susceptible to another infection from the same malicious code.

Antivirus software sends alerts when it detects that a host is infected with malware. It detects various
forms of malware, generates alerts and prevents the malware from infecting hosts. Current antivirus
products are effective at stopping many instances of malware if their signatures are kept up to date.
Anti-spam software is used to detect spam and prevent it from reaching users’ mailboxes. Spam may
contain malware, phishing attacks and other malicious content, so alerts from anti-spam software may
indicate attack attempts.


Case Study on Incident Handling Process

The Challenge

A large, multinational organization was alerted by US-CERT/FBI that it had been the source of a number
of credit cards and details being leaked/sold on underground (carding) forums. After an initial
investigation, the organization's security team discovered a compromised credit-card processing server
but, having insufficient resources and skills in dealing with the incident, called in OSEC.

The Solution

OSEC sent a team of analysts, including Incident Response, Crisis Management, and Digital Forensics
personnel to the organization's head office and data centres to deal with the incident. Once there, the
team initiated full incident response based on the information supplied by the organization itself as well
as law enforcement/authorities.

Planning - After The Fact

The first task was understanding what measures were in place to deal with the incident. Unfortunately,
while the organization had an incident response plan, it had not undertaken the first step of Incident
Response - preparation. OSEC's incident response manager, along with the team, got to work coming up
with a strategy: analysing the available information, using it to understand the extent of the
compromise, and the incident, and working out how to contain and eradicate it. All the while,
information to the rest of the organization and the world at large had to be controlled, due to the
possible legal and regulatory implications.

Now that you know the security challenge the organization faced, read how the detection,
containment and eradication process was carried out to handle the incident in a controlled
manner:

Detection and Analysis

Containment required understanding what data had been exfiltrated, and working back from there to
the compromised resources, as well as examining the rest of the environment for other footholds that
the attackers had. Quickly gaining an understanding of the network and segmentation, as well as
rapidly implementing network behavioural analysis and performing content inspection between the
payment processing infrastructure and external networks, OSEC detected connections back to
command and control servers that were known to be operated by organized criminal elements
('carders'). From there, we started performing analysis of the compromised systems using forensics
techniques to determine how and what vulnerabilities had been exploited to gain access, correlating
that with available logging information, all the while monitoring network flows to both ensure that no
additional card information was being exfiltrated for the purposes of understanding what machines
were under their control, all without alerting the bad guys.

Within a short amount of time, OSEC determined that a third-party web application/site that was
vulnerable to SQL injection had been initially compromised, and then used as a "base of operations" to
penetrate further into the network, ultimately gaining access to the payment processing segments. By
targeting administrators using social engineering attacks in combination with an Internet Explorer
vulnerability, they had then stolen credentials that could be used to authenticate to payment
processing servers, and utilized privilege escalation vulnerabilities on the servers themselves to harvest
credit card numbers as they were being processed. In addition, they had installed customized malware
that communicated with the command and control servers and exfiltrated data through encrypted
tunnels, in bursts, to evade detection.


Containment and Eradication

OSEC then went about stopping the spread of the malware and compromise, and expelling the
attackers from the network. Once we had determined that the malware installed would not respond
negatively to loss of connectivity to command and control servers, we quickly:
 ensured the initial point of compromise (SQL injection) was corrected;
 scanned for similar common vulnerabilities in externally-visible systems, and ensured any
identified issues were corrected;
 reset all relevant authentication credentials;
 blocked the attackers at the network perimeter.
We then set about isolating and cleaning each of the compromised hosts as quickly as we could, in
coordination with IT personnel, to ensure that the processing systems were impacted as little as
possible. In most cases, we were able to wipe hosts and perform recovery to ensure all traces of
malware were eradicated, but a number of systems required manual cleaning, which we undertook
with the relevant organizational resources, and initiated extensive monitoring to ensure no
undetected issues remained.

Finally, once the full extent of the breach was understood - particularly what and how much data had
been stolen, OSEC coordinated with PR and Legal personnel to manage client and other regulatory-
body notifications.

Post-Incident Activity

Once the immediate incident had been dealt with, OSEC performed a post-mortem analysis of the
incident and the organization's response, and compared it to OSEC's internally-developed IR processes,
procedures and frameworks to identify what needed to be done to ensure IR, vulnerability
management, and overall Information Security Management processes and procedures were
improved such that future incidents would be minimized. We then sat down with the various
stakeholders in the organization that had been involved and discussed the incident and response,
explaining the relevant issues, identifying organizational problems that also needed to be corrected, as
well as future strategies for avoiding incidents and dealing with them when they occurred, and
communicated our recommended incident response strategy and implementation to the
organization's senior levels.

Having reviewed OSEC's recommendations, the organization then asked us back to assist with
implementing them. Over a 3 months’ period, OSEC led a number of efforts, including implementing
protection mechanisms at the host, application, and network layers; establishing a functioning
vulnerability management within the overall information security management program, verifying
processes, helping with staffing and training, and performing incident response drills to test the final
product.

The Result

Twelve months after implementing the recommendations, and achieving a practical incident response
program, the organization has not suffered any subsequent breaches. In addition, it has gained the
assurance, through incident response drills, that should a breach occur, response will be swift and
effective.


Summary
 Malicious code attacks can be divided into five categories: viruses, Trojan horses, worms,
mobile code and blended attacks.
 Key recommendations for organizing a computer security incident handling capability are
summarized below:
o Develop an incident response plan based on the incident response policy.
o Develop incident response procedures.
o Establish policies and procedures regarding incident related information sharing.
o Consider the relevant factors when selecting an incident response team model.
o Profile networks and systems.
o Understand the normal behaviors of networks, systems and applications.
o Create a log retention policy.
o Perform event correlation.
o Acquire tools and resources that may be of value during incident handling.
o Prevent incidents from occurring by ensuring that networks, systems and applications
are sufficiently secure.
o Identify precursors and indicators through alerts generated by several types of
security software.
o Establish mechanisms for outside parties to report incidents.
o Require a baseline level of logging and auditing on all systems and a higher baseline
level on all critical systems.
o Keep all host clocks synchronized.
o Maintain and use a knowledge base of information.
 Recommendations for handling malicious code incidents include:
o Deploy host based intrusion detection systems, including file integrity checkers to
critical hosts.
o Make users aware of malicious code issues.
o Use antivirus software, and keep it updated with the latest virus signatures.
o Configure software to block suspicious files.
o Eliminate open Windows shares.
o Contain malicious code incidents as quickly as possible.


Practical activities:

Activity 1:

Work in groups and list various service providers and products that help in addressing
malicious code incidents through prevention and eradication. Compare features and
benefits of various products and service providers. Present your finding in class and
compare the findings with that of your peers.

Activity 2:

Collate data on various OS and the inbuilt provisions to prevent malicious code
incidents. Present the same in class.

Check your understanding:


Q. Fill in the blanks -

a) _________ ___________ aims to reduce the number of incidents and to limit the negative business
impact (e.g. more extensive damage, longer periods of service and data unavailability etc.) of those
that do occur.

b) Malware protection can be deployed at the _____________ level, ______________ _________ level
and ___________ ___________ level.

Q. List at least one each of file extensions of attachments that are associated with malicious code and
suspicious file extension combinations.

• Malicious code ________, ________, ________


• Suspicious file extension ________, ________, _______

Q. List at least two indicators for the following malicious code action:

Malicious action: a worm that spreads through a vulnerable service infects a host.

Indicators:

_____________________________________________________________________

_____________________________________________________________________

Malicious action: malicious mobile code on a website is used to infect a host with a virus, worm or
Trojan horse.

Indicators:

_____________________________________________________________________

_____________________________________________________________________

Malicious action: a Trojan horse is installed and running on a host.

Indicators:

__________________________________________________________________________________

__________________________________________________________________________________

NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

UNIT V
Handling Network Security Incidents

This unit covers:

 Lesson Plan

5.1. Network Reconnaissance Incidents


5.2. Denial of Service Incidents
5.3. Unauthorized Access Incidents
5.4. Inappropriate usage incident
5.5. Multiple component incident


Lesson Plan

Outcomes
To be competent, you must be able to:
PC5. liaise with stakeholders to gather, validate and provide information related to information
security incidents, where required.
PC9. update the status of information security incidents following investigation/ action using
standard templates and tools.
Performance Ensuring Measures:
1. Creation of templates based on the learnings.
2. Peer review with faculty with appropriate feedback.
Work Environment/ Lab Requirement:
PCs/ tablets/ laptops; availability of labs (24/7); Internet with Wi-Fi (min 2 Mbps dedicated);
projection facilities.

Outcomes
You need to know and understand:
KA7. the importance of tracking progress and corrective and preventative actions for information
security incidents.
KA10. different types of information security incidents and how to deal with the same.
Performance Ensuring Measures:
KA7. Peer review with faculty with appropriate feedback.
KA10. Team work (IM and chat applications) and group activities (online forums) including
templates to be prepared.
Work Environment/ Lab Requirement:
PCs/ tablets/ laptops; availability of labs (24/7); Internet with Wi-Fi (min 2 Mbps dedicated);
access to all security sites like ISO, PCI DSS, Center for Internet Security etc.; security templates
from ITIL & ISO.


Lesson

5.1 Network Reconnaissance Incidents

Intruders probe over computer networks to gather information about computer systems and
resources. A probe is any attempt launched to detect:

• active hosts and networks that are reachable over a public or an accessible medium.

• services and applications they are running that could be connected to any vulnerability
that these services and applications may have, which could be exposed and taken
advantage of.

Probes can be classified into three main activities:

Host detection
Host detection essentially aims to establish the liveness of a host along with its network address.
Hardware addresses may also be sought by intruders having access to the same segment as the
target.

Port enumeration
Port enumeration concerns the listing of TCP/ UDP services running on a host. This may be a list
of all services or only those of particular interest to an intruder, along with the port address they are
running on.

Vulnerability assessment
Vulnerability assessment seeks to establish information on the type and version of the operating
system and the different applications running on a machine. Version and patch level details about
an operating system and applications are important to judge the possible exploits that could be
used to attack the host.
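To see how host detection and port enumeration look from the defender's side, the following Python script (an added illustration, not part of the handbook's material) classifies records from a firewall deny log. The log line format, the thresholds and the addresses are all assumed for the example: a source touching many destination hosts is labelled as host detection, a source probing many ports on one host as port enumeration, and TCP packets carrying none of the SYN, ACK or RST flags as unsolicited probes (the flag-combination probes discussed under the countermeasures later in this lesson).

```python
import re
from collections import defaultdict

# Assumed (constructed) deny-log line format, one packet per line:
#   <time> DENY proto=<icmp|tcp|udp> src=<ip> dst=<ip> dport=<n> flags=<tcp flags or ->
LINE_RE = re.compile(
    r"^(?P<time>\S+) DENY proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)$"
)

HOST_SWEEP_MIN = 8   # distinct destination hosts touched by one source -> host detection
PORT_SCAN_MIN = 8    # distinct ports probed on one destination host -> port enumeration


def build_sample_log():
    """Constructed sample, not real traffic: an ICMP sweep of 12 hosts, a SYN scan of
    10 ports on one host, one XMAS-flagged probe and one ordinary blocked SYN."""
    lines = []
    for i in range(1, 13):
        lines.append(f"10:00:01 DENY proto=icmp src=203.0.113.5 dst=192.0.2.{i} dport=0 flags=-")
    for port in (21, 22, 23, 25, 53, 80, 110, 139, 143, 443):
        lines.append(f"10:00:05 DENY proto=tcp src=198.51.100.7 dst=192.0.2.10 dport={port} flags=S")
    lines.append("10:00:09 DENY proto=tcp src=198.51.100.9 dst=192.0.2.10 dport=80 flags=FPU")
    lines.append("10:00:10 DENY proto=tcp src=192.0.2.50 dst=192.0.2.10 dport=443 flags=S")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse(log_text):
    """Parse deny-log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def is_unsolicited_tcp(ev):
    """A TCP packet with none of SYN, ACK or RST set (NULL, FIN-only, XMAS probes)
    belongs to no legitimate connection attempt: it exists only to elicit a response."""
    return ev["proto"] == "tcp" and not (set("SAR") & set(ev["flags"]))


def classify_sources(events):
    """Map each suspicious source address to the probe activities it exhibits."""
    hosts_by_src = defaultdict(set)
    ports_by_src_dst = defaultdict(set)
    odd_flags_by_src = defaultdict(int)
    for ev in events:
        hosts_by_src[ev["src"]].add(ev["dst"])
        if ev["proto"] != "icmp":
            ports_by_src_dst[(ev["src"], ev["dst"])].add(ev["dport"])
        if is_unsolicited_tcp(ev):
            odd_flags_by_src[ev["src"]] += 1

    result = {}
    for src, hosts in hosts_by_src.items():
        labels = []
        if len(hosts) >= HOST_SWEEP_MIN:
            labels.append("host-detection")
        if any(len(ports) >= PORT_SCAN_MIN
               for (s, _), ports in ports_by_src_dst.items() if s == src):
            labels.append("port-enumeration")
        if odd_flags_by_src[src]:
            labels.append("unsolicited-tcp-flags")
        if labels:
            result[src] = labels
    return result


if __name__ == "__main__":
    for src, labels in classify_sources(parse(SAMPLE_LOG)).items():
        print(f"{src}: {', '.join(labels)}")
```

Run directly, the script prints one line per flagged source. The thresholds are deliberately low so that the constructed sample triggers; on a real perimeter they would be tuned against the ordinary volume of blocked traffic, and the same counting logic can be fed from an IDS alert export instead of a firewall log.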

A probe could be seen to be launched by an intruder in two modes:

1. Active
2. Passive

An active probe involves some attempted interaction over the network on behalf of the
intruder. This may involve sending a packet directly to a target host or a network or some
intermediary used for the purposes of probing.

A passive probe, on the other hand, would involve an intruder restricting herself to sniffing
and logging traffic, originating from and destined to a potential or an identified target and
obtaining relevant information. The choice of being passive may be due to reasons of
configuration or access or it may be a deliberate act by an intruder to avoid detection.

Passive probes, by their nature, are hard to detect. Any reconnaissance information gained using
such tactics, however, is limited to the traffic visible to an intruder. Active probes are
necessary if an intruder wishes to gather information that is both timely and of her choice.


A variety of techniques exist for active probes, including making use of mechanisms such as the TCP
handshake to judge a host’s liveness, fingerprinting the protocol stack (which often indicates the
operating system the host is running), probing DNS servers and grabbing service banners volunteering
information on the host.

Most active probes make use of techniques that use the core protocols of modern-day
communications, namely IP, ICMP, TCP and UDP. Common approaches to countering probing activity at
this level include:

• filtering inbound ICMP probes (the responses to which are used to determine which machines
are alive).
• filtering outbound ICMP responses to UDP port scanning attempts (where a lack of
response allows an intruder to determine a live host).
• filtering inbound TCP probes with different combinations of flags set (the response, or lack of
it, may indicate to an intruder whether a host is live or not, depending on the flags set and the
operating system probed).
• using a variety of firewalling techniques that allow throttling of probes and stateful
mechanisms that disallow unsolicited packets aimed at generating responses from target
hosts.

A somewhat more proactive approach is suggested by Kang et al., who propose to generate false
positive responses to any probes attempting to detect hosts or enumerate ports targeting an unused
address space or closed ports on active hosts. Their approach, referred to as all positive response
(APR), is designed to make it difficult for an intruder to distinguish active hosts from inactive ones,
and open ports from closed ones. To an intruder, all machines appear active and all ports appear open.
Such an approach could also help in detecting any packets that follow up after initial probes, which
attempt to probe the host further, enumerating ports or assessing some vulnerability.

Using false responses is useful in hiding any information about the network that an intruder may try
to gather, but an all positive approach will certainly indicate to an intruder that false responses are
being generated to all probing. Another important issue is that generating false responses for a very
large network may require untenably large resources, and may therefore not be scalable. Some
factors to consider here are the size of the entire (used and unused) address space that the false
response needs to be generated for, the rate at which the network is probed, the various types of
probes launched (that need to be responded to) and memory state required to detect any attempts
at intrusion that follow up a false response.

Generating a false positive response to probes targeting a closed port on an active host could also
result in a conflict: an active host may have a port closed at the time of the probe, but the port may
open (upon the host initiating a connection or starting a service, for instance) sometime after the false
response is generated. Some alternatives to APR could be designed so that such responses are
generated:

• where some probes are randomly replied to and some are not.
• to a specified subset of the unused address space. This subset could be chosen randomly (from a
given chunk of addresses) or strategically (from an address space used non-contiguously).
• for all probes destined for the unused address space. This is similar to APR, except that only probes
destined for the unused parts of the address space are replied to and one or a few services
depicted.

Handling specific types of incidents
 Denial of Service (DoS) — an attack that prevents the usage of network, system or application
resources.
 Malicious Code — a virus, worm, Trojan horse or other code based malicious entity that infects
a host.
 Unauthorized Access — a user gains access without permission to a network, system,
application, data or other resource.
 Inappropriate Usage — a user violates acceptable computing use policies.
 Multiple Component — a single incident that encompasses two or more incidents. For example,
a malicious code infection leads to unauthorized access to a host, which is then used to gain
unauthorized access to additional hosts.

Fig: A Sample Network Reconnaissance Check Screenshot


5.2 Denial of Service Incidents


DoS prevents authorized use of IT resources. The following are tips for responding to a network
distributed denial-of-service (DDoS) incident.

General considerations

 DDoS attacks often take the form of flooding the network with unwanted traffic. Some attacks
focus on overwhelming resources of a specific system.
 It will be very difficult to defend against the attack without specialized equipment or your ISP’s
help.
 Too many people often participate during incident response. Limit the number of people on the
team.
 DDoS incidents may span days. Consider how your team will handle a prolonged attack. Humans
get tired!
 Understand your equipment’s capabilities in mitigating a DDoS attack. Many underappreciate the
capabilities of their devices or overestimate their performance.

Prepare for a future incident

 If you do not prepare for a DDoS incident in advance, you will waste precious time during the
attack.
 Contact your ISP to understand the paid and free DDoS mitigation it offers and what process you
should follow.
 Create a whitelist of the source IPs and protocols you must allow if prioritizing traffic during an
attack. Include your big customers, critical partners etc.
 Confirm DNS time-to-live (TTL) settings for the systems that might be attacked. Lower the TTLs, if
necessary, to facilitate DNS redirection if the original IPs get attacked.
 Establish contacts for your ISP, law enforcement, IDS, firewall, systems and network teams.
 Document your IT infrastructure details, including business owners, IP addresses and circuit IDs.
Prepare a network topology diagram and an asset inventory.
 Understand business implications (e.g. money lost) of likely DDoS attack scenarios.
 If the risk of a DDoS attack is high, consider purchasing specialized DDoS mitigation products or
services.
 Collaborate with your BCP/ DR planning team to understand their perspective on DDoS incidents.
 Harden the configuration of network, OS and application components that may be targeted by
DDoS.
 Baseline your current infrastructure’s performance so you can identify the attack faster and more
accurately.

Analyse the attack

 Understand the logical flow of the DDoS attack and identify the infrastructure components
affected by it.
 Review the load and logs of servers, routers, firewalls, applications and other affected
infrastructure.
 Identify what aspects of the DDoS traffic differentiate it from benign traffic (e.g. specific source
IPs, destination ports, URLs, TCP flags etc.).
 Use a network analyzer (e.g. tcpdump, ntop, Aguri, MRTG, a NetFlow tool) to review the traffic.


 Contact your ISP and internal teams to learn about their visibility into the attack, and to ask for
help.
 If contacting the ISP, be specific about the traffic you would like to control (e.g. which network
blocks should be blackholed, which source IPs should be rate-limited).
 Find out whether the company received an extortion demand as a precursor to the attack.
 Create a NIDS signature to differentiate between benign and malicious traffic, if possible.
 Notify your company’s executive and legal teams; upon their direction, consider involving law
enforcement.
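The analysis steps above come down to finding what separates the attack traffic from normal traffic. The Python script below (an added example, not from the handbook) does this for a web server access log: it uses a baseline request rate to find the seconds under attack, then lists the top sources and URLs in that traffic and produces the source list you might hand to the ISP for rate-limiting, after removing the addresses on the whitelist prepared beforehand. The log lines, the whitelist entry and the simplified common-log-format pattern are all constructed for the example.

```python
import re
from collections import Counter
from statistics import median

# Access-log line format assumed here (a simplified common log format).
LOG_RE = re.compile(
    r'^(?P<ip>[\d.]+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\w+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed whitelist (the "must allow" list prepared before an incident): a
# big customer whose traffic must never be blocked or rate-limited.
WHITELIST = {"192.0.2.200"}


def build_sample_log():
    """Constructed sample, not real traffic: ten seconds of ordinary browsing from
    thirty clients (3 req/s), then five seconds in which four sources each send
    25 req/s to one search URL while the whitelisted customer keeps placing orders."""
    lines = []
    clients = [f"198.51.100.{i}" for i in range(1, 31)]
    for sec in range(10):
        for k in range(3):
            ip = clients[(sec * 3 + k) % len(clients)]
            lines.append(f'{ip} - - [15/Mar/2015:10:00:{sec:02d} +0000] "GET /index.html HTTP/1.1" 200')
    for sec in range(10, 15):
        for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"):
            for _ in range(25):
                lines.append(f'{ip} - - [15/Mar/2015:10:00:{sec:02d} +0000] "GET /search?q=a HTTP/1.1" 200')
        lines.append(f'192.0.2.200 - - [15/Mar/2015:10:00:{sec:02d} +0000] "POST /api/order HTTP/1.1" 200')
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse(log_text):
    """Parse matching access-log lines into dicts; non-matching lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]


def analyse(log_text, whitelist, baseline_rps=None, factor=5, top_n=5):
    """Find the seconds whose request rate reaches `factor` times the baseline and
    summarise what makes that traffic different: top sources, top URLs, and the
    sources (minus the whitelist) you could ask an ISP to rate-limit."""
    events = parse(log_text)
    rps = Counter(ev["ts"] for ev in events)     # timestamps have one-second resolution
    if baseline_rps is None:
        # Preparation should have produced a measured baseline; failing that, the
        # median per-second rate is a crude stand-in as long as the attack is
        # shorter than half of the observed period.
        baseline_rps = median(rps.values())
    attack_secs = {ts for ts, n in rps.items() if n >= factor * baseline_rps}
    attack_events = [ev for ev in events if ev["ts"] in attack_secs]
    sources = Counter(ev["ip"] for ev in attack_events)
    paths = Counter(ev["path"] for ev in attack_events)
    candidates = [ip for ip, _ in sources.most_common() if ip not in whitelist][:top_n]
    return {
        "baseline_rps": baseline_rps,
        "peak_rps": max(rps.values()),
        "attack_seconds": len(attack_secs),
        "top_sources": sources.most_common(top_n),
        "top_paths": paths.most_common(top_n),
        "rate_limit_candidates": candidates,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, WHITELIST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The same structure applies to flow records or firewall logs: group by time, find the abnormal interval, then summarise the fields (source, destination port, URL, TCP flags) within it. Real attacks spread across far more sources than four, which is why the script reports the URL being hammered as well, since a rate limit on one path is often more practical than blocking thousands of addresses.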

Mitigate the effects of the attack

 While it is very difficult to fully block DDoS attacks, you may be able to mitigate their effects.
 Attempt to throttle or block DDoS traffic as close to the network’s “cloud” as possible via a router,
firewall, load balancer, specialized device etc.
 Terminate unwanted connections or processes on servers and routers and tune their TCP/ IP
settings.
 Switch to alternate sites or networks using DNS or another mechanism. Blackhole DDoS traffic
targeting the original IPs, if possible.
 If the bottleneck is a particular feature of an application, temporarily disable that feature.
 Add servers or network bandwidth to handle the DDoS load (this is an arms race though).
 Route traffic through a traffic-scrubbing service or product via DNS or routing changes.
 If adjusting defenses, make one change at a time, so you know the cause of the changes you may
observe.
 Configure egress filters to block the traffic your systems may send in response to DDoS traffic to
avoid adding unnecessary packets to the network.

Wrap up the incident and adjust

 consider what preparation steps you could have taken to respond to the incident faster or more
effectively.
 adjust assumptions that affected the decisions made during DDoS incident preparation, if
necessary.
 assess the effectiveness of your DDoS response process, involving people and communication.
 consider what relationships inside and outside your organizations could help you with future
incidents.

Key DDoS incident response steps

 Preparation: establish contacts, define procedures and gather tools to save time during an attack.
 Analysis: detect the incident, determine its scope and involve the appropriate parties.
 Mitigation: mitigate the attack’s effects on the targeted environment.
 Wrap up: document the incident’s details, discuss lessons learned and adjust plans and defenses.


5.3 Unauthorized Access Incidents


Examples of unauthorised access include:
 performing a remote root compromise of an email server.
 defacing a web server.
 guessing and cracking passwords.
 copying a database containing credit card numbers.
 viewing sensitive data, including payroll records and medical information without
authorization.
 running a packet sniffer on a workstation to capture usernames and passwords.
 using a permission error on an anonymous FTP server to distribute pirated software and music
files.
 dialing into an unsecured modem and gaining internal network access.
 posing as an executive, calling the help desk, resetting the executive’s email password and
learning the new password.
 using an unattended, logged-in workstation without permission.

Preparation
 configure network based and host based IDS software (such as file integrity checkers and log
monitors) to identify and alert on attempts to gain unauthorized access. Each type of intrusion
detection software may detect attacks that others are not able to detect.
 use centralized log servers so pertinent information from hosts across the organization is stored
in a single secured location.
 establish procedures to be followed when all users of an application, system, trust domain or
organization should change their passwords because of a password compromise. The procedures
should adhere to the organization’s password policy.
 discuss unauthorized access incidents with system administrators so that they understand their
roles in the incident handling process.

Prevention
Network security

Configure the network perimeter to deny all incoming traffic that is not expressly permitted.

Secure all remote access methods properly, including modems and VPNs. An unsecured modem can
provide easily attainable unauthorized access to internal systems and networks. War dialling is the
most efficient technique for identifying improperly secured modems. When securing remote access,
carefully consider the trustworthiness of the clients. If they are outside the organization’s control,
they should be given as little access to resources as possible, and their actions should be closely
monitored.

Put all publicly accessible services on secured demilitarized zone (DMZ) network segments. The
network perimeter can then be configured so that external hosts can establish connections only to
hosts on the DMZ, not internal network segments.


Use private IP addresses for all hosts on internal networks. This will severely restrict the ability of
attackers to establish direct connections to internal hosts.

Host security

• perform regular vulnerability assessments to identify serious risks and mitigate the risks to an
acceptable level.

• disable all unneeded services on hosts. Separate critical services so they run on different hosts. If an
attacker then compromises a host, immediate access should be gained only to a single service.

• run services with the least privileges possible to reduce the immediate impact of successful exploits.

• use host based firewall software to limit individual hosts’ exposure to attacks.

• limit unauthorized physical access to logged-in systems by requiring hosts to lock idle screens
automatically and asking users to log off before leaving the office.

• verify the permission settings regularly for critical resources, including password files, sensitive
databases and public web pages. This process can easily be automated to report changes in
permissions on a regular basis.
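The last point above says that permission checks on critical resources are easy to automate. The Python script below (an added example, not from the handbook) is one way to do that: it records the permission bits, owner and group of a list of critical files into a JSON baseline and reports any later change, including files that disappeared or appeared. The demonstration scenario, a temporary directory holding a stand-in for a password file, is constructed for the example.

```python
import json
import os
import stat
import tempfile


def snapshot(paths):
    """Record permission bits, owner and group of each critical file; a missing
    file is recorded as None so that its disappearance is reported too."""
    snap = {}
    for path in paths:
        try:
            st = os.lstat(path)
            snap[path] = {"mode": stat.S_IMODE(st.st_mode),
                          "uid": st.st_uid, "gid": st.st_gid}
        except FileNotFoundError:
            snap[path] = None
    return snap


def diff_snapshots(old, new):
    """Compare two snapshots and return one report line per change (empty if none)."""
    reports = []
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path), new.get(path)
        if before == after:
            continue
        if before is None or after is None:
            reports.append(f"{path}: {'appeared' if before is None else 'removed'}")
            continue
        for key in ("mode", "uid", "gid"):
            if before[key] != after[key]:
                show = oct if key == "mode" else str
                reports.append(f"{path}: {key} changed {show(before[key])} -> {show(after[key])}")
    return reports


def save_baseline(snap, baseline_file):
    with open(baseline_file, "w") as f:
        json.dump(snap, f)


def load_baseline(baseline_file):
    with open(baseline_file) as f:
        return json.load(f)


def demo():
    """Constructed scenario in a temporary directory: baseline a stand-in for a
    password file, loosen its permissions as a misconfiguration would, and report."""
    with tempfile.TemporaryDirectory() as workdir:
        secret = os.path.join(workdir, "shadow")
        with open(secret, "w") as f:
            f.write("root:*:16000:0:99999:7:::\n")   # constructed content
        os.chmod(secret, 0o600)
        baseline_file = os.path.join(workdir, "perm-baseline.json")
        save_baseline(snapshot([secret]), baseline_file)

        os.chmod(secret, 0o644)                     # the change we want reported
        return diff_snapshots(load_baseline(baseline_file), snapshot([secret]))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In production the baseline file must itself be protected (stored read-only, off the monitored host, or signed), otherwise an intruder who changes permissions can simply re-baseline. Running the comparison from a scheduled job and sending the report lines to the centralized log server turns this into the periodic permission report the text recommends.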

Authentication and authorization

• create a password policy that requires the use of complex, ‘difficult-to-guess’ passwords, forbids
password sharing, and directs users to use different passwords on different systems, especially
external hosts and applications.

• require sufficiently strong authentication, particularly for accessing critical resources.

• create authentication and authorization standards for employees and contractors to follow when
developing software. For example, passwords should be strongly encrypted using a FIPS 140-2
validated algorithm when they are transmitted or stored.

• establish procedures for provisioning and de-provisioning user accounts. These should include an
approval process for new account requests and a process for periodically disabling or deleting
accounts that are no longer needed.

Physical security

• Implement physical security measures that restrict access to critical resources.

Detection and analysis

As unauthorized access incidents can occur in many forms, they can be detected through dozens of
types of precursors and indications.


Precursors
List of precursors and respective responses:

Precursor: unauthorized access incidents are often preceded by reconnaissance activity to map
hosts and services and to identify vulnerabilities. Activity may include port scans, host scans,
vulnerability scans, pings, trace routes, DNS zone transfers, OS fingerprinting and banner
grabbing. Such activity is detected primarily through IDS software and secondarily, through log
analysis.
Response: incident handlers should look for distinct changes in reconnaissance patterns. For
example, a sudden interest in a particular port number or host. If this activity points out a
vulnerability that could be exploited, the organization may have time to block future attacks by
mitigating the vulnerability (e.g. patching a host, disabling an unused service, modifying firewall
rules etc.).
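The response above asks handlers to look for a sudden interest in a particular port or host. The Python snippet below (an added example, not from the handbook) compares a baseline window of blocked inbound connection attempts with the current window and flags ports whose daily rate has jumped, or that were never seen in the baseline at all. The CSV export format, the seven-day baseline, the addresses and the counts are constructed for the example; passing field="dst" instead of the default "dport" applies the same check to destination hosts.

```python
import csv
import io
from collections import Counter


def _rows(port, count, day, src="203.0.113.77"):
    """Constructed helper: `count` blocked attempts against one port on one day."""
    return "".join(f"{day},{src},192.0.2.10,{port}\n" for _ in range(count))


# Constructed export of blocked inbound connection attempts (date,src,dst,dport),
# an assumed format. The baseline covers seven quiet days; the current window is
# one day on which port 3389 and a never-before-seen port 8443 draw attention.
BASELINE_CSV = ("date,src,dst,dport\n"
                + _rows(22, 70, "2015-03-01")
                + _rows(80, 35, "2015-03-02")
                + _rows(3389, 7, "2015-03-03"))
CURRENT_CSV = ("date,src,dst,dport\n"
               + _rows(22, 12, "2015-03-08")
               + _rows(80, 4, "2015-03-08")
               + _rows(3389, 15, "2015-03-08")
               + _rows(8443, 11, "2015-03-08"))


def field_counts(csv_text, field):
    """Count blocked attempts per value of `field` ("dport" or "dst")."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[row[field]] += 1
    return counts


def sudden_interest(baseline_text, baseline_days, current_text, current_days,
                    field="dport", factor=5, min_hits=10):
    """Return values of `field` whose per-day probe rate in the current window is at
    least `factor` times the baseline rate, or that never appeared in the baseline.
    Values with fewer than `min_hits` current attempts are ignored as noise."""
    base = field_counts(baseline_text, field)
    cur = field_counts(current_text, field)
    flagged = {}
    for value, hits in cur.items():
        if hits < min_hits:
            continue
        base_rate = base.get(value, 0) / baseline_days
        cur_rate = hits / current_days
        if base_rate == 0 or cur_rate >= factor * base_rate:
            flagged[value] = {"baseline_per_day": round(base_rate, 2),
                              "current_per_day": round(cur_rate, 2)}
    return flagged


if __name__ == "__main__":
    for port, rates in sudden_interest(BASELINE_CSV, 7, CURRENT_CSV, 1).items():
        print(f"port {port}: {rates['baseline_per_day']}/day -> {rates['current_per_day']}/day")
```

A flagged port is the cue the text describes: if a service listening on it has a known weakness, the organization may still have time to patch it or adjust firewall rules before the follow-up attack arrives.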
Precursor: a new exploit for gaining unauthorized access is released publicly, and it poses a
significant threat to the organization.
Response: the organization should investigate the new exploit and, if possible, alter security
controls to minimize the potential impact of the exploit for the organization.
Precursor: users report possible social engineering attempts — attackers trying to trick them into
revealing sensitive information, such as passwords, or encouraging them to download or run
programs and file attachments.
Response: the incident response team should send a bulletin to users with guidance on handling
the social engineering attempts. The team should determine what resources the attacker was
interested in and look for corresponding log based precursors, as it is likely that the social
engineering is only part of the reconnaissance.
Precursor: a person or system may observe a failed physical access attempt (e.g. outsider
attempting to open a locked wiring closet door, unknown individual using a cancelled ID badge).
Response: security should detain the person, if possible. The purpose of the activity should be
determined and it should be verified that the physical and computer security controls are strong
enough to block the apparent threat. (An attacker who cannot gain physical access may perform
remote computing based attacks instead.) Physical and computer security controls should be
strengthened if necessary.


Indications
List of malicious actions and their respective indicators:

Malicious action: root compromise of a host

Indicators:
• Hacker tools on system
• Unusual traffic to/ from host
• System configuration changes
• Modification of critical files
• Unexplained account usage
• Strange OS/ application log messages

Malicious action: unauthorized usage of standard user account

Indicators:
• Access attempts to critical files (e.g., password files)
• Unexplained account usage (e.g., idle account in use, account in use from multiple
locations at once, commands that are unexpected from a particular user, large
number of locked-out accounts)
• Web proxy log entries showing the download of hacker tools

Malicious action: unauthorized data modification (e.g. web server defacement, FTP warez
server)

Indicators:
• Network intrusion detection alerts
• Increased resource utilization
• User reports of the data modification (e.g. defaced website)
• Modifications to critical files (e.g. web pages)
• New files or directories with unusual names (e.g. binary characters, leading spaces,
leading dots etc.)
• Significant changes in expected resource usage (e.g., CPU, network activity, full logs
or file systems)
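Several of the account-usage indicators above (idle account in use, account in use from multiple locations at once, a large number of locked-out accounts) can be computed directly from authentication logs. The Python script below (an added example, not from the handbook) does that for a constructed log; the log line format, the account names, the addresses and the "last seen" table are assumed for the example, and the thresholds (15-minute window, 60 idle days) are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) authentication log format, one event per line.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\w+) src=(?P<src>[\d.]+) result=(?P<result>\w+)$"
)

# Constructed sample: alice is logged in from two addresses within minutes, a
# long-idle service account wakes up, and five accounts lock out from one source.
SAMPLE_AUTH_LOG = """\
2015-03-15T09:00:00 LOGIN user=alice src=10.0.0.5 result=success
2015-03-15T09:04:00 LOGIN user=alice src=203.0.113.9 result=success
2015-03-15T09:10:00 LOGIN user=bob src=10.0.0.7 result=success
2015-03-15T09:15:00 LOGIN user=svc_backup src=10.0.0.20 result=success
2015-03-15T09:20:00 LOGIN user=carol src=10.0.0.8 result=locked
2015-03-15T09:20:05 LOGIN user=dave src=10.0.0.8 result=locked
2015-03-15T09:20:10 LOGIN user=erin src=10.0.0.8 result=locked
2015-03-15T09:20:15 LOGIN user=frank src=10.0.0.8 result=locked
2015-03-15T09:20:20 LOGIN user=grace src=10.0.0.8 result=locked
"""

# Constructed: last successful login per account before this log started, as an
# identity system or earlier logs would supply it.
LAST_SEEN = {
    "alice": datetime(2015, 3, 14, 17, 30),
    "bob": datetime(2015, 3, 13, 8, 0),
    "svc_backup": datetime(2014, 11, 2, 3, 0),
}


def parse(text):
    """Parse matching log lines; the timestamp becomes a datetime for arithmetic."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append(ev)
    return events


def concurrent_locations(events, window=timedelta(minutes=15)):
    """Accounts with successful logins from two or more addresses within `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            srcs = {e["src"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(srcs) > 1:
                flagged[user] = sorted(srcs)
                break
    return flagged


def idle_accounts_in_use(events, last_seen, idle_days=60):
    """Accounts that log in successfully after at least `idle_days` of inactivity."""
    return sorted({
        ev["user"] for ev in events
        if ev["result"] == "success" and ev["user"] in last_seen
        and (ev["ts"] - last_seen[ev["user"]]).days >= idle_days
    })


def locked_out_accounts(events):
    """Distinct accounts that hit a lockout; many at once is itself an indicator."""
    return sorted({ev["user"] for ev in events if ev["result"] == "locked"})


if __name__ == "__main__":
    evs = parse(SAMPLE_AUTH_LOG)
    print("concurrent locations:", concurrent_locations(evs))
    print("idle accounts in use:", idle_accounts_in_use(evs, LAST_SEEN))
    print("locked-out accounts:", locked_out_accounts(evs))
```

Each result is an indicator, not a verdict: a traveller on a VPN can legitimately appear from two addresses, so the handler still checks the change management and help desk records before treating the account as compromised.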


Containment, eradication and recovery

Initial containment elements

 Isolation of affected system
 Disabling affected service
 Eliminate attacker’s route
 Disable user accounts used in attack
 Enhance physical security

Eradication and recovery

Successful attackers frequently install rootkits, which modify or replace dozens or hundreds of files,
including system binaries. Rootkits hide much of what they do, making it tricky to identify what was
changed. Therefore, if an attacker appears to have gained root access to a system, handlers cannot
trust the operating system software. Typically, the best solution is to restore the system from a known
good backup or reinstall the operating system and applications from scratch, and then secure the
system properly.

Changing all passwords on the system, and possibly on all systems that have trust relationships with
the victim system, is also highly recommended.

Some unauthorized access incidents involve the exploitation of multiple vulnerabilities, so it is
important for handlers to identify all vulnerabilities that were used and to determine strategies for
correcting or mitigating each vulnerability. Other vulnerabilities that are present should be mitigated
as well or an attacker may use them instead.

If an attacker only gains a lesser level of access than administrator level, eradication and recovery
actions should be based on the extent to which the attacker gained access. Vulnerabilities that were
used to gain access should be mitigated appropriately.

Additional actions should be performed as merited to identify and address weaknesses systemically.
For example, if an attacker gained user level access by guessing a weak password, then not only should
that account’s password be changed to a stronger password, but also the system administrator and
owner should consider enforcing stronger password requirements. If the system was in compliance
with the organization’s password policies, the organization should consider revising its password
policies.

Recommendations

Key recommendations for handling unauthorized access incidents are summarized below:

 configure intrusion detection software to alert on attempts to gain unauthorized access. Network
and host based intrusion detection software (including file integrity checking software) is valuable
for detecting attempts to gain unauthorized access. Each type of software may detect incidents
that the other types of software cannot so the use of multiple types of computer security software
is highly recommended.
 configure all hosts to use centralized logging. Incidents are easier to detect if data from all hosts
across the organization is stored in a centralized, secured location.


 establish procedures for having all users change their passwords. A password compromise may
force the organization to require all users of an application, system, trust domain or perhaps, the
entire organization to change their passwords.
 configure the network perimeter to deny all incoming traffic that is not expressly permitted. By
limiting the types of incoming traffic, attackers should be able to reach fewer targets and should
be able to reach the targets using only designated protocols. This should reduce the number of
unauthorized access incidents.
 secure all remote access methods, including modems and VPNs. Unsecured modems provide
easily attainable unauthorized access to internal systems and networks. Remote access clients are
often outside the organization’s control, so granting them access to resources increases risk.
 put all publicly accessible services on secured DMZ network segments. This permits the
organization to allow external hosts to initiate connections to hosts only on the DMZ segments,
not to hosts on internal network segments. This should reduce the number of unauthorized access
incidents.
 disable all unneeded services on hosts and separate critical services. Every service that is running
presents another potential opportunity for compromise. Separating critical services is important
because if an attacker compromises a host that is running a critical service, immediate access
should be gained only to that one service.
 use host based firewall software to limit individual hosts’ exposure to attacks. Deploying host
based firewall software to individual hosts and configuring it to deny all activity that is not
expressly permitted should further reduce the likelihood of unauthorized access incidents.
 create and implement a password policy. The password policy should require the use of complex,
‘difficult-to-guess’ passwords and ensure that authentication methods are sufficiently strong for
accessing critical resources. Weak and default passwords are likely to be guessed or cracked,
leading to unauthorized access.
 provide change management information to the incident response team. Indications such as
system shutdowns, audit configuration changes and executable modifications are probably
caused by routine system administration rather than attacks. When such indications are detected,
the team should be able to use change management information to verify that the indications are
caused by authorized activity.
 select containment strategies that balance mitigating risks and maintaining services. Incident
handlers should consider moderate containment solutions that focus on mitigating the risks as
much as is practical while maintaining unaffected services.
 restore or reinstall systems that appear to have suffered a root compromise. The effects of root
compromises are often difficult to identify completely. The system should be restored from a
known good backup, or the operating system and applications should be reinstalled from scratch.
The system should then be secured properly so the incident cannot recur.


5.4 Inappropriate usage incident


An inappropriate usage incident occurs when a user performs actions that violate acceptable
computing use policies. Although such incidents are often not security related, handling them is very
similar to handling security related incidents. Therefore, it has become commonplace for incident
response teams to handle many inappropriate usage incidents. Examples of incidents a team might
handle include users who —

 download password cracking tools or pornography.
 send spam promoting a personal business.
 email harassing co-workers.
 set up an unauthorized website on one of the organization’s computers.
 use file or music sharing services to acquire or distribute pirated materials.
 transfer sensitive materials from the organization to external locations.

Recommendations
Key recommendations for handling inappropriate usage incidents include:

 discuss the handling of inappropriate usage incidents with the organization’s human resources
and legal departments. Processes for monitoring and logging user activities should comply with
the organization’s policies and all applicable laws. Procedures for handling incidents that directly
involve employees should incorporate discretion and confidentiality.
 discuss liability issues with the organization’s legal departments. Liability issues may arise during
inappropriate usage incidents, particularly for incidents that are targeted at outside parties.
Incident handlers should understand when they should discuss incidents with the allegedly
attacked party and what information they should reveal.
 configure network based intrusion detection software to detect certain types of inappropriate
usage. Intrusion detection software has built-in capabilities to detect certain inappropriate usage
incidents, such as the use of unauthorized services, outbound reconnaissance activity and attacks
and improper mail relay usage (e.g. sending spam).
 log basic information on user activities. Basic information on user activities such as FTP commands,
web requests, and email headers may be valuable for investigative and evidentiary purposes.
 configure all email servers so they cannot be used for unauthorized mail relaying. Mail relaying is
commonly used to send spam.
 implement spam filtering software on all email servers. Spam filtering software can block much of
the spam sent by external parties to the organization’s users as well as spam that is sent by internal
users.
 implement URL filtering software. URL filtering software prevents access to many inappropriate
websites. Users should be required to use the software, typically by preventing access to external
websites unless the traffic passes through a server that performs URL filtering.


5.5 Multiple component incident


A multiple component incident is a single incident that encompasses two or more incidents. For
example, the following could comprise a multiple component incident:

1. Malicious code spread through email compromises an internal workstation.

2. An attacker (who may or may not be the one who sent the malicious code) uses the infected
workstation to compromise additional workstations and servers.

3. An attacker (who may or may not have been involved in steps 1 or 2) uses one of the compromised
hosts to launch a DDoS attack against another organization.

This multiple component incident consists of a malicious code incident, several unauthorized access
incidents and a DoS incident.

Recommendations
The key recommendations for handling multiple component incidents are given below:

 use centralized logging and event correlation software. Incident handlers should identify an
incident as having multiple components more quickly if all precursors and indications are
accessible from a single point of view.
 contain the initial incident and then search for signs of other incident components. It can take an
extended period of time for a handler to authoritatively determine that an incident has only a
single component; meanwhile, the initial incident has not been contained. It is generally better to
contain the initial incident first.
 prioritize the handling of each incident component. Resources are probably too limited to handle
all incident components simultaneously. Components should be prioritized based on the current
component and its response guidelines.
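The first recommendation above, correlating events from a single point of view, is what lets a handler see that the malicious code, unauthorized access and DoS events in the example incident belong together. The Python snippet below (an added example, not from the handbook) performs that correlation on constructed, already-normalised events from an antivirus product, host authentication logs and a flow export; the event fields, host names and addresses are assumed for the example.

```python
# Constructed, already-normalised events from three sources (antivirus, host
# authentication logs and flow export), as they would arrive at one central
# logging point. The field names are assumed for this example.
EVENTS = [
    {"ts": "2015-03-15T08:02:00", "source": "antivirus", "host": "ws1",
     "type": "malware_detected"},
    {"ts": "2015-03-15T08:30:00", "source": "auth", "host": "srv1",
     "type": "admin_login", "from": "ws1"},
    {"ts": "2015-03-15T08:35:00", "source": "auth", "host": "srv2",
     "type": "admin_login", "from": "ws1"},
    {"ts": "2015-03-15T09:10:00", "source": "netflow", "host": "srv2",
     "type": "outbound_flood", "to": "198.51.100.44"},
    {"ts": "2015-03-15T09:12:00", "source": "auth", "host": "srv3",
     "type": "admin_login", "from": "ws9"},   # unrelated: ws9 is not implicated
]


def correlate(events):
    """Walk events in time order, starting from hosts with a malicious code
    indication, and add any host that an implicated host then logs into.
    Returns the incident components found, each as (category, host)."""
    implicated = set()
    components = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "malware_detected":
            implicated.add(ev["host"])
            components.append(("malicious code", ev["host"]))
        elif ev["type"] == "admin_login" and ev.get("from") in implicated:
            # A login originating from a compromised host is treated as suspect
            # until change management confirms otherwise.
            if ev["host"] not in implicated:
                implicated.add(ev["host"])
                components.append(("unauthorized access", ev["host"]))
        elif ev["type"] == "outbound_flood" and ev["host"] in implicated:
            components.append(("denial of service, outbound", ev["host"]))
    return components


def summarise(components):
    """Count components per category, the view a handler needs to prioritise them."""
    counts = {}
    for category, _ in components:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    found = correlate(EVENTS)
    for category, host in found:
        print(f"{category}: {host}")
    print(summarise(found))
```

The walk is deliberately one-directional (malicious code first, then lateral logins, then outbound abuse), which mirrors the order in which the components of the example incident surface; the summary is the input to the prioritisation step, since the outbound DoS against another organization usually has to be contained before the remaining lateral movement is fully mapped.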


Summary
 Intruders probe over computer networks to gather information about computer systems and
resources. A probe is any attempt launched to detect:
o Active hosts and networks that are reachable over a public or an accessible medium.
o The services and applications they are running that could be connected to any
vulnerability that these services and applications may have, which could be exposed
and taken advantage of.
 Probes can be classified appropriately into three main activities:
o Host detection
o Port enumeration
o Vulnerability assessment
 A probe could be seen to be launched by an intruder in two modes: active and passive.
 Denial of Service (DoS) — an attack that prevents the usage of network, system or application
resources.
 Malicious Code — a virus, worm, Trojan horse or other code based malicious entity that infects
a host.
 Unauthorized Access — a user gains access without permission to a network, system,
application, data or other resource.
 Inappropriate Usage — a user violates acceptable computing use policies.
 Multiple Component — a single incident that encompasses two or more incidents. For example,
a malicious code infection leads to unauthorized access to a host, which is then used to gain
unauthorized access to additional hosts.

Practical activities:

Activity 1:

Present to the class the different types of incidents that affect network security, and research
service providers who offer network incident management services. Compare their
offerings.

Activity 2:

Create an action plan for your training institute for addressing network security
incidents. As part of the plan state dos and don’ts for the network administrator and
users.


Check your understanding:


Q. List at least two key recommendations for handling each of the following categories of incidents:

 Network reconnaissance incidents
 Denial of service incidents
 Unauthorised access incidents
 Inappropriate usage incidents
 Multiple component incidents



SSC/ N 0903
Install, configure and troubleshoot information
security devices

UNIT I: Configuring Network Devices


UNIT II: Configuring Secure Content Management
UNIT III: Configuring Firewall
UNIT IV: Troubleshooting Cisco IOS Firewall Configurations
UNIT V: Cisco IOS Firewall IDS
UNIT VI: IPS Configuration
UNIT VII: Anti-virus and Antispam Software
UNIT VIII: Web Application Security Configuration
UNIT IX: Patch Management


Unit Code SSC/ N 0903

Unit Title (Task) Install, configure and troubleshoot information security devices

Description This unit is about installing/configuring information security devices and
resolving any problems, following clearly laid down instructions and guidelines.
Scope This unit/task covers the following:

Information security devices may cover:


 Identity and Access Management (IdAM)
 networks (wired and wireless)
 devices
 endpoints/edge devices
 storage devices
 servers
 software
 application security
 application support
 application penetration
 application testing
 content management
 messaging
 web security
 security of infrastructure
 infrastructure devices (e.g. routers, firewall services)
 computer assets, servers and storage networks
 intrusion detection/prevention
 security incident management
 third party security management
 personnel security requirements
Appropriate people:
 line manager
 members of the security team
 subject matter experts
Stakeholders:
 internal
 external
Performance Criteria(PC) w.r.t. the Scope

The user / individual on the job should be able to:


PC1. identify the information security devices you are required to install/
configure/troubleshoot and source relevant instructions and guidelines
PC2. identify any issues with instructions and guidelines for
installing/configuring information security devices and clarify these with
appropriate people
PC3. liaise with stakeholders clearly and promptly regarding the installation/
configuration of information security devices
PC4. install/configure information security devices as per instructions and
guidelines
PC5. test installed/configured information security devices, following
instructions and guidelines
PC6. resolve problems with security devices, following instructions and
guidelines
PC7. obtain advice and guidance on
installing/configuring/testing/troubleshooting information security
devices from appropriate people, where required
PC8. record the installation/configuration/testing/troubleshooting of
information security devices promptly using standard templates and
tools
PC9. provide reports for troubleshooting, configurations and deployment
using standard templates and tools
PC10. comply with your organization’s policies, standards, procedures,
guidelines and service level agreements (SLAs) when installing /
configuring / troubleshooting information security devices
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company / organization and its processes)

The user/individual on the job needs to know and understand:

KA1. your organization’s policies, procedures, standards, guidelines and client
specific service level agreements for installing, configuring and
troubleshooting information security devices
KA2. limits of your role and responsibilities and who to seek guidance from
where required
KA3. your organization’s systems, procedures and tasks/checklists relevant to
your work and how to use these
KA4. the importance of following manufacturer’s installation guides and
procedures and how to access and apply these to install, configure and
troubleshoot information security devices
KA5. who to involve when installing, configuring and troubleshooting
information security devices
KA6. methods and techniques used when working with others
KA7. the importance of recording issues when installing/configuring/
troubleshooting information security devices and how to report these
KA8. standard tools and templates available and how to use these to record
installation/configuration/troubleshooting
B. Technical Knowledge

The user/individual on the job needs to know and understand:

KB1. different types of information security devices and their functions
KB2. different technical and configuration specifications for information
security devices and how this affects function and use
KB3. architecture concepts and design patterns and how these contribute to
the security of design and devices
KB4. common issues that may occur when installing or configuring
information security devices and how to resolve these
KB5. methods of testing installed/configured information security devices


THE UNITS

The module for this NOS is divided into 9 units.

UNIT I: Configuring Network Devices


1.1. Identifying Unauthorized Devices
1.2. Testing the Traffic Filtering Devices
1.3. Solutions Combining Traffic Filtering with Other Technologies
UNIT II: Configuring Secure Content Management
2.1 Secure Content Management Overview
2.2 The importance of Secure Content Management
2.3 How does Secure Content Management Work?
2.4 Solution Architectures
UNIT III: Configuring Firewall
3.1. What Firewall Software Does?
3.2. Firewall Configuration
3.3. Why Firewall Security?
3.4. Configuring a Simple Firewall
UNIT IV: Troubleshooting Cisco IOS Firewall Configurations
4.1 Troubleshooting Cisco IOS Firewall Configurations
UNIT V: Cisco IOS Firewall IDS
5.1 Cisco IOS Firewall IDS feature
5.2 Cisco IOS Firewall IDS Signature List
5.3 Cisco IOS Firewall IDS Configuration Task List
UNIT VI: IPS Configuration
6.1 Understanding IPS Network Sensing
6.2 Overview of IPS Configuration
UNIT VII: Anti-virus and Antispam Software
7.1 Antivirus Software
7.2 Antispam Software
UNIT VIII: Web Application Security Configuration
8.1 Web Application Security Overview
8.2 Configuring Cisco Web Application Security Module
UNIT IX: Patch Management
9.1 Patch Management Overview
9.2 The Patch Management Process
9.3 Windows Patch Management Tools


UNIT I
Configuring Network Devices

This Unit covers:


 Lesson Plan
1.1. Identifying Unauthorized Devices
1.2. Testing the Traffic Filtering Devices
1.3. Solutions Combining Traffic Filtering with Other
Technologies


LESSON PLAN

Performance Outcomes
PC1. identify the information security devices you are required to install/configure/troubleshoot and source relevant instructions and guidelines
PC2. identify any issues with instructions and guidelines for installing/configuring information security devices and clarify these with appropriate people
PC3. liaise with stakeholders clearly and promptly regarding the installation/configuration of information security devices
PC4. install/configure information security devices as per instructions and guidelines
PC5. test installed/configured information security devices, following instructions and guidelines
PC6. resolve problems with security devices, following instructions and guidelines
PC7. obtain advice and guidance on installing/configuring/testing/troubleshooting information security devices from appropriate people, where required
PC8. record the installation/configuration/testing/troubleshooting of information security devices promptly using standard templates and tools
PC9. provide reports for troubleshooting, configurations and deployment using standard templates and tools
PC10. comply with your organization’s policies, standards, procedures, guidelines and service level agreements (SLAs) when installing/configuring/troubleshooting information security devices

Ensuring Measures
The learners must demonstrate all PCs on given work tasks.

Work Environment / Lab Requirement (KA1 to KA13)
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Networking equipment: routers and switches
 Firewalls and access points
 Access to all security sites like ISO, PCI DSS
 Commercial tools like HP WebInspect and IBM AppScan etc.
 Open source and free tools like sqlmap, Nessus etc.
 Security templates from ITIL


You need to know and understand:
KA1. your organization’s policies, procedures, standards, guidelines and client specific service level agreements for installing, configuring and troubleshooting information security devices
KA2. limits of your role and responsibilities and who to seek guidance from where required
KA3. your organization’s systems, procedures and tasks/checklists relevant to your work and how to use these
KA4. the importance of following manufacturer’s installation guides and procedures and how to access and apply these to install, configure and troubleshoot information security devices
KA5. who to involve when installing, configuring and troubleshooting information security devices
KA6. methods and techniques used when working with others
KA7. the importance of recording issues when installing/configuring/troubleshooting network devices and how to report these
KA8. standard tools and templates available and how to use these to record installation/configuration/troubleshooting
KB3. architecture concepts and design patterns and how these contribute to the security of design and devices
KB4. common issues that may occur when installing or configuring information security devices and how to resolve these
KB5. methods of testing installed/configured information security devices

Ensuring Measures
KA1-KA3: QA session and a descriptive write-up on understanding.
KA4, KA7: Group presentation and peer evaluation along with faculty.
KA5, KA6: Presentation of a best practices document by the peer group to the faculty and loading the same into different sites.
KA8: Presentation of the customized templates by peer groups and validation of them by faculty.
KB1 – KB5: Installation and configuration of security tools in the lab environment by peer groups and validation by the faculty.


Lesson

1.1. Identifying Unauthorized Devices


Most organizations today use some form of asset management. These systems work great for
managing assets that are known and permitted within the environment, but offer little visibility or
control over rogue machines that may be connecting to the network.

The challenge with rogue devices is that they are not part of the management framework. This
means that they are not part of any standards, policies, security controls, or patch updates. They
pose a unique threat to an environment.

Consider a server that a developer built to test something and never decommissioned. This server
remains online, running company code on an unpatched database. Without actively monitoring the
network, there is no way that an administrator can have any real idea of the volume of unmanaged
systems on the network.

The greater the number of unmanaged systems, the greater the risk to the network. Where
administrators have audited the network, typically between 1 percent and 10 percent of assets were
previously unknown to the administrator. Once detected, local system administrators can manage
modest numbers of assets. However, if the volume or location of rogue assets is excessive or
dangerous, these results provide justification and motivation for automated and proactive
enforcement performed by Network Access Control.

Identify Assets
There are two general approaches to identifying assets on the network, techniques that are very
similar in nature to finding viruses:

 on-access or real-time detection;
 on-demand or scheduled detection.

Note that the optimal solution is likely to be able to cater for both approaches to device
identification.

Real-time detection - Relies on detection of traffic generated by the endpoint. The benefit is its
timely nature—detection is immediate. Consequently, you can take action very quickly. The
downside of this approach is that since detection is based on traffic generated by the endpoint,
there must be a sensor located near this traffic. This technique may not be practical for all network
topologies.

Scheduled detection - The system queries network addresses for a response according to a
schedule. This model can overcome the proximity limitations of the first approach. Sensors can
execute scans from a limited number of locations or a single location on the network. The
downside of this approach is that detection is not immediate. It is limited to the detection interval
determined by the schedule: a rogue system that is connected only outside the scheduled scan
window operates on the network between detection scans and escapes identification.

A further step in identifying unauthorised devices is deploying an asset inventory tool.


Asset Inventory Tool


Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory
of systems connected to an organization’s public and private network(s). Both active tools that scan
through network address ranges and passive tools that identify hosts by analysing their traffic
should be employed.

Deploy DHCP server logging, and use the lease information it produces to improve the asset
inventory and detect unknown systems.

All equipment acquisitions should automatically update the inventory system as new, approved
devices are connected to the network.

Maintain an asset inventory of all systems connected to the network and the network devices
themselves recording at least the network addresses, machine name(s), purpose of each system, an
asset owner responsible for each device, and the department associated with each device.

The inventory should include every system that has an Internet Protocol (IP) address on the network,
including but not limited to desktops, laptops, servers, network equipment (routers, switches,
firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses,
virtual addresses, etc.

The asset inventory created must also include data on whether the device is a portable and/or
personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic
devices that store or process data must be identified, regardless of whether or not they are attached
to the organization’s network. Make sure that asset inventory database is properly protected and a
copy stored in a secure location.

In addition to an inventory of hardware, organizations should develop an inventory of information
assets that identifies their critical information.

Information asset inventory should map critical information to the hardware assets (including
servers, workstations, and laptops) on which it is located. A department and individual responsible
for each information asset should be identified, recorded, and tracked.

Further to the asset inventory tool the organisation needs to:


 Deploy network level authentication via 802.1x to limit and control which devices can be
connected to the network.
 Deploy network access control (NAC) to monitor authorized systems so if attacks occur, the
impact can be remediated by moving the untrusted system to a virtual local area network
that has minimal access.
 Create separate VLANs for BYOD (bring your own device) systems or other untrusted
devices.
 Utilize client certificates to validate and authenticate systems prior to connecting to the
private network.

Organizations must first establish information/asset owners, deciding and documenting which
organizations and individuals are responsible for each component of a business process that includes
information, software, and hardware. In particular, when organizations acquire new systems, they
record the owner and features of each new asset, including its network interface media access
control (MAC) address and location. This mapping of asset attributes and owner-to-MAC address can
be stored in a free or commercial database management system.


Use tools to pull information from network assets such as switches and routers regarding the
machines connected to the network.

Using securely authenticated and encrypted network management protocols, tools can retrieve MAC
addresses and other information from network devices that can be reconciled with the
organization’s asset inventory of servers, workstations, laptops, and other devices. Once MAC
addresses are confirmed, switches should implement 802.1x and NAC to only allow authorized
systems that are properly configured to connect to the network.

Effective organizations configure free or commercial network scanning tools to perform network
sweeps on a regular basis, sending a variety of different packet types to identify devices connected
to the network. In addition to active scanning tools that sweep the network, other asset
identification tools passively listen on network interfaces looking for devices to announce their
presence by sending traffic. Such passive tools can be connected to switch span ports at critical
places in the network to view all data flowing through such switches, maximizing the chance of
identifying systems communicating through those switches. Whether physical or virtual, each
machine using an IP address should be included in an organization’s asset inventory.

The system must be capable of identifying any new unauthorized device connected to the network
within 24 hours, alerting or sending e-mail notification to a list of enterprise administrative
personnel. The system must automatically isolate the unauthorized system from the network within
one hour of the initial alert.

Send a follow-up alert or e-mail notification when isolation is achieved. Every 24 hours after that
point, the system must alert or send e-mail about the status of the system until the unauthorized
system has been removed from the network. The asset inventory database and alerting system must
be able to identify the location, department, and other details of where authorized and
unauthorized devices are plugged into the network.

To evaluate the implementation of this control (Critical Security Control 1, Inventory of Authorized
and Unauthorized Devices, from which these requirements are drawn) on a periodic basis, the
evaluation team connects hardened test systems to at least 10 locations on the network, including a
selection of subnets associated with demilitarized zones (DMZs), workstations, and servers. Two of
the systems must be included in the asset inventory database, while the other systems are not. The
evaluation team must then verify that the systems generate an alert or e-mail notice regarding the
newly connected systems within 24 hours of the test machines being connected to the network. The
evaluation team must verify that the system provides details of the location of all the test machines
connected to the network. For those test machines included in the asset inventory, the team must
also verify that the system provides information about the asset owner. The evaluation team must
then verify that the test systems are automatically isolated from the production network within one
hour of initial notification and that an e-mail or alert indicating the isolation has been sent. The team
must then verify that the connected test systems are isolated from production systems.
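The reconciliation this lesson describes (DHCP lease logging, pulling MAC addresses from switches, matching both against the asset inventory, and alerting with the 24-hour detection and one-hour isolation deadlines) as a worked Python example. It is added here and is not code from the handbook or from any inventory product; the inventory, the dhcpd-style log lines and the switch MAC table are constructed sample data, and the timestamps in demo() are assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed authorized inventory (sample data, not a real network): MAC -> attributes
INVENTORY = {
    "00:11:22:33:44:55": {"name": "fileserver01", "owner": "IT Ops", "dept": "Finance"},
    "00:11:22:33:44:66": {"name": "ws-acct-07", "owner": "J. Rao", "dept": "Accounts"},
}

# Constructed ISC dhcpd-style syslog lines; only DHCPACK means a lease was actually handed out
DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via eth0
Mar  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.1.20.7 to 00:11:22:33:44:66 (ws-acct-07) via eth0
Mar  3 09:47:33 dhcp1 dhcpd: DHCPACK on 10.1.20.88 to a4:5e:60:12:ab:cd (android-9f3) via eth0
"""

# Constructed "show mac address-table" output from an access switch (Cisco-style dotted MACs)
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  20    0011.2233.4466    DYNAMIC     Gi1/0/7
  20    a45e.6012.abcd    DYNAMIC     Gi1/0/12
  20    0050.56ab.0001    DYNAMIC     Gi1/0/13
"""

DHCPACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((.*?)\))?", re.I)
MAC_TABLE_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


def normalize_mac(mac):
    """Canonical lower-case aa:bb:cc:dd:ee:ff form; accepts the Cisco dotted form too."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("malformed MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp_acks(log):
    """MAC -> {ip, hostname} for every lease actually granted (DHCPACK lines only)."""
    seen = {}
    for line in log.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            seen[normalize_mac(mac)] = {"ip": ip, "hostname": host or ""}
    return seen


def parse_mac_table(dump):
    """MAC -> {vlan, port}: where on the switch the device is physically plugged in."""
    seen = {}
    for line in dump.splitlines():
        m = MAC_TABLE_RE.match(line)
        if m:
            vlan, mac, port = m.groups()
            seen[normalize_mac(mac)] = {"vlan": int(vlan), "port": port}
    return seen


def reconcile(inventory, **observations):
    """Merge every observation source by MAC and split into known vs unauthorized devices."""
    merged = {}
    for source, obs in observations.items():
        for mac, attrs in obs.items():
            entry = merged.setdefault(mac, {"sources": []})
            entry.update(attrs)
            entry["sources"].append(source)
    known = {m: dict(inventory[m], **a) for m, a in merged.items() if m in inventory}
    unknown = {m: a for m, a in merged.items() if m not in inventory}
    return known, unknown


def alerts_for(unknown, first_seen, alerted_at):
    """One alert per rogue MAC, carrying location details and the lesson's two SLA checks."""
    return [{
        "mac": mac,
        "ip": attrs.get("ip", "unknown"),
        "location": "vlan %s port %s" % (attrs.get("vlan", "?"), attrs.get("port", "?")),
        "detected_in_sla": alerted_at - first_seen <= timedelta(hours=24),  # alert within 24 h
        "isolate_by": alerted_at + timedelta(hours=1),                       # quarantine within 1 h
    } for mac, attrs in sorted(unknown.items())]


def demo():
    known, unknown = reconcile(INVENTORY,
                               dhcp=parse_dhcp_acks(DHCP_LOG),
                               switch=parse_mac_table(SWITCH_MAC_TABLE))
    # Assumed timestamps: the android device first leased at 09:47:33, the sweep ran at 10:00
    alerts = alerts_for(unknown, datetime(2015, 3, 3, 9, 47, 33), datetime(2015, 3, 3, 10, 0, 0))
    return known, unknown, alerts


if __name__ == "__main__":
    for a in demo()[2]:
        print("ROGUE %(mac)s ip=%(ip)s at %(location)s isolate_by=%(isolate_by)s" % a)
```

Two things the output shows that neither source shows alone: the VMware-style MAC on Gi1/0/13 never took a DHCP lease (a statically addressed host, invisible to DHCP logging but caught by the switch table), and the inventory row for the authorized workstation is enriched with the switch port it is plugged into, which is the location detail the alerting system is required to provide.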


1.2. Testing the Traffic Filtering Devices

To reduce security threats, organisations use various devices, technologies and techniques for
traffic filtering. Each institution/organisation that wishes to improve the efficiency of filtering and
increase the level of security in its network should apply the following four basic recommendations:

1. Define traffic-filtering rules that will determine the manner in which the incoming and outgoing
traffic flows in the network will be regulated. A set of traffic-filtering rules can be adopted as an
independent packet filtering policy or as a part of the information security policy;

2. Select a traffic-filtering technology that will be implemented depending on the requirements
and needs;

3. Implement defined rules on the selected technology and optimise the performance of devices
accordingly;

4. Maintain all the components of the solution, including not only devices, but also the policy.

Traffic-filtering technologies are commonly divided into:

 packet filtering/stateless firewall technologies;
 stateful firewall technologies.

The packet-filtering functionality (stateless firewall) is built into the majority of operating systems
and devices with a traffic routing feature. In most cases, it is a router on which access control lists
(ACLs) are applied. A packet filter implemented on a router is the simplest, but only one of the
available traffic-filtering methods.

Packet filtering is the basic feature of all firewall devices. The first firewall devices, with only a packet
filter, were also called stateless inspection firewalls. Unlike them, modern firewall devices provide
far more possibilities for packet filtering. A packet filter enables the control of access to resources by
deciding whether a packet should be allowed to pass, based on the information contained in the IP
packet header. The packet filter does not analyse the content of the packet (unlike a content filter),
nor does it attempt to determine the session to which an individual packet belongs based on the
information in the TCP or UDP header, and therefore it makes no further decisions in that regard. For
this reason, the process is also known as stateless packet inspection. Because it does not track the
state of connections, it is necessary to explicitly allow both directions of a connection when
configuring a stateless firewall device. Stateless firewall devices analyse each packet individually and
filter it based on the information contained in Layers 3 and 4 of the OSI reference model. A filtering
decision is made based on the following information:

 source IP address;
 destination IP address;
 protocol;


 source port number;
 destination port number.

They are commonly implemented as a part of the functionality on routers (ACL, firewall filters, etc.),
but can also be implemented on servers.

The advantages of applying packet filters:

 simple implementation;
 supported by most routers, so there is no need to invest in new equipment and software;
 rarely cause bottlenecks in the area of their application, even at high speeds in Gigabit
networks.

The disadvantages of applying packet filters:

 vulnerability to IP spoofing attacks;
 vulnerability to attacks that exploit problems within the TCP/IP specification and the
protocol stack;
 problems with filtering fragmented packets (causing interoperability problems and non-functioning
VPN connections);
 no support for the dynamic filtering of some services, namely those that require dynamic
negotiation of the ports that will be used in the communication (e.g. passive FTP).

Stateful packet inspection improves the packet filtering process by monitoring the state of each
connection established through the firewall device. The TCP protocol allows two-way
communication, and TCP traffic is characterised by three phases: establishing the connection, data
transfer, and terminating the connection. In the connection establishment phase, stateful packet
inspection records each connection in the state-table. In the data transfer phase, the device
monitors certain parameters in the header of the L3 packet and L4 segment and makes a filtering
decision depending on their values and the content of the state-table. The state-table contains all
currently active connections. As a result, an attacker who spoofs a packet whose header claims that it
belongs to an established connection is detected by a stateful inspection firewall, which verifies
whether that connection is recorded in the state-table; a stateless filter has no way to make this
distinction. The state-table contains the following information:

 source IP address;
 destination IP address;
 source port number;
 destination port number;
 TCP sequence numbers;
 TCP flag values.


The state of the synchronize (SYN), reset (RST), acknowledgment (ACK) and finish (FIN) flags is
monitored within the TCP header and a conclusion is reached about the state of a specific
connection. The UDP protocol does not have a formal procedure for establishing and terminating a
connection. However, devices with stateful inspection can monitor the state of individual flows and
match different flows when they logically correspond to each other (e.g., a DNS response from an
external server will only be allowed to pass if the corresponding DNS query from the internal source
to that server has previously been recorded).
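The difference between the stateless filter described above (both directions must be allowed explicitly, and the return rule can only key on header fields) and stateful inspection (return traffic is admitted only when the state-table records the matching outbound connection or flow, including the DNS query/response case just mentioned), as a worked Python simulation. This is an added example, not code from the handbook or from any firewall vendor; the 10.0.0.0/8 inside network, the rule format, the packet fields and the traffic are assumptions made for the illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# A packet reduced to the header fields a Layer 3/4 filter can see
Packet = namedtuple("Packet", "src dst proto sport dport flags")
INTERNAL = ip_network("10.0.0.0/8")   # assumed inside address space


def matches(rule, pkt):
    """Does the packet satisfy every field of the rule? 'any' is a wildcard."""
    for field, want in rule.items():
        if field == "action" or want == "any":
            continue
        have = getattr(pkt, field)
        if field in ("src", "dst"):
            if ip_address(have) not in ip_network(want):
                return False
        elif field == "flags":
            if want not in have:          # like a router ACL's "established": ACK bit set
                return False
        elif have != want:
            return False
    return True


def stateless_filter(rules, pkt):
    """First-match evaluation with an implicit deny at the end, as on a router ACL."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"


# Policy: inside clients may use external DNS and HTTP. The stateless device needs the
# RETURN direction written out, and those return rules can only key on header fields
# (source port 53, the ACK flag), so they also admit unsolicited traffic shaped that way.
STATELESS_RULES = [
    {"src": "10.0.0.0/8", "dst": "0.0.0.0/0", "proto": "udp", "sport": "any", "dport": 53, "action": "permit"},
    {"src": "0.0.0.0/0", "dst": "10.0.0.0/8", "proto": "udp", "sport": 53, "dport": "any", "action": "permit"},
    {"src": "10.0.0.0/8", "dst": "0.0.0.0/0", "proto": "tcp", "sport": "any", "dport": 80, "action": "permit"},
    {"src": "0.0.0.0/0", "dst": "10.0.0.0/8", "proto": "tcp", "flags": "ACK", "action": "permit"},
]


class StatefulFilter:
    """Only the outbound policy is configured; return traffic is admitted from the state-table."""

    def __init__(self, outbound_rules):
        self.rules = outbound_rules
        self.state = set()   # 5-tuples of permitted outbound TCP connections / UDP flows

    @staticmethod
    def key(pkt):
        return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    @staticmethod
    def reverse_key(pkt):
        return (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)

    def inspect(self, pkt):
        if ip_address(pkt.src) in INTERNAL:              # outbound: the policy decides
            if stateless_filter(self.rules, pkt) != "permit":
                return "deny"
            if pkt.proto == "udp" or "SYN" in pkt.flags:  # new flow, or TCP connection setup
                self.state.add(self.key(pkt))
            return "permit"
        # inbound: admitted only as the reverse of a recorded connection/flow.
        # (A real device also checks sequence numbers and removes entries on FIN/RST/timeout.)
        return "permit" if self.reverse_key(pkt) in self.state else "deny"


def run_scenario():
    """Constructed traffic: legitimate DNS and HTTP exchanges plus two spoofed inbound packets."""
    traffic = {
        "dns_query":   Packet("10.1.20.7", "8.8.8.8", "udp", 51234, 53, ()),
        "dns_reply":   Packet("8.8.8.8", "10.1.20.7", "udp", 53, 51234, ()),
        "dns_spoof":   Packet("203.0.113.9", "10.1.20.7", "udp", 53, 4444, ()),        # no matching query
        "http_syn":    Packet("10.1.20.7", "93.184.216.34", "tcp", 40000, 80, ("SYN",)),
        "http_synack": Packet("93.184.216.34", "10.1.20.7", "tcp", 80, 40000, ("SYN", "ACK")),
        "ack_scan":    Packet("203.0.113.9", "10.1.10.5", "tcp", 80, 3389, ("ACK",)),  # forged "established"
    }
    stateful = StatefulFilter(STATELESS_RULES[0::2])   # outbound rules only (DNS out, HTTP out)
    return {name: (stateless_filter(STATELESS_RULES, p), stateful.inspect(p))
            for name, p in traffic.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print("%-12s stateless=%-6s stateful=%s" % (name, stateless, stateful))
```

The two spoofed packets are the point: a packet from anywhere with source port 53, and a bare ACK aimed at an inside RDP port, both sail through the stateless rule set because its return rules cannot ask "did we send the request?", while the stateful device denies them for lack of a state-table entry.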

The advantages of applying stateful firewall devices:

 a higher level of protection compared to stateless firewall devices (greater efficiency and more
detailed traffic analysis);
 detection of IP spoofing and DoS attacks;
 more log information compared to packet filters.

The disadvantages of applying stateful firewall devices:

 no protection against application layer attacks;
 performance degradation of the router on which they are deployed (this depends on the size
of the network and other services run on the router);
 not all of them provide support for UDP, GRE and IPSEC protocols, treating them in the same
way as stateless firewall devices;
 no support for user authentication.

Lately, attempts have been made to improve the standard stateful packet inspection technology by
adding basic elements of intrusion detection technology. The improved version is called stateful
protocol analysis, also known as Deep Packet Inspection (DPI): analysis of the data at the application
layer. The devices resulting from this development trend include Application Firewalls, Application
Proxy Gateways and proxy servers. Unlike stateful firewall devices, which filter traffic based on the
data on layers 3, 4 and 5 of the OSI reference model, these devices also enable traffic filtering based
on the information on the application layer of the OSI reference model (Layer 7).

Application Firewall
Application Firewall (AF) devices perform a stateful protocol analysis of the application layer. They
support numerous common protocols, such as HTTP, SQL, e-mail service (SMTP, POP3 and IMAP),
VoIP and XML. Stateful protocol analysis relies on predefined profiles of acceptable operating modes
for the selected protocol, enabling the identification of potential deviations and irregularities in the
message flow of the protocol through the device. Problems may arise if there is a conflict between
the operating mode of a specific protocol, which is defined on the AF device, and the way in which
the protocol is implemented in the specific version of the application or of the operating systems
used in the network.


Stateful protocol analysis can:

 determine whether an e-mail message contains a type of attachment that is not allowed (e.g.,
executable files);

 determine whether instant messaging is being tunnelled over an HTTP port;

 block the connection through which an unwanted command is executed (e.g., an FTP put
command, STOR, on the FTP server);

 block access to a page with unwanted active content (e.g., Java applets);

 identify an irregular sequence of commands exchanged between two hosts (e.g., an unusually
large number of repetitions of the same command, or the use of a command before the
command it depends on);

 verify individual commands and the minimum and maximum length of their arguments (e.g.,
the number of characters in a username).

An AF device cannot detect attacks that comply with the accepted rules of operation of a protocol,
such as DoS (Denial of Service) attacks caused by repeating a large number of acceptable message
sequences in a short time interval. Due to the complexity of the analysis performed and the large
number of concurrent sessions monitored, the main disadvantage of stateful protocol analysis is the
heavy processing and memory load it places on AF devices.
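The following worked example, added here and not taken from the handbook, models the kind of per-protocol profile described above for an FTP control channel: a state machine for the command sequence (PASS only after USER, data commands only after login), argument length limits per command, a cap on consecutive repetitions of one command, and a local policy that denies the FTP put command (STOR). The FTP command names are real; the states, limits, the "repeat" threshold and the sample sessions are assumptions constructed for the example.

```python
"""Stateful protocol analysis of an FTP control channel (added example).

Models the per-protocol profile an application firewall applies to FTP
commands. Command verbs are the real FTP ones; states, limits and sample
sessions are assumptions constructed for this example.
"""
from dataclasses import dataclass

# Profile: command -> (states in which it is acceptable, min and max argument length)
PROFILE = {
    "USER": ({"NEW"}, 1, 64),
    "PASS": ({"USER_GIVEN"}, 0, 128),
    "PWD":  ({"AUTHED"}, 0, 0),
    "CWD":  ({"AUTHED"}, 1, 255),
    "PASV": ({"AUTHED"}, 0, 0),
    "LIST": ({"AUTHED"}, 0, 255),
    "RETR": ({"AUTHED"}, 1, 255),
    "STOR": ({"AUTHED"}, 1, 255),   # valid in the protocol, denied by local policy below
    "QUIT": ({"NEW", "USER_GIVEN", "AUTHED"}, 0, 0),
}
# State changes caused by accepted commands; any other accepted command keeps the state.
TRANSITIONS = {("NEW", "USER"): "USER_GIVEN", ("USER_GIVEN", "PASS"): "AUTHED"}
POLICY_DENIED = {"STOR"}   # "FTP put": uploading to the server is not allowed
MAX_REPEAT = 5             # more consecutive repetitions of one command than this is flagged


@dataclass
class FtpSession:
    state: str = "NEW"
    last_cmd: str = ""
    repeat: int = 0


def inspect_command(sess: FtpSession, line: str) -> str:
    """Return ALLOW, BLOCK:<reason> or ALERT:<reason> for one command line."""
    cmd, _, arg = line.rstrip("\r\n").partition(" ")
    cmd = cmd.upper()
    if cmd not in PROFILE:
        return "BLOCK:unknown-command"
    allowed_states, lo, hi = PROFILE[cmd]
    if sess.state not in allowed_states:
        # e.g. PASS before USER: a command used before the one it depends on
        return f"BLOCK:{cmd}-out-of-sequence-in-{sess.state}"
    if not lo <= len(arg) <= hi:
        return f"BLOCK:{cmd}-argument-length-{len(arg)}"
    if cmd in POLICY_DENIED:
        return f"BLOCK:{cmd}-denied-by-policy"
    # Blocked commands never reach the server, so only accepted ones advance the state.
    sess.repeat = sess.repeat + 1 if cmd == sess.last_cmd else 1
    sess.last_cmd = cmd
    sess.state = TRANSITIONS.get((sess.state, cmd), sess.state)
    if sess.repeat > MAX_REPEAT:
        return f"ALERT:{cmd}-repeated-{sess.repeat}"
    return "ALLOW"


def analyse_session(lines) -> list:
    """Run one client's command sequence through a fresh session."""
    sess = FtpSession()
    return [inspect_command(sess, ln) for ln in lines]


if __name__ == "__main__":
    # Constructed sample session: login, directory query, upload attempt, download.
    sample = ["USER alice", "PASS s3cret", "PWD", "STOR evil.exe", "RETR report.pdf"]
    for ln, verdict in zip(sample, analyse_session(sample)):
        print(f"{ln:20} -> {verdict}")
```

Note that a blocked command does not change the session state, because it is never forwarded to the server; this is what lets the profile reject PASS without a preceding USER while still accepting a later, correctly ordered login.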

Application Proxy Gateway


Application Proxy Gateway (APG) devices also analyse the traffic flow on the application layer.
Compared to AF devices, they provide a higher level of security for individual applications, since they
never allow a direct connection between two hosts and they can inspect the content of application-
layer messages.

APG devices contain so-called proxy agents, or “intermediaries”, in the communication between two
end hosts and thereby prevent direct communication between them. Each successful connection
between the end hosts consists of two connections: one between the client and the proxy, and the
other between the proxy and the destination device. Based on the filtering rules defined on the APG
device, the proxy agents decide whether network traffic is allowed or not. Traffic-filtering decisions
can also be made on the basis of the header of an application-layer message, or even of the content
carried by that message. In addition, proxy agents can require user authentication. Some APG devices
can decrypt packets (e.g., TLS-protected payloads), analyse them and re-encrypt them before
forwarding them to the destination host. Packets that cannot be decrypted are simply forwarded
through the device, so such traffic is a blind spot that the filtering policy must deal with explicitly
(e.g., by blocking it).

Compared to packet filters and stateful devices, APG devices have a number of drawbacks. Their
manner of operation requires significantly more resources: more memory and more processor time
to analyse and interpret each packet passing through the device. As a result, APG devices are not
suitable for filtering applications that are demanding in terms of bandwidth or sensitive to delay
(real-time applications). Another drawback is the limited number of services that can be filtered.
Each type of traffic passing through the device requires a specific proxy agent that acts as the
intermediary, so APG devices do not always support the filtering of new applications or protocols.
Because of their price, APG devices are usually reserved for protecting data centres or other
networks containing publicly available servers of high importance to the organisation. In order to
reduce the load on APG devices and achieve greater efficiency, modern networks increasingly use
dedicated proxy servers for specific services that are not sensitive to delay (e.g., e-mail or web proxy
servers).
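The following worked example, added here and not taken from the handbook, shows the decision logic of an HTTP proxy agent on an APG device: the agent terminates the client connection, parses the request, requires proxy authentication, applies header-based rules (method, Host) and content-based rules (upload type, executable bytes in the body), and, if the request is allowed, builds the request it will send over its own second connection to the origin server, dropping the hop-by-hop headers that belong only to the client-to-proxy leg. Socket handling is omitted; the user database, host lists and sample requests are constructed assumptions, and X-Forwarded-User is a hypothetical header name chosen for the example.

```python
"""Proxy-agent decision logic of an application proxy gateway for HTTP (added example).

Terminates and parses a client request, applies header- and content-based
rules, and builds the request for the proxy's own connection to the origin.
The credential store, host lists and sample requests are constructed.
"""
import base64

USERS = {"alice": "secret"}                    # constructed credential store
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
DENIED_HOSTS = {"filesharing.example"}
DENIED_UPLOAD_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
MAX_HEADER_BYTES = 8192
# Headers that belong to the client<->proxy hop and must not be forwarded.
HOP_BY_HOP = {"proxy-authorization", "proxy-connection", "connection",
              "keep-alive", "te", "trailer", "transfer-encoding", "upgrade"}


def basic_header(user: str, password: str) -> str:
    """Value of a Proxy-Authorization header for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, version, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or len(head) > MAX_HEADER_BYTES:
        raise ValueError("missing end of headers or header block too large")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for ln in lines[1:]:
        name, colon, value = ln.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def authenticated_user(headers):
    """Return the user name if Proxy-Authorization carries valid Basic credentials."""
    scheme, _, cred = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(cred).decode().partition(":")
    except Exception:
        return None
    return user if USERS.get(user) == password else None


def proxy_decision(raw: bytes):
    """Return (verdict, reason, request_to_origin or None)."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError as exc:
        return "BLOCK", f"parse error: {exc}", None
    user = authenticated_user(headers)
    if user is None:
        return "BLOCK", "407 proxy authentication required", None
    if method not in ALLOWED_METHODS:
        return "BLOCK", f"method {method} not allowed", None
    host = headers.get("host", "").split(":")[0].lower()
    if not host or host in DENIED_HOSTS:
        return "BLOCK", f"host '{host}' denied", None
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method == "POST" and ctype in DENIED_UPLOAD_TYPES:
        return "BLOCK", f"upload of {ctype} denied", None
    if body[:2] == b"MZ":      # content check: DOS/PE executable magic in the body
        return "BLOCK", "executable content in body", None
    # Build the request for the proxy's own (second) connection to the origin server.
    out = [f"{method} {target} {version}"]
    out += [f"{name}: {value}" for name, value in headers.items() if name not in HOP_BY_HOP]
    out.append(f"X-Forwarded-User: {user}")   # hypothetical header added by the proxy
    forwarded = ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1") + body
    return "ALLOW", f"user {user}", forwarded
```

The origin server only ever sees a request that the proxy composed itself, which is the practical meaning of "no direct connection between the two hosts": the client's raw bytes, including its Proxy-Authorization header, never cross the proxy.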

Dedicated Proxy Server


Like APG devices, Dedicated Proxy (DP) servers act as “intermediaries” in the communication
between two hosts, but their traffic-filtering capabilities are considerably narrower. They are
intended to analyse the operation of specific services and protocols (e.g., HTTP or SMTP). Because of
their limited filtering capabilities, DP servers are deployed behind the firewall in the network
architecture. Their main function is to perform specialised filtering of one type of traffic (based on a
limited set of parameters) and to log it. Offloading these activities significantly reduces the load on
the firewall device in front of the DP server. The most widely used devices of this type are web proxy
servers. A common example is an HTTP proxy server (placed behind the firewall or router) to which
users must connect in order to reach external web servers. If an institution has an outgoing
connection (uplink) of low bandwidth, enabling the caching function is recommended in order to
reduce traffic and improve response times. As the number of web applications and the number of
threats carried over HTTP grow, web proxy servers are growing in significance, and many
manufacturers now add the functionality of various firewall technologies to standard web proxy
servers, increasing their traffic-filtering capabilities.


1.3. Solutions Combining Traffic Filtering with Other Technologies

In addition to their basic purpose of blocking unwanted traffic, firewall devices often combine their
filtering functionality with other technologies, primarily routing; conversely, routers often include
filtering functions. As a result, NAT (Network Address Translation) is sometimes considered a firewall
technology, although it is essentially a routing technology.

Other related functionalities, such as VPN and IDP, are often available on firewall devices. In order to
have a complete overview and due to their frequent use, these technologies are also addressed
briefly in this chapter.

NAT (Network Address Translation)


NAT is a technology that enables devices that use private IP addresses to communicate with devices
on the Internet. This technology translates private IP addresses, which can be used by devices within
a Local Area Network (LAN), into publicly available Internet addresses.

The application of NAT technology may limit (intentionally or unintentionally) the number of
available services, i.e., it may disable the functioning of the services that require direct, end-to-end
connectivity (e.g., VoIP).

There are three types of NAT translations: dynamic, static and PAT.

Dynamic NAT uses a set of publicly available IP addresses, successively assigning them to hosts with
private IP addresses. When a host with a private IP address needs to communicate with a device on
the Internet, dynamic NAT translates its private IP address into a publicly available IP address, by
taking the first available IP address from a defined pool of publicly available IP addresses. Dynamic
NAT is suitable for client computers.

Static NAT provides one-to-one mapping between the private IP address of a host and the public IP
address assigned to it. In this manner, the host with a private IP address always appears on the
Internet with the same public IP address. This is the main difference between static and dynamic
translation. Static NAT is suitable for servers. In both types of translation mentioned above, each
private IP address is translated into a separate, public IP address. In order to support a sufficient
number of simultaneous user sessions, an organisation using dynamic and/or static NAT needs to
have a sufficient number of public IP addresses.

PAT (Port Address Translation, also called NAT overload) maps several private IP addresses onto one
or more public IP addresses. Each connection from a private host is distinguished by the source port
number it is given on the public IP address: PAT ensures that every client on the LAN that establishes
a connection with a device on the Internet is assigned a different port number on the public address.
The response from the Internet is sent to the port from which the request was forwarded, so the
device performing the translation (a router, firewall or server) knows to which LAN host it should
forward the packet. This behaviour raises the security of the LAN to a certain degree, since a
connection from the Internet cannot be established directly with a host on the LAN unless a
translation entry (or an explicitly configured port forward) exists for it. For that reason PAT is
sometimes, incorrectly, regarded as a security technology; it is primarily a routing technology and is
no substitute for a firewall.
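The following worked example, added here and not taken from the handbook, models the two translation tables described above: dynamic NAT, which hands one public address from a pool to each active private host and fails when the pool is exhausted, and PAT, which puts every connection on one public address behind its own source port, maps replies back to the originating host, and drops inbound packets for which no session was opened from inside. The addresses come from the RFC 5737 documentation ranges and every packet is constructed for the example; a real device additionally ages entries out and tracks TCP state.

```python
"""Dynamic NAT and PAT (NAT overload) translation tables (added example).

A minimal model of the two translation types on a router or firewall.
All addresses and packets are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class DynamicNat:
    """One-to-one translation: each active private host takes one public address from a pool."""

    def __init__(self, pool):
        self.free = list(pool)
        self.mapping = {}            # private ip -> public ip

    def outbound(self, pkt: Packet):
        public = self.mapping.get(pkt.src_ip)
        if public is None:
            if not self.free:        # pool exhausted: the new host cannot reach the Internet
                return None
            public = self.free.pop(0)
            self.mapping[pkt.src_ip] = public
        return Packet(public, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)


class Pat:
    """Many-to-one translation: connections share one public address and differ by source port."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound_table = {}     # (proto, priv ip, priv port, dst ip, dst port) -> public port
        self.inbound_table = {}      # (proto, public port, dst ip, dst port) -> (priv ip, priv port)

    def outbound(self, pkt: Packet):
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound_table.get(key)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound_table[key] = port
            self.inbound_table[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """Translate a packet arriving from the Internet, or return None to drop it."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound_table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None              # no session was opened from inside: unsolicited, dropped
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


if __name__ == "__main__":
    pat = Pat("203.0.113.10")
    out = pat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 443))
    print("outbound rewritten to", out)
    print("reply mapped to", pat.inbound(Packet("198.51.100.5", 443, "203.0.113.10", out.src_port)))
    print("unsolicited:", pat.inbound(Packet("198.51.100.99", 22, "203.0.113.10", out.src_port)))
```

The inbound table is keyed on the remote address and port as well as the public port, so a packet from a different Internet host to the same public port is dropped; this is the "incidental" protection the text refers to, and it disappears as soon as an administrator adds a static port forward.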


VPN (Virtual Private Network)


VPN (Virtual Private Network) technology is used to increase the security of data transfer through a
network infrastructure that does not itself provide a sufficient degree of data security. It enables the
encryption and decryption of network traffic between external networks and an internal, protected
network.
VPN functionality can be provided on the firewall device itself or on VPN servers placed behind the
firewall in the network architecture. In many cases, implementing the VPN service on the firewall
device is the best solution. Placing a VPN server behind the firewall requires the VPN traffic to pass
through the firewall in encrypted form, so the firewall cannot inspect, apply access control to, or log
that traffic, and therefore cannot scan it for security threats. Regardless of where it is implemented,
the VPN service requires certain filtering rules on the firewall in order to operate without
interruption. Special attention should therefore be paid to making sure that the protocols and
TCP/UDP services required by the chosen VPN solution are permitted; for IPsec, for example, this
means IKE on UDP port 500, NAT traversal on UDP port 4500 and ESP (IP protocol 50), while
SSL/TLS VPNs typically use TCP port 443.

IDP (Intrusion Detection and Prevention)


Network Intrusion Detection (ID) is based on monitoring computer systems or networks and
analysing the events that occur on them for signs of incidents. Incidents are events that threaten or
violate defined security policies, AUP (Acceptable Use Policy) rules, or generally accepted security
norms. They result from the operation of various malware (e.g., worms, spyware, viruses and
Trojans), from attempts at unauthorised access to a system through public infrastructure (the
Internet), or from authorised system users who abuse their privileges.

Network Intrusion Prevention (IP) includes the process of detecting network intrusion events, but
also includes the process of preventing and blocking detected or potential network incidents.

Network Intrusion Detection and Prevention systems (IDP) are based on identifying potential
incidents, logging information about them, attempting to prevent them and alerting the
administrators responsible for security. In addition to this basic function, IDP systems can also be
used to identify problems concerning the adopted security policies, to document existing security
threats and to discourage individuals from violating security rules. IDP systems use various incident-
detection methods.

There are three primary classes of detection methodology:

1. Signature-based detection
Certain security threats can be recognised by the characteristic form in which they appear. The
behaviour of an already known threat, described in a form that can be used to detect any
subsequent appearance of the same threat, is called an attack signature. Signature-based detection
compares the known forms of a threat with the actual network traffic in order to identify incidents.
Although it can be very effective at detecting repeat appearances of known threats, it is largely
ineffective against completely unknown threats, threats hidden by evasion techniques (e.g.,
encoding, fragmentation or polymorphism), and known threats that have been modified in the
meantime. It is considered the simplest detection method and it cannot be used to monitor and
analyse the state of more complex forms of communication.

2. Anomaly-based detection

This method detects anomalies in a specific traffic flow in the network. Anomalies are identified by
comparing the actual traffic with a defined profile of acceptable traffic. Acceptable traffic profiles are
formed by tracking the typical characteristics of the traffic over a period of time (e.g., the number of
e-mail messages sent by a user, the number of attempts to log in to a host, or the level of processor
utilisation in a given time interval). The behaviour of users, hosts, connections or applications
observed in that interval is then treated as completely acceptable. However, if malicious activity is
present while the profile is being learnt, that activity becomes part of the “normal” baseline and will
not be detected afterwards. Likewise, imprecisely defined profiles of acceptable behaviour cause
numerous false alarms, generated by the system in reaction to legitimate activities on the network.
The greatest advantage of this detection method is its effectiveness in detecting previously unknown
security threats.

3. Detection based on stateful protocol analysis

Stateful protocol analysis compares predefined profiles of how a protocol operates with the actual
data flow of that protocol on the network. These predefined profiles are supplied by the
manufacturers of IDP devices and describe what is and is not acceptable in the exchange of messages
within the protocol. Unlike anomaly-based detection, where profiles are built from the hosts and
activities observed on the specific network, stateful protocol analysis uses general profiles generated
by the equipment manufacturer. Most IDP systems use several detection methods simultaneously,
which gives more comprehensive and precise detection.
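The following worked example, added here and not taken from the handbook, runs the first two detection methods over constructed data. The signature part matches known attack forms in web request targets and shows how a lightly modified known threat (URL-encoded, with an inline SQL comment splitting the keywords) evades a naive match until the input is normalised. The anomaly part learns a per-source baseline of failed SSH logins per minute from auth-log lines and flags observations far above it; it also reproduces the baseline-pollution problem described above, where a burst present during learning inflates the threshold. The signatures, thresholds, log format and log lines are assumptions constructed for the example; the stateful protocol analysis method is illustrated separately by the FTP example earlier in this chapter.

```python
"""Signature-based and anomaly-based detection over constructed log data (added example).

Signatures, thresholds and log lines are assumptions constructed for the example.
"""
import re
import statistics
from collections import Counter, defaultdict
from urllib.parse import unquote

# --- Signature-based detection ---------------------------------------------
SIGNATURES = {
    "sqli-union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "cmd-injection": re.compile(r"[;|&]\s*(cat|id|wget|curl)\b", re.I),
}


def normalise(request_target: str) -> str:
    """Undo common evasions: repeated URL decoding and inline SQL comments."""
    previous = None
    while previous != request_target:           # %2520 -> %20 -> space
        previous, request_target = request_target, unquote(request_target)
    return re.sub(r"/\*.*?\*/", " ", request_target)   # UNION/**/SELECT -> UNION SELECT


def signature_matches(request_target: str) -> list:
    """Names of the signatures that fire on the given request target."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request_target)]


# --- Anomaly-based detection -----------------------------------------------
AUTH_LOG_RE = re.compile(
    r"^(?P<minute>\S+ +\d+ \d\d:\d\d):\d\d \S+ sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+)")

# Constructed learning window: one source with a normal trickle of mistyped passwords.
LEARNING_LOG = [
    "Jan 10 09:00:12 gw sshd[311]: Failed password for alice from 10.0.0.5 port 40001 ssh2",
    "Jan 10 09:01:03 gw sshd[312]: Failed password for alice from 10.0.0.5 port 40002 ssh2",
    "Jan 10 09:01:45 gw sshd[313]: Failed password for bob from 10.0.0.5 port 40003 ssh2",
    "Jan 10 09:02:30 gw sshd[314]: Failed password for alice from 10.0.0.5 port 40004 ssh2",
]


def burst(ip: str, minute: str, n: int) -> list:
    """Constructed helper: n failed logins from ip within one minute (an attack burst)."""
    return [f"{minute}:{i % 60:02d} gw sshd[{900 + i}]: Failed password for root from {ip} port {50000 + i} ssh2"
            for i in range(n)]


def failures_per_minute(lines):
    """{source ip: Counter(minute -> failed logins)} from auth log lines."""
    counts = defaultdict(Counter)
    for ln in lines:
        m = AUTH_LOG_RE.match(ln)
        if m:
            counts[m["ip"]][m["minute"]] += 1
    return counts


def build_baseline(counts):
    """Per-source (mean, population stdev) of failures per minute over the learning window."""
    baseline = {}
    for ip, per_minute in counts.items():
        values = list(per_minute.values())
        baseline[ip] = (statistics.fmean(values), statistics.pstdev(values))
    return baseline


def is_anomalous(baseline, ip, observed, k=3.0, floor=5):
    """True if an observed per-minute count exceeds mean + k*stdev (never below floor)."""
    mean, stdev = baseline.get(ip, (0.0, 0.0))
    return observed > max(floor, mean + k * stdev)
```

The floor keeps a zero-variance baseline (a source seen only once, or never) from alerting on every second failure, while the polluted-baseline case shows why the learning window must be checked for attacks before it is trusted.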

Testing tools are used for testing the detection, recognition and response capabilities of devices that
perform packet filtering (including those that use network address translation), such as firewalls,
IDSes/IPSes, routers and switches. These test the Traffic Filtering devices' ability to detect and/or
block DoS attacks, spyware, backdoors, and attacks against applications such as IIS, SQL Server and
WINS. Standard traffic sessions can be used to test how packet filtering devices handle a variety of
protocols including HTTP, FTP, SNMP and SMTP.

Figure: Intrusion Detection System. The figure classifies intrusion detection systems along six axes
(recovered from the diagram):
 Approach: anomaly detection; signature detection
 Protected system: HIDS; NIDS; hybrids
 Structure: centralised system; distributed system (agent system)
 Data source: audit trail; network packets; system state analysis (kernel, services, files)
 Behaviour after an attack: active IDS; passive IDS
 Analysis timing: on-the-fly processing; interval-based IDS


Summary
 The greater the number of unmanaged systems, the greater the risk to the network. Where
administrators have audited the network, typically between 1 percent and 10 percent of assets
were previously unknown to the administrator.
 In addition to an asset inventory tool, the organisation needs to:
o Deploy network-level authentication via 802.1X to limit and control which devices can
connect to the network.
o Deploy network access control (NAC) to monitor authorised systems, so that if an attack
occurs its impact can be contained by moving the affected system to a virtual local area
network (VLAN) with minimal access.
o Create separate VLANs for BYOD (bring your own device) systems and other untrusted
devices.
o Use client certificates to validate and authenticate systems before they connect to the
private network.
 To reduce security threats, organisations use various devices, technologies and techniques for
traffic filtering. There are four basic recommendations; each institution/organisation that wishes
to improve the efficiency of filtering and raise the level of security in its network should:
o Define traffic-filtering rules that determine how incoming and outgoing traffic in the
network is regulated. A set of traffic-filtering rules can be adopted as an independent
packet-filtering policy or as part of the information security policy;
o Select the traffic-filtering technology to be implemented, depending on requirements and
needs;
o Implement the defined rules on the selected technology and optimise the performance of
the devices accordingly;
o Maintain all the components of the solution, including not only the devices but also the
policy.
 Traffic-filtering technologies are commonly divided into
o packet filtering/stateless firewall
o stateful firewall technologies
o application-layer devices (application firewalls, application proxy gateways and dedicated
proxy servers)
 NAT is a technology that enables devices that use private IP addresses to communicate with
devices on the Internet. This technology translates private IP addresses, which can be used by
devices within a Local Area Network (LAN), into publicly available Internet addresses.
 There are three types of NAT translations: dynamic, static and PAT.


Practical activities:

Activity 1:

Collect information through industry interaction what all they do to manage unauthorised
devices on the network and how these are dealt with.

Activity 2:

Find out about various tools and technologies that are used to monitor and deal with
unauthorised devices.

Check your understanding:


Q. Which are the three primary classes of detection methodology?

a. ________________________________________

b. ________________________________________

c. ________________________________________

Q. What is the main purpose of an asset inventory tool?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. State at least two advantages and two disadvantages of applying packet filters?

Advantages:

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Disadvantages:

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. State at least two advantages and two disadvantages of applying stateful firewall devices?

Advantages:


__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Disadvantages:

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

State TRUE or FALSE

a. Dynamic NAT uses a set of publicly available IP addresses, successively assigning them to
hosts with private IP addresses. ( )
b. PAT (Port Address Translation) provides one-to-one mapping between the private IP address
of a host and the public IP address assigned to it. ( )
c. The packet-filtering functionality (stateless firewall) is built into very few and select
operating systems and devices with a traffic routing feature. ( )
d. As part of asset inventory, only those devices such as mobile phones, tablets, laptops, and
other portable electronic devices that store or process data must be identified, that are
attached to the organization’s network. ( )
e. The disadvantage of stateful firewall device is that it does not detect IP Spoofing and DoS
attacks. ( )



UNIT II
Configuring Secure Content
Management

This Unit covers:

 Lesson Plan
2.1 Secure Content Management Overview
2.2 The importance of Secure Content Management
2.3 How does Secure Content Management Work?
2.4 Solution Architectures


LESSON PLAN

Performance Outcomes:
PC2. identify any issues with instructions and guidelines for installing/configuring information
security devices and clarify these with appropriate people
PC3. liaise with stakeholders clearly and promptly regarding the installation/configuration of
information security devices
PC4. install/configure information security devices as per instructions and guidelines
PC10. comply with your organization’s policies, standards, procedures, guidelines and service level
agreements (SLAs) when installing / configuring information security devices

You need to know and understand:
KA1. your organization’s policies, procedures, standards, guidelines and client specific service level
agreements for installing, configuring information security devices
KA2. limits of your role and responsibilities and who to seek guidance from where required

Ensuring Measures:
The learners must demonstrate all PCs on given work tasks.
KA1-KA3: QA session and a descriptive write-up on understanding.
Installation and configuration of security tools in the lab environment by peer groups and
validation by the faculty.

Work Environment / Lab Requirement (KA1 to KA13):
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with Wi-Fi (Min 2 Mbps Dedicated)
Networking Equipment: Routers & Switches, Firewalls and Access Points
Access to all security sites like ISO, PCI DSS
Commercial tools like HP WebInspect and IBM AppScan etc.
Open source and free tools like sqlmap, Nessus etc.
Security templates from ITIL


Lesson

2.1 Secure Content Management - Overview


Organizations are increasingly moving toward collaboration: encouraging use of the Internet for
knowledge access and productivity, advocating widespread adoption of e-mail as a communication
medium and promoting instant messaging for better coordination. The global nature of business
transactions, involving service providers and third-party solutions, relies on communication protocols
such as SMTP, HTTP, HTTPS, FTP and IPsec VPN for the exchange of information and the execution of
transactions. This has made organizations increasingly dependent on the inbound and outbound
traffic flowing across their boundaries. Internet technology, with its open architecture, inherently
provides access to every resource connected to the World Wide Web, so users can connect to
legitimate and illegitimate web sources alike. This may expose organizations to serious security
threats: outward and inward connections have the potential to jeopardize an organization’s security
posture, and they also create possibilities of data leakage from the organization to the outside
world. Security threats increasingly exploit these connections, channels, protocols and traffic to
perpetrate attacks.

The advent of Web 2.0 technologies and the proliferation of file-sharing protocols, data-sharing
portals, media streaming and similar services used by employees expand the attack surface of an
organization and create enormous opportunities for external threats to exploit weaknesses. Allowing
inbound and outbound connections, i.e., giving employees access to initiate or receive traffic, also
raises employee productivity issues and contributes to bandwidth problems, since connections to
public or media-streaming sites consume the organization’s network bandwidth.

While allowing legitimate traffic, organizations may not want their employees to indulge in the
various forms of entertainment and attractions available online, which can lead to security threats,
data leakage and productivity issues. Security has evolved to address these challenges through a set
of practices and technical solutions that can broadly be classified as ‘Secure Content Management’
(SCM).

DSCI regards SCM as an important discipline of security. It deserves close attention as it promises
defence against threats that increasingly concentrate on exploiting weaknesses in content
management. It also offers effective instruments to curb data leakage, and is therefore regarded as
an important element of data security strategies.


2.2 The Importance of Secure Content Management

Unrestricted Access
The use of the Internet is on the rise, as are the risks of uncontrolled access. When employees and
staff inadvertently or deliberately access sites containing inappropriate, illegal or dangerous content,
businesses suffer losses of productivity, expose themselves to legal liabilities and can experience
degraded network performance that negatively affects mission-critical tasks. There are also a
growing number of security risks—including Trojans and worms—that can seriously impact
operations.

The Risks include:

Impacted employee productivity

Restricting access to inappropriate Web sites helps companies prevent excessive non-productive
Web surfing and preserves network bandwidth.

Liability Exposure

Employees who visit pornographic or racist/hate sites represent a major legal liability concern.
Businesses need to shield themselves from potential legal liability that can arise if an employee is
repeatedly exposed to offensive material on a co-worker’s computer or anywhere in the workplace.
Other sources of liability exposure include peer-to-peer networking and file sharing, which have
opened the door to charges of copyright violations and high-profile litigation. Corporations can be
held liable for breaking copyright laws if employees use company networks to download music or
movies illegally.

Hacker Attacks and Privacy Violations

Instant messaging, peer-to-peer file sharing and multimedia downloads make businesses vulnerable
to backdoor attacks.


2.3 How Secure Content Management Works


Securing content starts with controlling access to certain Web sites based on predetermined criteria.
At a basic level, user access to Internet content is controlled using the URL address or the URL
content category (such as nudity or gambling). Basic content management solutions can also
examine the way the content is delivered, such as through Java applets or ActiveX controls, and
determine access permissions accordingly.

More advanced content management solutions also provide the ability to block applications such as
instant messaging and peer-to-peer services.

Site Blocking Versus Content Monitoring


Secure content management solutions employ one of two basic approaches: site blocking or content
monitoring. While there are considerable differences between these two approaches, both are
based on pass-through filtering technology. That is, all requests for Web pages pass through an
Internet control point such as a firewall, proxy server or caching device. The device then evaluates
each request to determine whether it should be allowed or denied based on company policy.

Site blocking
The site blocking approach for content management typically uses list-based or URL-based filters to
identify and block certain Web sites. Some solutions rely on white lists that allow access to only
those sites that appear on the list. For example, a retail store might create a white list containing
only the company’s Web site, shipping Web sites and supplier Web sites. Other solutions use black
lists, which permit access to all sites except those on the black list. The black list approach is
preferable for businesses whose employees need less restrictive Internet access. With a black list
approach, the database of Web sites is organized into categories, such as “violence” or “drugs,” and
network administrators can selectively block categories.

The effectiveness and manageability of site blocking depends on a number of factors:

Database size—A larger database allows more sites to be added to the restricted list.

Update frequency—New sites continually emerge, and many existing sites are relocated. Most site
blocking solutions update their databases on a daily basis, often automatically downloading new
URLs every night.

Category organization—Definition of categories must be carefully considered and established with
enough granularity to accomplish effective restrictions while allowing access when appropriate.

A general limitation of site blocking is that it focuses exclusively on HTTP-based Web traffic. It does
not block instant messaging, e-mail attachments, peer-to-peer applications and other applications
that could contain security threats.

Content Monitoring
The most basic level of content monitoring uses a keyword-blocking approach. Instead of blocking
URLs, it compares the content itself (the page text, or what the user types into an application) to
a user-defined library of words and phrases. When a match to one of the blocked words or phrases
is detected, the solution filters or blocks the data, or in some cases even closes the application.
The problem with this approach is that it can inadvertently block legitimate pages simply because
they contain one or more targeted keywords. For example, a Web site about cancer research could
be blocked because it contains the word "breast".
More advanced content monitoring solutions not only examine the individual words on the page,
but also evaluate context and other data such as HTML tags. Armed with this information, advanced
content monitoring solutions can more accurately assess Web sites and consequently more
accurately control blocking. Another valuable advantage of content monitoring is the ability to
monitor and filter content not only from Web sites, but also chat rooms, instant messaging, e-mail
attachments and Windows applications.
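The following Python program is an added worked example; it is not part of the handbook and not any vendor's product code. It models the pass-through filter described above in two stages: site blocking, which consults a small constructed ratings database in either white-list or black-list mode, and content monitoring, which contrasts plain keyword blocking (it wrongly blocks the cancer-research page) with a context-aware score that weighs where a flagged word appears (title, heading, meta keywords or body) and whether medical terms surround it. The host names, categories, word lists, weights, threshold and sample pages are all invented for the illustration. The example goes slightly beyond the text in one respect: when content monitoring denies a page from an unrated host, it records that host in the ratings database so the next request is stopped by the cheaper site-blocking stage, which is the dynamic rating behaviour described under standalone appliances later in this section.

```python
"""Added example: a pass-through content filter with site blocking and
content monitoring. All hosts, categories, word lists and pages below are
constructed for illustration and are not real ratings data."""
import re
from urllib.parse import urlsplit

# Constructed ratings database: host -> category (a real one holds millions of entries)
RATINGS_DB = {
    "www.example-retailer.com": "business",
    "shipping.example.net": "business",
    "casino.example.org": "gambling",
    "gore.example.net": "violence",
}

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def rate_url(url, db=RATINGS_DB):
    """Look the host up in the ratings database; 'unrated' if it is unknown."""
    return db.get(host_of(url), "unrated")

def site_blocking_decision(url, mode, listing, db=RATINGS_DB):
    """White list: allow only the listed hosts. Black list: deny the listed categories."""
    if mode == "whitelist":
        return "allow" if host_of(url) in listing else "deny"
    if mode == "blacklist":
        return "deny" if rate_url(url, db) in listing else "allow"
    raise ValueError("mode must be 'whitelist' or 'blacklist'")

# Constructed keyword library and the context terms that excuse a hit
BLOCKED_WORDS = {"breast", "nude", "casino"}
MITIGATING_CONTEXT = {"cancer", "research", "clinical", "oncology", "screening"}
BLOCK_THRESHOLD = 1.0   # arbitrary tuning choice

def words_in(text):
    return re.findall(r"[a-z]+", text.lower())

def keyword_block(text, blocked=BLOCKED_WORDS):
    """Basic keyword blocking: any occurrence of a blocked word blocks the page."""
    return bool(set(words_in(text)) & blocked)

def context_score(html, blocked=BLOCKED_WORDS, mitigating=MITIGATING_CONTEXT):
    """Context-aware scoring: a blocked word in the <title>, <h1> or meta keywords
    counts fully (1.0), in the body only 0.25, and any hit with a mitigating term
    within five words of it is discounted to a fifth of its weight."""
    headline = " ".join(re.findall(r"<(?:title|h1)[^>]*>(.*?)</(?:title|h1)>", html, re.I | re.S))
    meta = " ".join(re.findall(
        r'<meta[^>]+name=["\']keywords["\'][^>]+content=["\']([^"\']*)["\']', html, re.I))
    body = re.sub(r"<[^>]+>", " ", html)   # strip tags; the body text includes the headline again
    score = 0.0
    for text, weight in ((headline, 1.0), (meta, 1.0), (body, 0.25)):
        ws = words_in(text)
        for i, w in enumerate(ws):
            if w in blocked:
                nearby = set(ws[max(0, i - 5):i + 6])
                score += weight * (0.2 if nearby & mitigating else 1.0)
    return score

def context_block(html, threshold=BLOCK_THRESHOLD):
    return context_score(html) >= threshold

def filter_request(url, html, policy, db=RATINGS_DB):
    """One request at the control point. policy = {"mode": ..., "list": set}.
    Returns (decision, reason). A denial by content monitoring of an unrated host is
    written back to the ratings database so the next request is stopped earlier."""
    decision = site_blocking_decision(url, policy["mode"], policy["list"], db)
    if decision == "deny":
        return "deny", "site blocking (%s)" % rate_url(url, db)
    if html is not None and context_block(html):
        if rate_url(url, db) == "unrated":
            db[host_of(url)] = "blocked-by-content"   # dynamic rating, cached for next time
        return "deny", "content monitoring (score %.2f)" % context_score(html)
    return "allow", "policy"

# Constructed sample pages
MEDICAL_PAGE = """<html><head><title>Breast Cancer Research Update</title>
<meta name="keywords" content="breast cancer, research, screening"></head>
<body><h1>Clinical trial results</h1>
<p>Our oncology group reports new breast cancer screening results from a
clinical research study of early detection.</p></body></html>"""

ADULT_PAGE = """<html><head><title>Nude Photo Gallery</title></head>
<body><h1>Nude models</h1><p>Members area: new nude galleries added daily.</p></body></html>"""

if __name__ == "__main__":
    policy = {"mode": "blacklist", "list": {"gambling", "violence", "blocked-by-content"}}
    for url, page in (("https://casino.example.org/play", None),
                      ("https://research.example.edu/update", MEDICAL_PAGE),
                      ("https://gallery.example.com/", ADULT_PAGE),
                      ("https://gallery.example.com/page2", None)):
        print(url, filter_request(url, page, policy))
```

Run as a script it prints one decision per constructed request. Note the order of the stages: the cheap database lookup runs first, and page content is only scored when the site-blocking stage lets the request through, which is why caching a dynamic rating back into the database pays off.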

2. 4 Solution Architectures

Content management software can be embedded on a networked device such as a proxy server,
caching appliance or firewall, or it can reside on a dedicated server running the Microsoft Windows,
Linux or UNIX operating system. The three common deployment methods vary in terms of
effectiveness, cost and manageability.

Client Solutions
Installed on the desktop, client solutions are most suited for home environments where parental
control is the primary application. Client software solutions include a management interface and a
database of blocked Web sites; the parent downloads database updates via the Internet. Leading
providers of client solutions include Zone Labs, Net Nanny® and Internet Service Providers (ISPs)
such as Microsoft® MSN and AOL®.

Standalone Solutions
Standalone solutions consist of a dedicated database server for defining policies and a separate
gateway or firewall that enforces the content management policies. These solutions are more
manageable than client based solutions because an administrator can create a policy once on the
gateway and then apply it across all desktops. However, most standalone solutions require
organizations to purchase and manage two separate hardware devices in addition to content
management software. They also require additional storage to be purchased as needed, when the
policy database grows to exceed the storage available. Key vendors of standalone solutions include
SonicWALL®, Websense and Surf Control®.

Integrated Solutions
Integrated solutions consolidate management and processing in a single gateway or firewall, thereby
reducing capital and operational expenses. However, when the gateway or firewall is also used for
services like anti-virus and intrusion prevention, performance can suffer. Key vendors of integrated
content filtering solutions include SonicWALL®, Symantec™ and WatchGuard®.

Evaluating Solutions

Depending on the levels of protection, performance and manageability required, non-residential
customers should choose between an integrated solution and a standalone appliance. Both
alternatives can combine Internet content management with dynamic threat protection techniques
to control access and secure the network against an array of threats from viruses, spyware, worms,
instant messaging and peer-to-peer applications. At the core of both integrated and standalone
solutions is a rating architecture that leverages a comprehensive database of millions of pre-rated
Web sites and domains. When a user attempts to access a Web site, the URL is cross-referenced
against a master ratings database. These databases can be managed and maintained by the content
filtering solution vendor, and made available at multiple locations for performance efficiency and
high availability. A rating is returned to the requestor and compared to the content filtering policy
established by the administrator. If the Web request is permitted, the user is able to view the page.
If the requested Web site is denied, a custom block message informs the user that the site has been
blocked according to policy.

Integrated Content Management and Firewalls


Content filtering integrated on a firewall is a cost-effective content management solution that is
ideal for businesses with small to mid-sized networks. This alternative integrates the existing firewall
technology, or is installed simultaneously with a new firewall solution. A typical service will make
available a continuously updated, comprehensive database of millions of Web sites, domains and IP
addresses. Minimal administrative overhead means that businesses can either manage the solution
themselves or outsource the task to their IT service provider.

Standalone Appliances
For larger businesses and enterprise environments requiring more comprehensive content control
abilities, a standalone content filtering appliance maximizes the protection of any network from
today’s sophisticated Internet threats. Although it requires the purchase of additional hardware,
ease of installation and use make this an attractive solution. The appliance can be dropped into the
existing network without any reconfiguration of existing hardware or software. Appliances are also
an affordable way to upgrade existing firewalls by introducing new functionality without an actual
upgrade on the firewall itself. A standalone appliance can affordably combine Internet content
management with real-time gateway anti-virus and antispyware capabilities, and the best appliances
are rich in features and functionality and deliver superior value for the investment.

Beyond these advantages and basic Web site access controls, other advantages of a standalone
appliance include:

Seamless integration—Appliances can be easily installed in virtually any network, and combined
with any existing firewall. Plug-and-play designs speed installation, making them drop-in solutions
that eliminate the need for additional servers or hardware.

Dynamic rating engine—Built-in capabilities can dynamically evaluate new URLs. Real-time
analysis of page content, context for flagged words, HTML tags and other data can produce a
rating and category for immediate access or blocking based on the organizations’ predetermined
policies. New ratings can be automatically added to a master ratings database for subsequent
requests.

Protection from attacks—Deep packet inspection technology can block viruses, worms, Trojans,
spyware, phishing, malicious code and other attacks before they are able to infect a network.
Appliances can scan and clean network traffic over a multitude of ports and protocols including
HTTP, SMTP, POP3, FTP and NetBIOS.

Advanced security for bandwidth protection and reduced legal liabilities—Appliances can provide
controls for managing instant messaging, peer-to-peer and multimedia applications.

Management and reporting capabilities—Integrated support enables network administrators to
manage all users through a single interface, while the option to create custom categories and URL-
rating lists provides more granular control over filtering policies. Advanced reporting and analysis
tools provide granular insight into network usage through custom reports.

Report on CMS attacks:


What do WordPress, Joomla, and Drupal all have in common? First, they are the most popular Content
Management Systems (CMS) in use today. According to statistics from Web Technology Surveys, these
three platforms combine to support over 75% of all CMS-powered websites currently online.

They also share another less encouraging similarity: they are among the most common hacking targets
on the Internet.

A WP White Security study found that a staggering 73% of all WordPress installations had known
vulnerabilities that could easily be detected using automated tools.

Cyber criminals have long discovered these security holes, with over 170,000 WordPress sites being
hacked last year.


Why are CMS platforms so vulnerable?


When you consider the different issues in play it becomes obvious why hackers deem CMSes to
be appealing targets. It is easy for some to assume that since WordPress, Joomla, and Drupal are
such recognizable names, they must be providing some form of protection.

However, the opposite is true. Fact is, CMSes are vulnerable by nature because they are built on
open source frameworks. Such shared development environments offer several benefits but they
also have their share of flaws, many of which arise from a lack of accountability.

With no price tag, and with no one to take direct responsibility for potential problems, it’s no
surprise when the final product has some security issues. Since the top CMSes are so popular,
these security vulnerabilities are actively sought after — both by security researchers and
members of the hacker community.

Once identified, these flaws can turn into a virtual gold mine for hackers, creating a much more
efficient way for them to execute automated mass-scale attacks.

Adding to the issue are website operators who use weak passwords, leaving their admin accounts
vulnerable to automated brute force attacks.

In the past we've shown how such weak passwords were used to inject websites with malware,
turning them into DDoS zombies.

Obviously, with administrative access hackers can also deal other kinds of damage: anything from
defacing the site (for fun) to using it for malware distribution, which eventually gets it blacklisted
in Google and in other search engines.
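The automated brute-force attacks mentioned above leave a characteristic trace in the web server's access log: many POST requests to the login page from one source in a short time. The following Python program is an added example, not part of the report or of any CMS project, that parses Apache/nginx "combined" format log lines and flags sources whose login POSTs exceed a threshold inside a sliding time window. The log lines, addresses (RFC 5737 documentation ranges), window and threshold are constructed for the illustration; the login paths listed are the standard WordPress, Joomla and Drupal endpoints.

```python
"""Added example: spotting automated password guessing against CMS login
endpoints in web-server access logs. The log lines are constructed below."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')

# Login endpoints of WordPress, Joomla and Drupal (xmlrpc.php is a common WordPress bypass)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/administrator/index.php", "/user/login"}

def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def login_attempts(lines):
    """Yield (ip, timestamp) for every POST to a known login endpoint.
    Status codes are deliberately not used: WordPress answers a failed login with
    200 and a successful one with 302, so volume per source is the better signal."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] in LOGIN_PATHS:
            yield rec["ip"], rec["ts"]

def detect_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """Flag sources that post to a login page at least `threshold` times inside
    any `window`. Returns {ip: peak attempts seen in one window}."""
    times_by_ip = defaultdict(list)
    for ip, ts in login_attempts(lines):
        times_by_ip[ip].append(ts)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log: one source hammering wp-login.php, one legitimate admin,
# one non-POST request and one unparseable line.
def _entry(ip, ts, method, path, status):
    return '%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"' % (
        ip, ts.strftime("%d/%b/%Y:%H:%M:%S +0000"), method, path, status)

_t0 = datetime(2015, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_entry("203.0.113.5", _t0 + timedelta(seconds=10 * i), "POST", "/wp-login.php", 200)
     for i in range(12)]
    + [_entry("198.51.100.7", _t0 + timedelta(minutes=15 * i), "POST", "/wp-login.php", 302)
       for i in range(2)]
    + [_entry("203.0.113.5", _t0, "GET", "/wp-login.php", 200),
       "this line is deliberately not in combined log format"]
)

if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG).items():
        print("brute force suspected from %s: %d login POSTs within 5 minutes" % (ip, n))
```

Feed it a real log (one line per list element) and the flagged addresses are candidates for a temporary block at the firewall or in a plugin that rate-limits logins. Distributed attacks that spread guesses over many addresses will stay under a per-IP threshold; for those, count attempts per target username instead.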


Sites blacklisted by Google on a weekly basis. (Google’s Safe Browsing Initiative)

Finally, there is also the issue of various CMS plugins and themes, which are also exposed to attacks.
Each of these is created by a different developer and may introduce an additional set of vulnerabilities.

A recent study found that over 20% of the fifty most popular WordPress plugins were vulnerable to
hacking, while a staggering eight million susceptible plugins had been downloaded from WordPress
alone.

Considering that most users have at least 3-4 plugins running on their CMS platform, it’s apparent how
they can further expose their sites to new security risks.

What users can do to protect themselves from CMS vulnerabilities


There are a number of things users can do to protect themselves:

 Create a regular schedule to update or patch their CMS, and all installed plugins and themes.
This will ensure that all components are up-to-date. CMS platforms usually display a dashboard
message whenever a new update is available; users should quickly install it even if it’s outside
their update schedule.

 Regularly backup the CMS and its underlying database. This should be performed weekly at a
minimum.

 Subscribe to a regularly-updated list of vulnerabilities for the specific CMS being used (e.g.,
WordPress).

 Delete default admin usernames (e.g., 'admin') and use strong passwords (at least eight
characters long, with a combination of upper and lower case, as well as both letters and
numerical characters).

 Use a plugin for strong authentication, or two-factor authentication (2FA) for an additional
layer of protection.


Summary
 DSCI believes that SCM is an important discipline of security. It deserves a close attention as it
promises defence against the threats that are increasingly concentrating their acts to exploit
weakness in the content management. It also offers effective instruments to curb the data
leakages, hence, is regarded as an important element of data security strategies.
 Due to unrestricted access the organisation faces increased risk from impacted employee
productivity, liability exposure, hacker attacks and privacy violations.
 Securing content starts with controlling access to certain Web sites based on predetermined
criteria. At a basic level, user access to Internet content is controlled using the URL address or
the URL content category (such as nudity or gambling).
 Basic content management solutions can also examine the way the content is delivered, such as
through Java applets or ActiveX scripts, and determine access permissions accordingly.
 More advanced content management solutions also provide the ability to block applications
such as instant messaging and peer-to-peer services.
 Secure content management solutions employ one of two basic approaches: site blocking or
content monitoring.
 Both of these are based on pass-through filtering technology. That is, all requests for Web pages
pass through an Internet control point such as a firewall, proxy server or caching device. The
device then evaluates each request to determine whether it should be allowed or denied based
on company policy.
 The most basic level of content monitoring uses a keyword-blocking approach. Instead of
blocking URLs, it compares the content itself to a user-defined library of words and phrases.
 More advanced content monitoring solutions not only examine the individual words on the
page, but also evaluate context and other data such as HTML tags. Armed with this information,
advanced content monitoring solutions can more accurately assess Web sites and consequently
more accurately control blocking.
 Content management software can be embedded on a networked device such as a proxy server,
caching appliance or firewall, or it can reside on a dedicated server running the Microsoft
Windows, Linux or UNIX operating system. The three common deployment methods vary in
terms of effectiveness, cost and manageability.
 The three categories of solution include client solutions, standalone solution and integrated
solutions


Practical activities:

Activity 1:

List the various content management service providers and tools available in the market.
Compare at least two tools and their features, benefits and limitations.

Activity 2:

Try and learn about the content management system in your institute if they are using any, or
interact with consultants or companies to enquire about the configuration process of a secure
content management system.

Check your understanding:


Q. Please explain the risk of liability exposure due to unrestricted web access.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. Fill in the blanks with the most appropriate answer

 Installed on the desktop, ________ __________are most suited for home environments
where parental control is the primary application.
 Secure content management solutions employ one of two basic approaches: ____________
or ____________________.
 At the core of both integrated and standalone solutions is a __________ architecture that
leverages a comprehensive database of millions of pre-rated Web sites and domains.

Q. What is the difference between a Black List and a White list, in the context of site blocking?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


Q. List at least two factors based on which the effectiveness and manageability of site blocking
depends.
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. State TRUE or FALSE


a. Instant messaging, peer-to-peer file sharing and multimedia downloads make businesses
vulnerable to backdoor attacks. ( )
b. Standalone solutions consist of a dedicated database server for defining policies and a
separate gateway or firewall that enforces the content management policies. ( )



UNIT III
Configuring Firewall

This Unit covers:

 Lesson Plan
 Resource Material
3.1. What Firewall Software Does
3.2. Firewall Configuration
3.3. Why Firewall Security?
3.4. Configuring a Simple Firewall


LESSON PLAN

Outcomes
PC1. identify information security devices (firewall) you are required to install/configure/
troubleshoot and source relevant instructions and guidelines
PC4. install/configure information security devices (firewall) as per instructions and guidelines

You need to know and understand:
KB1. different types of information security devices (firewall) and their functions
KB2. different technical and configuration specifications for firewall and how this affects
function and use

Performance Ensuring Measures
The learners must demonstrate PC1 and PC4 on a given work task.
QA session and a descriptive write-up on understanding.
Group presentation and peer evaluation along with faculty.
Presentation of a best practices document by peer group to the faculty and loading the same into
different sites.
Presentation of the customized templates by peer groups and validation of them by faculty.

Work Environment / Lab Requirement (KA1 to KA13)
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with Wi-Fi (Min 2 Mbps Dedicated)
Networking Equipment: Routers & Switches, Firewalls and Access Points
Access to all security sites like ISO, PCI DSS
Commercial tools like HP WebInspect and IBM AppScan etc.
Open source tools like sqlmap, and scanners such as Nessus etc.
Security Templates from ITIL


Lesson

3.1. What Firewall Software Does


A firewall is simply a program or hardware device that filters the information coming through the
Internet connection into your private network or computer system. If an incoming packet of
information is flagged by the filters, it is not allowed through.

Let's say that you work at a company with 500 employees. The company will therefore have
hundreds of computers that all have network cards connecting them together. In addition, the
company will have one or more connections to the Internet through something like T1 or T3 lines.
Without a firewall in place, all of those hundreds of computers are directly accessible to anyone on
the Internet. A person who knows what he or she is doing can probe those computers, try to make
FTP connections to them, try to make telnet connections to them and so on. If one employee makes
a mistake and leaves a security hole, hackers can get to the machine and exploit the hole.

With a firewall in place, the landscape is much different. A company will place a firewall at every
connection to the Internet (for example, at every T1 line coming into the company). The firewall can
implement security rules. For example, one of the security rules inside the company might be:

Out of the 500 computers inside this company, only one of them is permitted to receive public FTP
traffic. Allow FTP connections only to that one computer and prevent them on all others.

A company can set up rules like this for FTP servers, Web servers, Telnet servers and so on. In
addition, the company can control how employees connect to Web sites, whether files are allowed
to leave the company over the network and so on. A firewall gives a company tremendous control
over how people use the network.

Firewalls use one or more of three methods to control traffic flowing in and out of the
network:

Packet filtering

Packets (small chunks of data) are analyzed against a set of filters. Packets that make it
through the filters are sent to the requesting system and all others are discarded.

Proxy service

Information from the Internet is retrieved by the firewall and then sent to the requesting
system and vice versa.

Stateful inspection

A newer method that does not examine the full contents of each packet. Instead it records the
key fields of connections initiated from inside the firewall (addresses, ports, protocol and, for
TCP, the connection state) in a state table, and compares each incoming packet against that table.
A packet that belongs to an established, permitted connection is allowed through; an unsolicited
packet that matches no known connection is discarded.


Working of Firewall


3.2 Firewall Software Configuration

Firewall Configuration
Firewalls are customizable. This means that you can add or remove filters based on several
conditions. Some of these are:

IP addresses
Each machine on the Internet is assigned a unique address called an IP address. IPv4 addresses are
32-bit numbers, normally expressed as four "octets" in "dotted decimal" notation. A typical IPv4
address looks like this: 216.27.61.137. For example, if a certain IP address outside the company is
reading too many files from a server, the firewall can block all traffic to or from that IP address.

Domain names
As it is hard to remember the string of numbers that make up an IP address, and because IP
addresses sometimes need to change, all servers on the Internet also have human-readable names,
called domain names.

For example, it is easier for most of us to remember www.howstuffworks.com than it is to
remember 216.27.61.137.

A company might block all access to certain domain names, or allow access only to specific domain
names.

Protocols
The protocol is the pre-defined way that someone who wants to use a service talks with that service.
The "someone" could be a person, but more often it is a computer program like a Web browser.
Protocols are often text, and simply describe how the client and server will have their conversation.
The http in the Web's protocol.

Some common protocols that you can set firewall filters for include:

 IP (Internet Protocol) - the main delivery system for information over the Internet

 TCP (Transmission Control Protocol) - provides reliable, ordered connections; it breaks
information into segments and reassembles them at the other end

 HTTP (Hyper Text Transfer Protocol) - used for Web pages

 FTP (File Transfer Protocol) - used to download and upload files

 UDP (User Datagram Protocol) - connectionless delivery with no acknowledgement or
retransmission, used where a late packet is worse than a lost one, such as streaming audio
and video (and for DNS lookups)

 ICMP (Internet Control Message Protocol) - carries error and diagnostic messages between
hosts and routers, such as "destination unreachable" and the echo request/reply used by ping

 SMTP (Simple Mail Transfer Protocol) - used to send e-mail between mail servers

 SNMP (Simple Network Management Protocol) - used to collect system information from a
remote computer

 Telnet - used to perform commands on a remote computer (in clear text; SSH is its
encrypted replacement)

A company might set up only one or two machines to handle a specific protocol and ban that
protocol on all other machines.

Ports
Any server machine makes its services available to the Internet using numbered ports, one for each
service that is available on the server. For example, if a server machine is running a Web (HTTP)
server and an FTP server, the Web server would typically be available on port 80, and the FTP
server would be available on port 21. A company might block port 21 access on all machines but one
inside the company.

Specific words and phrases


This can be anything. The firewall will sniff (search through) each packet of information for an exact
match of the text listed in the filter.

For example, you could instruct the firewall to block any packet with the word "X-rated" in it. The
key here is that it has to be an exact match. The "X-rated" filter would not catch "X rated" (no
hyphen). But you can include as many words, phrases and variations of them as you need.
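The following Python program is an added worked example, not part of the handbook and not the code of any firewall product. It puts the three control methods from 3.1 and the filter conditions from 3.2 into one miniature firewall: static rules that match on source and destination address, protocol, destination port and an exact keyword in the payload, evaluated first-match-wins with a default deny, plus a state table so that reply packets for a connection opened from inside are allowed even though no rule permits inbound traffic from that address. The addresses (10.0.0.0/8 inside, RFC 5737 documentation ranges outside), ports and rule set are invented for the illustration, and the state table tracks only the address/port/protocol 5-tuple; a real stateful filter also follows the TCP handshake and times idle entries out.

```python
"""Added example: a miniature firewall combining static packet filtering
(IP address, protocol, port, exact keyword) with stateful inspection.
Addresses, ports and rules are constructed for the illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags such as {"SYN"} or {"SYN", "ACK"}
    payload: bytes = b""

@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"          # CIDR; a single host is /32
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    keyword: Optional[bytes] = None  # exact byte-string match anywhere in the payload

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.keyword is not None and self.keyword not in pkt.payload:
            return False
        return True

class StatefulFirewall:
    INTERNAL = ip_network("10.0.0.0/8")   # the private network behind the firewall

    def __init__(self, rules):
        self.content_rules = [r for r in rules if r.keyword is not None]  # every packet
        self.flow_rules = [r for r in rules if r.keyword is None]         # new flows only
        self.state = set()   # (inside ip, inside port, outside ip, outside port, proto)

    def _flow_key(self, pkt):
        """Both directions of a connection map to the same key."""
        if ip_address(pkt.src) in self.INTERNAL:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    @staticmethod
    def _first_match(rules, pkt, default):
        for r in rules:
            if r.matches(pkt):
                return r.action
        return default

    def process(self, pkt):
        # 1. Keyword (content) rules apply even to established connections.
        if self._first_match(self.content_rules, pkt, "allow") == "deny":
            return "deny"
        key = self._flow_key(pkt)
        # 2. Stateful inspection: packets of a known connection pass without consulting rules.
        if key in self.state:
            if pkt.proto == "tcp" and (pkt.flags & {"FIN", "RST"}):
                self.state.discard(key)          # connection closing: forget it
            return "allow"
        # 3. New flow: first matching rule wins; default deny.
        decision = self._first_match(self.flow_rules, pkt, "deny")
        if decision == "allow" and pkt.proto in ("tcp", "udp"):
            self.state.add(key)
        return decision

def build_firewall():
    """Policy from the text: block an abusive address, allow public FTP to one
    host only, let inside hosts reach the Web and DNS, and drop exact 'X-rated'."""
    return StatefulFirewall([
        Rule("deny", keyword=b"X-rated"),
        Rule("deny", src="198.51.100.77/32"),
        Rule("allow", proto="tcp", dst="10.0.0.5/32", dport=21),
        Rule("allow", proto="tcp", src="10.0.0.0/8", dport=80),
        Rule("allow", proto="tcp", src="10.0.0.0/8", dport=443),
        Rule("allow", proto="udp", src="10.0.0.0/8", dport=53),
    ])

if __name__ == "__main__":
    fw = build_firewall()
    for p in (Packet("10.0.0.7", "93.184.216.34", "tcp", 50000, 80, frozenset({"SYN"})),
              Packet("93.184.216.34", "10.0.0.7", "tcp", 80, 50000, frozenset({"SYN", "ACK"})),
              Packet("203.0.113.9", "10.0.0.7", "tcp", 4444, 22, frozenset({"SYN"})),
              Packet("203.0.113.9", "10.0.0.5", "tcp", 4445, 21, frozenset({"SYN"}))):
        print(p.src, "->", p.dst, p.proto, p.dport, fw.process(p))
```

Two points worth noticing when running it: the reply from the Web server is accepted only because the outbound request created a state entry first, and the keyword rule really is an exact byte match, so a payload containing "X rated" (no hyphen) sails past it just as the text warns.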

Some operating systems come with a firewall built in. Otherwise, a software firewall can be installed
on the computer in your home that has an Internet connection. This computer is considered a
gateway because it provides the only point of access between your home network and the Internet.

With a hardware firewall, the firewall unit itself is normally the gateway. A good example is the
Linksys Cable/DSL router. It has a built-in Ethernet card and hub. Computers in your home network
connect to the router, which in turn is connected to either a cable or DSL modem. You configure the
router via a Web-based interface that you reach through the browser on your computer. You can
then set any filters or additional information.

Hardware firewalls are effective and not very expensive. Home versions that include a router,
firewall and Ethernet hub for broadband connections can be found for well under Rs 10000.


3.3. Why Firewall Security?

Access or abuse of unprotected computers

There are many creative ways that unscrupulous people use to access or abuse unprotected
computers:

Remote login

When someone is able to connect to your computer and control it in some form. This can range from
being able to view or access your files to actually running programs on your computer.

Application backdoors

Some programs have special features that allow for remote access. Others contain bugs that provide
a backdoor, or hidden access that provides some level of control of the program.

SMTP session hijacking

SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of
e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is
quite often done by relaying the e-mail through a misconfigured (open relay) SMTP server belonging
to an unsuspecting host, making the actual sender of the spam difficult to trace.

Operating system bugs

Like applications, some operating systems have backdoors. Others provide remote access with
insufficient security controls or have bugs that an experienced hacker can take advantage of.

Denial of service

You have probably heard this phrase used in news reports on attacks on major Web sites. This
type of attack is hard to counter at the target alone. In the classic form (a SYN flood) the attacker
sends connection requests to the server, often with forged source addresses. When the server
responds with an acknowledgement and tries to establish a session, no reply ever comes, because
the system that supposedly made the request does not exist or never asked. By inundating a server
with these half-open session requests, an attacker causes the server to slow to a crawl or eventually
crash.

E-mail bombs

An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or
thousands of times until your e-mail system cannot accept any more messages.

Macros

To simplify complicated procedures, many applications allow you to create a script of commands
that the application can run. This script is known as a macro. Hackers have taken advantage of this to
create their own macros that, depending on the application, can destroy your data or crash your
computer.


Viruses

Probably the most well-known threat is the computer virus. A virus is a small program that can copy
itself to other computers, so it can spread quickly from one system to the next. The payload ranges
from a harmless message to erasing all of your data.

Spam

Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be
dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these, because
they may lead to phishing pages or to sites that deliver malware to your computer.

Redirect bombs

Attackers can use ICMP redirect messages to change the path information takes by sending it to a
different router. This can be used to cut a host off from the network (a denial of service) or to route
its traffic through a machine the attacker controls.

Source routing

In most cases, the path a packet travels over the Internet (or any other network) is determined by
the routers along that path. But the source providing the packet can arbitrarily specify the route that
the packet should travel. Hackers sometimes take advantage of this to make information appear to
come from a trusted source or even from inside the network! Most firewall products disable source
routing by default.

Security against unauthorized access or abuse


Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some
firewalls offer virus protection, it is worth the investment to install anti-virus software on each
computer. And, even though it is annoying, some spam is going to get through your firewall as long
as you accept e-mail.

The level of security you establish will determine how many of these threats can be stopped by your
firewall. The highest level of security would be to simply block everything. Obviously that defeats the
purpose of having an Internet connection. But a common rule of thumb is to block everything, then
begin to select what types of traffic you will allow.

You can also restrict traffic that travels through the firewall so that only certain types of information,
such as e-mail, can get through. This is a good rule for businesses that have an experienced network
administrator that understands what the needs are and knows exactly what traffic to allow through.
For most of us, it is probably better to work with the defaults provided by the firewall developer
unless there is a specific reason to change it.

One of the best things about a firewall from a security standpoint is that it stops anyone on the
outside from logging on to a computer in your private network. This matters for businesses, but home
networks are scanned by the same automated tools, so a home connection with no firewall is exposed
to the same login attempts; putting a firewall in place closes that door.


Proxy Servers and DMZ

A function that is often combined with a firewall is a proxy server. The proxy server is used to access
Web pages by the other computers. When another computer requests a Web page, it is retrieved by
the proxy server and then sent to the requesting computer. The net effect of this action is that the
remote computer hosting the Web page never comes into direct contact with anything on your
home network, other than the proxy server.

Proxy servers can also make your Internet access work more efficiently. If you access a page on a
Web site, it is cached (stored) on the proxy server. This means that the next time you go back to that
page; it normally doesn't have to load again from the Web site. Instead it loads instantaneously from
the proxy server.

There are times that you may want remote users to have access to items on your network. Some
examples are:

 Web site
 Online business
 FTP download and upload area

In cases like this, you may want to create a DMZ (Demilitarized Zone). A DMZ is a separate network
segment that sits between the Internet and your internal network, so that a compromised public
server does not give an attacker a foothold on the inside. Think of the DMZ as the front yard of a
house. It belongs to the owner, who may put some things there, but would put anything valuable
inside the house where it can be properly secured.

Setting up a simple DMZ is easy. If you have multiple computers, you can place the public one
between the Internet connection and the firewall. Most home routers and software firewalls let you
designate one host (by IP address) as the DMZ host, to which all unsolicited inbound traffic is
forwarded. That host receives everything the Internet sends it, so it must be hardened and patched
as if it had no firewall at all.

Configuring a Simple Firewall


The Cisco 1800 integrated services routers support network traffic filtering by means of access lists.
The router also supports packet inspection and dynamic temporary access lists by means of Context-
Based Access Control (CBAC).
Basic traffic filtering is limited to configured access list implementations that examine packets at the
network layer or, at most, the transport layer, permitting or denying the passage of each packet
through the firewall. However, the use of inspection rules in CBAC allows the creation and use of
dynamic temporary access lists. These dynamic lists allow temporary openings in the configured
access lists at firewall interfaces. These openings are created when traffic for a specified user session
exits the internal network through the firewall. The openings allow returning traffic for the specified
session (that would normally be blocked) back through the firewall.
See the Cisco IOS Security Configuration Guide, Release 12.3 , for more detailed information on
traffic filtering and firewalls.
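The dynamic-opening behaviour described above, as an added example that is not part of this handbook and not Cisco code: a small Python simulation of CBAC-style inspection. It assumes a simplified five-tuple session table with an idle timeout, a deny-everything static inbound policy (the IPsec permits of the real scenario are left out), and constructed sample packets using documentation addresses.

```python
"""CBAC-style stateful inspection as a small simulation (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "out" = inside -> outside, "in" = outside -> inside
    syn: bool = False
    ack: bool = False


class StatefulFirewall:
    """Static inbound policy is deny-everything; the session table supplies the
    temporary openings, like the dynamic ACL entries CBAC creates."""

    def __init__(self, inspect_protocols=("tcp", "udp"), idle_timeout=30.0):
        self.inspect = set(inspect_protocols)    # protocols named in "ip inspect name ..."
        self.idle_timeout = idle_timeout
        self.sessions: Dict[Tuple, float] = {}   # normalised 5-tuple -> last-seen time

    @staticmethod
    def _key(p: Packet) -> Tuple:
        # Normalise so a reply (outside -> inside) maps to the same key as the request.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        for k in [k for k, t in self.sessions.items() if now - t > self.idle_timeout]:
            del self.sessions[k]

    def filter(self, p: Packet, now: float) -> str:
        """Return "permit" or "deny" for one packet observed at time `now`."""
        self._expire(now)
        key = self._key(p)
        if p.direction == "out":
            if p.proto in self.inspect:
                self.sessions[key] = now      # open (or refresh) the return path
            return "permit"                   # outbound is trusted in this scenario
        if key not in self.sessions:
            return "deny"                     # unsolicited inbound: no session, no opening
        if p.proto == "tcp" and p.syn and not p.ack:
            return "deny"                     # a bare SYN is a new connection, not a reply
        self.sessions[key] = now
        return "permit"


def demo():
    """Constructed traffic (documentation addresses); returns the verdict per packet."""
    fw = StatefulFirewall()
    inside, web, dns, scanner = "192.168.1.10", "203.0.113.5", "203.0.113.53", "198.51.100.7"
    return [
        fw.filter(Packet("tcp", inside, 40000, web, 80, "out", syn=True), now=0),          # permit
        fw.filter(Packet("tcp", web, 80, inside, 40000, "in", syn=True, ack=True), now=1), # permit: reply
        fw.filter(Packet("tcp", scanner, 5555, inside, 22, "in", syn=True), now=2),        # deny: unsolicited
        fw.filter(Packet("udp", inside, 53001, dns, 53, "out"), now=3),                    # permit
        fw.filter(Packet("udp", dns, 53, inside, 53001, "in"), now=4),                     # permit: reply
        fw.filter(Packet("icmp", inside, 0, web, 0, "out"), now=5),                        # permit
        fw.filter(Packet("icmp", web, 0, inside, 0, "in"), now=6),                         # deny: icmp not inspected
        fw.filter(Packet("udp", dns, 53, inside, 53001, "in"), now=100),                   # deny: session expired
    ]


if __name__ == "__main__":
    print(demo())
```

The ICMP pair shows why the inspection rule must name every protocol whose replies you expect: with only tcp and udp inspected, the outbound echo request leaves but the reply is dropped, exactly as the page's configuration would behave without its explicit `permit icmp any any`.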
The following Figure shows a network deployment using PPPoE or PPPoA with NAT and a firewall.


A figure of a router with a firewall configured (legend):

1 Multiple networked devices: desktops, laptop PCs, switches
2 Fast Ethernet LAN interface (the inside interface for NAT)
3 PPPoE or PPPoA client and firewall implementation: Cisco 1811/1812 or Cisco
1801/1802/1803 series integrated services router, respectively
4 Point at which NAT occurs
5 Protected network
6 Unprotected network
7 Fast Ethernet or ATM WAN interface (the outside interface for NAT)

In the configuration example that follows, the firewall is applied to the outside WAN interface (FE0)
on the Cisco 1811 or Cisco 1812 and protects the internal Fast Ethernet LAN (VLAN 1) by filtering and
inspecting all traffic entering the router on the WAN interface FE0.
Note that in this example, the network traffic originating from the corporate network, network
address 10.1.1.0, is considered safe traffic and is not filtered.

Configuration Tasks
Perform the following tasks to configure this network scenario:

 Configure Access Lists


 Configure Inspection Rules
 Apply Access Lists and Inspection Rules to Interfaces


Configure Access Lists

Perform these steps to create access lists for use by the firewall, beginning in global configuration
mode:

Step 1
Command: access-list access-list-number {deny | permit} protocol source source-wildcard
[operator [port]] destination
Example:
Router(config)# access-list 103 permit udp host 200.1.1.1 eq isakmp any
Router(config)#
Purpose: Creates an access list which prevents Internet-initiated traffic from reaching the local
(inside) network of the router, and which matches on source and destination ports. See the Cisco IOS
IP Command Reference, Volume 1 of 4: Addressing and Services for details about this command.

Step 2
Command: access-list access-list-number {deny | permit} protocol source source-wildcard
destination destination-wildcard
Example:
Router(config)# access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
Router(config)#
Purpose: Creates an access list that allows network traffic to pass freely between the corporate
network and the local networks through the configured VPN tunnel.

Configure Inspection Rules

Perform these steps to configure firewall inspection rules for all TCP and UDP traffic, as well as
specific application protocols as defined by the security policy, beginning in global configuration
mode:

Step 1
Command: ip inspect name inspection-name protocol
Example:
Router(config)# ip inspect name firewall tcp
Router(config)#
Purpose: Defines an inspection rule for a particular protocol.

Step 2
Command: ip inspect name inspection-name protocol
Example:
Router(config)# ip inspect name firewall rtsp
Router(config)# ip inspect name firewall h323
Router(config)# ip inspect name firewall netshow
Router(config)# ip inspect name firewall ftp
Router(config)# ip inspect name firewall sqlnet
Router(config)#
Purpose: Repeat this command for each inspection rule that you wish to use.

Apply Access Lists and Inspection Rules to Interfaces

Perform these steps to apply the ACLs and inspection rules to the network interfaces, beginning in
global configuration mode:

Step 1
Command: interface type number
Example:
Router(config)# interface vlan 1
Router(config-if)#
Purpose: Enters interface configuration mode for the inside network interface on your router.

Step 2
Command: ip inspect inspection-name {in | out}
Example:
Router(config-if)# ip inspect firewall in
Router(config-if)#
Purpose: Assigns the set of firewall inspection rules to the inside interface on the router.

Step 3
Command: exit
Example:
Router(config-if)# exit
Router(config)#
Purpose: Returns to global configuration mode.

Step 4
Command: interface type number
Example:
Router(config)# interface fastethernet 0
Router(config-if)#
Purpose: Enters interface configuration mode for the outside network interface on your router.

Step 5
Command: ip access-group {access-list-number | access-list-name} {in | out}
Example:
Router(config-if)# ip access-group 103 in
Router(config-if)#
Purpose: Assigns the defined ACLs to the outside interface on the router.

Step 6
Command: exit
Example:
Router(config-if)# exit
Router(config)#
Purpose: Returns to global configuration mode.

Configuration Example
A telecommuter is granted secure access to a corporate network, using IPSec tunnelling. Security to
the home network is accomplished through firewall inspection. The protocols that are allowed are
all TCP, UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network;
therefore, no traffic is allowed that is initiated from outside. IPSec tunnelling secures the connection
from the Home LAN to the corporate network.
Like the Internet Firewall Policy, HTTP need not be specified because Java blocking is not necessary.
Specifying TCP inspection allows for single-channel protocols such as Telnet and HTTP. UDP is
specified for DNS.
The following configuration example shows a portion of the configuration file for the simple firewall
scenario described in the preceding sections.

! Firewall inspection is set up for all tcp and udp traffic as well as specific application
! protocols as defined by the security policy.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
!
interface vlan 1                 ! This is the internal home network
 ip inspect firewall in          ! inspection examines outbound traffic
 no cdp enable
!
interface fastethernet 0         ! FE0 is the outside or internet exposed interface.
 ip access-group 103 in          ! acl 103 permits ipsec traffic from the corp. router and
                                 ! denies internet initiated traffic inbound.
 ip nat outside
 no cdp enable
!
! acl 103 defines traffic allowed from the peer for the ipsec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any   ! allow icmp for debugging but should be disabled due
                                      ! to security implications.
access-list 103 deny ip any any       ! prevents internet initiated traffic inbound.
no cdp run
!
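To make the ACL semantics of the "Configure Access Lists" steps and of this configuration example concrete, here is an added Python example (not Cisco code and not from the handbook) that parses numbered extended ACL entries, including wildcard masks, host, any, eq ports and trailing ! comments, and evaluates packets against them with first-match semantics and the implicit deny at the end of every list. The port-name table is an assumed subset of what IOS accepts, and the test packets use documentation addresses apart from the page's peer 200.1.1.1.

```python
"""Evaluate Cisco-style numbered extended ACLs offline (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Keyword ports IOS accepts after "eq"; assumed subset, extend as needed.
PORT_NAMES = {"isakmp": 500, "domain": 53, "www": 80, "telnet": 23, "ssh": 22, "ftp": 21}

Addr = Tuple[int, int]          # (network as int, wildcard as int); wildcard bit set = "don't care"
ANY: Addr = (0, 0xFFFFFFFF)


@dataclass(frozen=True)
class ACE:
    number: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Addr
    sport: Optional[int]
    dst: Addr
    dport: Optional[int]
    log: bool = False


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line: str) -> Optional[ACE]:
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [log]'; '!' starts a comment."""
    tok = line.split("!", 1)[0].split()
    if len(tok) < 4 or tok[0] != "access-list":
        return None
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return ACE(int(tok[1]), tok[2], tok[3], src, sport, dst, dport,
               log=(i < len(tok) and tok[i] == "log"))


def parse_acl(text: str) -> List[ACE]:
    return [a for a in map(parse_ace, text.splitlines()) if a]


def _addr_match(spec: Addr, addr: str) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF           # bits that must be equal
    return (_ip(addr) & care) == (net & care)


def evaluate(acl: List[ACE], proto: str, src: str, dst: str, sport=None, dport=None):
    """First matching entry wins; no match means the implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_addr_match(ace.src, src) and _addr_match(ace.dst, dst)):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace
    return "deny", None


# acl 103 copied from the configuration example above; acl 105 from the ACL steps.
ACL_103 = parse_acl("""
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any   ! allow icmp for debugging
access-list 103 deny ip any any       ! prevents internet initiated traffic inbound
""")
ACL_105 = parse_acl("access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255")


def demo():
    """Constructed packets (documentation ranges except the page's peer 200.1.1.1)."""
    return {
        "ike_from_peer": evaluate(ACL_103, "udp", "200.1.1.1", "203.0.113.1", 500, 500)[0],
        "esp_from_peer": evaluate(ACL_103, "esp", "200.1.1.1", "203.0.113.1")[0],
        "ike_from_stranger": evaluate(ACL_103, "udp", "198.51.100.7", "203.0.113.1", 500, 500)[0],
        "ssh_scan": evaluate(ACL_103, "tcp", "198.51.100.7", "192.168.0.10", 44123, 22)[0],
        "vpn_lan_to_lan": evaluate(ACL_105, "tcp", "10.1.1.77", "192.168.5.9", 40000, 445)[0],
        "wrong_subnet": evaluate(ACL_105, "tcp", "10.1.2.77", "192.168.5.9", 40000, 445)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The "wrong_subnet" case matches nothing in acl 105 and is denied with no entry at all, which is the implicit deny the troubleshooting section warns about: nothing in show ip access-lists will show a hit for it.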


Firewall Limitations
A firewall is a crucial component of securing your network. It controls which traffic may enter
and leave (via stateful packet inspection) and hides the internal addressing of your network
(via NAT). Your network gains these benefits only if all transmitted traffic passes through the
firewall. The importance of including a firewall in your security strategy is apparent; however,
firewalls do have the following limitations:

 A firewall cannot prevent users or attackers with modems, or with any other out-of-band
link such as a mobile tethering connection or an unmanaged wireless access point, from
connecting into or out of the internal network, thus bypassing the firewall and its
protection completely.

 Firewalls cannot enforce your password policy or prevent misuse of passwords. Your
password policy is crucial in this area because it outlines acceptable conduct and sets
the ramifications of noncompliance.

 Firewalls are ineffective against nontechnical security risks such as social engineering.

 Firewalls cannot stop internal users from accessing websites with malicious code,
making user education critical.

 Firewalls cannot protect you from poor decisions.

 Firewalls cannot protect you when your security policy is too lax.


Summary
 A firewall is simply a program or hardware device that filters the information coming through
the Internet connection into your private network or computer system. If an incoming packet of
information is flagged by the filters, it is not allowed through.
 Firewalls use one or more of three methods to control traffic flowing in and out of the network:
 Packet filtering: Packets (small chunks of data) are analysed against a set of filters. Packets that
make it through the filters are sent to the requesting system and all others are discarded.
 Proxy service: Information from the Internet is retrieved by the firewall and then sent to the
requesting system and vice versa.
 Stateful inspection: A newer method that does not examine the full contents of each packet but
instead compares key parts of the packet header to a state table of known connections.
Information travelling from inside the firewall to the outside is recorded in the state table, then
incoming information is compared to those entries. If the comparison yields a reasonable match,
the information is allowed through. Otherwise it is discarded.
 Firewalls are customizable. This means that you can add or remove filters based on several
conditions, such as IP addresses, domain names, ports, specific words or phrases, and protocols.
 Firewall security is used to protect against access to or abuse of unprotected computers.
 A function that is often combined with a firewall is a proxy server. The proxy server is used to
access Web pages by the other computers. When another computer requests a Web page, it is
retrieved by the proxy server and then sent to the requesting computer. The net effect of this
action is that the remote computer hosting the Web page never comes into direct contact with
anything on your home network, other than the proxy server.
 Perform the following tasks to configure a firewall in a network scenario:
o Configure Access Lists
o Configure Inspection Rules
o Apply Access Lists and Inspection Rules to Interfaces


Practical activities:

Activity 1:

List the various kinds of firewalls in the market and the various vendors for the same. Compare
the features, benefits and limitations of various kind of firewall products offered. Share with
your fellow students.

Activity 2:

Configure a firewall product or first job shadow someone who installs a firewall. List down the
various steps of the same, then configure it on your own.

Check your understanding:


Q. List at least five protocols that you can set firewall filters for:

a.
b.
c.
d.
e.

Q. What are dynamic temporary access lists?

Q. Explain what a DMZ is and what its function is.


UNIT IV
Troubleshooting information security devices

This Unit covers:

 Lesson Plan
4.1 Troubleshooting the Cisco IOS Firewall Configuration
4.2 Troubleshooting routers


LESSON PLAN

Performance Outcomes
 PC4. Troubleshoot information security devices as per instructions and guidelines given
 PC6. Resolve problems with information security devices, following instructions and
guidelines
 PC10. Comply with your organization's policies, standards, procedures, guidelines and
service level agreements (SLAs) when troubleshooting information security devices
You need to know and understand:
 KA8. Standard tools and templates available and how to use these to record
troubleshooting

Ensuring Measures
 The learners must demonstrate all work tasks
 KA8: Presentation of the customized templates by peer groups and validation of them by
faculty

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment: Routers & Switches, Firewalls and Access Points
 Access to all security sites like ISO, PCI DSS
 Commercial tools like HP WebInspect and IBM AppScan etc.
 Open source tools like sqlmap, Nessus etc.
 Security Templates from ITIL


Lesson

4.1 Troubleshooting CISCO IOS Firewall configurations


 To remove an access list from an interface (the list itself stays in the configuration), put a "no"
in front of the access-group command in interface configuration mode:

int <interface>

no ip access-group # in|out

 If too much traffic is denied, study the logic of your list or, for diagnosis, define an additional
broader list and apply it instead. Remember that a list like the one below permits everything and
removes the protection while it is applied, so use it only to confirm that the ACL is the cause and
then restore the intended list. For example:

access-list # permit tcp any any

access-list # permit udp any any

access-list # permit icmp any any

int <interface>

ip access-group # in|out

 The show ip access-lists command shows each access list with the number of packets that have
matched each entry; show ip interface shows which list is applied to which interface and in which
direction. Note the match count on the deny entry before and after the failed operation: if the
count for that source and destination increases, the access list is blocking the traffic.

 If the router is not heavily loaded, debugging can be done at a packet level on the extended or ip
inspect access list. If the router is heavily loaded, traffic is slowed through the router. Use
discretion with debugging commands.

Temporarily add the no ip route-cache command to the interface so that packets are process-switched
and visible to the debug (restore ip route-cache when you are done):

int <interface>

no ip route-cache

Then, in enable (but not config) mode:

term mon

debug ip packet # det

produces output similar to this:

*Mar 1 04:38:28.078: IP: s=10.31.1.161 (Serial0), d=171.68.118.100 (Ethernet0), g=10.31.1.21, len 100, forward
*Mar 1 04:38:28.086: IP: s=171.68.118.100 (Ethernet0), d=9.9.9.9 (Serial0), g=9.9.9.9, len 100, forward

 Extended access lists can also be used with the "log" option at the end of the various
statements:

access-list 101 deny ip host 171.68.118.100 host 10.31.1.161 log

access-list 101 permit ip any any

You then see messages on the screen for permitted and denied traffic (the sample messages below
come from lists 111 and 118 rather than list 101; the format is the same):

*Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 171.68.118.100 -> 10.31.1.161 (0/0), 15 packets

*Mar 1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 1 packet

 If the ip inspect list is suspect, the debug ip inspect <type_of_traffic> command produces
output such as this:

Feb 14 12:41:17 10.31.1.52 56: 3d05h: CBAC* sis 258488 pak 16D0DC TCP P ack 3195751223 seq 3659219376(2) (10.31.1.5:11109) => (12.34.56.79:23)

Feb 14 12:41:17 10.31.1.52 57: 3d05h: CBAC* sis 258488 pak 17CE30 TCP P ack 3659219378 seq 3195751223(12) (10.31.1.5:11109) <= (12.34.56.79:23)
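The %SEC-6-IPACCESSLOG messages shown in this lesson are what a security analyst ends up reading in syslog, usually in volume. As an added example (not from the handbook and not Cisco code), the following Python parses those messages, totals denied packets per list and source, and flags sources that hit several distinct destination ports, a crude port-scan heuristic. The sample log is constructed: the first two lines are the ones printed in this lesson, the remaining lines are assumed.

```python
"""Parse Cisco IOS ACL log messages and flag noisy sources (added example, not Cisco code)."""
import re
from collections import defaultdict

# %SEC-6-IPACCESSLOGP  (tcp/udp: "addr(port)") and
# %SEC-6-IPACCESSLOGDP (icmp: "addr -> addr (type/code)") share this shape.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>\w+): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\S+?)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\S+?)(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

# Constructed sample: first two lines are from this lesson, the rest are assumed.
SAMPLE_LOG = """\
*Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 171.68.118.100 -> 10.31.1.161 (0/0), 15 packets
*Mar 1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 1 packet
*Mar 1 03:32:13.301: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 27 packets
*Mar 1 03:33:02.110: %SEC-6-IPACCESSLOGP: list 103 denied tcp 198.51.100.7(44123) -> 192.168.0.10(22), 1 packet
*Mar 1 03:33:05.004: %SEC-6-IPACCESSLOGP: list 103 denied tcp 198.51.100.7(44124) -> 192.168.0.10(23), 1 packet
*Mar 1 03:33:07.917: %SEC-6-IPACCESSLOGP: list 103 denied tcp 198.51.100.7(44125) -> 192.168.0.10(3389), 1 packet
*Mar 1 03:35:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_acl_log(line):
    """Return a dict of the message fields, or None for lines that are not ACL log messages."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "itype", "icode", "count"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def denied_by_source(text):
    """Aggregate denied packets per (acl, source); remember the destination ports probed.

    IOS logs the first hit and then a per-interval summary ("27 packets"), so the
    packet counts are summed rather than the number of lines."""
    out = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in text.splitlines():
        e = parse_acl_log(line)
        if e and e["action"] == "denied":
            rec = out[(e["acl"], e["src"])]
            rec["packets"] += e["count"]
            if e["dport"] is not None:
                rec["ports"].add(e["dport"])
    return dict(out)


def scan_suspects(text, min_ports=3):
    """Sources denied on at least min_ports distinct destination ports: a crude scan heuristic."""
    return sorted(k for k, v in denied_by_source(text).items() if len(v["ports"]) >= min_ports)


if __name__ == "__main__":
    for key, rec in denied_by_source(SAMPLE_LOG).items():
        print(key, rec["packets"], sorted(rec["ports"]))
    print("scan suspects:", scan_suspects(SAMPLE_LOG))
```

The threshold of three ports is a starting point, not a rule; the value of the summary is that it turns a stream of one-line messages into a per-source view, which is what you want before deciding whether a deny counter that "increases" in show ip access-lists is a misconfiguration or hostile traffic.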


4.2 Troubleshooting Routers


Cisco Router Basic Troubleshooting Checklist
Excerpted from the book The Accidental Administrator: Cisco Router Step-by-Step Configuration
Guide (Crawley, Don R., Seattle, WA, soundtraining.net, ISBN 978-0983660729)

When a router isn’t functioning, here are some steps to perform to eliminate basic faults as the
source of trouble:

Physical Layer Stuff: Check power issues. Look for power lights, check plugs, and circuit breakers.

Check the Interfaces: Use the command show ip interface brief or show ipv6 interface brief to
ensure that desired interfaces are up and configured properly.

Ping: Use the ping and trace commands to check for connectivity.

Check the Routing Table: Use the show ip route or show ipv6 route command to find out what the
router knows. Is there either an explicit route to the remote network or a gateway of last resort?

Is there a Firewall on the Computer? If the problem involves a computer, check to ensure that its
firewall is not blocking packets. Sometimes there are computers at client locations with firewalls in
operation without the client’s knowledge.

Any Access Lists? If the above steps don’t resolve the issue, check for access-control lists that block
traffic. There is an implicit “deny any” at the end of every access-control list, so even if you don’t see
a statement explicitly denying traffic, it might be blocked by an implicit “deny any.”

Is the VPN Up? If a VPN is part of the connection, check to ensure that it is up. Use the show crypto
family of commands to check VPN connections. With VPN connections, each end of the connection
must mirror the other. For example, even something as seemingly inconsequential as a different
timeout value or a different key lifetime can prevent a connection.

Do the Protocols Match? If you are trying to gain remote access to a server, ensure that it supports
the protocol you’re attempting to use. For example, if the router hasn’t been configured to support
SSH and you use the default settings in PuTTY which call for SSH, you won’t be able to connect. Also,
some admins change the default port numbers, so you may expect to use port 22 with SSH, but the
admin may have configured it to use a non-standard port.

Check for Human Error: User errors can also be the source of errors. Check to ensure that correct
usernames and passwords are being used, that you and the admin on the other end of the
connection are using the same network addresses and matching subnet masks.

Verify Settings: Do not make assumptions. Verify everything!

Often, by using the above steps, you can solve the problem. If that doesn’t do it, then proceed to
more advanced show and debug commands to isolate the problem.


Router Troubleshooting Tools


Using Router Diagnostic Commands
Cisco routers provide numerous integrated commands to assist you in monitoring and
troubleshooting your internetwork. The following sections describe the basic use of these
commands:

• The show commands help monitor installation behaviour and normal network
behaviour, as well as isolate problem areas.

• The debug commands assist in the isolation of protocol and configuration problems.

• The ping commands help determine connectivity between devices on your network.

• The trace commands provide a method of determining the route by which packets
reach their destination from one device to another.

Using show Commands


The show commands are powerful monitoring and troubleshooting tools. You can use the
show commands to perform a variety of functions:

• Monitor router behaviour during initial installation

• Monitor normal network operation

• Isolate problem interfaces, nodes, media, or applications

• Determine when a network is congested

• Determine the status of servers, clients, or other neighbours


Following are some of the most commonly used show commands:

• show interfaces—Use the show interfaces exec command to display statistics for all
interfaces configured on the router or access server. The resulting output varies,
depending on the network for which an interface has been configured.
Some of the more frequently used show interfaces commands include the following:

— show interfaces ethernet


— show interfaces tokenring

— show interfaces fddi


— show interfaces atm
— show interfaces serial
— show controllers—This command displays statistics for interface card controllers. For
example, the show controllers mci command provides the following fields:


MCI 0, controller type 1.1, microcode version 1.8


128 Kbytes of main memory, 4 Kbytes cache memory
22 system TX buffers, largest buffer size 1520
Restarts: 0 line down, 0 hung output, 0 controller error
Interface 0 is Ethernet0, station address 0000.0c00.d4a6
15 total RX buffers, 11 buffer TX queue limit, buffer size 1520
Transmitter delay is 0 microseconds
Interface 1 is Serial0, electrical interface is V.35 DTE
15 total RX buffers, 11 buffer TX queue limit, buffer size 1520
Transmitter delay is 0 microseconds
High speed synchronous serial interface
Interface 2 is Ethernet1, station address aa00.0400.3be4
15 total RX buffers, 11 buffer TX queue limit, buffer size 1520
Transmitter delay is 0 microseconds
Interface 3 is Serial1, electrical interface is V.35 DCE
15 total RX buffers, 11 buffer TX queue limit, buffer size 1520
Transmitter delay is 0 microseconds
High speed synchronous serial interface

Some of the most frequently used show controllers commands include the following:

— show controllers token


— show controllers FDDI
— show controllers LEX
— show controllers ethernet
— show controllers E1
— show controllers MCI
— show controllers cxbus
— show controllers t1
— show running-config— Displays the router configuration currently running
— show startup-config—Displays the router configuration stored in nonvolatile RAM
(NVRAM)
— show flash—Group of commands that display the layout and contents of flash memory
— show buffers—Displays statistics for the buffer pools on the router
— show memory—Shows statistics about the router’s memory, including free pool
statistics
— show processes—Displays information about the active processes on the router
— show stacks—Displays information about the stack utilization of processes and
interrupt routines, as well as the reason for the last system reboot
— show version—Displays the configuration of the system hardware, the software
version, the names and sources of configuration files, and the boot images
There are hundreds of other show commands available.

Using debug Commands


The debug privileged exec commands can provide a wealth of information about the traffic
being seen (or not seen) on an interface, error messages generated by nodes on the
network, protocol-specific diagnostic packets, and other useful troubleshooting data.


To access and list the privileged exec commands, complete the following tasks:
Step 1 Enter the privileged exec mode:
Router> enable
Password: XXXXXX
Router#
Step 2 List privileged exec commands:
Router# debug ?

Exercise care when using debug commands. Many debug commands are processor
intensive and can cause serious network problems (such as degraded performance
or loss of connectivity) if they are enabled on an already heavily loaded router.
When you finish using a debug command, remember to disable it with its specific no
debug command (or use the no debug all command to turn off all debugging).
Use debug commands to isolate problems, not to monitor normal network
operation. Because the high processor overhead of debug commands can disrupt
router operation, you should use them only when you are looking for specific types
of traffic or problems and have narrowed your problems to a likely subset of causes.

Output formats vary with each debug command. Some generate a single line of
output per packet, and others generate multiple lines of output per packet. Some
generate large amounts of output, and others generate only occasional output.
Some generate lines of text, and others generate information in field format.
To minimize the negative impact of using debug commands, follow this procedure:
Step 1 Use the no logging console global configuration command on your router.
This command disables all logging to the console terminal.
Step 2 Telnet to a router port and enter the enable exec command. The enable exec
command will place the router in the privileged exec mode. After entering the
enable password, you will receive a prompt that will consist of the router
name with a # symbol.
Step 3 Use the terminal monitor command to copy debug command output and
system error messages to your current terminal display.
By redirecting output to your current terminal display, you can view debug
command output remotely, without being connected through the console
port.
If you use debug commands at the console port, character-by-character
processor interrupts are generated, maximizing the processor load already
caused by using debug.
If you intend to keep the output of the debug command, spool the output to a file.

Using Router Diagnostic Commands


In many situations, using third-party diagnostic tools can be more useful and less intrusive
than using debug commands.


Using the ping Command


To check host reachability and network connectivity, use the ping exec (user) or privileged
exec command. After you log in to the router or access server, you are automatically in user
exec command mode. The exec commands available at the user level are a subset of those
available at the privileged level. In general, the user exec commands allow you to connect to
remote devices, change terminal settings on a temporary basis, perform basic tests, and list
system information. The ping command can be used to confirm basic network connectivity
on AppleTalk, ISO Connectionless Network Service (CLNS), IP, Novell, Apollo, VINES, DECnet,
or XNS networks.
For IP, the ping command sends Internet Control Message Protocol (ICMP) Echo messages.
ICMP is the Internet protocol that reports errors and provides information relevant to IP
packet addressing. If a station receives an ICMP Echo message, it sends an ICMP Echo Reply
message back to the source.
The extended command mode of the ping command permits you to specify the supported
IP header options. This allows the router to perform a more extensive range of test options.
To enter ping extended command mode, enter yes at the extended commands prompt of
the ping command.
It is a good idea to use the ping command when the network is functioning properly to see
how the command works under normal conditions and so you have something to compare
against when troubleshooting.

Using the trace Command


The trace user exec command discovers the routes that a router’s packets follow when
traveling to their destinations. The trace privileged exec command permits the supported IP
header options to be specified, allowing the router to perform a more extensive range of
test options.
The trace command works by using the error message generated by routers when a
datagram exceeds its time-to-live (TTL) value. First, probe datagrams are sent with a TTL
value of 1. This causes the first router to discard the probe datagrams and send back “time
exceeded” error messages. The trace command then sends several probes and displays the
round-trip time for each. After every third probe, the TTL is increased by one.
Each outgoing packet can result in one of two error messages. A “time exceeded” error
message indicates that an intermediate router has seen and discarded the probe. A “port
unreachable” error message indicates that the destination node has received the probe and
discarded it because it could not deliver the packet to an application. If the timer goes off
before a response comes in, trace prints an asterisk (*).
The trace command terminates when the destination responds, when the maximum TTL is
exceeded, or when the user interrupts the trace with the escape sequence.
As with ping, it is a good idea to use the trace command when the network is functioning
properly to see how the command works under normal conditions and so you have
something to compare against when troubleshooting.
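The trace algorithm just described, as a small Python simulation added to this section (it is not IOS code): three probes per TTL starting at TTL 1, "time exceeded" from intermediate routers, "port unreachable" from the destination, and an asterisk where the timer expires. The path, its addresses and the round-trip times are constructed values, not measurements.

```python
from dataclasses import dataclass
from typing import List, Optional

PROBES_PER_TTL = 3          # "After every third probe, the TTL is increased by one"


@dataclass
class Hop:
    """One router (or the destination) on a constructed path."""
    address: str
    rtt_ms: float
    silent: bool = False     # discards probes without returning any ICMP error


@dataclass
class Probe:
    ttl: int
    responder: Optional[str]  # None when the timer expired
    reply: str                # "time exceeded", "port unreachable" or "timeout"
    rtt_ms: Optional[float]


def send_probe(path: List[Hop], ttl: int) -> Probe:
    """Simulate one probe datagram: the hop at position ttl sees TTL reach 0 and answers."""
    if ttl > len(path):                  # beyond the destination: nothing can answer
        return Probe(ttl, None, "timeout", None)
    hop = path[ttl - 1]
    if hop.silent:
        return Probe(ttl, None, "timeout", None)
    if ttl == len(path):                 # destination: no application on the probe port
        return Probe(ttl, hop.address, "port unreachable", hop.rtt_ms)
    return Probe(ttl, hop.address, "time exceeded", hop.rtt_ms)


def trace(path: List[Hop], max_ttl: int = 30) -> List[List[Probe]]:
    """Send PROBES_PER_TTL probes per TTL from 1 upward; stop when the destination
    answers or max_ttl is exceeded (the escape-sequence interrupt is not modelled)."""
    rounds: List[List[Probe]] = []
    for ttl in range(1, max_ttl + 1):
        probes = [send_probe(path, ttl) for _ in range(PROBES_PER_TTL)]
        rounds.append(probes)
        if any(p.reply == "port unreachable" for p in probes):
            break
    return rounds


def format_round(probes: List[Probe]) -> str:
    """Render one TTL's probes in the style of the IOS trace display: '*' for a timeout."""
    parts = [str(probes[0].ttl)]
    responder = next((p.responder for p in probes if p.responder), None)
    if responder:
        parts.append(responder)
    parts += ["*" if p.rtt_ms is None else f"{p.rtt_ms:.0f} msec" for p in probes]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed path: a normal router, a router that never sends ICMP errors, the destination.
    path = [Hop("192.0.2.1", 1.0), Hop("198.51.100.1", 8.0, silent=True),
            Hop("203.0.113.9", 20.0)]
    for probes in trace(path):
        print(format_round(probes))
```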


UNIT V
Configuring IDS

This Unit covers:

 Lesson Plan
5.1 Cisco IOS Firewall IDS feature
5.2 Cisco IOS Firewall IDS Signature List
5.3 Cisco IOS Firewall IDS Configuration Task List
5.4 Configuring Snort


LESSON PLAN

Performance Outcomes

PC1. identify information security devices (IDS) you are required to install/configure/troubleshoot and source relevant instructions and guidelines
PC4. install/configure information security devices (IDS) as per instructions and guidelines
PC5. test installed/configured information security devices (IDS), following instructions and guidelines
PC6. resolve problems with information security devices (IDS), following instructions and guidelines
PC7. obtain advice and guidance on installing / configuring / testing information security devices (IDS) from appropriate people, where required
PC8. record the installation / configuration / testing of information security devices (IDS) promptly using standard templates and tools
PC10. comply with your organization’s policies, standards, procedures, guidelines and service level agreements (SLAs) when installing / configuring information security devices (IDS)

You need to know and understand:
KA1. your organization’s policies, procedures, standards, guidelines and client specific service level agreements for installing, configuring information security devices (IDS)
KA2. limits of your role and responsibilities and who to seek guidance from where required
KA3. your organization’s systems, procedures and tasks/checklists relevant to your work and how to use these
KA4. the importance of following manufacturer’s installation guides and procedures and how to access and apply these to install information security devices (IDS)
KA5. who to involve when installing, configuring information security devices (IDS)
KA6. methods and techniques used when working with others
KA7. the importance of recording issues when installing/configuring information security devices (IDS) and how to report these
KA8. standard tools and templates available and how to use these to record installation / configuration
KB5. methods of testing installed/configured information security devices (IDS)

Ensuring Measures

The learners must demonstrate all PCs on given work tasks.
KA1-KA3. QA session and a descriptive write-up on security understanding.
KA4, KA7. Group presentation and peer evaluation along with faculty.
KA5, KA6. Presentation of best practices document by peer group to the faculty and loading the same into different sites.
KA8. Presentation of the customized templates by peer groups and validation of them by faculty.
KB5. Installation and configuration of security tools in the lab environment by peer groups and validation by the faculty.

Work Environment / Lab Requirement

KA1 to KA13:
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Networking Equipment - Routers & Switches
Firewalls and Access Points
Access to all security sites like ISO, PCI DSS
Commercial Tools like HP WebInspect and IBM AppScan etc.
Open Source tools like sqlmap, Nessus etc.
Templates from ITIL


Lesson

5.1 Cisco IOS Firewall IDS feature


The Cisco IOS Firewall IDS feature supports intrusion detection technology for midrange and high-
end router platforms with firewall support. It is ideal for any network perimeter, and especially for
locations in which a router is being deployed and additional security between network segments is
required. It also can protect intranet and extranet connections where additional security is
mandated, and branch-office sites connecting to the corporate office or Internet.
The Cisco IOS Firewall IDS feature identifies 59 of the most common attacks using "signatures" to
detect patterns of misuse in network traffic. The intrusion-detection signatures included in the Cisco
IOS Firewall were chosen from a broad cross-section of intrusion-detection signatures. The
signatures represent severe breaches of security and the most common network attacks and
information-gathering scans.
The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets and
sessions as they flow through the router, scanning each to match any of the IDS signatures.
 IDS monitors packets and sends alarms when suspicious activity is detected.
 IDS logs the event through Cisco IOS syslog or the Cisco Secure Intrusion Detection System
(Cisco Secure IDS, formerly known as NetRanger) Post Office Protocol.
The network administrator can configure the IDS system to choose the appropriate response to
various threats.
When packets in a session match a signature, the IDS system can be configured to take these
actions:
 Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized management
interface)
 Drop the packet
 Reset the TCP connection
Cisco developed its Cisco IOS software-based intrusion-detection capabilities in Cisco IOS Firewall
with flexibility in mind, so that individual signatures could be disabled in case of false positives. Also,
while it is preferable to enable both the firewall and intrusion detection features of the CBAC
security engine to support a network security policy, each of these features may be enabled
independently and on different router interfaces. Cisco IOS software-based intrusion detection is
part of the Cisco IOS Firewall.

Interaction with Cisco IOS Firewall Default Parameters


When Cisco IOS IDS is enabled, Cisco IOS Firewall is automatically enabled. Thus, IDS uses Cisco IOS
Firewall default parameter values to inspect incoming sessions. Default parameter values include the
following:
 The rate at which IDS starts deleting half-open sessions (modified via the ip inspect one-minute
high command)
 The rate at which IDS stops deleting half-open sessions (modified via the ip inspect one-minute
low command)


 The maximum incomplete sessions (modified via the ip inspect max-incomplete high and the ip
inspect max-incomplete low commands)
After the incoming TCP session setup rate crosses the one-minute high water mark, the router will
reset the oldest half-open session, which is the default behaviour of the Cisco IOS Firewall. Cisco IOS
IDS cannot modify this default behaviour. Thus, after a new TCP session rate crosses the one-minute
high water mark and a router attempts to open new connections by sending SYN packets at the
same time, the latest SYN packet will cause the router to reset the half-open session that was
opened by the earlier SYN packet. Only the last SYN request will survive.

Compatibility with Cisco Secure Intrusion Detection


Cisco IOS Firewall is compatible with the Cisco Secure Intrusion Detection System (formerly known as
NetRanger). The Cisco Secure IDS is an enterprise-scale, real-time, intrusion detection system
designed to detect, report, and terminate unauthorized activity throughout a network.
The Cisco Secure IDS consists of three components:
 Sensor
 Director
 Post Office
Cisco Secure IDS Sensors, which are high-speed network appliances, analyze the content and context
of individual packets to determine if traffic is authorized. If a network's data stream exhibits
unauthorized or suspicious activity, such as a SATAN attack, a ping sweep, or the transmission of a
secret research project code word, Cisco Secure IDS Sensors can detect the policy violation in real
time, forward alarms to a Cisco Secure IDS Director management console, and remove the offender
from the network.
The Cisco Secure IDS Director is a high-performance, software-based management system that
centrally monitors the activity of multiple Cisco Secure IDS Sensors located on local or remote
network segments.
The Cisco Secure IDS Post Office is the communication backbone that allows Cisco Secure IDS
services and hosts to communicate with each other. All communication is supported by a
proprietary, connection-based protocol that can switch between alternate routes to maintain point-
to-point connections.
Cisco Secure IDS customers can deploy the Cisco IOS Firewall IDS signatures to complement their
existing IDS systems. This allows an IDS to be deployed to areas that may not be capable of
supporting a Cisco Secure IDS Sensor. Cisco IOS Firewall IDS signatures can be deployed alongside or
independently of other Cisco IOS Firewall features.
The Cisco IOS Firewall IDS can be added to the Cisco Secure IDS Director screen as an icon to provide
a consistent view of all intrusion detection sensors throughout a network. The Cisco IOS Firewall
intrusion detection capabilities have an enhanced reporting mechanism that permits logging to the
Cisco Secure IDS Director console in addition to Cisco IOS syslog.

Functional Description
The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets as they
traverse the router's interfaces and acting upon them in a definable fashion. When a packet, or a
number of packets in a session, match a signature, the Cisco IOS Firewall IDS may perform the
following configurable actions:

• Alarm—Sends an alarm to a syslog server or Cisco Secure IDS Director
• Drop—Drops the packet
• Reset—Resets the TCP connection
The following describes the packet auditing process with Cisco IOS Firewall IDS:
• You create an audit rule, which specifies the signatures that should be applied to packet traffic
and the actions to take when a match is found. An audit rule can apply informational and attack
signatures to network packets. The signature list can have just one signature, all signatures, or
any number of signatures in between. Signatures can be disabled in case of false positives or the
needs of the network environment.
• You apply the audit rule to an interface on the router, specifying a traffic direction (in or out).
• If the audit rule is applied to the in direction of the interface, packets passing through the
interface are audited before the inbound ACL has a chance to discard them. This allows an
administrator to be alerted if an attack or information-gathering activity is underway even if the
router would normally reject the activity.
• If the audit rule is applied to the out direction on the interface, packets are audited after they
enter the router through another interface. In this case, the inbound ACL of the other interface
may discard packets before they are audited. This may result in the loss of Cisco IOS Firewall IDS
alarms even though the attack or information-gathering activity was thwarted.
• Packets going through the interface that match the audit rule are audited by a series of
modules, starting with IP; then either ICMP, TCP, or UDP (as appropriate); and finally, the
Application level.
• If a signature match is found in a module, then the following user-configured action(s) occur:
– If the action is alarm, then the module completes its audit, sends an alarm, and passes the
packet to the next module.
– If the action is drop, then the packet is dropped from the module, discarded, and not sent to
the next module.
– If the action is reset, then the packets are forwarded to the next module, and packets with
the reset flag set are sent to both participants of the session, if the session is TCP.
It is recommended that you use the drop and reset actions together.
If there are multiple signature matches in a module, only the first match fires an action. Additional
matches in other modules fire additional alarms, but only one per module.
Note: This process differs from that on the Cisco Secure IDS Sensor appliance, which identifies
all signature matches for each packet.

When to Use Firewall IDS


Firewall IDS capabilities are ideal for providing additional visibility at intranet, extranet, and branch-
office Internet perimeters. Network administrators enjoy more robust protection against attacks on
the network and can automatically respond to threats from internal or external hosts.
The Firewall with intrusion detection is intended to satisfy the security goals of customers, and is
particularly appropriate for the following scenarios:
• Enterprises that are interested in a cost-effective method of extending their perimeter security
across all network boundaries, specifically branch-office, intranet, and extranet perimeters.
• Small and medium-sized businesses that are looking for a cost-effective router that has an
integrated firewall with intrusion-detection capabilities.


• Service providers that want to set up managed services, providing firewalling and intrusion
detection to their customers, all housed within the necessary function of a router.

Memory and Performance Impact


The performance impact of intrusion detection will depend on the configuration of the signatures,
the level of traffic on the router, the router platform, and other individual features enabled on the
router such as encryption, source route bridging, and so on. Enabling or disabling individual
signatures will not alter performance significantly; however, signatures that are configured to use
Access Control Lists will have a significant performance impact.
For auditing atomic signatures, there is no traffic-dependent memory requirement. For auditing
compound signatures, CBAC allocates memory to maintain the state of each session for each
connection. Memory is also allocated for the configuration database and for internal caching.


5.2 Cisco IOS Firewall IDS Signature List


The following is a complete list of Cisco IOS Firewall IDS signatures. A signature detects patterns of
misuse in network traffic.

In Cisco IOS Firewall IDS, signatures are categorized into four types:
• Info Atomic
• Info Compound
• Attack Atomic
• Attack Compound
An info signature detects information-gathering activity, such as a port sweep.
An attack signature detects attacks attempted into the protected network, such as denial-of-service
attempts or the execution of illegal commands during an FTP session.
Info and attack signatures can be either atomic or compound signatures. Atomic signatures can
detect patterns as simple as an attempt to access a specific port on a specific host. Compound
signatures can detect complex patterns, such as a sequence of operations distributed across multiple
hosts over an arbitrary period of time.
The intrusion-detection signatures included in the Cisco IOS Firewall were chosen from a broad
cross-section of intrusion-detection signatures as representative of the most common network
attacks and information-gathering scans that are not commonly found in an operational network.
The following signatures are listed in numerical order by their signature number in the Cisco Secure
IDS Network Security Database. After each signature's name is an indication of the type of signature
(info or attack, atomic or compound).
Atomic signatures marked with an asterisk (Atomic*) are allocated memory for session states by
CBAC.

 1000 IP options-Bad Option List (Info, Atomic)


Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is
incomplete or malformed. The IP options list contains one or more options that perform various
network management or debugging tasks.
 1001 IP options-Record Packet Route (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 7
(Record Packet Route).
 1002 IP options-Timestamp (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4
(Timestamp).
 1003 IP options-Provide s,c,h,tcc (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 2
(Security options).
 1004 IP options-Loose Source Route (Info, Atomic)


Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 3
(Loose Source Route).
 1005 IP options-SATNET ID (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 8
(SATNET stream identifier).
 1006 IP options-Strict Source Route (Info, Atomic)
Triggers on receipt of an IP datagram in which the IP option list for the datagram includes
option 2 (Strict Source Routing).
 1100 IP Fragment Attack (Attack, Atomic)
Triggers when any IP datagram is received with the "more fragments" flag set to 1 or if there is
an offset indicated in the offset field.
 1101 Unknown IP Protocol (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field set to 101 or greater. These
protocol types are undefined or reserved and should not be used.
 1102 Impossible IP Packet (Attack, Atomic)
This triggers when an IP packet arrives with source equal to destination address. This signature
will catch the so-called Land Attack.
 2000 ICMP Echo Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP)
and the "type" field in the ICMP header set to 0 (Echo Reply).
 2001 ICMP Host Unreachable (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 3 (Host Unreachable).
 2002 ICMP Source Quench (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 4 (Source Quench).
 2003 ICMP Redirect (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 5 (Redirect).
 2004 ICMP Echo Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 8 (Echo Request).
 2005 ICMP Time Exceeded for a Datagram (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 11 (Time Exceeded for a Datagram).
 2006 ICMP Parameter Problem on Datagram (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 12 (Parameter Problem on Datagram).
 2007 ICMP Timestamp Request (Info, Atomic)


Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 13 (Timestamp Request).
 2008 ICMP Timestamp Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 14 (Timestamp Reply).
 2009 ICMP Information Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 15 (Information Request).
 2010 ICMP Information Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 16 (ICMP Information Reply).
 2011 ICMP Address Mask Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 17 (Address Mask Request).
 2012 ICMP Address Mask Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1
(ICMP) and the "type" field in the ICMP header set to 18 (Address Mask Reply).
 2150 Fragmented ICMP Traffic (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP)
and either the more fragments flag is set to 1 or there is an offset indicated in the offset field.
 2151 Large ICMP Traffic (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP)
and the IP length is greater than 1024.
 2154 Ping of Death Attack (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP),
the Last Fragment bit is set, and
( IP offset * 8 ) + (IP data length) > 65535
In other words, the IP offset (which represents the starting position of this fragment in the
original packet, and which is in 8-byte units) plus the rest of the packet is greater than the
maximum size for an IP packet.
 3040 TCP - no bits set in flags (Attack, Atomic)
Triggers when a TCP packet is received with no bits set in the flags field.
 3041 TCP - SYN and FIN bits set (Attack, Atomic)
Triggers when a TCP packet is received with both the SYN and FIN bits set in the flag field.
 3042 TCP - FIN bit with no ACK bit in flags (Attack, Atomic)
Triggers when a TCP packet is received with the FIN bit set but with no ACK bit set in the flags
field.
 3050 Half-open SYN Attack/SYN Flood (Attack, Compound)


Triggers when multiple TCP sessions have been improperly initiated on any of several well-
known service ports. Detection of this signature is currently limited to FTP, Telnet, HTTP, and e-
mail servers (TCP ports 21, 23, 80, and 25 respectively).
 3100 Smail Attack (Attack, Compound)
Triggers on the very common "smail" attack against SMTP-compliant e-mail servers (frequently
sendmail).
 3101 Sendmail Invalid Recipient (Attack, Compound)
Triggers on any mail message with a "pipe" (|) symbol in the recipient field.
 3102 Sendmail Invalid Sender (Attack, Compound)
Triggers on any mail message with a "pipe" (|) symbol in the "From:" field.
 3103 Sendmail Reconnaissance (Attack, Compound)
Triggers when "expn" or "vrfy" commands are issued to the SMTP port.
 3104 Archaic Sendmail Attacks (Attack, Compound)
Triggers when "wiz" or "debug" commands are issued to the SMTP port.
 3105 Sendmail Decode Alias (Attack, Compound)
Triggers on any mail message with ": decode@" in the header.
 3106 Mail Spam (Attack, Compound)
Counts the number of Rcpt to: lines in a single mail message and alarms after a user-definable
maximum has been exceeded (default is 250).
 3107 Majordomo Execute Attack (Attack, Compound)
A bug in the Majordomo program will allow remote users to execute arbitrary commands at the
privilege level of the server.
 3150 FTP Remote Command Execution (Attack, Compound)
Triggers when someone tries to execute the FTP SITE command.
 3151 FTP SYST Command Attempt (Info, Compound)
Triggers when someone tries to execute the FTP SYST command.
 3152 FTP CWD ~root (Attack, Compound)
Triggers when someone tries to execute the CWD ~root command.
 3153 FTP Improper Address Specified (Attack, Atomic*)
Triggers if a port command is issued with an address that is not the same as the requesting host.
 3154 FTP Improper Port Specified (Attack, Atomic*)
Triggers if a port command is issued with a data port specified that is less than 1024 or greater
than 65535.
 4050 UDP Bomb (Attack, Atomic)
Triggers when the UDP length specified is less than the IP length specified.
 4100 Tftp Passwd File (Attack, Compound)
Triggers on an attempt to access the passwd file (typically /etc/passwd) via TFTP.

 6100 RPC Port Registration (Info, Atomic*)
Triggers when attempts are made to register new RPC services on a target host.
 6101 RPC Port Unregistration (Info, Atomic*)
Triggers when attempts are made to unregister existing RPC services on a target host.
 6102 RPC Dump (Info, Atomic*)
Triggers when an RPC dump request is issued to a target host.
 6103 Proxied RPC Request (Attack, Atomic*)
Triggers when a proxied RPC request is sent to the portmapper of a target host.
 6150 ypserv Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the YP server daemon (ypserv) port.
 6151 ypbind Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the YP bind daemon (ypbind) port.
 6152 yppasswdd Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd)
port.
 6153 ypupdated Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the YP update daemon (ypupdated) port.
 6154 ypxfrd Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port.
 6155 mountd Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the mount daemon (mountd) port.
 6175 rexd Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the remote execution daemon (rexd)
port.
 6180 rexd Attempt (Info, Atomic*)
Triggers when a call to the rexd program is made. The remote execution daemon is the server
responsible for remote program execution. This may be indicative of an attempt to gain
unauthorized access to system resources.
 6190 statd Buffer Overflow (Attack, Atomic*)
Triggers when a large statd request is sent. This could be an attempt to overflow a buffer and
gain access to system resources.
 8000 FTP Retrieve Password File (Attack, Atomic*)
SubSig ID: 2101
Triggers on string "passwd" issued during an FTP session. May indicate someone attempting to
retrieve the password file from a machine in order to crack it and gain unauthorized access to
system resources.
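The packet auditing process from "Functional Description" (IP module first, then the ICMP or TCP module, only the first match in a module fires, alarm passes the packet on while drop stops it) together with a few atomic signatures from the list above (1100, 1101, 1102, 2151, 2154, 3040, 3041, 3042), as a Python model added to this section. This is illustrative code, not Cisco's implementation; the packet fields, the rule object with its per-class (info/attack) action sets and the sample packets are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


@dataclass
class Packet:
    """Constructed packet holding only the header fields these signatures read."""
    src: str
    dst: str
    proto: int                  # IP protocol field: 1 = ICMP, 6 = TCP, 17 = UDP
    ip_length: int              # IP total length
    more_fragments: bool = False
    frag_offset: int = 0        # fragment offset, in 8-byte units
    data_length: int = 0        # IP payload bytes carried by this fragment
    tcp_flags: int = 0


@dataclass
class Signature:
    sig_id: int
    name: str
    kind: str                   # "info" or "attack"
    matches: Callable[[Packet], bool]


# Signatures grouped by the module that evaluates them; list order decides which fires.
IP_MODULE = [
    Signature(1100, "IP Fragment Attack", "attack",
              lambda p: p.more_fragments or p.frag_offset != 0),
    Signature(1101, "Unknown IP Protocol", "attack", lambda p: p.proto >= 101),
    Signature(1102, "Impossible IP Packet", "attack", lambda p: p.src == p.dst),
]
ICMP_MODULE = [
    Signature(2151, "Large ICMP Traffic", "attack", lambda p: p.ip_length > 1024),
    # 2154: last fragment and (IP offset * 8) + (IP data length) > 65535
    Signature(2154, "Ping of Death Attack", "attack",
              lambda p: not p.more_fragments
              and p.frag_offset * 8 + p.data_length > 65535),
]
TCP_MODULE = [
    Signature(3040, "TCP - no bits set in flags", "attack",
              lambda p: p.tcp_flags == 0),
    Signature(3041, "TCP - SYN and FIN bits set", "attack",
              lambda p: p.tcp_flags & (TCP_SYN | TCP_FIN) == (TCP_SYN | TCP_FIN)),
    Signature(3042, "TCP - FIN bit with no ACK bit in flags", "attack",
              lambda p: bool(p.tcp_flags & TCP_FIN) and not p.tcp_flags & TCP_ACK),
]
PROTO_MODULES = {1: ("ICMP", ICMP_MODULE), 6: ("TCP", TCP_MODULE)}


@dataclass
class AuditRule:
    """Assumed shape of an audit rule: one action set for info, one for attack signatures."""
    info_actions: Set[str] = field(default_factory=lambda: {"alarm"})
    attack_actions: Set[str] = field(default_factory=lambda: {"alarm", "drop", "reset"})
    disabled: Set[int] = field(default_factory=set)   # signatures switched off (false positives)


@dataclass
class AuditResult:
    alarms: List[str] = field(default_factory=list)
    forwarded: bool = True      # False once a module drops the packet
    resets_sent: bool = False   # True when RSTs go to both ends of a TCP session


def audit_packet(p: Packet, rule: AuditRule) -> AuditResult:
    """Run one packet through the IP module, then its protocol module."""
    result = AuditResult()
    modules = [("IP", IP_MODULE)]
    if p.proto in PROTO_MODULES:
        modules.append(PROTO_MODULES[p.proto])
    for mod_name, sigs in modules:
        # Only the first match within a module fires an action.
        hit = next((s for s in sigs
                    if s.sig_id not in rule.disabled and s.matches(p)), None)
        if hit is None:
            continue                        # module completes, packet passes on
        actions = rule.info_actions if hit.kind == "info" else rule.attack_actions
        if "alarm" in actions:
            result.alarms.append(f"{mod_name}: sig {hit.sig_id} {hit.name}")
        if "reset" in actions and p.proto == 6:
            result.resets_sent = True
        if "drop" in actions:
            result.forwarded = False        # discarded, not sent to the next module
            break
    return result


if __name__ == "__main__":
    # Constructed sample traffic (RFC 5737 documentation addresses).
    land = Packet("192.0.2.7", "192.0.2.7", 6, 40, tcp_flags=TCP_SYN)
    synfin = Packet("192.0.2.7", "198.51.100.3", 6, 40, tcp_flags=TCP_SYN | TCP_FIN)
    pod = Packet("192.0.2.7", "198.51.100.3", 1, 1020, frag_offset=8100, data_length=1000)
    for pkt in (land, synfin, pod):
        print(audit_packet(pkt, AuditRule()))
    # Alarm-only rule: the fragment is not dropped by the IP module, so ICMP also fires.
    print(audit_packet(pod, AuditRule(attack_actions={"alarm"})))
```

With the default drop action, the oversized ICMP fragment is stopped by signature 1100 in the IP module and signature 2154 never gets to run; the alarm-only rule shows both modules reporting, one alarm each.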


5.3 Cisco IOS Firewall IDS Configuration Task List


See the following sections for configuration tasks for the Cisco IOS Firewall Intrusion Detection
System feature. Each task in the list is identified as optional or required:
• Initializing Cisco IOS Firewall IDS (Required)
• Initializing the Post Office (Required)
• Configuring and Applying Audit Rules (Required)
• Verifying the Configuration (Optional)
Initializing Cisco IOS Firewall IDS
To initialize Cisco IOS Firewall IDS on a router, use the following commands in global configuration
mode:

Step 1. Router(config)# ip audit smtp spam recipients
Purpose: Sets the threshold beyond which spamming in e-mail messages is suspected. Here, recipients
is the maximum number of recipients in an e-mail message. The default is 250.

Step 2. Router(config)# ip audit po max-events number_events
Purpose: Sets the threshold beyond which queued events are dropped from the queue for sending to
the Cisco Secure IDS Director. Here, number_events is the number of events in the event queue. The
default is 100. Increasing this number may have an impact on memory and performance, as each
event in the event queue requires 32 KB of memory.

Step 3. Router(config)# exit
Purpose: Exits global configuration mode.

Initializing the Post Office


You must reload the router every time you make a Post Office configuration change. To initialize the
Post Office system, use the following commands in global configuration mode:

Step 1. Router(config)# ip audit notify nr-director
        or
        Router(config)# ip audit notify log
Purpose: Sends event notifications (alarms) to either a Cisco Secure IDS Director, a syslog server, or
both. If you are sending alarms to a Cisco Secure IDS Director, use the nr-director keyword in the
command syntax. If you are sending alarms to a syslog server, use the log keyword. Enter both
commands to send alarms to both destinations.

Step 2. Router(config)# ip audit po local hostid host-id orgid org-id
Purpose: Sets the Post Office parameters of the router itself (the Director's parameters are set in
Step 3 with ip audit po remote). Here, host-id is a unique number between 1 and 65535 that
identifies the router, and org-id is a unique number between 1 and 65535 that identifies the
organization to which the router and Director both belong.

Step 3. Router(config)# ip audit po remote hostid host-id orgid org-id rmtaddress ip-address
        localaddress ip-address port port-number preference preference-number timeout seconds
        application application-type
Purpose: Sets the Post Office parameters for the Cisco Secure IDS Director:
• host-id is a unique number between 1 and 65535 that identifies the Director.
• org-id is a unique number between 1 and 65535 that identifies the organization to which the
router and Director both belong.
• rmtaddress ip-address is the Director's IP address.
• localaddress ip-address is the router's interface IP address.
• port-number identifies the UDP port on which the Director is listening for alarms (45000 is the
default).
• preference-number is the relative priority of the route to the Director (1 is the default). If more
than one route is used to reach the same Director, one must be the primary route (preference 1)
and the other the secondary route (preference 2).
• seconds is the number of seconds the Post Office waits before it determines that a connection
has timed out (5 is the default).
• application-type is either director or logger.
Note: If you are sending Post Office notifications to a Sensor, use logger instead of director as
your application. Sending to a logging application means that no alarms are sent to a GUI; instead,
the Cisco Secure IDS alarm data is written to a flat file, which can then be processed with filters
such as perl and awk, or staged to a database. Use logger only in advanced applications where you
want the alarms only to be logged and not displayed.

Step 4. Router(config)# logging console info
Purpose: Displays the syslog messages on the router console if you are sending alarms to syslog.

Step 5. Router(config)# exit
Purpose: Exits global configuration mode.

Step 6. Router# write memory
Purpose: Saves the configuration.

Step 7. Router# reload
Purpose: Reloads the router.

After you have configured the router, add the Cisco IOS Firewall IDS router's Post Office information
to the /usr/nr/etc/hosts and /usr/nr/etc/routes files on the Cisco Secure IDS Sensors and Directors
communicating with the router. You can do this with the nrConfigure tool in Cisco Secure IDS. For
more information, refer to the NetRanger User Guide.

Configuring and Applying Audit Rules


To configure and apply audit rules, use the following commands starting in global configuration
mode:

Step 1. Router(config)# ip audit info {action [alarm] [drop] [reset]}
        and
        Router(config)# ip audit attack {action [alarm] [drop] [reset]}
Purpose: Sets the default actions for info and attack signatures. Both types of signatures can take
any or all of the following actions: alarm, drop, and reset. The default action is alarm.

Step 2. Router(config)# ip audit name audit-name {info | attack} [list standard-acl]
        [action [alarm] [drop] [reset]]
Purpose: Creates audit rules, where audit-name is a user-defined name for an audit rule. For example:
ip audit name audit-name info
ip audit name audit-name attack
The default action is alarm.
Note: Use the same name when you assign attack and info type signatures.
You can also use the ip audit name command to attach access control lists to an audit rule for
filtering out sources of false alarms. In this case standard-acl is an integer representing an ACL. If
you attach an ACL to an audit rule, the ACL must be defined as well:
ip audit name audit-name {info | attack} list acl-list
In the following example, ACL 99 is attached to the audit rule INFO, and ACL 99 is defined:
ip audit name INFO info list 99
access-list 99 deny 10.1.1.0 0.0.0.255
access-list 99 permit any
Note: The ACL in the preceding example is not denying traffic from the 10.1.1.0 network (as it would
if it were applied to an interface). Instead, the hosts on that network are not passed through the
audit process because they are trusted hosts. All other hosts, as defined by permit any, are
processed by the audit rule. Remember that a standard ACL ends in an implicit deny: an attached
ACL with no permit any entry would therefore exempt every source from the audit rule.

Step 3. Router(config)# ip audit signature signature-id {disable | list acl-list}
Purpose: Disables individual signatures. Disabled signatures are not included in any audit rule, as
this is a global configuration change:
ip audit signature signature-number disable
To re-enable a disabled signature, use the no ip audit signature command, where signature-number
is the number of the disabled signature.
You can also use the ip audit signature command to apply ACLs to individual signatures for filtering
out sources of false alarms. In this case signature-number is the number of a signature, and acl-list
is an integer representing an ACL:
ip audit signature signature-number list acl-list
For example, ACL 35 is attached to the 1234 signature, and then defined:
ip audit signature 1234 list 35
access-list 35 deny 10.1.1.0 0.0.0.255
access-list 35 permit any
Note: The ACL in the preceding example is not denying traffic from the 10.1.1.0 network (as it would
if it were applied to an interface). Instead, the hosts on that network are not passed through the
signature because they are trusted hosts or are otherwise causing false positives to occur. All other
hosts, as defined by permit any, are processed by the signature.

Step 4. Router(config)# interface interface-number
Purpose: Enters interface configuration mode.

Step 5. Router(config-if)# ip audit audit-name {in | out}
Purpose: Applies an audit rule at an interface. Here, audit-name is the name of an existing audit
rule, and the direction is either in or out.

Step 6. Router(config-if)# exit
Purpose: Exits interface configuration mode.

Step 7. Router(config)# ip audit po protected ip-addr [to ip-addr]
Purpose: Configures which network should be protected by the router. Here, ip-addr is the IP
address to protect; use to ip-addr to give a range of addresses.

Step 8. Router(config)# exit
Purpose: Exits global configuration mode.

Verifying the Configuration


You can verify that Cisco IOS Firewall IDS is properly configured with the show ip audit
configuration command (see Example 1).

Example 1 Output from show ip audit configuration Command
ids2611# show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 25
PostOffice:HostID:55 OrgID:123 Msg dropped:0
:Curr Event Buf Size:100 Configured:100
HID:14 OID:123 S:1 A:2 H:82 HA:49 DA:0 R:0 Q:0
ID:1 Dest:10.1.1.99:45000 Loc:172.16.58.99:45000 T:5 S:ESTAB *
Audit Rule Configuration
Audit name AUDIT.1
info actions alarm
attack actions alarm drop reset

You can verify which interfaces have audit rules applied to them with the show ip audit
interface command (see Example 2).

Example 2 Output from show ip audit interface Command
ids2611# show ip audit interface
Interface Configuration
Interface Ethernet0
Inbound IDS audit rule is AUDIT.1
info actions alarm
attack actions alarm drop reset
Outgoing IDS audit rule is not set
Interface Ethernet1
Inbound IDS audit rule is AUDIT.1
info actions alarm
attack actions alarm drop reset
Outgoing IDS audit rule is not set
Monitoring and Maintaining Cisco IOS Firewall IDS


This section describes the EXEC commands used to monitor and maintain Cisco IOS Firewall IDS.

Router# clear ip audit configuration
Purpose: Disables Cisco IOS Firewall IDS, removes all intrusion detection configuration entries, and
releases dynamic resources.

Router# clear ip audit statistics
Purpose: Resets statistics on packets analyzed and alarms sent.

Router# show ip audit statistics
Purpose: Displays the number of packets audited and the number of alarms sent, among other
information.

The following display provides sample output from the show ip audit statistics command:
Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0

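The counters in that output are the raw material for trending and alerting. The following Python is an added example, not Cisco code: it parses the sample output shown above (embedded here as a constant) into a dictionary, ranks signatures by packets audited so the noisiest ones can be reviewed for false positives, and applies two simple health checks. The half-open threshold is an assumed value, and the abbreviated fields on the HID line are parsed but not interpreted, since the page does not define them.

```python
"""Turn 'show ip audit statistics' output into numbers a monitoring job can
trend or alert on. Added example, not Cisco code. SAMPLE is the output shown
above for that command; the meaning of the abbreviated fields on the HID line
is not given on this page, so they are only parsed, not interpreted."""
import re

SAMPLE = """\
Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0
"""

SIG_RE = re.compile(r"^signature (\d+) packets audited: \[(\d+):(\d+)\]$")
SESS_RE = re.compile(r"^(Current|Maxever) session counts .*\[(\d+):(\d+):(\d+)\]$")
INT_RE = re.compile(r"^Interfaces configured for audit (\d+)$")
CREATED_RE = re.compile(r"^Session creations since .* (\d+)$")
KV_RE = re.compile(r"\b([A-Z]+):(\d+)")


def parse_audit_statistics(text):
    """Parse the command output into a plain dictionary."""
    stats = {"signatures": {}, "sessions": {}, "interfaces": 0,
             "session_creations": 0, "postoffice": {}}
    for line in text.splitlines():
        if m := SIG_RE.match(line):
            sid, proc, fast = (int(g) for g in m.groups())
            # The two columns are packets seen on the process-switched and
            # fast-switched paths; both count toward the signature's load.
            stats["signatures"][sid] = {"process": proc, "fast": fast, "total": proc + fast}
        elif m := SESS_RE.match(line):
            which, estab, half, term = m.groups()
            stats["sessions"][which.lower()] = {
                "estab": int(estab), "half_open": int(half), "terminating": int(term)}
        elif m := INT_RE.match(line):
            stats["interfaces"] = int(m.group(1))
        elif m := CREATED_RE.match(line):
            stats["session_creations"] = int(m.group(1))
        elif line.startswith("HID:"):
            # Post Office counters; keys kept as printed, meanings not assumed.
            stats["postoffice"] = {k: int(v) for k, v in KV_RE.findall(line)}
    return stats


def busiest_signatures(stats, n=3):
    """(signature id, packets audited) pairs, highest first: the signatures
    worth reviewing for false positives and candidates for a 'list' ACL."""
    ranked = sorted(stats["signatures"].items(),
                    key=lambda kv: kv[1]["total"], reverse=True)
    return [(sid, v["total"]) for sid, v in ranked[:n]]


def health_flags(stats, max_half_open=50):
    """Simple checks: no interface is being audited at all, or the half-open
    session peak is unusually high (a SYN flood through the router would
    show up here). The threshold is an assumption, not a Cisco value."""
    flags = []
    if stats["interfaces"] == 0:
        flags.append("no interfaces configured for audit")
    if stats["sessions"].get("maxever", {}).get("half_open", 0) > max_half_open:
        flags.append("half-open session peak above threshold")
    return flags


if __name__ == "__main__":
    parsed = parse_audit_statistics(SAMPLE)
    print("busiest signatures:", busiest_signatures(parsed))
    print("health flags:", health_flags(parsed) or "none")
```

Feed the function the captured output of show ip audit statistics from your own router (over SSH, or from a collector that already scrapes it) and keep the per-signature totals over time; a signature whose total climbs while nobody raises a ticket is usually a false-positive source that belongs behind a list ACL rather than a signature to disable outright.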
Cisco IOS Firewall IDS Configuration Examples


The following sections provide Cisco IOS Firewall IDS configuration examples:
Cisco IOS Firewall IDS Reporting to Two Directors Example

In the following example, Cisco IOS Firewall IDS is initialized. Notice that the router is reporting to
two Directors. Also notice that the AUDIT.1 audit rule will apply both info and attack signatures.
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1

ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset

interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in

interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

Adding an ACL to the Audit Rule Example

In the following example, an ACL is added to account for a Cisco Secure IDS Scanner (172.16.59.16)
that scans for all types of attacks. As a result, no packets originating from the device will be audited.
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1

ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm drop reset

interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in

interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

access-list 90 deny 172.16.59.16
access-list 90 permit any

Disabling a Signature Example

The security administrator notices that the router is generating a lot of false positives for signatures
1234, 2345, and 3456. The system administrator knows that there is an application on the network
that is causing signature 1234 to fire, and it is not an application that should cause security concerns.
This signature can be disabled, as illustrated in the following example:

ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1

ip audit signature 1234 disable

ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm drop reset

interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in

interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

access-list 90 deny 172.16.59.16
access-list 90 permit any

Adding an ACL to Signatures Example

After further investigation, the security administrator discovers that the false positives for signatures
2345 and 3456 are caused by specific applications on hosts 10.4.1.1 and 10.4.1.2, as well as by some
workstations using DHCP on the 172.16.58.0 subnetwork. Attaching an ACL that denies processing of
these hosts stops the creation of false positive alarms, as illustrated in the following example:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1

ip audit signature 1234 disable
ip audit signature 2345 list 91
ip audit signature 3456 list 91

ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm drop reset

interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.1 in

interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

access-list 90 deny 172.16.59.16
access-list 90 permit any
access-list 91 deny host 10.4.1.1
access-list 91 deny host 10.4.1.2
access-list 91 deny 172.16.58.0 0.0.0.255
access-list 91 permit any

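The two notes above (on the audit-rule ACL in Step 2 and the signature ACL in Step 3) and the ACL examples that follow all turn on the same inverted reading of deny and permit. The following Python script, added here as an illustration and not Cisco code, models those semantics for the configuration of the preceding example: it parses the access-list, ip audit signature and ip audit name lines, applies first-match standard-ACL evaluation with Cisco wildcard masks, and answers whether a given signature would be run against a packet from a given source. The source addresses tried at the bottom are constructed.

```python
"""Model of the 'list' ACL semantics in Cisco IOS Firewall IDS audit rules.

Added example, not Cisco code. It parses the audit-rule, signature and
access-list lines from the configuration example above and answers: would
signature X be run against a packet from source S? Remember the inversion
the notes above stress: in an ACL attached with 'list', a 'deny' entry
EXEMPTS the source from auditing and 'permit' means it IS audited.
The source addresses in the demo at the bottom are constructed.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (?:(any)|host (\S+)|(\S+)(?: (\S+))?)$")
SIG_RE = re.compile(r"^ip audit signature (\d+) (?:(disable)|list (\d+))$")
RULE_RE = re.compile(r"^ip audit name (\S+) (info|attack)(?: list (\d+))?")

# The relevant lines of the example configuration above.
EXAMPLE_CONFIG = """
ip audit signature 1234 disable
ip audit signature 2345 list 91
ip audit signature 3456 list 91
ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm drop reset
access-list 90 deny 172.16.59.16
access-list 90 permit any
access-list 91 deny host 10.4.1.1
access-list 91 deny host 10.4.1.2
access-list 91 deny 172.16.58.0 0.0.0.255
access-list 91 permit any
"""


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks (0.0.0.255 -> /24); a
    missing wildcard means a single host. Only contiguous masks are handled."""
    wc = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
    netmask = ipaddress.IPv4Address(~wc & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def parse_config(text):
    """Return (acls, disabled, sig_acl, rule_acl) from IOS configuration lines."""
    acls, disabled, sig_acl, rule_acl = {}, set(), {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            num, action, anyw, host, addr, wc = m.groups()
            if anyw: net = ipaddress.IPv4Network("0.0.0.0/0")
            elif host: net = ipaddress.IPv4Network(host + "/32")
            else: net = wildcard_to_network(addr, wc)
            acls.setdefault(int(num), []).append((action, net))
        elif m := SIG_RE.match(line):
            if m.group(2): disabled.add(int(m.group(1)))
            else: sig_acl[int(m.group(1))] = int(m.group(3))
        elif m := RULE_RE.match(line):
            rule_acl[(m.group(1), m.group(2))] = int(m.group(3)) if m.group(3) else None
    return acls, disabled, sig_acl, rule_acl


def acl_permits(acl, src):
    """Standard ACL: first match wins, implicit deny at the end. An attached
    ACL with no 'permit any' would therefore audit nobody."""
    ip = ipaddress.IPv4Address(src)
    for action, net in acl:
        if ip in net:
            return action == "permit"
    return False


def signature_evaluated(config, rule, kind, signature, src):
    """True if IDS would run `signature` (in audit rule `rule` of type
    info/attack) on a packet from `src`: the signature must not be disabled,
    and src must be permitted by both the rule's ACL and the signature's ACL."""
    acls, disabled, sig_acl, rule_acl = parse_config(config)
    if signature in disabled:
        return False
    for acl_num in (rule_acl.get((rule, kind)), sig_acl.get(signature)):
        if acl_num is not None and not acl_permits(acls.get(acl_num, []), src):
            return False
    return True


if __name__ == "__main__":
    # Constructed sources; 192.0.2.10 stands in for an outside host.
    for sig, src in [(1234, "192.0.2.10"), (2345, "10.4.1.1"), (2345, "172.16.58.77"),
                     (2345, "192.0.2.10"), (3456, "172.16.59.16"), (3456, "192.0.2.10")]:
        verdict = signature_evaluated(EXAMPLE_CONFIG, "AUDIT.1", "attack", sig, src)
        print(f"signature {sig} from {src}:", "evaluated" if verdict else "skipped")
```

Running it shows the two tiers at work: 172.16.59.16 is skipped for every signature because ACL 90 sits on the audit rule, 10.4.1.1 and the 172.16.58.0/24 workstations are skipped only for signatures 2345 and 3456 because ACL 91 sits on those signatures, and 1234 never runs because it is disabled globally. Before pasting a new list ACL into a router, evaluate it this way against the addresses you expect to keep auditing; a missing permit any silently turns the exemption list into a blanket exemption.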
Dual-Tier Signature Response Example

The company has now reorganized and has placed only trusted people on the 172.16.57.0 network.
The work done by the employees on this network must not be disrupted by Cisco IOS Firewall IDS,
so attack signatures in the AUDIT.1 audit rule now only alarm on a match.
For sessions that originate from the outside network, any attack signature matches (other than the
false positives that are being filtered out) are to be dealt with in the following manner: send an
alarm, drop the packet, and reset the TCP session.
This dual-tier method of signature response is accomplished by configuring two different audit
specifications and applying each to a different Ethernet interface, as illustrated in the following
example:
ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1

ip audit signature 1234 disable
ip audit signature 2345 list 91
ip audit signature 3456 list 91

ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm
ip audit name AUDIT.2 info action alarm
ip audit name AUDIT.2 attack action alarm drop reset

interface e0
ip address 10.1.1.1 255.0.0.0
ip audit AUDIT.2 in

interface e1
ip address 172.16.57.1 255.255.255.0
ip audit AUDIT.1 in

access-list 90 deny host 172.16.59.16
access-list 90 permit any
access-list 91 deny host 10.4.1.1
access-list 91 deny host 10.4.1.2
access-list 91 deny 172.16.58.0 0.0.0.255
access-list 91 permit any


5.4 Configuring Snort


Snort is an open source network intrusion detection system (NIDS) created by Martin Roesch. Snort
is a packet sniffer that monitors network traffic in real time, inspecting each packet closely to
detect a dangerous payload or suspicious anomalies. Of the two types of IDS, host-based and
network-based, Snort is a network-based IDS.

This network intrusion detection and prevention system works through traffic analysis and packet
logging on IP networks. Through protocol analysis, content searching, and various pre-processors,
Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious
behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass,
and a modular detection engine.

Snort can be run in four modes:

- sniffer mode: Snort reads the network traffic and prints it to the screen.

- packet logger mode: Snort records the network traffic to a file.

- IDS mode: network traffic matching security rules is recorded (the mode used in this tutorial).

- IPS mode: also known as snort-inline (IPS = intrusion prevention system); Snort sits in the traffic
path and can drop matching packets rather than only log them.

Another tool is needed to display the alerts that Snort writes into its database. This tool is BASE
(Basic Analysis and Security Engine), a PHP application that displays the alerts on a web interface.

Snort can be downloaded from http://www.snort.org/dl/.

In order to install and configure Snort access the Snort Manual available at http://manual.snort.org/.


5.5. Configuring Suricata


The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine.

More about Suricata at suricata-ids.org.

IDS/IPS
Suricata is a rule-based ID/PS engine that utilises externally developed rule sets to monitor network
traffic and provide alerts to the system administrator when suspicious events occur. Designed to be
compatible with existing network security components, Suricata features unified output
functionality and pluggable library options to accept calls from other applications.

The initial release of Suricata runs on a Linux 2.6 platform that supports inline and passive traffic
monitoring configuration capable of handling multiple gigabit traffic levels. Linux 2.4 is supported
with reduced configuration functionality, such as no inline option. Available under Version 2 of the
General Public License, Suricata eliminates the ID/PS engine cost concerns while providing a scalable
option for the most complex network security architectures.

In order to install and use Suricata please follow
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation

Multi-threading
As a multi-threaded engine, Suricata offers increased speed and efficiency in network traffic analysis.
In addition to hardware acceleration (with hardware and network card limitations), the engine is
built to utilize the increased processing power offered by the latest multi-core CPU chip sets.
Suricata is developed for ease of implementation and accompanied by a step-by-step getting started
documentation and user manual.

Development and features


The goal of the Suricata Project Phase 1 was to have a distributable and functional ID/PS engine. The
initial beta release was made available for download on January 1, 2010. The engine supports or
provides the following functionality: the latest Snort VRT, Snort logging, rule language options, multi-
threading, hardware acceleration (with hardware and network card dependencies/limitations),
unified output enabling interaction with external log management systems, IPv6, rule-based IP
reputation, library plug-ability for interaction with other applications, performance statistics output,
and a simple and effective getting started user manual.

By engaging the open source community and the leading ID/PS rule set resources available, OISF has
built the Suricata engine to simplify the process of maintaining optimum security levels. Through
strategic partnerships, OISF is leveraging the expertise of Emerging Threats
(www.emergingthreats.net) and other prominent resources in the industry to provide the most
current and comprehensive rule sets available. The HTP Library is an HTTP normalizer and parser
written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced
processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be
used independently in a range of applications and tools.


Configuring Suricata

Basic Setup

When using Debian or FreeBSD, make sure you enter all commands as root/super-user because for these
operating systems it is not possible to use 'sudo' without installing and configuring it first.

Start with creating a directory for Suricata's log information.

sudo mkdir /var/log/suricata

To prepare the system for using it, enter:

sudo mkdir /etc/suricata

The next step is to copy classification.config, reference.config and suricata.yaml from the base
build/installation directory (ex. from git it will be the oisf directory) to the /etc/suricata directory. Do so by
entering the following:

sudo cp classification.config /etc/suricata

sudo cp reference.config /etc/suricata

sudo cp suricata.yaml /etc/suricata

Note: if you have experience with Snort or have an existing Snort setup, check out the Snort.conf to
Suricata.yaml guide.

Auto setup

You can also use the available auto setup features of Suricata:

ex:

./configure && make && make install-conf

The make install-conf option will do the regular "make install" and then automatically create/setup all the
necessary directories and suricata.yaml.

./configure && make && make install-rules

The make install-rules option will do the regular "make install" and it automatically downloads and sets up
the latest ruleset from Emerging Threats available for Suricata.

./configure && make && make install-full

The make install-full option combines everything mentioned above (install-conf and install-rules) - and will
present you with a ready to run (configured and set up) Suricata


Setting variables

Make sure every variable in the vars, address-groups and port-groups sections of the yaml file is set
correctly for your needs. A full explanation is available in the Rule vars section of the yaml. You need
to set the IP address(es) of your local network at HOME_NET. It is recommended to set EXTERNAL_NET
to !$HOME_NET. This way, every IP address except those set at HOME_NET will be treated as external.
It is also possible to set EXTERNAL_NET to 'any', but the recommended setting is more precise and
lowers the chance that false positives will be generated: with 'any', traffic between two internal
hosts also matches rules written for attacks coming from outside. HTTP_SERVERS, SMTP_SERVERS,
SQL_SERVERS, DNS_SERVERS and TELNET_SERVERS are by default set to HOME_NET. AIM_SERVERS is by
default set to 'any'. Set these variables to the actual servers on your network; the more precisely
they are set, the more accurately the rules that use them will fire.

Next, make sure the following ports are set to your needs: HTTP_PORTS, SHELLCODE_PORTS,
ORACLE_PORTS and SSH_PORTS.

Finally, set the host-os-policy to your needs. See Host OS Policy in the yaml for a full explanation.
Each entry lists the hosts (single addresses or CIDR ranges, IPv4 or IPv6) that run a given operating
system family, so that Suricata reassembles streams the way the receiving host does:

host-os-policy:
  windows: []
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Note that bug #499 may prevent you from setting old-linux, bsd-right and old-solaris right now.

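The difference between EXTERNAL_NET: any and EXTERNAL_NET: !$HOME_NET is easiest to see on concrete flows. The following Python is an added example, not Suricata code: it resolves address-group variables the way the yaml expresses them (a bracketed list of networks, any, a $NAME reference, or a ! negation) and evaluates the address part of the common rule header $EXTERNAL_NET -> $HOME_NET over three constructed flows under both settings. The HOME_NET value is an assumption, and Suricata's real matcher also considers ports, direction and the other header fields.

```python
"""Why EXTERNAL_NET should be !$HOME_NET rather than 'any'.

Added example, not Suricata code. It resolves the address-group variables
from suricata.yaml the way the text describes them and evaluates the address
part of a rule header '$EXTERNAL_NET -> $HOME_NET' against constructed flows
under the weak and the recommended setting. HOME_NET below is an assumed
value; Suricata's real matcher also checks ports, direction and much more.
"""
import ipaddress

# The recommended setting from the text, and the weaker alternative.
RECOMMENDED_VARS = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"}
WEAK_VARS = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]", "EXTERNAL_NET": "any"}

# Constructed flows: (source, destination, description).
FLOWS = [
    ("203.0.113.5", "10.1.1.20", "internet host to internal web server"),
    ("10.1.1.50", "10.1.1.20", "internal workstation to internal web server"),
    ("10.1.1.50", "203.0.113.5", "internal workstation browsing out"),
]


def address_group(value, variables):
    """Turn an address-group expression into a predicate on an IP address.
    Supported forms: 'any', '$NAME' (variable reference), '!expr' (negation),
    and a bracketed comma-separated list of addresses or CIDR networks."""
    value = value.strip()
    if value == "any":
        return lambda ip: True
    if value.startswith("!"):
        inner = address_group(value[1:], variables)
        return lambda ip: not inner(ip)
    if value.startswith("$"):
        return address_group(variables[value[1:]], variables)
    nets = [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.strip("[]").split(",") if item.strip()]
    return lambda ip: any(ipaddress.ip_address(ip) in net for net in nets)


def header_matches(src_expr, dst_expr, src_ip, dst_ip, variables):
    """Address half of a rule header 'src_expr -> dst_expr'."""
    return (address_group(src_expr, variables)(src_ip)
            and address_group(dst_expr, variables)(dst_ip))


def flows_flagged(variables, flows=FLOWS):
    """Descriptions of the flows that '$EXTERNAL_NET -> $HOME_NET' treats as
    coming from outside under the given variable settings."""
    return [desc for src, dst, desc in flows
            if header_matches("$EXTERNAL_NET", "$HOME_NET", src, dst, variables)]


def lint_vars(variables):
    """Warn about the two settings the text calls out: HOME_NET left at 'any'
    and EXTERNAL_NET left at 'any'."""
    warnings = []
    if variables.get("HOME_NET", "any").strip() == "any":
        warnings.append("HOME_NET is 'any': set it to your local networks")
    if variables.get("EXTERNAL_NET", "any").strip() == "any":
        warnings.append("EXTERNAL_NET is 'any': prefer !$HOME_NET to cut internal-to-internal false positives")
    return warnings


if __name__ == "__main__":
    for name, variables in (("weak", WEAK_VARS), ("recommended", RECOMMENDED_VARS)):
        print(name, "->", flows_flagged(variables), lint_vars(variables) or "no warnings")
```

With EXTERNAL_NET set to any, the internal workstation talking to the internal web server is flagged exactly like the internet host, so every scanner, monitoring probe or misbehaving client on the LAN shows up as an outside attacker; with !$HOME_NET only the flow that really comes from outside matches. Run lint_vars over the vars block of a new suricata.yaml before the first start.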
Rule set management and download

Use Rule Management with Oinkmaster, or just download and untar the ruleset in a directory of your
choosing (or the one given by the yaml config setting) from:
http://rules.emergingthreats.net/open/suricata/

Or, if you prefer, you can download and use a VRT ruleset.

It is recommended to update your rules frequently. Emerging Threats is modified daily; VRT is updated
weekly or multiple times a week.


Interface cards

To check the available interface cards, enter:

ifconfig

Now you can see which one you would like Suricata to use.

To start the engine and include the interface card of your preference, enter:

sudo suricata -c /etc/suricata/suricata.yaml -i wlan0 --init-errors-fatal

Instead of wlan0, enter the interface card of your preference. The --init-errors-fatal option makes
Suricata abort at startup if a rule fails to load, instead of silently running without that rule; it is
strongly recommended.

To see if the engine is working correctly and receives and inspects traffic, enter:

cd /var/log/suricata

Followed by:

tail http.log

And:

tail -n 50 stats.log

To make sure the information displayed is updated in real time, use the -f option before http.log and
stats.log:

tail -f http.log stats.log

Source: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup


Summary
 The Cisco IOS Firewall IDS feature supports intrusion detection technology for midrange and
high-end router platforms with firewall support. It is ideal for any network perimeter, and
especially for locations in which a router is being deployed and additional security between
network segments is required. It also can protect intranet and extranet connections where
additional security is mandated, and branch-office sites connecting to the corporate office or
Internet.
 The Cisco IOS Firewall IDS feature identifies 59 of the most common attacks using "signatures"
to detect patterns of misuse in network traffic. The intrusion-detection signatures included in
the Cisco IOS Firewall were chosen from a broad cross-section of intrusion-detection signatures.
The signatures represent severe breaches of security and the most common network attacks and
information-gathering scans.
 In Cisco IOS Firewall IDS, signatures are categorized into four types:
o Info Atomic
o Info Compound
o Attack Atomic
o Attack Compound
 The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets and
sessions as they flow through the router, scanning each to match any of the IDS signatures.
 IDS monitors packets and sends alarms when suspicious activity is detected.
 IDS logs the event through Cisco IOS syslog or the Cisco Secure Intrusion Detection System (Cisco
Secure IDS, formerly known as NetRanger) Post Office Protocol.
 The network administrator can configure the IDS system to choose the appropriate response to
various threats.
 When packets in a session match a signature, the IDS system can be configured to take these
actions:
o Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized management
interface)
o Drop the packet
o Reset the TCP connection


Practical activities:

Activity 1:

List the various kinds of IDS products in the market and the various vendors for the same.
Compare the features, benefits and limitations of various kind of IDS products offered. Share
with your fellow students.

Activity 2:

Configure an IDS product, or first job-shadow someone who installs an IDS. List the various steps
involved, then configure it on your own.


UNIT VI
IPS Configuration

This Unit covers:

 Lesson Plan
6.1 Understanding IPS Network Sensing
6.2 Overview of IPS Configuration


LESSON PLAN

Performance Ensuring Work Environment /


Outcomes Measures Lab Requirement
PC1. identify the information security devices The learners must KA1 to KA13:
(IPS) you are required to install/ configure and demonstrate all PCs PCs/Tablets/Laptops
source relevant instructions and guidelines on given work tasks
Labs availability
PC2. identify any issues with instructions and
guidelines for installing/configuring information (24/7)
security devices (IPS) and clarify these with Internet with WiFi
appropriate people (Min 2 Mbps
PC3. liaise with stakeholders clearly and Dedicated)
promptly regarding the installation/
Networking
configuration of information security devices
(IPS) Equipment- Routers
& Switches
PC4. install/configure information security
devices (IPS) as per instructions and guidelines Firewalls and Access
PC5. test installed/configured information Points
security devices (IPS), following instructions and Access to all security
guidelines sites like ISO, PIC
PC6. resolve problems of information security DSS
devices (IPS), following instructions and
guidelines Commercial Tools
PC7. obtain advice and guidance on installing / like HP Web Inspect
configuring / testing / information security and IBM AppScan
devices (IPS) from appropriate people, where etc.,
required Open Source tools
PC8. record the like sqlmap, Nessus
installation/configuration/testing of etc.,
information security devices (IPS) promptly
using standard templates and tools Security Templates
PC9. provide reports for troubleshooting, from ITIL
configurations and deployment using standard
templates and tools
PC10. comply with your organization’s policies,
standards, procedures, guidelines and service
level agreements (SLAs) when installing /
configuring / troubleshooting information
security devices (IPS)

420
Student Handbook – Security Analyst SSC/N0903

You need to know and understand:

KA1. your organization’s policies, procedures, standards, guidelines and client specific service level agreements for installing, configuring information security devices (IPS)
KA2. limits of your role and responsibilities and who to seek guidance from where required
KA3. your organization’s systems, procedures and tasks/checklists relevant to your work and how to use these
KA4. the importance of following manufacturer’s installation guides and procedures and how to access and apply these to install information security devices (IPS)
KA5. who to involve when installing, configuring information security devices (IPS)
KA7. the importance of recording issues when installing/configuring information security devices (IPS) and how to report these
KA8. standard tools and templates available and how to use these to record installation/configuration
KB3. architecture concepts and design patterns and how these contribute to the security of design and devices
KB4. common issues that may occur when installing or configuring information security devices (IPS) and how to resolve these
KB5. methods of testing installed information security devices (IPS)

Measures

KA1-KA3: QA session and a descriptive write-up on understanding.
KA4, KA7: Group presentation and peer evaluation along with faculty.
KA5: Presentation of best practices document by peer group to the faculty and loading the same into different sites.
KA8: Presentation of the customized templates by peer groups and validation of them by faculty.
KB3-KB5: Installation and configuration of security tools in the lab environment by peer groups and validation by the faculty.


Lesson: Cisco Intrusion Prevention System (IPS)

Sensors are network devices that perform real-time monitoring of network traffic for suspicious
activities and active network attacks. The IPS sensor analyses network packets and flows to
determine whether their contents appear to indicate an attack against your network.

6.1 Understanding IPS Network Sensing


Network sensing can be accomplished using Cisco IPS sensors (appliances, switch modules, network
modules, and SSMs) and Cisco IOS IPS devices (Cisco IOS routers with IPS-enabled images and Cisco
ISRs).
These sensing platforms are components of the Cisco Intrusion Prevention System and can be
managed and configured through Cisco Security Manager. These sensing platforms monitor and
analyse network traffic in real time. They do this by looking for anomalies and misuse on the basis of
network flow validation, an extensive embedded signature library, and anomaly detection engines.
However, these platforms differ in how they can respond to perceived intrusions.
Cisco IPS sensors and Cisco IOS IPS devices are often referred to collectively as IPS devices or simply
sensors. However, Cisco IOS IPS does not run the full dedicated IPS software, and its configuration
does not include IPS device-specific policies. Additionally, the amount of sensing that you can
perform with Cisco IOS IPS is more limited. The following sections focus on using dedicated IPS
devices, including service modules installed in IOS routers, rather than Cisco IOS IPS.
When an IPS device detects unauthorized network activity, it can terminate the connection,
permanently block the associated host, and take other actions.

This section contains the following topics:

 Capturing Network Traffic
 Correctly Deploying the Sensor
 Tuning the IPS

Capturing Network Traffic


The sensor can operate in either promiscuous or inline mode. The following illustration shows how
you can deploy a combination of sensors operating in both inline (IPS) and promiscuous (IDS) modes
to protect your network.


Figure 1: Comprehensive IPS Deployment Solutions

The command and control interface is always Ethernet. This interface has an assigned IP address,
which allows it to communicate with the manager workstation or network devices (Cisco switches,
routers, and firewalls). Because this interface is visible on the network, you should use encryption to
maintain data privacy. SSH is used to protect the CLI and TLS/SSL is used to protect the manager
workstation. SSH and TLS/SSL are enabled by default on the manager workstations.
When responding to attacks, the sensor can do the following:
 Insert TCP resets via the sensing interface.
You should select the TCP reset action only on signatures associated with a TCP-based service. If
selected as an action on non-TCP-based services, no action is taken. Additionally, TCP resets are not
guaranteed to tear down an offending session because of limitations in the TCP protocol.
 Make ACL changes on switches, routers, and firewalls that the sensor manages. ACLs may block
only future traffic, not current traffic.
 Generate IP session logs, session replay, and trigger packets display.
 IP session logs are used to gather information about unauthorized use. IP log files are written
when events occur that you have configured the appliance to look for.
 Implement multiple packet drop actions to stop worms and viruses.


Correctly Deploying the Sensor


Before you deploy and configure your sensors, you should understand the following about your
network:
 The size and complexity of your network.
 Connections between your network and other networks, including the Internet.
 The amount and type of traffic on your network.
This knowledge will help you determine how many sensors are required, the hardware configuration
for each sensor (for example, the size and type of network interface cards), and how many managers
are needed.
You should always position the IPS sensor behind a perimeter-filtering device, such as a firewall or
adaptive security appliance. The perimeter device filters traffic to match your security policy thus
allowing acceptable traffic in to your network. Correct placement significantly reduces the number
of alerts, which increases the amount of actionable data you can use to investigate security
violations. If you position the IPS sensor on the edge of your network in front of a firewall, your
sensor will produce alerts on every single scan and attempted attack even if they have no
significance to your network implementation. You will receive hundreds, thousands, or even millions
of alerts (in a large enterprise environment) that are not really critical or actionable in your
environment. Analysing this type of data is time consuming and costly.

Tuning the IPS


Tuning the IPS ensures that the alerts you see reflect true, actionable information. Without tuning
the IPS, it is difficult to do security research or forensics on your network because you will have
thousands of benign events, also known as false positives. False positives are a by-product of all IPS
devices, but they occur much less frequently in Cisco IPS devices because Cisco IPS devices are
stateful, normalized, and use vulnerability signatures for attack evaluation. Cisco IPS devices also
provide risk rating, which identifies high risk events, and policy-based management, which lets you
deploy rules to enforce IPS signature actions based on risk rating.
Follow these tips when tuning your IPS sensors:
 Place your sensor on your network behind a perimeter-filtering device. Proper sensor placement
can reduce the number of alerts you need to examine by several thousand a day.
 Deploy the sensor with the default signatures in place. The default signature set provides you
with a very high security protection posture. The Cisco signature team has spent many hours on
testing the defaults to give your sensor the highest protection. If you think that you have lost these
defaults, you can restore them.
 Make sure that the event action override is set to drop packets with a risk rating greater than
90. This is the default and ensures that high risk alerts are stopped immediately.
 Filter out known false positives caused by specialized software, such as vulnerability scanners
and load balancers, by one of the following methods:
– You can configure the sensor to ignore the alerts from the IP addresses of the scanner
and load balancer.


– You can configure the sensor to allow these alerts and then use Event Viewer to filter out
the false positives.
 Filter the Informational alerts. These low-priority event notifications could indicate that
another device is doing reconnaissance on a device protected by the IPS. Research the source IP
addresses from these Informational alerts to determine what the source is.
 Analyse the remaining actionable alerts:
– Research the alert.
– Fix the attack source.
– Fix the destination host.
– Modify the IPS policy to provide more information.


6.2 Overview of IPS Configuration


There are a wide variety of devices on which you can configure the Intrusion Prevention System.
From a configuration point-of-view, you can separate the devices into two groups: dedicated
appliances and service modules (for routers, switches, and ASA devices) that run the full IPS
software; and IPS-enabled routers running Cisco IOS Software 12.4(11) T and later (Cisco IOS IPS).
The following procedure is an overview of IPS configuration on dedicated appliances and service
modules.

Step 1. Install and connect the device to your network. Install the device software and
perform basic device configuration. Install the licenses required for all of the services running
on the device. The amount of initial configuration that you perform influences what you will
need to configure in Security Manager.
Follow the instructions in the Installing Cisco Intrusion Prevention System Appliances and
Modules document for the IPS version you are using.
Step 2. Add the device to the Security Manager device inventory. You can discover router
and Catalyst switch modules when adding the device in which the module is installed. For
ASA devices, you must add the service module separately.
Step 3. Configure the interfaces as described in Configuring Interfaces. You must enable
the interfaces connected to your network for the device to function.
For certain types of service module, there are additional policies to configure:
 Router-hosted service modules—Configure the IPS Module interface settings policy on
the router.
 IDSM—Configure the IDSM Settings Catalyst platform policy.
 IPS modules on ASA devices—Configure the Platform > Service Policy Rules > IPS, QoS,
and Connection Rules policy on the host ASA to specify the traffic that should be
inspected.
Step 4. Use the Virtual Sensors policy to assign interfaces to the virtual sensors, including
the base vs0 virtual sensor that exists for all IPS devices.
If the device supports it, and you have a need for it, you can also create user-defined virtual
sensors so that a single device acts like multiple sensors. Most of the IPS configuration is
done on the parent device, but you can configure unique settings per virtual sensor for
signatures, anomaly detection, and event actions.
Step 5. Configure basic device access platform policies. These policies determine who can
log into the device:
 AAA —Configure this policy if you want to use a RADIUS server to control access to the
device. You can use AAA control in conjunction with local user accounts defined in the
User Accounts policy.
 Allowed Hosts —The addresses of hosts who are allowed access. Ensure that the
Security Manager server is included as an allowed host, or you cannot configure the
device using Security Manager.
 SNMP —Configure this policy if you want to use an SNMP application to manage the
device.
 Password Requirements —You can define the acceptable characteristics of a user
password.
 User Accounts —The user accounts defined on the device.


Step 6. Configure basic server access platform policies. These policies identify the servers
to which the device can connect:
 External Product Interface —If you use Management Centre for Cisco Security Agents,
configure this policy to allow the sensor to download host postures from the application.
 NTP —Configure this policy if you want to use a Network Time Protocol server to control
the device time.
 DNS, HTTP Proxy —The DNS and HTTP Proxy policies are required only if you configure
global correlation. They identify a server that can resolve DNS names to IP addresses.
Use the HTTP Proxy policy if your network requires the use of a proxy to make Internet
connections; otherwise, use the DNS policy.
Step 7. Configure the Logging policy if you want non-default logging.
Step 8. Configure IPS signatures and event actions. Event action policies are easier to
configure than creating custom signatures, so try to use event action filters and overrides to
modify signature behaviour before trying to edit specific signatures.
Step 9. If you use any of the Request Block or Request Rate Limit event actions, configure
blocking or rate limiting hosts.
Step 10. Configure other desired advanced IPS services.
Step 11. Maintain the device:
 Update and redeploy configurations as necessary.
 Apply updated signature and engine packages.
 Manage the device licenses. You can update and re-deploy licenses, or automate license
updates.
 Manage the certificates required for SSL (HTTPS) communication. These certificates
expire, so you need to regenerate them approximately every 2 years.
Step 12. Monitor the device:
 Use the Event Viewer application to view alerts generated from the device. You can open
Event Viewer from the Launch menu in Configuration Manager or Report Manager, or
from the Windows Start menu.
 Use the Report Manager application to generate reports on IPS usage, including
comparisons of inline vs. promiscuous mode, and global correlation vs. traditional
inspection. You can also analyse top attackers, victims, signatures, blocked signatures,
and perform target analysis.

Identifying Allowed Hosts


Use the Allowed Hosts policy to identify which hosts or networks have permission to access the IPS
sensor. By default, no hosts are permitted to access a sensor, so you must add hosts or networks to
this policy.
Specifically, you must add either the IP address of the Security Manager server, or its network
address, or Security Manager cannot configure the device. Also add the addresses of all other
management hosts that you use, such as CS-MARS.
If you add host addresses only, you will be limited to using those workstations to access the device.
Instead, you can specify network addresses to allow all hosts connected to specific “safe” networks
access.


Step 1 Do one of the following to open the Allowed Hosts policy:


 (Device view) Select Platform > Device Admin > Device Access > Allowed Hosts from the
Policy selector.
 (Policy view) Select IPS > Platform > Device Admin > Allowed Hosts, then select an existing
policy or create a new one.
Step 2 Do one of the following:
 To add an entry, click the Add Row button and fill in the Access List dialog box.
 You can add up to 512 entries.
 To edit an entry, select it and click the Edit Row button.
 To delete an entry, select it and click the Delete Row button.
Step 3 When adding or editing an entry, specify the host or network address in the Add or Modify
Access List dialog box, then click OK. You can enter addresses using the following formats:
 Host address—A simple IP address, such as 10.100.10.10.
 Network address—A network address and mask, such as 10.100.10.0/24 or
10.100.10.0/255.255.255.0.
 A network/host policy object—Click Select to select an existing object or to create a new
one. To use the object in this policy, it must have a single value, either a single network or a
single host.
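As an added example (not code from the handbook or from Cisco Security Manager), the following Python validates a list of Allowed Hosts entries in the three formats accepted above, enforces the 512-entry limit from Step 2, and checks that the Security Manager server and the other management hosts are actually admitted before the policy is deployed. The entry formats and the limit come from the procedure; representing a network/host policy object as a one-element list, the "locked out" check, the rejection of an all-hosts network and the sample addresses are constructed for this example.

```python
"""Added example: validate Allowed Hosts entries before deploying the policy.
Not code from the handbook or from Security Manager."""
from ipaddress import ip_address, ip_network

MAX_ENTRIES = 512  # limit stated in Step 2 of the Allowed Hosts procedure


def parse_entry(entry):
    """Parse one entry in any of the three accepted forms and return it as an
    IPv4Network: a host address (10.100.10.10, treated as a /32), a network
    with prefix length (10.100.10.0/24) or a network with a dotted mask
    (10.100.10.0/255.255.255.0). A network/host policy object is modelled as a
    list of values (an assumption of this example) and must hold exactly one."""
    if isinstance(entry, (list, tuple)):
        if len(entry) != 1:
            raise ValueError(f"policy object must have a single value, got {entry!r}")
        entry = entry[0]
    entry = entry.strip()
    if "/" not in entry:
        ip_address(entry)          # raises ValueError if not a valid address
        return ip_network(entry)   # a single host becomes a /32 network
    # ip_network accepts both /24 and /255.255.255.0; strict=True rejects an
    # address with host bits set (10.100.10.5/24), which is almost always a typo.
    return ip_network(entry, strict=True)


def build_policy(entries):
    """Parse all entries, enforcing the 512-entry limit and rejecting an entry
    that would admit every host (a sanity check added here, not a Security
    Manager rule)."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries allowed, got {len(entries)}")
    policy = [parse_entry(e) for e in entries]
    for net in policy:
        if net.prefixlen == 0:
            raise ValueError(f"{net} permits every host; use specific safe networks")
    return policy


def is_allowed(policy, host):
    """True if `host` may reach the sensor under this policy."""
    addr = ip_address(host)
    return any(addr in net for net in policy)


def locked_out(policy, manager_addr, other_mgmt=()):
    """Return the management hosts that the policy would NOT admit. The list
    must be empty before deployment: if the Security Manager server is missing,
    it can no longer configure the device."""
    return [a for a in (manager_addr, *other_mgmt) if not is_allowed(policy, a)]


# Constructed sample entries: one of each accepted format.
SAMPLE_ENTRIES = [
    "10.100.10.10",               # host address
    "10.100.10.0/24",             # network with prefix length
    "192.168.5.0/255.255.255.0",  # network with dotted mask
    ["172.16.1.9"],               # single-value network/host policy object
]

if __name__ == "__main__":
    policy = build_policy(SAMPLE_ENTRIES)
    # Constructed addresses: the Security Manager server, a CS-MARS host and a
    # jump host that was never added to the policy.
    missing = locked_out(policy, "10.100.10.10", ["192.168.5.20", "10.200.1.5"])
    print("locked-out management hosts:", missing)
```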

Configuring SNMP
SNMP is an application layer protocol that facilitates the exchange of management information
between network devices. SNMP enables network administrators to manage network performance,
find and solve network problems, and plan for network growth.
SNMP is a simple request/response protocol. The network-management system issues a request,
and managed devices return responses. This behaviour is implemented by using one of four protocol
operations: Get, GetNext, Set, and Trap.
You can configure the sensor for monitoring by SNMP. SNMP defines a standard way for network
management stations to monitor the health and status of many types of devices, including switches,
routers, and sensors.
You can configure the sensor to send SNMP traps. SNMP traps enable an agent to notify the
management station of significant events by way of an unsolicited SNMP message.
Trap-directed notification has the following advantage—if a manager is responsible for a large
number of devices, and each device has a large number of objects, it is impractical to poll or request
information from every object on every device. The solution is for each agent on the managed
device to notify the manager without solicitation. It does this by sending a message known as a trap
of the event.
After receiving the event, the manager displays it and can take an action based on the event. For
example, the manager can poll the agent directly, or poll other associated device agents to get a
better understanding of the event.
Trap-directed notification results in substantial savings of network and agent resources by
eliminating frivolous SNMP requests. However, it is not possible to totally eliminate SNMP polling.
SNMP requests are required for discovery and topology changes. In addition, a managed device
agent cannot send a trap if the device has had a catastrophic outage.
This procedure describes how to configure SNMP on an IPS sensor so that you can manage the
sensor with an SNMP management station, including the configuration of traps.


Step 1 Do one of the following to open the SNMP policy:

 (Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy
selector.
 (Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an
existing policy or create a new one.
Step 2 On the General Configuration tab, configure at least the following options.

 Enable SNMP Gets/Sets —Select this option to enable the SNMP management workstation
to obtain (get) information, and to modify (set) values on the IPS sensor. If you do not enable this
option, the management workstation cannot manage this sensor.
 Read-Only Community String —The community string required for read-only access to the
sensor. SNMP get requests from the management station must supply this string to get
responses from the sensor. This string gives access to all SNMP get requests.
 Read-Write Community String —The community string required for read-write access to
the sensor. SNMP set requests from the management station must supply this string to get
responses from the sensor; it can also be used on get requests. This string gives access to all
SNMP get and set requests.
Step 3 If you want to configure SNMP traps, click the SNMP Trap Configuration tab and
configure at least the following options.

 Enable Notifications —Select this option to allow the sensor to send SNMP traps.
 Trap Destinations —Add the SNMP management stations that should be trap destinations.
Click the Add Row (+) button to add a new destination, or select a destination and click the Edit
Row (pencil) button to change its configuration.
When adding or editing a trap destination, the trap community string that you enter overrides
the default community string entered on the SNMP Trap Configuration tab. The community
string appears in the traps sent to this destination and is useful if you are receiving multiple
types of traps from multiple agents. For example, a router or sensor could be sending the traps,
and if you put something that identifies the router or sensor specifically in your community
string, you can filter the traps based on the community string.
To remove a destination, select it and click the Delete Row (trash can) button.
Step 4 If you configure trap destinations, you must also ensure that the desired alerts
include the Request SNMP Trap action. You have the following options for adding
this action:

 (Easy way.) Create an event action override to add the Request SNMP Trap action to all
alerts of a specified risk rating (IPS > Event Actions > Event Action Overrides policy). For
example, you could generate traps for all alerts with a risk rating between 85 and 100. Event action
overrides let you add an action without individually editing each signature.
 (Precise way.) Edit the Signatures policy (IPS > Signatures > Signatures) to add the Request
SNMP Trap action to the signatures for which you want to send trap notifications. Traps are sent
only for signatures that you configure to send traps.
If the signature has Default for the source, you have to change the source to the Local source
before you can change the action. However, if you right-click the Action cell in the signatures
table and select Edit Actions, then select Request SNMP Trap (along with any other desired
action) and click OK, the source is automatically changed to Local.
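As an added example, not code from the handbook or from Security Manager, the following Python models how the tuning tips in Section 6.1 (ignore scanner and load-balancer sources, set Informational alerts aside for research, drop packets when the risk rating exceeds 90) and the two methods in Step 4 (an event action override for risk ratings 85 to 100 versus per-signature Request SNMP Trap actions) combine to decide the actions taken for each alert. Action names follow the Cisco IPS convention; the policy structure, signature IDs, addresses and alerts are constructed for this example.

```python
"""Added example: how event action overrides and per-signature actions combine
after the handbook's tuning filters. Not Security Manager code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Action names follow the Cisco IPS convention; only three are modelled here.
PRODUCE_ALERT = "produce-alert"
DENY_PACKET = "deny-packet-inline"
REQUEST_SNMP_TRAP = "request-snmp-trap"


@dataclass(frozen=True)
class Override:
    """Event action override: add `action` to every alert whose risk rating
    lies in [min_rr, max_rr] (the "easy way" in Step 4)."""
    min_rr: int
    max_rr: int
    action: str


@dataclass
class TuningPolicy:
    # Default override from "Tuning the IPS": risk rating greater than 90 drops packets.
    overrides: list = field(default_factory=lambda: [Override(91, 100, DENY_PACKET)])
    # Per-signature actions (the "precise way"); signatures not listed only alert.
    signature_actions: dict = field(default_factory=dict)
    # Sources of known false positives (vulnerability scanners, load balancers).
    ignored_sources: list = field(default_factory=list)
    # Informational alerts are filtered, but their sources are kept for research.
    filter_informational: bool = True


@dataclass(frozen=True)
class Alert:
    sig_id: int
    risk_rating: int
    severity: str  # "informational", "low", "medium" or "high"
    src: str
    dst: str


def actions_for(policy: TuningPolicy, alert: Alert) -> set:
    """Return the actions the sensor takes for one alert: the signature's own
    actions plus any override whose risk-rating range matches."""
    actions = {PRODUCE_ALERT} | set(policy.signature_actions.get(alert.sig_id, ()))
    for ov in policy.overrides:
        if ov.min_rr <= alert.risk_rating <= ov.max_rr:
            actions.add(ov.action)
    return actions


def triage(policy: TuningPolicy, alerts: list) -> tuple:
    """Apply the tuning steps to a batch of alerts.

    Returns (actionable, recon_sources): `actionable` is a list of
    (alert, actions) pairs left for the analyst to research; `recon_sources`
    holds the source addresses of filtered Informational alerts, which the
    handbook says to look up separately since they may indicate reconnaissance."""
    ignored = [ip_network(n, strict=False) for n in policy.ignored_sources]
    actionable, recon_sources = [], set()
    for alert in alerts:
        src = ip_address(alert.src)
        if any(src in net for net in ignored):
            continue  # known false positive: scanner or load balancer
        if policy.filter_informational and alert.severity == "informational":
            recon_sources.add(alert.src)
            continue
        actionable.append((alert, actions_for(policy, alert)))
    return actionable, recon_sources


# Constructed sample policy and alerts (signature IDs and addresses are made up).
SAMPLE_POLICY = TuningPolicy(
    overrides=[Override(91, 100, DENY_PACKET),         # default: drop high-risk packets
               Override(85, 100, REQUEST_SNMP_TRAP)],  # Step 4 "easy way"
    signature_actions={1002: {REQUEST_SNMP_TRAP}},     # Step 4 "precise way"
    ignored_sources=["10.100.10.0/24", "192.0.2.50"],  # scanner subnet, load balancer
)
SAMPLE_ALERTS = [
    Alert(1001, 95, "high", "198.51.100.7", "10.1.1.20"),
    Alert(1002, 70, "low", "198.51.100.9", "10.1.1.21"),
    Alert(1003, 88, "medium", "10.100.10.33", "10.1.1.22"),  # from the scanner subnet
    Alert(1004, 25, "informational", "203.0.113.5", "10.1.1.23"),
    Alert(1005, 60, "medium", "198.51.100.11", "10.1.1.24"),
]

if __name__ == "__main__":
    actionable, recon = triage(SAMPLE_POLICY, SAMPLE_ALERTS)
    for alert, acts in actionable:
        print(f"sig {alert.sig_id} RR {alert.risk_rating}: {sorted(acts)}")
    print("Informational sources to research:", sorted(recon))
```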


Step 5 Add the SNMP management stations to the Allowed Hosts policy. The management
stations must be allowed hosts to access the sensor.

General SNMP Configuration Options


Use the General Configuration tab on the SNMP page to configure general SNMP parameters and
apply them to IPS sensors.
Table 1: General Configuration Tab, SNMP Policy for IPS Sensors

Navigation Path

 (Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy
selector. Select the General Configuration tab.

 (Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an
existing policy or create a new one. Select the General Configuration tab.

Field Reference

Enable SNMP Gets/Sets: Whether to enable the SNMP management workstation to obtain (get)
information, and modify (set) values on the IPS sensor. If you do not enable this option, the
management workstation cannot manage this sensor; the sensor will not respond to SNMP requests.

Read-Only Community String: The community string required for read-only access to the sensor.
SNMP get requests from the management station must supply this string to get responses from the
sensor. This string gives access to all SNMP get requests. Use the string to help identify the sensor.

Read-Write Community String: The community string required for read-write access to the sensor.
SNMP set requests from the management station must supply this string to get responses from the
sensor; it can also be used on get requests. This string gives access to all SNMP get and set
requests. Use the string to help identify the sensor.

Sensor Contact: The network administrator or contact point who is responsible for this sensor.

Sensor Location: The physical location of the sensor, such as building address, name, and room
number.

Sensor Agent Port: The port to use for SNMP get/set communication with the sensor. The default is
161. The valid range is 1 to 65535. Enter a port number or the name of a port list object, or click
Select to select a port list object from a list or to create a new object. The port list object must
identify a single port.

SNMP Agent Protocol: The protocol you are using for SNMP, either UDP (the default) or TCP. Select
the protocol used by your SNMP management station.


SNMP Trap Configuration Tab


Use the SNMP Trap Communication tab on the SNMP page to configure traps and apply them to
sensors and to identify recipients that the traps should be sent to.
Table 2: SNMP Trap Configuration Tab, SNMP Policy for IPS Sensors

Navigation Path

 (Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy
selector. Select the SNMP Trap Configuration tab.

 (Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an
existing policy or create a new one. Select the SNMP Trap Configuration tab.

Field Reference

Enable Notifications: Whether to enable the sensor to send trap notifications to the trap
destinations whenever a specific type of event occurs in a sensor. If you do not select this option,
the sensor does not send traps.
Tip: To have the sensor send SNMP traps, you must also select Request SNMP Trap as the event
action when you configure signatures. Traps are sent only for signatures that you configure to send
traps.

Error Filter: The type of events that will generate SNMP traps based on the severity of the event:
fatal, error, or warning. Select all severities that you want; use Ctrl + click to select multiple
values. The sensor sends notifications of events of the selected severities only.

Enable Detail Traps: Whether to include the full text of the alert in the trap. If you do not select
this option, sparse mode is used. Sparse mode includes less than 484 bytes of text for the alert.

Default Trap Community String: The community string used for the traps if no specific string has
been set for the trap destination in the Trap Destinations table.
Tip: All traps carry a community string. By default, all traps that have a community string identical
to that of the destination are taken by the destination. All other traps are discarded by the
destination. However, you can configure the destination to determine which trap strings to accept.

Trap Destinations table: The SNMP management stations that will be sent trap notifications. The
table shows the IP address of the management station, the community string added to traps from
this sensor, and the port to which traps are sent.
 To add a destination, click the Add Row button and fill in the Add SNMP Trap Communication
dialog box.
 To edit a destination, select it, click the Edit Row button and make your changes.
 To delete a destination, select it and click the Delete Row button.


SNMP Trap Communication Dialog Box


Use the Add or Modify SNMP Trap Communication dialog box to configure SNMP trap destinations.
These are the SNMP management stations that should receive traps from the IPS sensor.
Table 3: SNMP Trap Communication Dialog Box

Navigation Path
Go to the IPS Platform > Device Admin > Device Access > SNMP policy, select the SNMP Trap
Configuration tab, and click the Add Row button beneath the Trap Destinations table, or select a
destination in the table and click the Edit Row button.
Field Reference

IP Address: The IP address of the SNMP management station that should receive trap notifications.
Enter the IP address or the name of a network/host object, or click Select to select the object from
a list or to create a new object. The network/host object must specify a single host IP address.

Trap Community String: The community string of the trap. If you do not enter a trap string, the
default trap string defined on the SNMP Trap Communication tab is used for traps sent to this
destination.

Trap Port: The port used by the SNMP management station to receive traps. Enter the port number or
the name of a port list object, or click Select to select the object from a list or to create a new
one. The port list object must identify a single port.

Managing User Accounts and Password Requirements


You can configure user accounts and passwords, and general password requirements, for your IPS
devices. You can configure local users (defined directly on the device), use a RADIUS AAA server, or
use them both in conjunction. The policies used are the AAA, User Accounts, and Password
Requirements policies in the Platform > Device Admin > Device Access folder.
When you create or edit a local user account in Security Manager, the password you enter must
satisfy the requirements defined in the Password Requirements policy. This ensures that new
passwords meet your security requirements.
If you change the password requirements, and then make changes to any local user account, the
new requirements must be met by all user accounts that have passwords managed by Security
Manager. This is because Security Manager reconfigures the passwords for all managed accounts if
any single account needs to be reconfigured.
The User Accounts policy allows you to centrally manage the local user accounts for your IPS devices.
Using a shared policy can help you ensure that all IPS devices contain the same accounts with the
same passwords. However, it is important to understand that passwords are encrypted, so Security
Manager cannot discover the actual passwords defined on the device. Security Manager manages
the passwords for an account only if you define that password in Security Manager. Security
Manager does not manage any user accounts defined in a RADIUS AAA server.


The following topics describe IPS user accounts, and Security Manager discovery and
deployment considerations, in more detail:

 Understanding IPS User Roles
 Understanding Managed and Unmanaged IPS Passwords
 Understanding How IPS Passwords are Discovered and Deployed
 Configuring IPS User Accounts
 Configuring User Password Requirements
 Configuring AAA Access Control for IPS Devices

Understanding IPS User Roles


There are four user roles for IPS user accounts:
 Viewer —Users can view the device configuration and events, but they cannot modify any
configuration data except their user passwords.
 Operator —Users can view everything and they can modify the following options:
– Signature tuning (priority, disable or enable).
– Virtual sensor definition.
– Managed routers.
– Their user passwords.
 Administrator —Users can view everything and they can modify all options that Operators can
modify in addition to the following:
– Sensor addressing configuration.
– List of hosts allowed to connect as configuration or viewing agents.
– Assignment of physical sensing interfaces.
– Enable or disable control of physical interfaces.
– Add and delete users and passwords.
– Generate new SSH host keys and server certificates.
 Service —Only one user with service privileges can exist on a sensor. The service user cannot log
in to IDM or IME. The service user logs in to a bash shell rather than the CLI. The service role is a
special role that allows you to bypass the CLI if needed.
The purpose of the Service account is to provide Cisco Technical Support access to troubleshoot
unique and unusual problems. It is not needed for normal system configuration and
troubleshooting. You should carefully consider whether you want to create a service account.
The service account provides shell access to the system, which makes the system vulnerable.
However, you can use the service account to create a password if the administrator password is
lost. Analyse your situation to decide if you want a service account existing on the system.


Understanding Managed and Unmanaged IPS Passwords


Every IPS local user account has a password, which allows secure user login to the device. These user
passwords are encrypted on the IPS device. Thus, when you add an IPS device to the Security
Manager inventory, Security Manager cannot read the actual user passwords.
Because Security Manager cannot read the password, it is unable to deploy newly-discovered user
account passwords to the device. To avoid putting user accounts into a state where the passwords
are unknown and unusable, Security Manager marks discovered user account passwords
as unmanaged. The status of a password is indicated in the Is Password Managed? column of
the Platform > Device Admin > Device Access > User Accounts policy:
• If No is indicated, the password for this account is not configured in Security Manager. When
you deploy this policy, Security Manager will not attempt to configure the password for this user
account.
• If Yes is indicated, the password for this account was configured or updated in Security
Manager. When you deploy this policy, Security Manager reconfigures the passwords for all
managed accounts, not just the passwords that changed since the last deployment.
Because Security Manager configures even unchanged passwords, all managed passwords must
satisfy the password requirements defined in the Password Requirements policy.
Thus, you can have a mix of managed and unmanaged account passwords. For example, you can
have a set of shared user accounts that are centrally managed, and manage these account
passwords in Security Manager. Other accounts might be unique to individuals; if you never edit
these account passwords in Security Manager, the user can manage these passwords individually on
the device.
If you do not want to manage any user accounts in Security Manager, ensure that the User Accounts
policy is empty, or simply unassign the policy (right-click the policy and select Unassign Policy).
Security Manager will not modify user account configurations.

Understanding How IPS Passwords are Discovered and Deployed


Because user passwords are encrypted on IPS devices, Security Manager has to handle them with
special care when discovering policies on the device or deploying configurations. When discovering
or deploying user accounts on IPS devices, Security Manager does the following:
• Discovery — When you add an IPS device to the inventory, or rediscover policies on it,
Security Manager determines the current status of each user account, updates the User Account
policy with each discovered username and associated role, and marks the user password as
unmanaged.
You cannot view the account status through Security Manager, because it is dynamic and can
change. However, the Discovery Status window displays the status at discovery. Accounts can
have these statuses:
– Active —This state indicates that the account is available for use. Active accounts can be
accessed using an authentication token if one has been assigned to the account.
– Expired —This state indicates that the account’s authentication token has expired and the
account cannot be accessed using a token until the token has been updated.


– Locked —This state indicates that logins to the account have been disabled due to too
many failed authentication attempts. You should update the password for these accounts.
• Deployment — You are warned if any deployed user accounts are in the Expired or Locked
state. Any unmanaged passwords are not deployed to the device. Also, keep in mind the
following points:
– If you make changes to any user account on the device, all user accounts with managed
passwords are reconfigured. If you also changed the Password Requirements policy, all
passwords are compared to the new policy and must meet the new requirements.
– If you change the password of the user account you defined in the device’s properties for
Security Manager to use when configuring the device, after successful deployment, Security
Manager updates the password in the device properties to the new password. You do not
need to manually update the password. To see device properties, select Tools > Device
Properties.
This behaviour assumes that you selected Security Manager Device Credentials for the
Connect to Device Using option on the Tools > Security Manager Administration > Device
Communication page. If you are using the logged-in users’ credentials for deployment, after
successful deployment, the overall deployment is marked as failed, and a message explains
how to re-establish connection.
– If you use out-of-band change detection, changes to passwords are not detected. However,
changes to usernames and roles are detected.
– When previewing configurations, you can see changes to the user accounts by selecting
IPS (Delta – User Passwords). However, passwords are masked.
– If you are rolling back configurations, the user accounts are never rolled back. The current
status and configuration of user accounts does not change.
The IPS sensor can accept public keys for RSA authentication when logging into the device
through an SSH client. Each user has an associated list of authorized keys. Users can use
these keys instead of passwords. Security Manager ignores these keys during discovery and
deployment. Thus, if keys are configured, Security Manager does not remove the
configuration.

Configuring IPS User Accounts


Use the User Accounts policy to configure local user accounts for IPS devices. Users can use these
accounts to log into the device. You can create new users, modify user privileges and passwords, and
delete users.
The user accounts policy should have at least these accounts:
• cisco — An account named “cisco” must exist on the device and you cannot delete it.
• An administrator account that Security Manager can use — Security Manager must be able to
log into the device to configure it. Typically, you create an account for this purpose. However,
you have the option of having Security Manager use the user account of the person deploying
configurations to log into the device. You can configure this using the Connect to Device
Using option on the Tools > Security Manager Administration > Device Communication page.


• Cisco IOS IPS devices use the same user accounts that are defined for the router. This
procedure does not apply to Cisco IOS IPS configurations.
• If you change the password for the user defined in the device properties, which Security
Manager uses to deploy configurations to the device, Security Manager uses the existing
credentials defined in the device properties to log into the device and deploy changes. After
successful deployment, the device properties are then changed to use your new settings.

Step 1 Do one of the following to open the User Accounts policy:

• (Device view) Select Platform > Device Admin > Device Access > User Accounts from the
Policy selector.
• (Policy view) Select IPS > Platform > Device Admin > Device Access > User Accounts, then
select an existing policy or create a new one.

The policy shows existing user accounts, including the username, role, and whether the password is
managed by Security Manager.

Step 2 Do one of the following:

• To add a user account, click the Add Row (+) button. This opens the Add User dialog box.
Enter the information required to define the account.
• To edit a user account, select it and click the Edit Row (pencil) button and make the required
changes in the Edit User dialog box. You cannot change a user role to or from the Service role.
• To delete a user account, select it and click the Delete Row (trash can) button. You cannot
delete the account named cisco.

All password changes must meet the requirements of the Password Requirements policy. If you
change the requirements policy, all new user accounts, or edited accounts, are tested against the
new requirements. Although the passwords for existing unedited user accounts are not tested, they
too must meet the password requirements if you change any user account defined in this policy,
because Security Manager will deploy all of the accounts during the next configuration deployment.
Passwords are checked for conformity when you validate policies, which typically happens when you
submit changes to the database.
Add User and Edit User Credentials Dialog Boxes

Use the Add User or Edit User Credentials dialog boxes to add or edit IPS device user accounts.

Table 4: Add or Edit User Dialog Box

Navigation Path

From the IPS platform User Accounts policy, click the Add Row (+) button to create a new account, or
select an existing account and click the Edit Row (pencil) button.

Field Reference

User Name
    The username for the account. The name can be 1 to 64 characters, including uppercase and
    lowercase letters and numbers, plus the special characters () + :, _ / - ] + $.
    You cannot change the username when editing an account.

Password, Confirm
    The password for this user account. Enter the password in both fields. The password must
    conform to the Password Requirements policy for IPS devices (see Configuring User Password
    Requirements below).

Role
    The role for this user. For an explanation of these roles, see the user role descriptions earlier in
    this section.
    When editing a user account, you cannot select the Service role. When editing an account
    assigned to the Service role, you cannot change the role.

Configuring User Password Requirements

Use the IPS platform Password Requirements policy to configure the rules for passwords for local IPS
device user accounts. All user-created sensor passwords must conform to the requirements defined
in this policy. You can configure password requirements for sensors running IPS software version 6.0
or higher.

The requirements you define here determine what is considered an acceptable password in the User
Accounts policy. If you change this policy, it can be applied even to unchanged user accounts.

To configure IPS password requirements, select one of the following policies:

• (Device view) Select Platform > Device Admin > Device Access > Password
Requirements from the Policy selector.

• (Policy view) Select IPS > Platform > Device Admin > Password Requirements from the
Policy Type selector, then select an existing policy or create a new one.

The following table explains the password requirement options that you can configure.

Table 5: Password Requirements Policy

Attempt Limit
    How many times a user is allowed to try to log into the device before you lock the user account
    due to excessive failed attempts. The default is 0, which indicates unlimited authentication
    attempts. For security purposes, you should change this number.

Size Range
    The minimum and maximum size allowed for user passwords; separate the minimum and
    maximum with a hyphen. The range is 6 to 64 characters; the default is 8-64.
    Tip: If you configure non-zero values for any of the minimum characters options, the minimum
    size you enter in the Size Range field must be equal to or greater than the sum of those values.
    For example, you cannot set a minimum password size of eight and also require that passwords
    must contain at least five lowercase and five uppercase characters.

Minimum Digit Characters
    The minimum number of numeric digits that must be in a password.

Minimum Uppercase Characters
    The minimum number of uppercase alphabet characters that must be in a password.

Minimum Lowercase Characters
    The minimum number of lowercase alphabet characters that must be in a password.

Minimum Other Characters
    The minimum number of non-alphanumeric printable characters that must be in a password.

Number of Historical Passwords
    The number of historical passwords that you want the sensor to remember for each account.
    Any attempt to change the password of an account fails if the new password matches any of the
    remembered passwords. If you specify 0, no previous passwords are remembered.
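The rules in Table 5 are easy to get subtly wrong, in particular the Tip about the minimum size having to cover the sum of the per-class minimums, and the history check that only looks back as far as the configured depth. The following is an added example, not Cisco or Security Manager code: a small Python model of the policy whose fields mirror the table's elements. The class and function names (PasswordRequirements, policy_problems, check_password) are assumptions, and the sample passwords used with it are constructed.

```python
"""Model of the IPS Password Requirements policy from Table 5.

Added example, not Cisco code: the class fields mirror the table's elements
(Attempt Limit, Size Range, Minimum Digit/Uppercase/Lowercase/Other Characters,
Number of Historical Passwords); the class and function names are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class PasswordRequirements:
    size_range: tuple[int, int] = (8, 64)  # default 8-64; allowed range 6 to 64
    min_digit: int = 0
    min_upper: int = 0
    min_lower: int = 0
    min_other: int = 0       # non-alphanumeric printable characters
    history_depth: int = 0   # 0 = no previous passwords remembered
    attempt_limit: int = 0   # 0 = unlimited failed logins before lockout

    def policy_problems(self) -> list[str]:
        """Reasons the policy itself is inconsistent or weak (empty list = OK)."""
        problems = []
        lo, hi = self.size_range
        if not 6 <= lo <= hi <= 64:
            problems.append(f"size range {lo}-{hi} must lie within 6 to 64")
        # Tip from Table 5: the minimum size must cover the sum of the per-class minimums.
        needed = self.min_digit + self.min_upper + self.min_lower + self.min_other
        if needed > lo:
            problems.append(f"minimum size {lo} is below the {needed} characters "
                            "implied by the per-class minimums")
        if self.attempt_limit == 0:
            problems.append("attempt limit 0 means unlimited authentication attempts")
        return problems


def check_password(candidate: str, policy: PasswordRequirements,
                   previous: list[str]) -> list[str]:
    """Requirements a candidate password fails (empty list = acceptable).

    `previous` is the account's password history, oldest first; only the last
    `history_depth` entries are compared, because that is how many the sensor
    remembers.
    """
    failures = []
    lo, hi = policy.size_range
    if not lo <= len(candidate) <= hi:
        failures.append(f"length {len(candidate)} is outside {lo}-{hi}")
    counts = {
        "digit": sum(c.isdigit() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "other": sum(c.isprintable() and not c.isalnum() for c in candidate),
    }
    minimums = {"digit": policy.min_digit, "uppercase": policy.min_upper,
                "lowercase": policy.min_lower, "other": policy.min_other}
    for cls, need in minimums.items():
        if counts[cls] < need:
            failures.append(f"needs at least {need} {cls} character(s), has {counts[cls]}")
    remembered = previous[-policy.history_depth:] if policy.history_depth > 0 else []
    if candidate in remembered:
        failures.append("matches one of the remembered previous passwords")
    return failures
```

Running policy_problems() on a policy before assigning it mirrors the validation Security Manager performs when you submit changes: a policy that demands five lowercase and five uppercase characters with a minimum size of eight is reported as inconsistent, and the default attempt limit of 0 is flagged because the text says to change it.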

Configuring AAA Access Control for IPS Devices

Use the AAA policy to configure AAA access control for your IPS devices. The device must use IPS
Software release 7.0(4) to configure AAA.
You can configure the IPS device to use a RADIUS AAA server to authenticate user access to the
device. By configuring AAA, you can reduce the number of local users defined on the device and take
advantage of your existing RADIUS setup. If you configure a AAA server, you can configure the device
to allow local user accounts as a Fallback mechanism if the RADIUS servers are unavailable.
When configuring AAA, you identify the RADIUS server using a AAA server policy object. You can
create the object while configuring the policy, or you can create it in the Policy Object Manager.
When you configure the AAA server object, you must adhere to the following restrictions:
• Host — You must specify the IP address; you cannot use a DNS name.
• Timeout — If you enter a timeout value, it must be from 1 to 512 seconds. The generic AAA
server object allows higher numbers, but IPS has a more limited timeout range. The default is 3.
• Protocol — RADIUS is the only supported protocol.
• Key — You must specify the shared secret key that is defined on the RADIUS server.
Although this field is optional for a generic AAA server object, IPS requires a key.
• Port — Ensure that the RADIUS Authentication/Authorization port is correct. Note that the
default port in the AAA server object is different from the IPS default, which is 1812. You will
need to change the port if you want to use the IPS default.
You must ensure that the user account configured in the device properties exists in the RADIUS
server or as a local user account, depending on the authorization method that you use. If you switch
between local and AAA modes, or change AAA servers, you must ensure that the account is defined
in whatever user account database you are using. If you are using AAA with local Fallback, the
account should be defined in all databases. This account must exist, with the same password defined
in the Security Manager device properties for the device, or deployment to the device will fail. The
user account used for discovery and deployment must have administrator privileges.


Step 1 Do one of the following:


• (Device view) Select Platform > Device Admin > Device Access > AAA from the Policy
selector.
• (Policy view) Select IPS > Platform > Device Admin > AAA, then select an existing policy or
create a new one.

Step 2 Configure the following basic properties:

• Authentication Mode — Whether to use Local or AAA mode. Local mode uses user accounts
defined on the IPS device only. With AAA mode, the RADIUS servers are the primary means
of user authentication, and you can configure local user accounts as a Fallback mechanism.
The default is Local. You must select AAA to configure any other options in this policy.
• Primary RADIUS Server, Secondary RADIUS Server — The main (primary) AAA server and a
backup server, if any. Enter the name of the AAA server policy object that identifies the
RADIUS server, or click Select to select it from a list of objects or to create a new object.
When authenticating users, the IPS device sends the user authentication attempt to the primary
server. The secondary server is contacted only if the request to the primary server times out.

Step 3 Configure the following optional properties if you want non-default values:

• Console Authentication — How you want to authenticate users who access the IPS device
through the console:
o Local — Users connected through the console port are authenticated through local
user accounts.
o Local and RADIUS — Users connected through the console port are authenticated
through RADIUS first. If RADIUS fails, local authentication is attempted.
o RADIUS — Users connected through the console port are authenticated by RADIUS. If
you also select Enable Local Fallback, then users can also be authenticated through
the local user accounts.
• RADIUS NAS ID — The Network Access ID, which identifies the service requesting
authentication. The value can be no NAS-ID, cisco-ips, or a NAS-ID already configured on the
RADIUS server. The default is cisco-ips.
• Enable Local Fallback — Whether you want to fall back to local user account authentication
if all RADIUS servers are unavailable. This option is selected by default. Note that local
authentication is not attempted if the RADIUS server responds negatively to the logon
attempt; local authentication is tried only if no response is received from the RADIUS server.
• Default User Role — The role to assign to users who do not have a role assigned in the
RADIUS server. You can make Viewer, Operator, or Administrator the default role, but not
Service; select Unspecified to assign no default role (this is the default).

User role configuration is very important. If you do not assign a role to the user, either through the
default user role or in the RADIUS server, the sensor prevents user login even if the RADIUS server
accepted the username and password.

To assign roles specifically to users on the RADIUS server, you configure the Accept Message for
those accounts as either ips-role=administrator, ips-role=operator, ips-role=viewer, or
ips-role=service. You configure the Accept Message individually for each user account. An example
of a Reply attribute for a given user could be configured to return “Hello <user> your ips-role=operator.”


If you configure a service account in the RADIUS server, you must also configure an identical service
account locally on the device. For service accounts, both the RADIUS and Local accounts are checked
during login.
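The login rules spread across Steps 2 and 3 and the notes that follow them interact in ways that matter when you troubleshoot a lockout: a RADIUS reject never falls back to local accounts, the secondary server is consulted only after a timeout, a user with no ips-role token and no Default User Role is refused even though the RADIUS server accepted the password, and a service account must also exist locally. The following is an added example, not Cisco or Security Manager code: a Python model of that decision in which the RADIUS servers are simulated with dictionaries of constructed users, no network traffic is sent, and all class and function names (SimRadius, AaaPolicy, login, role_from_reply) are assumptions.

```python
"""Toy model of the IPS AAA login decision described in Steps 2 and 3.

Added example, not Cisco code. Rules encoded from the text: the secondary
RADIUS server is consulted only when the primary times out; local fallback is
used only when no RADIUS server responds, never after a reject; the role comes
from an ips-role=... token in the Accept message, else from the Default User
Role; a user with no role is refused even though RADIUS accepted; a service
account must also exist locally. Servers are simulated (constructed data).
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

ROLE_RE = re.compile(r"ips-role=(administrator|operator|viewer|service)")


def role_from_reply(reply_message: str) -> Optional[str]:
    """Extract the ips-role token, e.g. 'Hello bob your ips-role=operator.' -> 'operator'."""
    m = ROLE_RE.search(reply_message)
    return m.group(1) if m else None


@dataclass
class SimRadius:
    """Stand-in for a RADIUS server: users maps name -> (password, reply_message)."""
    name: str
    users: dict
    reachable: bool = True

    def authenticate(self, user: str, password: str):
        if not self.reachable:
            return "timeout", None          # no response at all
        entry = self.users.get(user)
        if entry and entry[0] == password:
            return "accept", entry[1]       # Access-Accept with its reply message
        return "reject", None               # a negative response


@dataclass
class AaaPolicy:
    mode: str = "Local"                     # "Local" or "AAA"
    primary: Optional[SimRadius] = None
    secondary: Optional[SimRadius] = None
    local_fallback: bool = True             # Enable Local Fallback (on by default)
    default_role: Optional[str] = None      # None = Unspecified
    local_users: dict = field(default_factory=dict)   # name -> (password, role)

    def __post_init__(self):
        if self.default_role == "service":
            raise ValueError("Service cannot be the default user role")


def local_login(policy: AaaPolicy, user: str, password: str, why: str):
    entry = policy.local_users.get(user)
    if entry and entry[0] == password:
        return True, entry[1], f"{why}: local account"
    return False, None, f"{why}: local account missing or wrong password"


def login(policy: AaaPolicy, user: str, password: str):
    """Return (allowed, role, reason) for one login attempt."""
    if policy.mode == "Local":
        return local_login(policy, user, password, "local mode")
    for server in (policy.primary, policy.secondary):
        if server is None:
            continue
        status, reply = server.authenticate(user, password)
        if status == "timeout":
            continue                        # only a timeout moves on to the next server
        if status == "reject":
            return False, None, f"rejected by {server.name}"   # no local fallback here
        role = role_from_reply(reply or "") or policy.default_role
        if role is None:
            return False, None, f"accepted by {server.name} but no role assigned"
        if role == "service":
            # Both the RADIUS and the local account are checked for service logins.
            if policy.local_users.get(user) != (password, "service"):
                return False, None, "service role requires an identical local account"
        return True, role, f"accepted by {server.name}"
    if policy.local_fallback:
        return local_login(policy, user, password, "no RADIUS response, local fallback")
    return False, None, "no RADIUS response and local fallback disabled"
```

The reason string is what an operator needs when a login fails: "rejected by primary" and "no role assigned" look identical from the user's side, but only the second is fixed by setting a Default User Role or correcting the Accept Message on the RADIUS server.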

Identifying an NTP Server


Use the NTP policy to configure a Network Time Protocol (NTP) server as the time source for the IPS
device. Using NTP helps ensure synchronized time among your network devices, which can aid event
analysis. NTP is the recommended way to configure time settings on an IPS device.
For detailed information on how to set the time on a sensor, including how to set up a Cisco IOS
router as an NTP server, refer to Configuring Time in Configuring the Cisco Intrusion Prevention
System Sensor Using the Command Line Interface Version 7.0.
Check the time on your IPS sensor if you are having trouble updating your IPS software. If the time
on the sensor is ahead of the time on the associated certificate, the certificate is rejected, and the
sensor software update fails.

Step 1 Do one of the following to open the NTP policy:

 (Device view) Select Platform > Device Admin > Server Access > NTP from the Policy
selector.
 (Policy view) Select IPS > Platform > Device Admin > Server Access > NTP, then select an
existing policy or create a new one.

Step 2 In the NTP Server IP Address field, enter the IP address of the NTP server. You can also enter
the name of a network/host object that identifies the single host address of the server, or
click Select to select the object from a list or to create a new one.

Step 3 If the NTP server does not require authentication, deselect the Authenticated NTP checkbox.

If the NTP server requires authentication, configure the following options:


• Authenticated NTP — Select this option to enable authenticated connections.
• Key, Confirm — The key value of the NTP server. The key is an MD5 type of key (either
numeric or character); it is the key that was used to set up the NTP server.
• Key ID — The key ID value of the NTP server, a numeric value between 1 and 65535.

The key and key ID are configured on the NTP server; you must obtain them from the NTP server
configuration.

Identifying DNS Servers


If you configure global correlation on an IPS 7.0+ sensor, the sensor must be able to resolve domain
names to successfully connect to the update server when downloading global correlation updates.
Use the DNS policy to identify the Domain Name System (DNS) servers that the sensor can use to
resolve domain names to IP addresses.
If your network requires HTTP proxies when making Internet connections, configure the HTTP Proxy
policy instead of the DNS policy.
The AIP-SSC-5 service module does not support DNS servers.


Step 1 Do one of the following to open the DNS policy:

• (Device view) Select Platform > Device Admin > Server Access > DNS from the Policy
selector.
• (Policy view) Select IPS > Platform > Device Admin > Server Access > DNS, then select
an existing policy or create a new one.

Step 2 Specify the IP addresses of up to three DNS servers in the Primary, Secondary, and
Tertiary Address fields. The sensor uses the servers in the order listed; if one server does not
respond, the next server is contacted.

You can enter an IP address or the name of a network/host object that contains a server address.
Click Select to select a network/host object from a list or to create a new one. The network/host
object must specify a single host address.

Identifying an HTTP Proxy Server


If you configure global correlation on an IPS 7.0+ sensor, and your network requires the use of HTTP
proxies to connect to the Internet, you need to configure the HTTP Proxy policy to identify a proxy
that the IPS sensor can use. When downloading global correlation updates, the IPS sensor connects
to the update server using this proxy. The proxy must be able to resolve DNS names.
If you do not use HTTP proxies, configure DNS servers so that the IPS sensor can resolve the address
of the update server. The AIP-SSC-5 service module does not support HTTP proxy servers.

Step 1 Do one of the following to open the HTTP Proxy policy:


• (Device view) Select Platform > Device Admin > Server Access > HTTP Proxy from the Policy
selector.
• (Policy view) Select IPS > Platform > Device Admin > Server Access > HTTP Proxy, then select
an existing policy or create a new one.

Step 2 Configure the following options:

• Enable Proxy — Select this option to tell the device to connect through the configured proxy
server.
• IP Address — Enter the IP address of the proxy server, or the name of the network/host
object that contains the server’s IP address. Click Select to select a network/host object from
a list or to create a new one. The network/host object must contain a single host IP address.
• Port — Enter the port number used for HTTP connections to the proxy server. The default is
80.

Configuring the External Product Interface


Use the External Product Interface policy to configure the way that Security Manager works with
Management Centre for Cisco Security Agents (CSA MC).
In general, the external product interface is designed to receive and process information from
external security and management products. These external security and management products
collect information that can be used to automatically enhance the sensor configuration information.
Management Centre for Cisco Security Agents is the only external product that can be configured to
communicate with the IPS. At most two Management Centre for Cisco Security Agents servers can
be configured per IPS device.
Management Centre for Cisco Security Agents is no longer an active product. Configure this policy
only if you are still using that application. For more information, see About CSA MC in Installing and
Using Cisco Intrusion Prevention System Device Manager
6.0 and http://www.cisco.com/en/US/products/sw/cscowork/ps5212/index.html.

Management Centre for Cisco Security Agents enforces a security policy on network hosts. It has two
components:
• Agents that reside on and protect network hosts.
• A management console, which is an application that manages agents. It downloads security
policy updates to agents and uploads operational information from agents.

Before You Begin


Add the external product as an allowed host so that Security Manager allows the sensor to
communicate with the external product.
Step 1 Do one of the following to open the External Product Interface policy:

• (Device view) Select Platform > Device Admin > Server Access > External Product Interface
from the Policy selector.
• (Policy view) Select IPS > Platform > Device Admin > Server Access > External Product
Interface, then select an existing policy or create a new one.

Step 2 Do one of the following:

• To add a server, click the Add Row (+) button. This opens the External Product Interface dialog
box. Enter the information required to identify the server and configure the posture ACLs.
You can add at most two servers.
• To edit a server, select it and click the Edit Row (pencil) button and make the required
changes in the External Product Interface dialog box.
• To delete a server, select it and click the Delete Row (trash can) button.

External Product Interface Dialog Box


Use the Add or Edit External Product Interface dialog box to add or modify interfaces between
Management Centre for Cisco Security Agents (CSA MC) and the IPS device and the related posture
ACLs.
Table 6: External Product Interface Dialog Box

Navigation Path

From the External Product Interface IPS platform policy, click Add Row or select an entry and
click Edit Row.

Field Reference

External Product’s IP Address
    The IP address, or the network/host policy object that contains the address, of the external
    product. Enter the IP address or object name, or click Select to select an object from a list or
    to create a new one.

Interface Type
    Identifies the physical interface type, which is always Extended SDEE.

Enable receipt of information
    Whether information is allowed to be passed from the external product to the sensor.

SDEE URL
    The URL on the CSA MC the IPS uses to retrieve information using SDEE communication. You
    must configure the URL based on the software version of the CSA MC that the IPS is
    communicating with, as follows:
    • For CSA MC version 5.0: /csamc50/sdee-server.
    • For CSA MC version 5.1: /csamc51/sdee-server.
    • For CSA MC version 5.2 and higher: /csamc/sdee-server (the default value).

Port
    The port, or the port list object that identifies the port, being used for communications. Enter
    the port or port list name, or click Select to select the object from a list or to create a new
    object.

User name, Password
    A username and password that can log into the external product.

Enable receipt of host postures
    Whether to allow the receipt of host posture information from CSA MC. The host posture
    information received from a CSA MC is deleted if you disable this option.

Allow unreachable hosts’ postures
    Whether to allow the receipt of host posture information for hosts that are not reachable by
    the CSA MC. A host is not reachable if the CSA MC cannot establish a connection with the host
    on any IP addresses in the host’s posture. This option is useful in filtering the postures whose
    IP addresses may not be visible to the IPS sensor or that might be duplicated across the
    network. This filter is most applicable in network topologies where hosts that are not reachable
    by the CSA MC are also not reachable by the IPS, for example if the IPS and CSA MC are on the
    same network segment.

Posture ACL table
    Posture ACLs are network addresses for which host postures are allowed or denied. Use
    posture ACLs to filter postures that have IP addresses that might not be visible to the IPS or
    that might be duplicated across the network.
    • To add a posture ACL, click the Add Row (+) button. This opens the Add Posture ACL dialog
    box. For information on configuring the Posture ACL, see Posture ACL Dialog Box.
    • To edit a posture ACL, select it and click the Edit Row (pencil) button.
    • To delete a posture ACL, select it and click the Delete Row (trash can) button.
    • To change the priority of an ACL, select it and click the Up or Down button. ACLs are
    processed in order, and the action associated with the first match is applied.

Enable receipt of watch listed addresses
    Whether to allow the receipt of the watch list information from CSA MC. The watch list
    information received from a CSA MC is deleted if you disable this option.

Manual Watch List RR Increase
    The percentage of the manual watch list risk rating (RR). The default is 25, and the valid range
    is 0 to 35.

Session-based Watch List RR Increase
    The percentage of the session-based watch list risk rating. The default is 25, and the valid
    range is 0 to 35.

Packet-based Watch List RR Increase
    The percentage of the packet-based watch list risk rating. The default is 10, and the valid range
    is 0 to 35.

Posture ACL Dialog Box


Use the Add or Modify Posture ACL dialog box to configure posture ACLs for Management Centre for
Security Agents. Posture ACLs are network addresses for which host postures are allowed or denied.
Use posture ACLs to filter postures that have IP addresses that might not be visible to the IPS or that
might be duplicated across the network.
Configure the following fields to define a posture ACL:
• Network Address — Enter the IP address of a host or network, or the name of a
network/host object that specifies one. You can click Select to select the object from a list or to
create a new object.
• Action — Whether host postures will be permitted or denied from the hosts on the network
address.

Navigation Path
From the External Product Interface dialog box, click the Add Row (+) button underneath the
Posture ACL table, or select a posture ACL and click the Edit Row (pencil) button.
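Because posture ACLs are processed in order and the first match wins, the position of a deny entry relative to a broader permit entry decides which postures the sensor keeps. The following is an added example, not Cisco or Security Manager code: a Python model of that evaluation together with the Allow unreachable hosts' postures option from Table 6. The ACL entries and posture records are constructed sample data; the class and function names (PostureAcl, posture_address_allowed, filter_postures), the posture record shape, and the choice to permit an address that matches no entry are assumptions, since the text does not state a default.

```python
"""Posture ACL evaluation for host postures received from CSA MC.

Added example, not Cisco code. Implements the ordered, first-match rule for
the Posture ACL table and the 'Allow unreachable hosts' postures' option.
ACL entries and posture records are constructed sample data; treating an
address that matches no entry as permitted is our assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class PostureAcl:
    network: str   # host address or network in CIDR form, e.g. "10.1.5.0/24"
    action: str    # "permit" or "deny"


def posture_address_allowed(acls, address, default=True):
    """Apply the ACLs in order; the first entry containing the address decides."""
    ip = ipaddress.ip_address(address)
    for entry in acls:
        # strict=False tolerates host bits set in the entry, e.g. "10.1.5.7/24"
        if ip in ipaddress.ip_network(entry.network, strict=False):
            return entry.action == "permit"
    return default   # no entry matched: assumed permit (not stated in the text)


def filter_postures(postures, acls, allow_unreachable=False):
    """Return the postures the sensor would keep, each with only its permitted addresses.

    A posture is a dict {"host": name, "addresses": [...], "reachable": bool}
    (constructed shape). Unreachable hosts are dropped unless allow_unreachable
    is set, and a posture whose addresses are all denied is dropped as well.
    """
    kept = []
    for p in postures:
        if not p["reachable"] and not allow_unreachable:
            continue
        permitted = [a for a in p["addresses"] if posture_address_allowed(acls, a)]
        if permitted:
            kept.append({**p, "addresses": permitted})
    return kept
```

Swapping the order of a host-specific deny and a broader permit flips the result for that host, which is exactly the effect of the Up and Down buttons in the dialog box.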

Configuring IPS Logging Policies


Use the IPS platform Logging policy to configure traffic flow notifications and Analysis Engine global
variables. These settings apply to the general operation of the IPS sensor.
Traffic flow notifications have to do with the flow of traffic across the interface of a sensor. You can
configure the sensor to monitor the flow of packets across an interface and send notification if that
flow changes (starts and stops) during a specified interval. You can configure the missed packet
threshold within a specific notification interval and also configure the interface idle delay before a
status event is reported.
The Analysis Engine performs packet analysis and alert detection. It monitors traffic that flows
through specified interfaces. For the Analysis Engine, there is only one global variable: Maximum
Open IP Log Files.

444
Student Handbook – Security Analyst SSC/N0903

Navigation Path

• (Device view) Select Platform > Logging from the Policy selector.
• (Policy view) Select IPS > Platform > Logging, then select an existing policy or create a new one.

Field Reference

Interface Notifications Tab

Missed Packets Threshold
    The percent of missed packets that has to occur before you want to receive notification. The
    default is 0, and the range is 0 to 100.

Notification Interval
    The length of time, in seconds, that you want to check for the percentage of missed packets.
    The default is 30, and the range is 5 to 3600.

Interface Idle Threshold
    The length of time, in seconds, that you will allow an interface to be idle and not receiving
    packets before you want to be notified. The default is 30, and the range is 5 to 3600.

Analysis Engine Tab

Maximum Open IP Log Files
    The maximum number of open IP log files that you want to allow on the sensor. The default is
    20, and the range is 20 to 100.


Summary
 Sensors are network devices that perform real-time monitoring of network traffic for suspicious
activities and active network attacks. The IPS sensor analyses network packets and flows to
determine whether their contents appear to indicate an attack against your network.
 They do this by looking for anomalies and misuse on the basis of network flow validation, an
extensive embedded signature library, and anomaly detection engines. However, these
platforms differ in how they can respond to perceived intrusions.
 The sensor can operate in either promiscuous or inline mode. The following illustration shows
how you can deploy a combination of sensors operating in both inline (IPS) and promiscuous
(IDS) modes to protect your network.
 When responding to attacks, the sensor can do the following:
o Insert TCP resets via the sensing interface.
o You should select the TCP reset action only on signatures associated with a TCP-
based service. If selected as an action on non-TCP-based services, no action is taken.
Additionally, TCP resets are not guaranteed to tear down an offending session
because of limitations in the TCP protocol.
o Make ACL changes on switches, routers, and firewalls that the sensor manages. ACLs
may block only future traffic, not current traffic.
o Generate IP session logs, session replay, and trigger packets display.
o IP session logs are used to gather information about unauthorized use. IP log files
are written when events occur that you have configured the appliance to look for.
o Implement multiple packet drop actions to stop worms and viruses.
 You should always position the IPS sensor behind a perimeter-filtering device, such as a firewall
or adaptive security appliance. The perimeter device filters traffic to match your security policy,
thus allowing acceptable traffic into your network. Correct placement significantly reduces the
number of alerts, which increases the amount of actionable data you can use to investigate
security violations.
 Tuning the IPS ensures that the alerts you see reflect true actionable information. Without
tuning the IPS, it is difficult to do security research or forensics on your network because you will
have thousands of benign events, also known as false positives.
 There are a wide variety of devices on which you can configure the Intrusion Prevention System.
From a configuration point of view, you can separate the devices into two groups: dedicated
appliances and service modules (for routers, switches, and ASA devices) that run the full IPS
software, and IPS-enabled routers.


Practical activities:

Activity 1:

List the various vulnerabilities in any organisation and various activities to check those
vulnerabilities.

Activity 2:

Conduct an audit of your surroundings, of things such as cleanliness, safety and security,
hygiene, etc. Share your report in class, detailing the approach and the various aspects of
auditing.

Check your understanding:


Q. The three main types of security diagnostics are?

a. ________________________________________

b. ________________________________________

c. ________________________________________

Q. What is the full form of ACL in information security terms?

__________________________________________

Q. What is the purpose of an ACL?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. What is the purpose of an information security audit?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


State TRUE or FALSE

c. Previous security incidents are not important in a security audit, the auditors are only
concerned about what the situation is at the present time of the audit. ( )
d. Information Security Audit is carried out by an audit team which usually has a representative
from the team which has been involved in the development of the IT configuration to be
audited. ( )
e. A key purpose of the Audit team is to correct and modify practices followed in the
organisation while conducting the audit so as to make the system less vulnerable. ( )
f. AAR is another term used for the audit, it stands for After Attack Responsibility. ( )
g. IS Auditing Standards developed by Information Systems Audit and Control Association
(ISACA) is already in circulation. ( )

Tick the right option

h. Information Security Audit is carried out as a (formal/informal) process by a
(certified/uncertified) auditing professional.
i. An IS audit is focused on current data in use (and is also/but is not) concerned with past data
stored in back up media, etc.
j. Passwords are (within/beyond) the purview of the audit.

NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


UNIT VII
Anti-virus and Antispam Software

This Unit covers:

 Lesson Plan
7.1 Antivirus Software
7.2 Antispam Software


LESSON PLAN

Performance Outcomes

PC1. identify the Anti-virus and Antispam Software you are required to install/configure and
source relevant instructions and guidelines
PC2. identify any issues with instructions and guidelines for installing/configuring Anti-virus
and Antispam Software and clarify these with appropriate people
PC3. liaise with stakeholders clearly and promptly regarding the installation/configuration of
Anti-virus and Antispam Software
PC4. install/configure Anti-virus and Antispam Software as per instructions and guidelines
PC5. test installed/configured Anti-virus and Antispam Software, following instructions and
guidelines
PC6. resolve problems with Anti-virus and Antispam Software, following instructions and
guidelines
PC7. obtain advice and guidance on installing/configuring Anti-virus and Antispam Software
from appropriate people, where required
PC8. record the installation/configuration of Anti-virus and Antispam Software promptly using
standard templates and tools
PC9. provide reports for troubleshooting, configurations and deployment using standard
templates and tools
PC10. comply with your organization's policies, standards, procedures, guidelines and service
level agreements (SLAs) when installing/configuring/troubleshooting Anti-virus and Antispam
Software

Ensuring Measures

The learners must demonstrate all PCs on given work tasks.

Work Environment / Lab Requirement

KA1 to KA13:
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with Wi-Fi (min 2 Mbps dedicated)
 Networking equipment: routers and switches
 Firewalls and access points
 Access to all security sites like ISO, PCI DSS
 Commercial tools like HP WebInspect and IBM AppScan, etc.
 Open source tools like sqlmap, Nessus, etc.
 Security templates from ITIL

You need to know and understand:

KA1. your organization's policies, procedures, standards, guidelines and client specific service
level agreements for installing, configuring Anti-virus and Antispam Software
KA2. limits of your role and responsibilities and who to seek guidance from where required
KA3. your organization's systems, procedures and tasks/checklists relevant to your work and
how to use these
KA4. the importance of following manufacturer's installation guides and procedures and how to
access and apply these to install Anti-virus and Antispam Software
KA5. who to involve when installing, configuring Anti-virus and Antispam Software
KA7. the importance of recording issues when installing/configuring Anti-virus and Antispam
Software and how to report these
KA8. standard tools and templates available and how to use these to record installation/
configuration
KB3. architecture concepts and design patterns and how these contribute to the security of
design and devices
KB4. common issues that may occur when installing or configuring Anti-virus and Antispam
Software and how to resolve these
KB5. methods of testing installed Anti-virus and Antispam Software

Ensuring Measures

KA1-KA3. QA session and a descriptive write-up on understanding.
KA4, KA7. Group presentation and peer evaluation along with faculty.
KA5. Presentation of best practices document by peer group to the faculty and loading the same
into different sites.
KA8. Presentation of the customized templates by peer groups and validation of them by faculty.
KB3-KB5. Installation and configuration of security tools in the lab environment by peer groups
and validation by the faculty.


Lesson

7.1 Antivirus Software


Antivirus software is a type of utility used for scanning and removing viruses from your computer.
While many types of antivirus (or "anti-virus") programs exist, their primary purpose is to protect
computers from viruses and remove any viruses that are found.

Most antivirus programs include both automatic and manual scanning capabilities.

The automatic scan may check files that are downloaded from the Internet, discs that are inserted
into the computer, and files that are created by software installers. The automatic scan may also
scan the entire hard drive on a regular basis.

The manual scan option allows you to scan individual files or your entire system whenever you feel it
is necessary.

Since new viruses are constantly being created by computer hackers, antivirus programs must keep
an updated database of virus types. This database includes a list of "virus definitions" that the
antivirus software references when scanning files. Since new viruses are frequently distributed, it is
important to keep your software's virus database up-to-date. Fortunately, most antivirus programs
automatically update the virus database on a regular basis.

While antivirus software is primarily designed to protect computers against viruses, many antivirus
programs now protect against other types of malware, such as spyware, adware, and rootkits as
well. Antivirus software may also be bundled with firewall features, which helps prevent
unauthorized access to your computer. Utilities that include both antivirus and firewall capabilities
are typically branded "Internet Security" software or something similar.

While antivirus programs are available for Windows, Macintosh, and Unix platforms, most antivirus
software is sold for Windows systems. This is because most viruses are targeted towards Windows
computers and therefore virus protection is especially important for Windows users. If you are a
Windows user, it is smart to have at least one antivirus program installed on your computer.
Examples of common antivirus programs include Norton Antivirus, Kaspersky Anti-Virus, and
ZoneAlarm Antivirus.

The most important thing to remember about virus protection is that no system is infallible. No
matter how good your anti-virus (AV) software is, and how stringent your security processes are,
there is still the chance that a completely new virus will enter your organization and disrupt
operations. Of course, completely isolating your systems from the Internet and removing them from
external e-mail will greatly minimize your exposure; however, in today's digital economy that is no
longer a practical option.

Protecting the Organization


In order to protect your electronic messaging system, it is necessary to understand the flow of
electronic messages within your organization and to provide protection at each point of
vulnerability.


Organizations now recognize the importance of providing dedicated virus protection for their e-mail
systems.

The thought was that any virus being carried by an e-mail would simply enter the network as an
attachment that could either be detected as it came through the Internet SMTP gateway or by the
end-user desktop AV scanner. However, over the past few years, e-mail systems have evolved
significantly from simple message distribution to providing collaborative stores, Web-based user
interfaces, and access from wireless devices.

Steps to be taken for Virus protection


Establish an organizational anti-virus policy

In order to properly select, configure, and maintain virus protection solutions, your organization
must clearly define what levels of protection and countermeasures it needs. This necessitates
specifying the types of data that will be permitted, what content should be filtered or barred, who is
responsible for each aspect of the implementation, how communications with end-users will take
place, and what actions to take in the event of virus outbreaks and hoax alerts.

Deploy a multi-tiered defense strategy


There are multiple points of entry for infected messages to enter an organization; as a result, it is
important to provide virus protection to as many points as possible. This includes the electronic
messaging gateways, desktops, PDAs, wireless devices, and the e-mail server itself.

Figure 2: Multi-tiered virus protection system


Update your anti-virus definition files and engines regularly


While most organizations understand the importance of keeping their virus definition files up-to-
date, not everyone understands that it is equally important to ensure that the detection engine is
the most current version. Updates can typically be automated, but it is important to periodically
check the log files to ensure that the updates are executing properly.

Update your desktop anti-virus software regularly


Server-based e-mail virus protection is the most efficient way to provide protection within an
organization, but depending on the particulars of the organization's security policy, it is not always
able to provide protection for all types of messages (such as encrypted messages). As a result, it is
crucial that desktop anti-virus software be updated regularly to provide the protection that
server-based scanning may not be able to offer.

Always keep your operating system, Web browser, e-mail, and application programs up-to-date.
Periodically review the security sections of your key software vendors and subscribe to any
applicable electronic newsletters to notify you of any new security vulnerabilities and fixes.

Back up your files on a regular basis


If a virus destroys your data, then you can restore it from your archives. E-mail backups and
restores can be a bit temperamental, so it is advisable to also have a standard procedure to verify
restores from backups periodically.

Subscribe to an e-mail alert service that issues warnings of new virus threats
Many different organizations provide this service, but the most important one will be your anti-virus
vendor. The reason is that due to differences in each AV vendor's capabilities, new viruses will be
rated differently and the action necessary will vary. For instance, one vendor may have already
provided generic virus detection in a past update that provides protection against a new virus and so
they would rate a particular virus as a low threat for their customers. However, other vendors who
may not be able to provide immediate protection would rate the same virus alert as a "high" risk.

Provide anti-virus overview training to all employees


Most virus outbreaks within organizations could be greatly minimized if the general staff were aware
of e-mail virus vulnerabilities, preventative measures and recommended actions should they
encounter a suspected virus.

Protecting E-mail Users


With the closer integration of e-mail and office suite applications, it is no longer sufficient to view
anti-virus vulnerabilities solely from the perspective of the e-mail client application. Instead, one
must also adequately protect the whole PC that the user is using - whether they are using a local
copy of an e-mail application or a remotely-hosted thin client e-mail front-end.

The following is a list of recommended steps that organizations can take to protect end users.

Disable the e-mail program preview pane feature


Some e-mail programs, such as Microsoft Outlook and Microsoft Outlook Express, have a feature
that allows users to view a message without opening it in a separate window; however, some viruses
can still execute by simply being viewed because the preview pane has the ability to process
embedded scripts.

Figure 3: Changing Outlook Express Preview pane settings from the View, Layout menu

Figure 4: Changing Microsoft Outlook Preview Pane settings


Make the file NORMAL.DOT read-only


If you use Microsoft Word as your e-mail editor, then make NORMAL.DOT read-only at the operating
system level. You should also change the Microsoft Word settings to "Prompt to Save Normal
Template". Many viruses propagate themselves by changing the NORMAL.DOT file, but this measure
can provide at least some deterrent. The permissions can always be switched off again if and when
any intentional changes are required.

Use .RTF and .CSV instead of .DOC and .XLS


Use .RTF instead of .DOC formatted word-processing documents and .CSV instead of .XLS formatted
spreadsheets because these formats do not support the use of macros. However, even then, caution
should be exercised because if the file was first created as a .DOC, it could still contain macros. When
exchanging files with others, it is safest to use .RTF and .CSV formatted files, but this should not be
relied upon as a fail-safe means of exchanging information.

Remove Windows Scripting Host


If your organization does not use Windows Script Hosting (WSH), then you should consider removing
or disabling it. To do this in Windows 9x, go to 'Control Panel' and choose 'Add/Remove Programs'.
Click on the 'Windows Setup' tab and double click on 'Accessories'. Scroll down to 'Windows Script
Host' and uncheck it and choose 'OK'. It may be necessary to reboot the system. For additional
information, visit Microsoft's support Web site.

Use in-box rules to process suspicious e-mails


If your organization does not use e-mail server-based content filtering, then you can use your e-mail
inbox rules to automatically delete or move suspect messages into a dedicated folder.

Do not open any files attached to an e-mail from an unknown, suspicious or untrustworthy source

Ensure that the source of any e-mail attachments is a legitimate and reputable one. If you're
uncertain, don't download the file at all or download the file to a floppy and then scan it with your
own anti-virus software.

Don't pass along virus warnings from others unless you have verified that it is applicable to your
organization

Due to the large number of viruses and hoaxes, unnecessary time and e-mail traffic can be wasted
by people forwarding virus warnings that may not be legitimate. Before passing along warnings to
others, first check your virus protection vendor's Web site to determine if your systems are already
protected or if it is just a hoax.


Write-protect removable media before using them in other computers


If removable media is used to ferry e-mails between computers (such as from work to home), then
write-protecting the medium before using it in a suspect system can protect it from becoming
infected.

Protecting E-mail Servers


Some organizations believe that as long as they protect their e-mail gateways and internal desktop
computers, they do not need e-mail server-based anti-virus solutions. While this may have been true
a few years ago, with today's Web-based e-mail access, public folders, and mapped network drive
access to the stores, this stance is no longer prudent. Besides viruses entering the e-mail system
from the Internet SMTP gateway, infected files can be transferred through an organization's remote
Web-based interface, network-connected user devices such as PDAs, disk drives on computers
without up-to-date virus protection, or copies from un-scanned archives. Once an infected item gets
into the e-mail stores, then only an e-mail server-based solution will be able to detect and remove
the infected item.

The following is a list of recommendations that organizations should follow to secure their e-mail
servers.

Block common infecting attachments


Many e-mail transported infectors (a.k.a. mass-mailers) use executable files that are commonly
found on most computers, such as EXE, VBS, and SHS. Most e-mail users do not need to receive
attachments with these file extensions, so these can be blocked as they enter the e-mail server or
gateway.
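The gateway-side check described here, and the .RTF/.CSV preference from "Protecting E-mail Users", as an added example that is not part of the handbook: the blocklist, the macro-free list and the sample message are constructed, and Python's standard email library does the parsing.

```python
# Gateway-side attachment blocking: reject mail carrying the executable attachment types
# (EXE, VBS, SHS) that ordinary users never need to receive. Added example; the blocklist
# and the sample message below are constructed for illustration.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
import posixpath

# Only the final suffix matters: "Invoice.pdf.EXE" is an executable whatever the earlier
# part of the name suggests, and the comparison is case-insensitive.
BLOCKED_EXTENSIONS = frozenset({".exe", ".vbs", ".shs"})
# Formats the handbook recommends because they cannot carry macros.
MACRO_FREE = frozenset({".rtf", ".csv"})

def attachment_names(raw: bytes) -> list:
    """Declared file names of every attachment in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            # Drop any directory component so only the file name itself is judged.
            names.append(posixpath.basename(name))
    return names

def classify_attachment(name: str) -> str:
    """'block' for a blocked executable type, 'macro-free' for .RTF/.CSV, else 'review'."""
    ext = posixpath.splitext(name)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext in MACRO_FREE:
        return "macro-free"
    return "review"

def gateway_decision(raw: bytes) -> dict:
    """Reject the whole message if any attachment is of a blocked type, otherwise deliver it.
    The per-attachment verdicts are returned so the gateway can log what it saw."""
    verdicts = {name: classify_attachment(name) for name in attachment_names(raw)}
    action = "reject" if "block" in verdicts.values() else "deliver"
    return {"action": action, "attachments": verdicts}

def build_sample_message() -> bytes:
    """Constructed sample: a macro-free document, a disguised executable and a script."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Documents"
    msg.set_content("See attached.")
    msg.add_attachment(b"{\\rtf1 hello}", maintype="application", subtype="rtf",
                       filename="notes.rtf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Invoice.pdf.EXE")
    msg.add_attachment("WScript.Echo 1", subtype="plain", filename="script.vbs")
    return msg.as_bytes(policy=policy.SMTP)

if __name__ == "__main__":
    print(gateway_decision(build_sample_message()))
```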

Schedule complete on-demand scans whenever you update your virus definition files

Even if you keep all of your virus protection up-to-date, it is possible for a new virus to enter your
organization before it has been properly identified and a new definition file created for it by your AV
vendor. By scanning all of your data with the latest definitions, you can then ensure that there are
no undetected infected files in your archives.

Use heuristic scanning


Most new viruses are simply variants of previously known viruses; however, providing separate
detection code for every conceivable variation would be impractical. As an alternative, heuristic
scanning looks for known virus characteristics. While this does provide a higher level of protection, it
requires more processing time to scan items and may occasionally lead to false-positive
identifications. So long as your servers are properly configured, the performance overhead will be
worth the additional protection that heuristic scanning can provide.


Use virus outbreak response features in your AV products


Mass-mailer viruses can spread very quickly throughout an organization. They can also be very
troublesome for administrators to eradicate while waiting for the appropriate detection driver to be
obtained from an AV vendor. Some virus protection products provide features that can configure
your system to automatically notify you or take corrective actions if certain virus outbreak
characteristics manifest themselves. For instance, you may configure your system to send a cell
phone warning if there are more than 50 similar messages received in a short period of time,
automatically check the vendor's download site for the latest virus definition files, and then
temporarily disable the e-mail gateway until an administrator can respond if the activity continues.
This sort of outbreak response policy should be included in the organization's anti-virus policy so
that there is a plan of action in place before an outbreak happens.
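The outbreak response logic described here, as an added example rather than any vendor's product code: a sliding-window count of similar messages that notifies and fetches definitions when the threshold is crossed, then holds the gateway if the flood continues. The threshold, window, escalation delay and the message stream are constructed.

```python
# Outbreak detection: alert when more than N similar messages arrive within a short
# window, and escalate if the flood continues. Added example with constructed values.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional
import hashlib
import re

@dataclass(frozen=True)
class MessageEvent:
    received_at: float                  # seconds since the epoch
    sender: str
    subject: str
    attachment_sha256: Optional[str] = None

_REPLY_PREFIX = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)+", re.IGNORECASE)

def similarity_key(ev: MessageEvent) -> str:
    """Mass-mailers rotate senders but reuse subject and payload, so group on a
    normalised subject plus the attachment hash, never on the sender."""
    subject = _REPLY_PREFIX.sub("", ev.subject).lower()
    subject = re.sub(r"\s+", " ", subject).strip()
    return hashlib.sha256(f"{subject}|{ev.attachment_sha256 or ''}".encode()).hexdigest()

class OutbreakMonitor:
    def __init__(self, threshold: int = 50, window_seconds: float = 300.0,
                 escalate_after: float = 600.0):
        self.threshold = threshold            # "more than 50 similar messages"
        self.window = window_seconds          # "in a short period of time"
        self.escalate_after = escalate_after  # how long the flood may continue unattended
        self._recent = defaultdict(deque)     # key -> arrival times inside the window
        self._alerted_at = {}                 # key -> time the first alert fired
        self.gateway_disabled = False

    def observe(self, ev: MessageEvent) -> list:
        """Record one arrival and return the response actions it triggers, if any."""
        key = similarity_key(ev)
        times = self._recent[key]
        times.append(ev.received_at)
        while times and times[0] < ev.received_at - self.window:
            times.popleft()
        if len(times) <= self.threshold:
            return []
        first_alert = self._alerted_at.get(key)
        if first_alert is None:
            self._alerted_at[key] = ev.received_at
            return ["notify_administrator", "check_vendor_for_definitions"]
        if not self.gateway_disabled and ev.received_at - first_alert >= self.escalate_after:
            self.gateway_disabled = True
            return ["disable_email_gateway"]
        return []

def simulate_flood(count: int = 400, spacing: float = 2.0) -> dict:
    """Constructed stream: `count` copies of one mass-mailer message, one every `spacing`
    seconds from rotating senders, with a benign message interleaved after each.
    Returns {message index: actions} for every arrival that triggered something."""
    monitor = OutbreakMonitor()
    payload = hashlib.sha256(b"constructed worm attachment").hexdigest()
    fired = {}
    for i in range(count):
        t = 1_700_000_000 + i * spacing
        worm = MessageEvent(t, f"user{i % 7}@example.test",
                            "RE:  Your Document" if i % 2 else "Re: Your document", payload)
        benign = MessageEvent(t + 1.0, "colleague@example.test", f"Minutes {i}", None)
        actions = monitor.observe(worm) + monitor.observe(benign)
        if actions:
            fired[i] = actions
    return fired

if __name__ == "__main__":
    print(simulate_flood())
```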

Archive important data for at least one month


Not all viruses manifest themselves right away; depending upon where a virus is located and how
your system is configured, it may take some time for the virus to be discovered. The further back
that you can go in your archives, the greater the likelihood that you will be able to successfully
restore an infected item if it cannot automatically be cleaned by your AV solution.

General principles of antivirus configuration

 Antivirus software has options, some of which may not be enabled by default. It is
recommended to enable them all.

 Enable heuristics options if they're user-configurable (if several levels are offered, use
Maximum)

 Enable scanning within compressed files and archives wherever the option exists

 Choose to scan all file types wherever this option exists

 Allow no exemptions from scanning, wherever the option exists

 If possible, remove the error-prone human element, by having infected stuff auto-quarantined
or auto-deleted upon detection. Shoot first, ask questions later.

 Configure the virus-definition updates to run daily or more often, if the schedule is under your
control

 Set up a daily scan of all hard-drive data, to catch stuff that slipped in before the antivirus
software recognized it as a threat.

 Never assume that your antivirus software is infallible.


7.2 Antispam Software

Email Spam is the electronic version of junk mail. It involves sending unwanted messages,
often unsolicited advertising, to a large number of recipients. Spam is a serious security
concern as it can be used to deliver Trojan horses, viruses, worms, spyware, and targeted
phishing attacks.

How Do You Know


Messages that do not include your email address in the TO: or CC: fields are a common form of spam.
Some spam contains offensive language or links to Web sites with inappropriate content.

What to Do
 Install Spam filtering/blocking software
 If you suspect an email is Spam, do not respond, just delete it
 Consider disabling the email’s preview pane and reading emails in plain text
 Reject all Instant Messages from persons who are not on your Buddy list
 Do not click on URL links within IM unless from a known source and expected
 Keep software and security patches up to date

About Spam Filters


Your message security service detects spam by applying hundreds of rules to each message that
passes through the data centre. It can block obvious spam immediately, then divert more borderline
spam to a Quarantine for later evaluation. From there, you or your users can review the Quarantine
for any legitimate messages that were falsely quarantined and need to be forwarded to the user’s
Inbox. Otherwise, spam is deleted automatically.

When your service is activated, all types of spam are typically filtered at a uniform level of
aggressiveness. One group of users, however, might have its own idea about what constitutes spam,
or how aggressively to filter it. A travel agency might have a zero-tolerance policy for adult content,
for example, but want to receive special offers, such as “trips to Hawaii.” Another group might want
to change its spam disposition, by changing how its spam is quarantined, or not quarantining it at all.

Filtering aggressiveness affects how the protection service handles messages that may or may not be
spam. More aggressive spam filter levels will quarantine messages that are borderline cases. This will
cause more spam to be caught, but may increase false positives. More lenient spam filters will allow
borderline messages through, which reduces false positives but potentially lets more spam through.

For each of your organisations, you can adjust the overall aggressiveness of filtering, filter specific
categories of spam more aggressively, and choose a spam disposition. Some of these settings are
made at the organisation level, and some for a Default User. You can also adjust individual user’s
filtering, or allow users to do this themselves at the Message Centre.


Where Spam Filtering Is Managed


You manage spam filtering at the following locations:

Organisation level Enable Blatant Spam Blocking for users in the organisation, and choose
a spam disposition—the method of disposing of filtered spam, for example, by changing how
it’s quarantined, or by not quarantining it at all. Configure Null Sender Disposition to dispose
of messages that do not contain an SMTP-envelope sender address.

If your service is provisioned with Outbound Services, then you also have the option to turn on Null
Sender Header Tag Validation.

Default User Define user-level spam settings that will apply to new users added to the
organisation. This includes enabling spam filtering in the first place, adjusting how
aggressively to filter spam, and filtering specific spam categories even more aggressively.
Making these settings for a Default User is how you apply a single filtering policy across an
organisation.
Specific User You can modify user-level spam settings for an individual user, as well. But this
isn’t recommended if you want to maintain spam filtering policies across an organisation.
Message Centre You can optionally allow users to modify their own filter levels by granting
them appropriate User Access permissions to the Message Centre.

Types of Spam Filters


When spam filtering is enabled for a user, the user’s messages are processed through the following
filters:

 If Blatant Spam Blocking is enabled for the user’s organisation, the user’s most obvious spam is
bounced or blackholed (deleted), before it reaches your email servers. This eliminates more than
half of users’ spam, so neither you nor they ever have to deal with it.

 Each user (and Default User) has a Bulk Email filter that sets a base level of aggressiveness for
filtering the remaining spam, which is typically sent to a separate Quarantine for review.

 Each user (and Default User) can also optionally adjust four additional Category filters to filter
spam containing particular content even more aggressively (sexually explicit content, special
commercial offers, racially insensitive material, or get-rich-quick schemes).

 Null Sender Disposition lets you choose how to dispose of messages that do not include an
SMTP-envelope sender address. These types of messages are usually Non-Delivery Reports
(NDRs). When the system receives an inbound message, it checks for the SMTP-envelope sender
address. If there is no sender address, the message is disposed of according to the Null Sender
Disposition settings.

 Null Sender Header Tag Validation is the process by which the system examines each inbound
message for the presence of an SMTP-envelope sender address and for the message security
service’s digital signature. If your message security service has been provisioned with Outbound
Services and you have them configured for your mail server, then the system tags the Received
field on outbound messages with a digital signature. When this filter is on and the system
receives an inbound message, it checks for the SMTP-envelope sender address and for the digital
signature. If there is no sender address and the message doesn't have the system signature,
then the message is disposed of according to the Null Sender Disposition settings. If the system
signature is present, then the message bypasses this filter, and is evaluated by the others.
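Null Sender Disposition with Header Tag Validation, modelled on the description above as an added example (not the message security service's code). The tag format, the signing key, the tag lifetime and the sample messages are all constructed; the idea shown is that a bounce can prove it refers to mail we actually sent because only our outbound path could have produced the tag.

```python
# Null Sender Disposition: messages with no SMTP-envelope sender (usually NDRs) are
# disposed of unless they carry a verifiable tag that our own outbound service wrote.
# Added example; tag scheme, key, lifetime and samples are constructed.
import hashlib
import hmac
import time

SERVICE_KEY = b"constructed-outbound-signing-key"   # placeholder for the service's secret
TAG_PREFIX = "x-svc-sig="
TAG_LIFETIME = 7 * 86400   # a genuine bounce arrives within days of the original

def outbound_tag(sent_at: float) -> str:
    """Tag written into the Received field of mail relayed outbound: the send time plus
    an HMAC over it, so the inbound check needs no database of sent messages."""
    stamp = str(int(sent_at))
    mac = hmac.new(SERVICE_KEY, stamp.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{TAG_PREFIX}{stamp}.{mac}"

def tag_is_valid(tag: str, now: float) -> bool:
    """Recompute the HMAC over the embedded timestamp; reject stale or forged tags."""
    if not tag.startswith(TAG_PREFIX):
        return False
    stamp, _, mac = tag[len(TAG_PREFIX):].partition(".")
    if not stamp.isdigit() or not 0 <= now - int(stamp) <= TAG_LIFETIME:
        return False
    expected = hmac.new(SERVICE_KEY, stamp.encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(mac, expected)

def null_sender_disposition(envelope_sender, received_headers, disposition="quarantine",
                            tag_validation=True, now=None):
    """Action for one inbound message; 'pass' hands it on to the other filters."""
    if envelope_sender:
        return "pass"   # has an SMTP-envelope sender, so this filter does not apply
    now = time.time() if now is None else now
    if tag_validation and any(tag_is_valid(tok, now)
                              for header in received_headers for tok in header.split()):
        return "pass"   # a bounce of mail we really sent bypasses this filter
    return disposition

def demo() -> dict:
    """Constructed cases: normal mail, a forged NDR, a genuine bounce, a stale tag."""
    now = 1_700_000_000
    relay = "from mx.example.test by relay.example.test "
    genuine = [relay + outbound_tag(now - 3600)]
    stale = [relay + outbound_tag(now - 30 * 86400)]
    forged = [relay + TAG_PREFIX + str(now) + ".00"]
    return {
        "normal_mail": null_sender_disposition("alice@example.test", [], now=now),
        "forged_ndr": null_sender_disposition(None, forged, now=now),
        "genuine_bounce": null_sender_disposition(None, genuine, now=now),
        "stale_bounce": null_sender_disposition(None, stale, now=now),
        "validation_off": null_sender_disposition(None, genuine, tag_validation=False, now=now),
    }

if __name__ == "__main__":
    print(demo())
```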

When Spam Filters Apply

Spam category filters are applied after all other filtering, including Content Manager filters, and any
applicable Approved Senders list (the user’s own list, or one defined for the organisation). Blatant
Spam Blocking occurs before most filters, but doesn’t block messages from approved senders. That
means:

 Approved senders bypass Spam Filters, even if their messages contain spam-like content.

 Messages with approved content bypass the category filters, but the content is still blocked if it
occurs in obvious spam detected by Blatant Spam Blocking.

 Messages marked as advertisements are blocked. If the Subject line of a message contains the
prefix “ADV:” (for “advertisement”), the message is considered spam, regardless of approved
content.

 Virus Blocking overrides Spam Filters. Virus Blocking scans all messages that either pass through
the spam filter, are allowed to bypass spam filtering or are quarantined as spam. For example, if a
message is quarantined as junk, but also determined to be infected with a virus, the message will
be processed according to the virus filter disposition.

How Spam Is Identified


As a message passes through the spam filters, the message security service applies hundreds of rules
to the message envelope, header, and content, all in a matter of milliseconds. Each rule describes
some attribute typical of spam, and has a numerical value based on the likelihood that the attribute
indicates spam. An equation is then formulated based on the weighted significance and combination
of all rules triggered, and the resulting value is the message’s spam score. This score is measured
against the sensitivity threshold set by the user’s spam filters, and a decision is made: spam or valid
email.

Specifically, a Bulk Email filter sets a base level for filtering all types of spam, and individual category
filters can be adjusted to filter a specific category of spam even more aggressively. The Bulk Email
filter and category filters work independently of each other, but parameters from all filters
collectively provide the final spam score, which can categorize the message as spam. A category
filter thus multiplies the Bulk Email level and increases the number of messages that get identified as
spam.


You can see a message’s spam score, whether or not it’s tagged as spam, by looking at the message
header.

Why Catch Rates Might Vary


Developing an effective technology for filtering spam is an ongoing effort since spammers are always
evolving tactics to avoid detection. To combat new and ever-changing threats, the message security
service continually calibrates its detection and filtering mechanisms, always striking a balance
between catching the most spam while lowering the rate of falsely quarantined messages.

As we make adjustments, you might notice slight variances in catch rates for certain spam
categories. Or you might see an increase in falsely quarantined messages. If this happens, you might
want to increase or decrease your own spam filter levels accordingly: Increase sensitivity to catch
more spam, or decrease levels to prevent false quarantines.

When to Use Content Manager Along with Blatant Spam Blocking


If you experience messages with undesirable content like profanity not being caught by your spam
filters, you can add Content Manager filters to catch those messages.

If the objectionable content is limited to a few words and the other content does not score as spam,
then the message would not trigger the spam filters. To stop these types of messages, you can
create content filters that look for exactly the offending language you wish to prohibit.

Configure Spam Settings for an Organization


You configure Blatant Spam Blocking (BSB), which deletes the most obvious spam, and Spam
Disposition, which determines how spam messages are managed for a user organisation.

You will enable spam filtering and set filter levels for the default user (the template user for an
organisation).

Configure Blatant Spam Blocking


Blatant Spam Blocking (BSB) is an organisation level setting on the Spam Filters page that detects
and deletes the most obvious spam before it reaches your email server. This feature identifies more
than half of all spam. Messages are either bounced or black holed (deleted) without reaching the
intended recipient or any Quarantine.

Specifically, BSB calculates the message’s spam score. If the score is below 0.00001 (a perfectly valid
message has a score of 100), the message is overwhelmingly deemed spam, and blocked.

Blatant Spam Blocking applies to all users in an organisation, but works only for users whose Filter
Status is On.

The Reports page has statistics regarding how many messages are caught by Blatant Spam Blocking.
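The filter ordering in “When Spam Filters Apply”, the weighted scoring in “How Spam Is Identified” and the Blatant Spam Blocking threshold above, worked through as an added Python simulation (not code from the message security service). The rule table, the weights, the sensitivity scale and the way rule weights combine into a score are assumptions made for this example; only the order of the checks, the score scale (100 = valid, BSB fires below 0.00001) and the “ADV:” rule come from the text.

```python
"""Constructed simulation of the spam-filter pipeline described in this section."""
import math
from dataclasses import dataclass, field
from typing import Optional

BSB_THRESHOLD = 0.00001  # from the text: scores below this are blatant spam

# Constructed rule table: rule name -> (spam category, evidence weight). Assumed values.
RULES = {
    "html_only_body": ("bulk", 0.5),
    "many_recipients": ("bulk", 1.2),
    "obfuscated_urls": ("bulk", 2.5),
    "sender_ip_on_blocklist": ("bulk", 8.0),
    "pharma_keywords": ("commercial", 3.0),
    "lottery_keywords": ("get_rich_quick", 4.0),
}


@dataclass
class Message:
    envelope_sender: Optional[str]      # None models an SMTP null sender (NDRs etc.)
    subject: str
    triggered_rules: list               # names from RULES that matched this message
    has_system_signature: bool = False  # Outbound Services tag found on a returned NDR
    has_virus: bool = False


@dataclass
class OrgSettings:
    bsb: str = "Blackhole"                    # "BSB Off", "Bounce" or "Blackhole"
    null_sender_disposition: str = "Blackhole"
    spam_disposition: str = "User Quarantine"  # or "Quarantine Redirect", "Message Header Tagging"
    bulk_level: float = 1.0                   # Bulk Email filter level (assumed scale)
    category_levels: dict = field(default_factory=dict)  # per-category multipliers (assumed)
    approved_senders: set = field(default_factory=set)
    spam_threshold: float = 50.0              # score below this counts as spam (assumed)


def spam_score(msg: Message, cfg: OrgSettings) -> float:
    """Combine the weights of every triggered rule into one 0..100 score.

    Assumed combination: evidence adds up, each category filter multiplies the
    Bulk Email level for its own category's rules, and score = 100 * exp(-evidence),
    so no rules gives 100 (perfectly valid) and heavy evidence approaches zero.
    """
    evidence = 0.0
    for name in msg.triggered_rules:
        category, weight = RULES[name]
        evidence += weight * cfg.bulk_level * cfg.category_levels.get(category, 1.0)
    return 100.0 * math.exp(-evidence)


def filter_message(msg: Message, cfg: OrgSettings):
    """Return (disposition, score), applying the checks in the order the section gives."""
    score = spam_score(msg, cfg)
    # 1. Null Sender Header Tag Validation runs at the very beginning of filtering.
    if msg.envelope_sender is None and not msg.has_system_signature:
        return (f"NullSender:{cfg.null_sender_disposition}", score)
    approved = msg.envelope_sender in cfg.approved_senders
    # 2. Blatant Spam Blocking fires before most filters, but never for approved senders.
    if cfg.bsb != "BSB Off" and not approved and score < BSB_THRESHOLD:
        return (f"BSB:{cfg.bsb}", score)
    # 3. Everything that gets this far is scanned by Virus Blocking, which overrides spam handling.
    if msg.has_virus:
        return ("VirusBlocking", score)
    # 4. Approved senders bypass the spam filters even with spam-like content.
    if approved:
        return ("Deliver", score)
    # 5. "ADV:" in the Subject is spam regardless of content; otherwise compare with the threshold.
    is_spam = msg.subject.startswith("ADV:") or score < cfg.spam_threshold
    if not is_spam:
        return ("Deliver", score)
    # 6. Apply the organisation's Spam Disposition.
    if cfg.spam_disposition == "Message Header Tagging":
        return ("DeliverTagged", score)  # delivered intact, score written in the header
    return (cfg.spam_disposition, score)
```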


To configure Blatant Spam Blocking:


1. Go to the Organisation Management page for the relevant organisation.

2. Under Inbound Services, click Spam Filtering.

3. Under Blatant Spam Blocking, choose one of the following options.

 BSB Off: Disables this feature for the organisation.
 Bounce: Bounces obvious spam back to the sender with the error message “ERROR 571
Message refused.”
 Blackhole: Deletes obvious spam without sending a return error. From the sender's
perspective, the message has been accepted.

Note: Depending on your service package, Blatant Spam Blocking might always be set to a Blackhole
disposition.

Enable BSB without Additional Filtering


Sometimes you might want to enable only Blatant Spam Blocking for an organisation, without any
additional filtering.

1. Enable Blatant Spam Blocking for the organisation, with either the Bounce or Blackhole
Disposition.

2. Under Spam Disposition, select Message Header Tagging.

3. For the organisation’s Default User (and any existing users), make sure the Filter Status is On
(go to Spam Filters on the user’s Overview page).

All obvious spam will be eliminated without reaching the data centre or your server. Any remaining
spam detected by the filters is tagged with a spam score written in the header, and then delivered
to users.

Configure Null Sender Disposition


Null Sender Disposition is an organisation level setting on the Spam Filters page that lets you choose
how to dispose of messages that do not include an SMTP-envelope sender address.

To configure Null Sender Disposition:

Select one of the following options:

 Ignore: Let the message bypass this filter. Other filters still apply.
 User Quarantine: Send the message to the recipient’s quarantine.
 Blackhole: Delete the message.
 Bounce: Return the message to the sender.

You can enter text to serve as the bounce message. If you enter text, it must begin with 4 or 5,
followed by two digits, a space, and your text. This structure follows the format of SMTP reply codes.
For example: 554 Transaction failed.


If you leave this field blank, the following message is used:

571 Domain does not accept delivery report messages

Note: In order to deliver valid messages that do not include an SMTP-envelope sender address, like
voicemail or vacation responders, use Content Manager to create a custom filter.

Configure Null Sender Header Tag Validation


Note: These options are available only if you have been provisioned with Outbound Services. If you
configure Outbound Services for your mail server, then the system adds a digital signature to each of
your outbound messages.

Null Sender Header Tag Validation is the process by which the system examines NDRs (non-delivery
reports) for the presence of an SMTP-envelope sender address and for the message security service’s
digital signature.

While this filter is an aspect of spam filtering, it runs at the very beginning of the message filtering
process to immediately dispose of messages like invalid NDRs.

Whether or not you have configured Outbound Services for your mail server, we recommend that
you turn this filter on. When the filter is on and it catches a message, the system looks ahead to
Content Manager to see whether it is configured to let messages bypass the junk filters and allow
valid email that does not have an SMTP-envelope sender address. Under these circumstances, you
can let valid messages pass through to their recipients’ inboxes.

If this filter is off, then the system does not look ahead to Content Manager and you do not have the
option to let valid null-sender-address messages pass through to their recipients’ inboxes.

To configure Null Sender Header Tag Validation:

Use the following options to turn Null Sender Header Tag Validation on or off, and to set the length
of time during which the system can accept the digital signature:

 On/Off: Select On or Off to turn Null Sender Header Tag Validation on or off.

On: Any message that does not include an SMTP-envelope sender address, but does include the
message security service’s digital signature bypasses this filter. All other messages that do not
include an SMTP-envelope sender address are disposed of according to your Null Sender Disposition
settings, and according to how Content Manager is configured.

Off: Any message without an SMTP-envelope sender address is disposed of according to your Null
Sender Disposition settings.

 Validate reports up to ___ hours after message delivery: Enter the number of hours that the
digital signature is considered valid. After that number of hours, the signature expires, and
messages with an expired signature are treated the same as messages with no signature.
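Null Sender Header Tag Validation with its validity window in hours, together with the bounce-text format from “Configure Null Sender Disposition”, as an added Python model (not the service’s own code). The text does not say how the digital signature is built, so this example assumes an HMAC over the Message-ID and the send time carried in the Received tag and returned inside the NDR; the key, message IDs and timestamps are constructed.

```python
"""Constructed model of Null Sender Header Tag Validation and the bounce-text rule."""
import hashlib
import hmac
import re

SIGNING_KEY = b"constructed-outbound-services-key"  # placeholder, not a real key


def sign_outbound(message_id: str, sent_at: int, key: bytes = SIGNING_KEY) -> str:
    """Tag an outbound message: the value the system would write into the Received field."""
    mac = hmac.new(key, f"{message_id}|{sent_at}".encode(), hashlib.sha256).hexdigest()
    return f"{message_id}|{sent_at}|{mac}"


def signature_is_valid(tag, now: int, validate_hours: int, key: bytes = SIGNING_KEY) -> bool:
    """True only if the MAC verifies and the tag is no older than validate_hours."""
    try:
        message_id, sent_at, mac = tag.split("|")
        sent_at = int(sent_at)
    except (ValueError, AttributeError):
        return False  # missing, truncated or malformed tag counts as no signature
    expected = hmac.new(key, f"{message_id}|{sent_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    # After the configured number of hours the signature expires and the message is
    # treated like one with no signature at all.
    return 0 <= now - sent_at <= validate_hours * 3600


def dispose_null_sender(envelope_sender, returned_tag, now: int, cfg: dict) -> str:
    """Apply the On/Off setting and the Null Sender Disposition.

    cfg = {"validation_on": bool, "validate_hours": int, "disposition": str}
    """
    if envelope_sender is not None:
        return "continue"  # the filter only concerns messages with no envelope sender
    if cfg["validation_on"] and signature_is_valid(returned_tag, now, cfg["validate_hours"]):
        return "bypass"    # our own signed NDR: skip this filter, other filters still apply
    if cfg["disposition"] == "Ignore":
        return "bypass"
    return cfg["disposition"]  # "User Quarantine", "Blackhole" or "Bounce"


# Bounce text must begin with 4 or 5, two more digits, a space, then the text (SMTP reply format).
BOUNCE_TEXT = re.compile(r"^[45]\d{2} \S.*$")
DEFAULT_BOUNCE_TEXT = "571 Domain does not accept delivery report messages"


def bounce_text(custom: str) -> str:
    """Return the bounce message: the custom text if well-formed, the default if left blank."""
    if not custom:
        return DEFAULT_BOUNCE_TEXT
    if not BOUNCE_TEXT.match(custom):
        raise ValueError("bounce text must be a 4xx/5xx code, a space, then text")
    return custom
```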

Configure Spam Disposition for an Organization


To determine what to do with filtered spam, you select a spam disposition. Do this at the
organisation level, which sets the disposition for all users in that organisation.


To configure Spam Disposition:

1. Go to the Organisation Management page for the organisation.

2. Under Inbound Services, click Spam Filtering.

3. Choose the Spam Disposition:

 User Quarantine: Filtered spam for each user in the organisation is sent to a separate User
Quarantine. Administrators can manage this Quarantine from the user’s Overview page.

If Quarantine Summary is also enabled for the organisation (under Notifications), each user receives
a periodic summary of recently quarantined messages. If User Access is enabled for the organisation,
as well, users can manage their own quarantined messages in the Message Centre.

 Quarantine Redirect: Delivers all users’ filtered spam to a single administrator’s Quarantine—
the one associated with the address entered here. Enter the primary address (not an alias) of a
user who has been added to the message security service, has administrative privileges for this
organisation, and is located under the same email config as this organisation.

Select this option if you don’t want to sort quarantined spam by user, and if you don’t want users to
manage their own spam. The administrator must review and deliver all users’ legitimate messages
from the shared Quarantine—either from the administrator’s User Quarantine in the Administration
Console or from the administrator’s Message Centre. (The Administration Console can display 5,000
messages at once, Message Centre can display an unlimited number of messages, and Message
Centre Classic can display 500 messages.)

If Quarantine Summary is enabled for the organisation (under Notifications), this administrator
receives a periodic summary of recently quarantined messages for the entire organisation. If you
choose this disposition, make sure to disable User Access permissions to the Message Centre for all
users in the organisation.

WARNING: The administrator’s Quarantine should be checked regularly to forward any legitimate
messages that were accidentally quarantined.

 Message Header Tagging: Sends filtered spam for this organisation to your email server with a
spam score written in the header. The message can then be processed at a dedicated location on
your server or on each user's email client. No spam messages are filtered. For this disposition to
be effective, you must set up rules on the receiving email server for processing spam based on
its spam score.

WARNING: With this disposition, all spam for users in this organisation is delivered to your email
server intact, along with “good” traffic. This is an advanced setting for administrators who want to
create their own rules for filtering spam, or who don’t want to filter spam beyond what is caught by
Blatant Spam Blocking. This setting is not otherwise recommended.


Summary
 An information security audit is one of the best ways to determine the security of an
organization's information without incurring the cost and other associated damages of a security
incident.
 Information systems audit is a large, broad term that encompasses demarcation of
responsibilities, server and equipment management, problem and incident management,
network division, safety, security and privacy assurance etc.
 Information security audit is only focused on security of data and information (electronic and
print) when it is in the process of storage and transmission. Both audits have many overlapping
areas.
 Security audits are a formal process, carried out by certified auditing professionals to measure
an information system's performance against a list of criteria.
 A vulnerability assessment, on the other hand, involves a comprehensive study of an entire
information system, seeking potential security weaknesses, usually carried out by industry
experts who may or may not be certified.
 A good security audit is likely to include the following:
o Clearly defined objectives
o Coverage is comprehensive and cross-cutting
o Audit team is experienced, independent and objective with verifiable credentials
o There is unrestricted right to obtain and view information.
o Important IS audit meetings such as the opening and the closing meetings as well as the
interviews should be conducted as a team.
o No member of the team should have participated directly in supporting or managing the
areas to be audited
o It should be ensured that actual operations in the organisation are not significantly
disrupted by the audit.
o The auditors never actively intervene in systems or provide change advice.
o Management should support the audit.
o Appropriate communication and appointment of central point of contact and other
support for the auditors.
o The execution is planned and carried out in a phase wise manner
 Constraints of a security audit
o Time constraints
o Third party access constraints
o Business operations continuity constraints
o Scope of audit engagement
o Technology tools constraints


Practical activities:

Activity 1:

List the various kinds of IPS products in the market and the various vendors for the same.
Compare the features, benefits and limitations of various kind of IPS products offered. Share
with your fellow students.

Activity 2:

Configure an IDS product, or first job-shadow someone who installs an IPS. List the steps
involved, then configure it on your own.


UNIT VIII
Web Application Security Configuration

This Unit covers:

 Lesson Plan
8.1 Web Application Security Overview
8.2 Configuring Cisco Web Application Security Module
8.3 Configuring ModSecurity


LESSON PLAN

Performance Outcomes

PC1. identify the information security devices (Web Application Security) you are required to
install/configure and source relevant instructions and guidelines
PC2. identify any issues with instructions and guidelines for installing/configuring information
security devices (Web Application Security) and clarify these with appropriate people
PC3. liaise with stakeholders clearly and promptly regarding the installation/configuration of
information security devices (Web Application Security)
PC4. install/configure information security devices (Web Application Security) as per instructions
and guidelines
PC5. test installed/configured information security devices (Web Application Security), following
instructions and guidelines
PC6. resolve problems of information security devices (Web Application Security), following
instructions and guidelines
PC7. obtain advice and guidance on installing/configuring information security devices (Web
Application Security) from appropriate people, where required
PC8. record the installation/configuration of information security devices (Web Application
Security) promptly using standard templates and tools
PC10. comply with your organization’s policies, standards, procedures, guidelines and service level
agreements (SLAs) when installing/configuring/testing information security devices (Web
Application Security)

You need to know and understand:

KA1. your organization’s policies, procedures, standards, guidelines and client specific service level
agreements for installing, configuring information security devices (Web Application Security)
KA2. limits of your role and responsibilities and who to seek guidance from where required
KA3. your organization’s systems, procedures and tasks/checklists relevant to your work and how to
use these
KA4. the importance of following manufacturer’s installation guides and procedures and how to
access and apply these to install information security devices (Web Application Security)
KA5. who to involve when installing, configuring information security devices (Web Application
Security)
KA7. the importance of recording issues when installing/configuring information security devices
(Web Application Security) and how to report these
KA8. standard tools and templates available and how to use these to record installation/
configuration
KB3. architecture concepts and design patterns and how these contribute to the security of design
and devices
KB4. common issues that may occur when installing or configuring information security devices
(Web Application Security) and how to resolve these
KB5. methods of testing installed information security devices (Web Application Security)

Ensuring Measures

The learners must demonstrate all PCs on given work tasks.
KA1-KA3: QA session and a descriptive write-up on understanding.
KA4, KA7: Group presentation and peer evaluation along with faculty.
KA5: Presentation of best practices document by peer group to the faculty and loading the same
into different sites.
KA8: Presentation of the customized templates by peer groups and validation of them by faculty.
KB3-KB5: Installation and configuration of security tools in the lab environment by peer groups
and validation by the faculty.

Work Environment / Lab Requirement

KA1 to KA13:
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with Wi-Fi (Min 2 Mbps Dedicated)
Networking Equipment - Routers & Switches
Firewalls and Access Points
Access to all security sites like ISO, PCI DSS
Commercial Tools like HP Web Inspect and IBM AppScan etc.
Open Source tools like sqlmap, Nessus etc.
Security Templates from ITIL


Lesson

8.1 Web Application Security Overview


The web application security feature enables the application appliance to act as an application
firewall and provide web application security and intrusion protection.

Web application security is highly configurable, and can protect against the following kinds
of application attacks:

• identity theft

• SQL, OS, and LDAP command injection

• cross site scripting

• meta character and format string attacks

• buffer overflow

• form exploitation

• URL redirects and directory traversal

• error message exploitation

• cookie exploitation

• noncompliant HTTP

• web server fingerprinting


8.2 Configuring Cisco Web Application Security Module

You configure web application security through the management console GUI by using the menu
commands under the Web Application Security folder that appears under the Cluster Configuration
item under a cluster name.

To configure web application security, follow these basic steps:

1. Use the Traffic Class Maps command to define traffic class maps to classify web application
traffic according to various parameters such as hostname, URL, cookie name and value, and so on. A
traffic map specifies a set of traffic to which you want to apply a security policy.

2. Define web application security feature maps that configure security features. To define feature
maps, select the individual features (URL Normalization, Cookie Protection, ID Theft Protection,
Request Limits, Error/Redirect Pages, Web Cloaking, URL Tagging, Input Validation Checks, HTTP
Protocol Conformance) under the Web Application Security folder.

3. Use the Policy Maps command to define policy maps that associate a traffic class with a set of
security functions. A policy map defines a series of actions (functions) that you want to apply to a set
of classified traffic.

4. Use the System Utilities Service Policy command to choose the active policy map.

5. Use the System Utilities Commit Config command to commit the configuration.

6. If you have a cluster of application appliance nodes, use the System Utilities Publish
Configuration command to publish the configuration to all nodes in the cluster.

Map Summary Interface


Most of the features in the Web Application Security module use the term "map" for a set of options
that configure the feature in a specific way. A map is named and stored, and then it can be viewed,
cloned, edited, or deleted. Every feature that uses maps presents a summary list of those that are
defined when you first click on the feature command name under the Web Application Security
module, as shown in Figure below. If there are no maps yet defined for the feature, then the
summary says "No Maps Configured."
This section describes how to interact with a map summary screen.


Figure 5: Map Summary Example

The example in Figure shows the map summary that is displayed when you click on the Request
Limits command. Every other map summary looks similar and contains similar controls. The
following paragraphs describe how to use the controls on a map summary page.
Each row in the summary lists one defined map. Using the controls on a summary row you can view,
clone, edit, or delete the map.
To view the definition of a map, click its underlined name at the left end of the row. The displayed
page shows a read-only listing of the map definition.
To copy a map to use as the basis of a new map, click the Clone button next to the map that you
want to clone. AVS displays a map editing screen that is similar to the one shown when you are
adding a new map, except that all the settings are copied from the map that you cloned.
To edit a map, click the Edit button in the summary. AVS displays a map editing screen where you
can change the settings in the map.
To delete one or more maps, check the box in the Delete column for each map that you want to
delete. Then click the Delete Maps button to delete the checked maps.
To add a new map, click the Add New Map button to display a map editing screen where you can
define the map and give it a name. The sections throughout this chapter describe the unique map
editing screens for each feature.
You can click the links in the blue bar at the top of the frame to go directly to the screens identified
by name.

Global Configuration and Utilities


This section describes the following global configuration and utility items that appear under the Web
Application Security folder in the left hand menu of the management console:
• System Utilities
• Traffic Class Maps
• Policy Maps
• Pattern Definitions

System Utilities
Various utilities let you manage web application security configuration, logging, and statistics.
Use the System Utilities command to display a page that contains links to the system utilities, as
shown in Figure below. To use a utility function, click on its link.


Figure 6: Utilities Page

The following sections describe the two groups of items listed on the System Utilities page:
• Display Utilities
• Configuration Utilities

Display Utilities
The utilities grouped under the Display Utilities heading let you display various information. The
following items are included:
• Startup Configuration
• Running Configuration
• New Configuration
• System Stats
• Traffic Level Stats
• Policy Level Stats
• Current Log
• Saved Log
• Show Version
• Show Tech Support
• Default Config

Startup Configuration
The Startup Configuration link displays the default web application security configuration. This
information is not relevant for users; it is for debugging only.


Running Configuration
The Running Configuration link displays the web application security configuration that is currently
in effect. This information is not relevant for users; it is for debugging only.

New Configuration
The New Configuration link displays the web application security configuration that is being
configured, but not yet committed. This information is not relevant for users; it is for debugging
only.

System Stats
Click System Stats to display statistics related to the web application security operation and
features, as shown in Figure below.

Figure 7: System Statistics

The statistics are initially shown for the master node, which is the first AVS 3120 node that is added
to the cluster in the management console. To show statistics for a different node, click on the link
with the node name in the Nodes field at the top of the screen. You can click the links above the
table to jump directly to the section of the table that shows statistics for the feature named in the
link. For each item in the table, the statistic shows a number of bytes or the number of times the
event has occurred.


Traffic Level Stats


Click Traffic Level Stats to display statistics organized by traffic classification map. The display looks
similar to that shown in Figure above, but a full set of statistics is listed for each traffic class map.
Links to each of the traffic class maps appear across the top of the screen; click one to jump to the
statistics for that map.
The statistics are initially shown for the master node, which is the first AVS 3120 node that is added
to the cluster in the management console. To show statistics for a different node, click on the link
with the node name in the Nodes field at the top of the screen.
Policy Level Stats
Click Policy Level Stats to display statistics organized by policy map. The display looks similar to that
shown in Figure above, but a full set of statistics is listed for each policy map. Links to each of the
policy maps appear across the top of the screen; click one to jump to the statistics for that map.
The statistics are initially shown for the master node, which is the first AVS 3120 node that is added
to the cluster in the management console. To show statistics for a different node, click on the link
with the node name in the Nodes field at the top of the screen.
Current Log
Click Current Log to display the current web application security log, as shown in the following
Figure. The content of the current log varies depending on your system configuration, as follows:
• If you have an AVS 3180 Management Station, then Current Log displays the log file of the
master node (the first AVS 3120 node that was added to the cluster).
• If you do not have an AVS 3180 Management Station, then Current Log displays the log file of
the current AVS 3120 node on which you are running the management console.

Figure 8: Current Log Display

You can scroll the log window to the right to see additional columns that include the URI, the feature
responsible for the log entry, the policy map, traffic class map, feature map, and the log message.
The policy map, traffic class map, and feature map names are hyperlinks, which when clicked will
take you to a screen where you can edit the named map.


This page displays log entries from all web application security features by default. You can filter the
displayed log items by feature by choosing the feature from the Filter By Feature drop-down list.
Then click Refresh Saved Logs.
You can clear the current log file by using Clear Current Logs.
Saved Log
Click Saved Log to display the saved log, which looks similar to the Figure above. The saved log item
works differently, depending on your system configuration, as follows:
• If you have an AVS 3180 Management Station, then Saved Log displays the aggregate log file of
all AVS 3120 nodes that are part of the cluster in the management console. (In order to
aggregate log files from all nodes in the cluster, you must configure all nodes to send log
messages to the AVS 3180 Management Station.)
• If you do not have an AVS 3180 Management Station, then Saved Log displays nothing and is
not useful.
The log filtering works the same as for Current Log.
Show Version
Click Show Version to display version information about the web application security software.
Show Tech Support
Click Show Tech Support to display information about the web application security software that can
be helpful for technical support.
Default Config
Click Default Config to display a page that controls the defaults for various web application security
features, as shown in the following Figure.

Figure 9: Default Configuration


This page lists the web application security features and pattern definitions that can have default
configurations. A default configuration is the configuration that appears when you create a new map
for a feature.
To view the default configuration for a feature or pattern definition, click the View link next to its
name. To enable the feature or pattern definition to have a default configuration, check the Enable
check box.
If you make any changes to this screen, click Apply Changes at the top to save your changes, or click
another AVS command in the left-hand menu to exit this screen without saving your changes.
You can change the default configuration for a feature or pattern definition by creating a new map
for it, configuring the settings as needed, and clicking the Set As Default button. Creating a default in
this way will automatically enable the default configuration if it is not already enabled.

Configuration Utilities
The utilities grouped under the Configuration Utilities heading let you manage the global web
application security configuration and logging. The following items are included:

• System Settings

• Cluster Control

• Publish Configuration

• Service Policy

• Clear System Config

• Commit Config

• Force Commit

• Save Config

• Clear Config

• Clear System Stats

• Clear Traffic Stats

• Clear Policy Stats

• Log Server Config

• Clear Current Logs

System Settings
Click System Settings to display a page that controls overall web application security system
operation, as shown in Figure below.

Figure 10: System Settings

From the Mode of Operation drop-down list, choose one of the following operation modes for the
web application security module:
• Inline—This mode is used for web application security only; no other AVS features can be used
or should be configured, including destination mapping or SSL termination. In this mode, the
application appliance acts like a transparent bridge, monitoring traffic on incoming port 3,
checking security policies and taking action if necessary, then forwarding the traffic to the web
servers on outgoing port 4. Ports 3 and 4 do not have IP addresses and so do not terminate
TCP/IP connections. Port 1 is used for management console connectivity and port 2 is not used.
• Gateway—This mode is used when you want to operate other AVS features in addition to web
application security. For this mode, you must configure at least destination mapping in the
application appliance. In this mode, traffic enters and leaves the application appliance on port 1,
which is also used for management console connectivity. The other three ports are not used.
In gateway mode, SSL-encrypted HTTPS traffic that arrives at the application appliance is
decrypted and forwarded to the web servers as unencrypted HTTP traffic if the web application
firewall is in use. HTTPS traffic between the application appliance and the web servers is not
supported unless the web application firewall is disabled.
• Monitor—This mode is used for monitoring traffic only; no other AVS features can be used or
should be configured. No packets are modified by the web application security module, but
instead it only logs events that match security policies. You can use this mode of operation if you
want to passively examine your web application traffic for possible security threats. Connect
network traffic that you want to monitor to port 2 on the AVS 3120. For example, you can
connect port 2 to the monitor port or Switched Port Analyser (SPAN) port on a switch. Port 2
does not have an IP address and so does not terminate TCP/IP connections. Port 1 is used for
management console connectivity and ports 3 and 4 are not used.
The port assignments for the various operating modes are summarized in the following Table.
Table 7: Port Assignments

Operating Mode   Port 1                               Port 2              Port 3                    Port 4
Inline           management console                   not used            incoming client traffic   outgoing server traffic
Gateway          management console and web traffic   not used            not used                  not used
Monitor          management console                   monitored traffic   not used                  not used

If you change operating modes, for example from inline to gateway mode, you must restart the web
application security module. This is a major change that will likely also require you to reconfigure
your network routing.
In all of the operation modes, the application appliance inspects traffic that is going to and coming
from the web servers.
In the Software Auto Bypass drop-down list, choose Yes if you want to enable automatic bypass in
inline mode.
Automatic bypass causes the application appliance to bridge packets between the incoming and
outgoing ports if the web application security module fails, which allows clients to continue to access
the web servers without security checks. In other words, Yes makes the appliance fail open: availability
is preserved, but the protected web servers receive uninspected traffic until the module is running
again, so a module failure should be alerted on rather than discovered later.
If you choose No and the web application security module fails, client requests will not be forwarded
to the web servers (the appliance fails closed).
In the Old Configuration Expires After field, enter the time in seconds to allow any HTTP sessions
that are in progress to finish before changing configuration when a new configuration is committed.
During this grace period, the old configuration still applies to active HTTP sessions.
When this period of time expires, any HTTP sessions that are still in progress are closed and the new
configuration is applied.
In the Servers to protect area, enter the IP address and ports of each web server that you want the
web application security module to protect:
- Enter the IP address of a web server in the IP address field, check the Add box, and
click Update Servers.
- A Port field is then displayed under the IP address.
- Enter the port to protect, check the Add box next to the port, and click Update Servers.
- Repeat this procedure to add each port that you want to protect on the web server.

Repeat entering the IP address and ports of each web server that you want to protect. To delete a
port or web server IP address, check the Delete check box next to the port or IP address and
click Update Servers.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the utilities main page without saving your changes.

Cluster Control

Click Cluster Control to display a page that allows you to stop, start or restart the web application
security firewall module on individual application appliance nodes, as shown in the following Figure.

Figure 11: Cluster Control

This screen shows the status (Running or Stopped) of the web application security firewall module
for each node in the cluster.
You can run, stop, or restart the web application firewall module on the nodes in the cluster. Check
the check boxes next to the nodes that you want to control, and then click Run, Stop, or Restart to
perform that operation on the checked nodes.
You can use the Include All Nodes and Exclude All Nodes buttons at the top to check or clear all
check boxes.
If you want to control the status of both the Condenser and web application security firewall
modules, you can use the Cluster Control command under the cluster name in the left hand menu.

Publish Configuration

Click Publish Configuration to display a page that allows you to publish a configuration to all nodes
in a cluster, as shown in Figure below.

Figure 12: Publish Configuration

In the Publish Configuration area of the form, click the Publish button to publish the running
configuration of the master AVS 3120 node to all other nodes in the same cluster. If there are no
other nodes in the cluster, the Publish button is not shown.
The master node is the first AVS 3120 node that is added to the cluster in the management console.
If that node is removed, then the next added node becomes the master node, and so on. The master
node is identified at the top of the Publish Configuration page.
To cancel the operation and go back to the System Utilities page click Back.
Use the Publish button in situations where the master node is stable and one of the other nodes
restarts or a new node is added to the cluster.
All AVS 3120 nodes in a cluster must have the same web application security running configuration.
If you are operating a cluster, you must publish the web application security configuration of the
master node to all other nodes.
In the Synchronize Configuration area of the form, click the Sync button to publish the configuration
that is saved on the management console to all nodes in the same cluster.
Use the Sync button in situations where the master node is restarted with a different configuration
and you want to resynchronize it and all other nodes with the saved configuration that is stored in
the management console.
To view the saved configuration that will be published to all nodes, click the View Last Committed
Configuration link.

Service Policy

Click Service Policy to display a page that allows you to choose the active policy map, as shown
in the following Figure.

Figure 13: Service Policy

In the Select Policy Map drop-down list, choose the policy map that you want to be active. Then
click Apply Changes at the top to save your changes, or click Discard Changes to discard your
changes.
Only one policy map can be active at a time. The setting on this screen interacts with the Enable
control on the policy map summary screen (see Adding a New Policy Map): enabling a policy map there
makes it the selected service policy here, and selecting it here shows it as enabled there.

Clear System Config

Click Clear System Config to clear the saved System Settings on the master AVS 3120 node. The
master node is the first AVS 3120 node that is added to the cluster in the management console. You
are asked in a confirmation dialog if you are sure that you want to clear the configuration.
Click OK to clear or Cancel to cancel.
This command clears only the system settings, not the policy configuration. To clear the policy
configuration, use Clear Config.

Commit Config

Configuration changes that you make to web application security policies must be committed before
they take effect and are applied to web traffic. Before they are committed, they are stored
temporarily by the management console but are not saved or applied to the AVS 3120 node where
the web application security module operates.
Click Commit Config to commit the configuration changes to the master AVS 3120 node and to save
them on the management console. The master node is the first AVS 3120 node that is added to the
cluster in the management console. You are asked in a confirmation dialog if you are sure that you
want to commit the configuration. Click OK to commit or Cancel to cancel.
If any HTTP sessions are in progress, they are given a grace period in which to finish, before the new
configuration takes effect. This grace period is configurable and is described in the "System Settings"
section. During this period, you normally cannot commit a second new configuration. If you need to
commit another configuration before this interval has passed, use Force Commit.
After committing a configuration, we recommend that you save the configuration on the master
node by using Save Config. If you have a cluster of AVS 3120 nodes, you must also publish the
configuration to all nodes in the cluster by using Publish Configuration. The application appliance
does not support a cluster where the nodes have different web application security configurations.

Force Commit

Click Force Commit to immediately commit configuration changes, if you have recently committed
another configuration and the grace period for that commit has not yet expired. See the previous
section, Commit Config, for details.
You are asked in a confirmation dialog if you are sure that you want to force commit the
configuration. Click OK to commit or Cancel to cancel.
After committing a configuration, we recommend that you save the configuration by using Save
Config. If you have a cluster of AVS 3120 nodes, you must also publish the configuration to all nodes
in the cluster by using Publish Configuration.
The application appliance does not support a cluster where the nodes have different web application
security configurations.

Save Config

Click Save Config to save the running configuration on the master AVS 3120 node so that it will be
preserved across a reboot of that node. The master node is the first AVS 3120 node that is added to
the cluster in the management console.
You are asked in a confirmation dialog if you are sure that you want to save the configuration.
Click OK to save or Cancel to cancel.
After committing a configuration by using Commit Config, we recommend that you save the
configuration by using Save Config.

Clear Config

Click Clear Config to clear the saved policy configuration on the master AVS 3120 node. The master
node is the first AVS 3120 node that is added to the cluster in the management console. You are
asked in a confirmation dialog if you are sure that you want to clear the configuration. Click OK to
clear or Cancel to cancel.
Clearing the configuration clears only the saved copy of the configuration on the master AVS 3120
node. It does not clear the running configuration, so the node will continue to operate with its
running configuration.
If it is rebooted, that configuration will be lost because it is no longer saved.

Clear System Stats


Resets the statistics accumulated and displayed by the System Stats command.

Clear Traffic Stats


Resets the statistics accumulated and displayed by the Traffic Level Stats command.

Clear Policy Stats


Resets the statistics accumulated and displayed by the Policy Level Stats command.

Log Server Config


The log server configuration page lets you configure remote logging for the web application security
firewall. Web application security logs are separate from other AVS logs. Click the Log Server Config
link to display the page shown in the Figure below, where you can configure remote syslog servers to
which logs are sent by the web application security module.

Figure 14: Log Server Configuration

In the IP Address field, enter the IP address of a remote server to which AVS should send web
application security logs. Check the Add check box and click Update IP Addresses to add the address
to the list of remote log servers. Repeat these steps to add additional remote log servers. To delete a
log server from the list, check the Delete check box next to it and click Update IP Addresses.
The servers that you specify must have the syslog facility running and configured to receive
messages from the network.
If you are managing a cluster of AVS 3120 nodes with the AVS 3180 Management Station, you must
configure the AVS 3180 as one of the remote log servers. This allows the management console to
display aggregated logs from all nodes in the cluster. If you do not have an AVS 3180 Management
Station, you may still want to enter the IP address of at least one remote log server where logs will
be aggregated, though these will not be accessible through the management console interface.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to discard your changes.
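As an added example (not AVS code and not from this handbook), here is the receiving side of the arrangement above: a minimal UDP syslog listener in Python that accepts datagrams only from the addresses your AVS 3120 nodes are expected to use, decodes the <PRI> header into facility and severity, and appends the rest to a file. The node subnet, the log line format and the sample datagrams are constructed for the example; the real line format is whatever the web application security module emits.

```python
import re
import socket
from ipaddress import ip_address, ip_network

# Added example, not AVS code. Assumed: the AVS nodes send from 192.0.2.0/24
# and use BSD-style "<PRI>..." lines. Both are constructed for the demo.
ALLOWED_SOURCES = [ip_network("192.0.2.0/24")]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(line):
    """Split a BSD-style syslog line "<PRI>rest" into facility, severity and text."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities x 8 severities
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES.get(facility, str(facility)),
            "severity": SEVERITIES[severity],
            "text": m.group(2).rstrip("\r\n")}


def accept_source(addr, allowed=ALLOWED_SOURCES):
    """UDP syslog carries no authentication, so the source filter is the only gate."""
    return any(ip_address(addr) in net for net in allowed)


def handle_datagram(data, addr, allowed=ALLOWED_SOURCES):
    """Return the record to store, or None if the datagram is rejected."""
    if not accept_source(addr, allowed):
        return None
    try:
        rec = parse_syslog(data.decode("utf-8", errors="replace"))
    except ValueError:
        return None
    rec["source"] = addr
    return rec


def serve(bind="0.0.0.0", port=514, out_path="webappsec.log"):
    """Run the receiver (port 514 needs privileges; use a high port when testing)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(out_path, "a") as out:
        sock.bind((bind, port))
        while True:
            data, (addr, _) = sock.recvfrom(65535)
            rec = handle_datagram(data, addr)
            if rec is not None:
                out.write(f"{rec['source']} {rec['facility']}.{rec['severity']} {rec['text']}\n")
                out.flush()


# Constructed sample datagrams: one from a node, one spoofed, one malformed.
SAMPLE_DATAGRAMS = [
    (b"<134>Jan  1 12:00:00 avs3120-1 webappsec: policy=main class=url-class "
     b"action=drop src=198.51.100.7", "192.0.2.11"),
    (b"<134>Jan  1 12:00:01 rogue syslog: spoofed line", "203.0.113.9"),
    (b"garbage without a PRI header", "192.0.2.12"),
]


def demo():
    """Feed the constructed datagrams through the same path serve() uses."""
    return [handle_datagram(d, a) for d, a in SAMPLE_DATAGRAMS]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Run it on a high port and point one node at it to test. The source filter is the part that matters: because UDP syslog has no authentication, anyone who can reach the port can otherwise inject lines into the aggregated log, and on a production syslog server the equivalent control is the daemon's own access list or a host firewall rule.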

Clear Current Logs


Clears the current log file. Which file that is depends on your configuration, as follows:
• If you have an AVS 3180 Management Station, then Clear Current Logs clears the log file of the
first AVS 3120 node that is listed in the cluster in the management console.
• If you do not have an AVS 3180 Management Station, then Clear Current Logs clears the log file
of the AVS 3120 node on which you are running the management console.
To view the current log file, use Current Log.

Traffic Class Maps


Traffic mapping allows you to classify HTTP request and response traffic according to a set of
definable criteria. You must define a traffic map to select a set of traffic before you can apply
security features to the traffic in a policy map.
Use the Traffic Class Maps command to display a page that summarizes the traffic classification
maps that are defined, as shown in the following Figure.

Figure 15: Traffic Map Summary

Figure 16: Edit New Traffic Classification MAP

Each row in the summary lists one defined traffic map. From here you can view, clone, edit, or delete
a traffic map, or add a new map.
To view the definition of a traffic map, click its underlined name. The displayed page shows a read-
only listing of the definition.
The Match column lists the matching policy of the map.
To copy a map to use as the basis of a new map, click the Clone button for the traffic map that you
want to copy.
To edit a traffic map, click the Edit button for the map that you want to edit. A form similar to that
shown in Figure 16 is displayed where you can edit the traffic map.
To delete one or more traffic maps, check the box in the Delete column for each map that you want
to delete. Click Delete to delete the checked maps.
To add a new traffic map, use the Add Traffic Class area below the summary table. Give the map a
name in the Map Name field. To determine how the criteria in this map are to be applied, choose
one of the following radio buttons below this field:
• Match Any Criteria—This traffic map is applied if any one of the criteria is satisfied
• Match All Criteria—This traffic map is applied only if all of the criteria are satisfied
Then click the Add New Map button to create the traffic map. You are returned to the map
summary page where you will see the new traffic map listed. To continue defining the new map,
click its Edit button to display the screen shown in Figure 16. One criteria line has already been
added to this traffic map.
You can add criteria lines that describe one or more characteristics of the traffic that you want to
classify. From the Type drop-down list, select the traffic type: Request or Response. Next select the
type of HTTP data that you want to examine for a match in the Match Criteria drop-down list.
The match criteria choices are listed in the following Table.
Table 8: Traffic Class Match Criteria

Type       Match Criteria           Description of Parameters
Request    cookie-name              Name of a request cookie
Request    cookie-name-value        Name and value of a request cookie
Request    cookie-value             Value of a request cookie
Request    host                     Value of the Host header
Request    method                   HTTP method used to make the request
Request    param-name               Name of a query parameter in the URL
Request    param-name-value         Name and value of a query parameter in the URL
Request    param-value              Value of a query parameter in the URL
Request    referer                  Value of the Referer header
Request    request-body             Value of the HTTP request body
Request    request-date             Value of the Date header
Request    request-header-name      Name of a request header
Request    request-header-value     Value of a request header
Request    request-version          HTTP version of the request
Request    url                      Value of the URL
Request    user-agent               Value of the User-Agent header
Response   content-encoding         Value of the Content-Encoding header
Response   content-location         Value of the Content-Location header
Response   content-type             Value of the Content-Type header
Response   reason-phrase            Value of the reason phrase
Response   response-body            Value of the HTTP response body
Response   response-date            Value of the Date header
Response   response-header-name     Name of a response header
Response   response-header-value    Value of a response header
Response   response-version         HTTP version of the response
Response   server                   Value of the Server header
Response   set-cookie-name          Name of a cookie being set
Response   set-cookie-name-value    Name and value of a cookie being set
Response   set-cookie-value         Value of a cookie being set
Response   status-code              Value of the status code
Response   transfer-encoding        Value of the Transfer-Encoding header

Next to the match criteria in the Parameter1 and Parameter2 fields, enter the values that are the
match criteria. Most match criteria items require only a single value, which you enter into the
Parameter1 field. A few of the match criteria items require both a name and a value, such as a
cookie name and value or a parameter name and value. Enter the name into the Parameter1 field
and the value into the Parameter2 field. If the Parameter2 field is not needed, then it is not shown.

For example, if you choose host for the Match Criteria, then the Parameter1 value would be a host
name such as www.cisco.com; the Parameter2 field is not used. If you choose param-name-value for
the Match Criteria, then the Parameter1 value would be the name of a request parameter, and the
Parameter2 value would be the value of the specified request parameter.
Regular expressions are allowed in the parameter fields.
Click the check box in the Negate column if you want to match all traffic that does not meet the
criteria. For example, if you check Negate and enter www.cisco.com for host, this criterion matches
all requests where the host does not equal www.cisco.com.
Traffic maps that contain response criteria cannot be used to trigger a feature that operates on a
request. For example, if you have a traffic map that uses the content-type criterion (a response
criterion), this traffic map cannot be used in a policy where it is associated with a request limits
feature map.
Many features can apply to both requests and responses. Such a feature can be associated with a
traffic map that contains response criteria only if it does not operate on request data. For example, if
you have a traffic map that uses the set-cookie-name criterion (a response criterion), this traffic map
can be used in a policy where it is associated with a cookie protection map, as long as the cookie
protection map operates only on response cookies. If the cookie protection map includes any
request cookie operations, then the policy is invalid.

When you are finished entering one criteria line, click the Update Parameters button to update the
page and give you a new line on which to enter another criterion. To delete one or more criteria
lines, click the Delete check box on each line that you want to delete and then click Update
Parameters to delete all checked lines.
When you are finished with this form, click Apply Changes to save your changes, or click Discard
Changes to return to the summary page without saving your changes.

Default Traffic Maps


The system defines some default traffic class maps that you can use in policy maps. The following
default maps are defined:
• class-all—This traffic map includes all traffic, both requests and responses. Actions and features
that are associated with class-all in a policy map are always executed.
• class-default-request—This traffic map includes all request traffic that does not match any of
the user-defined classes. At the end of an HTTP request, if no user-defined classes have
matched, the actions and features in the policy map that is associated with the class-default-
request traffic map are executed.
In a policy map, this traffic map can be associated with feature maps that operate only on
request data. A policy map that contains the class-default-request traffic map cannot include
other traffic maps that contain the request-body matching criteria (or negation of this criteria).
• class-default-response—This traffic map includes all response traffic that does not match any of
the user-defined classes. At the end of an HTTP response, if no user-defined classes have
matched, the actions and features in the policy map that is associated with the class-default-
response traffic map are executed.
This traffic map can be associated with feature maps that operate only on response data. A
policy map that contains the class-default-response traffic map cannot include other traffic maps
that contain the response-body matching criteria (or negation of this criteria).
You cannot edit or delete these default traffic maps. No security features are associated with these
traffic maps by default. You must use the Policy Maps command to create a policy that associates
features with them.

Policy Maps
A policy map allows you to implement specific web application security functions associated with a
traffic class. First you must create a traffic class map and one or more application security feature
maps, then you can create a policy map that applies the individual security functions to the traffic
class. Here is a summary of the steps required to create a policy map:

1. Create one or more traffic class maps and one or more application security feature maps that
you want to apply to the traffic classes.

2. Click the Policy Maps command and use the Add New Map button to name a new policy map.

3. In the policy map summary page, click the Edit button to add a traffic class to the policy map.

4. In the resulting page that lists traffic maps, click the Edit button next to the newly added traffic
map to associate individual security feature maps with the traffic map.

The following sections describe the policy map GUI in detail.

Adding a New Policy Map


Use the Policy Maps command to display a page that summarizes the policy maps that are defined,
as shown in Figure below.

Figure 17: Policy Map Summary

Each row in the summary lists one defined policy map. From here you can view, clone, edit, delete,
or enable a policy map, or add a new map.
To view the definition of a policy map, click its underlined name. The displayed page shows a read-
only listing of the definition.
The Associated Traffic Maps column lists the traffic class maps that are associated with a policy. If no
traffic class maps are yet associated, it reads "No Maps Associated." The Match Criteria column lists
the matching policy of the map.
To copy a map to use as the basis of a new map, click the Clone button for the map that you want to
copy.
To edit a policy map and add traffic class maps, click the Edit button for the map that you want to
edit. A form similar to that shown in the following Figure is displayed where you can edit the policy
map.
To delete one or more policy maps, check the box in the Delete column for each map that you want
to delete. Click Delete to delete the checked maps.
To enable a policy map (make it active), click the radio button in the Enable column for the map that
you want to enable, then click the Enable button at the bottom of the column. You can only enable a
policy map that has associated traffic class maps, and you can only enable one policy map at a time.
This setting interacts with the policy map selected in the Service Policy screen of the System Utilities.
Selecting a policy to be active in that screen will cause it to be displayed as enabled in this policy
map summary screen.
To add a new policy map, use the Add Policy area below the summary table. Give the map a name in
the Map Name field. Choose when to execute the policy by clicking one of the following radio
buttons:
• First Match—Execute the policy only on the first traffic map that matches the traffic
• Match All—Execute the policy on all traffic maps that match the traffic
Then click Add New Policy Map to add the map to the summary. The new map is not yet configured,
and to do that click the Edit button for the map.

When you choose First Match for the type of traffic map matching, it is important to understand the
order in which AVS matches traffic maps. Traffic matching is driven by the order in which the traffic
data arrives, which is: HTTP method, HTTP version, host, URL, cookie name, and cookie value. There
can be multiple cookies and they can arrive in any order, so the value of one cookie could cause a
match before the name of another cookie.
Say that you have a traffic map, url-class, that matches on a specific URL, and another traffic map,
cookie-class that matches on a cookie name. In an incoming request, the URL arrives before any
cookies, so if the URL matches url-class, then this will cause a First Match policy to fire (if it uses this
traffic map). The cookie-class might also match this request, but it is not invoked since the url-class
already triggered its policy.
The order in which traffic maps are listed in the traffic maps list (see Figure below) is irrelevant and
does not signify the order in which traffic maps are evaluated for a match.
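The matching rules described under Traffic Class Maps (Match Any/All, Negate, regular-expression parameters) and the First Match arrival order described above, as an added Python model that is not part of the AVS software or of this handbook. It covers the request-side criteria only, assumes a parameter is a regular expression that must match the whole field (the page does not say how patterns are anchored), and uses a constructed request and constructed map names.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Added example, not AVS code. Models traffic class maps and First Match versus
# Match All evaluation for a subset of the request-side criteria in Table 8.
# Assumption: Parameter1/Parameter2 are regular expressions matched against the
# whole field.

# Order in which request data reaches the module; this, not the GUI list order,
# decides which map a First Match policy fires on.
ARRIVAL = ["method", "request-version", "host", "url",
           "cookie-name", "cookie-name-value", "cookie-value"]
END_OF_REQUEST = len(ARRIVAL)


@dataclass
class Criterion:
    match: str                    # Match Criteria name from Table 8
    param1: str                   # Parameter1: name, or value for single-value criteria
    param2: Optional[str] = None  # Parameter2: value for name-and-value criteria
    negate: bool = False


@dataclass
class TrafficMap:
    name: str
    match_all: bool               # True = Match All Criteria, False = Match Any Criteria
    criteria: list


def _full(pattern, text):
    return re.fullmatch(pattern, text) is not None


def _pairs(request, match):
    """(name, value) pairs the criterion inspects; name is None for single fields."""
    if match in ("method", "request-version", "url"):
        return [(None, request[match])]
    if match == "host":
        return [(None, request["headers"].get("Host", ""))]
    if match.startswith("cookie"):
        return list(request["cookies"].items())
    if match.startswith("param"):
        return parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True)
    raise ValueError(f"criterion {match!r} is not modelled here")


def criterion_hits(crit, request):
    pairs = _pairs(request, crit.match)
    if crit.match.endswith("-name-value"):
        hit = any(_full(crit.param1, n) and _full(crit.param2, v) for n, v in pairs)
    elif crit.match.endswith("-name"):
        hit = any(_full(crit.param1, n) for n, _ in pairs)
    else:
        hit = any(_full(crit.param1, v) for _, v in pairs)
    return hit != crit.negate     # Negate inverts the outcome


def _position(crit):
    """Arrival index at which the criterion can be decided."""
    base = "url" if crit.match.startswith("param") else crit.match  # query params ride on the URL
    if base.startswith("cookie") and crit.negate:
        return END_OF_REQUEST     # "no cookie named X" is known only after all cookies
    return ARRIVAL.index(base) if base in ARRIVAL else END_OF_REQUEST


def traffic_map_decision(tmap, request):
    """Arrival index at which the map matched, or None if it does not match."""
    results = [(_position(c), criterion_hits(c, request)) for c in tmap.criteria]
    if not results:
        return None
    if tmap.match_all:
        return max(p for p, _ in results) if all(h for _, h in results) else None
    hits = [p for p, h in results if h]
    return min(hits) if hits else None


def evaluate(traffic_maps, first_match, request):
    """Names of the maps whose features fire; GUI list order is deliberately ignored."""
    decided = [(traffic_map_decision(t, request), t.name) for t in traffic_maps]
    decided = [(p, n) for p, n in decided if p is not None]
    if not decided:
        return ["class-default-request"]   # built-in fallback (see Default Traffic Maps)
    if first_match:
        earliest = min(p for p, _ in decided)
        # Tie-breaking between maps decided by the same field is not described on
        # the page; this model keeps the first of them.
        return [n for p, n in decided if p == earliest][:1]
    return [n for _, n in decided]


# Constructed request and maps for the demonstration.
SAMPLE_REQUEST = {
    "method": "GET", "request-version": "HTTP/1.1", "url": "/admin/users?id=42",
    "headers": {"Host": "www.example.com", "User-Agent": "curl/8.0"},
    "cookies": {"session": "abc123", "theme": "dark"},
}
MAPS = [
    TrafficMap("cookie-class", False, [Criterion("cookie-name", "session")]),
    TrafficMap("url-class", True, [Criterion("url", r"/admin(/.*)?")]),
]

if __name__ == "__main__":
    # cookie-class is listed first, but the URL arrives before any cookie.
    print(evaluate(MAPS, True, SAMPLE_REQUEST))   # ['url-class']
    print(evaluate(MAPS, False, SAMPLE_REQUEST))  # ['cookie-class', 'url-class']
```

The point of the model is the last function: under First Match, url-class fires even though cookie-class is listed first, because the URL arrives before any cookie; under Match All both fire. Whatever the tie-breaking on the real device, do not rely on GUI list order when you design a First Match policy.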

Adding a Traffic Map to a Policy Map


To define a policy map and add traffic class maps, in the map summary table click the Edit button for
the map that you want to edit. A form similar to that shown in the following Figure is displayed
where you can edit the policy map.

Figure 18: Edit New Policy Map

When you first edit a new policy map, there are no traffic maps included in it. To begin defining a
policy, choose a traffic map from the Traffic Map Name drop-down list (the predefined maps are
described under Default Traffic Maps). Then click the Add check box to put a check in it and click the
Update List button to add the traffic map to the policy. After the update, the screen looks like that
shown in the following figure.

Figure 19: Traffic Map Added to Policy Map

The newly added traffic map is shown in the first row under the Traffic Map Name heading. Each
row summarizes one traffic map that is part of this policy definition. The last row allows you to add a
new traffic map by selecting its name from the drop-down list of traffic maps, clicking the Add check
box, and clicking the Update List button.
Using the controls in the summary row for a traffic map, you can view the policy for the map, delete
it, or edit it.
To view the policy for a traffic map, click its underlined name. The displayed page shows a read-only
listing of the policy definition.
To delete one or more traffic maps from this policy definition, check the box in the Delete column
for each map that you want to delete. Click Update List to delete the checked maps.
To edit the policy for a traffic map, click the Edit button.

Figure 20: Associating Features with a Traffic Class

When you are finished adding or editing traffic map policies, click Apply Changes to save your
changes, or click Discard Changes to return to the summary page without saving your changes.

Associating Security Feature Maps with a Traffic Map


To edit the policy for a traffic map, click the Edit button in the summary. A form similar to that
shown in the Figure above is displayed where you can edit the policy definition by choosing which
security feature maps to apply to the traffic class.
On this screen, you choose which security features to apply to the traffic map shown in the Traffic
Map Name field. You can choose a general response action and/or apply one or more feature maps
to the traffic.
To apply a general response action, choose one of the following actions from the Response Action
drop-down list:
• None—Take no action
• Reset client—Reset the client side of the connection
• Drop—Drop the connection silently
• Reset server client—Reset both the server and client sides of the connection
• Reset server—Reset the server side of the connection

• Error Page—Send an error page. Choose the error page to send from the next drop-down list to
the right. You define such error pages by using the send page feature.
Click the Log check box to log the event.
To apply a feature map to the traffic, choose a feature from the Feature drop-down list and then
from the Map Name drop-down list, choose one of the feature maps that you have defined for that
feature. Then click the Update List button to take you back to the screen shown in Figure above. You
can add multiple feature maps to be applied to this traffic map by editing the traffic map again and
following the same procedure.
Traffic maps that contain response criteria cannot be used to trigger a feature that operates on a
request. For example, if you have a traffic map that uses the content-type criterion (a response
criterion), this traffic map cannot be used in a policy where it is associated with a request limits
feature map.
Many features can apply to both requests and responses. If such a feature operates only on
response data and not on request data, then it can be associated with a traffic map that contains
response criteria. For example, if you have a traffic map that uses the set-cookie-name criterion (a
response criterion), this traffic map can be used in a policy where it is associated with a cookie
protection map, as long as the cookie protection map operates only on response cookies. If the
cookie protection map includes any request cookie operations, then the policy is invalid and will not
be allowed.
The default traffic map class-default-request can be associated with feature maps that operate only
on request data. A policy map that contains the class-default-request traffic map cannot include
other traffic maps that contain the request-body matching criteria.
The default traffic map class-default-response can be associated with feature maps that operate
only on response data. A policy map that contains the class-default-response traffic map cannot
include other traffic maps that contain the response-body matching criteria.
To delete an associated feature map, check the Delete check box for the map and click Update List.
If you would rather cancel the changes that you made on this form, click the Discard
Changes button.
The following features are available in the Feature drop-down list:
• Cookie Protection—Protects against cookie tampering by using hashed cookies and provides
cookie privacy by encrypting cookies;
• HTTP Protocol conformance-MIME Type Controls—Validates that the content's MIME type
matches the MIME type specified in the HTTP Content-type header; this feature operates only
on responses.
• HTTP Protocol conformance-Control HTTP Method—Filters traffic based on the HTTP method;
• HTTP Protocol conformance-Generic Pattern Matcher—Filters traffic based on any user-
definable criteria;
• HTTP Protocol conformance-Header Integrity Check—Checks headers for integrity;
• HTTP Protocol conformance-IM Controls—Filters instant messenger traffic;
• HTTP Protocol conformance-P2P Controls—Filters peer-to-peer file sharing traffic;
• HTTP Protocol conformance-Transfer Encoding—Filters traffic based on the HTTP Transfer-
Encoding header;
• HTTP Protocol conformance-Tunnelling Policies—Filters traffic that is tunnelled over HTTP, such
as ShoutCast, GoToMyPC and the like;

• HTTP Protocol conformance-URL Black Listing—Blocks access to specific URLs;
• IV-OS Command Injection—Validates that input does not contain disallowed command strings;
• IV-Cross Site Scripting—Validates that input does not contain a cross site scripting attack;
• IV-Format String Attacks—Validates that input does not contain disallowed formatting strings;
• IV-LDAP Injection—Validates that input does not contain disallowed LDAP strings;
• IV-Meta Character Detection—Validates that input does not contain disallowed meta
characters;
• IV-SQL Injection—Validates that input does not contain disallowed SQL command strings;
• ID Theft Protection—Guards against the unsolicited disclosure of social security and credit card
numbers in HTTP responses to clients; this feature operates only on responses.
• Request Limits—Enforces boundary length checking on all inputs received from the client;
• URL Normalization—Secures web applications from attacks that use the URL in HTTP requests,
such as directory traversal;
• URL Tagging—Adds information to request URLs that can be used by other downstream devices
such as load balancers or application servers;
• Web Cloaking—Hides identifying information about the web server and application;

Pattern Definitions
Pattern definitions define regular expression sets for matching strings used by other web security
features. For example, the identity theft protection feature uses regular expressions that match
social security numbers and credit card numbers.
Use the Pattern Definitions command to display a page that summarizes the pattern maps that are
defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the Figure below.

Figure 21: Add Pattern Definition

Give the new regular expression set a name in the Pattern Definition Name field.
In the Type drop-down list, select the type of regular expression set that you are defining, from the
following choices:
• Social Security Number—Regular expressions that describe social security numbers
• Credit Card—Regular expressions that describe credit card numbers
• Custom—Custom regular expression
• Cross Site Scripting—Regular expressions that describe cross site scripting strings
• SQL Injection—Regular expressions that describe SQL command strings
• Command Injection—Regular expressions that describe command strings
• LDAP Injection—Regular expressions that describe LDAP strings
• Meta Character Detection—Regular expressions that describe meta characters
• Format String Attacks—Regular expressions that describe format strings
Select one or more regular expressions that you want to use from the Standard Regular Expressions
list and add them to the Included Regular Expressions list on the right side of the page by clicking the
right arrow (-->) button. The list of standard regular expressions changes depending on the type you
choose. You can also add a custom regular expression by typing it into the Custom field and clicking
the right arrow (-->) button next to that field. If you enter a value into the Custom field, you must
also enter in the Size field the maximum number of characters to search for this expression in the
target data. Size must be greater than 0 for the custom expression to be added to the Included
Regular Expressions list. A loosely written custom expression will match legitimate data as well as
the data you are looking for, so keep it as specific as possible.
You can remove a regular expression from the Included Regular Expressions list by selecting it and
clicking the left arrow (<--) button.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.

Security Feature Configuration

This section describes the following security feature configuration items that appear under
the Web Application Security folder in the left hand menu of the Management Console:

• URL Normalization

• Cookie Protection

• ID Theft Protection

• Request Limits

• Error/Redirect Pages

• Web Cloaking

• URL Tagging

• HTTP Protocol Conformance

• Input Validation Checks

URL Normalization
The URL normalization feature lets you secure web applications from attacks that use the URL in
HTTP requests, such as directory traversal.
To deobfuscate potential attacks, the application appliance first scans the URL in incoming requests
and normalizes it by decoding all encoded characters, so that the security checks run on the URL the
server would actually see rather than on its encoded form. It can detect the following encoding
schemes: escaped (%XX) encoding, %U encoding, Unicode encoding using UTF-8 (up to three bytes in
length), and IP address encoding. Additionally, it can handle a combination of encoding schemes and
double encoding of the same character.
Use the URL Normalization command to display a page that summarizes the URL normalization
maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following Figure.

Figure 22: Add URL Normalization Map

Give the new map a name in the Map Name field. In the Normalize Case drop-down list, select True
to normalize the case of URLs or False to ignore case.
The following part of the form lists a number of conditions that may indicate a possible attack and
lets you determine what action to take if one of the following conditions is detected in a URL:
• Encoding—Any kind of character encoding
• Escape encoding—Escape character encoding
• Percent-U encoding—Percent-U character encoding
• Unicode encoding—Unicode character encoding
• Combination of encoding schemes—A combination of character encoding schemes
• Multiple levels of encoding—Multi-level character encoding
• Unsupported encoding—Unsupported character encoding
• Overlong unicode encoding—Overlong unicode character encoding
• Null encoding—Null character encoding
• Forward directory traversal—Forward directory traversal
• Backward directory traversal—Backward directory traversal
In the Action drop-down list for each item, choose one of the following actions to take if the
condition occurs:
• None—Take no action
• Reset server—Reset the server side of the connection
• Reset client—Reset the client side of the connection
• Reset server and client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently

• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error
pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define
such redirection pages by using the redirect page feature.
For each item you can also click the Log check box to log the event.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
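The following added example (not from the handbook or from the AVS appliance) shows the decoding and checks described above in Python. It peels %XX, %uXXXX and UTF-8 encoding layer by layer, records which of the form's conditions it saw (escape, percent-U, unicode, overlong, multiple levels, combination, null and directory traversal; IP address encoding is omitted), and applies a constructed condition-to-action table the way the per-condition Action drop-downs do. The treatment of "." segments as forward and ".." as backward traversal, the definition of "combination", the pass limit and the action severity order are assumptions made for the example.

```python
import re

ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")
PERCENT_U_RE = re.compile(r"%[uU]([0-9A-Fa-f]{4})")
MAX_PASSES = 3  # assumption: how many encoding layers to peel before stopping
# Assumption: the form's actions ranked most severe first; "[SEND-PAGE] x" and
# "[REDIRECT-PAGE] x" entries rank as "page".
SEVERITY = ["drop", "reset server and client", "reset server", "reset client", "page", "none"]


def _decode_utf8(data):
    """Decode 1- to 3-byte UTF-8, flagging overlong and malformed sequences."""
    conds, chars, i = set(), [], 0
    while i < len(data):
        b = data[i]
        need = 0 if b < 0x80 else 1 if 0xC0 <= b < 0xE0 else 2 if 0xE0 <= b < 0xF0 else -1
        tail = data[i + 1:i + 1 + need]  # empty when need <= 0
        if need < 0 or len(tail) < need or any(not 0x80 <= t < 0xC0 for t in tail):
            conds.add("unsupported encoding")  # stray continuation, truncated or 4-byte form
            chars.append("\ufffd")
            i += 1
            continue
        cp = b if need == 0 else b & (0x1F if need == 1 else 0x0F)
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if need:
            conds.add("unicode encoding")
            if cp < (0x80, 0x800)[need - 1]:  # e.g. %c0%ae is an overlong spelling of "."
                conds.add("overlong unicode encoding")
        chars.append(chr(cp))
        i += 1 + need
    return "".join(chars), conds


def _decode_layer(s):
    """Peel one layer of %uXXXX and %XX encoding; return (text, conditions seen)."""
    conds, out, pending, i = set(), [], bytearray(), 0

    def flush():  # consecutive %XX bytes are decoded together as UTF-8
        if pending:
            text, c = _decode_utf8(bytes(pending))
            conds.update(c)
            out.append(text)
            pending.clear()

    while i < len(s):
        m = PERCENT_U_RE.match(s, i)
        if m:
            flush()
            conds.add("percent-u encoding")
            out.append(chr(int(m.group(1), 16)))
            i = m.end()
            continue
        m = ESCAPE_RE.match(s, i)
        if m:
            conds.add("escape encoding")
            pending.append(int(m.group(1), 16))
            i = m.end()
            continue
        flush()
        out.append(s[i])
        i += 1
    flush()
    return "".join(out), conds


def normalize_url(url):
    """Decode url repeatedly; return (normalized path, sorted list of conditions)."""
    conds, current = set(), url
    for level in range(1, MAX_PASSES + 1):
        decoded, layer = _decode_layer(current)
        if not layer:
            break
        if level > 1:
            conds.add("multiple levels of encoding")  # double encoding such as %252e
        conds |= layer
        current = decoded
    if {"escape encoding", "percent-u encoding"} <= conds:
        conds.add("combination of encoding schemes")  # assumption: mixed %XX and %uXXXX
    if "\x00" in current:
        conds.add("null encoding")
    # Assumption: ".." segments are backward and "." segments forward traversal.
    if re.search(r"(^|/)\.\.(/|$)", current):
        conds.add("backward directory traversal")
    if re.search(r"(^|/)\.(/|$)", current):
        conds.add("forward directory traversal")
    if conds & {"escape encoding", "percent-u encoding", "unicode encoding"}:
        conds.add("encoding")  # the catch-all "Encoding" condition on the form
    return current, sorted(conds)


def evaluate(url, policy):
    """Apply a condition -> action table (the form's Action drop-downs); the most severe wins."""
    path, conds = normalize_url(url)
    actions = [policy.get(c, "none") for c in conds]
    rank = lambda a: SEVERITY.index("page" if a.startswith("[") else a)
    return path, conds, min(actions, key=rank, default="none")


if __name__ == "__main__":  # constructed sample policy and URL
    policy = {"backward directory traversal": "drop", "overlong unicode encoding": "reset client"}
    print(evaluate("/%c0%ae%c0%ae/secret", policy))
```

The traversal and null checks run on the fully decoded path, which is the point of normalizing first: `%252e%252e` only becomes `..` after the second pass, and `%c0%ae` only becomes `.` once the overlong UTF-8 form is decoded.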

Cookie Protection
Web applications store a variety of information in plain text cookies. The application appliance
protects against cookie tampering by using hashed cookies and provides cookie privacy by
encrypting cookies. The application appliance also supports adding and removing cookie attributes,
and filtering cookies based on user configurable attributes such as HTTP-only cookies, maximum age,
number of cookies, and others. The cookie protection features operate both on server cookies sent
to clients in HTTP responses and on client cookies that are sent back to servers in HTTP requests.
Use the Cookie Protection command to display a page that summarizes the cookie protection maps
that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following Figure.

Figure 23: Add Cookie Protection Map

Give the new map a name in the Map Name field.
The next three Tamper Proof fields set the key and algorithm used for hashing cookies. The hash is
keyed: it is computed over the cookie together with a secret key, so a client that alters the cookie
cannot recompute a matching hash (an unkeyed hash would offer no protection, because anyone
could recompute it). In the Tamper Proof Key Length drop-down list, choose the key length in bits
that you want to use. In the Tamper Proof Key field, enter a key of the chosen length: 16 characters
for a 128-bit key or 32 characters for a 256-bit key. Spaces are not allowed in keys. Treat the key as
a secret and generate it randomly rather than choosing a memorable string; anyone who obtains it
can forge valid hashes. In the Tamper Proof Algorithm drop-down list, choose the hashing algorithm
to use. Currently, AVS supports only SHA-1.
The next three Encrypt fields set the key and algorithm used for encrypting cookies. In the Encrypt
Key Length drop-down list, choose the key length in bits that you want to use. In the Encrypt Key
field, enter a key of the chosen length. You must enter 16 characters for a 128-bit key or 32
characters for a 256-bit key. Spaces are not allowed in keys. In the Encrypt Algorithm drop-down list,
choose the encryption algorithm to use. Currently, AVS supports only AES.
In the Process Response Cookies drop-down list, choose the cookie protection actions to take on all
response cookies (cookies sent from the server to the client). The following actions are defined:
• Allow individual cookie processing—Allow response rule map processing whereby you can
enable encryption and/or tamper proofing on selected cookies, based on cookie/attribute
names and values;
• Encrypt all cookies—Encrypt all cookies
• Tamper proof all cookies—Hash all cookies to prevent tampering
• Encrypt and tamper proof all cookies—Encrypt and hash all cookies
The next part of the form lists a number of cookie problems and lets you determine what action to
take if one of the following events occurs:
• Alien Cookie—A cookie is observed that is not one processed by the AVS cookie protection
feature
• Old Cookie—A cookie sent from the client was protected with an earlier version of the hash or
encryption key, typically because the key was changed after the cookie was issued. Such a cookie
cannot be verified or decrypted.
• Encrypt Fail—Cookie decryption failed
• Tamper Proof Verification Fail—Verification that the cookie was not tampered with failed, so
this may indicate possible cookie tampering
• Server Cookie Range not between—The number of server cookies is not within the specified
range. Enter a range of integers, with the smaller number in the first field and the larger number
in the second field.
• Client Cookie Range not between—The number of client cookies is not within the specified
range. Enter a range of integers, with the smaller number in the first field and the larger number
in the second field.
In the Action drop-down list for each item, choose one of the following actions to take if the event
occurs:
• Allow—Allow the request unchanged
• Remove cookie—Remove the cookie that triggered the event
• Drop—Drop the connection silently
• Reset—Reset the connection
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error
pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define
such redirection pages by using the redirect page feature.

For each item you can also click the Log check box to log the event.
By using the next parts of the form, you can add rule-based processing to cookies that is based on
their values and attributes. These next form parts are described in the following sections:
• Response Attribute Rule Maps
• Response Rule Maps
• Request Rule Maps
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
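As an added example (not the handbook's or the appliance's code), the following Python demonstrates the tamper-proof half of this feature using only the standard library: a keyed SHA-1 hash (HMAC-SHA1) is appended to each response cookie together with a key version, and request cookies are classified as ok, alien, old or tamper-failed and handled according to a constructed per-event action table with a client cookie count range. The cookie wire format (`tp<version>.<value>.<mac>`), the key table and the sample cookies are assumptions; the appliance's real format is not documented here, and cookie encryption (AES) is not shown.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed keys: version -> 128-bit key (16 characters, as the form requires).
# The previous version is kept so cookies issued before a rollover still verify;
# a version missing from this table is an "Old Cookie".
KEYS = {1: b"0123456789abcdef", 2: b"fedcba9876543210"}
CURRENT_VERSION = 2
MARK = "tp"  # assumption: our own wire-format marker, not the appliance's


def _mac(version, name, value):
    """HMAC-SHA1 over the cookie name and value, bound to the key version."""
    msg = f"{version}|{name}|{value}".encode()
    digest = hmac.new(KEYS[version], msg, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def protect(name, value, version=CURRENT_VERSION):
    """Tamper-proof a response cookie value (what goes into Set-Cookie)."""
    return f"{MARK}{version}.{value}.{_mac(version, name, value)}"


def verify(name, wire):
    """Classify a request cookie as ok / alien / old / tamper fail.

    Returns (status, value); value is None unless status is "ok" or "alien"
    (an alien cookie is passed through unchanged when the policy allows it).
    """
    if not wire.startswith(MARK) or wire.count(".") < 2:
        return "alien", wire  # never processed by this feature
    head, rest = wire.split(".", 1)
    value, mac = rest.rsplit(".", 1)  # the value itself may contain dots
    try:
        version = int(head[len(MARK):])
    except ValueError:
        return "alien", wire
    if version not in KEYS:
        return "old", None  # issued under a retired key, so it cannot be verified
    if not hmac.compare_digest(mac, _mac(version, name, value)):
        return "tamper fail", None
    return "ok", value


def process_request_cookies(cookie_header, policy, client_range=(0, 20)):
    """Apply per-event actions (allow, remove cookie, drop, reset) to a Cookie: header.

    Returns (events, cookies to forward to the server, connection action).
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    events, kept = [], {}
    if not client_range[0] <= len(jar) <= client_range[1]:
        events.append("client cookie range not between")
    for name, morsel in jar.items():
        status, value = verify(name, morsel.value)
        if status == "ok":
            kept[name] = value
            continue
        events.append(status)
        if policy.get(status, "allow") == "allow":
            kept[name] = morsel.value  # forwarded untouched
        # "remove cookie" simply leaves it out; drop/reset are decided below
    conn = [policy.get(e, "allow") for e in events]
    action = "drop" if "drop" in conn else "reset" if "reset" in conn else "allow"
    return events, kept, action


if __name__ == "__main__":
    issued = protect("session", "alice")
    print("Set-Cookie: session=" + issued)
    print(process_request_cookies(f"session={issued}; tracker=xyz",
                                  {"alien": "remove cookie", "tamper fail": "reset"}))
```

Binding the cookie name into the hash is deliberate: without it a client could move a validly hashed value from one cookie to another. `hmac.compare_digest` is used for the comparison so that the check does not leak timing information about how many bytes matched.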

Response Attribute Rule Maps
In the Response Attribute Rule Maps section, you can define operations to set, insert, or remove
specific cookie attributes from response cookies (cookies sent from the server to the client). You can
delete one or more operations by clicking the Delete check box next to each operation that you want
to delete and then clicking the Delete button.
To add a new attribute operation, click the Add New button to open the window shown in the
following Figure.

Figure 24: Add Attribute Operation

From the Operation drop-down list, select the type of operation you want to perform, as follows:
• Insert—Insert an attribute with the specified name and value. If the attribute already exists, its
value is replaced with the specified value.
• Remove—Remove the attribute with the specified name and value. If the attribute exists but
the value is different from the specified value, it is not removed.
• Set—Set an existing attribute with the specified name to the specified value. If the attribute
does not exist, it is not added. To insert a new attribute, use Insert.
Enter the attribute name in the Attribute Name field and its value in the Attribute Value field. When
you are finished, click Create to add the operation or Close Window to cancel the operation.
When you add a new operation, it will be listed in the Response Attribute Rule Maps section of the
cookie protection map form.

Response Rule Maps
In the Response Rule Maps section, you can define rule maps for response cookies (cookies sent
from the server to the client). In a response rule map, you can specify specific cookies to which to
apply encryption and/or tamper proofing actions. This response rule map processing applies only if
the Process Response Cookies element is set to Allow individual cookie processing in the cookie
protection map.
If there are already rule maps listed here, you can view them by clicking the underlined identifier
in the RuleMaps column. You can edit a rule map by clicking the Edit button next to the map name.
You can delete one or more rule maps by checking the Delete check box next to each rule map that
you want to delete and then clicking the Delete button.
To add a new rule map, click the Add New button to open the window shown in Figure below.

Figure 25: Add Response Rule Map

Enter a unique name for the rule map in the Rule Map Name field. You can specify a numeric priority
(from 1 to 65535) in the Numeric Priority field, which is used to order the rule maps. Rule maps are
evaluated in descending order of priority (highest number first), and the first rule map whose
criteria match the cookie is applied; a rule map whose criteria do not match is skipped and the rule
map with the next highest priority is tried.
Identify the cookie to which this rule map is to be applied by name and/or value in the Cookie Name
and Cookie Value fields. You can use regular expressions in these fields.
You can also identify cookies by attribute name and/or value by specifying one or more regular
expressions in the Attribute Name and Attribute Value fields. If you specify more than one
name/value pair, all specified attributes must be present in order for this rule to match a cookie.
In the Action drop-down list, select the action to apply to matched cookies, as follows:
• Encrypt—Encrypt the matched cookies
• Tamper proof—Hash the matched cookies to prevent tampering
• Encrypt and tamper proof—Encrypt and hash the matched cookies
If you want to log the event, click the Log check box next to the Action field.
When you are finished, click Create to add the rule map or Close Window to cancel the operation.
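The following added Python example (not from the handbook or the appliance) ties the Response Attribute Rule Maps and Response Rule Maps sections together: it parses a Set-Cookie header, applies Insert, Remove and Set attribute operations with the semantics described above, and selects the response rule map to apply by descending numeric priority using regular expressions on the cookie name, value and attributes. The rule-map names, the sample headers and the choice to match rule maps against the cookie as the server sent it (before the attribute operations rewrite it) are assumptions made for the example.

```python
import re


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, [(attribute, value or None), ...])."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = []
    for p in parts[1:]:
        if p:
            a, sep, v = p.partition("=")
            attrs.append((a.strip(), v.strip() if sep else None))  # flags like HttpOnly have no value
    return name.strip(), value.strip(), attrs


def serialize_set_cookie(name, value, attrs):
    return "; ".join([f"{name}={value}"] + [a if v is None else f"{a}={v}" for a, v in attrs])


def apply_attribute_operation(attrs, op, attr_name, attr_value=None):
    """Insert / Remove / Set with the semantics the form describes; edits attrs in place."""
    idx = [i for i, (a, _) in enumerate(attrs) if a.lower() == attr_name.lower()]
    if op == "insert":  # add, or replace the value if the attribute already exists
        if idx:
            attrs[idx[0]] = (attrs[idx[0]][0], attr_value)
        else:
            attrs.append((attr_name, attr_value))
    elif op == "remove":  # removed only when both name and value match
        attrs[:] = [(a, v) for a, v in attrs
                    if not (a.lower() == attr_name.lower() and (v or "") == (attr_value or ""))]
    elif op == "set":  # change an existing attribute only; never adds one
        if idx:
            attrs[idx[0]] = (attrs[idx[0]][0], attr_value)
    else:
        raise ValueError(f"unknown operation {op!r}")
    return attrs


class RuleMap:
    """A response rule map: regex criteria plus the action to apply to matching cookies."""

    def __init__(self, name, priority, cookie_name=".*", cookie_value=".*",
                 attributes=(), action="tamper proof"):
        self.name, self.priority, self.action = name, priority, action
        self.cookie_name, self.cookie_value = re.compile(cookie_name), re.compile(cookie_value)
        # Every listed (attribute name, attribute value) regex pair must be present to match.
        self.attributes = [(re.compile(a), re.compile(v)) for a, v in attributes]

    def matches(self, name, value, attrs):
        if not (self.cookie_name.fullmatch(name) and self.cookie_value.fullmatch(value)):
            return False
        return all(any(a_re.fullmatch(a) and v_re.fullmatch(v or "") for a, v in attrs)
                   for a_re, v_re in self.attributes)


def select_rule_map(rule_maps, name, value, attrs):
    """Highest numeric priority is tried first; the first rule map that matches wins."""
    for rm in sorted(rule_maps, key=lambda r: r.priority, reverse=True):
        if rm.matches(name, value, attrs):
            return rm
    return None


def process_response_cookie(header, attribute_ops, rule_maps):
    """Return (rewritten Set-Cookie header, (rule map name, action) or None).

    Assumption: the rule map is chosen on the cookie as the server sent it,
    before the attribute operations rewrite it.
    """
    name, value, attrs = parse_set_cookie(header)
    chosen = select_rule_map(rule_maps, name, value, attrs)
    for op, attr_name, attr_value in attribute_ops:
        apply_attribute_operation(attrs, op, attr_name, attr_value)
    return serialize_set_cookie(name, value, attrs), (chosen.name, chosen.action) if chosen else None


if __name__ == "__main__":
    # Constructed configuration: harden every cookie, protect session cookies most strongly.
    ops = [("insert", "HttpOnly", None), ("insert", "Secure", None), ("set", "Path", "/")]
    rules = [RuleMap("all", 1, action="tamper proof"),
             RuleMap("session", 100, cookie_name="JSESSIONID|session", action="encrypt and tamper proof"),
             RuleMap("tracking", 50, attributes=[("Path", "/track.*")], action="encrypt")]
    for h in ["session=abc123; Path=/app; Domain=example.com", "tid=42; Path=/track/v1", "theme=dark"]:
        print(process_response_cookie(h, ops, rules))
```

The low-priority catch-all rule map ("all", priority 1) is what gives every cookie at least tamper-proofing; the higher-priority maps only add stronger handling for the cookies they match.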

Request Rule Maps
In the Request Rule Maps section, you can define rule maps for request cookies (cookies sent from
the client to the server). In a request rule map, you can specify cookies to drop or to cause a
connection reset.
Request rule map processing occurs regardless of the setting of the Process Response Cookies drop-
down list, but operates only on request cookies that were initially processed by the cookie
protection feature in the server to client direction. Any cookies that do not meet this criterion are
implicitly allowed, though they are processed by other cookie protection features and may be
removed as a result of that processing.
If there are already rule maps listed here, you can view them by clicking the underlined identifier
in the RuleMaps column. You can edit a rule map by clicking the Edit button next to the map name.
You can delete one or more rule maps by checking the Delete check box next to each rule map that
you want to delete and then clicking the Delete button.
To add a new rule map, click the Add New button to open the window shown in the following figure.

Figure 26: Add Request Rule Map

Enter a unique name for the rule map in the Rule Map Name field. You can specify a numeric priority
(from 1 to 65535) in the Numeric Priority field, which is used to order the rule maps. Rule maps are
evaluated in descending order of priority (highest number first), and the first rule map whose
criteria match the cookie is applied; a rule map whose criteria do not match is skipped and the rule
map with the next highest priority is tried.
Identify the cookie to which this rule map is to be applied by name and/or value in the Cookie Name
and Cookie Value fields. You can use regular expressions in these fields.
In the Action drop-down list, select the action to apply to matched cookies, as follows:
• Drop—Drop the connection silently
• Reset—Reset the connection
If you want to log the event, click the Log check box next to the Action field.
When you are finished, click Create to add the rule map or Close Window to cancel the operation.

ID Theft Protection
Identity theft protection guards against the unsolicited disclosure of social security and credit card
numbers in HTTP responses to clients. The web application firewall searches for numbers that
resemble social security or credit card numbers and performs a configurable action when it finds
them.
Use the ID Theft Protection command to display a page that summarizes the identity protection
maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 27: Add Identity Theft Map

Give the new map a name in the Map Name field.
You can protect social security numbers, credit card numbers, and custom types of numbers by using
the SSN, Credit Card, and Custom controls. In the SSN drop-down list, choose one of the defined SSN
regular expression sets. In the Credit Card drop-down list, choose one of the defined credit card
number regular expression sets. In the Custom drop-down list, choose one of the defined custom
regular expression sets. These regular expression sets are defined by using the Pattern
Definitions command.
In the Action drop-down lists that are to the right of the other fields, choose the action to perform
when the firewall finds a number that matches one of these sets of regular expressions. The
following actions are defined:
• None—Take no action
• Reset server—Reset the server side of the connection
• Reset client—Reset the client side of the connection
• Reset server client—Reset both the server and client sides of the connection
• Blank out—Substitute an "x" character for each digit in the string that matches the regular
expression, so the response is delivered with the number redacted. This action is not available for
Custom expressions.
If you want to log the event, click the Log check box next to the Action field.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
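The following added Python example (not from the handbook or the appliance) shows how the pattern definitions described earlier feed this feature: constructed SSN and credit card regular expressions and a custom pattern with a Size window are scanned over a response body, credit card candidates are confirmed with the Luhn checksum to cut false positives, and the Blank out action replaces each digit of a match with "x" while the other actions are reported as connection-level actions. The regular expressions, the Size semantics, the Luhn filter and the sample body are assumptions made for the example, not the appliance's standard set.

```python
import re

# Pattern definitions (the Pattern Definitions form): type -> [(regex, size)].
# size is the number of leading characters of the body to search, as the form's
# Size field requires for custom expressions; None searches the whole body.
# All expressions are constructed for this example.
PATTERN_DEFINITIONS = {
    "ssn": [(re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None)],
    "credit_card": [(re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), None)],
    "custom": [(re.compile(r"\bACCT-\d{8}\b"), 40)],
}


def luhn_ok(digits):
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_matches(body):
    """Return [(kind, start, end)] for every pattern hit, ordered by position."""
    found = []
    for kind, patterns in PATTERN_DEFINITIONS.items():
        for pat, size in patterns:
            window = body if size is None else body[:size]
            for m in pat.finditer(window):
                if kind == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                    continue  # e.g. a 16-digit order number
                found.append((kind, m.start(), m.end()))
    return sorted(found, key=lambda f: f[1])


def blank_out(body, matches):
    """Replace every digit inside the given matches with "x"."""
    chars = list(body)
    for _, start, end in matches:
        for i in range(start, end):
            if chars[i].isdigit():
                chars[i] = "x"
    return "".join(chars)


def inspect_response(body, actions):
    """Apply the map's per-type action to a response body.

    actions maps "ssn" / "credit_card" / "custom" to one of the form's actions.
    Returns (body to send, connection-level action, list of kinds found).
    """
    if actions.get("custom") == "blank out":
        raise ValueError("Blank out is not available for Custom expressions")
    matches = find_matches(body)
    events = [kind for kind, _, _ in matches]
    to_blank = [m for m in matches if actions.get(m[0]) == "blank out"]
    connection = [actions.get(k, "none") for k in events
                  if actions.get(k, "none") not in ("none", "blank out")]
    return blank_out(body, to_blank), (connection[0] if connection else "none"), events


if __name__ == "__main__":
    # Constructed body; the card number is a well-known test number that passes Luhn.
    page = "SSN 123-45-6789, card 4111 1111 1111 1111, order 1234 5678 9012 3456, ref ACCT-12345678"
    print(inspect_response(page, {"ssn": "blank out", "credit_card": "blank out"}))
```

Note what the Size window does to the custom pattern: the account reference at the end of the sample body is never seen because it lies beyond the first 40 characters, so a Size set too small silently disables the check.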

Request Limits
Many web sites use user-supplied input to create dynamic web pages. Improper validation of inputs
such as the URL, the URL query string and HTTP headers can lead to buffer overflow attacks, in
which a program writes data beyond the space allocated for it. Such an attack can crash the server,
causing denial of service, or inject malicious code that alters program execution; code running on
the server can then be used to attack downstream resources. These attacks can be prevented by
enforcing boundary length checking on all inputs received from the client, so that oversized input is
rejected before it reaches the application.
Use the Request Limits command to display a page that summarizes the request limit maps that are
defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 28: Add Request Limit Check Map

Give the new map a name in the Map Name field.
In the URL Length Checks area you can enter the maximum lengths, in bytes, for various parts of the
URL, as follows:
• URI Length—Maximum length of the URI not including the query portion
• Query Length—Maximum length of the query portion of the URI
• URI+Query Length—Maximum length of the full URI including the query portion
In the Action drop-down list, choose the action to apply if one of the above lengths is exceeded.
Actions include these:
• None—Take no action
• Drop—Drop the connection silently
• Reset client—Reset the client side of the connection
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error
pages by using the send page feature.

• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define
such redirection pages by using the redirect page feature.
If you want to log the event when a URL length parameter is exceeded, click the Log check box next
to the Action drop-down list.
To limit header length, in the Default Header Length field you can enter the maximum length
allowed for any single HTTP header. In the Action drop-down list, choose the action to apply if any
header exceeds this limit. The actions are the same as those for the URL length settings. If you want
to log the event when a header length limit is exceeded, click the Log check box below the Action
drop-down list.
To limit the number of headers, in the Number of Headers field you can enter the maximum number
of HTTP headers allowed. In the Action drop-down list, choose the action to apply if the number of
headers exceeds this limit. The actions are the same as those for the URL length settings. If you want
to log the event when the header limit is exceeded, click the Log check box next to the Action drop-
down list.
In the Advanced Checks area, you can check if a particular header value exceeds a length limit.
Choose the header to check from the Parameter Name drop-down list. If the header you want to
check is not listed, select custom and enter the header name in the field below the drop-down list. Enter
the maximum length of the header's value in the Parameter Value field. Then check the Add check
box and click Update Parameters to add this header value check to the map. You can repeat this
procedure to add more header value checks to the map. In the Action drop-down list, choose the
action to apply if any of the header values exceeds the specified limits. The actions are the same as
those for the URL length settings. If you want to log the event when a header value length limit is
exceeded, click the Log check box next to the Action drop-down list.
To delete a header value length check, click the Delete check box next to the header check that you
want to delete and then click Update Parameters.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
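As an added example (not code from the handbook or the appliance), the following Python applies the checks described above to a raw HTTP request head: URI, query and URI+query lengths, the length of each header line, the number of headers, and per-header value limits from the Advanced Checks area, returning the violations found and the map's action. The limit values, header names and sample requests are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class RequestLimitMap:
    """The fields of the Add Request Limit Check Map form, in bytes (constructed defaults)."""
    uri_length: int = 2048          # URI not including the query portion
    query_length: int = 1024        # query portion only
    uri_query_length: int = 4096    # full URI including the query
    header_length: int = 4096       # any single header line (Default Header Length)
    header_count: int = 64          # Number of Headers
    header_value_limits: dict = field(default_factory=dict)  # Advanced Checks: name -> max value length
    action: str = "reset client"


def check_request(raw, limits):
    """Return the list of limit violations found in a raw HTTP request head (bytes)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    _method, target, _version = parts
    uri, _, query = target.partition("?")
    violations = []
    if len(uri) > limits.uri_length:
        violations.append(f"URI length {len(uri)} > {limits.uri_length}")
    if len(query) > limits.query_length:
        violations.append(f"query length {len(query)} > {limits.query_length}")
    if len(target) > limits.uri_query_length:
        violations.append(f"URI+query length {len(target)} > {limits.uri_query_length}")
    if len(header_lines) > limits.header_count:
        violations.append(f"header count {len(header_lines)} > {limits.header_count}")
    for line in header_lines:
        if len(line) > limits.header_length:
            violations.append(f"header length {len(line)} > {limits.header_length}: {line[:20]}...")
        name, _, value = line.partition(":")
        limit = limits.header_value_limits.get(name.strip().lower())  # header names are case-insensitive
        if limit is not None and len(value.strip()) > limit:
            violations.append(f"{name.strip()} value length {len(value.strip())} > {limit}")
    return violations


def enforce(raw, limits):
    """Return (action, violations): the map's action if any limit is exceeded, else "none"."""
    violations = check_request(raw, limits)
    return (limits.action if violations else "none"), violations


if __name__ == "__main__":
    # Constructed limits and request, deliberately small so the checks trigger.
    limits = RequestLimitMap(uri_length=64, query_length=32, uri_query_length=96,
                             header_length=128, header_count=8,
                             header_value_limits={"cookie": 100, "user-agent": 120})
    big_cookie = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Cookie: s=" + b"B" * 200 + b"\r\n\r\n")
    print(enforce(big_cookie, limits))
```

The oversized Cookie header trips two checks at once (the default header length and the Advanced Checks value limit for Cookie), which is the usual pattern: per-header limits let you set a tight bound on headers an application never needs to be long, while the default catches everything else.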

Error/Redirect Pages
Error obfuscation makes it more difficult for attackers to discover identifying information about the
web server and application by masking or mapping error messages that would normally be returned
to the user. Many exploits depend on specific software versions, so hiding this information denies an
attacker an easy way to pick an exploit that matches the target.
AVS implements the following techniques for error obfuscation:
• Mapping errors by sending custom configured error pages to clients;
• Masking errors by redirecting the client when an error occurs;
Error obfuscation can be triggered as the action to perform when one of the following web
application security features encounters an error: URL Normalization, Cookie Protection, Request
Limits, Input Validation Checks, and HTTP Protocol Conformance.
Use the Error/Redirect Pages command to configure this feature. Click this command to display a
page that summarizes the error obfuscation maps that you have configured, as shown in the
following figure.

Figure 29: Error Obfuscation Map Summary

Each of the four summary sections of the page lists the maps configured for a sub-feature of error
obfuscation. Each defined map is summarized on one line. From here you can view, clone, edit, or
delete a map, or add a new map.
To view the definition of a map, click its underlined name. The displayed page shows a read-only
listing of the definition.
To copy a map to use as the basis of a new map, click the Clone button next to the map that you
want to clone.
To edit a map, click the Edit button in the summary. A form similar to that shown when adding a
map is displayed where you can edit the map.
To delete one or more maps, check the box in the Delete column for the map. Click Delete Maps to
delete the checked maps.
To add a new map or template, click the Add New Map or Add New Template button for the item
that you want to add.

Send Page Configuration
Before you can configure a send page map you must first define a send page header template, which
is a template of HTTP headers that can be sent on error pages. To define a send page header
template, on the summary page, click on the Add New Template button to display the form shown
in the following figure.

Figure 30: Add Send Page Header Template

Give the template a name in the Template Name field.
Add one or more headers to the template by choosing a header name from the Header Name drop-
down list. If you want to add a header that is not in the list, choose Custom and enter the name of
the header in the field below the list. Enter the value of the header in the Header Value field next to
the name. Then click the Add check box and click the Update Headers button to add the header to
the template. You can add multiple headers by following the same procedure for each one.
To delete a header from the template, click the Delete check box next to it and click the Update
Headers button.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
After at least one send page header template is defined, you can define a send page map, which
defines the error page that you want to send to the client. Click the Add New Map button on the
summary page to display the form shown in the following figure.

Figure 31: Add Send Page Map

Give the error page map a name in the Map Name field.
You can define two different sets of error codes, error phrases, and header templates that are to be
sent in response to HTTP requests that use HTTP versions 1.0 and 1.1. If you want to define an error
page that is to be sent in response to HTTP version 1.0 requests, check the HTTP Version 1.0 check
box and complete the fields on that line. To send this error page in response to HTTP version 1.1
requests, check the HTTP Version 1.1 check box and complete the fields on that line. To respond to
both versions of HTTP requests, check both check boxes. This error page is sent only if the HTTP
version setting matches the HTTP version of the request.
In the Error Code drop-down list, choose the error code that this error page should show to the
client. In the Error Phrase field, enter the phrase that should be used to describe this error. By
default, the Error Phrase field initially shows the standard error phrase that corresponds to the
selected error code, but you can change it.
In the Header Template drop-down list, select the name of the send page header template map that
you want to use for this error page. If no header templates are defined, only --Select-- is shown in
this list, and you must define a send page header template before you can define a send page map.
Go back to the summary page and use the Add New Template button to define a header template.
In the Include Date Header drop-down list, select Yes or No to include a date header or not in the
error page.
In the HTTP Body field, enter the HTML for the body of the error page.
In the Content Type drop-down list, select the MIME type of the page content: either text/plain or
text/html.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.

Redirect Page Configuration
Before you can configure a redirect page map, you must first define a redirect page header
template, which is a template of HTTP headers that can be sent on redirect pages. To define a
redirect page header template, on the summary page, click on the Add New Template button to
display the form shown in the following figure.

Figure 32: Add Redirect Page Header Template

Give the template a name in the Template Name field.


Add one or more headers to the template by choosing a header name from the Header Name drop-
down list. If you want to add a header that is not in the list, choose Custom and enter the name of
the header in the field below the list. Enter the value of the header in the Header Value field next to
the name. Then click the Add New check box and click the Update Headers button to add the header
to the template. You can add multiple headers by following the same procedure for each one.
To delete a header from the template, click the Delete check box next to it and click the Update
Headers button.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
After at least one redirect page header template is defined, you can define a redirect page map,
which defines the redirect page that you want to send to the client. Click the Add New Map button
on the summary page to display the form shown in the following figure.

Figure 33: Add Redirect Page Map

Give the redirect page map a name in the Map Name field.
You can define two different sets of error codes, error phrases, and header templates that are to be
sent in response to HTTP requests that use HTTP versions 1.0 and 1.1. If you want to define a
redirect page that is to be sent in response to HTTP version 1.0 requests, check the HTTP Version 1.0
check box and complete the fields on that line. To send this redirect page in response to HTTP
version 1.1 requests, check the HTTP Version 1.1 check box and complete the fields on that line. To
respond to both versions of HTTP requests, check both check boxes. This redirect page is sent only if
the HTTP version setting matches the HTTP version of the request.
In the Error Code drop-down list, choose the error code (the HTTP status code) that this redirect page
should return to the client. In the Error Phrase field, enter the phrase that should be used to describe
this status. By default, the Error Phrase field initially shows the standard error phrase that
corresponds to the selected error code, but you can change it.
In the Header Template drop-down list, select the name of the redirect page header template that
you want to use for this redirect page. If no header templates are defined, only --Select-- is shown
in this list, and you must define a redirect page header template before you can define a redirect
page map. Go back to the summary page and use the Add New Template button to define a header
template.
In the Location Header field, enter the absolute URI of the location to which the client should be
redirected.

In the Include Date Header drop-down list, select Yes or No to specify whether a Date header is
included in the redirect page.
In the HTTP Body field, enter the HTML for the body of the redirect page.
In the Content Type drop-down list, select the MIME type of the page content: either text/plain or
text/html.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.

Web Cloaking
Web cloaking makes it more difficult for hackers to discover identifying information about the web
server and application. Many security vulnerabilities are dependent on specific software versions
and hiding this information can increase the security of the system.
AVS focuses on the HTTP response headers and implements the following techniques for web server
cloaking:
• Changing the sequence of individual header fields in the response (web servers can be
fingerprinted based on the sequence of header fields in the response)
• Changing the case of header names (web servers can be fingerprinted based on the
capitalization of header names)
• Changing the value of a header based on its name and value
• Removing a header based on its name and value
• Adding false headers to confuse attackers

Use the Web Cloaking command to display a page that summarizes the web cloaking maps that are
defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 34: Edit Web Cloaking Map

Give the new map a name in the Map Name field.
If you want to log web cloaking actions, click the Enable Log check box.
In the Available Headers/Header Sequence area you can change the sequence of individual HTTP
headers in responses. Select the header that you want to be first from the Standard list and click the
right arrow (>) to add it to the Header Sequence list on the right side of the page. Then select the
header that you want to be second, and so on, adding each one in turn to the Header Sequence list.
When you add a header, it is always added at the bottom of the list. You can also add a custom
header that is not listed by typing its name into the Custom field and clicking the right arrow (>) next
to that field.
To reorder the headers listed in the Header Sequence list, select a header and click the up arrow
next to the list to move the header up one position in the list, or click the down arrow to move it one
position down. Repeat the process each time that you want to move the header one more position
up or down.
In the Add/Modify/Remove Response Headers area you can add, modify, or remove HTTP headers in
responses. You can add multiple functions in this area; one operation is summarized on each line.
To add an operation, in the Operation drop-down list choose the type of operation: ADD, MODIFY,
or REMOVE. In the Response Header drop-down list, choose the name of the header that you want
to add, modify, or remove. If the header name is not listed, choose custom from the list and type the
name of the header in the Response Header field below the drop-down list. Next, enter values in the
Old Value and New Value fields, as follows:
• If you are adding a header, enter a value in the New Value field only and leave Old Value empty.
• If you are modifying a header, enter the existing value to match in the Old Value field and enter
the value to change it to in the New Value field. Only headers whose value matches the Old
Value will be changed to New Value.
• If you are removing a header, enter a value in the Old Value field only, to remove only headers
that have this value.
Finally, click the Add check box to add the header operation to this web cloaking map. The operation
is added after you click Update Parameters, and a new blank operation line is shown below the
newly added one, where you can add another operation. Also, a Delete check box is shown at the
right end of each operation line, which you can use to delete an operation by checking it and
clicking Update Parameters.
In the Header Name Normalization area, you can force specific header names to be all uppercase or
all lowercase. To normalize the case of a header name, select it in the list at the left side of the page
and click the Uppercase right arrow (>) button to make it uppercase, or click the Lowercase right
arrow button to make it lowercase. Do the same for each header name that you want to normalize.
If you want to normalize a custom header name, choose Custom in the list and type the name in the
Custom field below the list. Then click the appropriate right arrow button. To remove a header name
from a normalization list at the right side, select it and click the left arrow (<) button next to the list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
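A model of the web cloaking map just described, added here as an example (not AVS code): it applies the ADD/MODIFY/REMOVE operations with their Old Value / New Value semantics, the Header Sequence list and the header name case normalization to a constructed response. The page does not say in which order AVS applies the three areas, so the order used here (operations, then sequence, then normalization) is an assumption.

```python
"""Added example (not AVS code): a model of the web cloaking map.

Applies ADD/MODIFY/REMOVE operations, a Header Sequence list and upper/lower
case Header Name Normalization to a constructed response. The order in which
AVS applies the three areas is not stated on the page; operations first, then
sequence, then normalization is an assumption made here so that added headers
can be sequenced and normalized as well.
"""
from typing import List, Optional, Sequence, Tuple

Header = Tuple[str, str]

# Constructed sample: headers as a web server emitted them, including the
# Server and X-Powered-By values that make fingerprinting easy.
SAMPLE_RESPONSE: List[Header] = [
    ("Server", "Apache/2.2.3"),
    ("Date", "Mon, 01 Jan 2015 00:00:00 GMT"),
    ("X-Powered-By", "PHP/5.2.0"),
    ("Content-Type", "text/html"),
    ("Content-Length", "42"),
]

# (operation, header name, Old Value, New Value), one per form line.
Operation = Tuple[str, str, Optional[str], Optional[str]]


def apply_operations(headers: List[Header], ops: Sequence[Operation]) -> List[Header]:
    """ADD appends New Value; MODIFY changes only headers whose value equals
    Old Value; REMOVE drops only headers whose value equals Old Value.
    Header names compare case-insensitively, as HTTP requires."""
    out = list(headers)
    for op, name, old, new in ops:
        lname = name.lower()
        if op == "ADD":
            out.append((name, new or ""))
        elif op == "MODIFY":
            out = [(n, (new or "") if n.lower() == lname and v == old else v)
                   for n, v in out]
        elif op == "REMOVE":
            out = [(n, v) for n, v in out
                   if not (n.lower() == lname and v == old)]
        else:
            raise ValueError(f"unknown operation {op!r}")
    return out


def apply_sequence(headers: List[Header], sequence: Sequence[str]) -> List[Header]:
    """Emit the headers named in the Header Sequence list first, in that
    order; headers not in the list keep their relative order and follow."""
    wanted = [s.lower() for s in sequence]
    first = [h for s in wanted for h in headers if h[0].lower() == s]
    rest = [h for h in headers if h[0].lower() not in wanted]
    return first + rest


def normalize_names(headers: List[Header], upper: Sequence[str],
                    lower: Sequence[str]) -> List[Header]:
    """Force the named headers to all-uppercase or all-lowercase names."""
    up = {n.lower() for n in upper}
    lo = {n.lower() for n in lower}
    out = []
    for name, value in headers:
        if name.lower() in up:
            name = name.upper()
        elif name.lower() in lo:
            name = name.lower()
        out.append((name, value))
    return out


def cloak(headers: List[Header], sequence: Sequence[str], ops: Sequence[Operation],
          upper: Sequence[str] = (), lower: Sequence[str] = ()) -> List[Header]:
    """Apply one web cloaking map to a response's headers."""
    cloaked = apply_operations(headers, ops)
    cloaked = apply_sequence(cloaked, sequence)
    return normalize_names(cloaked, upper, lower)


def cloak_sample() -> List[Header]:
    """The sample response run through a constructed map: the version-bearing
    headers are removed or neutralized, a decoy header is added, the header
    order is fixed, and two names are case-normalized."""
    ops: List[Operation] = [
        ("REMOVE", "X-Powered-By", "PHP/5.2.0", None),
        ("MODIFY", "Server", "Apache/2.2.3", "WebServer"),
        ("ADD", "X-Decoy", None, "1"),
    ]
    return cloak(SAMPLE_RESPONSE, ["Date", "Server", "Content-Type"], ops,
                 upper=["Content-Length"], lower=["X-Decoy"])


if __name__ == "__main__":
    for name, value in cloak_sample():
        print(f"{name}: {value}")
```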

Interaction with AVS Acceleration in Gateway Mode


When you use web cloaking and operate the web application firewall in gateway mode, the AVS
acceleration features interact with the response and can change HTTP response headers. AVS
acceleration processing occurs after web application firewall processing, so the response might
contain headers different from those set by web cloaking.
Specifically, AVS acceleration features may add, remove, or change the following headers:
• Add—Content-Encoding, Transfer-Encoding, Set-Cookie
• Remove—Content-Length
• Change—Connection
If Web Cloaking normalizes, sequences, adds, removes, or modifies any of these headers, the AVS
acceleration processing may undo or change these actions in the response.

URL Tagging
The URL tagging feature lets you add information to request URLs that can be used by other
downstream devices such as load balancers or application servers. You can search for a string in the
URL and if there is a match you can either replace the complete URL with another URL or replace
only the matched string. Additionally, you can insert or remove parameter name/value pairs.
Use the URL Tagging command to display a page that summarizes the URL tagging maps that are
defined and to view, delete, clone, edit or add new maps. When you click the button to add a new
map, AVS displays the screen shown in the following figure.

Figure 35: Add URL Tagging Map

Give the new map a name in the Map Name field.


Using the following areas of the form you can configure these functions:
• Parameter rewrite—By using the Parameter Rules area, you can insert or remove parameter
name/value pairs in the query portion of matched URLs. Enter a parameter name in the
Parameter field and its value in the Value field. Choose either Add or Remove from the
Operation drop-down list. If you choose Remove, the parameter name and value must match
exactly for it to be removed. Click the Update Parameter Rule button to add the rule.
Regular expressions and the following characters are not allowed in the Parameter and Value
fields when you are adding a parameter: ?*{}[]()^$,
When you are removing a parameter, regular expressions are allowed and there are no
character restrictions in the Parameter and Value fields.
• URL rewrite—By using the URL Rules area, you can search for a string in the URL and if there is a
match you can either replace the complete URL with another URL or replace only the matched
string with another string. Enter the string to search for in the Find field and enter the
replacement string or URL in the Replace field. From the Type drop-down list, choose either
Replace URL (to replace the whole URL with the URL entered in the Replace field) or Replace
matched string (to replace just the matched string in the URL with the string entered in the
Replace field). Click the Update URL Rule button to add the rule. Rewritten URLs are escape
encoded before being sent out.
Regular expressions and the following characters are not allowed in the Find and Replace fields:
?*{}[]()^$,
The one exception is when you are replacing a complete URL: then regular expressions are allowed
and there are no character restrictions in the Find field.
For details on the regular expression syntax that is allowed.
To delete an existing parameter or URL rewriting rule, click the Delete check box on the same line as
the rule, and when you click Update Parameter Rule (to delete parameter rules) or Update URL
Rule (to delete URL rewrite rules), the rule will be deleted.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
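An added example (not AVS code) of the URL tagging rules above applied to constructed URLs. The page does not state rule ordering; URL rules before parameter rules, first matching URL rule wins, and full-match regular expressions for a Remove parameter rule are assumptions noted in the code.

```python
"""Added example (not AVS code): a model of the URL tagging map, with
Parameter Rules (Add/Remove) and URL Rules (Replace URL / Replace matched
string) applied to constructed request URLs.

Assumptions not stated on the page: URL rules run before parameter rules, the
first matching URL rule wins, and a Remove parameter rule matches when its
(regular-expression) name and value each fully match a query pair.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

ParameterRule = Tuple[str, str, str]      # (operation, parameter, value)
UrlRule = Tuple[str, str, str]            # (find, replace, type)


def apply_parameter_rules(url: str, rules: List[ParameterRule]) -> str:
    """Add inserts the literal name/value pair into the query portion;
    Remove drops every pair whose name and value both match."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    for op, name, value in rules:
        if op == "Add":
            pairs.append((name, value))
        elif op == "Remove":
            pairs = [(n, v) for n, v in pairs
                     if not (re.fullmatch(name, n) and re.fullmatch(value, v))]
        else:
            raise ValueError(f"unknown parameter operation {op!r}")
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def apply_url_rules(url: str, rules: List[UrlRule]) -> str:
    """Replace URL: if the Find expression is found anywhere, the whole URL is
    replaced by Replace (regular expressions allowed, as the page states).
    Replace matched string: only the literal Find substring is replaced."""
    for find, replace, rule_type in rules:
        if rule_type == "Replace URL":
            if re.search(find, url):
                return replace
        elif rule_type == "Replace matched string":
            if find in url:
                return url.replace(find, replace)
        else:
            raise ValueError(f"unknown URL rule type {rule_type!r}")
    return url


def escape_encode(url: str) -> str:
    """Rewritten URLs are escape-encoded before being sent out; characters
    that are legal in a URL (including existing %XX escapes) are left alone."""
    return quote(url, safe="/:?&=#%+@;,!$'()*")


def tag_url(url: str, parameter_rules: List[ParameterRule],
            url_rules: List[UrlRule]) -> str:
    """Run one URL tagging map over a request URL."""
    rewritten = apply_url_rules(url, url_rules)
    rewritten = apply_parameter_rules(rewritten, parameter_rules)
    return escape_encode(rewritten)


def tag_sample() -> str:
    """Constructed map: move the legacy /app/ path, strip any debug parameter,
    and tag the request with a pool parameter for a downstream load balancer."""
    return tag_url(
        "http://www.example.com/app/login.jsp?user=bob&debug=1",
        [("Remove", "debug", ".*"), ("Add", "pool", "web-a")],
        [("/app/", "/application/", "Replace matched string")],
    )


if __name__ == "__main__":
    print(tag_sample())
```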

HTTP Protocol Conformance


HTTP protocol conformance provides deep analysis of web traffic, enabling granular control over
HTTP sessions for improved protection from a wide range of web-based attacks. In addition, this
feature allows administrative control over instant messaging applications, peer-to-peer file sharing
applications, and applications that attempt to tunnel over port 80 or any port used for HTTP
transactions. Capabilities provided include RFC compliance enforcement, HTTP command
authorization and enforcement, response validation, Multipurpose Internet Mail Extension (MIME)
type validation and content control, URL blacklisting, and more.

The following sections describe the HTTP Protocol Conformance menu commands:

1. IM Controls

2. P2P Controls

3. Tunnelling Policies

4. Generic Pattern Matcher

5. Transfer Encoding

6. MIME Type Controls

7. URL Black Listing

8. Control HTTP Methods

9. Header Integrity Check

1. IM Controls
The IM controls feature allows you to control incoming and outgoing instant messaging traffic by
logging or denying it.
Use the IM Controls command to display a page that summarizes the instant messaging maps that
are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 36: Add Instant Messaging Map

Use this form to define criteria for identifying instant messaging traffic in either requests or
responses.
Give the instant messaging map a name in the Map Name field.
If you are creating a new map, only the New Criteria section of the form is shown. As each criterion
for identifying instant messaging traffic is added, it is listed in a criteria section at the top of the
form.
In the New Criteria section, click the Add check box to indicate that you are adding a new criterion.
Then in the Message Type drop-down list, choose the message type that you want to examine:
either Request or Response messages. In the Search Type drop-down list, choose the part of the
request or response that you want to examine, and in the next three fields (Name, Value, and Max
No of bytes to search), enter the criteria that must be matched to consider the traffic to be instant
messenger related. For each message type/search type pair, only certain criteria fields are used, and
these are described in Table below.

The Obfuscation Option check box is available in certain cases. Checking this box deobfuscates the
URL before performing regular expression matching with the specified criteria. Deobfuscation
decodes encoded URLs. For example, a URL might contain the string "%20", which is decoded to a
space character.
Table 9: Instant Messaging Criteria
(Columns: Message Type/Search Type; Criteria Fields Used; Description)

Request/Method
    Criteria fields used: Name
    Enter the HTTP request method name in the Name field.

Request/Url
    Criteria fields used: Value, Obfuscation Option check box
    In the Value field, enter a string to match in the URL and check the Obfuscation Option check
    box to deobfuscate the URL before matching. You can enter either a full URL or a partial string.
    If any part of the value is found in the URL, then the match is successful. Only the URL is
    searched for a match, not the query parameters.

Request/Arg
    Criteria fields used: Value, Obfuscation Option check box
    In the Value field, enter a string to match in the query portion of the URL and check the
    Obfuscation Option check box to deobfuscate the URL before matching. If any part of the value
    is found in the query parameters, then the match is successful. Only the query parameter
    portion of the URL is searched.

Request/Header
    Criteria fields used: Name, Value
    Enter the name of the HTTP request header in the Name field and the header value in the
    Value field.

Request/Body
    Criteria fields used: Value, Max No of bytes to search
    Enter the string to search for in the body of the request in the Value field, and enter the
    maximum number of bytes to search in the body in the Max No of bytes to search field. The
    match is successful if the specified string is found anywhere in the body, ending at the byte
    specified in Max No of bytes to search.

Response/StatusCode
    Criteria fields used: Value
    Enter the numeric response status code to search for in the Value field.

Response/Header
    Criteria fields used: Name, Value
    Enter the name of the HTTP response header in the Name field and the header value in the
    Value field.

Response/Body
    Criteria fields used: Value, Max No of bytes to search
    Enter the string to search for in the body of the response in the Value field, and enter the
    maximum number of bytes to search in the body in the Max No of bytes to search field. The
    match is successful if the specified string is found anywhere in the body, ending at the byte
    specified in Max No of bytes to search.

Note: the Value field can be a regular expression.


When you are done entering the criteria, make sure the Add check box is checked and click
the Update Criteria button to add the criteria to the map. You can add more criteria by following the
same procedure for each one. To delete a criterion from the map, click the Delete check box next to
it and click the Update Criteria button.
After you have defined the criteria to identify instant messenger traffic, you can configure the action
to apply when such traffic is observed. In the first Action drop-down list, choose one of the following
items:
• Match All—All criteria must be matched to apply the action
• Match Any—Any single criterion must be matched to apply the action
Click the Not check box if you want to match all traffic that does not meet the criteria. If Not is
checked, the match criteria are interpreted as follows:
• Match All—Fewer than all criteria must be matched to apply the action
• Match Any—None of the criteria must be matched to apply the action
In the second drop-down list, choose one of the following actions:
• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error
pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define
such redirection pages by using the redirect page feature.
If you want to log the event, click the Log check box next to the Action drop-down lists.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.

2. P2P Controls
The P2P controls feature allows you to control incoming and outgoing peer-to-peer application
traffic by logging or denying it. Use the P2P Controls command to configure peer-to-peer application
control. This command works exactly like the IM Controls command.

3. Tunnelling Policies
The tunnelling policies feature allows you to control incoming and outgoing tunnelled application
traffic by logging or denying it. Use the Tunnelling Policies command to configure tunnelling
application control. This command works exactly like the IM Controls command.

4. Generic Pattern Matcher


The generic pattern matcher feature allows you to configure a policy based on any user-definable
criteria in the traffic, to control incoming and outgoing traffic by logging or denying it. Use the
Generic Pattern Matcher command to configure such control. This command works exactly like
the IM Controls command.

5. Transfer Encoding
The transfer encoding feature allows you to control incoming and outgoing traffic that has a specific
Transfer-Encoding header by logging or denying it.

Use the Transfer Encoding command to display a page that summarizes the transfer encoding maps
that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 37: Add Transfer Encoding Map

Give the transfer encoding map a name in the Map Name field.
In the next part of the form, you can add criteria lines that describe one or more transfer encodings
of the traffic that you want to act on. First choose the type of transfer encoding in the Transfer
Encoding drop-down list. The following choices are available:
• Custom—an encoding other than those listed; enter the encoding type in the field below the list
• Identity—no transfer encoding used
• Gzip—gzip encoding
• Chunked—chunked encoding
• Deflate—deflate encoding
• Compress—compress encoding
In the Type drop-down list, choose whether you want to act on request or response traffic. In the
Action drop-down list, choose one of the following actions:
• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error
pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define
such redirection pages by using the redirect page feature.
If you want to log the event, click the Log check box next to the Action drop-down list. Finally, check
the Add check box and click Update to add the criteria to this form and give you a new line on which
to enter another criterion. To delete one or more criteria lines, click the Delete check box on each
line that you want to delete and then click Update to delete all checked lines.

There is another Action drop-down list at the bottom of the form, labelled Action for Nonmatching
Traffic. This action applies to all traffic that has a transfer encoding that does not match any of the
criteria on this form. You can choose the same actions as on the other Action list. Also, you can click
the Log check box next to this drop-down list if you want to log such traffic. When you are finished
with this form, click Apply Changes at the top to save your changes, or click Discard Changes to
return to the summary page without saving your changes.

6. MIME Type Controls


The MIME type controls feature allows you to validate that the MIME type specified in the HTTP
Content-Type header matches the content type's magic number in the body of the message. (Magic
numbers are byte sequences that are always present in a particular MIME type and thus can be used
to identify entities as being of a given media type.)
Use the MIME Type Controls command to display a page that summarizes the content type
verification maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.

Give the content type verification map a name in the Map Name field. The content types that are
validated are listed below this field. Ensure that the Select check box is checked for each MIME type
that you want to verify. All MIME types listed are checked initially.
In the Action drop-down list, choose one of the following actions:
• None—Take no action
• Deny—Block traffic with one of the listed content types
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error
pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define
such redirection pages by using the redirect page feature.

If you want to log the event, click the Log check box next to the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
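An added example (not AVS code) of the check a MIME type controls map performs: the MIME type declared in the Content-Type header is compared with the magic number at the start of the body. The signature table and the sample bodies are constructed for the example.

```python
"""Added example (not AVS code): the check a MIME Type Controls map performs,
comparing the MIME type declared in a Content-Type header with the magic
number at the start of the body, using a small constructed signature table."""
from typing import Dict, List, Optional

# Constructed signature table: MIME type -> byte sequences found at offset 0.
MAGIC: Dict[str, List[bytes]] = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "application/pdf": [b"%PDF-"],
    "application/zip": [b"PK\x03\x04"],
}


def declared_type(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalize the case."""
    return content_type.split(";", 1)[0].strip().lower()


def sniff(body: bytes) -> Optional[str]:
    """Identify the body by its magic number, or None if no signature matches."""
    for mime, signatures in MAGIC.items():
        if any(body.startswith(sig) for sig in signatures):
            return mime
    return None


def verify_content_type(content_type: str, body: bytes,
                        selected: frozenset = frozenset(MAGIC)) -> Optional[bool]:
    """None: the type is not verified (its Select box is unchecked, or no
    signature is on file). True: header and body agree. False: they disagree."""
    mime = declared_type(content_type)
    if mime not in selected or mime not in MAGIC:
        return None
    return any(body.startswith(sig) for sig in MAGIC[mime])


def apply_map(content_type: str, body: bytes, action: str = "Deny",
              selected: frozenset = frozenset(MAGIC),
              log: Optional[List[str]] = None) -> str:
    """Return the action the map applies ("None" when nothing is wrong) and,
    if a log list is given, record the mismatch the way the Log box would."""
    verdict = verify_content_type(content_type, body, selected)
    if verdict is False:
        if log is not None:
            log.append(f"content-type mismatch: declared {declared_type(content_type)}, "
                       f"body looks like {sniff(body) or 'unknown'}")
        return action
    return "None"


if __name__ == "__main__":
    events: List[str] = []
    print(apply_map("image/gif", b"<html><body>hello</body></html>", log=events), events)
```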

7. URL Black Listing


The URL black listing feature allows you to block incoming requests for particular URLs.
Use the URL Black Listing command to display a page that summarizes the URL blacklist maps that
are defined and to view, delete, clone, edit or add new maps. For details on using the summary page
GUI.
When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 39: Add URL Blacklist Map

Give the URL black listing map a name in the Map Name field.
In the next part of the form, you can add regular expressions for URLs that you want to block traffic
to. In the URL field, enter a regular expression that is used to match part of a URL string in incoming
requests. The regular expression is matched against only the URL and not the query parameters. If
the regular expression matches any part of the URL, the match is considered successful.
Check the Obfuscation check box to deobfuscate the URL before performing regular expression
matching. Deobfuscation decodes encoded URLs. For example, a URL might contain the string "%20",
which is decoded to a space character.
Check the Add check box and click Update to add the URL to this form and give you a new line on
which to enter another URL. To delete one or more URL lines, click the Delete check box on each line
that you want to delete and then click Update to delete all checked lines.
After you have defined the URLs to black list, you can configure the action to apply when such traffic
is observed. In the first Action drop-down list, choose one of the following items:
• Match All—All criteria must be matched to apply the action
• Match Any—Any single criterion must be matched to apply the action

Click the Not check box if you want to match all traffic that does not meet the criteria. If Not is
checked, the match criteria are interpreted as follows:
• Match All—Fewer than all criteria must be matched to apply the action
• Match Any—None of the criteria must be matched to apply the action
In the second drop-down list, choose one of the following actions:
• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error
pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define
such redirection pages by using the redirect page feature.
If you want to log the event, click the Log check box next to the Action drop-down lists.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
URL black listing can also be done directly in a policy map by defining the traffic to black list in a
traffic map, then setting a general policy to drop the connection when such traffic is encountered.

8. Control HTTP Methods

The HTTP method control feature allows you to control incoming traffic that uses a specific HTTP
method by logging or denying it.
Use the Control HTTP Methods command to display a page that summarizes the HTTP content
method maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 40: Add Content Methods Map

Give the HTTP content methods map a name in the Map Name field.
In the next part of the form, you can add one or more HTTP methods to act on. In the Methods drop-
down list choose an HTTP method. Check the Add check box and click Update to add the method to
this form and give you a new line on which to enter another method. To delete one or more method
lines, click the Delete check box on each line that you want to delete and then click Update to delete
all checked lines.
After you have defined the HTTP methods to look for, you can configure the action to apply when
such traffic is observed. In the first Action drop-down list, choose one of the following items:
• Match All—All criteria must be matched to apply the action
• Match Any—Any single criterion must be matched to apply the action
Click the Not check box if you want to match all traffic that does not meet the criteria. If Not is
checked, the match criteria are interpreted as follows:
• Match All—Fewer than all criteria must be matched to apply the action
• Match Any—None of the criteria must be matched to apply the action
In the second drop-down list, choose one of the following actions:
• None—Take no action
• Deny—Block the traffic
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box next to the Action drop-down lists.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
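The criteria and action logic shared by the IM Controls form (Table 9, which P2P, tunnelling and generic pattern maps reuse), the URL Black Listing form and the Control HTTP Methods form, as an added example that is not AVS code. The sample messages, header names, paths and criteria are constructed.

```python
"""Added example (not AVS code): one evaluator for the criteria-and-action forms
above: the Table 9 criteria (IM Controls; P2P, tunnelling and generic pattern
maps work the same way), the URL Black Listing check (URL only, not the query,
optionally deobfuscated) and the Control HTTP Methods check, with the
Match All / Match Any / Not logic, run on constructed messages."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit


@dataclass
class Message:
    """A parsed HTTP message (constructed for the example)."""
    kind: str                        # "Request" or "Response"
    method: str = ""
    url: str = ""                    # request target, e.g. /path?x=y
    status: int = 0
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Criterion:
    """One criteria line: Message Type / Search Type plus the fields it uses."""
    message_type: str                # "Request" or "Response"
    search_type: str                 # Method, Url, Arg, Header, Body, StatusCode
    name: str = ""
    value: str = ""                  # may be a regular expression
    max_bytes: int = 0               # Body searches only
    obfuscation: bool = False        # Url/Arg: decode %XX before matching


def criterion_matches(c: Criterion, m: Message) -> bool:
    if c.message_type != m.kind:
        return False
    pattern = re.compile(c.value)
    if c.search_type == "Method":
        return m.method == c.name
    if c.search_type in ("Url", "Arg"):
        parts = urlsplit(m.url)
        # Url searches only the URL path, Arg only the query parameters.
        target = parts.path if c.search_type == "Url" else parts.query
        if c.obfuscation:
            target = unquote(target)     # e.g. "%20" becomes a space
        return pattern.search(target) is not None
    if c.search_type == "Header":
        hv = next((v for k, v in m.headers.items()
                   if k.lower() == c.name.lower()), None)
        return hv is not None and pattern.search(hv) is not None
    if c.search_type == "Body":
        # The match must end within the first Max No of bytes to search.
        return pattern.search(m.body[:c.max_bytes].decode("latin-1")) is not None
    if c.search_type == "StatusCode":
        return str(m.status) == c.value
    raise ValueError(f"unknown search type {c.search_type!r}")


def decide(criteria: List[Criterion], m: Message, mode: str,
           negate: bool, action: str) -> Optional[str]:
    """mode is "Match All" or "Match Any". With Not checked the page's rule
    is: Match All -> fewer than all matched; Match Any -> none matched.
    Returns the action to apply, or None when the map does not fire."""
    results = [criterion_matches(c, m) for c in criteria]
    hit = all(results) if mode == "Match All" else any(results)
    if negate:
        hit = not hit
    return action if hit else None


def blacklist_criteria(patterns: List[str], obfuscation: bool) -> List[Criterion]:
    """A URL Black Listing map is a list of URL regular expressions."""
    return [Criterion("Request", "Url", value=p, obfuscation=obfuscation)
            for p in patterns]


def method_criteria(methods: List[str]) -> List[Criterion]:
    """A Control HTTP Methods map is a list of HTTP method names."""
    return [Criterion("Request", "Method", name=meth) for meth in methods]


# Constructed sample messages and an IM map with two criteria.
IM_REQUEST = Message("Request", method="POST", url="/im/gateway?Action=open",
                     headers={"User-Agent": "Example Messenger 1.0"},
                     body=b"VER 1 EXAMPLE\r\n")
BROWSER_REQUEST = Message("Request", method="GET", url="/index.html",
                          headers={"User-Agent": "Mozilla/5.0"})
ENCODED_REQUEST = Message("Request", method="GET", url="/admin/%63onfig.php?x=1")
IM_CRITERIA = [
    Criterion("Request", "Header", name="User-Agent", value="Messenger"),
    Criterion("Request", "Body", value=r"^VER ", max_bytes=8),
]
```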

9. Header Integrity Check


The header integrity check feature allows you to check the integrity of HTTP headers and take action
if problems are found.
Use the Header Integrity Check command to display a page that summarizes the header integrity
check maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 41: Add Header Integrity Check Map

Give the header integrity check map a name in the Map Name field.

In the next part of the form, you can configure actions to take when the following problems are
found in a header:
• Null Encoding—Transfer-encoding header has no encodings listed
• Non ASCII Characters—Non-ASCII characters are found in a header
• Illegal Content Length—Content-length header contains non-numeric characters
• Illegal Chunk Encoding—Chunk encoding is not valid
• Multiple Length Headers—Multiple content-length headers appear in the request
For each listed header integrity problem, select one of the following actions from the Action drop-
down list:
• None—Take no action
• Reset server—Reset the server side of the connection
• Reset client—Reset the client side of the connection
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename. You define such error
pages by using the send page feature.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename. You define
such redirection pages by using the redirect page feature.
If you want to log a problem, click the Log check box next to the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes. If you want to
use the settings on this form as the default for new maps of this type, click Set As Default.
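An added example (not AVS code) of the five header integrity checks listed above, run over constructed raw requests; the checker returns the problems it finds and the action configured for each, the way the Action drop-down lists on this form would.

```python
"""Added example (not AVS code): a header integrity checker that detects the
five problems the form lists in constructed raw requests and returns the
action configured for each finding."""
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def split_message(raw: bytes) -> Tuple[List[Header], bytes]:
    """Split a raw request into (headers, body); latin-1 keeps every byte."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name.decode("latin-1").strip(),
                        value.decode("latin-1").strip()))
    return headers, body


def chunks_are_valid(body: bytes) -> bool:
    """Walk a chunked body: hex-size[;extensions]CRLF data CRLF, repeated
    until a zero-size chunk. Anything else is an illegal chunk encoding."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return False
        size_field = body[pos:end].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            return False
        size = int(size_field.decode("ascii"), 16)
        pos = end + 2
        if size == 0:
            return True
        if body[pos + size:pos + size + 2] != b"\r\n":
            return False
        pos += size + 2


def check_header_integrity(raw: bytes) -> List[str]:
    """Return the problems found, in the order the form lists them."""
    headers, body = split_message(raw)
    lengths = [v for n, v in headers if n.lower() == "content-length"]
    encodings = [v for n, v in headers if n.lower() == "transfer-encoding"]
    found = []
    if any(v == "" for v in encodings):
        found.append("Null Encoding")
    if any(not (n.isascii() and v.isascii()) for n, v in headers):
        found.append("Non ASCII Characters")
    if any(not v.isdigit() for v in lengths):
        found.append("Illegal Content Length")
    if any("chunked" in v.lower() for v in encodings) and not chunks_are_valid(body):
        found.append("Illegal Chunk Encoding")
    if len(lengths) > 1:
        found.append("Multiple Length Headers")
    return found


def actions_for(raw: bytes, policy: Dict[str, str]) -> List[Tuple[str, str]]:
    """policy maps each problem to the Action chosen for it on the form;
    problems with no entry get None (take no action)."""
    return [(p, policy.get(p, "None")) for p in check_header_integrity(raw)]


# Constructed sample requests.
GOOD_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
BAD_HEADERS = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Content-Length: 10\r\nContent-Length: 12abc\r\n"
               b"Transfer-Encoding: \r\nX-Note: caf\xc3\xa9\r\n\r\n")
BAD_CHUNKS = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Transfer-Encoding: chunked\r\n\r\nzz\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for sample in (GOOD_REQUEST, BAD_HEADERS, BAD_CHUNKS):
        print(actions_for(sample, {"Multiple Length Headers": "Reset client",
                                   "Illegal Chunk Encoding": "Drop"}))
```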

Input Validation Checks


The input validation module inspects incoming HTTP messages from clients and web servers to
protect against a variety of attacks that use form input submitted by the GET or POST methods. The
following sections describe these input validation checks:

• Cross Site Scripting

• SQL Injection

• OS Command Injection

• LDAP Injection

• Meta Character Detection

• Format String Attacks

All input validation checks use regular expression sets that have been defined with the Pattern
Definitions command.

Cross Site Scripting


A cross site scripting attack takes advantage of dynamically generated web pages in which data is
usually gathered in the form of a hyperlink. An attacker, when prompted to enter information like a
user name, will instead pass a script to be executed. A web server that does not properly perform
input validation will execute the script and wait for an innocent user to click the link provided by the
attacker. The victim may unknowingly release information to the attacker.
Use the Cross Site Scripting command to display a page that summarizes the cross site scripting
maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following figure.

Figure 42: Add Cross Site Scripting Map

Give the map a name in the Map Name field.


In the map, you can configure protection in three ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is Cross Site Scripting. If you see the message "No Pattern Set of
this type is defined," you must define at least one pattern map of the Cross Site Scripting type
before you can complete this form. Any form input that contains a string that matches one of
the regular expressions in the specified pattern set is flagged for the action specified in the
Action drop-down list. Leave the Parameter field empty and make no selection from the Allow
Pattern Set drop-down list.
• Scan all of the form input data except for the values of one or more specific form parameters, in
which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is Cross Site Scripting. If you see the message "No Pattern Set of
this type is defined," you must define at least one pattern map of the Cross Site Scripting type
before you can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow
input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow
Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions
that you want to allow in the value of the exception parameter. Check the Add check box to the
right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as
many exception parameters as you want by repeating this procedure. Each parameter can have
its own associated regular expression that defines the values that are allowed. To delete a
parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and
click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern
Set is flagged for the action specified in the Action drop-down list. If an exception parameter
value contains a string that matches both the Pattern Set and Allow Pattern Set regular
expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the
Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter
field. Check the Add check box to the right of the parameter name and click Update Parameters.
You can enter as many parameters as you want by repeating this procedure. To delete a
parameter, click the Delete check box to the right of the parameter name and click Update
Parameters. If any of the specified parameter values contain a string that matches one of the
regular expressions in the specified pattern set, the request is flagged for the action specified in
the Action drop-down list.

Figure 43: Add SQL Injection Map

Check the Ignore Case check box if you do not need to match the case of a parameter specified in
the Parameter field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map
is detected. Actions include these:

• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
SQL Injection
A SQL injection attack appends or modifies SQL commands in form input with the intention of
gathering information regarding the application and obtaining access to unauthorized data.
Use the SQL Injection command to display a page that summarizes the SQL injection maps that are
defined and to view, delete, clone, edit or add new maps. When you click the button to add a new
map, AVS displays the screen shown in the following figure.
Give the map a name in the Map Name field.
In the map, you can configure protection in three ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is SQL Injection. If you see the message "No Pattern Set of this
type is defined," you must define at least one pattern map of the SQL Injection type before you
can complete this form. Any form input that contains a string that matches one of the regular
expressions in the specified pattern set is flagged for the action specified in the Action drop-
down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set
drop-down list.
• Scan all of the form input data except for the values of one or more specific form parameters, in
which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is SQL Injection. If you see the message "No Pattern Set of this
type is defined," you must define at least one pattern map of the SQL Injection type before you
can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow
input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow
Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions
that you want to allow in the value of the exception parameter. Check the Add check box to the
right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as
many exception parameters as you want by repeating this procedure. Each parameter can have
its own associated regular expression that defines the values that are allowed. To delete a
parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and
click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern
Set is flagged for the action specified in the Action drop-down list. If an exception parameter
value contains a string that matches both the Pattern Set and Allow Pattern Set regular
expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the
Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter
field. Check the Add check box to the right of the parameter name and click Update Parameters.
You can enter as many parameters as you want by repeating this procedure. To delete a
parameter, click the Delete check box to the right of the parameter name and click Update
Parameters. If any of the specified parameter values contain a string that matches one of the
regular expressions in the specified pattern set, the request is flagged for the action specified in
the Action drop-down list.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in
the Parameter field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map
is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.

OS Command Injection
An OS command injection attack inserts OS commands into form input with the intention to gain
elevated privileges to access a web server.
Use the OS Command Injection command to display a page that summarizes the command injection
maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following
figure.

Figure 44: Add Command Injection Map

Give the map a name in the Map Name field.


In the map, you can configure protection in three ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is Command Injection. If you see the message "No Pattern Set
of this type is defined," you must define at least one pattern map of the Command Injection type
before you can complete this form. Any form input that contains a string that matches one of
the regular expressions in the specified pattern set is flagged for the action specified in the
Action drop-down list. Leave the Parameter field empty and make no selection from the Allow
Pattern Set drop-down list.
• Scan all of the form input data except for the values of one or more specific form parameters, in
which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is Command Injection. If you see the message "No Pattern Set
of this type is defined," you must define at least one pattern map of the Command Injection type
before you can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow
input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow
Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions
that you want to allow in the value of the exception parameter. Check the Add check box to the
right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as
many exception parameters as you want by repeating this procedure. Each parameter can have
its own associated regular expression that defines the values that are allowed. To delete a
parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and
click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern
Set is flagged for the action specified in the Action drop-down list. If an exception parameter
value contains a string that matches both the Pattern Set and Allow Pattern Set regular
expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the
Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter
field. Check the Add check box to the right of the parameter name and click Update Parameters.
You can enter as many parameters as you want by repeating this procedure. To delete a
parameter, click the Delete check box to the right of the parameter name and click Update
Parameters. If any of the specified parameter values contain a string that matches one of the
regular expressions in the specified pattern set, the request is flagged for the action specified in
the Action drop-down list.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in
the Parameter field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map
is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.

LDAP Injection
Lightweight Directory Access Protocol (LDAP) is widely used to query and manipulate X.500 directory
services. Web applications may use form input to create custom LDAP statements for dynamic web
page requests. An LDAP injection attack modifies an LDAP statement, letting the process run with
the same permissions as the component that executed the command, and can let the attacker
obtain unauthorized information from the database.
Use the LDAP Injection command to display a page that summarizes the LDAP injection maps that
are defined and to view, delete, clone, edit or add new maps. When you click the button to add a
new map, AVS displays the screen shown in the following Figure.

Figure 45: Add LDAP Injection Map

Give the map a name in the Map Name field.


In the map, you can configure protection in three ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is LDAP Injection. If you see the message "No Pattern Set of this
type is defined," you must define at least one pattern map of the LDAP Injection type before you
can complete this form. Any form input that contains a string that matches one of the regular
expressions in the specified pattern set is flagged for the action specified in the Action drop-
down list. Leave the Parameter field empty and make no selection from the Allow Pattern Set
drop-down list.
• Scan all of the form input data except for the values of one or more specific form parameters, in
which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is LDAP Injection. If you see the message "No Pattern Set of this
type is defined," you must define at least one pattern map of the LDAP Injection type before you
can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow
input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow
Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions
that you want to allow in the value of the exception parameter. Check the Add check box to the
right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as
many exception parameters as you want by repeating this procedure. Each parameter can have
its own associated regular expression that defines the values that are allowed. To delete a
parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and
click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern
Set is flagged for the action specified in the Action drop-down list. If an exception parameter
value contains a string that matches both the Pattern Set and Allow Pattern Set regular
expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the
Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter
field. Check the Add check box to the right of the parameter name and click Update Parameters.
You can enter as many parameters as you want by repeating this procedure. To delete a
parameter, click the Delete check box to the right of the parameter name and click Update
Parameters. If any of the specified parameter values contain a string that matches one of the
regular expressions in the specified pattern set, the request is flagged for the action specified in
the Action drop-down list.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in
the Parameter field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map
is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.

Meta Character Detection


A meta character attack inserts meta characters in the form input. Meta characters include
characters such as semicolons (;), pipes (|), tildes (~), and so on.
Use the Meta Character Detection command to display a page that summarizes the meta character
maps that are defined and to view, delete, clone, edit or add new maps. When you click the button
to add a new map, AVS displays the screen shown in the following Figure.

Figure 46: Add Meta Character Detection Map

Give the map a name in the Map Name field.


In the map, you can configure protection in three ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is Meta Character Detection. If you see the message "No
Pattern Set of this type is defined," you must define at least one pattern map of the Meta
Character Detection type before you can complete this form. Any form input that contains a
string that matches one of the regular expressions in the specified pattern set is flagged for the
action specified in the Action drop-down list. Leave the Parameter field empty and make no
selection from the Allow Pattern Set drop-down list.
• Scan all of the form input data except for the values of one or more specific form parameters, in
which certain expressions are allowed.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is Meta Character Detection. If you see the message "No
Pattern Set of this type is defined," you must define at least one pattern map of the Meta
Character Detection type before you can complete this form.
In the Parameter field enter the name of an exception parameter in which you want to allow
input that might otherwise be flagged by the Pattern Set regular expression set. In the Allow
Pattern Set drop-down list, choose a regular expression pattern set that lists regular expressions
that you want to allow in the value of the exception parameter. Check the Add check box to the
right of the Allow Pattern Set drop-down list and click Update Parameters. You can enter as
many exception parameters as you want by repeating this procedure. Each parameter can have
its own associated regular expression that defines the values that are allowed. To delete a
parameter, click the Delete check box to the right of the Allow Pattern Set drop-down list and
click Update Parameters.
Any form input that contains a string that matches one of the regular expressions in the Pattern
Set is flagged for the action specified in the Action drop-down list. If an exception parameter
value contains a string that matches both the Pattern Set and Allow Pattern Set regular
expressions, then it is allowed rather than being flagged for action.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the
Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter
field. Check the Add check box to the right of the parameter name and click Update Parameters.
You can enter as many parameters as you want by repeating this procedure. To delete a
parameter, click the Delete check box to the right of the parameter name and click Update
Parameters. If any of the specified parameter values contain a string that matches one of the
regular expressions in the specified pattern set, the request is flagged for the action specified in
the Action drop-down list.
Check the Ignore Case check box if you do not need to match the case of a parameter specified in
the Parameter field. If you do need to match the case exactly, leave this check box unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map
is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.

Format String Attacks


A format string attack passes format string characters as form input, which may result in
unwarranted changes to the stack, causing segmentation faults or an unanticipated program to run.
Use the Format String Attacks command to display a page that summarizes the format string attack
maps that are defined and to view, delete, clone, edit or add new maps.
When you click the button to add a new map, AVS displays the screen shown in the following Figure.

Figure 47: Add Format String Attack Map

Give the map a name in the Map Name field.


In the map, you can configure protection in two ways:
• Scan all of the form input data.
Set the Type to Scan All Parameters. Choose a regular expression pattern set from the Pattern
Set drop-down list that lists regular expressions that you want to exclude from form input. The
regular expression patterns that are listed here are those that are defined in the Pattern
Definitions page where the type is Format String Attacks. If you see the message "No Pattern Set
of this type is defined," you must define at least one pattern map of the Format String Attacks
type before you can complete this form. Any form input that contains a string that matches one
of the regular expressions in the specified pattern set is flagged for the action specified in the
Action drop-down list. Leave the Parameter field empty and make no selection from the Allow
Pattern Set drop-down list.
• Scan the values of one or more specific form parameters within the input data.
Set the Type to Scan Specific Parameters. Choose a regular expression pattern set from the
Pattern Set drop-down list and enter the name of a form parameter to scan in the Parameter
field. Check the Add check box to the right of the parameter name and click Update Parameters.
You can enter as many parameters as you want by repeating this procedure. To delete a
parameter, click the Delete check box to the right of the parameter name and click Update
Parameters. If any of the specified parameter values contain a string that matches one of the
regular expressions in the specified pattern set, the request is flagged for the action specified in
the Action drop-down list.
Scanning all form input data except for the values of one or more specific form parameters is
not allowed in the Format String Attacks form. If Type is set to Scan All Parameters, and you
enter an exception parameter in the Parameter field, you will receive an error when you
click Apply Changes.

Check the Ignore Case check box if you do not need to match the case of a parameter specified in
the Parameter field exactly. If you do need to match the case exactly, leave this check box
unchecked.
In the Action drop-down list, choose the action to apply if a form input string that matches this map
is detected. Actions include these:
• None—Take no action
• Reset server client—Reset both the server and client sides of the connection
• Drop—Drop the connection silently
• [SEND-PAGE] pagename—Send the error page identified by pagename.
• [REDIRECT-PAGE] pagename—Send the redirection page identified by pagename.
If you want to log the event, click the Log check box that is below the Action drop-down list.
When you are finished with this form, click Apply Changes at the top to save your changes, or
click Discard Changes to return to the summary page without saving your changes.
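The decision logic that the map forms in this chapter describe (Scan All Parameters, Scan All Parameters with exception parameters and an Allow Pattern Set, Scan Specific Parameters, the Ignore Case check box applied to parameter names, and the Format String Attacks restriction), written out as an added Python simulation that is not AVS code. The pattern sets, map names, action strings and form values are constructed for illustration and are not the product's shipped Pattern Definitions.

```python
"""Simulation of the AVS input-validation map decision logic described in this chapter.
Constructed example: pattern sets, map names and form values are made up for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCAN_ALL = "Scan All Parameters"
SCAN_SPECIFIC = "Scan Specific Parameters"


@dataclass
class InputValidationMap:
    """One map of a given check type (SQL Injection, LDAP Injection, ...)."""
    name: str
    check_type: str             # the Pattern Definitions type this map uses
    scan_type: str              # SCAN_ALL or SCAN_SPECIFIC
    pattern_set: List[str]      # Pattern Set: regexes that flag form input
    action: str = "Drop"        # value chosen in the Action drop-down list
    ignore_case: bool = False   # Ignore Case applies to parameter *names*
    log: bool = False           # the Log check box
    # SCAN_SPECIFIC: parameters to scan (pass None, no allow set is used).
    # SCAN_ALL: exception parameters, each with its own Allow Pattern Set.
    parameters: Dict[str, Optional[List[str]]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # The Format String Attacks form rejects exception parameters on Apply Changes.
        if (self.check_type == "Format String Attacks"
                and self.scan_type == SCAN_ALL and self.parameters):
            raise ValueError("Format String Attacks maps do not allow exception parameters")
        self._deny = [re.compile(p) for p in self.pattern_set]
        self._allow = {self._key(n): [re.compile(p) for p in (pats or [])]
                       for n, pats in self.parameters.items()}

    def _key(self, param_name: str) -> str:
        """Normalise a parameter name according to the Ignore Case check box."""
        return param_name.lower() if self.ignore_case else param_name

    def evaluate(self, form: Dict[str, str]) -> dict:
        """Return the verdict for one submitted form (GET or POST parameters)."""
        for pname, value in form.items():
            key = self._key(pname)
            if self.scan_type == SCAN_SPECIFIC and key not in self._allow:
                continue            # only the listed parameters are inspected
            hit = next((rx.pattern for rx in self._deny if rx.search(value)), None)
            if hit is None:
                continue            # no Pattern Set regex matched this value
            if self.scan_type == SCAN_ALL and key in self._allow:
                # Exception parameter: a value that matches both the Pattern Set
                # and its Allow Pattern Set is allowed rather than flagged.
                if any(rx.search(value) for rx in self._allow[key]):
                    continue
            return {"action": self.action, "parameter": pname,
                    "pattern": hit, "logged": self.log}
        return {"action": "None", "parameter": None, "pattern": None, "logged": False}


# Constructed pattern sets standing in for Pattern Definitions entries.
META_PATTERNS = [r"[;|~`]"]                              # Meta Character Detection type
SQLI_PATTERNS = [r"(?i)\bunion\b\s+\bselect\b", r"--"]  # SQL Injection type

# Constructed form submission: the 'notes' field legitimately contains a semicolon.
SAMPLE_FORM = {"user": "alice", "notes": "call back; urgent", "Search": "laptops -- cheap"}


def demo() -> Dict[str, dict]:
    """Apply the three configuration styles from the chapter to SAMPLE_FORM."""
    # 1) Scan all form input, no exceptions: the ';' in 'notes' is flagged.
    strict = InputValidationMap("meta-all", "Meta Character Detection", SCAN_ALL,
                                META_PATTERNS, action="Reset server client", log=True)
    # 2) Scan all form input, but 'notes' may hold plain text with ';', ',' and '.'.
    lenient = InputValidationMap("meta-exc", "Meta Character Detection", SCAN_ALL,
                                 META_PATTERNS, action="[SEND-PAGE] blocked",
                                 parameters={"notes": [r"^[\w ;.,]+$"]})
    # 3) Scan only the 'search' parameter; Ignore Case lets 'Search' match it.
    specific = InputValidationMap("sqli-search", "SQL Injection", SCAN_SPECIFIC,
                                  SQLI_PATTERNS, action="Drop", ignore_case=True,
                                  parameters={"search": None})
    return {"strict": strict.evaluate(SAMPLE_FORM),
            "lenient": lenient.evaluate(SAMPLE_FORM),
            "specific": specific.evaluate(SAMPLE_FORM)}


def format_string_rejects_exceptions() -> bool:
    """Apply Changes fails for a Format String Attacks map that has an exception parameter."""
    try:
        InputValidationMap("fmt", "Format String Attacks", SCAN_ALL, [r"%[0-9]*[nsxp]"],
                           parameters={"comment": [r"^[\w ]+$"]})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:9s} -> {verdict}")
    print("format string exception rejected:", format_string_rejects_exceptions())
```

Running the block shows the same form passing the lenient map, being reset by the strict map, and being dropped by the specific map because the case-insensitive name match pulls in the "Search" field.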

Web Application Security Regular Expression Syntax


The web application security module uses a regular expression syntax that is different from the
regular expression syntax used by other AVS features. The regular expression syntax used by the
web application security module is summarized in the following table.

Table 10: Web Application Security Regular Expression Syntax

| Metacharacter | Description |
| --- | --- |
| `.` | Matches any single character except the new line character (0x0A). For example, the regular expression `r.t` matches the strings rat, rut and "r t", but not root. |
| `^` | Matches the beginning of a line. For example, the regular expression `^When in` matches the beginning of the string "When in the course of human events" but not the string "What and When in the". |
| `*` | Matches zero or more occurrences of the character immediately preceding. For example, the regular expression `.*` means match any number of any characters. |
| `\` | The quoting character; use it to treat the following metacharacter as an ordinary character. For example, `\^` matches the caret character (^) rather than the beginning of a line. Similarly, `\.` matches the period character rather than any single character. |
| `[]`, `[c1-c2]`, `[^c1-c2]` | Matches any one of the characters between the brackets. For example, the regular expression `r[aou]t` matches rat, rot and rut, but not ret. Ranges of characters are specified by a beginning character (c1), a hyphen, and an ending character (c2); for example, `[0-9]` matches any digit. Multiple ranges can be specified as well: `[A-Za-z]` matches any upper or lower case letter. To match any character except those in the range (that is, the complement range), use the caret as the first character after the opening bracket. For example, `[^269A-Z]` matches any character except 2, 6, 9 and uppercase letters. |
| `()` | Treats the expression between ( and ) as a group, limiting the scope of other metacharacters. |
| `\|` | Logical OR of two conditions. For example, `(him\|her)` matches the line "it belongs to him" and the line "it belongs to her", but does not match the line "it belongs to them". |
| `+` | Matches one or more occurrences of the character or regular expression immediately preceding. For example, the regular expression `9+` matches 9, 99 and 999. |
| `?` | Matches 0 or 1 occurrence of the character or regular expression immediately preceding. |
| `{i}`, `{i,}` | Matches a specific number (i) or minimum number (i,) of instances of the preceding character. For example, the expression `A[0-9]{3}` matches "A" followed by exactly 3 digits; that is, it matches A123 but not A1234. The expression `[0-9]{4,}` matches any sequence of 4 or more digits. |
| `\r` | Matches the carriage return character (0x0D). |
| `\n` | Matches the new line character (0x0A). |
| `\t` | Matches the tab character (0x09). |
| `\f` | Matches the form feed character (0x0C). |
| `\xNN` | Matches the character with the hexadecimal code NN, where N is between 0 and F. |
| `\NNN` | Matches the character with the octal code NNN, where N is between 0 and 8. |


8.3 Configuring ModSecurity


One of the more commonly used application layer firewalls is ModSecurity, an open source
intrusion detection and prevention system. ModSecurity is an Apache module that helps protect
your website from various attacks. It blocks commonly known exploits by means of regular
expressions and rule sets, and is enabled on all InMotion servers by default. ModSecurity can
block common code injection attacks, which strengthens the security of the server. To make
ModSecurity useful, it must be configured with rules. You can write these rules yourself according
to need, or use the Open Web Application Security Project (OWASP) rules.

OWASP is a group of security communities that develops and maintains a free set of application
protection rules, called the OWASP ModSecurity Core Rule Set (CRS). You can think of the CRS as
an enhanced core rule set that ModSecurity follows to prevent attacks on the server.

ModSecurity is a hybrid web application firewall engine that relies on the host web server for some
of the work. The only supported web server at the moment is Apache 2.x, but it is possible, in
principle, to integrate ModSecurity with any other web server that provides sufficient integration
APIs.

The functionality offered by ModSecurity falls roughly into four areas:

Parsing: ModSecurity tries to make sense of as much data as is available. The supported data formats
are backed by security-conscious parsers that extract bits of data and store them for use in the rules.

Buffering: In a typical installation, both request and response bodies will be buffered. This means
that ModSecurity usually sees complete requests before they are passed to the application for
processing, and complete responses before they are sent to clients. Buffering is an important
feature, because it is the only way to provide reliable blocking. The downside of buffering is that it
requires additional RAM to store the request and response body data.

Logging: Full transaction logging (also referred to as audit logging) is a big part of what ModSecurity
does. This feature allows you to record complete HTTP traffic, instead of just rudimentary access log
information. Request headers, request body, response header, response body—all those bits will be
available to you. It is only with the ability to see what is happening that you will be able to stay in
control.

Rule engine: The rule engine builds on the work performed by all other components. By the time the
rule engine starts operating, the various bits and pieces of data it requires will all be prepared and
ready for inspection. At that point, the rules will take over to assess the transaction and take actions
as necessary.
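The four areas above (parsing, buffering, logging, rule engine) and the regular expression metacharacters from the table (grouping, alternation, ?, {i}, {i,}) in one miniature request inspector. This is an added example written for this handbook, not ModSecurity's own code; the rule ids, rule targets, sample requests and the hostname shop.example are constructed.

```python
"""Miniature ModSecurity-style inspector: parse and buffer a request, run regex rules, audit-log.
Added example for this handbook, not ModSecurity code; ids, rules and requests are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Rule:
    rule_id: int          # constructed ids, not OWASP CRS ids
    target: str           # "ARGS" (every argument), "ARGS:<name>" or "REQUEST_URI"
    pattern: str          # regular expression built from the metacharacters in the table
    message: str
    negate: bool = False  # True: fire when the pattern does NOT match (allow-list rule)


RULES = [
    # {3} with ^ and $: the account id must be "A" followed by exactly three digits.
    Rule(1001, "ARGS:account", r"^A[0-9]{3}$", "account id not in expected form", negate=True),
    # ( ) groups the | alternation; ? makes the space after "<" optional.
    Rule(1002, "ARGS", r"(?i)< ?(script|iframe)", "HTML tag name inside an argument"),
    # {1,}: one or more "../" sequences in the request path.
    Rule(1003, "REQUEST_URI", r"(\.\./){1,}", "directory traversal sequence in path"),
]


@dataclass
class Transaction:
    request_line: str
    uri: str
    headers: Dict[str, str]
    body: str
    args: Dict[str, str]
    matched: List[int] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)


def parse_request(raw: str) -> Transaction:
    """Parsing and buffering: split the raw request, keep the complete body (up to the
    declared Content-Length) and extract ARGS from the query string and a urlencoded body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _, uri, _ = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = body[: int(headers.get("content-length", "0"))]  # whole body buffered before any rule runs
    args = dict(parse_qsl(urlsplit(uri).query))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        args.update(parse_qsl(body))
    return Transaction(lines[0], uri, headers, body, args)


def _targets(tx: Transaction, target: str) -> Dict[str, str]:
    """Resolve a rule target to the name/value pairs it is tested against."""
    if target == "REQUEST_URI":
        return {"REQUEST_URI": tx.uri}
    if target == "ARGS":
        return {f"ARGS:{k}": v for k, v in tx.args.items()}
    name = target.split(":", 1)[1]
    return {target: tx.args[name]} if name in tx.args else {}  # absent argument: rule does not apply


def inspect(tx: Transaction) -> bool:
    """Rule engine: evaluate every rule over the prepared data; True means block.
    The audit log keeps the full request (line, headers, body) and every rule hit."""
    tx.audit_log.append(f"request: {tx.request_line}")
    tx.audit_log.extend(f"header: {k}: {v}" for k, v in tx.headers.items())
    tx.audit_log.append(f"body: {tx.body!r}")
    for rule in RULES:
        for name, value in _targets(tx, rule.target).items():
            hit = re.search(rule.pattern, value) is not None
            if hit != rule.negate:
                tx.matched.append(rule.rule_id)
                tx.audit_log.append(f"rule {rule.rule_id} on {name}={value!r}: {rule.message}")
    tx.audit_log.append("action: " + ("deny 403" if tx.matched else "allow"))
    return bool(tx.matched)


def decide(raw: str) -> Tuple[bool, List[int]]:
    """Whole pipeline for one raw request: (blocked?, ids of the rules that fired)."""
    tx = parse_request(raw)
    return inspect(tx), tx.matched


# Constructed sample requests for the demonstration, not captured traffic.
CLEAN_REQUEST = (
    "POST /account/update HTTP/1.1\r\nHost: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
    "account=A123&comment=thanks"
)
BAD_REQUEST = (
    "POST /files/../../private HTTP/1.1\r\nHost: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 32\r\n\r\n"
    "account=A1234&comment=<script>hi"
)

if __name__ == "__main__":
    for raw in (CLEAN_REQUEST, BAD_REQUEST):
        tx = parse_request(raw)
        inspect(tx)
        print("\n".join(tx.audit_log), "\n")
```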

To learn more about ModSecurity and its configuration, visit https://www.modsecurity.org; the free
online ModSecurity Handbook at https://www.feistyduck.com/library/modsecurity-handbook-free/online/
covers installation and configuration in detail.


Summary
 The web application security feature enables the application appliance to act as an application
firewall and provide web application security and intrusion protection.
 To configure web application security, follow these basic steps:
o Use the Traffic Class Maps command to define traffic class maps to classify web
application traffic according to various parameters such as hostname, URL, cookie name
and value, and so on. A traffic map specifies a set of traffic to which you want to apply a
security policy.
o Define web application security feature maps that configure security features. To define
feature maps, select the individual features (URL Normalization, Cookie Protection, ID
Theft Protection, Request Limits, Error/Redirect Pages, Web Cloaking, URL Tagging, Input
Validation Checks, HTTP Protocol Conformance) under the Web Application Security
folder.
o Use the Policy Maps command to define policy maps that associate a traffic class with a
set of security functions. A policy map defines a series of actions (functions) that you want
to apply to a set of classified traffic.
o Use the System Utilities Service Policy command to choose the active policy map.
o Use the System Utilities Commit Config command to commit the configuration.
o If you have a cluster of application appliance nodes, use the System Utilities Publish
Configuration command to publish the configuration to all nodes in the cluster.

Practical activities:

Activity 1:

List the various kinds of Web Application Security products in the market and the vendors
for each. Compare the features, benefits and limitations of the various kinds of Web
Application Security products offered. Share with your fellow students.

Activity 2:

Configure an IDS product or first job shadow someone who installs a Web Application Security
product. List down the various steps of the same, then configure it on your own.


UNIT IX
Patch Management

This Unit covers:

 Lesson Plan
9.1 Patch Management Overview
9.2 The Patch Management Process
9.3 Windows Patch Management Tools


LESSON PLAN

Performance Outcomes:

PC1. identify the Patch you are required to install/configure and source relevant instructions and guidelines
PC2. identify any issues with instructions and guidelines for installing/configuring the Patch and clarify these with appropriate people
PC3. liaise with stakeholders clearly and promptly regarding the installation/configuration of the Patch
PC4. install/configure the Patch as per instructions and guidelines
PC5. test the installed/configured Patch, following instructions and guidelines
PC6. resolve problems with the Patch, following instructions and guidelines
PC7. obtain advice and guidance on installing/configuring the Patch from appropriate people, where required
PC8. record the installation/configuration of the Patch promptly using standard templates and tools
PC10. comply with your organization’s policies, standards, procedures, guidelines and service level agreements (SLAs) when installing/configuring the Patch

You need to know and understand:

KA1. your organization’s policies, procedures, standards, guidelines and client specific service level agreements for installing Patches
KA2. limits of your role and responsibilities and who to seek guidance from where required
KA3. your organization’s systems, procedures and tasks/checklists relevant to your work and how to use these
KA4. the importance of following manufacturer’s installation guides and procedures and how to access and apply these to install Patches
KA8. standard tools and templates available and how to use these to record installation/configuration

Performance Ensuring Measures:

 The learners must demonstrate all PCs on given work tasks
 KA1 to KA3: QA session etc., and a descriptive write-up on understanding
 KA4, KA7: Group presentation and peer evaluation along with faculty
 KA5: Presentation of best practices document by peer group to the faculty and loading the same into different sites
 KA8: Presentation of the customized templates by peer groups and validation of them by faculty
 KB3 to KB5: Installation and configuration of security tools in the lab environment by peer groups and validation by the faculty

Work Environment / Lab Requirement (KA1 to KA13):

 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Networking Equipment - Routers & Switches
 Firewalls and Access Points
 Access to all security sites like ISO, PCI DSS
 Commercial tools like HP WebInspect and IBM AppScan etc.
 Open source tools like sqlmap, Nessus
 Security Templates from ITIL


Lesson

9.1 Patch Management Overview


A patch, also called a service patch, is a fix to a program bug. A patch is an actual piece of object
code that is inserted into (patched into) an executable program. Patches are typically available as
downloads over the Internet.

Patch management is an area of systems management that involves acquiring, testing, and installing
multiple patches (code changes) to an administered computer system. Patch management tasks
include: maintaining current knowledge of available patches, deciding what patches are appropriate
for particular systems, ensuring that patches are installed properly, testing systems after installation,
and documenting all associated procedures, such as specific configurations required.

A number of products are available to automate patch management tasks, including RingMaster's
Automated Patch Management, PatchLink Update, and Gibraltar's Everguard.

9.2 The Patch Management Process


Patch management is a circular process and must be ongoing. The unfortunate reality about
software vulnerabilities is that, after you apply a patch today, a new vulnerability must be addressed
tomorrow.

Develop and automate a patch management process that includes each of the following:

Detect. Use tools to scan your systems for missing security patches. The detection should be
automated and will trigger the patch management process.

Assess. If necessary updates are not installed, determine the severity of the issue(s) addressed by
the patch and the mitigating factors that may influence your decision. By balancing the severity of
the issue and mitigating factors, you can determine if the vulnerabilities are a threat to your current
environment.

Acquire. If the vulnerability is not addressed by the security measures already in place, download
the patch for testing.

Test. Install the patch on a test system to verify the ramifications of the update against your
production configuration.

Deploy. Deploy the patch to production computers. Make sure your applications are not affected.
Employ your rollback or backup restore plan if needed.

Maintain. Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the
patch management process again.
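The Detect and Assess steps of the cycle above, modelled in Python as an added example for this handbook (not a tool from the text). The advisory records, package names, versions, patch ids and the rule that each recorded mitigating factor lowers the effective severity by one are constructed for the demonstration.

```python
"""Detect and Assess steps of the patch management cycle, modelled as code.
Added example for this handbook; advisories, hosts, versions and ids are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    patch_id: str        # constructed identifier, not a real patch or advisory id
    package: str
    fixed_version: str   # first version that contains the fix
    severity: str        # "critical", "high", "medium" or "low"


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare versions numerically, component by component: "2.10.0" is newer than
    "2.9.5" even though it sorts lower as a plain string."""
    return tuple(int(part) for part in version.split("."))


def detect(installed: Dict[str, str], advisories: List[Advisory]) -> List[Advisory]:
    """Detect: advisories whose package is installed at a version below the fixed one.
    A package that is not installed at all is not a missing patch."""
    missing = []
    for adv in advisories:
        current = installed.get(adv.package)
        if current is not None and version_tuple(current) < version_tuple(adv.fixed_version):
            missing.append(adv)
    return missing


def assess(adv: Advisory, mitigations: Dict[str, List[str]]) -> str:
    """Assess: balance the severity of the issue against mitigating factors already in
    place for that package (constructed rule: each recorded factor lowers severity by one).
    Returns "acquire" (download for testing now), "schedule" (next maintenance window)
    or "accept" (existing measures address the vulnerability for now)."""
    effective = SEVERITY_RANK[adv.severity] - len(mitigations.get(adv.package, []))
    if effective >= 3:
        return "acquire"
    if effective >= 1:
        return "schedule"
    return "accept"


def plan(installed: Dict[str, str], advisories: List[Advisory],
         mitigations: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Run Detect then Assess and return (patch_id, decision) pairs, most severe first,
    which is the order in which Acquire, Test and Deploy should pick them up."""
    missing = sorted(detect(installed, advisories),
                     key=lambda adv: SEVERITY_RANK[adv.severity], reverse=True)
    return [(adv.patch_id, assess(adv, mitigations)) for adv in missing]


# Constructed inventory of one host and constructed advisories.
INSTALLED = {"webserver": "2.4.3", "dbclient": "10.2.0", "imagelib": "1.9.7"}
ADVISORIES = [
    Advisory("PATCH-0001", "webserver", "2.4.5", "critical"),
    Advisory("PATCH-0002", "dbclient", "10.10.1", "high"),   # string compare would miss this
    Advisory("PATCH-0003", "imagelib", "1.9.7", "medium"),   # already at the fixed version
    Advisory("PATCH-0004", "mailer", "3.0.0", "critical"),   # package not installed
]
# Mitigating factors recorded for the host: the database client is reachable only from an
# isolated management network and is additionally filtered by the host firewall.
MITIGATIONS = {"dbclient": ["isolated management network", "host firewall"]}

if __name__ == "__main__":
    for patch_id, decision in plan(INSTALLED, ADVISORIES, MITIGATIONS):
        print(patch_id, decision)
```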
To learn more about Patch Management, please visit the following references:

https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/PatchManagementRecommendedPractice_Final.pdf

https://www.sans.org/reading-room/whitepapers/bestprac/practical-methodology-implementing-patch-management-process-1206

https://support.symantec.com/en_US/article.HOWTO3124.html

9.3 Windows patch management tools


Different approaches to patch management tools
An organization with more than a few workstations or servers needs some kind of automated way to
handle patch management, and there is a plethora of free patch management tools to choose from.
Because there's more than one way to accomplish patch management, it's not uncommon for two or
more parts of the same organization to be updated and managed using different applications.

You can find that situation in environments where a branch office or division of a company is moved
or acquired. Suddenly, what worked before is not what works for the new parent. In this and almost
all other cases, the best approach is to pick one system and consolidate on it as aggressively as
possible.

There are two types of patch management tools out there: reporting tools, and management or
deployment tools.

Reporting tools:

 Microsoft's HFNETCHK tool
 The commercial version of the same program, HFNetChkPro

These tools scan local machines or computers on a network, audit whatever's in reach and then
produce detailed summaries or digests about what is installed where as well as what might need to
be installed or updated. They do the research and make recommendations, but they don't make any
actual changes.

Management or deployment tools:

 Microsoft's own Windows Server Update Services
 Gravity Storm Software's Service Pack Manager
 Ecora Patch Manager 5.0

These programs do the actual work of downloading and applying patches to local or remote
machines. In many cases, they are also reporting tools -- they audit computers to see what's
installed and what's needed, then download the needed updates and push them out according to an
administrator's directives.


If you use multiple auditing or reporting tools, one caveat is that if there are inconsistencies
between the depth or breadth of reporting provided by each tool, you should be aware of that
ahead of time so you're not thrown off. If you are using multiple patch management or deployment
tools, the problem isn't so much that one tool duplicates or undoes the work of another, but that
the administrator (or administrators) becomes confused by the presence of multiple tools to get the
same job done.

Using third-party tools for Windows patch management


Here are some reasons to say yes, and some reasons to say no, to third-party patching tools.

Yes to third-party patching tools

Additional features: Third-party patch management systems often have additional features that
aren't present in the standard Microsoft way of doing things. For instance, Service Pack Manager
2000 allows the administrator to create multiple arbitrary groups of computers to better govern who
gets what updates.

Automation: Some third-party applications have automated functions that are above and beyond
what's available by default, and they don't require scripting to be effective.

Additional coverage and information: Many of these tools have detailed reporting and research
functions -- for instance, the ability to automatically generate a summary of what's installed on a
given machine and relevant details from Microsoft Knowledge Base articles that apply to each fix.

No to third-party patching tools

Internal consistency: If you have one department that's using a third-party tool and another that's
using the standard Microsoft patch deployment methods, it can become confusing for people trying
to maintain standards across organizations -- and it might not be convenient or politically possible to
get everyone to use the same tools. In such a case it might be best to fall back on Microsoft
standards.

Retraining: When people come in from another company or department where no such third-party
tools are in use, you'll need to retrain them. If this happens often, it can be a drain on time and
energy.

Unneeded additional features: Not every organization needs the advanced features offered by third-
party products. Sometimes the defaults work just fine.

These are not the only reasons to use or not use third-party tools for patching. If you need more
convincing on either side of the topic, check out security expert Serdar Yegulalp's article on third-
party patch management tools.


Free patch management tools


Numara patch management

Numara™ Patch Manager is the complete patch management solution that scans, updates and
downloads patches for Microsoft Operating Systems and applications across your entire network —
directly from your desktop.

PatchLink Security Patch and Vulnerability Management Solution

PatchLink is a security patch and vulnerability management solution that combines vulnerability
assessment, patch management, network access control and reporting to help organizations address
the emerging security threats while minimizing costs and complexity.

UpdateEXPERT Premium

UpdateEXPERT Premium is another advanced policy-based patch management solution.


Summary
 Patch, also called a service patch, is a fix to a program bug.
 A patch is an actual piece of object code that is inserted into (patched into) an executable
program. Patches typically are available as downloads over the Internet.
 Patch management is an area of systems management that involves acquiring, testing, and
installing multiple patches (code changes) to an administered computer system.
 Patch management tasks include: maintaining current knowledge of available patches,
deciding what patches are appropriate for particular systems, ensuring that patches are
installed properly, testing systems after installation, and documenting all associated
procedures, such as specific configurations required.
 A number of products are available to automate patch management tasks, including
RingMaster's Automated Patch Management, PatchLink Update, and Gibraltar's Everguard.
 Patch management is a circular process and must be ongoing. The reality about software
vulnerabilities is that, after you apply a patch today, a new vulnerability must be addressed
tomorrow.
 Developing and automating a patch management process will include each of the following:
o Detect. Use tools to scan your systems for missing security patches. The detection
should be automated and will trigger the patch management process.
o Assess. If necessary updates are not installed, determine the severity of the issue(s)
addressed by the patch and the mitigating factors that may influence your decision.
By balancing the severity of the issue and mitigating factors, you can determine if
the vulnerabilities are a threat to your current environment.
o Acquire. If the vulnerability is not addressed by the security measures already in
place, download the patch for testing.
o Test. Install the patch on a test system to verify the ramifications of the update
against your production configuration.
o Deploy. Deploy the patch to production computers. Make sure your applications are
not affected. Employ your rollback or backup restore plan if needed.
o Maintain. Subscribe to notifications that alert you to vulnerabilities as they are
reported. Begin the patch management process again.

Practical Activities:

Activity 1:

Learn how to download a patch from the internet. Work with an expert to download and apply
a patch.

Activity 2:

Browse the internet to research sources of patches and make a list of sites that announce the
latest patches available for various requirements.

Activity 3:

Collect information about various automated patch management tools from the internet
and their service providers and compare these products to understand their application,
features, benefits and limitations.


Check your understanding:

Q. List at least three automated patch management tools and service providers.

Q. List the various elements of the patch management development process.

548
Student Handbook – Security Analyst SSC/N0904/N0905

SSC/ N 0904: Contribute to information security audits
SSC/ N 0905: Support teams to prepare for and undergo information security audits

UNIT I: Information Security Audit


UNIT II: Types of Security Audits
UNIT III: Role of an Auditor
UNIT IV: Vulnerability Analysis
UNIT V: Penetration Testing
UNIT VI: Information Security Audit Tasks
UNIT VII: Audit Report and Actions
UNIT VIII: Audit Support Activities


Unit Code SSC/ N 0904

Unit Title (Task) Contribute to information security audits

Description This unit is about carrying out specific audit tasks as part of information security
audits.
Scope This unit/task covers the following:

Appropriate people:
 line manager
 members of the security team
 subject matter experts
Information security audits may cover:
 Identity and Access Management (IdAM)
 networks (wired and wireless)
 devices
 endpoints/edge devices
 storage devices
 servers
 software
 application hosting
 application security
 application support
 application penetration
 application testing
 content management
 messaging
 web security
 security of infrastructure
 infrastructure devices (e.g. routers, firewall services)
 computer assets, servers and storage networks
 messaging
 intrusion detection/prevention
 security incident management
 third party security management
 personnel security requirements
 physical security
 risk assessment
 business continuity
 disaster recovery planning


Performance Criteria(PC) w.r.t. the Scope

The user / individual on the job should be able to:


PC1. establish the nature and scope of information security audits and your
role and responsibilities within them
PC2. identify the procedures/guidelines/checklists for the audit tasks you are
required to carry out
PC3. identify any issues with procedures/guidelines/checklists for carrying out
audit tasks and clarify these with appropriate people
PC4. collate information, evidence and artefacts when carrying out audits
PC5. carry out required audit tasks using standard tools and following
established procedures/guidelines/checklists
PC6. refer to appropriate people where audit tasks are beyond your levels of
knowledge, skills and competence
PC7. record and document audit tasks and audit results using standard tools
and templates
PC8. review results of audit tasks with appropriate people and incorporate
their inputs
PC9. comply with your organization’s policies, standards, procedures,
guidelines and checklists when contributing to information security audits
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company / organization and its processes)

The user/individual on the job needs to know and understand:

KA1. your organization’s policies, standards, procedures, guidelines, systems and checklists for
information security testing and auditing and your role in applying these
KA2. scope of work to be carried out and the importance of keeping within these boundaries
KA3. limits of your knowledge, skills and competence and who to seek guidance from
KA4. different types of information/security audits
KA5. who to involve when carrying out information security audits
KA6. how to record and report audit tasks
KA7. the importance of recording the results of audit tasks
KA8. how to obtain and use input from others when carrying out information
security audit tasks
KA9. the purpose of information security audits and importance of taking part
in these
KA10. how to improve the process and outcomes of future audits
KA11. the range of standard tools, templates and checklists available and how to
use these
KA12. the role of teams in information security audits
KA13. methods and techniques used when working with others


B. Technical Knowledge

The user/individual on the job needs to know and understand:

KB1. common issues that may affect carrying out audit tasks and how to deal with these
KB2. different systems and structures that may need information security
audits and how they operate, including:
 servers and storage devices
 infrastructure and networks
 application hosting and content management
 communication routes such as messaging
KB3. features, configuration and specifications of information security systems
and devices and associated processes and architecture
KB4. the importance of auditing and the key principles and rules of conduct
that apply when auditing
KB5. common audit techniques and how to record and report audit tasks
KB1. methods and techniques for testing compliance against your organizations
security criteria, legal and regulatory requirements


Unit Code SSC/N0905

Unit Title (Task) Support teams to prepare for and undergo information security audits

Description This unit is about supporting functional teams to prepare for and undergo information
security audits carried out by internal or external auditors.

Scope This unit/task covers the following:


Information security audits:
 internal
 external
Appropriate people:
 line manager
 members of functional teams
 subject matter experts
Audit tasks on:
 Identity and Access Management (IdAM)
 physical security
 networks
 storage devices
 servers
 applications
 application penetration and testing
 application support
 application hosting
 content management
 messaging
 infrastructure devices (e.g. routers, firewall services)
 computer assets, servers and storage networks
 third parties
 personnel requirements
 support functions (e.g. HR support)
Performance Criteria (PC) w.r.t. the Scope

To be competent, you must be able to:

PC1. establish the nature and scope of information security audits and your role
and responsibilities in preparing for them
PC2. identify the procedures/guidelines/checklists that will be used for
information security audits
PC3. identify the requirements of information security audits and prepare for
audits in advance
PC4. liaise with appropriate people to gather data/information required for
information security audits

PC5. organize data/information required for information security audits using standard
templates and tools
PC6. provide immediate support to auditors to carry out audit tasks
PC7. participate in audit reviews, as required
PC8. comply with your organization’s policies, standards, procedures, guidelines
and checklists when supporting teams to prepare for and undergo
information security audits
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company / organization and its processes)

You need to know and understand:

KA1. your organization’s policies, standards, procedures, guidelines, systems and checklists for
information security audits and your role in applying these
KA2. scope of work to be carried out and the importance of keeping within these boundaries
KA3. limits of your role, responsibilities, skills and competence and who to seek
guidance from when these are exceeded
KA4. the purpose of information security audits and importance in taking part in
these
KA5. the role of teams in information security audits
KA6. what information is required for information security audits and the
importance of preparing this in advance of the audit
KA7. how to improve the process and outcomes for future audits
KA8. types of support required by teams for information security audits
and how to provide this
KA9. different types of information security audits
KA10. different approaches and ways of working for internal and external
information security audits
KA11. who to involve when carrying out information security audits
KA12. your organization’s knowledge base and how to use this to support
information security audits
KA13. how to carry out, record and report audit tasks
KA14. the range of data and information required for information security audits
and where to obtain this
KA15. methods and techniques used when working with others
KA16. standard tools, templates and checklists available and how to use these
KA17. the importance of providing immediate support to auditors as required
B. Technical Knowledge

You need to know and understand:

KB1. different information systems that may require audit tasks:
 servers and storage devices
 infrastructure, assets and networks
 application hosting, testing, penetration and support
 content management
 communication routes such as messaging
 physical security


 support functions such as personnel and HR services


 third party systems
KB2. features, configuration and specifications of information security systems and
devices which may be audited
KB3. how to collate data for information security audits
KB4. additional information that may be required by auditors and where to source
this


THE UNITS
The module for this NOS is divided into 8 Units based on the learning objectives given below.
UNIT I: Information Security Audit
1.1. Information Systems Audit versus Information Security Audit
1.2. What is an Information Security Audit?
1.3. Scope of the Audit
1.4. What makes a good security audit?
1.5. Constraints of a security audit
UNIT II: Security Audits Features
2.1. Types of Security Audits
2.2. Phases of Information Security Audit
2.3. Information Security Audit Methodology
2.4. Security Testing Frameworks
2.5. Audit Process and Audit Security Practices
2.6. Testing Security Technology and Templates
UNIT III: Information Security Auditor
3.1 Role of an Auditor
3.2 Hiring an Information Security Auditor
3.3 Required Skills Sets of an Information Security Auditor
3.4 Ethics of an Information Security Auditor
3.5 What Makes an Information Security Auditor
UNIT IV: Vulnerability Analysis
4.1. What Is Vulnerability Assessment?
4.2. Vulnerability Classification
4.3. Types of Vulnerability Assessment
4.4. How to Conduct a Vulnerability Assessment
4.5. Vulnerability Analysis Tools
UNIT V: Penetration Testing
5.1. About penetration testing
5.2. Penetration testing stages
UNIT VI: Information Security Audit Tasks
6.1 Pre-audit tasks
6.2 Information Gathering
6.3 External Security Audit
6.4 Internal Network Security Auditing
6.5 Firewall Security Auditing
6.6 IDS Security Auditing
UNIT VII: Audit Reports and Actions

UNIT VIII: Audit Support Activities


UNIT I
Information Security Audit

This Unit covers:

• Lesson Plan
1.1. Information Systems Audit versus Information Security Audit
1.2. What is an Information Security Audit?
1.3. Scope of the Audit
1.4. What makes a good security audit?
1.5. Constraints of a security audit


LESSON PLAN

Outcomes
To be competent, you must be able to:
PC1. establish the nature and scope of information security audits and your role and
responsibilities in preparing for them (0904/0905)

Performance Ensuring Measures
1. Research the meaning of audit and what it entails.
2. Which are the various aspects of an organization that are audited?
3. Research the scope of an IT Security Audit and make a presentation on the scope of the audit.

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Projection facilities

Outcomes
You need to know and understand:
KA2. scope of work to be carried out and the importance of keeping within these
boundaries (0904/0905)
KB1. different information systems that may require audit tasks (0905)
KA4. the purpose of information security audits and importance in taking part in these
KB4. the importance of auditing and the key principles and rules of conduct that apply when
auditing (0905)

Performance Ensuring Measures
1. Listing various systems requiring audits
2. Research and list the difference between an IT Systems Audit and an Information Security Audit.

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Networking Equipment - Routers & Switches
• Firewalls and Access Points
• Access to all security sites like ISO, PCI DSS, Centre for Internet Security


Lesson

An information security audit is one of the best ways to determine the security of an organization's
information without incurring the cost and other associated damages of a security incident.

1.1. Information Systems Audit versus Information Security Audit
Information System Audit and Information Security Audit are two tools used to ensure the
safety and integrity of information and sensitive data.

Find out and write

Information systems audit is


____________________________________________________________________________
____________________________________________________________________________
_________________________________________________________________________

Information security audit is

____________________________________________________________________________
____________________________________________________________________________
_________________________________________________________________________


1.2. What is an Information Security Audit?


The three main types of security diagnostics:

• Information security audits
• Vulnerability assessments
• Penetration testing

Security audits are a formal process, carried out by certified auditing professionals to measure
an information system's performance against a list of criteria.

A Vulnerability Assessment is
_____________________________________________________________________________
_____________________________________________________________________________
____________________________________________________________________________

“Penetration test” (Pen Test) is

_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

Computer security auditors work with the full knowledge and support of the organization, in order
to carry out the audit. This usually includes receiving documentation and access by the organization
representative. A security analyst may be assigned to support and facilitate the audit.

Computer security auditors perform their work through personal interviews, reviewing policies,
vulnerability scans, examination of operating system settings, analyses of network shares, and
historical data and logs.

Some of the purposes of audits are listed below:

a. Building awareness of current practices and risks
b. Reducing risk by evaluating, planning and supplementing security efforts
c. Strengthening controls, both automated and human
d. Ensuring compliance with customer and regulatory requirements and expectations
e. Building awareness and interaction between technology and business teams
f. Improving overall IT governance in the organization


1.3. Scope of the Audit

The scope of the audit depends upon:


a. Site business plan

b. Type of data assets to be protected

c. Value or importance of the data and its relative priority

d. Previous security incidents

e. Time available

f. Auditor's experience and expertise


1.4 What should be covered in audits?

• Access control
• Accountability and audit
• Application hosting
• Application penetration
• Application security
• Application support
• Application testing
• Awareness and training
• Business continuity
• Certification, accreditation and security assessments
• Computer assets, servers and storage networks
• Configuration management
• Content management
• Contingency planning
• Disaster recovery planning
• Endpoints/edge devices
• Identification, authentication and access management
• Incident response
• Infrastructure devices (e.g. routers, firewall services)
• Intrusion detection/prevention
• Maintenance
• Media protection
• Messaging
• Networks (wired and wireless)
• Personnel security
• Physical and environmental protection
• Risk assessment
• Security incident management
• Security of infrastructure
• Security planning
• Software
• Storage devices
• System and information integrity
• System services and acquisition
• Systems and communications protection
• Third party security management
• Web security


There are a number of key questions that security audits attempt to answer which include but
are not limited to:

• Are passwords secure and difficult to crack?
• Are access control lists (ACLs) in place on network devices to control who has access
to shared data?
• Are there audit logs that record and identify who accesses data?
• Are the audit logs reviewed effectively and how are they reviewed?
• Are the security settings for operating systems in accordance with accepted industry
security practices?
• How are unnecessary applications and computer services managed? Are they
eliminated in a timely and effective manner for each system?
• Are these operating systems and commercial applications patched? How and when
did the patching take place?
• How is backup media stored? What is the backup policy and is it followed? Who has
access to the backup media and is it up-to-date?
• Is there a disaster recovery plan? Have the participants and stakeholders ever
rehearsed the disaster recovery plan? Does it have gaps in its construct?
• Are there adequate cryptographic tools in place to govern data encryption, and have
these tools been properly configured?
• What security considerations were used while writing custom-built applications, are
these adequate and well documented?
• How have these custom applications been tested for security flaws?
• How are configuration and code changes documented at every level? How are these
records reviewed and who conducts the review?

The duration of the cross-cutting audit depends on the size as well as the complexity of the
organization. The size of the organization is determined by the number of employees and locations.

The level of complexity of an organization can only be determined on an
organization-by-organization basis, according to criteria such as the following:

• What does the system landscape look like (number of systems and level of heterogeneity
of the systems used)?
• How many network gateways are there?
• Which and how many IT applications are used in the organization? Are they used to
support critical business processes?
• Are higher-level procedures used that may affect realms outside of the organization?
• How high is the protection requirement for the infrastructure, systems, and IT
applications?
• Is the organization active in areas critical to security (for example, is it a security agency)?


1.5 What makes a good security audit?

The IS Auditing Standards developed and disseminated by the Information Systems Audit
and Control Association (ISACA) are already in circulation and can be consulted for further information.

A good security audit is part of a regular and comprehensive framework of information security.

A good security audit is likely to include the following:

• Clearly defined objectives

• Coverage of security is comprehensive and the audit is cross-cutting across the entire
organization. Partial audits may be done for specific purposes.

• The audit team is experienced, independent and objective. Every audit team should consist of
at least two auditors to guarantee the independence and objectivity of the audit (the "two-person
rule"). Their credentials should be verifiable.

• There is an unrestricted right to obtain and view information.

• Important IS audit meetings such as the opening and the closing meetings, as well as the
interviews, should be conducted as a team. This procedure ensures objectivity,
thoroughness, and impartiality.

• No member of the audit team, for reasons of independence and objectivity, should have
participated directly in supporting or managing the areas to be audited; e.g. they must not
have been involved in the development of concepts or the configuration of the IT systems.

• It should be ensured, when initiating the audit, that actual operations in the organization are not
significantly disrupted by it. The auditors never actively intervene in systems, and therefore
should not provide any instructions for making changes to the objects being audited.

• Management takes responsibility for supporting the conduct of a fair and comprehensive audit.

• Appropriate communication, the appointment of a central point of contact and other
support for the auditors.

• The execution is planned and carried out in a phase-wise manner.


Functions in an Audit

All audits have common functions that must be performed if they are to be successful. These usually
include:

A. Define the security perimeter – what is being examined?

• Determine how intensive the audit is going to be. Are all facets of the organization to be
examined, or is this to be a common ‘security’ audit based on the IT infrastructure?
• Detail how intrusive the audit is. It is important to avoid adversely impacting the production
environment during the audit process, whether through equipment downtime or personnel
being taken away from their primary duties to participate in the audit.
• Does the corporation have existing methodologies to actively mitigate risk on an ongoing
basis?

B. Describe the components – and be detailed about it.

• Assemble a detailed list of the components within the security perimeter. While this is not
an exhaustive list, these devices often include:
o Computing equipment (mainframes, servers, desktops, laptops, terminals).
o Networking equipment (firewalls, routers, switches, hubs, and UPS devices).
o Communications equipment (PBX, phones, cell/smart phones, PDAs, fax machines).
o Input / Output devices (printers, copiers, scanners, cameras, web-cams, tablets).
o Data storage (databases: sales, customer, employee, other; email, voicemail, files on
server, files in cabinets, customer and employee information, log files).
o Common security items (passwords, access scanners / cards and ID cards, physical
security, data diagrams, daily schedules and employee activity charts).
o Internet exposure (company websites: internet and intranet, collaborative sites,
outbound access availability and restrictions, open ports and other visible devices).

C. Determine threats – what kinds of damage could be done to the systems?

• Generate a list of threat vectors based on the scope of the audit. For example, if physical
security is beyond the scope of the audit you won’t have to check whether the server room is locked.
• Examine each type of device on the components list for known vulnerabilities.

D. Delineate the available tools – what documents and tools are in use or need to be created?

• Assemble the various documents and diagrams of the systems under audit.
• Gather the tools already in use to mitigate risk.
o Determine if the existing tools are functional.
o Determine if new tools are needed.

E. Reporting mechanism – how will you show progress and achieve validation in all areas?

• Determine what the reporting mechanism will be.
o What is the report format?
o Who will sign off on the report as being acceptable?
o Who determines that a specific threat on a particular component is mitigated?


F. Review history – is there institutional knowledge about existing threats?

• Determine what threats existed in the past and whether those have been mitigated.
• Interview members of the institution to determine if any known threats exist.

G. Determine the Network Access Control list – who really needs access to this?

• Develop a matrix of all personnel that need access to each device on the component chart.
• Develop a matrix of all devices that need access to other devices on the component chart.
• Each device on the component list should have a minimal set of entry points.
• How much privilege is required for each person or system to perform their functions?

H. Prioritize risk – calculate risk as Risk = probability * harm

• Given the list of possible threats, what is the probability that a given threat will materialize?
• If a threat were to materialize, how great would its impact be?
• Establish the greatest pain points for the company. Determine whether the approach is to work on
the big items first, or to get all of the minor issues out of the way before making any major
changes.

I. Delineate the mitigation plan – what are the exact steps required to minimize the threats?

• Generate a detailed project plan to reach the goal. Include tasking, timelines, costs,
reporting methods and checkpoints; all the components of a successful project plan are
necessary.
• Ensure that the organization is in agreement with the plan to mitigate risks.

J. Implement procedures – start making changes.

• Begin the mitigation process, using the priority decided upon by the stakeholders.

K. Review results – perform an After Action Review (AAR) on the audit process

• Perform a standard AAR on the audit.
o What went well?
o What process needs revision before it will go well?
o What issues are still outstanding at this time?
o Who is responsible for ensuring that outstanding issues will be addressed?
o What is the timeline for issue resolution?
o Who will validate issue resolution?

Risks that are extremely unlikely to happen but that have the potential to cause catastrophic damage
are called ‘Black Swans’. These risks are often not cost effective to address, so formal acceptance
of these risks by management may be the only strategy available. Every audit needs
management’s participation to be completely successful.


1.6 Constraints of a security audit

• Time constraints
• Third party access constraints
• Business operations continuity constraints
• Scope of audit engagement
• Technology tools constraints

Summary
• An information security audit is one of the best ways to determine the security of an
organization's information without incurring the cost and other associated damages of a
security incident.
• Information systems audit is a large, broad term that encompasses demarcation of
responsibilities, server and equipment management, problem and incident management,
network division, safety, security and privacy assurance etc.
• Information security audit is only focused on security of data and information (electronic and
print) when it is in the process of storage and transmission. Both audits have many
overlapping areas.
• Security audits are a formal process, carried out by certified auditing professionals to measure
an information system's performance against a list of criteria.
• A vulnerability assessment, on the other hand, involves a comprehensive study of an entire
information system, seeking potential security weaknesses, usually carried out by industry
experts who may or may not be certified.
• A good security audit is likely to include the following:
o Clearly defined objectives
o Coverage is comprehensive and cross-cutting
o Audit team is experienced, independent and objective with verifiable credentials
o There is unrestricted right to obtain and view information.
o Important IS audit meetings such as the opening and the closing meetings as well as
the interviews should be conducted as a team.
o No member of the team should have participated directly in supporting or managing
the areas to be audited
o It should be ensured that actual operations in the organization are not significantly
disrupted by the audit.
o The auditors never actively intervene in systems or provide change advice.
o Management should support the audit.
o Appropriate communication and appointment of central point of contact and other
support for the auditors.
o The execution is planned and carried out in a phase-wise manner
• Constraints of a security audit
o Time constraints
o Third party access constraints
o Business operations continuity constraints
o Scope of audit engagement
o Technology tools constraints


Practical activities:

Activity 1:

List the various vulnerabilities in any organisation and various activities to check those
vulnerabilities.

Activity 2:

Conduct an audit of your surroundings, of things such as cleanliness, safety and security,
hygiene, etc. Share your report in class, detailing the approach and the various aspects of
auditing.

Check your understanding:


Q. The three main types of security diagnostics are?

a. ________________________________________

b. ________________________________________

c. ________________________________________

Q. What is the full form of ACL in information security terms?

__________________________________________

Q. What is the purpose of an ACL?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. What is the purpose of an information security audit?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


State TRUE or FALSE

a. Previous security incidents are not important in a security audit; the auditors are only
concerned about what the situation is at the present time of the audit. ( )
b. Information Security Audit is carried out by an audit team which usually has a representative
from the team which has been involved in the development of the IT configuration to be
audited. ( )
c. A key purpose of the Audit team is to correct and modify practices followed in the
organization while conducting the audit so as to make the system less vulnerable. ( )
d. AAR is another term used for the audit; it stands for After Attack Responsibility. ( )
e. IS Auditing Standards developed by Information Systems Audit and Control Association
(ISACA) are already in circulation. ( )

Tick the right option

f. Information Security Audit is carried out as a (formal / informal) process by
(certified / uncertified) auditing professionals.
g. An IS audit is focused on current data in use (and is also / but is not) concerned with past data
stored in backup media, etc.
h. Passwords are (within / beyond) the purview of the audit.


NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


UNIT II
Security Audit Features

This Unit covers:

• Lesson Plan
2.1. Planning Work and Work environment
2.2. Types of Security Audits
2.3. Phases of Information Security Audit
2.4. Information Security Audit Methodology
2.5. Security Testing Frameworks
2.6. Audit Process and Audit Security Practices
2.7. Testing Security Technology and Templates


LESSON PLAN

Outcomes
To be competent, you must be able to:
PC2. identify the procedures/guidelines/checklists for the audit tasks you are required to
carry out (0904/0905)
PC5. organize data/information required for information security audits using standard
templates and tools (0905)

Performance Ensuring Measures
1. Identify and access sources for standard checklists, guidelines and templates for carrying out
different types of audits

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Centre for Internet Security
• Security Templates from ITIL, ISO

Outcomes
You need to know and understand:
KA4. / KA9. different types of information/security audits (0904/0905)
KA10. different approaches and ways of working for internal and external information
security audits (0905)
KB5. common audit techniques and how to record and report audit tasks (0904)

Performance Ensuring Measures
1. Research and list the various types of security audits, their purpose and requirements
2. Research and list the process for using and carrying out various audit techniques

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Centre for Internet Security
• Security Templates from ITIL, ISO

Outcomes
KA11. the range of standard tools, templates and checklists available and how to use
these (0904)
KB6. methods and techniques for testing compliance against your organization's security
criteria, legal and regulatory requirements (0904)

Performance Ensuring Measures
1. Go through security standards and benchmarks like ISO 27001, PCI DSS and Centre for Internet
Security, and understand the implications of non-maintenance of such standards.
2. Collate and compare audit templates from various sources and discuss the requirements,
advantages and disadvantages of each.
3. Go through the latest threats and breaches in cyberspace to understand the implications of
non-compliance with security standards.

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Centre for Internet Security
• Security Templates from ITIL, ISO


Lesson

2.1 Types of Security Audits


Broadly, there are two types of audit, internal and external.

External audits are commonly conducted by independent, certified parties in an objective manner.
They are scoped in advance and limited to identifying and reporting any implementation and
control gaps against stated policies and standards such as COBIT (Control Objectives for
Information and related Technology). The objective is to lead the client to a source of
accepted principles, sometimes correlated with current best practices.

Internal audits are usually conducted by experts linked to the organization, and involve a
feedback process in which the auditor may not only audit the system but also provide
advice in a limited fashion. They differ from external audits in allowing the auditor to discuss
mitigation strategies with the owner of the system being audited.

There is a large variety of audit types based on the standards followed. Some examples include SSAE 16
audits (Type I or II), audits of ISO 9001, ISO/IEC 17799, ISO/IEC 27001 and the ISO 27018 cloud security
standard, and audits of industry-specific standards such as HIPAA controls.

Within the broad scope of auditing information security there are multiple types of audits, multiple
objectives for different audits, etc. Audits can be broken down into a number of types, from the
simple analysis of security architecture based on opinion, to a full-blown, end-to-end audit against a
security framework such as ISO27001. Auditing information security covers topics from auditing the
physical security of data centres to auditing the logical security of databases and highlights key
components to look for and different methods for auditing these areas. When centred on the IT
aspects of information security, it can be seen as a part of an information technology audit. It is
often then referred to as an information technology security audit or a computer security audit.
However, information security encompasses much more than IT.

Security Review
A security review is when the security posture of an organization is examined based on
professional experience and opinion. In this type of examination, issues that stand out are
sought as a way to help define the starting point for further activities. Running a vulnerability
scanner such as Nessus would fall under this category. The tool generates a list of potential
security issues, but the data must be analysed further to determine what needs to be acted
on. This is the most basic form of security analysis and the primary output is in the form of an
opinion. Examples include: Penetration test, Vulnerability scan, Architecture review, Policy
review, Compliance review, Risk analysis.


Security Assessment
Security assessments utilize professional opinion and expertise, but they also analyse the
output for relevancy and criticality to the organization. The analysis aspect of an
assessment attempts to quantify the risk associated with the items discovered to
determine the extent of the problem. If an organisation has two servers with the same
vulnerability, but one is the financial server and the other operates as a print server, a
security assessment would rank the financial server as a high risk and the print server as a
lower risk based on the severity and damage potential. The biggest differentiator between
an assessment and a review is the depth to which the auditor examines the system and
analyses the results. Examples include: Vulnerability assessment, Risk assessment,
Architecture assessment, Policy assessment.
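An added example (not from the handbook) that works through the ranking described above and step H of "Functions in an Audit" in Unit I (Risk = probability * harm): the same weakness on a financial server and a print server is scored, findings are ordered by risk, and an extremely unlikely but catastrophic item is flagged as a "Black Swan" for formal management acceptance. Asset names, criticality scores, severities, probabilities and thresholds are constructed for illustration.

```python
"""Risk = probability * harm, applied to audit findings.

Added example for this handbook (not from the original text). Assets,
criticality scores, probabilities and the Black Swan thresholds are
constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Business criticality of each asset on the component list, 1 (low) to 5 (high).
ASSET_CRITICALITY = {
    "finance-db-01": 5,   # financial server: high damage potential
    "hr-web-01": 4,
    "print-srv-01": 1,    # print server: low damage potential
}

# Black Swan rule (constructed thresholds): a probability at or below this with
# harm at or above this is usually not cost effective to mitigate.
BLACK_SWAN_MAX_PROBABILITY = 0.02
BLACK_SWAN_MIN_HARM = 20

MITIGATE = "mitigate"
ACCEPT = "management acceptance (Black Swan)"


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    severity: int        # technical severity of the weakness, 1-5
    probability: float   # likelihood the threat materialises, 0.0-1.0


@dataclass(frozen=True)
class RankedFinding:
    finding: Finding
    harm: int            # damage potential = severity * asset criticality (max 25)
    risk: float          # probability * harm
    disposition: str     # MITIGATE or ACCEPT


def harm_for(finding: Finding, criticality: dict[str, int]) -> int:
    """Damage potential scales the technical severity by the asset's business value."""
    if finding.asset not in criticality:
        raise KeyError(f"{finding.asset!r} is not on the component list")
    if not 1 <= finding.severity <= 5 or not 0.0 <= finding.probability <= 1.0:
        raise ValueError(f"out-of-range severity or probability in {finding.title!r}")
    return finding.severity * criticality[finding.asset]


def is_black_swan(probability: float, harm: int) -> bool:
    """Extremely unlikely, but catastrophic if it happens."""
    return probability <= BLACK_SWAN_MAX_PROBABILITY and harm >= BLACK_SWAN_MIN_HARM


def prioritise(findings: list[Finding], criticality: dict[str, int]) -> list[RankedFinding]:
    """Score every finding with Risk = probability * harm and order highest risk first."""
    ranked = []
    for finding in findings:
        harm = harm_for(finding, criticality)
        risk = round(finding.probability * harm, 2)
        disposition = ACCEPT if is_black_swan(finding.probability, harm) else MITIGATE
        ranked.append(RankedFinding(finding, harm, risk, disposition))
    # Highest risk first; on a tie the larger harm leads.
    ranked.sort(key=lambda r: (r.risk, r.harm), reverse=True)
    return ranked


# Constructed findings: the same missing-patch weakness on two servers, plus two more.
SAMPLE_FINDINGS = [
    Finding("finance-db-01", "Missing OS security patches", severity=4, probability=0.3),
    Finding("print-srv-01", "Missing OS security patches", severity=4, probability=0.3),
    Finding("hr-web-01", "Default administrator password on web console", severity=5, probability=0.5),
    Finding("finance-db-01", "Data centre lost to a regional disaster", severity=5, probability=0.01),
]


if __name__ == "__main__":
    for r in prioritise(SAMPLE_FINDINGS, ASSET_CRITICALITY):
        print(f"{r.risk:5.2f}  harm={r.harm:2d}  {r.finding.asset:14s} "
              f"{r.finding.title} -> {r.disposition}")
```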

Security Audit
A security Audit examines the organization’s security posture against an industry standard
(ISO27001 or COBIT) and/or industry regulatory compliance such as HIPAA or PCI. An audit
includes review and assessment; it also conducts a gap analysis against standards to measure
how well the organization complies. Audits take into account people, processes, and
technologies, and it compares them to a benchmark in a standardized and repeatable way.
Examples include: Compliance audit, Policy audit, Procedure audit, Risk audit.

Some of the specific audits that can be included in the above categories are:

• Penetration Test
• Vulnerability Audit
• Web Application Security Audit
• Mobile Application Security Audit
• Audit Overall Concept
• IT-Risk Analyses
• Audit Access Control / Social Engineering
• Architecture, Design and Code Review
• Wireless Systems Audit
• Embedded Systems Audit
• Information Protection Audit
• Roles and Rights Audit
• Endpoint Audit (clients)
• Digital Guard Service
• Configuration Audit (firewalls, servers, etc.)


2.2 Phases of Information Security Audit


Phases of Information Security Audit
• Pre-audit agreement stage
Agree on scope and objective of the audit. Agree on the level of support that will be provided.
Agree on locations, duration and other parameters of the audit. Agree on financial and other
considerations. Confidentiality agreements and contracting to be completed at this stage.
Developing/creating a formal agreement (e.g., statement of work, audit memorandum, or
engagement memo) to state the audit objectives, scope, and audit protocol
• Initiation and Planning stage
Conducting a preliminary review of the client’s environment, mission, operations, policies, and
practices. Performing risk assessments of client environment, data, and technology resources.
Completing research of regulations, industry standards, practices, and issues. Reviewing current
policies, controls, operations, and practices. Holding an Entrance Meeting to review the
engagement memo, to request items from the client, schedule client resources, and to answer
client questions. This will also include laying out the time line and specific methods to be used for
the various activities.
• Data collection and fieldwork (Test phase)
This stage is to accumulate and verify sufficient, competent, relevant, and useful evidence to
reach a conclusion related to the audit objectives and to support audit findings and
recommendations. During this phase, the auditor will conduct interviews, observe procedures and
practices, perform automated and manual tests, and other tasks. Fieldwork activities may be
performed at the client’s worksite(s) or at remote locations, depending on the nature of the audit.
• Analysis
Analyses are performed after documentation of all evidence and data, to arrive at the audit
findings and recommendations. Any inconsistencies or open issues are addressed at this time.
The auditor may remain on-site during this phase to enable prompt resolution of questions and
issues. At the end of this phase, the auditor will hold an Exit Meeting with the client to discuss
findings and recommendations, address client questions, discuss corrective actions, and resolve
any outstanding issues. A first draft of the findings and recommendations may be presented to
the client during the exit meeting.
• Reporting
Generally, the Information Security Audit Program will provide a draft audit report after
completing fieldwork and analysis. If the client’s response requires changes to the draft,
the auditor may issue a second draft. Once the client is satisfied that the terms of the audit have
been complied with, the final report is issued with the auditor’s findings and recommendations.
• Follow-through
Depending on expectations and agreements, the auditor will evaluate the effectiveness of the
corrective action taken by the client, and, if necessary, advise the client on alternatives that may
be utilized to achieve desired improvements. In larger, more complex audit situations, follow-up
may be repeated several times as additional changes are initiated. Additional audits may be
performed to ensure adequate implementation of recommendations. The level of risk and
severity of the control weakness or vulnerability dictate the time allowed between the reporting
phase and the follow-up phase. The follow-up phase may require additional documentation for
the audit client.


2.3 Information Security Audit Methodology


Need for a Methodology

Audits need to be planned and have a certain methodology to cover the total material risks of an
organization. A planned methodology is also important as this clarifies the way forward to all in the
organization and the audit teams. Which methodology and technique is used is less important than
having all the participants within the audit approach the subject in the same manner.

Audit methodologies

There are two primary methods by which audits are performed: start with the overall view of the
corporate structure and drill down to the minutiae, or begin with a discovery process that builds up
a view of the organization.

Audit methods may also be classified according to the type of activity. There are three types:

a. Testing – Pen tests and other testing methodologies are used to explore
vulnerabilities. In other words, exercising one or more assessment objects to
compare actual and expected behaviours.
b. Examination and Review – This includes reviewing policies, processes, logs, other
documents, practices, briefings, situation handling, etc. In other words, checking,
inspecting, reviewing, observing, studying, or analysing assessment objects.
c. Interviews and Discussion – This involves group discussions, individual interviews,
etc.

The three methods combine together to form an effective methodology for an overall audit.


Auditing techniques:

Various auditing techniques are used:


Examination Techniques
Examination techniques are generally conducted manually to evaluate systems, applications,
networks, policies, and procedures in order to discover vulnerabilities.
• Techniques include
o Documentation review
o Log review
o Ruleset and system configuration review
o Network sniffing
o File integrity checking
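File integrity checking, the last examination technique listed above, as an added worked example (not code from the handbook): it builds a SHA-256 baseline of a directory tree, re-hashes the tree later and reports which files were added, removed or modified. The directory layout, file names and contents in demo() are constructed stand-ins for real system files.

```python
"""File integrity checking as an audit examination technique.

Added example for this section of the handbook, not the handbook's own code.
Builds a SHA-256 baseline of a directory tree, re-hashes the tree later and
reports which files were added, removed or modified. The files used in demo()
are constructed stand-ins for real system files.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 64 * 1024  # read in chunks so large files do not exhaust memory


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's contents."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to digest and size.

    Symlinks are skipped: hashing the link target would let a replaced link
    masquerade as an unchanged file.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots into audit findings.

    Only content (the digest) decides 'modified'; a touched timestamp with
    identical bytes is not a finding.
    """
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(
            name for name in old & new
            if baseline[name]["sha256"] != current[name]["sha256"]
        ),
    }


def save_baseline(baseline: dict, store: Path) -> None:
    """Persist the baseline; in a real audit keep it off the audited host."""
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> dict:
    """Read a baseline written by save_baseline()."""
    return json.loads(store.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small config tree, alter it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "target"   # the tree being audited
        store = Path(tmp) / "store"     # where the baseline is kept
        (target / "etc").mkdir(parents=True)
        (target / "bin").mkdir()
        store.mkdir()
        (target / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (target / "etc" / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        (target / "bin" / "login").write_bytes(b"\x7fELF constructed stand-in")

        save_baseline(build_baseline(target), store / "baseline.json")

        # Changes an auditor would want surfaced: a hardening setting flipped,
        # an access-control file removed, and an unexpected new scheduled job.
        (target / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (target / "etc" / "hosts.allow").unlink()
        (target / "etc" / "cron.d").mkdir()
        (target / "etc" / "cron.d" / "nightly").write_text("0 2 * * * root /opt/sync\n")
        # Re-writing identical bytes changes the mtime but must not be a finding.
        (target / "bin" / "login").write_bytes(b"\x7fELF constructed stand-in")

        return compare(load_baseline(store / "baseline.json"), build_baseline(target))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```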

Target Identification and Analysis Techniques

These testing techniques are generally performed using automated tools to identify systems, ports,
services, and potential vulnerabilities.
• Techniques include
o Network discovery
o Network port and service identification
o Vulnerability scanning
o Wireless scanning
o Application security examination

Target Vulnerability Validation Techniques

These testing techniques corroborate the existence of vulnerabilities; they may be performed
manually or with automated tools.
• Techniques include
o Password cracking
o Penetration testing
o Social engineering
o Application security testing

Organizations use a combination of these techniques to ensure effectiveness and to meet the
objectives of the audit.


2.4 Security Testing Frameworks


There are numerous security testing methodologies being used today by security auditors for
technical control assessment.

Four of the most common are as follows:

• Open Source Security Testing Methodology Manual (OSSTMM)
• Information Systems Security Assessment Framework (ISSAF)
• NIST 800-115
• Open Web Application Security Project (OWASP)

All of these frameworks provide a detailed, process-oriented manner in which to conduct a security
test, and each has its particular strengths and weaknesses. Most auditors and penetration testers
use these frameworks as a starting point to create their own testing process, and they find a lot of
value in referencing them.

OSSTMM

The OSSTMM highlights the systems approach to security testing by dividing assessment areas
into six interconnected modules:

• Information Security: Competitive intelligence, data leakage, and privacy review
• Process Security: Access granting processes and social engineering testing
• Internet Technologies Security: Network mapping, port scanning, service and operating
system (OS) identification, vulnerability scanning, Internet app testing, router/firewall
testing, IDS testing, malicious code detection, password cracking, denial of service, and
policy review
• Communications Security: Private branch exchange (PBX)/phone fraud, voicemail, fax, and
modem
• Wireless Security: 802.11, Bluetooth, handheld scanning, surveillance, radio frequency
identification (RFID), and infrared
• Physical Security: Perimeter, monitoring, access control, alarm systems, and environment

ISSAF

The ISSAF is one of the largest free assessment methodologies available. Each control test has
detailed instructions for operating testing tools and what results to look for. It is split into two
primary documents. One is focused on the business aspect of security, and the other is designed as a
penetration test framework. The level of detailed explanation of services, security tools to use, and
potential exploits is high and can help both an experienced security auditor and someone getting
started in auditing.


NIST 800-115

NIST 800-115, Technical Guide to Information Security Testing, provides guidance and a
methodology for reviewing security that the U.S. government's various departments are required
to follow. Like all NIST-created documents, 800-115 is free for use in the private sector. It includes
templates, techniques, and tools that can be used for assessing many types of systems and
scenarios. It is not as detailed as the ISSAF or OSSTMM, but it does provide a repeatable process for
conducting security reviews. The document includes guidance on the following:

• Security testing policies
• Management's role in security testing
• Testing methods
• Security review techniques
• Identification and analysis of systems
• Scanning and vulnerability assessments
• Vulnerability validation (pen testing)
• Information security test planning
• Security test execution
• Post-test activities

OWASP

The OWASP testing guide was created to assist web developers and security practitioners in better
securing web applications. A proliferation of poorly written and executed web applications has
resulted in numerous, easily exploitable vulnerabilities that put the Internet community at risk of
malware, identity theft, and other attacks. The OWASP testing guide has become the standard for
web application testing and has helped increase the awareness of security issues in web applications
through testing and better coding practices.

The OWASP testing methodology is split as follows:

• Information gathering
• Configuration management
• Authentication testing
• Session management
• Authorization testing
• Business logic testing
• Data validation testing
• Denial of service testing
• Web services testing
• AJAX testing

The OWASP project also has a subproject called WebGoat, a deliberately vulnerable web application
that can be loaded in a controlled environment to practise these techniques against a live system.

Whatever the approach to testing security controls, it must be consistent, repeatable, and based on
best practices.


2.5 Audit Process


A successful audit will minimally:

1. Establish a prioritized list of risks to an organization.

2. Delineate a plan to alleviate those risks.

3. Validate that the risks have been mitigated.

4. Develop an ongoing process to minimize risk.

5. Establish a cycle of reviews to validate the process on a perpetual basis.

2.6 Auditing Security Practices


The first step for evaluating security controls is to examine the organization’s policies, security
governance structure, and security objectives because these three areas encompass the business
practices of security.

Security controls are selected and implemented because of security policies or security
requirements mandated by law.

Security is a service provided by IT to the business, so measuring it as such enables you to see many
of the connections to the various functions of the business. There are standards, laws, and
benchmarks that you can use as your baseline to compare against.

Normally, you include content from multiple areas, as businesses may have more than one
regulation with which they must comply. It is easiest to start with the organization’s policies and
build your security auditing plan from there. Some criteria against which you can compare the
service of security are:

• Evaluation against the organization’s own security policy and security baselines
• Regulatory/industry compliance: Health Insurance Portability and Accountability Act
(HIPAA), Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), and Payment Card
Industry (PCI)
• Evaluation against standards such as NIST 800 or ISO 27002
• Governance frameworks such as COBIT or COSO

After you have identified the security audit criteria that the organization needs to comply with, the
next phase is to perform assessments to determine how well the organization achieves its goals. A
number of assessments are usually required; which ones are appropriate is determined by referring
back to the scope, which defines the boundaries of the audit. The following are types of assessments
that might be performed to test security controls:


• Risk assessments: This type of assessment examines potential threats to the
organization by listing areas that could be sources of loss such as corporate espionage,
service outages, disasters, and data theft. Each is prioritized by severity, matched to the
identified vulnerabilities, and used to determine whether the organization has adequate
controls to minimize the impact.
• Policy assessment: This assessment reviews policy to determine whether the policy
meets best practices, is unambiguous, and accomplishes the business objectives of the
organization.
• Social engineering: This involves penetration testing against people to identify whether
security awareness training, physical security, and facilities are properly protected.
• Security design review: The security design review is conducted to assess the
deployment of technology for compliance with policy and best practices. These types of
tests involve reviewing network architecture and design and monitoring and alerting
capabilities.
• Security process review: The security process review identifies weaknesses in the
execution of security procedures and activities. All security activities should have written
processes that are communicated and consistently followed. The two most common
methods for assessing security processes are interviews and observation:
o Interviews: Talking to the actual people responsible for maintaining security, from users
to systems administrators, provides a wealth of evidence about the people aspect of
security. How do they feel about corporate security methods? Can they answer basic
security policy questions? Do they feel that security is effective? The kind of information
gathered helps identify any weakness in training and in the organization’s commitment to
adhering to policy.
o Observation: Physical security can be tested by walking around the office and observing
how employees conduct themselves from a security perspective. Do they walk away
without locking their workstations or have sensitive documents sitting on their desks?
Do they leave the data centre door propped open, or do they not have a sign-out
procedure for taking equipment out of the building? It is amazing what a stroll through
the cubicles of a company can reveal about the security posture of an organization.
• Document review: Checking the effectiveness and compliance of the policy, procedure,
and standards documents is one of the primary ways an auditor can gather evidence.
Checking logs, incident reports, and trouble tickets can also provide data about how IT
operates on a daily basis.
• Technical review: This is where penetration testing and technical vulnerability testing
come into play. One of the most important services an auditor offers is to evaluate the
competence and effectiveness of the technologies relied upon to protect a corporation’s
assets.

This section covered evaluation techniques for auditing security practices within an organization.
Many of the security practices used to protect a company are process- and policy-focused. They
represent the primary drivers for technology purchases and deployment. Technology can automate
many of these processes and policies and needs a different approach to testing effectiveness. The
remainder of this chapter covers tools that can be used to test security technologies.


2.7 Testing Security Technology


There are many terms used to describe the technical review of security controls. Ethical hacking,
penetration test, and security testing are often used interchangeably to describe a process that
attempts to validate security configuration and vulnerabilities by exploiting them in a controlled
manner to gain access to computer systems and networks. There are various ways that security
testing can be conducted, and the choice of methods used ultimately comes down to the degree to
which the test examines security as a system.

There are generally two distinct levels of security testing commonly performed today:

Vulnerability assessment:

This technical assessment is intended to identify as many potential weaknesses in a host,
application, or entire network as possible, based on the scope of the engagement. Configurations,
policies, and best practices are all used to identify potential weaknesses in the deployment or
design of the entity being tested. These types of assessments are notorious for finding an
enormous number of potential problems, which require a security expert to prioritize and validate
the real issues that need to be addressed. Running vulnerability scanning software can result in
hundreds of pages of items being flagged as vulnerable when in reality they are not exploitable.

Penetration test:

The penetration test is intended to assess the prevention, detection, and correction controls of a
network by attempting to exploit vulnerabilities and gain control of systems and services.
Penetration testers (also known as PenTesters) scan for vulnerabilities as part of the process just
like a vulnerability assessment, but the primary difference between the two is that a PenTester
also attempts to exploit those vulnerabilities as a method of validating that there is an exploitable
weakness. Successfully taking over a system does not show all possible vectors of entry into the
network, but can identify where key controls fail. If someone is able to exploit a device without
triggering any alarms, then detective controls need to be strengthened so that the organization
can better monitor for anomalies.

Security control testing is an art form in addition to a technical security discipline. It takes a certain
type of individual and mind-set to figure out new vulnerabilities and exploits. Penetration testers
usually fit this mould, and they must constantly research new attack techniques and tools. Auditors,
on the other hand, might not test to that degree and will more than likely work with a penetration
tester or team if a significant level of detailed knowledge is required for the audit.

When performing these types of engagements, four classes of penetration tests can be conducted
and are differentiated by how much prior knowledge the penetration tester has about the system.
The four types are:

• Red Team/Blue Team assessment
• White-Box
• Black-Box
• Gray-Box

What does a Red Team do?


_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

What does a Blue Team do?

_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

• Red Team/Blue Team assessment: The terms Red and Blue Team come from the military, where
combat teams are tested to determine operational readiness. In the computer world, a Red and Blue
Team assessment is like a war game, where the organization being tested is put to the test in as real
a scenario as possible. Red Team assessments are intended to show all of the various methods an
attacker can use to gain entry. It is the most comprehensive of all security tests. This assessment
method tests policy and procedures, detection, incident handling, physical security, security
awareness, and other areas that can be exploited. Every vector of attack is fair game in this type of
assessment. It is used to simulate attacks and to test the ability to develop defences against these
attacks. The Red Team is designated as the attacker and the Blue Team as the builder of the defence
mechanisms.

The two teams sharpen an organization’s detection and response capability. This is done through
sharing of intelligence data, understanding threat actors' TTPs (tactics, techniques and procedures),
mimicking these TTPs through a series of scenarios, and configuring, tuning and improving the
detection and response capability.

Penetration tests as part of auditing can be conducted in several ways. The most common difference
is the amount of knowledge of the implementation details of the system being tested that is
available to the testers.


• Black box testing

This assumes no prior knowledge of the infrastructure to be tested. The testers must first
determine the location and extent of the systems before commencing their analysis.

• White box testing

This provides the testers with complete knowledge of the infrastructure to be tested, often
including network diagrams, source code, and IP addressing information.

• Grey box testing

These are the variations in between the white and the black box, where the testers
have partial information.

Penetration tests can also be described as "full disclosure" (white box), "partial disclosure"
(grey box), or "blind" (black box) tests based on the amount of information provided to the
testing party.

Features and Uses

Black box testing simulates an attack from someone who is unfamiliar with the system.

White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive
information, where the attacker has access to source code, network layouts, and possibly even some
passwords.

White box techniques involve direct analysis of the application’s source code, and black box
techniques are performed against the application’s binary executable without source code
knowledge.

Most assessments of custom applications are performed with white box techniques, since source
code is usually available—however, these techniques cannot detect security defects in interfaces
between components, nor can they identify security problems caused during compilation, linking, or
installation-time configuration of the application.

White box techniques still tend to be more efficient and cost-effective for finding security defects in
custom applications than black box techniques.

Black box techniques should be used primarily to assess the security of individual high-risk compiled
components; interactions between components; and interactions between the entire application or
application system with its users, other systems, and the external environment. Black box
techniques should also be used to determine how effectively an application or application system
can handle threats.

Auditors should have a base knowledge of testing tools and techniques. Using testing frameworks is
a useful way to develop a technical testing plan.


2.8 Reliance on Checklists and Templates


It is important to develop and use standard checklists for audits, as this ensures that data is collected
in a uniform manner. It also ensures that no critical data point or activity is omitted.
One must ensure the templates and checklists are agreed upon prior to use and come from recognised
sources. They should be understood in the same way by all participating in the audit. It is important
that those carrying out the audit understand the importance of capturing information in detail.


Summary
• Broadly, there are two types of audit, internal and external.
• External audits are commonly conducted by independent, certified parties in an objective
manner.
• Internal audits are usually conducted by experts linked to the organization, and they involve a
feedback process where the auditor may not only audit the system but also potentially provide
advice in a limited fashion. They differ from the external audit in allowing the auditor to discuss
mitigation strategies with the owner of the system that is being audited.
• Within the broad scope of auditing information security there are multiple types of audits,
multiple objectives for different audits, etc. Audits can be broken down into a number of types,
from the simple analysis of security architecture based on opinion, to a full-blown, end-to-end
audit against a security framework such as ISO 27001.
• A security review is when the security posture of an organization is examined based on
professional experience and opinion. In this type of examination, issues that stand out are
sought as a way to help define the starting point for further activities.
• Security assessments utilize professional opinion and expertise, but they also analyse the output
for relevancy and criticality to the organization. The analysis aspect of an assessment attempts
to quantify the risk associated with the items discovered to determine the extent of the
problem.
• A security audit examines the organization’s security posture against an industry standard
(ISO 27001 or COBIT) and/or industry regulatory compliance such as HIPAA or PCI. An audit
includes review and assessment; it also conducts a gap analysis against standards to measure
how well the organization complies.
• Auditing techniques include
o Documentation review
o Log review
o Ruleset and system configuration review
o Network sniffing
o File integrity checking
• Four of the most common standard frameworks are as follows:
o Open Source Security Testing Methodology Manual (OSSTMM)
o Information Systems Security Assessment Framework (ISSAF)
o NIST 800-115
o Open Web Application Security Project (OWASP)
• Red Teaming is a process designed to detect network and system vulnerabilities and test security
by taking an attacker-like approach to system/network/data access. This process is also called
"ethical hacking" since its ultimate purpose is to enhance security. Red Teams are third-party
entities hired to make an impartial assessment of the network or system.
• The Blue Team’s responsibility is to detect, respond to and mitigate the attacks of the
offensive Red Teams. Blue Teams need access to log data, SIEM data, threat intelligence data and
network traffic capture data. The Blue Team needs to be able to analyse vast swathes of data
to detect the vulnerability under attack.
• Black box testing: This assumes no prior knowledge of the infrastructure to be tested. The
testers must first determine the location and extent of the systems before commencing their
analysis.
• White box testing: This provides the testers with complete knowledge of the infrastructure to be
tested, often including network diagrams, source code, and IP addressing information.
• Grey box testing: These are the variations in between the white and the black box, where
the testers have partial information.


Practical activities:

Activity 1:

Search various Information Security Service Audit Organizations on the internet and prepare
a list of services they offer and the process or methodology followed. Present the same in
class.

Activity 2:

Go through various organizations’ websites and understand the various security policies and
guidelines. Prepare a descriptive write-up on the subject.

Activity 3:

Go through various security benchmarks, research and learn to conduct security audits and
the creation of reports and audit templates. Present in a group the audit approach.

Activity 4:

Go through security benchmarks like ISO 27001, PCI DSS, and the Center for Internet Security
benchmarks, and understand the implications of not maintaining such standards.


Check your understanding:


Q. Which one of the following is the correct full form of ISG?
a) Information Security Group
b) Information Secured Governance
c) Information Security Governance
d) Information Securities and Governance

Q. A security professional is testing the functionality of an application, but does not have any
knowledge about the internal coding of the application. What type of test is this tester performing?
a) White box
b) Black box
c) Gray box
d) Black hat
Q. Testers are analysing a web application your organization is planning to deploy. They have full
access to product documentation, including the code and data structures used by the application.
What type of test will they MOST likely perform?
a) Gray box
b) White box
c) Black box
d) White hat
Q. Which of the following is NOT one of the four most common security auditing frameworks?
a) Open Source Security Testing Methodology Manual (OSSTMM)
b) NIST 800-115
c) National Cyber Awareness System (NCAS)
d) Information Systems Security Assessment Framework (ISSAF)
Q. Log review is part of which of the following categories of auditing techniques?
a) Target Vulnerability Validation Techniques
b) Examination review techniques
c) Target Identification and Analysis Techniques
d) Interviews and discussions

Q. Arrange the following audit stages in the order of execution, starting from 1 to 6.
A. Data collection and field work ______
B. Follow-through ______
C. Pre-audit agreement stage ______
D. Initiation and Planning stage ______
E. Reporting ______
F. Analysis ______
Q. The test phase is part of which of the following audit stages?
a) Analysis
b) Pre-audit agreement stage
c) Data collection and fieldwork
d) Initiation and planning


Q. List the three types of audit methods, classified by type of activity.
1. ____________________________
2. ____________________________
3. ____________________________

NOTES:
__________________________________________________________________________________
592
Student Handbook – Security Analyst SSC/N0904/N0905

UNIT III
Information Security Auditor

This Unit covers:

• Lesson Plan
3.1. Role of an Auditor
3.2. Auditor Activities
3.3. Information Security Audit Consultants
3.4. Hiring an Information Security Auditor
3.5. Required Skills Sets of an Information Security Auditor
3.6. Ethics of an Information Security Auditor
3.7. What Makes an Information Security Auditor
3.8.


LESSON PLAN

Performance Outcomes:

To be competent, you must be able to:
PC1. establish the nature and scope of information security audits and your role and responsibilities within them (0904)
PC6. refer to appropriate people where audit tasks are beyond your levels of knowledge, skills and competence (0904)
PC4. liaise with appropriate people to gather data/information required for information security audits (0905)

Ensuring Measures:
1. List and discuss the various skills, knowledge and qualifications of an auditor and a security analyst carrying out audit activities
2. Discuss details of formal qualifications for acquiring these skills and knowledge and the benefits of getting formal qualifications

Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Access to sites like ISACA

Performance Outcomes:

You need to know and understand:
KA5./KA11. who to involve when carrying out information security audits (0904/0905)
KA5. the role of teams in information security audits (0905)
KA17. the importance of providing immediate support to auditors as required (0905)
KB4. additional information that may be required by auditors and where to source this (0905)

Ensuring Measures:
1. Research and discuss the various individual and team competencies (skills/knowledge) that audit providing consultants offer
2. Research, as a security analyst, what roles one plays in various types of audits

Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Access to sites like ISACA


Lesson

3.1 Role of an Auditor


• The role of the auditor is to identify, measure, and report on risk. The auditor is not tasked to fix
the problem, but to give a snapshot in time of the effectiveness of the security program. The
objective of the auditor is to report on security weakness.

• Auditors ask the questions, test the controls, and determine whether the security policies are
followed in a manner that protects the assets the controls are intended to secure by measuring
the organization’s activities versus its security best practices.

• The auditor functions as an independent advisor and inspector.

• The auditor is responsible for planning and conducting audits in a manner that is fair and
consistent to the people and processes that are examined.

• The auditing charter or engagement letter defines the conduct and responsibilities of an auditor.

• Depending on how a company’s auditing program is structured, ultimate accountability for the
auditor is usually to senior management or the Board of Directors.

• Auditors are usually required to present a report to management about the findings of the audit
and also make recommendations about how to reduce the risk identified.

The auditors are responsible for the following:

• Plan, execute and lead security audits across an organization.

• Inspect and evaluate financial and information systems, management procedures and
security controls

• Evaluate the efficiency, effectiveness and compliance of operation processes with
corporate security policies and related government regulations

• Develop and administer risk-focused exams for IT systems

• Review or interview personnel to establish security risks and complications

• Execute and properly document the audit process on a variety of computing
environments and computer applications

• Assess the exposures resulting from ineffective or missing control practices

• Accurately interpret audit results against defined criteria

• Weigh the relevancy, accuracy and perspective of conclusions against audit evidence

• Provide a written and verbal report of audit findings

• Develop rigorous “best practice” recommendations to improve security on all levels

• Work with management to ensure security recommendations comply with company
procedure

• Collaborate with departments to improve security compliance, manage risk and bolster
effectiveness


3.2 Auditor Activities


The following tasks and activities are carried out by the auditor in discharging their responsibilities:

• Auditing the information asset management process will verify that the critical assets are
being managed in accordance with the IT/IS policies.

• The auditor audits the information security and privacy policies and standards. The auditor
begins with policies and standards related to access control, data classification and network
security. In addition, they focus on other policies and standards such as vendor
management, vulnerability management and data leakage prevention.

• One of the important roles of audit is to verify that the policies and standards are not just
documented but are actually being implemented by users across the enterprise. This
verification can be accomplished by performing an audit of the security training and
awareness program.

• Instead of focusing on the actual access of each user, the auditor focuses on the IAM process
and verifies that the IAM process is working as designed. Auditing an automated IAM process
ensures the integrity of the process. The audit also focuses on the workflow, which includes
the approval hierarchy. Several IAM vendors are starting to provide mechanisms to
incorporate segregation of duties (SoD) checks within the workflow. If an organization has
incorporated the SoD checks in the workflow, it is important to include this process within its
audit scope.

• During the audit of policies and standards, the auditor should understand how the policies
and standards are being communicated across the enterprise. Every organization has a
communication method (e-mail, posting on an intranet web page, periodic security
seminars, monthly security awareness training, lunch-n-learns, etc.).

• The responsible auditor should determine if logging is enabled in critical systems. Where
logs are enabled, the auditor verifies that there is a process for monitoring. The auditor also
verifies that the process has been assigned to a person and that this person is executing this
process. The focus here is on data leakage prevention (DLP). Besides verifying that the
proper access is granted to each individual, the auditor focuses on how the approved users
are using the data assets. Are data being encrypted properly before they are sent outside of
the organization? Depending on an organization’s DLP policy, the SIEM system can
potentially help the auditor determine if the data are being copied on USB drives and leaving
the organization.

• In today’s business environment, Governance, Risk Management and Compliance (GRC)
processes are critical to the auditor. The auditor examines corporate governance processes
and verifies that an infrastructure has been created to identify and manage risks. The
governance structure should be active and ongoing, which means that the executives should
conduct periodic meetings to address risks. The auditor also identifies all relevant
regulations and industry standards and performs periodic compliance reviews based on
identified and relevant risks. Noncompliance should be tracked and managed by executive
management.


• The internal auditor should identify how the organization is connected to the outside, and
who on the outside is connected to the organization. There is a total reliance by some
organizations on Statement on Auditing Standards No. 70 (SAS 70) Type II reports for review
of external vendors. While SAS 70 is good, it is not final. The auditor first verifies that there is
a policy in place to address third-party connections. In addition to the SAS 70 report, the
organization should periodically perform its own audit of the vendor to certify that its
policies and security needs are being adequately addressed (the organization may have to
ensure that the vendor contracts allow for this audit). Changes performed by the third-party
vendor on systems affecting the organization should follow the organization’s normal
change management process.

• Also, the auditor should follow the entire process within the extended enterprise where the
critical data assets reside. For example, an enterprise may do an exceptional job of
protecting critical data assets within the enterprise, but an unencrypted backup tape can fall
off a vendor’s truck and expose critical information and put the enterprise at risk. An audit
of the entire process will definitely reduce the risks associated with the extended enterprise.
This extended enterprise may exist globally and could add more complexity to the audit
plans.

• The auditor verifies that a business continuity plan exists and is maintained and tested
periodically. The auditor should also make sure that the plan covers all the risks associated
with the business and that it is enough to keep the business in operation in times of
disruption. The IT auditor should understand the difference between business continuity and
disaster recovery and make sure that each is adequately addressed and periodically tested.

• The auditor identifies a catalog of IT initiatives, reviews the business reasons for the project
and identifies the executive sponsor for the project. The auditor obtains and reviews the
management reports from IT to executive management and verifies that sufficient
information is provided to management. The auditor verifies that IT initiatives are
adequately aligned with business objectives.
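As an added example (not from the handbook or any IAM product), the workflow-integrity checks described above for an automated IAM process, written as a small Python audit script: it replays approved access requests, flags self-approval and approvals that bypass the expected manager, and applies a segregation-of-duties conflict matrix. The roles, conflict pairs, user names and request records are all constructed for illustration.

```python
"""Audit checks over an automated IAM access-request workflow: approval
hierarchy integrity and segregation-of-duties (SoD) conflicts.

Added example (not from the handbook or any IAM product). Roles, conflict
pairs, user names and request records are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed SoD rules: a single user must not hold both roles of any pair.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_release"}),
    frozenset({"code_commit", "prod_deploy"}),
    frozenset({"user_admin", "audit_log_admin"}),
}


@dataclass(frozen=True)
class AccessRequest:
    request_id: str
    requester: str
    role: str
    approver: str
    approved: bool
    requester_manager: str  # the approver the workflow design expects


@dataclass(frozen=True)
class Finding:
    request_id: str
    severity: str  # "high" or "medium"
    detail: str


def sod_conflicts(held_roles: set[str], new_role: str) -> list[str]:
    """Roles already held that conflict with new_role under SOD_CONFLICTS."""
    return sorted(r for r in held_roles if frozenset({r, new_role}) in SOD_CONFLICTS)


def audit_requests(requests: list[AccessRequest],
                   current_roles: dict[str, set[str]]) -> list[Finding]:
    """Replay approved requests in order, simulating each grant, and record
    findings. current_roles is the {user: roles} state at the start of the
    audit period; denied requests change nothing and are skipped."""
    roles = {user: set(held) for user, held in current_roles.items()}
    findings: list[Finding] = []
    for req in requests:
        if not req.approved:
            continue
        # Approval hierarchy: nobody approves their own access, and the
        # approver must be the manager the workflow design names.
        if req.approver == req.requester:
            findings.append(Finding(req.request_id, "high",
                                    f"self-approval by {req.requester}"))
        elif req.approver != req.requester_manager:
            findings.append(Finding(req.request_id, "medium",
                                    f"approved by {req.approver}, expected "
                                    f"manager {req.requester_manager}"))
        # SoD: the grant must not combine with roles the user already holds.
        held = roles.setdefault(req.requester, set())
        conflicts = sod_conflicts(held, req.role)
        if conflicts:
            findings.append(Finding(req.request_id, "high",
                                    f"SoD conflict: {req.role} with "
                                    f"{', '.join(conflicts)} for {req.requester}"))
        held.add(req.role)
    return findings


# Constructed sample: starting role state and one audit period of requests.
START_ROLES = {"asha": {"vendor_create"}, "ravi": set()}
REQUESTS = [
    AccessRequest("R1", "asha", "payment_release", "meena", True, "meena"),
    AccessRequest("R2", "ravi", "code_commit", "ravi", True, "meena"),
    AccessRequest("R3", "ravi", "prod_deploy", "kiran", True, "meena"),
    AccessRequest("R4", "ravi", "user_admin", "meena", False, "meena"),
]


def run_sample() -> list[Finding]:
    """Run the audit over the constructed sample period."""
    return audit_requests(REQUESTS, START_ROLES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.request_id} [{f.severity}] {f.detail}")
```

In a real engagement the request records would be exported from the IAM system's workflow log and the conflict matrix taken from the organization's own SoD policy; the script then gives the auditor evidence that the workflow, not just each user's access, is working as designed.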


3.3 Information Security Audit Consultants


Information Security Audit Consultants – These consultants (individual or organizations) are
usually found in advising or auditing roles for information security.

Security consultants generally fall into one of three categories:

• Management
• Technical
• Forensic

The first step in hiring a reliable consultant is to define the requirements of the job. Does it
involve the analysis of risk, implementation of security systems, regulatory compliance,
management consulting, training or defence of an inadequate security claim? Only after the
requirements of the job are defined can you select the right type of consultant to complete
the work.

A consultant should be independent and not affiliated with a product or service. If your
consultant is not independent, you should know about his or her relationship with a product
or service line and understand that it may result in a conflict of interest.


3.4. Hiring an Information Security Auditor

The following points have to be borne in mind before hiring an audit company as auditors:

Does the consulting organization offer a comprehensive suite of services, tailored to specific
requirements?

Does the consulting organization have a quality certification?

Does the consulting organization have a track record of having handled a similar security
consulting assignment?

Do the organization’s security professionals hold certificates such as CISSP, CISA, CSM and CIPP?

Does the organization have a sound methodology to follow?

Is the organization a recognized contributor within the security industry in terms of research,
publications, etc.?


3.5. Required Skills Sets of an Information Security Auditor

A good auditor requires the following skills and knowledge in the various areas listed below:

Organization-wide security program planning and management
• Knowledge of the legislative requirements for an agency security program
• Knowledge of the sensitivity of data and the risk management process through risk
assessment and risk mitigation
• Knowledge of the risks associated with a deficient security program
• Knowledge of the elements of a good security program
• Ability to analyse and evaluate an organization’s security policies and procedures and
identify their strengths and weaknesses

Access control
• Knowledge across platforms of the access paths into computer systems and of the
functions of associated hardware and software providing an access path
• Knowledge of access level privileges granted to users and the technology used to provide
control to them
• Knowledge of the procedures, tools, and techniques that provide for good physical,
technical, and administrative controls over access
• Knowledge of the risks associated with inadequate access controls
• Ability to analyse and evaluate an organization’s access controls and identify the strengths
and weaknesses
• Skills to review security software reports and identify access control weaknesses
• Skills to perform penetration testing of the organization’s applications and supporting
computer systems

Application software development and change control
• Knowledge of the concept of a system life cycle and of the System Development Life Cycle
(SDLC) process
• Knowledge of the auditor’s role during system development and of federal guidelines for
designing controls into systems during development
• Knowledge of the procedures, tools, and techniques that provide control over application
software development and modification
• Knowledge of the risks associated with the development and modification of application
software
• Ability to analyse and evaluate the organization’s methodology and procedures for system
development and modification and identify the strengths and weaknesses

System software
• Knowledge of the different types of system software and their functions
• Knowledge of the risks associated with system software
• Knowledge of the procedures, tools, and techniques that provide control over the
implementation, modification, and use of system software
• Ability to analyse and evaluate an organization’s system software controls and identify the
strengths and weaknesses
• Skills to use software products to review system software integrity

Segregation of duties
• Knowledge of the different functions involved with information systems and data
processing and incompatible duties associated with these functions

• Knowledge of the risks associated with inadequate segregation of duties
• Ability to analyse and evaluate an organization’s organizational structure and segregation
of duties and identify the strengths and weaknesses

Service continuity
• Knowledge of the procedures, tools, and techniques that provide for service continuity
• Knowledge of the risks that exist when measures are not taken to provide for service
continuity
• Ability to analyse and evaluate an organization’s program and plans for service continuity
and identify the strengths and weaknesses

Application controls
• Knowledge about the practices, procedures, and techniques that provide for the
authorization, completeness, and accuracy of application data
• Knowledge of typical applications in each business transaction cycle
• Ability to analyse and evaluate an organization’s application controls and identify the
strengths and weaknesses
• Skills to use a generalized audit software package to conduct data analyses and tests of
application data, and to plan, extract, and evaluate data samples

Auditors performing tasks in two of the above areas, access controls (which includes penetration
testing) and system software, require additional specialized technical skills. Such technical
specialists should have skills in one or more of the categories listed below:

Network analyst
• Advanced knowledge of network hardware and software
• Understanding of data communication protocols
• Ability to evaluate the configuration of routers and firewalls
• Ability to perform external and internal vulnerability tests with manual and automated
tools
• Knowledge of the operating systems used by servers

Windows/Novell analyst
• Detailed understanding of microcomputer and network architectures
• Ability to evaluate the configuration of servers and the major applications hosted on
servers
• Ability to perform internal vulnerability tests with manual and automated tools

Unix analyst
• Detailed understanding of the primary variants of the Unix architectures
• Ability to evaluate the configuration of servers and the major applications hosted on
servers
• Ability to perform internal vulnerability tests with manual and automated tools

Database analyst
• Understanding of the control functions of the major database management systems
• Understanding of the control considerations of the typical application designs that use
database systems
• Ability to evaluate the configuration of major database software products

Mainframe system software analyst
• Detailed understanding of the design and function of the major components of the
operating system
• Ability to develop or modify tools necessary to extract and analyse control information
from mainframe computers
• Ability to use audit software tools

• Ability to analyse modifications to system software components

Mainframe access control analyst
• Detailed understanding of auditing access control security software such as ACF2, Top
Secret, and RACF
• Ability to analyse mainframe audit log data
• Ability to develop or modify tools to extract and analyse access control information

The Information Systems Audit and Control Association (ISACA) has set forth a code governing the
professional conduct and ethics of all certified IS auditors and members of the association. Every
CISA is expected to be bound by this code. The following points form part of it:

The auditor agrees to:

• Support the implementation of, and encourage compliance with, appropriate standards and
procedures for the effective governance and management of enterprise information systems and
technology, including: audit, control, security and risk management.

• Perform their duties with objectivity, due diligence and professional care, in accordance with
professional standards.

• Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of
conduct and character, and not discrediting their profession or the Association.

• Maintain the privacy and confidentiality of information obtained in the course of their activities
unless disclosure is required by legal authority. Such information shall not be used for personal
benefit or released to inappropriate parties.

• Maintain competency in their respective fields and agree to undertake only those activities they
can reasonably expect to complete with the necessary skills, knowledge and competence.

• Inform appropriate parties of the results of work performed including the disclosure of all
significant facts known to them that, if not disclosed, may distort the reporting of the results.

• Support the professional education of stakeholders in enhancing their understanding of the
governance and management of enterprise information systems and technology, including:
audit, control, security and risk management.

The failure of a CISA to comply with this code of professional ethics may result in an investigation
with possible sanctions or disciplinary measures.


3.6 Ethics of an Information Security Auditor


Their code also states that:

Ethics statements are necessary to demonstrate the level of honesty and professionalism expected
of every auditor. Overall, the profession requires them to be honest and fair in all representations
they make. The goal is to build trust with clients. Their behaviour should reflect a positive image on
their profession. All IS auditors are depending on them to help maintain the high quality and
integrity that clients expect from a CISA.

3.7 What Makes an Information Security Auditor


• At minimum, a bachelor's degree
• Certification is often highly recommended and may be required by some employers
prior to hiring.
• A Certified Information Systems Auditor or CISA is an independent expert who is
qualified to perform information systems audit. This has uplifted the status of the CISA
designation, which is often a mandatory qualification for an information systems
auditor.

ABOUT CISA

This certification is recognized worldwide as completion of a standardized security auditing
certification program. The Information Systems Audit and Control Association (ISACA) is a world
recognized body that was founded in 1969. The CISA examination and certification was initiated by
ISACA in 1978, to address industry requirements.

The CISA designation is awarded to individuals with an interest in Information Systems auditing,
control and security who meet the following requirements:

• Successful completion of the CISA examination
• Submit an Application for CISA Certification
• Adherence to the Code of Professional Ethics
• Adherence to the Continuing Professional Education Program
• Compliance with the Information Systems Auditing Standards

It is important to note that many individuals choose to take the CISA exam prior to meeting the
experience requirements. This practice is acceptable and encouraged although the CISA designation
will not be awarded until all requirements are met.

ABOUT CISSP

CISSP® (Certified Information Systems Security Professional) is a vendor-neutral certification for
those with proven deep technical and managerial competence, skills, experience, and credibility
to design, engineer, implement, and manage their overall information security program to protect
organizations from growing sophisticated attacks. It is backed by (ISC)², the globally recognized,
not-for-profit organization dedicated to advancing the information security field.


Summary
• The role of the auditor is to identify, measure, and report on risk. The auditor is not tasked to fix
the problem, but to give a snapshot in time of the effectiveness of the security program. The
objective of the auditor is to report on security weakness.

• Auditors ask the questions, test the controls, and determine whether the security policies are
followed in a manner that protects the assets the controls are intended to secure by measuring
the organization’s activities versus its security best practices.

• The auditor audits the information security and privacy policies and standards.

• A good auditor possesses skills in the following areas:

o Organization-wide security program planning and management
o Access control
o Application software development and change control
o System software
o Segregation of duties
o Service continuity
o Application controls

• A consultant should be independent and not affiliated with a product or service. If your
consultant is not independent, you should know about his or her relationship with a product or
service line and understand that it may result in a conflict of interest.

• Ethics statements are necessary to demonstrate the level of honesty and professionalism
expected of every auditor. Overall, the profession requires them to be honest and fair in all
representations they make. The goal is to build trust with clients.

• ISACA has an auditor code of ethics which auditors should comply with.

• While the minimum qualification required for an auditor is a bachelor’s degree, an auditor can
obtain recognized certifications such as CISA and CISSP to enhance their value.


Practical Activities:

Activity 1:

Identify some of the organisations offering audit services, and list and compare the
offerings, features, benefits and limitations of at least three of them.

Activity 2:

Collect information on the various qualifications for data security auditors and consultants.

Activity 3:

Using the internet and other sources, collect cases where mishandled audits or security
audit failures have caused damage to organisations. Present one such interesting case in
class.


Check your understanding:

Q. List in brief the various activities carried out by an auditor.


Q. List points of the ISACA Code of Ethics



UNIT IV

VULNERABILITY ANALYSIS

This Unit covers:

• Lesson Plan
4.1. What Is Vulnerability Assessment?
4.2. Why to carry out Vulnerability Assessment?
4.3. Vulnerability Classification
4.4. Types of Vulnerability Assessment
4.5. How to Conduct a Vulnerability Assessment
4.6. Vulnerability Analysis Tools


LESSON PLAN

Performance Outcomes:

To be competent, you must be able to:
PC5. carry out required audit tasks using standard tools and following established procedures/guidelines/checklists (0904)
PC3. identify the requirements of information security audits and prepare for audits in advance (0905)
PC4. liaise with appropriate people to gather data/information required for information security audits (0905)

Ensuring Measures:
1. Research and identify the scope of vulnerability assessment and the related tools, procedures and guidelines to carry these out.
2. Discuss the various requirements and procedures at different stages of the VA, the various activities that are carried out, and their implications for the organization

Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Networking Equipment - Routers & Switches
• Firewalls and Access Points
• Commercial Tools like HP Web Inspect and IBM AppScan etc.
• Open Source tools like sqlmap, Nessus etc.

Performance Outcomes:

You need to know and understand:
KA11. the range of standard tools, templates and checklists available and how to use these (0904)
KB5. common audit techniques and how to record and report audit tasks (0904)
KB6. methods and techniques for testing compliance against your organization’s security criteria, legal and regulatory requirements (0904)
KA12. your organization’s knowledge base and how to use this to support information security audits (0905)

Ensuring Measures:
1. Research the various automated VA (paid and free) tools available in the market and draw a comparison of their offerings, features and benefits
2. Go through the latest threats and breaches in cyberspace to understand the implications of non-compliance to security standards.

Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Centre for Internet Security
• Security Templates from ITIL, ISO


Lesson

Vulnerability analysis, also known as vulnerability assessment, is a process that defines,
identifies, and classifies the security holes (vulnerabilities) in a computer, network, or
communications infrastructure. In addition, vulnerability analysis can forecast the effectiveness
of proposed countermeasures and evaluate their actual effectiveness after they are put into
use.

4.1 What Is Vulnerability Assessment?

A key component of the vulnerability assessment is properly defining the ratings for impact of loss
and vulnerability. The deliverable for the assessment is, most importantly, a prioritized list of
discovered vulnerabilities (and often how to remediate them). The findings are classified into
categories of high, medium, and low risk.

A vulnerability assessment system will look at the network and pinpoint the weaknesses that need
to be fixed/patched – before they ever get breached. With ever more new vulnerabilities being
announced each week, a company’s network is only as secure as its latest vulnerability assessment.
An ongoing vulnerability assessment process, in combination with proper remediation, will help
ensure that the network is fortified to withstand the latest attacks.


4.2 Why Carry Out a Vulnerability Assessment?

Vulnerability assessment is important because it is a powerful proactive process for securing an
enterprise network. With vulnerability assessment, potential security holes are fixed before they
become problematic, allowing companies to fend off attacks before they occur. Virtually all attacks
come from already known vulnerabilities.

CERT/CC (the federally funded research and development centre operated by Carnegie Mellon
University) reports that nearly 99% of all intrusions resulted from exploitation of known
vulnerabilities or configuration errors.

4.3 Vulnerability Classification

The following are the categories of vulnerabilities commonly recognised, even though classification
is an ongoing discussion that has not yet been fully agreed by the various stakeholders:
1. Misconfigurations
2. Default installations
3. Buffer overflows
4. Unpatched servers
5. Default passwords
6. Open services
7. Application flaws
8. Open system flaws
9. Design flaws

Some of these are explained below.


Misconfigurations
Security misconfiguration is, simply, incorrectly assembled safeguards for a web application. These
misconfigurations typically occur when holes are left in the security framework of an application
by systems administrators, DBAs or developers. They can occur at any level of the application
stack, including the platform, web server, application server, database, framework, and custom
code. These security misconfigurations can lead an attacker right into the system and result in a
partially or totally compromised system. Attackers find these misconfigurations through
unauthorized access to default accounts, unused web pages, unpatched flaws, unprotected files
and directories, and more. If a system is compromised through faulty security configurations,
data can be stolen or modified slowly over time, and this can be time-consuming and costly to
recover from.
Default installations
Most server applications included in a default installation are solid, thoroughly tested pieces of
software. Having been in use in production environments for many years, their code has been
thoroughly refined and many of the bugs that have been found have been fixed. However, there is
no perfect software and there is always room for further refinement. Moreover, newer software is
often not as rigorously tested because of its recent arrival in production environments or because
it may not be as popular as other server software. Developers and system administrators often find
exploitable bugs in server applications and publish the information on bug tracking and security-
related websites such as the Bugtraq mailing list (http://www.securityfocus.com) or the Computer
Emergency Response Team (CERT) website (http://www.cert.org).
Buffer overflows
A buffer overflow occurs when a program or process tries to store more data in a buffer
(temporary data storage area) than it was intended to hold. Since buffers are created to contain a
finite amount of data, the extra information - which has to go somewhere - can overflow into
adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur
accidentally through programming error, buffer overflow is an increasingly common type of
security attack on data integrity. In buffer overflow attacks, the extra data may contain code
designed to trigger specific actions, in effect sending new instructions to the attacked computer
that could, for example, damage the user's files, change data, or disclose confidential information.
Unpatched servers
According to Wikipedia, a patch is a piece of software designed to update a computer program or
its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs,
with such patches usually called bugfixes or bug fixes, and improving the usability or performance.
Although meant to fix problems, poorly designed patches can sometimes introduce new
problems. Server applications that are left unpatched, whether by developers who do not fix them
or by administrators who fail to patch their systems, make this one of the most exploited
vulnerabilities.
Default passwords
Another common error is to leave the default passwords or keys in services that have such
authentication methods built into them. For example, some databases ship with default
administration passwords under the assumption that the system administrator will change them
immediately upon configuration. Even an inexperienced cracker can use the widely known default
password to gain administrative privileges to the database.


4.4 Types of Vulnerability Assessment

Active Assessment: Scans the network using any network scanner to find hosts, services and
vulnerabilities.

Passive Assessment: This is a technique that sniffs the network traffic to find out the active
systems, network services, applications and vulnerabilities present.

Host based Assessment: This is a security check carried out on the host itself, through a
configuration-level test from the command line.

Internal Assessment: This is a technique to scan the internal infrastructure to find out the
exploits and vulnerabilities present.

External Assessment: This is used to assess the network from a hacker's point of view to find out
what exploits and vulnerabilities are available to the outside world.

Application Assessment: This tests the web server infrastructure for any misconfiguration,
outdated content and known vulnerabilities.

Network Assessment: This determines the possible network security attacks that may occur on
the organization’s system.

Wireless network Assessment: This determines and tracks all the wireless networks present on
the client side.
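Passive assessment is the one type above that sends nothing to the targets: the analyst only reads traffic that has already been captured. As an added example (not the handbook's own code), the Python below builds an inventory of active hosts, services and application versions from a few constructed banner lines and checks them against a constructed local knowledge base; the addresses, banners and knowledge-base entries are all assumptions made for illustration.

```python
"""
Passive assessment over captured service banners (added example, not the
handbook's code).  Nothing is sent to the hosts: the observer reads replies
it has already captured, infers active systems, services and versions, and
looks those versions up in a local knowledge base.  All capture lines and
knowledge-base entries below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed capture: (client, server:port, first line(s) of the server's reply).
CAPTURED = [
    ("10.0.5.21", "10.0.1.10:22", "SSH-2.0-OpenSSH_7.4"),
    ("10.0.5.21", "10.0.1.11:80", "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)"),
    ("10.0.5.33", "10.0.1.11:80", "HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.15 (CentOS)"),
    ("10.0.5.33", "10.0.1.12:21", "220 ProFTPD 1.3.5 Server ready."),
    ("10.0.5.40", "10.0.1.13:25", "220 mail.example.test ESMTP Postfix"),
]

# Constructed knowledge base: product versions the organisation tracks as
# needing action.  Placeholder notes, not real advisory identifiers.
KNOWN_ISSUES = {
    ("apache", "2.2.15"): "placeholder: tracked as out-of-support branch",
    ("proftpd", "1.3.5"): "placeholder: tracked in the organisation's advisory list",
}

# Banner patterns; group(1) captures the version where the banner carries one.
BANNER_PATTERNS = [
    ("openssh", re.compile(r"SSH-\d\.\d-OpenSSH_([\w.]+)")),
    ("apache", re.compile(r"Server: Apache/([\d.]+)")),
    ("proftpd", re.compile(r"ProFTPD ([\d.]+)")),
    ("postfix", re.compile(r"ESMTP Postfix(?: \(([\d.]+)\))?")),
]

def identify(banner):
    """Return (product, version_or_None) for a banner, or None if unrecognised."""
    for product, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None

def passive_inventory(captured):
    """Build {host: {port: (product, version)}} purely from observed replies."""
    inventory = defaultdict(dict)
    for _client, endpoint, banner in captured:
        host, port = endpoint.rsplit(":", 1)
        ident = identify(banner)
        if ident:
            inventory[host][int(port)] = ident
    return dict(inventory)

def flag_known_issues(inventory, knowledge_base=KNOWN_ISSUES):
    """Return findings (host, port, product, version, note) for tracked versions."""
    findings = []
    for host in sorted(inventory):
        for port, (product, version) in sorted(inventory[host].items()):
            note = knowledge_base.get((product, version))
            if note:
                findings.append((host, port, product, version, note))
    return findings

if __name__ == "__main__":
    inv = passive_inventory(CAPTURED)
    for host, services in sorted(inv.items()):
        print(host, services)
    for finding in flag_known_issues(inv):
        print("FINDING:", finding)
```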


4.5 How to Conduct a Vulnerability Assessment

The method for performing the VA will include reviewing the appropriate policies and procedures
relating to the systems being assessed, interviewing system administrators, and security scanning.

Vulnerability analysis consists of several steps:

STEP 1. Defining and classifying network or system resources
STEP 2. Assigning relative levels of importance to the resources
STEP 3. Identifying potential threats to each resource
STEP 4. Developing a strategy to deal with the most serious potential problems first
STEP 5. Defining and implementing ways to minimize the consequences if an attack occurs
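As an added worked example (not the handbook's own code) of steps 1 to 4 above, the Python below defines a few resources with a relative importance, records the threats identified against each, scores them and returns the prioritized High/Medium/Low list that section 4.1 names as the deliverable. The assets, threats, the likelihood x impact x importance scoring model and the rating thresholds are constructed assumptions, one common way of doing this rather than a prescribed one.

```python
"""
Worked example of VA steps 1 to 4: define the resources, assign their relative
importance, identify threats against each and rank the findings.  Added as an
illustration; the assets, threats, scoring model and thresholds are
constructed assumptions, not the handbook's own method.
"""
from dataclasses import dataclass

# STEP 1 and 2: resources and their relative importance (1 = low, 5 = critical).
ASSETS = {
    "crm-db": 5,       # customer database (constructed)
    "public-web": 4,   # internet-facing web server (constructed)
    "dev-wiki": 2,     # internal documentation wiki (constructed)
}

@dataclass(frozen=True)
class Threat:
    """STEP 3: a potential threat to one resource, rated on 1..5 scales."""
    asset: str
    title: str
    likelihood: int   # how likely exploitation is (exposure, exploit availability)
    impact: int       # consequence if exploited (data loss, downtime, ...)

THREATS = [  # constructed findings
    Threat("crm-db", "default administrator password still set", 5, 5),
    Threat("crm-db", "unpatched database service", 3, 5),
    Threat("public-web", "outdated web server version", 4, 4),
    Threat("public-web", "directory listing enabled", 3, 2),
    Threat("dev-wiki", "self-signed TLS certificate", 2, 2),
]

def risk_score(threat: Threat, assets=ASSETS) -> int:
    """Assumed model: likelihood x impact x asset importance (range 1..125)."""
    return threat.likelihood * threat.impact * assets[threat.asset]

def rating(score: int) -> str:
    """Band a score into the High/Medium/Low categories used in the report."""
    if score >= 60:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"

def prioritized_findings(threats=THREATS, assets=ASSETS):
    """STEP 4: findings sorted most serious first, as (asset, title, score, rating)."""
    scored = [(risk_score(t, assets), t) for t in threats]
    scored.sort(key=lambda pair: (-pair[0], pair[1].asset, pair[1].title))
    return [(t.asset, t.title, score, rating(score)) for score, t in scored]

def rating_counts(findings):
    """Executive-summary line: how many findings fall in each band."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for _asset, _title, _score, band in findings:
        counts[band] += 1
    return counts

if __name__ == "__main__":
    report = prioritized_findings()
    print("Summary:", rating_counts(report))
    for asset, title, score, band in report:
        print(f"[{band:6}] {score:3d}  {asset:<11} {title}")
```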
The following tasks are involved in conducting a VA:
• Use vulnerability assessment tools
• Check for misconfigured web servers, mail servers, firewalls, etc.
• Search the web for more postings about the company’s vulnerabilities
• Search underground websites for more postings about the company’s vulnerabilities

The VA is done in three phases:

Pre-assessment phase
• Describes the scope of the assessment
• Creates proper information protection procedures such as effective planning, scheduling,
coordination and logistics
• Identifies and ranks the critical assets

Assessment phase
• Examines the network architecture
• Evaluates the threat environment
• Carries out penetration testing
• Examines and evaluates physical security
• Performs a physical asset analysis
• Observes policies and procedures
• Conducts an impact analysis
• Performs a risk characterization

Post-assessment phase
• Prioritizing assessment recommendations
• Providing action plan development to implement the proposed recommendations
• Capturing lessons learned to improve the complete process in the future
• Conducting training


Vulnerability Analysis phase

This phase refers to identifying the areas where vulnerability exists. This entails performing the
vulnerability analysis and listing the areas that need testing and penetration.

Vulnerability penetration capabilities can be broken down into three steps:
• Locating nodes
• Performing service discovery on them
• Testing those services for known security holes

Now that the auditors have identified and verified the vulnerabilities, they must perform an in-depth
analysis of all the assembled data. The goal here is to identify systemic causes and then formulate
plans to remedy each cause. These plans are the basis of the strategic recommendations that they
bring before the business’ executives. Once the auditors have completed their assessment, the IT
department or the consultants work alongside the executives to fix those problem areas. Once the
business rectifies the vulnerabilities, it can direct its attention to upgrading or transitioning the
network.


4.6 Vulnerability Analysis Tools

The types of tools available for vulnerability assessment are classified as follows:

Host based VA tools
These find and identify the OS running on a particular host computer and test it for known
deficiencies. They also search for common applications and services.

Application-layer VA tools
These are directed towards web servers or databases.

Scope assessment tools
These provide security to the IT system by testing for vulnerabilities in the application and OS.

Depth assessment tools
These tools find and identify previously unknown vulnerabilities in a system, and include ‘Fuzzers’.
A Fuzzer is a program that attempts to discover security vulnerabilities by sending random input
to an application. If the program contains a vulnerability that can lead to an exception, crash or
server error (in the case of web apps), it can be determined that a vulnerability has been
discovered. Fuzzers are often termed Fault Injectors for this reason: they generate faults and send
them to an application.
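As an added example (not the handbook's code, nor that of any named tool), the Python below is a minimal fuzzer of the kind just described: it mutates a seed input, feeds it to a small record parser, treats any exception the parser is not documented to raise as a discovered fault, and keeps the shortest input that reproduces each fault. The parser, its planted length-field defect and the seed record are constructed for illustration.

```python
"""
Minimal fuzzer / fault injector (added example, not the handbook's code).
The target parser is constructed for illustration, including its planted
defect: it trusts the record's own length field.
"""
import random

def parse_record(data: bytes) -> dict:
    """Parse a constructed record of the form b"<len>:<name>=<value><terminator>"."""
    head, sep, body = data.partition(b":")
    if not sep or not head.isdigit():
        raise ValueError("bad length prefix")      # documented, expected error
    length = int(head)
    payload = body[:length]
    # Planted defect: the declared length is trusted when reading the trailing
    # byte, so a record shorter than its length field raises IndexError.
    terminator = payload[length - 1]
    name, _, value = payload[:-1].partition(b"=")
    if not name:
        raise ValueError("empty field name")       # documented, expected error
    return {"name": name, "value": value, "terminator": terminator}

# Error classes the parser is documented to raise on bad input; anything else
# escaping the parser is a fault worth reporting.
EXPECTED = (ValueError,)

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation: flip, insert, delete or truncate."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif choice == 2 and data:
        del data[rng.randrange(len(data))]
    else:
        data = data[: rng.randrange(len(data) + 1)]
    return bytes(data)

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1):
    """Return (input, exception) pairs for every unexpected fault found."""
    rng = random.Random(rng_seed)          # fixed seed keeps runs reproducible
    faults = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except EXPECTED:
            continue                       # parser rejected the input cleanly
        except Exception as exc:           # anything else is a finding
            faults.append((case, exc))
    return faults

def triage(faults):
    """Group faults by exception type, keeping the shortest reproducer of each."""
    shortest = {}
    for case, exc in faults:
        kind = type(exc).__name__
        if kind not in shortest or len(case) < len(shortest[kind]):
            shortest[kind] = case
    return shortest

if __name__ == "__main__":
    found = fuzz(parse_record, b"9:user=bob;", iterations=500)
    print(f"{len(found)} faulting inputs found")
    for kind, case in triage(found).items():
        print(f"{kind}: reproduce with {case!r}")
```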
Active/passive tools
Active scanners perform vulnerability checks on the network that consume resources on the
network. Passive scanners do not materially affect system resources; they only observe system
data and perform the data processing on a separate analysis machine.

Tools may also be classified based on the data examined or their location, for example network-based
scanners, agent-based scanners, proxy scanners or cluster scanners.

While new vulnerabilities are discovered every day and new tools are required to tackle
these, some of the tools available are listed below:

1. Qualys Vulnerability Scanner
2. Cycorp CycSecure Scanner
3. eEye Retina Network Security Scanner
4. Foundstone Professional Scanner
5. GFI LANguard Network Security Scanner
6. ISS Network Scanner
7. Saint Vulnerability Scanner
8. Symantec NetRecon Scanner
9. Shadow Security Scanner
10. Microsoft Baseline Security Analyzer
11. SPIKE Proxy
12. Foundstone’s ScanLine
13. Cerebrus Internet Scanner


Some of the free scanners available on the internet include:

Nmap
Nmap is a utility for network discovery and/or security auditing. It can be used to scan large
networks or single hosts quickly and accurately, determining which hosts are available, what
services each host is running and the operating system that is being used.
For more information, visit http://www.insecure.org/nmap

Nessus
Nessus is a remote security scanner. This software can audit a given network and determine if
there are any weaknesses present that may allow attackers to penetrate the defences. It launches
predefined exploits and reports on the degree of success each exploit had.
For more information, visit http://www.nessus.org

Whisker
Whisker is a CGI web scanner. It scans for known vulnerabilities found in web servers, giving the
URL that triggered the event; it can also determine the type of web server being run. It is easy
to update and has many useful features.
For more information, visit http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2

Enum
Enum is a console-based Win32 information enumeration utility. Using null sessions, Enum can
retrieve user lists, machine lists, share lists, name lists, group and member lists, and password and
LSA policy information. Enum is also capable of a rudimentary brute-force dictionary attack on
individual accounts.
For more information, visit http://razor.bindview.com/tools/desc/enum_readme.html

Firewalk
Firewalking is a technique that employs traceroute-like techniques to analyse IP packet responses
to determine gateway ACL filters and map networks. It can also be used to determine the filter
rules in place on a packet-forwarding device.
For more information, visit http://www.packetfactory.net/Projects/Firewalk

The Future of Network Security Assessments

With hundreds of new operating system and application vulnerabilities announced each month,
the need to establish vulnerability testing as an ongoing, continuous process has become
essential. Like automated antivirus and patching, an automated, ongoing vulnerability
assessment and management solution is now a genuine option.

Real-World Security

The concept of Automated Vulnerability Detection can be described in this simplified analogy: say
your building has a high perimeter wall and a motion detection alarm system. Like network
perimeter security products (antivirus, firewalls and IPS/IDS), you are likely to be alerted that
someone is approaching. But it does not tell you that your back door was left unlocked by the last
person leaving – or worse yet, left standing wide open. If a hacker or thief sees a known
vulnerability, or unlocked door, there isn't a high enough fence or alarm system in the world that
will keep them from trying to get in. They will get very inventive as to how they will scale the wall
so as to not set off the alarm – if there is an open door beckoning! Automated VA/VM consists of
assessing the mechanical condition of your network's doors and windows, the relative merit of
their locks and reporting on their state of readiness in near real time.

Automated Vulnerability Detection Now a Reality

AVDS (Automated Vulnerability Detection System) is a series of hardware appliances that run
dedicated online-connected software, capable of simulating both internal and external hacker
attacks for networks of 200 to 2 million nodes. AVDS performs a comprehensive vulnerability
assessment on the network and produces a detailed report that contains:

• An executive summary of the vulnerabilities found
• A comprehensive list of all vulnerabilities discovered
• A wide range of solutions to those vulnerabilities
• The list of all simulated attacks performed

Additional reporting features available in AVDS also include:

• Technical analysis including links for immediate remedial action
• Differential reporting mechanisms that show the difference from previous scans, allowing you
to track both infrastructure changes (figure 2) as well as the vulnerabilities
• Data mining that allows you to target specific hosts, vulnerability types or services and export
these results in multiple formats

Automated Vulnerability Detection System

• AVDS is updated with new attack profiles on a daily basis using information from the
www.securiteam.com security portal, which is one of the largest and most respected security
information gathering portals on the Internet.
• Using AVDS, it is possible to conduct security scans on:
o The corporate LAN and WAN (from within the organization)
o The DMZ and the external network (from the Internet and outside world)
o Anything that talks “IP” on a network, including VoIP network elements and endpoint devices.
• AVDS provides the following major features:
o Simulates attacks on the organization’s network by using 'sanitized' versions of hacking
techniques, tools and methodologies.
o Uses a pre-determined network bandwidth, eliminating negative effects on performance or
availability.
o Performs on-demand and scheduled penetration testing, according to your predefined schedule
including daily, weekly, monthly or any other combination you require.
o Includes built-in data mining capabilities, allowing on-the-fly generation of statistical and
historical information about your network posture.
o Distributes vulnerability scanning tasks and reports to stakeholders. This provides distant
administrators access to the scanning system for use in their network segment.
o Allows tracking of all vulnerabilities across an entire network and multiple sites.
o Generates a network map, detailing what servers and services exist, or alternatively, have
been added, removed or changed since the last scan.
o Exports results for external reference in multiple formats: HTML, PDF, CSV and XML.

Source:
Web Site www.BeyondSecurity.com
Research Site www.SecuriTeam.com


Summary
• Vulnerability analysis, also known as vulnerability assessment, is a process that defines,
identifies, and classifies the security holes (vulnerabilities) in a computer, network, or
communications infrastructure.
• The deliverable for the assessment is, most importantly, a prioritized list of discovered
vulnerabilities (and often how to remediate them). The findings are classified into categories of
high, medium, and low risk.
• Virtually all attacks come from already known vulnerabilities.
• The following are categories of vulnerabilities commonly recognised:
o Misconfigurations
o Default installations
o Buffer overflows
o Unpatched servers
o Default passwords
o Open services
o Application flaws
o Open system flaws
o Design flaws
• Developers and system administrators often find exploitable bugs in server applications and
publish the information on bug tracking and security-related websites such as the Bugtraq
mailing list (http://www.securityfocus.com) or the Computer Emergency Response Team (CERT)
website (http://www.cert.org).
• Types of Vulnerability Assessment:
o Active Assessment
o Passive Assessment
o Host based Assessment
o Internal Assessment
o External Assessment
o Application Assessment
o Network Assessment
o Wireless network Assessment
• The types of tools available for vulnerability assessment are classified as follows:
o Host based VA tools
o Application-layer VA tools
o Scope assessment tools
o Depth assessment tools
o Active/passive tools
• Tools may also be classified based on the data examined or their location, for example
network-based scanners, agent-based scanners, proxy scanners or cluster scanners.
• Nessus, Nmap, Whisker, Firewalk and Enum are free scanners available on the internet.
• Some of the other available tools include Qualys Vulnerability Scanner, Cycorp CycSecure
Scanner, eEye Retina Network Security Scanner, Foundstone Professional Scanner, GFI LANguard
Network Security Scanner, ISS Network Scanner, Saint Vulnerability Scanner, Symantec
NetRecon Scanner, Shadow Security Scanner, Microsoft Baseline Security Analyzer, SPIKE Proxy,
Foundstone’s ScanLine and Cerebrus Internet Scanner.


Practical Activity:

Activity 1:
Go through the latest threats and breaches in cyberspace to understand the implications of
non-compliance to security standards. List the sources from which such information can be
obtained.
Activity 2:
Search for and list the various VA tools offered by various organizations and note down their
features, uses, benefits and limitations. Also research the reviews of these tools available
online.
Activity 3:
Search for examples of incidents reported for each of the categories of vulnerability listed in
this unit. Share these with your class.


Check your understanding:

Q. List the three types of security consultants in the industry.

a) ___________________________________
b) ___________________________________
c) ___________________________________

Q. Which one of the following is NOT a category of VA tools?

a) Host based
b) Application based
c) Scope Assessment
d) Firewall based

Q. Match the following:

Descriptions:
1. Scans the network using any network scanner to find hosts, services and vulnerabilities.
2. Sniffs the network traffic to find out the active systems, network services, applications and
vulnerabilities present.
3. Security checks carried out through a configuration-level test from the command line.
4. Determines and tracks all the wireless networks present on the client side.
5. Assesses the network from a hacker's point of view to find out what exploits and
vulnerabilities are available to the outside world.
6. Tests the web server infrastructure for any misconfiguration, outdated content and known
vulnerabilities.
7. Determines the possible network security attacks that may occur on the organization’s system.
8. Scans the infrastructure inside the company to find out the exploits and vulnerabilities.

Assessment types:
a) Wireless network Assessment
b) Host based Assessment
c) Active Assessment
d) Application Assessment
e) External Assessment
f) Passive Assessment
g) Internal Assessment
h) Network Assessment

Q. State whether the following statements are TRUE or FALSE

1. Nessus is a free remote security scanner. ( )
2. Active and Passive Scanners are categories of VA tools, classified as such based on the
amount of resources they use to carry out the scan. ( )
3. Incorrectly assembling the safeguards for a web application is known as a default
installation. ( )
4. A buffer overflow occurs when more data is sent to the temporary storage areas than
the capacity and the data spills into other areas, corrupting these. ( )
5. A Fuzzer is a program that attempts to discover security vulnerabilities by sending
random input to an application. ( )


UNIT V
PENETRATION TESTING

This Unit covers:

• Lesson Plan
5.1. About penetration testing
5.2. Penetration testing stages


LESSON PLAN

Performance Outcomes

To be competent, you must be able to:
PC5. carry out required audit tasks using standard tools following established procedures/guidelines/checklists (0904)
PC3. identify the requirements of information security audits and prepare for audits in advance (0905)
PC4. liaise with appropriate people to gather data/information required for information security audits (0905)

Ensuring Measures:
1. Research and identify the scope of penetration testing and the related tools, procedures, and guidelines to carry these out.
2. Discuss the various requirements and procedures at different stages of the penetration testing and the various activities that are carried out and their implications for the organization.

Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Networking Equipment - Routers & Switches
• Firewalls and Access Points
• Commercial Tools like HP Web Inspect and IBM AppScan etc.
• Open Source tools like sqlmap, Nessus etc.

You need to know and understand:
KA11. the range of standard tools, templates and checklists available and how to use these (0904)
KB5. common audit techniques and how to record and report audit tasks (0904)
KB6. methods and techniques for testing compliance against your organization’s security criteria, legal and regulatory requirements (0904)
KA12. your organization’s knowledge base and how to use this to support information security audits (0905)

Ensuring Measures:
1. Research the various penetration testing tools available in the market and draw a comparison of their offerings, features and benefits.
2. Go through the latest threats and breaches in cyberspace to understand the implications of non-compliance to security standards.

Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)


Lesson

A penetration test is the process of actively evaluating a company’s information security
measures. Security measures are actively analysed for design weaknesses, technical flaws and
vulnerabilities. The results are delivered comprehensively in a report to executive, management,
and technical audiences.

5.1. Why conduct penetration testing?

Reasons for conducting PenTests:

• Identify the threats facing an organization's information assets
• Reduce an organization's IT security costs and provide a better Return on IT Security Investment
(ROSI) by identifying and resolving vulnerabilities and weaknesses
• Provide an organization with assurance: a thorough and comprehensive assessment of
organizational security covering policy
• Gain and maintain certification to an industry regulation (BS7799, HIPAA etc.)
• Adopt best practice by conforming to legal and industry regulations
• Focus on high-severity vulnerabilities and emphasize application-level security issues to
development teams and management
• Test and validate the efficiency of security protections and controls
• Provide vulnerability perspectives to the organization, internally and externally
• Provide indisputable information usable by audit teams gathering data for regulatory
compliance
• Provide a comprehensive approach to the preparation steps that can be taken to prevent
upcoming exploitation
• Evaluate the efficiency of network security devices such as firewalls, routers, and web servers
• Support changing or upgrading the existing infrastructure of software, hardware, or network
design


5.2. What should be tested?

An organization should conduct a risk assessment operation before the penetration testing; this
will help to identify the main threats, such as:

• Communications failure, e-commerce failure, and loss of confidential information.
• Public-facing systems: websites, email gateways, and remote access platforms.
• Mail, DNS, firewalls, passwords, FTP, IIS, and web servers.

Testing should be performed on all hardware and software components of a network security
system.

5.3 Penetration testing stages

According to one classification, there are three stages in penetration testing:

• Pre-attack phase
• Attack phase
• Post-attack phase

Penetration (or external assessment) testing usually starts with three pre-test phases:
• Footprinting
• Scanning
• Enumerating
Together, the three pre-test phases are called reconnaissance.

Pre-attack phase

This process seeks to gather as much information about the target network as possible, following
these seven steps:
STEP 1. Gather initial information
STEP 2. Determine the network range
STEP 3. Identify active machines
STEP 4. Discover open ports and access points
STEP 5. Fingerprint the operating system
STEP 6. Uncover services on ports
STEP 7. Map the network


The goal of reconnaissance is primarily to discover the following information:

o IP addresses of hosts on a target network
o Accessible User Datagram Protocol (UDP) and Transmission Control Protocol (TCP)
ports on target systems
o Operating systems on target systems

Malicious hackers also value reconnaissance as the first step in an effective attack. Keep in mind
that the penetration test process is more organic than these steps would indicate. These pre-test
phases entail the process of discovery, and although the process is commonly executed in this order,
a good tester knows how to improvise and head in a different direction, depending upon the
information found.

There are two different reconnaissance methods to discover information on the hosts in your
target network:
• Passive reconnaissance
• Active reconnaissance

a. Passive Host Reconnaissance

Passive reconnaissance gathers data from open source information. Open source means that
the information is freely available to the public. Looking at open source information is entirely
legal. A company can do little to protect against the release of this information, but later
sections of this chapter explore some of the options available. Following are examples of open
source information:
• A company website
• Electronic Data Gathering, Analysis, and Retrieval (EDGAR) filings (for publicly traded
companies)
• Network News Transfer Protocol (NNTP) USENET Newsgroups
• User group meetings
• Business partners
• Dumpster diving
• Social engineering

b. Active reconnaissance
Active reconnaissance, in contrast, involves using technology in a manner that the target might
detect. This could be by doing DNS zone transfers and lookups, ping sweeps, traceroutes, port
scans, or operating system fingerprinting. Some of the tools that are useful in active host
reconnaissance include the following:
• NSLookup/Whois/Dig lookups
• SamSpade
• Visual Route/Cheops
• Pinger/WS_Ping_Pro


The three stages of reconnaissance are:

Footprinting

Footprinting is the active blueprinting of the security profile of an organization. It involves gathering
information about your customer's network to create a unique profile of the organization's networks
and systems. It's an important way for an attacker to gain information about an organization
passively, that is, without the organization's knowledge.

Footprinting employs the first two steps of reconnaissance, gathering the initial target
information and determining the network range of the target. Common tools/resources used in
the footprinting phase are:
• Whois
• SmartWhois
• NsLookup
• Sam Spade

Footprinting may also require manual research, such as studying the company's Web page for useful
information, for example:

• Company contact names, phone numbers and email addresses
• Company locations and branches
• Other companies with which the target company partners or deals
• News, such as mergers or acquisitions
• Links to other company-related sites
• Company privacy policies, which may help identify the types of security mechanisms in place

Other resources that may have information about the target company are:
• The Capital Market database if the company is publicly traded
• Job boards, either internal to the company or external sites
• Disgruntled employee blogs and Web sites
• Trade press

You can also get more active with Footprinting. For example, you can call the organization's help
desk, and by employing social engineering techniques, get them to reveal privileged information.

Scanning

The next four information-gathering steps -- identifying active machines, discovering open ports and
access points, fingerprinting the operating system, and uncovering services on ports -- are
considered part of the scanning phase. The goal here is to discover open ports and applications by
performing external or internal network scanning, pinging machines, determining network ranges
and port scanning individual systems.


Although this is still information-gathering mode, scanning is more active than footprinting, and it
provides a more detailed picture of the customer's operations.

Some common tools used in the scanning phase are:

• NMap
• Ping
• Traceroute
• Superscan
• Netcat
• NeoTrace
• Visual Route

Enumerating

In enumeration, a tester tries to identify valid user accounts or poorly-protected resource shares
using active connections to systems and directed queries. The type of information sought by testers
during the enumeration phase can be users and groups, network resources and shares, and
applications.

The techniques used for enumeration include:

• Obtaining Active Directory information and identifying vulnerable user accounts
• Discovering NetBIOS name enumeration with NBTscan
• Using snmputil for SNMP enumeration
• Employing Windows DNS queries
• Establishing null sessions and connections

Remember that during a penetration test, you'll need to document every step and finding, not only
for the final report, but also to alert the organization immediately to serious vulnerabilities that may
exist. This is also known as the Discovery phase.

The next phase is the Vulnerability Analysis. This involves comparing the services, applications,
and operating systems of scanned hosts against vulnerability databases (a process that is
automatic for vulnerability scanners) and the testers’ own knowledge of vulnerabilities. Human
testers can use their own databases—or public databases such as the National Vulnerability
Database (NVD) — to identify vulnerabilities manually. Manual processes can identify new or
obscure vulnerabilities that automated scanners may miss, but are much slower than an
automated scanner.


Attack Phase

The next phase is the attack phase, where if an attack is successful, the vulnerability is verified and
safeguards are identified to mitigate the associated security exposure. In many cases, exploits that
are executed do not grant the maximum level of potential access to an attacker. They may instead
result in the tester’s learning more about the targeted network and its potential vulnerabilities, or
induce a change in the state of the targeted network’s security.

Some exploits enable testers to escalate their privileges on the system or network to gain access to
additional resources. If this occurs, additional analysis and testing are required to determine the true
level of risk for the network, such as identifying the types of information that can be gleaned,
changed, or removed from the system. In the event an attack on a specific vulnerability proves
impossible, the tester should attempt to exploit another discovered vulnerability.

If testers are able to exploit a vulnerability, they can install more tools on the target system or
network to facilitate the testing process. These tools are used to gain access to additional systems or
resources on the network, and obtain access to information about the network or organization.
Testing and analysis on multiple systems should be conducted during a penetration test to
determine the level of access an adversary could gain.

While vulnerability scanners check only for the possible existence of a vulnerability, the attack phase
of a penetration test exploits the vulnerability to confirm its existence.

Most vulnerabilities exploited by penetration testing fall into the following categories:
Misconfigurations
Misconfigured security settings, particularly insecure default settings, are usually easily
exploitable.
Kernel Flaws
Kernel code is the core of an OS, and enforces the overall security model for the system—so any
security flaw in the kernel puts the entire system in danger.
Buffer Overflows
A buffer overflow occurs when programs do not adequately check input for appropriate length.
When this occurs, arbitrary code can be introduced into the system and executed with the
privileges—often at the administrative level—of the running program.
Insufficient Input Validation
Many applications fail to fully validate the input they receive from users. An example is a Web
application that embeds a value from a user in a database query. If the user enters SQL commands
instead of or in addition to the requested value, and the Web application does not filter the SQL
commands, the query may be run with malicious changes that the user requested—causing what
is known as a SQL injection attack.
Symbolic Links
A symbolic link (symlink) is a file that points to another file. Operating systems include programs
that can change the permissions granted to a file. If these programs run with privileged
permissions, a user could strategically create symlinks to trick these programs into modifying or
listing critical system files.

File Descriptor Attacks
File descriptors are numbers used by the system to keep track of files in lieu of filenames. Specific
types of file descriptors have implied uses. When a privileged program assigns an inappropriate
file descriptor, it exposes that file to compromise.
Race Conditions
Race conditions can occur during the time a program or process has entered into a privileged
mode. A user can time an attack to take advantage of elevated privileges while the program or
process is still in the privileged mode.
Incorrect File and Directory Permissions
File and directory permissions control the access assigned to users and processes. Poor
permissions could allow many types of attacks, including the reading or writing of password files
or additions to the list of trusted remote hosts.
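As an added example (not code from the handbook), the insufficient input validation case described above: a login query that pastes user input into the SQL text, beside its parameterized form and an input-validation layer, run against a constructed in-memory SQLite table. The table rows, the crafted username and the `USERNAME_RE` allow-list are assumptions made for this demonstration.

```python
"""Insufficient input validation: a SQL injection flaw and its fix (added example).

The table, rows and user inputs below are constructed for this demonstration.
"""
import re
import sqlite3


def make_db():
    """Constructed in-memory user table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "battery-staple", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The flaw described in the text: user-supplied values are pasted into the
    query text, so any SQL syntax inside them becomes part of the query."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values, so they are only ever
    compared as data and never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Assumed allow-list for usernames: lowercase letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def login_validated(conn, username, password):
    """Defence in depth: reject input that does not match the expected shape
    before it reaches the database, and still use a bound query afterwards."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username fails input validation")
    return login_safe(conn, username, password)


def demo():
    """Run a crafted username through both query styles; return the rows each returns."""
    conn = make_db()
    # Closes the string literal and comments out the password check in the vulnerable query.
    crafted = "alice' --"
    return {
        "vulnerable": login_vulnerable(conn, crafted, "wrong-password"),
        "safe": login_safe(conn, crafted, "wrong-password"),
        "legit": login_safe(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-10s -> %s" % (name, rows))
```

With the vulnerable query the crafted username logs in as alice without the password; the bound query returns no row for the same input.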

Attack Phase Activities

The attack phase activities include:

a. Activity: Perimeter Auditing

The perimeter layer of a network starts when and where an outside connection is established and
ends with access to a private network. A private network will be at risk from many threats because
of the need to establish connections to other networks, especially the Internet. An IDS (Intrusion
Detection System) or IPS (Intrusion Prevention System) is usually included in the perimeter to detect
and stop any malicious activity on a private network. The overall network perimeter complexity will
depend on the services provided over the Internet. The router and firewall separate the Internet
from a private network, the IDS or IPS monitors all traffic, and the VPN (Virtual Private Network)
provides remote access; all of which provide the necessary defence-in-depth features for the
perimeter.

Complex configurations of various organizations make it very difficult to secure the perimeter 100%.

A sound network security perimeter architecture requires multiple layers of defence, up-to-date and
hardened policies and controls and segmentation. All of these things make it harder for an attacker
to gain access to the critical data assets and easier for the organization to isolate and respond to
breaches when they occur.

Audits performed for the purpose of determining the security stance of a private network are known
as perimeter security tests.

A channel is the means of interaction with an asset and an asset is what has value to the owner.
Channels are classified as
• Physical security
• Spectrum security
• Communications security


The definition of the scope will determine the costs associated with third-party audits.

The scope consists of targets as determined by the selection of channel, test type, and
vectors.

These targets are then indexed to allow for unique identification by the test vector.

The vectors represent how the security of a channel will be tested.

The more channels and vectors in a scope, the longer it will take to complete an audit.

Performing an external security assessment on the perimeter at least annually is recommended and
should be affordable since only the external vector is tested.

Audits could be used to verify rules configured for firewall, IDS and spam filtering devices. The audit
needs to be performed independently from whoever installs, configures, and manages the perimeter
to ensure impartiality.

Documenting the effectiveness of perimeter security measures is an important audit activity. The
auditors have to ensure these are established properly as many organizations use perimeter security
as their main line of defence against external threats.
Common problems during and after the perimeter security implementation process include:
• Management and IT staff believe that once a firewall is in place, they have sufficient security and
no further checks and controls are needed on the internal network.
• Analog lines and modems are provided to connect to an Internet service provider or have dial-in
access to the desktop system, thus bypassing perimeter security measures.
• Internal host network services are passed through security perimeter control points unscreened.
• Firewalls, hosts, or routers accept connections from multiple hosts on the internal network and
from hosts on the DMZ network.
• The organization allows incorrect configuration of access lists, which results in allowing unknown
and dangerous services to pass through the network freely.
• The details of logged user activities are not reviewed regularly or are insufficient, thus
deteriorating the effectiveness of the monitoring system.
• Hosts on the DMZ or those running firewall software also are using unnecessary services.
• Support personnel use unencrypted protocols to manage firewalls and other DMZ devices.
• Employees are allowed to run encrypted tunnels through the organization's perimeter device
without fully validating the tunnel's end-point security.
• The company uses unsecured or unsupported wireless network applications.


Organizations purchase security tools to help evaluate the IT network's strength and detect network
vulnerabilities and risk areas. Some of the tools available for different activities include host-based
audit software, network traffic analysis and intrusion detection system tools, security management
and improvement programs, and network-based audit and encryption software. The auditors will
check the effectiveness of these tools and their application.

b. Activity: Web Application Auditing

Web application vulnerabilities account for the largest portion of attack vectors outside of malware.
It is crucial that any web application be assessed for vulnerabilities and that any vulnerabilities be
remediated prior to production deployment.

• Areas Covered by Web Application Testing
o Configuration errors
o Application loopholes in server code or scripts
o Advice on data that could have been exposed due to past errors
o Testing for known vulnerabilities
o Reducing the risk and enticement to attack
o Advice on fixes and future security plans
• Typical Issues Discovered in an Application Test
o Cross-site scripting
o SQL injection
o Server misconfigurations
o Form/hidden field manipulation
o Command injection
o Cookie poisoning
o Well-known platform vulnerabilities
o Insecure use of cryptography
o Back doors and debug options
o Errors triggering sensitive information leak
o Broken ACLs/Weak passwords
o Weak session management
o Buffer overflows
o Forceful browsing
o CGI-BIN manipulation
o Risk reduction to zero day exploits


Web applications are subject to security assessments based on the following criteria:

• New or Major Application Release
This will be subject to a full assessment prior to approval of the change control documentation
and/or release into the live environment.
• Third Party or Acquired Web Application
This will be subject to full assessment after which it will be bound to policy requirements.
• Point Releases
This will be subject to an appropriate assessment level based on the risk of the changes in the
application functionality and/or architecture.
• Patch Releases
This will be subject to an appropriate assessment level based on the risk of the changes to the
application functionality and/or architecture.
• Emergency Releases
An emergency release will be allowed to forego security assessments and carry the assumed risk
until such time that a proper assessment can be carried out.

Web Application Audit Tools: Burp Suite, fuzzing tool, dotDefender, IBM Security AppScan, HP
WebInspect, SQL Block Monitor, Microsoft Source Code Analyzer, Acunetix Web Vulnerability
Scanner, WebCruiser, GreenSQL, Microsoft UrlScan, Absinthe, CORE IMPACT Pro, Safe3SI,
BSQLHacker, SQL Power Injector, Havij, BobCat, Sqlninja, sqlmap, Pangolin – Automatic SQL
Injection Penetration Testing Tool, NGSSQuirreL

c. Activity: Wireless Auditing

Wireless network security audits provide information concerning the actual security level of the
examined infrastructure.

The wireless network security audit service includes:

• wireless network security-centered topology analysis;
• examination of wireless network accessibility on and outside of company premises by examining
the network range followed by recording the results on a situation map; this allows for the
identification of areas in which the network transgresses the planned limits and is accessible to
random persons;
• analysis of the adopted protection measures, consisting of the analysis of the adopted wireless
network protection mechanisms, users’ rights as well as data transmission security;
• penetration tests: non-invasive or invasive attempts to break the employed protection measures
by means of special tools;
• procedural audit, examining the completeness and correctness of procedures relating to wireless
network security; this examination can include e.g. analysis of the access rights granting
procedure or the periodical unauthorized access point detection procedure.

d. Activity: Application Security Assessment

Application security testing and examination help an organization determine whether its custom
application software—for example, Web applications—contains vulnerabilities that can be
exploited, and whether the software behaves and interacts securely with its users, other
applications (such as databases), and its execution environment.

Application security can be assessed in a number of ways, ranging from source code review to
penetration testing of the implemented application. Many application security tests subject the
application to known attack patterns typical for that application’s type. These patterns may directly
target the application itself, or may attempt to attack indirectly by targeting the execution
environment or security infrastructure.

Examples of attack patterns are information leakage (e.g., reconnaissance, exposure of sensitive
information), authentication exploits, session management exploits, subversion (e.g., spoofing,
impersonation, command injections), and denial of service attacks.

Application security assessment should be integrated into the software development life cycle of the
application to ensure that it is performed throughout the life cycle.

For example, code reviews can be performed as code is being implemented, rather than waiting until
the entire application is ready for testing.

Tests should also be performed periodically once an application has gone into production; when
significant patches, updates, or other modifications are made; or when significant changes occur in
the threat environment where the application operates.

Assessors performing application security assessments should have a certain baseline skill set.
Guidelines for the minimum skill set include knowledge of specific programming languages and
protocols; knowledge of application development and secure coding practices; understanding of the
vulnerabilities introduced by poor coding practices; the ability to use automated software code
review and other application security test tools; and knowledge of common application
vulnerabilities.

Application Security Assessments provide assurance that mobile applications, external applications,
internal applications and APIs are secure. Security consultants test the state of applications and
provide actionable recommendations to enhance an organization’s security posture.


Application Testing services include:


Mobile Application Security Assessments
Whether the mobile apps are for use by customers, employees or business partners, this assessment
ensures that the application, its supporting backend infrastructure and its data flows are secure and
compliant.
Application Security Assessments
An application security assessment aims to validate that the applications are secure by identifying
known vulnerabilities, and by providing risk identification, the consequences of exploitation, and
expert guidance and recommendations on what the organization should specifically do to improve
the overall security posture of an application.
Web API Testing
Web Services and APIs are typically used as application glue (“middleware”) to connect systems
and to support business operations. They are high-value targets for attackers, and therefore
ideally should be examined thoroughly. Testing application Web Services and APIs requires a
strong knowledge of coding techniques and of the packages used in delivering applications and
services.

e. Activity: Network Security Assessment

An enterprise's network includes computers and workstations, routers, bridges, modems, etc. as
well as the operating, executive, communications, and application software that govern how these
components operate. Most components have some built in automated (technical) security
mechanisms. These mechanisms provide protection services for the information that the
components process, store, or transmit. These services are usually referred to as technical security
controls. The environment that surrounds the network also has protective mechanisms. Security
controls within the environment (nontechnical security controls) reinforce protection afforded by
the component. Physical, procedural, and administrative security mechanisms like back-up power,
door locks, badge systems, policies, operational procedures, location, trusted users, etc., are all
examples of security mechanisms present in the network’s environment. Although the component
and environment offer security mechanisms to protect information, the protection is not absolute —
both can have weaknesses.

Unauthorized individuals use the weaknesses to gain access to critical or sensitive information
stored, processed, or transmitted by the network. An authorized user may exploit a weakness to
misuse the network. The security mechanisms that protect the network can fail, be improperly
configured, or not be implemented at all.

The network security assessment process is used to identify technical and environmental
weaknesses in a network. Network security assessment also identifies real and potential threats to
the network. Real versus theoretical threats must be effectively addressed and over-protecting
marginally valuable assets at the expense of under-protecting critical assets must be avoided.

The network security assessment identifies errors in the configuration and operation of the
network. It assesses the enterprise's capabilities to detect external and internal attacks on the
network. Audit reports identify threats and vulnerabilities to management with recommendations
concerning their seriousness and possible impacts on the enterprise. Ways to either mitigate or
remove the identified vulnerabilities are also recommended, sometimes at added expense.
Management makes the final judgement on the cost-benefit trade-offs of added security expense
against mitigating these risks to the enterprise.

When a company's network infrastructure security is assessed, some of the things assessed
include:
• Where devices such as a firewall or IPS are placed on the network and how they
are configured
• What hackers see when they perform port scans, and how they can exploit
vulnerabilities in the network hosts
• Network design, such as Internet connections, remote access capabilities, layered
defenses and placement of hosts on the network
• Interaction of installed security devices such as firewalls, IDSs, antivirus and so on
• What protocols are in use
• Commonly attacked ports that are unprotected
• Network host configuration
• Network monitoring and maintenance

If a hacker exploits a vulnerability in one of the items above or anywhere in your network's security,
bad things can happen:

• A hacker can use a DoS attack, which can take down your Internet connection -- or even
your entire network.
• A malicious employee using a network analyser can steal confidential information in emails
and files being transferred on the network.
• A hacker can set up backdoors into your network.
• A hacker can attack specific hosts by exploiting local vulnerabilities across the network.

Before moving forward with assessing your network infrastructure security, remember to do the
following:

• Test your systems from the outside in, the inside out and the inside in (that is, between
internal network segments and DMZs).
• Obtain permission from partner networks that are connected to your network to check for
vulnerabilities on their ends that can affect your network's security, such as open ports, the
lack of a firewall or a misconfigured router.

Tools used for Network Security Assessment

External Penetration Testing Tools: Network Topology Mapper, VisualRoute, Visual Trace Route,
nslookup, NetInspector, SmartWhois, Nmap, Hping3, IDA Pro, Httprint, Netcat, Acunetix Web
Vulnerability Scanner, HP WebInspect, HTTPTunnel.

Internal Network Penetration Testing Tools: Angry IP Scanner, SuperScan, TCPView, GFI
LANguard, Winfingerprint, Wireshark, Tcpdump, Power Spy 2013, L0phtCrack, Arpspoof, Cain and
Abel, Activity Monitor, Active@ Password Changer, Netcat, SMAC, Metasploit, Nessus, Retina
Network Security Scanner.


f. Activity: Wireless/Remote Access Assessment

Wireless Security Assessments meet the security challenges of business-critical wireless
technologies. These technologies pose unique threats because their signals propagate outside
physical boundaries and are therefore difficult to control. Misconfigurations and weak security
protocols allow for unauthorized eavesdropping and easy access. Auditors attempt to detect the
wireless networks in place (including any ad-hoc networks identified), determine the locations and
ranges of the wireless networks, evaluate the range of the wireless access area, determine network
configuration information, and probe points of entry for identifying system information or access
parameters. When assessing the wireless implementation for vulnerabilities, auditors evaluate the
security measures taken to secure the infrastructure, including the SSID, the use and strength of
WEP encryption, network segmentation, and access control devices. The testing is executed from the
perspective of an authenticated external user connected to the organization's network through
remote access technologies such as VPN, SSLVPN, Citrix, etc.

(SSID is short for service set identifier. SSID is a case sensitive, 32 alphanumeric character unique
identifier attached to the header of packets sent over a wireless local-area network (WLAN) that
acts as a password when a mobile device tries to connect to the basic service set (BSS) -- a
component of the IEEE 802.11 WLAN architecture. The SSID differentiates one WLAN from
another, so all access points and all devices attempting to connect to a specific WLAN must use
the same SSID to enable effective roaming. As part of the association process, a wireless network
interface card (NIC) must have the same SSID as the access point or it will not be permitted to join
the BSS.)

When exploiting vulnerabilities to access other networks, auditors use the previously discovered
vulnerabilities to obtain access to other network segments. If the team is successful, they will test
different methods to exploit that access. This phase will determine which network segments and
systems the wireless network infrastructure can access, the security controls that separate the
wireless network from other network segments and if the wireless network can be used as a
launching point to attack other systems.

g. Activity: Database Information Security Audit

A database management system (DBMS) is a complex set of software programs that control the
organization, storage and retrieval of data in a database. It also controls the security and integrity of
the database.

When auditing the controls of a database, the auditor would check to see that the following controls
have been implemented and maintained to ensure database integrity and availability:

o Definition standards
o Data backup and recovery procedures
o Access controls
o Only authorized personnel can update the database
o Controls to handle concurrent access problems such as multiple users trying to update the
same record at the same time


o Controls to ensure the accuracy, completeness and consistency of data elements and
relationships.
o Checkpoints to minimize data loss
o Database re-organizations
o Monitoring database performance
o Capacity planning
o Who can access the database without going through the application?

One of the major audit concerns is what access the DBA has. A DBA basically has access to
everything and can do (read, write, change, delete) anything. Supervising and monitoring the DBA
is of critical importance. Monitoring (logging) the actions of the DBA, and ensuring that the DBA can
neither deactivate the log nor access it, are prime requirements.

It goes without saying that access control is the number one issue with database management
systems. Apart from that, the auditor should also audit disaster recovery and restoration, patch
management, change management, incident logging and all the other issues an auditor would
usually look for.

There is another issue that auditors need to deal with when auditing DBMS and that is to perform
some type of data integrity testing. Data integrity testing is a set of substantive tests (NOTE:
Substantive not Compliance testing) that examines accuracy, completeness, consistency and
authorization of data presently held in a system.

There are two common types of data integrity tests:

• Relational
• Referential

Relational integrity tests are performed at the data element and record-based levels. Relational
integrity is enforced through data validation routines built into the application or by defining the
input condition constraints and data characteristics at the table definition in the database stage.
Sometimes it is a combination of both.
Referential integrity tests check the existence relationships between entities in different tables of a
database that need to be maintained by the DBMS. Referential integrity checks involve
ensuring that all references to a primary key from another table actually exist in their original
table.
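As an added example (not code from the handbook), both data integrity tests above run as substantive checks against a constructed SQLite schema: a referential test that finds orders pointing at non-existent customers, a relational test that applies element-level rules to each record, and the alternative the text mentions, declaring the same rules at table definition so the DBMS enforces them. The tables, rows and rules are assumptions made for this demonstration.

```python
"""Data integrity tests for a database audit (added example, not the handbook's).

Constructed SQLite schema: orders reference customers. Foreign keys are deliberately
left unenforced in make_db(), mimicking an application that relies on code checks.
"""
import sqlite3


def make_db():
    """Constructed sample data containing one violation of each kind."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER,          -- should reference customers.id
            amount REAL,
            status TEXT
        );
        INSERT INTO customers VALUES (1, 'a@example.test'), (2, 'b@example.test');
        INSERT INTO orders VALUES
            (10, 1, 25.00, 'shipped'),
            (11, 2, -4.50, 'shipped'),      -- negative amount: relational violation
            (12, 3, 10.00, 'paid'),         -- customer 3 does not exist: orphan reference
            (13, 1, 12.00, 'lost');         -- status outside the allowed set
    """)
    return conn


def referential_test(conn):
    """Return ids of orders whose customer_id matches no customers.id."""
    rows = conn.execute("""
        SELECT o.id FROM orders o
        LEFT JOIN customers c ON c.id = o.customer_id
        WHERE c.id IS NULL
        ORDER BY o.id
    """).fetchall()
    return [r[0] for r in rows]


# Element-level rules, written as SQL predicates that select VIOLATING rows.
# These are fixed strings owned by the audit script, never user input.
RELATIONAL_RULES = {
    "amount must be >= 0": "amount IS NULL OR amount < 0",
    "status must be paid/shipped/cancelled": "status NOT IN ('paid', 'shipped', 'cancelled')",
}


def relational_test(conn, rules=RELATIONAL_RULES):
    """Apply every rule to every order and return sorted (order id, rule) pairs."""
    violations = []
    for name, predicate in rules.items():
        for (oid,) in conn.execute("SELECT id FROM orders WHERE " + predicate):
            violations.append((oid, name))
    return sorted(violations)


def audit(conn):
    """Substantive data integrity test: both checks over the data as currently held."""
    return {"orphans": referential_test(conn), "relational": relational_test(conn)}


def dbms_enforced_rejects():
    """Same rules declared at table definition (FK + CHECK) so the DBMS refuses bad
    rows on entry. Returns the ids of the sample bad rows that were rejected."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")      # SQLite enforces FKs only when asked
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(id),
            amount REAL NOT NULL CHECK (amount >= 0),
            status TEXT NOT NULL CHECK (status IN ('paid', 'shipped', 'cancelled'))
        );
        INSERT INTO customers VALUES (1, 'a@example.test'), (2, 'b@example.test');
    """)
    rejected = []
    for row in [(11, 2, -4.50, 'shipped'), (12, 3, 10.00, 'paid'), (13, 1, 12.00, 'lost')]:
        try:
            conn.execute("INSERT INTO orders VALUES (?, ?, ?, ?)", row)
        except sqlite3.IntegrityError:
            rejected.append(row[0])
    return rejected


if __name__ == "__main__":
    print(audit(make_db()))
    print("rejected by DBMS constraints:", dbms_enforced_rejects())
```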

h. Activity: File Integrity Checking

File integrity monitoring is critical for security and compliance. To minimize the risk to sensitive data,
detection of unmanaged changes in file servers and storage appliances is necessary. File integrity
monitoring tools are deployed to alert personnel to unauthorized modifications of critical system or
content files, and for performing file comparisons if the process can be automated.

File integrity monitoring ensures that program and operating system files have not been
compromised. Using file integrity monitoring technology is important to verify that malicious code
has not been inserted into sensitive system, configuration and/or content files. Knowledge of exactly
who modified the file, what the change was, when and where the change was made in order to
prevent possible security and business impact is critical.


Tools provide protection of critical data by providing the following file integrity details:
• file size
• when it was created
• when the change was made
• what exactly was changed
• who made the change
• where the change was made
• previous and current values for the change
• its attributes (e.g., read-only, hidden, system, etc.)

These tools make the organization aware of all changes, protect sensitive data, significantly reduce
audit preparation time and help maintain compliance with the regulations requiring file integrity
monitoring.

It is very difficult to compromise a system without altering a system file, so file integrity checkers are
an important capability in intrusion detection. A file integrity checker computes a checksum for
every guarded file and stores this. At a later time, you can compute a checksum again and test the
current value against the stored value to determine if the file has been modified. A file integrity
checker is a capability that you should expect to receive with any commercial host based intrusion
detection system.

The checksum originally used for this was a 32-bit CRC (Cyclic Redundancy Check). Attackers
have demonstrated the ability to modify a file in ways that a CRC checksum cannot detect, so
stronger checksums known as cryptographic hashes are recommended. Examples of cryptographic
hashes include MD5 and Snefru (MD5 is no longer considered collision-resistant, so current tools
generally favour the SHA-2 family).
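The baseline-and-compare procedure above, as an added example that is not code from the handbook or from any FIM product: it records each file's size, mode, modification time and a SHA-256 digest, saves that baseline as JSON, and reports added, removed and modified files with previous and current values. SHA-256 in place of the CRC-32/MD5 named above, POSIX mode bits in place of the attribute list, and the directory contents built in demo() are assumptions and constructions for this example.

```python
"""Baseline-and-compare file integrity checker (added example, not handbook code).

Assumptions: SHA-256 stands in for the CRC-32/MD5 named in the text, POSIX mode
bits stand in for the attribute list, and the baseline is persisted as JSON.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Tuple

Record = Dict[str, object]


def hash_file(path: str) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_file(path: str) -> Record:
    """Capture the details the text lists: size, change time, attributes, checksum."""
    st = os.lstat(path)
    return {
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "mode": stat.filemode(st.st_mode),  # e.g. '-rw-r--r--'
        "sha256": hash_file(path),
    }


def build_baseline(root: str) -> Dict[str, Record]:
    """Walk the guarded tree and record every regular file, keyed by relative path."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlink targets are recorded at their real path instead
            baseline[os.path.relpath(full, root)] = record_file(full)
    return baseline


def save_baseline(baseline: Dict[str, Record], path: str) -> None:
    """Persist the baseline; in practice this lives where the monitored host cannot alter it."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Record]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> dict:
    """Diff two scans; each modified entry carries (previous, current) per changed field."""
    report: dict = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            changed: Dict[str, Tuple[object, object]] = {
                field: (baseline[rel][field], current[rel][field])
                for field in baseline[rel]
                if baseline[rel][field] != current[rel][field]
            }
            if changed:
                report["modified"][rel] = changed
    return report


def demo() -> dict:
    """Constructed scenario: two guarded files, then one is altered and one appears."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "etc", "issue"), "w") as fh:
            fh.write("Authorised access only\n")
        baseline_path = os.path.join(store, "baseline.json")  # kept outside the guarded tree
        save_baseline(build_baseline(root), baseline_path)
        # Simulate an unmanaged change to a guarded file and an unexpected new file.
        with open(os.path.join(root, "etc", "hosts"), "a") as fh:
            fh.write("192.0.2.10 constructed.example\n")
        with open(os.path.join(root, "etc", "motd"), "w") as fh:
            fh.write("new file\n")
        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```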

Auditors check the file integrity monitoring reports and logs, to evaluate effectiveness and use.

i. Log Management Information Security Audit

Organizations often spend a great deal of money on Log Management and Security Information and
Event Management (SIEM). While there are any number of compliance regulations and auditors
follow various standards, there are a few common core elements to success.

• log all relevant events
• define the scope of coverage
• define what events constitute a threat
• detail what should be done about them in what time frame
• document when they occurred and what was done
• document where both the events and follow up records can be found
• document how long events and tickets are kept

By defining which events are of interest and what should be done about them, security and log
analysis not only aids compliance but becomes proactive. Log analysis used in this manner can
detect emerging threats and trends, and even tune and improve overall security. It is easy to
become overwhelmed by the millions of events generated by firewalls, authentication logs,
intrusion logs and other logs ad nauseam; however, certain anomalous behavioural patterns and
repeated events are common, and relatively easy to detect, signs of malware.

Log management (LM) comprises an approach to dealing with large volumes of computer-generated
log messages (also known as audit records, audit trails, event-logs, etc.).

LM covers:
• log collection
• centralized aggregation
• long-term retention
• log rotation
• log analysis (in real-time and in bulk after storage)
• log search and reporting

Concerns about security, system and network operations (such as system or network administration)
and regulatory compliance drive log management.

Effectively analysing large volumes of diverse logs can pose many challenges — such as:

• huge log-volumes (reaching hundreds of gigabytes of data per day for a large organization)
• log-format diversity
• undocumented proprietary log-formats (that resist analysis)
• the presence of false log records in some types of logs (such as intrusion-detection logs)

Logs can contain a wide variety of information on the events occurring within systems and networks.
Security software logs primarily contain computer security-related information. Operating system
logs and application logs typically contain a variety of information, including computer security-
related data.

Under different sets of circumstances, many logs created within an organization could have some
relevance to computer security. For example, logs from network devices such as switches and
wireless access points, and from programs such as network monitoring software, might record data
that could be of use in computer security or other information technology (IT) initiatives, such as
operations and audits, as well as in demonstrating compliance with regulations.

Log management infrastructures, which are typically based on either syslog-based centralized
logging software or security information and event management software, usually use a three-
tiered design.

 The first tier encompasses the hosts that generate the original log data.
 The second tier includes centralized log servers, which perform consolidation and data
storage.
 The third tier contains consoles that are used to monitor and review log data, and optionally
may also be used to manage the log servers and clients.

Communications between the tiers usually occur over the organization’s regular networks, but may
be routed over a separate logging network instead. Organizations may also have log-generating
hosts that cannot actively participate in the log management infrastructure, such as computers that
are not network connected, legacy systems, and appliance-based devices; administrators can either
transfer data manually to the infrastructure from these hosts through removable media, or manage
and analyse the data locally.

Syslog

In a syslog-based centralized logging infrastructure, each log generator uses the same standard log
format and forwards its log entries to a centralized log server. Because syslog is a simple standard
protocol, it can be used by many OSs, security software programs, and applications. The original
syslog standard does not offer much granularity in handling different types of events. Also, because
it has few data fields, it can be very difficult to extract the meaning of the data logged for each event
when multiple log sources are generating events. Syslog was developed when log security was not a
major concern; the original syslog standard offers no features for preserving the confidentiality,
integrity, and availability of logs.

To improve the security of syslog deployments, a new proposed standard has been created that
offers stronger security capabilities, and various syslog implementations have added features such
as reliable log delivery; transmission encryption, integrity protection, and authentication; robust
filtering; automated event responses; log file encryption; and event rate limiting. Organizations using
syslog should consider using secure syslog implementations, paying particular attention to
interoperability because many syslog clients and servers offer features not specified in current
standards.
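An added example, not from the handbook, that ties together the repeat-event detection described under log analysis above and the sparse field layout of the original syslog format: it decodes the <PRI> value into facility and severity, splits out timestamp, host, tag and message, sets aside malformed lines for review, and flags a source that repeats an authentication failure five or more times within a minute. The log lines are constructed, the year is an assumption (classic syslog timestamps omit it), and the threshold and window are illustrative.

```python
"""RFC 3164-style syslog parser with repeat-event detection (added example).

Not code from the handbook. SAMPLE_LOG is constructed; addresses use the
documentation ranges 203.0.113.0/24 and 198.51.100.0/24. The year is an
assumption because classic syslog timestamps omit it.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: msg  (the few fields the original standard defines)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
SRC_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

SAMPLE_LOG = """\
<38>Oct 11 22:14:01 web01 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
<38>Oct 11 22:14:03 web01 sshd[2013]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
<38>Oct 11 22:14:04 web01 sshd[2015]: Failed password for root from 203.0.113.7 port 51041 ssh2
<38>Oct 11 22:14:06 web01 sshd[2017]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
<38>Oct 11 22:14:09 web01 sshd[2019]: Failed password for root from 203.0.113.7 port 51060 ssh2
<38>Oct 11 22:14:30 web01 sshd[2031]: Accepted publickey for deploy from 198.51.100.4 port 40112 ssh2
<86>Oct 11 22:15:00 web01 CRON[2040]: pam_unix(cron:session): session opened for user root by (uid=0)
<13>Oct 11 22:15:02 db01 app: heartbeat ok
this line is not syslog at all
<200>Oct 11 22:16:00 db01 app: priority value out of range
<38>Oct 11 22:16:10 db01 sshd[3001]: Failed password for root from 203.0.113.7 port 52001 ssh2
"""


def parse_syslog(line: str, year: int = 2015) -> Optional[dict]:
    """Decode one line; return None for anything that is not well-formed syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # PRI = facility (0..23) * 8 + severity (0..7)
        return None
    facility, severity = divmod(pri, 8)
    ts = datetime.strptime(f"{year} {m['ts'].replace('  ', ' ')}", "%Y %b %d %H:%M:%S")
    src = SRC_RE.search(m["msg"])
    return {"ts": ts, "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "host": m["host"], "tag": m["tag"], "pid": m["pid"], "msg": m["msg"],
            "src": src["ip"] if src else None}


def detect_repeats(events: List[dict], needle: str = "Failed password",
                   threshold: int = 5, window_seconds: int = 60) -> List[dict]:
    """Flag any (host, tag, source) that repeats `needle` at least `threshold` times in a window."""
    buckets: Dict[tuple, List[datetime]] = defaultdict(list)
    for e in events:
        if e["src"] and needle in e["msg"]:
            buckets[(e["host"], e["tag"], e["src"])].append(e["ts"])
    findings = []
    for (host, tag, src), times in buckets.items():
        times.sort()
        for i in range(len(times)):  # sliding window starting at each event
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                findings.append({"host": host, "tag": tag, "src": src, "count": j - i + 1,
                                 "first": times[i].isoformat(), "last": times[j].isoformat()})
                break  # one finding per bucket is enough for the report
    return findings


def analyse(text: str) -> dict:
    """Parse a log batch, keep malformed lines for review, and run the repeat detector."""
    events: List[dict] = []
    malformed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_syslog(line)
        if parsed is None:
            malformed.append(line)  # original syslog gives no integrity guarantee; review these
        else:
            events.append(parsed)
    by_severity: Dict[str, int] = defaultdict(int)
    for e in events:
        by_severity[e["severity"]] += 1
    return {"parsed": len(events), "malformed": malformed,
            "by_severity": dict(by_severity), "findings": detect_repeats(events)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"parsed={result['parsed']} malformed={len(result['malformed'])} "
          f"severity={result['by_severity']}")
    for finding in result["findings"]:
        print("REPEAT:", finding)
```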

SIEM

Unlike syslog-based infrastructures, which are based on a single standard, security information and
event management (SIEM) software primarily uses proprietary data formats. SIEM products have
centralized servers that perform log analysis and database servers for log storage. Most SIEM
products require agents to be installed on each log generating host; the agents perform filtering,
aggregation, and normalization for a particular type of log. The agents are also responsible for
transferring log data from the individual hosts to a centralized SIEM server on a real-time or near-
real-time basis. Other SIEM products are agentless and rely on an SIEM server to pull data from the
logging hosts and perform the functions that agents normally perform.

SIEM products usually support several dozen types of log sources, including generic formats such as
syslog. Because the SIEM products typically understand the meaning of each logged field for specific
log source formats, an SIEM-based log management infrastructure is usually superior to a syslog-
based infrastructure in performing normalization, analysis, and correlation of log data from multiple
log sources.

SIEM products can analyse data from many sources, identify significant events, and initiate
automated responses if desired. SIEM products may also include analysis GUIs, security knowledge
bases, incident tracking and reporting capabilities, and asset information storage and correlation
capabilities. SIEM products also usually offer capabilities to protect the confidentiality, integrity, and
availability of log data.

Although SIEM software typically offers more robust and broad log management capabilities than
syslog, SIEM software is usually much more complicated and expensive to deploy than a centralized
syslog implementation. Also, SIEM software is often more resource-intensive for individual hosts
than syslog because of the processing that agents perform.

In addition to syslog and SIEM software, there are several other types of software that may be
helpful for log management. Host-based intrusion detection systems (IDS) monitor the
characteristics of a host and the events occurring within it, which might include OS, security
software, and application logs. Host based IDS products are often part of a log management
infrastructure, but they cannot take the place of syslog and SIEM software. Other utilities that are
helpful for log management include visualization tools, log rotation utilities, and log conversion
utilities.

Auditors check for these logs and their management as part of the information security audit. A
security analyst may be directly involved in log monitoring and in following established log
management processes, and can therefore be interviewed directly about this.

j. Telephony Security Assessment

VoIP and telephony assessment is a significant concern, and ever more so in light of recent developments
in the convergence of voice, data and video. The robustness of the telephony system in isolation
is a significant concern; there is a range of threats to the confidentiality, availability and integrity of
the telephony system, and testing evaluates all of these. VoIP and telephony assessment testing
typically includes reviewing handsets, soft-phones, the telephony servers and a range of network-
layer activities to fully understand whether the telephony system can be considered secure and
reliable.

The need to segregate voice services from the traditional corporate network is well publicised and
this is the second area of attention. The method of segregation (commonly VLANs) will be subject to
review, as will any servers that bridge both data and voice networks, to ensure that they are capable
of maintaining the required level of segregation.

The type of testing conducted will be dictated by the nature of the solution and, in addition to
telephony-specific skills, tests may include elements of wireless testing, infrastructure penetration
testing, application testing, build reviews, remote access testing and more. The mission-critical
nature of voice services and the challenges of the multipartite ownership of voice services cannot be
underestimated or ignored. Auditors test these services and related infrastructure to establish
government and industry regulatory compliance requirements; discover telephony network
vulnerabilities and risks to business systems; validate the effectiveness of current security
safeguards; and identify remediation steps to help prevent network compromise.

k. Data Leakage Information Security Audit

Data leakage audits are conducted to establish the loss of data from various parts of the
organization. Auditors usually examine outbound e-mail, FTP and Web communications. They
explore leaks of general financial information, corporate plans and strategies, employee and other
personally identifiable information, intellectual property and proprietary processes. Auditors usually
place taps between the corporate LAN and the firewall and between the external e-mail
gateway and the firewall. They also use software on servers to monitor unencrypted traffic.
They then analyse the traffic with respect to company policy.

l. Social Engineering

Social engineering is an attempt to trick someone into revealing information (e.g., a password) that
can be used to attack systems or networks. It is used to test the human element and user awareness
of security, and can reveal weaknesses in user behaviour—such as failing to follow standard
procedures. Social engineering can be performed through many means, including analog (e.g.,
conversations conducted in person or over the telephone) and digital (e.g., e-mail, instant
messaging). One form of digital social engineering is known as phishing, where attackers attempt to
steal information such as credit card numbers, Social Security numbers, user IDs, and passwords.
Phishing uses authentic-looking emails to request information or direct users to a bogus Web site to
collect information. Other examples of digital social engineering include crafting fraudulent e-mails
and sending attachments that could mimic worm activity.

Social engineering may be used to target specific high-value individuals or groups in the
organization, such as executives, or may have a broad target set. Specific targets may be identified
when the organization knows of an existing threat or feels that the loss of information from a person
or specific group of persons could have a significant impact. For example, phishing attacks can be
targeted based on publicly available information about specific individuals (e.g., titles, areas of
interest). Individual targeting can lead to embarrassment for those individuals if testers successfully
elicit information or gain access. It is important that the results of social engineering testing are used
to improve the security of the organization and not to single out individuals. Testers should produce
a detailed final report that identifies both successful and unsuccessful tactics used. This level of
detail will help organizations to tailor their security awareness training programs.

Post-Attack Phase and Activities

The reporting phase occurs simultaneously with the other three phases of the penetration test. In
the planning phase, the assessment plan—or ROE—is developed. In the discovery and attack phases,
written logs are usually kept and periodic reports are made to system administrators and/or
management. At the conclusion of the test, a report is generally developed to describe identified
vulnerabilities, present a risk rating, and give guidance on how to mitigate the discovered
weaknesses.

Case Study

This is a case study of an external network penetration test that Dionach performed on one office of
a large UK organization. Some of the information has been changed or omitted to maintain
confidentiality.

BACKGROUND
The client had most of their web servers at a single office and wished to understand their
current level of external risk. They commissioned Dionach to carry out an external penetration
test and supplied Dionach with the external IP address range to be tested.

Dionach then proceeded with the four stages of the penetration test:

• Information gathering
• Scanning for external services
• Identifying vulnerabilities on external services and exploiting them
• Producing a detailed report of issues and recommendations

INFORMATION GATHERING
Dionach first verified that the IP address range supplied was assigned to the organisation by querying
the RIPE Whois Database. This also starts the information gathering process, as emails, telephone
numbers and addresses are available from RIPE. DNS servers were then queried for more information
such as registration details and mail servers. Internet, forum and newsgroup searches on key
individuals did not reveal much information that would be useful in penetrating the network, for
example any information about the technology that the organisation has used, or the skills of
individuals. An internally developed tool was used on search engines to find DNS names with IP
addresses within the IP range. This turned up 19 different web sites on 5 different IP addresses. It was
assumed that there were other web sites hosted by the organisation that hadn't been indexed by
search engines.

Note that this information is all publicly available, and was discovered without any or very little direct
contact with the organisation's network.

SCANNING FOR EXTERNAL SERVICES


The external IP range was then scanned for common TCP and UDP services, such as FTP, Mail, DNS,
web, and remote control services. More in-depth scans were also carried out three times over the
course of the week of the test. These scans were carried out using two different tools and undertaken
slowly to both keep scanning traffic at near zero, and evade any intrusion detection or prevention
systems that may be in place. The TCP port scanning revealed that no hosts replied to ICMP pings.
There were several hosts with web servers on ports 80 and 443. There were SMTP mail gateways, a DNS
server, FTP servers and a host with port 264 open that indicated a Checkpoint firewall.

The services banners showed that the web and FTP services were all Microsoft IIS based, with a
mixture of IIS 4.0 (Windows NT) and IIS 5.0 (Windows 2000). Four of the service banners disclosed
internal computer names or private IP addresses.

IDENTIFYING AND EXPLOITING VULNERABILITIES


Mail relay variants were attempted on the mail servers with no success. Downloading the
Checkpoint firewall topology was unsuccessful; this may have revealed internal network
information. A DNS zone transfer on the DNS server was also unsuccessful, which may have
also revealed internal network information. A commercial web server vulnerability scanning
tool and an open source vulnerability scanning tool were used to check for potential
vulnerabilities on the relevant host services. These identified that one of the FTP servers
allowed anonymous access, and that some of the web servers had not been locked down and
had services that may be vulnerable to remote command execution. The automated scans can
reveal vulnerabilities, but a manual check usually reveals more information. One host allowed
remote command execution. Dionach at this point informed the organisation that they had a
critically compromised host. Credentials were then retrieved for administrator level users. The
surrounding network was enumerated, showing that the host was in a DMZ with access to
other hosts.

Dionach then looked at the web sites identified in the information gathering exercise, and also
the port scanning. Some of these were dynamic sites, with some using CGI applications with
.exe extensions, and others using ASP pages. Using open source scripts and tools, as well as in-
house developed tools and a manual process, the dynamic web sites were checked for web
application vulnerabilities. Common problems were discovered, the most serious of which was
that some of the pages on the web sites were vulnerable to SQL injection that allowed
arbitrary SQL statements to be executed and also commands on the server itself, giving full
control of the server. The proxy server identified in the port scan appeared to allow access to
an intranet, although limited internal information was available.

REPORTING
The issues listed above and other issues not mentioned were compiled and put into the final report. The
report noted the dates the test was carried out on, and the IP address range. The issues were graded into
the following risk levels: critical, high, medium, low and informational. The executive summary specified
that the overall security represented critical risk, and highlighted that although firewall configuration was
well maintained, application and operating system security allowed remote intruders to gain access and
control to a number of servers. The number of issues identified at each risk level (critical, high, medium,
low and informational) was presented graphically and key issues starting with the most critical were
listed with recommendations given for resolution of each.

There then followed the technical part of the report, which detailed:

• Information gathered: RIPE Whois information, DNS information and web site domain names.
• Network scan results.
• Exploit tests carried out, such as mail relay and DNS zone transfer.
• Summary walkthroughs and locations of the exploited web server and web application
vulnerabilities.
• Technical, in-depth list of issues discovered and recommendations on reducing the risk, starting
with the most critical.

PRESENTATION
Dionach then presented the report to the organisation face to face, which ensured that the organisation
got the most value out of the report and a good understanding of the issues. Following this, the
organisation rebuilt the previously compromised web server, reviewed the web applications, and then
requested Dionach to carry out a follow-up penetration test.

Source : https://www.dionach.com/library/network-penetration-test-case-study

Summary
 A penetration test is the process of actively evaluating a company's information security
measures. Security measures are actively analysed for design weaknesses, technical flaws and
vulnerabilities. The results are delivered comprehensively in a report to executive, management
and technical audiences.
 Testing should be performed on all hardware and software components of a network security
system.
 According to one classification, there are three stages in penetration testing:
o Pre-attack
o Attack Phase
o Post-attack phase
 The three stages of reconnaissance are:
o Footprinting
o Scanning
o Enumerating
 Types of Reconnaissance
o Active Reconnaissance
o Passive Reconnaissance
 Reconnaissance process seeks to gather as much information about the target network as
possible, following these seven steps:
o Gather initial information
o Determine the network range
o Identify active machines
o Discover open ports and access points
o Fingerprint the operating system
o Uncover services on ports
o Map the network
 The next phase is the attack phase, where if an attack is successful, the vulnerability is verified
and safeguards are identified to mitigate the associated security exposure.
 Attack phase activities include: perimeter auditing, web application auditing, wireless auditing,
application security auditing, network security auditing, wireless/remote access auditing,
database auditing, file integrity checking, log management auditing, telephony security assessment,
data leakage auditing and social engineering auditing.
 At the conclusion of the test, a report is generally developed to describe identified
vulnerabilities, present a risk rating, and give guidance on how to mitigate the discovered
weaknesses.

Practical Activity:

Activity 1:

Collate data from various sources and list the various types of penetration testing
based on the object of testing. List down steps and considerations for each type of
testing including the various tools that are available in the market for the particular
testing.

Activity 2:

Compare various data security companies and their offerings for penetration testing.
Compare their features, benefits and value propositions, also research reviews of
various clients /independent reviewers of their products and services.

Activity 3:

Study from various sources and discuss in class the legal and ethical concerns of
penetration testing. Also to explore the advantages and disadvantages of penetration
testing.

Check for understanding:

Q. A security tester is sending random data to a program. What does this describe?
a) Fuzzing
b) Buffer overflow
c) Integer overflow
d) Command injection

Q. Your organization wants to improve the security posture of internal database servers. Of the
following choices, what provides the BEST solution?
a) Opening ports on a server’s firewall
b) Disabling unnecessary services
c) Keeping systems up to date with current patches
d) Keeping systems up to date with current service packs

Q. List at least 5 tools used for network security assessment.

a) ___________________________________
b) ___________________________________
c) ___________________________________
d) ___________________________________
e) ___________________________________

Q. Active blueprinting of the security profile of an organization, involving gathering information
about your customer's network to create a unique profile of the organization's networks and
systems, is known as
a) Enumerating
b) Footprinting
c) Scanning
d) Relational Assessment

Q. List at least 5 tools used for web application assessment.

a) ___________________________________
b) ___________________________________
c) ___________________________________
d) ___________________________________
e) ___________________________________

UNIT VI
Information Security Audit
Tasks

This Unit covers:

 Lesson Plan
6.1. Pre-audit tasks
6.2. Information gathering
6.3. External Security Audit
6.4. Internal Network Security Auditing
6.5. Firewall Security Auditing
6.6. IDS Security Auditing
6.7. Social Engineering Audit

LESSON PLAN

Columns: Outcomes | Performance Ensuring Measures | Work Environment / Lab Requirement

Outcomes (row 1): To be competent, you must be able to:
• PC2. identify the procedures/guidelines/checklists for the audit tasks you are required to carry out (0904)
• PC3. identify any issues with procedures/guidelines/checklists for carrying out audit tasks and clarify these with appropriate people (0904)
• PC4. collate information, evidence and artefacts when carrying out audits (0904)
• PC5. carry out required audit tasks using standard tools and following established procedures/guidelines/checklists (0904)
• PC7. record and document audit tasks and audit results using standard tools and templates (0904)
• PC8. review results of audit tasks with appropriate people and incorporate their inputs (0904)
• PC3. identify the requirements of information security audits and prepare for audits in advance (0905)

Performance Ensuring Measures (row 1):
1. Carry out audits using free internet tools in a lab environment
2. Locate a list of threats and vulnerabilities and compare them to known lists or uncovered threats and vulnerabilities
3. Carry out a preliminary information gathering activity for the training institution network. Identify the perimeter and other network components and create a security audit plan for the same

Work Environment / Lab Requirement (row 1):
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Networking Equipment - Routers & Switches
• Firewalls and Access Points
• Commercial tools like HP Web Inspect and IBM AppScan etc.
• Open source tools like sqlmap, Nessus etc.

Outcomes (row 2): You need to know and understand:
• KB1. common issues that may affect carrying out audit tasks and how to deal with these
• KB2. different systems and structures that may need information security audits and how they operate
• KB3. features, configuration and specifications of information security systems and devices and associated processes and architecture
• KA10. different approaches and ways of working for internal and external information security audits
• KA11. who to involve when carrying out information security audits
• KA12. your organization's knowledge base and how to use this to support information security audits
• KA13. how to carry out, record and report audit tasks
• KA14. the range of data and information required for information security audits and where to obtain this
• KA15. methods and techniques used when working with others

Performance Ensuring Measures (row 2):
1. Research and list various stages of the audit and related tasks
2. Research and outline the responsibilities of the security analyst across the various stages and tasks
3. Research various tools (paid and free) and compare their offerings, features, benefits and limitations

Work Environment / Lab Requirement (row 2):
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)

Student Handbook – Security Analyst SSC/N0904/N0905

Training Resource Material

A security analyst may contribute to activities during the audit process, which include the following
tasks.

6.1 Pre-audit tasks


During this phase, the auditors determine the main area/s of focus for the audit and any areas that
are explicitly out-of-scope, based normally on an initial risk-based assessment plus discussion with
those who commissioned the audit. Information sources include general research on the industry
and the organization, previous and perhaps other audit reports, and documents such as the
Statement of Applicability, Risk Treatment Plan and Security Policy.

The auditors should ensure that the scope ‘makes sense’ in relation to the organization. The audit
scope should normally match the scope of the Information Security Management System (ISMS)
being certified. For example, large organizations with multiple divisions or business units may have
separate ISMSs, an all-encompassing enterprise-wide ISMS, or some combination of local and
centralized ISMS. If the ISMS certification is for the entire organization, the auditors may need to
review the ISMS in operation at all or at least a representative sample of business locations, such as
the headquarters and a selection of discrete business units chosen by the auditors.

The auditors should pay particular attention to information security risks and controls associated
with information conduits to other entities (organizations, business units etc.) that fall outside the
scope of the ISMS, for example checking the adequacy of information security-related clauses in
Service Level Agreements or contracts with IT service suppliers. This process should be easier where
the out-of-scope entities have been certified compliant with ISO/IEC 27001.

During the pre-audit survey, the ISMS auditors identify and ideally make contact with the
main stakeholders in the ISMS such as the ISM manager/s, security architects, ISMS
developers, ISMS implementers and other influential figures such as the CIO and CEO, taking
the opportunity to request pertinent documentation etc. that will be reviewed during the
audit. The organization normally nominates one or more audit "escorts", individuals who are
responsible for ensuring that the auditors can move freely about the organization and rapidly
find the people, information etc. necessary to conduct their work, and act as management
liaison points.

The primary output of this phase is an agreed ISMS audit scope, charter, engagement letter or
similar. Contact lists and other preliminary documents are also obtained and the audit files are
opened to contain documentation (audit working papers, evidence, reports etc.) arising from the
audit. The pre-audit questionnaire is used to assist the audit manager in gathering pertinent
information prior to the on-site visit. Information gathered from the pre-audit questionnaire is used
to formulate additional questions to be answered during the on-site visit and to assist in determining
policy compliance. Additionally, the pre-audit questionnaire is used as a tool by audit managers to
prepare information sheets for local auditors, outlining/summarizing the CSAs audit program and
procedures.


6.2 Information Gathering

Information gathering is essentially using the Internet to find all the information you can about
the target (company and/or person) using both technical (DNS/WHOIS) and non-technical
(search engines, news groups, mailing lists etc.) methods.

a. What Is Information Gathering?

Information gathering does not require that the assessor establishes contact with the target system.
Information is collected (mainly) from public sources on the Internet and from organizations that hold
public information (e.g. tax agencies, libraries, etc.). The information gathering section of the penetration
test is important for the penetration tester, because assessments are generally limited in time and resources.

Therefore, it is critical to identify the points that are most likely to be vulnerable, and to focus on them.
Even the best tools are useless if not used appropriately and in the right place and time. That is the
reason why experienced testers invest a significant amount of time in information gathering.

Information gathering is a necessary step of a penetration test. This task can be carried out in many
different ways. By using public tools (search engines), scanners, sending simple HTTP requests, or
specially crafted requests, it is possible to force the application to leak information, e.g. by disclosing
error messages or revealing the versions and technologies used. It includes the following steps:

1. Spiders, Robots and Crawlers: This phase of the Information Gathering process consists of
browsing and capturing resources related to the application being tested.

2. Search Engine Discovery/Reconnaissance: Search engines, such as Google, can be used to
discover issues related to the web application structure or error pages produced by the application
that have been publicly exposed.

3. Identify application entry points: Enumerating the application and its attack surface is a key
precursor before any attack should commence. This section will help you identify and map out every
area within the application that should be investigated once your enumeration and mapping phase
has been completed.

4. Testing Web Application Fingerprint: Application fingerprint is the first step of the Information
Gathering process; knowing the version and type of a running web server allows testers to
determine known vulnerabilities and the appropriate exploits to use during testing.

5. Application Discovery: Application discovery is an activity oriented to the identification of the
web applications hosted on a web server/application server. This analysis is important because often
there is no direct link connecting the main application backend. Discovery analysis can be useful in
revealing details such as web applications used for administrative purposes. In addition, it can reveal
old versions of files or artefacts such as undeleted, obsolete scripts, crafted during the
test/development phase or as the result of maintenance.

6. Analysis of Error Codes: During a penetration test, web applications may divulge information that
is not intended to be seen by an end user. Information such as error codes can inform the tester
about technologies and products being used by the application. In many cases, error codes can be
easily invoked without the need for specialist skills or tools, due to bad exception handling design
and coding. Clearly, focusing only on the web application will not be an exhaustive test. It cannot be
as comprehensive as the information possibly gathered by performing a broader infrastructure
analysis.

b. Information Gathering Methodology

Phase One

Network survey: A network survey is like an introduction to the system that is tested. By doing it,
you obtain a “network map”, from which you can find the number of reachable systems to be
tested without exceeding the legal limits of what you may test. Usually more hosts are detected
during the testing, so they should be properly added to the “network map”. The results that the
tester might get using network surveying are:
• Domain Names
• Server Names
• IP Addresses
• Network Map
• ISP / ASP information
• System and Service Owners
Network surveying can be done using TTL modulation (traceroute) and record route (e.g. ping -R),
although classical 'sniffing' is sometimes as effective a method.

Phase Two

OS Identification (sometimes referred to as TCP/IP stack fingerprinting): The determination of a
remote OS type by comparison of variations in OS TCP/IP stack implementation behaviour. In other
words, it is active probing of a system for responses that can distinguish its operating system and
version level. The results are:
• OS Type
• System Type
• Internal system network addressing

Phase Three

Port scanning: Port scanning is the invasive probing of system ports on the transport and network
level. Included here is also the validation of system reception to tunnelled, encapsulated, or routing
protocols. Testing for different protocols will depend on the system type and services it offers.
However, it is not always necessary to test every port for every system. This is left to the discretion
of the test team. Port numbers that are important for testing according to the service are listed with
the task. Additional port numbers for scanning should be taken from the Consensus Intrusion
Database Project Site. The results that the tester might get using port scanning are:
• List of all open, closed or filtered ports
• IP addresses of live systems
• Internal system network addressing
• List of discovered tunnelled and encapsulated protocols
• List of discovered routing protocols supported
Methods include SYN and FIN scanning, and variations thereof, e.g. fragmentation scanning.

Photo : Example of Port Scanning
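As an added example (not from the handbook), the following Python looks at port scanning from the detection side: it classifies TCP probes by their flag combinations into the SYN, FIN, NULL and XMAS variants named above and reports sources that sweep many ports on one host. The packet records are constructed, and the port threshold is an assumption.

```python
"""Classify TCP probe flag patterns and flag probable port scans.

Added example for this handbook section; not part of the original text.
The packet records below are constructed, so no capture file is needed.
"""
from collections import defaultdict

# TCP flag bits as carried in the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed sample of packets seen at the perimeter: (src, dst, dport, flags).
SAMPLE_PACKETS = [
    # an ordinary client completing a handshake with the web server
    ("198.51.100.7", "203.0.113.10", 443, SYN),
    ("198.51.100.7", "203.0.113.10", 443, ACK),
    # one source sweeping many ports with bare SYNs (half-open scan)
    *[("192.0.2.50", "203.0.113.10", p, SYN)
      for p in (21, 22, 23, 25, 80, 110, 135, 139, 389, 443, 445, 1433, 3389, 5900)],
    # the same source trying the stealth variants against one port
    ("192.0.2.50", "203.0.113.10", 22, FIN),
    ("192.0.2.50", "203.0.113.10", 22, 0),
    ("192.0.2.50", "203.0.113.10", 22, FIN | PSH | URG),
]

def classify_probe(flags: int) -> str:
    """Name the probe type from the TCP flag combination.

    SYN (half-open), FIN, NULL (no flags set) and XMAS (FIN+PSH+URG) are the
    scan variants the section names; any other combination is treated as a
    normal packet.
    """
    if flags == 0:
        return "NULL"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == FIN:
        return "FIN"
    if flags == SYN:
        return "SYN"
    return "normal"

def detect_scans(packets, port_threshold=10):
    """Group probes per (src, dst) pair and report sources that look like scanners.

    A pair is reported when the source sends bare SYNs to at least
    `port_threshold` distinct ports (the threshold is an assumption) or sends
    any FIN/NULL/XMAS probe at all, since those flag combinations never start
    a legitimate connection. Returns {(src, dst): evidence}.
    """
    syn_ports = defaultdict(set)
    stealth = defaultdict(lambda: defaultdict(int))
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind == "SYN":
            syn_ports[(src, dst)].add(dport)
        elif kind in ("FIN", "NULL", "XMAS"):
            stealth[(src, dst)][kind] += 1
    findings = {}
    for key in set(syn_ports) | set(stealth):
        ports = syn_ports.get(key, set())
        kinds = dict(stealth.get(key, {}))
        if len(ports) >= port_threshold or kinds:
            findings[key] = {"syn_ports": sorted(ports), "stealth_probes": kinds}
    return findings

if __name__ == "__main__":
    for (src, dst), ev in detect_scans(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: SYN to {len(ev['syn_ports'])} ports, "
              f"stealth probes {ev['stealth_probes']}")
```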

Phase Four

Services identification: This is the active examination of the application listening behind the service.
In certain cases, more than one application exists behind a service where one application is the
listener and the others are considered components of the listening application. The results of service
identification are:
• Service Types
• Service Application Type and Patch Level
• Network Map

The methods used in service identification are the same as in port scanning. There are two ways in
which one can perform information gathering:

1. The first method is to perform information gathering techniques with a 'one to one' or 'one to
many' model; i.e. a tester performs techniques in a linear way against either one target host or a
logical grouping of target hosts (e.g. a subnet). This method is used to achieve immediacy of the
result and is often optimized for speed, and often executed in parallel.
2. Another method is to perform information gathering using a 'many to one' or 'many to many'
model. The tester utilizes multiple hosts to execute information gathering techniques in a random,
rate-limited and non-linear way. This method is used to achieve stealth (distributed information
gathering).

c. Information gathering steps

1. Crawl the website and mirror the pages on your PC
2. Crawl the FTP website and mirror the pages on your PC
3. Lookup registered information in WHOIS database
4. List the products sold by the company
5. List the contact information, email addresses, and telephone numbers
6. List the company’s distributors
7. List the company’s partners
8. Search the internet, newsgroups, bulletin boards and negative websites for information
about the company


9. Search for trade association directories
10. Search for link popularity of the company website
11. Compare price of product or service with competition
12. Find the geographical location
13. Search the internet archive pages about the company
14. Search similar or parallel domain name listings
15. Search job postings sites about the company
16. Browse social network websites
17. Write down key employees
18. Investigate key personnel – searching in Google, look up their resumes and cross
reference information
19. List employee company and personal email addresses
20. Search for web pages posting patterns and revision numbers
21. Email the employee disguised as customer asking for quotation
22. Visit the company as inquirer and extract privileged information
23. Visit the company locality
24. Use web investigation tools to extract sensitive data targeting the company
25. Conduct background check on key company personnel
26. Search on ebay and other sites for company presence
27. Use the Domain Research Tool to investigate the company’s domain
28. Use various public databases to research company information
29. Use Google/Yahoo! Finance and other sites to search for press releases issued by the
company
30. Search company business reports and profiles at various databases
31. Search for telephone numbers using directories and other services
32. Retrieve the DNS record of the organization from publicly available servers


6.3 External Security Audit


External Intrusion Audit and Analysis

An External Intrusion Audit and Analysis identifies strengths and weaknesses of a client system and
network as they appear from outside the client’s security perimeter, usually from the Internet.

Why Is It Done?

This is done to demonstrate the existence of known vulnerabilities in the client system and network
that could be exploited by an external hacker.

Client Benefits

The client benefits by anticipating external attacks that might cause security breaches and by
proactively reducing risks to information, systems and networks. It also improves the security of the
client’s networked resources. This provides improved e-commerce and e-business operations with
increased confidence in the ability to protect data, information and resources.

External Security Auditing – How is it done?

• Gather externally accessible configuration information
• Scan client’s external network gateways to identify services and topology
• Scan client’s Internet servers for ports and services vulnerable to attack
• Attempt intrusion of vulnerable internal systems

Steps for Conducting External Security Auditing

• Inventory the company’s external infrastructure and create a topological map of the
network
• Identify the IP address of the targets
• Locate the traffic route that goes to the web servers
• Locate TCP and UDP traffic path to the destination
• Identify the physical location of the target servers
• Examine the use of IPV6 at the remote location
• Lookup domain registry for IP information, find IP block information about the target
• Locate the ISP servicing the client
• List open and closed ports
• List suspicious ports that are half open/close
• Port scan every port on the target’s network
• Use SYN scan and connect scan on the target and see the response
• Use XMAS scan, FIN scan and NULL scan on the target and see the response
• Firewalk on the router’s gateway and guess the access-list
• Examine TCP sequence number prediction
• Examine the use of standard and non-standard protocols
• Examine IPID sequence number prediction
• Examine the system uptime of target
• Examine the operating system used for different targets
• Examine the applied patch to the operating system
• Locate DNS record of the domain and attempt DNS hijacking
• Download applications from the company’s website and reverse engineer the binary code
• List programming languages used and application software to create various programs from
the target server
• Look for error and custom web pages
• Guess different sub domain names and analyse different responses
• Examine the session variables
• Examine cookies generated by the server
• Examine the access controls used in the web applications
• Brute force URL injections and session tokens
• Check for directory consistency and page naming syntax of the web pages
• Look for sensitive information in web page source code
• Attempt URL encodings on the web pages
• Try buffer overflow attempts at input fields
• Try Cross Site Scripting (XSS) techniques
• Record and replay the traffic to the target web server and note the response
• Try various SQL injection techniques
• Examine hidden fields
• Examine e-commerce and payment gateways handled by the web server
• Examine welcome messages, error messages, and debug messages
• Probe the service by SMTP mail bouncing
• Grab the banner of HTTP servers, SMTP servers, POP3 servers, FTP Servers
• Identify the web extensions used at the server
• Try to use an HTTPS tunnel to encapsulate traffic
• OS fingerprint target servers
• Check for ICMP responses (type 3, port unreachable), (type 8, echo request), (type 13,
timestamp request), (type 15, information request), (type 17, subnet address mask request)
• Check for ICMP responses from broadcast address
• Port scan DNS servers (TCP/UDP 53)
• Port scan TFTP servers (Port 69)
• Test for NTP ports (Port 123)
• Test for SNMP ports (Port 161)
• Test for Telnet ports (Port 23)
• Test for LDAP ports (Port 389)
• Test for NetBIOS ports (Ports 135-139, 445)
• Test for SQL server ports (Port 1433, 1434)
• Test for Citrix ports (Port 1495)
• Test for Oracle ports (Port 1521)
• Test for NFS ports (Port 2049)
• Test for Compaq, HP Inside Manager ports (Port 2301, 2381)
• Test for Remote Desktop ports (Port 3389)
• Test for Sybase ports (Port 5000)
• Test for SIP ports (Port 5060)
• Test for VNC ports (Port 5900/5800)
• Test for X11 ports (Port 6000)
• Test for Jet Direct ports (Port 9100)
• Port scan FTP data (Port 20)
• Port scan web servers (Port 80)
• Port scan SSL servers (Port 443)
• Port scan Kerberos-Active directory (Port TCP/UDP 88)
• Port scan SSH servers (Port 22)
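As an added example (not from the handbook), the Python below triages the port tests in the checklist above from the auditor's side: it parses constructed external scan lines, compares each open port with an assumed baseline of what every perimeter host is meant to expose, and rates deviations, scoring highest the services the checklist singles out (Telnet, SNMP, NetBIOS/SMB, SQL, RDP, VNC and so on). The scan line format, the hosts and the baseline are all constructed.

```python
"""Triage an external port-scan result against an expected-exposure baseline.

Added example for this handbook section, not part of the original text. The
scan lines are constructed in a simple "host port/proto state service" format
(not the output of any particular scanner), and the baseline of what each
perimeter host should expose is an assumption.
"""
import re

# Services the checklist lists as worth testing, keyed by port, with the
# reason an auditor would flag them if they answer from the Internet.
RISKY_PORTS = {
    21: "FTP: cleartext credentials",
    23: "Telnet: cleartext remote administration",
    69: "TFTP: unauthenticated file transfer",
    135: "RPC endpoint mapper: Windows internals exposed",
    139: "NetBIOS session: Windows file sharing exposed",
    161: "SNMP: device configuration readable with a guessable community",
    389: "LDAP: directory enumeration",
    445: "SMB: Windows file sharing exposed",
    1433: "MS SQL Server: database reachable from the Internet",
    1521: "Oracle listener: database reachable from the Internet",
    2049: "NFS: file shares exported to the Internet",
    3389: "RDP: remote desktop exposed to password guessing",
    5900: "VNC: remote desktop exposed to password guessing",
    6000: "X11: remote display exposed",
    9100: "JetDirect: raw printing port exposed",
}

# Constructed scan output: one port per line.
SAMPLE_SCAN = """\
203.0.113.10 80/tcp open http
203.0.113.10 443/tcp open https
203.0.113.10 22/tcp open ssh
203.0.113.11 25/tcp open smtp
203.0.113.11 23/tcp open telnet
203.0.113.11 161/udp open snmp
203.0.113.12 3389/tcp open ms-wbt-server
203.0.113.12 445/tcp filtered microsoft-ds
"""

# Constructed baseline: what each Internet-facing host is supposed to expose.
BASELINE = {
    "203.0.113.10": {(80, "tcp"), (443, "tcp")},  # web server in the DMZ
    "203.0.113.11": {(25, "tcp")},                 # mail relay
    "203.0.113.12": set(),                          # should not be reachable at all
}

LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)$")

def parse_scan(text):
    """Yield (host, port, proto, state, service) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            host, port, proto, state, service = m.groups()
            yield host, int(port), proto, state, service

def triage(scan_text, baseline):
    """Compare open ports with the baseline and return sorted findings.

    Each finding is (severity, host, port, proto, message). Open ports that
    are in the baseline are expected; any other open port is a deviation,
    rated "high" when it is one of the services the checklist singles out and
    "medium" otherwise. Filtered ports are not reported: the firewall is
    doing its job there.
    """
    findings = []
    for host, port, proto, state, service in parse_scan(scan_text):
        if state != "open" or (port, proto) in baseline.get(host, set()):
            continue
        if port in RISKY_PORTS:
            findings.append(("high", host, port, proto, f"{service}: {RISKY_PORTS[port]}"))
        else:
            findings.append(("medium", host, port, proto,
                             f"{service}: not in the approved baseline"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))

if __name__ == "__main__":
    for severity, host, port, proto, message in triage(SAMPLE_SCAN, BASELINE):
        print(f"[{severity}] {host} {port}/{proto} {message}")
```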

6.4 Internal Network Security Auditing


Internal testing involves testing computers and devices within the company. It is more like white-box
testing. What if an employee of the company penetrates the network with the amount of IT
knowledge he knows? What if a hacker breaks-in to the internal network that houses employees’ PC
and databases and steals sensitive information?

What if a casual guest visitor walks by the company and steals data from one of the isolated
machines? Internal network penetration test process will test and validate the level of internal
security on the client network. Based on statistics maintained by the Federal Bureau of
Investigation (FBI), fifty percent of companies reporting break-ins to their networks and/or business
applications state they were compromised by internal attacks. Internal network security is, more
often than not, underestimated by administrators. Very often, such security does not even exist,
allowing one user to easily access another user’s machine using well-known exploits, trust
relationships and default settings. Most of these attacks require little or no skill, putting the integrity
of a network at stake.

Most employees do not need and should not have access to each other’s machines, administrative
functions, network devices and so on. However, because of the amount of flexibility needed for
normal operation, internal networks cannot afford maximum security. On the other hand, with no
security at all, internal users can be a major threat to many corporate internal networks. A user
within the company already has access to many internal resources and does not need to bypass
firewalls or other security mechanisms which prevent non-trusted sources, such as Internet users, to
access the internal network. Poor network security also means that, should an external hacker break
into a computer on your network, he/she can then access the rest of the internal network more
easily. This would enable a sophisticated attacker to read and possibly leak confidential emails and
documents; trash computers, leading to loss of information; and more. Not to mention that they
could then use your network and network resources to start attacking other sites, that when
discovered will lead back to you and your company, not the hacker.

Most attacks, against known exploits, could be easily fixed and, therefore, stopped by administrators
if they knew about the vulnerability in the first place. During an Internal Network Security
Assessment, security experts scan the entire internal local-area and wide-area networks for known
vulnerabilities. These scans include all servers, workstations, and network devices.

Steps for Internal Network Security Auditing

Internal Network Review includes:

• Examining the internal configuration and setup of the organization’s computing resources.
• Users’ accounts & password policies and practices
• Access privileges and levels
• File, directory, event log and registry permissions
• Audit logs
• Software Patch management
• Physical network cabling
• Backup methodology & disaster recovery plans

Internal testing involves testing computers and devices within the company. The internal
penetration testing involves:

• Performing port scanning on individual machines and establishing null sessions.
• Attempting replay attacks, ARP poisoning, MAC flooding.
• Conducting man-in-the-middle attack and trying to login to a console machine.
• Attempting to plant keylogger, Trojan, and Rootkit on target machine.
• Attempting to send virus using target machine.
• Hiding sensitive data and hacking tools in target machine.
• Escalating user privileges.

Internal testing which is a critical part of this includes the following steps:
• Map the internal network
• Scan the network for live hosts
• Port scan individual machines
• Try to gain access using known vulnerabilities
• Attempt to establish null sessions
• Enumerate users/identify domains on the network
• Sniff the network using Wireshark
• Sniff POP3/FTP/Telnet passwords
• Sniff email messages
• Attempt replay attacks
• Attempt ARP poisoning
• Attempt MAC flooding
• Conduct a man-in-the middle attack
• Attempt DNS poisoning
• Try a login to a console machine
• Boot the PC using alternate OS and steal the SAM file
• Attempt to plant a software keylogger to steal passwords
• Attempt to plant a hardware keylogger to steal passwords
• Attempt to plant spyware on the target machine
• Attempt to plant a Trojan on the target machine
• Attempt to create a backdoor account on the target machine
• Attempt to bypass anti-virus software installed on the target machine
• Attempt to send virus using the target machine
• Attempt to plant rootkits on the target machine
• Hide sensitive data on target machines
• Hide hacking tools and other data on target machines
• Use various Steganography techniques to hide files on target machine
• Escalate user privileges
• Capture POP3/SMTP/IMAP email traffic
• Capture the communications between the FTP client and FTP server
• Capture HTTP/HTTPS/RDP/VoIP traffic
• Run Wireshark with the filter ip.src == ip_address
• Run Wireshark with the filter ip.dst == ip_address
• Run Wireshark with the filter tcp.dstport == port_no
• Run Wireshark with the filter ip.addr == ip_address
• Spoof the MAC address
• Poison the victim’s IE proxy server
• Attempt session hijacking on Telnet/FTP/HTTP traffic

Continue to compromise every machine in the network and perform the previous steps. Make sure
you can undo your actions based on the pen-test process you had conducted.


Internal Security Auditing Tools

a. Automated penetration tools


• Core Impact
• Metasploit
• Canvas
b. Scanning tools
• Internet Scanner (www.iss.net)
• NetRecon (www.symantec.com)
• CyberCop (www.nai.com)
• Nessus (www.nessus.org)
• Cisco Secure Scanner (www.cisco.com)
• Retina (www.eeye.com)


6.5 Firewall Security Auditing

A firewall is a set of related programs, located at a network gateway server that protects the
resources of a private network from users from other networks. A firewall sits at the junction point
or gateway between the two networks, usually a private network and a public network, such as the
Internet. Firewalls protect against hackers and malicious intruders. A firewall is a combination of
hardware and software that separates a LAN into two or more parts for security purposes.

Firewalls are top on the list of critical security devices that businesses use to protect their assets.
Firewalls come in all shapes and sizes, but they all operate on the same basic principle: you should limit
the exposure of computer systems to only those protocols and ports necessary to provide services,
thus reducing the size of the attack surface of the system. The auditing of a firewall primarily
revolves around inspecting the firewall rules to make sure that they are accurately enforcing security
policy, and providing as high a degree of protection as feasible.

A firewall examines all traffic routed between the two networks to see if it meets certain criteria. It
routes packets between the networks. It filters both inbound and outbound traffic. It manages
public access to private networked resources such as host applications. It logs all attempts to enter
the private network and triggers alarms when hostile or unauthorized entry is attempted. Firewalls
block unauthorized traffic, but if an organization wants to follow good practices, then it needs to
layer on other security countermeasures to defend against attacks that firewalls are not designed to
prevent.

Address filtering:

• Firewalls can filter packets based on their source and destination addresses and port numbers.

Network filtering:

• Firewalls can also filter specific types of network traffic. The decision to forward or reject traffic is
dependent upon the protocol used, for example HTTP, FTP, or Telnet.

• Firewalls can also filter traffic by packet attribute or state.

If you have an attack against an authorized port and service, and your server is compromised, it isn’t
the firewall that failed but the lack of defence in depth. Of course the concept of what a firewall is
just isn’t as clear as it used to be in the days of single purpose firewalls. We live in a unified threat
management world, and today’s firewalls perform a great many security tasks. IPS and VPN have
been integrated into the firewall line. Unified Threat Management (UTM) devices operate as a
combined threat management device, but the foundational elements of the firewall are central to
how the device operates.

A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless
it meets certain criteria. The type of criteria used to determine whether traffic should be allowed
through varies from one type of firewall to another. Firewalls may be concerned with the type of
traffic, or with source or destination addresses and ports. They may also use complex rule bases that
analyse the application data to determine if the traffic should be allowed through.


Types of firewall

Firewalls fall into four broad categories:

• Packet filters
• Circuit level gateways
• Application level gateways
• Stateful multilayer inspection firewalls

Packet filtering firewalls work at the network level of the OSI model (or the IP layer of TCP/IP).

They are usually part of a router. In a packet filtering firewall, each packet is compared to a set of
criteria before it is forwarded.

Depending on the packet and the criteria, the firewall can:

• Drop the packet.
• Forward it or send a message to the originator.

Rules can include source and destination IP address, source and destination port number and
protocol used.

The advantage of packet filtering firewalls is their low cost and low impact on network performance.

Most routers support packet filtering.
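As an added example (not the handbook's own material, and not any vendor's rule syntax), the Python below models a packet filter of the kind just described: rules on protocol, source and destination address and destination port, evaluated first match wins with a default policy of allow or deny. It then runs the audit pass the section calls for, flagging a permissive default, a catch-all "any to any" permit and rules shadowed by an earlier rule. The Rule format, the networks and the sample rule base are constructed assumptions.

```python
"""First-match packet filter with an audit pass over its rule base.

Added example for this handbook section. The Rule format, the networks and
the sample rule base are constructed assumptions, not a real product's syntax.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp", "icmp" or ANY
    src: str       # source network in CIDR form, or ANY
    dst: str       # destination network in CIDR form, or ANY
    dport: object  # destination port as int, (low, high) range, or ANY

def _bounds(spec):
    """Normalise a port spec to an inclusive (low, high) pair."""
    return (spec, spec) if isinstance(spec, int) else spec

def _net_matches(net, addr):
    return net == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def _port_matches(spec, port):
    if spec == ANY:
        return True
    low, high = _bounds(spec)
    return low <= port <= high

def rule_matches(rule, proto, src, dst, dport):
    """True when the packet's protocol, addresses and port all fall inside the rule."""
    return (rule.proto in (ANY, proto) and _net_matches(rule.src, src)
            and _net_matches(rule.dst, dst) and _port_matches(rule.dport, dport))

def evaluate(rules, default_action, proto, src, dst, dport):
    """First matching rule wins; otherwise the default policy applies.

    default_action="allow" models "allow all traffic unless it meets certain
    criteria", default_action="deny" models "deny all traffic unless it does".
    """
    for rule in rules:
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action
    return default_action

def _net_covers(wide, narrow):
    if wide == ANY:
        return True
    if narrow == ANY:
        return False
    return ipaddress.ip_network(narrow, strict=False).subnet_of(
        ipaddress.ip_network(wide, strict=False))

def _port_covers(wide, narrow):
    if wide == ANY:
        return True
    if narrow == ANY:
        return False
    (wl, wh), (nl, nh) = _bounds(wide), _bounds(narrow)
    return wl <= nl and nh <= wh

def covers(wide, narrow):
    """True when every packet matched by `narrow` is also matched by `wide`."""
    return (wide.proto in (ANY, narrow.proto) and _net_covers(wide.src, narrow.src)
            and _net_covers(wide.dst, narrow.dst) and _port_covers(wide.dport, narrow.dport))

def audit(rules, default_action):
    """Findings an auditor raises when checking the rule base against policy:
    a permissive default, catch-all permits, and rules shadowed by an earlier rule."""
    findings = []
    if default_action == "allow":
        findings.append("default policy is allow: traffic not explicitly denied passes")
    for i, rule in enumerate(rules):
        if rule.action == "allow" and (rule.src, rule.dst, rule.dport) == (ANY, ANY, ANY):
            findings.append(f"rule {i} permits any source to any destination on any port")
        for j in range(i):
            if covers(rules[j], rule):
                findings.append(f"rule {i} is shadowed by rule {j} and can never match")
                break
    return findings

# Constructed rule base for a firewall-with-DMZ design: public web traffic into
# the DMZ, Telnet to the internal network explicitly denied, and a catch-all
# permit that somebody added to "make things work".
DMZ, INTERNAL = "203.0.113.0/24", "10.0.0.0/8"
SAMPLE_RULES = [
    Rule("allow", "tcp", ANY, DMZ, 443),
    Rule("allow", "tcp", ANY, DMZ, 80),
    Rule("allow", ANY, ANY, ANY, ANY),
    Rule("deny", "tcp", ANY, INTERNAL, 23),
]

if __name__ == "__main__":
    for msg in audit(SAMPLE_RULES, "deny"):
        print("finding:", msg)
    print("telnet to internal host:",
          evaluate(SAMPLE_RULES, "deny", "tcp", "198.51.100.7", "10.1.2.3", 23))
```

Removing rule 2 from the sample base clears both findings and makes the Telnet deny take effect, which is the kind of change an audit of this rule base would recommend.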

Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They
monitor TCP handshaking between packets to determine whether a requested session is legitimate.
Information passed to remote computer through a circuit level gateway appears to have originated
from the gateway. Circuit level gateways are relatively inexpensive. They have the advantage of
hiding information about the private network they protect. Circuit level gateways do not filter
individual packets.

Application level gateways are also called proxies. They can filter packets at the application layer of
the OSI model. Incoming or outgoing packets cannot access services for which there is no proxy. In
plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP,
gopher, Telnet or other traffic through. Because they examine packets at the application layer, they can
filter application-specific commands such as HTTP POST and GET.

Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls.
They filter packets at the network layer, determine whether session packets are legitimate and
evaluate contents of packets at the application layer. They are expensive and require competent
personnel to administer the device.

Review Firewall Design


Assessing firewall design requires that the auditor understand the various ways in which a firewall
can be deployed. There are many factors that cause an organization to choose one design over
another, and technical requirements sometimes are shaped by politics and budget as well. The
firewall is a policy enforcement tool that should be placed at key network zone boundaries. It is
ultimately up to the business to determine its tolerance for risk and deploy the countermeasures
that make sense. The following examples illustrate common firewall designs that an auditor might
find.


Simple Firewall
The simple firewall design is common for small or branch networks and involves a firewall or
router (configured as a firewall) between the Internet and the internal network. NAT is typically
used, and providing Internet access is the primary function of the firewall. There might be port
forwarding configured to internal servers for e-mail delivery or limited web hosting. These
designs typically suffer from minimal layered security, but are by far the least expensive
deployment method to connect a very small remote office or mobile worker situation.

Screening Router and Firewall

A screening router provides frontline defence at the network edge. Not only does this router act
as a basic firewall, but can also perform services such as routing, Netflow collection, quality of
service, and anti-spoofing. The point of a screening router is to provide defence in depth and
another place where access rules can be applied.

Firewall with DMZ


A better design for an organization that hosts its own websites, e-mail, or other Internet facing
services is the firewall with DMZ design. This design provides segmentation of Internet-facing
services to their own dedicated subnet where policies and access control can be better
enforced. Typically, the firewall provides NAT services to the web applications, and also
conducts application layer inspection to enforce RFC compliance and application use policies.
Layering in an IPS via an SSM module inside the firewall or through a dedicated appliance can
give full IPS protection for all traffic passing through the device.

Firewall with DMZ and Services Network

As the criticality of web services increases, a single DMZ can sometimes become crowded with
applications and services. The more applications, the more complicated the access rules can
become, and before long policies become difficult to implement on a single DMZ. Creating
service networks on separate firewall interfaces addresses this, by grouping like services
together to simplify policy enforcement. Web servers can go into the DMZ, and internal servers
can go into the services network. The amount of configuration starts to increase as the number
of interfaces increases, but the capability to be able to create more effective policies is vastly
improved.

High Availability Firewall

High availability firewall designs are common in organizations that rely on the Internet both as a
source of revenue and as an important mechanism for reaching customers. For these organizations
downtime translates directly into monetary loss, so the expense of a redundant architecture is well
worth it. The basic option is active/standby: one firewall passes traffic while the second mirrors
its connection state and takes over when the first fails. The other option is active/active, where
both firewalls enforce policy and pass traffic at the same time, and on failure of one device all
traffic flows through the remaining firewall. The benefit of active/active over active/standby is
that both firewalls are utilized and together support higher data rates than a single firewall. The
downside is that each firewall must be sized to carry its own load plus the other's if one fails, or
the organization must accept reduced capacity for the duration of the outage. In either design an
auditor should confirm that failover has actually been exercised, not merely configured.

670
Student Handbook – Security Analyst SSC/N0904/N0905

Firewall testing
The steps involved in firewall penetration testing include:
• Locate the firewall (traceroute) and identify the network range it protects
• Port scan the firewall or router
• Grab service banners to identify the product and version
• Craft custom packets (for example with hping3) and observe the firewall's responses
• Enumerate the access control rules
• Identify the firewall architecture
• Test the firewall policy: does the running rule set match the documented policy?
• Test the firewall with a firewalking tool (TTL-based probing of the rules protecting hosts
behind the device)
• Test for port redirection
• Test the firewall from both sides
• Overt firewall test from outside
• Test covert channels
• Covert firewall test from outside
• Test HTTP tunnelling
• Test for firewall-specific vulnerabilities

After testing, the following are documented:

• Firewall logs
• Tool output
• The analysis
• Recommendations (if any)

Firewall auditing tools: HTTPort, HTTHost, Firewall Test Agent, hping3, Netfilter, fragroute,
IP Filter, Ftester, fwanalog, FPipe, Firewall Builder, Port Test/Firewall Tester, VisualRoute,
datapipe, Firewalk.
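The "enumerate the access control rules" and "test the firewall policy" steps above are partly a desk exercise: once the rule set is in hand (from the configuration, or reconstructed by probing), the auditor checks it for rules that can never fire and for rules that permit far more than intended. The Python below is an added example written for this edition of the handbook; it is not a tool from the original text or from any vendor. The rule format, the rule names and the DMZ policy are constructed for illustration. It models a first-match policy with an implicit deny, reports shadowed rules and any-to-any permits, and evaluates sample packets so the effect of a misordered rule is visible:

```python
"""Static check of an ordered, first-match firewall policy (constructed example)."""
import ipaddress
from dataclasses import dataclass

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: str                    # source network, CIDR notation
    dst: str                    # destination network, CIDR notation
    dports: tuple = ANY_PORTS   # inclusive destination port range


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.dports[0] <= inner.dports[0]
            and inner.dports[1] <= outer.dports[1])


def shadowed_rules(policy):
    """Rules that can never match because an earlier rule already covers them.
    A shadowed permit is a broken exception; a shadowed deny is a control the
    administrator believes exists but does not."""
    found = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


def overly_permissive(policy):
    """Permit rules that allow any source to any destination on any port."""
    return [r.name for r in policy
            if r.action == "permit" and r.dports == ANY_PORTS
            and _net(r.src).prefixlen == 0 and _net(r.dst).prefixlen == 0]


def evaluate(policy, proto, src_ip, dst_ip, dport):
    """First-match evaluation with the implicit deny most firewalls apply at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in policy:
        if (r.proto in ("any", proto) and src in _net(r.src) and dst in _net(r.dst)
                and r.dports[0] <= dport <= r.dports[1]):
            return r.action, r.name
    return "deny", "implicit-deny"


# Constructed policy for a DMZ web server (203.0.113.10) and an admin subnet (10.0.5.0/24).
POLICY = [
    Rule("web-https", "permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", (443, 443)),
    Rule("web-http", "permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", (80, 80)),
    Rule("block-ssh", "deny", "tcp", "10.0.0.0/8", "203.0.113.0/24", (22, 22)),
    Rule("admin-ssh", "permit", "tcp", "10.0.5.0/24", "203.0.113.0/24", (22, 22)),  # never fires
    Rule("temp-allow-all", "permit", "any", "0.0.0.0/0", "0.0.0.0/0"),  # a forgotten "temporary" rule
    Rule("cleanup-deny", "deny", "any", "0.0.0.0/0", "0.0.0.0/0"),      # never fires either
]


def audit(policy=POLICY):
    """Findings an auditor would put in the report, plus two sample packets."""
    return {
        "shadowed": shadowed_rules(policy),
        "overly_permissive": overly_permissive(policy),
        "admin_ssh": evaluate(policy, "tcp", "10.0.5.7", "203.0.113.20", 22),
        "random_udp": evaluate(policy, "udp", "198.51.100.9", "203.0.113.10", 53),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The admin SSH exception is dead because the broader deny precedes it, and the "temporary" any/any permit both shadows the final cleanup deny and lets unrelated UDP through. Real firewall syntaxes (interfaces, object groups, stateful return traffic) are richer than this model, so treat the output as questions to put to the administrator, not as the finished finding.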


Figure: sample compliance report from a firewall security audit (image not reproduced).

Source: https://www.manageengine.com/products/firewall/firewall-security-audit-configuration-analysis.html


6.6 IDS Security Auditing


Introduction to IDS

An IDS is software or hardware that detects and logs inappropriate, incorrect, or anomalous activity.
IDSes are typically characterized by the source of the data they monitor.

There are two types of IDS:

• Host-based: a host-based IDS uses system log files and other electronic audit data to identify
suspicious activity.
• Network-based: a network-based IDS uses a sensor to monitor packets on the network segment to
which it is attached.

A network intrusion detection system (NIDS) tries to detect malicious activity such as denial of
service attacks, port scans, or attempts to break into computers by monitoring network traffic.

A host-based IDS (HIDS) monitors individual hosts for malicious activity; Cisco Security Agent is one
example. For events on the host itself a HIDS is more accurate than a network-based IDS, because it
analyses the server's own log files and system activity rather than inferring what happened from
network traffic patterns, and it still sees the activity when the traffic is encrypted. The agent
monitors the system and reports to a centralized server. HIDS deployments are expensive and resource
intensive, since every protected host needs an agent.

An application-based IDS is a host-based IDS designed to monitor a specific application (much like
antivirus software written specifically for a mail server). Because it understands the application's
protocol and normal behaviour, it is extremely accurate for the applications it protects, but it sees
nothing outside them.

Multi-Layer Intrusion Detection Systems

A multi-layer IDS (mIDS) integrates many layers of IDS technology into a single monitoring and
analysis engine. It aggregates integrity monitoring logs, system logs, IDS alerts, and firewall logs
into a single source for monitoring and analysis, so that events which look harmless in any one log
can be correlated across all of them.

Benefits:

• Shortens detection and reaction time
• Increases situational awareness
• Supports incident handling and analysis
• Reduces analyst time consumed and increases system uptime
• Provides a clear picture of what happened during an incident
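What the "single monitoring and analysis source" buys is correlation: a firewall drop, an IDS alert, a web server's 403 and a file-integrity change each look minor on their own, but lined up by source address and time they describe one intrusion. The Python below is an added example written for this edition, not code from the handbook or from any mIDS product. The three log formats, the sample lines, the hostname-to-IP asset mapping and the five-minute attachment window are all constructed for illustration; the aggregation logic is the point:

```python
"""Aggregate firewall, IDS and host logs into per-source incidents (constructed sample data)."""
import re
from datetime import datetime, timedelta

YEAR = 2015                              # the IDS and syslog formats below carry no year
ASSETS = {"web1": "203.0.113.10"}        # hostname -> IP; assumed asset inventory
WINDOW = timedelta(minutes=5)            # max gap to attach a host-only event to an incident

# Constructed sample lines in three different formats (not from any real deployment).
FIREWALL_LOG = """\
2015-03-02 10:14:01 fw1 DROP TCP 198.51.100.23:51522 -> 203.0.113.10:22
2015-03-02 10:14:02 fw1 DROP TCP 198.51.100.23:51523 -> 203.0.113.10:23
2015-03-02 10:14:05 fw1 ACCEPT TCP 198.51.100.23:51530 -> 203.0.113.10:80
2015-03-02 10:20:40 fw1 ACCEPT TCP 192.0.2.77:40012 -> 203.0.113.10:443
"""
IDS_ALERTS = """\
03/02-10:14:02.110 [**] SCAN probe of multiple ports [**] 198.51.100.23 -> 203.0.113.10
03/02-10:14:06.420 [**] WEB-ATTACK path traversal attempt [**] 198.51.100.23 -> 203.0.113.10
"""
HOST_LOG = """\
Mar  2 10:14:07 web1 httpd: 198.51.100.23 GET /cgi-bin/../../etc/passwd 403
Mar  2 10:14:09 web1 fim: /var/www/html/index.html checksum changed
Mar  2 10:20:41 web1 httpd: 192.0.2.77 GET /index.html 200
"""

_FW = re.compile(r"^(\S+ \S+) \S+ (DROP|ACCEPT) (\S+) (\S+):\d+ -> (\S+):(\d+)$")
_IDS = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] (.*?) \[\*\*\] (\S+) -> (\S+)$")
_HOST = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+): (.*)$")
_IP = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_firewall(text):
    for m in filter(None, map(_FW.match, text.splitlines())):
        yield {"ts": datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), "source": "firewall",
               "src": m[4], "dst": m[5], "msg": f"{m[2]} {m[3]}/{m[6]}", "bad": m[2] == "DROP"}


def parse_ids(text):
    for m in filter(None, map(_IDS.match, text.splitlines())):
        yield {"ts": datetime.strptime(f"{YEAR}/{m[1]} {m[2]}", "%Y/%m/%d %H:%M:%S"),
               "source": "ids", "src": m[4], "dst": m[5], "msg": m[3], "bad": True}


def parse_host(text):
    for m in filter(None, map(_HOST.match, text.splitlines())):
        ip = _IP.search(m[4])
        yield {"ts": datetime.strptime(f"{YEAR} {m[1]}", "%Y %b %d %H:%M:%S"),
               "source": f"host:{m[3]}", "src": ip[0] if ip else None,
               "dst": ASSETS.get(m[2], m[2]), "msg": m[4],
               # a file-integrity change or an HTTP 4xx/5xx counts as an anomaly
               "bad": m[3] == "fim" or bool(re.search(r" [45]\d\d$", m[4]))}


def correlate(events):
    """Group events by originating IP. Host events with no IP (such as a file-integrity
    alert) join the incident that last touched the same asset inside WINDOW."""
    incidents = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] is not None:
            incidents.setdefault(ev["src"], []).append(ev)
            continue
        for evs in incidents.values():
            last = evs[-1]
            if last["dst"] == ev["dst"] and ev["ts"] - last["ts"] <= WINDOW:
                evs.append(ev)
                break
    return incidents


def summarize(incidents):
    """One record per source IP; an IP flagged by two or more independent layers is suspicious."""
    out = {}
    for ip, evs in incidents.items():
        signals = sorted({e["source"] for e in evs if e["bad"]})
        out[ip] = {"events": len(evs), "signals": signals,
                   "span_seconds": int((evs[-1]["ts"] - evs[0]["ts"]).total_seconds()),
                   "suspicious": len(signals) >= 2,
                   "timeline": [f"{e['ts']:%H:%M:%S} {e['source']}: {e['msg']}" for e in evs]}
    return out


def run():
    events = [*parse_firewall(FIREWALL_LOG), *parse_ids(IDS_ALERTS), *parse_host(HOST_LOG)]
    return summarize(correlate(events))


if __name__ == "__main__":
    for ip, rec in run().items():
        print(ip, "SUSPICIOUS" if rec["suspicious"] else "benign", rec["signals"])
        print("\n".join("  " + line for line in rec["timeline"]))
```

The scanner is flagged by all four layers within eight seconds, while the ordinary visitor at 192.0.2.77 produces two events and no signals. Note the dependency on consistent clocks: if the sensors are not NTP-synchronized, the time window that stitches the file-integrity alert to the attacker's session will silently fail.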


Wireless Intrusion Detection Systems

A WIDS monitors and evaluates user and system activity, identifies known attacks, detects abnormal
network activity, and detects policy violations on WLANs.

It checks for weaknesses that undermine WLAN security, such as:

• Rogue wireless APs
• Man-in-the-middle attacks (for example an impostor AP advertising the corporate SSID)

A WIDS also detects:

• DoS attacks
• MAC spoofing
• RF interference
• Unencrypted traffic

and, with several sensors measuring signal strength, can estimate an attacker's physical location.

IDS Security Auditing Steps

• Test for resource exhaustion of the IDS by sending an ARP flood
• Test the IDS with MAC spoofing / IP spoofing
• Test by sending packets to the broadcast address / inconsistent packets
• Test IP packet fragmentation / duplicate fragments
• Test overlapping fragments / ping of death
• Test odd-sized packets / TTL evasion
• Test by sending packets to port 0 / bad UDP checksums
• Test TCP retransmissions / TCP flag manipulation
• Test TCP flags
• Test the IDS with SYN floods / sequence number prediction
• Test for backscatter
• Test the IDS with ICMP packets / covert channels
• Test using TCP replay
• Test using TCPopera (interactive traffic replay)
• Test using method matching
• Test the IDS with URL encoding
• Test the IDS with double slashes
• Test the IDS with reverse traversal
• Test self-referencing directories
• Test premature request ending
• Test IDS parameter hiding
• Test HTTP mis-formatting
• Test long URLs
• Test DOS/Windows directory syntax (backslash separators)
• Test null method processing
• Test case sensitivity
• Test session splicing
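Most of the HTTP items in the list above (URL encoding, double slashes, reverse traversal, self-referencing directories, DOS/Windows syntax, case sensitivity, long URLs, parameter hiding and session splicing) share one idea: they change the bytes on the wire without changing what the web server executes, so a sensor that matches signatures against raw bytes misses the request. The Python below is an added example written for this edition, not code from the handbook or from any IDS product. The signature path /admin/config.cgi, the 1024-byte inspection depth and every request line are constructed. It runs each evasion against a naive substring match and against a match on the canonicalized path, which is the normalization a competent IDS performs before matching:

```python
"""Why an IDS must canonicalize HTTP request paths before signature matching (constructed data)."""
import re
from urllib.parse import unquote

SIGNATURE = "/admin/config.cgi"   # hypothetical path the signature looks for
INSPECT_DEPTH = 1024              # bytes per request a pattern-only sensor inspects (assumed)


def naive_match(request_line: str) -> bool:
    """Pattern-only sensor: substring search on the raw request, fixed inspection depth."""
    return SIGNATURE in request_line[:INSPECT_DEPTH]


def request_path(request_line: str) -> str:
    """Pull the request-target out of 'METHOD target [HTTP/x.y]' (tolerates a missing version)."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def canonicalize(path: str) -> str:
    """Undo the common evasions so that equivalent requests compare equal."""
    path = path.split("?", 1)[0]                  # the signature is on the path, not the query
    for _ in range(2):                            # decode twice to undo double encoding (%252F)
        path = unquote(path)
    path = path.replace("\\", "/")                # DOS/Windows directory syntax
    path = re.sub(r"/+", "/", path)               # double slashes
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):                      # self-referencing directories
            continue
        if seg == "..":                           # reverse traversal
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return ("/" + "/".join(segments)).lower()     # case-insensitive target file systems


def normalized_match(request_line: str) -> bool:
    return SIGNATURE in canonicalize(request_path(request_line))


# Constructed request lines, one per evasion technique named in the audit steps.
EVASIONS = {
    "url_encoding": "GET /admin/c%6Fnfig.cgi HTTP/1.0",
    "double_encoding": "GET /admin/c%256Fnfig.cgi HTTP/1.0",        # %25 -> %, then %6F -> o
    "double_slashes": "GET //admin//config.cgi HTTP/1.0",
    "self_reference": "GET /admin/./config.cgi HTTP/1.0",
    "reverse_traversal": "GET /images/..%2Fadmin/config.cgi HTTP/1.0",
    "dos_win_syntax": "GET /admin\\config.cgi HTTP/1.0",
    "case_sensitivity": "GET /ADMIN/Config.CGI HTTP/1.0",
    "long_url": "GET /" + "a" * 1500 + "/../admin/config.cgi HTTP/1.0",  # pushes past INSPECT_DEPTH
    # Parameter hiding: the signature string sits in the query, not the path. A raw match
    # fires (false positive); the canonical path does not.
    "parameter_hiding": "GET /index.html?file=/admin/config.cgi HTTP/1.0",
}

# Session splicing: the same request spread over several small TCP segments.
SPLICED = ["GE", "T /ad", "min/co", "nfig.cgi HT", "TP/1.0\r\n"]


def session_splicing():
    """Per-packet matching misses a signature split across segments; stream reassembly does not."""
    per_packet = any(naive_match(seg) for seg in SPLICED)
    reassembled = normalized_match("".join(SPLICED))
    return per_packet, reassembled


def evaluate():
    """{evasion name: (naive sensor fired, normalizing sensor fired)}"""
    return {name: (naive_match(req), normalized_match(req)) for name, req in EVASIONS.items()}


if __name__ == "__main__":
    for name, (raw, canon) in evaluate().items():
        print(f"{name:20} raw={raw!s:5} canonical={canon}")
    print("session_splicing      per-packet=%s reassembled=%s" % session_splicing())
```

When auditing a sensor, send each of these variants at a monitored test host and confirm an alert is raised for every one except the parameter-hiding case, which should be silent. A sensor that alerts on the raw bytes but not the encoded forms is tuned to the signature, not to the attack.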


IDS Security Auditing Tools:

• IDS Informer
• Firewall Informer
• Traffic IQ Professional
• OSSEC HIDS

Evasion tools:

• EVADE IDS
• Evasion Gateway


6.7 Social Engineering Audit


What is Social Engineering?

The term social engineering describes the various tricks used to fool people (employees, business
partners, or customers) into voluntarily giving away information that would not normally be known to
the general public.

Examples:

• Names and contact information for key personnel
• System user IDs and passwords
• Proprietary operating procedures
• Customer profiles

Steps in conducting a social engineering audit

• Attempt social engineering through the channels agreed in the engagement scope: telephone
(including vishing), e-mail and phishing, traditional mail, in person, dumpster diving, an insider
accomplice, shoulder surfing, information left on desktops, extortion and blackmail, websites,
theft, satellite imagery and building blueprints, employee details harvested from social
networking sites, telephone monitoring devices to capture conversations, video recording to
capture images, vehicle/asset tracking to monitor motor vehicles, and engaging identified
"disgruntled employees" in conversation to extract sensitive information
• Document everything, including the approach, the response, and the information sought and
retrieved

Web Application Security Auditing

Web application vulnerabilities generally stem from improper handling of client requests and/or a
lack of input validation checking on the part of the developer. A web application is an application,
generally comprising a collection of scripts that resides on a web server and interacts with databases
or other sources of dynamic content.

Steps for Web Application Testing

• Fingerprint the web application environment
• Investigate the output from HEAD and OPTIONS HTTP requests
• Investigate the format and wording of 404 and other error pages
• Test for recognized file types, extensions, and directories
• Examine the source of available pages
• Manipulate inputs in order to elicit a scripting error
• Test the inner workings of the web application
• Test database connectivity
• Test the application code
• Test the use of GET and POST in the web application
• Test for parameter-tampering attacks
• Test for URL manipulation
• Test for cross-site scripting
• Test for hidden fields
• Test cookie attacks
• Test for buffer overflows
• Test for bad data
• Test client-side scripting
• Test for known vulnerabilities
• Test for race conditions
• Test with user protection via browser settings
• Test for command execution vulnerabilities
• Test for SQL injection attacks
• Test for blind SQL injection
• Test for session fixation attacks
• Test for session hijacking
• Test for XPath injection attacks
• Test for server-side include injection attacks
• Test for logic flaws
• Test for binary attacks
• Test for XML structural attacks
• Test for XML content-level attacks
• Test for WS HTTP GET parameter and REST attacks
• Test for malicious SOAP attachments
• Test for WS replay
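For the SQL injection and blind SQL injection steps above, the Python below is an added example written for this edition; it is not code from the handbook or from any of the tools listed below. It uses an in-memory SQLite database with a constructed users table (the usernames and secrets are invented), places the vulnerable string-built query beside the parameterised fix, and runs a boolean-based blind extraction against each, so the tester sees both how the flaw is confirmed when the application reveals only success or failure and why the fix closes it:

```python
"""String-built SQL versus a parameterised query, plus boolean-based blind extraction
against the vulnerable version. In-memory SQLite with constructed data only."""
import sqlite3
import string


def setup_db() -> sqlite3.Connection:
    """Constructed users table; the secrets are invented test data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (username, secret) VALUES (?, ?)",
                     [("alice", "Tr0ub4dor"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The defect: untrusted input is concatenated into the statement, so the input can
    change the statement's structure. This is the 'before' the tests above look for."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND secret = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """The fix: placeholders bind the input as data; quotes and comments in it are inert."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND secret = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def blind_extract(oracle, target_user: str, max_len: int = 32):
    """Boolean-based blind SQL injection. The application only says whether the login
    succeeded, so each query asks one yes/no question about one character of the secret.
    unicode() and substr() are SQLite built-ins; comparing code points keeps quote
    characters out of the payload, and the trailing '--' comments out the rest of the
    original statement. Returns (recovered secret, number of requests used)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    recovered, queries = "", 0
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            payload = f"{target_user}' AND unicode(substr(secret,{pos},1))={ord(ch)} -- "
            queries += 1
            if oracle(payload):
                hit = ch
                break
        if hit is None:            # nothing matched: we are past the end of the secret
            break
        recovered += hit
    return recovered, queries


def demo():
    conn = setup_db()
    vuln_oracle = lambda u: login_vulnerable(conn, u, "anything") is not None
    safe_oracle = lambda u: login_safe(conn, u, "anything") is not None
    return {
        "bypass_vulnerable": login_vulnerable(conn, "' OR '1'='1", "' OR '1'='1"),
        "bypass_safe": login_safe(conn, "' OR '1'='1", "' OR '1'='1"),
        "comment_bypass": login_vulnerable(conn, "alice' -- ", "wrong"),
        "blind_vulnerable": blind_extract(vuln_oracle, "alice"),
        "blind_safe": blind_extract(safe_oracle, "alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable function the tautology logs in as the first user, the comment payload logs in as alice without a password, and the blind loop recovers her secret in a few hundred requests; against the parameterised function every one of those inputs is simply a username that does not exist. In a real engagement the oracle is an HTTP request and the yes/no signal is a difference in response body, status or timing, and the request count is what the client's web logs will show.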

Web Application Testing Tools

Burp Suite, fuzzing tools, dotDefender, IBM Security AppScan, HP WebInspect, SQL Block Monitor,
Microsoft Source Code Analyzer, Acunetix Web Vulnerability Scanner, WebCruiser, GreenSQL,
Microsoft UrlScan, Absinthe, CORE IMPACT Pro, Safe3SI, BSQLHacker, SQL Power Injector, Havij,
BobCat, Sqlninja, sqlmap, Pangolin (automatic SQL injection penetration testing tool),
NGSSQuirreL, @stake WebProxy, SPIKE Proxy, WebserverFP, KSES, Mieliekoek.pl, Sleuth, WebGoat

Case Study

Here are a few case studies reviewing how information was socially engineered, the type of social
engineering used, and the results or the mitigating steps each company took to combat it.

Human Information Fraud – Company A

Company A is a widget manufacturing company with several plants across the country. The IT
staff is located at the corporate headquarters and performs most of their technical support
remotely. A man who calls himself Joe Admin contacts a remote user on the telephone. He
introduces himself as a new system security administrator supporting Company A’s UNIX
systems and network. He mentions that he works for the IT manager, and that he is part of a
new security initiative to harden the systems and network. Joe informs the user that her
password has been cracked as part of a routine security audit.


Joe explains the types of characters and length the user’s password must be to meet the new minimum
security criteria. He recommends that the user review the new security policy’s password guidelines
section, detailing the systems to which she has access. Joe then asks the user for her password to
critique it and point out why it wasn’t good enough. The duped user willingly communicates her
password to Joe, believing that he is a member of the security team. Upon closing the conversation, Joe
lets the user know that she is not alone—that there are numerous users who don’t meet the minimum
criteria. He encourages her to pick something a little stronger next time she’s prompted to change her
password. This user’s account was compromised and, although no sensitive information was contained
on the systems she had access to, her account was used to download hacker tools and the systems
were used as a jump point for additional hacking. In this instance, a savvy system administrator noticed
an unusual traffic pattern coming from the compromised system and decided to investigate. During the
investigation, multiple hidden hacking tools were found. At first it was believed that the user was
responsible for this activity and a case was being built to take disciplinary action against her.

However, further investigation revealed that the activity occurred during times when the user wasn’t
working on the system, and it was identified that her account was logging in from a modem connection.
The Telecom group identified the phone number where the call was originated. Through a long and
arduous process, it was determined that the phone line was an outbound modem connection on a
system which had also been compromised from several IP addresses located in Europe. During the
investigation review it was determined that the user didn’t follow the security policy guidelines and
protect her own password. No information had been lost, so the user’s disciplinary action amounted to
the proverbial slap on the wrist. However, the end result was the implementation of a security
awareness program launched to keep users informed of the current security policies and to audit users’
awareness of the security policies. The audits were successful because they were required in order to
receive quarterly bonuses. Employees were required to log onto their Intranet accounts, review the
security policies, and take a 5-question multiple-choice quiz in order to receive their checks. The
questions were relatively easy and a little common sense would allow them to pass, however the
information was critical as a means to measure the effectiveness of the security awareness program,
and determine what areas would need the most focus over the next year. In addition, every employee
was required to attend an annual security policy review meeting. Changes to security policies were
posted on the company’s internal web site, and notices were sent to everyone through e-mail, and
memos attached to their paychecks.

Company A’s Security Awareness Program Outline

• Review security policies with all employees on an annual basis.
• Post updated security policies through e-mail and on the company’s internal web site.
• Implement a new, more secure password retention policy, enforcing minimum requirements on
length, strength, and password recycling.
• Perform periodic social engineering audits, using both internal and external resources to
validate adherence to policy.
• Implement security awareness assessment testing to measure the overall company’s security
awareness, and target weak areas for improvement.
• Make testing a requirement to obtain annual bonuses.


Company A’s Password Policy

1.0 Purpose

This document describes the password requirements and how passwords should be handled.

2.0 Scope

All Company A personnel with access to any of Company A’s computer systems.

3.0 Policy

Password requirements and handling:

1. Passwords must be at least 10 characters long.

2. Passwords must contain alphabetic and numeric characters and at least one special character such
as @ # $ % ^ & * ( ) !.

3. Passwords must not be written down and/or stored in an unsecured area.

4. Passwords are considered the property of each individual; disclosure or sharing of passwords for
any reason is not acceptable.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.

5.0 Definitions

Term: Computers
Definition: Systems located in Company A’s computer rooms used to support file and print sharing,
e-mail, applications, etc. These systems include remote access servers.

6.0 Revision History

Date: 02/02/2003    Revision: Draft    Author: Joe Admin

Human Information Mishandled – Company B

Company B is a growing financial institution with 25 offices located in one region of the country.
They are looking to expand their operations by acquiring several financial companies in other parts
of the country. The IT department has been asked to review the communications, infrastructure, and
security of several potential prospects. Company B’s IT Security Manager, Pete Security, was given
several packets of potential companies’ security profiles. He was asked to estimate how much capital
it would take to bring each prospective company’s security posture up to Company B’s minimum
requirements, and to complete the estimate in two days. Pete enlisted the help of two of his
security professionals, Jim and Bill.


They both thought the schedule was aggressive but agreed it could be done. Jim and Bill gather all
the material and lock themselves in a conference room to review all the prospective companies’
security postures. They are making a lot of progress, but there is still a lot of work needed to finish
their assessment. Both colleagues are getting hungry, which is causing them to lose their focus. Bill
suggests they go to the new trendy restaurant around the corner from the office—it’s close and
there are some quiet areas perfect for working while they eat. Jim reluctantly agrees. They finish
their dinner and their assessment and leave the restaurant. Bill takes the document, saying that he
will review their work on his train ride out of the city. The two part company feeling they have just
pulled a rabbit out of a hat. Bill would not have normally taken work like this out of the office;
however with such an aggressive deadline, and the fact that he is planning to take tomorrow
afternoon off to play golf, he goes against his better judgment. The train is full because a local
sporting event has just ended. Bill begins to review the spreadsheet they produced, entitled
“Company B’s Prospective Acquisitions—A Security Assessment.” Listed in the document are each
potential company’s name, security equipment, and an estimate of what it would cost to bring them
to Company B’s minimum security requirements. Bill is so focused on reviewing the document he
doesn’t notice the person sitting next to him reading it as well. It turns out that his fellow passenger
is a manager at a competing financial institute, who brings the news of Company B’s potential
acquisitions to his management. Company B’s competitor undermines their acquisition of these
companies and forces Company B to pay more than they should have. Company B personnel should
have followed their security policy regarding the handling of sensitive information. Company B
implemented a security awareness program stressing the handling of sensitive information. Every
employee was required to attend a yearly training session, including a test to assess their level of
security awareness. 70% was the passing grade and employees were required to pass the test; personnel
with failing grades were required to sit through the security awareness program again. The tests
consisted of multiple-choice questions and matching policy-violation situations to the policies they
violated.


Summary
• Pre-audit tasks: during this phase the auditors determine the main area(s) of focus for the
audit and any areas that are explicitly out of scope, normally based on an initial risk-based
assessment plus discussion with those who commissioned the audit.
• An external intrusion audit and analysis identifies the strengths and weaknesses of a client’s
systems and network as they appear from outside the client’s security perimeter, usually from
the Internet.
• Internal testing involves testing computers and devices within the company and is closer to
white-box testing. What could an employee of the company do to the network with the IT
knowledge he has? What if an attacker breaks into the internal network that houses employees’
PCs and databases and steals sensitive information? Internal penetration testing involves:
o Port scanning individual machines and establishing null sessions.
o Attempting replay attacks, ARP poisoning, and MAC flooding.
o Conducting man-in-the-middle attacks and trying to log in to a console machine.
o Attempting to plant a keylogger, Trojan, or rootkit on a target machine.
o Attempting to send a virus from the target machine.
o Hiding sensitive data and hacking tools on the target machine.
o Escalating user privileges.
• Firewall auditing includes testing the firewall after establishing the types of firewall
deployed and their configuration in the company.
• Firewalls fall into four broad categories:
o Packet filters
o Circuit-level gateways
o Application-level gateways
o Stateful multilayer inspection firewalls
• There are two types of IDS:
o Host-based: a host-based IDS uses system log files and other electronic audit data to
identify suspicious activity.
o Network-based: a network-based IDS uses a sensor to monitor packets on the network to
which it is attached.
• A multi-layer IDS (mIDS) integrates many layers of IDS technology into a single monitoring and
analysis engine. It aggregates integrity monitoring logs, system logs, IDS logs, and firewall
logs into a single source for monitoring and analysis.
• A WIDS monitors and evaluates user and system activity, identifies known attacks, detects
abnormal network activity, and detects policy violations on WLANs.
• Other audits in penetration testing include social engineering and web application testing.


Practical Activities:

Activity 1:

Gather as much information and the various sources of information, you can gather of
the training institute without crossing boundaries of law. Share the same in class and
debate on the security considerations for each type of information being out there and
the authorised or unauthorised sources of information.

Activity 2:

Make a list of precautions, security measures and legal options your institute has to
enhance the security of their organisation’s information assets?

Activity 3:

Study and deliberate on the varying needs, concerns, limitations and challenges of an
internal and external information security audits.

Check your understanding:

Q. List down steps involved in Firewall auditing

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

Q. List down the four types of firewall.

a) ___________________________________________________
b) ___________________________________________________
c) ___________________________________________________
d) ___________________________________________________


Q. What are the two types of IDS?

a) ___________________________________________________
b) ___________________________________________________

Q. Write a short note on the benefits of Multi-Layered IDS.

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

Q. List down at least four types of firewall designs an auditor is likely to find in organizations?

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


NOTES:

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


UNIT VII
Audit Reports and Actions

This Unit covers:

 Lesson Plan
7.1. Audit Reports and Actions


LESSON PLAN

Outcomes

To be competent, you must be able to:
PC7. record and document audit tasks and audit results using standard tools and templates (0904)
PC8. review results of audit tasks with appropriate people and incorporate their inputs (0904)
PC5. organize data/information required for information security audits using standard templates
and tools (0905)

Performance Ensuring Measures:
1. Evaluate various audit report formats available from various sources. Discuss the purpose of
each of the elements of the report.
2. Prepare a report for an audit of the training institute.

You must know and understand:
KA6. how to record and report audit tasks (0904)
KA7. the importance of recording the results of audit tasks (0904)
KA10. how to improve the process and outcomes of future audits (0904)
KB5. common audit techniques and how to record and report audit tasks (0904)
KA13. how to carry out, record and report audit tasks (0905)

Performance Ensuring Measures:
1. Research various audit report formats and procedures to create an audit report.
2. Research key issues and concerns around audit reports and key considerations, and present the
same in class.

Work Environment / Lab Requirement (for both outcomes)

• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with Wi-Fi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Centre for Internet Security


Lesson

The goal of the audit report is to show the organization that the team genuinely wants to improve the
company’s security posture; keep this in mind while writing it.

The report should contain the final results and recommendations for rectifying every problem found
during the penetration testing process.

The report includes:

• Summary of the test execution
• Scope of the project
• Result analysis
• Recommendations
• Appendices

After documentation, submit the report to the client, obtain their signature acknowledging receipt,
and retain a copy.

The summary should provide a short, high-level overview of the test: the client’s name, the testing
firm, the date of the test, and so on; information about the targeted systems and applications;
end-user test results; all exploits performed; and details of the vulnerabilities discovered.

The scope section should state the IP address ranges that were tested, as agreed in the contract,
and record:
• whether social engineering was employed
• whether public or private networks, or both, were tested
• whether Trojans and backdoor software were permitted

The results analysis should include, for each host:

• Domain name and IP address of the host
• Open TCP and UDP ports
• Description of each service
• Details of the tests performed
• Vulnerability analysis

Simply running a handful of tools and handing over their output is not a report, and a client who
receives one will not engage you again. Concrete recommendations for improving their security are
what make the report acceptable to the customer.

Appendices should include:

• Contact information
• Screenshots
• Log output


Network penetration testing should include the following reports:


• Executive report - Generate reports for various hosts, users, and vulnerabilities that were
identified, targeted, and exploited during the test process.
• Active report - Generates a detailed report for various executed exploits.
• Host report - Generate a detailed report on various hosts that were tested.
• Vulnerability report - Generate report on various vulnerabilities that were exploited
effectively during the penetration testing process.
• Payment Card Industry (PCI) report - Display the results of vulnerabilities that are
performed by the Payment Card Industry (PCI) data security standard. (Where applicable)
Client-side penetration testing should include the following reports:
• Client-side penetration report - Provide report for client side test that includes the email
template sent, exploit launched, test result, and details about the compromised systems.
• User report - Provide information about which links were clicked, when the links were
clicked, and who have clicked the link. Display summarized report on all the users who
were identified and targeted during the testing process.
Web application penetration testing should include the following reports:
• Web application vulnerability report:
• Provides detailed report on every vulnerability that were found during the testing process.
• Web application execution report:
• Provides summarized report of every vulnerable web page found during the penetration
testing process.
Writing the final report does not have to be the responsibility of one person. In many cases, multiple
team members will contribute to the actual writing of the final report. Assigning the writing
responsibility is usually according to the abilities of individual team members and the scope they
covered.
Divide the reports into sessions as follows:
• Network test reports
• Client side test reports
• Web application test reports
Common structure for penetration report includes: Executive summary
• Management summary
• Technical summary
Findings are security issues that the team uncovered during the penetration testing. Findings are
categorized as:
• High
• Medium
• Low

High criticality findings: Loss could result in the unauthorized release of information that
could have a significant impact on the organization’s mission or financial assets or result in
loss of life.
Medium criticality findings: Loss could result in the unauthorized release of information that
could have an impact on the organization’s mission or financial assets or result in harm to an
individual.
Low criticality findings: Loss could result in the unauthorized release of information that
could have some degree of impact on the organization’s mission or financial assets or result in
harm to an individual.

Recommendations:

688
Student Handbook – Security Analyst SSC/N0904/N0905

Focus on high priority security concerns first. Develop strategies to achieve short term and long term
security postures. Decide on required and available resources to maintain a consistent level of
information security.
Organizations should develop an action plan to:
• Address the security concerns on time and systematically.
• Reduce the misuse or threat of attacks on the organization.
• Create a configuration management process.
• Create or use configuration checklists available from the product vendors and security
organizations such as NIST and NSA.
• Improve the level of control over purchased software by checking for updates and
patches from the vendors.
• Create a policy for applying patches in a timely manner.
• Create guidelines for best practices to be followed, based on the recommendations of the pen
test report.
• Audit the organization regularly; this reduces exposure to vulnerabilities.

Contribute to the creation and strengthening of security policies:

• Systems Security Policy
• Information Classification Policy
• Password Policy
• Strong Authentication Policy
• Virus Detection and Management Policy
• Encryption Policy
• Security Change Management Policy
• Remote Network Access Policy
• Firewall Security Policy.

Conduct training on analysing the security posture of a network, technical security training
programs for people managing information technology, and training for application developers on
writing secure code.
Security education and awareness programs need to be implemented, such as:
• General security awareness for new employees in the organization
• Awareness program through e-learning.
• Provide training on social engineering to each and every employee.

Final report format


The final report will contain:
• The cover letter
• A title page: this indicates the report name, the agency or department it is for, and the date
when the report was published.
• A table of contents: this seems obvious, but these documents can get lengthy; include it as a
courtesy.
• An executive summary: This will be a high level summary of the results, what was found and
what the bottom line is. The sections of the executive summary will include:
o Organization synopsis
o Purpose for the evaluation
o System description
o Summary of evaluation
o Major findings and Recommendations
o Conclusion

• An introduction: A simple statement of your qualifications, the purpose of the audit and
what was in scope.
• Findings: This section will contain your findings and will list the vulnerabilities or issues that
should be remediated. The listing should be ordered by criticality level, which should ideally be
defined by internal policy (for example, if your vulnerability scanner reports a high-criticality
vulnerability, it may not be a true high in your environment, depending on how the affected
component is deployed there, so internal policy should help define the criticality levels).
• Methodologies: Here you will discuss tools used, how false positives were ruled out, what
processes completed this audit. This is to provide consistency and allow your audits to be
repeatable in the event a finding is disputed or deemed not worthy of fixing by
management.
• Conclusion: Basic conclusion, summarize the information you have already put together.
• Appendices: This will be any extra attachments needed for reference.
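The ordering of the Findings section by an internal policy rather than by raw scanner severity, and the division of the report into network, client-side and web application sessions, as an added example in Python (this is not code from the handbook; the policy rules, host names and sample findings are constructed for the illustration):

```python
# Added illustration (not handbook code): re-rate scanner findings against an
# internal policy and order them for the Findings section of the report.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Criticality levels as the handbook names them; a higher number sorts first.
LEVELS: Dict[str, int] = {"High": 3, "Medium": 2, "Low": 1}
NAMES: Dict[int, str] = {v: k for k, v in LEVELS.items()}

# The three sessions the handbook divides the report into.
SESSIONS = (
    ("network", "Network test report"),
    ("client", "Client side test report"),
    ("web", "Web application test report"),
)


@dataclass
class Finding:
    """One analysed result, carrying the fields the handbook lists."""
    host: str                      # domain name of the tested host
    ip: str                        # IP address of the host
    port: int                      # TCP or UDP port
    proto: str                     # "tcp" or "udp"
    service: str                   # description of the service
    test: str                      # details of the test performed
    vulnerability: str             # vulnerability analysis (title)
    scanner_level: str             # level the scanner tool assigned
    session: str                   # "network", "client" or "web"
    internet_facing: bool = False  # environmental context
    card_data: bool = False        # asset is in PCI DSS scope
    compensating_control: Optional[str] = None
    final_level: str = ""          # set by apply_internal_policy
    rationale: List[str] = field(default_factory=list)


def apply_internal_policy(f: Finding) -> Finding:
    """Hypothetical internal policy (constructed for this example): a documented
    compensating control lowers the scanner level one step, an internet-facing
    or PCI-scoped asset raises it one step, clipped to the Low..High range."""
    score = LEVELS[f.scanner_level]
    f.rationale = [f"scanner reported {f.scanner_level}"]
    if f.compensating_control:
        score -= 1
        f.rationale.append(f"compensating control: {f.compensating_control}")
    if f.internet_facing or f.card_data:
        score += 1
        f.rationale.append("internet-facing or PCI-scoped asset")
    f.final_level = NAMES[max(1, min(3, score))]
    return f


def order_findings(findings: List[Finding]) -> List[Finding]:
    """Highest final criticality first, then by host and port."""
    rated = [apply_internal_policy(f) for f in findings]
    return sorted(rated, key=lambda f: (-LEVELS[f.final_level], f.host, f.port))


def split_by_session(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group the ordered findings into the three report sessions."""
    grouped: Dict[str, List[Finding]] = {key: [] for key, _ in SESSIONS}
    for f in order_findings(findings):
        grouped[f.session].append(f)
    return grouped


def render_findings(findings: List[Finding]) -> str:
    """Plain-text Findings section, one block per session."""
    grouped = split_by_session(findings)
    lines: List[str] = []
    for key, title in SESSIONS:
        lines.append(title)
        for f in grouped[key]:
            lines.append(f"  [{f.final_level}] {f.vulnerability}")
            lines.append(f"    Host: {f.host} ({f.ip}) {f.port}/{f.proto} {f.service}")
            lines.append(f"    Test: {f.test}")
            lines.append(f"    Rationale: {'; '.join(f.rationale)}")
    return "\n".join(lines)


# Constructed sample findings; hosts and addresses are fictitious.
SAMPLE_FINDINGS = [
    Finding("app.example.test", "10.0.0.5", 443, "tcp", "HTTPS web application",
            "Test of the login form", "SQL injection in login form", "High",
            "web", internet_facing=True),
    Finding("fs01.example.test", "10.0.0.20", 445, "tcp", "SMB file service",
            "Service configuration review", "SMB signing not required",
            "Medium", "network", compensating_control="isolated VLAN with ACLs"),
    Finding("ns1.example.test", "10.0.0.2", 53, "udp", "DNS", "Version query",
            "DNS version disclosure", "Low", "network"),
    Finding("mail.example.test", "10.0.0.30", 25, "tcp", "SMTP",
            "Authorised phishing simulation", "Staff clicked test e-mail links",
            "Medium", "client"),
    Finding("pos.example.test", "10.0.0.40", 8443, "tcp", "Payment web portal",
            "TLS configuration review", "Outdated TLS configuration", "Low",
            "web", card_data=True),
]

if __name__ == "__main__":
    print(render_findings(SAMPLE_FINDINGS))
```

Running the script prints the Findings section with the SMB finding lowered to Low by its compensating control and the payment portal finding raised to Medium because it is in PCI scope, which is the kind of policy-driven re-rating the text asks for.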

The final report should be delivered in person and should not be sent by email or on CD-ROM. A
printed report is the best format. The pen-test information is very sensitive. One should store it only
for a certain period of time (30–45 days is typical) and should be able to answer questions during
this period. After the 30–45 days, one should destroy the information from storage. This clause is
usually mentioned in the contract with the customer before the engagement begins.
The pen-test report covers discovered vulnerabilities, available options, recommendations, and
suggestions. Recommendations form the most important part of the report, as they are what the
user implements to improve network security. A pen tester should hand over the sensitive
information within 45 days or destroy it from storage. Create a final report documenting the test
findings and deliver it to the concerned officer.


Summary
 The auditor report’s goal is to show the organization that the team honestly wants to improve
the company’s security posture; this is to be borne in mind when writing the report.
 The document report includes:
o Summary of the test execution
o Scope of the project
o Result analysis
o Recommendations
o Appendixes
 The results analyzed should include:
o Domain name and IP address of the host.
o TCP and UDP ports.
o Description of the service.
o Details of the test performed.
o Vulnerability analysis.
 Appendices should include:
o Contact information
o Screen shots
o Log output
 Divide the reports into sessions as follows:
o Network test reports
o Client side test reports
o Web application test reports
 Findings are categorized as:
o High
o Medium
o Low
 Organizations should develop an action plan as a result of the audit
 The report should help in creating and strengthening information security policies

Practical Activities:

Activity 1:

Collate various audit report templates and sources which provide guidance on audit
reports. These should be compared and the considerations and requirements for their
preparation should be discussed in class.


Check your understanding:

Q. Complete the following by providing relevant answers and information

High criticality findings are

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

Medium criticality findings are

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

Low criticality findings are

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

Q. List the elements of a test report

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

Q. List the elements of an overall audit report

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________


NOTES:


UNIT VIII
Audit Support Activities

This Unit covers:

 Lesson Plan
7.1. Audit Support Activities


LESSON PLAN

Outcomes
To be competent you must be able to:
PC1. establish the nature and scope of information security audits and your role and
responsibilities within them (0904)
PC3. identify any issues with procedures/guidelines/checklists for carrying out audit tasks and
clarify these with appropriate people (0904)
PC6. refer to appropriate people where audit tasks are beyond your levels of knowledge, skills
and competence (0904)
PC9. comply with your organization’s policies, standards, procedures, guidelines and checklists
when contributing to information security audits (0904)
PC3. identify the requirements of information security audits and prepare for audits in advance
(0905)
PC4. liaise with appropriate people to gather data/information required for information
security audits (0905)
PC5. organize data/information required for information security audits using standard
templates and tools (0905)
PC6. provide immediate support to auditors to carry out audit tasks (0905)
PC7. participate in audit reviews, as required (0905)

Performance Ensuring Measures
1. Research and list down the various aspects of support required by auditors at different
stages of the audit.
2. Discuss with the class the challenges and need for support anticipated in carrying out audit
activities.
3. Discuss implications of these challenges and actions taken to address them for the overall
audit.

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with Wi-Fi (Min 2 Mbps Dedicated)

Outcomes
You must know and understand:
KA1. your organization’s policies, standards, procedures, guidelines, systems and checklists for
information security testing and auditing and your role in applying these
KA2. scope of work to be carried out and the importance of keeping within these boundaries
KA3. limits of your knowledge, skills and competence and who to seek guidance from
KA13. methods and techniques used when working with others
KA6. what information is required for information security audits and the importance of
preparing this in advance of the audit
KA7. how to improve the process and outcomes for future audits
KA8. types of support required by teams for information security audits and how to provide
this
KA14. the range of data and information required for information security audits and where to
obtain this
KA15. methods and techniques used when working with others
KA17. the importance of providing immediate support to auditors as required

Performance Ensuring Measures
1. Research and list down the various policies/documents that provide information around
roles and responsibilities of organizational staff and support provided to auditors.

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with Wi-Fi (Min 2 Mbps Dedicated)


Lesson
Assisting the auditors

Security Analyst: A security analyst may be assigned responsibilities to carry out activities supporting
the audit team or to independently carry out a set of security auditing activities. It is important for
the security analyst to clarify and understand their scope of responsibilities and work within these
limits. If they are not clear about any aspect of their limits of authority or scope of responsibilities,
they should speak to their supervisor and clarify the same. It always helps to get written
clarifications, to eliminate scope for confusion later on.
Auditors need organizational support, such as having access to certain data or staff. The security
analyst often assists and supports the information audit. This support often includes actions such as
obtaining access to copies of policies or system configuration data. These expectations should be
clarified or directed by seniors to the security analyst and the auditors. The security analyst should
also get clear information about the units whose systems will be audited, and should communicate
the same to co-workers and other users in the organization to ensure the least disruptive and
smoothest audit. For this purpose, the business and IT unit managers of the audited systems should
be involved early in the process. This will ensure there are no disputes or delays regarding the
auditors' access to areas and information.

The various responsibilities of the Security Analyst in supporting the auditors can include the
following:

Assisting with Security Policy

As stated, a security audit is essentially an assessment of how effectively the organization's security
policy is being implemented. Of course, this assumes that the organization has a security policy in
place which, unfortunately, is not always the case. A Security Analyst will support the auditors in
getting the necessary information by getting them access to policies and procedures documents or
explaining the processes where such documents are not available.

Facilitating access

Natural tensions frequently exist between workplace culture and security policy. Even with the best
of intentions, employees often choose convenience over security. Sometimes teams and individuals
need to be spoken to, and auditors need help in gaining access to the facilities required for
auditing. The same applies to arranging time with individuals for audit interviews.

Pre-Audit Homework

Before the computer security auditors even begin an organizational audit, there is a fair amount of
homework that should be done. Auditors need to know what they are auditing. In addition to
reviewing the results of any previous audits that may have been conducted, there are several tools
they may use or refer to beforehand. The first is a site survey. This is a technical description of the
system's hosts; it also includes management and user demographics. This information may be out of
date, but it can still provide a general framework. Security questionnaires may be used to follow up
the site survey. These questionnaires are, by nature, subjective measurements, but they are useful
because they provide a framework of agreed-upon security practices. The respondents are usually
asked to rate the controls used to govern access to IT assets. These controls include: management
controls, authentication/access controls, physical security, outsider access to systems, system
administration controls and procedures, connections to external networks, remote access, incident
response, and contingency planning.

A security analyst may be called upon to assist in conducting site surveys and administering security
questionnaires. Follow-up communication may be required to obtain responses on specific
requirements.

Auditors review previous security incidents at the client organization to gain an idea of historical
weak points in the organization's security profile. Organizational staff may need to support the
auditors in examining current conditions to ensure that repeat incidents cannot occur. If auditors are
asked to examine a system that allows Internet connections, they may also want to know about
IDS/firewall log trends: do these logs show any trends in attempts to exploit weaknesses? A security
analyst may be called upon to provide such support to auditors.

The auditors develop an audit plan. This plan will cover how the audit will be executed, with which
personnel, and using what tools. They will then discuss the plan with the requesting agency. Next
they discuss the objective of the audit with site personnel along with some of the logistical details,
such as the time of the audit, which site staff may be involved and how the audit will affect daily
operations. The security analyst may be called upon to coordinate and smooth the audit
execution.

At the Audit Site

When the auditors arrive at the site, their aim is not to adversely affect business transactions
during the audit. They should conduct an entry briefing where they again outline the scope of the
audit and what they are going to accomplish. Any questions that site management may have should
be addressed, and last-minute requests considered within the framework of the original audit
proposal. This communication may be further passed on with the help of the security analyst.

During the audit, they will collect data about the physical security of computer assets and perform
interviews of site staff. They may perform network vulnerability assessments, operating system and
application security assessments, access controls assessment, and other evaluations. Throughout
this process, the auditors should follow their checklists, but also keep their eyes open for unexpected
problems. Here they get their noses off the checklist and start to sniff the air. They should look
beyond any preconceived notions or expectations of what they should find and see what is actually
there. In this case the security analyst may be of immense help, providing the auditors with
background information and facilitating ad-hoc activities that may not be registered in the original
plan.

Conduct Outgoing Briefing

After the audit is complete, the auditors will conduct an outgoing briefing, ensuring that
management is aware of any problems that need immediate correction. Questions from
management are answered in a general manner so as not to create a false impression of the audit's
outcome. It should be stressed that the auditors may not be in a position to provide definitive
answers at this point in time. Any final answers will be provided following the final analysis of the
audit results. The security analyst may be the conduit for channelling the information and supporting
interim measures for strengthening security.

Back in the Office

Once back in the home office, the auditors will begin to comb their checklists and analyse data
discovered through vulnerability assessment tools. There should be an initial meeting to help focus
the outcome of the audit results. During this meeting, the auditors can identify problem areas and
possible solutions. They may require some pending information or call for information to fill in some
gaps. This may be provided by the Security Analyst.

Post-recommendation stage

Finally, the audit staff should prepare the report as speedily as accuracy allows so that the site staff
can correct the problems discovered during the audit. Depending on company policy, auditors
should be ready to guide the audited site staff (Security Analysts) in correcting deficiencies and help
them measure the success of these efforts. Management should continually supervise deficiencies
that are turned up by the audit until they are completely corrected.

The Ongoing Audit

It must be kept in mind that as organizations evolve, their security structures will change as well.
With this in mind, the computer security audit is not a one-time task, but a continual effort to
improve data protection.

Security analysts learn with each audit and testing activity and can carry on evaluating the
strength of the organization's security policy and its implementation. The analyst makes ongoing
efforts to help refine the policy and correct deficiencies that are discovered through the audit
process. Whereas tools are an important part of the audit process, the audit is less about the use of
the latest and greatest vulnerability assessment tool, and more about the use of organized,
consistent, accurate data collection and analysis to produce findings that can be measurably
corrected. This is where the security analyst continues to contribute.


Summary
 A security analyst may be assigned responsibilities to carry out activities supporting the audit
team or independently carrying out a set of security auditing activities.
 It is important for the security analyst to clarify and understand their scope of responsibilities
and work within these limits.
 In case they are not clear about any aspect of their limits of authority, or scope of
responsibilities they should speak to their supervisor and clarify the same.
 Auditors need organizational support, such as having access to certain data or staff. The
Security analyst often assists and supports the information audit.
 This support often includes actions such as obtaining access to copies of policies or system
configuration data. These expectations should be clarified or directed by seniors to the
security analyst and the auditors.
 The security analyst's support to the auditors can include the following:
o The security analyst will support the auditors in getting the necessary information by
getting them access to policies and procedures.
o Helping auditors in gaining access to the facilities required for auditing. The same applies
to arranging time with individuals for audit interviews.
o A security analyst may be called upon to assist in conducting site surveys and
administering security questionnaires. Accompanying communication may be
required to acquire the specific responses of specific requirements.
o Auditors on site may need help in communicating with site management.
o Security analyst may be of immense help providing the auditors with background
information and facilitating ad-hoc activities that may not be registered in the original
plan.
o Security analysts learn with each audit and testing activity and can carry on evaluating
the strength of the organization's security policy and its implementation. The
analyst makes ongoing efforts to help refine the policy and correct deficiencies that
are discovered through the audit process.

Check your understanding:

Q. List the various kinds of assistance auditors require at the various stages of the audit that
security analysts may be called upon to provide.

Pre-audit stage

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________


On-site

_______________________________________________________________________

________________________________________________________________________

Post audit

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

________________________________________________________________________

NOTES:


702
Student Handbook – Security Analyst SSC/N9001

SSC/ N 9001:
Manage your work to meet requirements

UNIT I: Understanding scope of work and working within limits of authority


UNIT II: Work and work environment
UNIT III: Maintaining confidentiality


Unit Code SSC/ N 9001

Unit Title (Task) Manage your work to meet requirements

Description This unit is about planning and organizing your work in order to complete it to the
required standards on time.
Scope This unit/task covers the following:

Work requirements:

 activities (what you are required to do)


 deliverables (the outputs of your work)
 quantity (the volume of work you are expected to complete)
 standards (what is acceptable performance, including compliance with
Service Level Agreements)
 timing (when your work needs to be completed)
Appropriate people:

 line manager
 the person requesting the work
 members of the team/department
 members from other teams/departments
Resources:

 equipment
 materials
 information
Performance Criteria (PC) w.r.t. the Scope

The user / individual on the job should be able to:


PC1. establish and agree your work requirements with appropriate people
PC2. keep your immediate work area clean and tidy
PC3. utilize your time effectively
PC4. use resources correctly and efficiently
PC5. treat confidential information correctly
PC6. work in line with your organization’s policies and procedures
PC7. work within the limits of your job role
PC8. obtain guidance from appropriate people, where necessary
PC9. ensure your work meets the agreed requirements
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company / organization and its processes)
The user/individual on the job needs to know and understand:
KA1. the organization’s policies, procedures and priorities for your area of work and your role
and responsibilities in carrying out your work
KA2. the limits of your responsibilities and when to involve others
KA3. your specific work requirements and who these must be agreed with
KA4. the importance of having a tidy work area and how to do this
KA5. how to prioritize your workload according to urgency and importance and the benefits
of this
KA6. the organization’s policies and procedures for dealing with confidential information and
the importance of complying with these
KA7. the purpose of keeping others updated with the progress of your work
KA8. who to obtain guidance from and the typical circumstances when this may be required
KA9. the purpose and value of being flexible and adapting work plans to reflect change

B. Technical Knowledge
The user/individual on the job needs to know and understand:
KB1. the importance of completing work accurately and how to do this
KB2. appropriate timescales for completing your work and the implications of not meeting
these for you and the organization
KB3. resources needed for your work and how to obtain and use these


THE UNITS

The module for this NOS is divided into 3 Units based on the learning objectives as given below.

UNIT I: Understanding scope of work and working within limits of authority


1.1. Scope of work
1.2. Seeking/providing clarity, assistance and support
1.3 Seeking feedback and approvals
1.4 Change and flexibility
UNIT II: Work and work environment
2.1. Planning work and work environment
2.2. Cleanliness and tidiness
UNIT III: Maintaining Confidentiality
3.1. Confidentiality of information
3.2. Policies and procedures for confidential information


UNIT I
Understanding scope of work and
working within limits of authority

This Unit covers:

 Lesson Plan
 Resource Material
1.1. Scope of work
1.2. Seeking and providing clarity, assistance and support
1.3. Seeking feedback and approvals
1.4. Change and Flexibility


LESSON PLAN

Outcomes
PC1. establish and agree your work requirements with appropriate people
Appropriate people: line manager, the person requesting the work, members of the
team/department, members from other teams/departments
PC6. work in line with your organization’s policies and procedures
PC7. work within the limits of your job role
PC8. obtain guidance from appropriate people, where necessary
PC9. ensure your work meets the agreed requirements

Performance Ensuring Measures
The learners must demonstrate PC1, PC6, PC7 and PC8 before starting the work activity
provided, and demonstrate PC9 after completion of the work.

Work Environment / Lab Requirement
Copies of the written instructions for the mentioned task, and the material and equipment
required to perform the task for each group.

Outcomes
You need to know and understand: KA1 to KA9
KA1. the organization’s policies, procedures and priorities for your area of work and your
role and responsibilities in carrying out your work
KA2. the limits of your responsibilities and when to involve others
KA3. your specific work requirements and who these must be agreed with
KA7. the purpose of keeping others updated with the progress of your work
KA8. who to obtain guidance from and the typical circumstances when this may be
required
KA9. the purpose and value of being flexible and adapting work plans to reflect change

Performance Ensuring Measures
Sharing of information obtained through LinkedIn, Facebook and other social media contacts
for evaluation by the peer group and faculty. Create discussion forums and discuss the
learning through social media, and create a document for evaluation by the peer group and
faculty.

Work Environment / Lab Requirement (inclusive of hardware / software specifications)
Standard environment PLUS: create discussion forums at college level; create contacts on
LinkedIn and other social media sites.


1.1 Scope of Work

Scope of work refers to the range of tasks and activities to be performed, or expected to be performed, by someone within a project or contract, as agreed. It is usually the result of dividing, defining and limiting work and responsibilities, and is understood to be performed within agreed timelines and rules or standards of performance.
It is important that one’s own and others’ scope of work and responsibilities are clearly and commonly understood between co-workers, for the following reasons:

 Helps in planning and organising work better
 Builds trust and reliability
 Reduces scope of conflict and confusion
 Helps optimise effort through reducing omissions and overlaps
 Helps secure the right level of support from the right people

Discuss and state the importance (advantages and disadvantages) of doing work as per the following:
 agreeing work requirements with appropriate people before commencing work
__________________________________________________________
__________________________________________________________
__________________________________________________________
__________________________________________________________
__________________________________________________________
 purpose of having policies and procedures and working as per these
__________________________________________________________
__________________________________________________________
__________________________________________________________
__________________________________________________________
__________________________________________________________
 knowing job limits and working within one’s span of responsibility

__________________________________________________________
__________________________________________________________
__________________________________________________________
__________________________________________________________
__________________________________________________________


Every worker needs to know what they are meant to do at work and the limits of their work and authority. This helps everyone plan and organise their own work better, as it reduces uncertainty and the need to constantly clarify with seniors and others what is expected, as to what to do and what not to do.
Also, if everyone is clear about their own and their co-workers’ work, then there is clarity of expectations around each other’s performance, and it helps everyone know and rely on others to do their part, especially where there are interdependencies involved. If co-workers do their part as expected or required, trust develops between co-workers. Where co-workers do not deliver performance as expected or required, there is disappointment and lack of trust.
A clear division of work and responsibilities also helps plan and carry out work in a manner that no work is left unassigned or erroneously assigned in duplicate to multiple people, which causes lack of clarity on who is responsible and accountable for carrying out that work.
The main difference between responsibility and accountability is that responsibility can be shared while accountability cannot.

Ways to clarify scope of work

 Job descriptions
 Seniors (Supervisors or managers)
 Job or duty assignment sheet/document/roster
 Colleagues
 Policy and procedure documents

Organisation’s policies and procedures

Why do companies have policies and procedures?

a. Ease of working and common understanding
b. Regulatory and statutory compliance
c. Optimising performance and productivity
d. Setting standards for performance and quality
e. Reduction of errors, safety and security

Why is it important to follow policies and procedures while working?

a. To be safe, productive and maintain company standards
b. Reliability and trustworthiness
c. To remain compliant with legal, regulatory and statutory requirements


Research the internet to list various policies and their purpose in companies.
Policies for awareness of role and responsibilities

1. _______________________________________________________________________________
2. _______________________________________________________________________________
3. _______________________________________________________________________________
4. _______________________________________________________________________________
5. _______________________________________________________________________________

IT related policies

6. _______________________________________________________________________________
7. _______________________________________________________________________________
8. _______________________________________________________________________________
9. _______________________________________________________________________________
10. _______________________________________________________________________________


1.2 Seeking/Providing Clarity, Assistance and Support


When working in an organisation, work dependencies very often mean executing work that involves or impacts different departments, co-workers and other stakeholders.

Executing the work well may require people to: stay and keep others informed, collaborate, assist and support each other, participate in planning and decision making, etc.

The organisation is divided into hierarchies, departments, divisions and teams in order to use and develop people’s expertise in accordance with the capability requirements of the organisation.

It is important, where required, to involve and seek assistance and support from those designated in the organisation as authorities for decision making over their remit of work. It is important that people respect other people’s authority and expertise over their areas of work.

There are various reasons why others need to be involved:

1. To contribute their expertise
2. Complex work and interdependencies that require more people to complete tasks
3. Authority and remit of decision making
4. Stakeholders impacted by the actions
5. To generate more and diverse ideas

It is important to know one’s own limits of decision making. When one is unclear about it or needs to
execute or make decisions about work that extends beyond one’s remit and authority, it is important
to secure formal permissions, advice and assistance from those designated for the same.

Information on whom to secure permissions, advice or assistance from may be derived from the following sources:

 Organisational chart depicting hierarchy and reporting relationships
 Organisation policies and procedures
 Employee handbook
 Own manager or supervisor
 Designated person from the designated or relevant department or Division, such as the Human Resources Department
 Others

All tasks at work must be performed accurately as per instructions and within the time limit while demonstrating the following principles.

 establish and agree your work requirements with appropriate people
 Appropriate people: line manager, the person requesting the work, members of the team/department, members from other teams/departments
 work in line with your organization’s policies and procedures
 work within the limits of your job role
 obtain guidance from appropriate people, where necessary
 ensure your work meets the agreed requirements
 Provide feedback in the end to each group with respect to the same.
 Ensure members represent different levels of hierarchy in an organization, including supervisor, subordinate, department head, specialist, customer, etc.

When to keep others informed of progress and problems?

It is important in many contexts to inform others of work related issues, problems and progress. Any work being assigned also comes with a set of expectations of customers, co-workers, supervisors or managers, other departments, etc. These expectations are around:

 volume of work
 quality of work
 time within which the work needs to be completed

Since others usually depend on the work being completed as per expectations, it is important that they are made aware of progress and any problems that may arise during execution of the work.


1.3 Seeking Feedback and Approvals

Seeking feedback and getting work quality checked by appropriate persons is important for various
reasons including:

1. Ensuring internal and external customer satisfaction
2. Identifying areas of strength and improvement
3. Gathering evidence of satisfactory performance
4. Compliance with set procedures and organisation guidelines

Feedback is sought from these:
 Internal customers
 External customers
 Department head, etc.
 Own direct supervisor
 Team leader or manager
 Fellow co-workers
 Team members

The person providing the feedback should be thanked for taking the time to do so.

Feedback must be analysed and used to improve our work and achieve better results. Feedback that is sought and not acted upon is wasted feedback, and often causes disappointment to the person providing it. Usually, once feedback has been used to improve or change work processes and performance, the person who provided the feedback must be informed of the same. This secures greater support, generates positivity in the mind of the person providing the feedback, and usually gets greater buy-in from them.

Incorporating feedback may sometimes require changes to work processes and methods, which may require the approval of others. This may be a formal requirement, with set processes that need to be followed to effect the change.


1.4 Change and flexibility


While scope of work, limits of authority, remit of work, set policies, processes and procedures define
what one must do and expectations of workers, it is also important to balance this with flexibility and
willingness to change.

This is important because of the dynamic environment that we work within and the ever evolving
nature of our work, work environment, customer expectations and related policies and procedures.

The field of Information security is an evolving and rapidly changing field. The greatest challenge for a
security analyst will be to keep abreast and be in sync with the changes.

Our professional, social and personal lives also will undergo changes that we have to accept and make
the best use of.

Flexibility to change is required to:

 incorporate new and improved methods of working
 adjust to environmental changes
 support others
 refine goals and objectives

However, to effect change in work practices or policies, it is important to follow protocol and go through the right channels and procedures. This is particularly important because any change has many facets of impact and in organisations it usually impacts others; also, the original practices and processes were made for a purpose and served some need.

Those people and organisations which are not willing to change often fail to improve and adapt to
newer conditions and environments, which may make them redundant.

Change must be communicated to all those who are impacted by it and often their views must be
collected regarding the same in a timely manner, in order to ensure that the change is not causing
undesired impact that can escalate into larger problems.


NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________


UNIT II
Work and Work Environment

This Unit covers:

 Lesson Plan
2.1 Planning Work and Work environment
2.2 Cleanliness and Tidiness


LESSON PLAN

Outcomes | Performance Ensuring Measures | Work Environment / Lab Requirement

Outcomes:
PC2. keep your immediate work area clean and tidy
PC3. utilize your time effectively
PC4. use resources correctly and efficiently
Performance Ensuring Measures:
Provide the learners a similar task as above and ask them to do the task keeping in mind the learning from the previous unit as well as this one. Ask 1 member of each group to take notes for the neighbouring group on PC1-9 while the task is being performed, on what went well and what could be done better. The trainer can also take notes. Have each member present; the trainer can value add.
The learners must demonstrate PC2-4 while on the job.
Work Environment / Lab Requirement:
Copies of the written instructions for the mentioned task, and the material and equipment required to perform the task for each group.

Outcomes:
You need to know and understand:
KA4. the importance of having a tidy work area and how to do this
KA5. how to prioritize your workload according to urgency and importance and the benefits of this
Performance Ensuring Measures:
Ask each individual to write a note on keeping their work area clean. All learners to listen to all the tips and list the 5 best ideas for prioritization that they would practice.
Work Environment / Lab Requirement (inclusive of Hardware / Software Specifications):
Standard Environment PLUS: Create discussion forums at college level. Create contacts in LinkedIn and other social media sites.

Outcomes:
KB1. the importance of completing work accurately and how to do this
KB2. appropriate timescales for completing your work and the implications of not meeting these for you and the organization
KB3. resources needed for your work and how to obtain and use these
Performance Ensuring Measures:
KB1 to KB3: Create documents and present them to the group for peer group and faculty evaluation.
Work Environment / Lab Requirement:
Standard Environment PLUS: Create discussion forums at college level. Create contacts in LinkedIn and other social media sites.


2.1 Planning work and work environment

Work planning

To-Do List

Columns: Sr.No | To-do tasks | To finish by when | Priority (Very important / Important / Not important)
Rows: 1 to 10

Plan for the Day

Columns: Time | Task to be done | Interaction with whom | Status/comments
Rows:
9.00am – 10.00am
10.00am – 11.00am
11.00am – 12.00pm
12.00pm – 01.00pm
01.00pm – 02.00pm
02.00pm – 03.00pm
03.00pm – 04.00pm
04.00pm – 05.00pm


Prioritizing

Individual Goals | Team Goals
1. | 1.
2. | 2.
3. | 3.
4. | 4.
5. | 5.

 Discuss with Supervisor/Faculty and Finalize
 Decide as per goals which work is important and needs to be prioritised, and what can be avoided, delegated or negotiated.

Important work as per Goals | Not so Important as per Goals

Planning work and work environment can have a substantial impact on the quality and
quantity of work and contributes towards efficiency and productivity.

Work planning involves various things including:

1. Defining goals and sub goals
2. Sequence of activities
3. Time allocation
4. Resource planning
5. Anticipating events and issues impacting work
6. Mechanisms for checking accuracy and quality of work

 Defining goals and sub-goals includes breaking the overall objective into measurable and well defined constituent results that can help in planning, implementation and tracking achievement and progress. It is important that these are further evaluated in terms of realistic and required time frames, and that the time available is allocated in such a manner that these goals are achieved within optimal time frames.


 Sequencing activities right is also of great importance in efficient and effective working. Factors
that need to be considered while sequencing activities include:
o Dependencies on interim outputs
o Availability of resources
o Space design
o Schedule of deliverables and urgencies
o Work styles, interests and preferences
o Capabilities
 Resources required can be identified by analysing the work, tasks and sub-tasks involved and the
volume of work required.
 Most organisations have standard procedures for requisitioning resources. For example, the IT supplies team may have IT equipment that the user department may requisition through a formal request approved by a designated level of authority (authorised person).
 Organisations also have procedures to request the purchase of new resources and materials that may not be available within the organisation. This has to be routed as per procedure through the authorised department and personnel and requires the necessary approvals.
 One also has to plan for foreseen and unforeseen events or occurrences that may impact the work and ensure these are factored in for timelines, costs, material and human resource requirements, etc.
 It is very important to check one’s work for accuracy, completeness and quality.
As a security analyst this is particularly important, as your work is very detailed and a minor omission may result in vulnerabilities being ignored and causing greater damage.
It is also important to meet time commitments and agreed deadlines. Failing to do so has the following consequences:
1. Loss of reputation and being recognised as incompetent or unprofessional.
2. Not being able to meet time commitments also impinges on further commitments of other work that has to follow. There might be others depending on the output of the work done.
3. Delays can also cause financial losses, as there may be penalty clauses on delayed delivery.
4. Also, time spent on the job is budgeted at a certain cost; any delay means an increase in costs.

Planning the Work environment

‘A place for everything and everything in its place’ is a principle used by many to organise their environment. One can contribute effectively towards making one’s work environment conducive for efficient working.
Some of the key requirements for this are:
 cleanliness and tidiness,
 organising the space layout for efficient working,
 ergonomic design, optimal space for people and the work to be carried out,
 right ambient conditions (lighting, ventilation, etc.).


2.2 Cleanliness and tidiness

Cleanliness and tidiness of the work environment is also essential for:

 the working of others and conveying a professional image of the worker and the organisation.
 preventing loss and wastage through misplaced items and spoilage due to improper storage.
 inhibiting growth of pests and harmful microbes that may result in illness or materials damage.

In order to maintain a clean and tidy work area the following practices may need to be followed:
1. Ensure routine cleanliness done by housekeeping or designated staff is carried out. Bring to their
notice or report areas which require cleanliness or have not been done so.
2. Ensure that food and beverage items and other organic materials are not brought into the work
area, where avoidable.
3. Ensure windows and doors are kept closed, especially in environments where there is risk of
dust accumulation.
4. Identify places for all materials and objects used in work and return these to their rightful place
after use.
5. Do not litter trash and use the appropriate dustbin for disposing waste. Follow organisational
waste disposal procedures if specified.
6. Ensure surfaces are not damaged, scratched or dampened. This looks bad and at the same time causes further deterioration and accumulation of harmful microbes or pest infestation.
7. Ensure that papers and files are not strewn around.
8. Encourage others to follow the same practices, in a polite and respectful manner.

Try this:

Visit the workstations on different floors and make 2 lists:

1) Ways in which a work area was untidy

2) Ways in which a work area was kept tidy

Then visit your own work area and see what can be done to make it clean and tidy.


UNIT III
Maintaining Confidentiality

This Unit covers:

 Lesson Plan
3.1. Treating confidential information
3.2. Policies and procedures for confidential information


LESSON PLAN

Outcomes | Performance Ensuring Measures | Work Environment / Lab Requirement

Outcomes:
PC5. treat confidential information correctly
You need to know and understand:
KA6. the organization’s policies and procedures for dealing with confidential information and the importance of complying with these
Performance Ensuring Measures:
Share the training organisation’s policy and procedures for dealing with confidential information, and have all learners sign the same. During the course of the training, take measures to check that confidentiality has been maintained and procedures were followed.
Work Environment / Lab Requirement:
2 copies of the training organisation’s policy and procedures for dealing with confidential information
Online research facility

3.1 Confidentiality of Information

Privacy is having control over the extent, timing, and circumstances of sharing oneself with others, physically, behaviorally, or intellectually.

Confidentiality is the treatment of information that an individual has disclosed in trust and with the
expectation that it will not be given away to others in ways that are inconsistent with the
understanding of the original disclosure without permission.

Confidential information refers to items that should be kept private. This can include:

 Documents
 Images
 Audio materials, etc.

Confidential information is often generated in client-professional or employee-employer relationships and could also be conversations. If information is not public then it generally has an owner, which can be an individual or an organization. In most cases, only the owner is permitted to share or authorize the sharing of private items.

In today’s increasingly litigious and highly competitive workplace, confidentiality is important for a
host of reasons:
 Sharing confidential information is often a professional violation and a legal violation. There
are a wide range of consequences including financial damages, loss of reputation, litigation,
etc.
 Failure to properly secure and protect confidential business information can lead to the loss
of business/clients.
 In the wrong hands, confidential information can be misused to commit illegal activity (e.g.,
fraud or discrimination), which can in turn result in costly lawsuits for the employer.
 There are laws protecting the confidentiality of certain information in the workplace.
 The disclosure of sensitive employee and management information can lead to a loss of
employee trust, confidence and loyalty. This will almost always result in a loss of productivity.


What Type Of Information Must Or Should Be Protected?

Restricted Information or Data: "Restricted information" is UC's term for the most sensitive
confidential information. Restricted information or data is any confidential or personal information
that is protected by law or policy and that requires the highest level of access control and security
protection, whether in storage or in transit.

Examples of Restricted Data

 Personal Identity Information (PII)
 Electronic protected health information (ePHI) protected by Federal HIPAA legislation
 Credit card data regulated by the Payment Card Industry (PCI)
 Passwords providing access to restricted data or resources
 Information relating to an ongoing criminal investigation
 Court-ordered settlement agreements requiring non-disclosure
 Information specifically identified by contract as restricted
 Other information for which the degree of adverse effect that may result from unauthorized access or disclosure is high

Examples of Other Types of Non-Restricted, Confidential Information

 Home address or home telephone number
 Personal information protected by anti-discrimination and information privacy laws such as:
o Ethnicity or Gender
o Date of birth
o Citizenship
o Marital Status
o Religion or Sexual orientation
 Certain types of student records
 Exams, answer keys, and grade books
 Applicant information in a pending recruitment
 Information subject to a non-disclosure agreement, including research data, intellectual property (IP), patent information and other proprietary data
 Academic evaluations and letters of recommendation
 Responses to a Request for Proposal (RFP) before a decision has been reached
 Some kinds of personnel actions
 "Pre-decisional" budget projections for a campus department (can also be marked "Draft" or "Not for Distribution")

Confidential workplace information can generally be broken down into three categories:

1) employee information,
2) management information,
3) business information.


3.2 Policies and procedures for confidential information

Why would organizations have chosen to have these policies?

_________________________________________________________________________________

_________________________________________________________________________________

_________________________________________________________________________________

_________________________________________________________________________________

What would happen if these policies are violated?

_________________________________________________________________________________

_________________________________________________________________________________

_________________________________________________________________________________

_________________________________________________________________________________

To better protect confidential information, organisations can develop written confidentiality policies and procedures.

Every business/organization should have a written confidentiality policy (typically in its employee
handbook) describing both the type of information considered confidential and the procedures
employees must follow for protecting confidential information. At the very least, we recommend
employers adopt the following procedures for protecting confidential information:

 All confidential documents should be stored in locked file cabinets or rooms accessible only
to those who have a business “need-to-know.”
 All electronic confidential information should be protected via firewalls, encryption and
passwords.
 Employees should clear their desks of any confidential information before going home at the
end of the day.
 Employees should refrain from leaving confidential information visible on their computer
monitors when they leave their work stations.
 All confidential information, whether contained on written documents or electronically,
should be marked as “confidential.”
 All confidential information should be disposed of properly (e.g., employees should not print
out a confidential document and then throw it away without shredding it first.)
 Employees should refrain from discussing confidential information in public places.
 Employees should avoid using e-mail to transmit certain sensitive or controversial
information.
 Limit the acquisition of confidential client data (e.g., social security numbers, bank accounts, or driver’s license numbers) unless it is integral to the business transaction, and restrict access on a “need-to-know” basis.
 Before disposing of an old computer, use software programs to wipe out the data contained
on the computer or have the hard drive destroyed.


Enforcement of Confidentiality Policy:

This is one of the most important steps a business/organization can take to protect its confidential
information, and unfortunately, it’s oftentimes the one step that is ignored. All the policies,
procedures and training in the world will not matter if those policies and procedures are not enforced.
In order for a confidentiality policy to have “teeth,” employees who violate the policy must be
disciplined in accordance with an employer’s corrective action procedures.

New and/or Current Employees Sign a “Non-Disclosure” Agreement:

These agreements go by many names. Sometimes they are called “non-disclosure agreements,” and
other times they are called “proprietary information agreements.” Regardless of title, these
agreements are contracts designed to protect the confidential “business information” described
above (e.g., “trade secrets”). These agreements are vital to most businesses today, especially considering the ease with which employees can now electronically transfer large amounts of information, much of which would be incredibly damaging in the hands of a competitor.


Summary
• It is important to understand clearly one’s own and others’ scope of work and responsibilities, and the limits of their work and authority.
• When one is unclear about what to do, or needs to execute or make decisions about work that extends beyond one’s remit and authority, it is important to secure formal permission, advice and assistance from those designated for the same.
• All tasks at work must be performed accurately as per instructions and within the time limit, while demonstrating the following principles:
  o establish and agree your work requirements with appropriate people
  o work in line with the organization’s policies / procedures and within the limits of your job role
  o obtain guidance from appropriate people, where necessary
  o ensure your work meets the agreed requirements
  o provide feedback at the end to each group concerned
• Since others are usually depending on the work being completed as per expectations, it is important that they are made aware of progress and any problems that may arise.
• The person providing feedback should be thanked for taking the time to do so.
• Feedback must be analyzed and used to improve our work and achieve better results.
• Incorporating feedback may sometimes require a change of work processes and methods, which may require the approval of others.
• The field of information security is an evolving and rapidly changing one. The greatest challenge for a security analyst will be to keep abreast of and in sync with the changes.
• Flexibility to change is required to incorporate new and improved methods of working; adjust to environmental changes; support others; and refine goals and objectives.
• However, to effect change in work practices or policies it is important to follow protocol and go through the right channels and procedures.
• Keep your immediate work area clean and tidy, utilize your time effectively and use resources correctly and efficiently.
• Decide, as per your goals, which work is important and needs to be prioritized, and what can be avoided, delegated or negotiated.
• Ensure that routine cleaning by housekeeping or designated staff is carried out. Bring to their notice, or report, areas which require cleaning or have not been attended to.
• Ensure that food and beverage items and other organic materials are not brought into the work area, where avoidable.
• Identify places for all materials and objects used in work and return these to their rightful place after use.
• Do not litter; use the appropriate dustbin for disposing of waste. Follow organizational waste disposal procedures if specified.
• Confidential information is often generated in client-professional or employee-employer relationships, and could also be conversations.
• Sharing confidential information is often a professional violation and a legal violation. There is a range of consequences, including financial damages, loss of reputation, litigation, etc.
• Failure to properly secure and protect confidential business information can lead to the loss of business/clients.
• In the wrong hands, confidential information can be misused to commit illegal activity (e.g., fraud or discrimination), which can in turn result in costly lawsuits for the employer.
• The disclosure of sensitive employee and management information can lead to a loss of employee trust, confidence and loyalty. This will almost always result in a loss of productivity.
• Confidential workplace information can generally be broken down into three categories: employee information, management information and business information.


• All confidential documents should be stored in locked file cabinets or rooms accessible only to those who have a business “need-to-know.”
• All electronic confidential information should be protected via firewalls, encryption and passwords.
• Employees should clear their desks of any confidential information before going home at the end of the day.
• Employees should refrain from leaving confidential information visible on their computer monitors when they leave their work stations.
• All confidential information, whether contained on written documents or electronically, should be marked as “confidential.”


Check your Understanding

1) List your key responsibilities as a Security Analyst and your limits w.r.t. each.

Key Responsibility                                        Limits
1.
2.
3.
4.
5.

2) Which of the following is not a way to clarify job requirements?
a) By asking Seniors (Supervisors or managers)
b) By researching on the internet
c) By reading the Job or duty assignment sheet/document/roster
d) By clarifying from Colleagues

3) State 3 benefits of having a tidy work area and 3 things that you can do to achieve this.

Benefits
1. _____________________________________________________________________________
2. _____________________________________________________________________________
3. _____________________________________________________________________________

How to keep work area tidy
4. _____________________________________________________________________________
5. _____________________________________________________________________________
6. _____________________________________________________________________________


4) State whether the following statements are ‘TRUE’ or ‘FALSE’

Statement (TRUE / FALSE)
1. The organisation is divided into hierarchies, departments, divisions and teams to make sure there is a career progression for all.
2. This is important because of the dynamic environment that we work within and the ever evolving nature of our work, work environment, customer expectations and related policies and procedures.
3. It is important to complete work as per expectation rather than wasting time making relevant people aware of progress or any problems.
4. To effect change in work practices or policies it is important to follow protocol and go through the right channels and procedures.
5. Change must be communicated to all those who are impacted by it, and often their views must be collected regarding the same in a timely manner.
6. Cleanliness and tidiness of the work environment is also essential for conveying a professional image.
7. Feedback and approvals are often and actively sought from external customers and one’s own direct supervisor. Internal customers and team members can also give their feedback sometimes.



SSC/ N 9002:
Work effectively with colleagues

UNIT I: Effective Communication

UNIT II: Working Effectively


Unit Code: SSC/ N 9002

Unit Title (Task): Work effectively with colleagues

Description: This unit is about working effectively with colleagues, either in your own work group or in other work groups within your organization.

Scope: This unit/task covers the following:

Colleagues:
• line manager
• members of your own work group
• people in other work groups in your organization

Communicate:
• face-to-face
• by telephone
• in writing

Performance Criteria (PC) w.r.t. the Scope

The user / individual on the job should be able to:
PC1. communicate with colleagues clearly, concisely and accurately
PC2. work with colleagues to integrate your work effectively with theirs
PC3. pass on essential information to colleagues in line with organisational requirements
PC4. work in ways that show respect for colleagues
PC5. carry out commitments you have made to colleagues
PC6. let colleagues know in good time if you cannot carry out your commitments, explaining the reasons
PC7. identify any problems you have working with colleagues and take the initiative to solve these problems
PC8. follow the organization’s policies and procedures for working with colleagues

Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company / organization and its processes)
The user/individual on the job needs to know and understand:
KA1. the organization’s policies and procedures for working with colleagues and your role and responsibilities in relation to this
KA2. the importance of effective communication and establishing good working relationships with colleagues
KA3. different methods of communication and the circumstances in which it is appropriate to use these
KA4. benefits of developing productive working relationships with colleagues
KA5. the importance of creating an environment of trust and mutual respect in an environment where you have no authority over those you are working with
KA6. where you do not meet your commitments, the implications this will have on individuals and the organization

B. Technical Knowledge
The user/individual on the job needs to know and understand:
KB1. different types of information that colleagues might need and the importance of providing this information when it is required
KB2. the importance of understanding problems from your colleague’s perspective and how to provide support, where necessary, to resolve these


THE UNITS

The module for this NOS is divided into 3 Units based on the learning objectives given below.

UNIT I: Effective Communication


1.1. What is Communication?
1.2. Barriers to Effective Communication
1.3. Communicating Effectively at work

UNIT II: Working Effectively


2.1. Importance of establishing Good Working Relationships
2.2. Environment of Trust and Mutual Respect
2.3. Implication of not meeting commitments
2.4. Performance Evaluation


UNIT I
Effective Communication

This Unit covers:

• Lesson Plan
• Resource Material
1.1. What is Communication?
1.2. Barriers to Effective Communication
1.3. Communicating Effectively at work


LESSON PLAN

(Columns: Outcomes | Performance Ensuring Measures | Work Environment / Lab Requirement)

Outcomes: PC1. communicate with colleagues clearly, concisely and accurately
Performance Ensuring Measures: The learners must demonstrate PC1 during group activities.
Work Environment / Lab Requirement: Standard Environment plus cluster arrangement in classroom for group work. Chart paper, sketch pens, A4 size blank sheets for activities.

Outcomes: You need to know and understand:
KA2. the importance of effective communication and establishing good working relationships with colleagues
KA3. different methods of communication and the circumstances in which it is appropriate to use these
Performance Ensuring Measures: KA2 to KA3. Question and Answer session. Descriptive write-up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points.
Work Environment / Lab Requirement: Standard Environment PLUS create discussion forums at college level. Create contacts in LinkedIn and other social media sites.

Outcomes: Writing Skills. You need to know and understand how to:
SA1. complete accurate, well written work with attention to detail
SA2. communicate effectively with colleagues in writing
Performance Ensuring Measures: SA1, SA2. Online assessment. Quiz, document review by peer group and Faculty.
Work Environment / Lab Requirement: Standard Environment. Group discussions.

Outcomes: Reading Skills. You need to know and understand how to:
SA3. read instructions, guidelines/procedures
Performance Ensuring Measures: SA3. Quiz, document review by peer group and Faculty.

Outcomes: Oral Communication (Listening and Speaking skills). You need to know and understand how to:
SA4. listen effectively and orally communicate information accurately
SA5. ask for clarification and advice from the line manager
Performance Ensuring Measures: SA4, SA5. Online assessment. Strongly recommends Versant/SVAR.


2.1. EFFECTIVE COMMUNICATION

Communication
Any activity that involves the exchange of information between two or more persons to meet a desired objective is known as communication.

Types of Communication
Verbal Communication: Verbal communication refers to the form of communication in which the message is transmitted verbally. An important aspect of verbal communication is to ensure that the person who is listening is also on the same page. Sometimes what the speaker intends to say is not what the listener hears. Hence, the former has to make sure that he communicates clearly. Some examples of oral communication:
• Face-to-face interactions
• Telephonic conversations
• Virtual communication like Skype chats
• Video
• Radio
• Television

Non-Verbal Communication: Non-verbal communication refers to the form of communication that does not use any words to convey the message. It uses gestures, posture, body language, expressions and tone of voice for communicating. Some examples of non-verbal communication:
• Frowning at someone
• Nodding of head in agreement
• Smiling in appreciation
• Giving a disapproving look to someone

Written Communication: Written communication is the form of communication that uses written language, signs or symbols for communicating. Here, the message is influenced by the vocabulary and grammar used, writing style, precision and clarity of the language used. Some examples of written communication:
• Emails
• Letters
• Memos
• Notes
• Notices
• Reports
• Manuals
• PowerPoint Presentations


Barriers to Effective Communication

The following are some impediments that can come in the way of communicating effectively with others:

• Physical barriers: When two persons are not present at the same physical location, communicating with each other becomes difficult. However, technology like virtual meeting applications has made things easier.
• Perceptual barriers: When two people have a different perception of the same thing, communication becomes difficult. For example, for somebody in a formal setting, talking softly would be the norm, whereas for another person, talking softly could mean the other person is trying to hide something.
• Emotional barriers: Emotions too play a very important role in communication. For somebody, discussing personal issues in the office may be okay, while another person could consider that unacceptable.
• Cultural barriers: Given the global nature of workplaces these days, people from different cultures work together, which can lead to cultural misunderstandings. For example, in some cultures shaking hands with female colleagues is acceptable, while in others it may be unacceptable.
• Language barriers: When two people who are communicating do not know the same language, miscommunication can happen.

How to Communicate Effectively at Work

The following are some ways to communicate effectively:

• Be clear about what you want to say before communicating.
• Modify your message according to the recipient, if required. The background and need of the recipient should be kept in mind.
• Be careful about the language, tone and content of the message.
• Take cues from the non-verbal messages that the receiver may be sending that may help you understand whether he is getting your message, or is still interested.
• The message being sent out should be consistent and not self-contradictory.
• Listen to the other person’s point of view during a communication.
• Follow up after the communication to ensure the message has gone across.
• Choose the medium of communication carefully.
• Do not let your personal biases creep in.


Email Etiquette
Research has found that on average, IT professionals spend about a quarter of their time at work combing through the numerous emails and other digital messages one sends and receives each day.

In many cases more communication is conducted through emails and other digital messaging options like online discussion forums, WhatsApp and SMS than through personal meetings or phone calls.

Hence it becomes imperative for a Security Analyst to be able to use this mode of communication effectively.

Here are some considerations that one needs to take care of while communicating through emails or other digital messaging options:

• Include a subject line that is crisp and clear and matches the content of the message. Remember, people often decide whether to open an email based on the subject line.
• Use your official email address/account to conduct all official messaging. However, if you have to use some other address/name/account due to pressing reasons, then choose one that is appropriate for the workplace.
• Avoid using "reply all" unless there is a reason everyone on the list needs to receive the email. Check before sending the message that it is being sent to all the people it is meant for, and that there is no one who will find the message a waste of their time.
• Use professional salutations.
• Avoid emoticons as far as possible and use exclamation points sparingly. If you choose to use an exclamation point, use only one to convey excitement. While emoticons are fun, you don’t know how the recipient will take them. It's better to spell it out and write what you mean.
• Make your message easy to read. Don’t use long sentences. Use bullets to set off points you want to make. If it is important or complex content, have someone trusted read it and let you know where it was difficult to understand, so that you may correct it.
• Keep it short and get to the point. The long e-mail is a thing of the past. Write concisely, with lots of white space, so as not to overwhelm the recipient. Make sure that when you look at what you're sending it doesn't look like a burden to read.
• Do not sound abrupt or harsh. Read your message out loud. If it sounds harsh to you, it will sound harsher to the reader. Any emotion passed in a written message will seem heightened.
• Know that people from different cultures speak and write differently. Tailor your message depending on the receiver's cultural background or how well you know them.

• It's better to leave humour out of emails unless you know the recipient well. Something that you think is funny might not be funny to someone else.
• Reply to your emails, even if the email wasn't intended for you. It's difficult to reply to every email message ever sent to you, but you should try to. Even if the email was accidentally sent, you can reply informing the sender of the same so that it can be sent to the correct person on time.
• Proofread every message. Don't rely only on spell-checkers. Read and re-read your email a few times, preferably aloud, before sending it off.
• Be cautious with colour or all capitals in the message. They are distracting and may be perceived the wrong way. Writing in all capitals can convey that you are shouting in your message, and nobody likes to be yelled at.
• Don't use email to discuss confidential information. Email messages are easy to copy, print and forward.
• Your e-mail greeting and sign-off should be consistent with the level of respect and formality of the person you're communicating with.
• Always include a signature. You never want someone to have to look up how to get in touch with you. If you're social media savvy, include all of your social media information in your signature as well.

“Remember - Your e-mail is a reflection of you. Every e-mail you send adds to, or detracts
from your reputation.”


UNIT II
Working Effectively

This Unit covers:

• Lesson Plan
• Resource Material
2.1. Working Effectively


LESSON PLAN

(Columns: Outcomes | Performance Ensuring Measures | Work Environment / Lab Requirement)

Outcomes:
PC2. work with colleagues to integrate your work effectively with theirs
PC3. pass on essential information to colleagues in line with organisational requirements
PC4. work in ways that show respect for colleagues
PC5. carry out commitments you have made to colleagues
PC6. let colleagues know in good time if you cannot carry out your commitments, explaining the reasons
PC7. identify any problems you have working with colleagues and take the initiative to solve these problems
PC8. follow the organization’s policies and procedures for working with colleagues
Performance Ensuring Measures: The learners must demonstrate PC2-8 during group activities.
Work Environment / Lab Requirement: Standard Environment plus cluster arrangement in classroom for group work. Chart paper, sketch pens, A4 size blank sheets for activities.

Outcomes: You need to know and understand:
KA1. the organization’s policies and procedures for working with colleagues and your role and responsibilities in relation to this
KA4. benefits of developing productive working relationships with colleagues
KA5. the importance of creating an environment of trust and mutual respect in an environment where you have no authority over those you are working with
KA6. where you do not meet your commitments, the implications this will have on individuals and the organization
Performance Ensuring Measures: KA1 to KA6. QA session and a descriptive write-up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points.
Work Environment / Lab Requirement: Standard Environment PLUS create discussion forums at college level. Create contacts in LinkedIn and other social media sites.

Outcomes: You need to know and understand:
KB1. different types of information that colleagues might need and the importance of providing this information when it is required
KB2. the importance of understanding problems from your colleague’s perspective and how to provide support, where necessary, to resolve these
Performance Ensuring Measures: KB1, KB2. Group and Faculty evaluation based on anticipated outcomes.
Work Environment / Lab Requirement: Standard Environment PLUS access to online forums.


2.2. WORKING EFFECTIVELY

Importance of establishing Good Working Relationships

The following are some benefits of developing productive relationships with colleagues:
• Getting tasks done gets easier.
• Colleagues are more likely to go along with the changes that you recommend.
• Instead of spending time and energy on negative relationships, you can focus on opportunities.
• You can get ideas and feedback from others.
• You can take help in hours of need, if required.
• Your productivity increases.
• Your performance gets appraised better.
• You can learn from others and add to your existing skill-set.

To explain this further, consider this example.

Example 1

You, the Information Security Analyst of a company, have been entrusted with the task of upgrading the organization’s security systems. You have been able to upgrade the system, but you cannot be sure of its success till you test the system. For that, you would need help from all the people in the organization who use computer systems.

You need their feedback to ascertain whether they are experiencing any technical glitches. Also, you need to test the systems on Saturdays, when the company has a weekly off, but some employees do come in to work overtime. You need to convince them that they cannot work overtime on one of the Saturdays, as testing is important for you. Getting approval from all the colleagues and departments and zeroing in on a date would be a challenge.

Such tasks are only possible when you have a good relationship with your colleagues and they understand the importance of your job.

Benefits of productive working relationship with colleagues

Work with your colleagues and fill this table.
Type of Colleague | Type of Interaction | Frequency of Interaction | Importance of the Colleague Vis-a-Vis Your Job


One important aspect of inter-dependence is mutual respect and trust. This is as true in professional relationships as it is in personal relationships. Consider this example:

Example-2

A new colleague joins an organisation in the Finance department. He is not able to understand the networking system of the organisation. He calls you, the Information Security Analyst, and asks for help. You give him the Help Manual and ask him to refer to it. He calls you back and says that he is not able to understand much from the Manual and needs some time with you. You tell him this is way beyond your scope of work.

After a few months, your company’s CEO asks you to install special security systems for the Finance department, as the data with them is more vulnerable than that of the other departments. For this, you need to understand the workings of the department and come up with a plan that would be approved by the department representative. As luck would have it, the department representative turns out to be that very person whom you had refused to help earlier.

What do you think will happen now?
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________

How will it affect your work?
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________

Importance of an environment of trust and mutual respect

One important aspect of inter-dependence is mutual respect and trust. This is as true in professional relationships as it is in personal relationships. It is the former that has to be explained to the students. This again can be best done with an example.

Example-3

The IT department of a company has three sub-departments:
1. Hardware,
2. Software and
3. Security.
Reena is responsible for the Security part of it, as she is the Information Security Analyst of the company. Given the nature of the job, all three sub-departments need to work in tandem with each other, which means giving access to each other’s systems. For Reena, this means that she will have to share the details of the firewalls and other security systems that she has installed on the network with the other two sub-departments.
Jai handles the Hardware part, while Amit handles the Software part.
Both Amit and Reena have been in the organisation for over two years and have therefore reached a point where they can trust each other with their confidential information. On the other hand, Jai is new to the organisation. Reena is uncomfortable sharing all the details with him. Jai, however, trusts her and shares his information freely.
After a while, he realises that Reena is not reciprocating and is hiding some crucial information from him. On one occasion, Jai had to make a Hardware Procurement Plan for the coming year, for which he needed to understand Reena’s system requirements for the coming year. Reena did not share all the information with Jai, because of which Jai’s plan suffered. Because Reena and Amit were friends, Jai started mistrusting Amit as well.
As a result, the entire IT department’s plans suffered.

Please comment on this scenario and discuss what steps the organisation, or Reena and Amit, could have taken to prevent the trust gap.
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________

Some of the benefits of an environment of trust and mutual respect are as follows:

• Getting tasks done gets easier.
• It encourages free flow of ideas.
• It saves time spent in gauging whether the other person is speaking the truth, or is giving genuine advice.
• Colleagues are more likely to go along with the changes that you recommend.
• You can take help in hours of need, if required.
• Your productivity increases.
• Your performance gets appraised better.


Implications of not meeting commitments on individuals and organisation

Consider this example:

Example-4

The Information Security department of a bank was entrusted with the task of upgrading the anti-virus software of all the computers at the bank over the weekend. The Information Security department had only two employees who were responsible for this.
• One of them had his annual leave planned for that weekend, which he availed.
• The other fell sick.
As a result, the task could not be completed over the weekend. As luck would have it, there was a virus attack on the systems on Monday morning, as a result of which some financial transactions of some customers were leaked to unauthorised people.
The customers got to know of this and, as a result, there was a huge backlash against the bank. The company’s senior management and the Public Relations department had to work overtime to allay the fears of the customers. Some other employees too had to work overtime to ensure that no unauthorised transactions were performed using the leaked data. In short, the whole company suffered.
Do you see how important the role of an Information Security Analyst is, and the ripple effect it can have on an organization if the Analyst does not perform his duties properly?

The following key points can be summarized:

• The performance of the entire team suffers, which has an impact on the performance of the department and organization as a whole.
• Customers get annoyed and the organization’s reputation gets tarnished.
• Remedial action eats up resources that could have been used for more productive activities.


Summary
 Communication is an activity that involves exchange of information between two or more
persons to meet a desired objective, is known as communication.
 Types of Communication are Verbal Communication, Non-Verbal Communication and Written
Communication
 Some impediments that can come in the way of communicating effectively with others are
Physical barriers, Perceptual barriers, Emotional barriers, Cultural barriers and Language
barriers
 The following are some ways to communicate effectively:
 Be clear about what you want to say before communicating.
 Modify your message according to the recipient, if required. The background and need of
the recipient should be kept in mind.
 Be careful about the language, tone and content of the message.
 Take cues from the non-verbal messages that the receiver may be sending that may help
you understand whether he is getting your message, or is still interested.
 Listen to the other person’s point of view during a communication.
 Choose the medium of communication carefully.
 Do not let your personal biases creep in.
 Some considerations that one needs to keep in mind while communicating through email or
other digital messaging options are:
 Include a subject line that is crisp and clear and matches the content.
 Avoid using "reply all" unless there is a valid reason.
 Use professional salutations.
 Make your message easy to read. Keep it short and get to the point.
 Do not sound abrupt or harsh. Tailor your message depending on the receiver's cultural
background or how well you know them. It's better to leave humour out of emails unless
you know the recipient well.
 Be cautious with colour or all capitals in the message.
 Don't use email to discuss Confidential Information.
 The following are some benefits of developing productive relationships with colleagues:
 Getting tasks done gets easier.
 Colleagues are more likely to go along with the changes that you recommend.
 Instead of spending time and energy on negative relationships, you can focus on
opportunities.
 You can get ideas and feedback from others.
 You can take help in hours of need, if required.
 Your productivity increases.
 Your performance gets appraised better.
 You can learn from others and add to your existing skill-set.
 One important aspect of inter-dependence is mutual respect and trust. This is as true in
professional relationships as it is in personal relationships. Recall the example of the bank's
delayed anti-virus upgrade:
 The performance of the entire team suffers, which has an impact on the performance of the
department and organisation as a whole.
 Customers get annoyed and the organisation’s reputation gets tarnished.
 Remedial action eats up resources that could have been used for more productive activities.

Check Your Understanding.


1. Search for and provide the key points of your organisation’s policies and procedures for working with
colleagues, and your role and responsibilities in relation to these.

Key Points

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

2. Give 2 examples that highlight the importance of effective communication and establishing good
working relationships with colleagues.
1. ___________________________________________________________________________

___________________________________________________________________________

2. ___________________________________________________________________________

___________________________________________________________________________

3. State at least 6 different methods of communication and the circumstances in which it is
appropriate to use these.

Verbal
1. ___________________________________________________________________
2. ___________________________________________________________________

Non-Verbal
1. ___________________________________________________________________
2. ___________________________________________________________________

Written
1. ___________________________________________________________________
2. ___________________________________________________________________

4. State 4 benefits of developing productive working relationships with colleagues.

1. ___________________________________________________________________________

2. ___________________________________________________________________________

3. ___________________________________________________________________________

4. ___________________________________________________________________________

5. Explain the importance of creating an environment of trust and mutual respect in an environment
where you have no authority over those you are working with.

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

6. Explain the importance of understanding problems from your colleague’s perspective and how to
provide support, where necessary, to resolve these.

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

SSC/ N 9003:
Maintain a healthy, safe and secure working
environment

UNIT I: Need for Health and Safety at Work

UNIT II: Security Analyst’s role

UNIT III: Emergency Situations

UNIT IV: Skills Required to Maintain Health and Safety at Work

Unit Code SSC/ N 9003

Unit Title (Task) Maintain a healthy, safe and secure working environment

Description This unit is about monitoring the working environment and making sure it meets
requirements for health, safety and security.

Scope This unit/task covers the following:

Emergency procedures:
 illness
 accidents
 fires
 other reasons to evacuate the premises
 breaches of security

Resources (needed to achieve the unit objectives):
 information
 government agencies in the areas of safety, health and security and their
norms and services

Performance Criteria (PC) w.r.t. the Scope

To be competent, you must be able to:

PC1. comply with your organization’s current health, safety and security policies
and procedures
PC2. report any identified breaches in health, safety, and security policies and
procedures to the designated person
PC3. identify and correct any hazards that you can deal with safely, competently
and within the limits of your authority
PC4. report any hazards that you are not allowed to deal with to the relevant
person in line with organizational procedures and warn other people who
may be affected
PC5. follow your organization’s emergency procedures promptly, calmly, and
efficiently
PC6. identify and recommend opportunities for improving health, safety, and
security to the designated person
PC7. complete any health and safety records legibly and accurately

A. Organizational Context (Knowledge of the company / organization and its processes)

You need to know and understand:

KA1. legislative requirements and organization’s procedures for health, safety
and security and your role and responsibilities in relation to this
KA2. what is meant by a hazard, including the different types of health and
safety hazards that can be found in the workplace
KA3. how and when to report hazards
KA4. the limits of your responsibility for dealing with hazards
KA5. the organisation’s emergency procedures for different emergency
situations and the importance of following these
KA6. the importance of maintaining high standards of health, safety and
security
KA7. implications that any non-compliance with health, safety and security
may have on individuals and the organization

B. Technical Knowledge

You need to know and understand:

KB1. different types of breaches in health, safety and security and how and
when to report these
KB2. evacuation procedures for workers and visitors
KB3. how to summon medical assistance and the emergency
services, where necessary
KB4. how to use the health, safety and accident reporting
procedures and the importance of these
KB5. government agencies in the areas of safety, health and security and their
norms and services

THE UNITS

The module for this NOS is divided into 4 Units based on the learning objectives given below.

UNIT I: Need For Health and Safety at Work

UNIT II: Security Analyst’s role

UNIT III: Emergency Situations

UNIT IV: Skills for Maintaining Health and Safety at Work

UNIT I
Need For Health and Safety at
Work

This Unit covers:

 Lesson Plan
 Resource Material
1.1. Need for Health and Safety at Work

LESSON PLAN

Outcomes:
You need to know and understand:
KA7. implications that any non-compliance with health, safety and security may have on
individuals and the organization
KA2. what is meant by a hazard, including the different types of health and safety hazards that
can be found in the workplace
KA6. the importance of maintaining high standards of health, safety and security
Performance Ensuring Measures:
KA7. QA session and a descriptive write-up on understanding.
KA2 & KA6. Group presentation and peer evaluation along with Faculty. Performance evaluation
from Faculty with reward points. Faculty and peer review.
Work Environment / Lab Requirement:
Standard Environment PLUS access to online forums.

Outcomes:
You need to know and understand:
KB1. different types of breaches in health, safety and security and how and when to report these
KB5. government agencies in the areas of safety, health and security and their norms and services
Performance Ensuring Measures:
KB1 & KB5. QA session and a descriptive write-up on understanding. Group presentation and peer
evaluation along with Faculty. Performance evaluation of the report by Faculty with reward points.
Work Environment / Lab Requirement:
Standard Environment PLUS access to online forums.

1.1. Need for Health and Safety at Work

Why is Health and Safety Important?

Since 1950, the International Labour Organisation (ILO) and the World Health Organisation
(WHO) have shared a common definition of occupational health. The definition reads:

"The main focus in occupational health is on three different objectives:

(i) the maintenance and promotion of workers’ health and working capacity;
(ii) the improvement of working environment and work to become conducive to safety and
health, and
(iii) development of work organisations and working cultures in a direction which supports
health and safety at work, and in doing so also promotes a positive social climate and smooth
operation, and may enhance productivity of the undertakings.

The concept of working culture is intended in this context to mean a reflection of the essential
value systems adopted by the undertaking concerned. Such a culture is reflected in practice
in the managerial systems, personnel policy, principles for participation, training policies and
quality management of the undertaking."

 Why is it important?

_____________________________________________________________________________

_____________________________________________________________________________

_____________________________________________________________________________

_____________________________________________________________________________

 What measures would it entail?

_____________________________________________________________________________

_____________________________________________________________________________

_____________________________________________________________________________

_____________________________________________________________________________

Having a healthy, safe and secure working environment is important for the following reasons:

Moral case - Ensuring the safety and well-being of workers, and providing an environment that
causes no harm to mental or physical health, is a moral obligation of organisations.

Ethical case - Exposing employees to toxic chemicals and other risk factors is unethical. Hence,
providing a healthy, safe and secure working environment becomes an ethical obligation of
organisations.

Legal case - There are many laws in our country that mandate organisations to have a healthy,
safe and secure working environment.

Examples:

 Civil Liability for Nuclear Damage Act, 2010 - An Act to provide for civil liability for nuclear
damage and prompt compensation to the victims of a nuclear incident through a no-fault
liability regime channelling liability to the operator, appointment of Claims Commissioner,
establishment of Nuclear Damage Claims Commission and for matters connected therewith
or incidental thereto.

 Atomic Energy (Factories) Rules 1996- Applies to all factories owned by the Central
Government engaged in activities under the Atomic Energy Act 1962 (33 of 1962). Regulates
health inspectors, workplace hygiene, safe use of machinery, manual labour, and protective
equipment. Chapter VI covers hours of work; Chapter VII forbids the employment of persons
under the age of 18. Provides for special working conditions for work involving lasers and toxic
substances. Repeals the Atomic Energy (Factories) Rules, 1984.

 The Plantations Labour Act 1951- Provides for the welfare of labour and regulates the
conditions of work in plantations. Contains 43 sections and 8 chapters concerning registration
of plantations; inspection staff; health provisions; welfare; hours and limitation of
employment; leave with wages; accidents; and penalties and procedure.

 Factories Act 1948- This Act contains 120 sections, and is divided into Chapters concerning
inspection staff, health, safety, hazardous processes, welfare, working hours of adults,
employment of young persons, annual leave with wage, and penalties and procedures.

 Employer's Liability Act 1938- Provides that certain defences shall not be raised in suits for
damages in respect of injuries sustained by workmen.

 Indian Boilers Act, 1923- Provides for the registration and certification of boilers, reporting of
boiler-related accidents, and duties of boiler owners at examination.

Business case
Employers are recognising the competitive advantage that a healthy workplace can give them over
competitors who regard a healthy and safe workplace as merely a necessary cost of doing
business.

Global case
There is a widespread agreement among global agencies, including the World Health Organisation
(WHO) and the International Labour Organisation (ILO) that the health, safety and well-being of
workers, who make up nearly half the global population, is of paramount importance. Thus, in order
to comply with international standards and to have a good reputation globally, organisations in India
too need to maintain a healthy, safe and secure working environment.

This can be best explained with the help of the following diagram:

Different types of breaches in health, safety and security


There are five main types of breaches in health, safety and security:
1. Physical hazards are the most common hazards and are present in most workplaces at some time.
For example, frayed electrical cords, unguarded machinery, exposed moving parts, constant loud
noise, vibrations, working from ladders, scaffolding or heights, spills, tripping hazards.
2. Ergonomic hazards occur when the type of work you do, your body position and/or your working
conditions put a strain on your body. They are difficult to identify because you don’t immediately
recognize the harm they are doing to your health. For example, poor lighting, improperly adjusted
workstations and chairs, frequent lifting, repetitive or awkward movements.

3. Chemical hazards are present when you are exposed to any chemical preparation (solid, liquid, or
gas) in the workplace. For example, cleaning products and solvents, vapours and fumes, carbon
monoxide or other gases, gasoline or other flammable materials.

4. Biological hazards come from working with people, animals, or infectious plant material. For
example, blood or other bodily fluids, bacteria and viruses, insect bites, animal and bird droppings.

5. Electrical hazards arise because much of the equipment in the workplace runs on electricity, which,
if due precautions are not taken, can cause fire, electric shock or electrocution.

Types of health and safety hazards at a workplace


Every workplace has hazards. A workplace hazard is anything that has the potential to cause harm to
a person. Hazards can take the form of items, such as high-risk machinery, or of situations: working
at heights or on a slippery floor, for example, is a workplace hazard. Hazards in the workplace should be
identified and the risk of the hazard causing an injury should be assessed. Reducing the risk of the
hazard causing injury is an important step towards maintaining workplace safety.
Occupational hazards can be broadly classified into the following two types:
 Safety hazards that cause accidents that physically injure workers. For example, many tall
buildings with glass windows require cleaners to hang from the rooftop to clean the
glass. If the rope snaps, or if there is some other mistake, it can be fatal for the cleaner.
 Health hazards that result in the development of some disease. For example:
Though the Bhopal gas tragedy took place over 30 years ago, the city is still experiencing the effects
of the gas leak. Around 3700 people died almost immediately following the incident in December
1984. The immediate causes of death were choking, circulatory collapse and pulmonary oedema
(filling up of fluid in the lungs). Post mortem reports further revealed that people died not only of
suffocation but also because the toxins had caused swelling in the brain, leading to disorientation and
finally death due to collapse of the nervous system. Other conditions included degeneration of the
liver and kidneys and rotting of the intestines. The stillbirth rate was 300% and neonatal mortality
(death as an infant) was about 200% right after the tragedy.
Years later, the effects of the gas leak are still seen. In the year 2002 a report published by the Fact-
Finding Mission on Bhopal found a number of toxins, including mercury, lead, trichlorobenzene,
dichloromethane and chloroform, in the breast milk of nursing mothers. In 2004 a BBC Radio 5 broadcast
reported that the area where UCIL had set up the plant was still contaminated with toxic chemicals
including benzene hexachloride and mercury, which were stored in open containers and in some
cases spilled into the ground. In 2009 the same body also took samples from a commonly used hand
pump situated north of the plant and found that the water contained 1000 times the World Health
Organisation’s recommended maximum amount of carbon tetrachloride, a known carcinogen.

Government agencies in the areas of health, safety and security


Various government agencies are involved in the area of health, safety and security. For example,
the Ministry of Labour and Employment, Government of India, has defined the National Policy on
Safety, Health and Environment at Workplace, and the Bureau of Indian Standards sets up various
committees for the same. Also, international organisations like the WHO and ILO set the benchmarks
for organisations across the globe to follow.

List some implications of not paying adequate attention to health and safety at work.

Discuss in groups and understand, summarize and articulate the hazards w.r.t. health, safety and
security. Prepare a report.

NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

UNIT II
Security Analyst’s role

This Unit covers:

 Lesson Plan
 Lesson
2.1. Security Analyst’s Role
 Summary
 Check Your Understanding

LESSON PLAN

Outcomes:
To be competent, you must be able to:
PC1. comply with your organization’s current health, safety and security policies and procedures
PC2. report any identified breaches in health, safety, and security policies and procedures to the
designated person
PC3. identify and correct any hazards that you can deal with safely, competently and within the
limits of your authority
PC4. report any hazards that you are not allowed to deal with to the relevant person in line with
organizational procedures and warn other people who may be affected
PC5. follow your organization’s emergency procedures promptly, calmly, and efficiently
PC6. identify and recommend opportunities for improving health, safety, and security to the
designated person
PC7. complete any health and safety records legibly and accurately
Performance Ensuring Measures:
During the course of the training, the faculty can keep a record of all instances where a learner
violated any health and safety norm. The record can remain public so everyone knows how they
are faring.
Work Environment / Lab Requirement:
Standard Environment plus Excel and Word on computers and access to sources for data to be
collected.

Outcomes:
You need to know and understand:
KA1. legislative requirements and organization’s procedures for health, safety and security and your
role and responsibilities in relation to this
KA3. how and when to report hazards
KA4. the limits of your responsibility for dealing with hazards
Performance Ensuring Measures:
QA session and a descriptive write-up on understanding. Group presentation and peer evaluation
along with Faculty. Performance evaluation from Faculty and Industry with reward points. Online
exam and reward points based on reviews from the forums.
Work Environment / Lab Requirement:
Standard Environment PLUS access to online forums, blogs etc.

2.1. Security Analyst’s Role

Understanding ‘Safety’
An accident is an unplanned and undesired occurrence, which may or may not result in injury or damage
to self, others and/or property. The main causes of accidents are:
 Unsafe actions: 80%
 Unsafe conditions: 18%
 Natural calamities: 2%
Thus lack of awareness about safety is the main cause of accidents.
Safety is freedom from accidents, injury or damage; it is a pro-active means to give protection from
known dangers. A safe workplace is free of risks and hazards.
Hazards are the potential to cause harm (accidents, injury or damage) e.g.
 Naked wires
 Heavy equipment and machines
 Heat being generated in the computers, Servers, etc.
 Sharp edges on furniture
Risks are the likelihood of harm (accidents, injury or damage) e.g.
 Plugging equipment with naked wires
 Lifting heavy equipment in a wrong posture
 Working in a non-temperature regulated environment with Technology that heats up
 Using duplicate parts in IT equipment that could pose a safety threat

Common Safety Hazards


Some safety and health related hazards and how they can be controlled are as follows:
Surfaces/Places related Hazards & Risks:
 Dirty, dusty and littered areas can lead to infections as well as accidents from slipping,
tripping, etc.
 Wet/oily/soapy surfaces can lead to accidents by slipping or falling and breaking of
glassware.
 Working with wooden tables that have nails protruding on the surface.
How to Control?
 Keep the work area neat and tidy
 Wet areas should be mopped and kept dry
 Handling glassware properly
 Precautions should be taken while dealing with surfaces with sharp or pointed edges or
object protruding

Equipment/items related Hazards & Risk:


 Certain equipment used in the workplace, like staplers, heavy laptops and computers, can cause
physical hurt if not used carefully.
How to Control?
 Never use a tool to do a job for which it was not designed
 Handling the equipment properly as required
Materials & Chemical Hazards & Risks:
 Cleaning chemicals used by housekeeping, kept in the washroom and housekeeping cabinets
 Solutions for cleaning IT equipment
 Pest control sprays, etc.
How to Control?
 While using hazardous materials and chemicals, ensure the following:
 Wear gloves and avoid letting the chemical come into contact with the skin
 Keep the chemical away from the eyes and nose
 Never mix chemicals unless specifically advised to by the product manufacturer
 Do not ingest any chemical; if someone swallows a chemical by mistake, see a doctor
immediately
 Identify the common warning signs associated with different types of hazardous materials

[Figure: warning signs for Biohazard and Radiation hazard]

Physical Hazards & Risks:


 Any obstruction at the entry/exits/blind turns could be dangerous in a time of emergency
when people have to run in or out.
 Overstocked cupboards or shelves can be hazards as they can topple over anytime.
 Work may require lifting or moving heavy objects, which if not done properly can cause injury
or aches.

How to control?
 Entry/exits/blind turns should be clear of obstructions/faults at all times.
 Cupboards and shelves should be neatly arranged, preferably supported by the wall or fixed
on the floor.
 Warning signs should be placed if a physical hazard cannot be removed.
 Always try to use a machine or tool if a heavy object has to be lifted.
 If that is not possible, try to split the load and lift it in more than one turn, or take help
from a colleague.
 If one has to lift a heavy object manually, follow the right lifting practices while lifting or moving
it.

LIFTING HEAVY OBJECTS

 Stand the object upright.


 Position feet shoulder-width apart, close to the object.
 Approach the load upfront and facing the direction in which it has to be taken.
 Bend at the knees.
 Place hands under the load and pull the load close to the body.
 Lift the load such that the thigh muscles are doing most of the work, and not the back.
 Slowly lift by straightening knees.
 Lower the load also by bending the knees.
 While releasing the load take care that the fingers are not trapped under it.

WARNING SIGNS

[Figure: warning signs shown are Danger – General, Danger – Watch your step and Danger – Under construction]

Electrical Risks:
Electricity is an amazing thing when used properly, but it can very easily hurt, harm and even fatally
injure a person who comes into contact with it. Whenever one works with power tools or electrical
circuits there is a risk of electrical hazards, especially electrical shock.
One must pay special attention to electrical hazards when working with electrical supplies and
circuits. Coming into contact with an electrical voltage can cause current to flow through the body,
resulting in electrical shock, burns or serious injury. Even death may occur.
Electric Shock: An electrical shock is received when electrical current passes through the body. One
gets an electrical shock by:
• touching a live wire and an electrical earth, or
• touching a live wire and another wire at a different voltage.
Electricity travels in closed circuits, and its normal route is through a conductor. Electric shock occurs
when the body becomes part of a circuit and works like a conductor. Earthing is a physical connection
to the earth, which is at zero volts.
Freeing a victim from electrocution
 The first person to reach a shocked worker should cut off the current if this can be done
quickly.
 If this is not possible, the victim should be removed from contact with the charged equipment,
either by pulling the equipment/wire away from the victim or by pulling the victim away from it.
 Bare hands should not be used; use a dry board, dry rope, leather belt, coat, overalls or some
other non-conductor.
 Be sure to stand on a non-conducting surface when pulling – dry rubber slippers, dry wooden
board, etc.
Accident prevention is said to be everybody’s job. The security analyst can at least do the following:
 observing all unsafe conditions and warning people of potential hazards,
 reporting any violations of safety rules and
 setting a good example by his or her own behaviour
Far too many accidents happen due to unsafe conditions that were not noted, reported, or corrected.
After finding an unsafe condition, the security analyst must either correct the condition or report it to
someone who can make the correction.

Safety is purely a matter of common sense. Corrective action should be taken when possible, or the
proper authority called to handle the situation. It is important both to guests and to the people being
protected from injuries caused by careless safety practice.

Role of a Security Analyst in maintaining health and safety at work


The role and responsibilities of an Information Security Analyst related to maintaining a healthy, safe
and secure working environment would be defined in the organisation’s policy on the same. Thus, he
would have to ensure that he follows those rules. For example, if the company policy states that all IT
equipment more than two years old should go for annual maintenance, then it would be the
Information Security Analyst’s responsibility to ensure the same.

 Obtain the organization’s current health, safety and security policies and procedures
and list the key items that you would have to follow.

_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

 Conduct a field study of the training institute and make a report of:
1. the items that are being followed and those that are being violated.

2. areas that could be potential health and safety hazards

3. recommendations for improving health, safety, and security

 Present findings in the class

How to identify job hazards


The following are the major steps to identifying and analysing job hazards:

Step 1- Decide whether a job is to be analysed, based on the following criteria:


 Incident frequency and severity- Jobs where incidents occur frequently, or where they occur
infrequently but result in disabling injuries.

 Potential for severe injuries or illness- The consequences of the incident, hazardous
conditions, or exposure to harmful substances are potentially severe.

 Newly established jobs- Due to lack of experience in these jobs, hazards may not be evident
or anticipated.

 Modified jobs- New hazards may be associated with changes in job procedures.

 Infrequently performed jobs- Employees may be at greater risk when undertaking non-
routine jobs, and an analysis provides a means of reviewing hazards.

Step 2- Break the job down into a sequence of steps. Ensure that each step is not too specific, or too
general. Steps should be kept in the correct sequence. Document using the company template. Make
notes on what is done, rather than how it is done.

Step 3- Identify the potential hazards. Based on observations of the job, knowledge of incident and
injury causes, and personal experience, list the things that could go wrong at each step. The following
is a list of questions that may be used to help identify potential hazards:

 Can any body part get caught in or between objects?

 Do tools, machines, or equipment present any hazards?

 Can the worker make harmful contact with moving objects?

 Can the worker slip, trip, or fall?

 Can the worker suffer strain from lifting, pushing, or pulling?

 Is the worker exposed to extreme heat, or cold?

 Is excessive noise, or vibration a problem?

 Is there a danger from falling objects?

 Is lighting a problem?

 Can weather conditions affect safety?

 Is harmful radiation a possibility?

 Can contact be made with hot, toxic, or caustic substances?

 Are there dusts, fumes, mists, or vapours in the air?

Step 4- Hazard Mitigation- Upon completion of the first three steps of the job hazard analysis,
determine the appropriate controls to overcome the hazards. You can remind the students that these
steps have already been discussed earlier in this chapter: elimination, substitution, isolation,
engineering controls, administrative controls, and personal protective clothing and equipment.

Responsibilities w.r.t Health and Safety at Work

 From the websites of various organizations, understand the policies and guidelines for
health, safety and security.
 Define the roles and responsibilities related to this in an employee context (Research &
report).

 Complies with his organisation’s current health, safety and security policies and procedures.
 Reports any identified breaches in health, safety and security policies and procedures to the
designated person.
 Identifies and corrects any hazards that he can deal with safely, competently and within the limits
of his authority.
 Reports any hazards that he is not competent to deal with to the relevant people in line with
organisational procedures.
o Warns others who may be affected.
 Follows the emergency procedures promptly, calmly and efficiently.
 Identifies and recommends opportunities for improving health, safety and security to the
designated person.
 Completes any health and safety records legibly and accurately.
 Coordinates with the appropriate people for his information needs.
 Is reliable; gets information from reliable sources.
 Communicates with colleagues clearly, concisely and accurately.
 Integrates his work effectively with others.
 Shares essential information on time.
 Takes help from the appropriate people when there are any problems with the information.
 Follows the company rules while analysing data.
 Keeps track of the needs of the organisation.
 Honours his commitments.
o If for some reason he is unable to carry out his promises, he informs in advance and
suggests alternatives.
 Maintains good relationships with colleagues.
o Sorts out problems with them, if any.
o Shows respect for others.
 Follows the policies, procedures and culture of the organisation.
 Keeps abreast of technological developments.
 Takes care of quality issues.
o Maintains the data in the required formats
o Keeps data up-to-date
o Provides accurate information
o Provides complete information


 Takes a logical and practical approach to problems, keeping the constraints of the organisation in
mind.
 Gives importance to the needs of the colleagues and responds to their feedback.

How and when to report hazards


After developing the ability to identify hazards, the Information Security Analyst should report them
to his line manager, or the person assigned the responsibility in the company policy. This should be
done immediately without any delay.

Work in groups and fill in the following table based on what you have learnt so far.

Tasks | Sub Tasks | Performance Evaluation Criteria

UNIT III
Emergency Situations

This Unit covers:

 Lesson Plan
 Lesson
3.1. Emergency Situations
 Summary
 Check your Understanding

LESSON PLAN

Outcomes | Performance Ensuring Measures | Work Environment / Lab Requirement

Outcomes: You need to know and understand:
KA5. the organisation’s emergency procedures for different emergency situations and the importance of
following these
KB2. evacuation procedures for workers and visitors
Performance Ensuring Measures: QA session and a descriptive write-up on understanding.
Work Environment / Lab Requirement: Standard Environment PLUS access to online forums.

Outcomes: You need to know and understand:
KB3. how to summon medical assistance and the emergency services, where necessary
KB4. how to use the health, safety and accident reporting procedures and the importance of these
Performance Ensuring Measures: QA session and a descriptive write-up on understanding and reporting.
Group presentation and peer evaluation along with Faculty. Performance evaluation of the report by
Faculty with reward points.
Work Environment / Lab Requirement: Standard Environment PLUS access to online forums.

3.1. Emergency Situations

A workplace emergency is an unforeseen situation that threatens your employees, customers, or the
public; disrupts or shuts down your operations; or causes physical or environmental damage.
Emergencies may be natural, or man-made, and include the following:
 Floods
 Hurricanes
 Tornadoes
 Fires
 Toxic gas releases
 Chemical spills
 Radiological accidents
 Explosions
 Civil disturbances
 Workplace violence resulting in bodily harm and trauma

An organisation’s emergency procedures and their importance


The following are some guidelines for emergency procedures to be followed in case of any
emergency related to health, safety and security at the workplace:
 Consider what might happen and how the alarm will be raised. Don’t forget night and shift
working, weekends and times when the premises are closed like on holidays.
 Plan what to do, including how to call the emergency services. Help them by clearly marking your
premises from the road. Consider drawing up a simple plan showing the location of hazardous
items.
 If you have 25 tonnes or more of dangerous substances, you must notify the fire and rescue service
and put up warning signs.
 Decide where to go to reach a place of safety, or to get rescue equipment. You must provide
suitable forms of emergency lighting.
 You must make sure there are enough emergency exits for everyone to escape quickly, and keep
emergency doors and escape routes unobstructed and clearly marked.
 Nominate competent people to take control.
 Decide which other key people you need, such as a nominated incident controller, someone who
is able to provide technical and other site-specific information if necessary, or first-aiders.
 Plan essential actions such as emergency plant shutdown, isolation or making processes safe.
Clearly identify important items like shut-off valves and electrical isolators, etc.
 You must train everyone in emergency procedures. Don’t forget the needs of people with
disabilities and vulnerable workers.
 Work should not resume after an emergency if a serious danger remains. If you have any doubts
ask for assistance from the emergency services.

Constituents of an emergency action plan:

 A preferred method for reporting fires and other emergencies.
 An evacuation policy and procedure.
 Emergency escape procedures and route assignments, such as floor plans, workplace maps, and
safe or refuge areas.
 Names, titles, departments, and telephone numbers of individuals both within and outside your
company to contact for additional information, or explanation of duties and responsibilities under
the emergency plan.
 Procedures for employees who remain to perform, or shut down critical plant operations, operate
fire extinguishers, or perform other essential services that cannot be shut down for every
emergency alarm before evacuating.
 Rescue and medical duties for any workers designated to perform them.
 A designated assembly location and procedures to account for all employees after an
evacuation.

Make an emergency plan using the above points.

How and when to report these


The Information Security Analyst should report any job hazards that he may come across to his line
manager, or the person assigned the responsibility in the company policy. This also means that he
should keep an eye for potential hazards and report them before they cause any harm.

Evacuation procedures for workers and visitors


 Define a clear chain of command and designate the person in your business who is authorised to
order an evacuation or shutdown. You may want to designate an ‘evacuation warden’ to assist
others in an evacuation and to account for personnel.
 Specific evacuation procedures, including routes and exits should be defined. Post these
procedures where they are easily accessible to all employees.
 Procedures for assisting people with disabilities, or who do not speak the commonly used
language, should be clearly defined.
 Designate which employees, if any, will continue or shut down critical operations during an
evacuation. These people must be capable of recognising when to abandon the operation and
evacuate themselves.
 A system for accounting for personnel following an evacuation. Employees’ transportation needs
for community-wide evacuations should also be considered.

How to summon medical assistance and emergency services


Here again, the organisation’s policies and procedures need to be kept in mind. Usually, organisations
have an in-house first-aid kit, or medical team to assist in medical emergency situations. Employees
can follow the emergency evacuation plan and take help from the designated personnel. The following
are some emergency numbers that can be used in India:

Service | Telephone
Ambulance | 102
Emergency response service for medical, police and fire emergencies (available in Andhra Pradesh,
Gujarat, Uttarakhand, Goa, Tamil Nadu, Rajasthan, Karnataka, Assam, Meghalaya, Madhya Pradesh
and Uttar Pradesh) | 108
Local police | 100
Fire service | 101

How to use health, safety and accident reporting procedures and their
importance
The Information Security Analyst should be well conversant with the organisation’s policy and
emergency reporting procedures. Not only should he keep an eye out for potential hazards, he should
also report them to the line manager, or any other person designated for the same. If he fails to do so,
serious accidents can happen that harm the employees and the company as a whole.

NOTES:
__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

__________________________________________________________________________________

UNIT IV
Skills for maintaining Health and
Safety at Work

This Unit covers:

 Lesson Plan
 Lesson
3.1. Skills for maintaining Health and Safety at Work
 Summary
 Check your Understanding

LESSON PLAN

Outcomes | Performance Ensuring Measures | Work Environment / Lab Requirement

Outcomes: Writing Skills – SA1. complete accurate, well written work with attention to detail
Performance Ensuring Measures: SA1. Online assessment. Quiz, document review by peer group and
Faculty.
Work Environment / Lab Requirement: Standard Environment.

Outcomes: Reading Skills – SA2. read instructions, guidelines/procedures
Performance Ensuring Measures: SA2. Quiz, document review by peer group and Faculty.
Work Environment / Lab Requirement: Standard Environment.

Outcomes: Oral Communication (Listening and Speaking skills) – SA3. listen effectively and orally
communicate information accurately
Performance Ensuring Measures: SA3. Online assessment. Versant/SVAR strongly recommended.
Work Environment / Lab Requirement: Standard Environment.

Outcomes: Decision Making – SB1. make a decision on a suitable course of action or response
Performance Ensuring Measures: SB1. Document review by peer group and Faculty.
Work Environment / Lab Requirement: Standard Environment PLUS MS-Projects.

Outcomes: Plan and Organize – SB2. plan and organize your work to achieve targets and deadlines
Performance Ensuring Measures: SB2. Document review by peer group and Faculty. Daily/weekly
SCRUM.
Work Environment / Lab Requirement: Standard Environment PLUS MS-Projects.

Outcomes: Customer Centricity – SB3. build and maintain positive and effective relationships with
colleagues and customers
Performance Ensuring Measures: SB3. Group and Faculty evaluation of anticipated outcomes based on
performance in the simulated environment. Reward points to be allocated to groups.
Work Environment / Lab Requirement: Standard Environment. Recommended to invite industry experts
like Business Analysts/Delivery Heads for a face-to-face interaction.

Outcomes: Problem Solving – SB4. apply problem solving approaches in different situations
Performance Ensuring Measures: SB4. Group and Faculty evaluation based on anticipated outcomes.
Evaluate approach template and reward points.
Work Environment / Lab Requirement: Standard Environment PLUS various publicly available case
studies (www.kaggle.com, www.coursera.org, www.udacity.com, www.edx.org).

Outcomes: Analytical Thinking – SB5. analyse data and activities
Performance Ensuring Measures: SB5. Assessment based on a use case. Document submitted and
reviewed by group/faculty.
Work Environment / Lab Requirement: Standard Environment PLUS various publicly available case
studies.

Outcomes: Critical Thinking – SB6. apply balanced judgements to different situations
Performance Ensuring Measures: SB6. Assessment based on a use case. Document submitted and
reviewed by group/faculty. Validate real-time opinions given by the students. Evaluate the approach of
students/groups towards the given case study.
Work Environment / Lab Requirement: Suggested online tools: WebEx, GotoMeetings, Lensoo,
AnyMeetings, OpenMeetings.

Outcomes: Attention to Detail – SB7. check your work is complete and free from errors; SB8. get your
work checked by peers
Performance Ensuring Measures: SB7, SB8. Assessment based on QA standards. Document submitted
and reviewed by group/faculty on QA standards.
Work Environment / Lab Requirement: Standard Environment PLUS seminars, workshops, panel
discussions etc.

Outcomes: Team Working – SB9. work effectively in a team environment
Performance Ensuring Measures: SB9. Group and Faculty evaluation based on anticipated outcomes
from a group.
Work Environment / Lab Requirement: Standard Environment PLUS access to online forums.

Outcomes: Technical Skills – SC1. identify and refer anomalies; SC2. help reach agreements with
colleagues; SC3. keep up to date with changes, procedures and practices in your role
Performance Ensuring Measures: SC1 to SC3. Online assessment. Task based assessment. Document
comparison reports. Task schedulers.
Work Environment / Lab Requirement: Standard Environment PLUS various publicly available data sets
(www.data.gov.in).

3.1. Skills for maintaining Health and Safety at Work

A skill is the ability to use information, or knowledge acquired through education, or experience, to
accomplish a given task.

Types of skills
 Technical Skills- The ability to do a specific type of activity or work.
 Human Skills- The ability to work with people.
 Conceptual Skills- The ability to work with ideas, or concepts.
 Generic Skills- Skills that are common to most white-collar jobs, like reading, writing, listening
and speaking.
 Professional Skills- These skills make a person more employable by giving the person the ability to
make logical decisions and the ability to solve problems judiciously. Some examples of professional
skills are decision making, planning and organising, customer centricity, problem solving, critical
thinking, attention to detail, and team work.

Skills required to maintain a safe and healthy work environment


Security Analysts need to be good at the following skill-sets to be able to maintain a healthy, safe and
secure working environment.

Core/ Generic Skills- As an Information Security Analyst, you should be able to communicate well
with colleagues, in writing. You should be able to write accurately with attention to detail. For
example, making plans for the department for upgrading the safety and security systems requires
writing skills. You should also be able to read instructions, guidelines, procedures and service level
agreements laid down by your organisation. For example, each organisation has certain guidelines for
maintaining a healthy and safe environment. As an Information Security Analyst, you should be aware
of those. Only then can you install the appropriate systems. Other than reading and writing, an
Information Security Analyst should also have oral skills like listening and speaking. For example, when
talking to your line manager, you need to listen to the instructions carefully. If at any stage, you do
not understand the instructions, you should be able to speak well and ask for clarifications.

Professional Skills- During the course of any career, one needs to be adept at professional skills like
problem solving, critical thinking, logical reasoning, etc. This is equally true for an Information Security
Analyst.

 Decision Making- Many times, as an Information Security Analyst, you would need to take
decisions, and you should have the skills to be able to take the appropriate decisions. Also, you
should follow the company rules for the same. For example, what safety systems to install? How
to test them?

 Planning and Organising- These are basic skill sets of any role. To be able to accomplish any task,
one needs to first plan and then organise the sub-tasks. For example, making a Project Plan for
upgrading the safety and security systems.

 Customer Centricity- As explained in the earlier chapter as well, here too you, the Instructor, will
have to explain that here the term, ‘customer’ refers to internal customers, i.e., colleagues. You
can tell the students that as an Information Analyst, they will need to work with colleagues from
across the organisation, as has been explained in the chapter on how to work effectively with
colleagues. When designing and installing the security systems, they will have to make sure that
they meet the requirements of their colleagues. In other words, their needs have to be considered
paramount. Not only should you strive to meet customer requirements, you should try and exceed
them.

 Problem Solving- You can tell the students that they would have to face many challenges as an
Information Security Analyst. They will have to develop problem solving skills to be able to handle
them. For example, if you have developed a system that mandates all employees to not use the
emergency evacuation doors under normal circumstances, and if you notice certain anomalies, it
would be your responsibility to bring this to the notice of your line manager.

 Analytical Thinking- Another skill-set that is associated with an Information Security Analyst is that
he will need to have an analytical bent of mind. He will have to analyse data across the
organisation and also monitor the activities of all, before coming up with a security plan. He will
have to ensure that the relevant information reaches the concerned people on time.

 Critical Thinking- This skill may be required by an Information Security Analyst time and again as
he may have to apply his judgments in a balanced manner in various situations. For example, he
may suggest a particular networking system that requires the least maintenance and has a very low
chance of fire-related shocks, but the senior management may not agree due to it being too
expensive. Thus, he may have to apply his judgement to come up with a plan that keeps the
budgetary constraints in mind while not compromising on the safety.

 Attention to Detail- Quality is a key criterion for any job and that of an Information Security Analyst
is no different. One aspect of it is to pay attention to detail. For example, emergency evacuation
route of an organisation may be different for the senior management as compared to that of the
others. The Information Security Analyst would need to be aware of this while designing his
policies. Also, he needs to ensure that his plan is error-free and complete. He can also take help
from his colleagues, if required.

 Team Work- No job can be completed without interacting with others, within and outside the
organisation. Thus the ability to be able to work with others as a team is a key requirement. For
example, to be able to test his data backup systems, an Information Security Analyst would need
to coordinate with members of other teams. Hence, being able to work effectively in a team
environment is a must-have skill-set.

Technical Skills- Just like technical knowledge, technical skills too are equally important for any
Information Security Analyst to perform his job. For example, the ability to use information technology
efficiently; being able to input and extract safety data accurately; being able to validate and update
safety data; being able to identify and refer anomalies in safety data; being up to date with changes,
procedures and practices in your role; being able to reach agreements with colleagues; etc.

Performance evaluation criteria for an Information Security Analyst


By now the students should be comfortably placed to understand the nature of the job of an
Information Security Analyst and what would help them perform this role well. You can now move on
to the last section of the lesson which talks about the criteria that would be used to evaluate the
performance of an Information Security Analyst vis-a-vis his ability to maintain a healthy, safe and
secure working environment.

 Complies with his organisation’s current health, safety and security policies and procedures.

 Reports any identified breaches in health, safety and security policies and procedures to the
designated person.

 Identifies and corrects any hazards that he can deal with safely, competently and within the limits
of his authority.

 Reports any hazards that he is not competent to deal with to the relevant people in line with
organisational procedures.
o Warns others who may be affected.

 Follows the emergency procedures promptly, calmly and efficiently.

 Identifies and recommends opportunities for improving health, safety and security to the
designated person.

 Completes any health and safety records legibly and accurately.

 Coordinates with the appropriate people for his information needs.

 Is reliable; gets information from reliable sources.

 Communicates with colleagues clearly, concisely and accurately.

 Integrates his work effectively with others.

 Shares essential information on time.

 Takes help from the appropriate people when there are any problems with the information.

 Follows the company rules while analysing data.

 Keeps track of the needs of the organisation.

 Honours his commitments.
o If for some reason he is unable to carry out his promises, he informs in advance and suggests
alternatives.

 Maintains good relationships with colleagues.
o Sorts out problems with them, if any.
o Shows respect for others.

 Follows the policies, procedures and culture of the organisation.

 Keeps abreast of technological developments.

 Takes care of quality issues.
o Maintains the data in the required formats
o Keeps data up-to-date
o Provides accurate information
o Provides complete information

 Takes a logical and practical approach to problems, keeping the constraints of the organisation in
mind.

 Gives importance to the needs of the colleagues and responds to their feedback.

Practical Activities for Self-Study


1. Documentation preparation - follow the approach document. Prepare a technical document on:
 Health and Safety Hazards at the workplace
2. Learning and understanding various guidelines, procedures, rules and SLA available publicly in
open data camps.
3. Learn concepts of SOW, Plan, do, check, act (PDCA), Work Breakdown Structure (WBS) and
Decision trees. Brain storming.
4. Learn about Agile and SCRUM methodologies.
5. Understanding the scope and defining the objectives. Identifying deviations from the expectations
and solutions to mitigate the deviations. Prepare a document on the same.
6. Discuss with peers, groups, faculties and SME/industry SPOCs. Prepare a document to build a safe
& secure platform in an Analytics way.
7. Use online meeting tools to share the opinions in real-time.
8. Define roles and responsibilities amongst the groups.

SUMMARY
 Maintaining Health and safety at work is import because:
 Moral case - Ensuring safety and well-being of workers, and providing an environment
that causes no harm to mental, or physical health, is a moral obligation of organisations.
 Ethical case - Exposing employees to toxic chemicals and other risk factors is unethical.
Hence, providing healthy, safe and secure working environment becomes an ethical
obligation of organisations.
 Legal case - There are many laws in our country that mandate organisations to have a
healthy, safe and secure working environment.
 Safety is freedom from accidents, injury or damage; it is a pro-active means to give protection
from known dangers. A safe workplace is free of risks and hazards.
 Hazards are the potential to cause harm (accidents, injury or damage) e.g.
 Risks are the likelihood of harm (accidents, injury or damage) e.g.
 Some safety and health related hazards are as follows:
 Surfaces/Places related Hazards & Risks:
 Equipment/items related Hazards & Risk:
 Materials & Chemical Hazards & Risks:
 Physical Hazards & Risks:
 Electrical Risks:
 The first person to reach a shocked worker should cut off the current if this can be done
quickly.
 If this is not possible, the victim should be removed from contact with the charged
equipment.
 Far too many accidents happen due to unsafe conditions that were not noted, reported, or
corrected. After finding an unsafe condition, one must either correct the condition or report it
to someone who can make the correction.
 The roles and responsibilities of an Information Security Analyst related to maintaining a healthy, safe and secure working environment would be defined in the organisation’s policy on the same. Thus, he would have to ensure that he follows the rules.
 An Information Security Analyst, with regard to his ability to maintain a healthy, safe and secure working environment, should:
 Comply with his organisation’s current health, safety and security policies and procedures.
 Report any identified breaches in health, safety and security policies and procedures to the designated person.
 Identify and correct any hazards that he can deal with safely, competently and within the limits of his authority.
 Report any hazards that he is not competent to deal with to the relevant people in line with organisational procedures.
 Follow the emergency procedures promptly, calmly and efficiently.
 Identify and recommend opportunities for improving health, safety and security to the designated person.
 Complete any health and safety records legibly and accurately.
 Coordinate with the appropriate people for his information needs.


Check Your Understanding


1. Define a hazard. State the different types of health and safety hazards that can be found in the
workplace


2. State 5 actions that are your responsibility for dealing with hazards


3. State 5 actions that are not within the limits of your responsibility for dealing with hazards



4. State the evacuation procedures for workers and visitors


Student Handbook – SSC/ Q09004 – Security Analyst

SSC/ N 9004:
Provide data/information in standard formats

UNIT I: Information and Knowledge Management

UNIT II: How to manage data/ information effectively

UNIT III: Skills required to manage data and information effectively

UNIT IV: Performance Evaluation Criteria for an Information Security Analyst


Unit Code SSC/ N 9004

Unit Title (Task) Provide data/information in standard formats

Description This unit is about providing specified data/information related to your work in
templates or other standard formats.
Scope This unit/task covers the following:

Appropriate people:
 line manager
 members of your own work group
 people in other work groups in your organization
 subject matter experts
Data/information:
 quantitative
 qualitative
Sources:
 within your organization
 outside your organization
Formats:
 paper-based
 electronic
Performance Criteria (PC) w.r.t. the Scope

The user / individual on the job should be able to:


PC1. establish and agree with appropriate people the data/information you
need to provide, the formats in which you need to provide it, and when
you need to provide it
PC2. obtain the data/information from reliable sources
PC3. check that the data/information is accurate, complete and up-to-date
PC4. obtain advice or guidance from appropriate people where there are
problems with the data/information
PC5. carry out rule-based analysis of the data/information, if required
PC6. insert the data/information into the agreed formats
PC7. check the accuracy of your work, involving colleagues where required
PC8. report any unresolved anomalies in the data/information to appropriate
people
PC9. provide complete, accurate and up-to-date data/information to the
appropriate people in the required formats on time

Knowledge and Understanding (K)


A. Organizational Context (Knowledge of the company / organization and its processes)
The user/individual on the job needs to know and understand:
KA1. The organization’s procedures and guidelines for providing data/information in standard formats and your role and responsibilities in relation to this
KA2. The knowledge management culture of the organization
KA3. Your organization’s policies and procedures for recording and sharing information and the importance of complying with these.
KA4. The importance of validating data/information before use and how to do this
KA5. Procedures for updating data in appropriate formats and with proper validation
KA6. The purpose of the CRM database
KA7. How to use the CRM database to record and extract information
KA8. The importance of having your data/information reviewed by others
KA9. The scope of any data/information requirements including the level of detail required
KA10. The importance of keeping within the scope of work and adhering to timescales
B. Technical Knowledge
The user/individual on the job needs to know and understand:
KB1. data/information you may need to provide including the sources and how to do this
KB2. templates and formats used for data and information including their purpose and how to use these
KB3. different techniques used to obtain data/information and how to apply these
KB4. how to carry out rule-based analysis on the data/information
KB5. typical anomalies that may occur in data/information
KB6. who to go to in the event of inaccurate data/information and how to report this


THE UNITS

The module for this NOS is divided into 4 Units based on the learning objectives as given below.

UNIT I: Information and Knowledge Management

UNIT II: How to manage data/ information effectively

UNIT III: Skills required to manage data and information effectively

UNIT IV: Performance Evaluation Criteria for an Information Security Analyst


UNIT I
Information and Knowledge Management

This Unit covers:

 Lesson 1.1. Information and Knowledge Management
 Summary
 Check your understanding


1.1. Information and Knowledge Management

What is data?
Data is unprocessed facts or figures without any added interpretation or analysis. For example,
Asha’s salary is Rs. 10,000 per month.

What is information?
Information is data that has been interpreted or analysed so as to give it some meaning. For example,
Asha’s salary is Rs. 10,000, which is 10% less than her peers’.

What is knowledge?
Knowledge is the combination of information, experience and insight that is useful for deciding a
course of action. For example, if Asha develops her writing skills, her salary can reach par with her
peers’.

Knowledge required for the job of Information Security Analyst

Enlist the kind of data, or information that an Information Security Analyst is likely to deal with.


A. Knowledge of the Organisation


To be able to work in any organisation, an employee, irrespective of the role they have been assigned,
needs to know about the organisation they are working with. This includes knowledge about the
company’s policies, procedures, structure and culture, your role and responsibilities, an overview of other
departments, the information needs of other departments, key contact points, etc.
B. Technical Knowledge
Technical knowledge helps a person understand a field of work. This section would be the easiest to
explain to the students, as it would be obvious to them that to perform any task they would need the
technical know-how for the same. If the Information Security Analyst does not know what a gateway
is, what a multiplexer is, what a hub is, or how they function, how can one be expected to
install them?

Knowledge Management
Knowledge management is the systematic management of an organisation’s knowledge assets for the
purpose of creating value, and meeting tactical and strategic requirements.
What kind of data, or information is required by an Information Security Analyst?
An Information Security Analyst usually has to deal with the following type of data and information,
to perform their job effectively:
 Information about the current security systems, if any.
 Computer hardware and software specifications
 Information about the networking systems
 Information about the latest security systems available in the market
 Feedback of the users
 Problems faced by the users

What type of people is an Information Security Analyst likely to interact with to manage data
effectively? The people can be categorised into the following categories:

 Line manager
 Members of your own workgroup
 People of other workgroups
 Subject matter experts


UNIT II
How to manage data/ information effectively

This Unit covers:

 Lesson Plan
 Lesson 2.1. How to Manage Data/Information Effectively
 Summary
 Check your understanding


LESSON PLAN

Outcomes: PC1 to PC9
The user/individual on the job should be able to:
PC1. establish and agree with appropriate people the data/information you need to provide, the formats in which you need to provide it, and when you need to provide it
PC2. obtain the data/information from reliable sources
PC3. check that the data/information is accurate, complete and up-to-date
PC4. obtain advice or guidance from appropriate people where there are problems with the data/information
PC5. carry out rule-based analysis of the data/information, if required
PC6. insert the data/information into the agreed formats
PC7. check the accuracy of your work, involving colleagues where required
PC8. report any unresolved anomalies in the data/information to appropriate people
PC9. provide complete, accurate and up-to-date data/information to the appropriate people in the required formats on time
Performance Ensuring Measures: Provide written instructions to the participants for collating data relevant to any of the sessions. Prepare an assessment sheet for each individual to check if the individual demonstrated all the performance criteria mentioned.
Work Environment / Lab Requirement: Standard Environment plus Excel and Word on computers and access to sources for data to be collected.

Outcomes: KA1 to KA10
You need to know and understand:
KA1. The organization’s procedures and guidelines for providing data/information in standard formats and your role and responsibilities in relation to this
KA2. The knowledge management culture of the organization
KA3. Your organization’s policies and procedures for recording and sharing information and the importance of complying with these.
KA4. The importance of validating data/information before use and how to do this
KA5. Procedures for updating data in appropriate formats and with proper validation
KA6. The purpose of the CRM database
KA7. How to use the CRM database to record and extract information
KA8. The importance of having your data/information reviewed by others
KA9. The scope of any data/information requirements including the level of detail required
KA10. The importance of keeping within the scope of work and adhering to timescales
Performance Ensuring Measures: QA session and a descriptive write-up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points. Online exam and reward points based on reviews from the forums.
Work Environment / Lab Requirement: Standard Environment PLUS access to online forums, blogs etc.

Outcomes: KB1 to KB6
You need to know and understand:
KB1. data/information you may need to provide including the sources and how to do this
KB2. templates and formats used for data and information including their purpose and how to use these
KB3. different techniques used to obtain data/information and how to apply these
KB4. how to carry out rule-based analysis on the data/information
KB5. typical anomalies that may occur in data/information
KB6. who to go to in the event of inaccurate data/information and how to report this
Performance Ensuring Measures: QA session and a descriptive write-up on understanding & reporting. Group presentation and peer evaluation along with Faculty. Performance evaluation of the report by Faculty with reward points.
Work Environment / Lab Requirement: Standard Environment PLUS access to online forums.


2.1. How to Manage Data/Information Effectively

What is a policy?
A policy is a statement of agreed intent that clearly sets out an organisation’s views with respect to a
particular matter.

What is a procedure?
A procedure/practice is a clear step-by-step method for implementing an organisation’s policy, or
responsibility.

Why does an Information Security Analyst need to understand the organisation’s policies and procedures?
 It gives a framework for actions to get on with their job.
 It helps understand the expectations out of him/her. In other words, it helps one understand
their role and responsibilities.
 It helps comply with the legal requirements.
 It helps understand the quality standards set out by the organisation.

Understanding the organisation’s policies for recording and sharing information
1. Going through various organisations’ websites and understanding the policies and
guidelines. Identify various standard templates and reporting formats in practice.
(Research)

2. Understand, summarise and articulate policies and procedures, and specify the
importance of complying with policies and procedures.

Not only does an Information Security Analyst need to understand the organisation’s policies and
procedures for the type of data and information that can be used, but also the procedures for how to
use them. Such policies clearly lay out the formats in which the data has to be stored, and when and where;
also, the way it has to be shared. For example, an organisation could have a policy to record all
system testing data in an online format that can be accessed by the senior management at any time.

Understanding the procedures for updating data in appropriate formats
Just like organisations have policies and procedures for using, storing and sharing data, they have
policies for updating data in the appropriate formats. For example, the Information Security Analyst
may get feedback in various forms, such as verbal, written, or through feedback forms, but the
organisation’s policy could state that all feedback should be kept up-to-date in a pre-specified format.


Understanding the knowledge management culture of your organisation
Each organisation has a culture of managing its data and information, which basically stems from its
policies, procedures and of course, its people, especially the senior management. For example, if your
line manager gives importance to maintaining data records in specific formats, you too would take it
seriously, and vice-versa.

Identifying the appropriate people to take advice from and to report to with
appropriate data/ information
The kind of data and information that an Information Security Analyst deals with is sensitive in nature,
so one needs to be aware of the company policy about whom one can share the data with, and whom
one can take advice from. For example, the R&D division of a company may not want to share the
details of its security systems with heads of other departments, so as an Information Security Analyst,
you will have to be careful about that.

Understanding the importance of validating information before use
As an Information Security Analyst, you will be inundated with lots of data and information. However,
you need to validate that data for correctness and usefulness before using it. This is especially true of
information accessed from the Internet. For example, one of your colleagues may have told you about
a security system that your competitor is using. Instead of copying that, you should validate that
information and study whether it suits your organisation’s needs, or not.

Understanding the importance of getting data/ information reviewed by others
An Information Security Analyst cannot be expected to validate all information by oneself, so one can
take help from colleagues. However, one has to be careful that one gets the data reviewed only by
authorized persons who have the domain knowledge.

What is CRM?

Evaluate an open source CRM database. Download public datasets and do a validation check.

Customer Relationship Management (CRM) is an approach to managing a company's interaction with
current and future customers. It often involves using technology to organize, automate, and
synchronize sales, marketing, customer service, and technical support.

What is a database?
A database is a collection of information that is organized so that it can easily be accessed, managed,
and updated. Microsoft Excel is an example of a very basic database.
An integral part of the job of an Information Security Analyst is to understand the CRM database of
an organisation to ensure that customer data is stored and accessed securely.

Understanding the scope of work and data requirements
An organisation has unlimited amounts of data. Therefore, an Information Security Analyst needs to
understand what the scope of work is. For example, the organisation policy may require all
departments to give data to the Information Security Analyst in a pre-determined format every month,
for system updates. If some department tries to give raw data to the Analyst to save its own workload,
he/she should be able to raise an objection. This also means that the Information Security Analyst should
give their data requirements to the departments in advance and explain the process for the same.

Understanding the data/ information that you may need to provide
As discussed earlier, the Information Security Analyst needs to be aware of the data and information
that comes under their purview. Time and again, one may need to share some data and information
with peers, or senior managers. The following are some examples of the same:
 Current security systems- The senior managers may want to check if their data is secure.
 Computer hardware and software specifications- This information may go to and fro between
various sub-departments of the IT department.
 Networking systems- This information may go to and fro between various sub-departments of the
IT department.
 Information about the latest security systems available in the market- The senior managers, or
your line manager may want to be apprised of this.
 Feedback of the users- The senior managers may want to review the current security systems and
their user friendliness.
 Problems faced by the users- The senior managers may want to understand the security systems
from the users’ perspective.

Understanding the templates/ formats
As an Information Security Analyst, you should have an understanding of the various templates and
formats that your organisation uses for data storage and sharing.
The following example lists what a data security policy template and its guidelines should cover, and
what an Information Security Analyst should therefore understand about them:

 To what types of data the policy applies.
 Who in the business is responsible for data protection.
 The main data risks faced by the company.
 Key precautions to keep data protected.
 How data should be stored and backed up.
 How the company ensures data is kept accurate.
 What to do if an individual asks to see your data.
 Under what circumstances the business discloses data, and to whom.
 How the company keeps individuals informed about the data it holds.

Understanding the techniques for obtaining data/ information
The Information Security Analyst should have knowledge about the various data access techniques
that are available in the market, and the company policy for the same. For example, some
organisations have front-end forms where the user can select some drop-downs and get the data that
they need.
You, the Instructor, can explain this with the help of the following example of a form to input and
access data.

Ensuring the quality of data
The Information Security Analyst should always ensure that the data and information provided by
him/her meets the quality standards set by the organisation. The following are some parameters to
be taken care of:
 Error-free
 Up-to-date
 In the specified format
 Easy to retrieve
 During retrieval, data shouldn’t get altered
 Complete
 Consistent
 Timely availability
 Valid
 Relevant
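The quality parameters listed above (complete, valid, in the specified format, up-to-date, consistent) can be checked by rule before data is inserted into the agreed template, and any record that fails is reported rather than silently dropped. The following Python script is an added example written for this handbook, not a tool from the organisation or the NOS; the asset-register fields, the AST-nnnn identifier convention, the 30-day freshness window and the sample rows are all assumed:

```python
"""Rule-based quality check of records before they are inserted into an agreed
format. Added example for this handbook; the asset register layout, field names,
identifier convention and sample rows below are assumptions, not an
organisation's real template."""
from datetime import date, timedelta
import ipaddress
import re

# Agreed format (assumed): every asset record must carry these fields.
REQUIRED_FIELDS = ("asset_id", "hostname", "ip", "owner", "last_updated")
ASSET_ID_PATTERN = re.compile(r"^AST-\d{4}$")   # assumed ID convention
MAX_AGE_DAYS = 30                                # "up-to-date" threshold (assumed)
REFERENCE_DATE = date(2015, 3, 15)               # "today" for the constructed sample


def parse_date(value):
    """Return a date for an ISO-8601 string, or None if it cannot be parsed."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def check_record(rec, today):
    """Apply the per-record quality rules and return a list of issue strings."""
    issues = []
    # Complete: every agreed field present and non-empty.
    for field in REQUIRED_FIELDS:
        if not rec.get(field):
            issues.append(f"missing {field}")
    # In the specified format: asset id follows the convention, IP parses.
    if rec.get("asset_id") and not ASSET_ID_PATTERN.match(rec["asset_id"]):
        issues.append("asset_id not in agreed format")
    if rec.get("ip"):
        try:
            ipaddress.ip_address(rec["ip"])
        except ValueError:
            issues.append("ip not a valid address")
    # Up-to-date: last_updated parses and falls within the freshness window.
    if rec.get("last_updated"):
        updated = parse_date(rec["last_updated"])
        if updated is None:
            issues.append("last_updated not a valid date")
        elif today - updated > timedelta(days=MAX_AGE_DAYS):
            issues.append("last_updated older than agreed window")
    return issues


def validate_records(records, today):
    """Split records into accepted rows and a per-row issue report.

    Consistency is checked across the whole set: the same asset_id or the same
    IP appearing twice is reported, so the anomaly can be referred to the
    appropriate person instead of being silently kept or dropped."""
    accepted, report = [], {}
    seen_ids, seen_ips = {}, {}
    for idx, rec in enumerate(records):
        issues = check_record(rec, today)
        aid, ip = rec.get("asset_id"), rec.get("ip")
        if aid:
            if aid in seen_ids:
                issues.append(f"duplicate asset_id (also row {seen_ids[aid]})")
            else:
                seen_ids[aid] = idx
        if ip:
            if ip in seen_ips:
                issues.append(f"ip also used by row {seen_ips[ip]}")
            else:
                seen_ips[ip] = idx
        if issues:
            report[idx] = issues
        else:
            accepted.append(rec)
    return accepted, report


# Constructed sample input: rows as they might arrive from other departments.
SAMPLE_RECORDS = [
    {"asset_id": "AST-0001", "hostname": "fs01", "ip": "10.1.2.3",
     "owner": "finance", "last_updated": "2015-03-10"},
    {"asset_id": "AST-0002", "hostname": "db01", "ip": "10.1.2.300",   # bad IP
     "owner": "it", "last_updated": "2015-03-01"},
    {"asset_id": "AST-0001", "hostname": "fs01-old", "ip": "10.1.2.4",  # duplicate ID
     "owner": "", "last_updated": "2014-11-30"},                        # no owner, stale
    {"asset_id": "A3", "hostname": "web01", "ip": "10.1.2.5",           # bad ID format
     "owner": "marketing", "last_updated": "10/03/2015"},               # bad date format
]


def run_sample():
    """Validate the constructed rows against the assumed reference date."""
    return validate_records(SAMPLE_RECORDS, REFERENCE_DATE)


if __name__ == "__main__":
    ok, problems = run_sample()
    print(f"{len(ok)} accepted, {len(problems)} rows with issues")
    for row, issues in problems.items():
        print(f"row {row}: {'; '.join(issues)}")
```

Only the first row is accepted; the other three are returned with a reason each (invalid address, missing owner plus stale date plus duplicate identifier, wrong identifier and date formats), which is the material an analyst hands back to the department that supplied the data.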

Understanding the process for data analysis
Data analysis refers to the process of manipulating data to get meaningful results. For example, the
Marketing Head may want to find out which customers contribute most to the bottom line. He/She
can access the sales records of all the customers and filter them according to their sales value. The
Information Security Analyst should be careful to carry out rule-based analysis on the data, or
information.

The following are some commonly used tools for data analysis:
 MS Excel
 SAS
 SPSS
 Minitab

Understanding, identifying and reporting the anomalies

As an Information Security Analyst, not only do you have to ensure that you store data properly, you
need to identify the anomalies, and report them. For example, if you find that data about your
company’s plans is being accessed by some IP address outside your organisation at odd hours, you
should verify the information and report it to your seniors immediately.
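As an added example (not part of the handbook), the following Python script carries out the kind of rule-based analysis described above over a few constructed access records: it flags reads of company plans from an address outside the organisation's own network, particularly at odd hours, and returns the findings for the analyst to verify and report rather than acting on them. The log line layout, the internal address ranges (10.0.0.0/8 and 192.168.0.0/16), the office-hours window, the /plans/ location and the sample lines are all assumptions:

```python
"""Rule-based review of access records for the anomaly described in the text:
company data being read from an address outside the organisation at odd hours.
Added example for this handbook; the log line layout, the internal address
ranges, the office-hours window and the sample lines are all assumptions."""
import ipaddress
from datetime import datetime

# Assumed: the organisation's own address space and its normal working hours.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
OFFICE_HOURS = range(8, 20)            # 08:00 to 19:59 counts as normal
SENSITIVE_PREFIX = "/plans/"           # assumed location of company plans


def parse_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict (assumed format)."""
    timestamp, _, rest = line.strip().partition(" ")
    event = {"time": datetime.fromisoformat(timestamp)}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def is_external(ip_text):
    """True when the source address is outside every internal network."""
    addr = ipaddress.ip_address(ip_text)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def apply_rules(event):
    """Return the names of the rules an event matches (empty list = nothing odd)."""
    matched = []
    external = is_external(event["src"])
    odd_hour = event["time"].hour not in OFFICE_HOURS
    sensitive = event["resource"].startswith(SENSITIVE_PREFIX)
    if external and odd_hour:
        matched.append("external-source-odd-hours")
    if external and sensitive:
        matched.append("external-source-sensitive-resource")
    if event.get("status") == "403":
        matched.append("access-denied")   # refused attempts are worth a look too
    return matched


def review(lines):
    """Run every line through the rules; return (event, rules) for matches only.

    Findings are returned, not acted on: the analyst verifies them against
    other sources and then reports them to the appropriate people."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        rules = apply_rules(event)
        if rules:
            findings.append((event, rules))
    return findings


# Constructed sample records (not real traffic; documentation address ranges).
SAMPLE_LOG = """\
2015-03-14T10:05:12 user=asha src=10.1.2.3 resource=/plans/q2-roadmap.docx action=read status=200
2015-03-14T02:17:45 user=asha src=203.0.113.45 resource=/plans/q2-roadmap.docx action=read status=200
2015-03-14T11:30:00 user=ravi src=203.0.113.9 resource=/public/holidays.pdf action=read status=200
2015-03-14T23:48:03 user=ravi src=192.168.5.7 resource=/plans/budget.xlsx action=read status=200
2015-03-14T14:02:19 user=meena src=198.51.100.23 resource=/plans/budget.xlsx action=read status=403
""".splitlines()


def summarise(findings):
    """One line per finding, ready to go into the report template."""
    return [f"{e['time'].isoformat()} user={e['user']} src={e['src']} "
            f"resource={e['resource']} rules={','.join(r)}" for e, r in findings]


if __name__ == "__main__":
    for line in summarise(review(SAMPLE_LOG)):
        print(line)
```

Two of the five constructed lines are flagged: the 02:17 read of the roadmap from 203.0.113.45 (external and outside office hours) and the refused external read of the budget at 14:02. The in-hours external read of a public file and the late-night internal read are not flagged by these rules; whether the latter deserves its own rule is a policy decision the analyst should take up with the line manager rather than decide alone.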



UNIT III
Skills required to manage data and information effectively

This Unit covers:

 Lesson Plan
 Lesson 3.1. Skills required to manage data and information effectively
 Summary
 Check your understanding


LESSON PLAN

Writing Skills
You need to know and understand how to:
SA1. complete accurate, well written work with attention to detail
Performance Ensuring Measures: SA1. Online assessment. Quiz, document review by peer group and Faculty.
Work Environment / Lab Requirement: Standard Environment

Reading Skills
You need to know and understand how to:
SA2. read instructions, guidelines/procedures
Performance Ensuring Measures: SA2. Quiz, document review by peer group and Faculty.
Work Environment / Lab Requirement: Standard Environment

Oral Communication (Listening and Speaking skills)
You need to know and understand how to:
SA3. listen effectively and orally communicate information accurately
Performance Ensuring Measures: SA3. Online assessment. Strongly recommends Versant/SVAR.
Work Environment / Lab Requirement: Standard Environment

Decision Making
You need to know and understand how to:
SB1. follow rule-based decision-making processes
SB2. make a decision on a suitable course of action
Performance Ensuring Measures: SB1, SB2. Online assessment. Technical assessment. Case study. Document evaluation.
Work Environment / Lab Requirement: Standard Environment PLUS various publicly available data sets. www.data.gov.in

Plan and Organize
You need to know and understand how to:
SB3. plan and organize your work to achieve targets and deadlines
Performance Ensuring Measures: Quiz. Peer group evaluation and faculty evaluation. Plan document review by faculty.
Work Environment / Lab Requirement: Standard Environment PLUS access to online forums.

Customer Centricity
You need to know and understand how to:
SB1. check that your own work meets customer requirements
SB2. meet and exceed customer expectations
Performance Ensuring Measures: SB4, SB5. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
Work Environment / Lab Requirement: Standard Environment PLUS various publicly available data sets. www.data.gov.in, www.kaggle.com, www.coursera.org, www.udacity.com, www.edx.org

Problem Solving
You need to know and understand how to:
SB3. apply problem solving approaches in different situations
Performance Ensuring Measures: SB6. Assessment based on use case. Submit and review the document by group/faculty.
Work Environment / Lab Requirement: Standard Environment PLUS various publicly available data sets. www.data.gov.in, www.kaggle.com, www.coursera.org, www.udacity.com, www.edx.org

Analytical Thinking
You need to know and understand how to:
SB4. configure data and disseminate relevant information to others
Performance Ensuring Measures: SB7. Assessment based on use case. Submit and review the document by group/faculty.
Work Environment / Lab Requirement: Standard Environment PLUS various publicly available data sets. www.data.gov.in, www.kaggle.com, www.coursera.org, www.udacity.com, www.edx.org

Critical Thinking
You need to know and understand how to:
SB1. apply balanced judgements to different situations
Performance Ensuring Measures: SB8. Assessment based on use case. Submit and review the document by group/faculty. Logical thinking towards problem solving.
Work Environment / Lab Requirement: Standard Environment PLUS various publicly available data sets. www.data.gov.in, www.kaggle.com, www.coursera.org, www.udacity.com, www.edx.org

Attention to Detail
You need to know and understand how to:
SB1. check your work is complete and free from errors
SB2. get your work checked by peers
Performance Ensuring Measures: SB9, SB10. Assessment based on use case. Submit and review the document by group/faculty.
Work Environment / Lab Requirement: Standard Environment PLUS seminars, workshops, panel discussions etc.

Team Working
You need to know and understand how to:
SB3. work effectively in a team environment
Performance Ensuring Measures: SB11. Group and Faculty evaluation based on anticipated outcomes.
Work Environment / Lab Requirement: Standard Environment PLUS seminars, workshops, panel discussions etc. Standard Environment PLUS access to online forums.

You need to know and understand:
SC1. use information technology effectively, to input and/or extract data accurately
SC2. validate and update data
SC3. identify and refer anomalies
SC4. store and retrieve information
SC5. keep up to date with changes, procedures and practices in your role
Performance Ensuring Measures: SC1 to SC5. Online assessment. Task based assessment. Document comparison reports. Task schedulers.
Work Environment / Lab Requirement: Standard Environment PLUS various publicly available data sets. www.data.gov.in


3.1. Skills required to manage data and information effectively

What are Skills?
A skill is the ability to use information, or knowledge acquired through education or experience, to
accomplish a given task.

Types of skills
 Technical Skills- The ability to do a specific type of activity or work.
 Human Skills- The ability to work with people.
 Conceptual Skills- The ability to work with ideas, or concepts.
 Generic Skills- Skills that are common to most white-collar jobs, such as reading, writing, listening
and speaking.
 Professional Skills- These skills make a person more employable by giving the person the ability
to make logical decisions and the ability to solve problems judiciously. Some examples of
professional skills are decision making, planning and organising, customer centricity, problem
solving, critical thinking, attention to detail, and team work.

Skills required to manage data and information effectively


Security Analysts need to be good at the following skill-sets if they want to make a career as an
Information Security Analyst, and be able to manage data effectively.
Core/ Generic Skills- As an Information Security Analyst, you should be able to communicate well with
colleagues in writing. You should be able to write accurately, with attention to detail. For example,
making plans for the department for upgrading the security systems requires writing skills. You should
also be able to read instructions, guidelines, procedures and service level agreements laid down by
your organisation. For example, each organisation has certain guidelines for data security. As an
Information Security Analyst, you should be aware of those; only then can you install and configure
security systems that comply with them. Other than reading and writing, an Information Security
Analyst should also have oral skills like listening and speaking. For example, when talking to your line
manager, you need to listen to the instructions carefully. If at any stage you do not understand the
instructions, you should be able to ask for clarification.
Professional Skills- During the course of any career, one needs to be adept at professional skills like
problem solving, critical thinking, logical reasoning, etc. This is equally true for an Information Security
Analyst.
 Decision Making- Many times, as an Information Security Analyst, you would need to take
decisions, and you should have the skills to be able to take the appropriate decisions. Also, you
should follow the company rules for the same. For example, what security systems to install? How
to test them?
 Planning and Organising- These are basic skill sets of any role. To be able to accomplish any task,
one needs to first plan and then organise the sub-tasks. For example, making a Project Plan for
upgrading the data security systems.
 Customer Centricity or focus- The term ‘customer’ refers not only to external but also to internal
customers, i.e., colleagues. As an Information Security Analyst, you will need to work with colleagues
from across the organisation, as has been explained in the chapter on how to work effectively with
colleagues. When designing and installing the security systems, you will have to make sure that
they meet the requirements of your colleagues. In other words, their needs have to be considered
paramount. Not only should you strive to meet customer requirements, you should try and exceed
them.
 Problem Solving- You will face many challenges as an Information Security Analyst, and you
will have to develop problem solving skills to handle them. For example, if you have
implemented a control that does not permit employees to access data on Sundays, and you notice
accesses that violate it, it is your responsibility to bring this to the notice of your line manager.
 Analytical Thinking- Another skill-set associated with an Information Security Analyst is an
analytical bent of mind. You will have to analyse data across the organisation and monitor the
activities of all users before coming up with a data security plan. You will also have to ensure that
the relevant information reaches the concerned people on time.
 Critical Thinking- This skill may be required by an Information Security Analyst time and again, as
you may have to apply your judgement in a balanced manner in various situations. For example,
you may suggest a particular data security template, but the senior management may not agree
due to it being too complex. Thus, you may have to apply your judgement to come up with a plan
that keeps user friendliness in mind while not compromising on security.
 Attention to Detail- Quality is a key criterion for any job and that of an Information Security
Analyst is no different. One aspect of it is to pay attention to detail. For example, data usage policy
of an organisation may be different for the senior management as compared to that of the others.
The Information Security Analyst would need to be aware of this while designing policies. Also,
you need to ensure that the data is error-free and complete. You can also take help from
colleagues, if required.
 Team Work- No job can be completed without interacting with others, within and outside the
organisation. Thus the ability to be able to work with others as a team is a key requirement. For
example, to be able to test database systems, an Information Security Analyst would need to
coordinate with members of other teams. Hence, being able to work effectively in a team
environment is a must-have skill-set.
Technical Skills- Just like technical knowledge, technical skills are essential for any Information
Security Analyst to perform their job. Examples are the ability to use information technology
efficiently; to input and extract data accurately; to validate and update data; to identify anomalies in
data and refer them to the right people; to store and share information in standard formats; and to
keep up to date with changes in the procedures and practices of your role.

Performance Evaluation Criteria for an Information Security Analyst

By now you should understand the nature of the job of an Information Security Analyst and what
would help them perform this role well. Now let us see the criteria that would be used to evaluate the
performance of an Information Security Analyst vis-a-vis his/her ability to manage data effectively.
 Coordinates with the appropriate people for data and information needs.
 Is reliable; gets data from reliable sources.
 Communicates with colleagues clearly, concisely and accurately.
 Integrates work effectively with that of others.
 Shares essential information on time.
 Takes help from the appropriate people when there are any problems in the data.
 Follows the company rules while analysing data.
 Keeps a track of the needs of the organisation.
 Honours commitments.

o If for some reason, the analyst is unable to carry out their promises, they inform in
advance and suggest alternatives.
 Maintains good relationships with colleagues.
o Sorts out problems with them, if any.
o Shows respect for others.
 Follows the policies, procedures and culture of the organisation.
 Keeps abreast with the technological developments.
 Reports any unresolved anomalies in the data to the appropriate people.
 Takes care of quality issues.

Practical Exercises
 For writing Skills: Documentation preparation as per specifications given. Story writing,
Handouts.
 For Reading Skills: Download instructions, procedures and guidelines from internet and
do a Peer & Faculty discussions.
 For Listening and speaking skills: Conduct a group discussion on a topic selected by the
faculty. Listen, Interpret and communicate between groups and Faculties.
 For decision making skills: Discover and review data from public websites. Use various
supervised and unsupervised learning methods. Build models and find a decision making
process. Recommend groups to take different domains (data sets). Document entire
exercise and circulate across all the groups and publish in the forums.
 For Planning and Organising skills: Assign a task with a measurable target to be achieved
within a deadline. Divide the batch into groups. Share the steps involved in planning and
organising and ask them to perform the task in the given time, making sure all the steps for
planning and organising are done.

 For Customer Centricity or focus: Check all previous exercises. Create a traceability
matrix for requirements Vs Outcomes. Compare with the customer expectation (faculty
is the customer or an industry expert). Submit the expectation in a standard template.
 For Problem solving: Discuss with peers, groups, faculties and SME/industry SPOCs.
Come up with a solution document/architecture for a use case.
 For Analytical Ability and Critical thinking: Discuss with peers, groups, faculties and
SME/industry SPOCs. Come up with a plan document for various situations in business
use cases.
 For Attention to detail: Check and review the work of peers and share with faculty
 For Team Work: Define roles and responsibilities amongst the groups.
 For Technical Skills: Check for publicly available data sets by exploration and research.
Review and download the data. Store the data into databases using various methods like
SQL/programming languages/scripting etc. Find out anomalies and prepare a report. Recommend
defining roles to perform tasks. Groups must take different domains (data sets).
 Fill the following table based on your learnings so far. You can share one example with
them to explain what is expected out of them, if required.

Tasks Sub Tasks Performance Evaluation Criteria

SUMMARY
 Data is unprocessed facts, or figures without any added interpretation, or analysis.
 Information is data that has been interpreted, or analysed so as to give it some meaning. For
example, Asha’s salary is Rs. 10,000, which is 10% less than that of her peers.
 Knowledge is the combination of information, experience and insight that is useful for
deciding a course of action. For example, if Asha develops her writing skills, her salary can
reach par with her peers.
 To be able to work in any organisation, an employee, irrespective of the role he/she has been
assigned, needs to know about the organisation he/she is working with and have the technical
knowledge the role requires.
 An Information Security Analyst usually has to deal with the following type of data and
information, to perform their job effectively:
 Information about the current security systems, if any.
 Computer hardware and software specifications
 Information about the networking systems
 Information about the latest security systems available in the market
 Feedback of the users
 Problems faced by the users
 A policy is a statement of agreed intent that clearly sets out an organisation’s views with
respect to a particular matter.
 A procedure/practice is a clear step-by-step method for implementing an organisation’s
policy, or responsibility.

 Not only does an Information Security Analyst need to understand the organisation’s policies
and procedures for the type of data and information that he can use, but also the procedures
for how to use them.
 The kind of data and information that an Information Security Analyst deals with is sensitive in
nature, so he/she needs to be aware of the company policy about whom to share it with
 Customer Relationship Management (CRM) is an approach to managing a company's
interaction with current and future customers. It often involves using technology to organize,
automate, and synchronize sales, marketing, customer service, and technical support.
 A database is a collection of information that is organised so that it can easily be accessed,
managed and updated. A spreadsheet such as Microsoft Excel can serve as a very basic database.
 An organisation holds far more data than any one person can work with. Therefore, an Information
Security Analyst needs to understand what their scope of work is.
 Information Security Analyst should have knowledge about the various data access techniques
that are available in the market, and the company policy for the same.
 The Information Security Analyst should always ensure that the data and information
provided by him/her meets the quality standards set by the organisation. The following are
some parameters to be taken care of:
 Error-free; up to date; in the specified format; easy to retrieve; not altered during retrieval;
complete; consistent; available on time; valid; relevant.
 The commonly used tools for data analysis are MS Excel, SAS, SPSS, Minitab
 As an Information Security Analyst, not only do you have to ensure that you store data
properly, you also need to identify anomalies and report them. For example, if you find that
data about your company’s plans is being accessed from an IP address outside your
organisation at odd hours, you should verify the information and report it to your seniors
immediately.
 The criteria that would be used to evaluate the performance of an Information Security
Analyst with respect to their ability to manage data effectively could be as follows:
 Coordinates with the appropriate people for data and information needs
 Is reliable; gets data from reliable sources
 Communicates with colleagues clearly, concisely and accurately.
 Integrates work effectively with that of others.
 Shares essential information on time.
 Takes help from the appropriate people when there are any problems in the data
 Follows the company rules while analysing data
 Keeps a track of the needs of the organisation.
 Honours commitments.
 If for some reason, the analyst is unable to carry out their promises, he/she informs in
advance and suggests alternatives.
 Maintains good relationships with colleagues.
 Sorts out problems with them, if any.
 Shows respect for others.
 Follows the policies, procedures and culture of the organisation.
 Keeps abreast with the technological developments.
 Reports any unresolved anomalies in the data to the appropriate people.
 Takes care of quality issues.
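The anomaly described in the summary (sensitive data read from an address outside the organisation at odd hours) and the Sunday-access rule used earlier as the Problem Solving example are both simple rule-based checks over an access log. The following Python script is an added example, not taken from the handbook: it applies those rules to a few constructed log lines and returns the findings an analyst would report. The one-line log format, the internal address ranges, the business hours and the `/plans/` path treated as sensitive are all assumptions made for this example.

```python
"""Rule-based anomaly detection over data-access log lines (added example).

Assumed log format, one record per line:
    <ISO-8601 timestamp> <user> <source IP> <resource path>
The internal networks, business hours and sensitive path prefix are
assumptions for the example; a real organisation would take them from its
network inventory and data classification policy.
"""
import ipaddress
from datetime import datetime, time
from typing import Dict, List

# Assumed internal address ranges of the organisation.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
BUSINESS_START = time(8, 0)     # assumed start of business hours
BUSINESS_END = time(19, 0)      # assumed end of business hours
SENSITIVE_PREFIX = "/plans/"    # assumed: company plans are classified as sensitive

# Constructed sample log lines for the example (not real data).
# 2015-03-01 is a Sunday; 203.0.113.9 and 198.51.100.77 are external addresses.
SAMPLE_LOG = """\
2015-03-02T09:15:00 asha 10.1.4.22 /plans/q2-roadmap.docx
2015-03-02T10:02:13 ravi 192.168.7.5 /hr/payroll.xlsx
2015-03-03T02:47:51 asha 203.0.113.9 /plans/q2-roadmap.docx
2015-03-01T11:30:00 ravi 10.1.4.40 /plans/budget.xlsx
2015-03-04T23:10:05 mohan 198.51.100.77 /public/brochure.pdf
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into its typed fields."""
    ts, user, ip, resource = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "user": user,
        "ip": ipaddress.ip_address(ip),
        "resource": resource,
    }


def is_internal(ip) -> bool:
    """True when the source address belongs to one of the internal ranges."""
    return any(ip in net for net in INTERNAL_NETWORKS)


def outside_business_hours(when: datetime) -> bool:
    t = when.time()
    return t < BUSINESS_START or t > BUSINESS_END


def is_sunday(when: datetime) -> bool:
    return when.weekday() == 6   # Monday is 0, Sunday is 6


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Apply each rule to every record and return the findings to report."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        sensitive = rec["resource"].startswith(SENSITIVE_PREFIX)
        reasons = []
        if sensitive and not is_internal(rec["ip"]):
            reasons.append("sensitive data read from external address")
        if sensitive and outside_business_hours(rec["time"]):
            reasons.append("sensitive data read outside business hours")
        if is_sunday(rec["time"]):
            reasons.append("access on a Sunday, which policy does not permit")
        if reasons:
            findings.append({
                "time": rec["time"].isoformat(),
                "user": rec["user"],
                "ip": str(rec["ip"]),
                "resource": rec["resource"],
                "reasons": "; ".join(reasons),
            })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['time']} {f['user']}@{f['ip']} {f['resource']}: {f['reasons']}")
```

Each finding keeps the raw facts (time, user, address, resource) next to the rule it tripped, which is what the line manager needs to verify the report before acting on it. Accesses to non-sensitive resources from outside are deliberately not flagged, so the rule set stays aligned with the policy rather than with every external address.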

Check your Understanding

1. Describe the knowledge management culture of the training organization
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
2. What is the importance of validating data/information before use and how to do this?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
3. State 7 types of Data/information that a security analyst may need and the sources for
obtaining the same
SNo. Data/information that a security analyst may need Source
1
2
3
4
5
6
7

4. State how to carry out rule-based analysis on the data/information
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

Student Handbook – Security Analyst SSC/N9005

SSC/ N 9005:
Develop knowledge, skills & competence

UNIT I: Importance of Self Development
UNIT II: Knowledge and Skills Required for the Job
UNIT III: Avenues of Self Development
UNIT IV: Planning for Self-Development

Unit Code: SSC/ N 9005

Unit Title (Task): Develop your knowledge, skills and competence

Description: This unit is about taking action to ensure you have the knowledge and skills you
need to perform competently in your current job role and to take on new
responsibilities, where required.
Competence is defined as: the application of knowledge and skills to perform to
the standards required.

Scope: This unit/task covers the following:

Appropriate people may be:
 line manager
 human resources specialists
 learning and development specialists
 peers

Job role:
 current responsibilities as defined in your job description
 possible future responsibilities

Learning and development activities:
 formal education and training programs, leading to certification
 non-formal activities (such as private study, learning from colleagues,
project work), designed to meet learning and development objectives but
without certification

Appropriate action may be:
 undertaking further learning and development activities
 finding further opportunities to apply your knowledge and skills

Performance Criteria (PC) w.r.t. the Scope

The user / individual on the job should be able to:

PC1. obtain advice and guidance from appropriate people to develop your
knowledge, skills and competence
PC2. identify accurately the knowledge and skills you need for your job role
PC3. identify accurately your current level of knowledge, skills and competence
and any learning and development needs
PC4. agree with appropriate people a plan of learning and development
activities to address your learning needs
PC5. undertake learning and development activities in line with your plan
PC6. apply your new knowledge and skills in the workplace, under supervision

PC7. obtain feedback from appropriate people on your knowledge and skills
and how effectively you apply them
PC8. review your knowledge, skills and competence regularly and take
appropriate action
Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company / organization and its processes)
The user/individual on the job needs to know and understand:
KA1. the organization’s procedures and guidelines for developing your
knowledge, skills and competence and your role and responsibilities in
relation to this
KA2. the importance of developing your knowledge, skills and competence to
you and the organization
KA3. methods used by the organization to review skills and knowledge and how
to use these methods to review your knowledge and skills against your job
role
KA4. different types of learning and development activities available for your
job role and how to access these
KA5. how to produce a plan to address your learning and development needs,
who to agree it with and the importance of undertaking the planned
activities
KA6. different types of support available to help you plan and undertake
learning and development activities and how to access these
KA7. why it is important to maintain records of your learning and development
KA8. the ways of obtaining and accepting feedback from appropriate people on
your knowledge, skills and competence
KA9. how to use feedback to develop in your job role

B. Technical Knowledge
The user/individual on the job needs to know and understand:
KB1. the knowledge and skills required in your job role
KB2. your current learning and development needs in relation to your job role
KB3. different types of learning styles and methods including those that help
you learn best
KB4. the importance of taking responsibility for your own learning and
development
THE UNITS

The module for this NOS is divided into 4 Units based on the learning objectives as given below.

UNIT I: Importance of self-development
1.1. Importance of Developing competence
1.2. Being Responsible for own Development

UNIT II: Knowledge and Skills required for the job
2.1. Knowledge and Skills required for the job

UNIT III: Avenues for Self-Development
3.1. Formal Avenues of Self Development in an organisation
3.2. Different types of learning styles and methods

UNIT IV: Planning for Self-Development
4.1. Planning for Self-Development
UNIT I
Importance of Self Development

This Unit covers:

 Lesson Plan
1.1. Importance of Developing competence
1.2. Being Responsible for own Development

LESSON PLAN

Outcomes: You need to know and understand:
KB4. the importance of taking responsibility for your own learning and development
KA2. the importance of developing your knowledge, skills and competence to you and the organization
Performance Measures: QA session and a descriptive write-up on understanding. Group presentation
and peer evaluation along with Faculty.
Ensuring Work Environment / Lab Requirement: Standard Environment

1.1 Importance of developing competence

There is probably no more important skill in life than learning to learn. This skill is especially important
for IT professionals, because the field of Information Technology changes more rapidly than almost any
other field.

“Change is so fast and frequent that it is almost impossible to be a master of even one particular
framework or technology, let alone all the technology that a security analyst needs to know. This is
a feature of the new normal that a security analyst will live and work in. If one doesn’t keep pace
with the changes then he/she will get left behind.”

Thus in the field of Information Technology, if there is truly one skill that will propel your career, it is
learning how to teach yourself and quickly acquire the knowledge needed for the task at hand.
Self-development is therefore a continual process throughout one’s career.

The benefits of continual learning and self-development include the following:

 It helps you stay relevant and up to date with the changing trends and directions in your
profession.
 It helps you become more effective in the workplace.
 It builds a knowledge base that helps you identify different types of problems and generate
solutions.
 It assists in advancing your career and moving into new positions.
 It can deliver a deeper understanding of what it means to be a professional, along with a greater
appreciation of the implications and impacts of your work.
 It leads to increased self-confidence.
 It helps you stay interested and interesting by stimulating the mind to stay inspired and excited.
 It opens you up to new possibilities, new knowledge and new skill areas.

 Ask the students to list all the reasons they feel continual learning on the job is
important.
 Have them research and see what professionals say about this.
 Ask them to pose that question in Security Analyst Networking forums and bring the
responses they got. After the research, discuss in the class

Are there reasons for continuing learning on the job, once you start working? If
yes, make a list of reasons for it.

Discuss this with working professionals, especially people you look up to and
those who have achieved success and earned respect at work. Ask them what
their opinion is and what they have to learn in order to do well.

If possible, ask a Security Analyst what they have to learn on the job to
remain productive and to deliver high quality work.

Share your learning with others.

What is Competence?

Competence can be defined as the application of knowledge and skills to perform to the standards
required. In other words, it is the ability of a person to do a job properly. You can explain this to the
students with the help of the following diagram.

Types of Competencies
Competencies can be broadly classified into two categories:

Behavioural Competencies- These refer to the soft skills that affect a person’s performance. For
example, customer focus is a very common behavioural competency expected of an Information
Security Analyst. He/she is expected to keep the needs of the customers in mind and ensure their
satisfaction.

Technical Competencies- These refer to the technical skills that help a person complete his/her job. For
example, project management is a very common technical competency expected of an Information
Security Analyst.

Make a list of things you need to do in order to

 Perform well at work
 Get the respect of your seniors, peers and users
 Grow to the next level

Share this with others. Now discuss what all do you need to learn in order to
achieve the above. Reflect on the importance of learning and the multiple
things that one has to learn in order to achieve success.

Go through various organizations’ websites (NASSCOM) and talk to industry experts to
understand, summarize and articulate the need for various types of training in
organizations, and prepare a need document for the same.

1.2 Being responsible for own development

In a challenging business environment change is a fact of life. These new challenges, and rapid
changes, require new skills, knowledge and attitudes, that is why personal development is so
important. Most organisations recognize this and encourage their employees to continuously develop
themselves by providing various opportunities for learning as well as time out from work to avail of
the same. However, whether the organisation provides an encouraging atmosphere or not, one’s own
personal development, growth, and continuing learning is not the organisation’s responsibility; it is
one’s own responsibility.

To learn and perform at the highest level, and to obtain greater mastery, one has to own the
responsibility for self-development.

The organisation may well have the best interests of its employees at heart. But even if it cares
deeply about its employees and provides them with training and educational opportunities, that is not
at all the same as the employees taking responsibility for their own growth.

Each person is best equipped, more than anyone else, to identify

 what skills and attributes he or she needs to develop
 where his or her interests lie
 what he or she wants in the future, and his or her vision of a bigger self

It requires reflection, research and discussion.

Personal performance depends on you and your motivation to succeed; no one can make it happen
for you, but you.

It’s about:
 Self-awareness
 Setting objectives
 Gaining support
 Most importantly, continually reviewing how you are performing.

You need to understand the importance of taking responsibility for your own learning and
development. For example, your manager may not have the time to ascertain areas where you may
need training. However, if you carry out this assessment yourself and take it to your manager, he/she
may consider your request. In other words, you have identified potential gaps and worked on their
solutions proactively.

Have a discussion with your fellow students on the following topics:

 After you join work, who will be responsible for your learning?
 What will happen if you get so involved in work that you are unable to learn further?
 What if the organization you join provides no opportunities for learning?
 What could be the obstacles that could hamper your learning and development, and
how to handle these?

Work together with your classmates and develop a self-development charter,
stating what you all would like to commit to doing for your own self
development in future. What are the likely pitfalls and distractions, and how
will you overcome them?

NOTES:

__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

UNIT II
Knowledge and Skills
Required for the Job

This Unit covers:

 Lesson Plan
 Lesson
2.1. Knowledge and Skills Required for the Job
 Summary
 Check your understanding

LESSON PLAN

Outcomes: PC2. identify accurately the knowledge and skills you need for your job role
Performance Measures: Ask to list the various Knowledge and Skills required as per the QP-NOS
Ensuring Work Environment / Lab Requirement: Standard Environment; copy of the QP for all participants

Outcomes: KB1. the knowledge and skills required in your job role; KB2. your current learning and
development needs in relation to your job role
Performance Measures: KB1 to KB2. Quiz and descriptive exam. Group and Faculty evaluation.
Document review.
Ensuring Work Environment / Lab Requirement: Standard Environment PLUS access to online forums

2.1 Skills and knowledge required for the job

Knowledge required to perform the job of an Information Security Analyst effectively

Knowledge refers to information or concepts learned through books, training or other sources of
learning. It is the awareness or understanding of facts and information, acquired through
education or learning.

Knowledge of the Organisation

To be able to work in any organisation, an employee, irrespective of the role he has been assigned, needs to know about the organisation he is working with. This includes knowledge about the company's policies, procedures, structure and culture, your own role and responsibilities, an overview of other departments and their information needs, key contact points, etc.

Technical Knowledge

Technical knowledge helps a person understand a field of work. It is obvious that to perform any task, one needs the technical know-how for it. If the Information Security Analyst does not know what a gateway, a multiplexer or a hub is, or how they function, how can he be expected to install them?

One also has to plan for foreseen and unforeseen events or occurrences that may impact the work, and factor these into timelines, costs, material and human resource requirements, etc.

These may include things causing distractions, time delays, wastage, changes in environmental conditions and assumptions, resource availability, etc.

Skills required to perform the job of an Information Security Analyst effectively

Skill is the ability to use information or knowledge acquired through education or experience to accomplish a given task.
Human Skills- The ability to work with people.
Conceptual Skills- The ability to work with ideas or concepts.
Core/ Generic Skills- These are generic skills that are common to most white collar jobs, like reading, writing, listening and speaking.
• As an Information Security Analyst, you should be able to communicate well with colleagues in writing. For example, making plans for the department for upgrading the security systems requires writing skills.
• You should also be able to read instructions, guidelines and procedures laid down by your organisation. For example, each organisation has certain guidelines for data security.
• As an Information Security Analyst, you should be aware of those. Only then can you install the appropriate security systems.

• Other than reading and writing, an Information Security Analyst should also have oral skills like listening and speaking. For example, when talking to your line manager, you need to listen to the instructions carefully. If at any stage you do not understand the instructions, you should be able to speak up and ask for clarifications.

Professional Skills- These skills make a person more employable by giving the person the ability to make logical decisions and to solve problems judiciously. Some examples of professional skills are decision making, planning and organising, customer centricity, problem solving, critical thinking, attention to detail, and team work. During the course of any career, one needs to be adept at professional skills like problem solving, critical thinking, logical reasoning, etc. This is equally true for an Information Security Analyst.
• Decision Making- Many times, as an Information Security Analyst, you would need to take decisions, and you should have the skills to take the appropriate ones. You should also follow the company rules for the same. For example: what security systems to install? How to test them?
• Planning and Organising- These are basic skill sets of any role. To accomplish any task, one needs to first plan and then organise the sub-tasks. For example, making a Project Plan for upgrading the data security systems.
• Customer Centricity or focus- The term 'customer' refers not only to external but also to internal customers, i.e., colleagues. As an Information Security Analyst, you will need to work with colleagues from across the organisation, as has been explained in the chapter on how to work effectively with colleagues. When designing and installing the security systems, you will have to make sure that they meet the requirements of your colleagues. In other words, their needs have to be considered paramount. Not only should you strive to meet customer requirements, you should try to exceed them.
• Problem Solving- You would have to face many challenges as an Information Security Analyst, and you will have to develop problem solving skills to handle them. For example, if you have developed a system that does not permit employees to access data on Sundays, and you notice certain anomalies, it would be your responsibility to bring this to the notice of your line manager.
• Analytical Thinking- Another skill-set associated with an Information Security Analyst is an analytical bent of mind. You will have to analyse data across the organisation and also monitor the activities of all, before coming up with a data security plan. You will have to ensure that the relevant information reaches the concerned people on time.
• Critical Thinking- This skill may be required by an Information Security Analyst time and again, as you may have to apply your judgement in a balanced manner in various situations. For example, you may suggest a particular data security template, but the senior management may not agree due to it being too complex. Thus, you may have to apply your judgement to come up with a plan that keeps user friendliness in mind while not compromising on security.
• Attention to Detail- Quality is a key criterion for any job, and that of an Information Security Analyst is no different. One aspect of it is to pay attention to detail. For example, the data usage policy of an organisation may be different for the senior management as compared to that of the others. The Information Security Analyst would need to be aware of this while designing policies. Also, you need to ensure that the data is error-free and complete. You can also take help from colleagues, if required.
• Team Work- No job can be completed without interacting with others, within and outside the organisation. Thus the ability to work with others as a team is a key requirement. For example, to be able to test database systems, an Information Security Analyst would need to coordinate with members of other teams. Hence, being able to work effectively in a team environment is a must-have skill-set.

Technical Skills- The ability to do a specific type of activity or work. Just like technical knowledge, technical skills too are important for any Information Security Analyst to perform his job. For example: the ability to use information technology efficiently; being up-to-date with changes, procedures and practices in your role; and agreeing to objectives and work requirements.

• Take a copy of the Security Analyst Qualification Pack and National Occupational Standard (a soft copy of the QP-NOS and online access). Anticipate the learning needs required to achieve this standard of performance, and then think about what you will need to succeed in the job and your further career.
• Segregate the areas of development under the following heads:
o Knowledge of the organization
o Technical knowledge
o Human skills
o Conceptual skills
o Core/Generic skills
o Professional skills
o Others
• Create a broad plan as to where you will learn these from.


UNIT III
Avenues for Self-Development

This Unit covers:

• Lesson Plan
  3.1. Formal Avenues of Self Development in an organisation
  3.2. Different types of learning styles and methods


LESSON PLAN

Performance Outcomes:
PC1. obtain advice and guidance from appropriate people to develop your knowledge, skills and competence
PC7. obtain feedback from appropriate people on your knowledge and skills and how effectively you apply them

Ensuring Measures:
Share the training organisation's policy and procedures for learning and development and have all learners sign the same.
Ask learners to prepare a list of knowledge and skills required for the job and take a sign-off from at least 2 seniors in the industry.

Work Environment / Lab Requirement:
Standard Environment. 2 copies of the training organisation's policy and procedures for learning and development. Industry connect.

Performance Outcomes:
You need to know and understand:
KA1. the organization's procedures and guidelines for developing your knowledge, skills and competence and your role and responsibilities in relation to this
KA3. methods used by the organization to review skills and knowledge and how to use these methods to review your knowledge and skills against your job role
KA4. different types of learning and development activities available for your job role and how to access these
KA8. the ways of obtaining and accepting feedback from appropriate people on your knowledge, skills and competence
KA9. how to use feedback to develop in your job role
KB3. different types of learning styles and methods including those that help you learn best

Ensuring Measures:
KA1 to KA10. QA session and a descriptive write-up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points.

Work Environment / Lab Requirement:
Standard Environment.


3.1 Formal avenues of self-development in an organisation

Knowledge, skills and attitudes can be developed through a range of methodologies:

1) Education or professional qualifications
2) Training by employers
3) On-the-job experience
4) Informal learning from peers, seniors and others
5) Self-study and practice
Many employers invest large amounts of resources (time, effort and money) to make employees work-ready, to help them grow in their jobs and to improve their knowledge, skills and attitudes. Employees should realise that this is an opportunity to develop, not only to deliver a better performance for employers but also for their own career development.
A professional should think of career development not just in the short term but also from a longer-term perspective.
The knowledge and skills required for a job change over time, and therefore a professional needs to ensure his or her employability over one's working life and keep learning. High achievers in any field, and people who are recognised for their professionalism, work very hard to keep abreast of developments in their field and are life-long learners.
Life-long learning is very important for developing a successful and sustainable career. There are many professionals who got comfortable with their current level of performance and stopped learning, and in some time found themselves without a job, or stuck at a particular level without any growth. These people then get frustrated with their professional lives and either blame employers or fate for their own lack of hard work and lack of desire to keep learning. Successful professionals commit to a life of learning (life-long learning).
It is important that one constantly finds out what avenues are available for one's development in terms of professional development courses, further education, professional books and programs, etc. One must also make the most of the knowledge and experience available within the job environment from seniors, training manuals and programs, peers, trade and professional journals, suppliers and vendors, etc.
Some more Avenues for Learning

• Develop Your Own Pet Projects: If there is some technology that you really want to learn and you do not have the opportunity to apply it at work, then invent your own project to use it and develop this project in your free time.

• Learn from Online Courses: Today there is a great diversity of free online courses. Sites such as Coursera, Udacity and edX offer many interesting courses organized by known professors of some of the best universities in the world. These courses are completely free, and besides material such as videos and slides they may include real homework and assignments.

• Go to Technical Meetings: Programmers like to meet to discuss new technologies and share their experiences. You can search for meetings on sites such as Meetup and Eventbrite.

• Participate in Online Forums: Online forums are a great way to communicate with other professionals who may be located very far from you, but who even so share exactly the same interests.

• Read Technical Blogs: Follow software development gurus on Twitter, as well as enthusiastic programmers who like to share their favourite posts.

• See Presentation Slides: If you want to get some initial idea about a technology or platform, and you do not have much time to invest in it, then finding introductory slides is an easy and fast solution. Sites such as SlideShare have a huge quantity of such professional slides.

• Watch Videos: It is easy to find videos on YouTube or Vimeo on most popular subjects. These may be recorded lectures at universities, presentations at conferences or talks at group meetings. For example, TED talks are known for their ability to provide inspiration and make watchers think.

• Use Question-and-Answer Communities: If you have a technical problem, then it is very probable that someone before you already had the same problem. Thus, you should try Q&A communities such as StackOverflow to search for a solution. If you cannot find an existing question that fits your needs, you can always ask a new question yourself.

List the different modes and avenues of learning you have used during this course.

For the various learning needs identified in the previous section, list the avenues you can use to further your learning in those areas. Be realistic and explore what avenues are available.


3.2 Different types of learning styles and methods


Everyone processes and learns new information in different ways. There are three main cognitive learning styles:
• visual,
• auditory, and
• kinesthetic.

The common characteristics of each learning style listed below can help you understand how you learn
and what methods of learning best fits you. Understanding how you learn can help maximize time you
spend studying by incorporating different techniques to custom fit various subjects, concepts, and
learning objectives. Each preferred learning style has methods that fit the different ways an individual
may learn best.

Visual Learners

Clues:
• Needs to see it to know it.
• Strong sense of color.
• May have artistic ability.
• Difficulty with spoken directions.
• Overreaction to sounds.
• Trouble following lectures.
• Misinterpretation of words.

Learning methods:
• Use graphics to reinforce learning - films, slides, illustrations, diagrams.
• Color coding to organize notes and possessions.
• Write out directions.
• Use flow charts / diagrams for note taking.
• Visualizing spelling of words or facts to be memorized.

Auditory Learners

Clues:
• Prefers to get information by listening and needs to hear it to know it.
• Difficulty following written directions.
• Difficulty with reading.
• Problems with writing.
• Inability to read body language and facial expressions.

Learning methods:
• Use tapes for reading and for class and lecture notes.
• Learn by interviewing/participating in discussions.
• Have test questions or directions read aloud or put on tape.

Kinesthetic Learners

Clues:
• Prefers hands-on learning.
• Can assemble parts without reading directions.
• Difficulty sitting still.
• Learns better when physical activity is involved.
• May be very well coordinated and have athletic ability.

Learning methods:
• Experimental learning (making models, doing lab work, and role playing).
• Frequent breaks in study periods.
• Trace letters and words to learn spelling and remember facts.
• Use computer to reinforce learning through sense of touch.
• Memorize or drill while walking or exercising.
• Express abilities through dance, drama, or gymnastics.


The most used and researched models were developed by Kolb (1984) and Honey and Mumford (1986). As per Honey and Mumford (1986), learners display the following learning styles:

Honey and Mumford Learning Styles

Activist
Characteristics: Learn by doing and participation.
Learning Methods: brainstorming, problem solving, group discussion, puzzles, competitions, role-play.

Reflector
Characteristics: Learn by watching others and think before you act.
Learning Methods: models, statistics, stories, quotes, background information, applying theories.

Theorist
Characteristics: Learn by understanding theory very clearly.
Learning Methods: time to think about how to apply learning in reality, case studies, problem solving, discussion.

Pragmatist
Characteristics: Learn through practical tips and techniques from an experienced person.
Learning Methods: paired discussions, self-analysis questionnaires, personality questionnaires, time out, observing activities, feedback from others, coaching, interviews.

Which are your own learning style preferences? Reflect, experiment and collect evidence for the
same, share it with others in your class, see if they agree. Also share the methodology used to
arrive at your preferences.


UNIT IV
Planning for Self-Development

This Unit covers:

• Lesson Plan
  4.1. Planning for Self-Development


LESSON PLAN

Performance Outcomes:
PC3. identify accurately your current level of knowledge, skills and competence and any learning and development needs
PC4. agree with appropriate people a plan of learning and development activities to address your learning needs
PC5. undertake learning and development activities in line with your plan
PC6. apply your new knowledge and skills in the workplace, under supervision
PC8. review your knowledge, skills and competence regularly and take appropriate action

Ensuring Measures:
All learners to self-evaluate themselves on the skills required and prepare a self-development plan with goals and milestones. Get it evaluated by Faculty and peer review.

Work Environment / Lab Requirement:
Standard Environment.

Performance Outcomes:
You need to know and understand:
KA5. how to produce a plan to address your learning and development needs, who to agree it with and the importance of undertaking the planned activities
KA6. different types of support available to help you plan and undertake learning and development activities and how to access these
KA7. why it is important to maintain records of your learning and development
KB3. different types of learning styles and methods including those that help you learn best

Ensuring Measures:
KA1 to KA10. QA session and a descriptive write-up on understanding. Group presentation and peer evaluation along with Faculty. Performance evaluation from Faculty and Industry with reward points.

Work Environment / Lab Requirement:
Standard Environment. Online access for research work.


4.1 Planning for self-development

Steps to be taken to upgrade your current level of knowledge, skills and competence

Each organisation has a set of guidelines for developing the skill-sets of its employees. Given the nature of the job of an Information Security Analyst, it is important for him to keep abreast of the latest technological developments.
He can follow the following 10 steps to ascertain his current level of knowledge, skills and competence.
1) Understand your organisation's procedures and guidelines for developing your knowledge, skills and competence, and your role and responsibilities in relation to this. For example, some organisations mandate that their employees enrol for self-learning tutorials on the company's Intranet. If you have a team reporting to you, then it would be your responsibility to ensure that your team members also enrol for these mandatory trainings.
2) Understand why you need to develop your knowledge, skills and competence and how it will help your organisation. Also, understand why learning new concepts is important and how they can be applied in the work environment.
As has already been explained several times earlier, the role of an Information Security Analyst requires him to be up-to-date. For example, if your company tells you to have a Twitter handle so that you can participate in various technical discussions, and you do not know how to use Twitter, it will go against you. If you enrol for some training for this, your career prospects will brighten.
3) Apprise yourself of the different methods used by your organisation to review skills and knowledge. Some such methods are:
4) Training Need Analysis- This is a process to discover the development needs of employees so that they can perform their job effectively. The following tools are used frequently for assessing training needs:
4) Training Need Analysis- This is a process to discover the development needs of employees so that
they can perform their job effectively. The following tools are used frequently for assessing the
training needs:
o Questionnaires
o Direct observation
o Review of relevant literature
o Interviews
o Records and report studies
o Consultation with persons in key positions, and/or with specific knowledge
o Focus groups
o Assessments
o Surveys
o Work samples
5) Skills Need Analysis- This process is similar to the Training Need Analysis with a focus on the
development needs of skills like the following:
o Planning
o Analytical skills
o Action orientation
o Business knowledge/acumen

o Communication
o Customer focus
o Adaptability
o Decision making
o Fiscal management
o Global perspective
o Innovation
o Interpersonal skills
o Leadership
o Establishing objectives
o Risk management
o Persuasion and influence
o Teamwork
o Problem solving
o Project management
o Results orientation
o Technology
o Self-management
Performance Appraisals - One technique of identifying the training needs of employees is through performance appraisals. Managers are interviewed and performance data is analysed. Some commonly used sources of performance data are:
o Absenteeism
o Performance appraisals
o Turnover
o Quality parameters
o Losses
o Accidents
o Safety incidents
o Grievances
o Returns
o Customer complaints
6) Understand the different types of learning and development activities available for your role and
the process of availing those. The following are some commonly used techniques in organisations:
o Instructor-led training
o Blackboard, or whiteboard
o Overhead projector
o Videos
o PowerPoint presentation
o Storytelling
o Interactive methods
o Quizzes
o Group discussions
o Case studies

o Q&A sessions
o Role playing
o Hands-on training
o Coaching
o Mentorship
o Apprenticeship
o Demonstrations
o Computer Based Training
o CD-ROM
o Multimedia
o Virtual reality
o E-Learning
o Web-based training
o Webinars
o Video conferencing
o Blended learning- A combination of two, or more of the techniques given above.
7) Making a plan- Like any activity, this too requires planning. The following are some major steps:
o Identify the people who would help you make the plan, and those who would approve it- for example, your managers.
o Understand what is at stake- for example, who would take care of your job in your absence.
o Study the different types of tools available.
o Study the documentation required and understand why it is important- for example, would you need to make a report on what you have learnt after the training? Can this report be of help to your peers, who can probably learn from it?
o Identify whom to take feedback from and how to follow up on it- for example, would your managers review the changes in your work processes after the training? You would also need to understand the various methods of obtaining feedback, and how to use it. Some commonly used methods are:
  - Surveys
  - Feedback boxes
  - Face-to-face interaction
  - Peer assessment
8) Understand how and what future avenues would open up post the training. For example, if you
undergo social media training, you can add that as an additional skill-set in your resume that would
give you an edge over your peers.
9) Implement the plan, apply your new knowledge and skills in the workplace and take feedback. For
example, if you have taken training about a new data security system, you can make a proposal
to get it installed; after installation, you can use it and demonstrate the benefits to your peers and
managers.

10) Make sure that you make this a continuous process.

Apply the above 10 steps to yourself and on the basis of this create a self-development plan for yourself. Research each of the ten steps further on your own.

Download samples of organisations' policies and procedures for learning and development and share them with the class.


SUMMARY
• Change is so fast and frequent that it is almost impossible to be a master of even one particular framework or technology, let alone all the technology that a security analyst needs to know. This is a feature of the new normal that a security analyst will live and work in. If one doesn't keep pace with the changes, then he/she will get left behind.
• The benefits of continual learning and self-development are as follows:
o It helps to stay relevant and up to date with the changing trends and directions in one's profession.
o It helps in becoming more effective in the workplace.
o It builds a knowledge base that helps identify different types of problems and generate solutions.
o It assists in advancing one's career and moving into new positions.
o It can deliver a deeper understanding of what it means to be a professional, along with a greater appreciation of the implications and impacts of your work.
o It leads to increased self-confidence.
o It helps to stay interested and interesting by stimulating the mind to stay inspired and excited.
o It opens you up to new possibilities, new knowledge and new skill areas.
• Competence can be defined as the application of knowledge and skills to perform to the standards required. In other words, it is the ability of a person to do a job properly.
• Competencies can be broadly classified into two categories - Behavioural Competencies and Technical Competencies.
• You need to understand the importance of taking responsibility for your own learning and development.
• One also has to plan for foreseen and unforeseen events or occurrences that may impact the work, and factor these into timelines, costs, material and human resource requirements, etc.
• These may include things causing distractions, time delays, wastage, changes in environmental conditions and assumptions, resource availability, etc.
• Skill is the ability to use information or knowledge acquired through education or experience to accomplish a given task. Skills include Human Skills, Conceptual Skills and Core/ Generic Skills.
• Knowledge, skills and attitudes can be developed through a range of methodologies - education or professional qualifications, training by employers, on-the-job experience, informal learning from peers, seniors and others, and self-study and practice.
• The knowledge and skills required for a job change over time, and therefore a professional needs to ensure his or her employability over one's working life and keep learning. High achievers in any field, and people who are recognised for their professionalism, work very hard to keep abreast of developments in their field and are life-long learners.
• Life-long learning is very important for developing a successful and sustainable career.
• Some more avenues for learning:
o Develop Your Own Pet Projects
o Learn from Online Courses
o Go to Technical Meetings
o Participate in Online Forums
o Read Technical Blogs
o See Presentation Slides
o Watch Videos
o Use Question-and-Answer Communities
• Everyone processes and learns new information in different ways. There are three main cognitive learning styles: visual, auditory, and kinesthetic.
• Each organization has a set of guidelines for developing the skill-sets of its employees. Given the nature of the job of an Information Security Analyst, it is important for him to keep abreast of the latest technological developments.


Check your understanding

1. State the importance of developing your knowledge, skills and competence to you and the organization.

2. List 3 methods used by the organization to review skills and knowledge and how to use these methods to review your knowledge and skills against your job role.

3. List 7 different types of learning and development activities available for your job role and how to access these.

4. State the different types of learning styles and methods including those that help you learn best.

5. Why should you take responsibility for your own learning and development?

Annexures

• Security Assessment Template


• Case Studies
This work is licensed under the Creative Commons Attribution-NonCommercial License. To
view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Created by Keith A. Watson, CISSP on March 1, 2005

{CLIENT ORGANIZATION}
Security Assessment Report

December 13, 2015

Report Prepared by:


{YOUR NAME}, {YOUR CREDENTIALS}
{YOUR EMAIL ADDRESS}
{YOUR PHONE NUMBER}

{YOUR ORGANIZATION}
{YOUR MAILING ADDRESS}

The information contained within this report is considered proprietary and confidential to the
{CLIENT ORGANIZATION}. Inappropriate and unauthorized disclosure of this report or portions
of it could result in significant damage or loss to the {CLIENT ORGANIZATION}. This report
should be distributed to individuals on a Need-to-Know basis only. Paper copies should be
locked up when not in use. Electronic copies should be stored offline and protected appropriately.

Confidential and Proprietary Information: Need to Know



EXECUTIVE SUMMARY 5

Top-Ten List 5
1. Information Security Policy 5
2. {Security Issue #2} 5
3. {Security Issue #3} 5
4. {Security Issue #4} 5
5. {Security Issue #5} 5
6. {Security Issue #6} 6
7. {Security Issue #7} 6
8. {Security Issue #8} 6
9. {Security Issue #9} 6
10. {Security Issue #10} 6

INTRODUCTION 7

Scope 7
Project Scope 7
In Scope 7
Out of Scope 7

Site Activities Schedule 7


First Day 7
Second Day 7
Third Day 7

BACKGROUND INFORMATION 8

{CLIENT ORGANIZATION} 8

ASSET IDENTIFICATION 9

Assets of the {CLIENT ORGANIZATION} 9

THREAT ASSESSMENT 9

Threats to the {CLIENT ORGANIZATION} 9

LAWS, REGULATIONS AND POLICY 10

Federal Law and Regulation 10

{CLIENT ORGANIZATION} Policy 10

Vulnerabilities 10
The {CLIENT ORGANIZATION} has no information security policy 10
{State the Vulnerability} 10


PERSONNEL 11

Management 11

Operations 11

Development 11

Vulnerabilities 11
There is no information security officer 11
{State the Vulnerability} 11

NETWORK SECURITY 12

Vulnerabilities 12
The {CLIENT ORGANIZATION} systems are not protected by a network firewall 12
{State the Vulnerability} 13

SYSTEM SECURITY 13

Vulnerabilities 13
Users can install unsafe software 13
{State the Vulnerability} 14

APPLICATION SECURITY 14

Vulnerabilities 14
Sensitive information within the database is not encrypted 14
{State the Vulnerability} 14

OPERATIONAL SECURITY 15

Vulnerabilities 15
There is no standard for security management 15
{State the Vulnerability} 15

PHYSICAL SECURITY 15

Vulnerabilities 16
Building Vulnerabilities 16
Several key doors within the building are unlocked or can be forced open 16
{State the Vulnerability} 16
Security Perimeter Vulnerabilities 17
There is no entryway access control system 17
{State the Vulnerability} 17
Server Area Vulnerabilities 17
The backup media are not protected from fire, theft, or damage 17
{State the Vulnerability} 18

SUMMARY 18


Action Plan 18

REFERENCES 18


Executive Summary
Briefly describe the activities of the assessment.
Talk about the importance of information security at the client organization.
Discuss security efforts that the organization has undertaken.
Highlight three major security issues discovered that could significantly impact the operations of
the organization.

Top-Ten List
A top-ten list is used to highlight the ten most urgent issues discovered during an assessment.
Clients unfamiliar with security may be overwhelmed by a long list of problems. Putting the
major issues together may allow the client to easily focus efforts on these problems first.

The list below contains the “top ten” findings, weaknesses, or vulnerabilities discovered during
the site security assessment. Some of the issues listed here are coalesced from more than one
section of the assessment report findings. Additional information about each is provided
elsewhere in the report.
It is recommended that these be evaluated and addressed as soon as possible. These should be
considered significant and may impact the operations of the {CLIENT ORGANIZATION}.

1. Information Security Policy


An information security policy is the primary guide for the implementation of all security
measures. There is no formal policy specific to the {CLIENT ORGANIZATION}.
Recommendation: Develop an information security policy that specifically addresses the needs
of the {CLIENT ORGANIZATION} and its mission. Use that policy as a basis for an effective
security program.

2. {Security Issue #2}


{Brief description of Security Issue #2}
Recommendation: {Brief list of recommendations for Security Issue #2}

3. {Security Issue #3}


{Brief description of Security Issue #3}
Recommendation: {Brief list of recommendations for Security Issue #3}

4. {Security Issue #4}


{Brief description of Security Issue #4}
Recommendation: {Brief list of recommendations for Security Issue #4}

5. {Security Issue #5}


{Brief description of Security Issue #5}

Recommendation: {Brief list of recommendations for Security Issue #5}

6. {Security Issue #6}


{Brief description of Security Issue #6}
Recommendation: {Brief list of recommendations for Security Issue #6}

7. {Security Issue #7}


{Brief description of Security Issue #7}
Recommendation: {Brief list of recommendations for Security Issue #7}

8. {Security Issue #8}


{Brief description of Security Issue #8}
Recommendation: {Brief list of recommendations for Security Issue #8}

9. {Security Issue #9}


{Brief description of Security Issue #9}
Recommendation: {Brief list of recommendations for Security Issue #9}

10. {Security Issue #10}


{Brief description of Security Issue #10}
Recommendation: {Brief list of recommendations for Security Issue #10}


Introduction
Provide an overview of the report.

Scope
The scope is the boundaries of the project. It is used to describe the on-site activities.

Project Scope

In Scope
The following activities are within the scope of this project:
• Interviews with key staff members in charge of policy, administration, day-to-day
operations, system administration, network management, and facilities management.
• A Visual Walk Through of the facilities with administrative and facilities
personnel to assess physical security.
• A series of Network Scans to enumerate addressable devices and to assess each
system’s available network services. (These Scans will be conducted from within
each center’s network and from the outside.)
• A configuration and security assessment of at most ten key systems at each
center.

Out of Scope
The following activities are NOT part of this security assessment:
• Penetration Testing of systems, networks, buildings, laboratories or facilities.
• Social Engineering to acquire sensitive information from staff members.
• Testing Disaster Recovery Plans, Business Continuity Plans, or Emergency
Response Plans.

Site Activities Schedule


List the site activities.

First Day

Second Day

Third Day


Background Information
Use this section to talk about any relevant background information.

{CLIENT ORGANIZATION}
Describe the client organization.


Asset Identification
Describe the process of asset identification.

Assets of the {CLIENT ORGANIZATION}


The following lists document some of the {CLIENT ORGANIZATION} tangible and intangible
assets. It should not be considered a complete and detailed list but should be used as a basis for
further thought and discussion to identify assets.

Tangible Assets
• {List tangible assets.}

Intangible Assets
• {List intangible assets.}

Each item on these lists also has value associated with it. Each item’s relative value changes over
time. In order to determine the current value, it is often best to think in terms of recovery costs.
What would it cost to restore or replace this asset in terms of time, effort, and money?

Threat Assessment
Describe the process of threat assessment.

Threats to the {CLIENT ORGANIZATION}


The following lists document some of the known threats to the {CLIENT ORGANIZATION}. It
should not be considered a complete and detailed list but should be used as a basis for further
thought and discussion to identify threats.

Natural Threats
• {List Natural Threats.}

Intentional Threats
• {List Intentional Threats.}

Unintentional Threats
• {List Unintentional Threats.}


Laws, Regulations and Policy


Talk about the role of laws, regulation, and policy on the client organization.

Federal Law and Regulation


Outline federal laws and regulation that impact the client organization.

{CLIENT ORGANIZATION} Policy


Talk about the current policy at the client organization. Describe what policy they currently have.

Vulnerabilities
Listed below are the vulnerabilities discovered during the assessment relating to law, regulation,
and policy. These are considered significant and steps should be taken to address them.

The {CLIENT ORGANIZATION} has no information security policy


Explanation
The {CLIENT ORGANIZATION} has no information security policy that is specific to
its needs and goals.
Risk
There are several risks in not having an information security policy.
• Mistakes can be made in strategic planning without a guideline for security.
• Resources may be wasted in protecting low value assets, while high value assets
go unprotected.
• Without a policy, all security measures are merely ad hoc in nature and may be
misguided.
Recommendations
• Create a policy that is in compliance with {CLIENT ORGANIZATION} security
goals.
• Periodically review and update the policy.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Personnel
Describe the personnel at the client organization. Organize them into related groups.
In this example, we have Management, Operations, and Development.

Management
Describe the management group.

Operations
Describe the operations team.

Development
Describe the development team.

Vulnerabilities
Listed below are the staff vulnerabilities discovered during the interviews with the {CLIENT
ORGANIZATION} staff. These are considered significant and steps should be taken to address
them.

There is no information security officer


Explanation
An information security officer is responsible for the overall security for an organization.
He or she must help create security policy, enforce it, and act as the primary security
contact.
Risk
Without an information security officer, important security issues may not receive the
proper attention. The overall security of the {CLIENT ORGANIZATION} may suffer.
Recommendations
• Designate an existing employee to fill the role of information security officer, or
hire a qualified candidate for the position.
• Provide training opportunities to the information security officer.
• Encourage and support the acquisition of security certification(s).

{State the Vulnerability}


Explanation
{Explain the vulnerability.}


Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Network Security
Describe the state of network security at the client organization.
List public network resources and sites.
List partner connections and extranets.

Vulnerabilities
Listed below are the network security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them.

The {CLIENT ORGANIZATION} systems are not protected by a network firewall

Explanation
A firewall is a network gatekeeper. Based on a configurable set of rules, the firewall
determines which network connections to allow or deny. There are generally three types
of attacks that can be prevented (or at least slowed) using properly configured firewalls:
intrusion, denial-of-service, and information theft.
There are two types of firewalls. One type is incorporated into operating systems
(software-based). The other type consists of a networking hardware platform that protects
a group of networked systems (hardware-based).
The {CLIENT ORGANIZATION} systems are inconsistently protected by software-
based firewalls. Most of the workstations have firewall software installed and configured.
Some do not.
Risk
There are several risks in running network services without a firewall.
• Incoming network-based scans and attacks are not easily detected or prevented.
• Attackers target vulnerable network services.
• Attacks are not isolated and damage cannot be contained.
• Network probing for vulnerabilities slows system and network performance.
Recommendations
• Enable operating system firewalls where available.
• Install a hardware-based firewall.
• Configure firewall rule sets to be very restrictive.
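The firewall described above decides each connection by walking an ordered rule list and falling back to a default verdict. The Go program below is an added example, not part of the template or the handbook: it implements that first-match evaluation and contrasts a permissive default-allow ruleset with the restrictive default-deny shape the recommendations call for. Rule names, address ranges and the sample connection attempts are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Action is the verdict a rule (or the ruleset default) gives a connection.
type Action string

const (
	Deny  Action = "DENY"
	Allow Action = "ALLOW"
)

type Conn struct {
	Src   net.IP
	Proto string // "tcp" or "udp"
	Port  int    // destination port on the protected host
}

// Rule matches a connection when every field that is set agrees with it.
type Rule struct {
	Name   string
	Src    *net.IPNet // nil = any source address
	Proto  string     // "" = any protocol
	Port   int        // 0 = any destination port
	Action Action
}

func (r Rule) matches(c Conn) bool {
	if r.Src != nil && !r.Src.Contains(c.Src) {
		return false
	}
	if r.Proto != "" && r.Proto != c.Proto {
		return false
	}
	return r.Port == 0 || r.Port == c.Port
}

// Ruleset is evaluated first-match; Default applies when no rule matches.
type Ruleset struct {
	Rules   []Rule
	Default Action
}

// Evaluate returns the verdict and the name of the rule that produced it.
func (rs Ruleset) Evaluate(c Conn) (Action, string) {
	for _, r := range rs.Rules {
		if r.matches(c) {
			return r.Action, r.Name
		}
	}
	return rs.Default, "default"
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// PermissiveRuleset is the weak configuration: default allow with a few explicit blocks.
func PermissiveRuleset() Ruleset {
	return Ruleset{
		Rules:   []Rule{{Name: "block-telnet", Proto: "tcp", Port: 23, Action: Deny}},
		Default: Allow,
	}
}

// RestrictiveRuleset is the recommended shape: default deny, open only what is needed.
func RestrictiveRuleset() Ruleset {
	return Ruleset{
		Rules: []Rule{
			{Name: "lan-ssh", Src: cidr("10.0.0.0/8"), Proto: "tcp", Port: 22, Action: Allow},
			{Name: "any-https", Proto: "tcp", Port: 443, Action: Allow},
		},
		Default: Deny,
	}
}

func main() {
	// Constructed sample attempts: 10.0.0.0/8 is the internal LAN and
	// 203.0.113.0/24 (a documentation range) stands in for the Internet.
	conns := []Conn{
		{Src: net.ParseIP("10.1.2.3"), Proto: "tcp", Port: 22},
		{Src: net.ParseIP("203.0.113.9"), Proto: "tcp", Port: 22},
		{Src: net.ParseIP("203.0.113.9"), Proto: "tcp", Port: 445},
	}
	for name, rs := range map[string]Ruleset{"permissive": PermissiveRuleset(), "restrictive": RestrictiveRuleset()} {
		for _, c := range conns {
			verdict, by := rs.Evaluate(c)
			fmt.Printf("%-11s %s/%d from %s -> %s (%s)\n", name, c.Proto, c.Port, c.Src, verdict, by)
		}
	}
}
```

Under the permissive set an unlisted service such as SMB on port 445 is reachable from the Internet because nothing matches and the default allows it; under the restrictive set the same attempt falls through to the default deny.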

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

System Security
Describe the state of system security at the client organization.

Vulnerabilities
Listed below are the system security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them.

Users can install unsafe software


Explanation
Since users have privileged access to their workstations, they are free to install software
that can impact the operations at the {CLIENT ORGANIZATION}. Most of this
software is freely available from the Internet. Unsafe software is any software that
impedes the productivity of the staff, collects information on the user or the {CLIENT
ORGANIZATION} network environment, launches attacks or probes internal systems.
Risk
There are several risks in allowing users to install unsafe software.
• The software may contain a virus, worm, or some other dangerous electronic
threat.
• The software may be a “Trojan Horse” to fool users.
• The software may capture, disclose, delete, or modify sensitive data.
• The software may impact system performance and user productivity.
• Significant time may be wasted attempting to remove software.
Recommendations
The operations team should
• Remove user privileges to install software.
• Remove unsafe software from workstations. Reinstall systems as needed.
• Establish a process for the evaluation and installation of new software.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Application Security
Describe the state of application security at the client organization.

Vulnerabilities
Listed below are the application security vulnerabilities discovered during the assessment. These
are considered significant and steps should be taken to address them.

Sensitive information within the database is not encrypted


Explanation
Sensitive information in databases can be encrypted to protect confidentiality. If an
attacker gets unauthorized access to the database, sensitive information still cannot be
read.
Risk
If an attacker gains access to the database, sensitive information stored in the database
can be viewed and modified.
Recommendations
• Examine changes required to support encrypted database tables.
• Modify web and database software to work with encrypted data.
• Safely store and protect the encryption keys.
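One way to meet the three recommendations above is column-level encryption done by the application, with the key held outside the database. The Go program below is an added example, not part of the template or the handbook: it encrypts a sensitive field with AES-256-GCM, binds each ciphertext to its row and column so values cannot be silently swapped, and shows that a raw dump of the table reveals nothing. The record layout, column names, key and sample values are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Record stands in for a database row: Name is stored in clear, SSN is the
// sensitive column and holds only ciphertext (nonce || ciphertext || GCM tag).
type Record struct {
	ID   string
	Name string
	SSN  []byte
}

// Vault wraps the data-encryption key. The key must live outside the database
// (KMS, HSM or a protected config file); here it is passed in by the caller.
type Vault struct {
	aead cipher.AEAD
}

// NewVault builds an AES-256-GCM encryptor; the key must be exactly 32 bytes.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("data-encryption key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// aad ties a ciphertext to its row and column: the same bytes copied to another
// row, or to another column, fail authentication when opened.
func aad(id, column string) []byte { return []byte(id + "|" + column) }

// Seal encrypts one field value; a fresh random nonce is prepended to the output.
func (v *Vault) Seal(id, column, plaintext string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(plaintext), aad(id, column)), nil
}

// Open decrypts a field value, verifying the tag and the row/column binding.
func (v *Vault) Open(id, column string, blob []byte) (string, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], aad(id, column))
	if err != nil {
		return "", err // wrong key, tampered bytes, or wrong row/column
	}
	return string(pt), nil
}

// DumpContainsPlaintext models an attacker reading the raw table: it reports
// whether the sensitive value appears anywhere in the stored bytes.
func DumpContainsPlaintext(rows []Record, secret string) bool {
	for _, r := range rows {
		if strings.Contains(string(r.SSN), secret) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo key; a real deployment loads it from a key-management service.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	secret := "123-45-6789" // constructed sample value
	blob, err := v.Seal("emp-1", "ssn", secret)
	if err != nil {
		panic(err)
	}
	rows := []Record{{ID: "emp-1", Name: "A. Example", SSN: blob}}
	fmt.Println("plaintext visible in raw table:", DumpContainsPlaintext(rows, secret))
	got, err := v.Open("emp-1", "ssn", rows[0].SSN)
	fmt.Println("authorised read:", got, err)
	_, err = v.Open("emp-2", "ssn", rows[0].SSN)
	fmt.Println("ciphertext moved to another row:", err)
}
```

The key never touches the Record type, which is the point of the third recommendation: an attacker who only has the database has ciphertext and no way to open it.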

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Operational Security
Describe the state of operational security at the client organization.

Vulnerabilities
Listed below are the operational security vulnerabilities discovered during the assessment. These
are considered significant and steps should be taken to address them.

There is no standard for security management


Explanation
A security standard is a document that defines and describes the process of security
management for an organization.
Risk
Without a guideline for security practices, those responsible for security may not apply
adequate controls consistently throughout the {CLIENT ORGANIZATION}.
Recommendations
• Evaluate existing security standards such as ISO 17799.
• Modify an existing standard for use within the {CLIENT ORGANIZATION}.
• Inform and train personnel on use of the standard.
• Audit information systems and procedures to ensure compliance.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Physical Security
Describe the state of physical security at the client organization.
Specifically, list the building, security perimeter, and server room vulnerabilities.


Vulnerabilities
Listed below are the physical security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them. The list is divided into a list of
vulnerabilities that relate to the building, the security perimeter, and the server rooms. The
building group contains vulnerabilities within the {CLIENT ORGANIZATION} office. The
security perimeter group includes the exterior office windows, doors, alarm system, and the
surrounding area. The server room group is specific to rooms containing server equipment.

Building Vulnerabilities

Several key doors within the building are unlocked or can be forced
open
Explanation
There are several important doors in the interior {CLIENT ORGANIZATION} office
area that are normally unlocked or can be forced open even when locked. The door to the
utility room is a hollow core wooden door with no lock. The utility room contains the
wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system
box. The room containing the modem pool is normally open and unlocked. The system
administrator’s office containing the office file and web server is usually unlocked and
open.
Risk
These doors protect valuable assets of the {CLIENT ORGANIZATION}. A determined
attacker, thief, or disgruntled employee could get through these important doors with
minimal effort to steal and/or destroy.
Recommendations
• Replace current doors with stronger fire doors.
• Replace existing door hardware with high security locks.
• Weld exterior hinge pins in place.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.


Security Perimeter Vulnerabilities

There is no entryway access control system


Explanation
An entryway access control system limits physical access to a secure area to authorized
personnel holding the correct PIN or access card. These systems have either a
control panel where a correct PIN must be entered before entry is allowed or a
unique access card (contact or contactless) for each person to enter. Advanced systems
log each entry of personnel into the secure area.
Risk
There are several risks in not having an entryway access control system.
• Unauthorized people can enter secure areas unescorted.
• There is no record of personnel entries into secure areas.
• It is not possible to disable access for a specific person.
Recommendations
• Evaluate available and suitable entryway access systems.
• Develop appropriate procedures for assigning and removing access.
• Install an appropriate system and assign access rights.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Server Area Vulnerabilities

The backup media are not protected from fire, theft, or damage
Explanation
The backup media are stored near the backup system on an open shelf in the server area.
The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a
fire. If a system or data must be recovered, the media may not be available or functional
when needed.
Risk
The operation of the {CLIENT ORGANIZATION} can be impacted if the backup media
are not available due to theft, damage, or fire.

Recommendations
• Purchase and install a lockable, fireproof media safe. Secure it to the floor and/or
wall.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks in not having {this vulnerability}.
• {Provide a list of risks.}
Recommendations
• {Provide a list of recommendations}.

Summary
Summarize the report findings.

Action Plan
Provide an action plan that lists steps to be taken to improve security at the client organization.

References
Anderson, R. Security Engineering: A Guide to Building Dependable Distributed Systems.
Indianapolis: John Wiley & Sons, 2001.
Archer, Tom and Whitechapel, Andrew. Inside C#. Redmond: Microsoft Press, 2002.
Deraison, Renaud. The Nessus Security Scanner. http://www.nessus.com/
Garfinkel, Simson, Spafford, Eugene H., and Schwartz, Alan. Practical Unix & Internet Security,
3rd Edition. Sebastopol: O’Reilly, 2003.
Gordon, Lawrence, Loeb, Martin, Lucyshyn, William, and Richardson, Robert. “2004 CSI/FBI
Computer Crime and Security Survey.” San Francisco: Computer Security Institute, 2004.
International Standards Organization, International Electrotechnical Commission. Information
technology — Code of practice for information security management. ISO/IEC 17799:2000(E).
Switzerland: ISO/IEC, 2001.
Open Web Application Security Project. “The Ten Most Critical Web Application Security
Vulnerabilities – 2004 Update.” OWASP, 2004. http://www.wasp.org/documentation/topten.html
Peltier, Thomas R. Information Security Risk Analysis. Boca Raton: CRC Press, 2001.
Public Law No. 100-235. The Computer Security Act of 1987.
Stoneburner, Gary, Goguen, Alice, and Feringa, Alexis. “Risk Management Guide for
Information Technology Systems.” NIST Special Publication 800-30. National Institute of
Standards and Technology, 2001.
Stoneburner, Gary, Hayden, Clark, and Feringa, Alexis. “Engineering Principles for Information
Technology Security (A Baseline for Achieving Security).” NIST Special Publication 800-27 Rev
A. National Institute of Standards and Technology, 2004.
Swiderski, Frank and Snyder, Window. Threat Modeling. Redmond: Microsoft Press, 2004.
United States Department of Agriculture. “USDA Information Systems Security Policy.” USDA
3140-001. Washington: USDA, 1996.
Viega, John and McGraw, Gary. Building Secure Software. Indianapolis: Addison-Wesley, 2002.
Wood, Charles C., Banks, William W., Guarro, Sergio B., Garcia, Abel A., Hampel, Victor E.,
and Sartorio, Henry P. Computer Security. New York: Wiley, 1987.
Zwicky, Elizabeth D., Cooper, Simon, and Chapman, D. Brent. Building Internet Firewalls, 2nd
Edition. Sebastopol: O’Reilly, 2000.

Common Cyber Attacks: Reducing The Impact

Contents
Introduction 3

Part 1: The Threat Landscape 4
Commodity vs bespoke capabilities 4
Un-targeted attacks 5
Targeted attacks 5
Every organisation is a potential victim 6

Part 2: Understanding Vulnerabilities 7
Flaws 7
Features 7
User error 7

Part 3: Common Cyber Attacks - Stages and Patterns 8
Stages of an attack 8
Survey 8
Delivery 9
Breach 9
Affect 9

Part 4: Reducing Your Exposure to Cyber Attack 10
Breaking the attack pattern 10
Reducing your exposure using essential security controls 10
Mitigating the stages of an attack 11
Mitigating the survey stage 11
Mitigating the delivery stage 11
Mitigating the breach stage 12
Mitigating the affect stage 12
I’ve been attacked, what do I do? 12
Closing word: raising your cyber defences 12

Case Studies 13
Case study 1: Espionage campaign against the UK energy sector 13
Case study 2: Hundreds of computers infected by remote access malware 14
Case study 3: Spear-phishing attack targets system administrator ......................................................................... 15

Common Cyber Attacks: Reducing The Impact Page 2 of 17


Introduction
Your organisation’s computer systems - and the information they hold - can be compromised in many ways.
It may be through malicious or accidental actions, or simply through the failure of software or electronic
components. And whilst you need to consider all of these potential risks, it is malicious attack from the
Internet that is hitting the headlines and damaging organisations.
The 2014 Information Security Breaches Survey1 found that 81% of large companies had reported some form
of security breach, costing each organisation on average between £600,000 and £1.5m. These findings are
supported by almost daily stories of large scale cyber incidents, such as the Gameover ZeuS botnet. As the
Director of GCHQ, Robert Hannigan, says in his 2015 foreword to the republished 10 Steps to Cyber Security,
“In GCHQ we continue to see real threats to the UK on a daily basis, and I’m afraid the scale and rate of these
attacks shows little sign of abating.”
As the National Technical Authority for Information Assurance, GCHQ believe that understanding the
capabilities behind these attacks, the vulnerabilities they exploit, and how they are exploited is central to
your organisation’s ability to defend itself against them. Security professionals often focus on the security
mechanisms or controls employed without explaining why they are needed, and what they mitigate.
Understanding these details can help you make conscious risk management judgements to ensure that the
required controls are pragmatic, cost effective and appropriate - and actually protect your business.
Common Cyber Attacks: Reducing The Impact has been produced by CESG (the Information Security Arm of
GCHQ) with CERT-UK, and is aimed at all organisations who are vulnerable to attack from the Internet. The
paper helps CEOs, boards, business owners and managers to understand what a common cyber attack looks
like. Using real case studies where the attackers used readily available off-the-shelf tools and techniques, it
provides a rationale for establishing basic security controls and processes (such as those set out in the Cyber
Essentials Scheme2). Understanding these attacks can help you manage the most common cyber risks faced
by your organisation.
More specifically, this paper covers:
- the threat landscape - the types of attackers, their motivations and their technical capabilities
- vulnerabilities - what are they, and how are they exploited?
- cyber attacks, stages and patterns - what is the ‘typical’ structure of a cyber attack?
- reducing the impact of an attack - what controls are needed to reduce the impact of common cyber
attacks?
- case studies - real world examples that demonstrate how cyber attacks have caused financial and
reputational damage to major UK businesses
Note: There are far more comprehensive case studies and more detailed technical information openly
available on the Internet; the case studies in this paper have been simplified to demonstrate where and how
basic controls could have reduced the extent or the impact of the attack. That is, this paper is not intended
to be a comprehensive review of sophisticated or persistent attacks.

1 www.gov.uk/government/publications/information-security-breaches-survey-2014
2 www.gov.uk/government/publications/cyber-essentials-scheme-overview



Part 1: The Threat Landscape
Although computer systems can be compromised through a variety of means, GCHQ looks to understand
malicious actions and the attackers that carry them out.
The risk to information and computer assets comes from a broad spectrum of threats with a broad range of
capabilities. The impact (and therefore the harm) on your business will depend on the opportunities you
present to an attacker (in terms of the vulnerabilities within your systems), the capabilities of the attackers
to exploit them, and ultimately their motivation for attacking you.
For example, an easily guessed password to an online account takes very little technical capability to
exploit. With a little more technical knowledge, attackers can also use tools that are readily available on the
internet. They can also bring resources (people or money) to bear in order to discover new vulnerabilities.
These attackers will go on to develop bespoke tools and techniques to exploit them; such vulnerabilities
enable them to bypass the basic controls provided by schemes like Cyber Essentials. To protect against these
bespoke attacks will require you to invest in a more holistic approach to security, such as that outlined in
the 10 Steps to Cyber Security.
The motivation of an attacker can vary from demonstrating their technical prowess for personal kudos,
financial gain, commercial advantage, political protest; through to economic or diplomatic advantage for
their country. Whilst attackers may have the capability and the motivation, they still need an opportunity to
deliver a successful attack. You have no control over their capabilities and motivations, but you can make it
harder for attackers by reducing your vulnerabilities.

TECHNICAL FOCUS: RISK
In cyber security terms, risk is the potential for a threat (a person or thing that is likely to cause damage) to
exploit a vulnerability (a flaw, feature or user error) that may result in some form of negative impact.

WHO MIGHT BE ATTACKING YOU?
- Cyber criminals interested in making money through fraud or from the sale of valuable information.
- Industrial competitors and foreign intelligence services, interested in gaining an economic advantage for
their companies or countries.
- Hackers who find interfering with computer systems an enjoyable challenge.
- Hacktivists who wish to attack companies for political or ideological motives.
- Employees, or those who have legitimate access, either by accidental or deliberate misuse.

Commodity vs bespoke capabilities


In this paper, we are using the terms ‘commodity’ and ‘bespoke’ to characterise the capabilities attackers
can employ.
Commodity capability involves tools and techniques openly available on the Internet (off-the-shelf) that are
relatively simple to use. This includes tools designed for security specialists (such as system penetration
testers) that can also be used by attackers as they are specifically designed to scan for publicly known
vulnerabilities in operating systems and applications. Poison Ivy is a good example of a commodity tool; it is a
readily available Remote Access Tool (RAT) that has been widely used for a number of years.
Bespoke capability involves tools and techniques that are developed and used for specific purposes, and thus
require more specialist knowledge. This could include malicious code (‘exploits’) that take advantage of
software vulnerabilities (or bugs) that are not yet known to vendors or anti-malware companies, often
known as ‘zero-day’ exploits. It could also include undocumented software features, or poorly designed
applications. Bespoke capabilities usually become commodity capabilities once their use has been
discovered, sometimes within a few days3. By their very nature, the availability of bespoke tools is not
advertised as once released they become a commodity.

3 ‘When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities’, Tim Rains, 17 June 2014,
http://blogs.microsoft.com/cybertrust/2014/06/17/when-vulnerabilities-are-exploited-the-timing-of-first-known-exploits-for-remote-code-execution-vulnerabilities
‘Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World’, Leyla Bilge and Tudor Dumitras, CCS ’12, 16-18 October 2012,
http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf



Openly available commodity capabilities are effective because basic cyber security principles, such as those
described in Cyber Essentials and 10 Steps to Cyber Security, are not properly followed. Regardless of their
technical capability and motivation, commodity tools and techniques are frequently what attackers turn to
first.
In section 2 we will look in more detail at the vulnerabilities that attackers exploit using both commodity and
bespoke capabilities.

Un-targeted attacks

In un-targeted attacks, attackers indiscriminately target as many devices, services or users as possible. They
do not care about who the victim is as there will be a number of machines or services with vulnerabilities. To
do this, they use techniques that take advantage of the openness of the Internet, which include:
- phishing - sending emails to large numbers of people asking for sensitive information (such as bank
details) or encouraging them to visit a fake website
- water holing - setting up a fake website or compromising a legitimate one in order to exploit visiting users
- ransomware - which could include disseminating disk encrypting extortion malware
- scanning - attacking wide swathes of the Internet at random

Targeted attacks

In a targeted attack, your organisation is singled out because the attacker has a specific interest in your
business, or has been paid to target you. The groundwork for the attack could take months so that they can
find the best route to deliver their exploit directly to your systems (or users). A targeted attack is often more
damaging than an un-targeted one because it has been specifically tailored to attack your systems, processes
or personnel, in the office and sometimes at home. Targeted attacks may include:
- spear-phishing - sending emails to targeted individuals that could contain an attachment with malicious
software, or a link that downloads malicious software
- deploying a botnet - to deliver a DDOS (Distributed Denial of Service) attack
- subverting the supply chain - to attack equipment or software being delivered to the organisation
In general attackers will, in the first instance, use commodity tools and techniques to probe your systems for
an exploitable vulnerability.

THE INSIDER THREAT
Although this paper is focussed on threats from the Internet, insiders (anyone who has legitimate access to
your systems as an employee or a contractor) should also be considered as part of a holistic security regime.
They may be motivated by personal gain or redress against grievances. An insider could simply use their
normal access to compromise your information, take advantage of unlocked computers or guessable
passwords. They could use social engineering techniques (fooling people into breaking normal security
procedures) to gain further accesses. They may even have the technical skills to use commodity tools and
techniques to become a ‘hacker within the system’, with the opportunity to cause greater damage and steal
information at will. In the worst case scenario, an insider could be working for an adversary who can develop
bespoke tools, and introduce these deep within your organisation. Assessing which (if any) of these scenarios
is likely should be a critical part of your risk assessment process.
Without appropriate training, insiders can also accidentally compromise a system or the information it holds.
So make sure that particular care is taken when evaluating all aspects of the insider threat as part of your
organisation’s overall assessment of cyber risks, referring to external guidance where required.



Every organisation is a potential victim
Before investing in defences, many organisations often want concrete evidence that they are, or will be
targeted, by specific threats. Unfortunately, in cyberspace it is often difficult to provide an accurate
assessment of the threats that specific organisations face.
However, every organisation is a potential victim. All organisations have something of value that is worth
something to others. If you openly demonstrate weaknesses in your approach to cyber security by failing to
do the basics, you will experience some form of cyber attack.
As part of your risk management processes, you should be assessing whether you are likely to be the victim
of a targeted or un-targeted attack; every organisation connected to the Internet should assume they will be
a victim of the latter. Either way, you should implement basic security controls consistently across your
organisation, and where you may be specifically targeted, ensure you have a more in-depth, holistic
approach to cyber security.



Part 2: Understanding Vulnerabilities
Vulnerabilities provide the opportunities for attackers to gain access to your systems. They can occur
through flaws, features or user error, and attackers will look to exploit any of them, often combining one or
more, to achieve their end goal.
In the context of this paper, a vulnerability is a weakness in an IT system that can be exploited by an attacker
to deliver a successful attack.

Flaws

A flaw is unintended functionality. This may either be a result of poor design or through mistakes made
during implementation. Flaws may go undetected for a significant period of time. The majority of common
attacks we see today exploit these types of vulnerabilities. In the last twelve months nearly 8,000 unique and
verified software vulnerabilities were disclosed in the US National Vulnerability Database (NVD).4

Features

A feature is intended functionality which can be misused by an attacker to breach a system. Features may
improve the user’s experience, help diagnose problems or improve management, but they can also be
exploited by an attacker.
When Microsoft introduced macros into their Office suite in the late 1990s, macros soon became the
vulnerability of choice with the Melissa worm in 1999 being a prime example. Macros are still exploited
today; the Dridex banking Trojan that was spreading in late 2014 relies on spam to deliver Microsoft Word
documents containing malicious macro code, which then downloads Dridex onto the affected system.
JavaScript, widely used in dynamic web content, continues to be used by attackers. This includes diverting
the user’s browser to a malicious website and silently downloading malware, and hiding malicious code to
pass through basic web filtering.

TECHNICAL FOCUS: VULNERABILITIES
Vulnerabilities are actively pursued and exploited by the full range of attackers. Consequently, a market has
grown in software flaws, with ‘zero-day’ vulnerabilities (that is recently discovered vulnerabilities that are
not yet publicly known) fetching hundreds of thousands of pounds.
Zero-days are frequently used in bespoke attacks by the more capable and resourced attackers. Once the
zero-days become publicly known, reusable attacks are developed and they quickly become a commodity
capability. This poses a risk to any computer or system that has not had the relevant patch applied, or
updated its antivirus software.
The ability for an attacker to find and attack software flaws or subvert features depends on the nature of the
software and their technical capabilities. Some target platforms are relatively simple to access, for example
web applications could, by design, be capable of interacting with the Internet and may provide an
opportunity for an attacker.
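The macro risk described under Features is one a mail gateway can check for mechanically, because a modern Office document is a zip package, and a macro-enabled one carries a VBA project part and declares a macro-enabled content type in its manifest. The Python check below is an added example, not code from this paper or from CESG. The sample documents it builds in memory are constructed stand-ins (the content-type strings are the real OOXML ones), and the "quarantine or allow" policy in gateway_decision is a hypothetical one for illustration.

```python
import io
import zipfile

# Constructed sample manifests. The namespace and media types are the real OOXML
# ones; the documents themselves are built in memory for this example only.
CONTENT_TYPES_PLAIN = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" ContentType="application/'
    'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
CONTENT_TYPES_MACRO = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" ContentType="application/'
    'vnd.ms-word.document.macroEnabled.main+xml"/>'
    '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    '</Types>'
)


def build_sample_doc(macro: bool) -> bytes:
    """Build a minimal OOXML-style package in memory (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES_MACRO if macro else CONTENT_TYPES_PLAIN)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # A real vbaProject.bin is an OLE compound file; a stub starting with the
            # OLE magic bytes is enough to exercise the detector.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


def macro_indicators(data: bytes) -> list[str]:
    """Return the reasons an attachment looks macro-enabled (empty list = none found).

    The check deliberately ignores the file extension: a renamed .docm is still a zip
    with a VBA part inside, so the package contents are what is inspected.
    """
    reasons: list[str] = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons  # not an OOXML package; legacy .doc/.xls need a separate OLE check
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                reasons.append(f"VBA project part present: {name}")
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
        except KeyError:
            ctypes = ""
        if "macroenabled" in ctypes:
            reasons.append("macroEnabled content type declared")
        if "vnd.ms-office.vbaproject" in ctypes:
            reasons.append("vbaProject content type declared")
    return reasons


def gateway_decision(data: bytes) -> str:
    """Hypothetical gateway policy: quarantine macro-bearing Office files, allow the rest."""
    return "quarantine" if macro_indicators(data) else "allow"


if __name__ == "__main__":
    for label, doc in (("plain", build_sample_doc(False)), ("macro", build_sample_doc(True))):
        print(label, gateway_decision(doc), macro_indicators(doc))
```

Two design points: the three indicators are checked independently, so a package that has been tampered with to remove one of them (for example the content-type override) is still flagged by the others; and non-zip input is returned as "no indicators" rather than "safe", because a legacy binary .doc must be handled by a different check rather than silently passed.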
User error
A computer or system that has been carefully designed and implemented can minimise the vulnerabilities of
exposure to the Internet. Unfortunately, such efforts can be easily undone (for example by an inexperienced
system administrator who enables vulnerable features, fails to fix a known flaw5, or leaves default passwords
unchanged).
More generally, users can be a significant source of vulnerabilities. They make mistakes, such as choosing a
common or easily guessed password, or leave their laptop or mobile phone unattended. Even the most
cyber aware users can be fooled into giving away their password, installing malware, or divulging information
that may be useful to an attacker (such as who holds a particular role within an organisation, and their
schedule). These details would allow an attacker to target and time an attack appropriately.

4 https://nvd.nist.gov/
5 Fixes such as applying software patches, removing detected malware and updating device configuration to address issues detected through vulnerability scanning



Part 3: Common Cyber Attacks - Stages and Patterns
Regardless of whether an attack is targeted or un-targeted, or the attacker is using commodity or bespoke
tools, cyber attacks have a number of stages in common. Some of these will meet their goal whilst others
may be blocked. An attack, particularly if it is carried out by a persistent adversary, may consist of repeated
stages. The attacker is effectively probing your defences for weaknesses that, if exploitable, will take them
closer to their ultimate goal. Understanding these stages will help you to better defend yourself.

Stages of an attack
A number of attack models describe the stages of a cyber attack (the Cyber Kill Chain® produced by
Lockheed Martin is a popular example6). We have adopted a simplified model in this paper that describes the
four main stages present in most cyber attacks:
- Survey - investigating and analysing available information about the target in order to identify potential
vulnerabilities
- Delivery - getting to the point in a system where a vulnerability can be exploited
- Breach - exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access
- Affect - carrying out activities within a system that achieve the attacker’s goal

Survey

Attackers will use any means available to find technical, procedural or physical vulnerabilities which they can
attempt to exploit.
They will use open source information such as LinkedIn and Facebook, domain name management/search
services, and social media. They will employ commodity toolkits and techniques, and standard network
scanning tools to collect and assess any information about your organisation’s computers, security systems
and personnel.
User error can also reveal information that can be used in attacks. Common errors include:
- releasing information about the organisation’s network on a technical support forum
- neglecting to remove hidden properties from documents such as author, software version and file save
locations
Attackers will also use social engineering (often via social media) to exploit user naivety and goodwill to
elicit further, less openly available information.

TECHNICAL FOCUS: SURVEY
The default settings of computer systems can reveal a lot of useful information about the software running
on them, and how they are configured. They can broadcast a range of network protocols and
communications channels that can be exploited if they aren’t removed.
The attacker will point network scanning tools at your network to try and identify any of the following:
- open ports
- open services
- default settings
- vulnerable applications and operating systems
- the makes and models of your network equipment

6 The Lockheed Martin Cyber Kill Chain® can be found at www.lockheedmartin.co.uk/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html



Delivery
During the delivery stage, the attacker will look to get into a position where they can exploit a vulnerability
that they have identified, or they think could potentially exist. Examples include:
- attempting to access an organisation’s online services
- sending an email containing a link to a malicious website or an attachment which contains malicious code
- giving an infected USB stick away at a trade fair
- creating a false website in the hope that a user will visit
The crucial decision for the attacker is to select the best delivery path for the malicious software or
commands that will enable them to breach your defences. In the case of a DDOS attack, it may be sufficient
for them to make multiple connections to a computer in order to prevent others from accessing it.

Breach

The harm to your business will depend on the nature of the vulnerability and the exploitation method. It may
allow them to:
- make changes that affect the system’s operation
- gain access to online accounts
- achieve full control of a user’s computer, tablet or smartphone
Having done this, the attacker could pretend to be the victim and use their legitimate access rights to gain
access to other systems and information.

TECHNICAL FOCUS: BREACH
With the great variety of potential vulnerabilities in any IT system, there is a similar diversity in the often
highly technical and innovative mechanisms used to exploit them. Although attackers continue to develop
novel techniques to exploit vulnerabilities, attackers are ultimately successful due to an unfixed flaw,
misused feature or user error.
Some types of attack are much more obvious or easier to detect than others. DDOS attacks are often quickly
noticed by system users, as they struggle to access or simply cannot use the targeted service. On the other
hand, most malware is designed to be stealthy, hiding from users and detection mechanisms alike.

Affect

Depending on their motivation, the attacker may seek to explore your systems, expand their access and
establish a persistent presence (a process sometimes called ‘consolidation’). Taking over a user’s account
usually guarantees a persistent presence. Taking over an administrator’s account is an attacker’s Holy Grail.
With administration access to just one system, they can try to install automated scanning tools to discover
more about your networks and take control of more systems. When doing this they will take great care not
to trigger the system’s monitoring processes and they may even disable them for a time.
Determined and undetected attackers continue until they have achieved their end goals. Depending on their
objectives, the activities they aim to carry out on your systems will differ, but they can include:
- retrieving information they would otherwise not be able to access, such as intellectual property or
commercially sensitive information
- making changes for their own benefit, such as creating payments into a bank account they control
- disrupting normal business operation, such as overloading the organisation’s internet connection so they
cannot communicate externally, or deleting the whole operating system from users’ computers
After achieving their objectives, the more capable attacker will exit, carefully removing any evidence of their
presence. Or they could create an access route for future visits by them, or for others they have sold the
access to. Equally, some attackers will want to seriously damage your system or make as much ‘noise’ as
possible to advertise their success.



Part 4: Reducing Your Exposure to Cyber Attack
Preventing, detecting or disrupting the attack at the earliest opportunity limits the business impact and the
potential for reputational damage. Once the attacker has consolidated their presence they will be more
difficult to find and remove.
Breaking the attack pattern

Even though it’s normally the most motivated attackers who have the persistence to carry out multiple stage
attacks, they will frequently do this using commodity tools and techniques, which are cheaper and easier for
them to use. So putting in place security controls and processes that can mitigate these will go some way to
making your business a hard target. Equally, adopting a defence-in-depth7 approach to mitigate risks
through the full range of potential attacks will give your business more resilience to cope with attacks that
use more bespoke tools and techniques.

Reducing your exposure using essential security controls

TECHNICAL FOCUS: SECURE CONFIGURATION
For broader guidance on a range of specific technologies (such as Bring Your Own Device, Cloud Security,
and End User Device Security & Configuration), please visit the following site:
https://www.gov.uk/government/organisations/cesg

Fortunately, there are effective and affordable ways to reduce your organisation’s exposure to the more
common types of cyber attack on systems that are exposed to the Internet. The following controls are
contained in the Cyber Essentials, together with more information about how to implement them:
- boundary firewalls and internet gateways - establish network perimeter defences, particularly web proxy,
web filtering, content checking, and firewall policies to detect and block executable downloads, block access
to known malicious domains and prevent users’ computers from communicating directly with the Internet
- malware protection - establish and maintain malware defences to detect and respond to known attack
code
- patch management - patch known vulnerabilities with the latest version of the software, to prevent attacks
which exploit software bugs
- whitelisting and execution control - prevent unknown software from being able to run or install itself,
including AutoRun on USB and CD drives
- secure configuration - restrict the functionality of every device, operating system and application to the
minimum needed for business to function8
- password policy - ensure that an appropriate password policy is in place and followed
- user access control - include limiting normal users’ execution permissions and enforcing the principle of
least privilege9
If your organisation is likely to be targeted by a more technically capable attacker, give yourself greater
confidence by putting in place these additional controls set out in the 10 Steps to Cyber Security:
- security monitoring - to identify any unexpected or suspicious activity
- user training, education and awareness - staff should understand their role in keeping your organisation
secure and report any unusual activity

7 Strengthened security achieved by establishing multiple layers of security mechanisms


8 For broader guidance on secure configuration see the following publications:
Cloud Security Principles, www.gov.uk/government/collections/cloud-security-guidance
End user devices security and configuration guidance, www.gov.uk/government/collections/end-user-devices-security-guidance
Bring Your Own Device Guidance, www.gov.uk/government/collections/bring-your-own-device-guidance
9 Applying only those privileges to a user account that are essential to that user's work



- security incident management - put plans in place to deal with an attack as an effective response will
reduce the impact on your business
The 10 Steps to Cyber Security sets out the features of a complete cyber risk management regime. There are
many effective and comprehensive schemes and open standards that your organisation can apply to support
a defence-in-depth strategy, if this approach isn’t already implemented.

Mitigating the stages of an attack


We’ll look at each stage of an attack in turn, and highlight where the basic security controls mitigate the
activities that take place.

Mitigating the survey stage


Any information which is published for open consumption should be systematically filtered before it is
released to ensure that anything of value to an attacker (such as software and configuration details, the
names/roles/titles of individuals and any hidden data10) is removed.
User training, education and awareness is important. All your users should understand how published
information about your systems and operation can reveal potential vulnerabilities. They need to be aware of
the risks of discussing work-related topics on social media, and the potential for them to be targeted by
phishing attacks. They should also understand the risks to the business of releasing sensitive information in
general conversations, unsolicited telephone calls and email recipients. The Centre for the Protection of the
National Infrastructure (CPNI) have published a guide to online reconnaissance to help put into place the
most effective social engineering mitigations11.
Secure Configuration can minimise the information that Internet-facing devices disclose about their
configuration and software versions, and ensures they cannot be probed for any vulnerabilities.

TECHNICAL FOCUS: CiSP
The Cyber-security Information Sharing Partnership (CiSP), part of CERT-UK, is a joint industry-government
initiative to share cyber threat and vulnerability information. It does this in order to increase overall
situational awareness of the cyber threat, and therefore reduce the impact of cyber threat on UK businesses.
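The ‘hidden data’ this section asks you to filter out before publication (author names, usernames, application versions, template paths) lives in the docProps parts of an Office package, and it can be removed mechanically as a release step. The Python routine below is an added example, not code from this paper or from CESG or CPNI. The document it operates on is a constructed in-memory sample carrying typical property values (the namespace URIs are the real OOXML ones); the lists of properties treated as sensitive are this example's own choice and would be tuned to an organisation's policy.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespaces for the core and extended (application) property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Properties this example blanks before release (an assumed policy, not the paper's).
CORE_SENSITIVE = ["dc:creator", "cp:lastModifiedBy", "dc:description", "cp:keywords"]
APP_SENSITIVE = ["ep:Application", "ep:AppVersion", "ep:Company", "ep:Template"]


def build_sample_doc() -> bytes:
    """Constructed .docx-style package with the kind of hidden data a survey would harvest."""
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:title>Q3 plan</dc:title><dc:creator>j.smith</dc:creator>'
        '<cp:lastModifiedBy>CORP\\a.jones</cp:lastModifiedBy></cp:coreProperties>'
    ) % (NS["cp"], NS["dc"])
    app = (
        '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
        '<AppVersion>16.0000</AppVersion><Company>Example Ltd</Company>'
        '<Template>\\\\fileserver\\templates\\corp.dotx</Template></Properties>'
    ) % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def _blank_elements(root: ET.Element, qnames: list[str]) -> list[str]:
    """Clear the text of each listed element found under root; return what was removed."""
    removed = []
    for q in qnames:
        prefix, local = q.split(":")
        el = root.find(f"{prefix}:{local}", NS)
        if el is not None and el.text:
            removed.append(f"{q}={el.text}")
            el.text = ""
    return removed


def strip_hidden_properties(data: bytes) -> tuple[bytes, list[str]]:
    """Return a copy of the package with sensitive properties blanked, plus an audit list."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)  # keep readable prefixes on re-serialisation
    removed: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            targets = {"docProps/core.xml": CORE_SENSITIVE, "docProps/app.xml": APP_SENSITIVE}
            if item.filename in targets:
                root = ET.fromstring(payload)
                removed += _blank_elements(root, targets[item.filename])
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, payload)  # every other part is copied unchanged
    return out.getvalue(), removed


def visible_properties(data: bytes) -> dict[str, str]:
    """Read back the non-empty properties a recipient could see (used to verify the result)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part, qnames in (("docProps/core.xml", CORE_SENSITIVE + ["dc:title"]),
                             ("docProps/app.xml", APP_SENSITIVE)):
            root = ET.fromstring(zf.read(part))
            for q in qnames:
                prefix, local = q.split(":")
                el = root.find(f"{prefix}:{local}", NS)
                if el is not None and el.text:
                    found[q] = el.text
    return found


if __name__ == "__main__":
    cleaned, audit = strip_hidden_properties(build_sample_doc())
    print("removed:", audit)
    print("remaining:", visible_properties(cleaned))
```

The audit list is returned rather than just logged so a release pipeline can record what was stripped from each file; the title is deliberately kept, since the point is to remove data useful to an attacker (who wrote the file, on which template path, with which software version), not to blank the document.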

Mitigating the delivery stage


The delivery options available to an attacker can be significantly diminished by applying and maintaining a
small number of security controls, which are even more effective when applied in combination.
Up-to-date malware protection may block malicious emails and prevent malware being downloaded from
websites. Firewalls and proxy servers can block unsecure or unnecessary services and can also maintain a list
of known bad websites. Equally, subscribing to a website reputation service to generate a blacklist of
websites could also provide additional protection.
A technically enforced password policy will prevent users from selecting easily guessed passwords and lock
accounts after a specified number of failed attempts. Additional authentication measures for access to
particularly sensitive corporate or personal information should also be in place.
Secure configuration limits system functionality to the minimum needed for business operation and should
be systematically applied to every device that is used to conduct business.
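To show what "technically enforced" means for the lockout part of the password policy described above, here is an added Python example (not from the original guidance): failed logins are counted per account within a sliding window, the account is locked for a fixed period once the threshold is reached, and a correct password presented during the lockout is still refused. The thresholds, the injectable clock and the short denylist of guessable passwords are assumptions made for the example.

```python
import time
from collections import deque

# Constructed sample denylist of guessable passwords; a real policy uses a far larger list.
COMMON_PASSWORDS = frozenset({"password", "password1", "123456", "qwerty", "letmein", "welcome1"})


def password_acceptable(password, min_length=12, denylist=COMMON_PASSWORDS):
    """Accept a new password only if it is long enough and not on the denylist."""
    return len(password) >= min_length and password.lower() not in denylist


class LockoutPolicy:
    """Count failed logins per account in a sliding window and lock the account
    for a fixed period once the threshold is reached."""

    def __init__(self, max_failures=5, window_s=900, lockout_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock            # injectable so the behaviour can be tested without waiting
        self._failures = {}           # account -> deque of failure timestamps
        self._locked_until = {}       # account -> time at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:     # lock expired: forget the old failures too
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Register one failed attempt; return True if it triggered a lockout."""
        now = self.clock()
        recent = self._failures.setdefault(account, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window_s:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)

    def attempt(self, account, password_ok):
        """Outcome of one login attempt: 'locked', 'ok' or 'failed'.
        A correct password is refused while the lock is active."""
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "failed"


if __name__ == "__main__":
    policy = LockoutPolicy(max_failures=3, window_s=60, lockout_s=120)
    for _ in range(3):
        print(policy.attempt("demo-user", False))
    print(policy.attempt("demo-user", True))   # correct password, but the account is locked
```

A time-limited lock rather than a permanent one stops a stream of bad attempts against a known user name from turning the policy into a way of keeping that user out indefinitely, and every lockout event is worth writing to the audit log, since a burst of lockouts across many accounts is itself a sign of the delivery stage in progress.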

10 ‘Metadata’: many programs automatically add metadata to files, including the author, their username and the file save location
11 ‘Online reconnaissance’, CPNI, May 2013, www.cpni.gov.uk/documents/publications/2013/2013007-online_reconnaissance.pdf?epslanguage=en-gb

Common Cyber Attacks: Reducing The Impact Page 11 of 17


Mitigating the breach stage
As with the delivery stage, the ability to successfully exploit known vulnerabilities can be effectively
mitigated with just a few controls, which are again best deployed together.
All commodity malware depends on known and predominantly patchable software flaws. Effective patch
management of vulnerabilities ensures that patches are applied at the earliest opportunity, limiting the time
your organisation is exposed to known software vulnerabilities.
Malware protection within the internet gateway can detect known malicious code in an imported item, such
as an email. These measures should be supplemented by malware protection at key points on the internal
network and on the users’ computers where available. Devices within the internet gateway should be used to
prevent unauthorised access to critical services or inherently unsecure services that may be required
internally by your organisation. Equally, the gateway should be able to detect any unauthorised inbound or
outbound connections.
Well-implemented and maintained user access controls will restrict the applications, privileges and data that
users can access. Secure configuration can remove unnecessary software and default user accounts. It can
also ensure that default passwords are changed, and any automatic features that could immediately activate
malware (such as AutoRun for media drives) are turned off.
User training, education and awareness are extremely valuable to reduce the likelihood of ‘social engineering’
being successful. However, with the pressures of work and the sheer volume of communications, you cannot
rely on this as a control to mitigate even a commodity attack.
Finally, critical to actually detecting a breach is the capability to monitor all network activity and to analyse it
to identify any malicious or unusual activity.

Mitigating the affect stage


If all the measures for the survey, delivery and breach stages are consistently in place, the majority of attacks
using commodity capability are likely to be unsuccessful. However, if your adversary is able to use bespoke
capabilities then you have to assume that they will evade them and get into your systems. Ideally, you should
have a good understanding of what constitutes ‘normal’ activity on your network, and effective security
monitoring should be capable of identifying any unusual activity.
Once a technically capable and motivated attacker has achieved full access to your systems it can be much
harder to detect their actions and eradicate their presence. This is where a full defence-in-depth strategy can
be beneficial.
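The monitoring capability the breach and affect stages call for, and which the case studies below credit with catching each infection, rests on recognising traffic that is unusual for your network. The following Python is an added example, not from the original document, of a detector for one such signal: the regular 'beacon' that remote access malware sends to its controller. It groups proxy log records by source host and destination, measures the spacing between successive connections, and flags pairs whose spacing is almost constant. The log format, the addresses and every host name in the sample are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the page). One record per line:
#   <ISO timestamp> <source IP> <destination host> <bytes sent>
# 10.0.0.15 browses normally and also contacts c2-placeholder.test every ~30 s;
# 10.0.0.22 only uses the intranet, at irregular intervals.
SAMPLE_LOG = """\
2015-03-02T09:00:00 10.0.0.15 news.example.test 840
2015-03-02T09:00:03 10.0.0.22 intranet.example.test 1200
2015-03-02T09:00:05 10.0.0.15 news.example.test 610
2015-03-02T09:00:09 10.0.0.22 intranet.example.test 980
2015-03-02T09:00:31 10.0.0.15 c2-placeholder.test 120
2015-03-02T09:00:45 10.0.0.22 intranet.example.test 1450
2015-03-02T09:01:01 10.0.0.15 c2-placeholder.test 118
2015-03-02T09:01:30 10.0.0.15 c2-placeholder.test 121
2015-03-02T09:01:50 10.0.0.22 intranet.example.test 700
2015-03-02T09:01:52 10.0.0.22 intranet.example.test 720
2015-03-02T09:02:01 10.0.0.15 c2-placeholder.test 119
2015-03-02T09:02:31 10.0.0.15 c2-placeholder.test 120
2015-03-02T09:02:40 10.0.0.15 news.example.test 2200
# log rotated
2015-03-02T09:03:00 10.0.0.15 c2-placeholder.test 122
2015-03-02T09:03:02 10.0.0.15 news.example.test 900
2015-03-02T09:03:10 10.0.0.22 intranet.example.test 650
2015-03-02T09:03:31 10.0.0.15 c2-placeholder.test 120
2015-03-02T09:04:01 10.0.0.15 c2-placeholder.test 118
2015-03-02T09:04:40 10.0.0.22 intranet.example.test 1100
"""


def parse_log(text):
    """Yield (timestamp, source, destination); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            stamp = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield stamp, parts[1], parts[2]


def find_beacons(log_text, min_hits=6, max_cv=0.2, allowlist=frozenset()):
    """Return [(source, destination, hits, mean_gap_s, cv)] for connection pairs whose
    inter-connection gaps are suspiciously regular.

    cv is the coefficient of variation (standard deviation / mean) of the gaps;
    human browsing produces a large cv, a timer-driven beacon a very small one."""
    times = defaultdict(list)
    for stamp, src, dst in parse_log(log_text):
        times[(src, dst)].append(stamp)

    findings = []
    for (src, dst), stamps in times.items():
        if dst in allowlist or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((src, dst, len(stamps), round(avg, 1), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for src, dst, hits, avg, cv in find_beacons(SAMPLE_LOG):
        print("possible beacon: %s -> %s, %d connections every %.1fs (cv %.3f)" % (src, dst, hits, avg, cv))
```

Legitimate timer-driven traffic (software update checks, time synchronisation, monitoring agents) produces exactly the same signal, which is why the function takes an allowlist and why the text stresses knowing what 'normal' looks like first: in practice the thresholds are tuned against a baseline of your own network before the output is treated as an alert.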

I’ve been attacked, what do I do?


There is no such thing as 100% security and your organisation will probably experience some form of cyber
attack at some time. Having an effective security incident response plan can help to reduce the impact of the
attack, clean up the affected systems and get the business back up and running within a short time. Where
relevant, you should also consider the Cyber Security Incident Response services provided by CESG, CPNI and
CERT-UK.

Closing word: raising your cyber defences


The Internet can be a hostile environment. The threat of attack is ever present as new vulnerabilities are released and commodity tools are produced to exploit them. Doing nothing is no longer an option; protect your organisation and your reputation by establishing some basic cyber defences to ensure that your name is not added to the growing list of victims.



Case Studies
On a daily basis, GCHQ and CERT-UK see computer systems and the information on them being
compromised by malicious attackers. Although the motivations may vary, they nearly always use commodity
tools and techniques at some point.
The following three case studies demonstrate how effective these attacks can be to gain access to
organisations and, conversely, how widely accepted and cost-effective cyber security controls can disrupt
the different stages in the attack model we discussed earlier.
• In the first two case studies, the attackers added malicious code to legitimate websites that staff from the target companies regularly visited. This code compromised their computers, giving the attackers access to the companies’ systems.
• The final case study is an example of a single-staged attack that compromised the computer of a system administrator.
All of the mitigations listed in these case studies are covered in detail in the Cyber Essentials Scheme and the
10 Steps to Cyber Security. To reduce the risk of commodity and bespoke attacks on your business, fully
implement a comprehensive suite of cyber security controls.

Case study 1: Espionage campaign against the UK energy sector


Attackers used a technique known as a ‘watering hole’ attack to distribute malware into businesses working
in the UK energy sector. The attackers added scripts to legitimate websites frequented by energy sector
staff. Many of the websites were managed by the same web design company. Visitors’ browsers were
automatically and surreptitiously redirected to download malware from an attacker-owned server.
The malware targeted known and patchable vulnerabilities in Java, older internet browsers, and all but the
most recent versions of Microsoft Windows. The malware harvested visitors’ credentials and computer
system information, and sent this information back to the controllers via attacker-owned domains.

How it happened: the technical details


In the survey stage, the attackers discovered that a single web design company hosted a number of energy
sector businesses’ websites. Although we can’t say for sure how the attacker delivered the attack to breach
the site, they may have infiltrated the web design company’s networks by masquerading as a legitimate user
with credentials stolen through successful spear-phishing, or by exploiting an unpatched vulnerability on the
web server.
The attacker compromised the web server and then added code12 which caused their own website to be
loaded whenever the legitimate website was visited. The delivery stage then involved the attacker’s website
delivering the malicious code to the victims’ computers. The unpatched browsers were breached through
known software flaws in Java and common internet browsers.
The attacker’s website installed a Remote Access Tool (RAT) on the visitor’s computer, disguised as a
common type of web application script. The malware then started communicating with the attacker-owned
domains by sending ‘beacons’ to show it was active and to request commands from the attackers. The
malware was designed to capture system information, user keystrokes and clipboard contents to enable the
attackers to consolidate their position as they moved towards affecting their target. However, security
monitoring of network activity detected command and control messages from malware on the infected
computers, and in this case the attack was broken before it could affect the targeted businesses.

12 An ‘iframe’ was inserted to point to malicious content



We believe that these ‘watering hole’ attacks were part of a continuing espionage campaign against the UK
energy sector.

Capabilities, vulnerabilities and mitigations


The attackers used a number of commodity techniques to compromise their targets within the energy
sector. They probably gained access to the legitimate websites using automated scanning tools and exploit
kits to identify and exploit unpatched vulnerabilities, or used social engineering to take advantage of poor
user training and awareness. The script hosted on the attacker’s website exploited applications with known
software vulnerabilities to install a RAT.
Whilst the attack was spotted by security monitoring, this control is not 100% effective, as it depends heavily
on technology and skills. If the appropriate essential controls had been in place, this attack would not have
been successful. However, that's not to say they wouldn't have kept on trying by using different techniques.
The most effective mitigations against this attack (both at the website and within the victim organisation)
would have been:
• network perimeter defences - deploying a web proxy, web filtering, content checking, and firewall policies could have prevented executable downloads and access to known malicious domains on the Internet
• malware protection defences - might have detected the commodity attack code used to exploit the victims’ browsers
• patching the known software flaws - would have prevented the script from being successful and the malware from running
• whitelisting and execution control - would have prevented any unknown software from being able to run or install itself
• user access control - could have restricted the malware’s capabilities
• security monitoring - in this case did identify the suspicious activity

Case study 2: Hundreds of computers infected by remote access malware


This widespread compromise of a large UK company’s internal network originated from an exploit hosted on
their externally-managed corporate website. This was achieved as a result of poor security practices by the
website provider. The attackers used a commonly available RAT to gain information about the internal
network and control a number of computers. The widespread malware infection took extensive effort to
eradicate and remediate.

How it happened: the technical details


As part of their survey of the victim’s network and services, attackers discovered that the corporate website
was hosted by a service provider, and it contained a known vulnerability. In the survey stage of the attack on
the service provider, the attackers exploited this vulnerability to add a specialised exploit delivery script to
the corporate website.
The script compared the IP addresses of the website’s visitors against the IP range used by the company. It
then infected a number of computers within the company, taking advantage of a known software flaw, to
download malware to the visitor’s computer within a directory that allowed file execution.
Over 300 computers were infected during the delivery stage with remote access malware. The malware then
beaconed and delivered network information to attacker-owned domains. The attackers were eventually
detected early in the affect stage. By this time they had installed further tools and were consolidating their
position, carrying out network enumeration and identifying high value users.



Whilst the compromise was successful, it was detected through network security monitoring, and a well-
defined incident response plan made it possible to investigate the incident using system and network logs,
plus forensic examinations of many computers.
To eradicate the discovered infection it was necessary, at great cost, to return the computers to a known
good state. Further investigation was also required to identify any further malware that could be used to
retain network access. To prevent further attacks through the same route, the contract terms with the
website provider needed to be renegotiated, to ensure they had similar security standards to the targeted
organisation.

Capabilities, vulnerabilities and mitigations


The attackers used a combination of automated scanning tools, exploit kits and technology-specific attacks
to compromise the organisation. They took advantage of a known software flaw and the trust relationship
between the company and its supplier.
The intensive and costly investigation and remediation of the compromise could have been averted by more
effective implementation of the following cyber security controls:
• patching - the corporate website would not have been compromised, nor would the malware download script have succeeded, had patching on both the web server and users’ computers been up to date
• network perimeter defences - the malware could have been prevented from being downloaded and the command and control might not have succeeded with the use of two-way web filtering, content checking and firewall policies (as part of the internet gateway structure)
• whitelisting and execution control - unauthorised executables such as the exploration tools would have been unable to run if the company’s corporate computers were subject to whitelisting and execution control (this could also prevent applications from being able to run from the temporary or personal profile folders)
• security monitoring - may have detected the compromise at an earlier stage

Case study 3: Spear-phishing attack targets system administrator


A system administrator within a high profile UK organisation was successfully spear-phished and
unknowingly installed a RAT. Taking advantage of the user’s privileged permissions, the attackers were able
to exfiltrate13 information about the network and details for multiple business-critical systems.
Fortunately, the compromise was restricted to one computer, and it was detected and effectively
investigated as appropriate security monitoring and logging were in place. Identifying and mitigating the lost
information impacted the availability of the system to the business and required extensive support from
external forensic and technical architecture specialists.

How it happened: the technical details


The attackers identified the system administrator and their personal subjects of interest. They crafted and
delivered a socially-engineered email to the administrator’s personal email address. Accessing personal
webmail from the admin computer, the administrator read the phishing email and downloaded a Trojanised
document from a file sharing service containing the first stage malware.

13 The unauthorised transfer of data from a computer



When the Trojanised file was opened, the user was prompted to run an executable which then breached the
defences and installed the first stage malware onto the system. The attacker exploited poor security
awareness by repeatedly requesting approval to run until the administrator finally clicked ‘OK’. Unpacking
itself silently into a temporary folder, this first stage malware hid itself as a legitimate file and changed the
system to ensure it continued to run between reboots of the computer. Once installed, it started
communicating with attacker-controlled domains.
After a number of days, the initial malware downloaded a second stage executable (the RAT) and a
configuration file. To discover more about the victim organisation, the attackers configured the malware to
exfiltrate captured screenshots. Data was covertly delivered for nearly a week until the transfers were
detected. The domains were then blocked and the machine was disconnected from the network for forensic
analysis.
The compromise was detected before any significant damage could be done. However, the investigation and
clean-up operation required the assistance of industry experts and disrupted the day-to-day operation of the
organisation.

Capabilities, vulnerabilities and mitigations


The information to identify the system administrator and topics of interest to socially engineer the spear-phish was likely to have been derived from surveying publicly available information. The clean-up operation could have been averted by more effective implementation of the following cyber security controls:
• user training, education and awareness - would have ensured staff understood how personal information can be openly accessed, and made them suspicious of unsolicited email with unexpected attachments and of being asked to run executable files
• user access controls - enforcing these on the basis of least privilege, for high risk activities (such as web browsing), could help to protect privileged accounts; allowing completely open browsing from the admin computer was the critical security weakness
• network perimeter defences - the Trojan and the delivery stage executable should have been detected and blocked by firewall policies, a filtering web proxy or corporate malware protection software, none of which were implemented on the system administration computer
• secure configuration - would have prevented such malware from being able to run



Disclaimer
This document has been produced jointly by GCHQ and Cert-UK. It is not intended to be an exhaustive guide
to potential cyber threats, is not tailored to individual needs and is not a replacement for specialist advice.
Users should ensure they take appropriate specialist advice where necessary.
This document is provided without any warranty or representation of any kind whether express or implied.
The government departments involved in the production of this document cannot therefore accept any
liability whatsoever for any loss or damage suffered or costs incurred by any person arising from the use of
this document.
Findings and recommendations in this document have not been provided with the intention of avoiding all
risks and following the recommendations will not remove all such risks. Ownership of information risks
remains with the relevant system owner at all times.
Crown Copyright 2015



International Case Report On Cyber Security Incidents
Reflections on three cyber incidents in the Netherlands, Germany and Sweden
Preface
As cyber incidents are increasing worldwide, the protection of the functionality of IT
systems, particularly if they are critical or vital to our societies, is high on the political
agenda. Enhancing cybersecurity – both in the public and in the private sector – is of
crucial importance for the future.

It has become a well-cited truism that these increasing threats do not stop at state borders. On the other hand, international co-operation in fighting against cyber-attacks and cyber-incidents appears to be in its infancy, compared to law enforcement efforts against physical crime.

Frequently, both the actual perception of an IT or cyber incident and the initial response to it take place at a national level, either by private stakeholders or by state authorities. Hence, the editors of this study consider it worthwhile to share with our readers reflections and lessons learned from three cases from the Netherlands, Germany, and Sweden, which were dealt with mainly, but not exclusively, within these countries. The cyber incidents described differ in scope, in the damage caused, and in many other aspects, but they have in common that their impact on society was considerable, even though, on a technical level, these incidents were not very complex. Also, as a consequence of the networks involved, these incidents escalated quickly, which put great emphasis on incident response. In two of the cases, the identities of the (possible) attackers have not as yet been revealed (in the Tieto case there was no attack).

Hence, one lesson to be learned, as it were a priori, is that coping with cyber-attacks and
cyber incidents always involves some degree of uncertainty. The publication of this case
study, therefore, aims at providing transparency of past events as a starting point for
preventive measures against future cyber threats. The report is a joint effort of three
authorities: the National Cyber Security Centre (NCSC) in the Netherlands, the Bundesamt
für Sicherheit in der Informationstechnik (BSI) in Germany, and the Swedish Civil
Contingencies Agency (Myndigheten för samhällsskydd och beredskap, MSB).

Wilma van Dijk, Director Cyber Security, Ministry of Security and Justice.
Andreas Könen, Vicepresident, Federal Office for Information Security.
Nils Svartz, Deputy Director-General, Swedish Civil Contingencies Agency.

International Case Report On Cyber Security Incidents | 3


Introduction
If we have learned one thing during the past decade, it is that cyber security is a complex
affair. During this decade, we have seen many things go wrong in the digital domain.
These incidents have left us much more experienced, but also a little confused. Where
do we go from here? In this International Trend Report, three European national CERTs
(Computer Emergency Response Teams) share some of their experiences of recent years
by means of three case studies. The central theme for all cases is ‘Trust’: the need for
it, and possibly the lack of it in the digital world. The Swedish national CERT, MSB, has
contributed a case involving an availability disruption at IT operations provider Tieto.
BSI, the German national CERT, describes the events during a DoS amplification attack
on a major telecommunications provider in Germany. The contribution of the NCSC, the
national CERT of the Netherlands, is a case on the DigiNotar crisis, which also had far-
reaching international repercussions.

All three cases share certain characteristics. They all focus on the vital infrastructure
of their country. They all affected not just one, but a whole network of organisations
in their country. In each case, trust was lacking or was lowered after the incident. The
Swedish case stands out because it focuses on non-intentional disturbance of vital
infrastructure. The German case is about a deliberate attack to deny the availability of a
telecommunications provider and the consequences of such an attack. The Dutch case,
the hack of DigiNotar, was a deliberate act, but it probably was not the ultimate goal of
the attacker to hack into DigiNotar. The attacker used forged certificates from DigiNotar
to eavesdrop on other citizens in different countries.

It is hard to reach an effective level of trust in the digital domain. By moving so many
aspects of our lives to the digital realm, we automatically become potential victims of
extensive data breaches at digital service providers. Assurance reports, Service Level
Agreements and legal action can only do so much to reflect what is required from a digital
service provider: that they perform at a level which deserves the trust their clients place in
them.

We hope you will find benefit in reading this international publication which is the joint
effort of the national CERTs of the participating countries. Let it be a reminder of known
risks, and the medium for a message: that trust in the digital domain is not only hard to
come by, but also crucial to its success.



The system of trust in security certificates based on the integrity of certificate authorities has shown to be flawed.


The DigiNotar case
Background
Even though the DigiNotar crisis was a cyber incident with an unprecedented impact
on the Netherlands, it was not the first incident where the trust which organisations
place in their providers was undermined by a security breach at one of these providers.
Two examples: On 17 March 2011, RSA, a security company and provider of security tokens, announced that unknown parties had gained access to the company’s network. Based on the limited information that RSA released, security researcher Steve Gibson concluded that it was clear that, at a minimum, a portion of the SecurID product (a two-factor security token) was compromised. At the end of May 2011, three potentially related incidents were reported: at Lockheed Martin, at L2 and at Northrop Grumman, all American defence contractors. Although the reliability of the information available is difficult to assess, a link between these three incidents and the first attack against RSA seems extremely plausible.

A second incident took place at a business partner of Comodo, a provider of security certificates used for secure web communication. The hacker was able to obtain several
fraudulent certificates and the corresponding keys from a Comodo partner. The
certificates which were issued, included rogue certificates for Google, Microsoft, Yahoo
and Mozilla web services. After some time, responsibility for the attack was claimed by
an anonymous individual who claimed to have acted alone. Because these certificates
allowed secure internet traffic for those web sites to be intercepted, the login data of
millions of users of these services was at risk until the certificates were revoked.

In these examples, the security breach at a provider was a first step in successfully
attacking targets which depended on this provider for their security.

The DigiNotar crisis


On 27 August 2011, an Iranian internet user received an invalid certificate warning from
his browser when he visited the Gmail website. He reported this incident to Google. The
certificate was generated on 10 July 2011. During the following weeks, it became clear that
the fraudulent certificate was issued by DigiNotar, a Dutch security certificate provider,
after a successful break-in into their servers.

The important role which DigiNotar fulfils in the Netherlands is threefold. First, DigiNotar
is one of the security certificate providers for the Dutch government. Second, DigiNotar
is an issuer of certificates for the Dutch national PKI (PKIoverheid). Third, DigiNotar issues certificates for qualified signatures. The framework for qualified signatures is an
endeavour by the European Union to attach greater legal value to digital signatures. It
gradually became clear that all three of these systems had been compromised during
the break-in. This implied that trust could no longer be placed in the confidentiality or
integrity of data or communications which had been secured with a DigiNotar certificate.

Response
When DigiNotar initially noticed the break-in into their systems, they decided to keep
it a secret from the general public and the authorities. In the Netherlands, there was no
explicit legal provision which required them to report such an incident. However, judging
from the consequences of keeping this incident secret, this course of action was probably
not in the public’s best interest.

The Dutch government communicated extensively about the events at DigiNotar. However, the message varied greatly over time as more information about the break-in became clear. The PKIoverheid certificates serve as an example: as there was no initial indication that the certificate signing process for these certificates had been compromised, the government organisation Logius published a statement which declared that PKIoverheid certificates could still be trusted.

Timeline of events (2011)

17 June
Initial breach of DigiNotar systems.

17 June – 1 July
Attackers use their access to the demilitarised zone (DMZ) to break through to the internal network.

10 July
First rogue certificate is signed with the access gained.

10 – 22 July
Attackers gain access to all certificate signing systems of DigiNotar and sign at least 531 rogue certificates for at least 53 different internet domains.

22 July
After discovering the attack, DigiNotar initiates an investigation into the events. They decide to keep silent about the break-in.

27 July – 27 August
Rogue certificates signed by DigiNotar are used in man-in-the-middle attacks in Iran. Such an attack is used in order to listen in on and possibly modify the communications of users of Google services such as Gmail. For Google services alone, at least 300,000 distinct users were confronted with fraudulent certificates.

27 August
An Iranian internet user who attempts to access Gmail notices that a rogue certificate has been provided. He notifies Google.

Once GovCERT1 had been notified, they were in charge of handling the incident. When it
became clear, a week later, that PKIoverheid certificates could also not be trusted, a full
crisis management plan was initiated. The Dutch crisis management structure (‘national
crisis structure’) was activated in accordance with existing procedures. The IRB (ICT
Response Board)2 is an advisor to the crisis organisation in case of a crisis involving an
IT component. The IRB convened twice, which helped to gain a quick insight into the
impact of revoking trust in DigiNotar certificates. Many parties cooperated in the crisis
management. Some examples are the Dutch national police, public prosecutor, ministry
of the interior, ministry of security and justice and IT security company Fox-IT.

Internally, the Dutch government investigated which processes depended on DigiNotar certificates for security or confidentiality of their communications. The filing system for tax returns was but one of these processes.

1 Since January 2012 GovCERT has been included within the National Cyber Security Centre (NCSC).
2 The IRB is a private-public advisory board, which advises the national crisis structure about the situation and about the measures to be taken (including the impact).

Timeline of events (2011), continued

29 August
Mozilla also discovers the attack. GovCERT, the Dutch national computer emergency response team, is notified of the attack by CERT-BUND, their German equivalent. DigiNotar publicly admits having been hacked.

1 September
Dutch governmental organisation Logius circulates an email message in which it asks other government bodies what the impact would be of revoking DigiNotar certificates.

3 September
Dutch government officially renounces DigiNotar as a trustworthy certificate provider.

6 September
At the explicit request of the Dutch government, Microsoft decides to postpone – only in the Netherlands – the update which will remove all support for DigiNotar certificates.

14 September
Dutch telecommunications authority OPTA announces that it revokes the licence of DigiNotar to issue certificates for qualified signatures. 300 Dutch government websites still use DigiNotar certificates to encrypt communications.



Revoking all DigiNotar certificates would disrupt many critical services which the
government provides, as well as disrupting many interdepartmental communication
channels. Also, it was unclear exactly what the impact would be of revoking DigiNotar
certificates: there was only very limited knowledge about where DigiNotar certificates
were being used. Even organisations which knew that they were using DigiNotar
certificates could not say what the impact of revoking them would be on their business
processes. A Dutch newspaper noted that abruptly revoking DigiNotar certificates would
lead to a ‘government blackout’. Microsoft agreed to postpone their update which would
revoke these certificates in order to allow for one more week of repairs.

Final remarks
After the DigiNotar crisis, two measures were proposed:
• A legal obligation to notify a central authority of any significant data leaks or break-
ins within an organisation. For providers of qualified certificates, such an obligation
has since been introduced. In the case of DigiNotar, this would have led to an earlier
awareness and understanding of the extent of the problems.
• The creation of a department of digital firefighters, which could act on behalf of
the Dutch government in order to resolve a cybersecurity incident or crisis. Many
proposed formats for this closely matched the role which GovCERT already had within
the government. A discussion point within this concept was whether the government
should have the power to take over IT operations and exercise it in case of a cyber crisis
in order to protect the public interest.

Six days after the OPTA revoked DigiNotar’s licence to issue qualified certificates, the
company went bankrupt. Most of its property was auctioned off, but the hardware used to
protect the private keys of the revoked certificates is still kept locked away. The original
expiry date of the root certificates has not yet passed, which means it is possible some
software still accepts certificates issued by DigiNotar. After this expiry date, the DigiNotar
incident will be over.

The DigiNotar case has been evaluated extensively within all levels of the Dutch
government. Some important conclusions can be made:
• Apparently, the certificate authority/PKI system is part of the critical infrastructure of a
country. The DigiNotar case is a reason to re-evaluate whether one's perception of what
constitutes the ‘critical infrastructure’ of a country is both correct and complete, and to
ask in what way a compromise of such a trust provider has a significant impact on the
physical world.
• In cybersecurity, the effectiveness of the measures taken by a provider greatly affects the
security stance of its clients. On the other hand, the insight and influence clients have
over the security measures taken by their provider is very limited. This means that there
will always be a residual risk associated with cooperating with providers of any kind.



Any lack of security at a provider which is responsible for trust-related services has an
even higher impact. The security measures taken at DigiNotar were regularly evaluated
by an external auditor. It is possible that if this audit had been performed differently
or more in-depth, either the actual breach, or the vulnerabilities which allowed for it,
would have been noticed. This leads one to ask whether the depth at which these audits
are currently performed is suitable for a system where the integrity of every component
is of such great significance.
• The system of trust in security certificates based on the integrity of certificate
authorities (CAs) has been shown to be flawed. Every CA in a browser's trust store can
vouch for certificates for every domain, and a certificate is checked only against that
trust store, not against which CA the domain owner actually uses. As such, a breach at a
minor CA in the Netherlands can compromise the communications of Iranian citizens with
US-based corporations such as Google. Several improvements to the CA system which have
been proposed are:
– using web-of-trust-like structures (as is used in PGP);
– publishing TLS key information in DNSSEC-signed DNS records (DANE);
– Convergence (an external set of notaries which attests to the validity of certificates
based on observations made from around the world).
It is unclear who has the power to initiate such a transition to a new and more secure
system. Until such a transition occurs, we will see similar attacks occur regularly.
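One way to see the point above in code, as an added example that is not part of the report: a relying party can add two checks on top of normal chain validation, a per-domain pin of the issuer it expects and a distrust list for a CA known to be compromised. The Python below is example code written for this handbook, not any vendor's implementation. Both certificates are constructed in the dict shape that Python's ssl.getpeercert() returns; the issuer names, dates and the organisation ‘Example Trust Services’ are made up for the illustration, and ‘registered domain’ is simplified to the last two labels.

```python
"""Relying-party checks the CA model itself does not give you: an
expected-issuer pin per domain and a distrust list for a compromised CA.

Added example. The certificates below are constructed in the dict shape
returned by ssl.getpeercert() and are not the real DigiNotar-issued
certificate. Normal chain validation would accept ROGUE_CERT because its
issuer is in the trust store; the two extra checks reject it.
"""
import ssl
import time

ROGUE_CERT = {  # constructed: *.google.com signed by a DigiNotar CA
    "subject": ((("countryName", "US"),),
                (("organizationName", "Google Inc"),),
                (("commonName", "*.google.com"),)),
    "issuer": ((("countryName", "NL"),),
               (("organizationName", "DigiNotar B.V."),),
               (("commonName", "Sample DigiNotar CA"),)),
    "notBefore": "Jul 10 19:06:30 2011 GMT",
    "notAfter": "Jul  9 19:06:30 2013 GMT",
    "subjectAltName": (("DNS", "*.google.com"), ("DNS", "google.com")),
}

EXPECTED_CERT = {  # constructed: the same names, signed by the site's usual CA
    "subject": ROGUE_CERT["subject"],
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust Services"),),
               (("commonName", "Example Trust Services CA"),)),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Dec 31 23:59:59 2013 GMT",
    "subjectAltName": ROGUE_CERT["subjectAltName"],
}

# Pin: which issuer organisations may vouch for each registered domain.
ISSUER_PINS = {"google.com": {"Example Trust Services"}}
# CAs pulled from the trust store after a compromise.
DISTRUSTED_ISSUERS = {"DigiNotar B.V."}


def name_field(name, field):
    """Pull one attribute out of an ssl.getpeercert() distinguished name."""
    for rdn in name:
        for key, value in rdn:
            if key == field:
                return value
    return None


def host_matches(pattern, host):
    """RFC 6125 style: a wildcard covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return (host.count(".") == pattern.count(".")
                and host.split(".", 1)[1] == pattern[2:])
    return pattern == host


def registered_domain(host):
    """Simplified: last two labels (a real client uses the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_cert(cert, host, pins=ISSUER_PINS, distrusted=DISTRUSTED_ISSUERS, now=None):
    """Return 'ok' or the first reason the certificate must be rejected.
    `now` is an epoch timestamp; it defaults to the current time."""
    now = time.time() if now is None else now
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the CN only when the certificate has no SAN
        cn = name_field(cert["subject"], "commonName")
        names = [cn] if cn else []
    if not any(host_matches(n, host) for n in names):
        return "hostname-mismatch"
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not-yet-valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    issuer_org = name_field(cert["issuer"], "organizationName")
    if issuer_org in distrusted:
        return "distrusted-issuer"
    allowed = pins.get(registered_domain(host))
    if allowed is not None and issuer_org not in allowed:
        return "issuer-not-pinned"
    return "ok"


if __name__ == "__main__":
    for label, cert in (("rogue", ROGUE_CERT), ("expected", EXPECTED_CERT)):
        print(label, check_cert(cert, "www.google.com"))
```

With the distrust list in place the rogue certificate is rejected as distrusted-issuer; with an empty distrust list, as browsers had before September 2011, the pin still rejects it as issuer-not-pinned, which is the check the standard model lacks. Hostname and validity period are checked first so that an expired or mis-named certificate is reported as such rather than as a pinning failure.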



“Since the internet is a worldwide network, it is necessary to establish national and international contacts and well-defined contact points between ISPs, but also between governmental agencies.”



A Cyber-Attack on Deutsche Telekom
Background
A denial-of-service (DoS) attack is an attempt to make a machine or network resource
unavailable to its intended users. There are different types of DoS attacks. One common
method of attack on the internet involves saturating the target machine with external
communications requests, so much so that it cannot respond to legitimate traffic or
responds so slowly as to be rendered essentially unavailable. When multiple systems flood
the bandwidth or resources of a targeted system the attack is called distributed denial-of-
service (DDoS).3

DDoS attacks are very common on the internet. BSI is aware of about 1,800 DDoS attacks
in Germany during the first half of 2013. It means that on average at least ten DDoS
attacks are carried out daily. The real figure is probably much higher. Worldwide, several
companies report that they observe thousands of DDoS attacks per day. On average,
an attack lasts less than one hour. But in some cases it can last for several days or even
months.

Statistics show that the main targets of DoS attacks are governments, banks, and
e-commerce companies. Often adversaries attack a victim’s web-server to disrupt its
internet presence. But in some cases, other services, such as the Domain Name System4
(DNS), are targeted as well.

There are different motivations for DoS attacks, e.g. political and ideological motives,
competition, extortion. Adversaries can be government agencies, state-sponsored or
patriotic hackers, hacktivists, or criminals. Some examples for adversaries and their DDoS
attacks in the recent past are:

3 For more information, see e.g. http://en.wikipedia.org/wiki/Denial-of-service_attack
4 The DNS is a distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates a variety of information with domain names assigned to each of the participating entities. Most prominently, it translates easily memorised domain names to the numerical IP addresses needed for the purpose of locating computer services and devices worldwide. An oft-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For more information, see e.g. http://en.wikipedia.org/wiki/Dns



• The international network of activists called Anonymous which has carried out many
DDoS attacks against various entities (governments, organisations, companies) in order
to protest against their activities.
• Patriotic hackers who attack organisations and companies of a foreign state during
political conflicts. This was seen, for example, in conflicts between China and Japan,
Israel and Palestine, Russia and Georgia, and so on.
• Criminals who have carried out a massive DDoS attack against an anti-spam
organisation: The Spamhaus Project. During this attack, up to 300 gigabits per second
of DoS traffic were experienced.
In some cases, however, as in an attack against Deutsche Telekom, neither the adversaries
nor their motivation for an attack are known.

DoS attacks lead to direct and indirect costs for the victim. They cause costs for DDoS
mitigation, direct revenue losses for e-commerce companies, reputational and brand
damage, and customer turnover. Studies and surveys suggest that an hour of DDoS attack
can cost a victim tens of thousands of euros. Attacks against critical infrastructure of a
state can even disrupt its supply of essential goods and services to its population.

Timeline of events (2012)

03.09.12, 16:00: Attack started, outage of Deutsche Telekom's reverse DNS.
03.09.12, 17:30: Attack mitigated by facilitation of DDoS Defence tooling, reverse DNS again up and running.
03.09.12, 18:00: Attackers modify packet structure to adapt to Deutsche Telekom's countermeasures. Reverse DNS down again.
03.09.12, 18:30: Attack mitigated by reconfiguration of DDoS Defence tooling, reverse DNS up and running.
04.09.12, 00:00: Attack traffic stopped.
05.09.12: Deutsche Telekom informs BSI about the attacks.
05.09.12, 14:15: New attack against reverse DNS, no DNS outages because DDoS Defence tools still engaged.



Incident
In September 2012 Deutsche Telekom AG, a large German internet service provider (ISP),
was attacked by unknown adversaries. The Denial-of-Service attack was an attempt to
block the Domain Name System of the provider. From a practical viewpoint, an outage
of the DNS would cause an outage of the internet for most customers of that provider.
Telecommunications and the internet belong to the critical infrastructure of a country;
their outage could have significant adverse effects on it.

[Figure: DNS reflection / DNS amplification attack. The attacker (IP x.x.x.x) sends a short query to a third party's DNS server (IP y.y.y.y) with the source address forged as the victim's (IP z.z.z.z), asking on the victim's behalf to “send me all information about …”; the third party's long reply (“From: y.y.y.y, To: z.z.z.z, Message: Requested information: …”) is delivered to the victim, not to the attacker.]

Timeline of events (2012), continued

05.09.12, 16:00: Contact to web hosting provider with take-down request for the attacking system IP addresses.
05.09.12, 17:00: Deutsche Telekom asks BSI for emergency point of contact at web hosting provider.
05.09.12, 22:00: New attacks against reverse DNS, no DNS outages because DDoS Defence tools still engaged.
07.09.12: Contact to German Federal Criminal Police Office.
13.09.12: Deutsche Telekom files formal criminal complaint to Public Prosecution Service.
17.09.12: DDoS Defence mitigation measures closed down.



For this attack, the adversary used the server infrastructure of another web hosting
provider. Although the attack vector is not completely clear, the attacker most probably
used a technique known as DNS reflection or DNS amplification. It involves sending
short queries whose source IP address is spoofed to that of the victim – in this case the
addresses of the ISP's DNS servers – to the DNS servers of a third party – in this case the
web hosting provider – so that those servers send their much longer responses to the
victim's address within a short time window. Because a DNS response can be many times
larger than the query that triggers it, the protocol allows an amplification factor of up
to about 100.

The motivation for the attack is unclear. The attacker made no demands to Deutsche
Telekom. No information claiming responsibility for the attack was published. A possible
explanation could be a “proof of concept” or test by which the attackers try out their
capabilities, infrastructure and tools to carry out that kind of attack.

Response
Abuse messages sent to the web hosting provider to stop the attack were unsuccessful.
After a short delay the ISP was able to mitigate the attack by redirecting the malicious
traffic (see Timeline of events, above). The mitigation was possible, since the ISP
possessed the necessary equipment and skills to monitor and mitigate such attacks and
its network capacity was high enough not to collapse under the heavy traffic.

CERT-Bund was informed by Deutsche Telekom about the attack and helped it with the
analysis. While the attack against a provider’s infrastructure which provides services to
the broad population was new, the attack method itself was already known. Since benign
DNS queries need to be answered only once, repeated DNS queries were blocked by the
mitigation systems of Deutsche Telekom.
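The two observations above, responses many times longer than the queries that trigger them and the same query repeated far more often than a benign resolver would ever need, are what a response-rate-limiting detector keys on. The Python below is an added example for this handbook, not Deutsche Telekom's or BSI's tooling: its log format, the addresses (taken from the documentation ranges), the timestamps and the thresholds are constructed assumptions. It groups identical queries per claimed client, measures repeat rate and amplification, and reports the tuples whose further responses should be dropped. Under a reflection attack the ‘client’ is the spoofed victim, so each flagged address is one the server is being used to flood.

```python
"""Response-rate-limiting style detector for DNS reflection abuse.

Added example (not from the report). Log lines are constructed:
"<epoch> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>".
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class QueryRecord:
    ts: float
    client: str
    qname: str
    qtype: str
    query_bytes: int
    response_bytes: int


def parse_line(line):
    """Parse one constructed log line; the name is normalised so that
    'Example.NET.' and 'example.net' land in the same group."""
    ts, client, qname, qtype, qbytes, rbytes = line.split()
    return QueryRecord(float(ts), client, qname.lower().rstrip("."),
                       qtype.upper(), int(qbytes), int(rbytes))


def build_sample_log():
    """Constructed sample: 200 ANY queries for one name inside two seconds,
    all claiming to come from 203.0.113.10 (the spoofed victim), plus a few
    ordinary lookups from two other clients. Addresses come from the
    documentation ranges; the timestamp base is arbitrary."""
    t0 = 1346688000.0
    lines = [f"{t0 + i * 0.01:.2f} 203.0.113.10 example.net. ANY 64 3000"
             for i in range(200)]
    lines += [f"{t0 + i * 20:.2f} 198.51.100.7 www.example.org A 60 90"
              for i in range(3)]
    lines.append(f"{t0 + 5:.2f} 198.51.100.8 mail.example.org MX 62 140")
    return lines


def analyse(lines, max_per_second=5.0, min_amplification=10.0):
    """Group identical (client, name, type) queries and flag the groups that
    repeat faster than a benign resolver would retry AND whose responses
    amplify the request bytes. The thresholds are assumptions for this
    example; a real RRL deployment tunes them per zone."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            groups[(rec.client, rec.qname, rec.qtype)].append(rec)

    flagged = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r.ts)
        # One-second buckets: a single query spans 0 s, so clamp to 1 s.
        span = max(recs[-1].ts - recs[0].ts, 1.0)
        rate = len(recs) / span
        query_total = sum(r.query_bytes for r in recs)
        response_total = sum(r.response_bytes for r in recs)
        amplification = response_total / query_total
        if rate > max_per_second and amplification >= min_amplification:
            flagged[key] = {
                "count": len(recs),
                "rate_per_s": round(rate, 1),
                "amplification": round(amplification, 1),
                # responses beyond the allowed rate are the ones to drop
                "excess_responses": len(recs) - int(max_per_second * span),
            }
    return flagged


if __name__ == "__main__":
    for (client, qname, qtype), stats in analyse(build_sample_log()).items():
        print(f"rate-limit {client} {qname}/{qtype}: {stats}")
```

On the sample the victim's tuple is flagged with an amplification of roughly 47, while the client that repeats one A lookup three times in forty seconds and the single MX lookup are left alone. The check is deliberately narrow: an attacker who spreads the spoofed queries over many names or many spoofed victims keeps each group under the rate threshold, which is why rate limiting complements, rather than replaces, source-address validation at the networks that let spoofed packets out in the first place.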

Also, the Federal Criminal Police Office was involved in the investigation of the attack
infrastructure. However, at first, it was not clear whether it was responsible in this case.
It started to act after the Telekom provided additional information about the attack and it
was recognised that the attack was targeting a critical infrastructure.

Final Remarks
For providers of DNS services there are technical advisories for hardening their servers so
that they cannot be misused for this kind of attack (for example, not operating an open
recursive resolver and rate-limiting identical responses); ingress filtering of spoofed
source addresses by networks (BCP 38) removes the precondition for reflection altogether.
Every DNS operator should be made aware of the threat and be required to implement the
necessary countermeasures. The problem here is that this has to be done by every single
provider worldwide.



Possible victims should implement the necessary processes for detecting and mitigating
such attacks in advance. The mitigation can be done directly by the victim using
appropriate anti-DoS appliances offered by various manufacturers. Alternatively, the DoS
mitigation can be used as a service offered by different providers.

Since the internet is a worldwide network, it is necessary to establish national and
international contacts and well-defined contact points between ISPs, but also between
governmental agencies (law enforcement, governmental CERTs) which can help to
stop an ongoing attack in case the attacker does not respond to direct requests. In a
federal state – such as Germany – it should also be clarified what agency (federal, state,
communal...) is responsible if an attacker needs to be stopped.

The internet is a critical infrastructure. Its availability is essential for the functioning of a
society and economy. Its outage can cause serious negative effects on almost all areas of
life and can even inflict real damage in the physical world. Therefore, its protection should
be an important goal for governments in every country.

Although the attack technique has been known for quite some time, its recent use for
launching DoS attacks of unprecedented scale has brought renewed interest in it. Similar
attacks are carried out against victims worldwide. A recent attack which made it into the
headlines was a DoS attack on the anti-spam organisation, The Spamhaus Project, in
March 2013.

The usage of internet servers – here DNS servers, in other cases also web, email, etc.
servers – instead of home PCs enables the attacker to generate higher network traffic,
since the internet connection of any such server is much faster than the connection of
a typical private PC. This threat changes the general situation and demands immediate
action for implementing appropriate counter measures.



“The analysis that followed the event was able to establish that several of the affected parties did not have enough knowledge about their own dependencies.”



The disruption at the IT service provider Tieto
Background
New technology and new business solutions have allowed a concentration of information,
services, communication and IT operations in society. In the Swedish public sector, the
trend towards concentration and integration has been strengthened through a number
of initiatives such as the eGovernment Delegation, National eHealth, the Government
service authority, as well as the framework agreements that the Legal, Financial and
Administrative Services Agency has signed with major partners. The change in forms of
delivery of IT services is seen as a way to both increase quality and reduce business costs.

An account of the disruption at the IT service provider Tieto in late 2011 is given below.
The disruption affected both public and private organisations, and was debated both in
the specialist press and in the general media. A similar event occurred in Sweden on New
Year’s Eve (January 1, 2014) as a fire in the server room of one of the Stockholm facilities of
the IT service provider Evry caused considerable problems for the Stockholm metro, for
railway traffic, and for postal and logistic services, among others. The fire extinguishing
system was empty due to a human error. No one had restored (re-loaded) the system after
a minor incident the day before. The fire resulted in a loss of power, and data storage
systems had to be re-started. During the re-start, a software failure complicated matters,
and Evry was not able to re-deploy several IT services. This incident started a chain
reaction with implications for the whole society.

The disruptions at Tieto and Evry emphasise an already known circumstance, namely that
increased concentration and integration create a new category of vulnerability where
technical and human errors can shut down a number of societal functions over vast
geographical areas in a short period of time. A disruption at a large IT service supplier
can affect an entire society and the consequences can be considerable. Modern society is
becoming more and more vulnerable when IT systems become unavailable.

The Tieto incident


On Friday, 25 November 2011, a hardware error occurred at IT service provider Tieto. A
central part of a large data storage system at a facility in Stockholm suffered an emergency
shutdown. First, an important key component of the system was lost. At that moment, it
would still have been possible to fall back on a backup system that was on stand-by and
ready to take over. However, after a short while the backup system malfunctioned as well,
thereby rendering data storage for the connected server systems non-functional.

The exact details of what happened have not been made public by Tieto, but data storage
for a large number of servers was suspended in a very short period of time. The disruption
affected about 50 of Tieto’s customers, including companies, governmental agencies and
municipalities. Exactly which clients were affected by the disruption has still not been
made public by Tieto. For some organisations, IT support nearly came to a complete
halt, while other organisations experienced disruptions of specific services. In addition,
several service suppliers seem to have been connected to the storage system, including
companies that deliver web-based tools for administration, travel management and
similar services. There were reports from several municipalities across the country about
malfunctioning administration of financial services and pension services following the
disruption at Tieto.

Timeline of events (2011)

25 November: A hardware error occurs at IT operations provider Tieto on Friday afternoon. A central part of a large data storage system at a facility in Stockholm suffers an emergency shutdown. For some of the approximately 50 affected organisations (Tieto's customers), IT support comes to a near-complete halt, while other organisations experience disruptions to specific services.
26-27 November: Tieto does not publicly acknowledge that it is experiencing operational problems caused by a hardware malfunction until Sunday afternoon, 27 November. The actual hardware error takes two days to correct. However, the customers' information, i.e. the data stored in the storage system, cannot be restored simply by replacing a single component of the technical equipment, because the hardware problem causes a chain reaction of incidents that result in a complex and time-consuming restoration process. Therefore, it takes a considerably longer time for customers to restore saved data to the same state as before the disruption.
28 November: Early Monday morning, the mass media and the public have started to understand the widespread impact of the disruption. The disruptions are not limited to the capital Stockholm and the municipalities in the surrounding area. There are reports of problems caused by the disruption from several municipalities around the country.
29 November: Media attention is growing and additional reports on affected organisations are made public.



It is difficult to provide an exact account of the direct impact of the breakdown, such as
the number of IT services or servers that went down. However, it is possible to get an
approximate idea of the extent based on the outsourcing contracts between Tieto and
some of the affected organisations. The storage system crash resulted in the malfunction
of a large number of servers, or virtual servers, over a short period of time. Moreover,
the effects were not limited to the systems operated by Tieto. The company also sold
automated operational monitoring of customer servers. As a result, several Tieto
customers quickly noticed that they no longer had any control over the status of their own
servers. This meant that they had to move quickly to manual monitoring, which resulted
in a significant amount of extra work.
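The cascade described above, a storage failure that takes down the servers on it and, with them, the monitoring that customers relied on to see their own servers, is a dependency-graph question that can be answered before an outage rather than during one. The Python below is an added example for this handbook and not a description of Tieto's environment: the graph is constructed, and its requirement groups model redundancy so that a service fails only when every alternative in one of its groups has failed (the stand-by storage system in the Tieto case). It computes the blast radius of a failure, lists single points of failure, and reports whether the monitoring service itself is among the casualties.

```python
"""Blast-radius analysis over a service dependency graph.

Added example; the graph is constructed for illustration and does not
describe Tieto's real environment. Each service lists requirement groups:
a group is a set of alternatives, and the service fails only when every
alternative in some group has failed. Groups must be non-empty.
"""

SERVICES = {
    "san-controller-a": [],
    "san-controller-b": [],
    "san-storage": [{"san-controller-a", "san-controller-b"}],  # redundant pair
    "vm-host-1": [{"san-storage"}],
    "vm-host-2": [{"san-storage"}],
    "monitoring": [{"vm-host-1"}],          # hosted on the same storage it watches
    "pharmacy-dispensing": [{"vm-host-1"}],
    "mortgage-loans": [{"vm-host-2"}],
    "vehicle-inspection": [{"vm-host-2"}],
    "inspection-reporting": [{"vehicle-inspection"}, {"transport-agency-api"}],
    "transport-agency-api": [],
    "public-website": [{"external-host"}],  # hosted elsewhere, unaffected
    "external-host": [],
}


def propagate(graph, failed):
    """Return every service that is down once `failed` has failed, following
    requirement groups until no further service can be knocked out. The loop
    terminates because the down-set only ever grows (cycles are harmless)."""
    down = set(failed)
    changed = True
    while changed:
        changed = False
        for service, groups in graph.items():
            if service in down:
                continue
            if any(group <= down for group in groups):
                down.add(service)
                changed = True
    return down


def blast_radius(graph, failed):
    """Services, other than the initial failures, that go down as a consequence."""
    return propagate(graph, failed) - set(failed)


def single_points_of_failure(graph, threshold=3):
    """Nodes whose lone failure takes down at least `threshold` other
    services, most damaging first. Redundant members (either SAN controller
    alone) do not appear: the stand-by absorbs their failure."""
    spof = {}
    for node in graph:
        radius = blast_radius(graph, {node})
        if len(radius) >= threshold:
            spof[node] = len(radius)
    return dict(sorted(spof.items(), key=lambda kv: -kv[1]))


def impact_report(graph, failed, monitor="monitoring"):
    """What is down, and whether the team has lost the tool it would use to
    find that out."""
    down = propagate(graph, failed)
    return {"down": sorted(down - set(failed)), "monitoring_lost": monitor in down}


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(SERVICES))
    print("one controller lost:", impact_report(SERVICES, {"san-controller-a"}))
    print("both controllers lost:",
          impact_report(SERVICES, {"san-controller-a", "san-controller-b"}))
```

Losing one controller produces an empty blast radius, which is the comfortable answer a contingency plan tends to stop at; losing both, as happened when the backup system also malfunctioned, takes down eight services including the monitoring, and the single-points-of-failure list names the shared storage as the node worth a separately hosted fallback. Building and keeping such a graph current is the concrete form of ‘knowing your own dependencies’ that the later analysis found lacking.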

Timeline of events (2011), continued

30 November: Tieto has managed to restore operations at all of the 350 affected pharmacies across the country (about 50% of the pharmacies are back in operation on Monday evening). The pharmacies lost contact with their IT systems and were unable to dispense prescribed medicines in accordance with normal procedures. Prescriptions were administered manually, and in some cases older IT systems were re-installed. The loan operations of the Government-owned mortgage lender SBAB are also fully restored.
1 December: The City of Stockholm concludes that there are no lingering effects of the disruption.
5 December: The 180 control stations of the motor-vehicle inspection company Bilprovningen once again have IT support. Bilprovningen inspects around 20,000 vehicles per day across the country, and the loss of IT services slows down the inspection process and leads to extra costs. One notable consequence is that the automatic reporting of all approved inspections normally made to the Swedish Transport Agency is halted. This, in turn, triggers a driving ban on many vehicles.
4 January 2012: Nacka Municipality is able to announce that all computer systems are up and running again. However, there is still a lot of catching up to do and the municipality has identified lost data.



Response
The Tieto company solved the technical error in about two days. The major challenge
for the company, however, was to restore the data and re-deploy IT services. This was a
complex problem that took several weeks in some cases.

This section focuses on responses related to the consequences of the disruption. Many
of the affected organisations had to resort to manual routines while Tieto was working
on restoring their IT services. This halted some processes, and slowed down others
considerably, due mainly to lack of personnel. Some organisations had frameworks and
plans for dealing with the loss of IT services; others had to solve the problems as they
emerged. A few organisations resorted to using old IT systems – systems that still existed,
or could be re-installed. There was also an example of a public organisation that used
Twitter and Facebook to communicate with people when their website and email systems
were down.

The Swedish Civil Contingencies Agency (MSB) started working on the event, formally,
on the morning of the 28th of November 2011. Regular meetings were held through the
Agency’s National Cybersecurity Coordination Function. Obtaining situational awareness
was the most important part of that work. In addition to this, MSB published information
on the Agency’s websites, including the national crisis portal which is the responsibility of
the Agency. On Tuesday, November 29, MSB completed an impact analysis and concluded
that no critical societal functions were affected in such a way that would seriously
threaten the functioning of society. This was followed by a status report to the Swedish
Ministry of Defence. MSB followed the progression of events through open sources,
its own contact networks, and contacts with affected parties as well as with Tieto. The
Agency quickly contacted Tieto, as well as many of the affected organisations. However,
it was difficult to gain a complete understanding of the situation through these channels
from the perspective of societal considerations as regards the widespread effects of the
disruption. Therefore, a request was drawn up on 6 December for the majority of agencies
specifically indicated in the Emergency Management and Heightened Alert Ordinance
(2006:942) to submit a situation report to the MSB regarding the disruption at Tieto. In
summary, however, it can be concluded that the MSB had difficulty in quickly forming a
comprehensive picture of how the event was affecting Swedish society. There is still no
single party with a complete picture of the societal impact. In February 2012, the Agency
submitted a formal report on the event to the Swedish Ministry of Defence.

Final remarks
It is difficult to assess fully the negative societal consequences of the disruption at Tieto.
For some organisations, IT services were unavailable for weeks, while others only suffered
minor problems. Apart from IT services becoming unavailable, there were also some
cases of data losses. In terms of financial cost, it is even more difficult to estimate the
consequences. It has not been possible to analyse the total cost, but, as an example, one of
the affected municipalities (with approximately 100,000 inhabitants) estimated that their
direct costs caused by the shutdown were at least SEK 7.5 million (circa EUR 850,000). It is
very difficult to assess the costs that are related to loss of reputation. For the public sector
organisations, it is also important to notice that even if an organisation has outsourced its
IT operations, the organisation is still accountable to the public.

The Swedish Civil Contingencies Agency (MSB) did not activate the national IT response
plan during the Tieto disruption. The consequences of the disruption at Tieto cannot
be considered a social emergency. However, the disruption clearly had serious negative
consequences for individuals and organisations, meaning that the event was very serious.

The analysis that followed the event was able to establish that several of the affected
parties did not have enough knowledge about their own dependencies, nor about their
need for cooperation. Had the disruption led to more extensive social problems, the
MSB would have had trouble coordinating the relief work and alleviating the effects
of the incident, as well as creating a satisfactory basis for collaboration. The affected
organisations (Tieto’s customers), have a great responsibility in terms of informing
their users and other stakeholders themselves. The event shows that this responsibility
is difficult for many organisations to comply with. Emergency preparedness and
contingency planning for long disruptions are requirements for most organisations, but
special needs arise when an organisation outsources IT operations or uses cloud services
for vital parts of the operation. The impression after the disruption at Tieto is that the
organisations’ contingency planning was of varying quality. Further, only a small number
of organisations had applied information classification or performed a risk analysis
before their procurement and outsourcing of services.

In the event of cyber incidents, warnings come at short-notice or not at all, the pace is
rapid and the incident is usually geographically independent. In order to prevent and
handle cyber incidents, an increased capability of all organisations in society at all levels
of responsibility and in all sectors is required. To this end, the MSB has identified four
areas in which further work is required:
• Strengthening preventive initiatives for cyber security (information security) throughout society.
• Procurement as a tool for better security: There is a great deal of potential in public
procurement, and all organisations need to develop further their competency in using
procurement as a means of controlling their cyber security (information security).
• Special focus on risk analysis and contingency planning: The disruption at Tieto shows that
there are shortcomings in the contingency planning and emergency preparedness
among several of the affected organisations.
• National and regional cyber security situational awareness: The increased concentration of
IT operations and other IT related services means that a large number of stakeholders
might be affected simultaneously by a cyber incident. The disruption at Tieto shows
that the affected parties need to develop better processes for gathering and sharing
information in order to create situational awareness. This should also include being
able to communicate information to the public, and it assumes that the information
is coordinated.



“By stepping out of our own closed communities, opportunities to work together will show themselves everywhere. By recognising these opportunities and acting upon them, we ensure that we will be able to meet tomorrow's threats today.”



Lessons learned
Three case studies have been presented. Each one presents lessons learned from the
events described and the role of their authoring organisation during these events.
Two features are evident in each of these cases:

On a technical level, the incidents were not very complex, but the impact on society
was great. The Swedish case describes a relatively simple system failure; the German
story about the denial-of-service attack involves somewhat advanced but well-known
techniques; and the hack at DigiNotar was mostly possible because of the lack of proper
controls in place at DigiNotar.

In each case, the impact was large because of the role the target played in each country:
a national telecommunications provider, a signer of the national PKI infrastructure, and
an IT operations provider. All had many parties who depended on their cyber security.
Through network effects, these incidents escalated quickly.

The lessons learned show many parallels as well. A few highlights:

1 New technology has created new opportunities as well as new risks in our society. New
technology and new business solutions have allowed a concentration of information,
services, communication and IT operations in society. This increased concentration,
along with new forms of operation and increased integration, can lead to a
vulnerability where small technical errors can shut down a number of societal functions
in a short period of time.

2 Since the internet is a worldwide network, it is necessary to establish national and
international contacts and well-defined contact points between ISPs, but also between
governmental agencies (law enforcement, governmental CERTs), which can help to
stop an attack. Incident response is an entirely different matter if the incident has taken
place within infrastructures which may be halfway across the globe. International
cooperation is essential in approaching this challenge. Special needs arise when an
organisation outsources IT operations or uses cloud services for vital parts of the
operation. Cloud services and service providers form an additional challenge for
CERTs and their activities.

3 The internet is a critical infrastructure. Its availability is essential for the functioning
of a society and economy. Therefore, its protection should be an important goal for
governments in every country. Governments should re-evaluate whether the perception
of what constitutes the ‘critical infrastructure’ of a country is both correct and
complete.

4 The incidents in this report show that a large cyber incident can have an effect on an
entire society and that the impact can be considerable. In order to prevent and handle
major IT incidents, an increased capability of all participants in society at all levels
of responsibility and in all sectors is required. In this regard, the following areas are
particularly important:
a Procurement as a tool for better control of cyber security
b Special focus on risk analysis and contingency planning
c Implementation of the necessary processes for early detection and mitigation of IT
attacks
d National and regional situation status reports on cyber security.

5 In each of these cases, incident response plays a central role. Cooperation and
coordination around a major cyber security incident are crucial. The timing and
the quality of the initial response are both crucial in order to deal effectively with
all aspects of an incident or with a crisis at a later stage. The examples in this report
show that all participants must be able to act together and collaborate on decision-
making and operations in the event of an emergency. It is important that the affected
parties have developed processes for gathering and sharing information. This should
also include being able to communicate information to the public and to other
stakeholders. And finally the information should be coordinated.

6 During an incident or crisis it is important to have access to current and relevant
information from different stakeholders. Each of these cases describes how more and
more information became available during the crisis and how it was dispersed among
trusted partners. Such trust relations are not built during a crisis, but rather in the
relatively calm period beforehand. In order to respond adequately during a crisis, it is
important to establish channels for communication and the conditions under which
communication takes place.

7 Internet Service Providers (ISPs) are an important party in preventing cyber attacks.
The effectiveness of the measures taken by a provider greatly affects the security stance
of its clients. Any lack of security at a provider which is responsible for trust-related
services has a great impact.



All in all, this report provides one with much to think about, but much to do as well. The
opportunities presented by international cooperation are large indeed. We can no longer
model the cyber security stance of an organisation on a fort, by assessing the thickness
of the virtual wall built around it. Rather, we must secure the information within and
between organisations. By stepping out of our own closed communities, opportunities to
work together will show themselves everywhere. By recognising these opportunities and
acting upon them, we ensure that we will be able to meet tomorrow’s threats today.



Ministry of Security and Justice, The Netherlands
Federal Office for Information Security, Germany
Swedish Civil Contingencies Agency, Sweden

November 2014
Cyber Case Studies:
The Traditional Security Nexus
Blu3

Product of the Research & Information Support Center (RISC)

The following report is based on open-source reporting.

November 18, 2014

Introduction

As the lives of individuals and the daily operations of organizations increasingly use and depend upon
online networks and resources, the line between security incidents in the cyber and physical worlds has
become blurred. Traditional security definitions and boundaries no longer apply uniformly. While many
security professionals may still consider cyber security a technical problem, today’s reality is an
intertwined cyber-physical world wherein cyber security issues often affect and cross over into the
physical realm (and vice versa) with direct, tangible impact. Billions of people worldwide are now online; it
has become another, if not the primary, domain that individuals and organizations depend upon to
communicate, increase efficiency, engage in commerce, store and publish information, and reduce costs.
Criminals, spies, terrorists, and hacktivists (hacker activists) also take advantage of these same benefits.

The proliferation of intersections between cyber and physical is increasing as a function of computing
device connectivity. People use numerous communications protocols to connect multiple devices to
various networks at work, at home, and on the go. An organization’s sensitive and proprietary systems,
once closed-off networks, are now accessible or controllable via remote or Internet access. Furthermore,
low-cost “smart” technology has been introduced into departments not traditionally overseen by technical
staff. According to Gartner, 26 billion devices will be part of the “Internet of Things” (IoT) by 2020. IoT is
the interconnection of atypical, non-computing devices – everything from smart thermostats and alarm
systems to medical monitoring devices and automobiles – to the Internet using a myriad of wireless
technologies. This wave of ubiquitous automation will likely create a surge of security implications in both
the cyber and physical realms, especially considering security has historically lagged behind technology.

Defenders must cover all points of attack, while attackers only have to identify the weakest point. An
increasing number of traditional security incidents have occurred because of weak links that existed in the
cyber realm; the converse is also true. Through the examination of security incidents, including the
highlighted examples in Table 1, this white paper will demonstrate the interwoven nature of the two
realms, reveal who has been affected, and provide best practices and countermeasures.

Security discipline   | Examined incident
Facility Security     | Chinese military hackers compromise facility access systems
Personal Protection   | Online information sharing facilitates kidnapping of billionaire's son
Information Security  | Syrian spy cameras and microphones surveil activists and journalists
Financial Security    | Credit card breaches will continue after chip and PIN adoption
Personnel Security    | Terrorist-linked software developers hired for critical infrastructure work
Public Safety         | Hackers can cause traffic jams and misdirection
National Security     | Cyber warfare becomes a component of international conflict

Table 1: Examples of examined security incidents with a cyber-traditional security nexus

The contents of this unclassified report, compiled from various open sources, in no way represent the policies, views, or attitudes
of the United States Department of State, or the U.S. Government, except as otherwise noted (e.g. travel advisories, public
statements). All OSAC products are for internal U.S. private sector security purposes only. Publishing or distributing OSAC-
derived information in a manner inconsistent with this policy may result in the discontinuation of OSAC support.
Agreement on the categorization of traditional security disciplines is difficult because there is much
overlap among them; cyber security is no different. Several other security sub-categories could fall under
one or more security disciplines in Table 1, such as operations security (OPSEC). Facility security,
personal protection, and information security are all common sub-categories of physical security.

Physical Security Case Studies

Physical security (defined as the physical protection of sensitive or proprietary information, people,
facilities, installations, or other sensitive materials, resources, or processes) is broad and multi-faceted. Its
key areas involve the physical protection of facilities, people, and information.

Facility Security

U.S. Steel

In May, a federal grand jury indicted five military officers in China’s People’s Liberation Army (PLA) Unit
61398 for computer hacking, economic espionage, identity theft, and other related offenses directed at six
U.S. private-sector organizations in the nuclear power, metals, and solar energy industries. This was the
first time the U.S. Government successfully brought criminal charges against nation-state actors for this
type of computer hacking. Most of the alleged criminal conduct involved information that was stolen while
the companies were in negotiations, partnerships, or trade litigations with Chinese state-owned
enterprises (SOEs).

One of the affected organizations, United States Steel Corporation (U.S. Steel), was involved in trade
cases with Chinese steel companies between 2009 and 2012. Shortly before the anticipated decision in
one of the cases, an indicted military hacker allegedly sent spear-phishing emails to U.S. Steel
employees – including those associated with the litigation. Some of the emails, which appeared to come
from the CEO, successfully tricked employees into clicking on malicious links, resulting in the installation
of malware and backdoor access on corporate computers. The hackers used more spear-phishing
emails, with the subject line “US Steel Industry Outlook,” to steal a list of about 1,700 company
computers, including servers that controlled physical access to the company’s facilities and emergency
response.

Although the indictment stated that vulnerable servers on that list were identified and exploited, it does
not confirm which ones were hacked or detail the extent of exploitation. Compromised facility access
systems could have enabled a Chinese competitor to target U.S. Steel’s business operations from a
physical security angle. However, most of the alleged activity conducted by the PLA 61398 hackers
resulted in intellectual property (IP) and trade secret theft.

Countermeasures

• The U.S. Steel case study underscores the need for segmentation or compartmentalization of
critical systems from public-facing networks via physical and/or logical (software) means.

• The case study also stresses the importance of cyber security education, especially to protect
against spear-phishing tactics.
o Spear-phishing is used in over 90 percent of advanced economic espionage attacks by
nation-state or nation-state-sponsored actors.
o Spear-phishing was the predominant method allegedly used by the PLA 61398 hackers.

• Segmentation and compartmentalization will likely become more important as the Internet of
Things expands, where thermostats, refrigerators, alarm systems, and security cameras could all
exist on the same network.
o A vulnerability in just one device could disclose the credentials to the entire network.
o Not only could an attacker turn off an alarm or security camera, but a threat actor could
use the cameras or smart meter readings to determine when a building is vacant in order
to break in.
o Manipulation of a thermostat to prompt a building evacuation could be the first step in a
plot to attack an organization’s physical security.
o In addition, networks that communicate without encryption, or with IoT devices that lack
physical protection, are exposed and vulnerable to attack.
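The U.S. Steel emails "appeared to come from the CEO" but carried malicious links. The following is an added example (not the OSAC report's or U.S. Steel's code) of a mail-gateway triage check that flags executive display-name impersonation, lookalike sender domains, mismatched Reply-To headers and external links; the internal domain, the executive directory and the two sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "ussteel.example"                    # assumed internal mail domain
EXECUTIVES = {"Jane Doe": "Chief Executive Officer"}    # assumed directory: display name -> title


def normalize_name(name):
    """Lower-case a display name and collapse punctuation/whitespace for a tolerant comparison."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


EXEC_NAMES = {normalize_name(n) for n in EXECUTIVES}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def link_hosts(body):
    """Hostnames of every http(s) URL in the message body."""
    hosts = set()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def assess(message):
    """Return the reasons a message resembles executive-impersonation spear-phishing ([] if none)."""
    reasons = []
    display, address = parseaddr(message.get("from", ""))
    sender_domain = domain_of(address)

    # 1. Executive name in the display field, but the address is not on the internal domain.
    if normalize_name(display) in EXEC_NAMES and sender_domain != INTERNAL_DOMAIN:
        reasons.append("display name matches an executive but sender domain is %r" % sender_domain)

    # 2. Lookalike domain: contains the organization's label but is not the real domain.
    label = INTERNAL_DOMAIN.split(".")[0]
    if sender_domain != INTERNAL_DOMAIN and label in sender_domain:
        reasons.append("sender domain %r is a lookalike of %r" % (sender_domain, INTERNAL_DOMAIN))

    # 3. Replies are steered to a different domain than the apparent sender.
    reply_to = message.get("reply_to")
    if reply_to:
        reply_domain = domain_of(parseaddr(reply_to)[1])
        if reply_domain != sender_domain:
            reasons.append("Reply-To domain %r differs from sender domain" % reply_domain)

    # 4. Links leave the organization (the page's case involved malicious links).
    for host in sorted(link_hosts(message.get("body", ""))):
        if host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
            reasons.append("link to external host %r" % host)
    return reasons


# Constructed sample messages; only the subject line echoes the case study.
SAMPLE_MESSAGES = [
    {
        "from": "Jane Doe <jane.doe@ussteel-mail.example>",
        "reply_to": "Jane Doe <j.doe@webmail.example>",
        "subject": "US Steel Industry Outlook",
        "body": "Please review before the hearing: http://ussteel-docs.example/outlook.pdf",
    },
    {
        "from": "Jane Doe <jane.doe@ussteel.example>",
        "subject": "Board schedule",
        "body": "Agenda is on the intranet: https://intranet.ussteel.example/agenda",
    },
]


def triage(messages):
    """Subject -> reasons, for every message that raised at least one reason."""
    return {m["subject"]: assess(m) for m in messages if assess(m)}


if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES).items():
        print(subject)
        for r in reasons:
            print("  -", r)
```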

Personal Protection

Social networking sites and social media sites have made collecting information on people and
organizations for social engineering, blackmail, and conducting traditional, economic, or industrial
espionage – in both the cyber and physical domains – much easier. However, information published on
these sites can also affect the physical security of people in an organization.

Mexican Drug Cartels and a Diverted Flight

Mexican drug cartels and organized crime groups (OCG) often glean personally identifiable information
(PII) from social networking and media sites to add legitimacy to extortion and kidnapping threats. They
regularly monitor social media to target individuals, such as journalists disseminating “unfavorable”
information about illicit OCG activities. OCGs may also search for secure communication channels to
avoid detection by government and security authorities, and they are likely trying to diversify revenue
streams through hacking, counterfeiting, and ATM skimming activities. As such, there have been media
reports of kidnappings, enslavements, bribes, and coercions of computer programmers, engineers, and
telecommunications experts since at least 2009.

A hacking group called the Lizard Squad attacked Sony Online Entertainment in August 2014, causing
denial-of-service disruptions to Sony’s PlayStation Network servers and tweeting a hoax to American
Airlines about “receiving reports that [Sony Online Entertainment CEO]’s plane #362 from DFW to SAN
has explosives on-board.” The hackers were a previously-unknown group who claimed links to terrorism
to add credence to the hoax; therefore, American Airlines diverted the flight and security authorities
checked for explosives. The Lizard Squad had obtained the CEO’s flight information from cross-
referencing flight schedules with travel information he had posted on Twitter (see Figure 2).

Figure 2: Hacking group Lizard Squad devised a hoax using information gleaned from
Sony Online Entertainment CEO’s tweets

Private Celebrity Photos

Information found on social networking and media sites can be used to defeat security questions used to
reset passwords on online sites and services. This, in addition to the use of weak passwords, use of
repeated passwords across multiple sites, a lack of two-factor authentication, and the allowance of
unlimited password guesses on a cloud back-up service, contributed to the highly-publicized leaks of
private celebrity photos in 2014. Using information on the Internet to humiliate, blackmail, bully, stalk,
surveil, and/or kidnap a person may be among the most frightening ways someone’s personal safety can be
compromised by cyber-related means.

Kaspersky Kidnapping

The highest-profile cyber surveillance, stalking, and abduction case involved Ivan Kaspersky, son of the
chairman and CEO of Russia-based Kaspersky Lab, one of the most prominent cyber security firms in the
world. Ivan Kaspersky was kidnapped for ransom in 2011 while walking to work from his Moscow
apartment. According to Russian media sources, amateurs – an older indebted couple – orchestrated the
plot and enlisted their son and two of his friends as “muscle” for the plot. The abductors stalked
Kaspersky and his girlfriend for several months prior to the kidnapping, determining his behavioral
patterns and discovering that he did not have a protective security detail. The kidnappers reportedly
obtained all the needed information from Kaspersky’s user profile on Vkontakte, a popular Russian social
networking site. His profile contained publicly-posted personal information, such as his real name, photo,
current school and area of study, girlfriend, work location, and the addresses of his last two apartments.
With this information, even amateurs could track and abduct the son of a prominent billionaire.

Kaspersky was forced to call his father to relay the ransom demands. Fortunately, the cellphone he used
was tracked within six days, although there is conflicting reporting as to whether its location was tracked
by Russian security authorities or someone working directly for Kaspersky. The Russian System for
Operative Investigative Activities (SORM) lawfully enables authorities to monitor, record, analyze, and
retain all data that traverses Russian telephone and Internet networks, including all emails, telephone
calls, Internet browsing sessions, text messages, and fax transmissions. The abductors may have used
the same cellphone to make food deliveries, or had geolocation services enabled.

Countermeasures

• The common thread in these personal safety attacks is the lack of operations security (OPSEC)
used in online interactions.
o Limiting the amount of publicly-available personal information online and turning off
geolocation services on social networking and media sites can go a long way in
preventing targeted attacks.
o Even in cases where permissions are set to limit the audience to online “friends,” it is
easy for the Internet savvy to use fake social networking site accounts to socially
engineer their way in.
o Potential targets should be made aware of what information about them is publicly
available online (or for a few dollars), to understand the ways they could be targeted.
o Posting information from wearable IoT devices with geolocation capabilities (GPS), like
fitness activity-monitoring devices, could also reveal regular routes or residential
addresses.

• Only trusted third-party sites and services with stringent security measures should be used for
any off-site or cloud storage of sensitive files.

• Other best practices to help counter attacks include separating work and personal accounts and
using fabricated information in password reset security questions.
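The celebrity photo leaks above were helped by "the allowance of unlimited password guesses on a cloud back-up service". As an added example (not code from the report or from any provider), the following login service compares a throttled account with an unthrottled one under the same online guessing attempt; the lockout policy, the clock, the account name and the wordlist are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60    # assumed policy: count failures over a 15-minute window
LOCKOUT_SECONDS = 30 * 60   # assumed policy: lock the account for 30 minutes


class LoginThrottle:
    """Per-account failed-attempt counter. max_failures=None reproduces the 'unlimited guesses' defect."""

    def __init__(self, clock, max_failures=5):
        self.clock = clock                  # injected so the example runs deterministically offline
        self.max_failures = max_failures
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0)

    def record_failure(self, account):
        now = self.clock()
        window = self.failures[account]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                # forget failures older than the window
        if self.max_failures is not None and len(window) >= self.max_failures:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            window.clear()

    def record_success(self, account):
        self.failures.pop(account, None)


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class AuthService:
    def __init__(self, throttle):
        self.throttle = throttle
        self.users = {}

    def register(self, account, password):
        self.users[account] = hash_password(password)

    def login(self, account, password):
        """Return 'locked', 'denied' or 'ok'; the hash is only computed when the throttle allows it."""
        if self.throttle.is_locked(account):
            return "locked"
        record = self.users.get(account)
        if record is not None:
            salt, stored = record
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, stored):
                self.throttle.record_success(account)
                return "ok"
        self.throttle.record_failure(account)
        return "denied"


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


# Constructed wordlist: eleven weak guesses, then the real passphrase.
GUESS_LIST = ["password", "123456", "qwerty", "letmein", "welcome", "abc123",
              "iloveyou", "admin", "monkey", "dragon", "sunshine",
              "correct horse battery staple"]


def simulate_guessing(max_failures, guesses=GUESS_LIST, seconds_between=2):
    """Count login outcomes for an online guessing run against one account; stop at the first 'ok'."""
    clock = FakeClock()
    service = AuthService(LoginThrottle(clock, max_failures))
    service.register("victim@example.test", guesses[-1])   # constructed account
    counts = {"ok": 0, "denied": 0, "locked": 0}
    for guess in guesses:
        counts[service.login("victim@example.test", guess)] += 1
        clock.advance(seconds_between)
        if counts["ok"]:
            break
    return counts


if __name__ == "__main__":
    print("unlimited guesses:", simulate_guessing(None))
    print("lock after 5:     ", simulate_guessing(5))
```

With no limit every guess is evaluated and the last one succeeds; with a limit of five the account locks after the fifth failure and the remaining guesses are refused before any hash is computed.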

Information Security

In addition to facilities and people, physical security protects sensitive or proprietary information from
sabotage or theft. Using cyber methods to destroy or steal information stored electronically is obvious, but
using cyber methods to obtain information that is not located on computer networks or electronic media is
less so. Stringent physical security measures and systems used in facilities to prevent adversaries from
overhearing information, gaining access to printed information, or discovering what physical security
systems or methods are in place, can be defeated by one compromised cellphone or computer.
Computers and cellphones contain cameras, microphones, and often tracking devices – the same
components that make up high-tech eavesdropping devices.

Syria: Non-Governmental Organizations, Journalists, and Activists

Violence from Syria’s civil war continues both on the ground and in the cyber realm. Pro-government
forces are circulating spyware to infiltrate, track, and gather intelligence against the opposition, which
often winds up in the hands of the Assad regime and results in arrests, raids, and attacks. In some cases,
suspected rebels have been rounded up and interrogated about activities they conducted on their
computers, without the interrogators needing to have physical access to the machines.

Pro-Assad hackers deploy malware that is usually in the form of a remote access toolkit (RAT), which
grants nearly full access to victim computers. Not only do the attackers have access to computer files, but
they can record everything that is typed or displayed on the screen, such as online communications,
emails, video calls, and chats on social networking sites. The spyware is able to obtain information not
normally in the cyber domain – it can turn on cameras to collect intelligence on locations, record sensitive
information posted within view, attribute online activities to specific users’ faces, and turn on microphones
to eavesdrop on conversations in the room.

The attackers use well-informed social engineering that is tailored to the interests, needs, and fears of the
opposition. For example, they have hidden malware in fake security tools, fake versions of privacy or
encryption software [such as virtual private network (VPN) clients and Skype encryption tools], bait
documents, and malicious links. One email promised documents and maps showing the movements of
fighting groups. Further, they compromised legitimate Facebook accounts, such as one belonging to the
head of the Transnational Syrian Opposition, to recommend the installation of malicious software.

When diplomatic efforts appeared to replace the possibility of U.S. military action in Syria, NGOs and
journalists working on the conflict were included as targets in the attackers’ phishing, social media, and
spear-phishing campaigns. In one instance, an NGO administrator received an email purporting to
contain video evidence of Syrian military abuses. The file played a video of a graphic execution while it
installed RAT malware.

Pro-government hacking campaigns followed similar methods until late last year, when security
researchers began to see attacks that they believed were “false flags.” The new campaigns seemed to
implicate pro-Assad hackers deliberately, but did not fit their techniques and tactics. For example, new
malware of unknown origin claimed to be from the Syrian Electronic Army, but specifically attacked
Mac computers, which are uncommon in the region. Mac computers are more popular with activists
and journalists covering Syrian issues from outside the country. Kaspersky Lab has attributed the
locations of attackers in recent Syria-related cyber attack campaigns to operations coming from Syria,
Lebanon, and Russia. This may indicate that Syrian government allies with significant hacking
capabilities, such as Hizballah, are secretly assisting in the attacks. Figure 3 shows the geographical
distribution of those targeted by recent cyber attacks.

Activists, journalists, and NGOs working on the Syrian conflict have become more knowledgeable of
the risks posed by these kinds of attacks. However, the attackers’ malware campaigns have become
increasingly innovative and sophisticated in 2014, with higher levels of social engineering. Analysis of
the cyber attacks, especially correlating new or resurging attack campaigns with current events, is
difficult.

Figure 3: Recent Syria-related cyber attacks mostly affected victims in Syria and nearby countries
(Source: Kaspersky Lab)

Countermeasures

• In addition to education on spear-phishing techniques and social networking/media site
compromise methods, organizations can prevent malware installation by keeping all software
up to date with upgrades and patches, and only downloading or obtaining trusted software
from authorized, authentic websites and stores.

• Organizations should also be aware that there is a risk of surveillance or eavesdropping when
using computers and mobile electronic devices.
o Microphones can be physically switched off (not using software) or disconnected from
systems in sensitive areas.
o Covers or removable tape can be used to cover camera lenses when not in use.
o Cellphones can be left outside, or batteries can be temporarily removed, during
sensitive conversations in secure areas.
o Other best practices for safely using electronic devices abroad can be found in the
OSAC report on economic espionage trends.

Reverse Case: Physical Security Affecting Cyber Security

An exploited vulnerability in cyber security does not always defeat physical security, but physical access
to computing devices nearly always defeats cyber security. Lack of access control, locks, temperature
control, and backup power for high-value networks or server rooms could easily result in data loss or
compromise.

Additionally, most attacks against cellphones and mobile electronic devices require one or more of the
following:

• An unencrypted connection to an unsecured network or Wi-Fi network;
• Falling prey to a malicious link or attachment in an email, social networking or media site, or text
message;
• Software that is unpatched or out of date; or
• Having physical access to the device.

Physical access is the easiest way to compromise laptops and mobile electronic devices. Abroad,
especially in locations with aggressive technical collectors, most security experts assume devices that are
out of direct physical control are compromised.

Financial Security Case Studies

Perhaps the greatest confluence of traditional and cyber security occurs in the finance industry, where
international commerce and financial services operate largely on a cashless framework. “Cyber” is losing
its place as a term in the finance industry vernacular. Excluding cash-only economies, monetary
exchanges and transactions are done electronically. Brazil was a pioneer in the adoption of electronic and
online financial systems 30 years ago and today has a large, robust banking community and e-commerce
sector. Even in several African countries, such as Kenya, mobile network penetration preceded that of
broadband Internet, and financial transactions by phone have become commonplace. With rapid
technological growth comes a general lag in implementing and enforcing cyber security legislation and
practices, usually creating lucrative environments for cyber criminals. As such, Brazil is a worldwide
hotspot for cyber crime, and in Africa, fraud conducted over mobile networks is prolific.

Major Credit Card Breaches of 2014

Especially in the United States, major data breaches seem to make the news headlines regularly,
contributing to the “Age of the Data Breach.” In 2014 alone, hackers have stolen over 500 million financial
records from the U.S. private sector. Of these, point-of-sale (POS) terminal malware exposed the financial
information of over 100 million credit cardholders, stealing the information while it was unencrypted in
memory or elsewhere in the transaction chain. EMV “chip and PIN” credit cards, wherein cards contain an
embedded microchip and are authenticated to bank servers using a personal identification number (PIN),
may be an answer. However, without end-to-end encryption of credit card data in a financial transaction
(including memory and storage), these breaches could still occur. Furthermore, stolen card information
still can be used fraudulently in online transactions, which cannot access the chip.

Credit card skimming, when criminals insert a rogue device into an ATM or POS terminal that copies
information stored on the magnetic strip, will likely decrease in countries that migrate fully to EMV chip
technology. However, chip and PIN cards are not immune to software flaws, incorrect implementation, or
more advanced skimming attacks that clone the chip or harvest the PIN.

As countries migrate to the EMV standard, payment networks have implemented liability shifts. In the
U.S., the card issuer is liable for fraudulent transactions, but in countries that have adopted EMV, liability
for fraudulent transactions has shifted to retailers and ATM owners who do not support it.

Countermeasures

Large credit card breaches will likely continue to occur because of the time required for a country to
completely adopt EMV technology, and as long as there are end-to-end encryption issues. However,
examination of the major credit card breaches in 2014 reveals other vulnerabilities that were involved in
the attacks.
• Computers on the same network as those in the POS transaction chain (without physical or
logical separation):
o Were open to Internet access;
o Had remote administration software installed;
o Had user accounts with access to email and Internet browsing (susceptible to spear-phishing
and drive-by downloads that install malware); and/or
o Were connected to third-party vendors or services, such as payment processor companies or
HVAC companies, that employ less stringent security measures.

• Even organizations that employed stringent security software and response teams missed alerts
and warnings. This can happen when multiple offices are responsible for an organization’s overall
security, but there is no standard operating procedure to delineate individual responsibilities, and
when no formal breach response plan exists.

Compliance with new PCI-DSS 3.0 security standards will help address some of the vulnerabilities
affecting credit card transactions.
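The four conditions listed above for machines sharing a network with the POS transaction chain can be turned into an inventory audit. The following is an added example (not from the report or any PCI tooling) that flags every host on a POS-carrying segment that meets one of those conditions; the host inventory, segment names and vendor names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    network: str                                 # network segment / VLAN name
    roles: frozenset = frozenset()               # {"pos"} marks a POS transaction-chain host
    internet_access: bool = False
    remote_admin: bool = False
    user_email_browsing: bool = False
    third_party_links: frozenset = frozenset()   # external vendors the host connects to


def pos_segments(hosts):
    """Every network segment that carries at least one POS transaction-chain host."""
    return {h.network for h in hosts if "pos" in h.roles}


def host_issues(host):
    """The report's four conditions, evaluated for one host."""
    issues = []
    if host.internet_access:
        issues.append("open to Internet access")
    if host.remote_admin:
        issues.append("remote administration software installed")
    if host.user_email_browsing:
        issues.append("user accounts with email and Internet browsing")
    if host.third_party_links:
        issues.append("connected to third parties: " + ", ".join(sorted(host.third_party_links)))
    return issues


def audit(hosts):
    """Host name -> violated conditions, for hosts that share a segment with the POS chain."""
    segments = pos_segments(hosts)
    findings = {}
    for h in hosts:
        if h.network not in segments:
            continue            # physically or logically separated from the POS chain
        issues = host_issues(h)
        if issues:
            findings[h.name] = issues
    return findings


# Constructed inventory: a store LAN with registers, an HVAC controller and a back-office PC,
# plus a corporate laptop on a separate segment.
INVENTORY = [
    Host("pos-register-01", "store-lan", roles=frozenset({"pos"})),
    Host("pos-register-02", "store-lan", roles=frozenset({"pos"})),
    Host("hvac-controller-01", "store-lan", roles=frozenset({"hvac"}),
         internet_access=True, remote_admin=True,
         third_party_links=frozenset({"hvac-vendor.example"})),
    Host("back-office-pc-02", "store-lan", roles=frozenset({"workstation"}),
         user_email_browsing=True),
    Host("corp-laptop-17", "corp-lan", roles=frozenset({"workstation"}),
         internet_access=True, user_email_browsing=True),
]


if __name__ == "__main__":
    for name, issues in sorted(audit(INVENTORY).items()):
        print(name)
        for issue in issues:
            print("  -", issue)
```

The corporate laptop is just as exposed as the back-office PC, but it is not reported because it does not share a segment with the registers; that is the separation the countermeasure asks for.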

Personnel Security Case Studies

Personnel security assures the loyalty, reliability, suitability, and trustworthiness of employees and others
who work with or have access to sensitive information and material. It is often concerned with insider
threat. Economic (nation state) and industrial (corporate) espionage threat actors use social engineering
techniques, both cyber and traditional, to specifically target employees who have any access to sensitive
or IP-related information. Some insiders may be state-sponsored threat actors already embedded in U.S.
private-sector organizations, but many are coerced with promises of financial reward. Both economic and
industrial espionage actors lure employees with lucrative job opportunities at either state-owned
enterprises or competitors. Employees can also be coerced by nation-state governments to help their
home countries out of patriotism or loyalty.

Disgruntled employees are prime targets for economic and industrial espionage actors, and as many
as 75 percent of departing employees are disgruntled. According to client statistics compiled by cyber
security firm Websense, 65 percent of malicious insiders have already accepted a new job, and 25
percent of them hand over proprietary information to a foreign company or government (see Figure 4).

Figure 4: Threat profile of malicious insiders (Source: Websense)

Jerome Kerviel and Societe Generale

For Jerome Kerviel, no encouragement or lure was needed in what became the biggest rogue trading
scandal in history. Kerviel, a trader for French multinational banking and financial services company
Societe Generale, was convicted in 2008 for breach of trust, forgery, and unauthorized use of the bank’s
computers. As an insider, he subverted controls and used an accumulation of privilege to go on a
gambling spree that resulted in a $7 billion loss for his employer. After his release from prison in
September 2014, he was hired as an information systems and computer security consultant by Lemaire
Consultants and Associates.

Aum Shinrikyo

Aum Shinrikyo, a Japanese doomsday terrorist group, was responsible for many assassinations and the
1995 sarin gas nerve agent attacks on the Tokyo subway system that killed 12 people. Five years later,
security authorities realized that more than 80 Japanese companies and government organizations had
contracted computer companies affiliated with Aum Shinrikyo for software development. The Japanese
companies affected were major players in the electronics, food, banking, transportation, and metal
manufacturing fields, while some of the government agencies were responsible for construction,
education, postal services, and telecommunications.

Computer software development was a major source of revenue for Aum Shinrikyo. Many affected
organizations did not know they had ordered software from firms affiliated with the terrorist group because
their main suppliers had subcontracted the work. Additionally, most affiliates concealed their relationship
with Aum Shinrikyo. They developed about 100 different types of software, including customer
management, airline route management, and mainframe computer systems. The most prominent
customers were Nippon Telegraph and Telephone (NTT), Japan’s main telephone and Internet
service provider, and the Defense Ministry of Japan. The concern that the terrorist group had inside
access to sensitive government and corporate computer systems became a widespread fear, as many
worried about acts of cyber terrorism and sabotage of vital communications and networks. Many affected
government agencies and companies were forced to suspend the use of purchased systems until they
could verify that the systems were secure.

Countermeasures

 The most effective countermeasure for insider threat is user education, especially as part of a
formalized insider threat program.
o The average employee is not aware that foreign governments, in addition to competitors,
attempt to recruit insiders.
o Coworkers have the best chance at identifying insider threat behavior in an organization.
o The CERT Insider Threat Center has published best practices for mitigating IP theft,
information systems sabotage, and fraud. Additionally, the FBI Counterintelligence
Division’s Insider Threat Program offers an extensive list of possible insider behavior and
risk indicators.

 A great number of insiders are also unintentional.
o Although usually not as costly, many losses occur from negligent or uninformed
employees, who do not realize that they are not complying with cyber security best
practices.

o It often requires only one instance of human error, such as falling for a spear-phishing
scheme, for a major data breach or loss to occur in an organization.

 The Aum Shinrikyo case stresses the importance of personnel security measures not only for
employees in the workplace, but also for all those who work with or have access to sensitive
information or systems in the entire supply chain.

Public Safety Case Studies

Public safety involves the prevention of and protection from events that could endanger or cause injury,
harm, or damage to the general public. The Aum Shinrikyo case highlights a cyber-related incident that
overlaps multiple security disciplines; it could have had long-reaching effects on the public safety in
Japan. Other examples of cyber incidents that could impact public safety involve event security and
terrorism.

Major Event Disruption

Hacktivists (hacker activists) have threatened mass disruptions at major events to publicize or bring
attention to their causes. Days before the opening ceremony at the London 2012 Summer Olympic
Games, British security services warned Olympics authorities about the threat of a cyber attack on the
stadium’s power supply. According to government investigations, the threat, which came from hacktivists,
was not credible. However, it led to checks on a back-up power system, including tests to ensure
functionality despite the strain from the stadium’s lighting and communications networks.

Traffic Light Hacks

Hacktivists have also threatened to hack into traffic control systems at major events, such as the 2014
FIFA World Cup, using vulnerabilities in traffic control systems that were recently published in two
separate studies. The studies revealed that traffic control systems could be disrupted or rendered
inoperable. One researcher used a remote-control drone and cheap programmable hardware to launch
an attack on a traffic system and sent fake data to sensors – small wireless vehicle detection devices
embedded in the ground that transmit information about automobile location and movement. Traffic could
be impacted if the sensors were wirelessly linked to traffic lights. The other research team showed that it
was possible to break into the wireless communications of another system’s traffic controllers because
there were no passwords in use and no encryption used in the transmissions.

Terrorists could exploit traffic control system vulnerabilities to direct traffic toward (or restrict it to) a
planned attack location. While the products detailed in the studies are deployed primarily in the U.S.,
about 200,000 of the sensors in one system are in use worldwide, including in the UK, France, and
Australia. Experts believe that many traffic infrastructure devices created by various vendors have similar
security properties due to a lack of security consciousness in the traffic control systems field.

Countermeasures

 There are several practical ways that transportation departments, traffic light operators, and
equipment manufacturers can increase the security of their infrastructure:
o Enabling encryption on wireless networks,
o Blocking non-essential traffic from being sent on the network, and
o Updating device firmware regularly.

 The simplest solutions with the greatest impact are to enable passwords and not rely on
default login credentials.

 The vulnerabilities in the traffic sensor system have been patched, with planned upgrades for
older models. However, the identity of the other vendor has not been disclosed, and their
vulnerabilities are still exploitable.

National Security Case Studies

National security refers to the protection of a nation through the use of economic power, political power,
military might, and diplomacy to ensure its survival. Accordingly, national security is dependent upon
military as well as non-military facets such as economic security, energy security, and environmental
security.

One of the most concerning national security issues with or without a cyber security nexus is the scale of
trade secret theft conducted against U.S. economic interests, especially those with foreign operations. In
addition, host country national security can affect the operations and welfare of U.S. private sector
organizations abroad. There are many possible attack vectors that could impact a country’s critical
infrastructure and therefore the operations of OSAC constituents. Furthermore, international and
intranational conflicts more frequently include cyber components.

Economic Damage by Espionage

Intellectual property theft, especially in the cyber domain, has been one of the most serious economic and
national security challenges the U.S. has faced over the past several years. The Commission on the Theft
of American Intellectual Property, in their 2013 IP Commission Report, estimated that the U.S. economy
is experiencing annual losses of over $300 billion a year to international trade secret theft. The report
concluded that better protection for IP, especially overseas, would add millions of jobs to the U.S.
economy, significantly bolster economic growth, encourage investment in research and development, and
improve innovation.

Critical Infrastructure Attacks

Threats to a host nation’s critical infrastructure include those against the financial services industry,
energy sector, water supply, transportation systems, public health services, and telecommunications
networks. Nation states have infiltrated or attacked critical infrastructures, often controlled and monitored
by industrial control systems (ICS), since at least 2003. Patching and updating ICS equipment can be
difficult because the equipment is often old, sensitive, or proprietary, or no longer supports software
upgrades. Many systems require continuous operation and cannot be rebooted after an update, especially
if the reboot takes several hours or there is a risk that the system may not work properly afterward.

Critical infrastructures that are accessible via the Internet are most vulnerable to attack. However, those
that isolate, or “air gap” their systems from the Internet are not impenetrable. Advanced nation-state
attacks on air-gapped systems have succeeded, e.g., the Stuxnet and Agent.btz campaigns, where
employees may have inserted malicious USB flash drives – planted outside targeted facilities – into
computers that were connected (or later connected) to the sensitive, isolated networks. The Stuxnet virus
destroyed nuclear centrifuges in Iran, and Agent.btz infiltrated both classified and unclassified U.S.
military networks. Other research suggests that the Stuxnet virus may have entered via hacked suppliers
of nuclear facility components. Additionally, the Shamoon virus, introduced by a disgruntled insider with
full systems access, destroyed 75 percent of the corporate data at Saudi Arabia’s national oil and natural
gas company.
Actors based in China, Russia, and Iran have allegedly conducted cyber probes of U.S. grid systems;
cyber attacks have occurred against critical infrastructure in several other countries as well. In 2013, a
senior Israeli official revealed a foiled hacking attempt to break into the computers of the water system in
Haifa and stated that critical infrastructures in Israel undergo hundreds of cyber attacks every minute. In
2013 and 2014, private security researchers set up fake industrial control systems (“honeypots”) on the
Internet that emulated water pumping stations. Analysis of one decoy system revealed intrusion and
system modification attempts originating from several countries, as shown in Figure 5. Further, targeted
attacks to obtain statistics, diagnostics, and protocol information included a spear-phishing attack from
China, a commonly-known malware attack from Vietnam, and an unknown malware attack from Russia.

Figure 5: Water pumping station “honeypot” attacks by originating country with highlighted exploitation
methods (Source: Trend Micro)
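The per-country breakdown behind Figure 5 is the kind of summary a defender produces from honeypot logs. The script below is an added example, not code from this report or from Trend Micro: the log lines are constructed, the key=value line format, the country codes (which a GeoIP lookup would normally attach to each source address) and the three categories (recon, intrusion, modification) are assumptions, and the Modbus function names mirror the standard read/write function codes. It also reports how long after deployment the first contact arrived, the measurement behind the "within two hours" observation made later in this paper.

```python
"""Summarize constructed ICS-honeypot events by source country and category.

Added example; the log format, country codes and categories are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log: one event per line, a UTC timestamp followed by
# key=value fields. "cc" is the country code a GeoIP lookup attached to "src".
SAMPLE_LOG = """\
2014-03-02T08:14:07Z src=203.0.113.45 cc=CN proto=http path=/login user=admin result=fail
2014-03-02T08:14:09Z src=203.0.113.45 cc=CN proto=http path=/login user=admin result=ok
2014-03-02T08:15:30Z src=203.0.113.45 cc=CN proto=http path=/setup/pump.cgi method=POST result=ok
2014-03-02T09:02:11Z src=198.51.100.7 cc=RU proto=modbus func=read_holding_registers addr=40001 count=8
2014-03-02T09:02:12Z src=198.51.100.7 cc=RU proto=modbus func=write_single_register addr=40001 value=0
2014-03-03T01:40:55Z src=192.0.2.200 cc=VN proto=http path=/stats.xml method=GET result=ok
2014-03-03T02:10:03Z src=192.0.2.201 cc=US proto=http path=/login user=root result=fail
"""

# Modbus functions that change controller state (coils and registers).
MODBUS_WRITE_FUNCS = {
    "write_single_coil", "write_single_register",
    "write_multiple_coils", "write_multiple_registers",
}

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Turn one log line into a dict; 'ts' becomes an aware UTC datetime."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def classify(event):
    """Map an event to recon, intrusion (credential attempt) or modification."""
    if event.get("proto") == "modbus":
        return "modification" if event.get("func") in MODBUS_WRITE_FUNCS else "recon"
    if event.get("method") == "POST":      # a write to a web configuration page
        return "modification"
    if event.get("path") == "/login":      # any credential attempt, successful or not
        return "intrusion"
    return "recon"                         # reads of status or diagnostic pages


def iter_events(log_text):
    return (parse_line(line) for line in log_text.splitlines() if line.strip())


def summarize(log_text):
    """Return {country: {category: count}} for every event in the log."""
    per_country = defaultdict(Counter)
    for event in iter_events(log_text):
        per_country[event["cc"]][classify(event)] += 1
    return {cc: dict(counts) for cc, counts in per_country.items()}


def countries_with_modifications(summary):
    """Countries that went beyond probing and tried to change the system."""
    return sorted(cc for cc, counts in summary.items() if counts.get("modification"))


def hours_to_first_event(log_text, deployed_at_iso):
    """Hours between connecting the decoy and the first recorded event."""
    deployed = datetime.strptime(deployed_at_iso, TS_FORMAT).replace(tzinfo=timezone.utc)
    first = min(event["ts"] for event in iter_events(log_text))
    return (first - deployed).total_seconds() / 3600


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for cc in sorted(summary):
        print(cc, summary[cc])
    print("modification attempts from:", countries_with_modifications(summary))
    print("first contact after %.1f hours" % hours_to_first_event(SAMPLE_LOG, "2014-03-02T06:14:07Z"))
```

Separating "modification" from "recon" matters because a write to a register or a POST to a setup page is what turns a probe into an operational safety concern; a real deployment would feed the same classification into alerting rather than a printed table.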

Despite the vulnerabilities and reported intrusions of industrial control systems, it is rare for threat actors
to carry out significantly damaging or full-scale attacks. Many critical infrastructure operators in
technologically advanced countries are air-gapping their most important systems from the Internet. Some
experts argue that a mass takeover of critical infrastructure is unlikely because it is sufficiently
segmented, so that only one component, area, or section could be affected at one time. Regardless, the
pervasiveness of cyber attacks on critical infrastructures and “cold war” tactics indicate that the definition
of national security has expanded to include a nation’s offensive and defensive cyber capabilities.

Cyber Component in International Conflicts

National governments use cyber tactics to help fight rebellions, oppositions, and terrorists internally (see
previous section on the Syrian civil war). However, they have also used cyber tactics as a component in
international conflicts. Cyber researchers have noted major spikes in malware traffic on corporate and
government networks preceding the Russia-Ukraine and Israel-Gaza conflicts, suggesting that conflict
occurring in the cyber realm could be used as a threat indicator or even a tripwire for kinetic attacks. Over
an 18-month period, as tensions rose between each pair of countries, so did the frequency of cyber
attacks between them. Attribution of the attacks becomes crucial, however, as a false flag or the
misidentification of a state-led cyber attack could lead to physical, armed conflict.
Russian Conflicts

Open-source reporting and private industry security research have accused Russia of conducting attacks
on telecommunications networks in its engagements with Estonia in 2007, Georgia in 2008, and Ukraine
in 2014. In a dispute that erupted over the Estonian removal of a Soviet war memorial in Tallinn, Russia
allegedly conducted a three-week cyber attack that took down Estonian systems that relied on Internet
technology – disabling voting, security, telephony, and 95 percent of banking operations. US-CERT
attributed the takedowns to distributed denial-of-service (DDoS) attacks. In 2008, the Russian invasion of
Georgia included disruption attacks that blocked Georgia’s banking, media, and government websites.
Internet connectivity within Georgia and to the outside world was impacted, and there were widespread
propaganda and website defacement campaigns against Georgian websites. In 2014, armed men raided
Ukrainian telecommunications facilities in Crimea, severing Internet and telephone services between the
region and the rest of Ukraine. However, this was accomplished by physically cutting telecommunications
lines, a military tactic that predates the Internet by decades. Russia also allegedly installed equipment
that blocked the mobile phones of Ukrainian members of parliament. Some Ukrainian government
agencies, including the Prime Minister’s office and at least 10 Ukrainian embassies abroad, were infected
with a Russian-linked cyber espionage campaign called the Snake malware, also referred to as
“Uroboros.” At least nine other countries’ embassies in Eastern Europe were also infected with the
malware, resulting in leaks of sensitive diplomatic information. And in September, the broadband network
of a major telecommunications provider in New Zealand ground to a halt for 36 hours when user
connections were co-opted to conduct a DDoS attack against websites in Ukraine and several large
international banks enforcing sanctions against Russia.

Predictably, the Russian government has denied state involvement in these attacks. Nonetheless,
investigations by private cyber security firms have determined that these attacks originated inside
Russia's borders. State-sponsored or Russian nationalist hackers could have been responsible for at
least some of the cyber campaigns. Cyber Berkut, a nationalist hacking group that emerged after the
dissolution of the “Berkut” Ukrainian special police force, took credit for the hacking of Ukraine’s electronic
election system prior to the 2014 presidential election. They took down the system via DDoS,
manipulated and destroyed data, and defaced the website to display fake election results.

Israel-Gaza Conflict

While Israel likely included a cyber component in its conflict with Gaza, media reporting focused more on
attacks that pro-Gaza hackers conducted against Israel. Pro-Gaza hackers took control of an Israeli
satellite TV station to display propaganda, hacked into the emergency messaging systems to send false
and threatening SMS text messages to millions of Israeli civilians, and hacked the Israeli Defense Forces’
Twitter account to report falsely that two rockets from Gaza had hit the Dimona nuclear reactor and
caused a leak. While media reporting attributed the cyber attacks to Hamas, Israeli security officials
revealed that Iran may have also been involved. One of the false emergency SMS text messages was an
alert that the airport in Tel Aviv had been hit by a rocket. Later that evening, an OSAC constituent called
the OSAC emergency duty phone to confirm the attack after receiving a report from their security vendor
on the ground. However, the vendor was likely one of the many who had received the hoax on their
smartphones.

A constituent called the OSAC emergency duty phone to confirm whether a rocket had hit the Tel Aviv
airport. Their security vendor in Israel likely received a false SMS text alert from the hacked emergency
messaging system.

Terrorist Groups

The Islamic State of Iraq and the Levant (ISIL or ISIS) and Al-Qa’ida have not exhibited the ability to
conduct sophisticated cyber attacks, thus far only using social media networks and other online resources
to communicate, post propaganda, and recruit. Just as governments, militant groups, and terrorists may
receive physical assistance and arms support from their allies, they may also receive offensive cyber
training. Based on open-source reporting and past attack attribution, Iran, Syria, Hamas, Hizballah, and to
a lesser extent, pro-Islamic hacktivists, are the only adversaries in the Middle East and North Africa
region that have exhibited offensive cyber capabilities.

Countermeasures

 Critical infrastructures should isolate their most important systems from public networks. Many ICS
devices are not only Internet-facing, but do not have security mechanisms to prevent unauthorized
access.
o Web-based ICS equipment that cannot be isolated from the Internet should use encrypted
communications.
o System administrators should set appropriately secure and non-default log-in credentials,
implement two-factor authentication, and disable insecure or unnecessary remote access
communications protocols.
o Organizations with aging, fragile, or sensitive industrial control systems can compensate with
real-time network monitoring and incident response; where patching is feasible, administrators
should keep ICS equipment up to date with software patches and fixes.
o Physical and logical (software-based) access control can prevent unauthorized employees or
contractors from accessing important equipment.

 Air-gapped systems may still be vulnerable to attack by advanced nation-state threat actors.
o Education and training is the best way to protect against both insider threat and the
connection of unauthorized devices or external electronic media.
o Disabling or restricting computer ports that accept external electronic devices or media can
prevent the introduction of malware.

o Suppliers are usually much easier for hackers to exploit than the corporations or government
agencies using them.

 Shodan is an online search engine that allows users to search for publicly-accessible devices and
computer systems that are connected to the Internet.
o Shodan users can locate systems including security cameras; heating and security control
systems for banks, universities, and large corporations; medical devices; and industrial
control systems (see Figure 6) for water plants, power grids, and nuclear power facilities.
o Users are primarily cyber security professionals, researchers, and law enforcement agencies,
and it is a useful tool for conducting penetration tests on, or “red teaming,” network resources
and systems.
o While cyber criminals can use the website, they have other effective methods to accomplish
the same task without detection. One recent honeypot study revealed intrusion attempts from
China-based attackers within two hours of connecting the decoy ICS equipment to the
Internet, before the system appeared on Shodan.
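The traffic-control countermeasures earlier in this paper (encryption, blocking non-essential traffic, firmware updates, no default credentials) and the ICS countermeasures above amount to a checklist that can be evaluated automatically against a device inventory. The script below is an added example and not code from this report or from any vendor: the inventory records, the list of factory-default credentials, and the 180-day firmware threshold are constructed assumptions, chosen so that one device fails several checks and one passes.

```python
"""Audit a constructed ICS/traffic-controller inventory against the checklist above.

Added example; the inventory, the credential list and the 180-day firmware
threshold are assumptions, not values from the report.
"""

# Constructed sample of widely known factory-default credentials.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}
# Remote-management protocols that carry credentials or commands in clear text.
INSECURE_PROTOCOLS = {"telnet", "ftp", "http"}
MAX_FIRMWARE_AGE_DAYS = 180   # assumed policy threshold

# Constructed inventory: one weakly configured device beside a hardened one.
INVENTORY = [
    {
        "name": "pump-station-plc-01",
        "internet_facing": True,
        "encrypted_management": False,
        "credentials": ("admin", "admin"),
        "two_factor": False,
        "remote_protocols": ["telnet", "http"],
        "firmware_age_days": 400,
        "patchable": True,
        "network_monitoring": False,
    },
    {
        "name": "intersection-controller-07",
        "internet_facing": False,
        "encrypted_management": True,
        "credentials": ("ops-team", "uncommon-passphrase-R7!"),  # constructed placeholder
        "two_factor": True,
        "remote_protocols": ["ssh"],
        "firmware_age_days": 30,
        "patchable": False,          # legacy hardware that cannot take updates...
        "network_monitoring": True,  # ...compensated for by real-time monitoring
    },
]


def audit_device(dev):
    """Return (severity, finding) pairs; an empty list means the device passes."""
    findings = []
    if dev["internet_facing"]:
        findings.append(("INFO", "Internet-facing; isolate from public networks if possible"))
        if not dev["encrypted_management"]:
            findings.append(("HIGH", "remote management without encryption"))
        if not dev["two_factor"]:
            findings.append(("MEDIUM", "no two-factor authentication on remote access"))
    if dev["credentials"] in DEFAULT_CREDENTIALS:
        findings.append(("HIGH", "default login credentials in use"))
    weak = sorted(set(dev["remote_protocols"]) & INSECURE_PROTOCOLS)
    if weak:
        findings.append(("MEDIUM", "insecure remote protocols enabled: " + ", ".join(weak)))
    if dev["patchable"]:
        if dev["firmware_age_days"] > MAX_FIRMWARE_AGE_DAYS:
            findings.append(("MEDIUM", "firmware older than %d days" % MAX_FIRMWARE_AGE_DAYS))
    elif not dev["network_monitoring"]:
        # Unpatchable equipment needs a compensating control (see the ICS bullet above).
        findings.append(("HIGH", "unpatchable device without network monitoring"))
    return findings


def audit_inventory(inventory):
    """Map each device name to its list of findings."""
    return {dev["name"]: audit_device(dev) for dev in inventory}


def worst_first(report):
    """Device names ordered by HIGH findings, then total findings (most first)."""
    def key(item):
        severities = [sev for sev, _ in item[1]]
        return (-severities.count("HIGH"), -len(severities), item[0])
    return [name for name, _ in sorted(report.items(), key=key)]


if __name__ == "__main__":
    report = audit_inventory(INVENTORY)
    for name in worst_first(report):
        print(name, "PASS" if not report[name] else "")
        for severity, text in report[name]:
            print("  [%s] %s" % (severity, text))
```

The unpatchable-but-monitored branch is the point worth noting: the paper treats monitoring as the fallback for equipment that cannot be updated, so the audit only raises a finding when neither control is present.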

Figure 6: A map of industrial control systems that are directly connected to the Internet (Source: Shodan)

Outlook and Conclusion

Out of convenience, people and organizations have adopted technology into nearly every aspect of their
daily lives and operations. Physical devices are linking or connecting to the cyber realm at an exponential
rate. As atypical devices with “smart” functionalities and Internet capabilities become connected to the
Internet of Things, they also become hackable. Sharing or storing information on external networks also
relinquishes control of the data to third-party vendors and services. Even worse, technology adoption is
surpassing the ability to secure it. This is especially concerning as cyber security has become a
component of an organization’s overall security posture.

Supply chains today are large, complex, and often networked. It is increasingly difficult to map all the
systems, devices, and services that support an organization’s operations, especially how they link
together. Security breaches occur when attackers probe and map targeted networks before an
organization can, seeking to exploit the weakest spots and leveraging trusted third-party connections.
For example, hackers often compromise the email accounts of third parties to send spear-phishing emails
to higher-value targets with stronger security postures. Suppliers – or even suppliers of suppliers – are
usually much easier to break into than the corporations using them.

The convergence of traditional and cyber threats has created the need for integration of the security
disciplines. Adversaries have become more sophisticated in their exploits, often involving both traditional
and cyber attack vectors. Traditional security organizations and jobs increasingly include cyber security
responsibilities as the line between cyber and real-world security incidents becomes indistinct.
Information security – traditionally the protection of sensitive or proprietary information – and financial
security have almost become synonymous with cyber security because most information and financial
data is now transmitted and stored on computer networks.

According to former DHS Secretary Michael Chertoff, “one of the biggest misconceptions is that cyber
security is a hardware or software problem; the reality is that it is a people problem.” Understanding
adversaries and addressing both technical and human vulnerabilities is critical. A strong security posture
depends upon a culture where security is everyone’s responsibility, especially when the actions of one
person, or one weak link, can compromise the entire enterprise.

Examination of the case studies presented in this white paper reveals countermeasures that OSAC
constituents could incorporate into their security strategies to prevent or lessen the impact of security
incidents with a cyber nexus:

 Segmenting, compartmentalizing, or isolating sensitive information and systems from public-
facing networks and unauthorized access;
 Separating work and personal accounts and/or information;
 Enforcing separation of duties and least privilege for employee, contractor, and vendor user
accounts;
 Educating and training employees and third parties, including social engineering techniques
used by threat actors, and holding third parties accountable with service-level agreements;
 Keeping software, including anti-virus and anti-malware software, up to date with security
patches and upgrades;
 Incorporating security into technology development, maintenance, and the overall system
development life cycle process;
 Only downloading or obtaining trusted software from authorized, authentic websites and
stores;
 Practicing good operations security (OPSEC) in online interactions;
 Encrypting sensitive information in transit and storage whenever possible;
 Employing two-factor authentication, especially for remote access to internal networks and
external storage of sensitive files;
 Employing and enforcing strong password strategies;
 Disabling microphones and cameras in sensitive areas to prevent surveillance or
eavesdropping;
 Remembering that physical access to unencrypted computing devices nearly always defeats
cyber security; and
 Integrating cyber security into crisis management, disaster recovery, and incident response
plans and exercises.

Contact Information

For further information or inquiries, please contact OSAC’s Coordinator for Information Security & Cyber
Threats.

OSAC constituents can confidentially report traditional or cyber security incidents abroad on the OSAC
website at https://www.osac.gov/Pages/IncidentSubmission.aspx or by directly contacting the OSAC
Research and Analysis Unit (RAU).

Referenced OSAC Reports:

 Trade Secret Theft: Trends in State-Sponsored Economic Espionage
 OSAC Assessment: Sochi 2014 Winter Olympics (Information Security and Cyber Threats
section)
 OSAC Assessment: 2014 FIFA World Cup (Information Security and Cyber Threats section)

